Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
[ 47.873442] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
[ 47.882892] ==================================================================
[ 47.891251] BUG: KASAN: use-after-free in udf_get_fileident+0x1d1/0x1f0
[ 47.899051] Read of size 2 at addr ffff8880a99df4bc by task syz-executor302/8273
[ 47.906574]
[ 47.908294] CPU: 1 PID: 8273 Comm: syz-executor302 Not tainted 4.14.272-syzkaller #0
[ 47.916165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.925641] Call Trace:
[ 47.928212]  dump_stack+0x14b/0x1e7
[ 47.931927]  ? udf_get_fileident+0x1d1/0x1f0
[ 47.936352]  print_address_description.cold.6+0x9/0x1ca
[ 47.941790]  ? udf_get_fileident+0x1d1/0x1f0
[ 47.946328]  kasan_report.cold.7+0x11a/0x2d3
[ 47.950735]  __asan_report_load_n_noabort+0xf/0x20
[ 47.955644]  udf_get_fileident+0x1d1/0x1f0
[ 47.959862]  udf_fileident_read+0x4b8/0x1ae0
[ 47.964349]  ? unwind_next_frame.part.6+0x1a3/0xa40
[ 47.969432]  ? is_bpf_text_address+0x60/0xe0
[ 47.973815]  ? lock_downgrade+0x7f0/0x7f0
[ 47.977933]  ? unwind_next_frame.part.6+0x1a3/0xa40
[ 47.982936]  ? udf_get_fileident+0x1f0/0x1f0
[ 47.987333]  ? udf_readdir+0x438/0x12b0
[ 47.991364]  ? rcu_read_lock_sched_held+0x108/0x120
[ 47.996353]  ? kmem_cache_alloc_trace+0x37c/0x3f0
[ 48.001260]  udf_readdir+0x5ca/0x12b0
[ 48.005035]  ? save_stack_trace+0x16/0x20
[ 48.009419]  ? udf_new_block+0x450/0x450
[ 48.013653]  ? check_usage_forwards+0x260/0x260
[ 48.018389]  ? __lock_acquire+0x24d5/0x42d0
[ 48.022691]  ? __fsnotify_inode_delete+0x20/0x20
[ 48.027440]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 48.032635]  ? debug_check_no_obj_freed+0x2d5/0x890
[ 48.037646]  ? lock_acquire+0x17e/0x3e0
[ 48.041687]  ? iterate_dir+0xaf/0x660
[ 48.045470]  iterate_dir+0x188/0x660
[ 48.049154]  ? iterate_dir+0x188/0x660
[ 48.053020]  SyS_getdents64+0x10d/0x1c0
[ 48.056989]  ? do_sys_open+0x16d/0x350
[ 48.060850]  ? set_fs_root+0x1b0/0x1b0
[ 48.064709]  ? SyS_getdents+0x1d0/0x1d0
[ 48.068680]  ? filldir+0x440/0x440
[ 48.072194]  ? do_syscall_64+0x4c/0x5b0
[ 48.076335]  ? SyS_getdents+0x1d0/0x1d0
[ 48.080341]  do_syscall_64+0x1c7/0x5b0
[ 48.084309]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 48.090193]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.095551] RIP: 0033:0x7fe4c1123599
[ 48.099248] RSP: 002b:00007ffd7de61e28 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 48.106939] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fe4c1123599
[ 48.114281] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 48.123262] RBP: 00007fe4c10e2d90 R08: 0000000000000000 R09: 0000000000000000
[ 48.130523] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe4c10e2e20
[ 48.137767] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 48.145028]
[ 48.146638] Allocated by task 8191:
[ 48.150257]  save_stack_trace+0x16/0x20
[ 48.154223]  kasan_kmalloc.part.1+0x62/0xf0
[ 48.158519]  kasan_kmalloc+0xaf/0xc0
[ 48.162312]  __kmalloc_node_track_caller+0x50/0x70
[ 48.167214]  __kmalloc_reserve.isra.7+0x2c/0xc0
[ 48.171857]  __alloc_skb+0xc1/0x540
[ 48.175468]  alloc_skb_with_frags+0x75/0x490
[ 48.179846]  sock_alloc_send_pskb+0x542/0x6f0
[ 48.184337]  unix_dgram_sendmsg+0x334/0x13b0
[ 48.188736]  sock_sendmsg+0xac/0xf0
[ 48.192335]  sock_write_iter+0x20d/0x400
[ 48.196370]  __vfs_write+0x413/0x840
[ 48.200057]  vfs_write+0x150/0x4f0
[ 48.203569]  SyS_write+0x100/0x250
[ 48.207083]  do_syscall_64+0x1c7/0x5b0
[ 48.210943]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.216107]
[ 48.217713] Freed by task 4627:
[ 48.220968]  save_stack_trace+0x16/0x20
[ 48.224917]  kasan_slab_free+0xab/0x190
[ 48.228865]  kfree+0xcc/0x270
[ 48.231944]  skb_free_head+0x74/0x90
[ 48.235634]  skb_release_data+0x4e0/0x820
[ 48.239850]  skb_release_all+0x3d/0x50
[ 48.243718]  consume_skb+0x84/0x2a0
[ 48.247318]  skb_free_datagram+0x12/0xc0
[ 48.251355]  unix_dgram_recvmsg+0x758/0xe60
[ 48.255664]  sock_recvmsg+0xb7/0xf0
[ 48.259279]  ___sys_recvmsg+0x206/0x4d0
[ 48.263224]  __sys_recvmsg+0xbe/0x140
[ 48.267005]  SyS_recvmsg+0xd/0x20
[ 48.270434]  do_syscall_64+0x1c7/0x5b0
[ 48.274381]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.279570]
[ 48.281173] The buggy address belongs to the object at ffff8880a99df300
[ 48.281173]  which belongs to the cache kmalloc-512 of size 512
[ 48.293890] The buggy address is located 444 bytes inside of
[ 48.293890]  512-byte region [ffff8880a99df300, ffff8880a99df500)
[ 48.305911] The buggy address belongs to the page:
[ 48.310823] page:ffffea0002a677c0 count:1 mapcount:0 mapping:ffff8880a99df080 index:0x0
[ 48.318951] flags: 0xfff00000000100(slab)
[ 48.323072] raw: 00fff00000000100 ffff8880a99df080 0000000000000000 0000000100000006
[ 48.331013] raw: ffffea0002ae90e0 ffffea0002a6c2e0 ffff88813fe50940 0000000000000000
[ 48.338865] page dumped because: kasan: bad access detected
[ 48.344565]
[ 48.346167] Memory state around the buggy address:
[ 48.351077]  ffff8880a99df380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.358408]  ffff8880a99df400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.365745] >ffff8880a99df480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.373075]                                         ^
[ 48.378237]  ffff8880a99df500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.385581]  ffff8880a99df580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.393011] ==================================================================
[ 48.400369] Disabling lock debugging due to kernel taint
[ 48.408526] Kernel panic - not syncing: panic_on_warn set ...
[ 48.408526]
[ 48.415911] CPU: 0 PID: 8273 Comm: syz-executor302 Tainted: G B 4.14.272-syzkaller #0
[ 48.424998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.434357] Call Trace:
[ 48.436932]  dump_stack+0x14b/0x1e7
[ 48.440541]  ? udf_get_fileident+0x1d1/0x1f0
[ 48.445011]  panic+0x1b0/0x358
[ 48.448176]  ? add_taint.cold.4+0x11/0x11
[ 48.452299]  ? ___preempt_schedule+0x16/0x18
[ 48.456697]  ? udf_get_fileident+0x1d1/0x1f0
[ 48.461086]  kasan_end_report+0x47/0x4f
[ 48.465039]  kasan_report.cold.7+0x76/0x2d3
[ 48.469335]  __asan_report_load_n_noabort+0xf/0x20
[ 48.474236]  udf_get_fileident+0x1d1/0x1f0
[ 48.478442]  udf_fileident_read+0x4b8/0x1ae0
[ 48.482825]  ? unwind_next_frame.part.6+0x1a3/0xa40
[ 48.487813]  ? is_bpf_text_address+0x60/0xe0
[ 48.492214]  ? lock_downgrade+0x7f0/0x7f0
[ 48.496334]  ? unwind_next_frame.part.6+0x1a3/0xa40
[ 48.501324]  ? udf_get_fileident+0x1f0/0x1f0
[ 48.505721]  ? udf_readdir+0x438/0x12b0
[ 48.509670]  ? rcu_read_lock_sched_held+0x108/0x120
[ 48.514665]  ? kmem_cache_alloc_trace+0x37c/0x3f0
[ 48.519477]  udf_readdir+0x5ca/0x12b0
[ 48.523253]  ? save_stack_trace+0x16/0x20
[ 48.527459]  ? udf_new_block+0x450/0x450
[ 48.531494]  ? check_usage_forwards+0x260/0x260
[ 48.536135]  ? __lock_acquire+0x24d5/0x42d0
[ 48.540611]  ? __fsnotify_inode_delete+0x20/0x20
[ 48.545349]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 48.550434]  ? debug_check_no_obj_freed+0x2d5/0x890
[ 48.556027]  ? lock_acquire+0x17e/0x3e0
[ 48.559977]  ? iterate_dir+0xaf/0x660
[ 48.563767]  iterate_dir+0x188/0x660
[ 48.567470]  ? iterate_dir+0x188/0x660
[ 48.571521]  SyS_getdents64+0x10d/0x1c0
[ 48.575473]  ? do_sys_open+0x16d/0x350
[ 48.579335]  ? set_fs_root+0x1b0/0x1b0
[ 48.583196]  ? SyS_getdents+0x1d0/0x1d0
[ 48.587142]  ? filldir+0x440/0x440
[ 48.590664]  ? do_syscall_64+0x4c/0x5b0
[ 48.594609]  ? SyS_getdents+0x1d0/0x1d0
[ 48.598555]  do_syscall_64+0x1c7/0x5b0
[ 48.602413]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 48.607248]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 48.612414] RIP: 0033:0x7fe4c1123599
[ 48.616095] RSP: 002b:00007ffd7de61e28 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 48.623773] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fe4c1123599
[ 48.631118] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 48.638363] RBP: 00007fe4c10e2d90 R08: 0000000000000000 R09: 0000000000000000
[ 48.645608] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe4c10e2e20
[ 48.652848] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 48.660185] Kernel Offset: disabled
[ 48.663792] Rebooting in 86400 seconds..