Warning: Permanently added '10.128.0.126' (ED25519) to the list of known hosts.
2024/12/10 14:32:58 ignoring optional flag "sandboxArg"="0"
2024/12/10 14:32:58 parsed 1 programs
[ 65.477752] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 65.874587] cfg80211: failed to load regulatory.db
2024/12/10 14:33:03 executed programs: 0
[ 69.981178] (syz.3.15,4617,0):ocfs2_block_check_validate:444 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC.
[ 69.994171] (syz.3.15,4617,0):ocfs2_block_check_validate:444 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC.
[ 70.008879] (syz.3.15,4617,1):ocfs2_block_check_validate:444 ERROR: CRC32 failed: stored: 0xcfdff595, computed 0xefed4a20. Applying ECC.
[ 70.022293] JBD2: Ignoring recovery information on journal
[ 70.040708] ocfs2: Mounting device (7,3) on (node local, slot 0) with ordered data mode.
[ 70.057010] ==================================================================
[ 70.064399] BUG: KASAN: use-after-free in ocfs2_lock_global_qf+0x1de/0x220
[ 70.071397] Read of size 8 at addr ffff8800a85b8928 by task syz.3.15/4617
[ 70.078480]
[ 70.080102] CPU: 1 PID: 4617 Comm: syz.3.15 Not tainted 4.19.0-syzkaller #0
[ 70.087196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 70.096523] Call Trace:
[ 70.099093]  dump_stack+0x10c/0x17a
[ 70.102707]  print_address_description.cold.6+0x9/0x244
[ 70.108051]  kasan_report.cold.7+0x242/0x305
[ 70.112438]  ? ocfs2_lock_global_qf+0x1de/0x220
[ 70.117179]  __asan_report_load8_noabort+0x14/0x20
[ 70.122081]  ocfs2_lock_global_qf+0x1de/0x220
[ 70.126554]  ? ocfs2_quota_write+0xab0/0xab0
[ 70.130947]  ? qid_valid+0x110/0x110
[ 70.134633]  ocfs2_get_next_id+0x1e0/0x430
[ 70.138856]  ? ocfs2_unlock_global_qf+0x190/0x190
[ 70.143671]  ? from_kqid+0x12f/0x1a0
[ 70.147465]  ? qid_valid+0x110/0x110
[ 70.151157]  dquot_get_next_dqblk+0x72/0x140
[ 70.155555]  quota_getnextquota+0x204/0x490
[ 70.159872]  ? lock_acquire+0x18b/0x340
[ 70.163822]  ? __get_super.part.3+0x190/0x260
[ 70.168299]  ? quota_getxquota+0x370/0x370
[ 70.172505]  ? down_read+0x28/0xa0
[ 70.176123]  ? __get_super.part.3+0x190/0x260
[ 70.180594]  ? kasan_check_read+0x11/0x20
[ 70.184824]  ? _atomic_dec_and_lock+0xc8/0x160
[ 70.189471]  ? cpumask_local_spread+0x230/0x230
[ 70.194115]  ? __get_super_thawed+0xdf/0x210
[ 70.198501]  ? get_super+0x30/0x30
[ 70.202015]  ? security_capable+0x55/0x90
[ 70.206228]  kernel_quotactl+0x625/0x1020
[ 70.210373]  ? qtype_enforce_flag+0x50/0x50
[ 70.214701]  ? _raw_spin_unlock_irqrestore+0x63/0x90
[ 70.219922]  ? debug_check_no_obj_freed+0x1eb/0x455
[ 70.224914]  ? lock_downgrade+0x590/0x590
[ 70.229035]  ? kasan_check_write+0x14/0x20
[ 70.233249]  ? __lock_acquire.isra.10+0x116/0x1870
[ 70.238237]  ? __context_tracking_exit.part.3+0x81/0x170
[ 70.243667]  ? lock_downgrade+0x590/0x590
[ 70.247882]  ? debug_smp_processor_id+0x17/0x20
[ 70.252540]  ? syscall_slow_exit_work+0x460/0x460
[ 70.257376]  __x64_sys_quotactl+0x92/0xf0
[ 70.261541]  do_syscall_64+0xd0/0x340
[ 70.265363]  ? prepare_exit_to_usermode+0xec/0x130
[ 70.270376]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.275587] RIP: 0033:0x7f572be51f19
[ 70.279286] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.298452] RSP: 002b:00007f572b8d1058 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
[ 70.306138] RAX: ffffffffffffffda RBX: 00007f572c017fa0 RCX: 00007f572be51f19
[ 70.313399] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: ffffffff80000900
[ 70.320739] RBP: 00007f572bec5cc8 R08: 0000000000000000 R09: 0000000000000000
[ 70.328155] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.335435] R13: 0000000000000000 R14: 00007f572c017fa0 R15: 00007ffe9d30c478
[ 70.342683]
[ 70.344290] Allocated by task 4617:
[ 70.347897]  kasan_kmalloc.part.1+0x62/0xf0
[ 70.352372]  kasan_kmalloc+0xaf/0xc0
[ 70.356066]  kmem_cache_alloc_trace+0x13c/0x260
[ 70.360713]  ocfs2_local_read_info+0x159/0x1230
[ 70.365443]  vfs_load_quota_inode+0x54d/0xfd0
[ 70.369907]  dquot_enable+0x121/0x170
[ 70.373680]  ocfs2_enable_quotas+0x25d/0x550
[ 70.378210]  ocfs2_fill_super.cold.15+0x177/0x333
[ 70.383038]  mount_bdev+0x272/0x330
[ 70.386668]  ocfs2_mount+0x10/0x20
[ 70.390239]  mount_fs+0x84/0x1f5
[ 70.393667]  vfs_kern_mount.part.11+0x58/0x3d0
[ 70.398244]  do_mount+0x376/0x26e0
[ 70.401757]  ksys_mount+0xb1/0xd0
[ 70.405203]  __x64_sys_mount+0xb9/0x150
[ 70.409148]  do_syscall_64+0xd0/0x340
[ 70.412929]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.418087]
[ 70.419684] Freed by task 4617:
[ 70.422935]  __kasan_slab_free+0x167/0x240
[ 70.427144]  kasan_slab_free+0xe/0x10
[ 70.431007]  kfree+0x110/0x2c0
[ 70.434175]  ocfs2_local_free_info+0x413/0x810
[ 70.438756]  dquot_disable+0x5e3/0x18d0
[ 70.442701]  ocfs2_susp_quotas.isra.7+0x1ed/0x2f0
[ 70.447510]  ocfs2_remount+0x1ee/0xc40
[ 70.451385]  do_remount_sb+0x15b/0x640
[ 70.455254]  do_mount+0xfd8/0x26e0
[ 70.458768]  ksys_mount+0xb1/0xd0
[ 70.462195]  __x64_sys_mount+0xb9/0x150
[ 70.466141]  do_syscall_64+0xd0/0x340
[ 70.469985]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.475151]
[ 70.476766] The buggy address belongs to the object at ffff8800a85b8900
[ 70.476766]  which belongs to the cache kmalloc-1024 of size 1024
[ 70.489657] The buggy address is located 40 bytes inside of
[ 70.489657]  1024-byte region [ffff8800a85b8900, ffff8800a85b8d00)
[ 70.501679] The buggy address belongs to the page:
[ 70.506784] page:ffffea0002a16e00 count:1 mapcount:0 mapping:ffff88013bff4a00 index:0x0 compound_mapcount: 0
[ 70.516947] flags: 0xfff00000008100(slab|head)
[ 70.521513] raw: 00fff00000008100 ffffea0002322700 0000000300000003 ffff88013bff4a00
[ 70.529376] raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
[ 70.537253] page dumped because: kasan: bad access detected
[ 70.543049] page allocated via order 2, migratetype Unmovable, gfp_mask 0x352c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 70.558300]  get_page_from_freelist+0x2c68/0x41c0
[ 70.563139]  __alloc_pages_nodemask+0x390/0x2380
[ 70.568110]  alloc_pages_current+0xfd/0x290
[ 70.572454]  new_slab+0x49d/0x7f0
[ 70.575901]  ___slab_alloc+0x5b3/0x8e0
[ 70.579782]  __slab_alloc.isra.22+0x6a/0xa0
[ 70.584260]  __kmalloc_node+0xe2/0x3a0
[ 70.588135]  kvmalloc_node+0x68/0x70
[ 70.591850]  bucket_table_alloc.isra.6+0x39/0x3d0
[ 70.596671]  rhashtable_init+0x3df/0x7f0
[ 70.600703]  ipc_init_ids+0x8d/0x1e0
[ 70.604421]  msg_init_ns+0x146/0x180
[ 70.608139]  copy_ipcs+0x300/0x390
[ 70.611670]  create_new_namespaces+0x22a/0x750
[ 70.616255]  unshare_nsproxy_namespaces+0x8b/0x1a0
[ 70.621339]  ksys_unshare+0x31b/0x6e0
[ 70.625123]
[ 70.626731] Memory state around the buggy address:
[ 70.631641]  ffff8800a85b8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.639096]  ffff8800a85b8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.646533] >ffff8800a85b8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.653867]                                   ^
[ 70.658612]  ffff8800a85b8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.666310]  ffff8800a85b8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.673751] ==================================================================
[ 70.681111] Disabling lock debugging due to kernel taint
[ 70.687289] Kernel panic - not syncing: panic_on_warn set ...
[ 70.687289]
[ 70.695487] Kernel Offset: disabled
[ 70.699208] Rebooting in 86400 seconds..