loop3: detected capacity change from 0 to 1024 ================================================================== BUG: KASAN: slab-out-of-bounds in __ext4_iget+0x2ee/0x3f00 fs/ext4/inode.c:4672 Read of size 8 at addr ffff88815f900b88 by task syz-executor.3/4127 CPU: 1 PID: 4127 Comm: syz-executor.3 Not tainted 5.15.122-syzkaller-00676-g1463976ddc64 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description+0x87/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:444 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309 __ext4_iget+0x2ee/0x3f00 fs/ext4/inode.c:4672 ext4_quota_enable fs/ext4/super.c:6366 [inline] ext4_enable_quotas+0x556/0x980 fs/ext4/super.c:6402 ext4_fill_super+0x8b95/0x96e0 fs/ext4/super.c:4950 mount_bdev+0x282/0x3b0 fs/super.c:1378 ext4_mount+0x34/0x40 fs/ext4/super.c:6581 legacy_get_tree+0xf1/0x190 fs/fs_context.c:611 vfs_get_tree+0x88/0x290 fs/super.c:1508 do_new_mount+0x28b/0xad0 fs/namespace.c:2994 path_mount+0x671/0x1070 fs/namespace.c:3324 do_mount fs/namespace.c:3337 [inline] __do_sys_mount fs/namespace.c:3545 [inline] __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3522 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3522 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe4d3f3a1ea Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe4d2cbaee8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fe4d2cbaf80 RCX: 00007fe4d3f3a1ea RDX: 0000000020000580 RSI: 00000000200005c0 RDI: 00007fe4d2cbaf40 RBP: 0000000020000580 R08: 00007fe4d2cbaf80 R09: 0000000001008002 R10: 0000000001008002 R11: 0000000000000202 R12: 00000000200005c0 R13: 00007fe4d2cbaf40 R14: 00000000000005d8 R15: 0000000020000240 Allocated by task 0: (stack is not available) The buggy address belongs to the object at ffff88815f900648 which belongs to the cache f2fs_inode_cache of size 1480 The buggy address is located 1344 bytes inside of 1480-byte region [ffff88815f900648, ffff88815f900c10) The buggy address belongs to the page: page:ffffea00057e4000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88815f902bf8 pfn:0x15f900 head:ffffea00057e4000 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 0000000000000000 dead000000000122 ffff888104ba6300 raw: ffff88815f902bf8 000000008014000d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 1685, ts 198758451649, free_ts 173440412783 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2600 prep_new_page mm/page_alloc.c:2606 [inline] get_page_from_freelist+0x2ed2/0x2f90 mm/page_alloc.c:4474 __alloc_pages+0x206/0x5e0 mm/page_alloc.c:5765 allocate_slab mm/slub.c:1932 [inline] new_slab+0x9a/0x4e0 mm/slub.c:1995 ___slab_alloc+0x39e/0x830 mm/slub.c:3028 __slab_alloc+0x4a/0x90 mm/slub.c:3115 slab_alloc_node mm/slub.c:3206 [inline] slab_alloc mm/slub.c:3248 [inline] kmem_cache_alloc+0x134/0x200 mm/slub.c:3253 f2fs_kmem_cache_alloc fs/f2fs/f2fs.h:2776 [inline] f2fs_alloc_inode+0x26/0x3f0 fs/f2fs/super.c:1373 alloc_inode fs/inode.c:236 [inline] new_inode_pseudo+0x64/0x220 fs/inode.c:937 new_inode+0x28/0x1c0 fs/inode.c:966 f2fs_new_inode+0x10e/0x1410 fs/f2fs/namei.c:36 f2fs_create+0x178/0x1560 fs/f2fs/namei.c:358 lookup_open fs/namei.c:3392 [inline] open_last_lookups fs/namei.c:3462 [inline] path_openat+0x13a8/0x2f40 fs/namei.c:3669 do_filp_open+0x21c/0x460 fs/namei.c:3699 do_sys_openat2+0x13f/0x830 fs/open.c:1234 do_sys_open fs/open.c:1250 [inline] __do_sys_openat fs/open.c:1266 [inline] __se_sys_openat fs/open.c:1261 [inline] __x64_sys_openat+0x243/0x290 fs/open.c:1261 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1467 [inline] __free_pages_ok+0x985/0xa50 mm/page_alloc.c:1767 free_the_page mm/page_alloc.c:802 [inline] free_compound_page+0x89/0xa0 mm/page_alloc.c:823 free_transhuge_page+0x283/0x2a0 mm/huge_memory.c:2771 destroy_compound_page include/linux/mm.h:989 [inline] __put_compound_page+0x73/0xb0 mm/swap.c:111 __put_page+0xbf/0xe0 mm/swap.c:127 put_page include/linux/mm.h:1295 [inline] khugepaged_do_scan mm/khugepaged.c:2287 [inline] khugepaged+0x8dc/0x1070 mm/khugepaged.c:2324 kthread+0x421/0x510 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 Memory state around the buggy address: ffff88815f900a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88815f900b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88815f900b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88815f900c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88815f900c80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== EXT4-fs warning (device loop3): ext4_enable_quotas:6410: Failed to enable quota tracking (type=0, err=-13, ino=3). Please run e2fsck to fix. EXT4-fs (loop3): mount failed