Warning: Permanently added '10.128.1.183' (ED25519) to the list of known hosts.
2025/02/14 10:41:18 ignoring optional flag "sandboxArg"="0"
2025/02/14 10:41:18 parsed 1 programs
[ 56.140448][ T2024] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/02/14 10:41:22 executed programs: 0
[ 62.372275][ T2938] loop0: detected capacity change from 0 to 32768
[ 62.459019][ T2938] ==================================================================
[ 62.467106][ T2938] BUG: KASAN: use-after-free in __ocfs2_find_path+0x482/0x510
[ 62.474576][ T2938] Read of size 4 at addr ffff88806bec6000 by task syz.0.15/2938
[ 62.482200][ T2938]
[ 62.484512][ T2938] CPU: 1 PID: 2938 Comm: syz.0.15 Not tainted 5.15.178-syzkaller #0
[ 62.492458][ T2938] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 62.502496][ T2938] Call Trace:
[ 62.505754][ T2938]
[ 62.508660][ T2938] dump_stack_lvl+0x41/0x5e
[ 62.513159][ T2938] print_address_description.constprop.0.cold+0x6c/0x309
[ 62.520157][ T2938] ? __ocfs2_find_path+0x482/0x510
[ 62.525248][ T2938] ? __ocfs2_find_path+0x482/0x510
[ 62.530331][ T2938] kasan_report.cold+0x83/0xdf
[ 62.535066][ T2938] ? __ocfs2_find_path+0x482/0x510
[ 62.540167][ T2938] __ocfs2_find_path+0x482/0x510
[ 62.545075][ T2938] ? find_path_ins+0x130/0x130
[ 62.549808][ T2938] ? ocfs2_extend_rotate_transaction.isra.0+0x180/0x180
[ 62.556714][ T2938] ? wait_for_completion+0x220/0x220
[ 62.561974][ T2938] ? ocfs2_set_buffer_uptodate.part.0+0x696/0xd80
[ 62.568359][ T2938] ocfs2_find_leaf+0x83/0x160
[ 62.573025][ T2938] ? submit_bh_wbc.constprop.0+0x424/0x5b0
[ 62.578978][ T2938] ? ocfs2_find_path+0xe0/0xe0
[ 62.583711][ T2938] ? ocfs2_read_blocks+0x984/0xe00
[ 62.588793][ T2938] ocfs2_get_clusters_nocache+0x163/0xd30
[ 62.594484][ T2938] ? ocfs2_read_blocks_sync+0x850/0x850
[ 62.600004][ T2938] ? ocfs2_figure_hole_clusters+0x560/0x560
[ 62.605894][ T2938] ? ocfs2_read_inode_block+0xbd/0x150
[ 62.611346][ T2938] ? ocfs2_read_inode_block_full+0x160/0x160
[ 62.617302][ T2938] ocfs2_get_clusters+0x248/0xb60
[ 62.622325][ T2938] ? ocfs2_xattr_get_clusters+0x970/0x970
[ 62.628022][ T2938] ? __lock_acquire.constprop.0+0x478/0xb30
[ 62.633890][ T2938] ocfs2_extent_map_get_blocks+0x14e/0x5a0
[ 62.639671][ T2938] ? ocfs2_get_clusters+0xb60/0xb60
[ 62.644839][ T2938] ? rwsem_down_read_slowpath+0x980/0x980
[ 62.650530][ T2938] ? put_dec+0x90/0x90
[ 62.654573][ T2938] ocfs2_read_virt_blocks+0x1ca/0x650
[ 62.659918][ T2938] ? __ocfs2_delete_entry+0x640/0x640
[ 62.665261][ T2938] ? ocfs2_seek_data_hole_offset+0x6c0/0x6c0
[ 62.671214][ T2938] ? kasan_unpoison+0x40/0x60
[ 62.675901][ T2938] ? find_held_lock+0x2d/0x110
[ 62.680685][ T2938] ocfs2_read_dir_block+0xa7/0x440
[ 62.685829][ T2938] ? lock_downgrade+0x4f0/0x4f0
[ 62.690681][ T2938] ? ocfs2_read_dir_block_direct+0x3f0/0x3f0
[ 62.696643][ T2938] ? register_lock_class+0x4d5/0x1580
[ 62.701994][ T2938] ocfs2_find_entry+0x80c/0x1230
[ 62.706920][ T2938] ? ocfs2_free_dir_lookup_result+0xd0/0xd0
[ 62.712793][ T2938] ? vsnprintf+0x192/0x1560
[ 62.717354][ T2938] ? pointer+0x700/0x700
[ 62.721569][ T2938] ocfs2_find_files_on_disk+0x65/0x270
[ 62.727107][ T2938] ocfs2_lookup_ino_from_name+0x87/0xd0
[ 62.732649][ T2938] ? ocfs2_find_files_on_disk+0x270/0x270
[ 62.738362][ T2938] ocfs2_get_system_file_inode+0x1d3/0x5e0
[ 62.744161][ T2938] ? do_raw_spin_unlock+0x171/0x230
[ 62.749354][ T2938] ? ocfs2_fast_symlink_readpage+0x370/0x370
[ 62.755307][ T2938] ? ocfs2_iget+0x618/0x7e0
[ 62.759803][ T2938] ? ocfs2_read_locked_inode+0xca0/0xca0
[ 62.765491][ T2938] ? __kasan_kmalloc+0x7c/0x90
[ 62.770225][ T2938] ? ocfs2_put_dlm_debug+0x40/0x40
[ 62.775307][ T2938] ? memcpy+0x39/0x60
[ 62.779261][ T2938] ocfs2_initialize_super.isra.0+0x1f15/0x3420
[ 62.785385][ T2938] ? ocfs2_remount+0xad0/0xad0
[ 62.790136][ T2938] ? lockdep_init_map_type+0x2c1/0x5e0
[ 62.795567][ T2938] ? lock_downgrade+0x4f0/0x4f0
[ 62.800415][ T2938] ? ocfs2_fill_super+0x6c0/0x2d60
[ 62.805501][ T2938] ocfs2_fill_super+0x6c0/0x2d60
[ 62.810438][ T2938] ? ocfs2_initialize_super.isra.0+0x3420/0x3420
[ 62.816737][ T2938] ? pointer+0x700/0x700
[ 62.820974][ T2938] ? up_write+0x138/0x200
[ 62.825361][ T2938] ? sget+0x390/0x470
[ 62.829316][ T2938] mount_bdev+0x2c3/0x3a0
[ 62.833720][ T2938] ? ocfs2_initialize_super.isra.0+0x3420/0x3420
[ 62.840021][ T2938] ? trace_raw_output_ocfs2_buffer_cached_end+0xe0/0xe0
[ 62.846934][ T2938] legacy_get_tree+0xfa/0x1f0
[ 62.851586][ T2938] ? security_capable+0x4c/0x90
[ 62.856408][ T2938] vfs_get_tree+0x83/0x1b0
[ 62.860797][ T2938] path_mount+0x44f/0x1a60
[ 62.865187][ T2938] ? finish_automount+0x7d0/0x7d0
[ 62.870182][ T2938] ? kasan_set_free_info+0x20/0x30
[ 62.875274][ T2938] ? user_path_at_empty+0x40/0x50
[ 62.880270][ T2938] ? kmem_cache_free+0x7e/0x470
[ 62.885090][ T2938] __x64_sys_mount+0x1f5/0x260
[ 62.889824][ T2938] ? copy_mnt_ns+0xd20/0xd20
[ 62.894385][ T2938] ? vtime_user_exit+0xde/0x180
[ 62.899205][ T2938] do_syscall_64+0x33/0x80
[ 62.903594][ T2938] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 62.909465][ T2938] RIP: 0033:0x7f32cb7c779a
[ 62.913852][ T2938] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 62.933527][ T2938] RSP: 002b:00007f32cb246e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 62.941912][ T2938] RAX: ffffffffffffffda RBX: 00007f32cb246ef0 RCX: 00007f32cb7c779a
[ 62.949856][ T2938] RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007f32cb246eb0
[ 62.957888][ T2938] RBP: 0000000020004440 R08: 00007f32cb246ef0 R09: 0000000001000000
[ 62.965919][ T2938] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000020000780
[ 62.973968][ T2938] R13: 00007f32cb246eb0 R14: 000000000000444a R15: 00000000200005c0
[ 62.981915][ T2938]
[ 62.984912][ T2938]
[ 62.987214][ T2938] The buggy address belongs to the page:
[ 62.992823][ T2938] page:ffffea0001afb180 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6bec6
[ 63.002960][ T2938] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 63.010148][ T2938] raw: 00fff00000000000 ffffea0001a0f248 ffffea0001afb308 0000000000000000
[ 63.018703][ T2938] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 63.027264][ T2938] page dumped because: kasan: bad access detected
[ 63.033660][ T2938] page_owner tracks the page as freed
[ 63.039010][ T2938] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 2646, ts 60514614212, free_ts 60516146396
[ 63.054703][ T2938] get_page_from_freelist+0x1369/0x31f0
[ 63.060240][ T2938] __alloc_pages+0x1b2/0x440
[ 63.064798][ T2938] alloc_pages_vma+0xe0/0x650
[ 63.069443][ T2938] __handle_mm_fault+0x1d97/0x33a0
[ 63.074524][ T2938] handle_mm_fault+0x1c5/0x5b0
[ 63.079258][ T2938] do_user_addr_fault+0x298/0xc80
[ 63.084251][ T2938] exc_page_fault+0x5a/0xb0
[ 63.088723][ T2938] asm_exc_page_fault+0x22/0x30
[ 63.093653][ T2938] page last free stack trace:
[ 63.098306][ T2938] free_pcp_prepare+0x379/0x850
[ 63.103135][ T2938] free_unref_page_list+0x16f/0xbd0
[ 63.108304][ T2938] release_pages+0xb3a/0x1480
[ 63.112956][ T2938] tlb_finish_mmu+0x127/0x790
[ 63.117605][ T2938] exit_mmap+0x1b7/0x5d0
[ 63.121840][ T2938] mmput+0xd6/0x400
[ 63.125623][ T2938] do_exit+0x884/0x2200
[ 63.129746][ T2938] do_group_exit+0xe7/0x290
[ 63.134217][ T2938] __x64_sys_exit_group+0x35/0x40
[ 63.139210][ T2938] do_syscall_64+0x33/0x80
[ 63.143595][ T2938] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 63.149457][ T2938]
[ 63.151754][ T2938] Memory state around the buggy address:
[ 63.157369][ T2938] ffff88806bec5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.165399][ T2938] ffff88806bec5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.173428][ T2938] >ffff88806bec6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.181475][ T2938] ^
[ 63.185515][ T2938] ffff88806bec6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.193560][ T2938] ffff88806bec6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.201678][ T2938] ==================================================================
[ 63.209804][ T2938] Disabling lock debugging due to kernel taint
[ 63.216698][ T2938] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 63.224168][ T2938] Kernel Offset: disabled
[ 63.228480][ T2938] Rebooting in 86400 seconds..