ntfs: (device loop4): parse_options(): The fmask option requires an argument. FAT-fs (loop6): Directory bread(block 132) failed FAT-fs (loop6): Directory bread(block 133) failed ================================================================== FAT-fs (loop6): Directory bread(block 134) failed BUG: KASAN: use-after-free in __list_add include/linux/list.h:64 [inline] BUG: KASAN: use-after-free in list_add include/linux/list.h:79 [inline] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x51e/0x550 virt/lib/irqbypass.c:217 Write of size 8 at addr ffff88019ac1b728 by task syz-executor5/29341 CPU: 1 PID: 29341 Comm: syz-executor5 Not tainted 4.18.0-rc4+ #141 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 FAT-fs (loop6): Directory bread(block 135) failed print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:438 FAT-fs (loop6): Directory bread(block 136) failed __list_add include/linux/list.h:64 [inline] list_add include/linux/list.h:79 [inline] irq_bypass_register_consumer+0x51e/0x550 virt/lib/irqbypass.c:217 kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:417 [inline] kvm_irqfd+0x198e/0x1ef0 arch/x86/kvm/../../../virt/kvm/eventfd.c:572 FAT-fs (loop6): Directory bread(block 137) failed kvm_vm_ioctl+0xf80/0x1d80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015 attempt to access beyond end of device loop6: rw=2049, want=310, limit=128 Buffer I/O error on dev loop6, logical block 309, lost async page write attempt to access beyond end of device vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684 loop6: rw=2049, want=311, limit=128 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 Buffer I/O error on dev loop6, logical block 310, lost async page write __do_sys_ioctl fs/ioctl.c:708 [inline] __se_sys_ioctl fs/ioctl.c:706 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 attempt to access beyond end of device entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455e29 Code: 1d ba fb ff loop6: rw=2049, want=312, limit=128 c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 Buffer I/O error on dev loop6, logical block 311, lost async page write 48 89 d6 48 89 ca 4d 89 attempt to access beyond end of device c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9345489c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f934548a6d4 RCX: 0000000000455e29 loop6: rw=2049, want=313, limit=128 RDX: 0000000020000180 RSI: 000000004020ae76 RDI: 0000000000000018 RBP: 000000000072bf48 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000004bdf94 R14: 00000000004cc800 R15: 0000000000000001 Allocated by task 29341: Buffer I/O error on dev loop6, logical block 312, lost async page write save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620 attempt to access beyond end of device kmalloc include/linux/slab.h:513 [inline] kzalloc include/linux/slab.h:707 [inline] kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296 [inline] kvm_irqfd+0x18f/0x1ef0 arch/x86/kvm/../../../virt/kvm/eventfd.c:572 kvm_vm_ioctl+0xf80/0x1d80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 __do_sys_ioctl fs/ioctl.c:708 [inline] __se_sys_ioctl fs/ioctl.c:706 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 25: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xd9/0x260 mm/slab.c:3813 loop6: rw=2049, want=326, limit=128 irqfd_shutdown+0x144/0x1c0 arch/x86/kvm/../../../virt/kvm/eventfd.c:148 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296 kthread+0x345/0x410 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412 Buffer I/O error on dev loop6, logical block 325, lost async page write The buggy address belongs to the object at ffff88019ac1b5c0 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 360 bytes inside of 512-byte region [ffff88019ac1b5c0, ffff88019ac1b7c0) The buggy address belongs to the page: page:ffffea00066b06c0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0 attempt to access beyond end of device flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0006b92088 ffffea0006d77cc8 ffff8801da800940 raw: 0000000000000000 ffff88019ac1b0c0 0000000100000006 0000000000000000 loop6: rw=2049, want=327, limit=128 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88019ac1b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88019ac1b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88019ac1b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88019ac1b780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc Buffer I/O error on dev loop6, logical block 326, lost async page write ffff88019ac1b800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ==================================================================