==================================================================
BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246
Read of size 1 at addr ffff888130c3b365 by task syz-executor/1290
CPU: 1 PID: 1290 Comm: syz-executor Not tainted 6.1.124-syzkaller-00008-gccc915784332 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:427
kasan_report+0x13c/0x170 mm/kasan/report.c:531
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:348
ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246
ext4_dx_readdir fs/ext4/dir.c:605 [inline]
ext4_readdir+0x2e6f/0x3860 fs/ext4/dir.c:142
iterate_dir+0x265/0x600
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
__x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
x64_sys_call+0x5ae/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd3eafbf753
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 52 3e f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007fff7ba4de08 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000555559c644e0 RCX: 00007fd3eafbf753
RDX: 0000000000008000 RSI: 0000555559c644e0 RDI: 0000000000000005
RBP: 0000555559c644b4 R08: 0000000000028b61 R09: 0000000000000000
R10: 00007fd3eb17cca0 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000010 R14: 0000555559c644b0 R15: 00007fff7ba500c0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0004c30ec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x130c3b
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 374, tgid 374 (syz-executor), ts 56447581733, free_ts 56941707585
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
__alloc_pages+0x234/0x610 mm/page_alloc.c:5837
__vmalloc_area_node mm/vmalloc.c:3074 [inline]
__vmalloc_node_range+0x8a5/0x1560 mm/vmalloc.c:3246
vmalloc_user+0x73/0x80 mm/vmalloc.c:3400
kcov_ioctl+0x59/0x640 kernel/kcov.c:713
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0x114/0x190 fs/ioctl.c:856
__x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:856
x64_sys_call+0x98/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1545 [inline]
free_pcp_prepare mm/page_alloc.c:1619 [inline]
free_unref_page_prepare+0x9f1/0xa00 mm/page_alloc.c:3581
free_unref_page+0xb2/0x5c0 mm/page_alloc.c:3677
free_the_page mm/page_alloc.c:830 [inline]
__free_pages+0x61/0xf0 mm/page_alloc.c:5926
__vunmap+0x9c6/0xb80 mm/vmalloc.c:2729
__vfree mm/vmalloc.c:2778 [inline]
vfree+0x5c/0x80 mm/vmalloc.c:2809
kcov_put kernel/kcov.c:437 [inline]
kcov_close+0x2b/0x50 kernel/kcov.c:533
__fput+0x1e5/0x870 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x24d/0x2e0 kernel/task_work.c:203
exit_task_work include/linux/task_work.h:39 [inline]
do_exit+0xbd0/0x2b80 kernel/exit.c:877
do_group_exit+0x21a/0x2d0 kernel/exit.c:1027
get_signal+0x169d/0x1820 kernel/signal.c:2889
arch_do_signal_or_restart+0xb0/0x16f0 arch/x86/kernel/signal.c:871
exit_to_user_mode_loop+0x74/0xa0 kernel/entry/common.c:174
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:303
Memory state around the buggy address:
ffff888130c3b200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888130c3b280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888130c3b300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888130c3b380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888130c3b400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs (loop4): unmounting filesystem.