[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.819191] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
[ 29.849772] ==================================================================
[ 29.857195] BUG: KASAN: use-after-free in udf_get_filelongad+0x111/0x120
[ 29.864013] Read of size 4 at addr ffff8880b4371c98 by task syz-executor278/7977
[ 29.871517]
[ 29.873127] CPU: 1 PID: 7977 Comm: syz-executor278 Not tainted 4.14.300-syzkaller #0
[ 29.881072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.890400] Call Trace:
[ 29.892971]  dump_stack+0x1b2/0x281
[ 29.896576]  print_address_description.cold+0x54/0x1d3
[ 29.901826]  kasan_report_error.cold+0x8a/0x191
[ 29.906472]  ? udf_get_filelongad+0x111/0x120
[ 29.910938]  __asan_report_load_n_noabort+0x6b/0x80
[ 29.915931]  ? udf_get_filelongad+0x111/0x120
[ 29.920409]  udf_get_filelongad+0x111/0x120
[ 29.924707]  udf_current_aext+0x183/0x8b0
[ 29.928831]  udf_next_aext+0x1f5/0x360
[ 29.932708]  udf_setsize+0x69f/0xe90
[ 29.936402]  ? inode_bmap+0x730/0x730
[ 29.940179]  ? current_time+0x16/0xb0
[ 29.943962]  ? mark_held_locks+0xa6/0xf0
[ 29.948003]  ? current_kernel_time64+0x17c/0x230
[ 29.952736]  ? inode_newsize_ok+0x145/0x1c0
[ 29.957036]  ? setattr_prepare+0xbe/0x530
[ 29.961162]  ? udf_file_write_iter+0x470/0x470
[ 29.965716]  udf_setattr+0xd2/0x130
[ 29.969317]  notify_change+0x56b/0xd10
[ 29.973185]  do_truncate+0xff/0x1a0
[ 29.976802]  ? finish_open+0x170/0x170
[ 29.980665]  ? apparmor_path_truncate+0x163/0x1d0
[ 29.985481]  do_sys_ftruncate.constprop.0+0x3a3/0x480
[ 29.990640]  ? compat_SyS_truncate+0x40/0x40
[ 29.995022]  do_syscall_64+0x1d5/0x640
[ 29.998885]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 30.004051]
[ 30.005654] Allocated by task 5881:
[ 30.009285]  kasan_kmalloc+0xeb/0x160
[ 30.013063]  __kmalloc_node_track_caller+0x4c/0x70
[ 30.017972]  __alloc_skb+0x96/0x510
[ 30.021569]  alloc_skb_with_frags+0x85/0x500
[ 30.026123]  sock_alloc_send_pskb+0x577/0x6d0
[ 30.030594]  unix_dgram_sendmsg+0x331/0x1080
[ 30.034976]  sock_sendmsg+0xb5/0x100
[ 30.038659]  sock_write_iter+0x22c/0x370
[ 30.042690]  __vfs_write+0x44c/0x630
[ 30.046375]  vfs_write+0x17f/0x4d0
[ 30.049896]  SyS_write+0xf2/0x210
[ 30.053328]  do_syscall_64+0x1d5/0x640
[ 30.057194]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 30.062367]
[ 30.063973] Freed by task 4631:
[ 30.067233]  kasan_slab_free+0xc3/0x1a0
[ 30.071182]  kfree+0xc9/0x250
[ 30.074266]  skb_release_data+0x5f6/0x820
[ 30.078386]  consume_skb+0xe0/0x380
[ 30.081988]  skb_free_datagram+0x16/0xe0
[ 30.086021]  unix_dgram_recvmsg+0x67e/0xc60
[ 30.090312]  sock_recvmsg+0xc0/0x100
[ 30.093997]  ___sys_recvmsg+0x20b/0x4d0
[ 30.097956]  __sys_recvmsg+0xa0/0x120
[ 30.101725]  SyS_recvmsg+0x27/0x40
[ 30.105235]  do_syscall_64+0x1d5/0x640
[ 30.109092]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 30.114251]
[ 30.115849] The buggy address belongs to the object at ffff8880b4371ac0
[ 30.115849]  which belongs to the cache kmalloc-512 of size 512
[ 30.128483] The buggy address is located 472 bytes inside of
[ 30.128483]  512-byte region [ffff8880b4371ac0, ffff8880b4371cc0)
[ 30.140422] The buggy address belongs to the page:
[ 30.145324] page:ffffea0002d0dc40 count:1 mapcount:0 mapping:ffff8880b43710c0 index:0x0
[ 30.153436] flags: 0xfff00000000100(slab)
[ 30.157562] raw: 00fff00000000100 ffff8880b43710c0 0000000000000000 0000000100000006
[ 30.165504] raw: ffffea000257ed60 ffffea00025942e0 ffff88813fe74940 0000000000000000
[ 30.173357] page dumped because: kasan: bad access detected
[ 30.179045]
[ 30.180660] Memory state around the buggy address:
[ 30.185569]  ffff8880b4371b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.192913]  ffff8880b4371c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.200268] >ffff8880b4371c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.207599]                             ^
[ 30.211718]  ffff8880b4371d00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 30.219049]  ffff8880b4371d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.226466] ==================================================================
[ 30.233793] Disabling lock debugging due to kernel taint
[ 30.251822] Kernel panic - not syncing: panic_on_warn set ...
[ 30.251822]
[ 30.259201] CPU: 0 PID: 7977 Comm: syz-executor278 Tainted: G B 4.14.300-syzkaller #0
[ 30.268284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 30.277614] Call Trace:
[ 30.280176]  dump_stack+0x1b2/0x281
[ 30.283776]  panic+0x1f9/0x42d
[ 30.286940]  ? add_taint.cold+0x16/0x16
[ 30.290886]  ? ___preempt_schedule+0x16/0x18
[ 30.295267]  kasan_end_report+0x43/0x49
[ 30.299212]  kasan_report_error.cold+0xa7/0x191
[ 30.303862]  ? udf_get_filelongad+0x111/0x120
[ 30.308331]  __asan_report_load_n_noabort+0x6b/0x80
[ 30.313326]  ? udf_get_filelongad+0x111/0x120
[ 30.317796]  udf_get_filelongad+0x111/0x120
[ 30.322098]  udf_current_aext+0x183/0x8b0
[ 30.326235]  udf_next_aext+0x1f5/0x360
[ 30.330097]  udf_setsize+0x69f/0xe90
[ 30.333784]  ? inode_bmap+0x730/0x730
[ 30.337555]  ? current_time+0x16/0xb0
[ 30.341329]  ? mark_held_locks+0xa6/0xf0
[ 30.345448]  ? current_kernel_time64+0x17c/0x230
[ 30.350174]  ? inode_newsize_ok+0x145/0x1c0
[ 30.354465]  ? setattr_prepare+0xbe/0x530
[ 30.358633]  ? udf_file_write_iter+0x470/0x470
[ 30.363183]  udf_setattr+0xd2/0x130
[ 30.366780]  notify_change+0x56b/0xd10
[ 30.370642]  do_truncate+0xff/0x1a0
[ 30.374239]  ? finish_open+0x170/0x170
[ 30.378100]  ? apparmor_path_truncate+0x163/0x1d0
[ 30.382915]  do_sys_ftruncate.constprop.0+0x3a3/0x480
[ 30.388076]  ? compat_SyS_truncate+0x40/0x40
[ 30.392455]  do_syscall_64+0x1d5/0x640
[ 30.396316]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 30.401693] Kernel Offset: disabled
[ 30.405302] Rebooting in 86400 seconds..
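What the report above establishes, read mechanically: a 4-byte read by udf_get_filelongad, reached from ftruncate() through udf_setattr, udf_setsize and udf_next_aext, landed 472 bytes into a 512-byte kmalloc-512 object whose last allocation (__alloc_skb via unix_dgram_sendmsg) and last free (skb_release_data via unix_dgram_recvmsg) were AF_UNIX socket-buffer traffic with no UDF frame in either stack, and the shadow byte for that address is fb (freed). The access is inside the object, so this is a stale pointer into a recycled slab slot rather than an out-of-bounds read. The script below, an added example and not part of this syzkaller log, pulls those facts out of the report text and performs the consistency checks a triager does by hand (reported offset versus computed offset, access within the region, shadow byte at the faulting address, whether the alloc/free owners are unrelated to the accessor). The regexes are assumptions about the 4.14-era KASAN text format, and SAMPLE is a constructed, abridged copy of the report on this page used as offline input.

```python
"""Parse a syzkaller/KASAN use-after-free report and derive the first things a triager
checks.  Added example, not part of the crash log on this page; the regexes are assumptions
about the 4.14-era KASAN text format, and SAMPLE is a constructed, abridged copy of the report."""
import re

SAMPLE = """\
[ 29.857195] BUG: KASAN: use-after-free in udf_get_filelongad+0x111/0x120
[ 29.864013] Read of size 4 at addr ffff8880b4371c98 by task syz-executor278/7977
[ 29.890400] Call Trace:
[ 29.892971] dump_stack+0x1b2/0x281
[ 29.906472] ? udf_get_filelongad+0x111/0x120
[ 29.910938] __asan_report_load_n_noabort+0x6b/0x80
[ 29.920409] udf_get_filelongad+0x111/0x120
[ 29.932708] udf_setsize+0x69f/0xe90
[ 29.985481] do_sys_ftruncate.constprop.0+0x3a3/0x480
[ 30.005654] Allocated by task 5881:
[ 30.009285] kasan_kmalloc+0xeb/0x160
[ 30.013063] __kmalloc_node_track_caller+0x4c/0x70
[ 30.017972] __alloc_skb+0x96/0x510
[ 30.030594] unix_dgram_sendmsg+0x331/0x1080
[ 30.049896] SyS_write+0xf2/0x210
[ 30.063973] Freed by task 4631:
[ 30.067233] kasan_slab_free+0xc3/0x1a0
[ 30.071182] kfree+0xc9/0x250
[ 30.074266] skb_release_data+0x5f6/0x820
[ 30.086021] unix_dgram_recvmsg+0x67e/0xc60
[ 30.097956] ___sys_recvmsg+0x20b/0x4d0
[ 30.115849] The buggy address belongs to the object at ffff8880b4371ac0
[ 30.115849] which belongs to the cache kmalloc-512 of size 512
[ 30.128483] The buggy address is located 472 bytes inside of
[ 30.128483] 512-byte region [ffff8880b4371ac0, ffff8880b4371cc0)
[ 30.200268] >ffff8880b4371c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " marks an unreliable frame
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
SYSCALL = re.compile(r"_*(?:SyS|sys|do_sys)_(\w+?)(?:\.constprop\.\d+)?$")
# Reporting and allocator plumbing: never the code that owns the memory.
NOISE = ("dump_stack", "print_address", "kasan_", "__asan_", "__kmalloc", "kfree", "kmem_cache_")
SHADOW_MEANING = {0x00: "accessible", 0xFB: "freed slab object", 0xFC: "slab redzone"}

def parse_kasan_report(text):
    """Return the header facts, the three stacks (reliable frames only) and the shadow rows."""
    rep = {"crash_stack": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        ln = TS.sub("", raw).strip()
        if m := HEADER.search(ln):
            rep["bug"], rep["site"] = m["bug"], m["site"]
        elif m := ACCESS.search(ln):
            rep.update(kind=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif ln == "Call Trace:":
            section = "crash_stack"
        elif m := re.match(r"(Allocated|Freed) by task \d+:", ln):
            section = "alloc_stack" if m[1] == "Allocated" else "free_stack"
        elif m := re.search(r"object at ([0-9a-f]+)", ln):
            section, rep["object"] = None, int(m[1], 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", ln):
            rep["cache"], rep["cache_size"] = m[1], int(m[2])
        elif m := re.search(r"located (\d+) bytes inside of", ln):
            rep["reported_offset"] = int(m[1])
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", ln):
            rep["region"] = (int(m[1], 16), int(m[2], 16))
        elif m := SHADOW.match(ln):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(ln)) and not m[1]:
            rep[section].append(m[2])
    return rep

def owner(stack):  # first frame that is not plumbing: the code that really touched the memory
    return next((s for s in stack if not s.startswith(NOISE)), None)

def syscall(stack):  # syscall that entered the kernel for this stack, if visible
    return next((m[1] for s in stack if (m := SYSCALL.search(s))), None)

def shadow_at(rep, addr):  # one shadow byte per 8-byte granule, 16 granules per printed row
    row = rep["shadow"].get(addr & ~0x7F)
    return None if row is None else SHADOW_MEANING.get(row[(addr & 0x7F) >> 3], "other")

def triage(rep):
    lo, hi = rep["region"]
    accessor = owner(rep["crash_stack"])
    prefix = accessor.lstrip("_").split("_")[0] + "_"
    # Heuristic: if no alloc/free frame shares the accessor's symbol prefix, the slab slot was
    # recycled by unrelated code, so the accessor is following a stale pointer into it.
    foreign = not any(s.lstrip("_").startswith(prefix) for s in rep["alloc_stack"] + rep["free_stack"])
    return {
        "accessor": accessor,
        "allocator": owner(rep["alloc_stack"]),
        "freer": owner(rep["free_stack"]),
        "syscalls": tuple(syscall(rep[k]) for k in ("crash_stack", "alloc_stack", "free_stack")),
        "offset_matches_report": rep["addr"] - lo == rep["reported_offset"],
        "access_inside_object": lo <= rep["addr"] and rep["addr"] + rep["size"] <= hi,
        "region_matches_cache": hi - lo == rep["cache_size"],
        "shadow": shadow_at(rep, rep["addr"]),
        "last_owner_unrelated": foreign,
    }
```

Run it with `python3 -c 'import kasan_triage as k; print(k.triage(k.parse_kasan_report(k.SAMPLE)))'` (module name assumed). Frames prefixed with "? " are deliberately dropped, since the unwinder prints them for stale stack slots and they would otherwise make udf_get_filelongad appear to be its own caller; the real report feeds in unchanged, the SAMPLE is only shortened to keep the example small.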