audit: type=1400 audit(1589126371.466:8): avc: denied { execmem } for pid=6334 comm="syz-executor795" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff88808bd16003 by task syz-executor795/6334

CPU: 0 PID: 6334 Comm: syz-executor795 Not tainted 4.14.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
 ext4_readdir+0x822/0x27f0 fs/ext4/dir.c:240
 iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
 SYSC_getdents64 fs/readdir.c:355 [inline]
 SyS_getdents64+0x130/0x240 fs/readdir.c:336
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440699
RSP: 002b:00007ffe38dc98c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ffe38dc98d0 RCX: 0000000000440699
RDX: 00000000c0002521 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000400c20 R09: 0000000000400c20
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000401f80
R13: 0000000000402010 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 get_empty_filp+0x86/0x3e0 fs/file_table.c:123
 path_openat+0x8d/0x3c50 fs/namei.c:3545
 do_filp_open+0x18e/0x250 fs/namei.c:3603
 do_sys_open+0x29d/0x3f0 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 17:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x792/0x1190 kernel/rcu/tree.c:2946
 __do_softirq+0x254/0x9bf kernel/softirq.c:288

The buggy address belongs to the object at ffff88808bd16040
 which belongs to the cache filp of size 456
The buggy address is located 61 bytes to the left of
 456-byte region [ffff88808bd16040, ffff88808bd16208)
The buggy address belongs to the page:
page:ffffea00022f4580 count:1 mapcount:0 mapping:ffff88808bd16040 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88808bd16040 0000000000000000 0000000100000006
raw: ffffea0002370820 ffffea00022f4520 ffff8880aa587b40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808bd15f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808bd15f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808bd16000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                   ^
 ffff88808bd16080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808bd16100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================