Warning: Permanently added '10.128.10.2' (ED25519) to the list of known hosts.
2024/03/14 20:03:15 ignoring optional flag "sandboxArg"="0"
2024/03/14 20:03:15 parsed 1 programs
2024/03/14 20:03:15 executed programs: 0
[ 52.385137][ T1046] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 57.714302][ T1506] loop0: detected capacity change from 0 to 512
[ 57.721705][ T1506] EXT4-fs: Ignoring removed bh option
[ 57.728435][ T1506] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 57.739380][ T1506] EXT4-fs (loop0): 1 truncate cleaned up
[ 57.745282][ T1506] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
2024/03/14 20:03:20 executed programs: 1
[ 57.759369][ T1506] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=4061898738, rec_len=7079, size=56 fake=0
[ 57.790891][ T1052] EXT4-fs (loop0): unmounting filesystem.
[ 57.811599][ T1511] loop0: detected capacity change from 0 to 512
[ 57.818839][ T1511] EXT4-fs: Ignoring removed bh option
[ 57.824867][ T1511] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 57.835660][ T1511] EXT4-fs (loop0): 1 truncate cleaned up
[ 57.841317][ T1511] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 57.861110][ T1511] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=4061898738, rec_len=7079, size=56 fake=0
[ 57.890860][ T1052] EXT4-fs (loop0): unmounting filesystem.
[ 57.914416][ T1514] loop0: detected capacity change from 0 to 512
[ 57.921825][ T1514] EXT4-fs: Ignoring removed bh option
[ 57.928234][ T1514] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 57.938482][ T1514] EXT4-fs (loop0): 1 truncate cleaned up
[ 57.944201][ T1514] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 57.957952][ T1514] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 7: comm syz-executor.0: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=4061898738, rec_len=7079, size=56 fake=0
[ 57.988002][ T1052] EXT4-fs (loop0): unmounting filesystem.
[ 58.009752][ T1517] loop0: detected capacity change from 0 to 512
[ 58.017578][ T1517] EXT4-fs: Ignoring removed bh option
[ 58.023660][ T1517] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 58.034955][ T1517] EXT4-fs (loop0): 1 truncate cleaned up
[ 58.040699][ T1517] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 58.054491][ T1517] ==================================================================
[ 58.062773][ T1517] BUG: KASAN: use-after-free in ext4_search_dir+0x148/0x250
[ 58.070385][ T1517] Read of size 1 at addr ffff88812537e3ed by task syz-executor.0/1517
[ 58.078512][ T1517]
[ 58.081732][ T1517] CPU: 1 PID: 1517 Comm: syz-executor.0 Not tainted 6.1.81-syzkaller #0
[ 58.091074][ T1517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 58.101119][ T1517] Call Trace:
[ 58.104386][ T1517]
[ 58.107380][ T1517] dump_stack_lvl+0xf4/0x251
[ 58.112122][ T1517] ? nf_tcp_handle_invalid+0x2f3/0x2f3
[ 58.117580][ T1517] ? panic+0x3f7/0x3f7
[ 58.121719][ T1517] ? _printk+0xca/0x10a
[ 58.125966][ T1517] ? __virt_addr_valid+0x139/0x260
[ 58.131077][ T1517] ? __virt_addr_valid+0x211/0x260
[ 58.136349][ T1517] print_report+0x15f/0x4f0
[ 58.140834][ T1517] ? __virt_addr_valid+0x139/0x260
[ 58.146190][ T1517] ? __virt_addr_valid+0x211/0x260
[ 58.151286][ T1517] ? ext4_search_dir+0x148/0x250
[ 58.156211][ T1517] kasan_report+0x136/0x160
[ 58.160787][ T1517] ? ext4_search_dir+0x148/0x250
[ 58.165966][ T1517] ext4_search_dir+0x148/0x250
[ 58.171236][ T1517] ext4_find_inline_entry+0x367/0x540
[ 58.176581][ T1517] ? ext4_try_create_inline_dir+0x320/0x320
[ 58.182821][ T1517] ? tomoyo_path_number_perm+0x54d/0x6a0
[ 58.188421][ T1517] ? tomoyo_path_number_perm+0x1c3/0x6a0
[ 58.194090][ T1517] __ext4_find_entry+0x2dc/0x1a10
[ 58.199087][ T1517] ? d_alloc_parallel+0x318/0x1130
[ 58.204170][ T1517] ? dx_node_limit+0x150/0x150
[ 58.208922][ T1517] ? d_alloc_parallel+0x318/0x1130
[ 58.213998][ T1517] ext4_lookup+0x1ab/0x5f0
[ 58.218398][ T1517] ? ext4_add_entry+0x2e80/0x2e80
[ 58.223390][ T1517] ? inode_permission+0x56/0x320
[ 58.228303][ T1517] ? ext4_add_entry+0x2e80/0x2e80
[ 58.233302][ T1517] path_openat+0xdb6/0x2410
[ 58.237778][ T1517] ? do_filp_open+0x430/0x430
[ 58.242446][ T1517] do_filp_open+0x226/0x430
[ 58.246935][ T1517] ? vfs_tmpfile+0x3e0/0x3e0
[ 58.251552][ T1517] ? _raw_spin_unlock+0x24/0x40
[ 58.256407][ T1517] ? alloc_fd+0x3dc/0x470
[ 58.260806][ T1517] do_sys_openat2+0x10b/0x420
[ 58.265467][ T1517] ? rcu_is_watching+0x1b/0x90
[ 58.270206][ T1517] ? do_sys_open+0x1c0/0x1c0
[ 58.274849][ T1517] ? __rseq_handle_notify_resume+0x827/0xdf0
[ 58.280800][ T1517] ? xfd_validate_state+0x12/0x50
[ 58.285816][ T1517] __x64_sys_open+0x1eb/0x240
[ 58.290460][ T1517] ? do_sys_openat2+0x420/0x420
[ 58.295288][ T1517] ? switch_fpu_return+0xc9/0x130
[ 58.300300][ T1517] do_syscall_64+0x3d/0x80
[ 58.304793][ T1517] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.311207][ T1517] RIP: 0033:0x7f8afa650b29
[ 58.315604][ T1517] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 58.335203][ T1517] RSP: 002b:00007f8afa1d30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 58.343940][ T1517] RAX: ffffffffffffffda RBX: 00007f8afa76ff80 RCX: 00007f8afa650b29
[ 58.351970][ T1517] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000100
[ 58.360097][ T1517] RBP: 00007f8afa69c47a R08: 0000000000000000 R09: 0000000000000000
[ 58.368212][ T1517] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 58.376326][ T1517] R13: 0000000000000006 R14: 00007f8afa76ff80 R15: 00007ffd4fafd168
[ 58.384281][ T1517]
[ 58.387278][ T1517]
[ 58.389581][ T1517] The buggy address belongs to the physical page:
[ 58.395961][ T1517] page:ffffea000494df80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12537e
[ 58.406189][ T1517] flags: 0x200000000000000(node=0|zone=2)
[ 58.411878][ T1517] raw: 0200000000000000 dead000000000100 dead000000000122 0000000000000000
[ 58.420430][ T1517] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 58.428981][ T1517] page dumped because: kasan: bad access detected
[ 58.435647][ T1517] page_owner tracks the page as freed
[ 58.441077][ T1517] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 1514, tgid 1513 (syz-executor.0), ts 57910582714, free_ts 57914089108
[ 58.460285][ T1517] post_alloc_hook+0x286/0x2b0
[ 58.465148][ T1517] get_page_from_freelist+0x2ba7/0x2de0
[ 58.470683][ T1517] __alloc_pages+0x251/0x640
[ 58.475279][ T1517] vma_alloc_folio+0x689/0x870
[ 58.480064][ T1517] wp_page_copy+0x1c1/0x1610
[ 58.484629][ T1517] handle_mm_fault+0x91a/0x2bf0
[ 58.489536][ T1517] exc_page_fault+0x22a/0x5e0
[ 58.494290][ T1517] asm_exc_page_fault+0x22/0x30
[ 58.499125][ T1517] page last free stack trace:
[ 58.503867][ T1517] free_unref_page_prepare+0xca9/0xd80
[ 58.509410][ T1517] free_unref_page_list+0xaa/0x690
[ 58.514494][ T1517] release_pages+0x1763/0x1900
[ 58.519249][ T1517] tlb_flush_mmu+0x26f/0x3d0
[ 58.523980][ T1517] tlb_finish_mmu+0xb0/0x1b0
[ 58.528580][ T1517] unmap_region+0x265/0x2b0
[ 58.533072][ T1517] do_mas_align_munmap+0xa6c/0x11e0
[ 58.538537][ T1517] do_mas_munmap+0x195/0x1f0
[ 58.543101][ T1517] __vm_munmap+0x236/0x300
[ 58.547506][ T1517] __x64_sys_munmap+0x57/0x60
[ 58.552158][ T1517] do_syscall_64+0x3d/0x80
[ 58.556541][ T1517] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.562400][ T1517]
[ 58.564695][ T1517] Memory state around the buggy address:
[ 58.570378][ T1517]  ffff88812537e280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.578419][ T1517]  ffff88812537e300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.586446][ T1517] >ffff88812537e380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.594500][ T1517]                                                           ^
[ 58.601919][ T1517]  ffff88812537e400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.609991][ T1517]  ffff88812537e480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.618202][ T1517] ==================================================================
[ 58.626718][ T1517] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 58.634237][ T1517] Kernel Offset: disabled
[ 58.638628][ T1517] Rebooting in 86400 seconds..