[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.218' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   35.549816] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[   35.610022] ==================================================================
[   35.617642] BUG: KASAN: use-after-free in udf_get_filelongad+0x134/0x140
[   35.624652] Read of size 4 at addr ffff888095d0c458 by task syz-executor160/8108
[   35.632161]
[   35.633774] CPU: 0 PID: 8108 Comm: syz-executor160 Not tainted 4.19.211-syzkaller #0
[   35.641644] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   35.650984] Call Trace:
[   35.653561]  dump_stack+0x1fc/0x2ef
[   35.657177]  print_address_description.cold+0x54/0x219
[   35.662443]  kasan_report_error.cold+0x8a/0x1b9
[   35.667192]  ? udf_get_filelongad+0x134/0x140
[   35.671691]  __asan_report_load_n_noabort+0x8b/0xa0
[   35.676697]  ? udf_get_filelongad+0x134/0x140
[   35.681176]  udf_get_filelongad+0x134/0x140
[   35.685480]  udf_current_aext+0x198/0x900
[   35.689636]  udf_next_aext+0x200/0x3a0
[   35.693524]  udf_setsize+0x7ca/0x1030
[   35.697454]  ? inode_bmap+0x750/0x750
[   35.701249]  ? ktime_get_coarse_real_ts64+0x1c7/0x290
[   35.706435]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.711008]  ? ktime_get_coarse_real_ts64+0x1a1/0x290
[   35.716188]  ? inode_newsize_ok+0x121/0x1e0
[   35.721472]  ? setattr_prepare+0x135/0x7e0
[   35.725693]  udf_setattr+0x33d/0x430
[   35.729390]  ? udf_file_write_iter+0x4e0/0x4e0
[   35.733951]  notify_change+0x70b/0xfc0
[   35.737822]  do_truncate+0x134/0x1f0
[   35.741522]  ? dentry_open+0x1d0/0x1d0
[   35.745394]  ? apparmor_path_truncate+0x183/0x200
[   35.750233]  do_sys_ftruncate+0x492/0x560
[   35.754363]  do_syscall_64+0xf9/0x620
[   35.758164]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.763351] RIP: 0033:0x7f5440ffa929
[   35.767053] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   35.785945] RSP: 002b:00007ffd62686c98 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[   35.793807] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5440ffa929
[   35.801056] RDX: 00007f5440ffa929 RSI: 0100000000000000 RDI: 0000000000000005
[   35.808310] RBP: 00007f5440fba1c0 R08: 0000000000000000 R09: 0000000000000000
[   35.815560] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5440fba250
[   35.822894] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.830149]
[   35.831755] Allocated by task 6200:
[   35.835368]  kmem_cache_alloc_trace+0x12f/0x380
[   35.840021]  ep_alloc.constprop.0+0xae/0x2d0
[   35.844772]  do_epoll_create+0x97/0x1c0
[   35.848738]  __x64_sys_epoll_create1+0x2d/0x40
[   35.853313]  do_syscall_64+0xf9/0x620
[   35.857101]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.862267]
[   35.863875] Freed by task 6200:
[   35.867136]  kfree+0xcc/0x210
[   35.870219]  ep_eventpoll_release+0x41/0x60
[   35.874519]  __fput+0x2ce/0x890
[   35.877780]  task_work_run+0x148/0x1c0
[   35.881651]  exit_to_usermode_loop+0x251/0x2a0
[   35.886214]  do_syscall_64+0x538/0x620
[   35.890085]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.895248]
[   35.896944] The buggy address belongs to the object at ffff888095d0c280
[   35.896944]  which belongs to the cache kmalloc-512 of size 512
[   35.909580] The buggy address is located 472 bytes inside of
[   35.909580]  512-byte region [ffff888095d0c280, ffff888095d0c480)
[   35.921450] The buggy address belongs to the page:
[   35.926361] page:ffffea0002574300 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[   35.934485] flags: 0xfff00000000100(slab)
[   35.938617] raw: 00fff00000000100 ffffea000257e848 ffffea0002cf2a08 ffff88813bff0940
[   35.946615] raw: 0000000000000000 ffff888095d0c000 0000000100000006 0000000000000000
[   35.954474] page dumped because: kasan: bad access detected
[   35.960158]
[   35.961762] Memory state around the buggy address:
[   35.966804]  ffff888095d0c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.974145]  ffff888095d0c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.981484] >ffff888095d0c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.988968]                                                     ^
[   35.995177]  ffff888095d0c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.002519]  ffff888095d0c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.009939] ==================================================================
[   36.017276] Disabling lock debugging due to kernel taint
[   36.022925] Kernel panic - not syncing: panic_on_warn set ...
[   36.022925]
[   36.030293] CPU: 0 PID: 8108 Comm: syz-executor160 Tainted: G B 4.19.211-syzkaller #0
[   36.039560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   36.048912] Call Trace:
[   36.051495]  dump_stack+0x1fc/0x2ef
[   36.055134]  panic+0x26a/0x50e
[   36.058307]  ? __warn_printk+0xf3/0xf3
[   36.062174]  ? preempt_schedule_common+0x45/0xc0
[   36.066909]  ? ___preempt_schedule+0x16/0x18
[   36.071297]  ? trace_hardirqs_on+0x55/0x210
[   36.075621]  kasan_end_report+0x43/0x49
[   36.079578]  kasan_report_error.cold+0xa7/0x1b9
[   36.084227]  ? udf_get_filelongad+0x134/0x140
[   36.088791]  __asan_report_load_n_noabort+0x8b/0xa0
[   36.093787]  ? udf_get_filelongad+0x134/0x140
[   36.098261]  udf_get_filelongad+0x134/0x140
[   36.102564]  udf_current_aext+0x198/0x900
[   36.106699]  udf_next_aext+0x200/0x3a0
[   36.110572]  udf_setsize+0x7ca/0x1030
[   36.114425]  ? inode_bmap+0x750/0x750
[   36.118249]  ? ktime_get_coarse_real_ts64+0x1c7/0x290
[   36.123434]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   36.128007]  ? ktime_get_coarse_real_ts64+0x1a1/0x290
[   36.133184]  ? inode_newsize_ok+0x121/0x1e0
[   36.137487]  ? setattr_prepare+0x135/0x7e0
[   36.141702]  udf_setattr+0x33d/0x430
[   36.145397]  ? udf_file_write_iter+0x4e0/0x4e0
[   36.149955]  notify_change+0x70b/0xfc0
[   36.153823]  do_truncate+0x134/0x1f0
[   36.157515]  ? dentry_open+0x1d0/0x1d0
[   36.161383]  ? apparmor_path_truncate+0x183/0x200
[   36.166209]  do_sys_ftruncate+0x492/0x560
[   36.170336]  do_syscall_64+0xf9/0x620
[   36.174117]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.179283] RIP: 0033:0x7f5440ffa929
[   36.182977] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   36.201867] RSP: 002b:00007ffd62686c98 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[   36.209565] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5440ffa929
[   36.216817] RDX: 00007f5440ffa929 RSI: 0100000000000000 RDI: 0000000000000005
[   36.224066] RBP: 00007f5440fba1c0 R08: 0000000000000000 R09: 0000000000000000
[   36.231404] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5440fba250
[   36.238693] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.246175] Kernel Offset: disabled
[   36.249789] Rebooting in 86400 seconds..