[ OK ] Reached target Timers.
Starting System Logging Service...
Starting Permit User Sessions...
Starting OpenBSD Secure Shell server...
[ OK ] Started Regular background program processing daemon.
[ OK ] Started System Logging Service.
[ OK ] Started Permit User Sessions.
[ OK ] Found device /dev/ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 74.306201][ T35] audit: type=1400 audit(1607223661.632:8): avc: denied { execmem } for pid=8471 comm="syz-executor067" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 74.325140][ T8471] ==================================================================
[ 74.335007][ T8471] BUG: KASAN: use-after-free in squashfs_get_id+0x1ae/0x1d0
[ 74.342300][ T8471] Read of size 8 at addr ffff88801e52f0d8 by task syz-executor067/8471
[ 74.350624][ T8471]
[ 74.352970][ T8471] CPU: 1 PID: 8471 Comm: syz-executor067 Not tainted 5.10.0-rc6-syzkaller #0
[ 74.361763][ T8471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.371852][ T8471] Call Trace:
[ 74.375272][ T8471]  dump_stack+0x107/0x163
[ 74.379641][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.384596][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.389585][ T8471]  print_address_description.constprop.0.cold+0xae/0x497
[ 74.396623][ T8471]  ? _raw_spin_lock_irqsave+0x4e/0x50
[ 74.402026][ T8471]  ? vprintk_func+0x95/0x1e0
[ 74.406653][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.411607][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.416560][ T8471]  kasan_report.cold+0x1f/0x37
[ 74.421444][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.426401][ T8471]  squashfs_get_id+0x1ae/0x1d0
[ 74.431198][ T8471]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 74.437627][ T8471]  ? squashfs_read_metadata+0x2f9/0x460
[ 74.443181][ T8471]  squashfs_read_inode+0x1b4/0x1b40
[ 74.448716][ T8471]  ? find_held_lock+0x2d/0x110
[ 74.453577][ T8471]  ? squashfs_read_id_index_table+0x120/0x120
[ 74.459635][ T8471]  ? new_inode+0x23b/0x2f0
[ 74.464047][ T8471]  ? lock_downgrade+0x6d0/0x6d0
[ 74.468899][ T8471]  ? do_raw_spin_lock+0x120/0x2b0
[ 74.473907][ T8471]  ? rwlock_bug.part.0+0x90/0x90
[ 74.478839][ T8471]  ? do_raw_spin_unlock+0x171/0x230
[ 74.484110][ T8471]  ? _raw_spin_unlock+0x24/0x40
[ 74.488962][ T8471]  ? new_inode+0x240/0x2f0
[ 74.493371][ T8471]  squashfs_fill_super+0x1140/0x23b0
[ 74.498655][ T8471]  get_tree_bdev+0x421/0x740
[ 74.503250][ T8471]  ? init_once+0x20/0x20
[ 74.507496][ T8471]  vfs_get_tree+0x89/0x2f0
[ 74.511913][ T8471]  path_mount+0x13ad/0x20c0
[ 74.516437][ T8471]  ? strncpy_from_user+0x2a0/0x3e0
[ 74.521549][ T8471]  ? finish_automount+0xac0/0xac0
[ 74.526574][ T8471]  ? getname_flags.part.0+0x1dd/0x4f0
[ 74.531950][ T8471]  __x64_sys_mount+0x27f/0x300
[ 74.536713][ T8471]  ? copy_mnt_ns+0xa60/0xa60
[ 74.541308][ T8471]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 74.547216][ T8471]  do_syscall_64+0x2d/0x70
[ 74.551625][ T8471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.557515][ T8471] RIP: 0033:0x446d1a
[ 74.561513][ T8471] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 74.581126][ T8471] RSP: 002b:00007ffc9fb56f38 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 74.589540][ T8471] RAX: ffffffffffffffda RBX: 00007ffc9fb56f90 RCX: 0000000000446d1a
[ 74.597653][ T8471] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc9fb56f50
[ 74.605616][ T8471] RBP: 00007ffc9fb56f50 R08: 00007ffc9fb56f90 R09: 00007ffc00000015
[ 74.613589][ T8471] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 74.621546][ T8471] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 74.629530][ T8471]
[ 74.631883][ T8471] Allocated by task 8471:
[ 74.636242][ T8471]  kasan_save_stack+0x1b/0x40
[ 74.640919][ T8471]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 74.646545][ T8471]  __kmalloc+0x23d/0x490
[ 74.650785][ T8471]  squashfs_read_table+0xbb/0x1e0
[ 74.655797][ T8471]  squashfs_read_id_index_table+0xab/0x120
[ 74.661584][ T8471]  squashfs_fill_super+0xdd0/0x23b0
[ 74.666766][ T8471]  get_tree_bdev+0x421/0x740
[ 74.671350][ T8471]  vfs_get_tree+0x89/0x2f0
[ 74.675757][ T8471]  path_mount+0x13ad/0x20c0
[ 74.680263][ T8471]  __x64_sys_mount+0x27f/0x300
[ 74.685132][ T8471]  do_syscall_64+0x2d/0x70
[ 74.689554][ T8471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.695476][ T8471]
[ 74.697922][ T8471] Freed by task 8471:
[ 74.701896][ T8471]  kasan_save_stack+0x1b/0x40
[ 74.706575][ T8471]  kasan_set_track+0x1c/0x30
[ 74.711148][ T8471]  kasan_set_free_info+0x1b/0x30
[ 74.716083][ T8471]  __kasan_slab_free+0xd8/0x120
[ 74.720912][ T8471]  kfree+0xe8/0x240
[ 74.724703][ T8471]  squashfs_read_table+0x189/0x1e0
[ 74.729801][ T8471]  squashfs_read_id_index_table+0xab/0x120
[ 74.735607][ T8471]  squashfs_fill_super+0xdd0/0x23b0
[ 74.740827][ T8471]  get_tree_bdev+0x421/0x740
[ 74.745400][ T8471]  vfs_get_tree+0x89/0x2f0
[ 74.749816][ T8471]  path_mount+0x13ad/0x20c0
[ 74.754301][ T8471]  __x64_sys_mount+0x27f/0x300
[ 74.759084][ T8471]  do_syscall_64+0x2d/0x70
[ 74.763496][ T8471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.769374][ T8471]
[ 74.771802][ T8471] The buggy address belongs to the object at ffff88801e52f0c0
[ 74.771802][ T8471]  which belongs to the cache kmalloc-32 of size 32
[ 74.785689][ T8471] The buggy address is located 24 bytes inside of
[ 74.785689][ T8471]  32-byte region [ffff88801e52f0c0, ffff88801e52f0e0)
[ 74.798868][ T8471] The buggy address belongs to the page:
[ 74.804502][ T8471] page:000000009f69cbb3 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801e52ffc1 pfn:0x1e52f
[ 74.816130][ T8471] flags: 0xfff00000000200(slab)
[ 74.820994][ T8471] raw: 00fff00000000200 ffffea000053f4c8 ffff888010041250 ffff888010040100
[ 74.829576][ T8471] raw: ffff88801e52ffc1 ffff88801e52f000 000000010000003f 0000000000000000
[ 74.838140][ T8471] page dumped because: kasan: bad access detected
[ 74.844549][ T8471]
[ 74.846881][ T8471] Memory state around the buggy address:
[ 74.852495][ T8471]  ffff88801e52ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 74.860555][ T8471]  ffff88801e52f000: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[ 74.868616][ T8471] >ffff88801e52f080: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 74.876676][ T8471]                                                     ^
[ 74.883590][ T8471]  ffff88801e52f100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 74.891644][ T8471]  ffff88801e52f180: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 74.899698][ T8471] ==================================================================
[ 74.907848][ T8471] Disabling lock debugging due to kernel taint
[ 74.916855][ T8471] Kernel panic - not syncing: panic_on_warn set ...
[ 74.923454][ T8471] CPU: 1 PID: 8471 Comm: syz-executor067 Tainted: G B 5.10.0-rc6-syzkaller #0
[ 74.933606][ T8471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.943656][ T8471] Call Trace:
[ 74.946939][ T8471]  dump_stack+0x107/0x163
[ 74.951265][ T8471]  ? squashfs_get_id+0x160/0x1d0
[ 74.956194][ T8471]  panic+0x306/0x73d
[ 74.960110][ T8471]  ? __warn_printk+0xf3/0xf3
[ 74.964695][ T8471]  ? preempt_schedule_common+0x59/0xc0
[ 74.970144][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.975069][ T8471]  ? preempt_schedule_thunk+0x16/0x18
[ 74.980427][ T8471]  ? trace_hardirqs_on+0x51/0x1c0
[ 74.985427][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.990353][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.995282][ T8471]  end_report+0x58/0x5e
[ 74.999426][ T8471]  kasan_report.cold+0xd/0x37
[ 75.004080][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 75.008995][ T8471]  squashfs_get_id+0x1ae/0x1d0
[ 75.013750][ T8471]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 75.020154][ T8471]  ? squashfs_read_metadata+0x2f9/0x460
[ 75.025688][ T8471]  squashfs_read_inode+0x1b4/0x1b40
[ 75.030875][ T8471]  ? find_held_lock+0x2d/0x110
[ 75.035618][ T8471]  ? squashfs_read_id_index_table+0x120/0x120
[ 75.041662][ T8471]  ? new_inode+0x23b/0x2f0
[ 75.046083][ T8471]  ? lock_downgrade+0x6d0/0x6d0
[ 75.051187][ T8471]  ? do_raw_spin_lock+0x120/0x2b0
[ 75.056188][ T8471]  ? rwlock_bug.part.0+0x90/0x90
[ 75.061100][ T8471]  ? do_raw_spin_unlock+0x171/0x230
[ 75.066379][ T8471]  ? _raw_spin_unlock+0x24/0x40
[ 75.071204][ T8471]  ? new_inode+0x240/0x2f0
[ 75.075614][ T8471]  squashfs_fill_super+0x1140/0x23b0
[ 75.080906][ T8471]  get_tree_bdev+0x421/0x740
[ 75.085488][ T8471]  ? init_once+0x20/0x20
[ 75.089709][ T8471]  vfs_get_tree+0x89/0x2f0
[ 75.094117][ T8471]  path_mount+0x13ad/0x20c0
[ 75.098646][ T8471]  ? strncpy_from_user+0x2a0/0x3e0
[ 75.103754][ T8471]  ? finish_automount+0xac0/0xac0
[ 75.108773][ T8471]  ? getname_flags.part.0+0x1dd/0x4f0
[ 75.114147][ T8471]  __x64_sys_mount+0x27f/0x300
[ 75.118981][ T8471]  ? copy_mnt_ns+0xa60/0xa60
[ 75.123566][ T8471]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 75.129690][ T8471]  do_syscall_64+0x2d/0x70
[ 75.134088][ T8471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 75.140009][ T8471] RIP: 0033:0x446d1a
[ 75.143887][ T8471] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 75.163490][ T8471] RSP: 002b:00007ffc9fb56f38 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 75.171904][ T8471] RAX: ffffffffffffffda RBX: 00007ffc9fb56f90 RCX: 0000000000446d1a
[ 75.180036][ T8471] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc9fb56f50
[ 75.188037][ T8471] RBP: 00007ffc9fb56f50 R08: 00007ffc9fb56f90 R09: 00007ffc00000015
[ 75.196040][ T8471] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 75.204269][ T8471] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 75.212837][ T8471] Kernel Offset: disabled
[ 75.217175][ T8471] Rebooting in 86400 seconds..
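Added example, not part of the report above and not syzkaller or kernel code: a small parser that turns a KASAN console report such as this one into structured fields and then cross-checks those fields against each other, the way a triage script does before a human reads the trace. The sample input is a trimmed copy of the console lines above (dmesg prefixes kept). Two things are assumptions rather than facts from the report: the list of frame prefixes treated as sanitizer/allocator/stack-dumper plumbing when naming the "owning" code, and the shadow-byte legend, which follows generic KASAN in Linux 5.10 (00 addressable, fa/fb freed object, fc kmalloc redzone).

```python
"""Parse a KASAN console report into structured fields and cross-check it. Added
example, not syzkaller or kernel code; shadow legend assumed from Linux 5.10 KASAN."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the console lines in the report above.
SAMPLE = """\
[ 74.335007][ T8471] BUG: KASAN: use-after-free in squashfs_get_id+0x1ae/0x1d0
[ 74.342300][ T8471] Read of size 8 at addr ffff88801e52f0d8 by task syz-executor067/8471
[ 74.352970][ T8471] CPU: 1 PID: 8471 Comm: syz-executor067 Not tainted 5.10.0-rc6-syzkaller #0
[ 74.371852][ T8471] Call Trace:
[ 74.375272][ T8471]  dump_stack+0x107/0x163
[ 74.379641][ T8471]  ? squashfs_get_id+0x1ae/0x1d0
[ 74.426401][ T8471]  squashfs_get_id+0x1ae/0x1d0
[ 74.443181][ T8471]  squashfs_read_inode+0x1b4/0x1b40
[ 74.631883][ T8471] Allocated by task 8471:
[ 74.646545][ T8471]  __kmalloc+0x23d/0x490
[ 74.650785][ T8471]  squashfs_read_table+0xbb/0x1e0
[ 74.655797][ T8471]  squashfs_read_id_index_table+0xab/0x120
[ 74.695476][ T8471]
[ 74.697922][ T8471] Freed by task 8471:
[ 74.720912][ T8471]  kfree+0xe8/0x240
[ 74.724703][ T8471]  squashfs_read_table+0x189/0x1e0
[ 74.729801][ T8471]  squashfs_read_id_index_table+0xab/0x120
[ 74.769374][ T8471]
[ 74.771802][ T8471]  which belongs to the cache kmalloc-32 of size 32
[ 74.785689][ T8471]  32-byte region [ffff88801e52f0c0, ffff88801e52f0e0)
[ 74.868616][ T8471] >ffff88801e52f080: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")          # dmesg "[ time][ Tn] " prefix
FRAME = re.compile(r"^\s*(\?)?\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Assumed: sanitizer, allocator and stack-dumper frames, skipped when naming the owning code.
SKIP = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "end_report",
        "kfree", "kmalloc", "__kmalloc", "kmem_cache")
SHADOW = {0x00: "addressable", 0xfa: "freed object, first granule", 0xfb: "freed object",
          0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}

@dataclass
class KasanReport:
    bug_type: str = ""
    reported_func: str = ""          # function named on the "BUG: KASAN:" line
    access: str = ""                 # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""                   # "comm/pid" as printed
    kernel: str = ""
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    stacks: dict = field(default_factory=lambda: {"trace": [], "alloc": [], "free": []})
    shadow: dict = field(default_factory=dict)   # 8-byte granule address -> shadow byte

def parse(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := re.match(r"BUG: KASAN: (.+) in ([\w.]+)\+0x", line):
            r.bug_type, r.reported_func = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.search(r"Comm: \S+ (?:Not tainted|Tainted: .*?) (\d[\w.-]*) #\d+", line):
            r.kernel = m[1]
        elif line == "Call Trace:":
            section = "trace"
        elif m := re.match(r"(Allocated|Freed) by task \d+:", line):
            section = "alloc" if m[1] == "Allocated" else "free"
        elif section and (m := FRAME.match(line)):
            if not (section == "trace" and m[1]):       # "?" marks an unreliable frame
                r.stacks[section].append(m[2])
        elif m := re.search(r"cache (\S+) of size", line):
            r.cache = m[1]
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.obj_start, r.obj_end = int(m[1], 16), int(m[2], 16)
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            for i, b in enumerate(m[2].split()):         # one shadow byte per 8-byte granule
                r.shadow[int(m[1], 16) + 8 * i] = int(b, 16)
        else:
            section = None          # any other line (blank included) closes the current stack
    return r

def owner(frames):
    return next((f for f in frames if not f.startswith(SKIP)), None)

def triage(r: KasanReport) -> dict:
    """Cross-check the report's claims against each other and name the owning frames."""
    byte = r.shadow.get(r.addr & ~7)                     # shadow byte covering the access
    return {
        "guilty": owner(r.stacks["trace"]),
        "guilty_matches_bug_line": owner(r.stacks["trace"]) == r.reported_func,
        "offset_in_object": r.addr - r.obj_start,
        "access_inside_object": r.obj_start <= r.addr < r.addr + r.size <= r.obj_end,
        "shadow": SHADOW.get(byte, "other/partial granule"),
        "shadow_agrees_with_bug_type": (byte in (0xfa, 0xfb)) == (r.bug_type == "use-after-free"),
        "alloc_owner": owner(r.stacks["alloc"]), "free_owner": owner(r.stacks["free"]),
    }

REPORT = parse(SAMPLE)
TRIAGE = triage(REPORT)
if __name__ == "__main__": print(*TRIAGE.items(), sep="\n")
```

Run as a script (or import it and inspect REPORT and TRIAGE) and the checks a triager does by hand come out as data: the 8-byte read lands 24 bytes into the 32-byte kmalloc-32 object, the shadow byte under it is fb (freed), which agrees with the use-after-free verdict on the BUG line, and both the allocation and the free stacks bottom out in the same owning frame, squashfs_read_table called from squashfs_read_id_index_table. The script only checks the report for internal consistency; why the table was freed before squashfs_get_id read it is a question for the source, not for the log.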