Warning: Permanently added '10.128.10.7' (ED25519) to the list of known hosts.
2025/06/27 01:53:06 ignoring optional flag "sandboxArg"="0"
2025/06/27 01:53:06 ignoring optional flag "type"="gce"
2025/06/27 01:53:06 parsed 1 programs
[ 64.548754][ T1902] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/06/27 01:53:14 executed programs: 0
2025/06/27 01:53:20 executed programs: 2
[ 77.638552][ T2882] loop0: detected capacity change from 0 to 1024
[ 77.664784][ T2882] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[ 77.717112][ T2882] loop0: detected capacity change from 1024 to 1023
[ 77.728964][ T2428] EXT4-fs error (device loop0): ext4_readdir:264: inode #2: block 16: comm syz-executor: path /0/bus: bad entry in directory: rec_len is smaller than minimal - offset=980, inode=0, rec_len=0, size=1024 fake=0
[ 77.750196][ T2428] ==================================================================
[ 77.758285][ T2428] BUG: KASAN: slab-use-after-free in ext4_read_inline_data+0x18f/0x280
[ 77.766510][ T2428] Read of size 68 at addr ffff888124d8651a by task syz-executor/2428
[ 77.774546][ T2428]
[ 77.776866][ T2428] CPU: 1 UID: 0 PID: 2428 Comm: syz-executor Not tainted 6.16.0-rc3-syzkaller #0 PREEMPT(undef)
[ 77.776872][ T2428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 77.776878][ T2428] Call Trace:
[ 77.776883][ T2428]
[ 77.776886][ T2428] dump_stack_lvl+0xf4/0x170
[ 77.776896][ T2428] ? __pfx_dump_stack_lvl+0x10/0x10
[ 77.776900][ T2428] ? rcu_is_watching+0x1f/0xa0
[ 77.776906][ T2428] ? __virt_addr_valid+0x176/0x2b0
[ 77.776911][ T2428] ? lock_release+0x42/0x2f0
[ 77.776915][ T2428] ? lock_acquire+0x69/0x210
[ 77.776918][ T2428] ? _raw_spin_lock_irqsave+0xa5/0xe0
[ 77.776923][ T2428] ? __virt_addr_valid+0x176/0x2b0
[ 77.776926][ T2428] ? __virt_addr_valid+0x262/0x2b0
[ 77.776929][ T2428] print_report+0xd2/0x2b0
[ 77.776935][ T2428] ? ext4_read_inline_data+0x18f/0x280
[ 77.776940][ T2428] kasan_report+0x118/0x150
[ 77.776945][ T2428] ? ext4_read_inline_data+0x18f/0x280
[ 77.776949][ T2428] kasan_check_range+0x2b0/0x2c0
[ 77.776953][ T2428] ? ext4_read_inline_data+0x18f/0x280
[ 77.776957][ T2428] __asan_memcpy+0x29/0x70
[ 77.776962][ T2428] ext4_read_inline_data+0x18f/0x280
[ 77.776966][ T2428] ext4_read_inline_dir+0x2cd/0x940
[ 77.776971][ T2428] ? __pfx_ext4_read_inline_dir+0x10/0x10
[ 77.776976][ T2428] ? __lock_acquire+0x74/0x4c0
[ 77.776979][ T2428] ext4_readdir+0x252/0x2d10
[ 77.776984][ T2428] ? rcu_is_watching+0x1f/0xa0
[ 77.776990][ T2428] ? handle_mm_fault+0x1d0b/0x2310
[ 77.776994][ T2428] ? __pfx_ext4_readdir+0x10/0x10
[ 77.776998][ T2428] ? rwsem_read_trylock+0x18e/0x210
[ 77.777004][ T2428] ? __pfx_rwsem_read_trylock+0x10/0x10
[ 77.777009][ T2428] ? iterate_dir+0xb5/0x4c0
[ 77.777013][ T2428] ? down_read_killable+0x120/0x1a0
[ 77.777018][ T2428] iterate_dir+0x1aa/0x4c0
[ 77.777022][ T2428] __se_sys_getdents64+0xd3/0x1b0
[ 77.777026][ T2428] ? __pfx___se_sys_getdents64+0x10/0x10
[ 77.777030][ T2428] ? exc_page_fault+0x62/0xa0
[ 77.777034][ T2428] ? __pfx_filldir64+0x10/0x10
[ 77.777037][ T2428] ? do_user_addr_fault+0x378/0xc30
[ 77.777044][ T2428] do_syscall_64+0x8f/0x250
[ 77.777049][ T2428] ? fpregs_assert_state_consistent+0x48/0x60
[ 77.777054][ T2428] ? clear_bhb_loop+0x40/0x90
[ 77.777059][ T2428] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 77.777063][ T2428] RIP: 0033:0x7fc452729333
[ 77.777071][ T2428] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 02 45 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
[ 77.777077][ T2428] RSP: 002b:00007ffebdbffcd8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 77.777085][ T2428] RAX: ffffffffffffffda RBX: 0000555574d67520 RCX: 00007fc452729333
[ 77.777088][ T2428] RDX: 0000000000008000 RSI: 0000555574d67520 RDI: 0000000000000006
[ 77.777091][ T2428] RBP: 0000555574d674f4 R08: 0000000000000000 R09: 0000000000000000
[ 77.777094][ T2428] R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
[ 77.777096][ T2428] R13: 0000000000000016 R14: 0000555574d674f0 R15: 00007ffebdc03070
[ 77.777100][ T2428]
[ 77.777102][ T2428]
[ 78.072019][ T2428] Allocated by task 2853:
[ 78.076317][ T2428] kasan_save_track+0x3e/0x80
[ 78.080965][ T2428] __kasan_kmalloc+0x93/0xb0
[ 78.085524][ T2428] __kmalloc_cache_noprof+0x220/0x410
[ 78.090866][ T2428] kmem_cache_free+0x14c/0x460
[ 78.095598][ T2428] exit_mmap+0x430/0x850
[ 78.099806][ T2428] __mmput+0x62/0x290
[ 78.103754][ T2428] exit_mm+0x11b/0x1b0
[ 78.107787][ T2428] do_exit+0x506/0x1d40
[ 78.111908][ T2428] do_group_exit+0x1b1/0x280
[ 78.116464][ T2428] __x64_sys_exit_group+0x3f/0x40
[ 78.121452][ T2428] x64_sys_call+0x21ba/0x21c0
[ 78.126098][ T2428] do_syscall_64+0x8f/0x250
[ 78.130569][ T2428] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 78.136429][ T2428]
[ 78.138731][ T2428] Freed by task 15:
[ 78.142506][ T2428] kasan_save_track+0x3e/0x80
[ 78.147156][ T2428] kasan_save_free_info+0x46/0x50
[ 78.152160][ T2428] __kasan_slab_free+0x62/0x70
[ 78.156913][ T2428] kfree+0x174/0x3e0
[ 78.160776][ T2428] slab_free_after_rcu_debug+0x60/0x290
[ 78.166290][ T2428] rcu_core+0xbf1/0x1530
[ 78.170510][ T2428] handle_softirqs+0x19a/0x500
[ 78.175242][ T2428] run_ksoftirqd+0x28/0x40
[ 78.179631][ T2428] smpboot_thread_fn+0x3f4/0x7d0
[ 78.184564][ T2428] kthread+0x59b/0x690
[ 78.188605][ T2428] ret_from_fork+0x139/0x2d0
[ 78.193253][ T2428] ret_from_fork_asm+0x1a/0x30
[ 78.197993][ T2428]
[ 78.200290][ T2428] Last potentially related work creation:
[ 78.205975][ T2428] kasan_save_stack+0x3e/0x60
[ 78.210621][ T2428] kasan_record_aux_stack+0xbd/0xd0
[ 78.215786][ T2428] call_rcu+0x14a/0x790
[ 78.219909][ T2428] kmem_cache_free+0x2c8/0x460
[ 78.224638][ T2428] exit_mmap+0x430/0x850
[ 78.228845][ T2428] __mmput+0x62/0x290
[ 78.232796][ T2428] exit_mm+0x11b/0x1b0
[ 78.236835][ T2428] do_exit+0x506/0x1d40
[ 78.241042][ T2428] do_group_exit+0x1b1/0x280
[ 78.245598][ T2428] __x64_sys_exit_group+0x3f/0x40
[ 78.250587][ T2428] x64_sys_call+0x21ba/0x21c0
[ 78.255230][ T2428] do_syscall_64+0x8f/0x250
[ 78.259698][ T2428] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 78.265573][ T2428]
[ 78.267894][ T2428] The buggy address belongs to the object at ffff888124d86500
[ 78.267894][ T2428] which belongs to the cache kmalloc-32 of size 32
[ 78.281740][ T2428] The buggy address is located 26 bytes inside of
[ 78.281740][ T2428] freed 32-byte region [ffff888124d86500, ffff888124d86520)
[ 78.295326][ T2428]
[ 78.297622][ T2428] The buggy address belongs to the physical page:
[ 78.304007][ T2428] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124d86
[ 78.312828][ T2428] anon flags: 0x200000000000000(node=0|zone=2)
[ 78.318953][ T2428] page_type: f5(slab)
[ 78.322902][ T2428] raw: 0200000000000000 ffff888100041780 0000000000000000 dead000000000001
[ 78.331543][ T2428] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[ 78.340089][ T2428] page dumped because: kasan: bad access detected
[ 78.346481][ T2428] page_owner tracks the page as allocated
[ 78.352165][ T2428] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP), pid 1057, tgid 1057 (modprobe), ts 33823477787, free_ts 33797594514
[ 78.369921][ T2428] post_alloc_hook+0x168/0x1a0
[ 78.374660][ T2428] get_page_from_freelist+0x2c22/0x2de0
[ 78.380259][ T2428] __alloc_frozen_pages_noprof+0x26b/0x460
[ 78.386029][ T2428] alloc_pages_mpol+0xcb/0x270
[ 78.390755][ T2428] allocate_slab+0x8a/0x350
[ 78.395742][ T2428] ___slab_alloc+0x9dc/0x10e0
[ 78.400381][ T2428] __kmalloc_cache_noprof+0x27c/0x410
[ 78.405718][ T2428] kmem_cache_free+0x14c/0x460
[ 78.410451][ T2428] vms_complete_munmap_vmas+0x390/0x680
[ 78.415962][ T2428] do_vmi_align_munmap+0x307/0x350
[ 78.421057][ T2428] do_vmi_munmap+0x192/0x210
[ 78.425651][ T2428] __vm_munmap+0x1bc/0x330
[ 78.430326][ T2428] elf_load+0x239/0x4e0
[ 78.434468][ T2428] load_elf_binary+0xd94/0x2130
[ 78.439313][ T2428] bprm_execve+0x6bf/0xe80
[ 78.443796][ T2428] kernel_execve+0x4d3/0x5f0
[ 78.448363][ T2428] page last free pid 23 tgid 23 stack trace:
[ 78.454313][ T2428] __free_frozen_pages+0xa1a/0xbf0
[ 78.459420][ T2428] rcu_core+0xbf1/0x1530
[ 78.463644][ T2428] handle_softirqs+0x19a/0x500
[ 78.468651][ T2428] run_ksoftirqd+0x28/0x40
[ 78.473060][ T2428] smpboot_thread_fn+0x3f4/0x7d0
[ 78.477983][ T2428] kthread+0x59b/0x690
[ 78.482066][ T2428] ret_from_fork+0x139/0x2d0
[ 78.486631][ T2428] ret_from_fork_asm+0x1a/0x30
[ 78.491364][ T2428]
[ 78.493660][ T2428] Memory state around the buggy address:
[ 78.499257][ T2428] ffff888124d86400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 78.507291][ T2428] ffff888124d86480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 78.515321][ T2428] >ffff888124d86500: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 78.523353][ T2428] ^
[ 78.528172][ T2428] ffff888124d86580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 78.536214][ T2428] ffff888124d86600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 78.544261][ T2428] ==================================================================
[ 78.552635][ T2428] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.560070][ T2428] Kernel Offset: disabled
[ 78.564394][ T2428] Rebooting in 86400 seconds..