audit: type=1804 audit(1667606454.638:8): pid=10448 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir2010140751/syzkaller.qGHbDf/9/file0" dev="sda1" ino=13971 res=1
==================================================================
BUG: KASAN: slab-out-of-bounds in udf_write_aext+0x847/0x860 fs/udf/inode.c:2059
Write of size 4 at addr ffff88809f3292b8 by task syz-executor.0/10459

CPU: 0 PID: 10459 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
IPVS: ftp: loaded support on port[0] = 21
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_store_n_noabort+0x8b/0xa0 mm/kasan/report.c:449
 udf_write_aext+0x847/0x860 fs/udf/inode.c:2059
 udf_add_entry+0xdab/0x2a20 fs/udf/namei.c:496
 udf_mkdir+0x145/0x650 fs/udf/namei.c:693
 vfs_mkdir+0x508/0x7a0 fs/namei.c:3819
 do_mkdirat+0x262/0x2d0 fs/namei.c:3842
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fac57c065a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fac56137168 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00007fac57d27120 RCX: 00007fac57c065a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280
RBP: 00007fac57c617b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdfa67095f R14: 00007fac56137300 R15: 0000000000022000

Allocated by task 10454:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 ops_init+0xfe/0x410 net/core/net_namespace.c:119
 setup_net+0x2c2/0x720 net/core/net_namespace.c:316
 copy_net_ns+0x1f7/0x340 net/core/net_namespace.c:439
 create_new_namespaces+0x3f6/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:206
 ksys_unshare+0x36c/0x9a0 kernel/fork.c:2542
 __do_sys_unshare kernel/fork.c:2610 [inline]
 __se_sys_unshare kernel/fork.c:2608 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2608
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8136:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:563 [inline]
 skb_release_data+0x6de/0x920 net/core/skbuff.c:583
 skb_release_all net/core/skbuff.c:640 [inline]
 __kfree_skb net/core/skbuff.c:654 [inline]
 consume_skb+0x113/0x3d0 net/core/skbuff.c:714
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x4dd/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 __sys_sendto+0x21a/0x320 net/socket.c:1899
 __do_sys_sendto net/socket.c:1911 [inline]
 __se_sys_sendto net/socket.c:1907 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1907
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809f329040
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 120 bytes to the right of
 512-byte region [ffff88809f329040, ffff88809f329240)
The buggy address belongs to the page:
page:ffffea00027cca40 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00027c8cc8 ffffea00027c4648 ffff88813bff0940
raw: 0000000000000000 ffff88809f329040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f329180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f329200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff88809f329280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                        ^
 ffff88809f329300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f329380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
loop5: rw=1, want=2151, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2153, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2156, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2158, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2159, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2162, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2163, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2164, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2166, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2167, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2169, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2171, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2173, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2174, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2175, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2180, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2181, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2182, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2183, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2190, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2193, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2195, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2197, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2199, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2203, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2207, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2210, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2211, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2215, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2218, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2219, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2223, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2225, limit=2047
attempt to access beyond end of device
loop5: rw=1, want=2226, limit=2047
audit: type=1804 audit(1667606455.838:9): pid=10495 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir1788183562/syzkaller.lEOzGl/7/file0/bus" dev="ramfs" ino=33151 res=1
audit: type=1804 audit(1667606455.858:10): pid=10495 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir1788183562/syzkaller.lEOzGl/7/file0/bus" dev="ramfs" ino=33151 res=1
audit: type=1804 audit(1667606456.068:11): pid=10505 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir1788183562/syzkaller.lEOzGl/8/bus" dev="sda1" ino=13989 res=1
audit: type=1804 audit(1667606456.098:12): pid=10504 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir1788183562/syzkaller.lEOzGl/8/bus" dev="sda1" ino=13989 res=1
IPVS: ftp: loaded support on port[0] = 21
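Added example, not part of the syzkaller report above and not kernel or syzkaller code: a small Python triage helper that parses the KASAN section (REPORT is a constructed copy of the lines above, trimmed to what the helper reads) and recomputes what the report asserts. It derives the faulting address's position relative to the 512-byte region from the raw addresses (120 bytes past its end, matching the report's own arithmetic), decodes the shadow byte covering it (0xfc, a kmalloc redzone, with the next addressable 8-byte block at ffff88809f3292c0), and checks whether the object's "Allocated by"/"Freed by" stacks come from the same subsystem as the faulting frame. All function, key and regex names are this script's own.

```python
"""KASAN slab-out-of-bounds triage helper.

Added example: not part of the syzkaller report above and not kernel or
syzkaller code. REPORT is a constructed copy of that report, trimmed to the
lines this helper consumes; every name below is this script's own.
"""
import re
from typing import Optional

REPORT = """\
BUG: KASAN: slab-out-of-bounds in udf_write_aext+0x847/0x860 fs/udf/inode.c:2059
Write of size 4 at addr ffff88809f3292b8 by task syz-executor.0/10459

Allocated by task 10454:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kzalloc include/linux/slab.h:709 [inline]
 ops_init+0xfe/0x410 net/core/net_namespace.c:119

Freed by task 8136:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:563 [inline]

The buggy address is located 120 bytes to the right of
 512-byte region [ffff88809f329040, ffff88809f329240)

Memory state around the buggy address:
 ffff88809f329200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff88809f329280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                        ^
"""

SHADOW_SCALE = 8  # generic KASAN: one shadow byte covers 8 bytes of memory
# Shadow values from mm/kasan/kasan.h of the 4.19-era kernel; 1..7 mean
# "only the first N bytes of the 8-byte block are addressable".
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "global redzone",
                 0xfb: "kmalloc freed (use-after-free)", 0xfc: "kmalloc redzone",
                 0xfe: "page redzone", 0xff: "freed page", 0xf8: "use-after-scope"}

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<src>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
REGION_RE = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
CLAIM_RE = re.compile(r"located (?P<n>\d+) bytes (?:to the (?P<side>left|right) of|inside of)")
SHADOW_RE = re.compile(r"^[ >](?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$", re.M)


def shadow_meaning(b: int) -> str:
    if 1 <= b <= 7:
        return f"partially addressable (first {b} of 8 bytes)"
    return SHADOW_LEGEND.get(b, f"unknown 0x{b:02x}")


def first_owner_frame(report: str, heading: str) -> Optional[str]:
    """First frame under `heading` outside mm/ and include/, i.e. the caller
    that owns the slab object rather than the allocator wrappers above it."""
    m = re.search(heading + r" task \d+:\n((?: .*\n)+)", report)
    if not m:
        return None
    for line in m.group(1).splitlines():
        toks = line.split()
        path = toks[-2] if toks[-1] == "[inline]" else toks[-1]
        if not path.startswith(("mm/", "include/")):
            return path
    return None


def subsystem(path: Optional[str]) -> Optional[str]:
    return "/".join(path.split("/")[:2]) if path else None  # e.g. "fs/udf"


def triage(report: str) -> dict:
    h, a, r = HEADER_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (h and a and r):
        raise ValueError("not a slab KASAN report")
    addr, lo, hi = int(a["addr"], 16), int(r["lo"], 16), int(r["hi"], 16)
    if addr >= hi:
        side, off = "right", addr - hi
    elif addr < lo:
        side, off = "left", lo - addr
    else:
        side, off = "inside", addr - lo
    c = CLAIM_RE.search(report)  # cross-check the report's own "N bytes to the ..." line
    claim_ok = c is not None and int(c["n"]) == off and (c["side"] or "inside") == side
    shadow = {}  # address of each 8-byte block -> its shadow byte
    for m in SHADOW_RE.finditer(report):
        base = int(m["row"], 16)
        for i, b in enumerate(m["bytes"].split()):
            shadow[base + i * SHADOW_SCALE] = int(b, 16)
    block = addr & ~(SHADOW_SCALE - 1)
    if block not in shadow:
        raise ValueError("shadow dump does not cover the faulting address")
    next_live = next((g for g in sorted(shadow) if g > block and shadow[g] == 0), None)
    alloc_site = first_owner_frame(report, "Allocated by")
    return {"kind": h["kind"], "func": h["func"], "src": h["src"], "rw": a["rw"],
            "size": int(a["size"]), "addr": addr, "region": (lo, hi), "side": side,
            "offset": off, "claim_ok": claim_ok, "shadow_byte": shadow[block],
            "shadow_text": shadow_meaning(shadow[block]), "next_live": next_live,
            "alloc_site": alloc_site, "free_site": first_owner_frame(report, "Freed by"),
            "owner_mismatch": alloc_site is not None and subsystem(alloc_site) != subsystem(h["src"])}


if __name__ == "__main__":
    t = triage(REPORT)
    print(f"{t['kind']}: {t['rw']} of {t['size']} at {t['addr']:#x} in {t['func']} ({t['src']}); "
          f"{t['offset']} bytes {t['side']} of region, report arithmetic ok={t['claim_ok']}")
    print(f"shadow {t['shadow_byte']:#04x} = {t['shadow_text']}; next addressable block {t['next_live']:#x}; "
          f"object owner {t['alloc_site']} (freed via {t['free_site']}), mismatch={t['owner_mismatch']}")
```

The owner check is the part worth keeping in mind when reading this report: the "Allocated by"/"Freed by" stacks describe the kmalloc-512 object whose slot contains the address (per-netns data from ops_init here, previously an skb head), not necessarily the buffer fs/udf/inode.c believed it was writing. A mismatch like this one is a hint that udf_write_aext computed a bad extent offset rather than running a few bytes past its own buffer, and that without the KASAN redzone the 4-byte store would likely have corrupted a neighbouring kmalloc-512 object silently.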