==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_read_inline_data fs/ext4/inline.c:210 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0x560/0x1160 fs/ext4/inline.c:1394
Read of size 68 at addr ffff88811f363ec9 by task syz-executor.0/447

CPU: 0 PID: 447 Comm: syz-executor.0 Not tainted 6.1.75-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x158/0x4e0 mm/kasan/report.c:395
 kasan_report+0x13c/0x170 mm/kasan/report.c:495
 kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189
 memcpy+0x2d/0x70 mm/kasan/shadow.c:65
 ext4_read_inline_data fs/ext4/inline.c:210 [inline]
 ext4_inlinedir_to_tree+0x560/0x1160 fs/ext4/inline.c:1394
 ext4_htree_fill_tree+0x5d1/0x13e0 fs/ext4/namei.c:1210
 ext4_dx_readdir fs/ext4/dir.c:597 [inline]
 ext4_readdir+0x2f4b/0x3930 fs/ext4/dir.c:142
 iterate_dir+0x265/0x600
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5c89ea9363
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 62 8b fa ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b0 ff ff ff f7 d8
RSP: 002b:00007ffd603fd848 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00005555565a3890 RCX: 00007f5c89ea9363
RDX: 0000000000008000 RSI: 00005555565a3890 RDI: 0000000000000006
RBP: 00005555565a3864 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffb0
R13: 0000000000000016 R14: 00005555565a3860 R15: 0000000000000008

Allocated by task 433:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x175/0x2c0 mm/slub.c:3422
 kmem_cache_zalloc include/linux/slab.h:679 [inline]
 __kernfs_new_node+0xdb/0x700 fs/kernfs/dir.c:608
 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:672
 __kernfs_create_file+0x4a/0x270 fs/kernfs/file.c:1043
 sysfs_add_file_mode_ns+0x1c8/0x270 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x545/0xed0 fs/sysfs/group.c:148
 internal_create_groups fs/sysfs/group.c:188 [inline]
 sysfs_create_groups+0x5b/0x130 fs/sysfs/group.c:214
 device_add_groups drivers/base/core.c:2719 [inline]
 device_add_attrs+0xe1/0x5f0 drivers/base/core.c:2867
 device_add+0x5f1/0xef0 drivers/base/core.c:3615
 netdev_register_kobject+0x150/0x300 net/core/net-sysfs.c:2015
 register_netdevice+0xe43/0x1490 net/core/dev.c:10096
 veth_newlink+0x7fc/0xc70 drivers/net/veth.c:1793
 rtnl_newlink_create net/core/rtnetlink.c:3390 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3610 [inline]
 rtnl_newlink+0x14c6/0x2030 net/core/rtnetlink.c:3623
 rtnetlink_rcv_msg+0x9a5/0xca0 net/core/rtnetlink.c:6122
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6140
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x906/0xab0 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0xa15/0xd30 net/netlink/af_netlink.c:1874
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 __sys_sendto+0x480/0x600 net/socket.c:2148
 __do_sys_sendto net/socket.c:2160 [inline]
 __se_sys_sendto net/socket.c:2156 [inline]
 __x64_sys_sendto+0xe5/0x100 net/socket.c:2156
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 8:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:236
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x291/0x510 mm/slub.c:3683
 kernfs_put+0x392/0x520 fs/kernfs/dir.c:562
 kernfs_remove_by_name_ns+0xf4/0x160 fs/kernfs/dir.c:1639
 kernfs_remove_by_name include/linux/kernfs.h:622 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0x10c/0x2a0 fs/sysfs/group.c:288
 sysfs_remove_groups+0x56/0xb0 fs/sysfs/group.c:312
 device_remove_groups drivers/base/core.c:2726 [inline]
 device_remove_attrs+0x236/0x290 drivers/base/core.c:2946
 device_del+0x612/0xe80 drivers/base/core.c:3851
 netdev_unregister_kobject+0x18b/0x260 net/core/net-sysfs.c:1987
 unregister_netdevice_many+0x122c/0x1740 net/core/dev.c:10905
 default_device_exit_batch+0x5be/0x640 net/core/dev.c:11382
 ops_exit_list net/core/net_namespace.c:174 [inline]
 cleanup_net+0x6c9/0xbf0 net/core/net_namespace.c:601
 process_one_work+0x73d/0xcb0 kernel/workqueue.c:2292
 worker_thread+0xa5d/0x1260 kernel/workqueue.c:2439
 kthread+0x26d/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88811f363e40
 which belongs to the cache kernfs_node_cache of size 128
The buggy address is located 9 bytes to the right of
 128-byte region [ffff88811f363e40, ffff88811f363ec0)

The buggy address belongs to the physical page:
page:ffffea00047cd8c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f363
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881001a7780
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 433, tgid 433 (syz-executor.0), ts 41718498930, free_ts 34544401878
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e2/0x1f0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x2df3/0x2ed0 mm/page_alloc.c:4279
 __alloc_pages+0x3c2/0x7d0 mm/page_alloc.c:5545
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0xce/0x4c0 mm/slub.c:1992
 ___slab_alloc+0x6f9/0xb80 mm/slub.c:3180
 __slab_alloc+0x5d/0xa0 mm/slub.c:3279
 slab_alloc_node mm/slub.c:3364 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x1b9/0x2c0 mm/slub.c:3422
 kmem_cache_zalloc include/linux/slab.h:679 [inline]
 __kernfs_new_node+0xdb/0x700 fs/kernfs/dir.c:608
 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:672
 __kernfs_create_file+0x4a/0x270 fs/kernfs/file.c:1043
 sysfs_add_file_mode_ns+0x1c8/0x270 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x545/0xed0 fs/sysfs/group.c:148
 internal_create_groups fs/sysfs/group.c:188 [inline]
 sysfs_create_groups+0x5b/0x130 fs/sysfs/group.c:214
 device_add_groups drivers/base/core.c:2719 [inline]
 device_add_attrs+0xe1/0x5f0 drivers/base/core.c:2867
 device_add+0x5f1/0xef0 drivers/base/core.c:3615
 netdev_register_kobject+0x150/0x300 net/core/net-sysfs.c:2015
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1513 [inline]
 free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3358
 free_unref_page+0x36/0x3c0 mm/page_alloc.c:3453
 __folio_put_small mm/swap.c:105 [inline]
 __folio_put+0xaa/0xe0 mm/swap.c:128
 folio_put include/linux/mm.h:1167 [inline]
 put_page include/linux/mm.h:1219 [inline]
 anon_pipe_buf_release+0x184/0x1f0 fs/pipe.c:138
 pipe_buf_release include/linux/pipe_fs_i.h:183 [inline]
 pipe_read+0x5a6/0x1040 fs/pipe.c:324
 call_read_iter include/linux/fs.h:2243 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x771/0xad0 fs/read_write.c:470
 ksys_read+0x199/0x2c0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x7b/0x90 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88811f363d80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811f363e00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88811f363e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                              ^
 ffff88811f363f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811f363f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
EXT4-fs error (device loop0): ext4_inlinedir_to_tree:1432: inode #12: block 7: comm syz-executor.0: path /root/syzkaller-testdir3334683376/syzkaller.dvNPx4/0/file0/file0: bad entry in directory: directory entry overrun - offset=34816, inode=2538880996, rec_len=34812, size=128 fake=0
EXT4-fs error (device loop0): empty_inline_dir:1858: inode #12: block 7: comm syz-executor.0: bad entry in directory: directory entry overrun - offset=4, inode=2538880996, rec_len=34812, size=60 fake=0
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs error (device loop0): ext4_inlinedir_to_tree:1432: inode #12: block 7: comm syz-executor.0: path /root/syzkaller-testdir3334683376/syzkaller.dvNPx4/0/file0/file0: bad entry in directory: directory entry overrun - offset=34816, inode=2538880996, rec_len=34812, size=128 fake=0
EXT4-fs error (device loop0): empty_inline_dir:1858: inode #12: block 7: comm syz-executor.0: bad entry in directory: directory entry overrun - offset=4, inode=2538880996, rec_len=34812, size=60 fake=0
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs error (device loop0): ext4_inlinedir_to_tree:1432: inode #12: block 7: comm syz-executor.0: path /root/syzkaller-testdir3334683376/syzkaller.dvNPx4/0/file0/file0: bad entry in directory: directory entry overrun - offset=34816, inode=2538880996, rec_len=34812, size=128 fake=0
EXT4-fs error (device loop0): empty_inline_dir:1858: inode #12: block 7: comm syz-executor.0: bad entry in directory: directory entry overrun - offset=4, inode=2538880996, rec_len=34812, size=60 fake=0
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs error (device loop0): ext4_inlinedir_to_tree:1432: inode #12: block 7: comm syz-executor.0: path /root/syzkaller-testdir3334683376/syzkaller.dvNPx4/0/file0/file0: bad entry in directory: directory entry overrun - offset=34816, inode=2538880996, rec_len=34812, size=128 fake=0
EXT4-fs error (device loop0): empty_inline_dir:1858: inode #12: block 7: comm syz-executor.0: bad entry in directory: directory entry overrun - offset=4, inode=2538880996, rec_len=34812, size=60 fake=0
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs error (device loop0): ext4_inlinedir_to_tree:1432: inode #12: block 7: comm syz-executor.0: path /root/syzkaller-testdir3334683376/syzkaller.dvNPx4/0/file0/file0: bad entry in directory: directory entry overrun - offset=34816, inode=2538880996, rec_len=34812, size=128 fake=0
EXT4-fs error (device loop0): empty_inline_dir:1858: inode #12: block 7: comm syz-executor.0: bad entry in directory: directory entry overrun - offset=4, inode=2538880996, rec_len=34812, size=60 fake=0
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs warning (device loop0): empty_inline_dir:1865: bad inline directory (dir #12) - inode 2538880996, rec_len 34812, name_len 234inline size 60
EXT4-fs (loop0): unmounting filesystem.
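Reading the report: a getdents64() on a directory of a loop-mounted ext4 image with inline data reaches ext4_read_inline_data() via ext4_inlinedir_to_tree(), and the 68-byte memcpy source lands 9 bytes past a 128-byte kernfs_node_cache object that an unrelated veth registration allocated and a net-namespace cleanup later freed. A copy whose source sits in someone else's slab object means the pointer computed for the inline directory data was not inside the ext4 inode data it should have come from. The EXT4-fs lines that follow show the directory-entry sanity checks firing on the same inode #12: a record with rec_len 34812 and name_len 234 in an inline area of 60 bytes, rejected as "directory entry overrun".

The following is an added example and is not part of the crash report or of the ext4 source. It re-implements in user space the checks behind those "bad entry in directory" messages, in the order ext4's __ext4_check_dir_entry() applies them, and runs them over a constructed 60-byte inline directory area: once intact, and once with the first entry carrying the inode, rec_len and name_len values from the log. The names (walk_inline_dir, scan_sample, build_*_inline_dir) and the sample buffers are this example's own; casefold name hashes and the metadata_csum tail entry are ignored.

```c
/* Added example, not from the report or fs/ext4: user-space re-implementation of
 * the ext4 directory-entry checks, run over a constructed inline directory area
 * (4-byte parent inode, then ext4_dir_entry_2 records, 60 bytes in total). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_MIN_INLINE_DATA_SIZE 60
#define EXT4_DIR_ROUND 3
#define EXT4_DIR_REC_LEN(name_len) (((name_len) + 8 + EXT4_DIR_ROUND) & ~EXT4_DIR_ROUND)

enum dirent_err {
    DIRENT_OK = 0,
    DIRENT_REC_LEN_TOO_SMALL,  /* rec_len < EXT4_DIR_REC_LEN(1) */
    DIRENT_REC_LEN_UNALIGNED,  /* rec_len % 4 != 0 */
    DIRENT_REC_LEN_LT_NAME,    /* rec_len < EXT4_DIR_REC_LEN(name_len) */
    DIRENT_OVERRUN,            /* offset + rec_len > size ("directory entry overrun") */
    DIRENT_TOO_CLOSE_TO_END,   /* no room for another entry, yet not exactly at end */
    DIRENT_INODE_OOB,          /* inode number > s_inodes_count */
};

/* Decoded ext4_dir_entry_2 header; the name bytes follow it, padded to 4. */
struct dirent2 { uint32_t inode; uint16_t rec_len; uint8_t name_len; uint8_t file_type; };

static void read_dirent(const uint8_t *p, struct dirent2 *de)
{
    /* Little-endian decode without relying on struct layout or alignment. */
    de->inode = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    de->rec_len = (uint16_t)(p[4] | p[5] << 8);
    de->name_len = p[6];
    de->file_type = p[7];
}

/* Same checks, same order, as ext4's __ext4_check_dir_entry(). */
static enum dirent_err check_dirent(const struct dirent2 *de, unsigned offset,
                                    unsigned size, uint32_t inodes_count)
{
    unsigned rlen = de->rec_len, next = offset + rlen;
    if (rlen < EXT4_DIR_REC_LEN(1))              return DIRENT_REC_LEN_TOO_SMALL;
    if (rlen % 4 != 0)                           return DIRENT_REC_LEN_UNALIGNED;
    if (rlen < EXT4_DIR_REC_LEN(de->name_len))   return DIRENT_REC_LEN_LT_NAME;
    if (next > size)                             return DIRENT_OVERRUN;
    if (next > size - EXT4_DIR_REC_LEN(1) && next != size) return DIRENT_TOO_CLOSE_TO_END;
    if (de->inode > inodes_count)                return DIRENT_INODE_OOB;
    return DIRENT_OK;
}

/* Walk an inline directory area, stopping at the first bad entry; *entries
 * receives the number of entries accepted before it. */
enum dirent_err walk_inline_dir(const uint8_t *area, unsigned size,
                                uint32_t inodes_count, unsigned *entries)
{
    unsigned offset = 4;                 /* skip the parent inode number */
    *entries = 0;
    while (offset + 8 <= size) {
        struct dirent2 de;
        enum dirent_err err;
        read_dirent(area + offset, &de);
        err = check_dirent(&de, offset, size, inodes_count);
        if (err != DIRENT_OK) {
            fprintf(stderr, "bad entry in directory (check %d) - offset=%u, inode=%u, rec_len=%u, size=%u\n",
                    err, offset, de.inode, de.rec_len, size);
            return err;
        }
        (*entries)++;
        offset += de.rec_len;            /* rec_len >= 12 here, so this always advances */
    }
    return DIRENT_OK;
}

static void put16(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Constructed area: parent inode 2, entry "a" -> inode 12 (rec_len 12), then an
 * unused entry whose rec_len (44) covers the rest: 4 + 12 + 44 == 60. */
void build_good_inline_dir(uint8_t area[EXT4_MIN_INLINE_DATA_SIZE])
{
    memset(area, 0, EXT4_MIN_INLINE_DATA_SIZE);
    put32(area, 2);
    put32(area + 4, 12); put16(area + 8, 12); area[10] = 1; area[11] = 1; area[12] = 'a';
    put32(area + 16, 0); put16(area + 20, 44);
}

/* Same area, first entry replaced by the values from the log above. */
void build_bad_inline_dir(uint8_t area[EXT4_MIN_INLINE_DATA_SIZE])
{
    build_good_inline_dir(area);
    put32(area + 4, 2538880996u);
    put16(area + 8, 34812);
    area[10] = 234;
}

/* Accepted entry count for the sample, or -err of the first bad entry. */
int scan_sample(int corrupted)
{
    uint8_t area[EXT4_MIN_INLINE_DATA_SIZE];
    unsigned n;
    enum dirent_err err;
    if (corrupted) build_bad_inline_dir(area); else build_good_inline_dir(area);
    err = walk_inline_dir(area, sizeof area, 65536, &n);
    return err == DIRENT_OK ? (int)n : -(int)err;
}

int main(void)
{
    printf("intact area: %d entries accepted\n", scan_sample(0));
    printf("corrupted area: result %d (DIRENT_OVERRUN is %d)\n", scan_sample(1), DIRENT_OVERRUN);
    return 0;
}
```

With the log's values the first three checks pass (34812 is at least 12, is a multiple of 4, and exceeds EXT4_DIR_REC_LEN(234) = 244), and the walk stops at the overrun check with offset=4 and size=60, the same numbers the empty_inline_dir line reports. The point for a reviewer of this report is that these checks run on the directory entries after the inline data has already been copied out; they catch the corrupted record but do not prevent the out-of-bounds copy in ext4_read_inline_data() that KASAN flagged, which happens before any entry is examined.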