UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000) ================================================================== BUG: KASAN: slab-out-of-bounds in udf_get_fileident+0x233/0x250 fs/udf/directory.c:176 Read of size 2 at addr ffff8880977b9ffc by task syz-executor721/8110 CPU: 0 PID: 8110 Comm: syz-executor721 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443 udf_get_fileident+0x233/0x250 fs/udf/directory.c:176 udf_fileident_read+0x550/0x1930 fs/udf/directory.c:37 udf_readdir+0x559/0x1350 fs/udf/dir.c:129 iterate_dir+0x473/0x5c0 fs/readdir.c:51 ksys_getdents64+0x175/0x2b0 fs/readdir.c:357 __do_sys_getdents64 fs/readdir.c:376 [inline] __se_sys_getdents64 fs/readdir.c:373 [inline] __x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:373 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f173bc1b219 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffec75c0be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f173bc1b219 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007f173bbd3000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f173bbd3090 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 6152: kmem_cache_alloc+0x122/0x370 mm/slab.c:3559 shmem_alloc_inode+0x18/0x40 mm/shmem.c:3609 alloc_inode+0x5d/0x180 fs/inode.c:211 new_inode_pseudo fs/inode.c:911 [inline] new_inode+0x1d/0xf0 fs/inode.c:940 shmem_get_inode+0x96/0x8d0 mm/shmem.c:2196 shmem_mknod+0x5a/0x1f0 mm/shmem.c:2843 lookup_open+0x893/0x1a20 fs/namei.c:3235 do_last fs/namei.c:3327 [inline] path_openat+0x1094/0x2df0 fs/namei.c:3537 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_sys_open+0x3b3/0x520 fs/open.c:1085 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8880977b9a60 which belongs to the cache shmem_inode_cache of size 1200 The buggy address is located 236 bytes to the right of 1200-byte region [ffff8880977b9a60, ffff8880977b9f10) The buggy address belongs to the page: page:ffffea00025dee40 count:1 mapcount:0 mapping:ffff8880b59c36c0 index:0xffff8880977b9ffd flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea000260f208 ffffea000262d5c8 ffff8880b59c36c0 raw: ffff8880977b9ffd ffff8880977b9000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880977b9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880977b9f00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880977b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880977ba000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880977ba080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ==================================================================