Warning: Permanently added '10.128.0.60' (ED25519) to the list of known hosts.
2024/05/21 16:56:26 ignoring optional flag "sandboxArg"="0"
2024/05/21 16:56:27 parsed 1 programs
2024/05/21 16:56:27 executed programs: 0
[ 51.306045][ T1046] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 56.542243][ T1506] loop0: detected capacity change from 0 to 512
[ 56.550189][ T1506] EXT4-fs: Ignoring removed bh option
[ 56.556205][ T1506] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 56.567434][ T1506] EXT4-fs (loop0): 1 truncate cleaned up
[ 56.573256][ T1506] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
2024/05/21 16:56:32 executed programs: 1
[ 56.587281][ T1506] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=4061898738, rec_len=7079, size=56 fake=0
[ 56.616141][ T1052] EXT4-fs (loop0): unmounting filesystem.
[ 56.636080][ T1511] loop0: detected capacity change from 0 to 512
[ 56.643379][ T1511] EXT4-fs: Ignoring removed bh option
[ 56.649072][ T1511] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 56.659309][ T1511] EXT4-fs (loop0): 1 truncate cleaned up
[ 56.665088][ T1511] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 56.679963][ T1511] ==================================================================
[ 56.688058][ T1511] BUG: KASAN: use-after-free in ext4_search_dir+0x148/0x250
[ 56.695343][ T1511] Read of size 1 at addr ffff8881251bb3ed by task syz-executor.0/1511
[ 56.703492][ T1511]
[ 56.705823][ T1511] CPU: 0 PID: 1511 Comm: syz-executor.0 Not tainted 6.1.91-syzkaller #0
[ 56.714247][ T1511] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 56.724480][ T1511] Call Trace:
[ 56.727770][ T1511]
[ 56.730706][ T1511] dump_stack_lvl+0xf4/0x251
[ 56.735407][ T1511] ? nf_tcp_handle_invalid+0x2f3/0x2f3
[ 56.741233][ T1511] ? panic+0x3fe/0x3fe
[ 56.745284][ T1511] ? _printk+0xca/0x10a
[ 56.749431][ T1511] ? __virt_addr_valid+0x139/0x260
[ 56.754616][ T1511] ? __virt_addr_valid+0x211/0x260
[ 56.759841][ T1511] print_report+0x15f/0x4f0
[ 56.764510][ T1511] ? __virt_addr_valid+0x139/0x260
[ 56.769612][ T1511] ? __virt_addr_valid+0x211/0x260
[ 56.774814][ T1511] ? ext4_search_dir+0x148/0x250
[ 56.780100][ T1511] kasan_report+0x136/0x160
[ 56.784863][ T1511] ? ext4_search_dir+0x148/0x250
[ 56.790057][ T1511] ext4_search_dir+0x148/0x250
[ 56.794833][ T1511] ext4_find_inline_entry+0x367/0x540
[ 56.800477][ T1511] ? ext4_try_create_inline_dir+0x320/0x320
[ 56.806557][ T1511] ? tomoyo_path_number_perm+0x54d/0x6a0
[ 56.812294][ T1511] ? tomoyo_path_number_perm+0x1c3/0x6a0
[ 56.818048][ T1511] __ext4_find_entry+0x2dc/0x1a10
[ 56.823349][ T1511] ? d_alloc_parallel+0x318/0x1130
[ 56.828552][ T1511] ? dx_node_limit+0x150/0x150
[ 56.833389][ T1511] ? d_alloc_parallel+0x318/0x1130
[ 56.839010][ T1511] ext4_lookup+0x1ab/0x5f0
[ 56.843404][ T1511] ? ext4_add_entry+0x2e80/0x2e80
[ 56.848497][ T1511] ? inode_permission+0x56/0x320
[ 56.853598][ T1511] ? ext4_add_entry+0x2e80/0x2e80
[ 56.858637][ T1511] path_openat+0xdb6/0x2410
[ 56.863494][ T1511] ? do_filp_open+0x430/0x430
[ 56.868530][ T1511] do_filp_open+0x226/0x430
[ 56.873122][ T1511] ? vfs_tmpfile+0x3e0/0x3e0
[ 56.877809][ T1511] ? _raw_spin_unlock+0x24/0x40
[ 56.882650][ T1511] ? alloc_fd+0x3dc/0x470
[ 56.887008][ T1511] do_sys_openat2+0x10b/0x420
[ 56.891756][ T1511] ? rcu_is_watching+0x1b/0x90
[ 56.896601][ T1511] ? do_sys_open+0x1c0/0x1c0
[ 56.901337][ T1511] ? __rseq_handle_notify_resume+0x827/0xdf0
[ 56.907842][ T1511] ? xfd_validate_state+0x12/0x50
[ 56.912982][ T1511] __x64_sys_open+0x1eb/0x240
[ 56.917879][ T1511] ? do_sys_openat2+0x420/0x420
[ 56.922935][ T1511] ? switch_fpu_return+0xc9/0x130
[ 56.928033][ T1511] do_syscall_64+0x3b/0x80
[ 56.932566][ T1511] ? clear_bhb_loop+0x45/0xa0
[ 56.937264][ T1511] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 56.943362][ T1511] RIP: 0033:0x7fc7b9b05b29
[ 56.947878][ T1511] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 56.967780][ T1511] RSP: 002b:00007fc7b96880c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 56.976210][ T1511] RAX: ffffffffffffffda RBX: 00007fc7b9c24f80 RCX: 00007fc7b9b05b29
[ 56.984176][ T1511] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000100
[ 56.992315][ T1511] RBP: 00007fc7b9b5147a R08: 0000000000000000 R09: 0000000000000000
[ 57.000371][ T1511] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 57.008332][ T1511] R13: 0000000000000006 R14: 00007fc7b9c24f80 R15: 00007ffe8dec8048
[ 57.016556][ T1511]
[ 57.019604][ T1511]
[ 57.022378][ T1511] The buggy address belongs to the physical page:
[ 57.028961][ T1511] page:ffffea0004946ec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1251bb
[ 57.039185][ T1511] flags: 0x200000000000000(node=0|zone=2)
[ 57.044966][ T1511] raw: 0200000000000000 dead000000000100 dead000000000122 0000000000000000
[ 57.053564][ T1511] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 57.062225][ T1511] page dumped because: kasan: bad access detected
[ 57.068633][ T1511] page_owner tracks the page as freed
[ 57.074077][ T1511] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 1445, tgid 1445 (modprobe), ts 55817897321, free_ts 55821638802
[ 57.091544][ T1511] post_alloc_hook+0x286/0x2b0
[ 57.096410][ T1511] get_page_from_freelist+0x2ba7/0x2de0
[ 57.102018][ T1511] __alloc_pages+0x251/0x640
[ 57.106603][ T1511] vma_alloc_folio+0x689/0x870
[ 57.111343][ T1511] wp_page_copy+0x1e6/0x1610
[ 57.115947][ T1511] handle_mm_fault+0x91a/0x2bf0
[ 57.120968][ T1511] exc_page_fault+0x22a/0x5e0
[ 57.125636][ T1511] asm_exc_page_fault+0x22/0x30
[ 57.130474][ T1511] page last free stack trace:
[ 57.135130][ T1511] free_unref_page_prepare+0xca9/0xd80
[ 57.140571][ T1511] free_unref_page_list+0xaa/0x690
[ 57.145664][ T1511] release_pages+0x1763/0x1900
[ 57.150527][ T1511] tlb_flush_mmu+0x26f/0x3d0
[ 57.155108][ T1511] tlb_finish_mmu+0xb0/0x1b0
[ 57.159882][ T1511] exit_mmap+0x311/0x700
[ 57.164283][ T1511] __mmput+0x61/0x290
[ 57.169355][ T1511] exit_mm+0x122/0x1b0
[ 57.173552][ T1511] do_exit+0x81e/0x23a0
[ 57.177729][ T1511] do_group_exit+0x1b5/0x280
[ 57.182348][ T1511] __x64_sys_exit_group+0x3b/0x40
[ 57.187376][ T1511] do_syscall_64+0x3b/0x80
[ 57.191788][ T1511] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 57.197666][ T1511]
[ 57.199975][ T1511] Memory state around the buggy address:
[ 57.205582][ T1511]  ffff8881251bb280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.213855][ T1511]  ffff8881251bb300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.221926][ T1511] >ffff8881251bb380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.229971][ T1511]                                                           ^
[ 57.237684][ T1511]  ffff8881251bb400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.246094][ T1511]  ffff8881251bb480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.254408][ T1511] ==================================================================
[ 57.262684][ T1511] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 57.270414][ T1511] Kernel Offset: disabled
[ 57.274745][ T1511] Rebooting in 86400 seconds..