Warning: Permanently added '10.128.1.46' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
[   37.393890] SQUASHFS error: squashfs_read_data failed to read block 0x0
[   37.401165] SQUASHFS error: Unable to read metadata cache entry [0]
[   37.409050] SQUASHFS error: Unable to read inode 0x99001a
executing program
[   37.478897] ==================================================================
[   37.486471] BUG: KASAN: use-after-free in squashfs_get_id+0x1ae/0x1d0
[   37.493076] Read of size 8 at addr ffff8880b0a88780 by task syz-executor734/8129
[   37.500643] 
[   37.502288] CPU: 0 PID: 8129 Comm: syz-executor734 Not tainted 4.19.161-syzkaller #0
[   37.510191] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.519565] Call Trace:
[   37.522172]  dump_stack+0x1fc/0x2fe
[   37.525826]  print_address_description.cold+0x54/0x219
[   37.531130]  kasan_report_error.cold+0x8a/0x1c7
[   37.535820]  ? squashfs_get_id+0x1ae/0x1d0
[   37.540272]  __asan_report_load8_noabort+0x88/0x90
[   37.546185]  ? squashfs_get_id+0x1ae/0x1d0
[   37.550436]  squashfs_get_id+0x1ae/0x1d0
[   37.554605]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[   37.560333]  ? squashfs_read_metadata+0x2f9/0x460
[   37.565186]  squashfs_read_inode+0x1b4/0x1b40
[   37.569690]  ? lock_downgrade+0x720/0x720
[   37.573843]  ? squashfs_read_id_index_table+0x120/0x120
[   37.579215]  ? map_id_range_down+0x1c4/0x340
[   37.583630]  ? new_inode+0xc7/0xf0
[   37.587232]  ? do_raw_spin_lock+0xcb/0x220
[   37.591493]  ? do_raw_spin_unlock+0x171/0x230
[   37.595992]  squashfs_fill_super+0x1655/0x1c00
[   37.600590]  mount_bdev+0x2fc/0x3b0
[   37.604231]  ? squashfs_alloc_inode+0x40/0x40
[   37.608744]  mount_fs+0xa3/0x30c
[   37.612105]  vfs_kern_mount.part.0+0x68/0x470
[   37.616633]  do_mount+0x113c/0x2f10
[   37.620280]  ? __do_page_fault+0x180/0xd60
[   37.624536]  ? copy_mount_string+0x40/0x40
[   37.628789]  ? copy_mount_options+0x1cd/0x380
[   37.633288]  ? copy_mount_options+0x1da/0x380
[   37.637804]  ? copy_mount_options+0x1e9/0x380
[   37.642412]  ? copy_mount_options+0x26f/0x380
[   37.647349]  ksys_mount+0xcf/0x130
[   37.650894]  __x64_sys_mount+0xba/0x150
[   37.654908]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   37.659495]  do_syscall_64+0xf9/0x620
[   37.663308]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.668493] RIP: 0033:0x447cca
[   37.671855] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[   37.691634] RSP: 002b:00007ffffc0f2ad8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   37.699338] RAX: ffffffffffffffda RBX: 00007ffffc0f2b30 RCX: 0000000000447cca
[   37.706618] RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007ffffc0f2af0
[   37.714010] RBP: 00007ffffc0f2af0 R08: 00007ffffc0f2b30 R09: 0000000000000000
[   37.721298] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   37.728568] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   37.735862] 
[   37.737494] Allocated by task 8129:
[   37.741128]  __kmalloc+0x15a/0x3c0
[   37.744680]  squashfs_read_table+0xc2/0x1e3
[   37.749018]  squashfs_read_xattr_id_table+0x2b/0x220
[   37.754149]  squashfs_fill_super+0xc28/0x1c00
[   37.758657]  mount_bdev+0x2fc/0x3b0
[   37.762299]  mount_fs+0xa3/0x30c
[   37.765687]  vfs_kern_mount.part.0+0x68/0x470
[   37.770201]  do_mount+0x113c/0x2f10
[   37.773866]  ksys_mount+0xcf/0x130
[   37.777557]  __x64_sys_mount+0xba/0x150
[   37.781666]  do_syscall_64+0xf9/0x620
[   37.785505]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.790683] 
[   37.792296] Freed by task 8129:
[   37.795567]  kfree+0xcc/0x210
[   37.798662]  squashfs_read_table+0x191/0x1e3
[   37.803058]  squashfs_read_xattr_id_table+0x2b/0x220
[   37.808154]  squashfs_fill_super+0xc28/0x1c00
[   37.812729]  mount_bdev+0x2fc/0x3b0
[   37.816350]  mount_fs+0xa3/0x30c
[   37.819707]  vfs_kern_mount.part.0+0x68/0x470
[   37.824206]  do_mount+0x113c/0x2f10
[   37.827849]  ksys_mount+0xcf/0x130
[   37.831477]  __x64_sys_mount+0xba/0x150
[   37.835453]  do_syscall_64+0xf9/0x620
[   37.839239]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.844438] 
[   37.846056] The buggy address belongs to the object at ffff8880b0a88780
[   37.846056]  which belongs to the cache kmalloc-32 of size 32
[   37.858647] The buggy address is located 0 bytes inside of
[   37.858647]  32-byte region [ffff8880b0a88780, ffff8880b0a887a0)
[   37.870347] The buggy address belongs to the page:
[   37.875291] page:ffffea0002c2a200 count:1 mapcount:0 mapping:ffff88813bff01c0 index:0xffff8880b0a88fc1
[   37.884732] flags: 0xfff00000000100(slab)
[   37.888895] raw: 00fff00000000100 ffffea0002c2ee08 ffffea0002bff148 ffff88813bff01c0
[   37.896778] raw: ffff8880b0a88fc1 ffff8880b0a88000 000000010000003f 0000000000000000
[   37.904673] page dumped because: kasan: bad access detected
[   37.910372] 
[   37.911998] Memory state around the buggy address:
[   37.916913]  ffff8880b0a88680: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[   37.924290]  ffff8880b0a88700: 00 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   37.931654] >ffff8880b0a88780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   37.939024]                    ^
[   37.942392]  ffff8880b0a88800: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   37.949897]  ffff8880b0a88880: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   37.957425] ==================================================================
[   37.964782] Disabling lock debugging due to kernel taint
[   37.984297] Kernel panic - not syncing: panic_on_warn set ...
[   37.984297] 
[   37.991797] CPU: 1 PID: 8129 Comm: syz-executor734 Tainted: G    B             4.19.161-syzkaller #0
[   38.001113] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.010457] Call Trace:
[   38.013060]  dump_stack+0x1fc/0x2fe
[   38.016694]  panic+0x26a/0x50e
[   38.020006]  ? __warn_printk+0xf3/0xf3
[   38.023889]  ? preempt_schedule_common+0x45/0xc0
[   38.028761]  ? ___preempt_schedule+0x16/0x18
[   38.033215]  ? trace_hardirqs_on+0x55/0x210
[   38.037661]  kasan_end_report+0x43/0x49
[   38.041633]  kasan_report_error.cold+0xa7/0x1c7
[   38.046314]  ? squashfs_get_id+0x1ae/0x1d0
[   38.050543]  __asan_report_load8_noabort+0x88/0x90
[   38.055471]  ? squashfs_get_id+0x1ae/0x1d0
[   38.059700]  squashfs_get_id+0x1ae/0x1d0
[   38.063754]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[   38.069501]  ? squashfs_read_metadata+0x2f9/0x460
[   38.074474]  squashfs_read_inode+0x1b4/0x1b40
[   38.078969]  ? lock_downgrade+0x720/0x720
[   38.083106]  ? squashfs_read_id_index_table+0x120/0x120
[   38.088466]  ? map_id_range_down+0x1c4/0x340
[   38.092879]  ? new_inode+0xc7/0xf0
[   38.096413]  ? do_raw_spin_lock+0xcb/0x220
[   38.100654]  ? do_raw_spin_unlock+0x171/0x230
[   38.105320]  squashfs_fill_super+0x1655/0x1c00
[   38.109925]  mount_bdev+0x2fc/0x3b0
[   38.113544]  ? squashfs_alloc_inode+0x40/0x40
[   38.118082]  mount_fs+0xa3/0x30c
[   38.121536]  vfs_kern_mount.part.0+0x68/0x470
[   38.126058]  do_mount+0x113c/0x2f10
[   38.129696]  ? __do_page_fault+0x180/0xd60
[   38.133931]  ? copy_mount_string+0x40/0x40
[   38.138403]  ? copy_mount_options+0x1cd/0x380
[   38.143945]  ? copy_mount_options+0x1da/0x380
[   38.148546]  ? copy_mount_options+0x1e9/0x380
[   38.153035]  ? copy_mount_options+0x26f/0x380
[   38.157549]  ksys_mount+0xcf/0x130
[   38.161095]  __x64_sys_mount+0xba/0x150
[   38.165062]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   38.169658]  do_syscall_64+0xf9/0x620
[   38.173465]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   38.178640] RIP: 0033:0x447cca
[   38.181829] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[   38.200807] RSP: 002b:00007ffffc0f2ad8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[   38.218105] RAX: ffffffffffffffda RBX: 00007ffffc0f2b30 RCX: 0000000000447cca
[   38.225374] RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007ffffc0f2af0
[   38.232631] RBP: 00007ffffc0f2af0 R08: 00007ffffc0f2b30 R09: 0000000000000000
[   38.239978] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[   38.247282] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   38.255101] Kernel Offset: disabled
[   38.258743] Rebooting in 86400 seconds..
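The log above is the raw form in which syzbot attaches a KASAN crash to a bug. For triage it helps to reduce it mechanically to its dedup key (syzbot's title convention "KASAN: <bug> <Read|Write> in <func>"), the alloc/free sites and the state of the faulting address. The parser below is an added example written for this page; it is not code from syzkaller, syzbot or the kernel. It strips the dmesg timestamps, pulls the BUG header, the access line, the kernel version, the three stacks (dropping the unwinder's unverified "?" entries), the slab cache, and decodes the shadow byte covering the faulting address using the generic KASAN shadow encoding. SAMPLE is a constructed excerpt of the report above; the field names are my own.

```python
import re

# Kernel log prefix such as "[   37.486471] ", stripped before matching.
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_HEADER = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
_ACCESS = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task (?P<task>\S+)/(?P<pid>\d+)")
_CPU = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: .*?) (?P<kernel>\S+) #\d+")
_FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_CACHE = re.compile(r"cache (?P<cache>[\w-]+) of size \d+")
_SHADOW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Generic KASAN shadow-byte encoding (mm/kasan/kasan.h); one shadow byte covers 8 bytes.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed kmalloc object",
                  0xfc: "kmalloc redzone", 0xfa: "global redzone"}


def parse_kasan_report(text):
    """Extract the triage-relevant fields of the first KASAN report in a log."""
    report = {"bug": None, "func": None, "op": None, "size": None, "addr": None,
              "task": None, "pid": None, "kernel": None, "cache": None,
              "call_trace": [], "alloc_trace": [], "free_trace": [], "shadow": None}
    section = None  # name of the stack currently being collected, if any
    for raw in text.splitlines():
        line = _TS.sub("", raw.rstrip())
        if section:
            m = _FRAME.match(line)
            if m:  # "? sym" entries are stale stack slots the unwinder could not verify
                if not m.group("unreliable"):
                    report[section].append(m.group("sym"))
                continue
            section = None  # any non-frame line (blank, "RIP:", ...) ends the stack
        if (m := _HEADER.match(line)) and report["bug"] is None:
            report["bug"], report["func"] = m.group("bug"), m.group("func")
        elif m := _ACCESS.match(line):
            report.update(op=m.group("op"), size=int(m.group("size")), task=m.group("task"),
                          addr=int(m.group("addr"), 16), pid=int(m.group("pid")))
        elif (m := _CPU.match(line)) and report["kernel"] is None:
            report["kernel"] = m.group("kernel")
        elif line.startswith("Call Trace:") and not report["call_trace"]:
            section = "call_trace"  # only the first (faulting) trace, not the panic one
        elif line.startswith("Allocated by task"):
            section = "alloc_trace"
        elif line.startswith("Freed by task"):
            section = "free_trace"
        elif m := _CACHE.search(line):
            report["cache"] = m.group("cache")
        elif (m := _SHADOW.match(line)) and report["addr"] is not None:
            base = int(m.group("base"), 16)
            if base <= report["addr"] < base + 16 * 8:  # a row holds 16 shadow bytes
                idx = (report["addr"] - base) // 8
                report["shadow"] = int(m.group("bytes").split()[idx], 16)
    return report


def syzbot_title(report):
    """Dedup key in syzbot's title convention, e.g. 'KASAN: use-after-free Read in f'."""
    return f"KASAN: {report['bug']} {report['op']} in {report['func']}"


def shadow_meaning(byte):
    if byte is None:
        return "unknown"
    if 1 <= byte <= 7:
        return f"partially addressable ({byte} of 8 bytes)"
    return SHADOW_MEANING.get(byte, f"0x{byte:02x}")


# Constructed excerpt of the report on this page (frames trimmed).
SAMPLE = """\
[   37.486471] BUG: KASAN: use-after-free in squashfs_get_id+0x1ae/0x1d0
[   37.493076] Read of size 8 at addr ffff8880b0a88780 by task syz-executor734/8129
[   37.502288] CPU: 0 PID: 8129 Comm: syz-executor734 Not tainted 4.19.161-syzkaller #0
[   37.519565] Call Trace:
[   37.522172]  dump_stack+0x1fc/0x2fe
[   37.535820]  ? squashfs_get_id+0x1ae/0x1d0
[   37.550436]  squashfs_get_id+0x1ae/0x1d0
[   37.565186]  squashfs_read_inode+0x1b4/0x1b40
[   37.595992]  squashfs_fill_super+0x1655/0x1c00
[   37.668493] RIP: 0033:0x447cca
[   37.737494] Allocated by task 8129:
[   37.741128]  __kmalloc+0x15a/0x3c0
[   37.744680]  squashfs_read_table+0xc2/0x1e3
[   37.749018]  squashfs_read_xattr_id_table+0x2b/0x220
[   37.790683] 
[   37.792296] Freed by task 8129:
[   37.795567]  kfree+0xcc/0x210
[   37.798662]  squashfs_read_table+0x191/0x1e3
[   37.803058]  squashfs_read_xattr_id_table+0x2b/0x220
[   37.844438] 
[   37.846056] The buggy address belongs to the object at ffff8880b0a88780
[   37.846056]  which belongs to the cache kmalloc-32 of size 32
[   37.911998] Memory state around the buggy address:
[   37.924290]  ffff8880b0a88700: 00 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   37.931654] >ffff8880b0a88780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
"""

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(syzbot_title(r))
    print(f"{r['op']} of {r['size']} bytes in {r['cache']}; shadow: {shadow_meaning(r['shadow'])}")
    print("allocated via:", " <- ".join(r["alloc_trace"]))
    print("freed via:    ", " <- ".join(r["free_trace"]))
```

Run against the excerpt it prints the syzbot title "KASAN: use-after-free Read in squashfs_get_id" and shows that the 8-byte read landed on a kmalloc-32 object whose shadow byte is 0xfb, i.e. freed, with both the allocation and the free coming from squashfs_read_table under squashfs_read_xattr_id_table. The "?" frames are dropped on purpose: on x86 they are stack slots the ORC/frame-pointer unwinder could not verify and should not feed a dedup key.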