MINIX-fs: mounting unchecked file system, running fsck is recommended
rtc_cmos 00:00: Alarms can be up to one day in the future
rtc_cmos 00:00: Alarms can be up to one day in the future
Process accounting resumed
==================================================================
BUG: KASAN: slab-out-of-bounds in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: slab-out-of-bounds in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: slab-out-of-bounds in get_block+0xe06/0x1100 fs/minix/itree_common.c:160
Read of size 2 at addr ffff8880957ab18a by task syz-executor.2/2261

CPU: 0 PID: 2261 Comm: syz-executor.2 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393
 add_chain fs/minix/itree_common.c:14 [inline]
 get_branch fs/minix/itree_common.c:52 [inline]
 get_block+0xe06/0x1100 fs/minix/itree_common.c:160
 minix_get_block+0xd6/0x100 fs/minix/inode.c:379
 __block_write_begin_int+0x33a/0x1000 fs/buffer.c:2038
 __block_write_begin fs/buffer.c:2088 [inline]
 block_write_begin+0x58/0x260 fs/buffer.c:2147
 minix_write_begin+0x35/0xc0 fs/minix/inode.c:415
 generic_perform_write+0x1c9/0x420 mm/filemap.c:3047
 __generic_file_write_iter+0x227/0x590 mm/filemap.c:3172
 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3200
 call_write_iter include/linux/fs.h:1778 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x44e/0x630 fs/read_write.c:482
 __kernel_write+0xf5/0x330 fs/read_write.c:501
 do_acct_process+0xb49/0xf60 kernel/acct.c:520
 acct_pin_kill+0x28/0xe0 kernel/acct.c:174
 pin_kill+0x147/0x650 fs/fs_pin.c:50
 mnt_pin_kill+0x62/0x170 fs/fs_pin.c:87
 cleanup_mnt+0x110/0x140 fs/namespace.c:1180
 task_work_run+0x113/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45cba9
RSP: 002b:00007f4fabb83c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 000000000050ca80 RCX: 000000000045cba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000500
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000cb6 R14: 00000000004cf091 R15: 00007f4fabb846d4

Allocated by task 1564:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 __sigqueue_alloc+0x1b8/0x3e0 kernel/signal.c:400
 __send_signal+0x193/0x1280 kernel/signal.c:1097
 specific_send_sig_info kernel/signal.c:1208 [inline]
 force_sig_info+0x240/0x340 kernel/signal.c:1260
 force_sig_info_fault.constprop.0+0x185/0x260 arch/x86/mm/fault.c:225
 __bad_area_nosemaphore+0x1d6/0x2c0 arch/x86/mm/fault.c:940
 __do_page_fault+0x842/0xb50 arch/x86/mm/fault.c:1412
 page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1123

Freed by task 1564:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 __sigqueue_free kernel/signal.c:419 [inline]
 dequeue_synchronous_signal kernel/signal.c:727 [inline]
 get_signal+0xba1/0x1c90 kernel/signal.c:2313
 do_signal+0x7c/0x15d0 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode+0x1af/0x210 arch/x86/entry/common.c:199
 retint_user+0x8/0x18

The buggy address belongs to the object at ffff8880957ab0e0
 which belongs to the cache sigqueue of size 160
The buggy address is located 10 bytes to the right of
 160-byte region [ffff8880957ab0e0, ffff8880957ab180)
The buggy address belongs to the page:
page:ffffea000255eac0 count:1 mapcount:0 mapping:ffff8880957ab000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880957ab000 0000000000000000 0000000100000012
raw: ffffea0001520020 ffffea000286a020 ffff8880aa9da6c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880957ab080: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
 ffff8880957ab100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880957ab180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                      ^
 ffff8880957ab200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880957ab280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================