================================================================== BUG: KASAN: slab-out-of-bounds in ext4_read_inline_data fs/ext4/inline.c:209 [inline] BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0x555/0x1160 fs/ext4/inline.c:1399 Read of size 68 at addr ffff8881dbfceec9 by task syz-executor200/356 CPU: 0 PID: 356 Comm: syz-executor200 Not tainted 5.4.268-syzkaller-00012-gd0d34dcb02cc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x241 lib/dump_stack.c:118 print_address_description+0x8c/0x600 mm/kasan/report.c:384 __kasan_report+0xf3/0x120 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:653 check_memory_region_inline mm/kasan/generic.c:141 [inline] check_memory_region+0x272/0x280 mm/kasan/generic.c:191 memcpy+0x25/0x50 mm/kasan/common.c:123 ext4_read_inline_data fs/ext4/inline.c:209 [inline] ext4_inlinedir_to_tree+0x555/0x1160 fs/ext4/inline.c:1399 ext4_htree_fill_tree+0x5b2/0x1770 fs/ext4/namei.c:1174 ext4_dx_readdir fs/ext4/dir.c:599 [inline] ext4_readdir+0x2c1d/0x3610 fs/ext4/dir.c:142 iterate_dir+0x266/0x4e0 fs/readdir.c:64 ksys_getdents64+0x21b/0x4c0 fs/readdir.c:374 __do_sys_getdents64 fs/readdir.c:395 [inline] __se_sys_getdents64 fs/readdir.c:392 [inline] __x64_sys_getdents64+0x76/0x80 fs/readdir.c:392 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8881dbfceea0 which belongs to the cache file_lock_cache of size 248 The buggy address is located 41 bytes inside of 248-byte region [ffff8881dbfceea0, ffff8881dbfcef98) The buggy address belongs to the page: page:ffffea00076ff380 refcount:1 mapcount:0 mapping:ffff8881f1dcc780 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f1dcc780 raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x18f/0x370 mm/page_alloc.c:2171 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891 alloc_slab_page+0x39/0x3c0 mm/slub.c:343 allocate_slab mm/slub.c:1683 [inline] new_slab+0x97/0x440 mm/slub.c:1749 new_slab_objects mm/slub.c:2505 [inline] ___slab_alloc+0x2fe/0x490 mm/slub.c:2667 __slab_alloc+0x62/0xa0 mm/slub.c:2707 slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc+0x109/0x250 mm/slub.c:2842 kmem_cache_zalloc include/linux/slab.h:680 [inline] locks_alloc_lock fs/locks.c:346 [inline] flock_lock_inode+0x342/0x1460 fs/locks.c:1076 flock_lock_inode_wait fs/locks.c:2162 [inline] locks_lock_inode_wait+0xee/0x3f0 fs/locks.c:2189 locks_lock_file_wait include/linux/fs.h:1375 [inline] __do_sys_flock fs/locks.c:2252 [inline] __se_sys_flock+0x47b/0x5a0 fs/locks.c:2215 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 page_owner free stack trace missing Memory state around the buggy address: ffff8881dbfced80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881dbfcee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881dbfcee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881dbfcef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881dbfcef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== EXT4-fs error (device loop0): ext4_inlinedir_to_tree:1437: inode #12: block 7: comm syz-executor200: path /root/syzkaller.zUnyci/0/file0/file0: bad entry in directory: directory entry overrun - offset=34816, inode=2538880996, rec_len=34812, size=128 fake=0 EXT4-fs error (device loop0): empty_inline_dir:1832: inode #12: block 7: comm syz-executor200: bad entry in directory: directory entry overrun - off