Warning: Permanently added '10.128.0.191' (ED25519) to the list of known hosts.
2024/03/11 20:03:25 ignoring optional flag "sandboxArg"="0"
2024/03/11 20:03:25 parsed 1 programs
2024/03/11 20:03:25 executed programs: 0
[ 42.540053][ T1046] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 45.009517][ T1507] loop0: detected capacity change from 0 to 512
[ 45.018091][ T1507] EXT4-fs (loop0): Ignoring removed bh option
[ 45.024910][ T1507] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 45.036129][ T1507] EXT4-fs (loop0): 1 truncate cleaned up
[ 45.041995][ T1507] EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,resgid=0x000000000000ee00,bh,noload,data_err=ignore,usrjquota=,,errors=continue. Quota mode: none.
[ 45.072046][ T1507] ==================================================================
[ 45.080486][ T1507] BUG: KASAN: use-after-free in ext4_search_dir+0x1df/0x260
[ 45.087873][ T1507] Read of size 1 at addr ffff888121fdb3ed by task syz-executor.0/1507
[ 45.096216][ T1507]
[ 45.098550][ T1507] CPU: 1 PID: 1507 Comm: syz-executor.0 Not tainted 5.15.151-syzkaller #0
[ 45.107701][ T1507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 45.118707][ T1507] Call Trace:
[ 45.122082][ T1507]
[ 45.125003][ T1507] dump_stack_lvl+0x41/0x5e
[ 45.129509][ T1507] print_address_description.constprop.0.cold+0x6c/0x309
[ 45.136886][ T1507] ? ext4_search_dir+0x1df/0x260
[ 45.142118][ T1507] ? ext4_search_dir+0x1df/0x260
[ 45.147679][ T1507] kasan_report.cold+0x83/0xdf
[ 45.152811][ T1507] ? ext4_search_dir+0x1df/0x260
[ 45.157979][ T1507] ext4_search_dir+0x1df/0x260
[ 45.162736][ T1507] ext4_find_inline_entry+0x355/0x440
[ 45.168755][ T1507] ? tomoyo_path_number_perm+0x1d8/0x420
[ 45.174814][ T1507] ? ext4_try_create_inline_dir+0x290/0x290
[ 45.181170][ T1507] ? lock_downgrade+0x4f0/0x4f0
[ 45.186762][ T1507] __ext4_find_entry+0x84a/0xce0
[ 45.191930][ T1507] ? find_held_lock+0x2d/0x110
[ 45.196732][ T1507] ? ext4_dx_find_entry+0x570/0x570
[ 45.202513][ T1507] ? d_alloc_parallel+0x638/0x1010
[ 45.209378][ T1507] ext4_lookup+0x156/0x570
[ 45.213882][ T1507] ? userns_owner+0x30/0x30
[ 45.218757][ T1507] ? ext4_resetent+0x280/0x280
[ 45.224645][ T1507] ? apparmor_capget+0x6b0/0x6b0
[ 45.229975][ T1507] ? tomoyo_path_mknod+0xb5/0x130
[ 45.235350][ T1507] ? from_kgid+0x7f/0xc0
[ 45.239741][ T1507] ? ext4_resetent+0x280/0x280
[ 45.244617][ T1507] lookup_open.isra.0+0x808/0x1680
[ 45.249904][ T1507] ? vfs_tmpfile+0x2d0/0x2d0
[ 45.254623][ T1507] path_openat+0x800/0x24d0
[ 45.259532][ T1507] ? get_slabinfo+0xe1/0xf0
[ 45.264452][ T1507] ? __x64_sys_open+0xfd/0x1a0
[ 45.269646][ T1507] ? do_syscall_64+0x35/0x80
[ 45.276797][ T1507] ? entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 45.283516][ T1507] ? path_lookupat+0x6b0/0x6b0
[ 45.289007][ T1507] ? futex_wait_restart+0x210/0x210
[ 45.294255][ T1507] ? stack_trace_save+0x8c/0xc0
[ 45.299451][ T1507] ? find_held_lock+0x2d/0x110
[ 45.304528][ T1507] do_filp_open+0x199/0x3d0
[ 45.309407][ T1507] ? may_open_dev+0xd0/0xd0
[ 45.313997][ T1507] ? do_raw_spin_lock+0x120/0x2b0
[ 45.319693][ T1507] ? rwlock_bug.part.0+0x90/0x90
[ 45.324926][ T1507] ? lock_acquire+0x11a/0x230
[ 45.329596][ T1507] ? _raw_spin_unlock+0x1a/0x20
[ 45.334692][ T1507] ? alloc_fd+0x17c/0x4e0
[ 45.339021][ T1507] ? getname_flags.part.0+0x89/0x440
[ 45.344469][ T1507] do_sys_openat2+0x11e/0x400
[ 45.349188][ T1507] ? build_open_flags+0x490/0x490
[ 45.355066][ T1507] ? lock_downgrade+0x4f0/0x4f0
[ 45.361342][ T1507] __x64_sys_open+0xfd/0x1a0
[ 45.366380][ T1507] ? do_sys_open+0xe0/0xe0
[ 45.370995][ T1507] ? vtime_user_exit+0xde/0x180
[ 45.376050][ T1507] ? trace_user_exit.constprop.0+0x25/0xb0
[ 45.381876][ T1507] do_syscall_64+0x35/0x80
[ 45.386547][ T1507] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 45.392464][ T1507] RIP: 0033:0x7f82cafc3b29
[ 45.397106][ T1507] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 45.417685][ T1507] RSP: 002b:00007f82cab460c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 45.426818][ T1507] RAX: ffffffffffffffda RBX: 00007f82cb0e2f80 RCX: 00007f82cafc3b29
[ 45.434790][ T1507] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000100
[ 45.442762][ T1507] RBP: 00007f82cb00f47a R08: 0000000000000000 R09: 0000000000000000
[ 45.450920][ T1507] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 45.459299][ T1507] R13: 0000000000000006 R14: 00007f82cb0e2f80 R15: 00007ffe80094998
[ 45.467495][ T1507]
[ 45.470522][ T1507]
[ 45.472828][ T1507] The buggy address belongs to the page:
[ 45.478436][ T1507] page:ffffea000487f6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x121fdb
[ 45.488657][ T1507] flags: 0x200000000000000(node=0|zone=2)
[ 45.494769][ T1507] raw: 0200000000000000 ffffea000487f3c8 ffffea000487f208 0000000000000000
[ 45.504050][ T1507] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 45.513157][ T1507] page dumped because: kasan: bad access detected
[ 45.519866][ T1507] page_owner tracks the page as freed
[ 45.525497][ T1507] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 1443, ts 44636933643, free_ts 44638549797
[ 45.541415][ T1507] get_page_from_freelist+0x166f/0x2910
[ 45.547027][ T1507] __alloc_pages+0x2b3/0x590
[ 45.551712][ T1507] alloc_pages_vma+0xcf/0x4b0
[ 45.556711][ T1507] __handle_mm_fault+0xdf5/0x1ec0
[ 45.562288][ T1507] handle_mm_fault+0x1c0/0x5a0
[ 45.567307][ T1507] do_user_addr_fault+0x293/0xcb0
[ 45.572484][ T1507] exc_page_fault+0x5a/0xb0
[ 45.577171][ T1507] asm_exc_page_fault+0x22/0x30
[ 45.582940][ T1507] page last free stack trace:
[ 45.587607][ T1507] free_pcp_prepare+0x34e/0x730
[ 45.592720][ T1507] free_unref_page_list+0x168/0x9a0
[ 45.597914][ T1507] release_pages+0x9f2/0x1100
[ 45.602586][ T1507] tlb_finish_mmu+0x125/0x6c0
[ 45.607463][ T1507] exit_mmap+0x185/0x4e0
[ 45.611890][ T1507] mmput+0x90/0x390
[ 45.615818][ T1507] do_exit+0x87f/0x21d0
[ 45.620514][ T1507] do_group_exit+0xe7/0x290
[ 45.625231][ T1507] __x64_sys_exit_group+0x35/0x40
[ 45.630416][ T1507] do_syscall_64+0x35/0x80
[ 45.636705][ T1507] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 45.642682][ T1507]
[ 45.645079][ T1507] Memory state around the buggy address:
[ 45.650701][ T1507]  ffff888121fdb280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.658761][ T1507]  ffff888121fdb300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.667173][ T1507] >ffff888121fdb380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.675493][ T1507]                                                           ^
[ 45.683045][ T1507]  ffff888121fdb400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.692191][ T1507]  ffff888121fdb480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.701067][ T1507] ==================================================================
[ 45.709371][ T1507] Disabling lock debugging due to kernel taint
[ 45.715740][ T1507] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 45.723340][ T1507] Kernel Offset: disabled
[ 45.727661][ T1507] Rebooting in 86400 seconds..