./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2994189205 <...> Warning: Permanently added '10.128.0.39' (ED25519) to the list of known hosts. execve("./syz-executor2994189205", ["./syz-executor2994189205"], 0x7fffde67b360 /* 10 vars */) = 0 brk(NULL) = 0x555556fa2000 brk(0x555556fa2d00) = 0x555556fa2d00 arch_prctl(ARCH_SET_FS, 0x555556fa2380) = 0 set_tid_address(0x555556fa2650) = 5056 set_robust_list(0x555556fa2660, 24) = 0 rseq(0x555556fa2ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2994189205", 4096) = 28 getrandom("\x25\x0a\xbf\x68\xd4\x9b\x6a\x8b", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556fa2d00 brk(0x555556fc3d00) = 0x555556fc3d00 brk(0x555556fc4000) = 0x555556fc4000 mprotect(0x7f5446914000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5057 attached , child_tidptr=0x555556fa2650) = 5057 [pid 5057] set_robust_list(0x555556fa2660, 24) = 0 [pid 5057] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5057] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5057] setsid() = 1 [pid 5057] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5057] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5057] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5057] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5057] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5057] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5057] unshare(CLONE_NEWNS) = 0 [pid 5057] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5057] unshare(CLONE_NEWIPC) = 0 [pid 5057] unshare(CLONE_NEWCGROUP) = 0 [pid 5057] unshare(CLONE_NEWUTS) = 0 [pid 5057] unshare(CLONE_SYSVSEM) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "16777216", 8) = 8 [pid 5057] close(3) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "536870912", 9) = 9 [pid 5057] close(3) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1024", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "8192", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1024", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1024", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5057] close(3) = 0 [pid 5057] getpid() = 1 [pid 5057] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [ 65.861268][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 65.865844][ T5057] print_report+0xc4/0x620 [ 65.870245][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 65.875265][ T5057] ? __phys_addr+0xc6/0x140 [ 65.879758][ T5057] kasan_report+0xda/0x110 [ 65.884163][ T5057] ? crc_itu_t+0xd7/0xe0 [ 65.888392][ T5057] ? crc_itu_t+0xd7/0xe0 [ 65.892622][ T5057] crc_itu_t+0xd7/0xe0 [ 65.896677][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 65.901518][ T5057] ? udf_mount+0x40/0x40 [ 65.905751][ T5057] udf_sync_fs+0xea/0x150 [ 65.910069][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 65.915198][ T5057] sync_filesystem+0x109/0x280 [ 65.919973][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 65.925257][ T5057] kill_block_super+0x3b/0x90 [ 65.929932][ T5057] deactivate_locked_super+0x9a/0x170 [ 65.935293][ T5057] deactivate_super+0xde/0x100 [ 65.940046][ T5057] cleanup_mnt+0x222/0x450 [ 65.944460][ T5057] task_work_run+0x14d/0x240 [ 65.949047][ T5057] ? task_work_cancel+0x30/0x30 [ 65.953890][ T5057] ? __put_net+0x61/0x70 [ 65.958129][ T5057] do_exit+0xa92/0x2a20 [ 65.962278][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 65.967036][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 65.972405][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 65.977445][ T5057] ? mm_update_next_owner+0x840/0x840 [ 65.982812][ T5057] ? spin_bug+0x1d0/0x1d0 [ 65.987136][ T5057] do_group_exit+0xd4/0x2a0 [ 65.991636][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 65.996654][ T5057] do_syscall_64+0x3f/0x110 [ 66.001151][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 66.007034][ T5057] RIP: 0033:0x7f544687e9c9 [ 66.011432][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 66.018452][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 66.026849][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 66.034808][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 66.042763][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 66.050723][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 66.058700][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 66.066662][ T5057] [ 66.069666][ T5057] [ 66.071971][ T5057] The buggy address belongs to the physical page: [ 66.078362][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 66.088498][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 66.095608][ T5057] page_type: 0xffffffff() [ 66.099922][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 66.108493][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 66.117060][ T5057] page dumped because: kasan: bad access detected [ 66.123519][ T5057] page_owner tracks the page as freed [ 66.128867][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 66.146823][ T5057] post_alloc_hook+0x2cf/0x340 [ 66.151585][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 66.157034][ T5057] __alloc_pages+0x1d0/0x4a0 [ 66.161613][ T5057] __folio_alloc+0x16/0x40 [ 66.166016][ T5057] vma_alloc_folio+0x156/0x890 [ 66.170763][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 66.175776][ T5057] handle_mm_fault+0x478/0xa00 [ 66.180528][ T5057] do_user_addr_fault+0x30b/0x1000 [ 66.185641][ T5057] exc_page_fault+0x5c/0xd0 [ 66.190133][ T5057] asm_exc_page_fault+0x26/0x30 [ 66.194972][ T5057] page last free stack trace: [ 66.199622][ T5057] free_unref_page_prepare+0x476/0xa40 [ 66.205067][ T5057] free_unref_page_list+0xe6/0xb30 [ 66.210165][ T5057] release_pages+0x32a/0x14e0 [ 66.214833][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 66.220039][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 66.224705][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 66.230242][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 66.235425][ T5057] do_vmi_munmap+0x20e/0x450 [ 66.239997][ T5057] __vm_munmap+0x144/0x390 [ 66.244395][ T5057] __x64_sys_munmap+0x62/0x80 [ 66.249054][ T5057] do_syscall_64+0x3f/0x110 [ 66.253548][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 66.259435][ T5057] [ 66.261739][ T5057] Memory state around the buggy address: [ 66.267350][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 66.275395][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 66.283457][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.291497][ T5057] ^ [ 66.295566][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.303612][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.311658][ T5057] ================================================================== [ 66.320072][ T5057] Disabling lock debugging due to kernel taint [ 66.326257][ T5057] ================================================================== [ 66.334313][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 66.340882][ T5057] Read of size 1 at addr ffff8880722db001 by task syz-executor299/5057 [ 66.349095][ T5057] [ 66.351399][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 66.362914][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 66.372957][ T5057] Call Trace: [ 66.376217][ T5057] [ 66.379132][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 66.383726][ T5057] print_report+0xc4/0x620 [ 66.388124][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 66.393137][ T5057] ? __phys_addr+0xc6/0x140 [ 66.397619][ T5057] kasan_report+0xda/0x110 [ 66.402013][ T5057] ? crc_itu_t+0xd7/0xe0 [ 66.406235][ T5057] ? crc_itu_t+0xd7/0xe0 [ 66.410462][ T5057] crc_itu_t+0xd7/0xe0 [ 66.414509][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 66.419341][ T5057] ? udf_mount+0x40/0x40 [ 66.423562][ T5057] udf_sync_fs+0xea/0x150 [ 66.427876][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 66.432983][ T5057] sync_filesystem+0x109/0x280 [ 66.437728][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 66.442997][ T5057] kill_block_super+0x3b/0x90 [ 66.447656][ T5057] deactivate_locked_super+0x9a/0x170 [ 66.453004][ T5057] deactivate_super+0xde/0x100 [ 66.457765][ T5057] cleanup_mnt+0x222/0x450 [ 66.462166][ T5057] task_work_run+0x14d/0x240 [ 66.466740][ T5057] ? task_work_cancel+0x30/0x30 [ 66.471573][ T5057] ? __put_net+0x61/0x70 [ 66.475793][ T5057] do_exit+0xa92/0x2a20 [ 66.479937][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 66.484680][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 66.490054][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 66.495067][ T5057] ? mm_update_next_owner+0x840/0x840 [ 66.500436][ T5057] ? spin_bug+0x1d0/0x1d0 [ 66.504747][ T5057] do_group_exit+0xd4/0x2a0 [ 66.509233][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 66.514240][ T5057] do_syscall_64+0x3f/0x110 [ 66.518727][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 66.524606][ T5057] RIP: 0033:0x7f544687e9c9 [ 66.529000][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 66.535991][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 66.544383][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 66.552333][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 66.560286][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 66.568241][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 66.576191][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 66.584160][ T5057] [ 66.587155][ T5057] [ 66.589459][ T5057] The buggy address belongs to the physical page: [ 66.595840][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 66.605984][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 66.613073][ T5057] page_type: 0xffffffff() [ 66.617378][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 66.625936][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 66.634580][ T5057] page dumped because: kasan: bad access detected [ 66.640982][ T5057] page_owner tracks the page as freed [ 66.646322][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 66.664267][ T5057] post_alloc_hook+0x2cf/0x340 [ 66.669012][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 66.674446][ T5057] __alloc_pages+0x1d0/0x4a0 [ 66.679014][ T5057] __folio_alloc+0x16/0x40 [ 66.683406][ T5057] vma_alloc_folio+0x156/0x890 [ 66.688146][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 66.693151][ T5057] handle_mm_fault+0x478/0xa00 [ 66.697897][ T5057] do_user_addr_fault+0x30b/0x1000 [ 66.702984][ T5057] exc_page_fault+0x5c/0xd0 [ 66.707464][ T5057] asm_exc_page_fault+0x26/0x30 [ 66.712314][ T5057] page last free stack trace: [ 66.716961][ T5057] free_unref_page_prepare+0x476/0xa40 [ 66.722397][ T5057] free_unref_page_list+0xe6/0xb30 [ 66.727485][ T5057] release_pages+0x32a/0x14e0 [ 66.732143][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 66.737337][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 66.741991][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 66.747516][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 66.752709][ T5057] do_vmi_munmap+0x20e/0x450 [ 66.757278][ T5057] __vm_munmap+0x144/0x390 [ 66.761688][ T5057] __x64_sys_munmap+0x62/0x80 [ 66.766360][ T5057] do_syscall_64+0x3f/0x110 [ 66.770844][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 66.776715][ T5057] [ 66.779016][ T5057] Memory state around the buggy address: [ 66.784617][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 66.792652][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 66.800688][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.808721][ T5057] ^ [ 66.812764][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.820801][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.828835][ T5057] ================================================================== [ 66.837084][ T5057] ================================================================== [ 66.845141][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 66.851752][ T5057] Read of size 1 at addr ffff8880722db002 by task syz-executor299/5057 [ 66.859975][ T5057] [ 66.862288][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 66.873833][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 66.883876][ T5057] Call Trace: [ 66.887142][ T5057] [ 66.890059][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 66.894650][ T5057] print_report+0xc4/0x620 [ 66.899056][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 66.904083][ T5057] ? __phys_addr+0xc6/0x140 [ 66.908581][ T5057] kasan_report+0xda/0x110 [ 66.912985][ T5057] ? crc_itu_t+0xd7/0xe0 [ 66.917214][ T5057] ? crc_itu_t+0xd7/0xe0 [ 66.921449][ T5057] crc_itu_t+0xd7/0xe0 [ 66.925529][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 66.930371][ T5057] ? udf_mount+0x40/0x40 [ 66.934607][ T5057] udf_sync_fs+0xea/0x150 [ 66.938925][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 66.944026][ T5057] sync_filesystem+0x109/0x280 [ 66.948789][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 66.954075][ T5057] kill_block_super+0x3b/0x90 [ 66.958747][ T5057] deactivate_locked_super+0x9a/0x170 [ 66.964105][ T5057] deactivate_super+0xde/0x100 [ 66.968860][ T5057] cleanup_mnt+0x222/0x450 [ 66.973271][ T5057] task_work_run+0x14d/0x240 [ 66.977862][ T5057] ? task_work_cancel+0x30/0x30 [ 66.982709][ T5057] ? __put_net+0x61/0x70 [ 66.986943][ T5057] do_exit+0xa92/0x2a20 [ 66.991096][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 66.995858][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 67.001223][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 67.006244][ T5057] ? mm_update_next_owner+0x840/0x840 [ 67.011610][ T5057] ? spin_bug+0x1d0/0x1d0 [ 67.015937][ T5057] do_group_exit+0xd4/0x2a0 [ 67.020450][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 67.025472][ T5057] do_syscall_64+0x3f/0x110 [ 67.029970][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 67.035855][ T5057] RIP: 0033:0x7f544687e9c9 [ 67.040256][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 67.047276][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 67.055676][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 67.063634][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 67.071592][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 67.079550][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 67.087507][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 67.095469][ T5057] [ 67.098472][ T5057] [ 67.100779][ T5057] The buggy address belongs to the physical page: [ 67.107172][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 67.117307][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 67.124403][ T5057] page_type: 0xffffffff() [ 67.128721][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 67.137288][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 67.145857][ T5057] page dumped because: kasan: bad access detected [ 67.152274][ T5057] page_owner tracks the page as freed [ 67.157622][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 67.175579][ T5057] post_alloc_hook+0x2cf/0x340 [ 67.180337][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 67.185786][ T5057] __alloc_pages+0x1d0/0x4a0 [ 67.190363][ T5057] __folio_alloc+0x16/0x40 [ 67.194766][ T5057] vma_alloc_folio+0x156/0x890 [ 67.199515][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 67.204554][ T5057] handle_mm_fault+0x478/0xa00 [ 67.209325][ T5057] do_user_addr_fault+0x30b/0x1000 [ 67.214426][ T5057] exc_page_fault+0x5c/0xd0 [ 67.218925][ T5057] asm_exc_page_fault+0x26/0x30 [ 67.223767][ T5057] page last free stack trace: [ 67.228426][ T5057] free_unref_page_prepare+0x476/0xa40 [ 67.233873][ T5057] free_unref_page_list+0xe6/0xb30 [ 67.238973][ T5057] release_pages+0x32a/0x14e0 [ 67.243642][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 67.248828][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 67.253492][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 67.259036][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 67.264223][ T5057] do_vmi_munmap+0x20e/0x450 [ 67.268801][ T5057] __vm_munmap+0x144/0x390 [ 67.273206][ T5057] __x64_sys_munmap+0x62/0x80 [ 67.277869][ T5057] do_syscall_64+0x3f/0x110 [ 67.282365][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 67.288253][ T5057] [ 67.290562][ T5057] Memory state around the buggy address: [ 67.296177][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.304224][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.312268][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 67.320312][ T5057] ^ [ 67.324361][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 67.332410][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 67.340454][ T5057] ================================================================== [ 67.349762][ T5057] ================================================================== [ 67.357833][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 67.364419][ T5057] Read of size 1 at addr ffff8880722db003 by task syz-executor299/5057 [ 67.372662][ T5057] [ 67.374972][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 67.386498][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 67.396551][ T5057] Call Trace: [ 67.399820][ T5057] [ 67.402739][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 67.407326][ T5057] print_report+0xc4/0x620 [ 67.411733][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 67.416745][ T5057] ? __phys_addr+0xc6/0x140 [ 67.421237][ T5057] kasan_report+0xda/0x110 [ 67.425644][ T5057] ? crc_itu_t+0xd7/0xe0 [ 67.429871][ T5057] ? crc_itu_t+0xd7/0xe0 [ 67.434101][ T5057] crc_itu_t+0xd7/0xe0 [ 67.438156][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 67.442995][ T5057] ? udf_mount+0x40/0x40 [ 67.447232][ T5057] udf_sync_fs+0xea/0x150 [ 67.451554][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 67.456655][ T5057] sync_filesystem+0x109/0x280 [ 67.461415][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 67.466699][ T5057] kill_block_super+0x3b/0x90 [ 67.471372][ T5057] deactivate_locked_super+0x9a/0x170 [ 67.476732][ T5057] deactivate_super+0xde/0x100 [ 67.481482][ T5057] cleanup_mnt+0x222/0x450 [ 67.485891][ T5057] task_work_run+0x14d/0x240 [ 67.490477][ T5057] ? task_work_cancel+0x30/0x30 [ 67.495321][ T5057] ? __put_net+0x61/0x70 [ 67.499554][ T5057] do_exit+0xa92/0x2a20 [ 67.503706][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 67.508464][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 67.513828][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 67.518847][ T5057] ? mm_update_next_owner+0x840/0x840 [ 67.524214][ T5057] ? spin_bug+0x1d0/0x1d0 [ 67.528540][ T5057] do_group_exit+0xd4/0x2a0 [ 67.533041][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 67.538059][ T5057] do_syscall_64+0x3f/0x110 [ 67.542557][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 67.548438][ T5057] RIP: 0033:0x7f544687e9c9 [ 67.552856][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 67.559872][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 67.568270][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 67.576227][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 67.584186][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 67.592143][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 67.600100][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 67.608060][ T5057] [ 67.611064][ T5057] [ 67.613370][ T5057] The buggy address belongs to the physical page: [ 67.619762][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 67.629895][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 67.636983][ T5057] page_type: 0xffffffff() [ 67.641296][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 67.649865][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 67.658430][ T5057] page dumped because: kasan: bad access detected [ 67.664821][ T5057] page_owner tracks the page as freed [ 67.670167][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 67.688122][ T5057] post_alloc_hook+0x2cf/0x340 [ 67.692875][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 67.698410][ T5057] __alloc_pages+0x1d0/0x4a0 [ 67.702986][ T5057] __folio_alloc+0x16/0x40 [ 67.707386][ T5057] vma_alloc_folio+0x156/0x890 [ 67.712133][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 67.717148][ T5057] handle_mm_fault+0x478/0xa00 [ 67.721899][ T5057] do_user_addr_fault+0x30b/0x1000 [ 67.726997][ T5057] exc_page_fault+0x5c/0xd0 [ 67.731489][ T5057] asm_exc_page_fault+0x26/0x30 [ 67.736330][ T5057] page last free stack trace: [ 67.741000][ T5057] free_unref_page_prepare+0x476/0xa40 [ 67.746461][ T5057] free_unref_page_list+0xe6/0xb30 [ 67.751558][ T5057] release_pages+0x32a/0x14e0 [ 67.756223][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 67.761406][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 67.766066][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 67.771601][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 67.776784][ T5057] do_vmi_munmap+0x20e/0x450 [ 67.781360][ T5057] __vm_munmap+0x144/0x390 [ 67.785779][ T5057] __x64_sys_munmap+0x62/0x80 [ 67.790454][ T5057] do_syscall_64+0x3f/0x110 [ 67.794953][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 67.800838][ T5057] [ 67.803150][ T5057] Memory state around the buggy address: [ 67.808761][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.816806][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 67.824851][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 67.832892][ T5057] ^ [ 67.836938][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 67.844982][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 67.853024][ T5057] ================================================================== [ 67.862779][ T5057] ================================================================== [ 67.870835][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 67.877419][ T5057] Read of size 1 at addr ffff8880722db004 by task syz-executor299/5057 [ 67.885652][ T5057] [ 67.887969][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 67.899532][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 67.909596][ T5057] Call Trace: [ 67.912877][ T5057] [ 67.915815][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 67.920428][ T5057] print_report+0xc4/0x620 [ 67.924865][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 67.929902][ T5057] ? __phys_addr+0xc6/0x140 [ 67.934454][ T5057] kasan_report+0xda/0x110 [ 67.938891][ T5057] ? crc_itu_t+0xd7/0xe0 [ 67.943120][ T5057] ? crc_itu_t+0xd7/0xe0 [ 67.947366][ T5057] crc_itu_t+0xd7/0xe0 [ 67.951433][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 67.956278][ T5057] ? udf_mount+0x40/0x40 [ 67.960499][ T5057] udf_sync_fs+0xea/0x150 [ 67.964804][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 67.969898][ T5057] sync_filesystem+0x109/0x280 [ 67.974660][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 67.979931][ T5057] kill_block_super+0x3b/0x90 [ 67.984589][ T5057] deactivate_locked_super+0x9a/0x170 [ 67.989936][ T5057] deactivate_super+0xde/0x100 [ 67.994675][ T5057] cleanup_mnt+0x222/0x450 [ 67.999072][ T5057] task_work_run+0x14d/0x240 [ 68.003642][ T5057] ? task_work_cancel+0x30/0x30 [ 68.008474][ T5057] ? __put_net+0x61/0x70 [ 68.012692][ T5057] do_exit+0xa92/0x2a20 [ 68.016826][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 68.021573][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 68.026925][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 68.031929][ T5057] ? mm_update_next_owner+0x840/0x840 [ 68.037281][ T5057] ? spin_bug+0x1d0/0x1d0 [ 68.041592][ T5057] do_group_exit+0xd4/0x2a0 [ 68.046075][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 68.051094][ T5057] do_syscall_64+0x3f/0x110 [ 68.055581][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 68.061451][ T5057] RIP: 0033:0x7f544687e9c9 [ 68.065838][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 68.072828][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 68.081216][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 68.089165][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 68.097111][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 68.105075][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 68.113032][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 68.121008][ T5057] [ 68.124004][ T5057] [ 68.126305][ T5057] The buggy address belongs to the physical page: [ 68.132688][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 68.142812][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 68.149894][ T5057] page_type: 0xffffffff() [ 68.154199][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 68.162756][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 68.171314][ T5057] page dumped because: kasan: bad access detected [ 68.177697][ T5057] page_owner tracks the page as freed [ 68.183038][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 68.200982][ T5057] post_alloc_hook+0x2cf/0x340 [ 68.205724][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 68.211163][ T5057] __alloc_pages+0x1d0/0x4a0 [ 68.215727][ T5057] __folio_alloc+0x16/0x40 [ 68.220124][ T5057] vma_alloc_folio+0x156/0x890 [ 68.224893][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 68.229898][ T5057] handle_mm_fault+0x478/0xa00 [ 68.234654][ T5057] do_user_addr_fault+0x30b/0x1000 [ 68.239742][ T5057] exc_page_fault+0x5c/0xd0 [ 68.244223][ T5057] asm_exc_page_fault+0x26/0x30 [ 68.249051][ T5057] page last free stack trace: [ 68.253695][ T5057] free_unref_page_prepare+0x476/0xa40 [ 68.259130][ T5057] free_unref_page_list+0xe6/0xb30 [ 68.264220][ T5057] release_pages+0x32a/0x14e0 [ 68.268874][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 68.274050][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 68.278704][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 68.284247][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 68.289423][ T5057] do_vmi_munmap+0x20e/0x450 [ 68.293991][ T5057] __vm_munmap+0x144/0x390 [ 68.298383][ T5057] __x64_sys_munmap+0x62/0x80 [ 68.303034][ T5057] do_syscall_64+0x3f/0x110 [ 68.307517][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 68.313389][ T5057] [ 68.315689][ T5057] Memory state around the buggy address: [ 68.321292][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 68.329329][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 68.337366][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.345413][ T5057] ^ [ 68.349454][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.357489][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.365522][ T5057] ================================================================== [ 68.373644][ T5057] ================================================================== [ 68.381694][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 68.388275][ T5057] Read of size 1 at addr ffff8880722db005 by task syz-executor299/5057 [ 68.396492][ T5057] [ 68.398800][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 68.410324][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 68.420365][ T5057] Call Trace: [ 68.423632][ T5057] [ 68.426552][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 68.431142][ T5057] print_report+0xc4/0x620 [ 68.435550][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 68.440566][ T5057] ? __phys_addr+0xc6/0x140 [ 68.445071][ T5057] kasan_report+0xda/0x110 [ 68.449477][ T5057] ? crc_itu_t+0xd7/0xe0 [ 68.453705][ T5057] ? crc_itu_t+0xd7/0xe0 [ 68.457933][ T5057] crc_itu_t+0xd7/0xe0 [ 68.461989][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 68.466827][ T5057] ? udf_mount+0x40/0x40 [ 68.471064][ T5057] udf_sync_fs+0xea/0x150 [ 68.475401][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 68.480501][ T5057] sync_filesystem+0x109/0x280 [ 68.485260][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 68.490540][ T5057] kill_block_super+0x3b/0x90 [ 68.495210][ T5057] deactivate_locked_super+0x9a/0x170 [ 68.500571][ T5057] deactivate_super+0xde/0x100 [ 68.505330][ T5057] cleanup_mnt+0x222/0x450 [ 68.509740][ T5057] task_work_run+0x14d/0x240 [ 68.514324][ T5057] ? task_work_cancel+0x30/0x30 [ 68.519188][ T5057] ? __put_net+0x61/0x70 [ 68.523431][ T5057] do_exit+0xa92/0x2a20 [ 68.527584][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 68.532347][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 68.537712][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 68.542730][ T5057] ? mm_update_next_owner+0x840/0x840 [ 68.548095][ T5057] ? spin_bug+0x1d0/0x1d0 [ 68.552420][ T5057] do_group_exit+0xd4/0x2a0 [ 68.556918][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 68.561936][ T5057] do_syscall_64+0x3f/0x110 [ 68.566434][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 68.572317][ T5057] RIP: 0033:0x7f544687e9c9 [ 68.576714][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 68.583710][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 68.592127][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 68.600082][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 68.608037][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 68.615992][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 68.623947][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 68.631908][ T5057] [ 68.634910][ T5057] [ 68.637215][ T5057] The buggy address belongs to the physical page: [ 68.643608][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 68.653740][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 68.660831][ T5057] page_type: 0xffffffff() [ 68.665143][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 68.673714][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 68.682275][ T5057] page dumped because: kasan: bad access detected [ 68.688665][ T5057] page_owner tracks the page as freed [ 68.694012][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 68.711971][ T5057] post_alloc_hook+0x2cf/0x340 [ 68.716723][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 68.722171][ T5057] __alloc_pages+0x1d0/0x4a0 [ 68.726749][ T5057] __folio_alloc+0x16/0x40 [ 68.731151][ T5057] vma_alloc_folio+0x156/0x890 [ 68.735903][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 68.740916][ T5057] handle_mm_fault+0x478/0xa00 [ 68.745667][ T5057] do_user_addr_fault+0x30b/0x1000 [ 68.750764][ T5057] exc_page_fault+0x5c/0xd0 [ 68.755255][ T5057] asm_exc_page_fault+0x26/0x30 [ 68.760095][ T5057] page last free stack trace: [ 68.764745][ T5057] free_unref_page_prepare+0x476/0xa40 [ 68.770192][ T5057] free_unref_page_list+0xe6/0xb30 [ 68.775289][ T5057] release_pages+0x32a/0x14e0 [ 68.779958][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 68.785145][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 68.789809][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 68.795345][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 68.800541][ T5057] do_vmi_munmap+0x20e/0x450 [ 68.805139][ T5057] __vm_munmap+0x144/0x390 [ 68.809537][ T5057] __x64_sys_munmap+0x62/0x80 [ 68.814200][ T5057] do_syscall_64+0x3f/0x110 [ 68.818697][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 68.824576][ T5057] [ 68.826883][ T5057] Memory state around the buggy address: [ 68.832496][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 68.840539][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 68.848587][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.856627][ T5057] ^ [ 68.860676][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.868721][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.876763][ T5057] ================================================================== [ 68.884882][ T5057] ================================================================== [ 68.893027][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 68.899655][ T5057] Read of size 1 at addr ffff8880722db006 by task syz-executor299/5057 [ 68.907894][ T5057] [ 68.910203][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 68.921747][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 68.931787][ T5057] Call Trace: [ 68.935050][ T5057] [ 68.937971][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 68.942563][ T5057] print_report+0xc4/0x620 [ 68.946968][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 68.951982][ T5057] ? __phys_addr+0xc6/0x140 [ 68.956474][ T5057] kasan_report+0xda/0x110 [ 68.960880][ T5057] ? crc_itu_t+0xd7/0xe0 [ 68.965112][ T5057] ? crc_itu_t+0xd7/0xe0 [ 68.969343][ T5057] crc_itu_t+0xd7/0xe0 [ 68.973401][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 68.978246][ T5057] ? udf_mount+0x40/0x40 [ 68.982475][ T5057] udf_sync_fs+0xea/0x150 [ 68.986793][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 68.991894][ T5057] sync_filesystem+0x109/0x280 [ 68.996651][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 69.001933][ T5057] kill_block_super+0x3b/0x90 [ 69.007454][ T5057] deactivate_locked_super+0x9a/0x170 [ 69.012813][ T5057] deactivate_super+0xde/0x100 [ 69.017566][ T5057] cleanup_mnt+0x222/0x450 [ 69.021974][ T5057] task_work_run+0x14d/0x240 [ 69.026564][ T5057] ? task_work_cancel+0x30/0x30 [ 69.031410][ T5057] ? __put_net+0x61/0x70 [ 69.035639][ T5057] do_exit+0xa92/0x2a20 [ 69.039792][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 69.044550][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 69.049922][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 69.054941][ T5057] ? mm_update_next_owner+0x840/0x840 [ 69.060305][ T5057] ? spin_bug+0x1d0/0x1d0 [ 69.064629][ T5057] do_group_exit+0xd4/0x2a0 [ 69.069125][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 69.074144][ T5057] do_syscall_64+0x3f/0x110 [ 69.078664][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 69.084545][ T5057] RIP: 0033:0x7f544687e9c9 [ 69.088948][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 69.095946][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 69.104344][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 69.112323][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 69.120281][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 69.128263][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 69.136233][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 69.144199][ T5057] [ 69.147203][ T5057] [ 69.149509][ T5057] The buggy address belongs to the physical page: [ 69.155901][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 69.166034][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 69.173149][ T5057] page_type: 0xffffffff() [ 69.177462][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 69.186028][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 69.194592][ T5057] page dumped because: kasan: bad access detected [ 69.200981][ T5057] page_owner tracks the page as freed [ 69.206325][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 69.224277][ T5057] post_alloc_hook+0x2cf/0x340 [ 69.229028][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 69.234473][ T5057] __alloc_pages+0x1d0/0x4a0 [ 69.239048][ T5057] __folio_alloc+0x16/0x40 [ 69.243452][ T5057] vma_alloc_folio+0x156/0x890 [ 69.248197][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 69.253209][ T5057] handle_mm_fault+0x478/0xa00 [ 69.257962][ T5057] do_user_addr_fault+0x30b/0x1000 [ 69.263056][ T5057] exc_page_fault+0x5c/0xd0 [ 69.267545][ T5057] asm_exc_page_fault+0x26/0x30 [ 69.272384][ T5057] page last free stack trace: [ 69.277031][ T5057] free_unref_page_prepare+0x476/0xa40 [ 69.282476][ T5057] free_unref_page_list+0xe6/0xb30 [ 69.287573][ T5057] release_pages+0x32a/0x14e0 [ 69.292239][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 69.297419][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 69.302079][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 69.307613][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 69.312792][ T5057] do_vmi_munmap+0x20e/0x450 [ 69.317368][ T5057] __vm_munmap+0x144/0x390 [ 69.321765][ T5057] __x64_sys_munmap+0x62/0x80 [ 69.326424][ T5057] do_syscall_64+0x3f/0x110 [ 69.330918][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 69.336798][ T5057] [ 69.339105][ T5057] Memory state around the buggy address: [ 69.344712][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.352753][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.360794][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 69.368834][ T5057] ^ [ 69.372880][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 69.380922][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 69.388966][ T5057] ================================================================== [ 69.397618][ T5057] ================================================================== [ 69.405680][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 69.412255][ T5057] Read of size 1 at addr ffff8880722db007 by task syz-executor299/5057 [ 69.420474][ T5057] [ 69.422781][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 69.434302][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 69.444343][ T5057] Call Trace: [ 69.447606][ T5057] [ 69.450522][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 69.455109][ T5057] print_report+0xc4/0x620 [ 69.459515][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 69.464532][ T5057] ? __phys_addr+0xc6/0x140 [ 69.469032][ T5057] kasan_report+0xda/0x110 [ 69.473437][ T5057] ? crc_itu_t+0xd7/0xe0 [ 69.477665][ T5057] ? crc_itu_t+0xd7/0xe0 [ 69.481894][ T5057] crc_itu_t+0xd7/0xe0 [ 69.485950][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 69.490794][ T5057] ? udf_mount+0x40/0x40 [ 69.495025][ T5057] udf_sync_fs+0xea/0x150 [ 69.499344][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 69.504445][ T5057] sync_filesystem+0x109/0x280 [ 69.509202][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 69.514484][ T5057] kill_block_super+0x3b/0x90 [ 69.519155][ T5057] deactivate_locked_super+0x9a/0x170 [ 69.524515][ T5057] deactivate_super+0xde/0x100 [ 69.529285][ T5057] cleanup_mnt+0x222/0x450 [ 69.533713][ T5057] task_work_run+0x14d/0x240 [ 69.538299][ T5057] ? task_work_cancel+0x30/0x30 [ 69.543142][ T5057] ? __put_net+0x61/0x70 [ 69.547383][ T5057] do_exit+0xa92/0x2a20 [ 69.551534][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 69.556301][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 69.561666][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 69.566683][ T5057] ? mm_update_next_owner+0x840/0x840 [ 69.572049][ T5057] ? spin_bug+0x1d0/0x1d0 [ 69.576374][ T5057] do_group_exit+0xd4/0x2a0 [ 69.580870][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 69.585886][ T5057] do_syscall_64+0x3f/0x110 [ 69.590386][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 69.596273][ T5057] RIP: 0033:0x7f544687e9c9 [ 69.600671][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 69.607669][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 69.616065][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 69.624021][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 69.631976][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 69.639936][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 69.647894][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 69.655855][ T5057] [ 69.658859][ T5057] [ 69.661166][ T5057] The buggy address belongs to the physical page: [ 69.667554][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 69.677691][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 69.684803][ T5057] page_type: 0xffffffff() [ 69.689118][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 69.697686][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 69.706249][ T5057] page dumped because: kasan: bad access detected [ 69.712641][ T5057] page_owner tracks the page as freed [ 69.717991][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 69.735947][ T5057] post_alloc_hook+0x2cf/0x340 [ 69.740700][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 69.746149][ T5057] __alloc_pages+0x1d0/0x4a0 [ 69.750728][ T5057] __folio_alloc+0x16/0x40 [ 69.755134][ T5057] vma_alloc_folio+0x156/0x890 [ 69.759882][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 69.764895][ T5057] handle_mm_fault+0x478/0xa00 [ 69.769656][ T5057] do_user_addr_fault+0x30b/0x1000 [ 69.774765][ T5057] exc_page_fault+0x5c/0xd0 [ 69.779262][ T5057] asm_exc_page_fault+0x26/0x30 [ 69.784100][ T5057] page last free stack trace: [ 69.788751][ T5057] free_unref_page_prepare+0x476/0xa40 [ 69.794199][ T5057] free_unref_page_list+0xe6/0xb30 [ 69.799296][ T5057] release_pages+0x32a/0x14e0 [ 69.803965][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 69.809148][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 69.813809][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 69.819347][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 69.824531][ T5057] do_vmi_munmap+0x20e/0x450 [ 69.829128][ T5057] __vm_munmap+0x144/0x390 [ 69.833537][ T5057] __x64_sys_munmap+0x62/0x80 [ 69.838203][ T5057] do_syscall_64+0x3f/0x110 [ 69.842701][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 69.848584][ T5057] [ 69.850890][ T5057] Memory state around the buggy address: [ 69.856499][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.864542][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.872586][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 69.880629][ T5057] ^ [ 69.884678][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 69.892720][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 69.900764][ T5057] ================================================================== [ 69.911986][ T5057] ================================================================== [ 69.920045][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 69.926615][ T5057] Read of size 1 at addr ffff8880722db008 by task syz-executor299/5057 [ 69.934827][ T5057] [ 69.937128][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 69.948640][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 69.958672][ T5057] Call Trace: [ 69.961930][ T5057] [ 69.964838][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 69.969415][ T5057] print_report+0xc4/0x620 [ 69.973809][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 69.978813][ T5057] ? __phys_addr+0xc6/0x140 [ 69.983293][ T5057] kasan_report+0xda/0x110 [ 69.987686][ T5057] ? crc_itu_t+0xd7/0xe0 [ 69.991907][ T5057] ? crc_itu_t+0xd7/0xe0 [ 69.996124][ T5057] crc_itu_t+0xd7/0xe0 [ 70.000171][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 70.004998][ T5057] ? udf_mount+0x40/0x40 [ 70.009219][ T5057] udf_sync_fs+0xea/0x150 [ 70.013526][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 70.018615][ T5057] sync_filesystem+0x109/0x280 [ 70.023362][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 70.028630][ T5057] kill_block_super+0x3b/0x90 [ 70.033293][ T5057] deactivate_locked_super+0x9a/0x170 [ 70.038663][ T5057] deactivate_super+0xde/0x100 [ 70.043417][ T5057] cleanup_mnt+0x222/0x450 [ 70.047833][ T5057] task_work_run+0x14d/0x240 [ 70.052424][ T5057] ? task_work_cancel+0x30/0x30 [ 70.057257][ T5057] ? __put_net+0x61/0x70 [ 70.061478][ T5057] do_exit+0xa92/0x2a20 [ 70.065618][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 70.070365][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 70.075736][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 70.080742][ T5057] ? mm_update_next_owner+0x840/0x840 [ 70.086095][ T5057] ? spin_bug+0x1d0/0x1d0 [ 70.090406][ T5057] do_group_exit+0xd4/0x2a0 [ 70.094891][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 70.099898][ T5057] do_syscall_64+0x3f/0x110 [ 70.104384][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 70.110256][ T5057] RIP: 0033:0x7f544687e9c9 [ 70.114645][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 70.121639][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 70.130028][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 70.137980][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 70.145931][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 70.153880][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 70.161827][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 70.169781][ T5057] [ 70.172777][ T5057] [ 70.175077][ T5057] The buggy address belongs to the physical page: [ 70.181459][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 70.191581][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 70.198662][ T5057] page_type: 0xffffffff() [ 70.202983][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 70.211542][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 70.220096][ T5057] page dumped because: kasan: bad access detected [ 70.226480][ T5057] page_owner tracks the page as freed [ 70.231817][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 70.249758][ T5057] post_alloc_hook+0x2cf/0x340 [ 70.254502][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 70.259940][ T5057] __alloc_pages+0x1d0/0x4a0 [ 70.264506][ T5057] __folio_alloc+0x16/0x40 [ 70.268920][ T5057] vma_alloc_folio+0x156/0x890 [ 70.273661][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 70.278671][ T5057] handle_mm_fault+0x478/0xa00 [ 70.283418][ T5057] do_user_addr_fault+0x30b/0x1000 [ 70.288507][ T5057] exc_page_fault+0x5c/0xd0 [ 70.292985][ T5057] asm_exc_page_fault+0x26/0x30 [ 70.297810][ T5057] page last free stack trace: [ 70.302458][ T5057] free_unref_page_prepare+0x476/0xa40 [ 70.307894][ T5057] free_unref_page_list+0xe6/0xb30 [ 70.312982][ T5057] release_pages+0x32a/0x14e0 [ 70.317650][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 70.322824][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 70.327476][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 70.333002][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 70.338178][ T5057] do_vmi_munmap+0x20e/0x450 [ 70.342745][ T5057] __vm_munmap+0x144/0x390 [ 70.347137][ T5057] __x64_sys_munmap+0x62/0x80 [ 70.351788][ T5057] do_syscall_64+0x3f/0x110 [ 70.356272][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 70.362143][ T5057] [ 70.364447][ T5057] Memory state around the buggy address: [ 70.370050][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.379040][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.387072][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 70.395102][ T5057] ^ [ 70.399403][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 70.407435][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 70.415467][ T5057] ================================================================== [ 70.423994][ T5057] ================================================================== [ 70.432053][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 70.438644][ T5057] Read of size 1 at addr ffff8880722db009 by task syz-executor299/5057 [ 70.446855][ T5057] [ 70.449155][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 70.460668][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 70.470701][ T5057] Call Trace: [ 70.473958][ T5057] [ 70.476867][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 70.481442][ T5057] print_report+0xc4/0x620 [ 70.485851][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 70.490872][ T5057] ? __phys_addr+0xc6/0x140 [ 70.495352][ T5057] kasan_report+0xda/0x110 [ 70.499747][ T5057] ? crc_itu_t+0xd7/0xe0 [ 70.503965][ T5057] ? crc_itu_t+0xd7/0xe0 [ 70.508183][ T5057] crc_itu_t+0xd7/0xe0 [ 70.512230][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 70.517058][ T5057] ? udf_mount+0x40/0x40 [ 70.521368][ T5057] udf_sync_fs+0xea/0x150 [ 70.525676][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 70.530765][ T5057] sync_filesystem+0x109/0x280 [ 70.535510][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 70.540778][ T5057] kill_block_super+0x3b/0x90 [ 70.545433][ T5057] deactivate_locked_super+0x9a/0x170 [ 70.550779][ T5057] deactivate_super+0xde/0x100 [ 70.555518][ T5057] cleanup_mnt+0x222/0x450 [ 70.559917][ T5057] task_work_run+0x14d/0x240 [ 70.564486][ T5057] ? task_work_cancel+0x30/0x30 [ 70.569319][ T5057] ? __put_net+0x61/0x70 [ 70.573539][ T5057] do_exit+0xa92/0x2a20 [ 70.577676][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 70.582419][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 70.587770][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 70.592774][ T5057] ? mm_update_next_owner+0x840/0x840 [ 70.598126][ T5057] ? spin_bug+0x1d0/0x1d0 [ 70.602453][ T5057] do_group_exit+0xd4/0x2a0 [ 70.606938][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 70.611943][ T5057] do_syscall_64+0x3f/0x110 [ 70.616426][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 70.622298][ T5057] RIP: 0033:0x7f544687e9c9 [ 70.626688][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 70.633677][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 70.642064][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 70.650013][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 70.657962][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 70.665908][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 70.673858][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 70.681809][ T5057] [ 70.684804][ T5057] [ 70.687105][ T5057] The buggy address belongs to the physical page: [ 70.693487][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 70.703696][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 70.710779][ T5057] page_type: 0xffffffff() [ 70.715083][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 70.723642][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 70.732198][ T5057] page dumped because: kasan: bad access detected [ 70.738584][ T5057] page_owner tracks the page as freed [ 70.743924][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 70.761864][ T5057] post_alloc_hook+0x2cf/0x340 [ 70.766611][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 70.772074][ T5057] __alloc_pages+0x1d0/0x4a0 [ 70.776644][ T5057] __folio_alloc+0x16/0x40 [ 70.781039][ T5057] vma_alloc_folio+0x156/0x890 [ 70.785801][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 70.790826][ T5057] handle_mm_fault+0x478/0xa00 [ 70.795579][ T5057] do_user_addr_fault+0x30b/0x1000 [ 70.800672][ T5057] exc_page_fault+0x5c/0xd0 [ 70.805150][ T5057] asm_exc_page_fault+0x26/0x30 [ 70.809980][ T5057] page last free stack trace: [ 70.814623][ T5057] free_unref_page_prepare+0x476/0xa40 [ 70.820058][ T5057] free_unref_page_list+0xe6/0xb30 [ 70.825143][ T5057] release_pages+0x32a/0x14e0 [ 70.829798][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 70.834980][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 70.839630][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 70.845154][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 70.850329][ T5057] do_vmi_munmap+0x20e/0x450 [ 70.854910][ T5057] __vm_munmap+0x144/0x390 [ 70.859306][ T5057] __x64_sys_munmap+0x62/0x80 [ 70.863955][ T5057] do_syscall_64+0x3f/0x110 [ 70.868440][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 70.874312][ T5057] [ 70.876609][ T5057] Memory state around the buggy address: [ 70.882210][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.890244][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 70.898296][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 70.906329][ T5057] ^ [ 70.910634][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 70.918669][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 70.926700][ T5057] ================================================================== [ 70.939149][ T5057] ================================================================== [ 70.947225][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 70.953815][ T5057] Read of size 1 at addr ffff8880722db00a by task syz-executor299/5057 [ 70.962026][ T5057] [ 70.964327][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 70.975838][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 70.985870][ T5057] Call Trace: [ 70.989131][ T5057] [ 70.992038][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 70.996612][ T5057] print_report+0xc4/0x620 [ 71.001008][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 71.006010][ T5057] ? __phys_addr+0xc6/0x140 [ 71.010493][ T5057] kasan_report+0xda/0x110 [ 71.014886][ T5057] ? crc_itu_t+0xd7/0xe0 [ 71.019105][ T5057] ? crc_itu_t+0xd7/0xe0 [ 71.023324][ T5057] crc_itu_t+0xd7/0xe0 [ 71.027368][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 71.032196][ T5057] ? udf_mount+0x40/0x40 [ 71.036434][ T5057] udf_sync_fs+0xea/0x150 [ 71.040742][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 71.045830][ T5057] sync_filesystem+0x109/0x280 [ 71.050664][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 71.055976][ T5057] kill_block_super+0x3b/0x90 [ 71.060656][ T5057] deactivate_locked_super+0x9a/0x170 [ 71.066019][ T5057] deactivate_super+0xde/0x100 [ 71.070770][ T5057] cleanup_mnt+0x222/0x450 [ 71.075200][ T5057] task_work_run+0x14d/0x240 [ 71.079788][ T5057] ? task_work_cancel+0x30/0x30 [ 71.084656][ T5057] ? __put_net+0x61/0x70 [ 71.088885][ T5057] do_exit+0xa92/0x2a20 [ 71.093032][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 71.097790][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 71.103157][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 71.108184][ T5057] ? mm_update_next_owner+0x840/0x840 [ 71.113548][ T5057] ? spin_bug+0x1d0/0x1d0 [ 71.117876][ T5057] do_group_exit+0xd4/0x2a0 [ 71.122381][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 71.127399][ T5057] do_syscall_64+0x3f/0x110 [ 71.131900][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 71.137781][ T5057] RIP: 0033:0x7f544687e9c9 [ 71.142182][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 71.149202][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 71.157599][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 71.165557][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 71.173512][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 71.181467][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 71.189425][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 71.197385][ T5057] [ 71.200389][ T5057] [ 71.202697][ T5057] The buggy address belongs to the physical page: [ 71.209085][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 71.219221][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 71.226314][ T5057] page_type: 0xffffffff() [ 71.230625][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 71.239193][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 71.247754][ T5057] page dumped because: kasan: bad access detected [ 71.254147][ T5057] page_owner tracks the page as freed [ 71.259496][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 71.277449][ T5057] post_alloc_hook+0x2cf/0x340 [ 71.282201][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 71.287647][ T5057] __alloc_pages+0x1d0/0x4a0 [ 71.292226][ T5057] __folio_alloc+0x16/0x40 [ 71.296630][ T5057] vma_alloc_folio+0x156/0x890 [ 71.301378][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 71.306393][ T5057] handle_mm_fault+0x478/0xa00 [ 71.311147][ T5057] do_user_addr_fault+0x30b/0x1000 [ 71.316245][ T5057] exc_page_fault+0x5c/0xd0 [ 71.320738][ T5057] asm_exc_page_fault+0x26/0x30 [ 71.325604][ T5057] page last free stack trace: [ 71.330257][ T5057] free_unref_page_prepare+0x476/0xa40 [ 71.335703][ T5057] free_unref_page_list+0xe6/0xb30 [ 71.340800][ T5057] release_pages+0x32a/0x14e0 [ 71.345477][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 71.350665][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 71.355328][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 71.360863][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 71.366048][ T5057] do_vmi_munmap+0x20e/0x450 [ 71.370655][ T5057] __vm_munmap+0x144/0x390 [ 71.375062][ T5057] __x64_sys_munmap+0x62/0x80 [ 71.379725][ T5057] do_syscall_64+0x3f/0x110 [ 71.384240][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 71.390124][ T5057] [ 71.392432][ T5057] Memory state around the buggy address: [ 71.398043][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 71.406091][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 71.414137][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 71.422180][ T5057] ^ [ 71.426486][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 71.434529][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 71.442573][ T5057] ================================================================== [ 71.450878][ T5057] ================================================================== [ 71.458946][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 71.465569][ T5057] Read of size 1 at addr ffff8880722db00b by task syz-executor299/5057 [ 71.473785][ T5057] [ 71.476087][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 71.487601][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 71.497639][ T5057] Call Trace: [ 71.500903][ T5057] [ 71.503817][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 71.508395][ T5057] print_report+0xc4/0x620 [ 71.512793][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 71.517796][ T5057] ? __phys_addr+0xc6/0x140 [ 71.522295][ T5057] kasan_report+0xda/0x110 [ 71.526692][ T5057] ? crc_itu_t+0xd7/0xe0 [ 71.530911][ T5057] ? crc_itu_t+0xd7/0xe0 [ 71.535131][ T5057] crc_itu_t+0xd7/0xe0 [ 71.539177][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 71.544013][ T5057] ? udf_mount+0x40/0x40 [ 71.548236][ T5057] udf_sync_fs+0xea/0x150 [ 71.552544][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 71.557633][ T5057] sync_filesystem+0x109/0x280 [ 71.562383][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 71.567669][ T5057] kill_block_super+0x3b/0x90 [ 71.572330][ T5057] deactivate_locked_super+0x9a/0x170 [ 71.577678][ T5057] deactivate_super+0xde/0x100 [ 71.582437][ T5057] cleanup_mnt+0x222/0x450 [ 71.586836][ T5057] task_work_run+0x14d/0x240 [ 71.591410][ T5057] ? task_work_cancel+0x30/0x30 [ 71.596244][ T5057] ? __put_net+0x61/0x70 [ 71.600466][ T5057] do_exit+0xa92/0x2a20 [ 71.604620][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 71.609370][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 71.614723][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 71.619727][ T5057] ? mm_update_next_owner+0x840/0x840 [ 71.625079][ T5057] ? spin_bug+0x1d0/0x1d0 [ 71.629391][ T5057] do_group_exit+0xd4/0x2a0 [ 71.633893][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 71.638899][ T5057] do_syscall_64+0x3f/0x110 [ 71.643402][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 71.649276][ T5057] RIP: 0033:0x7f544687e9c9 [ 71.653667][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 71.660658][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 71.669047][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 71.676994][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 71.684944][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 71.692894][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 71.700845][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 71.708796][ T5057] [ 71.711810][ T5057] [ 71.714109][ T5057] The buggy address belongs to the physical page: [ 71.720494][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 71.730617][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 71.737698][ T5057] page_type: 0xffffffff() [ 71.742002][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 71.750567][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 71.759124][ T5057] page dumped because: kasan: bad access detected [ 71.765507][ T5057] page_owner tracks the page as freed [ 71.770850][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 71.788792][ T5057] post_alloc_hook+0x2cf/0x340 [ 71.793534][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 71.798972][ T5057] __alloc_pages+0x1d0/0x4a0 [ 71.803537][ T5057] __folio_alloc+0x16/0x40 [ 71.807935][ T5057] vma_alloc_folio+0x156/0x890 [ 71.812675][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 71.817676][ T5057] handle_mm_fault+0x478/0xa00 [ 71.822420][ T5057] do_user_addr_fault+0x30b/0x1000 [ 71.827509][ T5057] exc_page_fault+0x5c/0xd0 [ 71.831990][ T5057] asm_exc_page_fault+0x26/0x30 [ 71.836819][ T5057] page last free stack trace: [ 71.841464][ T5057] free_unref_page_prepare+0x476/0xa40 [ 71.846897][ T5057] free_unref_page_list+0xe6/0xb30 [ 71.851984][ T5057] release_pages+0x32a/0x14e0 [ 71.856641][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 71.861816][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 71.866470][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 71.871995][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 71.877168][ T5057] do_vmi_munmap+0x20e/0x450 [ 71.881732][ T5057] __vm_munmap+0x144/0x390 [ 71.886143][ T5057] __x64_sys_munmap+0x62/0x80 [ 71.890814][ T5057] do_syscall_64+0x3f/0x110 [ 71.895298][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 71.901168][ T5057] [ 71.903470][ T5057] Memory state around the buggy address: [ 71.909089][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 71.917124][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 71.925159][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 71.933197][ T5057] ^ [ 71.937499][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 71.945553][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 71.953597][ T5057] ================================================================== [ 71.961911][ T5057] ================================================================== [ 71.969977][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 71.976577][ T5057] Read of size 1 at addr ffff8880722db00c by task syz-executor299/5057 [ 71.984800][ T5057] [ 71.987112][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 71.998641][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 72.008684][ T5057] Call Trace: [ 72.011952][ T5057] [ 72.014868][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 72.019457][ T5057] print_report+0xc4/0x620 [ 72.023867][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 72.028881][ T5057] ? __phys_addr+0xc6/0x140 [ 72.033376][ T5057] kasan_report+0xda/0x110 [ 72.037780][ T5057] ? crc_itu_t+0xd7/0xe0 [ 72.042011][ T5057] ? crc_itu_t+0xd7/0xe0 [ 72.046242][ T5057] crc_itu_t+0xd7/0xe0 [ 72.050300][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 72.055144][ T5057] ? udf_mount+0x40/0x40 [ 72.059377][ T5057] udf_sync_fs+0xea/0x150 [ 72.063717][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 72.068816][ T5057] sync_filesystem+0x109/0x280 [ 72.073581][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 72.078867][ T5057] kill_block_super+0x3b/0x90 [ 72.083539][ T5057] deactivate_locked_super+0x9a/0x170 [ 72.088902][ T5057] deactivate_super+0xde/0x100 [ 72.093652][ T5057] cleanup_mnt+0x222/0x450 [ 72.098066][ T5057] task_work_run+0x14d/0x240 [ 72.102653][ T5057] ? task_work_cancel+0x30/0x30 [ 72.107496][ T5057] ? __put_net+0x61/0x70 [ 72.111728][ T5057] do_exit+0xa92/0x2a20 [ 72.115879][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 72.120642][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 72.126006][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 72.131025][ T5057] ? mm_update_next_owner+0x840/0x840 [ 72.136395][ T5057] ? spin_bug+0x1d0/0x1d0 [ 72.140721][ T5057] do_group_exit+0xd4/0x2a0 [ 72.145222][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 72.150239][ T5057] do_syscall_64+0x3f/0x110 [ 72.154737][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.160621][ T5057] RIP: 0033:0x7f544687e9c9 [ 72.165045][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 72.172046][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 72.180448][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 72.188406][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 72.196364][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 72.204322][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 72.212284][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 72.220246][ T5057] [ 72.223273][ T5057] [ 72.225582][ T5057] The buggy address belongs to the physical page: [ 72.231972][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 72.242108][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 72.249201][ T5057] page_type: 0xffffffff() [ 72.253517][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 72.262086][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 72.270648][ T5057] page dumped because: kasan: bad access detected [ 72.277041][ T5057] page_owner tracks the page as freed [ 72.282388][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 72.300344][ T5057] post_alloc_hook+0x2cf/0x340 [ 72.305101][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 72.310550][ T5057] __alloc_pages+0x1d0/0x4a0 [ 72.315132][ T5057] __folio_alloc+0x16/0x40 [ 72.319536][ T5057] vma_alloc_folio+0x156/0x890 [ 72.324289][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 72.329306][ T5057] handle_mm_fault+0x478/0xa00 [ 72.334082][ T5057] do_user_addr_fault+0x30b/0x1000 [ 72.339182][ T5057] exc_page_fault+0x5c/0xd0 [ 72.343672][ T5057] asm_exc_page_fault+0x26/0x30 [ 72.348513][ T5057] page last free stack trace: [ 72.353170][ T5057] free_unref_page_prepare+0x476/0xa40 [ 72.358616][ T5057] free_unref_page_list+0xe6/0xb30 [ 72.363740][ T5057] release_pages+0x32a/0x14e0 [ 72.368411][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 72.373600][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 72.378266][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 72.383806][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 72.388989][ T5057] do_vmi_munmap+0x20e/0x450 [ 72.393573][ T5057] __vm_munmap+0x144/0x390 [ 72.397974][ T5057] __x64_sys_munmap+0x62/0x80 [ 72.402657][ T5057] do_syscall_64+0x3f/0x110 [ 72.407155][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.413039][ T5057] [ 72.415348][ T5057] Memory state around the buggy address: [ 72.420962][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 72.429029][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 72.437074][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 72.445118][ T5057] ^ [ 72.449427][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 72.457473][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 72.465539][ T5057] ================================================================== [ 72.475162][ T5057] ================================================================== [ 72.483221][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 72.489790][ T5057] Read of size 1 at addr ffff8880722db00d by task syz-executor299/5057 [ 72.498002][ T5057] [ 72.500304][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 72.511815][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 72.521847][ T5057] Call Trace: [ 72.525104][ T5057] [ 72.528015][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 72.532589][ T5057] print_report+0xc4/0x620 [ 72.536985][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 72.541990][ T5057] ? __phys_addr+0xc6/0x140 [ 72.546472][ T5057] kasan_report+0xda/0x110 [ 72.550868][ T5057] ? crc_itu_t+0xd7/0xe0 [ 72.555089][ T5057] ? crc_itu_t+0xd7/0xe0 [ 72.559308][ T5057] crc_itu_t+0xd7/0xe0 [ 72.563354][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 72.568184][ T5057] ? udf_mount+0x40/0x40 [ 72.572407][ T5057] udf_sync_fs+0xea/0x150 [ 72.576713][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 72.581808][ T5057] sync_filesystem+0x109/0x280 [ 72.586574][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 72.591857][ T5057] kill_block_super+0x3b/0x90 [ 72.596531][ T5057] deactivate_locked_super+0x9a/0x170 [ 72.601895][ T5057] deactivate_super+0xde/0x100 [ 72.606646][ T5057] cleanup_mnt+0x222/0x450 [ 72.611058][ T5057] task_work_run+0x14d/0x240 [ 72.615647][ T5057] ? task_work_cancel+0x30/0x30 [ 72.620490][ T5057] ? __put_net+0x61/0x70 [ 72.624723][ T5057] do_exit+0xa92/0x2a20 [ 72.628872][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 72.633629][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 72.638996][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 72.644014][ T5057] ? mm_update_next_owner+0x840/0x840 [ 72.649400][ T5057] ? spin_bug+0x1d0/0x1d0 [ 72.653724][ T5057] do_group_exit+0xd4/0x2a0 [ 72.658222][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 72.663242][ T5057] do_syscall_64+0x3f/0x110 [ 72.667739][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.673623][ T5057] RIP: 0033:0x7f544687e9c9 [ 72.678026][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 72.685026][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 72.693428][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 72.701389][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 72.709346][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 72.717305][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 72.725263][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 72.733228][ T5057] [ 72.736235][ T5057] [ 72.738544][ T5057] The buggy address belongs to the physical page: [ 72.744939][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 72.755072][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 72.762163][ T5057] page_type: 0xffffffff() [ 72.766497][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 72.775074][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 72.783646][ T5057] page dumped because: kasan: bad access detected [ 72.790040][ T5057] page_owner tracks the page as freed [ 72.795389][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 72.813345][ T5057] post_alloc_hook+0x2cf/0x340 [ 72.818102][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 72.823549][ T5057] __alloc_pages+0x1d0/0x4a0 [ 72.828134][ T5057] __folio_alloc+0x16/0x40 [ 72.832538][ T5057] vma_alloc_folio+0x156/0x890 [ 72.837289][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 72.842329][ T5057] handle_mm_fault+0x478/0xa00 [ 72.847084][ T5057] do_user_addr_fault+0x30b/0x1000 [ 72.852187][ T5057] exc_page_fault+0x5c/0xd0 [ 72.856680][ T5057] asm_exc_page_fault+0x26/0x30 [ 72.861542][ T5057] page last free stack trace: [ 72.866198][ T5057] free_unref_page_prepare+0x476/0xa40 [ 72.871647][ T5057] free_unref_page_list+0xe6/0xb30 [ 72.876746][ T5057] release_pages+0x32a/0x14e0 [ 72.881415][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 72.886600][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 72.891263][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 72.896803][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 72.901988][ T5057] do_vmi_munmap+0x20e/0x450 [ 72.906574][ T5057] __vm_munmap+0x144/0x390 [ 72.910977][ T5057] __x64_sys_munmap+0x62/0x80 [ 72.915638][ T5057] do_syscall_64+0x3f/0x110 [ 72.920134][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.926016][ T5057] [ 72.928324][ T5057] Memory state around the buggy address: [ 72.933936][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 72.941980][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 72.950027][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 72.958071][ T5057] ^ [ 72.962380][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 72.970427][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 72.978470][ T5057] ================================================================== [ 72.995316][ T5057] ================================================================== [ 73.003473][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 73.010043][ T5057] Read of size 1 at addr ffff8880722db00e by task syz-executor299/5057 [ 73.018261][ T5057] [ 73.020569][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 73.032084][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 73.042118][ T5057] Call Trace: [ 73.045373][ T5057] [ 73.048285][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 73.052856][ T5057] print_report+0xc4/0x620 [ 73.057252][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 73.062256][ T5057] ? __phys_addr+0xc6/0x140 [ 73.066737][ T5057] kasan_report+0xda/0x110 [ 73.071134][ T5057] ? crc_itu_t+0xd7/0xe0 [ 73.075352][ T5057] ? crc_itu_t+0xd7/0xe0 [ 73.079571][ T5057] crc_itu_t+0xd7/0xe0 [ 73.083633][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 73.088463][ T5057] ? udf_mount+0x40/0x40 [ 73.092685][ T5057] udf_sync_fs+0xea/0x150 [ 73.096990][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 73.102079][ T5057] sync_filesystem+0x109/0x280 [ 73.106825][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 73.112090][ T5057] kill_block_super+0x3b/0x90 [ 73.116751][ T5057] deactivate_locked_super+0x9a/0x170 [ 73.122102][ T5057] deactivate_super+0xde/0x100 [ 73.126840][ T5057] cleanup_mnt+0x222/0x450 [ 73.131235][ T5057] task_work_run+0x14d/0x240 [ 73.135805][ T5057] ? task_work_cancel+0x30/0x30 [ 73.140634][ T5057] ? __put_net+0x61/0x70 [ 73.144852][ T5057] do_exit+0xa92/0x2a20 [ 73.148986][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 73.153733][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 73.159100][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 73.164104][ T5057] ? mm_update_next_owner+0x840/0x840 [ 73.169455][ T5057] ? spin_bug+0x1d0/0x1d0 [ 73.173765][ T5057] do_group_exit+0xd4/0x2a0 [ 73.178248][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 73.183249][ T5057] do_syscall_64+0x3f/0x110 [ 73.187730][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 73.193601][ T5057] RIP: 0033:0x7f544687e9c9 [ 73.197998][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 73.204992][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 73.213380][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 73.221329][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 73.229278][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 73.237226][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 73.245187][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 73.253152][ T5057] [ 73.256150][ T5057] [ 73.258449][ T5057] The buggy address belongs to the physical page: [ 73.264849][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 73.274971][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 73.282051][ T5057] page_type: 0xffffffff() [ 73.286357][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 73.294912][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 73.303465][ T5057] page dumped because: kasan: bad access detected [ 73.309847][ T5057] page_owner tracks the page as freed [ 73.315186][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 73.333131][ T5057] post_alloc_hook+0x2cf/0x340 [ 73.337877][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 73.343312][ T5057] __alloc_pages+0x1d0/0x4a0 [ 73.347979][ T5057] __folio_alloc+0x16/0x40 [ 73.352378][ T5057] vma_alloc_folio+0x156/0x890 [ 73.357139][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 73.362149][ T5057] handle_mm_fault+0x478/0xa00 [ 73.366891][ T5057] do_user_addr_fault+0x30b/0x1000 [ 73.371980][ T5057] exc_page_fault+0x5c/0xd0 [ 73.376459][ T5057] asm_exc_page_fault+0x26/0x30 [ 73.381288][ T5057] page last free stack trace: [ 73.385932][ T5057] free_unref_page_prepare+0x476/0xa40 [ 73.391363][ T5057] free_unref_page_list+0xe6/0xb30 [ 73.396448][ T5057] release_pages+0x32a/0x14e0 [ 73.401103][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 73.406278][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 73.410930][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 73.416471][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 73.421657][ T5057] do_vmi_munmap+0x20e/0x450 [ 73.426220][ T5057] __vm_munmap+0x144/0x390 [ 73.430610][ T5057] __x64_sys_munmap+0x62/0x80 [ 73.435260][ T5057] do_syscall_64+0x3f/0x110 [ 73.439755][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 73.445620][ T5057] [ 73.447918][ T5057] Memory state around the buggy address: [ 73.453521][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.461555][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.469596][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 73.477641][ T5057] ^ [ 73.481942][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 73.489996][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 73.498044][ T5057] ================================================================== [ 73.507042][ T5057] ================================================================== [ 73.515217][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 73.521834][ T5057] Read of size 1 at addr ffff8880722db00f by task syz-executor299/5057 [ 73.530051][ T5057] [ 73.532357][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 73.543871][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 73.553903][ T5057] Call Trace: [ 73.557163][ T5057] [ 73.560078][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 73.564654][ T5057] print_report+0xc4/0x620 [ 73.569050][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 73.574056][ T5057] ? __phys_addr+0xc6/0x140 [ 73.578541][ T5057] kasan_report+0xda/0x110 [ 73.582932][ T5057] ? crc_itu_t+0xd7/0xe0 [ 73.587148][ T5057] ? crc_itu_t+0xd7/0xe0 [ 73.591366][ T5057] crc_itu_t+0xd7/0xe0 [ 73.595412][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 73.600242][ T5057] ? udf_mount+0x40/0x40 [ 73.604496][ T5057] udf_sync_fs+0xea/0x150 [ 73.608854][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 73.613944][ T5057] sync_filesystem+0x109/0x280 [ 73.618687][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 73.623952][ T5057] kill_block_super+0x3b/0x90 [ 73.628609][ T5057] deactivate_locked_super+0x9a/0x170 [ 73.633955][ T5057] deactivate_super+0xde/0x100 [ 73.638693][ T5057] cleanup_mnt+0x222/0x450 [ 73.643088][ T5057] task_work_run+0x14d/0x240 [ 73.647655][ T5057] ? task_work_cancel+0x30/0x30 [ 73.652487][ T5057] ? __put_net+0x61/0x70 [ 73.656705][ T5057] do_exit+0xa92/0x2a20 [ 73.660841][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 73.665583][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 73.670937][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 73.675943][ T5057] ? mm_update_next_owner+0x840/0x840 [ 73.681293][ T5057] ? spin_bug+0x1d0/0x1d0 [ 73.685604][ T5057] do_group_exit+0xd4/0x2a0 [ 73.690089][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 73.695094][ T5057] do_syscall_64+0x3f/0x110 [ 73.699577][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 73.705447][ T5057] RIP: 0033:0x7f544687e9c9 [ 73.709835][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 73.716825][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 73.725211][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 73.733163][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 73.741115][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 73.749069][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 73.757014][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 73.764964][ T5057] [ 73.767963][ T5057] [ 73.770261][ T5057] The buggy address belongs to the physical page: [ 73.776640][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 73.786765][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 73.793850][ T5057] page_type: 0xffffffff() [ 73.798160][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 73.806719][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 73.815277][ T5057] page dumped because: kasan: bad access detected [ 73.821663][ T5057] page_owner tracks the page as freed [ 73.827005][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 73.844963][ T5057] post_alloc_hook+0x2cf/0x340 [ 73.849706][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 73.855142][ T5057] __alloc_pages+0x1d0/0x4a0 [ 73.859709][ T5057] __folio_alloc+0x16/0x40 [ 73.864104][ T5057] vma_alloc_folio+0x156/0x890 [ 73.868843][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 73.873849][ T5057] handle_mm_fault+0x478/0xa00 [ 73.878591][ T5057] do_user_addr_fault+0x30b/0x1000 [ 73.883680][ T5057] exc_page_fault+0x5c/0xd0 [ 73.888160][ T5057] asm_exc_page_fault+0x26/0x30 [ 73.893002][ T5057] page last free stack trace: [ 73.897645][ T5057] free_unref_page_prepare+0x476/0xa40 [ 73.903096][ T5057] free_unref_page_list+0xe6/0xb30 [ 73.908188][ T5057] release_pages+0x32a/0x14e0 [ 73.912844][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 73.918037][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 73.922689][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 73.928216][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 73.933388][ T5057] do_vmi_munmap+0x20e/0x450 [ 73.937953][ T5057] __vm_munmap+0x144/0x390 [ 73.942362][ T5057] __x64_sys_munmap+0x62/0x80 [ 73.947011][ T5057] do_syscall_64+0x3f/0x110 [ 73.951493][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 73.957368][ T5057] [ 73.959671][ T5057] Memory state around the buggy address: [ 73.965272][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.973311][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.981365][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 73.989401][ T5057] ^ [ 73.993700][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.001738][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.009772][ T5057] ================================================================== [ 74.018052][ T5057] ================================================================== [ 74.026111][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 74.032709][ T5057] Read of size 1 at addr ffff8880722db010 by task syz-executor299/5057 [ 74.040931][ T5057] [ 74.043242][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 74.054769][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 74.064834][ T5057] Call Trace: [ 74.068100][ T5057] [ 74.071019][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 74.075608][ T5057] print_report+0xc4/0x620 [ 74.080014][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 74.085028][ T5057] ? __phys_addr+0xc6/0x140 [ 74.089521][ T5057] kasan_report+0xda/0x110 [ 74.093928][ T5057] ? crc_itu_t+0xd7/0xe0 [ 74.098158][ T5057] ? crc_itu_t+0xd7/0xe0 [ 74.102390][ T5057] crc_itu_t+0xd7/0xe0 [ 74.106449][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 74.111291][ T5057] ? udf_mount+0x40/0x40 [ 74.115525][ T5057] udf_sync_fs+0xea/0x150 [ 74.119850][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 74.124950][ T5057] sync_filesystem+0x109/0x280 [ 74.129711][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 74.134993][ T5057] kill_block_super+0x3b/0x90 [ 74.139666][ T5057] deactivate_locked_super+0x9a/0x170 [ 74.145044][ T5057] deactivate_super+0xde/0x100 [ 74.149793][ T5057] cleanup_mnt+0x222/0x450 [ 74.154207][ T5057] task_work_run+0x14d/0x240 [ 74.158793][ T5057] ? task_work_cancel+0x30/0x30 [ 74.163637][ T5057] ? __put_net+0x61/0x70 [ 74.167872][ T5057] do_exit+0xa92/0x2a20 [ 74.172023][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 74.176783][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 74.182151][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 74.187170][ T5057] ? mm_update_next_owner+0x840/0x840 [ 74.192536][ T5057] ? spin_bug+0x1d0/0x1d0 [ 74.196867][ T5057] do_group_exit+0xd4/0x2a0 [ 74.201386][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 74.206409][ T5057] do_syscall_64+0x3f/0x110 [ 74.210907][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 74.216791][ T5057] RIP: 0033:0x7f544687e9c9 [ 74.221192][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 74.228193][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 74.236591][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 74.244556][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 74.252519][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 74.260477][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 74.268435][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 74.276397][ T5057] [ 74.279581][ T5057] [ 74.281887][ T5057] The buggy address belongs to the physical page: [ 74.288277][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 74.298414][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 74.305506][ T5057] page_type: 0xffffffff() [ 74.309819][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 74.318390][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 74.326955][ T5057] page dumped because: kasan: bad access detected [ 74.333436][ T5057] page_owner tracks the page as freed [ 74.338804][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 74.356760][ T5057] post_alloc_hook+0x2cf/0x340 [ 74.361514][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 74.366961][ T5057] __alloc_pages+0x1d0/0x4a0 [ 74.371539][ T5057] __folio_alloc+0x16/0x40 [ 74.375947][ T5057] vma_alloc_folio+0x156/0x890 [ 74.380697][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 74.385714][ T5057] handle_mm_fault+0x478/0xa00 [ 74.390465][ T5057] do_user_addr_fault+0x30b/0x1000 [ 74.395568][ T5057] exc_page_fault+0x5c/0xd0 [ 74.400059][ T5057] asm_exc_page_fault+0x26/0x30 [ 74.404899][ T5057] page last free stack trace: [ 74.409554][ T5057] free_unref_page_prepare+0x476/0xa40 [ 74.415008][ T5057] free_unref_page_list+0xe6/0xb30 [ 74.420106][ T5057] release_pages+0x32a/0x14e0 [ 74.424794][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 74.429978][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 74.434640][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 74.440182][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 74.445366][ T5057] do_vmi_munmap+0x20e/0x450 [ 74.449942][ T5057] __vm_munmap+0x144/0x390 [ 74.454364][ T5057] __x64_sys_munmap+0x62/0x80 [ 74.459028][ T5057] do_syscall_64+0x3f/0x110 [ 74.463548][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 74.469434][ T5057] [ 74.471747][ T5057] Memory state around the buggy address: [ 74.477360][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.485423][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.493467][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.501532][ T5057] ^ [ 74.506100][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.514145][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 74.522187][ T5057] ================================================================== [ 74.530366][ T5057] ================================================================== [ 74.538421][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 74.544997][ T5057] Read of size 1 at addr ffff8880722db011 by task syz-executor299/5057 [ 74.553218][ T5057] [ 74.555531][ T5057] CPU: 1 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 74.567060][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 74.577104][ T5057] Call Trace: [ 74.580391][ T5057] [ 74.583311][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 74.587920][ T5057] print_report+0xc4/0x620 [ 74.592328][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 74.597347][ T5057] ? __phys_addr+0xc6/0x140 [ 74.601842][ T5057] kasan_report+0xda/0x110 [ 74.606251][ T5057] ? crc_itu_t+0xd7/0xe0 [ 74.610482][ T5057] ? crc_itu_t+0xd7/0xe0 [ 74.614715][ T5057] crc_itu_t+0xd7/0xe0 [ 74.618776][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 74.623616][ T5057] ? udf_mount+0x40/0x40 [ 74.627855][ T5057] udf_sync_fs+0xea/0x150 [ 74.632196][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 74.637295][ T5057] sync_filesystem+0x109/0x280 [ 74.642054][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 74.647338][ T5057] kill_block_super+0x3b/0x90 [ 74.652011][ T5057] deactivate_locked_super+0x9a/0x170 [ 74.657370][ T5057] deactivate_super+0xde/0x100 [ 74.662120][ T5057] cleanup_mnt+0x222/0x450 [ 74.666534][ T5057] task_work_run+0x14d/0x240 [ 74.671123][ T5057] ? task_work_cancel+0x30/0x30 [ 74.675969][ T5057] ? __put_net+0x61/0x70 [ 74.680228][ T5057] do_exit+0xa92/0x2a20 [ 74.684378][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 74.689139][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 74.694530][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 74.699554][ T5057] ? mm_update_next_owner+0x840/0x840 [ 74.704928][ T5057] ? spin_bug+0x1d0/0x1d0 [ 74.709274][ T5057] do_group_exit+0xd4/0x2a0 [ 74.713772][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 74.718792][ T5057] do_syscall_64+0x3f/0x110 [ 74.723294][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 74.729180][ T5057] RIP: 0033:0x7f544687e9c9 [ 74.733583][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 74.740670][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 74.749090][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 74.757052][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 74.765101][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 74.773062][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 74.781020][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 74.788985][ T5057] [ 74.791987][ T5057] [ 74.794294][ T5057] The buggy address belongs to the physical page: [ 74.800693][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 74.810828][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 74.817940][ T5057] page_type: 0xffffffff() [ 74.822260][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 74.830847][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 74.839414][ T5057] page dumped because: kasan: bad access detected [ 74.845803][ T5057] page_owner tracks the page as freed [ 74.851149][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 74.869105][ T5057] post_alloc_hook+0x2cf/0x340 [ 74.873858][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 74.879304][ T5057] __alloc_pages+0x1d0/0x4a0 [ 74.883880][ T5057] __folio_alloc+0x16/0x40 [ 74.888285][ T5057] vma_alloc_folio+0x156/0x890 [ 74.893035][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 74.898048][ T5057] handle_mm_fault+0x478/0xa00 [ 74.902803][ T5057] do_user_addr_fault+0x30b/0x1000 [ 74.907903][ T5057] exc_page_fault+0x5c/0xd0 [ 74.912394][ T5057] asm_exc_page_fault+0x26/0x30 [ 74.917230][ T5057] page last free stack trace: [ 74.921881][ T5057] free_unref_page_prepare+0x476/0xa40 [ 74.927327][ T5057] free_unref_page_list+0xe6/0xb30 [ 74.932427][ T5057] release_pages+0x32a/0x14e0 [ 74.937093][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 74.942279][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 74.946943][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 74.952480][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 74.957663][ T5057] do_vmi_munmap+0x20e/0x450 [ 74.962240][ T5057] __vm_munmap+0x144/0x390 [ 74.966639][ T5057] __x64_sys_munmap+0x62/0x80 [ 74.971301][ T5057] do_syscall_64+0x3f/0x110 [ 74.975794][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 74.981677][ T5057] [ 74.983984][ T5057] Memory state around the buggy address: [ 74.989594][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.997638][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.005682][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.013724][ T5057] ^ [ 75.018291][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.026333][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.034374][ T5057] ================================================================== [ 75.042550][ T5057] ================================================================== [ 75.050625][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 75.057222][ T5057] Read of size 1 at addr ffff8880722db012 by task syz-executor299/5057 [ 75.065454][ T5057] [ 75.067754][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 75.079269][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 75.089302][ T5057] Call Trace: [ 75.092561][ T5057] [ 75.095468][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 75.100043][ T5057] print_report+0xc4/0x620 [ 75.104440][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 75.109443][ T5057] ? __phys_addr+0xc6/0x140 [ 75.113925][ T5057] kasan_report+0xda/0x110 [ 75.118320][ T5057] ? crc_itu_t+0xd7/0xe0 [ 75.122536][ T5057] ? crc_itu_t+0xd7/0xe0 [ 75.126754][ T5057] crc_itu_t+0xd7/0xe0 [ 75.130800][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 75.135632][ T5057] ? udf_mount+0x40/0x40 [ 75.139850][ T5057] udf_sync_fs+0xea/0x150 [ 75.144155][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 75.149243][ T5057] sync_filesystem+0x109/0x280 [ 75.153986][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 75.159252][ T5057] kill_block_super+0x3b/0x90 [ 75.163906][ T5057] deactivate_locked_super+0x9a/0x170 [ 75.169256][ T5057] deactivate_super+0xde/0x100 [ 75.173993][ T5057] cleanup_mnt+0x222/0x450 [ 75.178390][ T5057] task_work_run+0x14d/0x240 [ 75.182959][ T5057] ? task_work_cancel+0x30/0x30 [ 75.187786][ T5057] ? __put_net+0x61/0x70 [ 75.192008][ T5057] do_exit+0xa92/0x2a20 [ 75.196144][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 75.200886][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 75.206256][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 75.211264][ T5057] ? mm_update_next_owner+0x840/0x840 [ 75.216618][ T5057] ? spin_bug+0x1d0/0x1d0 [ 75.220927][ T5057] do_group_exit+0xd4/0x2a0 [ 75.225411][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 75.230419][ T5057] do_syscall_64+0x3f/0x110 [ 75.234903][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 75.240774][ T5057] RIP: 0033:0x7f544687e9c9 [ 75.245182][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 75.252188][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 75.260580][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 75.268532][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 75.276483][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 75.284429][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 75.292377][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 75.300327][ T5057] [ 75.303318][ T5057] [ 75.305613][ T5057] The buggy address belongs to the physical page: [ 75.311993][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 75.322114][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.329195][ T5057] page_type: 0xffffffff() [ 75.333496][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000 [ 75.342054][ T5057] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 75.350627][ T5057] page dumped because: kasan: bad access detected [ 75.357011][ T5057] page_owner tracks the page as freed [ 75.362348][ T5057] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5045, tgid 5045 (sshd), ts 49794200068, free_ts 49841228228 [ 75.380292][ T5057] post_alloc_hook+0x2cf/0x340 [ 75.385034][ T5057] get_page_from_freelist+0xee0/0x2f20 [ 75.390472][ T5057] __alloc_pages+0x1d0/0x4a0 [ 75.395037][ T5057] __folio_alloc+0x16/0x40 [ 75.399429][ T5057] vma_alloc_folio+0x156/0x890 [ 75.404181][ T5057] __handle_mm_fault+0xe67/0x3e10 [ 75.409182][ T5057] handle_mm_fault+0x478/0xa00 [ 75.413923][ T5057] do_user_addr_fault+0x30b/0x1000 [ 75.419009][ T5057] exc_page_fault+0x5c/0xd0 [ 75.423485][ T5057] asm_exc_page_fault+0x26/0x30 [ 75.428312][ T5057] page last free stack trace: [ 75.432957][ T5057] free_unref_page_prepare+0x476/0xa40 [ 75.438394][ T5057] free_unref_page_list+0xe6/0xb30 [ 75.443482][ T5057] release_pages+0x32a/0x14e0 [ 75.448135][ T5057] tlb_batch_pages_flush+0x9a/0x190 [ 75.453313][ T5057] tlb_finish_mmu+0x14b/0x6f0 [ 75.457976][ T5057] unmap_region.constprop.0+0x2e6/0x3b0 [ 75.463502][ T5057] do_vmi_align_munmap+0xddc/0x15f0 [ 75.468674][ T5057] do_vmi_munmap+0x20e/0x450 [ 75.473238][ T5057] __vm_munmap+0x144/0x390 [ 75.477626][ T5057] __x64_sys_munmap+0x62/0x80 [ 75.482277][ T5057] do_syscall_64+0x3f/0x110 [ 75.486761][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 75.492630][ T5057] [ 75.494930][ T5057] Memory state around the buggy address: [ 75.500535][ T5057] ffff8880722daf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.508574][ T5057] ffff8880722daf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.516605][ T5057] >ffff8880722db000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.524636][ T5057] ^ [ 75.529197][ T5057] ffff8880722db080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.537230][ T5057] ffff8880722db100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.545264][ T5057] ================================================================== [ 75.553626][ T5057] ================================================================== [ 75.561684][ T5057] BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 [ 75.568275][ T5057] Read of size 1 at addr ffff8880722db013 by task syz-executor299/5057 [ 75.576487][ T5057] [ 75.578787][ T5057] CPU: 0 PID: 5057 Comm: syz-executor299 Tainted: G B 6.6.0-syzkaller-05843-g89ed67ef126c #0 [ 75.590315][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 75.600348][ T5057] Call Trace: [ 75.603605][ T5057] [ 75.606512][ T5057] dump_stack_lvl+0xd9/0x1b0 [ 75.611086][ T5057] print_report+0xc4/0x620 [ 75.615482][ T5057] ? __virt_addr_valid+0x5e/0x2d0 [ 75.620484][ T5057] ? __phys_addr+0xc6/0x140 [ 75.624964][ T5057] kasan_report+0xda/0x110 [ 75.629359][ T5057] ? crc_itu_t+0xd7/0xe0 [ 75.633582][ T5057] ? crc_itu_t+0xd7/0xe0 [ 75.637799][ T5057] crc_itu_t+0xd7/0xe0 [ 75.641841][ T5057] udf_finalize_lvid+0xf2/0x1f0 [ 75.646670][ T5057] ? udf_mount+0x40/0x40 [ 75.650891][ T5057] udf_sync_fs+0xea/0x150 [ 75.655197][ T5057] ? udf_finalize_lvid+0x1f0/0x1f0 [ 75.660289][ T5057] sync_filesystem+0x109/0x280 [ 75.665134][ T5057] generic_shutdown_super+0x7e/0x3c0 [ 75.670417][ T5057] kill_block_super+0x3b/0x90 [ 75.675086][ T5057] deactivate_locked_super+0x9a/0x170 [ 75.680444][ T5057] deactivate_super+0xde/0x100 [ 75.685197][ T5057] cleanup_mnt+0x222/0x450 [ 75.689608][ T5057] task_work_run+0x14d/0x240 [ 75.694191][ T5057] ? task_work_cancel+0x30/0x30 [ 75.699034][ T5057] ? __put_net+0x61/0x70 [ 75.703265][ T5057] do_exit+0xa92/0x2a20 [ 75.707413][ T5057] ? do_group_exit+0x1c5/0x2a0 [ 75.712170][ T5057] ? reacquire_held_locks+0x4b0/0x4b0 [ 75.717535][ T5057] ? do_raw_spin_lock+0x12e/0x2b0 [ 75.722604][ T5057] ? mm_update_next_owner+0x840/0x840 [ 75.727972][ T5057] ? spin_bug+0x1d0/0x1d0 [ 75.732305][ T5057] do_group_exit+0xd4/0x2a0 [ 75.736804][ T5057] __x64_sys_exit_group+0x3e/0x50 [ 75.741825][ T5057] do_syscall_64+0x3f/0x110 [ 75.746324][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 75.752209][ T5057] RIP: 0033:0x7f544687e9c9 [ 75.756608][ T5057] Code: Unable to access opcode bytes at 0x7f544687e99f. [ 75.763629][ T5057] RSP: 002b:00007fff6c29d0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 75.772024][ T5057] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f544687e9c9 [ 75.779982][ T5057] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 75.787937][ T5057] RBP: 00007f544691a2d0 R08: ffffffffffffffb8 R09: 0000000000000004 [ 75.795892][ T5057] R10: 0000000000001400 R11: 0000000000000246 R12: 00007f544691a2d0 [ 75.803848][ T5057] R13: 0000000000000000 R14: 00007f544691b040 R15: 00007f544684cf20 [ 75.811810][ T5057] [ 75.814812][ T5057] [ 75.817117][ T5057] The buggy address belongs to the physical page: [ 75.823507][ T5057] page:ffffea0001c8b6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x722db [ 75.833643][ T5057] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.840732][ T5057] page_type: 0xffffffff() [ 75.845046][ T5057] raw: 00fff00000000000 ffffea0001c8b708 ffffea0001c82548 0000000000000000