[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.115' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.744860] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
[ 34.755223] ==================================================================
[ 34.762698] BUG: KASAN: slab-out-of-bounds in udf_get_fileident+0x233/0x250
[ 34.769795] Read of size 2 at addr ffff8880977b9ffc by task syz-executor721/8110
[ 34.777414]
[ 34.779047] CPU: 0 PID: 8110 Comm: syz-executor721 Not tainted 4.19.211-syzkaller #0
[ 34.786921] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.796256] Call Trace:
[ 34.798831] dump_stack+0x1fc/0x2ef
[ 34.802444] print_address_description.cold+0x54/0x219
[ 34.807702] kasan_report_error.cold+0x8a/0x1b9
[ 34.812350] ? udf_get_fileident+0x233/0x250
[ 34.816744] __asan_report_load_n_noabort+0x8b/0xa0
[ 34.821743] ? unwind_get_return_address+0x70/0x90
[ 34.826652] ? udf_get_fileident+0x233/0x250
[ 34.831055] udf_get_fileident+0x233/0x250
[ 34.835272] udf_fileident_read+0x550/0x1930
[ 34.839662] ? deref_stack_reg+0x1d0/0x1d0
[ 34.843876] ? __unwind_start+0x5b8/0x960
[ 34.848002] ? bpf_prog_kallsyms_find.part.0+0x1ad/0x270
[ 34.853433] ? udf_get_fileident+0x250/0x250
[ 34.857820] ? is_bpf_text_address+0xfc/0x1b0
[ 34.862297] ? kernel_text_address+0xbd/0xf0
[ 34.866693] ? check_preemption_disabled+0x41/0x280
[ 34.871693] ? udf_readdir+0x376/0x1350
[ 34.875647] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 34.880649] udf_readdir+0x559/0x1350
[ 34.884436] ? udf_new_block+0x490/0x490
[ 34.888479] ? aa_path_link+0x410/0x410
[ 34.892430] ? kmem_cache_free+0x7f/0x260
[ 34.896556] ? putname+0xe1/0x120
[ 34.899988] ? do_sys_open+0x2ba/0x520
[ 34.903872] ? do_syscall_64+0xf9/0x620
[ 34.907826] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.913171] ? mark_held_locks+0xf0/0xf0
[ 34.917216] ? mark_held_locks+0xf0/0xf0
[ 34.921261] ? debug_check_no_obj_freed+0x201/0x490
[ 34.926257] ? fsnotify+0x84e/0xe10
[ 34.929864] ? fsnotify_first_mark+0x200/0x200
[ 34.934429] ? lock_acquire+0x170/0x3c0
[ 34.938381] ? iterate_dir+0xd2/0x5c0
[ 34.942166] iterate_dir+0x473/0x5c0
[ 34.945877] ksys_getdents64+0x175/0x2b0
[ 34.949917] ? __ia32_sys_getdents+0xa0/0xa0
[ 34.954306] ? do_sys_open+0x2bf/0x520
[ 34.958172] ? filldir+0x400/0x400
[ 34.961709] ? inode_permission.part.0+0x10c/0x450
[ 34.966630] ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 34.971808] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.977174] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.982173] __x64_sys_getdents64+0x6f/0xb0
[ 34.986476] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 34.991039] do_syscall_64+0xf9/0x620
[ 34.994822] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.999990] RIP: 0033:0x7f173bc1b219
[ 35.003683] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.022564] RSP: 002b:00007ffec75c0be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 35.030251] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f173bc1b219
[ 35.037501] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 35.044751] RBP: 00007f173bbd3000 R08: 0000000000000000 R09: 0000000000000000
[ 35.052001] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f173bbd3090
[ 35.059252] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.066506]
[ 35.068113] Allocated by task 6152:
[ 35.071725] kmem_cache_alloc+0x122/0x370
[ 35.075853] shmem_alloc_inode+0x18/0x40
[ 35.079896] alloc_inode+0x5d/0x180
[ 35.083499] new_inode+0x1d/0xf0
[ 35.086843] shmem_get_inode+0x96/0x8d0
[ 35.090801] shmem_mknod+0x5a/0x1f0
[ 35.094423] lookup_open+0x893/0x1a20
[ 35.098207] path_openat+0x1094/0x2df0
[ 35.102073] do_filp_open+0x18c/0x3f0
[ 35.105851] do_sys_open+0x3b3/0x520
[ 35.109548] do_syscall_64+0xf9/0x620
[ 35.113331] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.118495]
[ 35.120100] Freed by task 0:
[ 35.123093] (stack is not available)
[ 35.126786]
[ 35.128392] The buggy address belongs to the object at ffff8880977b9a60
[ 35.128392]  which belongs to the cache shmem_inode_cache of size 1200
[ 35.141647] The buggy address is located 236 bytes to the right of
[ 35.141647]  1200-byte region [ffff8880977b9a60, ffff8880977b9f10)
[ 35.154103] The buggy address belongs to the page:
[ 35.159013] page:ffffea00025dee40 count:1 mapcount:0 mapping:ffff8880b59c36c0 index:0xffff8880977b9ffd
[ 35.168437] flags: 0xfff00000000100(slab)
[ 35.172568] raw: 00fff00000000100 ffffea000260f208 ffffea000262d5c8 ffff8880b59c36c0
[ 35.180445] raw: ffff8880977b9ffd ffff8880977b9000 0000000100000003 0000000000000000
[ 35.188301] page dumped because: kasan: bad access detected
[ 35.193998]
[ 35.195602] Memory state around the buggy address:
[ 35.200509]  ffff8880977b9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.207845]  ffff8880977b9f00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.215181] >ffff8880977b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.222519]                                                                 ^
[ 35.229769]  ffff8880977ba000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.237112]  ffff8880977ba080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 35.244448] ==================================================================
[ 35.251780] Disabling lock debugging due to kernel taint
[ 35.258561] Kernel panic - not syncing: panic_on_warn set ...
[ 35.258561]
[ 35.265946] CPU: 0 PID: 8110 Comm: syz-executor721 Tainted: G B 4.19.211-syzkaller #0
[ 35.275211] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.284556] Call Trace:
[ 35.287147] dump_stack+0x1fc/0x2ef
[ 35.290789] panic+0x26a/0x50e
[ 35.293980] ? __warn_printk+0xf3/0xf3
[ 35.297864] ? preempt_schedule_common+0x45/0xc0
[ 35.302617] ? ___preempt_schedule+0x16/0x18
[ 35.307021] ? trace_hardirqs_on+0x55/0x210
[ 35.311326] kasan_end_report+0x43/0x49
[ 35.315281] kasan_report_error.cold+0xa7/0x1b9
[ 35.319929] ? udf_get_fileident+0x233/0x250
[ 35.324318] __asan_report_load_n_noabort+0x8b/0xa0
[ 35.329313] ? unwind_get_return_address+0x70/0x90
[ 35.334221] ? udf_get_fileident+0x233/0x250
[ 35.338609] udf_get_fileident+0x233/0x250
[ 35.342821] udf_fileident_read+0x550/0x1930
[ 35.347225] ? deref_stack_reg+0x1d0/0x1d0
[ 35.351440] ? __unwind_start+0x5b8/0x960
[ 35.355570] ? bpf_prog_kallsyms_find.part.0+0x1ad/0x270
[ 35.361013] ? udf_get_fileident+0x250/0x250
[ 35.365398] ? is_bpf_text_address+0xfc/0x1b0
[ 35.369870] ? kernel_text_address+0xbd/0xf0
[ 35.374259] ? check_preemption_disabled+0x41/0x280
[ 35.379265] ? udf_readdir+0x376/0x1350
[ 35.383217] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.388215] udf_readdir+0x559/0x1350
[ 35.391998] ? udf_new_block+0x490/0x490
[ 35.396037] ? aa_path_link+0x410/0x410
[ 35.399988] ? kmem_cache_free+0x7f/0x260
[ 35.404112] ? putname+0xe1/0x120
[ 35.407543] ? do_sys_open+0x2ba/0x520
[ 35.411409] ? do_syscall_64+0xf9/0x620
[ 35.415379] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.420743] ? mark_held_locks+0xf0/0xf0
[ 35.424793] ? mark_held_locks+0xf0/0xf0
[ 35.428836] ? debug_check_no_obj_freed+0x201/0x490
[ 35.433836] ? fsnotify+0x84e/0xe10
[ 35.437443] ? fsnotify_first_mark+0x200/0x200
[ 35.442007] ? lock_acquire+0x170/0x3c0
[ 35.445960] ? iterate_dir+0xd2/0x5c0
[ 35.449742] iterate_dir+0x473/0x5c0
[ 35.453434] ksys_getdents64+0x175/0x2b0
[ 35.457473] ? __ia32_sys_getdents+0xa0/0xa0
[ 35.461858] ? do_sys_open+0x2bf/0x520
[ 35.465725] ? filldir+0x400/0x400
[ 35.469261] ? inode_permission.part.0+0x10c/0x450
[ 35.474187] ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 35.479373] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.484724] ? trace_hardirqs_off_caller+0x6e/0x210
[ 35.489721] __x64_sys_getdents64+0x6f/0xb0
[ 35.494022] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 35.498580] do_syscall_64+0xf9/0x620
[ 35.502359] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.507539] RIP: 0033:0x7f173bc1b219
[ 35.511352] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.530232] RSP: 002b:00007ffec75c0be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 35.537918] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f173bc1b219
[ 35.545194] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 35.552444] RBP: 00007f173bbd3000 R08: 0000000000000000 R09: 0000000000000000
[ 35.559691] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f173bbd3090
[ 35.566936] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.574362] Kernel Offset: disabled
[ 35.577982] Rebooting in 86400 seconds..