program: syz_mount_image$ext4(&(0x7f0000000180)='ext4\x00', &(0x7f0000000280)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x800700, &(0x7f0000000880)={[{@journal_ioprio={'journal_ioprio', 0x3d, 0x5}}, {@nogrpid}, {@debug_want_extra_isize={'debug_want_extra_isize', 0x3d, 0x5c}}, {@minixdf}, {@resgid}, {@sysvgroups}, {@usrjquota}]}, 0x3, 0x467, &(0x7f0000002280)="$eJzs3M9rHFUcAPDvzCb93SbWKrRWjRYx+CNp0qo9eFEUPFQU9FCPcZOW0m0jTQRbio0i9SJIQc/iUfAv8OZF1JPgVe9SKBqEVk+R2Z1JN9vdZNNsdmv384Fp39t5M/O+O+/tvJm3mwD61kj2TxKxKyJ+i4ihWnZlgZHafzcXL5X/WbxUTmJp6a0/k2q5G4uXykXRYrudeWY0jUg/SfKDxNb63c5duHhmqlKZOZ/nx+fPvjc+d+His6fPTp2aOTVzbvLYsaNHJl54fvK5tuJI1lifxXXjwIezB/e/9s7V18snrr7707fZNrvy9fVxdMpIFvhfS1WN657o9MF6bHddOhnoYUVYl1JEZKdrsNr/h6IUt07eULz6cU8rB2yq7Nq0tfXqhSXgHpbE2mX+7kZFgC4rLvTZ/W+xdGnocVe4/lLtBiiL+2a+1NYMRJqXGWy4v+2kkYg4sfDvV9kSm/QcAgCg3mflL4/HM83Gf2k8WFduTz6HMhwR90XE3oi4PyL2RcQDEVnZxiFlW0Ya8rePf9JrdxhaW7Lx34v53NbK8V8x+ovhUp7bXY1/MDl5ujJzOH9PRmNwa5afWOUY37/y6+et1tWP/7IlO34xFszrcW2g4QHd9NT8VHVQ2gHXP4o4MNAs/mR5JiCJiP0RcWB9u95TJE4/9c3B7QebF1o7/lV0YJ5p6euIJ2vnfyEa4i8kq89Pjm+Lyszh8aJV3O7nX6682er4LeLfsvHI2pOd/x0r239jkeGkfr52bv3HuPL7py3vae60/W9J3q6el+KN+mBqfv78RMSW5Hg1v+L1yVvbFvmifBb/6KHm/X9vvk12nIciImvCD0fEIxHxaF73xyLi8Yg4tEr8P76cJ5q01w21/w7I4p9u+vm33P4bzv/6E6UzP3xX7GzbuuPPzv/Ramo0f6X6+beGdiu40fcPAAAA/g/S6nfgk3RsOZ2mY2O17/Dvix1pZXZu/umTs++fm659V344BtPiSddQ3fPQiWQh32MtP5k/Ky7WH8mfG39R2l7Nj5VnK9M9jh363c4W/T/zR6nXtQM2XbN5tMmuTUEBvdTY/9OV2ctvdLMyQFf5vTb0rzX6f9qtegDd5/oP/atZ/7/ckDcXAPcm13/oX/o/9C/9H/qX/g99aSO/65fo50Sklcr0tojVCxd/EOjuqLNE+4lefzIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB0xn8BAAD///xQ9VA=") chdir(&(0x7f0000000140)='./file0\x00') (async) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='net_prio.prioidx\x00', 0x275a, 0x0) (async) r0 = socket$nl_crypto(0x10, 0x3, 0x15) sendmsg$nl_crypto(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000300)=@del={0xe0, 0x10, 0x94b3a63dd6d0c713, 0x70bd28, 0x25dfdbfc, {{'drbg_nopr_ctr_aes128\x00'}}}, 0xe0}, 0x1, 0x0, 0x0, 0x4000}, 0x0) mkdir(&(0x7f00000002c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x5) (async) creat(&(0x7f0000000580)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) (async) mknod$loop(&(0x7f0000000000)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0, 0x1) symlink(&(0x7f0000000dc0)='./file0\x00', &(0x7f0000000cc0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') (async) mkdirat(0xffffffffffffff9c, &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) [ 58.873232][ T5321] loop0: detected capacity change from 0 to 512 [ 58.892979][ T5321] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2240: inode #15: comm syz.0.0: corrupted in-inode xattr: invalid ea_ino [ 58.904551][ T5321] EXT4-fs error (device loop0): ext4_orphan_get:1393: comm syz.0.0: couldn't read orphan inode 15 (err -117) [ 58.910377][ T5321] EXT4-fs (loop0): mounted filesystem 00000007-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 58.923610][ T5321] ================================================================== [ 58.926088][ T5321] BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 [ 58.928581][ T5321] Write of size 251 at addr ffff88804c987f14 by task syz.0.0/5321 [ 58.931081][ T5321] [ 58.931986][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 [ 58.935586][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.939684][ T5321] Call Trace: [ 58.940932][ T5321] [ 58.942042][ T5321] dump_stack_lvl+0x241/0x360 [ 58.943854][ T5321] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.945854][ T5321] ? __pfx__printk+0x10/0x10 [ 58.947593][ T5321] ? _printk+0xd5/0x120 [ 58.949061][ T5321] ? __virt_addr_valid+0x183/0x530 [ 58.951029][ T5321] ? __virt_addr_valid+0x183/0x530 [ 58.953019][ T5321] print_report+0x169/0x550 [ 58.954895][ T5321] ? __virt_addr_valid+0x183/0x530 [ 58.956815][ T5321] ? __virt_addr_valid+0x183/0x530 [ 58.958858][ T5321] ? __virt_addr_valid+0x45f/0x530 [ 58.961084][ T5321] ? __phys_addr+0xba/0x170 [ 58.963114][ T5321] ? ext4_insert_dentry+0x36a/0x6d0 [ 58.965460][ T5321] kasan_report+0x143/0x180 [ 58.967360][ T5321] ? ext4_insert_dentry+0x36a/0x6d0 [ 58.969610][ T5321] kasan_check_range+0x282/0x290 [ 58.971538][ T5321] ? ext4_insert_dentry+0x36a/0x6d0 [ 58.973590][ T5321] __asan_memcpy+0x40/0x70 [ 58.975560][ T5321] ext4_insert_dentry+0x36a/0x6d0 [ 58.977089][ T5321] add_dirent_to_buf+0x3d9/0x750 [ 58.978760][ T5321] ? __pfx_add_dirent_to_buf+0x10/0x10 [ 58.980918][ T5321] ? __ext4_handle_dirty_metadata+0x30d/0x820 [ 58.983203][ T5321] make_indexed_dir+0xf98/0x1600 [ 58.984993][ T5321] ? __pfx_make_indexed_dir+0x10/0x10 [ 58.986920][ T5321] ? add_dirent_to_buf+0x398/0x750 [ 58.988781][ T5321] ? __pfx_add_dirent_to_buf+0x10/0x10 [ 58.990757][ T5321] ? __ext4_read_dirblock+0x527/0x890 [ 58.992784][ T5321] ext4_add_entry+0x222a/0x25d0 [ 58.994528][ T5321] ? __pfx_ext4_initxattrs+0x10/0x10 [ 58.996486][ T5321] ? __pfx_security_inode_init_security+0x10/0x10 [ 58.998785][ T5321] ? rcu_is_watching+0x15/0xb0 [ 59.000587][ T5321] ? __brelse+0x59/0xa0 [ 59.002225][ T5321] ? __ext4_new_inode+0x380f/0x4380 [ 59.004262][ T5321] ? __pfx_ext4_add_entry+0x10/0x10 [ 59.006208][ T5321] ext4_add_nondir+0x8d/0x290 [ 59.007966][ T5321] ? ext4_symlink+0x6ce/0xb50 [ 59.009718][ T5321] ext4_symlink+0x920/0xb50 [ 59.011408][ T5321] ? __pfx_ext4_symlink+0x10/0x10 [ 59.013329][ T5321] ? generic_permission+0x1e0/0x550 [ 59.015276][ T5321] ? inode_permission+0xff/0x460 [ 59.017223][ T5321] ? bpf_lsm_inode_symlink+0x9/0x10 [ 59.019144][ T5321] ? security_inode_symlink+0xbe/0x330 [ 59.021217][ T5321] vfs_symlink+0x137/0x2e0 [ 59.022922][ T5321] do_symlinkat+0x222/0x3a0 [ 59.024519][ T5321] ? __pfx_do_symlinkat+0x10/0x10 [ 59.026277][ T5321] ? strncpy_from_user+0x13a/0x260 [ 59.028061][ T5321] ? getname_flags+0x1e3/0x540 [ 59.029772][ T5321] __x64_sys_symlink+0x7a/0x90 [ 59.031441][ T5321] do_syscall_64+0xf3/0x230 [ 59.033056][ T5321] ? clear_bhb_loop+0x35/0x90 [ 59.034736][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.036806][ T5321] RIP: 0033:0x7fe3ce57e719 [ 59.038314][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 59.045376][ T5321] RSP: 002b:00007fe3cf38a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000058 [ 59.048373][ T5321] RAX: ffffffffffffffda RBX: 00007fe3ce735f80 RCX: 00007fe3ce57e719 [ 59.051162][ T5321] RDX: 0000000000000000 RSI: 0000000020000cc0 RDI: 0000000020000dc0 [ 59.053988][ T5321] RBP: 00007fe3ce5f139e R08: 0000000000000000 R09: 0000000000000000 [ 59.056923][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 59.059857][ T5321] R13: 0000000000000000 R14: 00007fe3ce735f80 R15: 00007ffcbe995b28 [ 59.062748][ T5321] [ 59.063942][ T5321] [ 59.064916][ T5321] The buggy address belongs to the physical page: [ 59.067336][ T5321] page: refcount:3 mapcount:0 mapping:ffff888031d04d78 index:0x3f pfn:0x4c987 [ 59.070575][ T5321] memcg:ffff888030476000 [ 59.072196][ T5321] aops:def_blk_aops ino:700000 dentry name(?):"" [ 59.074574][ T5321] flags: 0x4fff08000004214(referenced|dirty|workingset|private|node=1|zone=1|lastcpupid=0x7ff) [ 59.078146][ T5321] raw: 04fff08000004214 0000000000000000 dead000000000122 ffff888031d04d78 [ 59.081208][ T5321] raw: 000000000000003f ffff888031c85ae0 00000003ffffffff ffff888030476000 [ 59.084319][ T5321] page dumped because: kasan: bad access detected [ 59.086697][ T5321] page_owner tracks the page as allocated [ 59.088763][ T5321] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5321, tgid 5320 (syz.0.0), ts 58923500979, free_ts 0 [ 59.095464][ T5321] post_alloc_hook+0x1f3/0x230 [ 59.097215][ T5321] get_page_from_freelist+0x303f/0x3190 [ 59.099255][ T5321] __alloc_pages_noprof+0x292/0x710 [ 59.101164][ T5321] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.103196][ T5321] folio_alloc_noprof+0x128/0x180 [ 59.105122][ T5321] filemap_alloc_folio_noprof+0xdf/0x500 [ 59.107323][ T5321] __filemap_get_folio+0x446/0xbd0 [ 59.109201][ T5321] bdev_getblk+0x1d8/0x550 [ 59.110916][ T5321] ext4_getblk+0x303/0x800 [ 59.112589][ T5321] ext4_bread+0x2e/0x180 [ 59.114206][ T5321] ext4_append+0x327/0x5c0 [ 59.115867][ T5321] make_indexed_dir+0x523/0x1600 [ 59.117749][ T5321] ext4_add_entry+0x222a/0x25d0 [ 59.119549][ T5321] ext4_add_nondir+0x8d/0x290 [ 59.121323][ T5321] ext4_symlink+0x920/0xb50 [ 59.122987][ T5321] vfs_symlink+0x137/0x2e0 [ 59.124703][ T5321] page_owner free stack trace missing [ 59.126623][ T5321] [ 59.127393][ T5321] Memory state around the buggy address: [ 59.129335][ T5321] ffff88804c987f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.132337][ T5321] ffff88804c987f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.135371][ T5321] >ffff88804c988000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.138518][ T5321] ^ [ 59.140121][ T5321] ffff88804c988080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.143050][ T5321] ffff88804c988100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.146072][ T5321] ================================================================== [ 59.154319][ T5307] Bluetooth: hci0: command tx timeout [ 59.163514][ T5321] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.166356][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 [ 59.170327][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.174361][ T5321] Call Trace: [ 59.175687][ T5321] [ 59.176878][ T5321] dump_stack_lvl+0x241/0x360 [ 59.178720][ T5321] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.180550][ T5321] ? __pfx__printk+0x10/0x10 [ 59.182148][ T5321] ? preempt_schedule+0xe1/0xf0 [ 59.183891][ T5321] ? vscnprintf+0x5d/0x90 [ 59.185586][ T5321] panic+0x349/0x880 [ 59.187042][ T5321] ? check_panic_on_warn+0x21/0xb0 [ 59.188917][ T5321] ? __pfx_panic+0x10/0x10 [ 59.190628][ T5321] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.192974][ T5321] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.195821][ T5321] ? print_report+0x502/0x550 [ 59.197782][ T5321] check_panic_on_warn+0x86/0xb0 [ 59.199497][ T5321] ? ext4_insert_dentry+0x36a/0x6d0 [ 59.201490][ T5321] end_report+0x77/0x160 [ 59.203228][ T5321] kasan_report+0x154/0x180 [ 59.204897][ T5321] ? ext4_insert_dentry+0x36a/0x6d0 [ 59.206525][ T5321] kasan_check_range+0x282/0x290 [ 59.208480][ T5321] ? ext4_insert_dentry+0x36a/0x6d0 [ 59.210458][ T5321] __asan_memcpy+0x40/0x70 [ 59.212170][ T5321] ext4_insert_dentry+0x36a/0x6d0 [ 59.214059][ T5321] add_dirent_to_buf+0x3d9/0x750 [ 59.215880][ T5321] ? __pfx_add_dirent_to_buf+0x10/0x10 [ 59.218020][ T5321] ? __ext4_handle_dirty_metadata+0x30d/0x820 [ 59.220399][ T5321] make_indexed_dir+0xf98/0x1600 [ 59.222400][ T5321] ? __pfx_make_indexed_dir+0x10/0x10 [ 59.224154][ T5321] ? add_dirent_to_buf+0x398/0x750 [ 59.226113][ T5321] ? __pfx_add_dirent_to_buf+0x10/0x10 [ 59.228072][ T5321] ? __ext4_read_dirblock+0x527/0x890 [ 59.229960][ T5321] ext4_add_entry+0x222a/0x25d0 [ 59.231784][ T5321] ? __pfx_ext4_initxattrs+0x10/0x10 [ 59.233879][ T5321] ? __pfx_security_inode_init_security+0x10/0x10 [ 59.236339][ T5321] ? rcu_is_watching+0x15/0xb0 [ 59.238221][ T5321] ? __brelse+0x59/0xa0 [ 59.239861][ T5321] ? __ext4_new_inode+0x380f/0x4380 [ 59.241922][ T5321] ? __pfx_ext4_add_entry+0x10/0x10 [ 59.243855][ T5321] ext4_add_nondir+0x8d/0x290 [ 59.245743][ T5321] ? ext4_symlink+0x6ce/0xb50 [ 59.247479][ T5321] ext4_symlink+0x920/0xb50 [ 59.249385][ T5321] ? __pfx_ext4_symlink+0x10/0x10 [ 59.251573][ T5321] ? generic_permission+0x1e0/0x550 [ 59.253487][ T5321] ? inode_permission+0xff/0x460 [ 59.255239][ T5321] ? bpf_lsm_inode_symlink+0x9/0x10 [ 59.262420][ T5321] ? security_inode_symlink+0xbe/0x330 [ 59.264499][ T5321] vfs_symlink+0x137/0x2e0 [ 59.266210][ T5321] do_symlinkat+0x222/0x3a0 [ 59.268009][ T5321] ? __pfx_do_symlinkat+0x10/0x10 [ 59.269947][ T5321] ? strncpy_from_user+0x13a/0x260 [ 59.271868][ T5321] ? getname_flags+0x1e3/0x540 [ 59.273740][ T5321] __x64_sys_symlink+0x7a/0x90 [ 59.275598][ T5321] do_syscall_64+0xf3/0x230 [ 59.277313][ T5321] ? clear_bhb_loop+0x35/0x90 [ 59.279190][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.281344][ T5321] RIP: 0033:0x7fe3ce57e719 [ 59.283036][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 59.290202][ T5321] RSP: 002b:00007fe3cf38a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000058 [ 59.293249][ T5321] RAX: ffffffffffffffda RBX: 00007fe3ce735f80 RCX: 00007fe3ce57e719 [ 59.296493][ T5321] RDX: 0000000000000000 RSI: 0000000020000cc0 RDI: 0000000020000dc0 [ 59.300204][ T5321] RBP: 00007fe3ce5f139e R08: 0000000000000000 R09: 0000000000000000 [ 59.303518][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 59.306546][ T5321] R13: 0000000000000000 R14: 00007fe3ce735f80 R15: 00007ffcbe995b28 [ 59.309669][ T5321] [ 59.311319][ T5321] Kernel Offset: disabled [ 59.313241][ T5321] Rebooting in 86400 seconds..