Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.216' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.441593] ==================================================================
[ 27.449059] BUG: KASAN: slab-out-of-bounds in pdu_read+0x94/0x100
[ 27.455394] Read of size 65419 at addr ffff8880a1a006ed by task syz-executor371/7950
[ 27.463252]
[ 27.464862] CPU: 0 PID: 7950 Comm: syz-executor371 Not tainted 4.14.288-syzkaller #0
[ 27.472717] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 27.482135] Call Trace:
[ 27.484723]  dump_stack+0x1b2/0x281
[ 27.488336]  print_address_description.cold+0x54/0x1d3
[ 27.493592]  kasan_report_error.cold+0x8a/0x191
[ 27.498241]  ? pdu_read+0x94/0x100
[ 27.501755]  kasan_report+0x6f/0x80
[ 27.505360]  ? pdu_read+0x94/0x100
[ 27.508890]  memcpy+0x20/0x50
[ 27.512003]  pdu_read+0x94/0x100
[ 27.515347]  p9pdu_readf+0x381/0x1970
[ 27.519122]  ? p9_client_prepare_req.part.0+0xb60/0xb60
[ 27.524473]  ? p9pdu_writef+0xd0/0xd0
[ 27.528258]  ? p9_fd_poll+0x237/0x2e0
[ 27.532041]  ? p9_fd_create+0x293/0x3b0
[ 27.535989]  ? p9_fd_create_tcp+0x440/0x440
[ 27.540289]  p9_client_create+0x9b2/0x12c0
[ 27.544501]  ? p9_client_flush+0x4c0/0x4c0
[ 27.548716]  ? __lockdep_init_map+0x100/0x560
[ 27.553191]  ? __raw_spin_lock_init+0x28/0x100
[ 27.557752]  v9fs_session_init+0x1c5/0x1540
[ 27.562053]  ? pcpu_alloc+0xbe0/0xf50
[ 27.565838]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 27.570655]  ? _find_next_bit+0xdb/0x100
[ 27.574692]  ? v9fs_show_options+0x6b0/0x6b0
[ 27.579099]  ? v9fs_mount+0x54/0x860
[ 27.582792]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.588225]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.593217]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 27.598047]  v9fs_mount+0x73/0x860
[ 27.601564]  ? alloc_pages_current+0x15d/0x260
[ 27.606124]  ? __lockdep_init_map+0x100/0x560
[ 27.610600]  mount_fs+0x92/0x2a0
[ 27.613947]  vfs_kern_mount.part.0+0x5b/0x470
[ 27.618418]  do_mount+0xe65/0x2a30
[ 27.621955]  ? retint_kernel+0x2d/0x2d
[ 27.625818]  ? copy_mount_string+0x40/0x40
[ 27.630032]  ? copy_mount_options+0x18f/0x2f0
[ 27.634504]  ? copy_mount_options+0x1fa/0x2f0
[ 27.638990]  ? copy_mnt_ns+0xa30/0xa30
[ 27.642860]  SyS_mount+0xa8/0x120
[ 27.646292]  ? copy_mnt_ns+0xa30/0xa30
[ 27.650175]  do_syscall_64+0x1d5/0x640
[ 27.654039]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.659208] RIP: 0033:0x7f76326abee9
[ 27.662895] RSP: 002b:00007fff180a3c28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 27.670578] RAX: ffffffffffffffda RBX: 00007fff180a3cf8 RCX: 00007f76326abee9
[ 27.677824] RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000
[ 27.685069] RBP: 00007fff180a3c40 R08: 0000000020000100 R09: 0000000000000000
[ 27.692328] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff180a3cf0
[ 27.699576] R13: 0000000000000000 R14: 431bde82d7b634db R15: 0000000000000000
[ 27.706828]
[ 27.708442] Allocated by task 7950:
[ 27.712050]  kasan_kmalloc+0xeb/0x160
[ 27.715831]  __kmalloc+0x15a/0x400
[ 27.719347]  p9_fcall_alloc+0x19/0x90
[ 27.723148]  p9_client_prepare_req.part.0+0x7f8/0xb60
[ 27.728311]  p9_client_rpc+0x170/0x1520
[ 27.732274]  p9_client_create+0x92f/0x12c0
[ 27.736488]  v9fs_session_init+0x1c5/0x1540
[ 27.740783]  v9fs_mount+0x73/0x860
[ 27.744297]  mount_fs+0x92/0x2a0
[ 27.747639]  vfs_kern_mount.part.0+0x5b/0x470
[ 27.752109]  do_mount+0xe65/0x2a30
[ 27.755624]  SyS_mount+0xa8/0x120
[ 27.759063]  do_syscall_64+0x1d5/0x640
[ 27.762928]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.768088]
[ 27.769691] Freed by task 4618:
[ 27.772960]  kasan_slab_free+0xc3/0x1a0
[ 27.776909]  kfree+0xc9/0x250
[ 27.779990]  devkmsg_release+0xb3/0xe0
[ 27.783851]  __fput+0x25f/0x7a0
[ 27.787103]  task_work_run+0x11f/0x190
[ 27.790965]  do_exit+0xa44/0x2850
[ 27.794394]  do_group_exit+0x100/0x2e0
[ 27.798254]  SyS_exit_group+0x19/0x20
[ 27.802026]  do_syscall_64+0x1d5/0x640
[ 27.805886]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.811052]
[ 27.812659] The buggy address belongs to the object at ffff8880a1a006c0
[ 27.812659]  which belongs to the cache kmalloc-16384 of size 16384
[ 27.825652] The buggy address is located 45 bytes inside of
[ 27.825652]  16384-byte region [ffff8880a1a006c0, ffff8880a1a046c0)
[ 27.837594] The buggy address belongs to the page:
[ 27.842503] page:ffffea0002868000 count:1 mapcount:0 mapping:ffff8880a1a006c0 index:0x0 compound_mapcount: 0
[ 27.852472] flags: 0xfff00000008100(slab|head)
[ 27.857031] raw: 00fff00000008100 ffff8880a1a006c0 0000000000000000 0000000100000001
[ 27.864888] raw: ffffea0002830020 ffffea0002861420 ffff88813fe65200 0000000000000000
[ 27.872739] page dumped because: kasan: bad access detected
[ 27.878420]
[ 27.880019] Memory state around the buggy address:
[ 27.884921]  ffff8880a1a02580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.892258]  ffff8880a1a02600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.899599] >ffff8880a1a02680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 27.906931]                                                        ^
[ 27.913412]  ffff8880a1a02700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.920742]  ffff8880a1a02780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.928070] ==================================================================
[ 27.935409] Disabling lock debugging due to kernel taint
[ 27.943582] Kernel panic - not syncing: panic_on_warn set ...
[ 27.943582]
[ 27.950953] CPU: 0 PID: 7950 Comm: syz-executor371 Tainted: G B 4.14.288-syzkaller #0
[ 27.960218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 27.969556] Call Trace:
[ 27.972121]  dump_stack+0x1b2/0x281
[ 27.975727]  panic+0x1f9/0x42d
[ 27.978893]  ? add_taint.cold+0x16/0x16
[ 27.982844]  ? ___preempt_schedule+0x16/0x18
[ 27.987226]  kasan_end_report+0x43/0x49
[ 27.991174]  kasan_report_error.cold+0xa7/0x191
[ 27.995816]  ? pdu_read+0x94/0x100
[ 27.999329]  kasan_report+0x6f/0x80
[ 28.002941]  ? pdu_read+0x94/0x100
[ 28.006903]  memcpy+0x20/0x50
[ 28.009989]  pdu_read+0x94/0x100
[ 28.013333]  p9pdu_readf+0x381/0x1970
[ 28.017121]  ? p9_client_prepare_req.part.0+0xb60/0xb60
[ 28.022515]  ? p9pdu_writef+0xd0/0xd0
[ 28.026297]  ? p9_fd_poll+0x237/0x2e0
[ 28.030089]  ? p9_fd_create+0x293/0x3b0
[ 28.034044]  ? p9_fd_create_tcp+0x440/0x440
[ 28.038345]  p9_client_create+0x9b2/0x12c0
[ 28.042579]  ? p9_client_flush+0x4c0/0x4c0
[ 28.046859]  ? __lockdep_init_map+0x100/0x560
[ 28.051330]  ? __raw_spin_lock_init+0x28/0x100
[ 28.055898]  v9fs_session_init+0x1c5/0x1540
[ 28.060195]  ? pcpu_alloc+0xbe0/0xf50
[ 28.063977]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 28.068798]  ? _find_next_bit+0xdb/0x100
[ 28.072839]  ? v9fs_show_options+0x6b0/0x6b0
[ 28.077227]  ? v9fs_mount+0x54/0x860
[ 28.080916]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.086339]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 28.091341]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 28.096172]  v9fs_mount+0x73/0x860
[ 28.099694]  ? alloc_pages_current+0x15d/0x260
[ 28.104253]  ? __lockdep_init_map+0x100/0x560
[ 28.108730]  mount_fs+0x92/0x2a0
[ 28.112078]  vfs_kern_mount.part.0+0x5b/0x470
[ 28.116547]  do_mount+0xe65/0x2a30
[ 28.120066]  ? retint_kernel+0x2d/0x2d
[ 28.123927]  ? copy_mount_string+0x40/0x40
[ 28.128146]  ? copy_mount_options+0x18f/0x2f0
[ 28.132617]  ? copy_mount_options+0x1fa/0x2f0
[ 28.137089]  ? copy_mnt_ns+0xa30/0xa30
[ 28.140964]  SyS_mount+0xa8/0x120
[ 28.144410]  ? copy_mnt_ns+0xa30/0xa30
[ 28.148542]  do_syscall_64+0x1d5/0x640
[ 28.152418]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.157683] RIP: 0033:0x7f76326abee9
[ 28.161447] RSP: 002b:00007fff180a3c28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 28.169262] RAX: ffffffffffffffda RBX: 00007fff180a3cf8 RCX: 00007f76326abee9
[ 28.176515] RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000
[ 28.183764] RBP: 00007fff180a3c40 R08: 0000000020000100 R09: 0000000000000000
[ 28.191011] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff180a3cf0
[ 28.198265] R13: 0000000000000000 R14: 431bde82d7b634db R15: 0000000000000000
[ 28.205698] Kernel Offset: disabled
[ 28.209302] Rebooting in 86400 seconds..
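What the report above pins down: during mount(2) of a 9p filesystem over the fd transport (p9_fd_create is on the stack), p9_client_create was decoding the Rversion reply with p9pdu_readf, and pdu_read handed memcpy a length of 65419 bytes taken from the reply's string length field, against a receive buffer that p9_fcall_alloc had obtained from kmalloc-16384. The copy starts 45 bytes into that object, i.e. right after the 4-byte msize and the 2-byte string length that follow the 7-byte 9p header, and runs far past its end. KASAN's "Freed by" section shows the slab object had previously been used and released by devkmsg_release, so whatever the over-read returns is recycled memory from an unrelated user. On a trans=fd mount the far end of the transport is whatever the mounting process connected to rfdno/wfdno, so the length fields are untrusted input.

The following is an added, userspace model of the parse step that faulted, written for this page to show the two checks a 9p reader needs: the size[4] header must be at least the header length and must match what the transport actually delivered, and every field read must be bounded by that validated size rather than by the length the field itself advertises. It is not the kernel's net/9p code; the struct layout, the error codes, the helper names (pdu_parse_header, parse_rversion, parse_reply_bytes) and the sample replies are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define P9_HDRSZ    7      /* size[4] type[1] tag[2] */
#define P9_RVERSION 101

enum { P9_OK = 0, P9_EBADHDR = -1, P9_ETRUNC = -2, P9_ETYPE = -3, P9_ENOSPC = -4 };

/* Receive buffer. Field names echo the report's pdu_read(), but this layout
 * is an assumption for the model, not the kernel's struct p9_fcall. */
struct pdu {
    const uint8_t *sdata;
    size_t capacity;   /* bytes allocated for sdata (16384 in the report) */
    size_t received;   /* bytes the transport actually wrote into sdata */
    size_t size;       /* message length claimed by the size[4] header field */
    size_t offset;     /* parse cursor */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Header check: size must cover the header, equal what was received, and fit
 * the allocation. Accepting a size below the header length leaves offset > size,
 * and a "bytes remaining" computed as size - offset then wraps to a huge value. */
static int pdu_parse_header(struct pdu *pdu, uint8_t *type, uint16_t *tag)
{
    if (pdu->received > pdu->capacity || pdu->received < P9_HDRSZ)
        return P9_EBADHDR;
    uint32_t sz = le32(pdu->sdata);
    if (sz < P9_HDRSZ || sz != pdu->received)
        return P9_EBADHDR;
    pdu->size = sz;
    *type = pdu->sdata[4];
    *tag = le16(pdu->sdata + 5);
    pdu->offset = P9_HDRSZ;
    return P9_OK;
}

/* Bounded field read: refuses, copying nothing, if the field would run past
 * the validated message length. No clamping, no trust in the caller's count. */
static int pdu_read(struct pdu *pdu, void *dst, size_t want)
{
    if (pdu->offset > pdu->size || want > pdu->size - pdu->offset)
        return P9_ETRUNC;
    memcpy(dst, pdu->sdata + pdu->offset, want);
    pdu->offset += want;
    return P9_OK;
}

/* Rversion body: msize[4] version[s], s = len[2] data[len]. This is the "ds"
 * decode the report's p9_client_create() was doing through p9pdu_readf(). */
static int parse_rversion(struct pdu *pdu, uint32_t *msize, char *ver, size_t verlen)
{
    uint8_t type, b4[4], b2[2];
    uint16_t tag, len;
    int err;

    if ((err = pdu_parse_header(pdu, &type, &tag)) != P9_OK)
        return err;
    if (type != P9_RVERSION)
        return P9_ETYPE;
    if ((err = pdu_read(pdu, b4, sizeof b4)) != P9_OK)
        return err;
    *msize = le32(b4);
    if ((err = pdu_read(pdu, b2, sizeof b2)) != P9_OK)
        return err;
    len = le16(b2);
    if (len >= verlen)                     /* caller's buffer, separate from the wire */
        return P9_ENOSPC;
    if ((err = pdu_read(pdu, ver, len)) != P9_OK)   /* 65419 vs. 6 bytes left: refused */
        return err;
    ver[len] = '\0';
    return P9_OK;
}

/* Place a reply in a fixed-size buffer the way a transport would, then parse. */
static int parse_reply_bytes(const uint8_t *wire, size_t n, uint32_t *msize, char *ver, size_t verlen)
{
    uint8_t buf[64] = {0};             /* stands in for the kmalloc'd receive buffer */
    if (n > sizeof buf)
        return P9_EBADHDR;
    memcpy(buf, wire, n);
    struct pdu pdu = { buf, sizeof buf, n, 0, 0 };
    return parse_rversion(&pdu, msize, ver, verlen);
}

/* Constructed replies for the demonstration, not captured traffic. */
static const uint8_t good_rversion[] = {
    19, 0, 0, 0, P9_RVERSION, 0xff, 0xff,    /* size=19 type=Rversion tag=NOTAG */
    0x00, 0x20, 0, 0,                        /* msize=8192 */
    6, 0, '9', 'P', '2', '0', '0', '0'       /* version[s] = "9P2000" */
};
static const uint8_t oversized_string[] = {  /* len=0xff8b=65419, the size in the report */
    19, 0, 0, 0, P9_RVERSION, 0xff, 0xff, 0x00, 0x20, 0, 0, 0x8b, 0xff, '9', 'P', '2', '0', '0', '0'
};
static const uint8_t short_header[] = {      /* size=5, smaller than the 7-byte header */
    5, 0, 0, 0, P9_RVERSION, 0xff, 0xff, 0x00, 0x20, 0, 0, 6, 0, '9', 'P', '2', '0', '0', '0'
};
static const uint8_t overlong_header[] = {   /* size=60 claimed, 19 bytes delivered */
    60, 0, 0, 0, P9_RVERSION, 0xff, 0xff, 0x00, 0x20, 0, 0, 6, 0, '9', 'P', '2', '0', '0', '0'
};

int main(void)
{
    static char ver[UINT16_MAX + 1];
    uint32_t msize = 0;
    int a = parse_reply_bytes(good_rversion, sizeof good_rversion, &msize, ver, sizeof ver);
    int b = parse_reply_bytes(oversized_string, sizeof oversized_string, &msize, ver, sizeof ver);
    int c = parse_reply_bytes(short_header, sizeof short_header, &msize, ver, sizeof ver);
    int d = parse_reply_bytes(overlong_header, sizeof overlong_header, &msize, ver, sizeof ver);
    printf("good=%d (%s, msize %u) oversized=%d short=%d overlong=%d\n", a, ver, msize, b, c, d);
    return 0;
}
```

The equality test between the header's size and the byte count the transport delivered is the part that matters in practice: a size smaller than the header is what turns "bytes remaining" into an underflowed huge value, and a size larger than what arrived lets the reader walk into whatever the allocator left in the buffer. Both depend on the transport recording the received count separately from the header field, which this model assumes it does.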