Warning: Permanently added '10.128.0.228' (ECDSA) to the list of known hosts.
syzkaller login: [ 56.917342] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 57.018149] ==================================================================
[ 57.025747] BUG: KASAN: slab-out-of-bounds in udf_find_entry+0xa33/0x1070
[ 57.032657] Write of size 165 at addr ffff8880a9f1e5da by task syz-executor396/8096
[ 57.040426]
[ 57.042037] CPU: 1 PID: 8096 Comm: syz-executor396 Not tainted 4.19.211-syzkaller #0
[ 57.049895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 57.059223] Call Trace:
[ 57.061794] dump_stack+0x1fc/0x2ef
[ 57.065406] print_address_description.cold+0x54/0x219
[ 57.070664] kasan_report_error.cold+0x8a/0x1b9
[ 57.075311] ? udf_find_entry+0xa33/0x1070
[ 57.079524] kasan_report+0x8f/0xa0
[ 57.083132] ? rcu_read_lock_sched_held+0xa1/0x1d0
[ 57.088040] ? udf_find_entry+0xa33/0x1070
[ 57.092260] memcpy+0x35/0x50
[ 57.095354] udf_find_entry+0xa33/0x1070
[ 57.099399] ? empty_dir+0x7e0/0x7e0
[ 57.103222] ? mark_held_locks+0xf0/0xf0
[ 57.107282] ? fs_reclaim_release+0xd0/0x110
[ 57.111678] udf_lookup+0x156/0x270
[ 57.115291] ? udf_tmpfile+0x190/0x190
[ 57.119161] ? d_alloc+0x6a/0x230
[ 57.122596] ? do_raw_spin_unlock+0x171/0x230
[ 57.127176] ? _raw_spin_unlock+0x29/0x40
[ 57.131305] ? d_alloc+0x1bc/0x230
[ 57.134828] __lookup_hash+0x117/0x180
[ 57.138697] do_unlinkat+0x295/0x660
[ 57.142399] ? __ia32_sys_rmdir+0x40/0x40
[ 57.146530] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 57.151614] ? memcpy+0x35/0x50
[ 57.154878] do_coredump+0x1f9c/0x2d60
[ 57.158750] ? debug_check_no_obj_freed+0x201/0x490
[ 57.163748] ? lock_acquire+0x160/0x3c0
[ 57.167704] ? cn_esc_printf+0x510/0x510
[ 57.171757] ? trace_hardirqs_off+0x64/0x200
[ 57.176168] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 57.181258] ? debug_check_no_obj_freed+0x201/0x490
[ 57.186260] ? check_preemption_disabled+0x41/0x280
[ 57.191266] ? collect_signal+0x2ee/0x580
[ 57.195414] ? collect_signal+0x2ee/0x580
[ 57.199563] ? _raw_spin_unlock_irq+0x24/0x80
[ 57.204071] get_signal+0xed9/0x1f70
[ 57.207776] do_signal+0x8f/0x1670
[ 57.211305] ? kernel_read+0x110/0x110
[ 57.215186] ? setup_sigcontext+0x820/0x820
[ 57.219498] ? vfs_write+0x3d7/0x540
[ 57.223199] ? lock_downgrade+0x720/0x720
[ 57.227338] ? __x64_sys_pwrite64+0x197/0x250
[ 57.231819] ? exit_to_usermode_loop+0x36/0x2a0
[ 57.236473] exit_to_usermode_loop+0x204/0x2a0
[ 57.241045] do_syscall_64+0x538/0x620
[ 57.244921] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.250094] RIP: 0033:0x7f68d25a20b6
[ 57.253964] Code: b8 ff ff ff ff eb b9 e8 c8 39 04 00 0f 1f 84 00 00 00 00 00 49 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 12 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 90 48 83 ec 28 48 89 54 24 10 48 89 74
[ 57.272850] RSP: 002b:00007ffcba4dad98 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
[ 57.280535] RAX: ffffffffffffffe5 RBX: 0000000000000006 RCX: 00007f68d25a20b6
[ 57.287787] RDX: 0000000000000027 RSI: 0000020006000001 RDI: 0000000000000006
[ 57.295038] RBP: 00007ffcba4dadb0 R08: 00007ffcba4dac30 R09: 00005555558f1380
[ 57.302299] R10: 6608000000000014 R11: 0000000000000246 R12: 0000000000000028
[ 57.309559] R13: 0000000000000006 R14: 000000000000001c R15: 00000000200004a0
[ 57.316819]
[ 57.318430] Allocated by task 8096:
[ 57.322054] kmem_cache_alloc_trace+0x12f/0x380
[ 57.326850] udf_find_entry+0xa82/0x1070
[ 57.330892] udf_lookup+0x156/0x270
[ 57.334501] __lookup_hash+0x117/0x180
[ 57.338370] do_unlinkat+0x295/0x660
[ 57.342066] do_coredump+0x1f9c/0x2d60
[ 57.345934] get_signal+0xed9/0x1f70
[ 57.349660] do_signal+0x8f/0x1670
[ 57.353182] exit_to_usermode_loop+0x204/0x2a0
[ 57.357747] do_syscall_64+0x538/0x620
[ 57.361614] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.366778]
[ 57.368404] Freed by task 5233:
[ 57.371663] kfree+0xcc/0x210
[ 57.374752] __do_execve_file+0x171c/0x2360
[ 57.379054] do_execve+0x35/0x50
[ 57.382401] __x64_sys_execve+0x7c/0xa0
[ 57.386365] do_syscall_64+0xf9/0x620
[ 57.390150] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.395422]
[ 57.397039] The buggy address belongs to the object at ffff8880a9f1e580
[ 57.397039] which belongs to the cache kmalloc-256 of size 256
[ 57.409688] The buggy address is located 90 bytes inside of
[ 57.409688] 256-byte region [ffff8880a9f1e580, ffff8880a9f1e680)
[ 57.421462] The buggy address belongs to the page:
[ 57.426814] page:ffffea0002a7c780 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
[ 57.434956] flags: 0xfff00000000100(slab)
[ 57.439089] raw: 00fff00000000100 ffffea0002a6eb48 ffff88813bff1648 ffff88813bff07c0
[ 57.446955] raw: 0000000000000000 ffff8880a9f1e080 000000010000000c 0000000000000000
[ 57.454821] page dumped because: kasan: bad access detected
[ 57.460505]
[ 57.462111] Memory state around the buggy address:
[ 57.467019] ffff8880a9f1e500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 57.474365] ffff8880a9f1e580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 57.481709] >ffff8880a9f1e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
[ 57.489249] ^
[ 57.496508] ffff8880a9f1e680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 57.503852] ffff8880a9f1e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 57.511469] ==================================================================
[ 57.518805] Disabling lock debugging due to kernel taint
[ 57.527414] Kernel panic - not syncing: panic_on_warn set ...
[ 57.527414]
[ 57.536129] CPU: 1 PID: 8096 Comm: syz-executor396 Tainted: G B 4.19.211-syzkaller #0
[ 57.545394] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 57.554737] Call Trace:
[ 57.557310] dump_stack+0x1fc/0x2ef
[ 57.560956] panic+0x26a/0x50e
[ 57.564131] ? __warn_printk+0xf3/0xf3
[ 57.568001] ? preempt_schedule_common+0x45/0xc0
[ 57.572737] ? ___preempt_schedule+0x16/0x18
[ 57.577128] ? trace_hardirqs_on+0x55/0x210
[ 57.581432] kasan_end_report+0x43/0x49
[ 57.585414] kasan_report_error.cold+0xa7/0x1b9
[ 57.590061] ? udf_find_entry+0xa33/0x1070
[ 57.594276] kasan_report+0x8f/0xa0
[ 57.597882] ? rcu_read_lock_sched_held+0xa1/0x1d0
[ 57.602787] ? udf_find_entry+0xa33/0x1070
[ 57.607022] memcpy+0x35/0x50
[ 57.610109] udf_find_entry+0xa33/0x1070
[ 57.614152] ? empty_dir+0x7e0/0x7e0
[ 57.617853] ? mark_held_locks+0xf0/0xf0
[ 57.621896] ? fs_reclaim_release+0xd0/0x110
[ 57.626372] udf_lookup+0x156/0x270
[ 57.629978] ? udf_tmpfile+0x190/0x190
[ 57.633849] ? d_alloc+0x6a/0x230
[ 57.637280] ? do_raw_spin_unlock+0x171/0x230
[ 57.641756] ? _raw_spin_unlock+0x29/0x40
[ 57.645880] ? d_alloc+0x1bc/0x230
[ 57.649399] __lookup_hash+0x117/0x180
[ 57.653263] do_unlinkat+0x295/0x660
[ 57.656954] ? __ia32_sys_rmdir+0x40/0x40
[ 57.661081] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 57.666075] ? memcpy+0x35/0x50
[ 57.669333] do_coredump+0x1f9c/0x2d60
[ 57.673198] ? debug_check_no_obj_freed+0x201/0x490
[ 57.678192] ? lock_acquire+0x160/0x3c0
[ 57.682209] ? cn_esc_printf+0x510/0x510
[ 57.686248] ? trace_hardirqs_off+0x64/0x200
[ 57.690727] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 57.695807] ? debug_check_no_obj_freed+0x201/0x490
[ 57.700804] ? check_preemption_disabled+0x41/0x280
[ 57.705800] ? collect_signal+0x2ee/0x580
[ 57.709938] ? collect_signal+0x2ee/0x580
[ 57.714078] ? _raw_spin_unlock_irq+0x24/0x80
[ 57.718563] get_signal+0xed9/0x1f70
[ 57.722269] do_signal+0x8f/0x1670
[ 57.725788] ? kernel_read+0x110/0x110
[ 57.729660] ? setup_sigcontext+0x820/0x820
[ 57.733963] ? vfs_write+0x3d7/0x540
[ 57.737662] ? lock_downgrade+0x720/0x720
[ 57.741964] ? __x64_sys_pwrite64+0x197/0x250
[ 57.746440] ? exit_to_usermode_loop+0x36/0x2a0
[ 57.751089] exit_to_usermode_loop+0x204/0x2a0
[ 57.755652] do_syscall_64+0x538/0x620
[ 57.759521] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.764686] RIP: 0033:0x7f68d25a20b6
[ 57.768378] Code: b8 ff ff ff ff eb b9 e8 c8 39 04 00 0f 1f 84 00 00 00 00 00 49 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 12 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 90 48 83 ec 28 48 89 54 24 10 48 89 74
[ 57.787260] RSP: 002b:00007ffcba4dad98 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
[ 57.794946] RAX: ffffffffffffffe5 RBX: 0000000000000006 RCX: 00007f68d25a20b6
[ 57.802193] RDX: 0000000000000027 RSI: 0000020006000001 RDI: 0000000000000006
[ 57.809460] RBP: 00007ffcba4dadb0 R08: 00007ffcba4dac30 R09: 00005555558f1380
[ 57.816723] R10: 6608000000000014 R11: 0000000000000246 R12: 0000000000000028
[ 57.823970] R13: 0000000000000006 R14: 000000000000001c R15: 00000000200004a0
[ 57.831381] Kernel Offset: disabled
[ 57.835099] Rebooting in 86400 seconds..