[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 36.021340] ==================================================================
[ 36.028814] BUG: KASAN: use-after-free in squashfs_get_id+0x1ae/0x1d0
[ 36.035396] Read of size 8 at addr ffff8880a9f9d400 by task syz-executor999/8155
[ 36.042922]
[ 36.044582] CPU: 0 PID: 8155 Comm: syz-executor999 Not tainted 4.19.157-syzkaller #0
[ 36.052461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.061809] Call Trace:
[ 36.064381] dump_stack+0x1fc/0x2fe
[ 36.067992] print_address_description.cold+0x54/0x219
[ 36.073254] kasan_report_error.cold+0x8a/0x1c7
[ 36.077906] ? squashfs_get_id+0x1ae/0x1d0
[ 36.082145] __asan_report_load8_noabort+0x88/0x90
[ 36.087080] ? squashfs_get_id+0x1ae/0x1d0
[ 36.092267] squashfs_get_id+0x1ae/0x1d0
[ 36.096328] ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 36.102033] ? squashfs_read_metadata+0x2f9/0x460
[ 36.106868] squashfs_read_inode+0x1b4/0x1b40
[ 36.111349] ? lock_downgrade+0x720/0x720
[ 36.115491] ? squashfs_read_id_index_table+0x120/0x120
[ 36.120838] ? map_id_range_down+0x1c4/0x340
[ 36.125231] ? new_inode+0xc7/0xf0
[ 36.128770] ? do_raw_spin_lock+0xcb/0x220
[ 36.132988] ? do_raw_spin_unlock+0x171/0x230
[ 36.137465] squashfs_fill_super+0x1655/0x1c00
[ 36.142040] mount_bdev+0x2fc/0x3b0
[ 36.145648] ? squashfs_alloc_inode+0x40/0x40
[ 36.150132] mount_fs+0xa3/0x30c
[ 36.153484] vfs_kern_mount.part.0+0x68/0x470
[ 36.157975] do_mount+0x113c/0x2f10
[ 36.161586] ? lock_acquire+0x170/0x3c0
[ 36.165540] ? check_preemption_disabled+0x41/0x280
[ 36.170553] ? copy_mount_string+0x40/0x40
[ 36.174781] ? copy_mount_options+0x59/0x380
[ 36.179171] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 36.184168] ? kmem_cache_alloc_trace+0x323/0x380
[ 36.188994] ? copy_mount_options+0x26f/0x380
[ 36.193471] ksys_mount+0xcf/0x130
[ 36.196993] __x64_sys_mount+0xba/0x150
[ 36.200949] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 36.205515] do_syscall_64+0xf9/0x620
[ 36.209654] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.214841] RIP: 0033:0x446d1a
[ 36.218015] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 36.236910] RSP: 002b:00007ffeaacb9378 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 36.244611] RAX: ffffffffffffffda RBX: 00007ffeaacb93d0 RCX: 0000000000446d1a
[ 36.251874] RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007ffeaacb9390
[ 36.259143] RBP: 00007ffeaacb9390 R08: 00007ffeaacb93d0 R09: 00007ffe00000015
[ 36.266392] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 36.273640] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 36.280911]
[ 36.282540] Allocated by task 14:
[ 36.285977] __kmalloc+0x15a/0x3c0
[ 36.289517] usb_hcd_submit_urb+0x656/0x23c0
[ 36.293918] usb_submit_urb+0xb2f/0x13b0
[ 36.297957] usb_start_wait_urb+0x108/0x4c0
[ 36.302259] usb_control_msg+0x31c/0x4a0
[ 36.306315] hub_ext_port_status+0x112/0x4b0
[ 36.310703] hub_activate+0x515/0x19b0
[ 36.314570] process_one_work+0x864/0x1570
[ 36.318782] worker_thread+0x64c/0x1130
[ 36.322750] kthread+0x33f/0x460
[ 36.326097] ret_from_fork+0x24/0x30
[ 36.329784]
[ 36.331387] Freed by task 14:
[ 36.334470] kfree+0xcc/0x210
[ 36.337578] usb_hcd_submit_urb+0xb93/0x23c0
[ 36.341981] usb_submit_urb+0xb2f/0x13b0
[ 36.346033] usb_start_wait_urb+0x108/0x4c0
[ 36.350350] usb_control_msg+0x31c/0x4a0
[ 36.354390] hub_ext_port_status+0x112/0x4b0
[ 36.358790] hub_activate+0x515/0x19b0
[ 36.362675] process_one_work+0x864/0x1570
[ 36.366904] worker_thread+0x64c/0x1130
[ 36.370872] kthread+0x33f/0x460
[ 36.374233] ret_from_fork+0x24/0x30
[ 36.377932]
[ 36.379538] The buggy address belongs to the object at ffff8880a9f9d400
[ 36.379538] which belongs to the cache kmalloc-32 of size 32
[ 36.392001] The buggy address is located 0 bytes inside of
[ 36.392001] 32-byte region [ffff8880a9f9d400, ffff8880a9f9d420)
[ 36.403603] The buggy address belongs to the page:
[ 36.408511] page:ffffea0002a7e740 count:1 mapcount:0 mapping:ffff88813bff01c0 index:0xffff8880a9f9dfc1
[ 36.417933] flags: 0xfff00000000100(slab)
[ 36.422064] raw: 00fff00000000100 ffffea0002a71348 ffff88813bff1238 ffff88813bff01c0
[ 36.429940] raw: ffff8880a9f9dfc1 ffff8880a9f9d000 0000000100000022 0000000000000000
[ 36.437882] page dumped because: kasan: bad access detected
[ 36.443570]
[ 36.445174] Memory state around the buggy address:
[ 36.450082] ffff8880a9f9d300: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 36.457420] ffff8880a9f9d380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 36.464776] >ffff8880a9f9d400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 36.472124] ^
[ 36.475492] ffff8880a9f9d480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 36.482843] ffff8880a9f9d500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 36.490180] ==================================================================
[ 36.497529] Disabling lock debugging due to kernel taint
[ 36.503535] Kernel panic - not syncing: panic_on_warn set ...
[ 36.503535]
[ 36.510912] CPU: 0 PID: 8155 Comm: syz-executor999 Tainted: G B 4.19.157-syzkaller #0
[ 36.520175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.529523] Call Trace:
[ 36.532144] dump_stack+0x1fc/0x2fe
[ 36.535785] panic+0x26a/0x50e
[ 36.538984] ? __warn_printk+0xf3/0xf3
[ 36.542867] ? preempt_schedule_common+0x45/0xc0
[ 36.547604] ? ___preempt_schedule+0x16/0x18
[ 36.551993] ? trace_hardirqs_on+0x55/0x210
[ 36.556312] kasan_end_report+0x43/0x49
[ 36.560311] kasan_report_error.cold+0xa7/0x1c7
[ 36.564964] ? squashfs_get_id+0x1ae/0x1d0
[ 36.569207] __asan_report_load8_noabort+0x88/0x90
[ 36.574122] ? squashfs_get_id+0x1ae/0x1d0
[ 36.578336] squashfs_get_id+0x1ae/0x1d0
[ 36.582379] ? squashfs_read_fragment_index_table+0xf0/0xf0
[ 36.588067] ? squashfs_read_metadata+0x2f9/0x460
[ 36.592891] squashfs_read_inode+0x1b4/0x1b40
[ 36.597367] ? lock_downgrade+0x720/0x720
[ 36.601496] ? squashfs_read_id_index_table+0x120/0x120
[ 36.606841] ? map_id_range_down+0x1c4/0x340
[ 36.611247] ? new_inode+0xc7/0xf0
[ 36.614783] ? do_raw_spin_lock+0xcb/0x220
[ 36.618995] ? do_raw_spin_unlock+0x171/0x230
[ 36.623471] squashfs_fill_super+0x1655/0x1c00
[ 36.628035] mount_bdev+0x2fc/0x3b0
[ 36.631662] ? squashfs_alloc_inode+0x40/0x40
[ 36.636149] mount_fs+0xa3/0x30c
[ 36.639496] vfs_kern_mount.part.0+0x68/0x470
[ 36.643973] do_mount+0x113c/0x2f10
[ 36.647581] ? lock_acquire+0x170/0x3c0
[ 36.651533] ? check_preemption_disabled+0x41/0x280
[ 36.656529] ? copy_mount_string+0x40/0x40
[ 36.660745] ? copy_mount_options+0x59/0x380
[ 36.665135] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 36.670131] ? kmem_cache_alloc_trace+0x323/0x380
[ 36.674954] ? copy_mount_options+0x26f/0x380
[ 36.679429] ksys_mount+0xcf/0x130
[ 36.682957] __x64_sys_mount+0xba/0x150
[ 36.686912] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 36.691474] do_syscall_64+0xf9/0x620
[ 36.695261] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.700430] RIP: 0033:0x446d1a
[ 36.703601] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 36.722493] RSP: 002b:00007ffeaacb9378 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 36.730181] RAX: ffffffffffffffda RBX: 00007ffeaacb93d0 RCX: 0000000000446d1a
[ 36.737430] RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007ffeaacb9390
[ 36.744695] RBP: 00007ffeaacb9390 R08: 00007ffeaacb93d0 R09: 00007ffe00000015
[ 36.751943] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 36.759208] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 36.766874] Kernel Offset: disabled
[ 36.770491] Rebooting in 86400 seconds..