==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x9c/0xc0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888033c6d000 by task syz-executor.0/5859

CPU: 1 PID: 5859 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x9a/0xcc lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 crc_itu_t+0x9c/0xc0 lib/crc-itu-t.c:60
 udf_finalize_lvid+0xdb/0x1d0 fs/udf/super.c:2009
 udf_sync_fs+0xc9/0x130 fs/udf/super.c:2382
 __sync_filesystem fs/sync.c:39 [inline]
 sync_filesystem fs/sync.c:64 [inline]
 sync_filesystem+0xcb/0x1f0 fs/sync.c:48
 generic_shutdown_super+0x64/0x320 fs/super.c:448
 kill_block_super+0x90/0xd0 fs/super.c:1393
 deactivate_locked_super+0x7b/0x130 fs/super.c:335
 cleanup_mnt+0x326/0x4c0 fs/namespace.c:1118
 task_work_run+0xc0/0x160 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f0541c59aa7
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdcaf206e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f0541c59aa7
RDX: 00007ffdcaf207bb RSI: 000000000000000a RDI: 00007ffdcaf207b0
RBP: 00007ffdcaf207b0 R08: 00000000ffffffff R09: 00007ffdcaf20580
R10: 00005555570438b3 R11: 0000000000000246 R12: 00007f0541cb2826
R13: 00007ffdcaf21870 R14: 0000555557043810 R15: 00007ffdcaf218b0

The buggy address belongs to the page:
page:00000000a9991740 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x1 pfn:0x33c6d
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0000cd7a88 ffffea0000cf4b48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 7949, ts 107114744644
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x144/0x1c0 mm/page_alloc.c:2297
 prep_new_page mm/page_alloc.c:2306 [inline]
 get_page_from_freelist+0x1c6e/0x3f80 mm/page_alloc.c:3945
 __alloc_pages_nodemask+0x2d6/0x730 mm/page_alloc.c:4995
 alloc_pages_vma+0xb1/0x5d0 mm/mempolicy.c:2230
 shmem_alloc_page+0x11a/0x1d0 mm/shmem.c:1565
 shmem_alloc_and_acct_page+0xff/0x730 mm/shmem.c:1590
 shmem_getpage_gfp+0x470/0x1bc0 mm/shmem.c:1893
 shmem_getpage mm/shmem.c:155 [inline]
 shmem_write_begin+0xc6/0x1a0 mm/shmem.c:2528
 generic_perform_write+0x1ce/0x430 mm/filemap.c:3412
 __generic_file_write_iter+0x1fb/0x590 mm/filemap.c:3541
 generic_file_write_iter+0xb9/0x1c0 mm/filemap.c:3573
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x35d/0x5f0 fs/read_write.c:518
 vfs_write+0x5be/0x870 fs/read_write.c:605
 ksys_pwrite64 fs/read_write.c:712 [inline]
 __do_sys_pwrite64 fs/read_write.c:722 [inline]
 __se_sys_pwrite64 fs/read_write.c:719 [inline]
 __x64_sys_pwrite64+0x198/0x1f0 fs/read_write.c:719
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1271 [inline]
 free_pcp_prepare+0x2cb/0x410 mm/page_alloc.c:1306
 free_unref_page_prepare mm/page_alloc.c:3200 [inline]
 free_unref_page_list+0x19b/0x750 mm/page_alloc.c:3268
 release_pages+0xbee/0x1400 mm/swap.c:934
 __pagevec_release+0x59/0xe0 mm/swap.c:954
 pagevec_release include/linux/pagevec.h:85 [inline]
 shmem_undo_range+0x70e/0x1180 mm/shmem.c:954
 shmem_truncate_range mm/shmem.c:1058 [inline]
 shmem_evict_inode+0x345/0xa90 mm/shmem.c:1158
 evict+0x296/0x5d0 fs/inode.c:577
 __dentry_kill+0x315/0x550 fs/dcache.c:579
 __fput+0x2d3/0x870 fs/file_table.c:293
 task_work_run+0xc0/0x160 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff888033c6cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888033c6cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888033c6d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888033c6d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888033c6d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================