UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) ================================================================== BUG: KASAN: use-after-free in udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235 Read of size 4 at addr ffff888095d0c458 by task syz-executor160/8108 CPU: 0 PID: 8108 Comm: syz-executor160 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load_n_noabort+0x8b/0xa0 mm/kasan/report.c:443 udf_get_filelongad+0x134/0x140 fs/udf/directory.c:235 udf_current_aext+0x198/0x900 fs/udf/inode.c:2168 udf_next_aext+0x200/0x3a0 fs/udf/inode.c:2104 udf_extend_file fs/udf/inode.c:658 [inline] udf_setsize+0x7ca/0x1030 fs/udf/inode.c:1251 udf_setattr+0x33d/0x430 fs/udf/file.c:278 notify_change+0x70b/0xfc0 fs/attr.c:334 do_truncate+0x134/0x1f0 fs/open.c:63 do_sys_ftruncate+0x492/0x560 fs/open.c:194 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f5440ffa929 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd62686c98 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5440ffa929 RDX: 00007f5440ffa929 RSI: 0100000000000000 RDI: 0000000000000005 RBP: 00007f5440fba1c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5440fba250 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 6200: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] ep_alloc.constprop.0+0xae/0x2d0 fs/eventpoll.c:1019 do_epoll_create+0x97/0x1c0 fs/eventpoll.c:1950 __do_sys_epoll_create1 fs/eventpoll.c:1981 [inline] __se_sys_epoll_create1 fs/eventpoll.c:1979 [inline] __x64_sys_epoll_create1+0x2d/0x40 fs/eventpoll.c:1979 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 6200: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 ep_eventpoll_release+0x41/0x60 fs/eventpoll.c:867 __fput+0x2ce/0x890 fs/file_table.c:278 task_work_run+0x148/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:193 [inline] exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888095d0c280 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 472 bytes inside of 512-byte region [ffff888095d0c280, ffff888095d0c480) The buggy address belongs to the page: page:ffffea0002574300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea000257e848 ffffea0002cf2a08 ffff88813bff0940 raw: 0000000000000000 ffff888095d0c000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888095d0c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888095d0c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888095d0c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888095d0c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888095d0c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================