netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. ================================================================== BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68 Read of size 2 at addr ffff8880559e2002 by task syz-executor.0/19796 CPU: 1 PID: 19796 Comm: syz-executor.0 Not tainted 4.14.184-syzkaller #0 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393 __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68 ext4_readdir+0x819/0x27e0 fs/ext4/dir.c:240 iterate_dir+0x1a0/0x5e0 fs/readdir.c:52 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. SYSC_getdents fs/readdir.c:269 [inline] SyS_getdents+0x132/0x260 fs/readdir.c:250 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x45c1f9 RSP: 002b:00007f774a0ddc78 EFLAGS: 00000246 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 0000000000003ec0 RCX: 000000000045c1f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 000000000078bf40 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. R13: 00007fff2f7763df R14: 00007f774a0de9c0 R15: 000000000078bf0c Allocated by task 3641: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552 getname_flags+0xc8/0x550 fs/namei.c:138 user_path_at_empty+0x2a/0x50 fs/namei.c:2631 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0xd1/0x160 fs/stat.c:185 vfs_lstat include/linux/fs.h:3066 [inline] SYSC_newlstat fs/stat.c:350 [inline] SyS_newlstat+0x83/0xe0 fs/stat.c:344 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 3641: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xaf/0x190 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758 putname+0xcd/0x110 fs/namei.c:259 filename_lookup+0x23a/0x380 fs/namei.c:2386 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0xd1/0x160 fs/stat.c:185 vfs_lstat include/linux/fs.h:3066 [inline] SYSC_newlstat fs/stat.c:350 [inline] SyS_newlstat+0x83/0xe0 fs/stat.c:344 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb The buggy address belongs to the object at ffff8880559e2800 which belongs to the cache names_cache of size 4096 The buggy address is located 2046 bytes to the left of 4096-byte region [ffff8880559e2800, ffff8880559e3800) The buggy address belongs to the page: page:ffffea0001567880 count:1 mapcount:0 mapping:ffff8880559e2800 index:0x0 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffff8880559e2800 0000000000000000 0000000100000001 raw: ffffea00025a5c20 ffffea0002991420 ffff8880aa9dacc0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880559e1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880559e1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880559e2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880559e2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. ffff8880559e2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================