syzkaller login: [    7.196189][  T373] udevd (373) used greatest stack depth: 25568 bytes left
[   32.532035][  T449] sshd (449) used greatest stack depth: 25288 bytes left
[   42.527005][  T465] cgroup: Unknown subsys name 'net'
[   42.532341][  T465] cgroup: Unknown subsys name 'net_prio'
[   42.538152][  T465] cgroup: Unknown subsys name 'devices'
[   42.543831][  T465] cgroup: Unknown subsys name 'blkio'
[   42.633462][  T465] cgroup: Unknown subsys name 'hugetlb'
[   42.639223][  T465] cgroup: Unknown subsys name 'rlimit'
[   42.783302][  T465] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[   45.045992][  T473] syz-executor.0 (473) used greatest stack depth: 23944 bytes left
Warning: Permanently added '10.128.0.54' (ED25519) to the list of known hosts.
2024/08/06 06:43:36 ignoring optional flag "sandboxArg"="0"
2024/08/06 06:43:36 parsed 1 programs
2024/08/06 06:43:36 executed programs: 0
[   78.495655][  T945] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[   80.751312][ T1405] loop0: detected capacity change from 0 to 512
[   80.759629][ T1405] EXT4-fs (loop0): Ignoring removed bh option
[   80.765916][ T1405] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[   80.776168][ T1405] EXT4-fs (loop0): 1 truncate cleaned up
[   80.781881][ T1405] EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,resgid=0x000000000000ee00,bh,noload,data_err=ignore,usrjquota=,,errors=continue. Quota mode: none.
[   80.802677][ T1405] ==================================================================
[   80.810745][ T1405] BUG: KASAN: use-after-free in ext4_search_dir+0x1df/0x260
[   80.818107][ T1405] Read of size 1 at addr ffff88810ef923ed by task syz-executor.0/1405
[   80.826272][ T1405]
[   80.828761][ T1405] CPU: 1 PID: 1405 Comm: syz-executor.0 Not tainted 5.15.164-syzkaller #0
[   80.837498][ T1405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[   80.848883][ T1405] Call Trace:
[   80.852369][ T1405]
[   80.855281][ T1405]  dump_stack_lvl+0x41/0x5e
[   80.859876][ T1405]  print_address_description.constprop.0.cold+0x6c/0x309
[   80.866944][ T1405]  ? ext4_search_dir+0x1df/0x260
[   80.871951][ T1405]  ? ext4_search_dir+0x1df/0x260
[   80.877062][ T1405]  kasan_report.cold+0x83/0xdf
[   80.882072][ T1405]  ? ext4_search_dir+0x1df/0x260
[   80.887203][ T1405]  ext4_search_dir+0x1df/0x260
[   80.891960][ T1405]  ext4_find_inline_entry+0x355/0x440
[   80.897328][ T1405]  ? tomoyo_path_number_perm+0x1d8/0x420
[   80.902956][ T1405]  ? ext4_try_create_inline_dir+0x290/0x290
[   80.908833][ T1405]  ? lock_downgrade+0x4f0/0x4f0
[   80.913660][ T1405]  __ext4_find_entry+0x84a/0xce0
[   80.918755][ T1405]  ? find_held_lock+0x2d/0x110
[   80.923497][ T1405]  ? ext4_dx_find_entry+0x570/0x570
[   80.928849][ T1405]  ? d_alloc_parallel+0x638/0x1010
[   80.933940][ T1405]  ext4_lookup+0x156/0x570
[   80.938503][ T1405]  ? userns_owner+0x30/0x30
[   80.943248][ T1405]  ? ext4_resetent+0x280/0x280
[   80.947979][ T1405]  ? apparmor_capget+0x6b0/0x6b0
[   80.952893][ T1405]  ? tomoyo_path_mknod+0xb5/0x130
[   80.957888][ T1405]  ? from_kgid+0x7f/0xc0
[   80.962137][ T1405]  ? ext4_resetent+0x280/0x280
[   80.966875][ T1405]  lookup_open.isra.0+0x808/0x1680
[   80.972047][ T1405]  ? vfs_tmpfile+0x2d0/0x2d0
[   80.976701][ T1405]  path_openat+0x7e3/0x2360
[   80.981182][ T1405]  ? __kasan_slab_free_mempool+0x181/0x200
[   80.986962][ T1405]  ? do_syscall_64+0x33/0x80
[   80.991659][ T1405]  ? entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   80.997694][ T1405]  ? path_lookupat+0x6b0/0x6b0
[   81.002429][ T1405]  ? futex_wait_restart+0x210/0x210
[   81.007608][ T1405]  ? stack_trace_save+0x8c/0xc0
[   81.012445][ T1405]  ? find_held_lock+0x2d/0x110
[   81.017273][ T1405]  do_filp_open+0x199/0x3d0
[   81.021921][ T1405]  ? may_open_dev+0xd0/0xd0
[   81.026572][ T1405]  ? do_raw_spin_lock+0x120/0x2b0
[   81.031571][ T1405]  ? rwlock_bug.part.0+0x90/0x90
[   81.036662][ T1405]  ? lock_acquire+0x11a/0x230
[   81.041390][ T1405]  ? _raw_spin_unlock+0x1a/0x20
[   81.046234][ T1405]  ? alloc_fd+0x17c/0x4e0
[   81.050720][ T1405]  ? getname_flags.part.0+0x89/0x440
[   81.055979][ T1405]  do_sys_openat2+0x11e/0x400
[   81.060629][ T1405]  ? build_open_flags+0x490/0x490
[   81.065793][ T1405]  ? lock_downgrade+0x4f0/0x4f0
[   81.070699][ T1405]  __x64_sys_open+0xfd/0x1a0
[   81.075305][ T1405]  ? do_sys_open+0xe0/0xe0
[   81.079688][ T1405]  ? vtime_user_exit+0xde/0x180
[   81.084519][ T1405]  ? trace_user_exit.constprop.0+0x25/0xb0
[   81.090515][ T1405]  do_syscall_64+0x33/0x80
[   81.094995][ T1405]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   81.100892][ T1405] RIP: 0033:0x7f59c6068b29
[   81.105283][ T1405] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   81.125043][ T1405] RSP: 002b:00007f59c5beb0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[   81.133429][ T1405] RAX: ffffffffffffffda RBX: 00007f59c6187f80 RCX: 00007f59c6068b29
[   81.141413][ T1405] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000100
[   81.149641][ T1405] RBP: 00007f59c60b447a R08: 0000000000000000 R09: 0000000000000000
[   81.157675][ T1405] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   81.165797][ T1405] R13: 0000000000000006 R14: 00007f59c6187f80 R15: 00007ffe29b18498
[   81.173833][ T1405]
[   81.176856][ T1405]
[   81.179162][ T1405] The buggy address belongs to the page:
[   81.184919][ T1405] page:ffffea00043be480 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ef92
[   81.195387][ T1405] flags: 0x200000000000000(node=0|zone=2)
[   81.201195][ T1405] raw: 0200000000000000 ffffea00047e99c8 ffffea00047eab48 0000000000000000
[   81.209785][ T1405] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   81.218436][ T1405] page dumped because: kasan: bad access detected
[   81.224940][ T1405] page_owner tracks the page as freed
[   81.230280][ T1405] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 929, ts 58145406560, free_ts 58145495533
[   81.245530][ T1405]  get_page_from_freelist+0x166f/0x2910
[   81.251055][ T1405]  __alloc_pages+0x2b3/0x590
[   81.255620][ T1405]  pipe_write+0x9b7/0x18f0
[   81.260016][ T1405]  new_sync_write+0x4ad/0x5f0
[   81.264666][ T1405]  vfs_write+0x541/0x7b0
[   81.268890][ T1405]  ksys_write+0x171/0x1d0
[   81.273595][ T1405]  do_syscall_64+0x33/0x80
[   81.278081][ T1405]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   81.284082][ T1405] page last free stack trace:
[   81.288901][ T1405]  free_pcp_prepare+0x34e/0x730
[   81.293724][ T1405]  free_unref_page+0x19/0x3b0
[   81.298373][ T1405]  pipe_read+0x552/0xd50
[   81.302580][ T1405]  new_sync_read+0x4a2/0x5f0
[   81.307135][ T1405]  vfs_read+0x209/0x470
[   81.311340][ T1405]  ksys_read+0x171/0x1d0
[   81.315550][ T1405]  do_syscall_64+0x33/0x80
[   81.319934][ T1405]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   81.325798][ T1405]
[   81.328101][ T1405] Memory state around the buggy address:
[   81.333706][ T1405]  ffff88810ef92280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   81.341831][ T1405]  ffff88810ef92300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   81.349944][ T1405] >ffff88810ef92380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   81.357986][ T1405]                                                           ^
[   81.365585][ T1405]  ffff88810ef92400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   81.373615][ T1405]  ffff88810ef92480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   81.381653][ T1405] ==================================================================
[   81.389693][ T1405] Disabling lock debugging due to kernel taint
[   81.395895][ T1405] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   81.403402][ T1405] Kernel Offset: disabled
[   81.408008][ T1405] Rebooting in 86400 seconds..