Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.83' (ECDSA) to the list of known hosts.
syzkaller login: [ 30.512006] IPVS: ftp: loaded support on port[0] = 21
[ 30.579840] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 30.597146] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 30.612356] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 30.617915] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
[ 30.625402] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 30.633708] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 30.640319] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 30.656865] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 30.680266] ==================================================================
[ 30.687741] BUG: KASAN: use-after-free in squashfs_get_id+0x181/0x1a0
[ 30.694314] Read of size 8 at addr ffff8880afd02300 by task syz-executor182/7993
[ 30.701837]
[ 30.703462] CPU: 1 PID: 7993 Comm: syz-executor182 Not tainted 4.14.207-syzkaller #0
[ 30.711333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.720708] Call Trace:
[ 30.723277] dump_stack+0x1b2/0x283
[ 30.726895] print_address_description.cold+0x54/0x1d3
[ 30.732148] kasan_report_error.cold+0x8a/0x194
[ 30.736807] ? squashfs_get_id+0x181/0x1a0
[ 30.741024] __asan_report_load8_noabort+0x68/0x70
[ 30.745941] ? squashfs_get_id+0x181/0x1a0
[ 30.750161] squashfs_get_id+0x181/0x1a0
[ 30.754199] ? squashfs_read_fragment_index_table+0xc0/0xc0
[ 30.759886] ? squashfs_read_metadata+0x2ba/0x430
[ 30.764708] squashfs_read_inode+0x185/0x19e0
[ 30.769183] ? squashfs_read_id_index_table+0xe0/0xe0
[ 30.774350] ? new_inode+0xc7/0xf0
[ 30.777868] ? lock_acquire+0x170/0x3f0
[ 30.781822] ? do_raw_spin_unlock+0x164/0x220
[ 30.786292] squashfs_fill_super+0x1501/0x1aa0
[ 30.790853] mount_bdev+0x2b3/0x360
[ 30.794456] ? squashfs_alloc_inode+0x40/0x40
[ 30.798929] mount_fs+0x92/0x2a0
[ 30.802274] vfs_kern_mount.part.0+0x5b/0x470
[ 30.806747] do_mount+0xe53/0x2a00
[ 30.810280] ? copy_mount_string+0x40/0x40
[ 30.814491] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.819483] ? copy_mnt_ns+0xa30/0xa30
[ 30.823356] ? copy_mount_options+0x1fa/0x2f0
[ 30.827828] ? copy_mnt_ns+0xa30/0xa30
[ 30.831692] SyS_mount+0xa8/0x120
[ 30.835123] ? copy_mnt_ns+0xa30/0xa30
[ 30.838996] do_syscall_64+0x1d5/0x640
[ 30.842879] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.848082] RIP: 0033:0x44dcda
[ 30.851265] RSP: 002b:00007fff2b2414c8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 30.858949] RAX: ffffffffffffffda RBX: 00007fff2b241520 RCX: 000000000044dcda
[ 30.866206] RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007fff2b2414e0
[ 30.873455] RBP: 0000000000000004 R08: 00007fff2b241520 R09: 0000000000000000
[ 30.880714] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
[ 30.887978] R13: 00007fff2b2414e0 R14: 0000000000000000 R15: 0000000020000228
[ 30.895241]
[ 30.896846] Allocated by task 7993:
[ 30.900459] kasan_kmalloc+0xeb/0x160
[ 30.904261] __kmalloc+0x15a/0x400
[ 30.907787] squashfs_read_table+0x76/0x18d
[ 30.912094] squashfs_read_xattr_id_table+0x16a/0x200
[ 30.917266] squashfs_fill_super+0xb6c/0x1aa0
[ 30.921766] mount_bdev+0x2b3/0x360
[ 30.925373] mount_fs+0x92/0x2a0
[ 30.928740] vfs_kern_mount.part.0+0x5b/0x470
[ 30.933215] do_mount+0xe53/0x2a00
[ 30.936733] SyS_mount+0xa8/0x120
[ 30.940177] do_syscall_64+0x1d5/0x640
[ 30.944061] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.949235]
[ 30.950844] Freed by task 7993:
[ 30.954106] kasan_slab_free+0xc3/0x1a0
[ 30.958061] kfree+0xc9/0x250
[ 30.961143] squashfs_read_table+0x127/0x18d
[ 30.965527] squashfs_read_xattr_id_table+0x16a/0x200
[ 30.970692] squashfs_fill_super+0xb6c/0x1aa0
[ 30.975168] mount_bdev+0x2b3/0x360
[ 30.978783] mount_fs+0x92/0x2a0
[ 30.982139] vfs_kern_mount.part.0+0x5b/0x470
[ 30.987328] do_mount+0xe53/0x2a00
[ 30.990851] SyS_mount+0xa8/0x120
[ 30.994280] do_syscall_64+0x1d5/0x640
[ 30.998144] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.003310]
[ 31.004920] The buggy address belongs to the object at ffff8880afd02300
[ 31.004920]  which belongs to the cache kmalloc-32 of size 32
[ 31.017414] The buggy address is located 0 bytes inside of
[ 31.017414]  32-byte region [ffff8880afd02300, ffff8880afd02320)
[ 31.029028] The buggy address belongs to the page:
[ 31.033935] page:ffffea0002bf4080 count:1 mapcount:0 mapping:ffff8880afd02000 index:0xffff8880afd02fc1
[ 31.043364] flags: 0xfff00000000100(slab)
[ 31.047486] raw: 00fff00000000100 ffff8880afd02000 ffff8880afd02fc1 000000010000003f
[ 31.055342] raw: ffffea0002d214a0 ffffea0002bc8760 ffff88813fe821c0 0000000000000000
[ 31.063195] page dumped because: kasan: bad access detected
[ 31.068888]
[ 31.070486] Memory state around the buggy address:
[ 31.075396]  ffff8880afd02200: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 31.082738]  ffff8880afd02280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.090070] >ffff8880afd02300: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 31.097402]                    ^
[ 31.100751]  ffff8880afd02380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.108083]  ffff8880afd02400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.115424] ==================================================================
[ 31.122767] Disabling lock debugging due to kernel taint
[ 31.129852] Kernel panic - not syncing: panic_on_warn set ...
[ 31.129852]
[ 31.137221] CPU: 1 PID: 7993 Comm: syz-executor182 Tainted: G B 4.14.207-syzkaller #0
[ 31.146305] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.155647] Call Trace:
[ 31.158228] dump_stack+0x1b2/0x283
[ 31.161853] panic+0x1f9/0x42d
[ 31.165031] ? add_taint.cold+0x16/0x16
[ 31.168993] ? ___preempt_schedule+0x16/0x18
[ 31.173388] kasan_end_report+0x43/0x49
[ 31.177336] kasan_report_error.cold+0xa7/0x194
[ 31.181981] ? squashfs_get_id+0x181/0x1a0
[ 31.186188] __asan_report_load8_noabort+0x68/0x70
[ 31.191101] ? squashfs_get_id+0x181/0x1a0
[ 31.195314] squashfs_get_id+0x181/0x1a0
[ 31.199352] ? squashfs_read_fragment_index_table+0xc0/0xc0
[ 31.205044] ? squashfs_read_metadata+0x2ba/0x430
[ 31.209861] squashfs_read_inode+0x185/0x19e0
[ 31.214343] ? squashfs_read_id_index_table+0xe0/0xe0
[ 31.219505] ? new_inode+0xc7/0xf0
[ 31.223019] ? lock_acquire+0x170/0x3f0
[ 31.226978] ? do_raw_spin_unlock+0x164/0x220
[ 31.231449] squashfs_fill_super+0x1501/0x1aa0
[ 31.236021] mount_bdev+0x2b3/0x360
[ 31.239624] ? squashfs_alloc_inode+0x40/0x40
[ 31.244095] mount_fs+0x92/0x2a0
[ 31.247454] vfs_kern_mount.part.0+0x5b/0x470
[ 31.251925] do_mount+0xe53/0x2a00
[ 31.255439] ? copy_mount_string+0x40/0x40
[ 31.259647] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 31.264636] ? copy_mnt_ns+0xa30/0xa30
[ 31.268498] ? copy_mount_options+0x1fa/0x2f0
[ 31.272971] ? copy_mnt_ns+0xa30/0xa30
[ 31.276872] SyS_mount+0xa8/0x120
[ 31.280299] ? copy_mnt_ns+0xa30/0xa30
[ 31.284162] do_syscall_64+0x1d5/0x640
[ 31.288038] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.293204] RIP: 0033:0x44dcda
[ 31.296365] RSP: 002b:00007fff2b2414c8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 31.304051] RAX: ffffffffffffffda RBX: 00007fff2b241520 RCX: 000000000044dcda
[ 31.311293] RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007fff2b2414e0
[ 31.318546] RBP: 0000000000000004 R08: 00007fff2b241520 R09: 0000000000000000
[ 31.325789] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
[ 31.333047] R13: 00007fff2b2414e0 R14: 0000000000000000 R15: 0000000020000228
[ 31.340761] Kernel Offset: disabled
[ 31.344371] Rebooting in 86400 seconds..