[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 25.596275] kauditd_printk_skb: 7 callbacks suppressed [ 25.596288] audit: type=1800 audit(1539640325.027:29): pid=5186 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 25.628154] audit: type=1800 audit(1539640325.027:30): pid=5186 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 37.184194] ================================================================== [ 37.192124] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7ad/0x880 [ 37.199473] Read of size 4 at addr ffff8801d7b219d4 by task syz-executor191/5342 [ 37.206985] [ 37.208599] CPU: 0 PID: 5342 Comm: syz-executor191 Not tainted 4.19.0-rc8+ #188 [ 37.216027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.225366] Call Trace: [ 37.227942] dump_stack+0x1c4/0x2b4 [ 37.231556] ? dump_stack_print_info.cold.2+0x52/0x52 [ 37.236747] ? printk+0xa7/0xcf [ 37.240012] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 37.244755] print_address_description.cold.8+0x9/0x1ff [ 37.250124] kasan_report.cold.9+0x242/0x309 [ 37.254519] ? fscache_alloc_cookie+0x7ad/0x880 [ 37.259176] __asan_report_load4_noabort+0x14/0x20 [ 37.264093] fscache_alloc_cookie+0x7ad/0x880 [ 37.268580] ? fscache_cookie_init_once+0x80/0x80 [ 37.273413] ? rpcauth_cache_shrink_scan+0x180/0x180 [ 37.278519] ? __kmalloc_track_caller+0x14a/0x750 [ 37.283349] ? kstrdup+0x39/0x70 [ 37.286710] ? nfs_alloc_client+0x383/0x760 [ 37.291018] ? nfs_get_client+0x8e8/0x14d0 [ 37.295238] ? nfs_init_server+0x357/0x1010 [ 37.299542] ? nfs_create_server+0x86/0x5f0 [ 37.303847] ? nfs_fs_mount+0x17f8/0x2f1c [ 37.307980] ? mount_fs+0xae/0x31d [ 37.311506] ? vfs_kern_mount.part.35+0xdc/0x4f0 [ 37.316247] ? do_mount+0x581/0x31f0 [ 37.319944] ? __ia32_compat_sys_mount+0x5d5/0x860 [ 37.324857] ? do_fast_syscall_32+0x34d/0xfb2 [ 37.329341] ? entry_SYSENTER_compat+0x70/0x7f [ 37.333913] __fscache_acquire_cookie+0x230/0xb60 [ 37.338744] ? fscache_cookie_put+0x880/0x880 [ 37.343229] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.348755] ? check_preemption_disabled+0x48/0x200 [ 37.353762] ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0 [ 37.359283] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 37.364546] ? rcu_pm_notify+0xc0/0xc0 [ 37.368422] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.373949] nfs_fscache_get_client_cookie+0x463/0x600 [ 37.379216] ? nfs_readpage_from_fscache_complete+0x200/0x200 [ 37.385107] nfs_alloc_client+0x563/0x760 [ 37.389346] ? register_nfs_version+0x280/0x280 [ 37.394015] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 37.398687] nfs_get_client+0x8e8/0x14d0 [ 37.402743] ? kmem_cache_alloc_trace+0x152/0x750 [ 37.407573] ? mount_fs+0xae/0x31d [ 37.411224] ? __lockdep_init_map+0x105/0x590 [ 37.415723] ? nfs_put_client+0x30/0x30 [ 37.419687] ? nfs_alloc_server+0x5ca/0x730 [ 37.423992] ? depot_save_stack+0x292/0x470 [ 37.428324] ? nfs_wait_client_init_complete+0x210/0x210 [ 37.433772] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.439298] ? check_preemption_disabled+0x48/0x200 [ 37.444303] ? check_preemption_disabled+0x48/0x200 [ 37.449303] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 37.454480] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 37.460009] nfs_init_server+0x357/0x1010 [ 37.464142] ? nfs_clone_server+0x920/0x920 [ 37.468449] ? nfs_alloc_fattr+0x48/0x1d0 [ 37.472606] ? rcu_read_lock_sched_held+0x108/0x120 [ 37.477625] nfs_create_server+0x86/0x5f0 [ 37.481763] nfs_try_mount+0x180/0xa80 [ 37.485642] ? lock_downgrade+0x900/0x900 [ 37.489804] ? nfs_request_mount.constprop.18+0x920/0x920 [ 37.495378] ? kasan_check_read+0x11/0x20 [ 37.499514] ? do_raw_spin_unlock+0xa7/0x2f0 [ 37.503905] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 37.508472] ? kasan_check_write+0x14/0x20 [ 37.512693] ? do_raw_spin_lock+0xc1/0x200 [ 37.516917] ? _raw_spin_unlock+0x2c/0x50 [ 37.521066] ? find_nfs_version+0x138/0x190 [ 37.525376] nfs_fs_mount+0x17f8/0x2f1c [ 37.529339] ? nfs_show_options+0x250/0x250 [ 37.533647] ? nfs_clone_super+0x420/0x420 [ 37.537873] ? nfs_parse_mount_options+0x2660/0x2660 [ 37.542966] ? lock_downgrade+0x900/0x900 [ 37.547103] mount_fs+0xae/0x31d [ 37.550458] vfs_kern_mount.part.35+0xdc/0x4f0 [ 37.555025] ? may_umount+0xb0/0xb0 [ 37.558638] ? _raw_read_unlock+0x2c/0x50 [ 37.562783] ? __get_fs_type+0x97/0xc0 [ 37.566669] do_mount+0x581/0x31f0 [ 37.570200] ? copy_mount_string+0x40/0x40 [ 37.574439] ? copy_mount_options+0x5f/0x380 [ 37.578836] ? rcu_read_lock_sched_held+0x108/0x120 [ 37.583838] ? kmem_cache_alloc_trace+0x353/0x750 [ 37.588691] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 37.594212] ? _copy_from_user+0xdf/0x150 [ 37.598347] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.603867] ? copy_mount_options+0x288/0x380 [ 37.608353] __ia32_compat_sys_mount+0x5d5/0x860 [ 37.613100] do_fast_syscall_32+0x34d/0xfb2 [ 37.617407] ? do_int80_syscall_32+0x890/0x890 [ 37.621975] ? entry_SYSENTER_compat+0x68/0x7f [ 37.626556] ? trace_hardirqs_off_caller+0xbb/0x310 [ 37.631557] ? syscall_return_slowpath+0x5e0/0x5e0 [ 37.636473] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.641298] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.646130] ? trace_hardirqs_on_caller+0x310/0x310 [ 37.651130] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 37.656218] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.661743] ? prepare_exit_to_usermode+0x291/0x3b0 [ 37.666750] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.671582] entry_SYSENTER_compat+0x70/0x7f [ 37.675975] RIP: 0023:0xf7f88ca9 [ 37.679328] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 37.698230] RSP: 002b:00000000fff75aac EFLAGS: 00000286 ORIG_RAX: 0000000000000015 [ 37.705925] RAX: ffffffffffffffda RBX: 00000000208deff8 RCX: 0000000020343ff8 [ 37.713178] RDX: 000000002015bffc RSI: 0000000000000000 RDI: 000000002000a000 [ 37.720448] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 37.727704] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 37.734958] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 37.742219] [ 37.743829] Allocated by task 5342: [ 37.747459] save_stack+0x43/0xd0 [ 37.750914] kasan_kmalloc+0xc7/0xe0 [ 37.754611] __kmalloc+0x14e/0x760 [ 37.758162] fscache_alloc_cookie+0x6f7/0x880 [ 37.762651] __fscache_acquire_cookie+0x230/0xb60 [ 37.767493] nfs_fscache_get_client_cookie+0x463/0x600 [ 37.772770] nfs_alloc_client+0x563/0x760 [ 37.776902] nfs_get_client+0x8e8/0x14d0 [ 37.780942] nfs_init_server+0x357/0x1010 [ 37.785079] nfs_create_server+0x86/0x5f0 [ 37.789222] nfs_try_mount+0x180/0xa80 [ 37.793092] nfs_fs_mount+0x17f8/0x2f1c [ 37.797051] mount_fs+0xae/0x31d [ 37.800404] vfs_kern_mount.part.35+0xdc/0x4f0 [ 37.804968] do_mount+0x581/0x31f0 [ 37.808495] __ia32_compat_sys_mount+0x5d5/0x860 [ 37.813239] do_fast_syscall_32+0x34d/0xfb2 [ 37.817559] entry_SYSENTER_compat+0x70/0x7f [ 37.821949] [ 37.823559] Freed by task 1: [ 37.826561] save_stack+0x43/0xd0 [ 37.829998] __kasan_slab_free+0x102/0x150 [ 37.834213] kasan_slab_free+0xe/0x10 [ 37.837998] kfree+0xcf/0x230 [ 37.841090] acpi_ns_get_node_unlocked+0x2b9/0x309 [ 37.846005] acpi_ns_get_node+0x4d/0x6b [ 37.849962] acpi_get_handle+0x15b/0x263 [ 37.854004] acpi_has_method+0x70/0xb0 [ 37.857878] acpi_device_setup_files+0x3aa/0x830 [ 37.862614] acpi_device_add+0x8b6/0x1250 [ 37.866746] acpi_add_single_object+0xaa7/0x1ed0 [ 37.871506] acpi_bus_check_add+0x5e0/0xb10 [ 37.875819] acpi_ns_walk_namespace+0x224/0x400 [ 37.880483] acpi_walk_namespace+0xf2/0x12c [ 37.884799] acpi_bus_scan+0x146/0x170 [ 37.888683] acpi_scan_init+0x403/0x8fe [ 37.892645] acpi_init+0x941/0xa19 [ 37.896179] do_one_initcall+0x145/0x957 [ 37.900228] kernel_init_freeable+0x4bb/0x5ae [ 37.904721] kernel_init+0x11/0x1b2 [ 37.908334] ret_from_fork+0x3a/0x50 [ 37.912027] [ 37.913636] The buggy address belongs to the object at ffff8801d7b219c0 [ 37.913636] which belongs to the cache kmalloc-32 of size 32 [ 37.926117] The buggy address is located 20 bytes inside of [ 37.926117] 32-byte region [ffff8801d7b219c0, ffff8801d7b219e0) [ 37.937815] The buggy address belongs to the page: [ 37.942732] page:ffffea00075ec840 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d7b21fc1 [ 37.952164] flags: 0x2fffc0000000100(slab) [ 37.956388] raw: 02fffc0000000100 ffffea00075ecc08 ffff8801da801248 ffff8801da8001c0 [ 37.964255] raw: ffff8801d7b21fc1 ffff8801d7b21000 000000010000003f 0000000000000000 [ 37.972115] page dumped because: kasan: bad access detected [ 37.977806] [ 37.979412] Memory state around the buggy address: [ 37.984321] ffff8801d7b21880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 37.991677] ffff8801d7b21900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 37.999022] >ffff8801d7b21980: fb fb fb fb fc fc fc fc 00 00 06 fc fc fc fc fc [ 38.006360] ^ [ 38.012313] ffff8801d7b21a00: 01 fc fc fc fc fc fc fc 01 fc fc fc fc fc fc fc [ 38.019668] ffff8801d7b21a80: 00 02 fc fc fc fc fc fc 00 02 fc fc fc fc fc fc [ 38.027011] ================================================================== [ 38.034349] Disabling lock debugging due to kernel taint [ 38.040091] Kernel panic - not syncing: panic_on_warn set ... [ 38.040091] [ 38.047479] CPU: 0 PID: 5342 Comm: syz-executor191 Tainted: G B 4.19.0-rc8+ #188 [ 38.056309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.065643] Call Trace: [ 38.068231] dump_stack+0x1c4/0x2b4 [ 38.071845] ? dump_stack_print_info.cold.2+0x52/0x52 [ 38.077023] panic+0x238/0x4e7 [ 38.080200] ? add_taint.cold.5+0x16/0x16 [ 38.084334] ? preempt_schedule+0x4d/0x60 [ 38.088477] ? ___preempt_schedule+0x16/0x18 [ 38.092877] ? trace_hardirqs_on+0xb4/0x310 [ 38.097186] kasan_end_report+0x47/0x4f [ 38.101143] kasan_report.cold.9+0x76/0x309 [ 38.105450] ? fscache_alloc_cookie+0x7ad/0x880 [ 38.110104] __asan_report_load4_noabort+0x14/0x20 [ 38.115017] fscache_alloc_cookie+0x7ad/0x880 [ 38.119498] ? fscache_cookie_init_once+0x80/0x80 [ 38.124344] ? rpcauth_cache_shrink_scan+0x180/0x180 [ 38.129434] ? __kmalloc_track_caller+0x14a/0x750 [ 38.134260] ? kstrdup+0x39/0x70 [ 38.137629] ? nfs_alloc_client+0x383/0x760 [ 38.141939] ? nfs_get_client+0x8e8/0x14d0 [ 38.146156] ? nfs_init_server+0x357/0x1010 [ 38.150461] ? nfs_create_server+0x86/0x5f0 [ 38.154769] ? nfs_fs_mount+0x17f8/0x2f1c [ 38.158900] ? mount_fs+0xae/0x31d [ 38.162423] ? vfs_kern_mount.part.35+0xdc/0x4f0 [ 38.167156] ? do_mount+0x581/0x31f0 [ 38.170870] ? __ia32_compat_sys_mount+0x5d5/0x860 [ 38.175782] ? do_fast_syscall_32+0x34d/0xfb2 [ 38.180262] ? entry_SYSENTER_compat+0x70/0x7f [ 38.184833] __fscache_acquire_cookie+0x230/0xb60 [ 38.189672] ? fscache_cookie_put+0x880/0x880 [ 38.194151] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.199694] ? check_preemption_disabled+0x48/0x200 [ 38.204696] ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0 [ 38.210218] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 38.215482] ? rcu_pm_notify+0xc0/0xc0 [ 38.219354] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.224876] nfs_fscache_get_client_cookie+0x463/0x600 [ 38.230138] ? nfs_readpage_from_fscache_complete+0x200/0x200 [ 38.236011] nfs_alloc_client+0x563/0x760 [ 38.240142] ? register_nfs_version+0x280/0x280 [ 38.244796] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 38.249366] nfs_get_client+0x8e8/0x14d0 [ 38.253411] ? kmem_cache_alloc_trace+0x152/0x750 [ 38.258236] ? mount_fs+0xae/0x31d [ 38.261779] ? __lockdep_init_map+0x105/0x590 [ 38.266262] ? nfs_put_client+0x30/0x30 [ 38.270218] ? nfs_alloc_server+0x5ca/0x730 [ 38.274531] ? depot_save_stack+0x292/0x470 [ 38.278841] ? nfs_wait_client_init_complete+0x210/0x210 [ 38.284279] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.289801] ? check_preemption_disabled+0x48/0x200 [ 38.294802] ? check_preemption_disabled+0x48/0x200 [ 38.299806] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 38.304988] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 38.310517] nfs_init_server+0x357/0x1010 [ 38.314650] ? nfs_clone_server+0x920/0x920 [ 38.318973] ? nfs_alloc_fattr+0x48/0x1d0 [ 38.323106] ? rcu_read_lock_sched_held+0x108/0x120 [ 38.328114] nfs_create_server+0x86/0x5f0 [ 38.332247] nfs_try_mount+0x180/0xa80 [ 38.336122] ? lock_downgrade+0x900/0x900 [ 38.340254] ? nfs_request_mount.constprop.18+0x920/0x920 [ 38.345776] ? kasan_check_read+0x11/0x20 [ 38.349907] ? do_raw_spin_unlock+0xa7/0x2f0 [ 38.354297] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 38.358863] ? kasan_check_write+0x14/0x20 [ 38.363082] ? do_raw_spin_lock+0xc1/0x200 [ 38.367302] ? _raw_spin_unlock+0x2c/0x50 [ 38.371434] ? find_nfs_version+0x138/0x190 [ 38.375743] nfs_fs_mount+0x17f8/0x2f1c [ 38.379702] ? nfs_show_options+0x250/0x250 [ 38.384008] ? nfs_clone_super+0x420/0x420 [ 38.388224] ? nfs_parse_mount_options+0x2660/0x2660 [ 38.393320] ? lock_downgrade+0x900/0x900 [ 38.397454] mount_fs+0xae/0x31d [ 38.400807] vfs_kern_mount.part.35+0xdc/0x4f0 [ 38.405372] ? may_umount+0xb0/0xb0 [ 38.408981] ? _raw_read_unlock+0x2c/0x50 [ 38.413114] ? __get_fs_type+0x97/0xc0 [ 38.416984] do_mount+0x581/0x31f0 [ 38.420510] ? copy_mount_string+0x40/0x40 [ 38.424727] ? copy_mount_options+0x5f/0x380 [ 38.429118] ? rcu_read_lock_sched_held+0x108/0x120 [ 38.434117] ? kmem_cache_alloc_trace+0x353/0x750 [ 38.438943] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 38.444464] ? _copy_from_user+0xdf/0x150 [ 38.448613] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.454145] ? copy_mount_options+0x288/0x380 [ 38.458628] __ia32_compat_sys_mount+0x5d5/0x860 [ 38.463384] do_fast_syscall_32+0x34d/0xfb2 [ 38.467695] ? do_int80_syscall_32+0x890/0x890 [ 38.472261] ? entry_SYSENTER_compat+0x68/0x7f [ 38.476829] ? trace_hardirqs_off_caller+0xbb/0x310 [ 38.481828] ? syscall_return_slowpath+0x5e0/0x5e0 [ 38.486740] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 38.491579] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 38.496408] ? trace_hardirqs_on_caller+0x310/0x310 [ 38.501407] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 38.506404] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 38.511926] ? prepare_exit_to_usermode+0x291/0x3b0 [ 38.516925] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 38.521768] entry_SYSENTER_compat+0x70/0x7f [ 38.526157] RIP: 0023:0xf7f88ca9 [ 38.529509] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 38.548395] RSP: 002b:00000000fff75aac EFLAGS: 00000286 ORIG_RAX: 0000000000000015 [ 38.556088] RAX: ffffffffffffffda RBX: 00000000208deff8 RCX: 0000000020343ff8 [ 38.563339] RDX: 000000002015bffc RSI: 0000000000000000 RDI: 000000002000a000 [ 38.570591] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 38.577843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 38.585099] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 38.593275] Kernel Offset: disabled [ 38.596898] Rebooting in 86400 seconds..