UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
audit: type=1800 audit(1673668096.604:2): pid=8092 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor107" name="bus" dev="loop0" ino=861 res=0
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0xce/0xe0 lib/crc-itu-t.c:62
Read of size 1 at addr ffff8880abe7c000 by task syz-executor107/8092
CPU: 1 PID: 8092 Comm: syz-executor107 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
crc_itu_t+0xce/0xe0 lib/crc-itu-t.c:62
udf_close_lvid+0x47a/0x770 fs/udf/super.c:2064
udf_put_super+0x217/0x290 fs/udf/super.c:2361
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1c881c7e99
Code: Bad RIP value.
RSP: 002b:00007fff19fc78f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f1c8823d410 RCX: 00007f1c881c7e99
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f1c88237e40
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f1c8823d410
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Allocated by task 6218:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
prepare_creds+0x39/0x510 kernel/cred.c:255
do_faccessat+0x94/0x7a0 fs/open.c:359
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 6218:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
__put_cred+0x1de/0x250 kernel/cred.c:151
put_cred include/linux/cred.h:279 [inline]
do_faccessat+0x64e/0x7a0 fs/open.c:438
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880abe7c000
which belongs to the cache cred_jar of size 184
The buggy address is located 0 bytes inside of
184-byte region [ffff8880abe7c000, ffff8880abe7c0b8)
The buggy address belongs to the page:
page:ffffea0002af9f00 count:1 mapcount:0 mapping:ffff88813be45b00 index:0xffff8880abe7c400
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ac1148 ffffea0002afe4c8 ffff88813be45b00
raw: ffff8880abe7c400 ffff8880abe7c000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880abe7bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880abe7bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880abe7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880abe7c080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
ffff8880abe7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================