[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.1' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   28.748498] ==================================================================
[   28.755961] BUG: KASAN: slab-out-of-bounds in squashfs_export_iget+0x22f/0x250
[   28.763319] Read of size 8 at addr ffff8880b2f75af8 by task syz-executor936/7988
[   28.770835] 
[   28.772440] CPU: 0 PID: 7988 Comm: syz-executor936 Not tainted 4.14.206-syzkaller #0
[   28.780301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.789631] Call Trace:
[   28.792196]  dump_stack+0x1b2/0x283
[   28.795820]  print_address_description.cold+0x54/0x1d3
[   28.801073]  kasan_report_error.cold+0x8a/0x194
[   28.805721]  ? squashfs_export_iget+0x22f/0x250
[   28.810401]  __asan_report_load8_noabort+0x68/0x70
[   28.815311]  ? squashfs_export_iget+0x22f/0x250
[   28.819972]  squashfs_export_iget+0x22f/0x250
[   28.824440]  ? squashfs_readdir.cold+0x4b/0x4b
[   28.829000]  squashfs_fh_to_dentry+0x5f/0x90
[   28.833394]  exportfs_decode_fh+0x113/0x6bc
[   28.837709]  ? squashfs_get_parent+0xa0/0xa0
[   28.842104]  ? drop_caches_sysctl_handler.cold+0x76/0x76
[   28.847532]  ? reconnect_path+0x730/0x730
[   28.851755]  ? trace_hardirqs_on+0x10/0x10
[   28.855973]  ? locks_remove_posix+0x242/0x4b0
[   28.860441]  ? do_lock_file_wait+0x210/0x210
[   28.864839]  ? trace_hardirqs_on+0x10/0x10
[   28.869051]  ? __might_fault+0x104/0x1b0
[   28.873087]  ? lock_acquire+0x170/0x3f0
[   28.877038]  ? lock_downgrade+0x740/0x740
[   28.881164]  ? __might_fault+0x177/0x1b0
[   28.885208]  do_handle_open+0x248/0x570
[   28.889164]  ? fput+0xb/0x140
[   28.892247]  ? SyS_name_to_handle_at+0x3f0/0x3f0
[   28.896976]  ? __close_fd+0x159/0x230
[   28.900751]  ? do_syscall_64+0x4c/0x640
[   28.904698]  ? do_handle_open+0x570/0x570
[   28.908837]  do_syscall_64+0x1d5/0x640
[   28.912738]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.917911] RIP: 0033:0x4443e9
[   28.921081] RSP: 002b:00007ffc966f52b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[   28.928763] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004443e9
[   28.936020] RDX: 0000000000490400 RSI: 0000000020000100 RDI: 0000000000000005
[   28.943281] RBP: 00000000006cf018 R08: 00007ffc00000015 R09: 00000000004002e0
[   28.950525] R10: 00007ffc966f5160 R11: 0000000000000246 R12: 0000000000401fd0
[   28.957771] R13: 0000000000402060 R14: 0000000000000000 R15: 0000000000000000
[   28.965116] 
[   28.966728] Allocated by task 7988:
[   28.970334]  kasan_kmalloc+0xeb/0x160
[   28.974108]  __kmalloc+0x15a/0x400
[   28.977623]  squashfs_read_table+0x76/0x18d
[   28.981927]  squashfs_read_inode_lookup_table+0x95/0xe0
[   28.987278]  squashfs_fill_super+0xcef/0x1aa0
[   28.991747]  mount_bdev+0x2b3/0x360
[   28.995346]  mount_fs+0x92/0x2a0
[   28.998697]  vfs_kern_mount.part.0+0x5b/0x470
[   29.003176]  do_mount+0xe53/0x2a00
[   29.006693]  SyS_mount+0xa8/0x120
[   29.010121]  do_syscall_64+0x1d5/0x640
[   29.013992]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.019160] 
[   29.020767] Freed by task 7988:
[   29.024022]  kasan_slab_free+0xc3/0x1a0
[   29.027977]  kfree+0xc9/0x250
[   29.031055]  squashfs_read_table+0x127/0x18d
[   29.035437]  squashfs_read_inode_lookup_table+0x95/0xe0
[   29.040777]  squashfs_fill_super+0xcef/0x1aa0
[   29.045304]  mount_bdev+0x2b3/0x360
[   29.048974]  mount_fs+0x92/0x2a0
[   29.052336]  vfs_kern_mount.part.0+0x5b/0x470
[   29.056813]  do_mount+0xe53/0x2a00
[   29.060332]  SyS_mount+0xa8/0x120
[   29.063761]  do_syscall_64+0x1d5/0x640
[   29.067626]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.072786] 
[   29.074389] The buggy address belongs to the object at ffff8880b2f75ac0
[   29.074389]  which belongs to the cache kmalloc-32 of size 32
[   29.086861] The buggy address is located 24 bytes to the right of
[   29.086861]  32-byte region [ffff8880b2f75ac0, ffff8880b2f75ae0)
[   29.099068] The buggy address belongs to the page:
[   29.103973] page:ffffea0002cbdd40 count:1 mapcount:0 mapping:ffff8880b2f75000 index:0xffff8880b2f75fc1
[   29.113393] flags: 0xfff00000000100(slab)
[   29.117522] raw: 00fff00000000100 ffff8880b2f75000 ffff8880b2f75fc1 000000010000003f
[   29.125377] raw: ffffea0002cbd8e0 ffff88813fe80248 ffff88813fe821c0 0000000000000000
[   29.133250] page dumped because: kasan: bad access detected
[   29.138935] 
[   29.140536] Memory state around the buggy address:
[   29.145459]  ffff8880b2f75980: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[   29.152796]  ffff8880b2f75a00: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[   29.160128] >ffff8880b2f75a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   29.167475]                                                                ^
[   29.174736]  ffff8880b2f75b00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   29.182070]  ffff8880b2f75b80: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[   29.189413] ==================================================================
[   29.196757] Disabling lock debugging due to kernel taint
[   29.204850] Kernel panic - not syncing: panic_on_warn set ...
[   29.204850] 
[   29.212368] CPU: 1 PID: 7988 Comm: syz-executor936 Tainted: G    B             4.14.206-syzkaller #0
[   29.221456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.230890] Call Trace:
[   29.233472]  dump_stack+0x1b2/0x283
[   29.237074]  panic+0x1f9/0x42d
[   29.240239]  ? add_taint.cold+0x16/0x16
[   29.244304]  ? ___preempt_schedule+0x16/0x18
[   29.248700]  kasan_end_report+0x43/0x49
[   29.252647]  kasan_report_error.cold+0xa7/0x194
[   29.257290]  ? squashfs_export_iget+0x22f/0x250
[   29.261930]  __asan_report_load8_noabort+0x68/0x70
[   29.266832]  ? squashfs_export_iget+0x22f/0x250
[   29.271486]  squashfs_export_iget+0x22f/0x250
[   29.275955]  ? squashfs_readdir.cold+0x4b/0x4b
[   29.280512]  squashfs_fh_to_dentry+0x5f/0x90
[   29.284984]  exportfs_decode_fh+0x113/0x6bc
[   29.289288]  ? squashfs_get_parent+0xa0/0xa0
[   29.293681]  ? drop_caches_sysctl_handler.cold+0x76/0x76
[   29.299104]  ? reconnect_path+0x730/0x730
[   29.303228]  ? trace_hardirqs_on+0x10/0x10
[   29.307434]  ? locks_remove_posix+0x242/0x4b0
[   29.311901]  ? do_lock_file_wait+0x210/0x210
[   29.316282]  ? trace_hardirqs_on+0x10/0x10
[   29.320490]  ? __might_fault+0x104/0x1b0
[   29.324536]  ? lock_acquire+0x170/0x3f0
[   29.328496]  ? lock_downgrade+0x740/0x740
[   29.332618]  ? __might_fault+0x177/0x1b0
[   29.336651]  do_handle_open+0x248/0x570
[   29.340614]  ? fput+0xb/0x140
[   29.343689]  ? SyS_name_to_handle_at+0x3f0/0x3f0
[   29.348429]  ? __close_fd+0x159/0x230
[   29.352202]  ? do_syscall_64+0x4c/0x640
[   29.356149]  ? do_handle_open+0x570/0x570
[   29.360268]  do_syscall_64+0x1d5/0x640
[   29.364223]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.369386] RIP: 0033:0x4443e9
[   29.372549] RSP: 002b:00007ffc966f52b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000130
[   29.380232] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004443e9
[   29.387477] RDX: 0000000000490400 RSI: 0000000020000100 RDI: 0000000000000005
[   29.394815] RBP: 00000000006cf018 R08: 00007ffc00000015 R09: 00000000004002e0
[   29.402072] R10: 00007ffc966f5160 R11: 0000000000000246 R12: 0000000000401fd0
[   29.409327] R13: 0000000000402060 R14: 0000000000000000 R15: 0000000000000000
[   29.417382] Kernel Offset: disabled
[   29.421016] Rebooting in 86400 seconds..