Warning: Permanently added '10.128.0.168' (ECDSA) to the list of known hosts.
executing program
[ 38.343696] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
[ 38.363851] ==================================================================
[ 38.371358] BUG: KASAN: slab-out-of-bounds in udf_find_entry+0xa33/0x1070
[ 38.378385] Write of size 45 at addr ffff8880abdeb892 by task syz-executor314/8087
[ 38.386093]
[ 38.387732] CPU: 0 PID: 8087 Comm: syz-executor314 Not tainted 4.19.211-syzkaller #0
[ 38.395625] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.405092] Call Trace:
[ 38.407680]  dump_stack+0x1fc/0x2ef
[ 38.411305]  print_address_description.cold+0x54/0x219
[ 38.416567]  kasan_report_error.cold+0x8a/0x1b9
[ 38.421221]  ? udf_find_entry+0xa33/0x1070
[ 38.425440]  kasan_report+0x8f/0xa0
[ 38.429233]  ? rcu_read_lock_sched_held+0xa1/0x1d0
[ 38.434169]  ? udf_find_entry+0xa33/0x1070
[ 38.438396]  memcpy+0x35/0x50
[ 38.441511]  udf_find_entry+0xa33/0x1070
[ 38.445563]  ? empty_dir+0x7e0/0x7e0
[ 38.449264]  ? __d_lookup_rcu+0x382/0x6b0
[ 38.453416]  ? check_preemption_disabled+0x41/0x280
[ 38.458428]  ? d_alloc_parallel+0x954/0x19e0
[ 38.462830]  udf_lookup+0x156/0x270
[ 38.466530]  ? udf_tmpfile+0x190/0x190
[ 38.470418]  ? __d_lookup_rcu+0x6b0/0x6b0
[ 38.474559]  ? __lockdep_init_map+0x100/0x5a0
[ 38.479044]  ? __lockdep_init_map+0x100/0x5a0
[ 38.483550]  __lookup_slow+0x246/0x4a0
[ 38.487430]  ? follow_dotdot_rcu+0x1040/0x1040
[ 38.492003]  ? lookup_fast+0x4e9/0x1080
[ 38.495978]  ? walk_component+0x798/0xda0
[ 38.500157]  walk_component+0x7ac/0xda0
[ 38.504127]  ? lookup_fast+0x1080/0x1080
[ 38.508226]  ? walk_component+0xda0/0xda0
[ 38.512561]  path_lookupat+0x1ff/0x8d0
[ 38.516462]  ? path_mountpoint+0xac0/0xac0
[ 38.520700]  ? copy_fpstate_to_sigframe+0x3ef/0x6b0
[ 38.525839]  ? mark_held_locks+0xf0/0xf0
[ 38.529898]  filename_lookup+0x1ac/0x5a0
[ 38.533947]  ? filename_parentat+0x590/0x590
[ 38.538352]  ? __phys_addr_symbol+0x2c/0x70
[ 38.542664]  ? __check_object_size+0x17b/0x3e0
[ 38.547238]  ? getname_flags+0x25b/0x590
[ 38.551292]  do_mount+0x147/0x2f50
[ 38.554849]  ? copy_mount_string+0x40/0x40
[ 38.559106]  ? __do_page_fault+0x180/0xd60
[ 38.563331]  ? copy_mount_options+0x26f/0x380
[ 38.567816]  ksys_mount+0xcf/0x130
[ 38.571345]  __x64_sys_mount+0xba/0x150
[ 38.575310]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 38.579886]  do_syscall_64+0xf9/0x620
[ 38.583690]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.588871] RIP: 0033:0x7f6edbaac049
[ 38.592575] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 38.611579] RSP: 002b:00007fffb5805a08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 38.619281] RAX: ffffffffffffffda RBX: 00007fffb5805a18 RCX: 00007f6edbaac049
[ 38.626540] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000000
[ 38.633806] RBP: 00007fffb5805a10 R08: 0000000000000000 R09: 00007f6edba69f50
[ 38.641099] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 38.648359] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 38.655645]
[ 38.657265] Allocated by task 8087:
[ 38.660887]  kmem_cache_alloc_trace+0x12f/0x380
[ 38.665545]  udf_find_entry+0xa82/0x1070
[ 38.669594]  udf_lookup+0x156/0x270
[ 38.673214]  __lookup_slow+0x246/0x4a0
[ 38.677089]  walk_component+0x7ac/0xda0
[ 38.681059]  path_lookupat+0x1ff/0x8d0
[ 38.684939]  filename_lookup+0x1ac/0x5a0
[ 38.688995]  do_mount+0x147/0x2f50
[ 38.692524]  ksys_mount+0xcf/0x130
[ 38.696060]  __x64_sys_mount+0xba/0x150
[ 38.700027]  do_syscall_64+0xf9/0x620
[ 38.703822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.708999]
[ 38.710615] Freed by task 7888:
[ 38.713909]  kfree+0xcc/0x210
[ 38.717005]  __do_execve_file+0x171c/0x2360
[ 38.721319]  do_execve+0x35/0x50
[ 38.724699]  __x64_sys_execve+0x7c/0xa0
[ 38.728824]  do_syscall_64+0xf9/0x620
[ 38.732640]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.737831]
[ 38.739450] The buggy address belongs to the object at ffff8880abdeb7c0
[ 38.739450]  which belongs to the cache kmalloc-256 of size 256
[ 38.752192] The buggy address is located 210 bytes inside of
[ 38.752192]  256-byte region [ffff8880abdeb7c0, ffff8880abdeb8c0)
[ 38.764067] The buggy address belongs to the page:
[ 38.768988] page:ffffea0002af7ac0 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
[ 38.777243] flags: 0xfff00000000100(slab)
[ 38.781384] raw: 00fff00000000100 ffffea0002b06508 ffffea0002a2f188 ffff88813bff07c0
[ 38.789343] raw: 0000000000000000 ffff8880abdeb040 000000010000000c 0000000000000000
[ 38.797360] page dumped because: kasan: bad access detected
[ 38.803136]
[ 38.804750] Memory state around the buggy address:
[ 38.809665]  ffff8880abdeb780: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 38.817008]  ffff8880abdeb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.824490] >ffff8880abdeb880: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
[ 38.831839]                          ^
[ 38.837203]  ffff8880abdeb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.844568]  ffff8880abdeb980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.851931] ==================================================================
[ 38.859283] Disabling lock debugging due to kernel taint
[ 38.878895] Kernel panic - not syncing: panic_on_warn set ...
[ 38.878895]
[ 38.886287] CPU: 0 PID: 8087 Comm: syz-executor314 Tainted: G B 4.19.211-syzkaller #0
[ 38.895554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.904905] Call Trace:
[ 38.907502]  dump_stack+0x1fc/0x2ef
[ 38.911119]  panic+0x26a/0x50e
[ 38.914442]  ? __warn_printk+0xf3/0xf3
[ 38.918395]  ? preempt_schedule_common+0x45/0xc0
[ 38.923163]  ? ___preempt_schedule+0x16/0x18
[ 38.927572]  ? trace_hardirqs_on+0x55/0x210
[ 38.931887]  kasan_end_report+0x43/0x49
[ 38.935966]  kasan_report_error.cold+0xa7/0x1b9
[ 38.940711]  ? udf_find_entry+0xa33/0x1070
[ 38.944932]  kasan_report+0x8f/0xa0
[ 38.948548]  ? rcu_read_lock_sched_held+0xa1/0x1d0
[ 38.953586]  ? udf_find_entry+0xa33/0x1070
[ 38.957818]  memcpy+0x35/0x50
[ 38.960918]  udf_find_entry+0xa33/0x1070
[ 38.964977]  ? empty_dir+0x7e0/0x7e0
[ 38.968682]  ? __d_lookup_rcu+0x382/0x6b0
[ 38.972910]  ? check_preemption_disabled+0x41/0x280
[ 38.977921]  ? d_alloc_parallel+0x954/0x19e0
[ 38.982332]  udf_lookup+0x156/0x270
[ 38.985957]  ? udf_tmpfile+0x190/0x190
[ 38.989843]  ? __d_lookup_rcu+0x6b0/0x6b0
[ 38.994073]  ? __lockdep_init_map+0x100/0x5a0
[ 38.998561]  ? __lockdep_init_map+0x100/0x5a0
[ 39.003048]  __lookup_slow+0x246/0x4a0
[ 39.006950]  ? follow_dotdot_rcu+0x1040/0x1040
[ 39.011636]  ? lookup_fast+0x4e9/0x1080
[ 39.015599]  ? walk_component+0x798/0xda0
[ 39.019857]  walk_component+0x7ac/0xda0
[ 39.023823]  ? lookup_fast+0x1080/0x1080
[ 39.027874]  ? walk_component+0xda0/0xda0
[ 39.032019]  path_lookupat+0x1ff/0x8d0
[ 39.036002]  ? path_mountpoint+0xac0/0xac0
[ 39.040243]  ? copy_fpstate_to_sigframe+0x3ef/0x6b0
[ 39.045392]  ? mark_held_locks+0xf0/0xf0
[ 39.049438]  filename_lookup+0x1ac/0x5a0
[ 39.053480]  ? filename_parentat+0x590/0x590
[ 39.057890]  ? __phys_addr_symbol+0x2c/0x70
[ 39.062343]  ? __check_object_size+0x17b/0x3e0
[ 39.066927]  ? getname_flags+0x25b/0x590
[ 39.070978]  do_mount+0x147/0x2f50
[ 39.074510]  ? copy_mount_string+0x40/0x40
[ 39.078730]  ? __do_page_fault+0x180/0xd60
[ 39.082947]  ? copy_mount_options+0x26f/0x380
[ 39.087423]  ksys_mount+0xcf/0x130
[ 39.091124]  __x64_sys_mount+0xba/0x150
[ 39.095087]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 39.099650]  do_syscall_64+0xf9/0x620
[ 39.103438]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.108701] RIP: 0033:0x7f6edbaac049
[ 39.112403] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 39.131288] RSP: 002b:00007fffb5805a08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 39.138979] RAX: ffffffffffffffda RBX: 00007fffb5805a18 RCX: 00007f6edbaac049
[ 39.146238] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000000
[ 39.153497] RBP: 00007fffb5805a10 R08: 0000000000000000 R09: 00007f6edba69f50
[ 39.160749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 39.168000] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 39.175488] Kernel Offset: disabled
[ 39.179102] Rebooting in 86400 seconds..
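The report above says where the bad write landed (210 bytes into a 256-byte kmalloc-256 slot) but not how large the buffer actually was or by how much the memcpy overshot it; both are recoverable from the "Memory state" shadow rows. The script below is an added triage helper, not part of the syzkaller report and not kernel code. It parses the access line, the object region and the shadow rows (generic KASAN encoding: one shadow byte per 8-byte granule, 00 = fully addressable, 01..07 = only the first N bytes addressable, fc = kmalloc redzone, fb = freed object) and walks the granules from the object start until the first one that is not fully addressable. The sample input is an excerpt of the report above with timestamps removed; the function and variable names are this example's own.

```python
"""Triage helper for a KASAN slab-out-of-bounds report (added example).

Recovers two facts the report leaves implicit: the size that kmalloc()
was asked for (from the partial-granule shadow byte) and how far past
that size the reported access reaches.
"""
import re

# Excerpt of the syzkaller report above, timestamps stripped (constructed
# input for this example; the values are the report's own).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in udf_find_entry+0xa33/0x1070
Write of size 45 at addr ffff8880abdeb892 by task syz-executor314/8087
The buggy address belongs to the object at ffff8880abdeb7c0
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 210 bytes inside of
 256-byte region [ffff8880abdeb7c0, ffff8880abdeb8c0)
Memory state around the buggy address:
 ffff8880abdeb780: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8880abdeb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880abdeb880: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
                         ^
 ffff8880abdeb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

KASAN_GRANULE = 8  # bytes of memory covered by one shadow byte (generic KASAN)
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
REGION_RE = re.compile(r"\[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")


def parse_shadow(text):
    """Map each 8-byte granule start address to its shadow byte.

    Each printed row names the memory address of its first granule and
    lists 16 shadow bytes, i.e. covers 128 bytes of memory.
    """
    shadow = {}
    for line in text.splitlines():
        m = SHADOW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * KASAN_GRANULE] = int(tok, 16)
    return shadow


def addressable_end(shadow, obj_start, obj_end):
    """Return the first address past the bytes kmalloc() handed out."""
    addr = obj_start
    while addr < obj_end:
        s = shadow.get(addr)
        if s is None:
            raise ValueError("shadow row for %#x not in report" % addr)
        if s == 0:                 # whole granule addressable, keep walking
            addr += KASAN_GRANULE
            continue
        if 1 <= s <= 7:            # partial granule: first s bytes are valid
            return addr + s
        return addr                # redzone or poison: allocation ended here
    return addr


def triage(text):
    """Summarise the access against both the kmalloc size and the slab slot."""
    acc = ACCESS_RE.search(text)
    reg = REGION_RE.search(text)
    if not acc or not reg:
        raise ValueError("not a slab-out-of-bounds report")
    kind, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    obj_start, obj_end = int(reg.group(1), 16), int(reg.group(2), 16)
    alloc_end = addressable_end(parse_shadow(text), obj_start, obj_end)
    access_end = addr + size
    return {
        "kind": kind,
        "access_start": addr,
        "access_end": access_end,
        "slot_size": obj_end - obj_start,
        "alloc_size": alloc_end - obj_start,
        "bytes_past_alloc": max(0, access_end - alloc_end),
        "bytes_past_slot": max(0, access_end - obj_end),
    }


if __name__ == "__main__":
    r = triage(REPORT)
    print("%s of [%#x, %#x)" % (r["kind"], r["access_start"], r["access_end"]))
    print("slab slot %d bytes, kmalloc size %d, %d byte(s) past the allocation, "
          "%d past the slot" % (r["slot_size"], r["alloc_size"],
                                 r["bytes_past_alloc"], r["bytes_past_slot"]))
```

Run against the report it yields a kmalloc size of 254 and a 45-byte write ending exactly 1 byte past it, still inside the 256-byte slot. Two points follow for anyone triaging this: the overflow only corrupts slab padding, so without KASAN the same mount would be silent, which is why the reproducer has to be run on a KASAN build to be trusted; and the "Freed by task 7888" stack (a kfree from execve) is the slot's previous occupant recorded before this allocation, not evidence of a use-after-free. For reference, 254 is the value of UDF_NAME_LEN in fs/udf/udfdecl.h, which is consistent with a 255-byte file identifier being copied into a UDF_NAME_LEN buffer; the report itself does not show the source, so treat that as context rather than something the log proves.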