Syzkaller hit 'BUG: unable to handle kernel paging request in squashfs_decompress' bug. Head Commit : 841fca5a32cc tag: v5.10.1 git tree : stable kernel config : Attached config.txt console output : BUG: unable to handle page fault for address: ffffc9000014b000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 3c00067 P4D 3c00067 PUD 3dce067 PMD 3dcf067 PTE 0 Oops: 0002 [#1] SMP PTI CPU: 0 PID: 318 Comm: syz-executor186 Not tainted 5.10.1 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014 RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55 Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe RSP: 0018:ffffc9000089f840 EFLAGS: 00010246 RAX: ffffc9000014affe RBX: 0000000000001000 RCX: 0000000000000ffe RDX: 0000000000001000 RSI: ffff888005a34002 RDI: ffffc9000014b000 RBP: ffffc9000089f8b8 R08: 0000000000007368 R09: ffff888005ca1240 R10: ffffffff8157e760 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc9000014affe R14: 0000000000000000 R15: 000000000000236a FS: 00000000019f7380(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000014b000 CR3: 0000000005ada006 CR4: 0000000000370ef0 Call Trace: squashfs_decompress+0x62/0x90 fs/squashfs/decompressor_single.c:70 squashfs_read_data+0x111/0x710 fs/squashfs/block.c:214 squashfs_cache_get+0x198/0x460 fs/squashfs/cache.c:110 squashfs_read_metadata+0xeb/0x1b0 fs/squashfs/cache.c:344 squashfs_xattr_lookup+0x76/0xd0 fs/squashfs/xattr_id.c:38 squashfs_read_inode+0x63d/0xae0 fs/squashfs/inode.c:395 squashfs_iget+0xa8/0xf0 fs/squashfs/inode.c:85 squashfs_lookup+0x42d/0x500 fs/squashfs/namei.c:212 lookup_open fs/namei.c:3083 [inline] open_last_lookups fs/namei.c:3178 [inline] path_openat+0x6ee/0x14a0 fs/namei.c:3366 do_filp_open+0xa7/0x190 
fs/namei.c:3396 do_sys_openat2+0xcc/0x1e0 fs/open.c:1168 do_sys_open fs/open.c:1184 [inline] __do_sys_openat fs/open.c:1200 [inline] __se_sys_openat fs/open.c:1195 [inline] __x64_sys_openat+0x80/0xe0 fs/open.c:1195 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4489fd Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffea7e1498 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000400530 RCX: 00000000004489fd RDX: 0000000000080000 RSI: 0000000020000040 RDI: 0000000000000005 RBP: 0000000000403e50 R08: 0000000000000000 R09: 0000000000400530 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403ef0 R13: 0000000000000000 R14: 00000000004bf018 R15: 0000000000400530 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) CR2: ffffc9000014b000 ---[ end trace ef664778b3add560 ]--- RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55 Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe RSP: 0018:ffffc9000089f840 EFLAGS: 00010246 RAX: ffffc9000014affe RBX: 0000000000001000 RCX: 0000000000000ffe RDX: 0000000000001000 RSI: ffff888005a34002 RDI: ffffc9000014b000 RBP: ffffc9000089f8b8 R08: 0000000000007368 R09: ffff888005ca1240 R10: ffffffff8157e760 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc9000014affe R14: 0000000000000000 R15: 000000000000236a FS: 00000000019f7380(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000014b000 CR3: 0000000005ada006 CR4: 0000000000370ef0 c reproducer : Attached reproduer.c syzkaller reproducer : # {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 
Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} r0 = syz_mount_image$squashfs(&(0x7f0000000000)='squashfs\x00', &(0x7f0000000100)='./file0\x00', 0x7fffffff, 0x1, &(0x7f0000000200)=[{&(0x7f0000010000)="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", 0x1e9}], 0x0, &(0x7f0000010200)=ANY=[]) openat(r0, &(0x7f0000000040)='./file1\x00', 0x80000, 0x0) I haven't seen this entry on the syzkaller dashboard yet; the syzbot tracker thread is at https://groups.google.com/g/syzkaller-bugs/c/WrjySbEAF3s . Palash