loop7: detected capacity change from 0 to 1036 ================================================================== BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:516 [inline] BUG: KASAN: use-after-free in relay_switch_subbuf+0x837/0x900 kernel/relay.c:676 Read of size 8 at addr ffff888071e6a2e0 by task syz-executor.4/31251 CPU: 1 PID: 31251 Comm: syz-executor.4 Not tainted 5.19.0-rc2-syzkaller-00060-g30306f6194ca #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 d_inode include/linux/dcache.h:516 [inline] relay_switch_subbuf+0x837/0x900 kernel/relay.c:676 relay_reserve include/linux/relay.h:248 [inline] trace_note+0x5af/0x720 kernel/trace/blktrace.c:95 trace_note_tsk kernel/trace/blktrace.c:126 [inline] __blk_add_trace+0xbfb/0xdf0 kernel/trace/blktrace.c:267 blk_add_trace_bio+0x326/0x4f0 kernel/trace/blktrace.c:908 trace_block_bio_queue include/trace/events/block.h:355 [inline] submit_bio_noacct+0x1404/0x1b30 block/blk-core.c:856 submit_bio block/blk-core.c:914 [inline] submit_bio+0xd7/0x300 block/blk-core.c:886 mpage_bio_submit fs/mpage.c:64 [inline] mpage_readahead+0x60f/0x7b0 fs/mpage.c:360 read_pages+0x19e/0xfb0 mm/readahead.c:158 page_cache_ra_unbounded+0x3f5/0x550 mm/readahead.c:263 do_page_cache_ra mm/readahead.c:293 [inline] page_cache_ra_order+0x680/0x940 mm/readahead.c:548 ondemand_readahead+0x7c5/0x1150 mm/readahead.c:670 page_cache_sync_ra+0x1c5/0x200 mm/readahead.c:697 page_cache_sync_readahead include/linux/pagemap.h:1234 [inline] filemap_get_pages+0x2bf/0x17c0 mm/filemap.c:2592 filemap_read+0x325/0xc70 mm/filemap.c:2679 blkdev_read_iter+0x3e7/0x750 block/fops.c:594 call_read_iter include/linux/fs.h:2052 [inline] generic_file_splice_read+0x3b4/0x5d0 fs/splice.c:311 do_splice_to+0x1b9/0x240 fs/splice.c:796 splice_direct_to_actor+0x2c2/0x8c0 fs/splice.c:870 do_splice_direct+0x1a7/0x270 fs/splice.c:979 do_sendfile+0xae0/0x1240 fs/read_write.c:1262 __do_sys_sendfile64 fs/read_write.c:1327 [inline] __se_sys_sendfile64 fs/read_write.c:1313 [inline] __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1313 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f7c3c089109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7c3d16f168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f7c3c19bf60 RCX: 00007f7c3c089109 RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000003 RBP: 00007f7c3c0e305d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000024002da8 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd918f5f6f R14: 00007f7c3d16f300 R15: 0000000000022000 Allocated by task 14661: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] __kasan_slab_alloc+0x85/0xb0 mm/kasan/common.c:469 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:750 [inline] slab_alloc mm/slab.c:3302 [inline] __kmem_cache_alloc_lru mm/slab.c:3479 [inline] kmem_cache_alloc_lru+0x301/0x8c0 mm/slab.c:3506 __d_alloc+0x32/0x960 fs/dcache.c:1769 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1899 alloc_file_pseudo+0xc6/0x250 fs/file_table.c:262 sock_alloc_file+0x4f/0x190 net/socket.c:463 sock_map_fd net/socket.c:487 [inline] __sys_socket+0x1a4/0x240 net/socket.c:1644 __do_sys_socket net/socket.c:1649 [inline] __se_sys_socket net/socket.c:1647 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 14661: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:200 [inline] __cache_free mm/slab.c:3425 [inline] kmem_cache_free.part.0+0xa9/0x240 mm/slab.c:3735 __d_free fs/dcache.c:298 [inline] dentry_free+0xde/0x160 fs/dcache.c:375 __dentry_kill+0x4cb/0x640 fs/dcache.c:621 dentry_kill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 __fput+0x39c/0x9d0 fs/file_table.c:330 task_work_run+0xdd/0x1a0 kernel/task_work.c:177 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348 call_rcu+0x99/0x790 kernel/rcu/tree.c:3126 dentry_free+0xc3/0x160 fs/dcache.c:377 __dentry_kill+0x4cb/0x640 fs/dcache.c:621 dentry_kill fs/dcache.c:745 [inline] dput+0x64d/0xdb0 fs/dcache.c:913 proc_invalidate_siblings_dcache+0x3df/0x610 fs/proc/inode.c:151 release_task+0xcb8/0x17e0 kernel/exit.c:226 wait_task_zombie kernel/exit.c:1111 [inline] wait_consider_task+0x2fda/0x3bf0 kernel/exit.c:1338 do_wait_thread kernel/exit.c:1401 [inline] do_wait+0x6ca/0xce0 kernel/exit.c:1518 kernel_wait4+0x14c/0x260 kernel/exit.c:1681 __do_sys_wait4+0x13f/0x150 kernel/exit.c:1709 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348 call_rcu+0x99/0x790 kernel/rcu/tree.c:3126 dentry_free+0xc3/0x160 fs/dcache.c:377 __dentry_kill+0x4cb/0x640 fs/dcache.c:621 shrink_dentry_list+0x23c/0x800 fs/dcache.c:1201 shrink_dcache_parent+0x1fe/0x3c0 fs/dcache.c:1628 vfs_rmdir.part.0+0x272/0x5a0 fs/namei.c:4065 vfs_rmdir fs/namei.c:4046 [inline] do_rmdir+0x3a6/0x430 fs/namei.c:4122 __do_sys_unlinkat fs/namei.c:4302 [inline] __se_sys_unlinkat fs/namei.c:4296 [inline] __x64_sys_unlinkat+0xeb/0x130 fs/namei.c:4296 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff888071e6a278 which belongs to the cache dentry of size 312 The buggy address is located 104 bytes inside of 312-byte region [ffff888071e6a278, ffff888071e6a3b0) The buggy address belongs to the physical page: page:ffffea0001c79a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888071e6a3f0 pfn:0x71e6a memcg:ffff888059abfc81 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001d2c208 ffffea000117cd48 ffff888012015400 raw: ffff888071e6a3f0 ffff888071e6a100 0000000100000009 ffff888059abfc81 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x2420d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE|__GFP_RECLAIMABLE), pid 2989, tgid 2989 (udevd), ts 26081372964, free_ts 12370215633 prep_new_page mm/page_alloc.c:2456 [inline] get_page_from_freelist+0x1290/0x3b70 mm/page_alloc.c:4198 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426 __alloc_pages_node include/linux/gfp.h:587 [inline] kmem_getpages mm/slab.c:1363 [inline] cache_grow_begin+0x75/0x350 mm/slab.c:2569 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942 ____cache_alloc mm/slab.c:3024 [inline] ____cache_alloc mm/slab.c:3007 [inline] __do_cache_alloc mm/slab.c:3253 [inline] slab_alloc mm/slab.c:3295 [inline] __kmem_cache_alloc_lru mm/slab.c:3479 [inline] kmem_cache_alloc_lru+0x752/0x8c0 mm/slab.c:3506 __d_alloc+0x32/0x960 fs/dcache.c:1769 d_alloc+0x4a/0x230 fs/dcache.c:1849 d_alloc_parallel+0xe7/0x1af0 fs/dcache.c:2601 lookup_open.isra.0+0xb66/0x1690 fs/namei.c:3298 open_last_lookups fs/namei.c:3444 [inline] path_openat+0x9a2/0x2910 fs/namei.c:3650 do_filp_open+0x1aa/0x400 fs/namei.c:3680 do_sys_openat2+0x16d/0x4c0 fs/open.c:1278 do_sys_open fs/open.c:1294 [inline] __do_sys_openat fs/open.c:1310 [inline] __se_sys_openat fs/open.c:1305 [inline] __x64_sys_openat+0x13f/0x1f0 fs/open.c:1305 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1371 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421 free_unref_page_prepare mm/page_alloc.c:3343 [inline] free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438 free_contig_range+0xb1/0x180 mm/page_alloc.c:9314 destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1031 debug_vm_pgtable+0x2a03/0x2a94 mm/debug_vm_pgtable.c:1354 do_one_initcall+0x103/0x650 init/main.c:1295 do_initcall_level init/main.c:1368 [inline] do_initcalls init/main.c:1384 [inline] do_basic_setup init/main.c:1403 [inline] kernel_init_freeable+0x6b1/0x73a init/main.c:1610 kernel_init+0x1a/0x1d0 init/main.c:1499 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 Memory state around the buggy address: ffff888071e6a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888071e6a200: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa >ffff888071e6a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888071e6a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888071e6a380: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb ==================================================================