syzkaller
syzkaller login: [ 22.634817][ T868] sftp-server (868) used greatest stack depth: 21424 bytes left
[ 30.127074][ T883] cgroup: Unknown subsys name 'net'
[ 30.229068][ T883] cgroup: Unknown subsys name 'cpuset'
[ 30.235861][ T883] cgroup: Unknown subsys name 'rlimit'
[ 30.518813][ T883] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 31.048727][ T890] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 35.674834][ T951] syz-executor (951) used greatest stack depth: 20312 bytes left
Warning: Permanently added '10.128.10.12' (ED25519) to the list of known hosts.
2024/12/02 22:17:04 ignoring optional flag "sandboxArg"="0"
2024/12/02 22:17:04 ignoring optional flag "type"="gce"
2024/12/02 22:17:05 parsed 1 programs
[ 55.346986][ T1425] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2024/12/02 22:17:10 executed programs: 0
[ 64.465764][ T2405] loop0: detected capacity change from 0 to 1024
[ 64.481313][ T2405] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[ 64.528049][ T2405] loop0: detected capacity change from 1024 to 1023
[ 64.539790][ T1951] EXT4-fs error (device loop0): ext4_readdir:261: inode #2: block 16: comm syz-executor: path /0/bus: bad entry in directory: rec_len is smaller than minimal - offset=980, inode=0, rec_len=0, size=1024 fake=0
[ 64.560785][ T1951] ==================================================================
[ 64.568842][ T1951] BUG: KASAN: slab-use-after-free in ext4_read_inline_dir+0x455/0xc10
[ 64.577086][ T1951] Read of size 68 at addr ffff88811427c51a by task syz-executor/1951
[ 64.585274][ T1951]
[ 64.587623][ T1951] CPU: 1 UID: 0 PID: 1951 Comm: syz-executor Not tainted 6.13.0-rc1-syzkaller #0
[ 64.597162][ T1951] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 64.607203][ T1951] Call Trace:
[ 64.610497][ T1951]
[ 64.613406][ T1951] dump_stack_lvl+0x108/0x280
[ 64.618146][ T1951] ? __pfx_dump_stack_lvl+0x10/0x10
[ 64.623317][ T1951] ? __pfx__printk+0x10/0x10
[ 64.627895][ T1951] ? lock_acquire+0xc2/0x3a0
[ 64.632471][ T1951] ? __pfx_lock_acquire+0x10/0x10
[ 64.637498][ T1951] ? __virt_addr_valid+0x141/0x270
[ 64.642682][ T1951] ? __virt_addr_valid+0x229/0x270
[ 64.647940][ T1951] print_report+0x169/0x550
[ 64.652417][ T1951] ? __virt_addr_valid+0x141/0x270
[ 64.657495][ T1951] ? __virt_addr_valid+0x229/0x270
[ 64.662575][ T1951] ? ext4_read_inline_dir+0x455/0xc10
[ 64.667923][ T1951] kasan_report+0x143/0x180
[ 64.672404][ T1951] ? ext4_read_inline_dir+0x455/0xc10
[ 64.677750][ T1951] kasan_check_range+0x282/0x290
[ 64.682662][ T1951] ? ext4_read_inline_dir+0x455/0xc10
[ 64.688007][ T1951] __asan_memcpy+0x29/0x70
[ 64.692412][ T1951] ext4_read_inline_dir+0x455/0xc10
[ 64.697676][ T1951] ? __pfx_ext4_read_inline_dir+0x10/0x10
[ 64.703370][ T1951] ext4_readdir+0x291/0x2fe0
[ 64.707932][ T1951] ? __mutex_lock+0x652/0x1a60
[ 64.712669][ T1951] ? __pfx___mutex_lock+0x10/0x10
[ 64.717671][ T1951] ? __pfx_ext4_readdir+0x10/0x10
[ 64.722667][ T1951] ? __pfx_down_read_killable+0x10/0x10
[ 64.728206][ T1951] ? reacquire_held_locks+0x3a3/0x5b0
[ 64.733552][ T1951] ? __pfx_reacquire_held_locks+0x10/0x10
[ 64.739245][ T1951] iterate_dir+0x18e/0x4a0
[ 64.743636][ T1951] __se_sys_getdents64+0x1b3/0x400
[ 64.748729][ T1951] ? __pfx___se_sys_getdents64+0x10/0x10
[ 64.754505][ T1951] ? __up_read+0x28b/0x370
[ 64.758980][ T1951] ? __pfx_filldir64+0x10/0x10
[ 64.763832][ T1951] do_syscall_64+0x8d/0x170
[ 64.768324][ T1951] ? clear_bhb_loop+0x55/0xb0
[ 64.772975][ T1951] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.778913][ T1951] RIP: 0033:0x7f7897129333
[ 64.783316][ T1951] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 02 45 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
[ 64.803083][ T1951] RSP: 002b:00007ffe81d3c538 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 64.811497][ T1951] RAX: ffffffffffffffda RBX: 0000555593193520 RCX: 00007f7897129333
[ 64.819447][ T1951] RDX: 0000000000008000 RSI: 0000555593193520 RDI: 0000000000000006
[ 64.827422][ T1951] RBP: 00005555931934f4 R08: 0000000000000000 R09: 0000000000000000
[ 64.835592][ T1951] R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
[ 64.843565][ T1951] R13: 0000000000000016 R14: 00005555931934f0 R15: 00007ffe81d3f8d0
[ 64.851550][ T1951]
[ 64.854561][ T1951]
[ 64.856864][ T1951] Allocated by task 1421:
[ 64.861196][ T1951] kasan_save_track+0x3f/0x80
[ 64.865853][ T1951] __kasan_slab_alloc+0x66/0x80
[ 64.870675][ T1951] kmem_cache_alloc_noprof+0x1b9/0x410
[ 64.876104][ T1951] __send_signal_locked+0x1c0/0xa10
[ 64.881299][ T1951] do_send_specific+0x19b/0x210
[ 64.886144][ T1951] __x64_sys_tgkill+0x23d/0x340
[ 64.891066][ T1951] do_syscall_64+0x8d/0x170
[ 64.895542][ T1951] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.901404][ T1951]
[ 64.903705][ T1951] Freed by task 1420:
[ 64.907687][ T1951] kasan_save_track+0x3f/0x80
[ 64.912358][ T1951] kasan_save_free_info+0x40/0x50
[ 64.917377][ T1951] __kasan_slab_free+0x59/0x70
[ 64.922121][ T1951] kmem_cache_free+0x17e/0x470
[ 64.926859][ T1951] __dequeue_signal+0x2ea/0x430
[ 64.931684][ T1951] dequeue_signal+0x16b/0x380
[ 64.936338][ T1951] get_signal+0x681/0x10f0
[ 64.940817][ T1951] arch_do_signal_or_restart+0x91/0x610
[ 64.946454][ T1951] syscall_exit_to_user_mode+0x64/0x1b0
[ 64.952000][ T1951] do_syscall_64+0x9a/0x170
[ 64.956612][ T1951] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.962603][ T1951]
[ 64.964954][ T1951] The buggy address belongs to the object at ffff88811427c4d0
[ 64.964954][ T1951]  which belongs to the cache sigqueue of size 80
[ 64.978643][ T1951] The buggy address is located 74 bytes inside of
[ 64.978643][ T1951]  freed 80-byte region [ffff88811427c4d0, ffff88811427c520)
[ 64.992242][ T1951]
[ 64.994930][ T1951] The buggy address belongs to the physical page:
[ 65.001378][ T1951] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88811427cd90 pfn:0x11427c
[ 65.011507][ T1951] memcg:ffff88810c733801
[ 65.015736][ T1951] flags: 0x200000000000000(node=0|zone=2)
[ 65.021493][ T1951] page_type: f5(slab)
[ 65.025465][ T1951] raw: 0200000000000000 ffff888100ac1500 dead000000000122 0000000000000000
[ 65.034025][ T1951] raw: ffff88811427cd90 000000008024001f 00000001f5000000 ffff88810c733801
[ 65.042759][ T1951] page dumped because: kasan: bad access detected
[ 65.049160][ T1951] page_owner tracks the page as allocated
[ 65.054851][ T1951] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 915, tgid 915 (syz-executor), ts 31269562139, free_ts 31251295920
[ 65.073933][ T1951] post_alloc_hook+0x10f/0x130
[ 65.078689][ T1951] get_page_from_freelist+0x3b4a/0x3d80
[ 65.084256][ T1951] __alloc_pages_noprof+0x256/0x650
[ 65.089449][ T1951] alloc_pages_mpol_noprof+0x143/0x330
[ 65.094906][ T1951] alloc_slab_page+0x6a/0x140
[ 65.099662][ T1951] allocate_slab+0x5d/0x290
[ 65.104159][ T1951] ___slab_alloc+0xa7f/0x11e0
[ 65.108842][ T1951] kmem_cache_alloc_noprof+0x279/0x410
[ 65.114375][ T1951] __send_signal_locked+0x1c0/0xa10
[ 65.119591][ T1951] do_notify_parent+0x77f/0x990
[ 65.124429][ T1951] do_exit+0x1359/0x2550
[ 65.128646][ T1951] do_group_exit+0x1ba/0x280
[ 65.133209][ T1951] __x64_sys_exit_group+0x3f/0x40
[ 65.138208][ T1951] x64_sys_call+0x26a8/0x26b0
[ 65.142866][ T1951] do_syscall_64+0x8d/0x170
[ 65.147344][ T1951] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.153224][ T1951] page last free pid 912 tgid 912 stack trace:
[ 65.159357][ T1951] free_unref_folios+0xc8f/0x1530
[ 65.164355][ T1951] folios_put_refs+0x48e/0x570
[ 65.169092][ T1951] free_pages_and_swap_cache+0x415/0x4e0
[ 65.174701][ T1951] tlb_flush_mmu+0x2ad/0x4e0
[ 65.179262][ T1951] tlb_finish_mmu+0xb6/0x1c0
[ 65.183836][ T1951] exit_mmap+0x3b8/0x900
[ 65.188059][ T1951] __mmput+0x61/0x290
[ 65.192017][ T1951] exit_mm+0x114/0x1b0
[ 65.196057][ T1951] do_exit+0x7dd/0x2550
[ 65.200182][ T1951] do_group_exit+0x1ba/0x280
[ 65.204746][ T1951] __x64_sys_exit_group+0x3f/0x40
[ 65.209741][ T1951] x64_sys_call+0x26a8/0x26b0
[ 65.214392][ T1951] do_syscall_64+0x8d/0x170
[ 65.218871][ T1951] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.224735][ T1951]
[ 65.227036][ T1951] Memory state around the buggy address:
[ 65.232728][ T1951]  ffff88811427c400: fb fb fb fb fb fb fb fb fc fc fc fc fa fb fb fb
[ 65.240792][ T1951]  ffff88811427c480: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
[ 65.248999][ T1951] >ffff88811427c500: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
[ 65.257147][ T1951]                             ^
[ 65.262060][ T1951]  ffff88811427c580: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[ 65.270377][ T1951]  ffff88811427c600: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fc fc
[ 65.278412][ T1951] ==================================================================
[ 65.286690][ T1951] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 65.294181][ T1951] Kernel Offset: disabled
[ 65.298497][ T1951] Rebooting in 86400 seconds..