netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'. ================================================================== BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68 Read of size 2 at addr ffff88809222a002 by task syz-executor.3/10077 xt_SECMARK: target only valid in the 'mangle' or 'security' tables, not 'filter'. CPU: 1 PID: 10077 Comm: syz-executor.3 Not tainted 4.14.184-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393 __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68 ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240 iterate_dir+0x1a0/0x5e0 fs/readdir.c:52 SYSC_getdents fs/readdir.c:269 [inline] SyS_getdents+0x132/0x260 fs/readdir.c:250 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 RIP: 0033:0x45c1f9 RSP: 002b:00007fb51b7edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 0000000000003ec0 RCX: 000000000045c1f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 000000000078bf40 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c R13: 00007ffdb94f35df R14: 00007fb51b7ee9c0 R15: 000000000078bf0c Allocated by task 3639: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551 CPU: 0 PID: 10096 Comm: syz-executor.0 Not tainted 4.14.184-syzkaller #0 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 getname_flags+0xc8/0x550 fs/namei.c:138 Call Trace: user_path_at_empty+0x2a/0x50 fs/namei.c:2631 __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 user_path_at include/linux/namei.h:57 [inline] SYSC_faccessat fs/open.c:403 [inline] SyS_faccessat+0x21b/0x680 fs/open.c:353 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10a/0x154 lib/fault-inject.c:149 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 should_failslab+0xd6/0x130 mm/failslab.c:32 entry_SYSCALL_64_after_hwframe+0x46/0xbb slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] kmem_cache_alloc+0x28e/0x3c0 mm/slab.c:3550 getname_flags+0xc8/0x550 fs/namei.c:138 Freed by task 3639: do_sys_open+0x202/0x3e0 fs/open.c:1075 save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758 putname+0xcd/0x110 fs/namei.c:259 filename_lookup+0x23a/0x380 fs/namei.c:2386 user_path_at include/linux/namei.h:57 [inline] SYSC_faccessat fs/open.c:403 [inline] SyS_faccessat+0x21b/0x680 fs/open.c:353 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x415f71 The buggy address belongs to the object at ffff88809222a740 which belongs to the cache names_cache of size 4096 RSP: 002b:00007ff2a83c1820 EFLAGS: 00000293 The buggy address is located 1854 bytes to the left of 4096-byte region [ffff88809222a740, ffff88809222b740) ORIG_RAX: 0000000000000002 The buggy address belongs to the page: RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000415f71 page:ffffea0002488a80 count:1 mapcount:0 mapping:ffff88809222a740 index:0x0 RDX: 0000000000000000 RSI: 0000000000181782 RDI: 00007ff2a83c1850 compound_mapcount: 0 RBP: 00007ff2a83c1ca0 R08: 000000000000000f R09: 0000000000000000 flags: 0xfffe0000008100(slab|head) R10: 0000000000000064 R11: 0000000000000293 R12: 0000000000000000 raw: 00fffe0000008100 ffff88809222a740 0000000000000000 0000000100000001 R13: 00007fff8364aa5f R14: 00007ff2a83c29c0 R15: 000000000078bf0c raw: ffffea0002491120 ffffea0002941c20 ffff8880aa9dacc0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888092229f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888092229f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88809222a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88809222a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809222a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 ip_tables: iptables: counters copy to user failed while replacing table CPU: 1 PID: 10106 Comm: syz-executor.0 Tainted: G B 4.14.184-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10a/0x154 lib/fault-inject.c:149 should_failslab+0xd6/0x130 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] kmem_cache_alloc+0x28e/0x3c0 mm/slab.c:3550 kmem_cache_zalloc include/linux/slab.h:651 [inline] get_empty_filp+0x86/0x3e0 fs/file_table.c:123 path_openat+0x87/0x2aa0 fs/namei.c:3545 do_filp_open+0x18e/0x250 fs/namei.c:3603 do_sys_open+0x292/0x3e0 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x415f71 RSP: 002b:00007ff2a83c1820 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000415f71 RDX: 0000000000000000 RSI: 0000000000181782 RDI: 00007ff2a83c1850 RBP: 00007ff2a83c1ca0 R08: 000000000000000f R09: 0000000000000000 R10: 0000000000000064 R11: 0000000000000293 R12: 0000000000000001 R13: 00007fff8364aa5f R14: 00007ff2a83c29c0 R15: 000000000078bf0c EXT4-fs error (device sda1): ext4_readdir:240: inode #11: block 8230: comm syz-executor.3: path /lost+found: bad entry in directory: directory entry overrun - offset=4094, inode=84279296, rec_len=772, name_len=2, size=4096