[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.86' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   30.542426] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
[   30.577767] ==================================================================
[   30.585320] BUG: KASAN: use-after-free in udf_get_fileident+0x1ea/0x200
[   30.592071] Read of size 2 at addr ffff8880980024fc by task syz-executor244/7960
[   30.599589]
[   30.601227] CPU: 1 PID: 7960 Comm: syz-executor244 Not tainted 4.14.266-syzkaller #0
[   30.609196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.618534] Call Trace:
[   30.621118]  dump_stack+0x1b2/0x281
[   30.624734]  print_address_description.cold+0x54/0x1d3
[   30.629994]  kasan_report_error.cold+0x8a/0x191
[   30.634657]  ? udf_get_fileident+0x1ea/0x200
[   30.639046]  __asan_report_load_n_noabort+0x6b/0x80
[   30.644058]  ? udf_get_fileident+0x1ea/0x200
[   30.648469]  udf_get_fileident+0x1ea/0x200
[   30.652695]  udf_fileident_read+0x4b9/0x1840
[   30.657100]  ? lock_downgrade+0x740/0x740
[   30.661233]  ? unwind_next_frame+0xe54/0x17d0
[   30.665713]  ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.671064]  ? udf_get_fileident+0x200/0x200
[   30.675465]  ? is_bpf_text_address+0xb8/0x150
[   30.680059]  ? kernel_text_address+0xbd/0xf0
[   30.684555]  ? udf_readdir+0x326/0x11f0
[   30.688512]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   30.693951]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   30.699060]  udf_readdir+0x4d0/0x11f0
[   30.702848]  ? __lock_acquire+0x2190/0x3f20
[   30.707154]  ? udf_new_block+0x430/0x430
[   30.711205]  ? aa_file_perm+0x304/0xab0
[   30.715173]  ? debug_check_no_obj_freed+0x2c0/0x680
[   30.720176]  ? trace_hardirqs_on+0x10/0x10
[   30.724396]  ? aa_path_link+0x3a0/0x3a0
[   30.728357]  ? __fsnotify_inode_delete+0x20/0x20
[   30.733105]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[   30.739758]  ? lock_acquire+0x170/0x3f0
[   30.743717]  ? iterate_dir+0xbc/0x5e0
[   30.747510]  iterate_dir+0x1a0/0x5e0
[   30.751211]  SyS_getdents64+0x125/0x230
[   30.755172]  ? SyS_getdents+0x240/0x240
[   30.759131]  ? filldir+0x390/0x390
[   30.762655]  ? do_syscall_64+0x4c/0x640
[   30.766615]  ? SyS_getdents+0x240/0x240
[   30.770569]  do_syscall_64+0x1d5/0x640
[   30.774449]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.779623] RIP: 0033:0x7efd8c27c5b9
[   30.783316] RSP: 002b:00007ffd8620d638 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[   30.791106] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007efd8c27c5b9
[   30.798360] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   30.805616] RBP: 00007efd8c23be50 R08: 0000000000000000 R09: 0000000000000000
[   30.812870] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efd8c23bee0
[   30.820126] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.827387]
[   30.828994] Allocated by task 6234:
[   30.832609]  kasan_kmalloc+0xeb/0x160
[   30.836391]  kmem_cache_alloc_trace+0x131/0x3d0
[   30.841065]  kernfs_fop_open+0x266/0xc40
[   30.845130]  do_dentry_open+0x44b/0xec0
[   30.849091]  vfs_open+0x105/0x220
[   30.852531]  path_openat+0x628/0x2970
[   30.856320]  do_filp_open+0x179/0x3c0
[   30.860107]  do_sys_open+0x296/0x410
[   30.863864]  do_syscall_64+0x1d5/0x640
[   30.867740]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.872908]
[   30.874515] Freed by task 6234:
[   30.877780]  kasan_slab_free+0xc3/0x1a0
[   30.881734]  kfree+0xc9/0x250
[   30.884823]  kernfs_fop_release+0x10e/0x180
[   30.889125]  __fput+0x25f/0x7a0
[   30.892389]  task_work_run+0x11f/0x190
[   30.896392]  exit_to_usermode_loop+0x1ad/0x200
[   30.900959]  do_syscall_64+0x4a3/0x640
[   30.904828]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.910018]
[   30.911627] The buggy address belongs to the object at ffff888098002340
[   30.911627]  which belongs to the cache kmalloc-512 of size 512
[   30.924375] The buggy address is located 444 bytes inside of
[   30.924375]  512-byte region [ffff888098002340, ffff888098002540)
[   30.936406] The buggy address belongs to the page:
[   30.941322] page:ffffea0002600080 count:1 mapcount:0 mapping:ffff8880980020c0 index:0xffff888098002340
[   30.950749] flags: 0xfff00000000100(slab)
[   30.954880] raw: 00fff00000000100 ffff8880980020c0 ffff888098002340 0000000100000005
[   30.962742] raw: ffffea00025bd9a0 ffff88813fe64738 ffff88813fe74940 0000000000000000
[   30.970603] page dumped because: kasan: bad access detected
[   30.976292]
[   30.977918] Memory state around the buggy address:
[   30.982831]  ffff888098002380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.990176]  ffff888098002400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.997531] >ffff888098002480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.004875]                                                                 ^
[   31.012135]  ffff888098002500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.019473]  ffff888098002580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   31.026818] ==================================================================
[   31.034158] Disabling lock debugging due to kernel taint
[   31.042115] Kernel panic - not syncing: panic_on_warn set ...
[   31.042115]
[   31.049500] CPU: 0 PID: 7960 Comm: syz-executor244 Tainted: G    B   4.14.266-syzkaller #0
[   31.058591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.067974] Call Trace:
[   31.070549]  dump_stack+0x1b2/0x281
[   31.074176]  panic+0x1f9/0x42d
[   31.077491]  ? add_taint.cold+0x16/0x16
[   31.081475]  ? ___preempt_schedule+0x16/0x18
[   31.085876]  kasan_end_report+0x43/0x49
[   31.089830]  kasan_report_error.cold+0xa7/0x191
[   31.094483]  ? udf_get_fileident+0x1ea/0x200
[   31.098871]  __asan_report_load_n_noabort+0x6b/0x80
[   31.103870]  ? udf_get_fileident+0x1ea/0x200
[   31.108259]  udf_get_fileident+0x1ea/0x200
[   31.112497]  udf_fileident_read+0x4b9/0x1840
[   31.116911]  ? lock_downgrade+0x740/0x740
[   31.121066]  ? unwind_next_frame+0xe54/0x17d0
[   31.125552]  ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.130903]  ? udf_get_fileident+0x200/0x200
[   31.135293]  ? is_bpf_text_address+0xb8/0x150
[   31.139766]  ? kernel_text_address+0xbd/0xf0
[   31.144161]  ? udf_readdir+0x326/0x11f0
[   31.148120]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   31.153558]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   31.158561]  udf_readdir+0x4d0/0x11f0
[   31.162351]  ? __lock_acquire+0x2190/0x3f20
[   31.166656]  ? udf_new_block+0x430/0x430
[   31.170697]  ? aa_file_perm+0x304/0xab0
[   31.174654]  ? debug_check_no_obj_freed+0x2c0/0x680
[   31.179653]  ? trace_hardirqs_on+0x10/0x10
[   31.183868]  ? aa_path_link+0x3a0/0x3a0
[   31.187831]  ? __fsnotify_inode_delete+0x20/0x20
[   31.192576]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[   31.199232]  ? lock_acquire+0x170/0x3f0
[   31.203196]  ? iterate_dir+0xbc/0x5e0
[   31.206984]  iterate_dir+0x1a0/0x5e0
[   31.210688]  SyS_getdents64+0x125/0x230
[   31.214642]  ? SyS_getdents+0x240/0x240
[   31.218597]  ? filldir+0x390/0x390
[   31.222125]  ? do_syscall_64+0x4c/0x640
[   31.226084]  ? SyS_getdents+0x240/0x240
[   31.230045]  do_syscall_64+0x1d5/0x640
[   31.233926]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.239099] RIP: 0033:0x7efd8c27c5b9
[   31.242802] RSP: 002b:00007ffd8620d638 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[   31.250506] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007efd8c27c5b9
[   31.257756] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   31.265012] RBP: 00007efd8c23be50 R08: 0000000000000000 R09: 0000000000000000
[   31.272267] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efd8c23bee0
[   31.279517] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   31.287089] Kernel Offset: disabled
[   31.290703] Rebooting in 86400 seconds..
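Triage note, with an added example that is not part of syzkaller or the kernel: a small parser for the KASAN report format shown above, fed an excerpt of this very report. It pulls out the bug class, the faulting access, the first non-instrumentation frame of each stack, and the slab object the address falls in, and cross-checks the numbers the report prints (the 444-byte offset against the addresses, and that offset+size stays inside the 512-byte object). The `culprit()` noise list is this example's own heuristic, not anything KASAN or syzkaller defines.

```python
"""Parse a 4.14-era KASAN report into its triage-relevant fields.

Added example for this page; relies only on the line formats visible in the
report above and is not a general kernel-log parser.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the report above (constructed sample input; timestamps as logged).
SAMPLE = """\
[   30.585320] BUG: KASAN: use-after-free in udf_get_fileident+0x1ea/0x200
[   30.592071] Read of size 2 at addr ffff8880980024fc by task syz-executor244/7960
[   30.599589]
[   30.601227] CPU: 1 PID: 7960 Comm: syz-executor244 Not tainted 4.14.266-syzkaller #0
[   30.618534] Call Trace:
[   30.621118]  dump_stack+0x1b2/0x281
[   30.624734]  print_address_description.cold+0x54/0x1d3
[   30.629994]  kasan_report_error.cold+0x8a/0x191
[   30.634657]  ? udf_get_fileident+0x1ea/0x200
[   30.639046]  __asan_report_load_n_noabort+0x6b/0x80
[   30.648469]  udf_get_fileident+0x1ea/0x200
[   30.652695]  udf_fileident_read+0x4b9/0x1840
[   30.699060]  udf_readdir+0x4d0/0x11f0
[   30.747510]  iterate_dir+0x1a0/0x5e0
[   30.751211]  SyS_getdents64+0x125/0x230
[   30.779623] RIP: 0033:0x7efd8c27c5b9
[   30.828994] Allocated by task 6234:
[   30.832609]  kasan_kmalloc+0xeb/0x160
[   30.836391]  kmem_cache_alloc_trace+0x131/0x3d0
[   30.841065]  kernfs_fop_open+0x266/0xc40
[   30.872908]
[   30.874515] Freed by task 6234:
[   30.877780]  kasan_slab_free+0xc3/0x1a0
[   30.881734]  kfree+0xc9/0x250
[   30.884823]  kernfs_fop_release+0x10e/0x180
[   30.910018]
[   30.911627] The buggy address belongs to the object at ffff888098002340
[   30.911627]  which belongs to the cache kmalloc-512 of size 512
[   30.924375] The buggy address is located 444 bytes inside of
[   30.924375]  512-byte region [ffff888098002340, ffff888098002540)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")

# Frames that are KASAN/allocator plumbing rather than the code under suspicion.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "kmem_cache_alloc", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    kind: str = ""; func: str = ""; op: str = ""; size: int = 0
    addr: int = 0; task: str = ""; pid: int = 0
    alloc_task: int = 0; free_task: int = 0
    obj: int = 0; cache: str = ""; cache_size: int = 0; offset: int = 0
    access_trace: list = field(default_factory=list)
    alloc_trace: list = field(default_factory=list)
    free_trace: list = field(default_factory=list)


def culprit(frames):
    """First frame that is not instrumentation: the function to read first."""
    return next((s for s in frames if not s.startswith(NOISE)), frames[0] if frames else "")


def parse_kasan(text):
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        m = TS.match(raw)
        line = (m.group(1) if m else raw).strip()
        if not line:                      # blank line closes the current stack
            section = None
        elif (h := HEADER.search(line)):
            rep.kind, rep.func = h["kind"], h["func"]
        elif (a := ACCESS.search(line)):
            rep.op, rep.size, rep.addr = a["op"], int(a["size"]), int(a["addr"], 16)
            rep.task, rep.pid = a["task"], int(a["pid"])
        elif line == "Call Trace:":
            section = rep.access_trace
        elif (t := re.match(r"Allocated by task (\d+):", line)):
            rep.alloc_task, section = int(t[1]), rep.alloc_trace
        elif (t := re.match(r"Freed by task (\d+):", line)):
            rep.free_task, section = int(t[1]), rep.free_trace
        elif (f := FRAME.match(line)) and section is not None:
            if not f.group(1):            # "? sym" entries are stale stack slots, not real frames
                section.append(f["sym"])
        elif (o := OBJECT.search(line)):
            rep.obj = int(o["obj"], 16)
        elif (c := CACHE.search(line)):
            rep.cache, rep.cache_size = c["cache"], int(c["size"])
        elif (o := OFFSET.search(line)):
            rep.offset = int(o["off"])
        else:                             # registers etc. also end a stack
            section = None
    return rep


def summarize(rep):
    """Boil the report down and sanity-check its own arithmetic."""
    acc, alloc, free = (culprit(rep.access_trace), culprit(rep.alloc_trace), culprit(rep.free_trace))
    return {
        "bug": rep.kind, "where": rep.func,
        "access": f"{rep.op.lower()} {rep.size} bytes at object+{rep.offset} in {rep.cache}",
        "offset_consistent": rep.addr - rep.obj == rep.offset,
        "inside_object": rep.offset + rep.size <= rep.cache_size,
        "accessor": acc, "last_owner_alloc": alloc, "last_owner_free": free,
        "same_subsystem": acc.split("_")[0] == free.split("_")[0],
    }


if __name__ == "__main__":
    for k, v in summarize(parse_kasan(SAMPLE)).items():
        print(f"{k:18} {v}")
```

The `same_subsystem` flag is the check worth looking at on this report: the reader is UDF (`udf_get_fileident` via `getdents64`), but the last allocation and free of that kmalloc-512 slot were by kernfs (`kernfs_fop_open`/`kernfs_fop_release`, task 6234, a different task). The alloc/free stacks KASAN prints describe the last owner of the slab slot, not necessarily the object UDF thought it held, so the stale or out-of-range pointer has to be traced from the UDF side; the kernfs frames only say who last touched that memory.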