Re: [UDF] BUG: KASAN: slab-out-of-bounds in iput+0x8df/0xa80
From: Jan Kara
Date: Thu Sep 06 2018 - 12:12:48 EST
On Thu 28-06-18 22:48:51, Anatoly Trosinenko wrote:
> Mounting a broken UDF image causes a KASAN warning on v4.18-rc2.
>
> How to reproduce:
> 1. Compile v4.18-rc2 kernel with the attached config
> 2. Unpack and mount the attached FS image as UDF
Thanks for the report and reproducer. I'll send fixes for the bug shortly.
Honza
>
> What happens:
> [ 24.002776] UDF-fs: warning (device sda): udf_fill_super: No fileset found
> [ 24.003207] ==================================================================
> [ 24.003402] BUG: KASAN: slab-out-of-bounds in iput+0x8df/0xa80
> [ 24.003584] Read of size 8 at addr ffff880067e82100 by task exe/1090
> [ 24.003684]
> [ 24.004030] CPU: 0 PID: 1090 Comm: exe Not tainted 4.18.0-rc2 #1
> [ 24.004146] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 24.004420] Call Trace:
> [ 24.004629] dump_stack+0xae/0x14b
> [ 24.004736] ? show_regs_print_info+0x5/0x5
> [ 24.004815] ? printk+0x97/0xbe
> [ 24.004876] ? kmsg_dump_rewind_nolock+0xf0/0xf0
> [ 24.004950] ? __switch_to_asm+0x40/0x70
> [ 24.005018] ? iput+0x8df/0xa80
> [ 24.005076] print_address_description+0x75/0x3e0
> [ 24.005157] ? iput+0x8df/0xa80
> [ 24.005217] kasan_report+0x1d8/0x460
> [ 24.005284] ? __switch_to_asm+0x40/0x70
> [ 24.005353] ? iput+0x8df/0xa80
> [ 24.005412] iput+0x8df/0xa80
> [ 24.005472] ? __sched_text_start+0x8/0x8
> [ 24.005540] ? inode_add_lru+0x280/0x280
> [ 24.005610] ? inode_add_lru+0x280/0x280
> [ 24.005676] ? kmsg_dump_rewind_nolock+0xf0/0xf0
> [ 24.005753] ? submit_bio+0x97/0x480
> [ 24.005825] ? submit_bio+0x97/0x480
> [ 24.005890] ? bio_alloc_bioset+0x224/0x680
> [ 24.005964] ? _udf_warn+0x104/0x190
> [ 24.006027] ? apic_timer_interrupt+0xa/0x20
> [ 24.006107] udf_sb_free_partitions+0x4e1/0x9b0
> [ 24.006190] udf_fill_super+0xe00/0x1ed0
> [ 24.006265] ? udf_load_vrs+0xc80/0xc80
> [ 24.006331] ? strspn+0x230/0x250
> [ 24.006394] ? vsnprintf+0x587/0x1380
> [ 24.006461] ? pointer+0x790/0x790
> [ 24.006522] ? rcu_note_context_switch+0x4e3/0x500
> [ 24.006603] ? udf_load_vrs+0xc80/0xc80
> [ 24.006669] ? snprintf+0x8f/0xc0
> [ 24.006729] ? vsprintf+0x10/0x10
> [ 24.006791] ? udf_load_vrs+0xc80/0xc80
> [ 24.006861] ? udf_load_vrs+0xc80/0xc80
> [ 24.006925] mount_bdev+0x25e/0x330
> [ 24.006993] mount_fs+0x59/0x330
> [ 24.007059] vfs_kern_mount.part.8+0xba/0x460
> [ 24.007136] ? unlock_mount+0x190/0x190
> [ 24.007207] ? __get_fs_type+0x82/0xe0
> [ 24.007276] do_mount+0xe13/0x34f0
> [ 24.007345] ? copy_mount_string+0x20/0x20
> [ 24.007417] ? strndup_user+0x42/0xb0
> [ 24.007479] ? save_stack+0x89/0xb0
> [ 24.007541] ? __kmalloc_track_caller+0x11a/0x360
> [ 24.007614] ? memdup_user+0x23/0x60
> [ 24.007673] ? strndup_user+0x42/0xb0
> [ 24.007733] ? ksys_mount+0x49/0xd0
> [ 24.007793] ? __x64_sys_mount+0xbe/0x170
> [ 24.007857] ? do_syscall_64+0x13c/0x520
> [ 24.007921] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 24.008014] ? d_move+0xf0/0xf0
> [ 24.008077] ? selinux_inode_getattr+0x19f/0x260
> [ 24.008153] ? selinux_sctp_assoc_request+0x9e0/0x9e0
> [ 24.008233] ? kmem_cache_alloc+0xfa/0x2d0
> [ 24.008304] ? _copy_to_user+0x6d/0xb0
> [ 24.008369] ? cp_new_stat+0x66a/0x8e0
> [ 24.008433] ? inode_get_bytes+0x210/0x210
> [ 24.008509] ? kasan_unpoison_shadow+0x30/0x40
> [ 24.008583] ? kasan_kmalloc+0xa0/0xd0
> [ 24.008649] ? __kmalloc_track_caller+0x11a/0x360
> [ 24.008726] ? _copy_from_user+0x75/0xc0
> [ 24.008794] ? memdup_user+0x39/0x60
> [ 24.008860] ksys_mount+0x7b/0xd0
> [ 24.008926] __x64_sys_mount+0xbe/0x170
> [ 24.008996] do_syscall_64+0x13c/0x520
> [ 24.009065] ? syscall_return_slowpath+0x370/0x370
> [ 24.009145] ? __do_page_fault+0xb80/0xb80
> [ 24.009215] ? prepare_exit_to_usermode+0x1df/0x280
> [ 24.009293] ? perf_trace_sys_enter+0x17e0/0x17e0
> [ 24.009370] ? __put_user_4+0x1c/0x30
> [ 24.009437] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 24.009621] RIP: 0033:0x48d31a
> [ 24.009692] Code: b8 67 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d cc 01 00 c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4a cc 01 00 c3 66 0f 1f 84 00 00 00 00 00
> [ 24.010213] RSP: 002b:00007ffdd66b17e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> [ 24.010368] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a
> [ 24.010487] RDX: 00007ffdd66b2fa2 RSI: 00007ffdd66b2f9a RDI: 00007ffdd66b2f91
> [ 24.010605] RBP: 0000000001d668a0 R08: 0000000000000000 R09: 0000000000000000
> [ 24.010723] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000
> [ 24.010839] R13: 0000000000000000 R14: 00007ffdd66b1a58 R15: 0000000000000000
> [ 24.011020]
> [ 24.011147] Allocated by task 0:
> [ 24.011209] (stack is not available)
> [ 24.011277]
> [ 24.011314] Freed by task 0:
> [ 24.011359] (stack is not available)
> [ 24.011413]
> [ 24.011457] The buggy address belongs to the object at ffff880067e82100
> [ 24.011457] which belongs to the cache kmalloc-16 of size 16
> [ 24.011662] The buggy address is located 0 bytes inside of
> [ 24.011662] 16-byte region [ffff880067e82100, ffff880067e82110)
> [ 24.011839] The buggy address belongs to the page:
> [ 24.012064] page:ffffea00019fa080 count:1 mapcount:0 mapping:ffff88006c001b40 index:0x0
> [ 24.012318] flags: 0x100000000000100(slab)
> [ 24.012614] raw: 0100000000000100 dead000000000100 dead000000000200 ffff88006c001b40
> [ 24.012744] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
> [ 24.012991] page dumped because: kasan: bad access detected
> [ 24.013105]
> [ 24.013162] Memory state around the buggy address:
> [ 24.013453] ffff880067e82000: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
> [ 24.013581] ffff880067e82080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 24.013700] >ffff880067e82100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 24.013851] ^
> [ 24.013912] ffff880067e82180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 24.014012] ffff880067e82200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 24.014132] ==================================================================
> [ 24.014250] Disabling lock debugging due to kernel taint
> mount: mounting /dev/sda on /mnt failed: Invalid argument
> [ 24.027931] exe (1090) used greatest stack depth: 19824 bytes left
>
> (Full log attached)
>
> Thanks,
> Anatoly
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
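A triage helper for reports of this shape, added here as an example and not code from the thread or from the kernel: it parses the quoted KASAN output (mail quoting and printk timestamps included) into the access, the slab object KASAN attributed it to, the reliable call-trace frames and the shadow byte of the faulting address. In this report the read lands at offset 0 of a kmalloc-16 slot whose shadow is the kmalloc redzone marker (0xfc), i.e. the slot is not a live allocation, which the helper surfaces without reading the dump by hand; the poison values are assumed to match mm/kasan/kasan.h for generic KASAN.

```python
"""KASAN slab-report triage helper (added example, not code from the thread): pull
out the access, the victim object, the reliable frames and the shadow byte of the
faulting address. Poison markers per mm/kasan/kasan.h, assumed unchanged since 4.18."""
import re
from dataclasses import dataclass, field

# Shadow byte: 0x00 = granule fully addressable, 0x01-0x07 = that many leading
# bytes addressable, anything else is one of these poison markers.
SHADOW_POISON = {0xfa: "global redzone", 0xfb: "freed kmalloc object",
                 0xfc: "kmalloc redzone / unallocated slab slot",
                 0xfe: "page redzone", 0xff: "freed page", 0xf1: "stack left",
                 0xf2: "stack mid", 0xf3: "stack right", 0xf4: "stack partial"}
_REPORTING = ("dump_stack", "print_address_description", "kasan_report")
_HDR = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\S+)")
_ACC = re.compile(r"(?P<acc>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size")
_REGION = re.compile(r"\d+-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
_SHADOW = re.compile(r"^>?(?P<base>[0-9a-f]{16}):\s*(?P<bytes>(?:[0-9a-f]{2}\s*){16})$")
_FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")

@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    frames: list = field(default_factory=list)  # reliable frames, innermost first
    shadow: dict = field(default_factory=dict)  # row address -> 16 shadow bytes

def _strip(line: str) -> str:
    # Drop mail quoting ('> ') and the '[   24.003402]' printk timestamp.
    return re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line.lstrip("> ").strip())

def parse_kasan_report(text: str) -> KasanReport:
    rep, in_trace = KasanReport(), False
    for raw in text.splitlines():
        line = _strip(raw)
        if m := _HDR.search(line):
            rep.bug_type, rep.func = m["type"], m["func"]
        elif m := _ACC.search(line):
            rep.access, rep.size, rep.addr = m["acc"], int(m["size"]), int(m["addr"], 16)
        elif m := _CACHE.search(line):
            rep.cache = m["cache"]
        elif m := _REGION.search(line):
            rep.obj_start, rep.obj_end = int(m["lo"], 16), int(m["hi"], 16)
        elif m := _SHADOW.match(line):
            rep.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = _FRAME.match(line)
            if m is None:               # RIP:/register dump ends the trace
                in_trace = False
            elif not m["unreliable"]:   # '? sym' entries are stale stack slots
                rep.frames.append(m["sym"])
    return rep

def shadow_byte_for(rep: KasanReport, addr: int):
    """Shadow byte covering addr (a printed row spans 16 * 8 = 128 bytes), else None."""
    for base, row in rep.shadow.items():
        if base <= addr < base + 128:
            return row[(addr - base) // 8]
    return None

def culprit_frames(rep: KasanReport, n: int = 3) -> list:
    """First n reliable frames below KASAN's own reporting path."""
    return [f for f in rep.frames if not f.startswith(_REPORTING)][:n]

def locate_access(rep: KasanReport) -> str:
    if rep.obj_start <= rep.addr < rep.obj_end:
        return f"{rep.addr - rep.obj_start} bytes inside the {rep.obj_end - rep.obj_start}-byte object"
    if rep.addr < rep.obj_start:
        return f"{rep.obj_start - rep.addr} bytes before the object"
    return f"{rep.addr - rep.obj_end} bytes past the end of the object"
# Trimmed copy of the report quoted in the thread, mail quoting and timestamps kept.
SAMPLE_REPORT = """\
> [   24.003402] BUG: KASAN: slab-out-of-bounds in iput+0x8df/0xa80
> [   24.003584] Read of size 8 at addr ffff880067e82100 by task exe/1090
> [   24.004420] Call Trace:
> [   24.005217]  kasan_report+0x1d8/0x460
> [   24.005353]  ? iput+0x8df/0xa80
> [   24.005412]  iput+0x8df/0xa80
> [   24.006107]  udf_sb_free_partitions+0x4e1/0x9b0
> [   24.006190]  udf_fill_super+0xe00/0x1ed0
> [   24.009621] RIP: 0033:0x48d31a
> [   24.011457]  which belongs to the cache kmalloc-16 of size 16
> [   24.011662]  16-byte region [ffff880067e82100, ffff880067e82110)
> [   24.013453]  ffff880067e82000: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
> [   24.013700] >ffff880067e82100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""
```

Feeding a full report in (the `>`-quoted copy above works as-is) gives `culprit_frames()` as the place to start reading and `shadow_byte_for()` to check whether the object KASAN named was actually live at the time of the access.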