Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 35.457812][ T5967] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5967 'syz-executor407' [ 35.615623][ T5967] loop0: detected capacity change from 0 to 32768 [ 35.715911][ T5967] ================================================================================ [ 35.718089][ T5967] UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2238:2 [ 35.719757][ T5967] index 2000 is out of range for type 's64[128]' (aka 'long long[128]') [ 35.721603][ T5967] CPU: 0 PID: 5967 Comm: syz-executor407 Not tainted 6.4.0-rc2-syzkaller-gf1fcbaa18b28 #0 [ 35.723792][ T5967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 35.725903][ T5967] Call trace: [ 35.726596][ T5967] dump_backtrace+0x1b8/0x1e4 [ 35.727653][ T5967] show_stack+0x2c/0x44 [ 35.728550][ T5967] dump_stack_lvl+0xd0/0x124 [ 35.729570][ T5967] dump_stack+0x1c/0x28 [ 35.730487][ T5967] __ubsan_handle_out_of_bounds+0xfc/0x148 [ 35.731751][ T5967] dbAllocBits+0x8a4/0x8d0 [ 35.732694][ T5967] dbAllocNear+0x224/0x334 [ 35.733660][ T5967] dbAlloc+0x8b4/0xb68 [ 35.734606][ T5967] ea_get+0x6f8/0xef0 [ 35.735517][ T5967] __jfs_setxattr+0x41c/0x1338 [ 35.736593][ T5967] __jfs_set_acl+0x108/0x1a4 [ 35.737621][ T5967] jfs_set_acl+0x20c/0x478 [ 35.738603][ T5967] vfs_set_acl+0x728/0x94c [ 35.739631][ T5967] do_set_acl+0xe4/0x1ac [ 35.740540][ T5967] setxattr+0x230/0x29c [ 35.741485][ T5967] path_setxattr+0x17c/0x258 [ 35.742440][ T5967] __arm64_sys_lsetxattr+0xbc/0xd8 [ 35.743593][ T5967] invoke_syscall+0x98/0x2c0 [ 35.744637][ T5967] el0_svc_common+0x138/0x258 [ 35.745641][ T5967] do_el0_svc+0x64/0x198 [ 35.746565][ T5967] el0_svc+0x4c/0x15c [ 35.747512][ T5967] el0t_64_sync_handler+0x84/0xf0 [ 35.748605][ T5967] el0t_64_sync+0x190/0x194 [ 35.749715][ T5967] ================================================================================ [ 35.751679][ T5967] ================================================================== [ 35.753400][ T5967] BUG: KASAN: slab-use-after-free in dbAllocBits+0x7a8/0x8d0 [ 35.755047][ T5967] Read of size 8 at addr ffff0000dc158eb8 by task syz-executor407/5967 [ 35.756826][ T5967] [ 35.757286][ T5967] CPU: 0 PID: 5967 Comm: syz-executor407 Not tainted 6.4.0-rc2-syzkaller-gf1fcbaa18b28 #0 [ 35.759528][ T5967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 35.761724][ T5967] Call trace: [ 35.762418][ T5967] dump_backtrace+0x1b8/0x1e4 [ 35.763437][ T5967] show_stack+0x2c/0x44 [ 35.764323][ T5967] dump_stack_lvl+0xd0/0x124 [ 35.765249][ T5967] print_report+0x174/0x514 [ 35.766173][ T5967] kasan_report+0xd4/0x130 [ 35.767138][ T5967] __asan_report_load8_noabort+0x20/0x2c [ 35.768318][ T5967] dbAllocBits+0x7a8/0x8d0 [ 35.769247][ T5967] dbAllocNear+0x224/0x334 [ 35.770200][ T5967] dbAlloc+0x8b4/0xb68 [ 35.771122][ T5967] ea_get+0x6f8/0xef0 [ 35.772041][ T5967] __jfs_setxattr+0x41c/0x1338 [ 35.773060][ T5967] __jfs_set_acl+0x108/0x1a4 [ 35.774067][ T5967] jfs_set_acl+0x20c/0x478 [ 35.775020][ T5967] vfs_set_acl+0x728/0x94c [ 35.775994][ T5967] do_set_acl+0xe4/0x1ac [ 35.776899][ T5967] setxattr+0x230/0x29c [ 35.777807][ T5967] path_setxattr+0x17c/0x258 [ 35.778759][ T5967] __arm64_sys_lsetxattr+0xbc/0xd8 [ 35.779887][ T5967] invoke_syscall+0x98/0x2c0 [ 35.780902][ T5967] el0_svc_common+0x138/0x258 [ 35.781928][ T5967] do_el0_svc+0x64/0x198 [ 35.782858][ T5967] el0_svc+0x4c/0x15c [ 35.783694][ T5967] el0t_64_sync_handler+0x84/0xf0 [ 35.784707][ T5967] el0t_64_sync+0x190/0x194 [ 35.785663][ T5967] [ 35.786141][ T5967] Allocated by task 5925: [ 35.787071][ T5967] kasan_set_track+0x4c/0x7c [ 35.788138][ T5967] kasan_save_alloc_info+0x24/0x30 [ 35.789277][ T5967] __kasan_kmalloc+0xac/0xc4 [ 35.790257][ T5967] __kmalloc+0xcc/0x1b8 [ 35.791135][ T5967] tomoyo_realpath_from_path+0xc8/0x4cc [ 35.792396][ T5967] tomoyo_path_perm+0x218/0x588 [ 35.793486][ T5967] tomoyo_inode_getattr+0x28/0x38 [ 35.794610][ T5967] security_inode_getattr+0xd8/0x124 [ 35.795739][ T5967] vfs_statx+0x184/0x420 [ 35.796616][ T5967] __arm64_sys_newfstatat+0x12c/0x1b4 [ 35.797767][ T5967] invoke_syscall+0x98/0x2c0 [ 35.798721][ T5967] el0_svc_common+0x138/0x258 [ 35.799765][ T5967] do_el0_svc+0x64/0x198 [ 35.800761][ T5967] el0_svc+0x4c/0x15c [ 35.801621][ T5967] el0t_64_sync_handler+0x84/0xf0 [ 35.802676][ T5967] el0t_64_sync+0x190/0x194 [ 35.803670][ T5967] [ 35.804163][ T5967] Freed by task 5925: [ 35.805022][ T5967] kasan_set_track+0x4c/0x7c [ 35.806086][ T5967] kasan_save_free_info+0x38/0x5c [ 35.807171][ T5967] ____kasan_slab_free+0x144/0x1c0 [ 35.808309][ T5967] __kasan_slab_free+0x18/0x28 [ 35.809352][ T5967] __kmem_cache_free+0x2a8/0x49c [ 35.810511][ T5967] kfree+0xb8/0x19c [ 35.811312][ T5967] tomoyo_realpath_from_path+0x484/0x4cc [ 35.812605][ T5967] tomoyo_path_perm+0x218/0x588 [ 35.813669][ T5967] tomoyo_inode_getattr+0x28/0x38 [ 35.814733][ T5967] security_inode_getattr+0xd8/0x124 [ 35.815894][ T5967] vfs_statx+0x184/0x420 [ 35.816834][ T5967] __arm64_sys_newfstatat+0x12c/0x1b4 [ 35.817987][ T5967] invoke_syscall+0x98/0x2c0 [ 35.818976][ T5967] el0_svc_common+0x138/0x258 [ 35.820037][ T5967] do_el0_svc+0x64/0x198 [ 35.821007][ T5967] el0_svc+0x4c/0x15c [ 35.821874][ T5967] el0t_64_sync_handler+0x84/0xf0 [ 35.822944][ T5967] el0t_64_sync+0x190/0x194 [ 35.823888][ T5967] [ 35.824368][ T5967] The buggy address belongs to the object at ffff0000dc158000 [ 35.824368][ T5967] which belongs to the cache kmalloc-4k of size 4096 [ 35.827506][ T5967] The buggy address is located 3768 bytes inside of [ 35.827506][ T5967] freed 4096-byte region [ffff0000dc158000, ffff0000dc159000) [ 35.830538][ T5967] [ 35.831033][ T5967] The buggy address belongs to the physical page: [ 35.832422][ T5967] page:000000009696a80b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c158 [ 35.834683][ T5967] head:000000009696a80b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 35.836530][ T5967] anon flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) [ 35.838387][ T5967] page_type: 0xffffffff() [ 35.839366][ T5967] raw: 05ffc00000010200 ffff0000c0002a80 0000000000000000 dead000000000001 [ 35.841199][ T5967] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 [ 35.843022][ T5967] page dumped because: kasan: bad access detected [ 35.844431][ T5967] [ 35.844931][ T5967] Memory state around the buggy address: [ 35.846142][ T5967] ffff0000dc158d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.847853][ T5967] ffff0000dc158e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.849544][ T5967] >ffff0000dc158e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.851393][ T5967] ^ [ 35.852697][ T5967] ffff0000dc158f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.854405][ T5967] ffff0000dc158f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.856176][ T5967] ================================================================== [ 35.857985][ T5967] Disabling lock debugging due to kernel taint [ 35.859440][ T5967] JFS: metapage_get_blocks failed [ 35.860502][ T5967] ERROR: (device loop0): release_metapage: metapage_write_one() failed [ 35.860502][ T5967] [ 35.862919][ T5967] ERROR: (device loop0): remounting filesystem as read-only