EXT4-fs warning (device loop2): dx_probe:892: inode #2: comm syz-executor.2: dx entry: limit 0 != root limit 124 EXT4-fs warning (device loop2): dx_probe:965: inode #2: comm syz-executor.2: Corrupt directory, running e2fsck is recommended ================================================================== BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x6f3/0x870 fs/ext4/dir.c:85 Read of size 2 at addr ffff88805fee8003 by task syz-executor.2/3690 CPU: 0 PID: 3690 Comm: syz-executor.2 Not tainted 5.15.160-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106 print_address_description+0x63/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x16b/0x1c0 mm/kasan/report.c:451 __ext4_check_dir_entry+0x6f3/0x870 fs/ext4/dir.c:85 ext4_readdir+0x14a6/0x38e0 fs/ext4/dir.c:258 iterate_dir+0x224/0x570 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7fecd4bf7ee9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fecd316b0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007fecd4d2efa0 RCX: 00007fecd4bf7ee9 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000008 RBP: 00007fecd4c4447f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fecd4d2efa0 R15: 00007fff1e5e37e8 Allocated by task 2963: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513 kasan_kmalloc include/linux/kasan.h:264 [inline] __kmalloc+0x168/0x300 mm/slub.c:4407 kmalloc include/linux/slab.h:596 [inline] kzalloc include/linux/slab.h:721 [inline] tomoyo_encode2 security/tomoyo/realpath.c:45 [inline] tomoyo_encode+0x26b/0x530 security/tomoyo/realpath.c:80 tomoyo_realpath_from_path+0x5a2/0x5e0 security/tomoyo/realpath.c:288 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x273/0x6b0 security/tomoyo/file.c:822 security_inode_getattr+0xcf/0x120 security/security.c:1348 vfs_getattr+0x26/0x360 fs/stat.c:157 vfs_statx+0x18f/0x3b0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat fs/stat.c:411 [inline] __se_sys_newfstatat fs/stat.c:405 [inline] __x64_sys_newfstatat+0x12c/0x1b0 fs/stat.c:405 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Freed by task 2963: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4b/0x80 mm/kasan/common.c:46 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360 ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1705 [inline] slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731 slab_free mm/slub.c:3499 [inline] kfree+0xf1/0x270 mm/slub.c:4559 tomoyo_path_perm+0x555/0x6b0 security/tomoyo/file.c:842 security_inode_getattr+0xcf/0x120 security/security.c:1348 vfs_getattr+0x26/0x360 fs/stat.c:157 vfs_statx+0x18f/0x3b0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat fs/stat.c:411 [inline] __se_sys_newfstatat fs/stat.c:405 [inline] __x64_sys_newfstatat+0x12c/0x1b0 fs/stat.c:405 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 The buggy address belongs to the object at ffff88805fee8000 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 3 bytes inside of 64-byte region [ffff88805fee8000, ffff88805fee8040) The buggy address belongs to the page: page:ffffea00017fba00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5fee8 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea000076d600 0000000f00000009 ffff888011c41640 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 3533, ts 44999202753, free_ts 10931538267 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159 __alloc_pages+0x272/0x700 mm/page_alloc.c:5423 alloc_slab_page mm/slub.c:1775 [inline] allocate_slab mm/slub.c:1912 [inline] new_slab+0xbb/0x4b0 mm/slub.c:1975 ___slab_alloc+0x6f6/0xe10 mm/slub.c:3008 __slab_alloc mm/slub.c:3095 [inline] slab_alloc_node mm/slub.c:3186 [inline] slab_alloc mm/slub.c:3228 [inline] __kmalloc+0x1c9/0x300 mm/slub.c:4403 kmalloc include/linux/slab.h:596 [inline] tomoyo_add_entry security/tomoyo/common.c:2031 [inline] tomoyo_supervisor+0xe67/0x12c0 security/tomoyo/common.c:2103 tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline] tomoyo_path_number_perm+0x5ba/0x810 security/tomoyo/file.c:734 security_file_ioctl+0x6d/0xa0 security/security.c:1555 __do_sys_ioctl fs/ioctl.c:868 [inline] __se_sys_ioctl+0x47/0x160 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare mm/page_alloc.c:1391 [inline] free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396 free_contig_range+0x95/0xf0 mm/page_alloc.c:9342 destroy_args+0xfe/0x980 mm/debug_vm_pgtable.c:1018 debug_vm_pgtable+0x40d/0x470 mm/debug_vm_pgtable.c:1331 do_one_initcall+0x22b/0x7a0 init/main.c:1302 do_initcall_level+0x157/0x210 init/main.c:1375 do_initcalls+0x49/0x90 init/main.c:1391 kernel_init_freeable+0x425/0x5c0 init/main.c:1615 kernel_init+0x19/0x290 init/main.c:1506 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300 Memory state around the buggy address: ffff88805fee7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88805fee7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88805fee8000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff88805fee8080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff88805fee8100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================