Warning: Permanently added '10.128.1.47' (ED25519) to the list of known hosts.
2025/03/27 23:21:45 ignoring optional flag "sandboxArg"="0"
2025/03/27 23:21:46 parsed 1 programs
[ 71.267720][ T25] cfg80211: failed to load regulatory.db
[ 71.931779][ T3316] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/03/27 23:21:55 executed programs: 0
[ 77.933917][ T3756] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=3756 'syz.1.17'
[ 78.000831][ T3756] loop1: detected capacity change from 0 to 1024
[ 78.026623][ T3756] =======================================================
[ 78.026623][ T3756] WARNING: The mand mount option has been deprecated and
[ 78.026623][ T3756] and is ignored by this kernel. Remove the mand
[ 78.026623][ T3756] option from the mount to silence this warning.
[ 78.026623][ T3756] =======================================================
[ 78.081640][ T3756] EXT4-fs: Ignoring removed nobh option
[ 78.089241][ T3756] EXT4-fs: Ignoring removed bh option
[ 78.095234][ T3756] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 78.149754][ T3756] EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: writeback.
[ 78.221869][ T3756] EXT4-fs error (device loop1): ext4_mb_mark_diskspace_used:3783: comm syz.1.17: Allocating blocks 497-513 which overlap fs metadata
[ 78.246821][ T3756] EXT4-fs (loop1): pa ffff8880724dc9a0: logic 64, phys. 193, len 20
[ 78.254904][ T3756] EXT4-fs error (device loop1): ext4_mb_release_inode_pa:4857: group 0, free 0, pa_free 1
[ 78.316182][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 3307124818688, count = 16
[ 78.346867][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 3307124817920, count = 770
[ 78.364055][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 3307124817920, count = 16
[ 78.407012][ T3360] EXT4-fs error (device loop1): ext4_xattr_delete_inode:2977: inode #21: comm syz-executor: corrupted xattr block 145: invalid header
[ 78.427988][ T3360] EXT4-fs warning (device loop1): ext4_evict_inode:298: xattr delete (err -117)
[ 78.439317][ T3360] EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[ 78.538472][ T3804] loop1: detected capacity change from 0 to 1024
[ 78.545365][ T3804] EXT4-fs: Ignoring removed nobh option
[ 78.565162][ T3804] EXT4-fs: Ignoring removed bh option
[ 78.584713][ T3804] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 78.638990][ T3804] EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: writeback.
[ 78.683746][ T3804] EXT4-fs error (device loop1): ext4_mb_mark_diskspace_used:3783: comm syz.1.21: Allocating blocks 497-513 which overlap fs metadata
[ 78.709643][ T3804] EXT4-fs (loop1): pa ffff8880724dcee0: logic 64, phys. 193, len 20
[ 78.717683][ T3804] EXT4-fs error (device loop1): ext4_mb_release_inode_pa:4857: group 0, free 0, pa_free 1
[ 78.778415][ T3360] EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[ 78.838925][ T3827] loop1: detected capacity change from 0 to 1024
[ 78.882254][ T3827] EXT4-fs: Ignoring removed nobh option
[ 78.896614][ T3827] EXT4-fs: Ignoring removed bh option
[ 78.916640][ T3827] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 78.977978][ T3827] EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: writeback.
[ 79.029628][ T3827] EXT4-fs error (device loop1): ext4_mb_mark_diskspace_used:3783: comm syz.1.22: Allocating blocks 497-513 which overlap fs metadata
[ 79.048859][ T3827] EXT4-fs (loop1): pa ffff888019b25b60: logic 64, phys. 193, len 20
[ 79.057032][ T3827] EXT4-fs error (device loop1): ext4_mb_release_inode_pa:4857: group 0, free 0, pa_free 1
[ 79.163519][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 107146555807168, count = 16
[ 79.215400][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 107146555780194, count = 26980
[ 79.266845][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 107146555780192, count = 16
[ 79.287838][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 54298846208160, count = 16
[ 79.309959][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 54298846178617, count = 29557
[ 79.352372][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 54298846178608, count = 16
[ 79.369828][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 54078909459769, count = 14641
[ 79.389812][ T3360] EXT4-fs error (device loop1): ext4_free_blocks:6169: comm syz-executor: Freeing blocks not in datazone - block = 54078909459760, count = 16
[ 79.447296][ T3360] EXT4-fs warning (device loop1): ext4_evict_inode:298: xattr delete (err -117)
[ 79.468452][ T3360] EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[ 79.525690][ T3881] loop1: detected capacity change from 0 to 1024
[ 79.542489][ T3881] EXT4-fs: Ignoring removed nobh option
[ 79.566735][ T3881] EXT4-fs: Ignoring removed bh option
[ 79.572584][ T3881] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 79.635998][ T3881] EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: writeback.
[ 79.695661][ T3881] EXT4-fs error (device loop1): ext4_mb_mark_diskspace_used:3783: comm syz.1.23: Allocating blocks 497-513 which overlap fs metadata
[ 79.729397][ T3881] EXT4-fs (loop1): pa ffff888072742540: logic 64, phys. 193, len 20
[ 79.737562][ T3881] EXT4-fs error (device loop1): ext4_mb_release_inode_pa:4857: group 0, free 0, pa_free 1
[ 79.827315][ T3360] ==================================================================
[ 79.835582][ T3360] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x3766/0x49a0
[ 79.843579][ T3360] Read of size 4 at addr ffff888069bdec18 by task syz-executor/3360
[ 79.851547][ T3360]
[ 79.853882][ T3360] CPU: 1 PID: 3360 Comm: syz-executor Not tainted 6.3.0-rc3-syzkaller #0
[ 79.862284][ T3360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 79.872349][ T3360] Call Trace:
[ 79.875627][ T3360]
[ 79.878553][ T3360] dump_stack_lvl+0xf8/0x260
[ 79.883173][ T3360] ? __pfx_dump_stack_lvl+0x10/0x10
[ 79.888371][ T3360] ? __pfx__printk+0x10/0x10
[ 79.892962][ T3360] ? vprintk_emit+0x119/0x1f0
[ 79.897659][ T3360] ? _printk+0xce/0x120
[ 79.902075][ T3360] ? ext4_sb_block_valid+0x252/0x300
[ 79.907366][ T3360] print_report+0x167/0x540
[ 79.911905][ T3360] ? ext4_ext_remove_space+0x3766/0x49a0
[ 79.917562][ T3360] kasan_report+0x176/0x1b0
[ 79.922065][ T3360] ? ext4_ext_remove_space+0x3766/0x49a0
[ 79.927781][ T3360] ext4_ext_remove_space+0x3766/0x49a0
[ 79.933258][ T3360] ? preempt_schedule+0xe1/0xf0
[ 79.938107][ T3360] ? preempt_schedule_common+0x83/0xd0
[ 79.943569][ T3360] ? preempt_schedule+0xe1/0xf0
[ 79.948422][ T3360] ? __pfx_preempt_schedule+0x10/0x10
[ 79.953804][ T3360] ? __pfx_ext4_ext_remove_space+0x10/0x10
[ 79.959617][ T3360] ? ext4_es_remove_extent+0x1a8/0x330
[ 79.965076][ T3360] ? __pfx_ext4_es_remove_extent+0x10/0x10
[ 79.970886][ T3360] ext4_ext_truncate+0x195/0x260
[ 79.975904][ T3360] ext4_truncate+0xaba/0xed0
[ 79.980564][ T3360] ? __pfx_ext4_truncate+0x10/0x10
[ 79.985656][ T3360] ext4_evict_inode+0xc99/0x1260
[ 79.990562][ T3360] ? __pfx_ext4_evict_inode+0x10/0x10
[ 79.995992][ T3360] ? do_raw_spin_unlock+0x13b/0x8b0
[ 80.001160][ T3360] ? _raw_spin_unlock+0x28/0x50
[ 80.006085][ T3360] evict+0x264/0x650
[ 80.009951][ T3360] do_unlinkat+0x4ae/0x870
[ 80.014429][ T3360] ? __pfx_do_unlinkat+0x10/0x10
[ 80.019345][ T3360] ? strncpy_from_user+0x6d/0x1b0
[ 80.024458][ T3360] ? getname_flags+0xe2/0x430
[ 80.029126][ T3360] __x64_sys_unlink+0x44/0x50
[ 80.033837][ T3360] do_syscall_64+0x46/0xa0
[ 80.038232][ T3360] entry_SYSCALL_64_after_hwframe+0x73/0xdd
[ 80.044111][ T3360] RIP: 0033:0x7ff74a58c717
[ 80.048525][ T3360] Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 80.068128][ T3360] RSP: 002b:00007ffc26c06e18 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 80.076532][ T3360] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff74a58c717
[ 80.084683][ T3360] RDX: 00007ffc26c06e40 RSI: 00007ffc26c06ed0 RDI: 00007ffc26c06ed0
[ 80.092641][ T3360] RBP: 00007ffc26c06ed0 R08: 0000000000000000 R09: 0000000000000000
[ 80.100601][ T3360] R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffc26c07fc0
[ 80.108576][ T3360] R13: 00007ff74a60e08c R14: 0000000000013132 R15: 00007ffc26c0a180
[ 80.116539][ T3360]
[ 80.119536][ T3360]
[ 80.121829][ T3360] The buggy address belongs to the physical page:
[ 80.128221][ T3360] page:ffffea0001a6f780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x69bde
[ 80.138513][ T3360] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 80.145591][ T3360] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 80.154151][ T3360] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 80.162723][ T3360] page dumped because: kasan: bad access detected
[ 80.169386][ T3360] page_owner tracks the page as freed
[ 80.174736][ T3360] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 3316, tgid 3316 (syz-executor), ts 71953267855, free_ts 72165630876
[ 80.193460][ T3360] post_alloc_hook+0x10f/0x130
[ 80.198213][ T3360] prep_new_page+0x28/0x2a0
[ 80.202739][ T3360] get_page_from_freelist+0x31c8/0x3320
[ 80.208269][ T3360] __alloc_pages+0x255/0x650
[ 80.212921][ T3360] __folio_alloc+0x13/0x40
[ 80.217306][ T3360] vma_alloc_folio+0x48b/0x9f0
[ 80.222038][ T3360] handle_mm_fault+0x266a/0x3fd0
[ 80.226946][ T3360] exc_page_fault+0x51d/0x720
[ 80.231598][ T3360] asm_exc_page_fault+0x26/0x30
[ 80.236433][ T3360] page last free stack trace:
[ 80.241079][ T3360] free_unref_page_prepare+0xcaa/0xd00
[ 80.246507][ T3360] free_unref_page_list+0x54b/0x7f0
[ 80.251700][ T3360] release_pages+0x19c3/0x1b80
[ 80.256529][ T3360] tlb_flush_mmu+0xe9/0x1d0
[ 80.261022][ T3360] tlb_finish_mmu+0xb6/0x1c0
[ 80.265588][ T3360] unmap_region+0x230/0x280
[ 80.270099][ T3360] do_vmi_align_munmap+0x91f/0xe80
[ 80.275181][ T3360] do_vmi_munmap+0x199/0x200
[ 80.279742][ T3360] __vm_munmap+0x1ee/0x2c0
[ 80.284144][ T3360] __x64_sys_munmap+0x5b/0x70
[ 80.288786][ T3360] do_syscall_64+0x46/0xa0
[ 80.293168][ T3360] entry_SYSCALL_64_after_hwframe+0x73/0xdd
[ 80.299031][ T3360]
[ 80.301345][ T3360] Memory state around the buggy address:
[ 80.307032][ T3360] ffff888069bdeb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 80.315056][ T3360] ffff888069bdeb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 80.323096][ T3360] >ffff888069bdec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 80.331139][ T3360] ^
[ 80.335961][ T3360] ffff888069bdec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 80.344009][ T3360] ffff888069bded00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 80.352059][ T3360] ==================================================================
[ 80.364114][ T3360] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 80.371552][ T3360] Kernel Offset: disabled
[ 80.375888][ T3360] Rebooting in 86400 seconds..