Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.111280] ==================================================================
[ 29.118768] BUG: KASAN: slab-out-of-bounds in pdu_read+0x94/0x100
[ 29.124993] Read of size 65419 at addr ffff8880a2c783ad by task syz-executor650/7975
[ 29.132852] 
[ 29.134464] CPU: 0 PID: 7975 Comm: syz-executor650 Not tainted 4.14.302-syzkaller #0
[ 29.142322] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.151675] Call Trace:
[ 29.154244]  dump_stack+0x1b2/0x281
[ 29.157851]  print_address_description.cold+0x54/0x1d3
[ 29.163103]  kasan_report_error.cold+0x8a/0x191
[ 29.167745]  ? pdu_read+0x94/0x100
[ 29.171262]  kasan_report+0x6f/0x80
[ 29.174865]  ? pdu_read+0x94/0x100
[ 29.178378]  memcpy+0x20/0x50
[ 29.181458]  pdu_read+0x94/0x100
[ 29.184798]  p9pdu_readf+0x381/0x1970
[ 29.188573]  ? p9_client_prepare_req.part.0+0xb60/0xb60
[ 29.193913]  ? p9pdu_writef+0xd0/0xd0
[ 29.197686]  ? p9_fd_poll+0x237/0x2e0
[ 29.201480]  ? p9_fd_create+0x2f3/0x420
[ 29.205427]  ? p9_fd_create_tcp+0x440/0x440
[ 29.209724]  p9_client_create+0x9b2/0x12c0
[ 29.213935]  ? p9_client_flush+0x4c0/0x4c0
[ 29.218145]  ? __lockdep_init_map+0x100/0x560
[ 29.222633]  ? __raw_spin_lock_init+0x28/0x100
[ 29.227198]  v9fs_session_init+0x1c5/0x1540
[ 29.231493]  ? pcpu_alloc+0xbe0/0xf50
[ 29.235277]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 29.240093]  ? _find_next_bit+0xdb/0x100
[ 29.244140]  ? v9fs_show_options+0x6b0/0x6b0
[ 29.248620]  ? v9fs_mount+0x54/0x860
[ 29.252314]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 29.257740]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.262743]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 29.267562]  v9fs_mount+0x73/0x860
[ 29.271087]  ? alloc_pages_current+0x15d/0x260
[ 29.275648]  ? __lockdep_init_map+0x100/0x560
[ 29.280126]  mount_fs+0x92/0x2a0
[ 29.283472]  vfs_kern_mount.part.0+0x5b/0x470
[ 29.287943]  do_mount+0xe65/0x2a30
[ 29.291461]  ? copy_mount_string+0x40/0x40
[ 29.295726]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.300715]  ? copy_mnt_ns+0xa30/0xa30
[ 29.304579]  ? copy_mount_options+0x1fa/0x2f0
[ 29.309049]  ? copy_mnt_ns+0xa30/0xa30
[ 29.312920]  SyS_mount+0xa8/0x120
[ 29.316360]  ? copy_mnt_ns+0xa30/0xa30
[ 29.320221]  do_syscall_64+0x1d5/0x640
[ 29.324085]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.329248] RIP: 0033:0x7fddb121fff9
[ 29.332933] RSP: 002b:00007fddb11d22f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 29.340613] RAX: ffffffffffffffda RBX: 00007fddb12a84c0 RCX: 00007fddb121fff9
[ 29.347855] RDX: 0000000020000500 RSI: 00000000200004c0 RDI: 0000000000000000
[ 29.355098] RBP: 00007fddb12a84cc R08: 0000000020000540 R09: 0000000000000000
[ 29.362347] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fddb1276024
[ 29.369593] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 00007fddb12a84c8
[ 29.376842] 
[ 29.378444] Allocated by task 7975:
[ 29.382050]  kasan_kmalloc+0xeb/0x160
[ 29.385852]  __kmalloc+0x15a/0x400
[ 29.389367]  p9_fcall_alloc+0x19/0x90
[ 29.393139]  p9_client_prepare_req.part.0+0x7f8/0xb60
[ 29.398502]  p9_client_rpc+0x170/0x1520
[ 29.402464]  p9_client_create+0x92f/0x12c0
[ 29.406673]  v9fs_session_init+0x1c5/0x1540
[ 29.410967]  v9fs_mount+0x73/0x860
[ 29.414480]  mount_fs+0x92/0x2a0
[ 29.417822]  vfs_kern_mount.part.0+0x5b/0x470
[ 29.422297]  do_mount+0xe65/0x2a30
[ 29.425811]  SyS_mount+0xa8/0x120
[ 29.429243]  do_syscall_64+0x1d5/0x640
[ 29.433106]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.438353] 
[ 29.439956] Freed by task 4599:
[ 29.443213]  kasan_slab_free+0xc3/0x1a0
[ 29.447161]  kfree+0xc9/0x250
[ 29.450240]  devkmsg_release+0xb3/0xe0
[ 29.454103]  __fput+0x25f/0x7a0
[ 29.457354]  task_work_run+0x11f/0x190
[ 29.461218]  do_exit+0xa44/0x2850
[ 29.464644]  do_group_exit+0x100/0x2e0
[ 29.468504]  SyS_exit_group+0x19/0x20
[ 29.472276]  do_syscall_64+0x1d5/0x640
[ 29.476146]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.481307] 
[ 29.482909] The buggy address belongs to the object at ffff8880a2c78380
[ 29.482909]  which belongs to the cache kmalloc-16384 of size 16384
[ 29.495888] The buggy address is located 45 bytes inside of
[ 29.495888]  16384-byte region [ffff8880a2c78380, ffff8880a2c7c380)
[ 29.507819] The buggy address belongs to the page:
[ 29.512721] page:ffffea00028b1e00 count:1 mapcount:0 mapping:ffff8880a2c78380 index:0x0 compound_mapcount: 0
[ 29.522660] flags: 0xfff00000008100(slab|head)
[ 29.527217] raw: 00fff00000008100 ffff8880a2c78380 0000000000000000 0000000100000001
[ 29.535070] raw: ffffea0002859820 ffffea0002895020 ffff88813fe65200 0000000000000000
[ 29.542920] page dumped because: kasan: bad access detected
[ 29.548629] 
[ 29.550232] Memory state around the buggy address:
[ 29.555132]  ffff8880a2c7a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.562461]  ffff8880a2c7a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.569791] >ffff8880a2c7a380: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.577121]                            ^
[ 29.581506]  ffff8880a2c7a400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.588845]  ffff8880a2c7a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.596173] ==================================================================
[ 29.603503] Disabling lock debugging due to kernel taint
[ 29.611450] Kernel panic - not syncing: panic_on_warn set ...
[ 29.611450] 
[ 29.618830] CPU: 1 PID: 7975 Comm: syz-executor650 Tainted: G    B            4.14.302-syzkaller #0
[ 29.627915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.637257] Call Trace:
[ 29.639835]  dump_stack+0x1b2/0x281
[ 29.643439]  panic+0x1f9/0x42d
[ 29.646606]  ? add_taint.cold+0x16/0x16
[ 29.650556]  ? ___preempt_schedule+0x16/0x18
[ 29.654940]  kasan_end_report+0x43/0x49
[ 29.658892]  kasan_report_error.cold+0xa7/0x191
[ 29.663535]  ? pdu_read+0x94/0x100
[ 29.667052]  kasan_report+0x6f/0x80
[ 29.670652]  ? pdu_read+0x94/0x100
[ 29.674167]  memcpy+0x20/0x50
[ 29.677245]  pdu_read+0x94/0x100
[ 29.680584]  p9pdu_readf+0x381/0x1970
[ 29.684355]  ? p9_client_prepare_req.part.0+0xb60/0xb60
[ 29.689693]  ? p9pdu_writef+0xd0/0xd0
[ 29.693465]  ? p9_fd_poll+0x237/0x2e0
[ 29.697327]  ? p9_fd_create+0x2f3/0x420
[ 29.701273]  ? p9_fd_create_tcp+0x440/0x440
[ 29.705566]  p9_client_create+0x9b2/0x12c0
[ 29.709771]  ? p9_client_flush+0x4c0/0x4c0
[ 29.713980]  ? __lockdep_init_map+0x100/0x560
[ 29.718451]  ? __raw_spin_lock_init+0x28/0x100
[ 29.723006]  v9fs_session_init+0x1c5/0x1540
[ 29.727301]  ? pcpu_alloc+0xbe0/0xf50
[ 29.731075]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 29.735909]  ? _find_next_bit+0xdb/0x100
[ 29.739941]  ? v9fs_show_options+0x6b0/0x6b0
[ 29.744322]  ? v9fs_mount+0x54/0x860
[ 29.748013]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 29.753433]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.758421]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 29.763237]  v9fs_mount+0x73/0x860
[ 29.766748]  ? alloc_pages_current+0x15d/0x260
[ 29.771308]  ? __lockdep_init_map+0x100/0x560
[ 29.775791]  mount_fs+0x92/0x2a0
[ 29.779142]  vfs_kern_mount.part.0+0x5b/0x470
[ 29.783621]  do_mount+0xe65/0x2a30
[ 29.787135]  ? copy_mount_string+0x40/0x40
[ 29.791346]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.796333]  ? copy_mnt_ns+0xa30/0xa30
[ 29.800193]  ? copy_mount_options+0x1fa/0x2f0
[ 29.804678]  ? copy_mnt_ns+0xa30/0xa30
[ 29.808553]  SyS_mount+0xa8/0x120
[ 29.811988]  ? copy_mnt_ns+0xa30/0xa30
[ 29.815974]  do_syscall_64+0x1d5/0x640
[ 29.819845]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.825009] RIP: 0033:0x7fddb121fff9
[ 29.828696] RSP: 002b:00007fddb11d22f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 29.836399] RAX: ffffffffffffffda RBX: 00007fddb12a84c0 RCX: 00007fddb121fff9
[ 29.843815] RDX: 0000000020000500 RSI: 00000000200004c0 RDI: 0000000000000000
[ 29.851061] RBP: 00007fddb12a84cc R08: 0000000020000540 R09: 0000000000000000
[ 29.858303] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fddb1276024
[ 29.865546] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 00007fddb12a84c8
[ 29.872979] Kernel Offset: disabled
[ 29.876595] Rebooting in 86400 seconds..
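The report above says pdu_read was asked to memcpy 65419 bytes starting 45 bytes into an object from the kmalloc-16384 cache, reached from p9_client_create through p9pdu_readf, i.e. while decoding a 9p reply on a mount using the fd transport (p9_fd_create is in the trace). In the 9P2000 wire format every message carries a size[4] type[1] tag[2] header and a string is len[2] followed by len bytes, so a decoder has to check each wire-supplied length against the bytes actually present before copying. The C program below is an added illustration written for this page; it is not code from the kernel's net/9p and not the fix for this report. Its names (pdu, pdu_read_checked, parse_rversion, the P9_E* codes) and the three sample replies are constructed for the example. It decodes an Rversion reply with every length bounded by the buffer that holds it and rejects a reply whose len[2] field claims 65419 bytes that are not there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code: a 9P2000-style PDU decoder in which every
 * length read from the wire is checked against the bytes actually present.
 * Header: size[4] type[1] tag[2]. Rversion body: msize[4] version[s], s = len[2] data[len]. */
#define P9_HDRSZ    7
#define P9_RVERSION 101
#define P9_NOTAG    0xffff

enum { P9_OK = 0, P9_EHDR = -1, P9_EOVERRUN = -2, P9_ETYPE = -3, P9_ESPACE = -4 };

struct pdu {
    const uint8_t *data;
    size_t capacity;  /* bytes backing data[]: the allocation, not the header's claim */
    size_t size;      /* size[4] from the header, accepted only if <= capacity */
    size_t offset;    /* read cursor; invariant: offset <= size */
};

static uint16_t get_le16(const uint8_t *b) { return (uint16_t)(b[0] | (b[1] << 8)); }
static uint32_t get_le32(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Validate the header against the real buffer before trusting size[4]. */
static int pdu_init(struct pdu *p, const uint8_t *buf, size_t cap, uint8_t *type, uint16_t *tag)
{
    uint32_t size;
    if (cap < P9_HDRSZ)
        return P9_EHDR;
    size = get_le32(buf);
    if (size < P9_HDRSZ || size > cap)   /* too short for its own header, or past the allocation */
        return P9_EHDR;
    p->data = buf; p->capacity = cap; p->size = size; p->offset = P9_HDRSZ;
    *type = buf[4];
    *tag = get_le16(buf + 5);
    return P9_OK;
}

/* Copy n bytes out of the PDU; the test is ordered so size - offset cannot wrap. */
static int pdu_read_checked(struct pdu *p, void *out, size_t n)
{
    if (p->offset > p->size || n > p->size - p->offset)
        return P9_EOVERRUN;
    memcpy(out, p->data + p->offset, n);
    p->offset += n;
    return P9_OK;
}

static int pdu_read_u16(struct pdu *p, uint16_t *v)
{
    uint8_t b[2];
    int rc = pdu_read_checked(p, b, sizeof b);
    if (rc == P9_OK) *v = get_le16(b);
    return rc;
}

static int pdu_read_u32(struct pdu *p, uint32_t *v)
{
    uint8_t b[4];
    int rc = pdu_read_checked(p, b, sizeof b);
    if (rc == P9_OK) *v = get_le32(b);
    return rc;
}

/* Decode an Rversion reply into msize and a NUL-terminated version string. */
int parse_rversion(const uint8_t *buf, size_t cap, uint32_t *msize, char *ver, size_t verlen)
{
    struct pdu p;
    uint8_t type;
    uint16_t tag, slen;
    int rc;

    if ((rc = pdu_init(&p, buf, cap, &type, &tag)) != P9_OK)
        return rc;
    if (type != P9_RVERSION || tag != P9_NOTAG)
        return P9_ETYPE;
    if ((rc = pdu_read_u32(&p, msize)) != P9_OK || (rc = pdu_read_u16(&p, &slen)) != P9_OK)
        return rc;
    if (slen > p.size - p.offset)        /* len[2] claims more bytes than the message holds */
        return P9_EOVERRUN;
    if (slen >= verlen)                  /* caller's buffer must hold the string plus NUL */
        return P9_ESPACE;
    if ((rc = pdu_read_checked(&p, ver, slen)) != P9_OK)
        return rc;
    ver[slen] = '\0';
    return P9_OK;
}

/* Constructed sample replies for this example (not captured traffic). */
/* size=19, Rversion, NOTAG, msize=8192, version "9P2000": well formed. */
const uint8_t good_rversion[] = { 0x13, 0x00, 0x00, 0x00, 0x65, 0xff, 0xff,
    0x00, 0x20, 0x00, 0x00, 0x06, 0x00, '9', 'P', '2', '0', '0', '0' };
/* Same bytes, but len[2] = 0xff8b = 65419 while only 6 bytes follow it. */
const uint8_t bad_len_rversion[] = { 0x13, 0x00, 0x00, 0x00, 0x65, 0xff, 0xff,
    0x00, 0x20, 0x00, 0x00, 0x8b, 0xff, '9', 'P', '2', '0', '0', '0' };
/* size[4] = 4: shorter than its own 7-byte header. */
const uint8_t short_rversion[] = { 0x04, 0x00, 0x00, 0x00, 0x65, 0xff, 0xff };

/* Run the decoder over a sample and return its status code. */
int sample_result(const uint8_t *buf, size_t cap)
{
    uint32_t msize = 0;
    char ver[64];
    return parse_rversion(buf, cap, &msize, ver, sizeof ver);
}

/* 1 if the well-formed sample decodes to msize 8192 and version "9P2000". */
int good_sample_ok(void)
{
    uint32_t msize = 0;
    char ver[64];
    return parse_rversion(good_rversion, sizeof good_rversion, &msize, ver, sizeof ver) == P9_OK
           && msize == 8192 && strcmp(ver, "9P2000") == 0;
}

int main(void)
{
    printf("good     : %d (ok=%d)\n", sample_result(good_rversion, sizeof good_rversion), good_sample_ok());
    printf("bad len  : %d\n", sample_result(bad_len_rversion, sizeof bad_len_rversion));
    printf("short    : %d\n", sample_result(short_rversion, sizeof short_rversion));
    printf("truncated: %d\n", sample_result(good_rversion, 12)); /* header says 19, only 12 backing bytes */
    return 0;
}
```

The point of the example is the order of the checks: size[4] is accepted only if it lies within [7, capacity] of the buffer that was actually allocated, and a string's len[2] is compared against the remaining declared bytes before anything is copied, with the comparison written so that the subtraction cannot wrap when the cursor is already past the end. A decoder that bounds copies only by the header's own size field, or that lets the cursor run past size, can be made to copy far more than it holds, which is the shape of the over-read KASAN flags above.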