R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ================================================================== BUG: KASAN: out-of-bounds in udf_write_fi+0x914/0xf20 fs/udf/namei.c:93 Write of size 18446744073709551572 at addr ffff888077c1562c by task syz-executor.3/9162 CPU: 3 PID: 9162 Comm: syz-executor.3 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x15e/0x45d mm/kasan/report.c:417 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 memset+0x24/0x50 mm/kasan/shadow.c:44 udf_write_fi+0x914/0xf20 fs/udf/namei.c:93 udf_rename+0xd80/0x1260 fs/udf/namei.c:1173 vfs_rename+0x1162/0x1a90 fs/namei.c:4779 do_renameat2+0xb22/0xc30 fs/namei.c:4930 __do_sys_rename fs/namei.c:4976 [inline] __se_sys_rename fs/namei.c:4974 [inline] __ia32_sys_rename+0x80/0xa0 fs/namei.c:4974 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 RIP: 0023:0xf7f3f549 Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f7f3a5cc EFLAGS: 00000296 ORIG_RAX: 0000000000000026 RAX: ffffffffffffffda RBX: 0000000020000040 RCX: 0000000020000100 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the physical page: page:ffffea0001df0540 refcount:3 mapcount:0 mapping:ffff88801967dff8 index:0xe pfn:0x77c15 memcg:ffff8880267a4000 aops:def_blk_aops ino:700003 flags: 0x4fff0000000202a(referenced|dirty|active|private|node=1|zone=1|lastcpupid=0x7ff) raw: 04fff0000000202a 0000000000000000 dead000000000122 ffff88801967dff8 raw: 000000000000000e ffff8880451d1ae0 00000003ffffffff ffff8880267a4000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 9162, tgid 9161 (syz-executor.3), ts 333855889494, free_ts 333745911140 prep_new_page mm/page_alloc.c:2531 [inline] get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283 __alloc_pages_slowpath.constprop.0+0x36b/0x23d0 mm/page_alloc.c:5084 __alloc_pages+0x4aa/0x5b0 mm/page_alloc.c:5562 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2286 folio_alloc+0x20/0x70 mm/mempolicy.c:2296 filemap_alloc_folio+0x362/0x450 mm/filemap.c:972 __filemap_get_folio+0x32c/0xd80 mm/filemap.c:1966 pagecache_get_page+0x2e/0x280 mm/folio-compat.c:98 find_or_create_page include/linux/pagemap.h:612 [inline] grow_dev_page fs/buffer.c:946 [inline] grow_buffers fs/buffer.c:1011 [inline] __getblk_slow+0x1f4/0x1030 fs/buffer.c:1038 __getblk_gfp+0x72/0x80 fs/buffer.c:1333 sb_getblk include/linux/buffer_head.h:356 [inline] udf_tgetblk+0xfd/0x1d0 fs/udf/misc.c:36 udf_expand_dir_adinicb+0x399/0xf20 fs/udf/inode.c:360 udf_add_entry+0x1ea8/0x2ac0 fs/udf/namei.c:444 udf_rename+0x121f/0x1260 fs/udf/namei.c:1150 vfs_rename+0x1162/0x1a90 fs/namei.c:4779 do_renameat2+0xb22/0xc30 fs/namei.c:4930 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1446 [inline] free_pcp_prepare+0x65c/0xc00 mm/page_alloc.c:1496 free_unref_page_prepare mm/page_alloc.c:3369 [inline] free_unref_page_list+0x176/0xcd0 mm/page_alloc.c:3510 release_pages+0xcb1/0x1330 mm/swap.c:1076 __pagevec_release+0x77/0xe0 mm/swap.c:1096 pagevec_release include/linux/pagevec.h:71 [inline] folio_batch_release include/linux/pagevec.h:135 [inline] shmem_undo_range+0x595/0x1340 mm/shmem.c:947 shmem_truncate_range mm/shmem.c:1042 [inline] shmem_evict_inode+0x32f/0xb60 mm/shmem.c:1151 evict+0x2ed/0x6b0 fs/inode.c:664 iput_final fs/inode.c:1747 [inline] iput.part.0+0x59b/0x880 fs/inode.c:1773 iput+0x5c/0x80 fs/inode.c:1763 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401 __dentry_kill+0x3c0/0x640 fs/dcache.c:607 dentry_kill fs/dcache.c:733 [inline] dput+0x80a/0xdb0 fs/dcache.c:913 __fput+0x3cc/0xa90 fs/file_table.c:328 task_work_run+0x16f/0x270 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 Memory state around the buggy address: ffff888077c15500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888077c15580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888077c15600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff888077c15680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888077c15700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== ---------------- Code disassembly (best guess): 0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi 4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d a: 10 06 adc %al,(%rsi) c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 10: 10 07 adc %al,(%rdi) 12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi 16: 10 08 adc %cl,(%rax) 18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1c: 00 00 add %al,(%rax) 1e: 00 00 add %al,(%rax) 20: 00 51 52 add %dl,0x52(%rcx) 23: 55 push %rbp 24: 89 e5 mov %esp,%ebp 26: 0f 34 sysenter 28: cd 80 int $0x80 * 2a: 5d pop %rbp <-- trapping instruction 2b: 5a pop %rdx 2c: 59 pop %rcx 2d: c3 retq 2e: 90 nop 2f: 90 nop 30: 90 nop 31: 90 nop 32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi