================================================================== BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:38 Read of size 8 at addr ffff888020997d68 by task syz-executor.1/7967 CPU: 0 PID: 7967 Comm: syz-executor.1 Not tainted 5.10.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 squashfs_get_id+0x1ae/0x1d0 fs/squashfs/id.c:38 squashfs_new_inode fs/squashfs/inode.c:51 [inline] squashfs_read_inode+0x1b4/0x1b40 fs/squashfs/inode.c:120 squashfs_fill_super+0x1140/0x23b0 fs/squashfs/super.c:310 get_tree_bdev+0x421/0x740 fs/super.c:1344 vfs_get_tree+0x89/0x2f0 fs/super.c:1549 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x13ad/0x20c0 fs/namespace.c:3205 do_mount fs/namespace.c:3218 [inline] __do_sys_mount fs/namespace.c:3426 [inline] __se_sys_mount fs/namespace.c:3403 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3403 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x46090a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007f0423881a88 EFLAGS: 00000216 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f0423881b20 RCX: 000000000046090a RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007f0423881ae0 RBP: 00007f0423881ae0 R08: 00007f0423881b20 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000216 R12: 0000000020000000 R13: 00000000200000c0 R14: 0000000020000200 R15: 0000000020010200 Allocated by task 1: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:526 [inline] slab_alloc_node mm/slub.c:2891 [inline] slab_alloc mm/slub.c:2899 [inline] __kmalloc_track_caller+0x1dc/0x3d0 mm/slub.c:4464 kstrdup+0x36/0x70 mm/util.c:60 kstrdup_const+0x53/0x80 mm/util.c:83 __kernfs_new_node+0x9d/0x8b0 fs/kernfs/dir.c:623 kernfs_new_node fs/kernfs/dir.c:689 [inline] kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1026 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59 create_dir lib/kobject.c:89 [inline] kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255 kobject_add_varg lib/kobject.c:390 [inline] kobject_add+0x150/0x1c0 lib/kobject.c:442 device_add+0x36d/0x1ce0 drivers/base/core.c:2869 device_create_groups_vargs+0x203/0x280 drivers/base/core.c:3586 device_create+0xdf/0x120 drivers/base/core.c:3628 sound_insert_unit.constprop.0+0x580/0x700 sound/sound_core.c:283 register_sound_special_device+0x119/0x2f0 sound/sound_core.c:411 snd_register_oss_device+0x31c/0x550 sound/core/sound_oss.c:123 register_oss_dsp sound/core/oss/pcm_oss.c:3086 [inline] snd_pcm_oss_register_minor+0x509/0x8d0 sound/core/oss/pcm_oss.c:3100 snd_pcm_dev_register+0x4ea/0x8c0 sound/core/pcm.c:1081 __snd_device_register sound/core/device.c:149 [inline] __snd_device_register sound/core/device.c:145 [inline] snd_device_register_all+0x108/0x1a0 sound/core/device.c:197 snd_card_register+0x102/0x5a0 sound/core/init.c:758 loopback_probe+0xba1/0x10a0 sound/drivers/aloop.c:1742 platform_drv_probe+0xce/0x1a0 drivers/base/platform.c:761 really_probe+0x291/0xde0 drivers/base/dd.c:554 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431 __device_attach+0x228/0x4a0 drivers/base/dd.c:912 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491 device_add+0xbb2/0x1ce0 drivers/base/core.c:2936 platform_device_add+0x363/0x820 drivers/base/platform.c:611 platform_device_register_full+0x3e3/0x550 drivers/base/platform.c:734 platform_device_register_resndata include/linux/platform_device.h:131 [inline] platform_device_register_simple include/linux/platform_device.h:160 [inline] alsa_card_loopback_init+0x12a/0x253 sound/drivers/aloop.c:1815 do_one_initcall+0x103/0x650 init/main.c:1217 do_initcall_level init/main.c:1290 [inline] do_initcalls init/main.c:1306 [inline] do_basic_setup init/main.c:1326 [inline] kernel_init_freeable+0x600/0x684 init/main.c:1526 kernel_init+0xd/0x1b8 init/main.c:1415 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 The buggy address belongs to the object at ffff888020997d48 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 24 bytes to the right of 8-byte region [ffff888020997d48, ffff888020997d50) The buggy address belongs to the page: page:00000000b0ff0cf5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20997 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea00004b96c0 0000000900000009 ffff888010041c80 raw: 0000000000000000 0000000000660066 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888020997c00: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc ffff888020997c80: 00 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc 00 >ffff888020997d00: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc ^ ffff888020997d80: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc ffff888020997e00: fc fc 00 fc fc fc fc 00 fc fc fc fc fa fc fc fc ==================================================================