[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.225' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 72.801414][ T34] audit: type=1400 audit(1607011246.847:8): avc: denied { execmem } for pid=8501 comm="syz-executor077" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 72.826841][ T8501] ==================================================================
[ 72.835100][ T8501] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0
[ 72.842742][ T8501] Read of size 8 at addr ffff88801d590860 by task syz-executor077/8501
[ 72.850985][ T8501]
[ 72.853331][ T8501] CPU: 1 PID: 8501 Comm: syz-executor077 Not tainted 5.10.0-rc6-syzkaller #0
[ 72.862116][ T8501] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.872185][ T8501] Call Trace:
[ 72.875501][ T8501]  dump_stack+0x107/0x163
[ 72.879850][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 72.884805][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 72.889751][ T8501]  print_address_description.constprop.0.cold+0xae/0x497
[ 72.896888][ T8501]  ? _raw_spin_lock_irqsave+0x4e/0x50
[ 72.902246][ T8501]  ? vprintk_func+0x95/0x1e0
[ 72.906821][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 72.911842][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 72.916782][ T8501]  kasan_report.cold+0x1f/0x37
[ 72.921531][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 72.926474][ T8501]  squashfs_get_id+0x1ae/0x1d0
[ 72.931288][ T8501]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 72.937698][ T8501]  ? squashfs_read_metadata+0x2f9/0x460
[ 72.943239][ T8501]  squashfs_read_inode+0x1b4/0x1b40
[ 72.948441][ T8501]  ? find_held_lock+0x2d/0x110
[ 72.953202][ T8501]  ? squashfs_read_id_index_table+0x120/0x120
[ 72.959261][ T8501]  ? new_inode+0x23b/0x2f0
[ 72.963666][ T8501]  ? lock_downgrade+0x6d0/0x6d0
[ 72.968504][ T8501]  ? do_raw_spin_lock+0x120/0x2b0
[ 72.973528][ T8501]  ? rwlock_bug.part.0+0x90/0x90
[ 72.978456][ T8501]  ? do_raw_spin_unlock+0x171/0x230
[ 72.983648][ T8501]  ? _raw_spin_unlock+0x24/0x40
[ 72.988480][ T8501]  ? new_inode+0x240/0x2f0
[ 72.992890][ T8501]  squashfs_fill_super+0x1140/0x23b0
[ 72.998173][ T8501]  get_tree_bdev+0x421/0x740
[ 73.002747][ T8501]  ? init_once+0x20/0x20
[ 73.006973][ T8501]  vfs_get_tree+0x89/0x2f0
[ 73.011371][ T8501]  path_mount+0x13ad/0x20c0
[ 73.015860][ T8501]  ? strncpy_from_user+0x2a0/0x3e0
[ 73.020974][ T8501]  ? finish_automount+0xac0/0xac0
[ 73.025983][ T8501]  ? getname_flags.part.0+0x1dd/0x4f0
[ 73.031367][ T8501]  __x64_sys_mount+0x27f/0x300
[ 73.036111][ T8501]  ? copy_mnt_ns+0xa60/0xa60
[ 73.040703][ T8501]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 73.046612][ T8501]  do_syscall_64+0x2d/0x70
[ 73.051042][ T8501]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.056937][ T8501] RIP: 0033:0x446d2a
[ 73.060820][ T8501] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 73.080575][ T8501] RSP: 002b:00007ffd57dbe818 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 73.089001][ T8501] RAX: ffffffffffffffda RBX: 00007ffd57dbe870 RCX: 0000000000446d2a
[ 73.096978][ T8501] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd57dbe830
[ 73.105041][ T8501] RBP: 00007ffd57dbe830 R08: 00007ffd57dbe870 R09: 00007ffd00000015
[ 73.113016][ T8501] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 73.120991][ T8501] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 73.128972][ T8501]
[ 73.131289][ T8501] Allocated by task 8501:
[ 73.135602][ T8501]  kasan_save_stack+0x1b/0x40
[ 73.140258][ T8501]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 73.145883][ T8501]  __kmalloc+0x23d/0x490
[ 73.150119][ T8501]  squashfs_read_table+0x43/0x1e0
[ 73.155140][ T8501]  squashfs_read_xattr_id_table+0x191/0x220
[ 73.161021][ T8501]  squashfs_fill_super+0xcfb/0x23b0
[ 73.166211][ T8501]  get_tree_bdev+0x421/0x740
[ 73.170788][ T8501]  vfs_get_tree+0x89/0x2f0
[ 73.175183][ T8501]  path_mount+0x13ad/0x20c0
[ 73.180806][ T8501]  __x64_sys_mount+0x27f/0x300
[ 73.185552][ T8501]  do_syscall_64+0x2d/0x70
[ 73.189959][ T8501]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.195845][ T8501]
[ 73.198154][ T8501] The buggy address belongs to the object at ffff88801d590840
[ 73.198154][ T8501]  which belongs to the cache kmalloc-32 of size 32
[ 73.212100][ T8501] The buggy address is located 0 bytes to the right of
[ 73.212100][ T8501]  32-byte region [ffff88801d590840, ffff88801d590860)
[ 73.225624][ T8501] The buggy address belongs to the page:
[ 73.231249][ T8501] page:000000006a5c1217 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801d590fc1 pfn:0x1d590
[ 73.243900][ T8501] flags: 0xfff00000000200(slab)
[ 73.248776][ T8501] raw: 00fff00000000200 ffffea000073e388 ffff888010041250 ffff888010040100
[ 73.257340][ T8501] raw: ffff88801d590fc1 ffff88801d590000 000000010000003f 0000000000000000
[ 73.265907][ T8501] page dumped because: kasan: bad access detected
[ 73.272302][ T8501]
[ 73.274618][ T8501] Memory state around the buggy address:
[ 73.280231][ T8501]  ffff88801d590700: 00 fc fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
[ 73.288274][ T8501]  ffff88801d590780: 00 03 fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 73.296330][ T8501] >ffff88801d590800: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[ 73.304368][ T8501]                                                        ^
[ 73.315054][ T8501]  ffff88801d590880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 73.323163][ T8501]  ffff88801d590900: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[ 73.331324][ T8501] ==================================================================
[ 73.339542][ T8501] Disabling lock debugging due to kernel taint
[ 73.346484][ T8501] Kernel panic - not syncing: panic_on_warn set ...
[ 73.353085][ T8501] CPU: 1 PID: 8501 Comm: syz-executor077 Tainted: G B 5.10.0-rc6-syzkaller #0
[ 73.363220][ T8501] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.373261][ T8501] Call Trace:
[ 73.376647][ T8501]  dump_stack+0x107/0x163
[ 73.380956][ T8501]  ? squashfs_get_id+0x160/0x1d0
[ 73.385875][ T8501]  panic+0x306/0x73d
[ 73.389747][ T8501]  ? __warn_printk+0xf3/0xf3
[ 73.394315][ T8501]  ? preempt_schedule_common+0x59/0xc0
[ 73.399747][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 73.404657][ T8501]  ? preempt_schedule_thunk+0x16/0x18
[ 73.410001][ T8501]  ? trace_hardirqs_on+0x51/0x1c0
[ 73.415023][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 73.419939][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 73.424871][ T8501]  end_report+0x58/0x5e
[ 73.429007][ T8501]  kasan_report.cold+0xd/0x37
[ 73.433662][ T8501]  ? squashfs_get_id+0x1ae/0x1d0
[ 73.438587][ T8501]  squashfs_get_id+0x1ae/0x1d0
[ 73.443327][ T8501]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 73.449817][ T8501]  ? squashfs_read_metadata+0x2f9/0x460
[ 73.455822][ T8501]  squashfs_read_inode+0x1b4/0x1b40
[ 73.461038][ T8501]  ? find_held_lock+0x2d/0x110
[ 73.465786][ T8501]  ? squashfs_read_id_index_table+0x120/0x120
[ 73.471843][ T8501]  ? new_inode+0x23b/0x2f0
[ 73.476252][ T8501]  ? lock_downgrade+0x6d0/0x6d0
[ 73.481076][ T8501]  ? do_raw_spin_lock+0x120/0x2b0
[ 73.486170][ T8501]  ? rwlock_bug.part.0+0x90/0x90
[ 73.491091][ T8501]  ? do_raw_spin_unlock+0x171/0x230
[ 73.496267][ T8501]  ? _raw_spin_unlock+0x24/0x40
[ 73.501095][ T8501]  ? new_inode+0x240/0x2f0
[ 73.505511][ T8501]  squashfs_fill_super+0x1140/0x23b0
[ 73.510800][ T8501]  get_tree_bdev+0x421/0x740
[ 73.515367][ T8501]  ? init_once+0x20/0x20
[ 73.519584][ T8501]  vfs_get_tree+0x89/0x2f0
[ 73.523976][ T8501]  path_mount+0x13ad/0x20c0
[ 73.528458][ T8501]  ? strncpy_from_user+0x2a0/0x3e0
[ 73.533554][ T8501]  ? finish_automount+0xac0/0xac0
[ 73.538648][ T8501]  ? getname_flags.part.0+0x1dd/0x4f0
[ 73.544023][ T8501]  __x64_sys_mount+0x27f/0x300
[ 73.548767][ T8501]  ? copy_mnt_ns+0xa60/0xa60
[ 73.553334][ T8501]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 73.559212][ T8501]  do_syscall_64+0x2d/0x70
[ 73.563623][ T8501]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.569490][ T8501] RIP: 0033:0x446d2a
[ 73.573374][ T8501] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 73.592953][ T8501] RSP: 002b:00007ffd57dbe818 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 73.601352][ T8501] RAX: ffffffffffffffda RBX: 00007ffd57dbe870 RCX: 0000000000446d2a
[ 73.609299][ T8501] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd57dbe830
[ 73.617258][ T8501] RBP: 00007ffd57dbe830 R08: 00007ffd57dbe870 R09: 00007ffd00000015
[ 73.625204][ T8501] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 73.633151][ T8501] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 73.641947][ T8501] Kernel Offset: disabled
[ 73.646269][ T8501] Rebooting in 86400 seconds..