Warning: Permanently added '10.128.0.101' (ED25519) to the list of known hosts.
2025/02/17 15:01:03 ignoring optional flag "sandboxArg"="0"
2025/02/17 15:01:03 ignoring optional flag "type"="gce"
2025/02/17 15:01:04 parsed 1 programs
[ 52.724242][ T1541] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/02/17 15:01:07 executed programs: 0
[ 65.461525][ T4277] loop3: detected capacity change from 0 to 128
[ 65.499436][ T4277] EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue. Quota mode: none.
[ 65.510132][ T4277] ext4 filesystem being mounted at /root/syzkaller-testdir1068478248/syzkaller.xIqFsb/0/file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa supports timestamps until 2038-01-19 (0x7fffffff)
[ 65.607170][ T4303] loop0: detected capacity change from 0 to 128
[ 65.624976][ T4277] EXT4-fs warning (device loop3): dx_probe:891: inode #2: comm syz-executor.3: dx entry: limit 0 != root limit 124
[ 65.637115][ T4277] EXT4-fs warning (device loop3): dx_probe:965: inode #2: comm syz-executor.3: Corrupt directory, running e2fsck is recommended
[ 65.663457][ T4277] ==================================================================
[ 65.671580][ T4277] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x5ee/0x920
[ 65.679496][ T4277] Read of size 2 at addr ffff88810ee2d003 by task syz-executor.3/4277
[ 65.688083][ T4277]
[ 65.690410][ T4277] CPU: 0 PID: 4277 Comm: syz-executor.3 Not tainted 5.15.178-syzkaller #0
[ 65.698909][ T4277] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 65.708967][ T4277] Call Trace:
[ 65.712241][ T4277]
[ 65.715165][ T4277] dump_stack_lvl+0x41/0x5e
[ 65.719668][ T4277] print_address_description.constprop.0.cold+0x6c/0x309
[ 65.726675][ T4277] ? __ext4_check_dir_entry+0x5ee/0x920
[ 65.732210][ T4277] ? __ext4_check_dir_entry+0x5ee/0x920
[ 65.737749][ T4277] kasan_report.cold+0x83/0xdf
[ 65.742513][ T4277] ? __ext4_check_dir_entry+0x5ee/0x920
[ 65.748044][ T4277] __ext4_check_dir_entry+0x5ee/0x920
[ 65.753403][ T4277] ext4_readdir+0xd2c/0x2780
[ 65.757980][ T4277] ? __ext4_check_dir_entry+0x920/0x920
[ 65.763509][ T4277] ? down_read_killable+0x157/0x330
[ 65.768696][ T4277] ? fsnotify_perm.part.0+0x118/0x4c0
[ 65.774058][ T4277] iterate_dir+0x48a/0x6d0
[ 65.778471][ T4277] __x64_sys_getdents64+0x122/0x220
[ 65.783661][ T4277] ? __ia32_sys_getdents+0x220/0x220
[ 65.788939][ T4277] ? compat_fillonedir+0x300/0x300
[ 65.792021][ T4313] loop4: detected capacity change from 0 to 128
[ 65.794053][ T4277] ? vtime_user_exit+0xde/0x180
[ 65.794071][ T4277] do_syscall_64+0x33/0x80
[ 65.794080][ T4277] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 65.815432][ T4277] RIP: 0033:0x7fbb87068ee9
[ 65.819839][ T4277] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 65.839431][ T4277] RSP: 002b:00007fbb86beb0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 65.847834][ T4277] RAX: ffffffffffffffda RBX: 00007fbb8719ffa0 RCX: 00007fbb87068ee9
[ 65.855802][ T4277] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000008
[ 65.863766][ T4277] RBP: 00007fbb870b547f R08: 0000000000000000 R09: 0000000000000000
[ 65.871728][ T4277] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 65.879698][ T4277] R13: 0000000000000006 R14: 00007fbb8719ffa0 R15: 00007fff3693bee8
[ 65.888488][ T4277]
[ 65.891501][ T4277]
[ 65.893818][ T4277] Allocated by task 4196:
[ 65.898143][ T4277] kasan_save_stack+0x1b/0x40
[ 65.902815][ T4277] __kasan_slab_alloc+0x61/0x80
[ 65.907662][ T4277] kmem_cache_alloc+0x211/0x310
[ 65.912500][ T4277] vm_area_dup+0x73/0x280
[ 65.916815][ T4277] __split_vma+0x88/0x420
[ 65.921136][ T4277] __do_munmap+0xa02/0x10d0
[ 65.925630][ T4277] mmap_region+0x1ce/0xfe0
[ 65.930037][ T4277] do_mmap+0x5ca/0xd80
[ 65.934099][ T4277] vm_mmap_pgoff+0x160/0x200
[ 65.938678][ T4277] ksys_mmap_pgoff+0x396/0x570
[ 65.943452][ T4277] do_syscall_64+0x33/0x80
[ 65.947860][ T4277] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 65.953751][ T4277]
[ 65.956081][ T4277] Freed by task 4196:
[ 65.960047][ T4277] kasan_save_stack+0x1b/0x40
[ 65.964720][ T4277] kasan_set_track+0x1c/0x30
[ 65.969306][ T4277] kasan_set_free_info+0x20/0x30
[ 65.974233][ T4277] __kasan_slab_free+0xe0/0x110
[ 65.979079][ T4277] kmem_cache_free+0x7e/0x450
[ 65.983745][ T4277] __do_munmap+0x5bf/0x10d0
[ 65.988245][ T4277] mmap_region+0x1ce/0xfe0
[ 65.992652][ T4277] do_mmap+0x5ca/0xd80
[ 65.996709][ T4277] vm_mmap_pgoff+0x160/0x200
[ 66.001289][ T4277] ksys_mmap_pgoff+0x396/0x570
[ 66.006043][ T4277] do_syscall_64+0x33/0x80
[ 66.010455][ T4277] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 66.016338][ T4277]
[ 66.018651][ T4277] The buggy address belongs to the object at ffff88810ee2d000
[ 66.018651][ T4277] which belongs to the cache vm_area_struct of size 192
[ 66.029372][ T4331] loop2: detected capacity change from 0 to 128
[ 66.032948][ T4277] The buggy address is located 3 bytes inside of
[ 66.032948][ T4277] 192-byte region [ffff88810ee2d000, ffff88810ee2d0c0)
[ 66.032956][ T4277] The buggy address belongs to the page:
[ 66.032959][ T4277] page:ffffea00043b8b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ee2d
[ 66.032983][ T4277] memcg:ffff88810a58d401
[ 66.059346][ T4334] loop1: detected capacity change from 0 to 128
[ 66.068104][ T4277] flags: 0x200000000000200(slab|node=0|zone=2)
[ 66.068116][ T4277] raw: 0200000000000200 dead000000000100 dead000000000122 ffff88810012fa00
[ 66.068130][ T4277] raw: 0000000000000000 0000000000100010 00000001ffffffff ffff88810a58d401
[ 66.068134][ T4277] page dumped because: kasan: bad access detected
[ 66.068138][ T4277] page_owner tracks the page as allocated
[ 66.068141][ T4277] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 577, ts 29352526160, free_ts 29348703202
[ 66.068152][ T4277] get_page_from_freelist+0x1319/0x2e50
[ 66.135377][ T4277] __alloc_pages+0x2b3/0x590
[ 66.139973][ T4277] allocate_slab+0x2eb/0x430
[ 66.144544][ T4277] ___slab_alloc+0xb1c/0xf80
[ 66.149115][ T4277] kmem_cache_alloc+0x2d7/0x310
[ 66.153944][ T4277] vm_area_alloc+0x17/0xf0
[ 66.158345][ T4277] mmap_region+0x763/0xfe0
[ 66.162763][ T4277] do_mmap+0x5ca/0xd80
[ 66.166815][ T4277] vm_mmap_pgoff+0x160/0x200
[ 66.171378][ T4277] ksys_mmap_pgoff+0x91/0x570
[ 66.176031][ T4277] do_syscall_64+0x33/0x80
[ 66.180438][ T4277] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 66.186315][ T4277] page last free stack trace:
[ 66.190978][ T4277] free_pcp_prepare+0x34e/0x730
[ 66.195806][ T4277] free_unref_page_list+0x168/0x9a0
[ 66.200997][ T4277] release_pages+0x9f2/0x1100
[ 66.205666][ T4277] tlb_finish_mmu+0x125/0x6c0
[ 66.210315][ T4277] exit_mmap+0x185/0x580
[ 66.214551][ T4277] mmput+0x90/0x390
[ 66.218340][ T4277] do_exit+0x87f/0x21d0
[ 66.222480][ T4277] do_group_exit+0xe7/0x290
[ 66.226957][ T4277] __x64_sys_exit_group+0x35/0x40
[ 66.231953][ T4277] do_syscall_64+0x33/0x80
[ 66.236343][ T4277] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 66.242215][ T4277]
[ 66.244514][ T4277] Memory state around the buggy address:
[ 66.250146][ T4277] ffff88810ee2cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.258182][ T4277] ffff88810ee2cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 66.266220][ T4277] >ffff88810ee2d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.274261][ T4277] ^
[ 66.278302][ T4277] ffff88810ee2d080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 66.286334][ T4277] ffff88810ee2d100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.294371][ T4277] ==================================================================
[ 66.302421][ T4277] Disabling lock debugging due to kernel taint
[ 66.308615][ T4277] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 66.316108][ T4277] Kernel Offset: disabled
[ 66.320427][ T4277] Rebooting in 86400 seconds..