[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.090581] UDF-fs: error (device loop0): udf_read_tagged: tag checksum failed, block 96: 0x73 != 0x9b
[ 31.100341] UDF-fs: error (device loop0): udf_process_sequence: Block 96 of volume descriptor sequence is corrupted or we could not read it
[ 31.115703] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 31.126335] ==================================================================
[ 31.133786] BUG: KASAN: slab-out-of-bounds in udf_write_aext+0x6e3/0x7d0
[ 31.140623] Write of size 4 at addr ffff888096b7e770 by task syz-executor132/7976
[ 31.148231]
[ 31.151160] CPU: 1 PID: 7976 Comm: syz-executor132 Not tainted 4.14.302-syzkaller #0
[ 31.159022] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 31.168352] Call Trace:
[ 31.170917] dump_stack+0x1b2/0x281
[ 31.174518] print_address_description.cold+0x54/0x1d3
[ 31.179768] kasan_report_error.cold+0x8a/0x191
[ 31.184413] ? udf_write_aext+0x6e3/0x7d0
[ 31.188534] __asan_report_store_n_noabort+0x6b/0x80
[ 31.193616] ? udf_write_aext+0x6e3/0x7d0
[ 31.197743] udf_write_aext+0x6e3/0x7d0
[ 31.201696] udf_add_entry+0xc54/0x2710
[ 31.205645] ? udf_write_fi+0xe80/0xe80
[ 31.209680] ? udf_new_inode+0x891/0xce0
[ 31.213717] ? lock_acquire+0x170/0x3f0
[ 31.217664] udf_mkdir+0x122/0x620
[ 31.221352] ? putname+0xcd/0x110
[ 31.224779] ? udf_create+0x160/0x160
[ 31.228553] ? map_id_up+0xe9/0x180
[ 31.232155] ? security_inode_permission+0xb5/0xf0
[ 31.237085] ? security_inode_mkdir+0xca/0x100
[ 31.241644] vfs_mkdir+0x463/0x6e0
[ 31.245164] SyS_mkdirat+0x1fd/0x270
[ 31.248878] ? SyS_mknod+0x30/0x30
[ 31.252392] ? do_syscall_64+0x4c/0x640
[ 31.256336] ? SyS_mknod+0x30/0x30
[ 31.259848] do_syscall_64+0x1d5/0x640
[ 31.263714] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.268877] RIP: 0033:0x7fd75fbb4bd9
[ 31.272562] RSP: 002b:00007ffe7dd96a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 31.280243] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd75fbb4bd9
[ 31.287485] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000004
[ 31.294727] RBP: 00007fd75fb741e0 R08: 0000000000000000 R09: 0000000000000000
[ 31.301978] R10: 000000000000002e R11: 0000000000000246 R12: 00007fd75fb74270
[ 31.309307] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.316555]
[ 31.318157] Allocated by task 6203:
[ 31.321805] kasan_kmalloc+0xeb/0x160
[ 31.325609] kmem_cache_alloc_trace+0x131/0x3d0
[ 31.330252] kernfs_fop_open+0x266/0xc40
[ 31.334284] do_dentry_open+0x44b/0xec0
[ 31.338229] vfs_open+0x105/0x220
[ 31.341655] path_openat+0x628/0x2970
[ 31.345429] do_filp_open+0x179/0x3c0
[ 31.349198] do_sys_open+0x296/0x410
[ 31.352886] do_syscall_64+0x1d5/0x640
[ 31.356744] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.361903]
[ 31.363500] Freed by task 6203:
[ 31.366751] kasan_slab_free+0xc3/0x1a0
[ 31.370709] kfree+0xc9/0x250
[ 31.373785] kernfs_fop_release+0x10e/0x180
[ 31.378078] __fput+0x25f/0x7a0
[ 31.381336] task_work_run+0x11f/0x190
[ 31.385195] exit_to_usermode_loop+0x1ad/0x200
[ 31.389746] do_syscall_64+0x4a3/0x640
[ 31.393607] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.398765]
[ 31.400367] The buggy address belongs to the object at ffff888096b7e500
[ 31.400367] which belongs to the cache kmalloc-512 of size 512
[ 31.412992] The buggy address is located 112 bytes to the right of
[ 31.412992] 512-byte region [ffff888096b7e500, ffff888096b7e700)
[ 31.425356] The buggy address belongs to the page:
[ 31.430258] page:ffffea00025adf80 count:1 mapcount:0 mapping:ffff888096b7e000 index:0x0
[ 31.438372] flags: 0xfff00000000100(slab)
[ 31.442493] raw: 00fff00000000100 ffff888096b7e000 0000000000000000 0000000100000006
[ 31.450344] raw: ffffea0002cfc0a0 ffffea0002c5d420 ffff88813fe74940 0000000000000000
[ 31.458196] page dumped because: kasan: bad access detected
[ 31.463877]
[ 31.465478] Memory state around the buggy address:
[ 31.470387] ffff888096b7e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.477718] ffff888096b7e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.485046] >ffff888096b7e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.492375] ^
[ 31.499357] ffff888096b7e780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.506689] ffff888096b7e800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.514016] ==================================================================
[ 31.521343] Disabling lock debugging due to kernel taint
[ 31.537184] Kernel panic - not syncing: panic_on_warn set ...
[ 31.537184]
[ 31.544559] CPU: 0 PID: 7976 Comm: syz-executor132 Tainted: G B 4.14.302-syzkaller #0
[ 31.553641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 31.563000] Call Trace:
[ 31.565568] dump_stack+0x1b2/0x281
[ 31.569180] panic+0x1f9/0x42d
[ 31.572342] ? add_taint.cold+0x16/0x16
[ 31.576373] ? ___preempt_schedule+0x16/0x18
[ 31.580756] kasan_end_report+0x43/0x49
[ 31.584703] kasan_report_error.cold+0xa7/0x191
[ 31.589344] ? udf_write_aext+0x6e3/0x7d0
[ 31.593464] __asan_report_store_n_noabort+0x6b/0x80
[ 31.598540] ? udf_write_aext+0x6e3/0x7d0
[ 31.602659] udf_write_aext+0x6e3/0x7d0
[ 31.606714] udf_add_entry+0xc54/0x2710
[ 31.610682] ? udf_write_fi+0xe80/0xe80
[ 31.614645] ? udf_new_inode+0x891/0xce0
[ 31.618704] ? lock_acquire+0x170/0x3f0
[ 31.622669] udf_mkdir+0x122/0x620
[ 31.626185] ? putname+0xcd/0x110
[ 31.629613] ? udf_create+0x160/0x160
[ 31.633387] ? map_id_up+0xe9/0x180
[ 31.636987] ? security_inode_permission+0xb5/0xf0
[ 31.641890] ? security_inode_mkdir+0xca/0x100
[ 31.646446] vfs_mkdir+0x463/0x6e0
[ 31.649958] SyS_mkdirat+0x1fd/0x270
[ 31.653672] ? SyS_mknod+0x30/0x30
[ 31.657184] ? do_syscall_64+0x4c/0x640
[ 31.661126] ? SyS_mknod+0x30/0x30
[ 31.664635] do_syscall_64+0x1d5/0x640
[ 31.668502] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.673721] RIP: 0033:0x7fd75fbb4bd9
[ 31.677416] RSP: 002b:00007ffe7dd96a98 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 31.685103] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd75fbb4bd9
[ 31.692349] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000004
[ 31.699592] RBP: 00007fd75fb741e0 R08: 0000000000000000 R09: 0000000000000000
[ 31.706836] R10: 000000000000002e R11: 0000000000000246 R12: 00007fd75fb74270
[ 31.714080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.721564] Kernel Offset: disabled
[ 31.725168] Rebooting in 86400 seconds..