syzkaller login: [ 18.513434][ T1691] sshd (1691) used greatest stack depth: 23248 bytes left
[ 24.838940][ T1710] cgroup: Unknown subsys name 'net'
[ 24.960756][ T1710] cgroup: Unknown subsys name 'rlimit'
[ 25.051644][ T1704] syz-fuzzer[1704]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 25.165254][ T1723] modprobe (1723) used greatest stack depth: 23224 bytes left
[ 26.501134][ T1888] modprobe (1888) used greatest stack depth: 22640 bytes left
[ 28.445729][ T1713] syz-executor.0 (1713) used greatest stack depth: 20984 bytes left
[ 29.185005][ T1707] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 29.355663][ T1707] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
Warning: Permanently added '10.128.10.39' (ED25519) to the list of known hosts.
2023/09/23 22:27:46 ignoring optional flag "sandboxArg"="0"
2023/09/23 22:27:46 parsed 1 programs
2023/09/23 22:27:46 executed programs: 0
[ 51.232117][ T2647] loop0: detected capacity change from 0 to 2048
[ 51.242669][ T2647] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 51.320129][ T2234] ==================================================================
[ 51.328516][ T2234] BUG: KASAN: use-after-free in crc_itu_t+0x17c/0x250
[ 51.335602][ T2234] Read of size 1 at addr ffff88806ac68000 by task syz-executor.0/2234
[ 51.343738][ T2234]
[ 51.346143][ T2234] CPU: 1 PID: 2234 Comm: syz-executor.0 Not tainted 6.6.0-rc2-syzkaller #0
[ 51.355171][ T2234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 51.365497][ T2234] Call Trace:
[ 51.368936][ T2234]
[ 51.372020][ T2234] dump_stack_lvl+0xf8/0x260
[ 51.376789][ T2234] ? nf_tcp_handle_invalid+0x300/0x300
[ 51.382558][ T2234] ? panic+0x410/0x410
[ 51.386733][ T2234] ? _printk+0xce/0x110
[ 51.391179][ T2234] ? ktime_get_real_ts64+0x350/0x350
[ 51.396548][ T2234] print_report+0x163/0x540
[ 51.401043][ T2234] ? crc_itu_t+0x17c/0x250
[ 51.405623][ T2234] kasan_report+0x175/0x1b0
[ 51.410105][ T2234] ? crc_itu_t+0x17c/0x250
[ 51.414509][ T2234] ? writeback_inodes_sb+0x2e0/0x360
[ 51.419774][ T2234] crc_itu_t+0x17c/0x250
[ 51.424016][ T2234] udf_sync_fs+0x1c1/0x370
[ 51.428423][ T2234] ? udf_put_super+0x130/0x130
[ 51.433158][ T2234] ? dput+0x3c/0x2b0
[ 51.437037][ T2234] sync_filesystem+0xc3/0x180
[ 51.441794][ T2234] generic_shutdown_super+0x6b/0x260
[ 51.447061][ T2234] kill_block_super+0x3c/0x60
[ 51.451984][ T2234] deactivate_locked_super+0x82/0x270
[ 51.457506][ T2234] cleanup_mnt+0x2a6/0x320
[ 51.462058][ T2234] task_work_run+0x20a/0x280
[ 51.467338][ T2234] ? task_work_cancel+0x2a0/0x2a0
[ 51.472353][ T2234] ? __x64_sys_umount+0xe8/0x120
[ 51.477541][ T2234] ? path_umount+0xcc0/0xcc0
[ 51.482126][ T2234] exit_to_user_mode_loop+0xa9/0xc0
[ 51.487569][ T2234] exit_to_user_mode_prepare+0x64/0xb0
[ 51.493043][ T2234] syscall_exit_to_user_mode+0x2b/0x1d0
[ 51.498872][ T2234] do_syscall_64+0x4d/0x90
[ 51.503449][ T2234] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 51.509340][ T2234] RIP: 0033:0x7f945047dc87
[ 51.513846][ T2234] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[ 51.533637][ T2234] RSP: 002b:00007ffd5cf05e38 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 51.542126][ T2234] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f945047dc87
[ 51.550187][ T2234] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffd5cf05ef0
[ 51.558397][ T2234] RBP: 00007ffd5cf05ef0 R08: 0000000000000000 R09: 0000000000000000
[ 51.566627][ T2234] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd5cf06fb0
[ 51.574676][ T2234] R13: 00007f94504d7c5a R14: 000000000000c803 R15: 0000000000000006
[ 51.582723][ T2234]
[ 51.585919][ T2234]
[ 51.588341][ T2234] The buggy address belongs to the physical page:
[ 51.594832][ T2234] page:ffffea0001ab1a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6ac68
[ 51.605499][ T2234] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 51.613081][ T2234] page_type: 0xffffffff()
[ 51.617467][ T2234] raw: 00fff00000000000 ffffea0001ab7ac8 ffffea0001ab3b88 0000000000000000
[ 51.626238][ T2234] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 51.635159][ T2234] page dumped because: kasan: bad access detected
[ 51.641657][ T2234] page_owner tracks the page as freed
[ 51.647089][ T2234] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 2645, tgid 2645 (syz-executor.0), ts 51256899331, free_ts 51315424181
[ 51.666788][ T2234] post_alloc_hook+0x26e/0x290
[ 51.671639][ T2234] get_page_from_freelist+0x3201/0x33a0
[ 51.677294][ T2234] __alloc_pages+0x255/0x650
[ 51.682211][ T2234] __folio_alloc+0x13/0x30
[ 51.687227][ T2234] vma_alloc_folio+0x48e/0x9f0
[ 51.692208][ T2234] handle_mm_fault+0x20d3/0x4a30
[ 51.697520][ T2234] exc_page_fault+0x4cd/0x8d0
[ 51.702453][ T2234] asm_exc_page_fault+0x26/0x30
[ 51.708769][ T2234] page last free stack trace:
[ 51.713557][ T2234] free_unref_page_prepare+0x7cd/0x8f0
[ 51.719205][ T2234] free_unref_page_list+0x54b/0x7e0
[ 51.724647][ T2234] release_pages+0x194a/0x1af0
[ 51.729390][ T2234] tlb_flush_mmu+0x273/0x3d0
[ 51.734223][ T2234] unmap_page_range+0x1afd/0x20e0
[ 51.739402][ T2234] unmap_vmas+0x2cf/0x450
[ 51.744317][ T2234] exit_mmap+0x27b/0x990
[ 51.748610][ T2234] __mmput+0x9b/0x2d0
[ 51.752766][ T2234] exit_mm+0x113/0x1b0
[ 51.757021][ T2234] do_exit+0x7cf/0x2350
[ 51.761385][ T2234] do_group_exit+0x1b9/0x280
[ 51.765966][ T2234] get_signal+0x115a/0x12b0
[ 51.770812][ T2234] arch_do_signal_or_restart+0x91/0x600
[ 51.776524][ T2234] exit_to_user_mode_loop+0x61/0xc0
[ 51.781890][ T2234] exit_to_user_mode_prepare+0x64/0xb0
[ 51.787340][ T2234] syscall_exit_to_user_mode+0x2b/0x1d0
[ 51.792987][ T2234]
[ 51.795302][ T2234] Memory state around the buggy address:
[ 51.801118][ T2234] ffff88806ac67f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 51.809440][ T2234] ffff88806ac67f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 51.818087][ T2234] >ffff88806ac68000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.826740][ T2234]                    ^
[ 51.831170][ T2234] ffff88806ac68080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.840015][ T2234] ffff88806ac68100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.848324][ T2234] ==================================================================
[ 51.856986][ T2234] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 51.865171][ T2234] Kernel Offset: disabled
[ 51.869841][ T2234] Rebooting in 86400 seconds..