==================================================================
BUG: KASAN: slab-out-of-bounds in udf_write_aext+0x578/0x668 fs/udf/inode.c:2104
Write of size 4 at addr ffff0000cf3b3ff8 by task syz.4.197/4933

CPU: 0 PID: 4933 Comm: syz.4.197 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_store_n_noabort+0x40/0x4c mm/kasan/report_generic.c:325
 udf_write_aext+0x578/0x668 fs/udf/inode.c:2104
 udf_add_entry+0x11e0/0x28b0 fs/udf/namei.c:482
 udf_mkdir+0x158/0x7e0 fs/udf/namei.c:681
 vfs_mkdir+0x334/0x4e4 fs/namei.c:4065
 do_mkdirat+0x20c/0x610 fs/namei.c:4090
 __do_sys_mkdirat fs/namei.c:4105 [inline]
 __se_sys_mkdirat fs/namei.c:4103 [inline]
 __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4103
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
 __kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x27c/0x47c mm/slub.c:3247
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 device_private_init drivers/base/core.c:3259 [inline]
 device_add+0xc4/0xef4 drivers/base/core.c:3309
 device_create_groups_vargs+0x1e0/0x278 drivers/base/core.c:4079
 device_create+0x100/0x154 drivers/base/core.c:4121
 mon_bin_add+0xb8/0x12c drivers/usb/mon/mon_bin.c:1369
 mon_bus_init+0x144/0x26c drivers/usb/mon/mon_main.c:302
 mon_bus_add drivers/usb/mon/mon_main.c:199 [inline]
 mon_notify+0x108/0x3f4 drivers/usb/mon/mon_main.c:230
 notifier_call_chain kernel/notifier.c:83 [inline]
 blocking_notifier_call_chain+0xf0/0x198 kernel/notifier.c:318
 usb_notify_add_bus+0x2c/0x3c drivers/usb/core/notify.c:62
 usb_register_bus drivers/usb/core/hcd.c:935 [inline]
 usb_add_hcd+0x3ec/0xfc0 drivers/usb/core/hcd.c:2887
 vhci_hcd_probe+0x144/0x368 drivers/usb/usbip/vhci_hcd.c:1365
 platform_probe+0x148/0x1c0 drivers/base/platform.c:1391
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3415
 platform_device_add+0x3f8/0x708 drivers/base/platform.c:712
 vhci_hcd_init+0x37c/0x49c drivers/usb/usbip/vhci_hcd.c:1549
 do_one_initcall+0x234/0x990 init/main.c:1302
 do_initcall_level+0x154/0x214 init/main.c:1375
 do_initcalls+0x58/0xac init/main.c:1391
 do_basic_setup+0x8c/0xa0 init/main.c:1410
 kernel_init_freeable+0x460/0x640 init/main.c:1615
 kernel_init+0x24/0x294 init/main.c:1506
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

The buggy address belongs to the object at ffff0000cf3b3c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 504 bytes to the right of
 512-byte region [ffff0000cf3b3c00, ffff0000cf3b3e00)
The buggy address belongs to the page:
page:000000002e2a63f3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f3b0
head:000000002e2a63f3 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002600
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cf3b3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000cf3b3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000cf3b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff0000cf3b4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cf3b4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4933 Comm: syz.4.197 Tainted: G    B             5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : arch_test_and_set_bit_lock include/asm-generic/bitops/lock.h:25 [inline]
pc : test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:56 [inline]
pc : trylock_buffer include/linux/buffer_head.h:395 [inline]
pc : lock_buffer include/linux/buffer_head.h:401 [inline]
pc : udf_getblk fs/udf/inode.c:473 [inline]
pc : udf_bread+0x238/0x5b0 fs/udf/inode.c:1201
lr : instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
lr : test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:55 [inline]
lr : trylock_buffer include/linux/buffer_head.h:395 [inline]
lr : lock_buffer include/linux/buffer_head.h:401 [inline]
lr : udf_getblk fs/udf/inode.c:473 [inline]
lr : udf_bread+0x234/0x5b0 fs/udf/inode.c:1201
sp : ffff800020b375a0
x29: ffff800020b37720 x28: ffff800020b375c0 x27: dfff800000000000
x26: ffff700004166eb8 x25: 0000000000000000 x24: 1ffff00004166f66
x23: 0000000000000030 x22: 0000000000000000 x21: ffff800020b376d0
x20: ffff0000ddfa8158 x19: ffff800020b37b30 x18: 0000000000000000
x17: 0000000000000002 x16: ffff800011ac1a54 x15: 0000000000000406
x14: ffff0000da163680 x13: 0000000000ff0100 x12: 0000000000040000
x11: 0000000000000000 x10: 0000000000000003 x9 : ffff80001b7833d0
x8 : 0000000000000001 x7 : 0000000000000000 x6 : ffff8000087b400c
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800009859c24
x2 : 0000000000000001 x1 : 0000000000000008 x0 : 0000000000000001
Call trace:
 arch_test_and_set_bit_lock include/asm-generic/bitops/lock.h:25 [inline]
 test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:56 [inline]
 trylock_buffer include/linux/buffer_head.h:395 [inline]
 lock_buffer include/linux/buffer_head.h:401 [inline]
 udf_getblk fs/udf/inode.c:473 [inline]
 udf_bread+0x238/0x5b0 fs/udf/inode.c:1201
 udf_add_entry+0x15e0/0x28b0 fs/udf/namei.c:495
 udf_mkdir+0x158/0x7e0 fs/udf/namei.c:681
 vfs_mkdir+0x334/0x4e4 fs/namei.c:4065
 do_mkdirat+0x20c/0x610 fs/namei.c:4090
 __do_sys_mkdirat fs/namei.c:4105 [inline]
 __se_sys_mkdirat fs/namei.c:4103 [inline]
 __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4103
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: aa1603e0 52800101 97c1f2a0 d343fed9 (387b6b28)
---[ end trace ba450ce7082df46d ]---
----------------
Code disassembly (best guess):
   0:	aa1603e0 	mov	x0, x22
   4:	52800101 	mov	w1, #0x8                   	// #8
   8:	97c1f2a0 	bl	0xffffffffff07ca88
   c:	d343fed9 	lsr	x25, x22, #3
* 10:	387b6b28 	ldrb	w8, [x25, x27] <-- trapping instruction