Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   42.297183] ==================================================================
[   42.304662] BUG: KASAN: use-after-free in fuse_copy_do+0x34a/0x430
[   42.310965] Read of size 256 at addr ffff88809d072590 by task syz-executor416/8196
[   42.318649]
[   42.320264] CPU: 0 PID: 8196 Comm: syz-executor416 Not tainted 4.19.211-syzkaller #0
[   42.328214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   42.337563] Call Trace:
[   42.340140]  dump_stack+0x1fc/0x2ef
[   42.343759]  print_address_description.cold+0x54/0x219
[   42.349032]  kasan_report_error.cold+0x8a/0x1b9
[   42.353693]  ? fuse_copy_do+0x34a/0x430
[   42.357648]  kasan_report+0x8f/0xa0
[   42.361266]  ? fuse_copy_do+0x34a/0x430
[   42.365223]  memcpy+0x20/0x50
[   42.368312]  fuse_copy_do+0x34a/0x430
[   42.372098]  fuse_copy_args+0x1fa/0x530
[   42.376154]  ? do_raw_spin_unlock+0x171/0x230
[   42.380645]  ? fuse_copy_page+0x2770/0x2770
[   42.384952]  ? lock_acquire+0x170/0x3c0
[   42.389008]  ? memcpy+0x35/0x50
[   42.392283]  ? fuse_copy_do+0x282/0x430
[   42.396248]  fuse_dev_do_read+0x15ac/0x20e0
[   42.400715]  ? aa_file_perm+0x3f0/0xd20
[   42.404675]  ? fuse_request_send+0x90/0x90
[   42.408908]  ? lock_downgrade+0x720/0x720
[   42.413047]  ? check_preemption_disabled+0x41/0x280
[   42.418152]  ? check_preemption_disabled+0x41/0x280
[   42.423241]  ? aa_file_perm+0x417/0xd20
[   42.427196]  fuse_dev_read+0x156/0x1f0
[   42.431071]  ? fuse_dev_splice_read+0x680/0x680
[   42.435728]  ? iov_iter_init+0xb8/0x1d0
[   42.439700]  __vfs_read+0x518/0x750
[   42.443320]  ? __se_sys_copy_file_range+0x410/0x410
[   42.448323]  ? security_file_permission+0x1c0/0x220
[   42.453322]  vfs_read+0x194/0x3c0
[   42.456860]  ksys_read+0x12b/0x2a0
[   42.460482]  ? kernel_write+0x110/0x110
[   42.464442]  ? trace_hardirqs_off_caller+0x6e/0x210
[   42.469441]  ? do_syscall_64+0x21/0x620
[   42.473401]  do_syscall_64+0xf9/0x620
[   42.477185]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.482362] RIP: 0033:0x7f9b0a3b61d9
[   42.486067] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   42.504950] RSP: 002b:00007f9b0a3032f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   42.512639] RAX: ffffffffffffffda RBX: 00007f9b0a4474f0 RCX: 00007f9b0a3b61d9
[   42.519889] RDX: 0000000000002020 RSI: 0000000020002140 RDI: 0000000000000003
[   42.527198] RBP: 00007f9b0a41428c R08: 0000000000000000 R09: 0000000000000000
[   42.534536] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9b0a40e168
[   42.541789] R13: 00007f9b0a410280 R14: 00007f9b0a412288 R15: 00007f9b0a4474f8
[   42.549045]
[   42.550654] Allocated by task 8160:
[   42.554279]  __kmalloc+0x15a/0x3c0
[   42.557812]  __d_alloc+0x636/0xa10
[   42.561337]  d_alloc+0x4a/0x230
[   42.564600]  d_alloc_parallel+0xeb/0x19e0
[   42.568728]  __lookup_slow+0x18d/0x4a0
[   42.572627]  walk_component+0x7ac/0xda0
[   42.576579]  path_lookupat+0x1ff/0x8d0
[   42.580446]  filename_lookup+0x1ac/0x5a0
[   42.584489]  do_mount+0x147/0x2f50
[   42.588007]  ksys_mount+0xcf/0x130
[   42.591535]  __x64_sys_mount+0xba/0x150
[   42.595504]  do_syscall_64+0xf9/0x620
[   42.599286]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.604627]
[   42.606230] Freed by task 0:
[   42.609233]  kfree+0xcc/0x210
[   42.612328]  rcu_process_callbacks+0x8ff/0x18b0
[   42.616974]  __do_softirq+0x265/0x980
[   42.620748]
[   42.622362] The buggy address belongs to the object at ffff88809d072580
[   42.622362]  which belongs to the cache kmalloc-512 of size 512
[   42.635171] The buggy address is located 16 bytes inside of
[   42.635171]  512-byte region [ffff88809d072580, ffff88809d072780)
[   42.646938] The buggy address belongs to the page:
[   42.651854] page:ffffea0002741c80 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff88809d072a80
[   42.661282] flags: 0xfff00000000100(slab)
[   42.665416] raw: 00fff00000000100 ffffea000275b7c8 ffffea000275b748 ffff88813bff0940
[   42.673805] raw: ffff88809d072a80 ffff88809d072080 0000000100000004 0000000000000000
[   42.681772] page dumped because: kasan: bad access detected
[   42.687469]
[   42.689163] Memory state around the buggy address:
[   42.694075]  ffff88809d072480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.701424]  ffff88809d072500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.708894] >ffff88809d072580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.716240]                    ^
[   42.720292]  ffff88809d072600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.727721]  ffff88809d072680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.735150] ==================================================================
[   42.743486] Disabling lock debugging due to kernel taint
[   42.749139] Kernel panic - not syncing: panic_on_warn set ...
[   42.749139]
[   42.756683] CPU: 0 PID: 8196 Comm: syz-executor416 Tainted: G    B             4.19.211-syzkaller #0
[   42.765947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   42.775311] Call Trace:
[   42.777902]  dump_stack+0x1fc/0x2ef
[   42.781555]  panic+0x26a/0x50e
[   42.784751]  ? __warn_printk+0xf3/0xf3
[   42.788821]  ? retint_kernel+0x2d/0x2d
[   42.792706]  ? trace_hardirqs_on+0x55/0x210
[   42.797101]  kasan_end_report+0x43/0x49
[   42.801784]  kasan_report_error.cold+0xa7/0x1b9
[   42.806435]  ? fuse_copy_do+0x34a/0x430
[   42.810385]  kasan_report+0x8f/0xa0
[   42.814012]  ? fuse_copy_do+0x34a/0x430
[   42.817970]  memcpy+0x20/0x50
[   42.821070]  fuse_copy_do+0x34a/0x430
[   42.825038]  fuse_copy_args+0x1fa/0x530
[   42.829252]  ? do_raw_spin_unlock+0x171/0x230
[   42.833728]  ? fuse_copy_page+0x2770/0x2770
[   42.838027]  ? lock_acquire+0x170/0x3c0
[   42.842019]  ? memcpy+0x35/0x50
[   42.845652]  ? fuse_copy_do+0x282/0x430
[   42.849618]  fuse_dev_do_read+0x15ac/0x20e0
[   42.853932]  ? aa_file_perm+0x3f0/0xd20
[   42.857895]  ? fuse_request_send+0x90/0x90
[   42.862126]  ? lock_downgrade+0x720/0x720
[   42.866273]  ? check_preemption_disabled+0x41/0x280
[   42.871287]  ? check_preemption_disabled+0x41/0x280
[   42.876305]  ? aa_file_perm+0x417/0xd20
[   42.880266]  fuse_dev_read+0x156/0x1f0
[   42.884150]  ? fuse_dev_splice_read+0x680/0x680
[   42.888807]  ? iov_iter_init+0xb8/0x1d0
[   42.892764]  __vfs_read+0x518/0x750
[   42.896378]  ? __se_sys_copy_file_range+0x410/0x410
[   42.901573]  ? security_file_permission+0x1c0/0x220
[   42.906575]  vfs_read+0x194/0x3c0
[   42.910009]  ksys_read+0x12b/0x2a0
[   42.913531]  ? kernel_write+0x110/0x110
[   42.917501]  ? trace_hardirqs_off_caller+0x6e/0x210
[   42.922498]  ? do_syscall_64+0x21/0x620
[   42.926461]  do_syscall_64+0xf9/0x620
[   42.930259]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.935433] RIP: 0033:0x7f9b0a3b61d9
[   42.939133] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   42.958214] RSP: 002b:00007f9b0a3032f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   42.966071] RAX: ffffffffffffffda RBX: 00007f9b0a4474f0 RCX: 00007f9b0a3b61d9
[   42.973329] RDX: 0000000000002020 RSI: 0000000020002140 RDI: 0000000000000003
[   42.980586] RBP: 00007f9b0a41428c R08: 0000000000000000 R09: 0000000000000000
[   42.987898] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9b0a40e168
[   42.995266] R13: 00007f9b0a410280 R14: 00007f9b0a412288 R15: 00007f9b0a4474f8
[   43.002704] Kernel Offset: disabled
[   43.006323] Rebooting in 86400 seconds..