[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.79' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.937022][ T8494] ==================================================================
[ 68.945245][ T8494] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0
[ 68.952975][ T8494] Read of size 8 at addr ffff88801cc23830 by task syz-executor046/8494
[ 68.961315][ T8494]
[ 68.963639][ T8494] CPU: 0 PID: 8494 Comm: syz-executor046 Not tainted 5.10.0-rc2-syzkaller #0
[ 68.972423][ T8494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.982602][ T8494] Call Trace:
[ 68.985906][ T8494]  dump_stack+0x107/0x163
[ 68.990225][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 68.995159][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.000080][ T8494]  print_address_description.constprop.0.cold+0xae/0x4c8
[ 69.007084][ T8494]  ? _raw_spin_lock_irqsave+0x4e/0x50
[ 69.012442][ T8494]  ? vprintk_func+0x95/0x1e0
[ 69.019826][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.024743][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.029665][ T8494]  kasan_report.cold+0x1f/0x37
[ 69.034411][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.039333][ T8494]  squashfs_get_id+0x1ae/0x1d0
[ 69.044082][ T8494]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 69.050501][ T8494]  ? squashfs_read_metadata+0x2f9/0x460
[ 69.056040][ T8494]  squashfs_read_inode+0x1b4/0x1b40
[ 69.061242][ T8494]  ? find_held_lock+0x2d/0x110
[ 69.066004][ T8494]  ? squashfs_read_id_index_table+0x120/0x120
[ 69.072071][ T8494]  ? new_inode+0x23b/0x2f0
[ 69.076468][ T8494]  ? lock_downgrade+0x6d0/0x6d0
[ 69.081317][ T8494]  ? do_raw_spin_lock+0x120/0x2b0
[ 69.086336][ T8494]  ? rwlock_bug.part.0+0x90/0x90
[ 69.091258][ T8494]  ? do_raw_spin_unlock+0x171/0x230
[ 69.096436][ T8494]  ? _raw_spin_unlock+0x24/0x40
[ 69.101263][ T8494]  ? new_inode+0x240/0x2f0
[ 69.105663][ T8494]  squashfs_fill_super+0x1140/0x23b0
[ 69.110938][ T8494]  get_tree_bdev+0x421/0x740
[ 69.115509][ T8494]  ? init_once+0x20/0x20
[ 69.119732][ T8494]  vfs_get_tree+0x89/0x2f0
[ 69.124130][ T8494]  path_mount+0x13ad/0x20c0
[ 69.128618][ T8494]  ? strncpy_from_user+0x29e/0x3a0
[ 69.133709][ T8494]  ? finish_automount+0xac0/0xac0
[ 69.138730][ T8494]  ? getname_flags.part.0+0x1dd/0x4f0
[ 69.144105][ T8494]  __x64_sys_mount+0x27f/0x300
[ 69.148849][ T8494]  ? copy_mnt_ns+0xa60/0xa60
[ 69.153423][ T8494]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 69.159299][ T8494]  do_syscall_64+0x2d/0x70
[ 69.163697][ T8494]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.169571][ T8494] RIP: 0033:0x446d4a
[ 69.173449][ T8494] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 69.194973][ T8494] RSP: 002b:00007ffe33247b88 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 69.203983][ T8494] RAX: ffffffffffffffda RBX: 00007ffe33247be0 RCX: 0000000000446d4a
[ 69.213246][ T8494] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe33247ba0
[ 69.221214][ T8494] RBP: 00007ffe33247ba0 R08: 00007ffe33247be0 R09: 00007ffe00000015
[ 69.230039][ T8494] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002
[ 69.237996][ T8494] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 69.245959][ T8494]
[ 69.248273][ T8494] Allocated by task 8410:
[ 69.252622][ T8494]  kasan_save_stack+0x1b/0x40
[ 69.257293][ T8494]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 69.262908][ T8494]  security_prepare_creds+0x10e/0x190
[ 69.268259][ T8494]  prepare_creds+0x4bd/0x6c0
[ 69.272836][ T8494]  do_faccessat+0x3d7/0x820
[ 69.277323][ T8494]  do_syscall_64+0x2d/0x70
[ 69.281735][ T8494]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.287602][ T8494]
[ 69.289915][ T8494] Freed by task 8410:
[ 69.294008][ T8494]  kasan_save_stack+0x1b/0x40
[ 69.298690][ T8494]  kasan_set_track+0x1c/0x30
[ 69.303286][ T8494]  kasan_set_free_info+0x1b/0x30
[ 69.308211][ T8494]  __kasan_slab_free+0x102/0x140
[ 69.313137][ T8494]  slab_free_freelist_hook+0x5d/0x150
[ 69.318491][ T8494]  kfree+0xdb/0x360
[ 69.322297][ T8494]  security_cred_free+0xc3/0x130
[ 69.327215][ T8494]  put_cred_rcu+0x122/0x4a0
[ 69.331714][ T8494]  __put_cred+0x1de/0x250
[ 69.336088][ T8494]  revert_creds+0x1a8/0x1f0
[ 69.340583][ T8494]  do_faccessat+0x2ca/0x820
[ 69.345070][ T8494]  do_syscall_64+0x2d/0x70
[ 69.349480][ T8494]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.355356][ T8494]
[ 69.357675][ T8494] The buggy address belongs to the object at ffff88801cc23820
[ 69.357675][ T8494]  which belongs to the cache kmalloc-8 of size 8
[ 69.371380][ T8494] The buggy address is located 8 bytes to the right of
[ 69.371380][ T8494]  8-byte region [ffff88801cc23820, ffff88801cc23828)
[ 69.384820][ T8494] The buggy address belongs to the page:
[ 69.390438][ T8494] page:00000000204051e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cc23
[ 69.400564][ T8494] flags: 0xfff00000000200(slab)
[ 69.405412][ T8494] raw: 00fff00000000200 ffffea0000823e40 0000000200000002 ffff888010041c80
[ 69.413975][ T8494] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
[ 69.422533][ T8494] page dumped because: kasan: bad access detected
[ 69.428921][ T8494]
[ 69.431229][ T8494] Memory state around the buggy address:
[ 69.438158][ T8494]  ffff88801cc23700: fc fa fc fc fc fc fa fc fc fc fc 00 fc fc fc fc
[ 69.446217][ T8494]  ffff88801cc23780: fa fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa
[ 69.454259][ T8494] >ffff88801cc23800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
[ 69.462383][ T8494]                                      ^
[ 69.468006][ T8494]  ffff88801cc23880: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
[ 69.477262][ T8494]  ffff88801cc23900: fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc fc
[ 69.485507][ T8494] ==================================================================
[ 69.493576][ T8494] Disabling lock debugging due to kernel taint
[ 69.504875][ T8494] Kernel panic - not syncing: panic_on_warn set ...
[ 69.511497][ T8494] CPU: 0 PID: 8494 Comm: syz-executor046 Tainted: G B 5.10.0-rc2-syzkaller #0
[ 69.521637][ T8494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.531692][ T8494] Call Trace:
[ 69.535287][ T8494]  dump_stack+0x107/0x163
[ 69.539881][ T8494]  ? squashfs_get_id+0x150/0x1d0
[ 69.544821][ T8494]  panic+0x306/0x73d
[ 69.548891][ T8494]  ? __warn_printk+0xf3/0xf3
[ 69.553480][ T8494]  ? preempt_schedule_common+0x59/0xc0
[ 69.558938][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.563945][ T8494]  ? preempt_schedule_thunk+0x16/0x18
[ 69.569326][ T8494]  ? trace_hardirqs_on+0x51/0x1c0
[ 69.574355][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.579297][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.584771][ T8494]  end_report+0x58/0x5e
[ 69.588920][ T8494]  kasan_report.cold+0xd/0x37
[ 69.593593][ T8494]  ? squashfs_get_id+0x1ae/0x1d0
[ 69.598522][ T8494]  squashfs_get_id+0x1ae/0x1d0
[ 69.603298][ T8494]  ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 69.609691][ T8494]  ? squashfs_read_metadata+0x2f9/0x460
[ 69.616192][ T8494]  squashfs_read_inode+0x1b4/0x1b40
[ 69.621889][ T8494]  ? find_held_lock+0x2d/0x110
[ 69.626991][ T8494]  ? squashfs_read_id_index_table+0x120/0x120
[ 69.634021][ T8494]  ? new_inode+0x23b/0x2f0
[ 69.638438][ T8494]  ? lock_downgrade+0x6d0/0x6d0
[ 69.643277][ T8494]  ? do_raw_spin_lock+0x120/0x2b0
[ 69.648285][ T8494]  ? rwlock_bug.part.0+0x90/0x90
[ 69.653309][ T8494]  ? do_raw_spin_unlock+0x171/0x230
[ 69.658503][ T8494]  ? _raw_spin_unlock+0x24/0x40
[ 69.663344][ T8494]  ? new_inode+0x240/0x2f0
[ 69.667738][ T8494]  squashfs_fill_super+0x1140/0x23b0
[ 69.673002][ T8494]  get_tree_bdev+0x421/0x740
[ 69.677569][ T8494]  ? init_once+0x20/0x20
[ 69.681801][ T8494]  vfs_get_tree+0x89/0x2f0
[ 69.686196][ T8494]  path_mount+0x13ad/0x20c0
[ 69.690694][ T8494]  ? strncpy_from_user+0x29e/0x3a0
[ 69.695779][ T8494]  ? finish_automount+0xac0/0xac0
[ 69.700786][ T8494]  ? getname_flags.part.0+0x1dd/0x4f0
[ 69.706135][ T8494]  __x64_sys_mount+0x27f/0x300
[ 69.710917][ T8494]  ? copy_mnt_ns+0xa60/0xa60
[ 69.715602][ T8494]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 69.721473][ T8494]  do_syscall_64+0x2d/0x70
[ 69.725867][ T8494]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.731734][ T8494] RIP: 0033:0x446d4a
[ 69.735608][ T8494] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 69.755204][ T8494] RSP: 002b:00007ffe33247b88 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 69.763594][ T8494] RAX: ffffffffffffffda RBX: 00007ffe33247be0 RCX: 0000000000446d4a
[ 69.772162][ T8494] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe33247ba0
[ 69.780111][ T8494] RBP: 00007ffe33247ba0 R08: 00007ffe33247be0 R09: 00007ffe00000015
[ 69.788172][ T8494] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002
[ 69.796484][ T8494] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 69.805979][ T8494] Kernel Offset: disabled
[ 69.810299][ T8494] Rebooting in 86400 seconds..
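Reading the report: it is a slab-out-of-bounds read of 8 bytes in squashfs_get_id, reached from mount(2) (ORIG_RAX 0xa5 on x86-64) through squashfs_fill_super and squashfs_read_inode, so the kernel is resolving the uid/gid index of the root inode of an image the caller supplied, and the 8-byte read is squashfs_get_id indexing the id index table (one 64-bit metadata-block address per group of ids). The "Allocated by task 8410" and "Freed by task 8410" stacks describe the neighbouring freed 8-byte object (a cred security blob from another task's faccessat), not anything squashfs allocated: KASAN prints the history of the object nearest the faulting address, so this is an out-of-bounds read into a stale neighbour, not a squashfs use-after-free. The example below is added here and is neither kernel code nor syzkaller's reproducer: a user-space model of the id index-table lookup, with the unchecked form beside one that rejects any index the superblock never declared. The SQUASHFS_* macros follow the on-disk layout (8 KiB metadata blocks holding 4-byte ids, hence one index entry per 2048 ids); struct model_sb, the arena, the sentinel value and the function names are the example's own.

```c
/*
 * Added example, not kernel code: a user-space model of the index-table
 * lookup behind the KASAN report (squashfs_get_id -> id_table[block]).
 * SQUASHFS_* constants follow the squashfs on-disk layout; everything else
 * (model_sb, the arena, the sentinel, the function names) is constructed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SQUASHFS_METADATA_SIZE  8192u
#define SQUASHFS_IDS_PER_BLOCK  (SQUASHFS_METADATA_SIZE / sizeof(uint32_t))  /* 2048 ids */
#define SQUASHFS_ID_BLOCK(n)    ((n) / SQUASHFS_IDS_PER_BLOCK)
#define SQUASHFS_ID_BLOCKS(n)   (((n) + SQUASHFS_IDS_PER_BLOCK - 1) / SQUASHFS_IDS_PER_BLOCK)

/* Model of per-mount state: the number of uid/gid entries the superblock
 * declares and the index table of 64-bit block addresses, one per
 * SQUASHFS_IDS_PER_BLOCK ids.  Both come from the untrusted image. */
struct model_sb {
	unsigned int ids;
	uint64_t *id_table;
};

/* Model of a slab run: the index table gets exactly the slots it needs and
 * the slot after it holds a sentinel standing in for the neighbouring
 * object that KASAN reported the out-of-bounds read landing on. */
#define ARENA_SLOTS        8
#define NEIGHBOUR_SENTINEL 0xfa0000000000fa00ull   /* constructed marker */
static uint64_t arena[ARENA_SLOTS];

/* Lay out the index table for a superblock declaring `ids` entries.
 * Returns 0, or -E2BIG if the table would not fit the model arena. */
static int model_fill_super(struct model_sb *sb, unsigned int ids, uint64_t first_block)
{
	unsigned int nblocks = SQUASHFS_ID_BLOCKS(ids);
	unsigned int i;

	if (nblocks == 0 || nblocks >= ARENA_SLOTS)
		return -E2BIG;
	memset(arena, 0, sizeof arena);
	for (i = 0; i < nblocks; i++)
		arena[i] = first_block + (uint64_t)i * SQUASHFS_METADATA_SIZE;
	arena[nblocks] = NEIGHBOUR_SENTINEL;   /* the "adjacent slab object" */
	sb->ids = ids;
	sb->id_table = arena;
	return 0;
}

/* Unchecked lookup: `index` is the uid/gid index read straight from an inode
 * on disk.  Once SQUASHFS_ID_BLOCK(index) is past the table's last block the
 * read lands on the neighbouring slot, which is the slab-out-of-bounds the
 * report shows.  The arena guard is model-only so the demo stays memory-safe;
 * the unchecked kernel path has no such backstop. */
static uint64_t lookup_unchecked(const struct model_sb *sb, unsigned int index)
{
	unsigned int block = SQUASHFS_ID_BLOCK(index);

	if (block >= ARENA_SLOTS)
		return 0;
	return sb->id_table[block];
}

/* Hardened lookup: refuse any index the superblock did not declare before
 * touching the table.  Returns 0 and stores the entry, or -EINVAL. */
static int lookup_checked(const struct model_sb *sb, unsigned int index, uint64_t *entry)
{
	if (index >= sb->ids)
		return -EINVAL;
	*entry = sb->id_table[SQUASHFS_ID_BLOCK(index)];
	return 0;
}

int main(void)
{
	struct model_sb sb;
	uint64_t entry = 0;
	/* An image declaring 16 ids gets a one-entry table; an inode carrying an
	 * index in the second block steps 8 bytes past it, as in the report. */
	unsigned int crafted = SQUASHFS_IDS_PER_BLOCK + 7;

	if (model_fill_super(&sb, 16, 0x1000) != 0)
		return 1;
	printf("unchecked index %u -> %#llx (neighbour's bytes)\n",
	       crafted, (unsigned long long)lookup_unchecked(&sb, crafted));
	printf("checked   index %u -> %d (-EINVAL)\n",
	       crafted, lookup_checked(&sb, crafted, &entry));
	printf("checked   index 5 -> %d, entry %#llx\n",
	       lookup_checked(&sb, 5, &entry), (unsigned long long)entry);
	return 0;
}
```

The guard compares the inode's index against the count the superblock declared, which is the only bound the filesystem has for that table; note that it covers the lookup only, so a table whose entries themselves point outside the image would still need validating when the table is read at mount time.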