[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.951368] UDF-fs: warning (device loop0): udf_load_vrs: No VRS found
[ 26.958213] UDF-fs: Scanning with blocksize 512 failed
[ 26.965452] UDF-fs: warning (device loop0): udf_load_vrs: No VRS found
[ 26.972535] UDF-fs: Scanning with blocksize 1024 failed
[ 26.978206] UDF-fs: warning (device loop0): udf_load_vrs: No VRS found
[ 26.984937] UDF-fs: Scanning with blocksize 2048 failed
[ 26.990915] UDF-fs: error (device loop0): udf_read_tagged: read failed, block=256, location=256
[ 27.000901] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/17 09:39 (1000)
[ 27.011708] ==================================================================
[ 27.019165] BUG: KASAN: slab-out-of-bounds in udf_get_fileident+0x1ea/0x200
[ 27.026264] Read of size 2 at addr ffff8880b2ce60bc by task syz-executor413/7983
[ 27.033787]
[ 27.035412] CPU: 0 PID: 7983 Comm: syz-executor413 Not tainted 4.14.299-syzkaller #0
[ 27.043279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 27.052622] Call Trace:
[ 27.055200]  dump_stack+0x1b2/0x281
[ 27.058805]  print_address_description.cold+0x54/0x1d3
[ 27.064058]  kasan_report_error.cold+0x8a/0x191
[ 27.068711]  ? udf_get_fileident+0x1ea/0x200
[ 27.073099]  __asan_report_load_n_noabort+0x6b/0x80
[ 27.078187]  ? udf_get_fileident+0x1ea/0x200
[ 27.082578]  udf_get_fileident+0x1ea/0x200
[ 27.086790]  udf_fileident_read+0x4b9/0x1840
[ 27.091176]  ? __lock_acquire+0x5fc/0x3f20
[ 27.095395]  ? udf_get_fileident+0x200/0x200
[ 27.099790]  ? udf_readdir+0x326/0x11f0
[ 27.103739]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.109167]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.114160]  udf_readdir+0x4d0/0x11f0
[ 27.117941]  ? __lock_acquire+0x5fc/0x3f20
[ 27.122152]  ? udf_new_block+0x430/0x430
[ 27.126194]  ? aa_file_perm+0x304/0xab0
[ 27.130187]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 27.135179]  ? trace_hardirqs_on+0x10/0x10
[ 27.139390]  ? aa_path_link+0x3a0/0x3a0
[ 27.143363]  ? __fsnotify_inode_delete+0x20/0x20
[ 27.148105]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[ 27.154753]  ? lock_acquire+0x170/0x3f0
[ 27.158701]  ? iterate_dir+0xbc/0x5e0
[ 27.162477]  iterate_dir+0x1a0/0x5e0
[ 27.166168]  SyS_getdents+0x125/0x240
[ 27.169944]  ? SyS_old_readdir+0x120/0x120
[ 27.174185]  ? compat_filldir+0x340/0x340
[ 27.178314]  ? do_syscall_64+0x4c/0x640
[ 27.182279]  ? SyS_old_readdir+0x120/0x120
[ 27.186490]  do_syscall_64+0x1d5/0x640
[ 27.190359]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.195535]
[ 27.197153] Allocated by task 7983:
[ 27.200762]  kasan_kmalloc+0xeb/0x160
[ 27.204542]  __kmalloc+0x15a/0x400
[ 27.208059]  udf_alloc_i_data+0x1f/0x70
[ 27.212090]  __udf_iget+0x2750/0x3370
[ 27.215886]  udf_lookup+0x1c7/0x210
[ 27.219582]  lookup_open+0x5c4/0x1750
[ 27.223355]  path_openat+0x14bb/0x2970
[ 27.227213]  do_filp_open+0x179/0x3c0
[ 27.231005]  do_sys_open+0x296/0x410
[ 27.234694]  do_syscall_64+0x1d5/0x640
[ 27.238560]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.243724]
[ 27.245327] Freed by task 6274:
[ 27.248601]  kasan_slab_free+0xc3/0x1a0
[ 27.252552]  kfree+0xc9/0x250
[ 27.255630]  kvfree+0x45/0x50
[ 27.258713]  seq_release+0x4f/0x70
[ 27.262227]  kernfs_fop_release+0xdc/0x180
[ 27.266434]  __fput+0x25f/0x7a0
[ 27.269685]  task_work_run+0x11f/0x190
[ 27.273548]  exit_to_usermode_loop+0x1ad/0x200
[ 27.278106]  do_syscall_64+0x4a3/0x640
[ 27.281963]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.287120]
[ 27.288723] The buggy address belongs to the object at ffff8880b2ce6180
[ 27.288723]  which belongs to the cache kmalloc-4096 of size 4096
[ 27.301526] The buggy address is located 196 bytes to the left of
[ 27.301526]  4096-byte region [ffff8880b2ce6180, ffff8880b2ce7180)
[ 27.313937] The buggy address belongs to the page:
[ 27.318852] page:ffffea0002cb3980 count:1 mapcount:0 mapping:ffff8880b2ce6180 index:0x0 compound_mapcount: 0
[ 27.328810] flags: 0xfff00000008100(slab|head)
[ 27.333371] raw: 00fff00000008100 ffff8880b2ce6180 0000000000000000 0000000100000001
[ 27.341225] raw: ffffea0002cd7da0 ffffea0002cca220 ffff88813fe74dc0 0000000000000000
[ 27.349079] page dumped because: kasan: bad access detected
[ 27.354766]
[ 27.356388] Memory state around the buggy address:
[ 27.361308]  ffff8880b2ce5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.368733]  ffff8880b2ce6000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.376068] >ffff8880b2ce6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.383403]                                         ^
[ 27.388567]  ffff8880b2ce6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.395907]  ffff8880b2ce6180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.403237] ==================================================================
[ 27.410667] Disabling lock debugging due to kernel taint
[ 27.416905] Kernel panic - not syncing: panic_on_warn set ...
[ 27.416905]
[ 27.424272] CPU: 0 PID: 7983 Comm: syz-executor413 Tainted: G B 4.14.299-syzkaller #0
[ 27.433443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 27.442784] Call Trace:
[ 27.445348]  dump_stack+0x1b2/0x281
[ 27.448951]  panic+0x1f9/0x42d
[ 27.452117]  ? add_taint.cold+0x16/0x16
[ 27.456065]  ? ___preempt_schedule+0x16/0x18
[ 27.460445]  kasan_end_report+0x43/0x49
[ 27.464392]  kasan_report_error.cold+0xa7/0x191
[ 27.469037]  ? udf_get_fileident+0x1ea/0x200
[ 27.473710]  __asan_report_load_n_noabort+0x6b/0x80
[ 27.478712]  ? udf_get_fileident+0x1ea/0x200
[ 27.483103]  udf_get_fileident+0x1ea/0x200
[ 27.487311]  udf_fileident_read+0x4b9/0x1840
[ 27.491698]  ? __lock_acquire+0x5fc/0x3f20
[ 27.495929]  ? udf_get_fileident+0x200/0x200
[ 27.500332]  ? udf_readdir+0x326/0x11f0
[ 27.504281]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.509710]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.514701]  udf_readdir+0x4d0/0x11f0
[ 27.518478]  ? __lock_acquire+0x5fc/0x3f20
[ 27.522686]  ? udf_new_block+0x430/0x430
[ 27.526725]  ? aa_file_perm+0x304/0xab0
[ 27.530672]  ? debug_check_no_obj_freed+0x2c0/0x680
[ 27.535664]  ? trace_hardirqs_on+0x10/0x10
[ 27.539870]  ? aa_path_link+0x3a0/0x3a0
[ 27.543818]  ? __fsnotify_inode_delete+0x20/0x20
[ 27.548650]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[ 27.555315]  ? lock_acquire+0x170/0x3f0
[ 27.559362]  ? iterate_dir+0xbc/0x5e0
[ 27.563140]  iterate_dir+0x1a0/0x5e0
[ 27.566838]  SyS_getdents+0x125/0x240
[ 27.570627]  ? SyS_old_readdir+0x120/0x120
[ 27.574841]  ? compat_filldir+0x340/0x340
[ 27.578962]  ? do_syscall_64+0x4c/0x640
[ 27.582912]  ? SyS_old_readdir+0x120/0x120
[ 27.587118]  do_syscall_64+0x1d5/0x640
[ 27.590984]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 27.596320] Kernel Offset: disabled
[ 27.599926] Rebooting in 86400 seconds..