==================================================================
BUG: KASAN: use-after-free in ext4_data_block_valid+0x2ef/0x350 fs/ext4/block_validity.c:211
Read of size 8 at addr ffff88809a7c1d38 by task syz-executor4/17213

CPU: 1 PID: 17213 Comm: syz-executor4 Not tainted 5.0.0-rc2-next-20190118 #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 ext4_data_block_valid+0x2ef/0x350 fs/ext4/block_validity.c:211
 ext4_valid_extent fs/ext4/extents.c:380 [inline]
 ext4_valid_extent_entries fs/ext4/extents.c:410 [inline]
 __ext4_ext_check+0xcd6/0x13a0 fs/ext4/extents.c:465
 ext4_ext_remove_space+0x1ca6/0x5bb0 fs/ext4/extents.c:3000
 ext4_ext_truncate+0x1b5/0x200 fs/ext4/extents.c:4543
 ext4_truncate+0xf8d/0x1660 fs/ext4/inode.c:4535
 ext4_evict_inode+0xa8e/0x1b80 fs/ext4/inode.c:289
 evict+0x49b/0x940 fs/inode.c:558
 iput_final fs/inode.c:1550 [inline]
 iput+0x67e/0xae0 fs/inode.c:1576
 dentry_unlink_inode+0x43a/0x5e0 fs/dcache.c:360
 d_delete+0x1e1/0x230 fs/dcache.c:2350
 vfs_rmdir fs/namei.c:3892 [inline]
 vfs_rmdir+0x38f/0x470 fs/namei.c:3858
 do_rmdir+0x474/0x580 fs/namei.c:3940
 __do_sys_rmdir fs/namei.c:3958 [inline]
 __se_sys_rmdir fs/namei.c:3956 [inline]
 __x64_sys_rmdir+0x36/0x40 fs/namei.c:3956
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e07
Code: 00 66 90 b8 57 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ed b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 cd b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc095c8798 EFLAGS: 00000207 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 0000000000457e07
RDX: 0000000000000000 RSI: 0000000000710698 RDI: 00007ffc095c98d0
RBP: 000000000000002a R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000006 R11: 0000000000000207 R12: 00007ffc095c98d0
R13: 0000000001726940 R14: 0000000000000000 R15: 0000000000000004

Allocated by task 1:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411
 kmem_cache_alloc+0x12d/0x710 mm/slab.c:3543
 add_system_zone+0x302/0x650 fs/ext4/block_validity.c:85
 ext4_setup_system_zone+0x36d/0x510 fs/ext4/block_validity.c:169
 ext4_fill_super+0x7fcb/0xd890 fs/ext4/super.c:4500
 mount_bdev+0x307/0x3c0 fs/super.c:1346
 ext4_mount+0x35/0x40 fs/ext4/super.c:6007
 legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
 vfs_get_tree+0x123/0x450 fs/super.c:1481
 do_new_mount fs/namespace.c:2610 [inline]
 do_mount+0x1622/0x2fa0 fs/namespace.c:2932
 ksys_mount+0xdb/0x150 fs/namespace.c:3148
 do_mount_root+0x35/0x1d3 init/do_mounts.c:388
 mount_block_root+0x39c/0x6ea init/do_mounts.c:417
 mount_root+0x345/0x38c init/do_mounts.c:562
 prepare_namespace+0x26f/0x2ae init/do_mounts.c:621
 kernel_init_freeable+0x5ab/0x5c4 init/main.c:1159
 kernel_init+0x12/0x1c5 init/main.c:1057
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Freed by task 17478:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3749
 ext4_release_system_zone+0x6f/0xf0 fs/ext4/block_validity.c:187
 ext4_setup_system_zone+0x450/0x510 fs/ext4/block_validity.c:151
 ext4_remount+0x16ab/0x28f0 fs/ext4/super.c:5452
 legacy_reconfigure+0x113/0x170 fs/fs_context.c:613
 reconfigure_super+0x33c/0xb00 fs/super.c:986
 do_remount fs/namespace.c:2397 [inline]
 do_mount+0x187b/0x2fa0 fs/namespace.c:2923
 ksys_mount+0xdb/0x150 fs/namespace.c:3148
 __do_sys_mount fs/namespace.c:3162 [inline]
 __se_sys_mount fs/namespace.c:3159 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809a7c1d20
 which belongs to the cache ext4_system_zone of size 40
The buggy address is located 24 bytes inside of
 40-byte region [ffff88809a7c1d20, ffff88809a7c1d48)
The buggy address belongs to the page:
page:ffffea000269f040 count:1 mapcount:0 mapping:ffff888219f746c0 index:0xffff88809a7c1fb9
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffff8880a5ef2638 ffff8880a5ef2638 ffff888219f746c0
raw: ffff88809a7c1fb9 ffff88809a7c1000 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809a7c1c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809a7c1c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809a7c1d00: fc fc fc fc fb fb fb fb fb fc fc fb fb fb fb fb
                                        ^
 ffff88809a7c1d80: fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc fc
 ffff88809a7c1e00: fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb
==================================================================