Warning: Permanently added '10.128.0.197' (ED25519) to the list of known hosts.
2023/10/08 15:30:31 ignoring optional flag "sandboxArg"="0"
2023/10/08 15:30:31 parsed 1 programs
2023/10/08 15:30:31 executed programs: 0
[ 58.122724][ T1503] loop0: detected capacity change from 0 to 2048
[ 58.141021][ T1503] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
2023/10/08 15:30:38 executed programs: 1
[ 58.162841][ T1503] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2213: inode #18: comm syz-executor.0: corrupted in-inode xattr
[ 58.181704][ T1049] EXT4-fs (loop0): unmounting filesystem.
[ 58.216996][ T1509] loop0: detected capacity change from 0 to 2048
[ 58.240699][ T1509] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 58.256934][ T1509] ==================================================================
[ 58.265204][ T1509] BUG: KASAN: use-after-free in ext4_convert_inline_data_nolock+0x282/0xc10
[ 58.273870][ T1509] Read of size 20 at addr ffff88811abba1a3 by task syz-executor.0/1509
[ 58.282173][ T1509]
[ 58.284503][ T1509] CPU: 0 PID: 1509 Comm: syz-executor.0 Not tainted 6.1.56-syzkaller #0
[ 58.293076][ T1509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 58.303111][ T1509] Call Trace:
[ 58.306550][ T1509]
[ 58.309476][ T1509]  dump_stack_lvl+0xf4/0x251
[ 58.314061][ T1509]  ? ext4_convert_inline_data+0x3b8/0x4d0
[ 58.319773][ T1509]  ? nf_tcp_handle_invalid+0x2f3/0x2f3
[ 58.325219][ T1509]  ? panic+0x3f7/0x3f7
[ 58.329269][ T1509]  ? _printk+0xca/0x10a
[ 58.333404][ T1509]  print_report+0x15f/0x4f0
[ 58.337885][ T1509]  ? ext4_convert_inline_data_nolock+0x282/0xc10
[ 58.344192][ T1509]  kasan_report+0x136/0x160
[ 58.348768][ T1509]  ? ext4_convert_inline_data_nolock+0x282/0xc10
[ 58.355078][ T1509]  kasan_check_range+0x27f/0x290
[ 58.360005][ T1509]  ? ext4_convert_inline_data_nolock+0x282/0xc10
[ 58.366306][ T1509]  memcpy+0x25/0x60
[ 58.370121][ T1509]  ext4_convert_inline_data_nolock+0x282/0xc10
[ 58.376275][ T1509]  ? __down_write_common+0x12a/0x1e0
[ 58.381547][ T1509]  ? ext4_add_dirent_to_inline+0x390/0x390
[ 58.387357][ T1509]  ? __ext4_journal_start_sb+0xa4/0x360
[ 58.392998][ T1509]  ext4_convert_inline_data+0x3b8/0x4d0
[ 58.398719][ T1509]  ? ext4_inline_data_truncate+0xb70/0xb70
[ 58.404591][ T1509]  ext4_fallocate+0x136/0x1790
[ 58.409696][ T1509]  ? read_lock_is_recursive+0x10/0x10
[ 58.415158][ T1509]  ? ext4_ext_truncate+0x260/0x260
[ 58.420432][ T1509]  ? preempt_count_add+0x8f/0x120
[ 58.425471][ T1509]  vfs_fallocate+0x30c/0x3d0
[ 58.430056][ T1509]  __x64_sys_fallocate+0xa6/0xd0
[ 58.435077][ T1509]  do_syscall_64+0x3d/0x80
[ 58.439490][ T1509]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.445397][ T1509] RIP: 0033:0x7fae31d77959
[ 58.449823][ T1509] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 58.469419][ T1509] RSP: 002b:00007fae318fa0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
[ 58.477824][ T1509] RAX: ffffffffffffffda RBX: 00007fae31e96f80 RCX: 00007fae31d77959
[ 58.486396][ T1509] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 58.494353][ T1509] RBP: 00007fae31dd3c88 R08: 0000000000000000 R09: 0000000000000000
[ 58.502309][ T1509] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000
[ 58.510268][ T1509] R13: 0000000000000006 R14: 00007fae31e96f80 R15: 00007ffce0cda498
[ 58.518264][ T1509]
[ 58.521270][ T1509]
[ 58.523587][ T1509] Allocated by task 1440:
[ 58.527899][ T1509]  kasan_set_track+0x4b/0x70
[ 58.532562][ T1509]  __kasan_kmalloc+0x97/0xb0
[ 58.537136][ T1509]  __kmalloc_node+0xa9/0x1c0
[ 58.541711][ T1509]  kvmalloc_node+0x3e/0xe0
[ 58.546110][ T1509]  seq_read_iter+0x1ac/0xbd0
[ 58.550706][ T1509]  proc_reg_read_iter+0x104/0x1e0
[ 58.555711][ T1509]  vfs_read+0x780/0x9a0
[ 58.559858][ T1509]  ksys_read+0x15f/0x240
[ 58.564075][ T1509]  do_syscall_64+0x3d/0x80
[ 58.568468][ T1509]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.574357][ T1509]
[ 58.576682][ T1509] Freed by task 1440:
[ 58.580641][ T1509]  kasan_set_track+0x4b/0x70
[ 58.585202][ T1509]  kasan_save_free_info+0x27/0x40
[ 58.590201][ T1509]  ____kasan_slab_free+0x122/0x1e0
[ 58.595285][ T1509]  __kmem_cache_free+0x2b4/0x470
[ 58.600197][ T1509]  single_release+0x71/0x90
[ 58.604684][ T1509]  close_pdeo+0x1c5/0x370
[ 58.609005][ T1509]  proc_reg_release+0x117/0x150
[ 58.613943][ T1509]  __fput+0x326/0x700
[ 58.618107][ T1509]  task_work_run+0x206/0x280
[ 58.622677][ T1509]  exit_to_user_mode_loop+0xa9/0xc0
[ 58.627852][ T1509]  exit_to_user_mode_prepare+0x64/0xb0
[ 58.633301][ T1509]  syscall_exit_to_user_mode+0x27/0x1c0
[ 58.638820][ T1509]  do_syscall_64+0x49/0x80
[ 58.643211][ T1509]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.649089][ T1509]
[ 58.651392][ T1509] The buggy address belongs to the object at ffff88811abba000
[ 58.651392][ T1509]  which belongs to the cache kmalloc-cg-4k of size 4096
[ 58.665681][ T1509] The buggy address is located 419 bytes inside of
[ 58.665681][ T1509]  4096-byte region [ffff88811abba000, ffff88811abbb000)
[ 58.679187][ T1509]
[ 58.681502][ T1509] The buggy address belongs to the physical page:
[ 58.687885][ T1509] page:ffffea00046aee00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11abb8
[ 58.698223][ T1509] head:ffffea00046aee00 order:3 compound_mapcount:0 compound_pincount:0
[ 58.706623][ T1509] flags: 0x200000000010200(slab|head|node=0|zone=2)
[ 58.713199][ T1509] raw: 0200000000010200 ffffea00045ff600 dead000000000003 ffff88810004c280
[ 58.721759][ T1509] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 58.730316][ T1509] page dumped because: kasan: bad access detected
[ 58.736703][ T1509] page_owner tracks the page as allocated
[ 58.742391][ T1509] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 368, tgid 368 (udevd), ts 5033290423, free_ts 0
[ 58.761980][ T1509]  post_alloc_hook+0x286/0x2b0
[ 58.766812][ T1509]  get_page_from_freelist+0x2c71/0x2eb0
[ 58.772441][ T1509]  __alloc_pages+0x251/0x640
[ 58.777006][ T1509]  alloc_slab_page+0x6a/0x150
[ 58.781657][ T1509]  new_slab+0x70/0x250
[ 58.785718][ T1509]  ___slab_alloc+0x9df/0xe70
[ 58.790294][ T1509]  __kmem_cache_alloc_node+0x195/0x250
[ 58.795816][ T1509]  __kmalloc_node+0x98/0x1c0
[ 58.800400][ T1509]  kvmalloc_node+0x3e/0xe0
[ 58.804797][ T1509]  seq_read_iter+0x1ac/0xbd0
[ 58.809449][ T1509]  vfs_read+0x780/0x9a0
[ 58.813586][ T1509]  ksys_read+0x15f/0x240
[ 58.817816][ T1509]  do_syscall_64+0x3d/0x80
[ 58.822204][ T1509]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.828075][ T1509] page_owner free stack trace missing
[ 58.833426][ T1509]
[ 58.835732][ T1509] Memory state around the buggy address:
[ 58.841445][ T1509]  ffff88811abba080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.849675][ T1509]  ffff88811abba100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.857716][ T1509] >ffff88811abba180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.865757][ T1509]                                ^
[ 58.870933][ T1509]  ffff88811abba200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.878970][ T1509]  ffff88811abba280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.887003][ T1509] ==================================================================
[ 58.895176][ T1509] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 58.902665][ T1509] Kernel Offset: disabled
[ 58.906974][ T1509] Rebooting in 86400 seconds..