[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.10' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 60.381703][ T6858] ==================================================================
[ 60.389863][ T6858] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0
[ 60.397483][ T6858] Read of size 8 at addr ffff88809f6766f8 by task syz-executor432/6858
[ 60.405694][ T6858]
[ 60.408050][ T6858] CPU: 1 PID: 6858 Comm: syz-executor432 Not tainted 5.9.0-rc6-syzkaller #0
[ 60.416697][ T6858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.426906][ T6858] Call Trace:
[ 60.430190][ T6858] dump_stack+0x198/0x1fd
[ 60.434623][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 60.439546][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 60.444475][ T6858] print_address_description.constprop.0.cold+0xae/0x497
[ 60.451531][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 60.456449][ T6858] ? lockdep_hardirqs_off+0x96/0xd0
[ 60.461643][ T6858] ? vprintk_func+0x95/0x1d4
[ 60.466227][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 60.471163][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 60.476080][ T6858] kasan_report.cold+0x1f/0x37
[ 60.480845][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 60.485760][ T6858] squashfs_get_id+0x1ae/0x1d0
[ 60.490519][ T6858] ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 60.496964][ T6858] ? squashfs_read_metadata+0x2e5/0x3b0
[ 60.502503][ T6858] squashfs_read_inode+0x197/0x1940
[ 60.507720][ T6858] ? squashfs_read_id_index_table+0xf0/0xf0
[ 60.513956][ T6858] ? new_inode+0x23b/0x2f0
[ 60.518490][ T6858] ? lock_downgrade+0x830/0x830
[ 60.523331][ T6858] ? do_raw_spin_lock+0x120/0x2b0
[ 60.528398][ T6858] ? rwlock_bug.part.0+0x90/0x90
[ 60.533318][ T6858] ? inode_init_always+0xa98/0xd10
[ 60.538489][ T6858] ? do_raw_spin_unlock+0x171/0x230
[ 60.543875][ T6858] ? _raw_spin_unlock+0x24/0x40
[ 60.548703][ T6858] ? new_inode+0x240/0x2f0
[ 60.553108][ T6858] squashfs_fill_super+0x1079/0x1ecf
[ 60.558466][ T6858] get_tree_bdev+0x421/0x740
[ 60.563081][ T6858] ? init_once+0x20/0x20
[ 60.567352][ T6858] vfs_get_tree+0x89/0x2f0
[ 60.572024][ T6858] path_mount+0x1387/0x20a0
[ 60.576580][ T6858] ? strncpy_from_user+0x2bf/0x3e0
[ 60.581702][ T6858] ? copy_mount_string+0x40/0x40
[ 60.586643][ T6858] ? getname_flags.part.0+0x1dd/0x4f0
[ 60.592017][ T6858] __x64_sys_mount+0x27f/0x300
[ 60.596775][ T6858] ? copy_mnt_ns+0xa60/0xa60
[ 60.601348][ T6858] ? check_preemption_disabled+0x50/0x130
[ 60.607215][ T6858] ? syscall_enter_from_user_mode+0x1d/0x60
[ 60.613139][ T6858] do_syscall_64+0x2d/0x70
[ 60.617544][ T6858] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.623420][ T6858] RIP: 0033:0x446d1a
[ 60.627297][ T6858] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 60.647232][ T6858] RSP: 002b:00007ffcecd1f658 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 60.655693][ T6858] RAX: ffffffffffffffda RBX: 00007ffcecd1f6b0 RCX: 0000000000446d1a
[ 60.663651][ T6858] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007ffcecd1f670
[ 60.671773][ T6858] RBP: 00007ffcecd1f670 R08: 00007ffcecd1f6b0 R09: 00007ffc00000015
[ 60.679750][ T6858] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 60.687719][ T6858] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 60.695711][ T6858]
[ 60.698024][ T6858] Allocated by task 6858:
[ 60.702362][ T6858] kasan_save_stack+0x1b/0x40
[ 60.707017][ T6858] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.712647][ T6858] __kmalloc+0x1b0/0x360
[ 60.716897][ T6858] squashfs_read_table+0xbb/0x1d9
[ 60.721912][ T6858] squashfs_read_xattr_id_table+0x198/0x1f0
[ 60.727816][ T6858] squashfs_fill_super+0xc12/0x1ecf
[ 60.732993][ T6858] get_tree_bdev+0x421/0x740
[ 60.737698][ T6858] vfs_get_tree+0x89/0x2f0
[ 60.742103][ T6858] path_mount+0x1387/0x20a0
[ 60.746602][ T6858] __x64_sys_mount+0x27f/0x300
[ 60.751369][ T6858] do_syscall_64+0x2d/0x70
[ 60.755882][ T6858] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.761788][ T6858]
[ 60.764116][ T6858] Freed by task 6858:
[ 60.768092][ T6858] kasan_save_stack+0x1b/0x40
[ 60.772774][ T6858] kasan_set_track+0x1c/0x30
[ 60.777360][ T6858] kasan_set_free_info+0x1b/0x30
[ 60.782291][ T6858] __kasan_slab_free+0xd8/0x120
[ 60.787564][ T6858] kfree+0x10e/0x2b0
[ 60.791484][ T6858] squashfs_read_table+0x189/0x1d9
[ 60.796574][ T6858] squashfs_read_xattr_id_table+0x198/0x1f0
[ 60.802963][ T6858] squashfs_fill_super+0xc12/0x1ecf
[ 60.808155][ T6858] get_tree_bdev+0x421/0x740
[ 60.812810][ T6858] vfs_get_tree+0x89/0x2f0
[ 60.817206][ T6858] path_mount+0x1387/0x20a0
[ 60.824862][ T6858] __x64_sys_mount+0x27f/0x300
[ 60.831776][ T6858] do_syscall_64+0x2d/0x70
[ 60.836299][ T6858] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.842203][ T6858]
[ 60.844556][ T6858] The buggy address belongs to the object at ffff88809f6766c0
[ 60.844556][ T6858]  which belongs to the cache kmalloc-32 of size 32
[ 60.858889][ T6858] The buggy address is located 24 bytes to the right of
[ 60.858889][ T6858]  32-byte region [ffff88809f6766c0, ffff88809f6766e0)
[ 60.872856][ T6858] The buggy address belongs to the page:
[ 60.878491][ T6858] page:000000000f284c12 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f676fc1 pfn:0x9f676
[ 60.890275][ T6858] flags: 0xfffe0000000200(slab)
[ 60.895113][ T6858] raw: 00fffe0000000200 ffffea0002814b08 ffffea0002858e88 ffff8880aa040100
[ 60.903774][ T6858] raw: ffff88809f676fc1 ffff88809f676000 000000010000003f 0000000000000000
[ 60.912397][ T6858] page dumped because: kasan: bad access detected
[ 60.918792][ T6858]
[ 60.921105][ T6858] Memory state around the buggy address:
[ 60.926803][ T6858]  ffff88809f676580: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 60.934898][ T6858]  ffff88809f676600: 00 fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 60.942945][ T6858] >ffff88809f676680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 60.950993][ T6858]                                                                 ^
[ 60.958954][ T6858]  ffff88809f676700: 00 fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 60.967013][ T6858]  ffff88809f676780: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 60.975048][ T6858] ==================================================================
[ 60.983098][ T6858] Disabling lock debugging due to kernel taint
[ 60.989907][ T6858] Kernel panic - not syncing: panic_on_warn set ...
[ 60.996510][ T6858] CPU: 1 PID: 6858 Comm: syz-executor432 Tainted: G B 5.9.0-rc6-syzkaller #0
[ 61.006588][ T6858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.016640][ T6858] Call Trace:
[ 61.020124][ T6858] dump_stack+0x198/0x1fd
[ 61.024440][ T6858] ? squashfs_get_id+0x170/0x1d0
[ 61.029352][ T6858] panic+0x382/0x7fb
[ 61.033237][ T6858] ? __warn_printk+0xf3/0xf3
[ 61.037808][ T6858] ? preempt_schedule_common+0x59/0xc0
[ 61.043240][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 61.048151][ T6858] ? preempt_schedule_thunk+0x16/0x18
[ 61.053513][ T6858] ? trace_hardirqs_on+0x55/0x220
[ 61.058528][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 61.063469][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 61.068380][ T6858] end_report+0x4d/0x53
[ 61.072511][ T6858] kasan_report.cold+0xd/0x37
[ 61.077173][ T6858] ? squashfs_get_id+0x1ae/0x1d0
[ 61.082105][ T6858] squashfs_get_id+0x1ae/0x1d0
[ 61.086864][ T6858] ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 61.093540][ T6858] ? squashfs_read_metadata+0x2e5/0x3b0
[ 61.099112][ T6858] squashfs_read_inode+0x197/0x1940
[ 61.104284][ T6858] ? squashfs_read_id_index_table+0xf0/0xf0
[ 61.110162][ T6858] ? new_inode+0x23b/0x2f0
[ 61.114736][ T6858] ? lock_downgrade+0x830/0x830
[ 61.119573][ T6858] ? do_raw_spin_lock+0x120/0x2b0
[ 61.124609][ T6858] ? rwlock_bug.part.0+0x90/0x90
[ 61.129523][ T6858] ? inode_init_always+0xa98/0xd10
[ 61.134606][ T6858] ? do_raw_spin_unlock+0x171/0x230
[ 61.139795][ T6858] ? _raw_spin_unlock+0x24/0x40
[ 61.144629][ T6858] ? new_inode+0x240/0x2f0
[ 61.149038][ T6858] squashfs_fill_super+0x1079/0x1ecf
[ 61.154354][ T6858] get_tree_bdev+0x421/0x740
[ 61.159049][ T6858] ? init_once+0x20/0x20
[ 61.163336][ T6858] vfs_get_tree+0x89/0x2f0
[ 61.167742][ T6858] path_mount+0x1387/0x20a0
[ 61.172286][ T6858] ? strncpy_from_user+0x2bf/0x3e0
[ 61.177489][ T6858] ? copy_mount_string+0x40/0x40
[ 61.182543][ T6858] ? getname_flags.part.0+0x1dd/0x4f0
[ 61.188030][ T6858] __x64_sys_mount+0x27f/0x300
[ 61.192834][ T6858] ? copy_mnt_ns+0xa60/0xa60
[ 61.197767][ T6858] ? check_preemption_disabled+0x50/0x130
[ 61.203601][ T6858] ? syscall_enter_from_user_mode+0x1d/0x60
[ 61.209476][ T6858] do_syscall_64+0x2d/0x70
[ 61.214009][ T6858] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.219983][ T6858] RIP: 0033:0x446d1a
[ 61.223872][ T6858] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 61.243464][ T6858] RSP: 002b:00007ffcecd1f658 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 61.251851][ T6858] RAX: ffffffffffffffda RBX: 00007ffcecd1f6b0 RCX: 0000000000446d1a
[ 61.259795][ T6858] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007ffcecd1f670
[ 61.267856][ T6858] RBP: 00007ffcecd1f670 R08: 00007ffcecd1f6b0 R09: 00007ffc00000015
[ 61.276167][ T6858] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 61.284128][ T6858] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 61.293403][ T6858] Kernel Offset: disabled
[ 61.297721][ T6858] Rebooting in 86400 seconds..