Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.630074] ==================================================================
[ 27.637763] BUG: KASAN: slab-out-of-bounds in pdu_read+0x94/0x100
[ 27.643989] Read of size 65419 at addr ffff8880a2b0852d by task syz-executor206/7992
[ 27.651848]
[ 27.653475] CPU: 1 PID: 7992 Comm: syz-executor206 Not tainted 4.14.223-syzkaller #0
[ 27.661333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.670668] Call Trace:
[ 27.673241]  dump_stack+0x1b2/0x281
[ 27.676847]  print_address_description.cold+0x54/0x1d3
[ 27.682102]  kasan_report_error.cold+0x8a/0x191
[ 27.686769]  ? pdu_read+0x94/0x100
[ 27.690289]  kasan_report+0x6f/0x80
[ 27.693898]  ? pdu_read+0x94/0x100
[ 27.697419]  memcpy+0x20/0x50
[ 27.700504]  pdu_read+0x94/0x100
[ 27.703851]  p9pdu_readf+0x381/0x1970
[ 27.707631]  ? p9_client_prepare_req.part.0+0xb60/0xb60
[ 27.712975]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 27.717987]  ? p9pdu_writef+0xd0/0xd0
[ 27.721768]  ? p9_fd_poll+0x237/0x2e0
[ 27.725550]  ? p9_fd_create+0x293/0x3b0
[ 27.729521]  ? p9_fd_create_tcp+0x440/0x440
[ 27.733824]  p9_client_create+0x9b2/0x12c0
[ 27.738041]  ? p9_client_flush+0x4c0/0x4c0
[ 27.742260]  ? __lockdep_init_map+0x100/0x560
[ 27.746755]  ? __raw_spin_lock_init+0x28/0x100
[ 27.751321]  v9fs_session_init+0x1c5/0x1540
[ 27.755623]  ? pcpu_alloc+0xbe0/0xf50
[ 27.759406]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 27.764231]  ? v9fs_show_options+0x6b0/0x6b0
[ 27.768623]  ? v9fs_mount+0x54/0x860
[ 27.772317]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.777747]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.782757]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 27.787594]  v9fs_mount+0x73/0x860
[ 27.791118]  ? alloc_pages_current+0x15d/0x260
[ 27.795681]  ? __lockdep_init_map+0x100/0x560
[ 27.800157]  mount_fs+0x92/0x2a0
[ 27.803507]  vfs_kern_mount.part.0+0x5b/0x470
[ 27.807981]  do_mount+0xe53/0x2a00
[ 27.811501]  ? do_raw_spin_unlock+0x164/0x220
[ 27.815978]  ? copy_mount_string+0x40/0x40
[ 27.820192]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.825187]  ? copy_mnt_ns+0xa30/0xa30
[ 27.829054]  ? copy_mount_options+0x1fa/0x2f0
[ 27.833542]  ? copy_mnt_ns+0xa30/0xa30
[ 27.837410]  SyS_mount+0xa8/0x120
[ 27.840856]  ? copy_mnt_ns+0xa30/0xa30
[ 27.844732]  do_syscall_64+0x1d5/0x640
[ 27.848602]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.853779] RIP: 0033:0x445c19
[ 27.856948] RSP: 002b:00007f66686d5308 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 27.864635] RAX: ffffffffffffffda RBX: 00000000004cb508 RCX: 0000000000445c19
[ 27.871886] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 27.879137] RBP: 00000000004cb500 R08: 00000000200001c0 R09: 0000000000000000
[ 27.886395] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cb50c
[ 27.893646] R13: 000000000049b07c R14: 64663d736e617274 R15: 0000000000022000
[ 27.901075]
[ 27.902681] Allocated by task 7992:
[ 27.906302]  kasan_kmalloc+0xeb/0x160
[ 27.910084]  __kmalloc+0x15a/0x400
[ 27.913603]  p9_fcall_alloc+0x19/0x90
[ 27.917383]  p9_client_prepare_req.part.0+0x7f8/0xb60
[ 27.922552]  p9_client_rpc+0x170/0x1520
[ 27.926518]  p9_client_create+0x92f/0x12c0
[ 27.930734]  v9fs_session_init+0x1c5/0x1540
[ 27.935034]  v9fs_mount+0x73/0x860
[ 27.938570]  mount_fs+0x92/0x2a0
[ 27.941931]  vfs_kern_mount.part.0+0x5b/0x470
[ 27.946404]  do_mount+0xe53/0x2a00
[ 27.949922]  SyS_mount+0xa8/0x120
[ 27.953364]  do_syscall_64+0x1d5/0x640
[ 27.957316]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.962491]
[ 27.964097] Freed by task 4599:
[ 27.967366]  kasan_slab_free+0xc3/0x1a0
[ 27.971342]  kfree+0xc9/0x250
[ 27.974428]  devkmsg_release+0xb3/0xe0
[ 27.978294]  __fput+0x25f/0x7a0
[ 27.981553]  task_work_run+0x11f/0x190
[ 27.985434]  do_exit+0xa44/0x2850
[ 27.988882]  do_group_exit+0x100/0x2e0
[ 27.992773]  SyS_exit_group+0x19/0x20
[ 27.996551]  do_syscall_64+0x1d5/0x640
[ 28.000420]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.005583]
[ 28.007189] The buggy address belongs to the object at ffff8880a2b08500
[ 28.007189]  which belongs to the cache kmalloc-16384 of size 16384
[ 28.020169] The buggy address is located 45 bytes inside of
[ 28.020169]  16384-byte region [ffff8880a2b08500, ffff8880a2b0c500)
[ 28.032105] The buggy address belongs to the page:
[ 28.037013] page:ffffea00028ac200 count:1 mapcount:0 mapping:ffff8880a2b08500 index:0x0 compound_mapcount: 0
[ 28.046958] flags: 0xfff00000008100(slab|head)
[ 28.051519] raw: 00fff00000008100 ffff8880a2b08500 0000000000000000 0000000100000001
[ 28.059396] raw: ffffea00028ab220 ffffea00028a7420 ffff88813fe08200 0000000000000000
[ 28.067251] page dumped because: kasan: bad access detected
[ 28.072934]
[ 28.074541] Memory state around the buggy address:
[ 28.079461]  ffff8880a2b0a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.086797]  ffff8880a2b0a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.094307] >ffff8880a2b0a500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.101641]                                ^
[ 28.106029]  ffff8880a2b0a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.113365]  ffff8880a2b0a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.120719] ==================================================================
[ 28.128054] Disabling lock debugging due to kernel taint
[ 28.136239] Kernel panic - not syncing: panic_on_warn set ...
[ 28.136239]
[ 28.143612] CPU: 1 PID: 7992 Comm: syz-executor206 Tainted: G    B   4.14.223-syzkaller #0
[ 28.152696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.162036] Call Trace:
[ 28.164603]  dump_stack+0x1b2/0x281
[ 28.168212]  panic+0x1f9/0x42d
[ 28.171379]  ? add_taint.cold+0x16/0x16
[ 28.175328]  ? ___preempt_schedule+0x16/0x18
[ 28.179733]  kasan_end_report+0x43/0x49
[ 28.183684]  kasan_report_error.cold+0xa7/0x191
[ 28.188331]  ? pdu_read+0x94/0x100
[ 28.191844]  kasan_report+0x6f/0x80
[ 28.195449]  ? pdu_read+0x94/0x100
[ 28.198972]  memcpy+0x20/0x50
[ 28.202058]  pdu_read+0x94/0x100
[ 28.205402]  p9pdu_readf+0x381/0x1970
[ 28.209195]  ? p9_client_prepare_req.part.0+0xb60/0xb60
[ 28.214538]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 28.219531]  ? p9pdu_writef+0xd0/0xd0
[ 28.223307]  ? p9_fd_poll+0x237/0x2e0
[ 28.227085]  ? p9_fd_create+0x293/0x3b0
[ 28.231033]  ? p9_fd_create_tcp+0x440/0x440
[ 28.235348]  p9_client_create+0x9b2/0x12c0
[ 28.239573]  ? p9_client_flush+0x4c0/0x4c0
[ 28.243810]  ? __lockdep_init_map+0x100/0x560
[ 28.248293]  ? __raw_spin_lock_init+0x28/0x100
[ 28.252855]  v9fs_session_init+0x1c5/0x1540
[ 28.257156]  ? pcpu_alloc+0xbe0/0xf50
[ 28.260935]  ? gfp_pfmemalloc_allowed+0x150/0x150
[ 28.265755]  ? v9fs_show_options+0x6b0/0x6b0
[ 28.270161]  ? v9fs_mount+0x54/0x860
[ 28.273854]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.279329]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 28.284325]  ? kmem_cache_alloc_trace+0x36c/0x3d0
[ 28.289192]  v9fs_mount+0x73/0x860
[ 28.292713]  ? alloc_pages_current+0x15d/0x260
[ 28.297289]  ? __lockdep_init_map+0x100/0x560
[ 28.301760]  mount_fs+0x92/0x2a0
[ 28.305113]  vfs_kern_mount.part.0+0x5b/0x470
[ 28.309611]  do_mount+0xe53/0x2a00
[ 28.313148]  ? do_raw_spin_unlock+0x164/0x220
[ 28.317777]  ? copy_mount_string+0x40/0x40
[ 28.321990]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 28.327039]  ? copy_mnt_ns+0xa30/0xa30
[ 28.330905]  ? copy_mount_options+0x1fa/0x2f0
[ 28.335383]  ? copy_mnt_ns+0xa30/0xa30
[ 28.339250]  SyS_mount+0xa8/0x120
[ 28.342718]  ? copy_mnt_ns+0xa30/0xa30
[ 28.346604]  do_syscall_64+0x1d5/0x640
[ 28.350473]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.355643] RIP: 0033:0x445c19
[ 28.358830] RSP: 002b:00007f66686d5308 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 28.366541] RAX: ffffffffffffffda RBX: 00000000004cb508 RCX: 0000000000445c19
[ 28.373807] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 28.381055] RBP: 00000000004cb500 R08: 00000000200001c0 R09: 0000000000000000
[ 28.388302] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cb50c
[ 28.395567] R13: 000000000049b07c R14: 64663d736e617274 R15: 0000000000022000
[ 28.403643] Kernel Offset: disabled
[ 28.407256] Rebooting in 86400 seconds..