[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.678845] ==================================================================
[ 29.686395] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[ 29.693325] Read of size 8 at addr ffff8880b50f0c78 by task syz-executor848/7975
[ 29.700905]
[ 29.702519] CPU: 1 PID: 7975 Comm: syz-executor848 Not tainted 4.14.211-syzkaller #0
[ 29.710390] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.719733] Call Trace:
[ 29.722307]  dump_stack+0x1b2/0x283
[ 29.725920]  print_address_description.cold+0x54/0x1d3
[ 29.731178]  kasan_report_error.cold+0x8a/0x194
[ 29.735845]  ? squashfs_get_id+0x181/0x1a0
[ 29.740142]  __asan_report_load8_noabort+0x68/0x70
[ 29.745050]  ? squashfs_get_id+0x181/0x1a0
[ 29.749276]  squashfs_get_id+0x181/0x1a0
[ 29.753315]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[ 29.759010]  ? squashfs_read_metadata+0x2ba/0x430
[ 29.763831]  squashfs_read_inode+0x1b6/0x19e0
[ 29.768322]  ? squashfs_read_id_index_table+0xe0/0xe0
[ 29.773490]  ? new_inode+0xc7/0xf0
[ 29.777008]  ? lock_acquire+0x170/0x3f0
[ 29.780978]  ? do_raw_spin_unlock+0x164/0x220
[ 29.785451]  squashfs_fill_super+0x1501/0x1aa0
[ 29.790014]  mount_bdev+0x2b3/0x360
[ 29.793630]  ? squashfs_alloc_inode+0x40/0x40
[ 29.798111]  mount_fs+0x92/0x2a0
[ 29.801464]  vfs_kern_mount.part.0+0x5b/0x470
[ 29.805940]  do_mount+0xe53/0x2a00
[ 29.809464]  ? copy_mount_string+0x40/0x40
[ 29.813703]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.818697]  ? copy_mnt_ns+0xa30/0xa30
[ 29.822563]  ? copy_mount_options+0x1fa/0x2f0
[ 29.827175]  ? copy_mnt_ns+0xa30/0xa30
[ 29.831040]  SyS_mount+0xa8/0x120
[ 29.834472]  ? copy_mnt_ns+0xa30/0xa30
[ 29.838337]  do_syscall_64+0x1d5/0x640
[ 29.842222]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.847390] RIP: 0033:0x446d2a
[ 29.850557] RSP: 002b:00007ffd1c766eb8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 29.858674] RAX: ffffffffffffffda RBX: 00007ffd1c766f10 RCX: 0000000000446d2a
[ 29.865920] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd1c766ed0
[ 29.873171] RBP: 00007ffd1c766ed0 R08: 00007ffd1c766f10 R09: 00007ffd00000015
[ 29.880418] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000005
[ 29.887669] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 29.895095]
[ 29.896713] Allocated by task 328:
[ 29.900246]  kasan_kmalloc+0xeb/0x160
[ 29.904023]  kmem_cache_alloc_trace+0x131/0x3d0
[ 29.908683]  aa_alloc_task_context+0x4d/0x90
[ 29.913067]  apparmor_cred_prepare+0x1a/0xb0
[ 29.917474]  security_prepare_creds+0x76/0xb0
[ 29.921948]  prepare_creds+0x2ef/0x490
[ 29.925824]  prepare_exec_creds+0xd/0xf0
[ 29.929876]  do_execveat_common+0x32b/0x1f30
[ 29.934259]  do_execve+0x33/0x50
[ 29.937616]  call_usermodehelper_exec_async+0x2ed/0x510
[ 29.942967]  ret_from_fork+0x24/0x30
[ 29.946654]
[ 29.948269] Freed by task 418:
[ 29.951472]  kasan_slab_free+0xc3/0x1a0
[ 29.955435]  kfree+0xc9/0x250
[ 29.958519]  aa_free_task_context+0xda/0x130
[ 29.962918]  apparmor_cred_free+0x34/0x70
[ 29.967059]  security_cred_free+0x71/0xb0
[ 29.971183]  put_cred_rcu+0xe3/0x300
[ 29.975309]  rcu_process_callbacks+0x780/0x1180
[ 29.979967]  __do_softirq+0x254/0xa1d
[ 29.983740]
[ 29.985347] The buggy address belongs to the object at ffff8880b50f0c40
[ 29.985347]  which belongs to the cache kmalloc-32 of size 32
[ 29.997819] The buggy address is located 24 bytes to the right of
[ 29.997819]  32-byte region [ffff8880b50f0c40, ffff8880b50f0c60)
[ 30.010016] The buggy address belongs to the page:
[ 30.014921] page:ffffea0002d43c00 count:1 mapcount:0 mapping:ffff8880b50f0000 index:0xffff8880b50f0fc1
[ 30.024368] flags: 0xfff00000000100(slab)
[ 30.028501] raw: 00fff00000000100 ffff8880b50f0000 ffff8880b50f0fc1 000000010000003f
[ 30.036820] raw: ffffea0002c3a7e0 ffff88813fe81248 ffff88813fe801c0 0000000000000000
[ 30.044693] page dumped because: kasan: bad access detected
[ 30.050380]
[ 30.051999] Memory state around the buggy address:
[ 30.057032]  ffff8880b50f0b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.064381]  ffff8880b50f0b80: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.071715] >ffff8880b50f0c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.079570]                                                                 ^
[ 30.086831]  ffff8880b50f0c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.094164]  ffff8880b50f0d00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 30.101508] ==================================================================
[ 30.108855] Disabling lock debugging due to kernel taint
[ 30.116803] Kernel panic - not syncing: panic_on_warn set ...
[ 30.116803]
[ 30.124180] CPU: 0 PID: 7975 Comm: syz-executor848 Tainted: G B 4.14.211-syzkaller #0
[ 30.133264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.142789] Call Trace:
[ 30.145369]  dump_stack+0x1b2/0x283
[ 30.148988]  panic+0x1f9/0x42d
[ 30.152529]  ? add_taint.cold+0x16/0x16
[ 30.156502]  ? ___preempt_schedule+0x16/0x18
[ 30.160903]  kasan_end_report+0x43/0x49
[ 30.164870]  kasan_report_error.cold+0xa7/0x194
[ 30.169628]  ? squashfs_get_id+0x181/0x1a0
[ 30.173859]  __asan_report_load8_noabort+0x68/0x70
[ 30.178786]  ? squashfs_get_id+0x181/0x1a0
[ 30.183006]  squashfs_get_id+0x181/0x1a0
[ 30.187057]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[ 30.192757]  ? squashfs_read_metadata+0x2ba/0x430
[ 30.197589]  squashfs_read_inode+0x1b6/0x19e0
[ 30.202080]  ? squashfs_read_id_index_table+0xe0/0xe0
[ 30.207333]  ? new_inode+0xc7/0xf0
[ 30.210851]  ? lock_acquire+0x170/0x3f0
[ 30.214808]  ? do_raw_spin_unlock+0x164/0x220
[ 30.219454]  squashfs_fill_super+0x1501/0x1aa0
[ 30.224014]  mount_bdev+0x2b3/0x360
[ 30.227617]  ? squashfs_alloc_inode+0x40/0x40
[ 30.232089]  mount_fs+0x92/0x2a0
[ 30.235448]  vfs_kern_mount.part.0+0x5b/0x470
[ 30.239921]  do_mount+0xe53/0x2a00
[ 30.243460]  ? copy_mount_string+0x40/0x40
[ 30.248118]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.253117]  ? copy_mnt_ns+0xa30/0xa30
[ 30.257018]  ? copy_mount_options+0x1fa/0x2f0
[ 30.261489]  ? copy_mnt_ns+0xa30/0xa30
[ 30.265354]  SyS_mount+0xa8/0x120
[ 30.268783]  ? copy_mnt_ns+0xa30/0xa30
[ 30.272763]  do_syscall_64+0x1d5/0x640
[ 30.276637]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.281848] RIP: 0033:0x446d2a
[ 30.285031] RSP: 002b:00007ffd1c766eb8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 30.292713] RAX: ffffffffffffffda RBX: 00007ffd1c766f10 RCX: 0000000000446d2a
[ 30.299977] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd1c766ed0
[ 30.307261] RBP: 00007ffd1c766ed0 R08: 00007ffd1c766f10 R09: 00007ffd00000015
[ 30.314599] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000005
[ 30.321861] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 30.329694] Kernel Offset: disabled
[ 30.333334] Rebooting in 86400 seconds..