[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.176' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.756599] BFS-fs: bfs_fill_super(): loop0 is unclean, continuing
[ 35.770705] ==================================================================
[ 35.778147] BUG: KASAN: slab-out-of-bounds in find_first_zero_bit+0xa8/0xb0
[ 35.785229] Read of size 8 at addr ffff8880a9fc86c0 by task syz-executor280/8110
[ 35.792733]
[ 35.794345] CPU: 0 PID: 8110 Comm: syz-executor280 Not tainted 4.19.211-syzkaller #0
[ 35.802200] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 35.811528] Call Trace:
[ 35.814102]  dump_stack+0x1fc/0x2ef
[ 35.817725]  print_address_description.cold+0x54/0x219
[ 35.822986]  kasan_report_error.cold+0x8a/0x1b9
[ 35.827634]  ? find_first_zero_bit+0xa8/0xb0
[ 35.832023]  __asan_report_load8_noabort+0x88/0x90
[ 35.836938]  ? find_first_zero_bit+0xa8/0xb0
[ 35.841412]  find_first_zero_bit+0xa8/0xb0
[ 35.845631]  bfs_create+0xfb/0x610
[ 35.849165]  vfs_create+0x461/0x6c0
[ 35.852780]  do_mknodat.part.0+0x2ff/0x480
[ 35.856998]  ? kern_path_create+0x40/0x40
[ 35.861131]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.866479]  __x64_sys_mknod+0xf8/0x120
[ 35.870436]  do_syscall_64+0xf9/0x620
[ 35.874220]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.879391] RIP: 0033:0x7f4c62f637d9
[ 35.883085] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.901968] RSP: 002b:00007ffda2fc7f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
[ 35.909657] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f4c62f637d9
[ 35.916906] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
[ 35.924155] RBP: 0000000000000000 R08: 0000000000000002 R09: 00007f4c62fd0ec0
[ 35.931405] R10: 00007ffda2fc7df0 R11: 0000000000000246 R12: 00007ffda2fc7f50
[ 35.938652] R13: 0000000000000000 R14: 431bde82d7b634db R15: 0000000000000000
[ 35.945909]
[ 35.947519] Allocated by task 8110:
[ 35.951130]  __kmalloc+0x15a/0x3c0
[ 35.954648]  bfs_fill_super+0x447/0xec0
[ 35.958600]  mount_bdev+0x2fc/0x3b0
[ 35.962206]  mount_fs+0xa3/0x310
[ 35.965554]  vfs_kern_mount.part.0+0x68/0x470
[ 35.970027]  do_mount+0x115c/0x2f50
[ 35.973633]  ksys_mount+0xcf/0x130
[ 35.977153]  __x64_sys_mount+0xba/0x150
[ 35.981106]  do_syscall_64+0xf9/0x620
[ 35.984886]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.990047]
[ 35.991656] Freed by task 52:
[ 35.994742]  kfree+0xcc/0x210
[ 35.997828]  usb_hcd_submit_urb+0xb93/0x23c0
[ 36.002215]  usb_submit_urb+0xb2f/0x13b0
[ 36.006254]  usb_start_wait_urb+0x108/0x4c0
[ 36.010551]  usb_control_msg+0x31c/0x4a0
[ 36.014597]  hub_ext_port_status+0x112/0x4b0
[ 36.018985]  hub_activate+0x50f/0x1a40
[ 36.022937]  process_one_work+0x864/0x1570
[ 36.027149]  worker_thread+0x64c/0x1130
[ 36.031098]  kthread+0x33f/0x460
[ 36.034443]  ret_from_fork+0x24/0x30
[ 36.038130]
[ 36.039739] The buggy address belongs to the object at ffff8880a9fc86c0
[ 36.039739]  which belongs to the cache kmalloc-32 of size 32
[ 36.052198] The buggy address is located 0 bytes inside of
[ 36.052198]  32-byte region [ffff8880a9fc86c0, ffff8880a9fc86e0)
[ 36.063786] The buggy address belongs to the page:
[ 36.068699] page:ffffea0002a7f200 count:1 mapcount:0 mapping:ffff88813bff01c0 index:0xffff8880a9fc8fc1
[ 36.078126] flags: 0xfff00000000100(slab)
[ 36.082260] raw: 00fff00000000100 ffffea0002a7ee48 ffffea0002a6c288 ffff88813bff01c0
[ 36.090128] raw: ffff8880a9fc8fc1 ffff8880a9fc8000 000000010000003f 0000000000000000
[ 36.097985] page dumped because: kasan: bad access detected
[ 36.103672]
[ 36.105289] Memory state around the buggy address:
[ 36.110206]  ffff8880a9fc8580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 36.117545]  ffff8880a9fc8600: fb fb fb fb fc fc fc fc 00 03 fc fc fc fc fc fc
[ 36.124907] >ffff8880a9fc8680: fb fb fb fb fc fc fc fc 07 fc fc fc fc fc fc fc
[ 36.132245]                                            ^
[ 36.137674]  ffff8880a9fc8700: 00 03 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 36.145011]  ffff8880a9fc8780: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 36.152345] ==================================================================
[ 36.159678] Disabling lock debugging due to kernel taint
[ 36.174065] Kernel panic - not syncing: panic_on_warn set ...
[ 36.174065]
[ 36.181449] CPU: 1 PID: 8110 Comm: syz-executor280 Tainted: G B 4.19.211-syzkaller #0
[ 36.190707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 36.200048] Call Trace:
[ 36.202618]  dump_stack+0x1fc/0x2ef
[ 36.206235]  panic+0x26a/0x50e
[ 36.209409]  ? __warn_printk+0xf3/0xf3
[ 36.213300]  ? preempt_schedule_common+0x45/0xc0
[ 36.218035]  ? ___preempt_schedule+0x16/0x18
[ 36.222682]  ? trace_hardirqs_on+0x55/0x210
[ 36.226982]  kasan_end_report+0x43/0x49
[ 36.230934]  kasan_report_error.cold+0xa7/0x1b9
[ 36.235583]  ? find_first_zero_bit+0xa8/0xb0
[ 36.239969]  __asan_report_load8_noabort+0x88/0x90
[ 36.244876]  ? find_first_zero_bit+0xa8/0xb0
[ 36.249262]  find_first_zero_bit+0xa8/0xb0
[ 36.253474]  bfs_create+0xfb/0x610
[ 36.257003]  vfs_create+0x461/0x6c0
[ 36.260613]  do_mknodat.part.0+0x2ff/0x480
[ 36.264827]  ? kern_path_create+0x40/0x40
[ 36.268961]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.274307]  __x64_sys_mknod+0xf8/0x120
[ 36.278278]  do_syscall_64+0xf9/0x620
[ 36.282068]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.287247] RIP: 0033:0x7f4c62f637d9
[ 36.290943] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 36.309821] RSP: 002b:00007ffda2fc7f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
[ 36.317565] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f4c62f637d9
[ 36.325206] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
[ 36.332452] RBP: 0000000000000000 R08: 0000000000000002 R09: 00007f4c62fd0ec0
[ 36.339698] R10: 00007ffda2fc7df0 R11: 0000000000000246 R12: 00007ffda2fc7f50
[ 36.346945] R13: 0000000000000000 R14: 431bde82d7b634db R15: 0000000000000000
[ 36.354360] Kernel Offset: disabled
[ 36.357968] Rebooting in 86400 seconds..