================================================================== BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:38 Read of size 8 at addr ffff88804e77f8f8 by task syz-executor.3/25799 CPU: 0 PID: 25799 Comm: syz-executor.3 Not tainted 5.9.0-rc5-next-20200921-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fb lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:38 squashfs_new_inode fs/squashfs/inode.c:55 [inline] squashfs_read_inode+0x1d3/0x1940 fs/squashfs/inode.c:120 squashfs_fill_super+0x1079/0x1ed0 fs/squashfs/super.c:310 get_tree_bdev+0x421/0x740 fs/super.c:1342 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 do_new_mount fs/namespace.c:2896 [inline] path_mount+0x12ae/0x1e70 fs/namespace.c:3227 do_mount fs/namespace.c:3240 [inline] __do_sys_mount fs/namespace.c:3448 [inline] __se_sys_mount fs/namespace.c:3425 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x46004a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007f8692b75a88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f8692b75b20 RCX: 000000000046004a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f8692b75ae0 RBP: 00007f8692b75ae0 R08: 00007f8692b75b20 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 0000000020000040 R15: 0000000020000240 Allocated by task 785: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 kmem_cache_alloc_trace+0x1a0/0x480 mm/slab.c:3548 kmalloc include/linux/slab.h:554 [inline] tcf_block_owner_add net/sched/cls_api.c:1276 [inline] tcf_block_get_ext+0x14a/0x17c0 net/sched/cls_api.c:1324 tcf_block_get+0xa5/0xf0 net/sched/cls_api.c:1369 hfsc_init_qdisc+0x155/0x410 net/sched/sch_hfsc.c:1404 qdisc_create+0x4ba/0x1270 net/sched/sch_api.c:1246 tc_modify_qdisc+0x4c8/0x1990 net/sched/sch_api.c:1662 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 ____sys_sendmsg+0x331/0x810 net/socket.c:2362 ___sys_sendmsg+0xf3/0x170 net/socket.c:2416 __sys_sendmmsg+0x196/0x4b0 net/socket.c:2506 __do_sys_sendmmsg net/socket.c:2535 [inline] __se_sys_sendmmsg net/socket.c:2532 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88804e77f8c0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 24 bytes to the right of 32-byte region [ffff88804e77f8c0, ffff88804e77f8e0) The buggy address belongs to the page: page:0000000022176fa3 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804e77ffc1 pfn:0x4e77f flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00028e14c8 ffffea00026ad048 ffff8880aa040100 raw: ffff88804e77ffc1 ffff88804e77f000 0000000100000033 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88804e77f780: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc ffff88804e77f800: 00 fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc >ffff88804e77f880: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc ^ ffff88804e77f900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc ffff88804e77f980: 00 fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc ==================================================================