bisecting cause commit starting from 4b0986a3613c92f4ec1bdc7f60ec66fea135991f building syzkaller on 4c7657cb23023fd64d0585c979e6fec4ef441f04 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f3761ace4658b43820859be9f72d0f06c06d0b4728db0f5d7dc99edc0d29772f run #0: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #4: crashed: KASAN: use-after-free Write in udf_close_lvid run #5: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #7: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #9: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #10: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #11: crashed: KASAN: use-after-free Write in udf_open_lvid run #12: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #13: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #14: crashed: KASAN: use-after-free Write in udf_close_lvid run #15: crashed: KASAN: use-after-free Write in udf_open_lvid run #16: crashed: KASAN: use-after-free Write in udf_close_lvid run #17: crashed: KASAN: use-after-free Write in udf_close_lvid run #18: crashed: KASAN: use-after-free Write in udf_close_lvid run #19: crashed: KASAN: use-after-free Write in udf_open_lvid testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 49f31d1183aa89a7b8854dfe4fa7aed309c2f951e39572051a65f532967b952c run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #2: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_open_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #5: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #6: crashed: KASAN: use-after-free Write in udf_open_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #9: OK testing release v5.16 testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 96eac08028b2e3dd5c1210776630649572f5cde4886daf21a678d9d402791ec1 run #0: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #1: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #2: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_open_lvid run #4: crashed: KASAN: use-after-free Write in udf_open_lvid run #5: crashed: KASAN: use-after-free Write in udf_close_lvid run #6: crashed: KASAN: use-after-free Write in udf_close_lvid run #7: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #8: crashed: KASAN: use-after-free Write in udf_close_lvid run #9: OK testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 90e0c318d0aa3a1c9dbf6e9d951f95670c4a99366588c5f0c81985a8886fe18b failed: failed to create VM pool: failed to create GCE image: create image operation failed: &{Code:PERMISSIONS_ERROR Location: Message:Required 'read' permission for 'disks/ci-upstream-kasan-gce-smack-root-bisect-job-bisect-job-image.tar.gz' ForceSendFields:[] NullFields:[]}. testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 591b732cb29700218e1d0e901d396a26b28e6c30316eda1590fed439b407dc93 all runs: OK # git bisect start df0cc57e057f18e44dac8e6c18aba47ab53202f9 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 14449 revisions left to test after this (roughly 14 steps) [970eae15600a883e4ad27dd0757b18871cc983ab] BackMerge tag 'v5.15-rc7' into drm-next testing commit 970eae15600a883e4ad27dd0757b18871cc983ab compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 88687a8407885cf6ca2e092bc3920280dba965ec69b64ee2b99438b22d2234be run #0: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #1: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_open_lvid run #3: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #4: crashed: KASAN: use-after-free Write in udf_open_lvid run #5: crashed: KASAN: use-after-free Write in udf_open_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_open_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #9: crashed: KASAN: use-after-free Write in udf_open_lvid # git bisect bad 970eae15600a883e4ad27dd0757b18871cc983ab Bisecting: 7342 revisions left to test after this (roughly 13 steps) [32b47072f319bb65e9afad59e78153d83496f1f5] Merge tag 'defconfig-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 32b47072f319bb65e9afad59e78153d83496f1f5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 35848f42cab577c3095ef0c774170b24ddb76cafec2f0bbac8f3ede98c0d25c5 run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_close_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #5: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #6: crashed: KASAN: use-after-free Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: use-after-free Read in __d_alloc run #9: OK # git bisect bad 32b47072f319bb65e9afad59e78153d83496f1f5 Bisecting: 3309 revisions left to test after this (roughly 12 steps) [9e9fb7655ed585da8f468e29221f0ba194a5f613] Merge tag 'net-next-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 9e9fb7655ed585da8f468e29221f0ba194a5f613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 arch/x86/kernel/setup.c:916:6: error: implicit declaration of function 'acpi_mps_check' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1110:2: error: implicit declaration of function 'acpi_table_upgrade' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1112:2: error: implicit declaration of function 'acpi_boot_table_init' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1120:2: error: implicit declaration of function 'early_acpi_boot_init'; did you mean 'early_cpu_init'? [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1162:2: error: implicit declaration of function 'acpi_boot_init' [-Werror=implicit-function-declaration] # git bisect skip 9e9fb7655ed585da8f468e29221f0ba194a5f613 Bisecting: 3309 revisions left to test after this (roughly 12 steps) [45cb13963df304fde13262654939dfb18788f95e] can: etas_es58x: use error pointer during device probing testing commit 45cb13963df304fde13262654939dfb18788f95e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fb211a75267afeedda225a5d7ed10483a87fad7b5dbd7c6d533447658200981f all runs: OK # git bisect good 45cb13963df304fde13262654939dfb18788f95e Bisecting: 3309 revisions left to test after this (roughly 12 steps) [5d3c0db4598c5de511824649df2aa976259cf10a] Merge tag 'sched-core-2021-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 5d3c0db4598c5de511824649df2aa976259cf10a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 958d303d11c47ccea7ab15db5c84dc6be4de5fee6cfd9a68fc84888a1cb22908 run #0: crashed: KASAN: slab-out-of-bounds Read in udf_close_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_close_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #5: crashed: KASAN: use-after-free Write in udf_open_lvid run #6: crashed: KASAN: use-after-free Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #9: crashed: KASAN: use-after-free Write in udf_close_lvid # git bisect bad 5d3c0db4598c5de511824649df2aa976259cf10a Bisecting: 271 revisions left to test after this (roughly 8 steps) [4ca4256453effb885c1688633676682529593f82] Merge branch 'core-rcu.2021.08.28a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu testing commit 4ca4256453effb885c1688633676682529593f82 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a49999c02cb1a2152fc18975925f0086bd142ff7688de73c992cd28f47500a9a run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_open_lvid run #3: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #5: crashed: KASAN: use-after-free Write in udf_open_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #7: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #8: crashed: KASAN: use-after-free Write in udf_open_lvid run #9: crashed: KASAN: use-after-free Write in udf_close_lvid # git bisect bad 4ca4256453effb885c1688633676682529593f82 Bisecting: 127 revisions left to test after this (roughly 7 steps) [0da9bc6d2fc3f98095d69f34c17f7d5730bbcc6c] Merge tag 'spi-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi testing commit 0da9bc6d2fc3f98095d69f34c17f7d5730bbcc6c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 686eb74bf3ccbf3b0bc25d4c5dad4876e5a6172561edb29eda1b2fea7ed6a561 run #0: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_close_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #5: crashed: KASAN: use-after-free Write in udf_close_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #7: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #8: crashed: KASAN: use-after-free Write in udf_close_lvid run #9: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid # git bisect bad 0da9bc6d2fc3f98095d69f34c17f7d5730bbcc6c Bisecting: 53 revisions left to test after this (roughly 6 steps) [d46e0d335497d89e36a8dab3ce5b605d7088c67a] Merge tag 'regulator-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator testing commit d46e0d335497d89e36a8dab3ce5b605d7088c67a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bad00d00488327a48345a0a95438b53f4aaa4fb1000b0dda0506cac4ab7a81d6 run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #5: crashed: KASAN: use-after-free Write in udf_close_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #9: crashed: KASAN: use-after-free Write in udf_open_lvid # git bisect bad d46e0d335497d89e36a8dab3ce5b605d7088c67a Bisecting: 43 revisions left to test after this (roughly 6 steps) [4aed6ee53fcc012ea599f1be6b2c8d76cb7f7354] Merge tag 'regmap-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap testing commit 4aed6ee53fcc012ea599f1be6b2c8d76cb7f7354 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f8ae763669923a74293871b7190e5358575c49149ecf60e7ede14a7b24cf563f run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #4: crashed: KASAN: use-after-free Write in udf_open_lvid run #5: crashed: KASAN: use-after-free Write in udf_close_lvid run #6: crashed: KASAN: use-after-free Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: use-after-free Write in udf_close_lvid run #9: crashed: KASAN: use-after-free Write in udf_open_lvid # git bisect bad 4aed6ee53fcc012ea599f1be6b2c8d76cb7f7354 Bisecting: 22 revisions left to test after this (roughly 5 steps) [a1ca8e7147d07cb8649c618bc9902a9a7e6444e1] Merge tag 'fs_for_v5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit a1ca8e7147d07cb8649c618bc9902a9a7e6444e1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8621df669d66708296688d9645f544bab36715b87f56dd54a3dade73bfac30d4 run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #2: crashed: KASAN: use-after-free Write in udf_open_lvid run #3: crashed: KASAN: use-after-free Write in udf_close_lvid run #4: crashed: KASAN: use-after-free Write in udf_close_lvid run #5: crashed: KASAN: use-after-free Write in udf_open_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #7: crashed: KASAN: use-after-free Write in udf_open_lvid run #8: crashed: KASAN: use-after-free Write in udf_close_lvid run #9: crashed: KASAN: use-after-free Write in udf_open_lvid # git bisect bad a1ca8e7147d07cb8649c618bc9902a9a7e6444e1 Bisecting: 12 revisions left to test after this (roughly 4 steps) [3513431926f9bfe3f4fcb06a39d9ec59b0470311] Merge tag 'fsnotify_for_v5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit 3513431926f9bfe3f4fcb06a39d9ec59b0470311 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ec749666b53d9409849453a890745afd213ccc9c8a80ec80e968b05d8373cb6e all runs: OK # git bisect good 3513431926f9bfe3f4fcb06a39d9ec59b0470311 Bisecting: 6 revisions left to test after this (roughly 3 steps) [28ce50f8d96ec9035f60c9348294ea26b94db944] isofs: joliet: Fix iocharset=utf8 mount option testing commit 28ce50f8d96ec9035f60c9348294ea26b94db944 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 19abee2fdf789b120cf48a1c95c95f390dac960daa313fb620c9ee62e8e42e0f run #0: crashed: KASAN: use-after-free Write in udf_open_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_close_lvid run #4: crashed: KASAN: use-after-free Write in udf_close_lvid run #5: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #6: crashed: KASAN: use-after-free Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #9: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid # git bisect bad 28ce50f8d96ec9035f60c9348294ea26b94db944 Bisecting: 2 revisions left to test after this (roughly 2 steps) [b3c8c9801eb9b8e0f73246b4b14efbde1a4c570c] udf: Get rid of 0-length arrays testing commit b3c8c9801eb9b8e0f73246b4b14efbde1a4c570c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f0fa3f3eb428168ea345cd834fc669861f7e9367861a71f4e5d8df0ee014fcf9 run #0: crashed: KASAN: use-after-free Write in udf_close_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_open_lvid run #4: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #5: crashed: KASAN: use-after-free Write in udf_close_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: use-after-free Write in udf_close_lvid run #9: crashed: KASAN: use-after-free Write in udf_close_lvid # git bisect bad b3c8c9801eb9b8e0f73246b4b14efbde1a4c570c Bisecting: 0 revisions left to test after this (roughly 1 step) [04e8ee504a677d07dd60f6c8aae912e4842301c8] udf: Remove unused declaration testing commit 04e8ee504a677d07dd60f6c8aae912e4842301c8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f0fa3f3eb428168ea345cd834fc669861f7e9367861a71f4e5d8df0ee014fcf9 run #0: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #3: crashed: KASAN: use-after-free Write in udf_close_lvid run #4: crashed: KASAN: use-after-free Write in udf_close_lvid run #5: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #6: crashed: KASAN: use-after-free Write in udf_close_lvid run #7: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #9: crashed: KASAN: use-after-free Write in udf_close_lvid # git bisect bad 04e8ee504a677d07dd60f6c8aae912e4842301c8 Bisecting: 0 revisions left to test after this (roughly 0 steps) [781d2a9a2fc7d0be53a072794dc03ef6de770f3d] udf: Check LVID earlier testing commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f0fa3f3eb428168ea345cd834fc669861f7e9367861a71f4e5d8df0ee014fcf9 run #0: crashed: KASAN: use-after-free Write in udf_open_lvid run #1: crashed: KASAN: use-after-free Write in udf_close_lvid run #2: crashed: KASAN: use-after-free Write in udf_close_lvid run #3: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #4: crashed: KASAN: use-after-free Write in udf_close_lvid run #5: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #6: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #7: crashed: KASAN: use-after-free Write in udf_close_lvid run #8: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid run #9: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid # git bisect bad 781d2a9a2fc7d0be53a072794dc03ef6de770f3d 781d2a9a2fc7d0be53a072794dc03ef6de770f3d is the first bad commit commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d Author: Jan Kara Date: Mon May 3 11:39:03 2021 +0200 udf: Check LVID earlier We were checking validity of LVID entries only when getting implementation use information from LVID in udf_sb_lvidiu(). However if the LVID is suitably corrupted, it can cause problems also to code such as udf_count_free() which doesn't use udf_sb_lvidiu(). So check validity of LVID already when loading it from the disk and just disable LVID altogether when it is not valid. Reported-by: syzbot+7fbfe5fed73ebb675748@syzkaller.appspotmail.com Signed-off-by: Jan Kara fs/udf/super.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) parent commit 902e7f373fff2476b53824264c12e4e76c7ec02a wasn't tested testing commit 902e7f373fff2476b53824264c12e4e76c7ec02a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 202f06064d8f5d878400765d8b3567417415b724e85ce018c9c2a37be597758d culprit signature: f0fa3f3eb428168ea345cd834fc669861f7e9367861a71f4e5d8df0ee014fcf9 parent signature: 202f06064d8f5d878400765d8b3567417415b724e85ce018c9c2a37be597758d revisions tested: 19, total time: 5h5m45.980077308s (build: 2h6m4.861712869s, test: 2h57m24.46739146s) first bad commit: 781d2a9a2fc7d0be53a072794dc03ef6de770f3d udf: Check LVID earlier recipients (to): ["jack@suse.com" "jack@suse.cz" "linux-kernel@vger.kernel.org"] recipients (cc): ["akpm@linux-foundation.org" "alden.tondettar@gmail.com" "hch@infradead.org" "pali@kernel.org"] crash: KASAN: slab-out-of-bounds Write in udf_close_lvid UDF-fs: error (device loop0): udf_read_inode: (ino 1408) failed !bh UDF-fs: error (device loop0): udf_fill_super: Error in udf_iget, block=96, partition=0 ================================================================== BUG: KASAN: slab-out-of-bounds in udf_close_lvid+0x47c/0x590 fs/udf/super.c:2068 Write of size 1 at addr ffff8880399b6f80 by task syz-executor316/15725 CPU: 1 PID: 15725 Comm: syz-executor316 Not tainted 5.14.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 udf_close_lvid+0x47c/0x590 fs/udf/super.c:2068 udf_fill_super.cold+0x8f/0x15d fs/udf/super.c:2321 mount_bdev+0x2cb/0x3b0 fs/super.c:1368 legacy_get_tree+0xfa/0x1f0 fs/fs_context.c:610 vfs_get_tree+0x7f/0x2c0 fs/super.c:1498 do_new_mount fs/namespace.c:2905 [inline] path_mount+0x41e/0x1a30 fs/namespace.c:3235 do_mount fs/namespace.c:3248 [inline] __do_sys_mount fs/namespace.c:3456 [inline] __se_sys_mount fs/namespace.c:3433 [inline] __x64_sys_mount+0x1f5/0x260 fs/namespace.c:3433 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fc19bc8507a Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc19bc30168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fc19bc301c0 RCX: 00007fc19bc8507a RDX: 0000000020000000 RSI: 0000000020000700 RDI: 00007fc19bc30180 RBP: 000000000000000e R08: 00007fc19bc301c0 R09: 00007fc19bc306b8 R10: 0000000000000810 R11: 0000000000000286 R12: 00007fc19bc30180 R13: 0000000020000350 R14: 0000000000000003 R15: 0000000000000004 Allocated by task 5782: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2956 [inline] slab_alloc mm/slub.c:2964 [inline] kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2969 kmem_cache_zalloc include/linux/slab.h:711 [inline] __kernfs_new_node+0xc7/0x7b0 fs/kernfs/dir.c:583 kernfs_new_node fs/kernfs/dir.c:645 [inline] kernfs_create_dir_ns+0x80/0x220 fs/kernfs/dir.c:982 sysfs_create_dir_ns+0x116/0x260 fs/sysfs/dir.c:59 create_dir lib/kobject.c:89 [inline] kobject_add_internal+0x279/0x900 lib/kobject.c:255 kobject_add_varg lib/kobject.c:390 [inline] kobject_init_and_add+0xdb/0x130 lib/kobject.c:473 netdev_queue_add_kobject net/core/net-sysfs.c:1610 [inline] netdev_queue_update_kobjects+0x13c/0x380 net/core/net-sysfs.c:1655 register_queue_kobjects net/core/net-sysfs.c:1716 [inline] netdev_register_kobject+0x301/0x3c0 net/core/net-sysfs.c:1959 register_netdevice+0xa91/0x1240 net/core/dev.c:10349 macvlan_common_newlink+0x117c/0x1700 drivers/net/macvlan.c:1496 macvtap_newlink drivers/net/macvtap.c:109 [inline] macvtap_newlink+0x16e/0x250 drivers/net/macvtap.c:81 __rtnl_newlink+0xcc8/0x1380 net/core/rtnetlink.c:3460 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3508 rtnetlink_rcv_msg+0x31d/0x8d0 net/core/rtnetlink.c:5574 netlink_rcv_skb+0x118/0x340 net/netlink/af_netlink.c:2504 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x704/0xbf0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:703 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:723 __sys_sendto+0x1a4/0x270 net/socket.c:2019 __do_sys_sendto net/socket.c:2031 [inline] __se_sys_sendto net/socket.c:2027 [inline] __x64_sys_sendto+0xd8/0x1b0 net/socket.c:2027 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff8880399b6e80 which belongs to the cache kernfs_node_cache of size 168 The buggy address is located 88 bytes to the right of 168-byte region [ffff8880399b6e80, ffff8880399b6f28) The buggy address belongs to the page: page:ffffea0000e66d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x399b6 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 0000000000000000 dead000000000122 ffff88800f9c4b40 raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 5782, ts 63309065875, free_ts 0 prep_new_page mm/page_alloc.c:2436 [inline] get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4169 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391 alloc_slab_page mm/slub.c:1688 [inline] allocate_slab+0x32e/0x4b0 mm/slub.c:1828 new_slab mm/slub.c:1891 [inline] new_slab_objects mm/slub.c:2637 [inline] ___slab_alloc+0x4ba/0x820 mm/slub.c:2800 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840 slab_alloc_node mm/slub.c:2922 [inline] slab_alloc mm/slub.c:2964 [inline] kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2969 kmem_cache_zalloc include/linux/slab.h:711 [inline] __kernfs_new_node+0xc7/0x7b0 fs/kernfs/dir.c:583 kernfs_new_node+0x73/0x110 fs/kernfs/dir.c:645 __kernfs_create_file+0x27/0x2e0 fs/kernfs/file.c:985 sysfs_add_file_mode_ns+0x1ae/0x4f0 fs/sysfs/file.c:317 create_files fs/sysfs/group.c:64 [inline] internal_create_group+0x262/0x9a0 fs/sysfs/group.c:149 internal_create_groups.part.0+0x77/0x100 fs/sysfs/group.c:189 device_add_groups drivers/base/core.c:2435 [inline] device_add_attrs drivers/base/core.c:2594 [inline] device_add+0x119f/0x1e00 drivers/base/core.c:3305 netdev_register_kobject+0x166/0x3c0 net/core/net-sysfs.c:1955 register_netdevice+0xa91/0x1240 net/core/dev.c:10349 macvlan_common_newlink+0x117c/0x1700 drivers/net/macvlan.c:1496 page_owner free stack trace missing Memory state around the buggy address: ffff8880399b6e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880399b6f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc >ffff8880399b6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880399b7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880399b7080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 ==================================================================