Warning: Permanently added '10.128.0.14' (ED25519) to the list of known hosts.
executing program
[ 45.375105][ T4023] loop0: detected capacity change from 0 to 32768
[ 45.450938][ T4023] (syz-executor291,4023,0):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC.
[ 45.454669][ T4023] (syz-executor291,4023,0):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC.
[ 45.468544][ T4023] (syz-executor291,4023,1):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xcfdff595, computed 0xefed4a20. Applying ECC.
[ 45.474802][ T4023] JBD2: Ignoring recovery information on journal
[ 45.515304][ T4023] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
[ 45.530790][ T4023] ==================================================================
[ 45.532665][ T4023] BUG: KASAN: use-after-free in ocfs2_get_next_id+0x22c/0x8ac
[ 45.534358][ T4023] Read of size 8 at addr ffff0000caf40028 by task syz-executor291/4023
[ 45.536116][ T4023]
[ 45.536584][ T4023] CPU: 1 PID: 4023 Comm: syz-executor291 Not tainted 5.15.176-syzkaller #0
[ 45.538474][ T4023] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 45.540613][ T4023] Call trace:
[ 45.541338][ T4023]  dump_backtrace+0x0/0x530
[ 45.542376][ T4023]  show_stack+0x2c/0x3c
[ 45.543352][ T4023]  dump_stack_lvl+0x108/0x170
[ 45.544278][ T4023]  print_address_description+0x7c/0x3f0
[ 45.545457][ T4023]  kasan_report+0x174/0x1e4
[ 45.546525][ T4023]  __asan_report_load8_noabort+0x44/0x50
[ 45.547773][ T4023]  ocfs2_get_next_id+0x22c/0x8ac
[ 45.548798][ T4023]  dquot_get_next_dqblk+0x7c/0x348
[ 45.550012][ T4023]  quota_getnextquota+0x264/0x674
[ 45.551100][ T4023]  do_quotactl+0x52c/0x698
[ 45.552087][ T4023]  __arm64_sys_quotactl+0x2d8/0x7a4
[ 45.553212][ T4023]  invoke_syscall+0x98/0x2b8
[ 45.554314][ T4023]  el0_svc_common+0x138/0x258
[ 45.555277][ T4023]  do_el0_svc+0x58/0x14c
[ 45.556201][ T4023]  el0_svc+0x7c/0x1f0
[ 45.557038][ T4023]  el0t_64_sync_handler+0x84/0xe4
[ 45.558077][ T4023]  el0t_64_sync+0x1a0/0x1a4
[ 45.559169][ T4023]
[ 45.559649][ T4023] Allocated by task 4023:
[ 45.560571][ T4023]  ____kasan_kmalloc+0xbc/0xfc
[ 45.561590][ T4023]  __kasan_kmalloc+0x10/0x1c
[ 45.562624][ T4023]  kmem_cache_alloc_trace+0x27c/0x47c
[ 45.563749][ T4023]  ocfs2_local_read_info+0x1b8/0x15bc
[ 45.564930][ T4023]  dquot_load_quota_sb+0x6f0/0xb1c
[ 45.565961][ T4023]  dquot_load_quota_inode+0x280/0x4f4
[ 45.567141][ T4023]  ocfs2_enable_quotas+0x1d4/0x3cc
[ 45.568160][ T4023]  ocfs2_fill_super+0x37bc/0x4abc
[ 45.569234][ T4023]  mount_bdev+0x274/0x370
[ 45.570200][ T4023]  ocfs2_mount+0x44/0x58
[ 45.571146][ T4023]  legacy_get_tree+0xd4/0x16c
[ 45.572079][ T4023]  vfs_get_tree+0x90/0x274
[ 45.573063][ T4023]  do_new_mount+0x278/0x8fc
[ 45.574045][ T4023]  path_mount+0x594/0x101c
[ 45.574957][ T4023]  __arm64_sys_mount+0x510/0x5e0
[ 45.576030][ T4023]  invoke_syscall+0x98/0x2b8
[ 45.577125][ T4023]  el0_svc_common+0x138/0x258
[ 45.578088][ T4023]  do_el0_svc+0x58/0x14c
[ 45.578988][ T4023]  el0_svc+0x7c/0x1f0
[ 45.579892][ T4023]  el0t_64_sync_handler+0x84/0xe4
[ 45.580966][ T4023]  el0t_64_sync+0x1a0/0x1a4
[ 45.581901][ T4023]
[ 45.582410][ T4023] Freed by task 4023:
[ 45.583282][ T4023]  kasan_set_track+0x4c/0x84
[ 45.584322][ T4023]  kasan_set_free_info+0x28/0x4c
[ 45.585387][ T4023]  ____kasan_slab_free+0x118/0x164
[ 45.586434][ T4023]  __kasan_slab_free+0x18/0x28
[ 45.587481][ T4023]  slab_free_freelist_hook+0x128/0x1ec
[ 45.588613][ T4023]  kfree+0x178/0x410
[ 45.589435][ T4023]  ocfs2_local_free_info+0x720/0x8a4
[ 45.590664][ T4023]  dquot_disable+0xefc/0x1800
[ 45.591619][ T4023]  ocfs2_susp_quotas+0x1f0/0x2d4
[ 45.592713][ T4023]  ocfs2_remount+0x464/0x9cc
[ 45.593621][ T4023]  legacy_reconfigure+0xfc/0x114
[ 45.594671][ T4023]  reconfigure_super+0x1d0/0x6ec
[ 45.595803][ T4023]  path_mount+0xbec/0x101c
[ 45.596722][ T4023]  __arm64_sys_mount+0x510/0x5e0
[ 45.597773][ T4023]  invoke_syscall+0x98/0x2b8
[ 45.598769][ T4023]  el0_svc_common+0x138/0x258
[ 45.599820][ T4023]  do_el0_svc+0x58/0x14c
[ 45.600730][ T4023]  el0_svc+0x7c/0x1f0
[ 45.601661][ T4023]  el0t_64_sync_handler+0x84/0xe4
[ 45.602682][ T4023]  el0t_64_sync+0x1a0/0x1a4
[ 45.603628][ T4023]
[ 45.604143][ T4023] The buggy address belongs to the object at ffff0000caf40000
[ 45.604143][ T4023]  which belongs to the cache kmalloc-1k of size 1024
[ 45.607366][ T4023] The buggy address is located 40 bytes inside of
[ 45.607366][ T4023]  1024-byte region [ffff0000caf40000, ffff0000caf40400)
[ 45.610421][ T4023] The buggy address belongs to the page:
[ 45.611596][ T4023] page:000000004fc827b8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10af40
[ 45.614002][ T4023] head:000000004fc827b8 order:3 compound_mapcount:0 compound_pincount:0
[ 45.615754][ T4023] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 45.617613][ T4023] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780
[ 45.619422][ T4023] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 45.621239][ T4023] page dumped because: kasan: bad access detected
[ 45.622619][ T4023]
[ 45.623088][ T4023] Memory state around the buggy address:
[ 45.624445][ T4023]  ffff0000caf3ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.626223][ T4023]  ffff0000caf3ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.628091][ T4023] >ffff0000caf40000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.629758][ T4023]                    ^
[ 45.631028][ T4023]  ffff0000caf40080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.632838][ T4023]  ffff0000caf40100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.634483][ T4023] ==================================================================
[ 45.636177][ T4023] Disabling lock debugging due to kernel taint