syzbot

loop3: detected capacity change from 0 to 1024
EXT4-fs: Ignoring removed bh option
EXT4-fs error (device loop3): ext4_map_blocks:607: inode #3: block 69: comm syz.3.66: lblock 8 mapped to illegal pblock 69 (length 1)
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:930 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0xa6/0x480 kernel/time/timer.c:611
Write of size 8 at addr ffff8881152024c0 by task syz.3.66/611

CPU: 1 PID: 611 Comm: syz.3.66 Not tainted 6.1.90-syzkaller-00023-gedca080b95df #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x158/0x4e0 mm/kasan/report.c:427
 kasan_report+0x13c/0x170 mm/kasan/report.c:531
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report_generic.c:356
 hlist_add_head include/linux/list.h:930 [inline]
 enqueue_timer+0xa6/0x480 kernel/time/timer.c:611
 internal_add_timer kernel/time/timer.c:640 [inline]
 __mod_timer+0x8d3/0xcf0 kernel/time/timer.c:1121
 mod_timer+0x1f/0x30 kernel/time/timer.c:1172
 ext4_update_super+0xa41/0xe50 fs/ext4/super.c:6043
 ext4_commit_super+0xe3/0x4b0 fs/ext4/super.c:6062
 ext4_handle_error+0x5e1/0x890 fs/ext4/super.c:678
 __ext4_error_inode+0x327/0x5e0 fs/ext4/super.c:810
 ext4_map_blocks+0xacb/0x1ca0
 ext4_getblk+0x1eb/0x7b0 fs/ext4/inode.c:866
 ext4_bread+0x2f/0x180 fs/ext4/inode.c:922
 ext4_quota_write+0x21e/0x560 fs/ext4/super.c:7134
 write_blk fs/quota/quota_tree.c:64 [inline]
 do_insert_tree+0x136e/0x1b60 fs/quota/quota_tree.c:380
 do_insert_tree+0x73a/0x1b60 fs/quota/quota_tree.c:375
 do_insert_tree+0x73a/0x1b60 fs/quota/quota_tree.c:375
 do_insert_tree+0x73a/0x1b60 fs/quota/quota_tree.c:375
 dq_insert_tree fs/quota/quota_tree.c:401 [inline]
 qtree_write_dquot+0x3b3/0x530 fs/quota/quota_tree.c:420
 v2_write_dquot+0x123/0x190 fs/quota/quota_v2.c:358
 dquot_acquire+0x342/0x680 fs/quota/dquot.c:472
 ext4_acquire_dquot+0x2e4/0x4a0 fs/ext4/super.c:6760
 dqget+0x745/0xe60 fs/quota/dquot.c:986
 __dquot_initialize+0x2d9/0xde0 fs/quota/dquot.c:1516
 dquot_initialize+0x1a/0x20 fs/quota/dquot.c:1578
 ext4_process_orphan+0x59/0x2f0 fs/ext4/orphan.c:329
 ext4_orphan_cleanup+0xa50/0x11b0 fs/ext4/orphan.c:474
 __ext4_fill_super fs/ext4/super.c:5520 [inline]
 ext4_fill_super+0x7d46/0x8460 fs/ext4/super.c:5651
 get_tree_bdev+0x440/0x680 fs/super.c:1357
 ext4_get_tree+0x1c/0x20 fs/ext4/super.c:5681
 vfs_get_tree+0x88/0x290 fs/super.c:1564
 do_new_mount+0x2ba/0xb30 fs/namespace.c:3051
 path_mount+0x671/0x1070 fs/namespace.c:3381
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3579
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3579
 x64_sys_call+0x49d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff2e2b7b61a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff2e396ce68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ff2e396cef0 RCX: 00007ff2e2b7b61a
RDX: 0000000020000100 RSI: 00000000200005c0 RDI: 00007ff2e396ceb0
RBP: 0000000020000100 R08: 00007ff2e396cef0 R09: 0000000001018e58
R10: 0000000001018e58 R11: 0000000000000246 R12: 00000000200005c0
R13: 00007ff2e396ceb0 R14: 0000000000000641 R15: 0000000020000300
 </TASK>

Allocated by task 417:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:379 [inline]
 __kasan_kmalloc+0x9c/0xb0 mm/kasan/common.c:388
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 kmalloc_trace+0x44/0xa0 mm/slab_common.c:1052
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:692 [inline]
 ext4_alloc_sbi fs/ext4/super.c:4264 [inline]
 ext4_fill_super+0x102/0x8460 fs/ext4/super.c:5638
 get_tree_bdev+0x440/0x680 fs/super.c:1357
 ext4_get_tree+0x1c/0x20 fs/ext4/super.c:5681
 vfs_get_tree+0x88/0x290 fs/super.c:1564
 do_new_mount+0x2ba/0xb30 fs/namespace.c:3051
 path_mount+0x671/0x1070 fs/namespace.c:3381
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3579
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3579
 x64_sys_call+0x49d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 299:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1745 [inline]
 slab_free_freelist_hook mm/slub.c:1771 [inline]
 slab_free mm/slub.c:3684 [inline]
 __kmem_cache_free+0x218/0x3b0 mm/slub.c:3697
 kfree+0x7a/0xf0 mm/slab_common.c:1009
 ext4_put_super+0x9e5/0xd60 fs/ext4/super.c:1312
 generic_shutdown_super+0x14f/0x370 fs/super.c:503
 kill_block_super+0x7e/0xe0 fs/super.c:1461
 deactivate_locked_super+0xad/0x110 fs/super.c:334
 deactivate_super+0xbe/0xf0 fs/super.c:365
 cleanup_mnt+0x485/0x510 fs/namespace.c:1186
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1193
 task_work_run+0x24d/0x2e0 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xbd5/0x2b80 kernel/exit.c:875
 do_group_exit+0x21a/0x2d0 kernel/exit.c:1025
 __do_sys_exit_group kernel/exit.c:1036 [inline]
 __se_sys_exit_group kernel/exit.c:1034 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1034
 x64_sys_call+0x610/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff888115202000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1216 bytes inside of
 4096-byte region [ffff888115202000, ffff888115203000)

The buggy address belongs to the physical page:
page:ffffea0004548000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115200
head:ffffea0004548000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000001 ffff888100043380
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 109, tgid 109 (udevadm), ts 8156809989, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x213/0x220 mm/page_alloc.c:2590
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2597
 get_page_from_freelist+0x27ea/0x2870 mm/page_alloc.c:4425
 __alloc_pages+0x3a1/0x780 mm/page_alloc.c:5714
 alloc_slab_page+0x6c/0xf0
 allocate_slab mm/slub.c:1962 [inline]
 new_slab+0x90/0x3e0 mm/slub.c:2015
 ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
 __slab_alloc+0x5d/0xa0 mm/slub.c:3302
 slab_alloc_node mm/slub.c:3387 [inline]
 __kmem_cache_alloc_node+0x1af/0x250 mm/slub.c:3460
 kmalloc_trace+0x2a/0xa0 mm/slab_common.c:1047
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:692 [inline]
 kobject_uevent_env+0x262/0x720 lib/kobject_uevent.c:524
 kobject_synth_uevent+0x4eb/0xae0 lib/kobject_uevent.c:208
 uevent_store+0x25/0x60 drivers/base/core.c:2678
 dev_attr_store+0x5c/0x80 drivers/base/core.c:2380
 sysfs_kf_write+0x123/0x140 fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x2c4/0x410 fs/kernfs/file.c:330
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888115202380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888115202400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888115202480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888115202500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888115202580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
__quota_error: 2 callbacks suppressed
Quota error (device loop3): write_blk: dquota write failed
EXT4-fs error (device loop3): ext4_map_blocks:607: inode #3: block 68: comm syz.3.66: lblock 7 mapped to illegal pblock 68 (length 1)
Quota error (device loop3): write_blk: dquota write failed
EXT4-fs error (device loop3): ext4_map_blocks:607: inode #3: block 67: comm syz.3.66: lblock 6 mapped to illegal pblock 67 (length 1)
Quota error (device loop3): write_blk: dquota write failed
Quota error (device loop3): qtree_write_dquot: Error -117 occurred while creating quota
EXT4-fs error (device loop3): ext4_map_blocks:607: inode #3: block 48: comm syz.3.66: lblock 0 mapped to illegal pblock 48 (length 1)
Quota error (device loop3): v2_write_file_info: Can't write info structure
EXT4-fs error (device loop3): ext4_acquire_dquot:6764: comm syz.3.66: Failed to acquire dquot type 0
EXT4-fs error (device loop3) in ext4_reserve_inode_write:5870: Corrupt filesystem
EXT4-fs error (device loop3): ext4_evict_inode:279: inode #11: comm syz.3.66: mark_inode_dirty error
EXT4-fs warning (device loop3): ext4_evict_inode:282: couldn't mark inode dirty (err -117)
EXT4-fs (loop3): 1 orphan inode deleted
EXT4-fs (loop3): mounted filesystem without journal. Quota mode: none.
EXT4-fs (loop3): unmounting filesystem.
EXT4-fs error (device loop3) in ext4_reserve_inode_write:5870: Corrupt filesystem
EXT4-fs error (device loop3): ext4_quota_off:7053: inode #3: comm syz.3.66: mark_inode_dirty error