==================================================================
BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x131b/0x13e0 fs/ext4/namei.c:1246
Read of size 1 at addr ffff888113343a67 by task syz-executor/476

CPU: 0 PID: 476 Comm: syz-executor Not tainted 5.15.180-syzkaller-1080019-g8034ec1338e8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 ext4_htree_fill_tree+0x131b/0x13e0 fs/ext4/namei.c:1246
 ext4_dx_readdir fs/ext4/dir.c:609 [inline]
 ext4_readdir+0x2f75/0x3960 fs/ext4/dir.c:145
 iterate_dir+0x265/0x600 fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
 x64_sys_call+0x5ae/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f0b5550a693
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 82 3e f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007ffc42b49358 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00005555746814e0 RCX: 00007f0b5550a693
RDX: 0000000000008000 RSI: 00005555746814e0 RDI: 0000000000000005
RBP: 00005555746814b4 R08: 0000000000028b61 R09: 0000000000000000
R10: 00007f0b5569dca0 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000010 R14: 00005555746814b0 R15: 0000000000000001

Allocated by task 386:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0xb1/0xe0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:217 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:550
 slab_alloc_node mm/slub.c:3240 [inline]
 slab_alloc mm/slub.c:3250 [inline]
 kmem_cache_alloc+0xf5/0x250 mm/slub.c:3255
 skb_clone+0x1d1/0x360 net/core/skbuff.c:1547
 dev_queue_xmit_nit+0x25b/0xa40 net/core/dev.c:2349
 xmit_one net/core/dev.c:3651 [inline]
 dev_hard_start_xmit+0x149/0x620 net/core/dev.c:3672
 sch_direct_xmit+0x298/0x9b0 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3891 [inline]
 __dev_queue_xmit+0x15b6/0x2e80 net/core/dev.c:4260
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4328
 neigh_hh_output include/net/neighbour.h:501 [inline]
 neigh_output include/net/neighbour.h:515 [inline]
 ip_finish_output2+0xb9f/0xf60 net/ipv4/ip_output.c:228
 __ip_finish_output+0x162/0x360 net/ipv4/ip_output.c:-1
 ip_finish_output+0x31/0x210 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip_output+0x1d6/0x420 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:453 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0x1108/0x1c20 net/ipv4/ip_output.c:532
 ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:546
 __tcp_transmit_skb+0x1e84/0x3920 net/ipv4/tcp_output.c:1404
 __tcp_send_ack+0x303/0x710 net/ipv4/tcp_output.c:4012
 tcp_send_ack+0x3b/0x60 net/ipv4/tcp_output.c:4018
 __tcp_ack_snd_check+0x3fc/0x970 net/ipv4/tcp_input.c:5584
 tcp_rcv_established+0x10f1/0x1ac0 net/ipv4/tcp_input.c:6019
 tcp_v4_do_rcv+0x3d7/0xa00 net/ipv4/tcp_ipv4.c:1726
 tcp_v4_rcv+0x23dd/0x2a70 net/ipv4/tcp_ipv4.c:2138
 ip_protocol_deliver_rcu+0x32f/0x710 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ip_local_deliver+0x2c6/0x590 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:463 [inline]
 ip_sublist_rcv_finish net/ipv4/ip_input.c:577 [inline]
 ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
 ip_sublist_rcv+0x7e2/0x980 net/ipv4/ip_input.c:636
 ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:671
 __netif_receive_skb_list_ptype net/core/dev.c:5575 [inline]
 __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5623
 __netif_receive_skb_list net/core/dev.c:5675 [inline]
 netif_receive_skb_list_internal+0x967/0xcc0 net/core/dev.c:5766
 gro_normal_list net/core/dev.c:5920 [inline]
 napi_complete_done+0x344/0x770 net/core/dev.c:6658
 virtqueue_napi_complete drivers/net/virtio_net.c:357 [inline]
 virtnet_poll+0xbd0/0x1250 drivers/net/virtio_net.c:1592
 __napi_poll+0xc4/0x5a0 net/core/dev.c:7082
 napi_poll net/core/dev.c:7149 [inline]
 net_rx_action+0x47d/0xc50 net/core/dev.c:7239
 handle_softirqs+0x25e/0x5c0 kernel/softirq.c:565
 __do_softirq kernel/softirq.c:603 [inline]
 invoke_softirq kernel/softirq.c:425 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:652
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:664
 common_interrupt+0x68/0xe0 arch/x86/kernel/irq.c:242
 asm_common_interrupt+0x27/0x40 arch/x86/include/asm/idtentry.h:667

Freed by task 386:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3521 [inline]
 kmem_cache_free+0x115/0x330 mm/slub.c:3539
 kfree_skbmem+0x104/0x170 net/core/skbuff.c:-1
 __kfree_skb net/core/skbuff.c:758 [inline]
 consume_skb+0xb4/0x250 net/core/skbuff.c:930
 packet_rcv+0x160/0x1150 net/packet/af_packet.c:2243
 dev_queue_xmit_nit+0x9a4/0xa40 net/core/dev.c:2381
 xmit_one net/core/dev.c:3651 [inline]
 dev_hard_start_xmit+0x149/0x620 net/core/dev.c:3672
 sch_direct_xmit+0x298/0x9b0 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3891 [inline]
 __dev_queue_xmit+0x15b6/0x2e80 net/core/dev.c:4260
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4328
 neigh_hh_output include/net/neighbour.h:501 [inline]
 neigh_output include/net/neighbour.h:515 [inline]
 ip_finish_output2+0xb9f/0xf60 net/ipv4/ip_output.c:228
 __ip_finish_output+0x162/0x360 net/ipv4/ip_output.c:-1
 ip_finish_output+0x31/0x210 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip_output+0x1d6/0x420 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:453 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0x1108/0x1c20 net/ipv4/ip_output.c:532
 ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:546
 __tcp_transmit_skb+0x1e84/0x3920 net/ipv4/tcp_output.c:1404
 __tcp_send_ack+0x303/0x710 net/ipv4/tcp_output.c:4012
 tcp_send_ack+0x3b/0x60 net/ipv4/tcp_output.c:4018
 __tcp_ack_snd_check+0x3fc/0x970 net/ipv4/tcp_input.c:5584
 tcp_rcv_established+0x10f1/0x1ac0 net/ipv4/tcp_input.c:6019
 tcp_v4_do_rcv+0x3d7/0xa00 net/ipv4/tcp_ipv4.c:1726
 tcp_v4_rcv+0x23dd/0x2a70 net/ipv4/tcp_ipv4.c:2138
 ip_protocol_deliver_rcu+0x32f/0x710 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ip_local_deliver+0x2c6/0x590 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:463 [inline]
 ip_sublist_rcv_finish net/ipv4/ip_input.c:577 [inline]
 ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
 ip_sublist_rcv+0x7e2/0x980 net/ipv4/ip_input.c:636
 ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:671
 __netif_receive_skb_list_ptype net/core/dev.c:5575 [inline]
 __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5623
 __netif_receive_skb_list net/core/dev.c:5675 [inline]
 netif_receive_skb_list_internal+0x967/0xcc0 net/core/dev.c:5766
 gro_normal_list net/core/dev.c:5920 [inline]
 napi_complete_done+0x344/0x770 net/core/dev.c:6658
 virtqueue_napi_complete drivers/net/virtio_net.c:357 [inline]
 virtnet_poll+0xbd0/0x1250 drivers/net/virtio_net.c:1592
 __napi_poll+0xc4/0x5a0 net/core/dev.c:7082
 napi_poll net/core/dev.c:7149 [inline]
 net_rx_action+0x47d/0xc50 net/core/dev.c:7239
 handle_softirqs+0x25e/0x5c0 kernel/softirq.c:565
 __do_softirq kernel/softirq.c:603 [inline]
 invoke_softirq kernel/softirq.c:425 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:652
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:664
 common_interrupt+0x68/0xe0 arch/x86/kernel/irq.c:242
 asm_common_interrupt+0x27/0x40 arch/x86/include/asm/idtentry.h:667

The buggy address belongs to the object at ffff888113343a00
 which belongs to the cache skbuff_head_cache of size 248
The buggy address is located 103 bytes inside of
 248-byte region [ffff888113343a00, ffff888113343af8)
The buggy address belongs to the page:
page:ffffea00044cd0c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113343
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea00044f5b80 0000000500000005 ffff8881081abc80
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 113, ts 4946987804, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4485
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5781
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1932 [inline]
 new_slab+0x9a/0x4e0 mm/slub.c:1995
 ___slab_alloc+0x39e/0x830 mm/slub.c:3028
 __slab_alloc+0x4a/0x90 mm/slub.c:3115
 slab_alloc_node mm/slub.c:3206 [inline]
 slab_alloc mm/slub.c:3250 [inline]
 kmem_cache_alloc+0x139/0x250 mm/slub.c:3255
 kmem_cache_alloc_node include/linux/slab.h:489 [inline]
 __alloc_skb+0xbe/0x550 net/core/skbuff.c:416
 alloc_skb include/linux/skbuff.h:1183 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1187 [inline]
 netlink_sendmsg+0x797/0xd20 net/netlink/af_netlink.c:1884
 sock_sendmsg_nosec net/socket.c:704 [inline]
 __sock_sendmsg net/socket.c:716 [inline]
 ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2436
 ___sys_sendmsg+0x252/0x2e0 net/socket.c:2490
 __sys_sendmsg net/socket.c:2519 [inline]
 __do_sys_sendmsg net/socket.c:2528 [inline]
 __se_sys_sendmsg+0x19a/0x260 net/socket.c:2526
 __x64_sys_sendmsg+0x7b/0x90 net/socket.c:2526
 x64_sys_call+0x16a/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888113343900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888113343980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
>ffff888113343a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888113343a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
 ffff888113343b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================