EXT4-fs (loop3): mounting ext3 file system using the ext4 subsystem
EXT4-fs (loop3): 1 truncate cleaned up
EXT4-fs (loop3): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_search_dir+0xf2/0x1b0 fs/ext4/namei.c:1543
Read of size 1 at addr ffff888025901ee7 by task syz-executor.3/13865

CPU: 0 PID: 13865 Comm: syz-executor.3 Not tainted 6.6.0-rc5-syzkaller-00067-g8182d7a3f1b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x175/0x1b0 mm/kasan/report.c:588
 ext4_search_dir+0xf2/0x1b0 fs/ext4/namei.c:1543
 ext4_find_inline_entry+0x4ba/0x5e0 fs/ext4/inline.c:1694
 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1616
 ext4_lookup_entry fs/ext4/namei.c:1771 [inline]
 ext4_lookup+0x17a/0x750 fs/ext4/namei.c:1839
 lookup_one_qstr_excl+0x11b/0x250 fs/namei.c:1608
 filename_create+0x297/0x530 fs/namei.c:3890
 do_mkdirat+0xb7/0x520 fs/namei.c:4135
 __do_sys_mkdir fs/namei.c:4163 [inline]
 __se_sys_mkdir fs/namei.c:4161 [inline]
 __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4161
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff19d27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff19df930c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00007ff19d39bf80 RCX: 00007ff19d27cae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007ff19d2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007ff19d39bf80 R15: 00007ffe9b299178

Allocated by task 6424:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x67/0x3d0 mm/slab.h:762
 slab_alloc_node mm/slub.c:3478 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x123/0x300 mm/slub.c:3502
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 __proc_create+0x41d/0xa00 fs/proc/generic.c:425
 proc_create_reg fs/proc/generic.c:552 [inline]
 proc_create_single_data+0x127/0x240 fs/proc/generic.c:652
 snmp6_register_dev+0xa5/0x110 net/ipv6/proc.c:257
 ipv6_add_dev+0x630/0x1280 net/ipv6/addrconf.c:414
 addrconf_notify+0x68e/0x1010 net/ipv6/addrconf.c:3589
 notifier_call_chain+0x18c/0x3a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers+0x149/0x1c0 net/core/dev.c:2022
 register_netdevice+0x10d7/0x1510 net/core/dev.c:10169
 rtnl_newlink_create net/core/rtnetlink.c:3487 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3705 [inline]
 rtnl_newlink+0x170c/0x2070 net/core/rtnetlink.c:3718
 rtnetlink_rcv_msg+0x87e/0x1030 net/core/rtnetlink.c:6444
 netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2545
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0x7dc/0x970 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x484/0x640 net/socket.c:2194
 __do_sys_sendto net/socket.c:2206 [inline]
 __se_sys_sendto net/socket.c:2202 [inline]
 __x64_sys_sendto+0xde/0xf0 net/socket.c:2202
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888025901dc0
 which belongs to the cache proc_dir_entry of size 256
The buggy address is located 39 bytes to the right of
 allocated 256-byte region [ffff888025901dc0, ffff888025901ec0)

The buggy address belongs to the physical page:
page:ffffea0000964040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25901
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888015a6da00 ffffea00007b5a40 0000000000000006
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5063, tgid 5063 (syz-executor.1), ts 201758051371, free_ts 201694737395
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 alloc_slab_page+0x6a/0x160 mm/slub.c:1870
 allocate_slab mm/slub.c:2017 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2070
 ___slab_alloc+0xc85/0x1310 mm/slub.c:3223
 __slab_alloc mm/slub.c:3322 [inline]
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x1bf/0x300 mm/slub.c:3502
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 __proc_create+0x41d/0xa00 fs/proc/generic.c:425
 proc_create_reg fs/proc/generic.c:552 [inline]
 proc_create_single_data+0x127/0x240 fs/proc/generic.c:652
 snmp6_register_dev+0xa5/0x110 net/ipv6/proc.c:257
 addrconf_notify+0x72f/0x1010 net/ipv6/addrconf.c:3725
 notifier_call_chain+0x18c/0x3a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers net/core/dev.c:2022 [inline]
 dev_change_name+0x5db/0x8f0 net/core/dev.c:1244
 do_setlink+0xab8/0x4340 net/core/rtnetlink.c:2853
 __rtnl_newlink net/core/rtnetlink.c:3671 [inline]
 rtnl_newlink+0x17f6/0x2070 net/core/rtnetlink.c:3718
 rtnetlink_rcv_msg+0x87e/0x1030 net/core/rtnetlink.c:6444
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 discard_slab mm/slub.c:2116 [inline]
 __unfreeze_partials+0x1dc/0x220 mm/slub.c:2655
 put_cpu_partial+0x17b/0x250 mm/slub.c:2731
 __slab_free+0x2b6/0x390 mm/slub.c:3679
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x67/0x3d0 mm/slab.h:762
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x148/0x330 mm/slub.c:3523
 __alloc_skb+0x181/0x420 net/core/skbuff.c:640
 alloc_skb include/linux/skbuff.h:1286 [inline]
 nlmsg_new include/net/netlink.h:999 [inline]
 rtmsg_ifinfo_build_skb+0x84/0x280 net/core/rtnetlink.c:4031
 rtmsg_ifinfo_event net/core/rtnetlink.c:4074 [inline]
 rtmsg_ifinfo+0x91/0x1b0 net/core/rtnetlink.c:4083
 netdev_state_change+0x1c8/0x250 net/core/dev.c:1354
 linkwatch_do_dev+0x10c/0x160 net/core/link_watch.c:182
 __linkwatch_run_queue+0x44f/0x6c0 net/core/link_watch.c:235

Memory state around the buggy address:
 ffff888025901d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888025901e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888025901e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                       ^
 ffff888025901f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888025901f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================