UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) audit: type=1800 audit(1673668096.604:2): pid=8092 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor107" name="bus" dev="loop0" ino=861 res=0 ================================================================== BUG: KASAN: use-after-free in crc_itu_t+0xce/0xe0 lib/crc-itu-t.c:62 Read of size 1 at addr ffff8880abe7c000 by task syz-executor107/8092 CPU: 1 PID: 8092 Comm: syz-executor107 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430 crc_itu_t+0xce/0xe0 lib/crc-itu-t.c:62 udf_close_lvid+0x47a/0x770 fs/udf/super.c:2064 udf_put_super+0x217/0x290 fs/udf/super.c:2361 generic_shutdown_super+0x144/0x370 fs/super.c:456 kill_block_super+0x97/0xf0 fs/super.c:1185 deactivate_locked_super+0x94/0x160 fs/super.c:329 deactivate_super+0x174/0x1a0 fs/super.c:360 cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098 task_work_run+0x148/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0xbf3/0x2be0 kernel/exit.c:870 do_group_exit+0x125/0x310 kernel/exit.c:967 __do_sys_exit_group kernel/exit.c:978 [inline] __se_sys_exit_group kernel/exit.c:976 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f1c881c7e99 Code: Bad RIP value. RSP: 002b:00007fff19fc78f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f1c8823d410 RCX: 00007f1c881c7e99 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f1c88237e40 R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f1c8823d410 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 Allocated by task 6218: kmem_cache_alloc+0x122/0x370 mm/slab.c:3559 prepare_creds+0x39/0x510 kernel/cred.c:255 do_faccessat+0x94/0x7a0 fs/open.c:359 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 6218: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 __put_cred+0x1de/0x250 kernel/cred.c:151 put_cred include/linux/cred.h:279 [inline] do_faccessat+0x64e/0x7a0 fs/open.c:438 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880abe7c000 which belongs to the cache cred_jar of size 184 The buggy address is located 0 bytes inside of 184-byte region [ffff8880abe7c000, ffff8880abe7c0b8) The buggy address belongs to the page: page:ffffea0002af9f00 count:1 mapcount:0 mapping:ffff88813be45b00 index:0xffff8880abe7c400 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea0002ac1148 ffffea0002afe4c8 ffff88813be45b00 raw: ffff8880abe7c400 ffff8880abe7c000 0000000100000004 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880abe7bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880abe7bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880abe7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880abe7c080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ffff8880abe7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================