Warning: Permanently added '10.128.10.55' (ED25519) to the list of known hosts.
2025/02/05 02:13:51 ignoring optional flag "sandboxArg"="0"
2025/02/05 02:13:51 ignoring optional flag "type"="gce"
2025/02/05 02:13:52 parsed 1 programs
[ 60.154568][ T1428] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/02/05 02:13:57 executed programs: 0
[ 69.658700][ T2410] loop0: detected capacity change from 0 to 512
[ 69.678934][ T2410] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[ 69.755333][ T2410] loop0: detected capacity change from 512 to 511
[ 69.767989][ T1956] EXT4-fs error (device loop0): htree_dirblock_to_tree:1112: inode #2: block 21: comm syz-executor: bad entry in directory: directory entry overrun - offset=1004, inode=0, rec_len=1000, size=1024 fake=0
[ 69.788750][ T1956] ==================================================================
[ 69.796804][ T1956] BUG: KASAN: use-after-free in ext4_inlinedir_to_tree+0x47e/0x1010
[ 69.804889][ T1956] Read of size 324 at addr ffff888125c84c05 by task syz-executor/1956
[ 69.813039][ T1956]
[ 69.815369][ T1956] CPU: 1 UID: 0 PID: 1956 Comm: syz-executor Not tainted 6.14.0-rc1-syzkaller #0
[ 69.815377][ T1956] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 69.815386][ T1956] Call Trace:
[ 69.815391][ T1956]
[ 69.815394][ T1956] dump_stack_lvl+0x108/0x280
[ 69.815408][ T1956] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.815414][ T1956] ? __pfx__printk+0x10/0x10
[ 69.815419][ T1956] ? lock_acquire+0xc2/0x3a0
[ 69.815424][ T1956] ? __pfx_lock_acquire+0x10/0x10
[ 69.815428][ T1956] ? __virt_addr_valid+0x141/0x270
[ 69.815435][ T1956] ? __virt_addr_valid+0x229/0x270
[ 69.815440][ T1956] print_report+0x169/0x550
[ 69.815448][ T1956] ? __virt_addr_valid+0x141/0x270
[ 69.815454][ T1956] ? __virt_addr_valid+0x229/0x270
[ 69.815460][ T1956] ? ext4_inlinedir_to_tree+0x47e/0x1010
[ 69.815466][ T1956] kasan_report+0x143/0x180
[ 69.815472][ T1956] ? ext4_inlinedir_to_tree+0x47e/0x1010
[ 69.815479][ T1956] kasan_check_range+0x282/0x290
[ 69.815485][ T1956] ? ext4_inlinedir_to_tree+0x47e/0x1010
[ 69.815490][ T1956] __asan_memcpy+0x29/0x70
[ 69.815496][ T1956] ext4_inlinedir_to_tree+0x47e/0x1010
[ 69.815503][ T1956] ? __pfx_ext4_inlinedir_to_tree+0x10/0x10
[ 69.815513][ T1956] ext4_htree_fill_tree+0x4db/0x1240
[ 69.815520][ T1956] ? __lock_acquire+0x61d/0xc70
[ 69.815525][ T1956] ? __pfx_register_lock_class+0x10/0x10
[ 69.815530][ T1956] ? __pfx_ext4_htree_fill_tree+0x10/0x10
[ 69.815537][ T1956] ? __lock_acquire+0x61d/0xc70
[ 69.815541][ T1956] ? inode_query_iversion+0xd3/0x170
[ 69.815551][ T1956] ext4_readdir+0x253c/0x2fb0
[ 69.815560][ T1956] ? __mutex_lock+0x65c/0x1bb0
[ 69.815571][ T1956] ? fdget_pos+0x1c6/0x280
[ 69.815576][ T1956] ? __pfx___mutex_lock+0x10/0x10
[ 69.815582][ T1956] ? __pfx_ext4_readdir+0x10/0x10
[ 69.815589][ T1956] ? __pfx_down_read_killable+0x10/0x10
[ 69.815596][ T1956] ? reacquire_held_locks+0x3a3/0x5b0
[ 69.815603][ T1956] ? __pfx_reacquire_held_locks+0x10/0x10
[ 69.815610][ T1956] iterate_dir+0x18e/0x490
[ 69.815617][ T1956] __se_sys_getdents64+0x1b3/0x400
[ 69.815623][ T1956] ? __pfx___se_sys_getdents64+0x10/0x10
[ 69.815630][ T1956] ? __up_read+0x28b/0x370
[ 69.815636][ T1956] ? __pfx_filldir64+0x10/0x10
[ 69.815643][ T1956] do_syscall_64+0x8d/0x170
[ 69.815650][ T1956] ? clear_bhb_loop+0x55/0xb0
[ 69.815657][ T1956] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.815668][ T1956] RIP: 0033:0x7f3074a2c013
[ 69.815680][ T1956] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 52 43 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
[ 69.815685][ T1956] RSP: 002b:00007fffeccdac28 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 69.815699][ T1956] RAX: ffffffffffffffda RBX: 0000555583a86520 RCX: 00007f3074a2c013
[ 69.815704][ T1956] RDX: 0000000000008000 RSI: 0000555583a86520 RDI: 0000000000000006
[ 69.815708][ T1956] RBP: 0000555583a864f4 R08: 0000000000000000 R09: 0000000000000000
[ 69.815712][ T1956] R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
[ 69.815716][ T1956] R13: 0000000000000016 R14: 0000555583a864f0 R15: 00007fffeccddfc0
[ 69.815722][ T1956]
[ 69.815725][ T1956]
[ 70.121025][ T1956] The buggy address belongs to the physical page:
[ 70.127413][ T1956] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fcba690f pfn:0x125c84
[ 70.136966][ T1956] flags: 0x200000000000000(node=0|zone=2)
[ 70.142776][ T1956] raw: 0200000000000000 dead000000000100 dead000000000122 0000000000000000
[ 70.151371][ T1956] raw: 00000007fcba690f 0000000000000000 00000000ffffffff 0000000000000000
[ 70.160129][ T1956] page dumped because: kasan: bad access detected
[ 70.166720][ T1956] page_owner tracks the page as freed
[ 70.172067][ T1956] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 1428, tgid 1428 (syz-executor), ts 60027093392, free_ts 60696133352
[ 70.190719][ T1956] post_alloc_hook+0x108/0x120
[ 70.195469][ T1956] get_page_from_freelist+0x3b4a/0x3d80
[ 70.200992][ T1956] __alloc_frozen_pages_noprof+0x256/0x650
[ 70.206780][ T1956] alloc_pages_mpol+0x14d/0x3b0
[ 70.211606][ T1956] vma_alloc_folio_noprof+0x2b9/0x430
[ 70.217034][ T1956] folio_prealloc+0x23/0xf0
[ 70.221519][ T1956] handle_mm_fault+0x183a/0x3230
[ 70.226435][ T1956] exc_page_fault+0x3fa/0x780
[ 70.231239][ T1956] asm_exc_page_fault+0x26/0x30
[ 70.236075][ T1956] page last free pid 1428 tgid 1428 stack trace:
[ 70.242400][ T1956] free_unref_folios+0xb24/0x1340
[ 70.247403][ T1956] folios_put_refs+0x409/0x510
[ 70.252143][ T1956] free_pages_and_swap_cache+0x275/0x4d0
[ 70.257756][ T1956] tlb_flush_mmu+0x2ad/0x4e0
[ 70.262318][ T1956] tlb_finish_mmu+0xb6/0x1c0
[ 70.266880][ T1956] vms_clear_ptes+0x3d2/0x4e0
[ 70.271528][ T1956] vms_complete_munmap_vmas+0x1ab/0x6e0
[ 70.277043][ T1956] do_vmi_align_munmap+0x590/0x6a0
[ 70.282121][ T1956] do_vmi_munmap+0x1b6/0x210
[ 70.286685][ T1956] __vm_munmap+0x257/0x430
[ 70.291072][ T1956] __x64_sys_munmap+0x5b/0x70
[ 70.295719][ T1956] do_syscall_64+0x8d/0x170
[ 70.300193][ T1956] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.306068][ T1956]
[ 70.308368][ T1956] Memory state around the buggy address:
[ 70.314004][ T1956] ffff888125c84b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.322124][ T1956] ffff888125c84b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.330255][ T1956] >ffff888125c84c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.338287][ T1956] ^
[ 70.342323][ T1956] ffff888125c84c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.350559][ T1956] ffff888125c84d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.358586][ T1956] ==================================================================
[ 70.366948][ T1956] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.374394][ T1956] Kernel Offset: disabled
[ 70.378706][ T1956] Rebooting in 86400 seconds..