Warning: Permanently added '10.128.1.101' (ED25519) to the list of known hosts.
executing program
[ 37.474308][ T4290] loop0: detected capacity change from 0 to 32768
[ 37.480722][ T4290] (syz-executor214,4290,0):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC.
[ 37.484120][ T4290] (syz-executor214,4290,0):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC.
[ 37.491856][ T4290] (syz-executor214,4290,0):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xcfdff595, computed 0xefed4a20. Applying ECC.
[ 37.497284][ T4290] JBD2: Ignoring recovery information on journal
[ 37.528574][ T4290] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
[ 37.541088][ T4290] ==================================================================
[ 37.542730][ T4290] BUG: KASAN: use-after-free in ocfs2_get_next_id+0x250/0x944
[ 37.544179][ T4290] Read of size 8 at addr ffff0000d0fc0028 by task syz-executor214/4290
[ 37.545736][ T4290]
[ 37.546222][ T4290] CPU: 0 PID: 4290 Comm: syz-executor214 Not tainted 6.1.124-syzkaller #0
[ 37.547979][ T4290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 37.550039][ T4290] Call trace:
[ 37.550685][ T4290]  dump_backtrace+0x1c8/0x1f4
[ 37.551634][ T4290]  show_stack+0x2c/0x3c
[ 37.552493][ T4290]  dump_stack_lvl+0x108/0x170
[ 37.553468][ T4290]  print_report+0x174/0x4c0
[ 37.554424][ T4290]  kasan_report+0xd4/0x130
[ 37.555359][ T4290]  __asan_report_load8_noabort+0x2c/0x38
[ 37.556609][ T4290]  ocfs2_get_next_id+0x250/0x944
[ 37.557645][ T4290]  dquot_get_next_dqblk+0x7c/0x348
[ 37.558652][ T4290]  quota_getnextquota+0x264/0x650
[ 37.559691][ T4290]  do_quotactl+0x52c/0x698
[ 37.560619][ T4290]  __arm64_sys_quotactl+0x2d8/0x7a0
[ 37.561685][ T4290]  invoke_syscall+0x98/0x2bc
[ 37.562718][ T4290]  el0_svc_common+0x138/0x258
[ 37.563641][ T4290]  do_el0_svc+0x58/0x13c
[ 37.564570][ T4290]  el0_svc+0x58/0x168
[ 37.565355][ T4290]  el0t_64_sync_handler+0x84/0xf0
[ 37.566389][ T4290]  el0t_64_sync+0x18c/0x190
[ 37.567340][ T4290]
[ 37.567828][ T4290] Allocated by task 4290:
[ 37.568735][ T4290]  kasan_set_track+0x4c/0x80
[ 37.569697][ T4290]  kasan_save_alloc_info+0x24/0x30
[ 37.570729][ T4290]  __kasan_kmalloc+0xac/0xc4
[ 37.571820][ T4290]  kmalloc_trace+0x7c/0x94
[ 37.572723][ T4290]  ocfs2_local_read_info+0x1b8/0x15bc
[ 37.573790][ T4290]  dquot_load_quota_sb+0x6f0/0xb1c
[ 37.574906][ T4290]  dquot_load_quota_inode+0x280/0x4f4
[ 37.576033][ T4290]  ocfs2_enable_quotas+0x1d4/0x3cc
[ 37.577128][ T4290]  ocfs2_fill_super+0x3aa4/0x48c4
[ 37.578189][ T4290]  mount_bdev+0x274/0x370
[ 37.579064][ T4290]  ocfs2_mount+0x44/0x58
[ 37.579997][ T4290]  legacy_get_tree+0xd4/0x16c
[ 37.580981][ T4290]  vfs_get_tree+0x90/0x274
[ 37.581941][ T4290]  do_new_mount+0x278/0x8fc
[ 37.582822][ T4290]  path_mount+0x590/0xe5c
[ 37.583589][ T4290]  __arm64_sys_mount+0x45c/0x594
[ 37.584538][ T4290]  invoke_syscall+0x98/0x2bc
[ 37.585528][ T4290]  el0_svc_common+0x138/0x258
[ 37.586510][ T4290]  do_el0_svc+0x58/0x13c
[ 37.587419][ T4290]  el0_svc+0x58/0x168
[ 37.588114][ T4290]  el0t_64_sync_handler+0x84/0xf0
[ 37.589140][ T4290]  el0t_64_sync+0x18c/0x190
[ 37.590018][ T4290]
[ 37.590417][ T4290] Freed by task 4290:
[ 37.591212][ T4290]  kasan_set_track+0x4c/0x80
[ 37.592175][ T4290]  kasan_save_free_info+0x38/0x5c
[ 37.593151][ T4290]  ____kasan_slab_free+0x144/0x1c0
[ 37.594264][ T4290]  __kasan_slab_free+0x18/0x28
[ 37.595257][ T4290]  __kmem_cache_free+0x2c0/0x4b4
[ 37.596262][ T4290]  kfree+0xcc/0x1b8
[ 37.597050][ T4290]  ocfs2_local_free_info+0x720/0x8a4
[ 37.598119][ T4290]  dquot_disable+0xebc/0x17c0
[ 37.599229][ T4290]  ocfs2_susp_quotas+0x1f0/0x2d4
[ 37.600172][ T4290]  ocfs2_remount+0x464/0x9cc
[ 37.601090][ T4290]  legacy_reconfigure+0xfc/0x114
[ 37.602123][ T4290]  reconfigure_super+0x318/0x7a4
[ 37.603065][ T4290]  path_mount+0xc70/0xe5c
[ 37.603949][ T4290]  __arm64_sys_mount+0x45c/0x594
[ 37.604980][ T4290]  invoke_syscall+0x98/0x2bc
[ 37.605981][ T4290]  el0_svc_common+0x138/0x258
[ 37.607014][ T4290]  do_el0_svc+0x58/0x13c
[ 37.607950][ T4290]  el0_svc+0x58/0x168
[ 37.608785][ T4290]  el0t_64_sync_handler+0x84/0xf0
[ 37.609820][ T4290]  el0t_64_sync+0x18c/0x190
[ 37.610776][ T4290]
[ 37.611231][ T4290] The buggy address belongs to the object at ffff0000d0fc0000
[ 37.611231][ T4290]  which belongs to the cache kmalloc-1k of size 1024
[ 37.614097][ T4290] The buggy address is located 40 bytes inside of
[ 37.614097][ T4290]  1024-byte region [ffff0000d0fc0000, ffff0000d0fc0400)
[ 37.616762][ T4290]
[ 37.617206][ T4290] The buggy address belongs to the physical page:
[ 37.618466][ T4290] page:00000000264f5995 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110fc0
[ 37.620623][ T4290] head:00000000264f5995 order:3 compound_mapcount:0 compound_pincount:0
[ 37.622376][ T4290] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 37.624083][ T4290] raw: 05ffc00000010200 fffffc00031bfa00 dead000000000002 ffff0000c0002780
[ 37.625813][ T4290] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 37.627472][ T4290] page dumped because: kasan: bad access detected
[ 37.628840][ T4290]
[ 37.629323][ T4290] Memory state around the buggy address:
[ 37.630471][ T4290]  ffff0000d0fbff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.632164][ T4290]  ffff0000d0fbff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.633909][ T4290] >ffff0000d0fc0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.635521][ T4290]                                   ^
[ 37.636594][ T4290]  ffff0000d0fc0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.638271][ T4290]  ffff0000d0fc0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.639886][ T4290] ==================================================================
[ 37.641910][ T4290] Disabling lock debugging due to kernel taint