Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.835866] ==================================================================
[ 35.843358] BUG: KASAN: slab-out-of-bounds in squashfs_export_iget+0x274/0x2a0
[ 35.850722] Read of size 8 at addr ffff88809f047ab8 by task syz-executor147/8106
[ 35.858369]
[ 35.860000] CPU: 1 PID: 8106 Comm: syz-executor147 Not tainted 4.19.160-syzkaller #0
[ 35.867876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.877230] Call Trace:
[ 35.879825]  dump_stack+0x1fc/0x2fe
[ 35.883467]  print_address_description.cold+0x54/0x219
[ 35.888752]  kasan_report_error.cold+0x8a/0x1c7
[ 35.893431]  ? squashfs_export_iget+0x274/0x2a0
[ 35.898097]  __asan_report_load8_noabort+0x88/0x90
[ 35.903013]  ? squashfs_export_iget+0x274/0x2a0
[ 35.907664]  squashfs_export_iget+0x274/0x2a0
[ 35.912143]  ? squashfs_readdir.cold+0x4c/0x4c
[ 35.916706]  ? depot_save_stack+0x258/0x40a
[ 35.921013]  ? __lock_acquire+0x6de/0x3ff0
[ 35.925233]  squashfs_fh_to_dentry+0x78/0xb0
[ 35.929624]  exportfs_decode_fh+0x126/0x7d8
[ 35.933929]  ? drop_caches_sysctl_handler.cold+0x79/0x79
[ 35.939361]  ? squashfs_get_parent+0xa0/0xa0
[ 35.943751]  ? reconnect_path+0x7e0/0x7e0
[ 35.947895]  ? debug_object_active_state+0x104/0x330
[ 35.952977]  ? locks_remove_posix+0x2ad/0x5a0
[ 35.957460]  ? do_lock_file_wait+0x4c0/0x4c0
[ 35.961855]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 35.966422]  ? __might_fault+0x11f/0x1d0
[ 35.970465]  ? lock_downgrade+0x720/0x720
[ 35.974591]  ? lock_acquire+0x170/0x3c0
[ 35.978549]  ? __might_fault+0xef/0x1d0
[ 35.982524]  ? __might_fault+0x192/0x1d0
[ 35.986569]  do_handle_open+0x2f4/0x650
[ 35.990527]  ? do_sys_name_to_handle+0x480/0x480
[ 35.995264]  ? fput+0x2b/0x190
[ 35.998445]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.003458]  ? do_syscall_64+0x21/0x620
[ 36.007424]  do_syscall_64+0xf9/0x620
[ 36.011304]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.016474] RIP: 0033:0x4443e9
[ 36.019654] Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.038797] RSP: 002b:00007ffd7b091d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[ 36.046484] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004443e9
[ 36.053738] RDX: 0000000000490400 RSI: 0000000020000100 RDI: 0000000000000005
[ 36.060990] RBP: 00000000006cf018 R08: 00007ffd00000015 R09: 00000000004002e0
[ 36.068256] R10: 00007ffd7b091be0 R11: 0000000000000246 R12: 0000000000401fd0
[ 36.075506] R13: 0000000000402060 R14: 0000000000000000 R15: 0000000000000000
[ 36.082778]
[ 36.084388] Allocated by task 1:
[ 36.087748]  __kmalloc_track_caller+0x155/0x3c0
[ 36.092395]  kstrdup+0x36/0x70
[ 36.095565]  kstrdup_const+0x53/0x80
[ 36.099258]  __kernfs_new_node+0x9b/0x680
[ 36.103384]  kernfs_new_node+0x92/0x120
[ 36.107347]  __kernfs_create_file+0x51/0x33f
[ 36.111742]  cgroup_addrm_files+0x399/0x980
[ 36.116044]  css_populate_dir+0x19b/0x450
[ 36.120173]  cgroup_apply_control_enable+0x3dd/0xc60
[ 36.125256]  cgroup_mkdir+0x7d9/0x1090
[ 36.129123]  kernfs_iop_mkdir+0x146/0x1d0
[ 36.133251]  vfs_mkdir+0x508/0x7a0
[ 36.136785]  do_mkdirat+0x262/0x2d0
[ 36.140410]  do_syscall_64+0xf9/0x620
[ 36.144208]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.149375]
[ 36.150981] Freed by task 6243:
[ 36.154242]  kfree+0xcc/0x210
[ 36.157343]  single_release+0x8c/0xb0
[ 36.161145]  close_pdeo.part.0+0xda/0x2f0
[ 36.165289]  proc_reg_release+0x21e/0x270
[ 36.169505]  __fput+0x2ce/0x890
[ 36.172765]  task_work_run+0x148/0x1c0
[ 36.176644]  exit_to_usermode_loop+0x251/0x2a0
[ 36.181207]  do_syscall_64+0x538/0x620
[ 36.185856]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.191019]
[ 36.192628] The buggy address belongs to the object at ffff88809f047a80
[ 36.192628]  which belongs to the cache kmalloc-32 of size 32
[ 36.205102] The buggy address is located 24 bytes to the right of
[ 36.205102]  32-byte region [ffff88809f047a80, ffff88809f047aa0)
[ 36.217330] The buggy address belongs to the page:
[ 36.222242] page:ffffea00027c11c0 count:1 mapcount:0 mapping:ffff88813bff01c0 index:0xffff88809f047fc1
[ 36.231677] flags: 0xfff00000000100(slab)
[ 36.235827] raw: 00fff00000000100 ffffea000288bb08 ffffea000284b6c8 ffff88813bff01c0
[ 36.243706] raw: ffff88809f047fc1 ffff88809f047000 0000000100000026 0000000000000000
[ 36.251568] page dumped because: kasan: bad access detected
[ 36.257262]
[ 36.258885] Memory state around the buggy address:
[ 36.263801]  ffff88809f047980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 36.271144]  ffff88809f047a00: 00 00 02 fc fc fc fc fc 00 01 fc fc fc fc fc fc
[ 36.278488] >ffff88809f047a80: 00 05 fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[ 36.285841]                                         ^
[ 36.291027]  ffff88809f047b00: fb fb fb fb fc fc fc fc 00 07 fc fc fc fc fc fc
[ 36.298370]  ffff88809f047b80: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 36.305721] ==================================================================
[ 36.313076] Disabling lock debugging due to kernel taint
[ 36.321545] Kernel panic - not syncing: panic_on_warn set ...
[ 36.321545]
[ 36.328931] CPU: 1 PID: 8106 Comm: syz-executor147 Tainted: G    B           4.19.160-syzkaller #0
[ 36.338196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.347566] Call Trace:
[ 36.350139]  dump_stack+0x1fc/0x2fe
[ 36.353749]  panic+0x26a/0x50e
[ 36.356921]  ? __warn_printk+0xf3/0xf3
[ 36.360792]  ? preempt_schedule_common+0x45/0xc0
[ 36.365546]  ? ___preempt_schedule+0x16/0x18
[ 36.369936]  ? trace_hardirqs_on+0x55/0x210
[ 36.374244]  kasan_end_report+0x43/0x49
[ 36.378305]  kasan_report_error.cold+0xa7/0x1c7
[ 36.382956]  ? squashfs_export_iget+0x274/0x2a0
[ 36.387616]  __asan_report_load8_noabort+0x88/0x90
[ 36.392525]  ? squashfs_export_iget+0x274/0x2a0
[ 36.397174]  squashfs_export_iget+0x274/0x2a0
[ 36.401649]  ? squashfs_readdir.cold+0x4c/0x4c
[ 36.406210]  ? depot_save_stack+0x258/0x40a
[ 36.410513]  ? __lock_acquire+0x6de/0x3ff0
[ 36.414730]  squashfs_fh_to_dentry+0x78/0xb0
[ 36.419118]  exportfs_decode_fh+0x126/0x7d8
[ 36.424389]  ? drop_caches_sysctl_handler.cold+0x79/0x79
[ 36.429832]  ? squashfs_get_parent+0xa0/0xa0
[ 36.434219]  ? reconnect_path+0x7e0/0x7e0
[ 36.438346]  ? debug_object_active_state+0x104/0x330
[ 36.443427]  ? locks_remove_posix+0x2ad/0x5a0
[ 36.447901]  ? do_lock_file_wait+0x4c0/0x4c0
[ 36.452290]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 36.456859]  ? __might_fault+0x11f/0x1d0
[ 36.460899]  ? lock_downgrade+0x720/0x720
[ 36.465023]  ? lock_acquire+0x170/0x3c0
[ 36.468977]  ? __might_fault+0xef/0x1d0
[ 36.472932]  ? __might_fault+0x192/0x1d0
[ 36.476973]  do_handle_open+0x2f4/0x650
[ 36.480927]  ? do_sys_name_to_handle+0x480/0x480
[ 36.485675]  ? fput+0x2b/0x190
[ 36.488849]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.493868]  ? do_syscall_64+0x21/0x620
[ 36.497830]  do_syscall_64+0xf9/0x620
[ 36.501616]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.506805] RIP: 0033:0x4443e9
[ 36.510033] Code: 8d d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.528922] RSP: 002b:00007ffd7b091d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[ 36.536611] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004443e9
[ 36.543906] RDX: 0000000000490400 RSI: 0000000020000100 RDI: 0000000000000005
[ 36.551158] RBP: 00000000006cf018 R08: 00007ffd00000015 R09: 00000000004002e0
[ 36.558494] R10: 00007ffd7b091be0 R11: 0000000000000246 R12: 0000000000401fd0
[ 36.565743] R13: 0000000000402060 R14: 0000000000000000 R15: 0000000000000000
[ 36.573760] Kernel Offset: disabled
[ 36.577371] Rebooting in 86400 seconds..
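The numbers KASAN prints in the report above can be re-derived from its "Memory state" rows, which is a useful sanity check when triaging a syzbot crash. The C program below is an added example, not part of the syzkaller report or of the kernel: it embeds the five shadow rows, the faulting address ffff88809f047ab8, the object address ffff88809f047a80 and the kmalloc-32 size printed above, and reproduces what KASAN concluded: the shadow byte under the access is 0xfc (a kmalloc redzone), so the first bad byte is the access address itself; the access lies 24 bytes past the end of the 32-byte object; and only 13 bytes of that object were ever addressable, which fits the kstrdup in the "Allocated by" stack rather than anything squashfs allocated. The shadow encoding and the partial-granule rule are those of generic KASAN (mm/kasan/kasan.h); the function and macro names are the example's own.

```c
/* Decoder for the "Memory state around the buggy address" rows of a KASAN
 * report. Added example, not part of the syzkaller report or of the kernel: it
 * embeds the shadow rows, faulting address and object bounds printed above and
 * re-derives KASAN's conclusions from them. Shadow encoding is generic KASAN's
 * (mm/kasan/kasan.h): one shadow byte per 8-byte granule; 00 = all 8 bytes
 * addressable, 01..07 = only the first N bytes addressable, fb = freed kmalloc
 * object, fc = kmalloc redzone (fa global redzone, fe page redzone, ff freed page). */
#include <stdint.h>
#include <stdlib.h>

#define SHADOW_SCALE     8                 /* memory bytes per shadow byte */
#define SHADOW_ROW_BYTES 16                /* shadow bytes printed per row */
#define BUG_ADDR   0xffff88809f047ab8ULL   /* "Read of size 8 at addr ..." */
#define BUG_SIZE   8
#define OBJ_ADDR   0xffff88809f047a80ULL   /* "object at ..." */
#define CACHE_SIZE 32                      /* "cache kmalloc-32 of size 32" */

/* Shadow rows copied from the report above ('>' marker dropped). */
static const char *report_rows[] = {
    "ffff88809f047980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc",
    "ffff88809f047a00: 00 00 02 fc fc fc fc fc 00 01 fc fc fc fc fc fc",
    "ffff88809f047a80: 00 05 fc fc fc fc fc fc 00 fc fc fc fc fc fc fc",
    "ffff88809f047b00: fb fb fb fb fc fc fc fc 00 07 fc fc fc fc fc fc",
    "ffff88809f047b80: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc",
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

struct shadow_row {
    uint64_t base;                    /* address of the row's first granule */
    uint8_t shadow[SHADOW_ROW_BYTES];
};
static struct shadow_row rows[NROWS];     /* parsed lazily by shadow_at() */

/* Parse "addr: b0 b1 ... b15"; 0 on success, -1 if malformed. */
int parse_shadow_row(const char *line, struct shadow_row *out)
{
    char *end, *next;
    out->base = strtoull(line, &end, 16);
    if (end == line || *end++ != ':')
        return -1;
    for (int i = 0; i < SHADOW_ROW_BYTES; i++, end = next) {
        unsigned long v = strtoul(end, &next, 16);
        if (next == end || v > 0xff)
            return -1;
        out->shadow[i] = (uint8_t)v;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if no row covers it (or a row is malformed). */
int shadow_at(uint64_t addr)
{
    for (size_t i = 0; i < NROWS; i++) {
        if (rows[i].base == 0 && parse_shadow_row(report_rows[i], &rows[i]) != 0)
            return -1;
        /* unsigned subtraction: addresses below base wrap to a huge offset */
        if (addr - rows[i].base < SHADOW_ROW_BYTES * SHADOW_SCALE)
            return rows[i].shadow[(addr - rows[i].base) / SHADOW_SCALE];
    }
    return -1;
}

/* 1 if the byte at addr is poisoned, 0 if addressable, -1 if unknown: the
 * per-byte test KASAN applies before reporting. */
int byte_is_poisoned(uint64_t addr)
{
    int s = shadow_at(addr);
    if (s <= 0)
        return s;
    return s >= SHADOW_SCALE || (int)(addr % SHADOW_SCALE) >= s;
}

/* First poisoned byte of the access [addr, addr+size), 0 if it is clean: the
 * address KASAN prints in "Read of size N at addr ...". */
uint64_t first_bad_addr(uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (byte_is_poisoned(addr + i) == 1)
            return addr + i;
    return 0;
}

/* Addressable bytes from obj onward: the size KASAN recorded for the kmalloc
 * request, which can be much smaller than the slab cache's object size. */
size_t addressable_len(uint64_t obj)
{
    size_t len = 0;
    while (byte_is_poisoned(obj + len) == 0)
        len++;
    return len;
}

/* Signed distance from the slab object [obj, obj+size): negative = bytes to the
 * left, 0 = inside, positive = the "N bytes to the right of" KASAN prints. */
int64_t object_distance(uint64_t addr, uint64_t obj, size_t size)
{
    if (addr < obj)
        return -(int64_t)(obj - addr);
    return addr < obj + size ? 0 : (int64_t)(addr - (obj + size));
}
```

Calling first_bad_addr(BUG_ADDR, BUG_SIZE), object_distance(BUG_ADDR, OBJ_ADDR, CACHE_SIZE) and addressable_len(OBJ_ADDR) gives ffff88809f047ab8, 24 and 13 respectively, matching the report. Two caveats for whoever triages this. The object KASAN describes is simply the kmalloc-32 slot whose redzone the address landed in; the "Allocated by" and "Freed by" stacks (a kernfs name kstrdup'd from cgroup_mkdir, a kfree from single_release) are that slot's history, and nothing in the report ties them to the squashfs read, so they are not where the bug is. The path that matters is in the call trace: open_by_handle_at (ORIG_RAX 0x130, syscall 304 on x86_64) -> do_handle_open -> exportfs_decode_fh -> squashfs_fh_to_dentry -> squashfs_export_iget, an 8-byte read driven by a file handle supplied from user space; that is the code to inspect for the bounds problem, keeping in mind that open_by_handle_at requires CAP_DAC_READ_SEARCH, which limits who can reach it.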