loop0: detected capacity change from 0 to 2048 ================================================================== BUG: KASAN: slab-out-of-bounds in check_igot_inode+0x187/0x1b0 fs/ext4/inode.c:4656 Read of size 8 at addr ffff88806d7c7ff0 by task syz-executor.0/19366 CPU: 2 PID: 19366 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-12728-ga48fa7efaf11 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan/report.c:588 check_igot_inode+0x187/0x1b0 fs/ext4/inode.c:4656 __ext4_iget+0x14fb/0x4300 fs/ext4/inode.c:4708 ext4_quota_enable fs/ext4/super.c:7038 [inline] ext4_enable_quotas+0x521/0xba0 fs/ext4/super.c:7074 __ext4_fill_super fs/ext4/super.c:5568 [inline] ext4_fill_super+0x9ac9/0xad40 fs/ext4/super.c:5703 get_tree_bdev+0x3b5/0x650 fs/super.c:1577 vfs_get_tree+0x8c/0x370 fs/super.c:1750 do_new_mount fs/namespace.c:3335 [inline] path_mount+0x1492/0x1ed0 fs/namespace.c:3662 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount fs/namespace.c:3861 [inline] __ia32_sys_mount+0x291/0x310 fs/namespace.c:3861 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 RIP: 0023:0xf7f43579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f7f3e3f0 EFLAGS: 00000296 ORIG_RAX: 0000000000000015 RAX: ffffffffffffffda RBX: 00000000f7f3e460 RCX: 00000000200007c0 RDX: 0000000020000780 RSI: 0000000000000000 RDI: 00000000f7f3e4a0 RBP: 0000000020000780 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 5173: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slub.c:3478 [inline] slab_alloc mm/slub.c:3486 [inline] __kmem_cache_alloc_lru mm/slub.c:3493 [inline] kmem_cache_alloc_lru+0x21a/0x630 mm/slub.c:3509 __d_alloc+0x32/0xac0 fs/dcache.c:1768 d_alloc+0x4e/0x220 fs/dcache.c:1848 lookup_one_qstr_excl+0xc7/0x180 fs/namei.c:1604 filename_create+0x1ed/0x530 fs/namei.c:3890 do_mkdirat+0xb3/0x330 fs/namei.c:4135 __do_sys_mkdirat fs/namei.c:4158 [inline] __se_sys_mkdirat fs/namei.c:4156 [inline] __ia32_sys_mkdirat+0x84/0xa0 fs/namei.c:4156 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Last potentially related work creation: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653 dentry_free+0xc2/0x160 fs/dcache.c:377 __dentry_kill+0x4c1/0x640 fs/dcache.c:621 shrink_dentry_list+0x235/0x7e0 fs/dcache.c:1201 shrink_dcache_parent+0xe4/0x3b0 fs/dcache.c:1652 vfs_rmdir fs/namei.c:4207 [inline] vfs_rmdir+0x220/0x650 fs/namei.c:4180 do_rmdir+0x344/0x400 fs/namei.c:4262 __do_sys_unlinkat fs/namei.c:4440 [inline] __se_sys_unlinkat fs/namei.c:4434 [inline] __ia32_sys_unlinkat+0xef/0x130 fs/namei.c:4434 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Second to last potentially related work creation: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653 dentry_free+0xc2/0x160 fs/dcache.c:377 __dentry_kill+0x4c1/0x640 fs/dcache.c:621 shrink_dentry_list+0x235/0x7e0 fs/dcache.c:1201 shrink_dcache_parent+0xe4/0x3b0 fs/dcache.c:1652 vfs_rmdir fs/namei.c:4207 [inline] vfs_rmdir+0x220/0x650 fs/namei.c:4180 do_rmdir+0x344/0x400 fs/namei.c:4262 __do_sys_unlinkat fs/namei.c:4440 [inline] __se_sys_unlinkat fs/namei.c:4434 [inline] __ia32_sys_unlinkat+0xef/0x130 fs/namei.c:4434 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 The buggy address belongs to the object at ffff88806d7c7d60 which belongs to the cache dentry of size 312 The buggy address is located 344 bytes to the right of allocated 312-byte region [ffff88806d7c7d60, ffff88806d7c7e98) The buggy address belongs to the physical page: page:ffffea0001b5f180 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806d7c62f0 pfn:0x6d7c6 head:ffffea0001b5f180 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88806c60d501 flags: 0x4fff00000000840(slab|head|node=1|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 04fff00000000840 ffff888040649400 ffffea0001099890 ffffea0001ba6190 raw: ffff88806d7c62f0 0000000000150007 00000001ffffffff ffff88806c60d501 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5173, tgid 5173 (syz-executor.3), ts 204199708440, free_ts 203842491384 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536 prep_new_page mm/page_alloc.c:1543 [inline] get_page_from_freelist+0xee0/0x2f20 mm/page_alloc.c:3170 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4426 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298 alloc_slab_page mm/slub.c:1870 [inline] allocate_slab+0x251/0x380 mm/slub.c:2017 new_slab mm/slub.c:2070 [inline] ___slab_alloc+0x8be/0x1570 mm/slub.c:3223 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 __slab_alloc_node mm/slub.c:3375 [inline] slab_alloc_node mm/slub.c:3468 [inline] slab_alloc mm/slub.c:3486 [inline] __kmem_cache_alloc_lru mm/slub.c:3493 [inline] kmem_cache_alloc_lru+0x4e4/0x630 mm/slub.c:3509 __d_alloc+0x32/0xac0 fs/dcache.c:1768 d_alloc_pseudo+0x1c/0x70 fs/dcache.c:1898 alloc_file_pseudo+0xdc/0x240 fs/file_table.c:329 sock_alloc_file+0x50/0x1d0 net/socket.c:469 sock_map_fd net/socket.c:494 [inline] __sys_socket+0x1bf/0x260 net/socket.c:1700 __do_compat_sys_socketcall+0x57b/0x700 net/compat.c:448 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1136 [inline] free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2312 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2405 __unfreeze_partials+0x21d/0x240 mm/slub.c:2655 qlink_free mm/kasan/quarantine.c:166 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x18b/0x1d0 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x19b/0x350 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1022 [inline] __kmalloc_node+0x52/0x110 mm/slab_common.c:1030 kmalloc_node include/linux/slab.h:619 [inline] __vmalloc_area_node mm/vmalloc.c:3125 [inline] __vmalloc_node_range+0x3e9/0x1540 mm/vmalloc.c:3320 __vmalloc_node mm/vmalloc.c:3385 [inline] vmalloc+0x6b/0x80 mm/vmalloc.c:3418 xt_compat_init_offsets+0xe3/0x220 net/netfilter/x_tables.c:733 ebt_compat_init_offsets net/bridge/netfilter/ebtables.c:1828 [inline] compat_table_info+0x11b/0x830 net/bridge/netfilter/ebtables.c:1839 compat_copy_everything_to_user+0xf27/0x1100 net/bridge/netfilter/ebtables.c:1879 compat_do_ebt_get_ctl+0x71f/0xb70 net/bridge/netfilter/ebtables.c:2426 do_ebt_get_ctl+0x31a/0x7a0 net/bridge/netfilter/ebtables.c:2454 nf_getsockopt+0x76/0xe0 net/netfilter/nf_sockopt.c:116 Memory state around the buggy address: ffff88806d7c7e80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88806d7c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88806d7c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88806d7c8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88806d7c8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 10 06 adc %al,(%rsi) 2: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 6: 10 07 adc %al,(%rdi) 8: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi c: 10 08 adc %cl,(%rax) e: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1e: 00 51 52 add %dl,0x52(%rcx) 21: 55 push %rbp 22: 89 e5 mov %esp,%ebp 24: 0f 34 sysenter 26: cd 80 int $0x80 * 28: 5d pop %rbp <-- trapping instruction 29: 5a pop %rdx 2a: 59 pop %rcx 2b: c3 ret 2c: 90 nop 2d: 90 nop 2e: 90 nop 2f: 90 nop 30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi