Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.63' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.491079] BFS-fs: bfs_fill_super(): loop0 is unclean, continuing
[ 27.498921] ==================================================================
[ 27.506374] BUG: KASAN: slab-out-of-bounds in find_first_zero_bit+0x84/0x90
[ 27.513473] Read of size 8 at addr ffff8880afeab100 by task syz-executor333/7969
[ 27.521010]
[ 27.522630] CPU: 0 PID: 7969 Comm: syz-executor333 Not tainted 4.14.290-syzkaller #0
[ 27.530482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 27.539811] Call Trace:
[ 27.542383]  dump_stack+0x1b2/0x281
[ 27.545991]  print_address_description.cold+0x54/0x1d3
[ 27.551246]  kasan_report_error.cold+0x8a/0x191
[ 27.555902]  ? find_first_zero_bit+0x84/0x90
[ 27.560290]  __asan_report_load8_noabort+0x68/0x70
[ 27.565206]  ? do_raw_spin_unlock+0xc0/0x220
[ 27.569595]  ? find_first_zero_bit+0x84/0x90
[ 27.573995]  find_first_zero_bit+0x84/0x90
[ 27.578205]  bfs_create+0xfb/0x620
[ 27.581722]  ? security_inode_permission+0xb5/0xf0
[ 27.586642]  vfs_create+0x3e3/0x620
[ 27.590247]  SyS_mknodat+0x2f4/0x470
[ 27.593938]  ? do_file_open_root+0x490/0x490
[ 27.598322]  ? __close_fd+0x159/0x230
[ 27.602108]  ? do_syscall_64+0x4c/0x640
[ 27.606058]  ? do_file_open_root+0x490/0x490
[ 27.610442]  do_syscall_64+0x1d5/0x640
[ 27.614310]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.619475] RIP: 0033:0x7f96cb7b0dd9
[ 27.623158] RSP: 002b:00007ffde01b3aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000103
[ 27.630842] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96cb7b0dd9
[ 27.638086] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 27.645338] RBP: 00007f96cb770670 R08: 0000000000000000 R09: 0000000000000000
[ 27.652584] R10: 0000000000000701 R11: 0000000000000246 R12: 00007f96cb770700
[ 27.659829] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 27.667078]
[ 27.668680] Allocated by task 7969:
[ 27.672282]  kasan_kmalloc+0xeb/0x160
[ 27.676056]  __kmalloc+0x15a/0x400
[ 27.679579]  bfs_fill_super+0x3d5/0xd80
[ 27.683527]  mount_bdev+0x2b3/0x360
[ 27.687130]  mount_fs+0x92/0x2a0
[ 27.690483]  vfs_kern_mount.part.0+0x5b/0x470
[ 27.694949]  do_mount+0xe65/0x2a30
[ 27.698459]  SyS_mount+0xa8/0x120
[ 27.701899]  do_syscall_64+0x1d5/0x640
[ 27.705760]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.710923]
[ 27.712525] Freed by task 1:
[ 27.715522]  kasan_slab_free+0xc3/0x1a0
[ 27.719471]  kfree+0xc9/0x250
[ 27.722550]  aa_free_task_context+0xda/0x130
[ 27.726937]  apparmor_cred_free+0x34/0x70
[ 27.731061]  security_cred_free+0x71/0xb0
[ 27.735181]  put_cred_rcu+0xe3/0x300
[ 27.738868]  rcu_process_callbacks+0x780/0x1180
[ 27.743511]  __do_softirq+0x24d/0x9ff
[ 27.747279]
[ 27.748884] The buggy address belongs to the object at ffff8880afeab100
[ 27.748884]  which belongs to the cache kmalloc-32 of size 32
[ 27.761340] The buggy address is located 0 bytes inside of
[ 27.761340]  32-byte region [ffff8880afeab100, ffff8880afeab120)
[ 27.772924] The buggy address belongs to the page:
[ 27.777828] page:ffffea0002bfaac0 count:1 mapcount:0 mapping:ffff8880afeab000 index:0xffff8880afeabfc1
[ 27.787244] flags: 0xfff00000000100(slab)
[ 27.791366] raw: 00fff00000000100 ffff8880afeab000 ffff8880afeabfc1 000000010000003f
[ 27.799218] raw: ffffea0002bfa5e0 ffffea0002be19e0 ffff88813fe741c0 0000000000000000
[ 27.807068] page dumped because: kasan: bad access detected
[ 27.812748]
[ 27.814466] Memory state around the buggy address:
[ 27.819366]  ffff8880afeab000: fb fb fb fb fc fc fc fc 00 03 fc fc fc fc fc fc
[ 27.826698]  ffff8880afeab080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 27.834029] >ffff8880afeab100: 07 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 27.841362]                    ^
[ 27.844704]  ffff8880afeab180: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc
[ 27.852055]  ffff8880afeab200: 06 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 27.859387] ==================================================================
[ 27.866719] Disabling lock debugging due to kernel taint
[ 27.876744] Kernel panic - not syncing: panic_on_warn set ...
[ 27.876744]
[ 27.884113] CPU: 1 PID: 7969 Comm: syz-executor333 Tainted: G B 4.14.290-syzkaller #0
[ 27.893192] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 27.902559] Call Trace:
[ 27.905123]  dump_stack+0x1b2/0x281
[ 27.908724]  panic+0x1f9/0x42d
[ 27.911891]  ? add_taint.cold+0x16/0x16
[ 27.915841]  ? ___preempt_schedule+0x16/0x18
[ 27.920224]  kasan_end_report+0x43/0x49
[ 27.924169]  kasan_report_error.cold+0xa7/0x191
[ 27.928809]  ? find_first_zero_bit+0x84/0x90
[ 27.933204]  __asan_report_load8_noabort+0x68/0x70
[ 27.938116]  ? do_raw_spin_unlock+0xc0/0x220
[ 27.942498]  ? find_first_zero_bit+0x84/0x90
[ 27.946879]  find_first_zero_bit+0x84/0x90
[ 27.951088]  bfs_create+0xfb/0x620
[ 27.954617]  ? security_inode_permission+0xb5/0xf0
[ 27.959517]  vfs_create+0x3e3/0x620
[ 27.963129]  SyS_mknodat+0x2f4/0x470
[ 27.966828]  ? do_file_open_root+0x490/0x490
[ 27.971207]  ? __close_fd+0x159/0x230
[ 27.974981]  ? do_syscall_64+0x4c/0x640
[ 27.978925]  ? do_file_open_root+0x490/0x490
[ 27.983306]  do_syscall_64+0x1d5/0x640
[ 27.987169]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.992332] RIP: 0033:0x7f96cb7b0dd9
[ 27.996033] RSP: 002b:00007ffde01b3aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000103
[ 28.003711] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96cb7b0dd9
[ 28.010953] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[ 28.018195] RBP: 00007f96cb770670 R08: 0000000000000000 R09: 0000000000000000
[ 28.025437] R10: 0000000000000701 R11: 0000000000000246 R12: 00007f96cb770700
[ 28.032678] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 28.040132] Kernel Offset: disabled
[ 28.043738] Rebooting in 86400 seconds..