syzkaller
syzkaller login: [ 24.091785][ T1062] cgroup: Unknown subsys name 'net'
[ 24.092846][ T1062] cgroup: Unknown subsys name 'net_prio'
[ 24.093958][ T1062] cgroup: Unknown subsys name 'devices'
[ 24.094909][ T1062] cgroup: Unknown subsys name 'blkio'
[ 24.199646][ T1062] cgroup: Unknown subsys name 'hugetlb'
[ 24.205330][ T1062] cgroup: Unknown subsys name 'rlimit'
[ 26.537491][ T1064] syz-executor.0 (1064) used greatest stack depth: 24336 bytes left
Warning: Permanently added '10.128.1.122' (ED25519) to the list of known hosts.
2024/03/25 02:52:08 ignoring optional flag "sandboxArg"="0"
2024/03/25 02:52:08 parsed 1 programs
2024/03/25 02:52:08 executed programs: 0
[ 47.601515][ T2011] loop0: detected capacity change from 0 to 2048
[ 47.611164][ T2011] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 47.742407][ T2014] loop0: detected capacity change from 0 to 2048
[ 47.750459][ T2014] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 47.874034][ T2016] loop0: detected capacity change from 0 to 2048
[ 47.883160][ T2016] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 47.937542][ T1593] ==================================================================
[ 47.946910][ T1593] BUG: KASAN: use-after-free in crc_itu_t+0x9c/0xc0
[ 47.953599][ T1593] Read of size 1 at addr ffff88806d944000 by task syz-executor.0/1593
[ 47.961964][ T1593]
[ 47.964451][ T1593] CPU: 0 PID: 1593 Comm: syz-executor.0 Not tainted 5.15.152-syzkaller #0
[ 47.973416][ T1593] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 47.983987][ T1593] Call Trace:
[ 47.987265][ T1593]
[ 47.990204][ T1593] dump_stack_lvl+0x41/0x5e
[ 47.995551][ T1593] print_address_description.constprop.0.cold+0x6c/0x309
[ 48.002694][ T1593] ? crc_itu_t+0x9c/0xc0
[ 48.006995][ T1593] ? crc_itu_t+0x9c/0xc0
[ 48.011203][ T1593] kasan_report.cold+0x83/0xdf
[ 48.015935][ T1593] ? crc_itu_t+0x9c/0xc0
[ 48.020179][ T1593] crc_itu_t+0x9c/0xc0
[ 48.024215][ T1593] udf_finalize_lvid+0xdb/0x1d0
[ 48.029120][ T1593] ? udf_mount+0x10/0x10
[ 48.033334][ T1593] udf_close_lvid+0x3db/0x590
[ 48.038174][ T1593] udf_put_super+0x167/0x1d0
[ 48.042819][ T1593] generic_shutdown_super+0x129/0x320
[ 48.048348][ T1593] kill_block_super+0x93/0xd0
[ 48.053113][ T1593] deactivate_locked_super+0x7b/0x130
[ 48.058554][ T1593] cleanup_mnt+0x2b8/0x3e0
[ 48.062965][ T1593] task_work_run+0xb8/0x140
[ 48.067570][ T1593] exit_to_user_mode_prepare+0x15a/0x160
[ 48.073756][ T1593] syscall_exit_to_user_mode+0x12/0x30
[ 48.079646][ T1593] do_syscall_64+0x42/0x80
[ 48.084133][ T1593] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 48.090365][ T1593] RIP: 0033:0x7f5688febc87
[ 48.094840][ T1593] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[ 48.115571][ T1593] RSP: 002b:00007ffd51717d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 48.123987][ T1593] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f5688febc87
[ 48.131931][ T1593] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffd51717e50
[ 48.139881][ T1593] RBP: 00007ffd51717e50 R08: 0000000000000000 R09: 0000000000000000
[ 48.148465][ T1593] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd51718f10
[ 48.156451][ T1593] R13: 00007f5689045c5a R14: 000000000000badc R15: 0000000000000006
[ 48.164500][ T1593]
[ 48.167511][ T1593]
[ 48.169839][ T1593] Allocated by task 1577:
[ 48.174133][ T1593] kasan_save_stack+0x1b/0x40
[ 48.178897][ T1593] __kasan_slab_alloc+0x61/0x80
[ 48.183714][ T1593] kmem_cache_alloc+0x223/0x370
[ 48.188529][ T1593] security_file_alloc+0x25/0x120
[ 48.193615][ T1593] __alloc_file+0xb7/0x240
[ 48.197997][ T1593] alloc_empty_file+0x3c/0xf0
[ 48.202736][ T1593] path_openat+0xe5/0x24d0
[ 48.207133][ T1593] do_filp_open+0x199/0x3d0
[ 48.211620][ T1593] do_sys_openat2+0x11e/0x400
[ 48.216422][ T1593] __x64_sys_openat+0x11b/0x1d0
[ 48.221415][ T1593] do_syscall_64+0x35/0x80
[ 48.225800][ T1593] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 48.231933][ T1593]
[ 48.234336][ T1593] The buggy address belongs to the object at ffff88806d944000
[ 48.234336][ T1593] which belongs to the cache lsm_file_cache of size 80
[ 48.248679][ T1593] The buggy address is located 0 bytes inside of
[ 48.248679][ T1593] 80-byte region [ffff88806d944000, ffff88806d944050)
[ 48.261962][ T1593] The buggy address belongs to the page:
[ 48.267567][ T1593] page:ffffea0001b65100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806d9444d0 pfn:0x6d944
[ 48.279018][ T1593] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 48.286540][ T1593] raw: 00fff00000000200 ffffea0001b61dc0 0000000500000005 ffff88800858a000
[ 48.295108][ T1593] raw: ffff88806d9444d0 0000000080240000 00000001ffffffff 0000000000000000
[ 48.303674][ T1593] page dumped because: kasan: bad access detected
[ 48.310080][ T1593] page_owner tracks the page as allocated
[ 48.315781][ T1593] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1155, ts 24769031068, free_ts 24766504088
[ 48.331815][ T1593] get_page_from_freelist+0x12d1/0x2d40
[ 48.337340][ T1593] __alloc_pages+0x1b2/0x440
[ 48.341904][ T1593] allocate_slab+0x2eb/0x430
[ 48.346463][ T1593] ___slab_alloc+0xa4b/0xfe0
[ 48.351020][ T1593] kmem_cache_alloc+0x31f/0x370
[ 48.355838][ T1593] security_file_alloc+0x25/0x120
[ 48.360845][ T1593] __alloc_file+0xb7/0x240
[ 48.365228][ T1593] alloc_empty_file+0x3c/0xf0
[ 48.369871][ T1593] path_openat+0xe5/0x24d0
[ 48.374257][ T1593] do_filp_open+0x199/0x3d0
[ 48.378728][ T1593] do_sys_openat2+0x11e/0x400
[ 48.383371][ T1593] __x64_sys_openat+0x11b/0x1d0
[ 48.388189][ T1593] do_syscall_64+0x35/0x80
[ 48.392580][ T1593] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 48.398541][ T1593] page last free stack trace:
[ 48.403460][ T1593] free_pcp_prepare+0x379/0x850
[ 48.408288][ T1593] free_unref_page_list+0x16f/0xbd0
[ 48.413465][ T1593] release_pages+0xb3a/0x1480
[ 48.418467][ T1593] tlb_finish_mmu+0x127/0x790
[ 48.423111][ T1593] exit_mmap+0x1b7/0x530
[ 48.427321][ T1593] mmput+0xd6/0x400
[ 48.431278][ T1593] do_exit+0x884/0x2200
[ 48.435400][ T1593] do_group_exit+0xe7/0x290
[ 48.439879][ T1593] __x64_sys_exit_group+0x35/0x40
[ 48.444877][ T1593] do_syscall_64+0x35/0x80
[ 48.449457][ T1593] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 48.455328][ T1593]
[ 48.457732][ T1593] Memory state around the buggy address:
[ 48.463335][ T1593] ffff88806d943f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.471613][ T1593] ffff88806d943f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.479665][ T1593] >ffff88806d944000: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[ 48.487899][ T1593] ^
[ 48.492140][ T1593] ffff88806d944080: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 48.500179][ T1593] ffff88806d944100: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
[ 48.508214][ T1593] ==================================================================
[ 48.516689][ T1593] Disabling lock debugging due to kernel taint
[ 48.523349][ T1593] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 48.531004][ T1593] Kernel Offset: disabled
[ 48.535305][ T1593] Rebooting in 86400 seconds..