Warning: Permanently added '10.128.1.160' (ED25519) to the list of known hosts.
2023/12/02 01:58:43 ignoring optional flag "sandboxArg"="0"
2023/12/02 01:58:43 parsed 1 programs
2023/12/02 01:58:43 executed programs: 0
[ 48.720257][ T1044] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 53.393917][ T1504] loop0: detected capacity change from 0 to 512
[ 53.400822][ T1504] EXT4-fs: Ignoring removed bh option
[ 53.407536][ T1504] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 53.418115][ T1504] EXT4-fs (loop0): 1 truncate cleaned up
[ 53.423841][ T1504] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 53.436893][ T1504] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=4061898738, rec_len=7079, size=56 fake=0
[ 53.466910][ T1050] EXT4-fs (loop0): unmounting filesystem.
[ 53.484440][ T1509] loop0: detected capacity change from 0 to 512
[ 53.491067][ T1509] EXT4-fs: Ignoring removed bh option
[ 53.496775][ T1509] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 53.506696][ T1509] EXT4-fs (loop0): 1 truncate cleaned up
[ 53.512325][ T1509] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 53.525445][ T1509] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=4061898738, rec_len=7079, size=56 fake=0
[ 53.554683][ T1050] EXT4-fs (loop0): unmounting filesystem.
[ 53.574772][ T1512] loop0: detected capacity change from 0 to 512
[ 53.581651][ T1512] EXT4-fs: Ignoring removed bh option
[ 53.587646][ T1512] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 53.597307][ T1512] EXT4-fs (loop0): 1 truncate cleaned up
[ 53.602922][ T1512] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 53.615465][ T1512] ==================================================================
[ 53.623515][ T1512] BUG: KASAN: use-after-free in ext4_search_dir+0x148/0x250
[ 53.631234][ T1512] Read of size 1 at addr ffff8881255b43ed by task syz-executor.0/1512
[ 53.639349][ T1512]
[ 53.641675][ T1512] CPU: 0 PID: 1512 Comm: syz-executor.0 Not tainted 6.1.64-syzkaller #0
[ 53.649965][ T1512] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 53.659995][ T1512] Call Trace:
[ 53.663250][ T1512]
[ 53.666160][ T1512] dump_stack_lvl+0xf4/0x251
[ 53.670721][ T1512] ? nf_tcp_handle_invalid+0x2f3/0x2f3
[ 53.676147][ T1512] ? panic+0x3f7/0x3f7
[ 53.680209][ T1512] ? _printk+0xca/0x10a
[ 53.684330][ T1512] ? __x64_sys_open+0x1eb/0x240
[ 53.689158][ T1512] print_report+0x15f/0x4f0
[ 53.693632][ T1512] ? down_read+0x8fd/0xba0
[ 53.698017][ T1512] ? ext4_search_dir+0x148/0x250
[ 53.702923][ T1512] kasan_report+0x136/0x160
[ 53.707395][ T1512] ? ext4_search_dir+0x148/0x250
[ 53.712307][ T1512] ext4_search_dir+0x148/0x250
[ 53.717037][ T1512] ext4_find_inline_entry+0x367/0x540
[ 53.722376][ T1512] ? ext4_try_create_inline_dir+0x320/0x320
[ 53.728232][ T1512] ? tomoyo_path_number_perm+0x54d/0x6a0
[ 53.733831][ T1512] ? tomoyo_path_number_perm+0x1c3/0x6a0
[ 53.739429][ T1512] __ext4_find_entry+0x2dc/0x1a10
[ 53.744417][ T1512] ? d_alloc_parallel+0x318/0x1130
[ 53.749495][ T1512] ? dx_node_limit+0x150/0x150
[ 53.754223][ T1512] ? d_alloc_parallel+0x318/0x1130
[ 53.759299][ T1512] ext4_lookup+0x1ab/0x5f0
[ 53.763679][ T1512] ? ext4_add_entry+0x2e80/0x2e80
[ 53.768667][ T1512] ? inode_permission+0x56/0x320
[ 53.773577][ T1512] ? ext4_add_entry+0x2e80/0x2e80
[ 53.778576][ T1512] path_openat+0xdb6/0x2410
[ 53.783048][ T1512] ? do_filp_open+0x430/0x430
[ 53.787690][ T1512] do_filp_open+0x226/0x430
[ 53.792162][ T1512] ? vfs_tmpfile+0x3e0/0x3e0
[ 53.796717][ T1512] ? _raw_spin_unlock+0x24/0x40
[ 53.801534][ T1512] ? alloc_fd+0x3dc/0x470
[ 53.805851][ T1512] do_sys_openat2+0x10b/0x420
[ 53.810502][ T1512] ? rcu_is_watching+0x1b/0x90
[ 53.815229][ T1512] ? do_sys_open+0x1c0/0x1c0
[ 53.819781][ T1512] ? __rseq_handle_notify_resume+0x827/0xdf0
[ 53.825726][ T1512] ? xfd_validate_state+0x12/0x50
[ 53.830717][ T1512] __x64_sys_open+0x1eb/0x240
[ 53.835358][ T1512] ? do_sys_openat2+0x420/0x420
[ 53.840173][ T1512] ? switch_fpu_return+0xc9/0x130
[ 53.845161][ T1512] do_syscall_64+0x3d/0x80
[ 53.849557][ T1512] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.855415][ T1512] RIP: 0033:0x7f9d00842b29
[ 53.859800][ T1512] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 53.879370][ T1512] RSP: 002b:00007f9d003c50c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 53.887747][ T1512] RAX: ffffffffffffffda RBX: 00007f9d00961f80 RCX: 00007f9d00842b29
[ 53.895687][ T1512] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000100
[ 53.903630][ T1512] RBP: 00007f9d0088e47a R08: 0000000000000000 R09: 0000000000000000
[ 53.911567][ T1512] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 53.919505][ T1512] R13: 0000000000000006 R14: 00007f9d00961f80 R15: 00007ffc0c4df6b8
[ 53.927444][ T1512]
[ 53.930436][ T1512]
[ 53.932735][ T1512] The buggy address belongs to the physical page:
[ 53.939111][ T1512] page:ffffea0004956d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1255b4
[ 53.949313][ T1512] flags: 0x200000000000000(node=0|zone=2)
[ 53.954997][ T1512] raw: 0200000000000000 ffffea0004959088 ffffea0004956f48 0000000000000000
[ 53.963549][ T1512] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 53.972115][ T1512] page dumped because: kasan: bad access detected
[ 53.978499][ T1512] page_owner tracks the page as freed
[ 53.983835][ T1512] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 1298, tgid 1298 (modprobe), ts 51288082000, free_ts 51292858252
[ 54.001155][ T1512] post_alloc_hook+0x286/0x2b0
[ 54.005899][ T1512] get_page_from_freelist+0x2ba7/0x2de0
[ 54.011412][ T1512] __alloc_pages+0x251/0x640
[ 54.015968][ T1512] vma_alloc_folio+0x689/0x870
[ 54.020697][ T1512] wp_page_copy+0x1e6/0x1610
[ 54.025252][ T1512] handle_mm_fault+0x91a/0x2bf0
[ 54.030085][ T1512] exc_page_fault+0x22a/0x5e0
[ 54.034732][ T1512] asm_exc_page_fault+0x22/0x30
[ 54.039554][ T1512] page last free stack trace:
[ 54.044199][ T1512] free_unref_page_prepare+0xca9/0xd80
[ 54.049631][ T1512] free_unref_page_list+0xaa/0x690
[ 54.054731][ T1512] release_pages+0x1763/0x1900
[ 54.059468][ T1512] tlb_flush_mmu+0x26f/0x3d0
[ 54.064025][ T1512] tlb_finish_mmu+0xb0/0x1b0
[ 54.068589][ T1512] exit_mmap+0x311/0x700
[ 54.072799][ T1512] __mmput+0x61/0x290
[ 54.076747][ T1512] exit_mm+0x122/0x1b0
[ 54.080788][ T1512] do_exit+0x81e/0x23a0
[ 54.084923][ T1512] do_group_exit+0x1b5/0x280
[ 54.089483][ T1512] __x64_sys_exit_group+0x3b/0x40
[ 54.094485][ T1512] do_syscall_64+0x3d/0x80
[ 54.098881][ T1512] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.104751][ T1512]
[ 54.107051][ T1512] Memory state around the buggy address:
[ 54.112644][ T1512] ffff8881255b4280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.120669][ T1512] ffff8881255b4300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.128706][ T1512] >ffff8881255b4380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.136742][ T1512]                                                          ^
[ 54.144161][ T1512] ffff8881255b4400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.152191][ T1512] ffff8881255b4480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.160216][ T1512] ==================================================================
[ 54.168383][ T1512] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 54.175748][ T1512] Kernel Offset: disabled
[ 54.180045][ T1512] Rebooting in 86400 seconds..