[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.90' (ECDSA) to the list of known hosts.

syzkaller login: [   36.493506] IPVS: ftp: loaded support on port[0] = 21
executing program
[   36.570106] UDF-fs: error (device loop0): udf_read_tagged: tag checksum failed, block 96: 0x73 != 0x9b
[   36.579767] UDF-fs: error (device loop0): udf_process_sequence: Primary Volume Descriptor not found!
[   36.591995] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[   36.606357] audit: type=1800 audit(1673668096.604:2): pid=8092 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor107" name="bus" dev="loop0" ino=861 res=0
[   36.681788] ==================================================================
[   36.689364] BUG: KASAN: use-after-free in crc_itu_t+0xce/0xe0
[   36.695255] Read of size 1 at addr ffff8880abe7c000 by task syz-executor107/8092
[   36.703443]
[   36.705057] CPU: 1 PID: 8092 Comm: syz-executor107 Not tainted 4.19.211-syzkaller #0
[   36.712916] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   36.722335] Call Trace:
[   36.724907]  dump_stack+0x1fc/0x2ef
[   36.728521]  print_address_description.cold+0x54/0x219
[   36.733782]  kasan_report_error.cold+0x8a/0x1b9
[   36.738442]  ? crc_itu_t+0xce/0xe0
[   36.741969]  __asan_report_load1_noabort+0x88/0x90
[   36.746881]  ? kvm_register_clock+0x70/0xc0
[   36.751182]  ? crc_itu_t+0xce/0xe0
[   36.754709]  crc_itu_t+0xce/0xe0
[   36.758070]  udf_close_lvid+0x47a/0x770
[   36.762030]  ? udf_open_lvid+0x4f0/0x4f0
[   36.766079]  ? dispose_list+0x1f0/0x1f0
[   36.770032]  ? iput+0x16/0x860
[   36.773209]  udf_put_super+0x217/0x290
[   36.777084]  ? udf_sb_free_partitions.isra.0+0xba0/0xba0
[   36.782518]  generic_shutdown_super+0x144/0x370
[   36.787170]  kill_block_super+0x97/0xf0
[   36.791127]  deactivate_locked_super+0x94/0x160
[   36.795779]  deactivate_super+0x174/0x1a0
[   36.799910]  ? deactivate_locked_super+0x160/0x160
[   36.804912]  ? dput+0x31/0x640
[   36.808089]  cleanup_mnt+0x1a8/0x290
[   36.811974]  task_work_run+0x148/0x1c0
[   36.815862]  do_exit+0xbf3/0x2be0
[   36.819309]  ? lock_downgrade+0x720/0x720
[   36.823459]  ? mm_update_next_owner+0x650/0x650
[   36.828118]  ? up_read+0x17/0x110
[   36.831556]  ? __do_page_fault+0x180/0xd60
[   36.835776]  do_group_exit+0x125/0x310
[   36.839646]  __x64_sys_exit_group+0x3a/0x50
[   36.843949]  do_syscall_64+0xf9/0x620
[   36.847737]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.852908] RIP: 0033:0x7f1c881c7e99
[   36.856607] Code: Bad RIP value.
[   36.860040] RSP: 002b:00007fff19fc78f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   36.867725] RAX: ffffffffffffffda RBX: 00007f1c8823d410 RCX: 00007f1c881c7e99
[   36.874973] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   36.882236] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f1c88237e40
[   36.889503] R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f1c8823d410
[   36.896751] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   36.904007]
[   36.905624] Allocated by task 6218:
[   36.909240]  kmem_cache_alloc+0x122/0x370
[   36.913371]  prepare_creds+0x39/0x510
[   36.917151]  do_faccessat+0x94/0x7a0
[   36.920867]  do_syscall_64+0xf9/0x620
[   36.924650]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.929818]
[   36.931427] Freed by task 6218:
[   36.934692]  kmem_cache_free+0x7f/0x260
[   36.938647]  __put_cred+0x1de/0x250
[   36.942286]  do_faccessat+0x64e/0x7a0
[   36.946076]  do_syscall_64+0xf9/0x620
[   36.949869]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.955034]
[   36.956644] The buggy address belongs to the object at ffff8880abe7c000
[   36.956644]  which belongs to the cache cred_jar of size 184
[   36.969022] The buggy address is located 0 bytes inside of
[   36.969022]  184-byte region [ffff8880abe7c000, ffff8880abe7c0b8)
[   36.980797] The buggy address belongs to the page:
[   36.985711] page:ffffea0002af9f00 count:1 mapcount:0 mapping:ffff88813be45b00 index:0xffff8880abe7c400
[   36.995264] flags: 0xfff00000000100(slab)
[   36.999402] raw: 00fff00000000100 ffffea0002ac1148 ffffea0002afe4c8 ffff88813be45b00
[   37.007358] raw: ffff8880abe7c400 ffff8880abe7c000 0000000100000004 0000000000000000
[   37.015218] page dumped because: kasan: bad access detected
[   37.020906]
[   37.022511] Memory state around the buggy address:
[   37.027432]  ffff8880abe7bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.034771]  ffff8880abe7bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.043857] >ffff8880abe7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.051193]                    ^
[   37.054549]  ffff8880abe7c080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   37.061888]  ffff8880abe7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.069225] ==================================================================
[   37.076562] Disabling lock debugging due to kernel taint
[   37.085288] Kernel panic - not syncing: panic_on_warn set ...
[   37.085288]
[   37.092676] CPU: 1 PID: 8092 Comm: syz-executor107 Tainted: G B 4.19.211-syzkaller #0
[   37.101944] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   37.111289] Call Trace:
[   37.113869]  dump_stack+0x1fc/0x2ef
[   37.117479]  panic+0x26a/0x50e
[   37.120657]  ? __warn_printk+0xf3/0xf3
[   37.124526]  ? preempt_schedule_common+0x45/0xc0
[   37.129261]  ? ___preempt_schedule+0x16/0x18
[   37.133650]  ? trace_hardirqs_on+0x55/0x210
[   37.137955]  kasan_end_report+0x43/0x49
[   37.141922]  kasan_report_error.cold+0xa7/0x1b9
[   37.146570]  ? crc_itu_t+0xce/0xe0
[   37.150092]  __asan_report_load1_noabort+0x88/0x90
[   37.155002]  ? kvm_register_clock+0x70/0xc0
[   37.159303]  ? crc_itu_t+0xce/0xe0
[   37.162844]  crc_itu_t+0xce/0xe0
[   37.166198]  udf_close_lvid+0x47a/0x770
[   37.170160]  ? udf_open_lvid+0x4f0/0x4f0
[   37.174202]  ? dispose_list+0x1f0/0x1f0
[   37.178154]  ? iput+0x16/0x860
[   37.181339]  udf_put_super+0x217/0x290
[   37.185208]  ? udf_sb_free_partitions.isra.0+0xba0/0xba0
[   37.190652]  generic_shutdown_super+0x144/0x370
[   37.195342]  kill_block_super+0x97/0xf0
[   37.199324]  deactivate_locked_super+0x94/0x160
[   37.203991]  deactivate_super+0x174/0x1a0
[   37.208124]  ? deactivate_locked_super+0x160/0x160
[   37.213039]  ? dput+0x31/0x640
[   37.216219]  cleanup_mnt+0x1a8/0x290
[   37.219916]  task_work_run+0x148/0x1c0
[   37.223799]  do_exit+0xbf3/0x2be0
[   37.227235]  ? lock_downgrade+0x720/0x720
[   37.231364]  ? mm_update_next_owner+0x650/0x650
[   37.236020]  ? up_read+0x17/0x110
[   37.239455]  ? __do_page_fault+0x180/0xd60
[   37.243675]  do_group_exit+0x125/0x310
[   37.247548]  __x64_sys_exit_group+0x3a/0x50
[   37.251850]  do_syscall_64+0xf9/0x620
[   37.255637]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.260808] RIP: 0033:0x7f1c881c7e99
[   37.264501] Code: Bad RIP value.
[   37.267842] RSP: 002b:00007fff19fc78f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   37.275525] RAX: ffffffffffffffda RBX: 00007f1c8823d410 RCX: 00007f1c881c7e99
[   37.282785] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   37.290043] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f1c88237e40
[   37.297301] R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f1c8823d410
[   37.304560] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   37.312006] Kernel Offset: disabled
[   37.315640] Rebooting in 86400 seconds..
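The report above is syzbot console output. The facts it states are: a one-byte read in crc_itu_t, reached from udf_close_lvid on the unmount path of a fuzzed loop0 image, hit address ffff8880abe7c000, which is offset 0 of a 184-byte cred_jar object; the recorded allocation and free of that slab slot both come from do_faccessat (prepare_creds / __put_cred) in a different task, 6218; and the shadow bytes around the address are 0xfb (freed slab object) followed by 0xfc (slab redzone). The helper below is an added example, not syzbot's or the kernel's own tooling: it parses a generic-KASAN report of this shape, decodes the shadow dump, and flags that the alloc/free owner of the slot shares no subsystem with the code that touched it. SAMPLE is a constructed excerpt of the report above; the subsystem-prefix heuristic and the KASAN_INFRA / LIFECYCLE_NOISE frame lists are assumptions of this example.

```python
"""Added triage helper for generic-KASAN reports (example code, not syzbot's or the
kernel's own tooling): parse the report, decode the shadow bytes and check whether
the alloc/free owner of the slab slot has anything to do with the code that touched it."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report above (boot noise, register dump and panic trace dropped).
SAMPLE = """\
[   36.689364] BUG: KASAN: use-after-free in crc_itu_t+0xce/0xe0
[   36.695255] Read of size 1 at addr ffff8880abe7c000 by task syz-executor107/8092
[   36.722335] Call Trace:
[   36.724907]  dump_stack+0x1fc/0x2ef
[   36.728521]  print_address_description.cold+0x54/0x219
[   36.733782]  kasan_report_error.cold+0x8a/0x1b9
[   36.738442]  ? crc_itu_t+0xce/0xe0
[   36.741969]  __asan_report_load1_noabort+0x88/0x90
[   36.746881]  ? kvm_register_clock+0x70/0xc0
[   36.754709]  crc_itu_t+0xce/0xe0
[   36.758070]  udf_close_lvid+0x47a/0x770
[   36.762030]  ? udf_open_lvid+0x4f0/0x4f0
[   36.773209]  udf_put_super+0x217/0x290
[   36.782518]  generic_shutdown_super+0x144/0x370
[   36.852908] RIP: 0033:0x7f1c881c7e99
[   36.905624] Allocated by task 6218:
[   36.909240]  kmem_cache_alloc+0x122/0x370
[   36.913371]  prepare_creds+0x39/0x510
[   36.917151]  do_faccessat+0x94/0x7a0
[   36.920867]  do_syscall_64+0xf9/0x620
[   36.929818]
[   36.931427] Freed by task 6218:
[   36.934692]  kmem_cache_free+0x7f/0x260
[   36.938647]  __put_cred+0x1de/0x250
[   36.942286]  do_faccessat+0x64e/0x7a0
[   36.955034]
[   36.956644]  which belongs to the cache cred_jar of size 184
[   36.969022]  184-byte region [ffff8880abe7c000, ffff8880abe7c0b8)
[   37.034771]  ffff8880abe7bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.043857] >ffff8880abe7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.051193]                    ^
[   37.054549]  ffff8880abe7c080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
REGION = re.compile(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
HDR = re.compile(r"^(Call Trace|Allocated|Freed)(?: by task \d+)?:$")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

# Generic-KASAN shadow values (mm/kasan/kasan.h); one shadow byte covers 8 bytes of memory.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                  0xfa: "global redzone", 0xfe: "large-alloc page redzone", 0xff: "freed page"}
# Frames treated as reporting machinery / allocator plumbing (assumption of this example).
KASAN_INFRA = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_")
LIFECYCLE_NOISE = ("kmem_cache_", "kmalloc", "__kmalloc", "kfree", "do_syscall", "entry_SYSCALL")


@dataclass
class Report:
    kind: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    cache: str = ""
    cache_size: int = 0
    region: tuple = (0, 0)
    stacks: dict = field(default_factory=dict)   # section -> [(func, is_unreliable_guess)]
    shadow: dict = field(default_factory=dict)   # row base address -> 16 shadow bytes


def parse_report(text):
    r, cur = Report(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if cur and (m := FRAME.match(line)):
            r.stacks[cur].append((m[2], m[1] is not None))
            continue
        cur = None                                  # anything that is not a frame ends a stack
        if m := HDR.match(line):
            if m[1] not in r.stacks:                # the panic path repeats "Call Trace:"; keep the first
                r.stacks[m[1]] = []
                cur = m[1]
        elif m := BUG.search(line):
            r.kind, r.site = m[1], m[2]
        elif m := ACCESS.search(line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := CACHE.search(line):
            r.cache, r.cache_size = m[1], int(m[2])
        elif m := REGION.search(line):
            r.region = (int(m[1], 16), int(m[2], 16))
        elif m := SHADOW.match(line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return r


def shadow_at(r, addr):
    """Shadow byte covering addr; each dumped row is labelled by the memory address it covers."""
    for base, cells in r.shadow.items():
        if base <= addr < base + 16 * 8:
            return cells[(addr - base) // 8]
    raise KeyError(f"{addr:#x} is outside the dumped shadow window")


def real_frames(frames):
    """Drop '?'-prefixed guesses and KASAN's own reporting frames."""
    return [f for f, guess in frames if not guess and not f.startswith(KASAN_INFRA)]


def subsystem(func):
    return re.match(r"_*([A-Za-z0-9]+)", func)[1]   # udf_close_lvid -> udf, __put_cred -> put


def owner_mismatch(r, depth=3):
    """True when nothing in the alloc/free stacks shares a subsystem prefix with the accessing path."""
    users = {subsystem(f) for f in real_frames(r.stacks["Call Trace"])[:depth]}
    owners = {subsystem(f) for k in ("Allocated", "Freed")
              for f in real_frames(r.stacks.get(k, [])) if not f.startswith(LIFECYCLE_NOISE)}
    return users.isdisjoint(owners)


def triage(r):
    sb = shadow_at(r, r.addr)
    out = {"kind": r.kind, "site": r.site,
           "access": f"{r.access} of {r.size} byte(s) at {r.addr:#x}",
           "object": f"{r.cache} ({r.cache_size} bytes)",
           "offset_in_object": r.addr - r.region[0],
           "shadow": f"{sb:#04x} {SHADOW_MEANING.get(sb, 'unknown')}",
           "accessing_path": real_frames(r.stacks["Call Trace"])[:4],
           "owner_mismatch": owner_mismatch(r)}
    out["note"] = ("alloc/free stacks describe the slot's latest occupant, not an object the accessing "
                   "path ever owned; the UAF label rests on the shadow byte alone, so check for an "
                   "out-of-bounds read from an adjacent buffer as well as for a stale pointer"
                   if out["owner_mismatch"] else
                   "accessing path and alloc/free stacks share a subsystem: look for the missing "
                   "reference or the pointer left dangling after the free")
    return out


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE)).items():
        print(f"{key:>17}: {value}")
```

Run as-is to print the summary for the report above. The point of owner_mismatch is the caveat a triager needs before filing this as "UDF frees a cred": the use-after-free classification is derived from the 0xfb shadow value at the accessed address, and the "Allocated by" / "Freed by" stacks are those of the slab slot's most recent occupant, not evidence that the UDF code ever held a pointer to a cred. With the owner unrelated to the accessing path, verifying the root cause means checking both the lifetime of the pointer crc_itu_t was given and the length it was asked to cover, since a checksum that runs past the end of its buffer into an adjacent freed slab object produces exactly this report.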