[syzbot ci] Re: Data in direntry (dirdata) feature

From: syzbot ci
Date: 2026-06-11 10:29 UTC
To: adilger.kernel, adilger, adilger, artem.blagodarenko, linux-ext4, pravin.shelar
Cc: syzbot, syzkaller-bugs
In-Reply-To: <20260610152417.13576-1-ablagodarenko@thelustrecollective.com>

syzbot ci has tested the following series

[v2] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260610152417.13576-1-ablagodarenko@thelustrecollective.com
* [PATCH v2 01/10] ext4: replace ext4_dir_entry with ext4_dir_entry_2
* [PATCH v2 02/10] ext4: add ext4_dir_entry_is_tail()
* [PATCH v2 03/10] ext4: refactor dx_root to support variable dirent sizes
* [PATCH v2 04/10] ext4: add dirdata format definitions and access helpers
* [PATCH v2 05/10] ext4: preserve dirdata bits in get_dtype()
* [PATCH v2 06/10] ext4: add ext4_dir_entry_len() and harden dirdata parsing
* [PATCH v2 07/10] ext4: rename ext4_dir_rec_len() and clarify dirdata usage
* [PATCH v2 08/10] ext4: dirdata feature
* [PATCH v2 09/10] ext4: add dirdata set/get helpers
* [PATCH v2 10/10] ext4: Add EXT4_IOC_SET_LUFID ioctl for setting LUFID on directory entries

and found the following issues:
* KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
* KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree
* KASAN: slab-use-after-free Read in __ext4_check_dir_entry
* KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree
* KASAN: use-after-free Read in __ext4_check_dir_entry

Full report is available here:
https://ci.syzbot.org/series/5bf0e2fa-2e68-4532-8396-4568879b2788

***

KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      9716c086c8e8b141d35aa61f2e96a2e83de212a7
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
syz repro: https://ci.syzbot.org/findings/b0854918-13f9-49dd-ab30-12154f0debe2/syz_repro

loop0: lost filesystem error report for type 5 error -117
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96
Read of size 1 at addr ffff8881022db7f5 by task syz.0.23/5815

CPU: 1 UID: 0 PID: 5815 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
 __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96
 ext4_check_all_de+0x66/0x150 fs/ext4/dir.c:657
 ext4_convert_inline_data_nolock+0x1b7/0x990 fs/ext4/inline.c:1121
 ext4_try_add_inline_entry+0x604/0x8e0 fs/ext4/inline.c:1247
 __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529
 ext4_add_entry fs/ext4/namei.c:2613 [inline]
 ext4_mkdir+0x5e5/0xce0 fs/ext4/namei.c:3175
 vfs_mkdir+0x413/0x630 fs/namei.c:5271
 filename_mkdirat+0x285/0x510 fs/namei.c:5304
 __do_sys_mkdirat fs/namei.c:5325 [inline]
 __se_sys_mkdirat+0x35/0x150 fs/namei.c:5322
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f669359bcc7
Code: 00 66 90 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 db f7 ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd42381d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007ffd42381dc0 RCX: 00007f669359bcc7
RDX: 00000000000001ff RSI: 0000200000001200 RDI: 00000000ffffff9c
RBP: 00002000000024c0 R08: 0000200000000240 R09: 0000000000000000
R10: 00002000000024c0 R11: 0000000000000246 R12: 0000200000001200
R13: 00007ffd42381d80 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 5066:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5420
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 kernfs_get_open_node fs/kernfs/file.c:543 [inline]
 kernfs_fop_open+0x862/0xda0 fs/kernfs/file.c:718
 do_dentry_open+0x822/0x13a0 fs/open.c:947
 vfs_open+0x3b/0x340 fs/open.c:1079
 do_open fs/namei.c:4699 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4858
 do_file_open+0x23e/0x4a0 fs/namei.c:4887
 do_sys_openat2+0x113/0x200 fs/open.c:1364
 do_sys_open fs/open.c:1370 [inline]
 __do_sys_openat fs/open.c:1386 [inline]
 __se_sys_openat fs/open.c:1381 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1381
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
 kvfree_call_rcu+0x100/0x430 mm/slab_common.c:1970
 kernfs_unlink_open_file+0x3fe/0x4b0 fs/kernfs/file.c:604
 kernfs_fop_release+0x2eb/0x440 fs/kernfs/file.c:783
 __fput+0x44f/0xa60 fs/file_table.c:510
 fput_close_sync+0x11f/0x240 fs/file_table.c:615
 __do_sys_close fs/open.c:1507 [inline]
 __se_sys_close fs/open.c:1492 [inline]
 __x64_sys_close+0x7e/0x110 fs/open.c:1492
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881022db700
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 117 bytes to the right of
 allocated 128-byte region [ffff8881022db700, ffff8881022db780)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022db
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff888100041a00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, tgid 0 (swapper/0), ts 2408938923, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7272
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
 alloc_from_pcs mm/slub.c:4750 [inline]
 slab_alloc_node mm/slub.c:4884 [inline]
 __do_kmalloc_node mm/slub.c:5295 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5308
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 __alloc_empty_sheaf mm/slub.c:2768 [inline]
 alloc_empty_sheaf mm/slub.c:2783 [inline]
 __pcs_replace_empty_main+0x2df/0x720 mm/slub.c:4647
 alloc_from_pcs mm/slub.c:4750 [inline]
 slab_alloc_node mm/slub.c:4884 [inline]
 kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4906
 dup_fd+0x55/0xb40 fs/file.c:390
 copy_files+0xc8/0x120 kernel/fork.c:1639
 copy_process+0x1d94/0x4440 kernel/fork.c:2252
 kernel_clone+0x2d7/0x940 kernel/fork.c:2722
 user_mode_thread+0x110/0x180 kernel/fork.c:2798
 rest_init+0x23/0x300 init/main.c:727
 start_kernel+0x38a/0x3e0 init/main.c:1220
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881022db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881022db700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881022db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff8881022db800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881022db880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      9716c086c8e8b141d35aa61f2e96a2e83de212a7
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
syz repro: https://ci.syzbot.org/findings/2dff870b-f382-4c93-8d8d-b2291d921224/syz_repro

loop1: lost filesystem error report for type 5 error -117
EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4095 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0xda5/0x10d0 fs/ext4/inline.c:1335
Read of size 2 at addr ffff888115a3183c by task syz.1.18/5839

CPU: 1 UID: 0 PID: 5839 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dir_entry_len fs/ext4/ext4.h:4095 [inline]
 ext4_inlinedir_to_tree+0xda5/0x10d0 fs/ext4/inline.c:1335
 ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:399 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e02b9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3e03ad5028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f3e02e15fa0 RCX: 00007f3e02b9ce59
RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004
RBP: 00007f3e02c32d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3e02e16038 R14: 00007f3e02e15fa0 R15: 00007ffcaa902298
 </TASK>

Allocated by task 5839:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5296 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308
 kmalloc_noprof include/linux/slab.h:954 [inline]
 ext4_inlinedir_to_tree+0x312/0x10d0 fs/ext4/inline.c:1292
 ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:399 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888115a31800
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
 allocated 60-byte region [ffff888115a31800, ffff888115a3183c)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115a31
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5051, tgid 5051 (acpid), ts 27203740677, free_ts 27201732767
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7272
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
 alloc_from_pcs mm/slub.c:4750 [inline]
 slab_alloc_node mm/slub.c:4884 [inline]
 __do_kmalloc_node mm/slub.c:5295 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5308
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 tomoyo_get_name+0x20c/0x590 security/tomoyo/memory.c:173
 tomoyo_parse_name_union+0xd9/0x130 security/tomoyo/util.c:260
 tomoyo_update_path_acl security/tomoyo/file.c:399 [inline]
 tomoyo_write_file+0x3a6/0xc50 security/tomoyo/file.c:1027
 tomoyo_write_domain2 security/tomoyo/common.c:1160 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2177 [inline]
 tomoyo_supervisor+0x1208/0x1570 security/tomoyo/common.c:2238
 tomoyo_audit_path_log security/tomoyo/file.c:169 [inline]
 tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:592
 tomoyo_check_open_permission+0x2b2/0x470 security/tomoyo/file.c:782
 security_file_open+0xa9/0x240 security/security.c:2739
 do_dentry_open+0x4a8/0x13a0 fs/open.c:924
 vfs_open+0x3b/0x340 fs/open.c:1079
page last free pid 15 tgid 15 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1397 [inline]
 __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938
 __tlb_remove_table_free mm/mmu_gather.c:228 [inline]
 tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:291
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
 handle_softirqs+0x22a/0x840 kernel/softirq.c:622
 run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x389/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888115a31700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888115a31780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff888115a31800: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
                                        ^
 ffff888115a31880: 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc fc
 ffff888115a31900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: slab-use-after-free Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      9716c086c8e8b141d35aa61f2e96a2e83de212a7
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
syz repro: https://ci.syzbot.org/findings/f1d48ea1-6e87-4d64-9c13-8bf8aed109fc/syz_repro

loop0: lost filesystem error report for type 5 error -117
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96
Read of size 1 at addr ffff888114d8c045 by task syz.0.20/5821

CPU: 1 UID: 0 PID: 5821 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
 __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96
 ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203
 ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984
 ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213
 __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529
 ext4_add_entry fs/ext4/namei.c:2613 [inline]
 ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936
 ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982
 lookup_open fs/namei.c:4511 [inline]
 open_last_lookups fs/namei.c:4611 [inline]
 path_openat+0x1395/0x3860 fs/namei.c:4855
 do_file_open+0x23e/0x4a0 fs/namei.c:4887
 do_sys_openat2+0x113/0x200 fs/open.c:1364
 do_sys_open fs/open.c:1370 [inline]
 __do_sys_openat fs/open.c:1386 [inline]
 __se_sys_openat fs/open.c:1381 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1381
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f922219ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9223137028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f9222415fa0 RCX: 00007f922219ce59
RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004
RBP: 00007f9222232d6f R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9222416038 R14: 00007f9222415fa0 R15: 00007ffd01a2d448
 </TASK>

Allocated by task 5484:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4570 [inline]
 slab_alloc_node mm/slub.c:4899 [inline]
 kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4951
 kmalloc_reserve net/core/skbuff.c:613 [inline]
 __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
 alloc_skb include/linux/skbuff.h:1385 [inline]
 nlmsg_new include/net/netlink.h:1055 [inline]
 mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217
 mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691
 notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
 call_netdevice_notifiers net/core/dev.c:2301 [inline]
 unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421
 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
 ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
 kthread+0x389/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 5484:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6251 [inline]
 kfree+0x1c5/0x640 mm/slub.c:6566
 skb_kfree_head net/core/skbuff.c:1075 [inline]
 skb_free_head net/core/skbuff.c:1087 [inline]
 skb_release_data+0x828/0xa60 net/core/skbuff.c:1114
 skb_release_all net/core/skbuff.c:1189 [inline]
 __kfree_skb+0x5d/0x210 net/core/skbuff.c:1203
 netlink_broadcast_filtered+0xe18/0xf20 net/netlink/af_netlink.c:1540
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2598
 mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691
 notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
 call_netdevice_notifiers net/core/dev.c:2301 [inline]
 unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421
 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
 ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
 kthread+0x389/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888114d8c000
 which belongs to the cache skbuff_small_head of size 704
The buggy address is located 69 bytes inside of
 freed 704-byte region [ffff888114d8c000, ffff888114d8c2c0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114d8c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000
head: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122
head: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000
head: 017ff00000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5484, tgid 5484 (kworker/u8:2), ts 72573003529, free_ts 72546506446
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7272
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
 alloc_from_pcs mm/slub.c:4750 [inline]
 slab_alloc_node mm/slub.c:4884 [inline]
 kmem_cache_alloc_node_noprof+0x441/0x690 mm/slub.c:4951
 kmalloc_reserve net/core/skbuff.c:613 [inline]
 __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
 alloc_skb include/linux/skbuff.h:1385 [inline]
 nlmsg_new include/net/netlink.h:1055 [inline]
 mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217
 mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691
 notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
 call_netdevice_notifiers net/core/dev.c:2301 [inline]
 unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421
 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
 ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
page last free pid 5484 tgid 5484 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1397 [inline]
 __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938
 stack_depot_save_flags+0x40e/0x810 lib/stackdepot.c:735
 kasan_save_stack mm/kasan/common.c:58 [inline]
 kasan_save_track+0x4f/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4570 [inline]
 slab_alloc_node mm/slub.c:4899 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4906
 kmem_alloc_batch lib/debugobjects.c:371 [inline]
 fill_pool+0x156/0x580 lib/debugobjects.c:420
 debug_objects_fill_pool lib/debugobjects.c:752 [inline]
 debug_object_activate+0x4a3/0x580 lib/debugobjects.c:841
 debug_rcu_head_queue kernel/rcu/rcu.h:236 [inline]
 __call_rcu_common kernel/rcu/tree.c:3116 [inline]
 call_rcu+0x43/0x890 kernel/rcu/tree.c:3251
 kernfs_put+0x259/0x520 fs/kernfs/dir.c:618
 kernfs_remove_by_name_ns+0xc8/0x140 fs/kernfs/dir.c:1799
 device_remove_class_symlinks+0x178/0x190 drivers/base/core.c:3479
 device_del+0x400/0x8f0 drivers/base/core.c:3881
 unregister_netdevice_many_notify+0x1d5f/0x22c0 net/core/dev.c:12456
 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
 ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397

Memory state around the buggy address:
 ffff888114d8bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888114d8bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888114d8c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888114d8c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888114d8c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

***

KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      9716c086c8e8b141d35aa61f2e96a2e83de212a7
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
syz repro: https://ci.syzbot.org/findings/f42da242-e16e-4f10-bf25-0bd7e192d989/syz_repro

loop0: lost filesystem error report for type 5 error -117
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
BUG: KASAN: slab-use-after-free in ext4_inlinedir_to_tree+0x94c/0x10d0 fs/ext4/inline.c:1335
Read of size 1 at addr ffff88816fee8825 by task syz.0.20/5867

CPU: 1 UID: 0 PID: 5867 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
 ext4_inlinedir_to_tree+0x94c/0x10d0 fs/ext4/inline.c:1335
 ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents fs/readdir.c:319 [inline]
 __se_sys_getdents+0xf1/0x270 fs/readdir.c:304
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f010ad9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f010bc0f028 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f010b015fa0 RCX: 00007f010ad9ce59
RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f010ae32d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f010b016038 R14: 00007f010b015fa0 R15: 00007ffd93577348
 </TASK>

Allocated by task 5064:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5296 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0x28b/0x550 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x58d/0x5d0 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827
 security_inode_getattr+0x12b/0x310 security/security.c:1895
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 vfs_fstatat+0xb4/0x170 fs/stat.c:371
 __do_sys_newfstatat fs/stat.c:538 [inline]
 __se_sys_newfstatat fs/stat.c:532 [inline]
 __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5064:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6251 [inline]
 kfree+0x1c5/0x640 mm/slub.c:6566
 tomoyo_path_perm+0x403/0x560 security/tomoyo/file.c:847
 security_inode_getattr+0x12b/0x310 security/security.c:1895
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat fs/stat.c:281 [inline]
 vfs_fstatat+0xb4/0x170 fs/stat.c:371
 __do_sys_newfstatat fs/stat.c:538 [inline]
 __se_sys_newfstatat fs/stat.c:532 [inline]
 __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88816fee8800
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 37 bytes inside of
 freed 64-byte region [ffff88816fee8800, ffff88816fee8840)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16fee8
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 21294026082, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7272
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
 alloc_from_pcs mm/slub.c:4750 [inline]
 slab_alloc_node mm/slub.c:4884 [inline]
 __do_kmalloc_node mm/slub.c:5295 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5308
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 handler_new_ref+0x261/0x9c0 drivers/media/v4l2-core/v4l2-ctrls-core.c:1882
 v4l2_ctrl_add_handler+0x19f/0x290 drivers/media/v4l2-core/v4l2-ctrls-core.c:2443
 vivid_create_controls+0x332d/0x3bd0 drivers/media/test-drivers/vivid/vivid-ctrls.c:2072
vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:1933 [inline] vivid_probe+0x4261/0x72b0 drivers/media/test-drivers/vivid/vivid-core.c:2095 platform_probe+0xf9/0x190 drivers/base/platform.c:1432 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x267/0xaf0 drivers/base/dd.c:709 __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871 driver_probe_device+0x4f/0x240 drivers/base/dd.c:901 __driver_attach+0x34c/0x640 drivers/base/dd.c:1295 page_owner free stack trace missing Memory state around the buggy address: ffff88816fee8700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff88816fee8780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff88816fee8800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff88816fee8880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88816fee8900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ================================================================== *** KASAN: use-after-free Read in __ext4_check_dir_entry tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 arch: amd64 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 config: https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config syz repro: https://ci.syzbot.org/findings/57c0b75a-8922-4dc1-9a20-ca947564792b/syz_repro ================================================================== BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] BUG: KASAN: use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 Read of size 1 at addr ffff88816be85045 by task syz.2.21/5880 CPU: 1 UID: 0 PID: 5880 Comm: syz.2.21 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> 
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203 ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984 ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213 __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 ext4_add_entry fs/ext4/namei.c:2613 [inline] ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936 ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982 lookup_open fs/namei.c:4511 [inline] open_last_lookups fs/namei.c:4611 [inline] path_openat+0x1395/0x3860 fs/namei.c:4855 do_file_open+0x23e/0x4a0 fs/namei.c:4887 do_sys_openat2+0x113/0x200 fs/open.c:1364 do_sys_open fs/open.c:1370 [inline] __do_sys_openat fs/open.c:1386 [inline] __se_sys_openat fs/open.c:1381 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1381 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5713b9ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff672b25f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007f5713e15fa0 RCX: 00007f5713b9ce59 RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004 RBP: 00007f5713c32d6f R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5713e15fac R14: 00007f5713e15fa0 R15: 00007f5713e15fa0 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16be85 flags: 
0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) page_type: f0(buddy) raw: 057ff00000000000 ffffea0005afa0c8 ffffea0005afa1c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000f0000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0xcc0(GFP_KERNEL), pid 5630, tgid 5630 (syz-executor), ts 67290853657, free_ts 69321168948 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 ___alloc_pages_bulk mm/kasan/shadow.c:345 [inline] __kasan_populate_vmalloc_do mm/kasan/shadow.c:370 [inline] __kasan_populate_vmalloc+0xc1/0x1d0 mm/kasan/shadow.c:424 kasan_populate_vmalloc include/linux/kasan.h:580 [inline] alloc_vmap_area+0xd47/0x1480 mm/vmalloc.c:2123 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3226 __vmalloc_node_range_noprof+0x36a/0x1750 mm/vmalloc.c:4024 vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218 kcov_ioctl+0x55/0x620 kernel/kcov.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5693 tgid 5693 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 kasan_depopulate_vmalloc_pte+0x6d/0x90 mm/kasan/shadow.c:484 apply_to_pte_range mm/memory.c:3338 [inline] apply_to_pmd_range mm/memory.c:3382 [inline] apply_to_pud_range mm/memory.c:3418 [inline] apply_to_p4d_range 
mm/memory.c:3454 [inline] __apply_to_page_range+0xbdc/0x1420 mm/memory.c:3490 __kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:602 kasan_release_vmalloc include/linux/kasan.h:593 [inline] kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline] purge_vmap_node+0x220/0x960 mm/vmalloc.c:2306 __purge_vmap_area_lazy+0x779/0xb40 mm/vmalloc.c:2396 drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430 process_one_work kernel/workqueue.c:3314 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 kthread+0x389/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff88816be84f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88816be84f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88816be85000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88816be85080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88816be85100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== *** If these findings have caused you to resend the series or submit a separate fix, please add the following tag to your commit message: Tested-by: syzbot@syzkaller.appspotmail.com --- This report is generated by a bot. It may contain errors. syzbot ci engineers can be reached at syzkaller@googlegroups.com. To test a patch for this bug, please reply with `#syz test` (should be on a separate line). The patch should be attached to the email. Note: arguments like custom git repos and branches are not supported. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot ci] Re: Data in direntry (dirdata) feature

From: Artem Blagodarenko @ 2026-06-19 14:10 UTC
To: adilger, artem.blagodarenko, linux-ext4, pravin.shelar
Cc: syzbot, syzkaller-bugs

Thanks for the report. The attached patch addresses the issues found in the dirdata series review (dx_get_dx_info/get_dx_countlimit blocksize fallback, dfid parameter shadowing in ext4_dirdata_get, and the unsafe delete-before-add in EXT4_IOC_SET_LUFID).

#syz test

On Thu, Jun 11, 2026 11:29 AM, syzbot ci <syzbot+cid7b922cb3d448114@syzkaller.appspotmail.com> wrote:
> syzbot ci has tested the following series
>
> [v2] Data in direntry (dirdata) feature
>
> https://lore.kernel.org/all/20260610152417.13576-1-ablagodarenko@thelustrecollective.com
> * [PATCH v2 01/10] ext4: replace ext4_dir_entry with ext4_dir_entry_2
> * [PATCH v2 02/10] ext4: add ext4_dir_entry_is_tail()
> * [PATCH v2 03/10] ext4: refactor dx_root to support variable dirent sizes
> * [PATCH v2 04/10] ext4: add dirdata format definitions and access helpers
> * [PATCH v2 05/10] ext4: preserve dirdata bits in get_dtype()
> * [PATCH v2 06/10] ext4: add ext4_dir_entry_len() and harden dirdata
> parsing
> * [PATCH v2 07/10] ext4: rename ext4_dir_rec_len() and clarify dirdata
> usage
> * [PATCH v2 08/10] ext4: dirdata feature
> * [PATCH v2 09/10] ext4: add dirdata set/get helpers
> * [PATCH v2 10/10] ext4: Add EXT4_IOC_SET_LUFID ioctl for setting LUFID on
> directory entries
>
> and found the following issues:
> * KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
> * KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree
> * KASAN: slab-use-after-free Read in __ext4_check_dir_entry
> * KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree
> * KASAN: use-after-free Read in __ext4_check_dir_entry
>
> Full report is available here:
> https://ci.syzbot.org/series/5bf0e2fa-2e68-4532-8396-4568879b2788
>
> ***
>
> KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
>
> tree: torvalds
> URL:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7
> arch: amd64
> compiler: Debian clang version 21.1.8
> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config:
> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
> syz repro:
> https://ci.syzbot.org/findings/b0854918-13f9-49dd-ab30-12154f0debe2/syz_repro
>
> loop0: lost filesystem error report for type 5 error -117
> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000
> r/w without journal. Quota mode: none.
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len
> fs/ext4/ext4.h:4069 [inline]
> BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4096
> [inline]
> BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x65a/0xc40
> fs/ext4/dir.c:96
> Read of size 1 at addr ffff8881022db7f5 by task syz.0.23/5815
>
> CPU: 1 UID: 0 PID: 5815 Comm: syz.0.23 Not tainted syzkaller #0
> PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> print_address_description+0x55/0x1e0 mm/kasan/report.c:378
> print_report+0x58/0x70 mm/kasan/report.c:482
> kasan_report+0x117/0x150 mm/kasan/report.c:595
> ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
> ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
> __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96
> ext4_check_all_de+0x66/0x150 fs/ext4/dir.c:657
> ext4_convert_inline_data_nolock+0x1b7/0x990 fs/ext4/inline.c:1121
> ext4_try_add_inline_entry+0x604/0x8e0 fs/ext4/inline.c:1247
> __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529
> ext4_add_entry fs/ext4/namei.c:2613 [inline]
> ext4_mkdir+0x5e5/0xce0 fs/ext4/namei.c:3175
> vfs_mkdir+0x413/0x630 fs/namei.c:5271
> filename_mkdirat+0x285/0x510 fs/namei.c:5304
> __do_sys_mkdirat fs/namei.c:5325 [inline]
> __se_sys_mkdirat+0x35/0x150 fs/namei.c:5322
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f669359bcc7
> Code: 00 66 90 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 db f7 ff
> ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd42381d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
> RAX: ffffffffffffffda RBX: 00007ffd42381dc0 RCX: 00007f669359bcc7
> RDX: 00000000000001ff RSI: 0000200000001200 RDI: 00000000ffffff9c
> RBP: 00002000000024c0 R08: 0000200000000240 R09: 0000000000000000
> R10: 00002000000024c0 R11: 0000000000000246 R12: 0000200000001200
> R13: 00007ffd42381d80 R14: 0000000000000000 R15: 0000000000000000
> </TASK>
>
> Allocated by task 5066:
> kasan_save_stack mm/kasan/common.c:57 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
> poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
> kasan_kmalloc include/linux/kasan.h:263 [inline]
> __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5420
> kmalloc_noprof include/linux/slab.h:950 [inline]
> kzalloc_noprof include/linux/slab.h:1188 [inline]
> kernfs_get_open_node fs/kernfs/file.c:543 [inline]
> kernfs_fop_open+0x862/0xda0 fs/kernfs/file.c:718
> do_dentry_open+0x822/0x13a0 fs/open.c:947
> vfs_open+0x3b/0x340 fs/open.c:1079
> do_open fs/namei.c:4699 [inline]
> path_openat+0x2e08/0x3860 fs/namei.c:4858
> do_file_open+0x23e/0x4a0 fs/namei.c:4887
> do_sys_openat2+0x113/0x200 fs/open.c:1364
> do_sys_open fs/open.c:1370 [inline]
> __do_sys_openat fs/open.c:1386 [inline]
> __se_sys_openat fs/open.c:1381 [inline]
> __x64_sys_openat+0x138/0x170 fs/open.c:1381
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Last potentially related work creation:
> kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
> kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
> kvfree_call_rcu+0x100/0x430 mm/slab_common.c:1970
> kernfs_unlink_open_file+0x3fe/0x4b0 fs/kernfs/file.c:604
> kernfs_fop_release+0x2eb/0x440 fs/kernfs/file.c:783
> __fput+0x44f/0xa60 fs/file_table.c:510
> fput_close_sync+0x11f/0x240 fs/file_table.c:615
> __do_sys_close fs/open.c:1507 [inline]
> __se_sys_close fs/open.c:1492 [inline]
> __x64_sys_close+0x7e/0x110 fs/open.c:1492
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> The buggy address belongs to the object at ffff8881022db700
> which belongs to the cache kmalloc-128 of size 128
> The buggy address is located 117 bytes to the right of
> allocated 128-byte region [ffff8881022db700, ffff8881022db780)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022db
> flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 017ff00000000000 ffff888100041a00 dead000000000100 dead000000000122
> raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask
> 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0,
> tgid 0 (swapper/0), ts 2408938923, free_ts 0
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
> prep_new_page mm/page_alloc.c:1861 [inline]
> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
> alloc_slab_page mm/slub.c:3278 [inline]
> allocate_slab+0x77/0x660 mm/slub.c:3467
> new_slab mm/slub.c:3525 [inline]
> refill_objects+0x339/0x3d0 mm/slub.c:7272
> refill_sheaf mm/slub.c:2816 [inline]
> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
> alloc_from_pcs mm/slub.c:4750 [inline]
> slab_alloc_node mm/slub.c:4884 [inline]
> __do_kmalloc_node mm/slub.c:5295 [inline]
> __kmalloc_noprof+0x474/0x760 mm/slub.c:5308
> kmalloc_noprof include/linux/slab.h:954 [inline]
> kzalloc_noprof include/linux/slab.h:1188 [inline]
> __alloc_empty_sheaf mm/slub.c:2768 [inline]
> alloc_empty_sheaf mm/slub.c:2783 [inline]
> __pcs_replace_empty_main+0x2df/0x720 mm/slub.c:4647
> alloc_from_pcs mm/slub.c:4750 [inline]
> slab_alloc_node mm/slub.c:4884 [inline]
> kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4906
> dup_fd+0x55/0xb40 fs/file.c:390
> copy_files+0xc8/0x120 kernel/fork.c:1639
> copy_process+0x1d94/0x4440 kernel/fork.c:2252
> kernel_clone+0x2d7/0x940 kernel/fork.c:2722
> user_mode_thread+0x110/0x180 kernel/fork.c:2798
> rest_init+0x23/0x300 init/main.c:727
> start_kernel+0x38a/0x3e0 init/main.c:1220
> page_owner free stack trace missing
>
> Memory state around the buggy address:
> ffff8881022db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881022db700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff8881022db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
> ffff8881022db800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8881022db880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ***
>
> KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree
>
> tree: torvalds
> URL:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7
> arch: amd64
> compiler: Debian clang version 21.1.8
> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config:
> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
> syz repro:
> https://ci.syzbot.org/findings/2dff870b-f382-4c93-8d8d-b2291d921224/syz_repro
>
> loop1: lost filesystem error report for type 5 error -117
> EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000
> r/w without journal. Quota mode: none.
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4095
> [inline]
> BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0xda5/0x10d0
> fs/ext4/inline.c:1335
> Read of size 2 at addr ffff888115a3183c by task syz.1.18/5839
>
> CPU: 1 UID: 0 PID: 5839 Comm: syz.1.18 Not tainted syzkaller #0
> PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> print_address_description+0x55/0x1e0 mm/kasan/report.c:378
> print_report+0x58/0x70 mm/kasan/report.c:482
> kasan_report+0x117/0x150 mm/kasan/report.c:595
> ext4_dir_entry_len fs/ext4/ext4.h:4095 [inline]
> ext4_inlinedir_to_tree+0xda5/0x10d0 fs/ext4/inline.c:1335
> ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182
> ext4_dx_readdir fs/ext4/dir.c:600 [inline]
> ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146
> iterate_dir+0x399/0x570 fs/readdir.c:110
> __do_sys_getdents64 fs/readdir.c:399 [inline]
> __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f3e02b9ce59
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f3e03ad5028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
> RAX: ffffffffffffffda RBX: 00007f3e02e15fa0 RCX: 00007f3e02b9ce59
> RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004
> RBP: 00007f3e02c32d6f R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f3e02e16038 R14: 00007f3e02e15fa0 R15: 00007ffcaa902298
> </TASK>
>
> Allocated by task 5839:
> kasan_save_stack mm/kasan/common.c:57 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
> poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
> kasan_kmalloc include/linux/kasan.h:263 [inline]
> __do_kmalloc_node mm/slub.c:5296 [inline]
> __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308
> kmalloc_noprof include/linux/slab.h:954 [inline]
> ext4_inlinedir_to_tree+0x312/0x10d0 fs/ext4/inline.c:1292
> ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182
> ext4_dx_readdir fs/ext4/dir.c:600 [inline]
> ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146
> iterate_dir+0x399/0x570 fs/readdir.c:110
> __do_sys_getdents64 fs/readdir.c:399 [inline]
> __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> The buggy address belongs to the object at ffff888115a31800
> which belongs to the cache kmalloc-64 of size 64
> The buggy address is located 0 bytes to the right of
> allocated 60-byte region [ffff888115a31800, ffff888115a3183c)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115a31
> flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
> raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask
> 0xd2c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC),
> pid 5051, tgid 5051 (acpid), ts 27203740677, free_ts 27201732767
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
> prep_new_page mm/page_alloc.c:1861 [inline]
> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
> alloc_slab_page mm/slub.c:3278 [inline]
> allocate_slab+0x77/0x660 mm/slub.c:3467
> new_slab mm/slub.c:3525 [inline]
> refill_objects+0x339/0x3d0 mm/slub.c:7272
> refill_sheaf mm/slub.c:2816 [inline]
> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
> alloc_from_pcs mm/slub.c:4750 [inline]
> slab_alloc_node mm/slub.c:4884 [inline]
> __do_kmalloc_node mm/slub.c:5295 [inline]
> __kmalloc_noprof+0x474/0x760 mm/slub.c:5308
> kmalloc_noprof include/linux/slab.h:954 [inline]
> kzalloc_noprof include/linux/slab.h:1188 [inline]
> tomoyo_get_name+0x20c/0x590 security/tomoyo/memory.c:173
> tomoyo_parse_name_union+0xd9/0x130 security/tomoyo/util.c:260
> tomoyo_update_path_acl security/tomoyo/file.c:399 [inline]
> tomoyo_write_file+0x3a6/0xc50 security/tomoyo/file.c:1027
> tomoyo_write_domain2 security/tomoyo/common.c:1160 [inline]
> tomoyo_add_entry security/tomoyo/common.c:2177 [inline]
> tomoyo_supervisor+0x1208/0x1570 security/tomoyo/common.c:2238
> tomoyo_audit_path_log security/tomoyo/file.c:169 [inline]
> tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:592
> tomoyo_check_open_permission+0x2b2/0x470 security/tomoyo/file.c:782
> security_file_open+0xa9/0x240 security/security.c:2739
> do_dentry_open+0x4a8/0x13a0 fs/open.c:924
> vfs_open+0x3b/0x340 fs/open.c:1079
> page last free pid 15 tgid 15 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> __free_pages_prepare mm/page_alloc.c:1397 [inline]
> __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938
> __tlb_remove_table_free mm/mmu_gather.c:228 [inline]
> tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:291
> rcu_do_batch kernel/rcu/tree.c:2617 [inline]
> rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
> handle_softirqs+0x22a/0x840 kernel/softirq.c:622
> run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076
> smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
> kthread+0x389/0x470 kernel/kthread.c:436
> ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> Memory state around the buggy address:
> ffff888115a31700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff888115a31780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
> >ffff888115a31800: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
> ^
> ffff888115a31880: 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc fc
> ffff888115a31900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ***
>
> KASAN: slab-use-after-free Read in __ext4_check_dir_entry
>
> tree: torvalds
> URL:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7
> arch: amd64
> compiler: Debian clang version 21.1.8
> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config:
> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
> syz repro:
> https://ci.syzbot.org/findings/f1d48ea1-6e87-4d64-9c13-8bf8aed109fc/syz_repro
>
> loop0: lost filesystem error report for type 5 error -117
> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000
> r/w without journal. Quota mode: none.
> ==================================================================
> BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len
> fs/ext4/ext4.h:4069 [inline]
> BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096
> [inline]
> BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x65a/0xc40
> fs/ext4/dir.c:96
> Read of size 1 at addr ffff888114d8c045 by task syz.0.20/5821
>
> CPU: 1 UID: 0 PID: 5821 Comm: syz.0.20 Not tainted syzkaller #0
> PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> print_address_description+0x55/0x1e0 mm/kasan/report.c:378
> print_report+0x58/0x70 mm/kasan/report.c:482
> kasan_report+0x117/0x150 mm/kasan/report.c:595
> ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline]
> ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline]
> __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96
> ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203
> ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984
> ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213
> __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529
> ext4_add_entry fs/ext4/namei.c:2613 [inline]
> ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936
> ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982
> lookup_open fs/namei.c:4511 [inline]
> open_last_lookups fs/namei.c:4611 [inline]
> path_openat+0x1395/0x3860 fs/namei.c:4855
> do_file_open+0x23e/0x4a0 fs/namei.c:4887
> do_sys_openat2+0x113/0x200 fs/open.c:1364
> do_sys_open fs/open.c:1370 [inline]
> __do_sys_openat fs/open.c:1386 [inline]
> __se_sys_openat fs/open.c:1381 [inline]
> __x64_sys_openat+0x138/0x170 fs/open.c:1381
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f922219ce59
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f9223137028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 00007f9222415fa0 RCX: 00007f922219ce59
> RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004
> RBP: 00007f9222232d6f R08: 0000000000000000 R09: 0000000000000000
> R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f9222416038 R14: 00007f9222415fa0 R15: 00007ffd01a2d448
> </TASK>
>
> Allocated by task 5484:
> kasan_save_stack mm/kasan/common.c:57 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
> unpoison_slab_object mm/kasan/common.c:340 [inline]
> __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
> kasan_slab_alloc include/linux/kasan.h:253 [inline]
> slab_post_alloc_hook mm/slub.c:4570 [inline]
> slab_alloc_node mm/slub.c:4899 [inline]
> kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4951
> kmalloc_reserve net/core/skbuff.c:613 [inline]
> __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
> alloc_skb include/linux/skbuff.h:1385 [inline]
> nlmsg_new include/net/netlink.h:1055 [inline]
> mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217
> mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691
> notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
> call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
> call_netdevice_notifiers net/core/dev.c:2301 [inline]
> unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421
> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
> process_one_work kernel/workqueue.c:3314 [inline]
> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
> kthread+0x389/0x470 kernel/kthread.c:436
> ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> Freed by task 5484:
> kasan_save_stack mm/kasan/common.c:57 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
> poison_slab_object mm/kasan/common.c:253 [inline]
> __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
> kasan_slab_free include/linux/kasan.h:235 [inline]
> slab_free_hook mm/slub.c:2689 [inline]
> slab_free mm/slub.c:6251 [inline]
> kfree+0x1c5/0x640 mm/slub.c:6566
> skb_kfree_head net/core/skbuff.c:1075 [inline]
> skb_free_head net/core/skbuff.c:1087 [inline]
> skb_release_data+0x828/0xa60 net/core/skbuff.c:1114
> skb_release_all net/core/skbuff.c:1189 [inline]
> __kfree_skb+0x5d/0x210 net/core/skbuff.c:1203
> netlink_broadcast_filtered+0xe18/0xf20 net/netlink/af_netlink.c:1540
> nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
> nlmsg_multicast include/net/netlink.h:1184 [inline]
> nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2598
> mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691
> notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
> call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
> call_netdevice_notifiers net/core/dev.c:2301 [inline]
> unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421
> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
> process_one_work kernel/workqueue.c:3314 [inline]
> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
> kthread+0x389/0x470 kernel/kthread.c:436
> ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> The buggy address belongs to the object at ffff888114d8c000
> which belongs to the cache skbuff_small_head of size 704
> The buggy address is located 69 bytes inside of
> freed 704-byte region [ffff888114d8c000, ffff888114d8c2c0)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114d8c
> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122
> raw: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000
> head: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122
> head: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000
> head: 017ff00000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff
> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask
> 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC),
> pid 5484, tgid 5484 (kworker/u8:2), ts 72573003529, free_ts 72546506446
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
> prep_new_page mm/page_alloc.c:1861 [inline]
> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941
> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
> alloc_slab_page mm/slub.c:3278 [inline]
> allocate_slab+0x77/0x660 mm/slub.c:3467
> new_slab mm/slub.c:3525 [inline]
> refill_objects+0x339/0x3d0 mm/slub.c:7272
> refill_sheaf mm/slub.c:2816 [inline]
> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652
> alloc_from_pcs mm/slub.c:4750 [inline]
> slab_alloc_node mm/slub.c:4884 [inline]
> kmem_cache_alloc_node_noprof+0x441/0x690 mm/slub.c:4951
> kmalloc_reserve net/core/skbuff.c:613 [inline]
> __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
> alloc_skb include/linux/skbuff.h:1385 [inline]
> nlmsg_new include/net/netlink.h:1055 [inline]
> mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217
> mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691
> notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
> call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
> call_netdevice_notifiers net/core/dev.c:2301 [inline]
> unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421
> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
> process_one_work kernel/workqueue.c:3314 [inline]
> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
> page last free pid 5484 tgid 5484 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> __free_pages_prepare mm/page_alloc.c:1397 [inline]
> __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938
> stack_depot_save_flags+0x40e/0x810 lib/stackdepot.c:735
> kasan_save_stack mm/kasan/common.c:58 [inline]
> kasan_save_track+0x4f/0x80 mm/kasan/common.c:78
> unpoison_slab_object mm/kasan/common.c:340 [inline]
> __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
> kasan_slab_alloc include/linux/kasan.h:253 [inline]
> slab_post_alloc_hook mm/slub.c:4570 [inline]
> slab_alloc_node mm/slub.c:4899 [inline]
> kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4906
> kmem_alloc_batch lib/debugobjects.c:371 [inline]
> fill_pool+0x156/0x580 lib/debugobjects.c:420
> debug_objects_fill_pool lib/debugobjects.c:752 [inline]
> debug_object_activate+0x4a3/0x580 lib/debugobjects.c:841
> debug_rcu_head_queue kernel/rcu/rcu.h:236 [inline]
> __call_rcu_common kernel/rcu/tree.c:3116 [inline]
> call_rcu+0x43/0x890 kernel/rcu/tree.c:3251
> kernfs_put+0x259/0x520 fs/kernfs/dir.c:618
> kernfs_remove_by_name_ns+0xc8/0x140 fs/kernfs/dir.c:1799
> device_remove_class_symlinks+0x178/0x190 drivers/base/core.c:3479
> device_del+0x400/0x8f0 drivers/base/core.c:3881
> unregister_netdevice_many_notify+0x1d5f/0x22c0 net/core/dev.c:12456
> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248
> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
> process_one_work kernel/workqueue.c:3314 [inline]
> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
>
> Memory state around the buggy address:
> ffff888114d8bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888114d8bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff888114d8c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff888114d8c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888114d8c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ***
>
> KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree
>
> tree: torvalds
> URL:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7
> arch: amd64
> compiler: Debian clang version 21.1.8
> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config:
> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config
> syz repro:
> https://ci.syzbot.org/findings/f42da242-e16e-4f10-bf25-0bd7e192d989/syz_repro
>
> loop0: lost filesystem error report for type 5 error -117
> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000
> r/w without journal. Quota mode: none.
> ================================================================== > BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len > fs/ext4/ext4.h:4069 [inline] > BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 > [inline] > BUG: KASAN: slab-use-after-free in ext4_inlinedir_to_tree+0x94c/0x10d0 > fs/ext4/inline.c:1335 > Read of size 1 at addr ffff88816fee8825 by task syz.0.20/5867 > > CPU: 1 UID: 0 PID: 5867 Comm: syz.0.20 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] > ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] > ext4_inlinedir_to_tree+0x94c/0x10d0 fs/ext4/inline.c:1335 > ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 > ext4_dx_readdir fs/ext4/dir.c:600 [inline] > ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 > iterate_dir+0x399/0x570 fs/readdir.c:110 > __do_sys_getdents fs/readdir.c:319 [inline] > __se_sys_getdents+0xf1/0x270 fs/readdir.c:304 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f010ad9ce59 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f010bc0f028 EFLAGS: 00000246 ORIG_RAX: 000000000000004e > RAX: ffffffffffffffda RBX: 00007f010b015fa0 RCX: 00007f010ad9ce59 > RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004 > RBP: 00007f010ae32d6f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000 > R13: 00007f010b016038 R14: 00007f010b015fa0 R15: 00007ffd93577348 > </TASK> > > Allocated by task 5064: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > poison_kmalloc_redzone mm/kasan/common.c:398 [inline] > __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 > kasan_kmalloc include/linux/kasan.h:263 [inline] > __do_kmalloc_node mm/slub.c:5296 [inline] > __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > kzalloc_noprof include/linux/slab.h:1188 [inline] > tomoyo_encode2 security/tomoyo/realpath.c:45 [inline] > tomoyo_encode+0x28b/0x550 security/tomoyo/realpath.c:80 > tomoyo_realpath_from_path+0x58d/0x5d0 security/tomoyo/realpath.c:283 > tomoyo_get_realpath security/tomoyo/file.c:151 [inline] > tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 > security_inode_getattr+0x12b/0x310 security/security.c:1895 > vfs_getattr fs/stat.c:259 [inline] > vfs_fstat fs/stat.c:281 [inline] > vfs_fstatat+0xb4/0x170 fs/stat.c:371 > __do_sys_newfstatat fs/stat.c:538 [inline] > __se_sys_newfstatat fs/stat.c:532 [inline] > __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > Freed by task 5064: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 > poison_slab_object mm/kasan/common.c:253 [inline] > __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 > kasan_slab_free include/linux/kasan.h:235 [inline] > slab_free_hook mm/slub.c:2689 [inline] > slab_free mm/slub.c:6251 [inline] > kfree+0x1c5/0x640 mm/slub.c:6566 > tomoyo_path_perm+0x403/0x560 security/tomoyo/file.c:847 > security_inode_getattr+0x12b/0x310 security/security.c:1895 > vfs_getattr fs/stat.c:259 [inline] > vfs_fstat fs/stat.c:281 [inline] > 
vfs_fstatat+0xb4/0x170 fs/stat.c:371 > __do_sys_newfstatat fs/stat.c:538 [inline] > __se_sys_newfstatat fs/stat.c:532 [inline] > __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > The buggy address belongs to the object at ffff88816fee8800 > which belongs to the cache kmalloc-64 of size 64 > The buggy address is located 37 bytes inside of > freed 64-byte region [ffff88816fee8800, ffff88816fee8840) > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16fee8 > flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) > page_type: f5(slab) > raw: 057ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122 > raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 0, migratetype Unmovable, gfp_mask > 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), > pid 1, tgid 1 (swapper/0), ts 21294026082, free_ts 0 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > alloc_slab_page mm/slub.c:3278 [inline] > allocate_slab+0x77/0x660 mm/slub.c:3467 > new_slab mm/slub.c:3525 [inline] > refill_objects+0x339/0x3d0 mm/slub.c:7272 > refill_sheaf mm/slub.c:2816 [inline] > __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 > alloc_from_pcs mm/slub.c:4750 [inline] > slab_alloc_node mm/slub.c:4884 [inline] > __do_kmalloc_node mm/slub.c:5295 [inline] > __kmalloc_noprof+0x474/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > kzalloc_noprof 
include/linux/slab.h:1188 [inline] > handler_new_ref+0x261/0x9c0 drivers/media/v4l2-core/v4l2-ctrls-core.c:1882 > v4l2_ctrl_add_handler+0x19f/0x290 > drivers/media/v4l2-core/v4l2-ctrls-core.c:2443 > vivid_create_controls+0x332d/0x3bd0 > drivers/media/test-drivers/vivid/vivid-ctrls.c:2072 > vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:1933 > [inline] > vivid_probe+0x4261/0x72b0 > drivers/media/test-drivers/vivid/vivid-core.c:2095 > platform_probe+0xf9/0x190 drivers/base/platform.c:1432 > call_driver_probe drivers/base/dd.c:-1 [inline] > really_probe+0x267/0xaf0 drivers/base/dd.c:709 > __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871 > driver_probe_device+0x4f/0x240 drivers/base/dd.c:901 > __driver_attach+0x34c/0x640 drivers/base/dd.c:1295 > page_owner free stack trace missing > > Memory state around the buggy address: > ffff88816fee8700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc > ffff88816fee8780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc > >ffff88816fee8800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ^ > ffff88816fee8880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff88816fee8900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ================================================================== > > > *** > > KASAN: use-after-free Read in __ext4_check_dir_entry > > tree: torvalds > URL: > https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux > base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 > arch: amd64 > compiler: Debian clang version 21.1.8 > (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > config: > https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config > syz repro: > https://ci.syzbot.org/findings/57c0b75a-8922-4dc1-9a20-ca947564792b/syz_repro > > ================================================================== > BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 > [inline] > BUG: KASAN: use-after-free in 
ext4_dir_entry_len fs/ext4/ext4.h:4096 > [inline] > BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x65a/0xc40 > fs/ext4/dir.c:96 > Read of size 1 at addr ffff88816be85045 by task syz.2.21/5880 > > CPU: 1 UID: 0 PID: 5880 Comm: syz.2.21 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] > ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] > __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 > ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203 > ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984 > ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213 > __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 > ext4_add_entry fs/ext4/namei.c:2613 [inline] > ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936 > ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982 > lookup_open fs/namei.c:4511 [inline] > open_last_lookups fs/namei.c:4611 [inline] > path_openat+0x1395/0x3860 fs/namei.c:4855 > do_file_open+0x23e/0x4a0 fs/namei.c:4887 > do_sys_openat2+0x113/0x200 fs/open.c:1364 > do_sys_open fs/open.c:1370 [inline] > __do_sys_openat fs/open.c:1386 [inline] > __se_sys_openat fs/open.c:1381 [inline] > __x64_sys_openat+0x138/0x170 fs/open.c:1381 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f5713b9ce59 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007fff672b25f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 > RAX: 
ffffffffffffffda RBX: 00007f5713e15fa0 RCX: 00007f5713b9ce59 > RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004 > RBP: 00007f5713c32d6f R08: 0000000000000000 R09: 0000000000000000 > R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000 > R13: 00007f5713e15fac R14: 00007f5713e15fa0 R15: 00007f5713e15fa0 > </TASK> > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16be85 > flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) > page_type: f0(buddy) > raw: 057ff00000000000 ffffea0005afa0c8 ffffea0005afa1c8 0000000000000000 > raw: 0000000000000000 0000000000000000 00000000f0000000 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as freed > page last allocated via order 0, migratetype Unmovable, gfp_mask > 0xcc0(GFP_KERNEL), pid 5630, tgid 5630 (syz-executor), ts 67290853657, > free_ts 69321168948 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 > alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 > ___alloc_pages_bulk mm/kasan/shadow.c:345 [inline] > __kasan_populate_vmalloc_do mm/kasan/shadow.c:370 [inline] > __kasan_populate_vmalloc+0xc1/0x1d0 mm/kasan/shadow.c:424 > kasan_populate_vmalloc include/linux/kasan.h:580 [inline] > alloc_vmap_area+0xd47/0x1480 mm/vmalloc.c:2123 > __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3226 > __vmalloc_node_range_noprof+0x36a/0x1750 mm/vmalloc.c:4024 > vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218 > kcov_ioctl+0x55/0x620 kernel/kcov.c:726 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:597 [inline] > __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 
[inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > page last free pid 5693 tgid 5693 stack trace: > reset_page_owner include/linux/page_owner.h:25 [inline] > __free_pages_prepare mm/page_alloc.c:1397 [inline] > __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 > kasan_depopulate_vmalloc_pte+0x6d/0x90 mm/kasan/shadow.c:484 > apply_to_pte_range mm/memory.c:3338 [inline] > apply_to_pmd_range mm/memory.c:3382 [inline] > apply_to_pud_range mm/memory.c:3418 [inline] > apply_to_p4d_range mm/memory.c:3454 [inline] > __apply_to_page_range+0xbdc/0x1420 mm/memory.c:3490 > __kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:602 > kasan_release_vmalloc include/linux/kasan.h:593 [inline] > kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline] > purge_vmap_node+0x220/0x960 mm/vmalloc.c:2306 > __purge_vmap_area_lazy+0x779/0xb40 mm/vmalloc.c:2396 > drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430 > process_one_work kernel/workqueue.c:3314 [inline] > process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 > worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 > kthread+0x389/0x470 kernel/kthread.c:436 > ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > > Memory state around the buggy address: > ffff88816be84f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff88816be84f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff88816be85000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ^ > ffff88816be85080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ffff88816be85100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ================================================================== > > > *** > > If these findings have caused you to resend the series or submit a > separate fix, please add the following tag to your commit message: > Tested-by: syzbot@syzkaller.appspotmail.com > > --- > This report is generated by a bot. 
It may contain errors.
> syzbot ci engineers can be reached at syzkaller@googlegroups.com.
>
> To test a patch for this bug, please reply with `#syz test`
> (should be on a separate line).
>
> The patch should be attached to the email.
> Note: arguments like custom git repos and branches are not supported.

[-- Attachment #2: dirdata-syzbot-fix.patch --]
[-- Type: application/octet-stream, Size: 11438 bytes --]

From e3d5c74f1ec0fbefb9a4b9193a474614b98d640a Mon Sep 17 00:00:00 2001
From: Artem Blagodarenko <artem.blagodarenko@gmail.com>
Date: Fri, 19 Jun 2026 09:48:12 -0400
Subject: [PATCH] ext4: fix issues reported by syzbot/CI on the dirdata series

Address the following issues found by automated review of the v2 dirdata
patch series:

- dx_get_dx_info() called ext4_dir_entry_len() with dir hardcoded to NULL,
  forcing its blocksize fallback to 4096 regardless of the real filesystem
  blocksize, and never validated that the computed offset stayed within the
  block. Thread the real inode through and reject out-of-bounds results.

- get_dx_countlimit() had the same NULL-dir blocksize-fallback bug at a
  separate call site; pass the real inode through there too.

- ext4_dirdata_get() declared a local "dfid" inside the EXT4_DIRENT_LUFID
  branch that shadowed the function's own "dfid" output parameter, so the
  LUFID copy never reached the caller's buffer. Rename the local and copy
  into the real parameter. Also, both ext4_dirdata_get() and
  ext4_dirdata_set() compared offsets against the raw on-disk de->rec_len
  instead of decoding it via ext4_rec_len_from_disk(), which is wrong on
  big-endian hosts and mishandles the "0/65535 means full block" sentinel.

- ext4_dirdata_set_lufid() (EXT4_IOC_SET_LUFID) deleted the existing
  directory entry and then tried to re-add it with the new LUFID data; if
  ext4_add_entry() failed, the inode was left with no directory entry
  pointing at it. On failure, attempt to restore the original entry, and
  loudly flag inode corruption if that also fails.

Signed-off-by: Artem Blagodarenko <artem.blagodarenko@gmail.com>
---
 fs/ext4/namei.c | 105 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 78 insertions(+), 27 deletions(-)

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 65c53c08213a..e6f54dba735e 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -412,7 +412,7 @@ static struct dx_countlimit *get_dx_countlimit(struct inode *inode, if (le16_to_cpu(de->rec_len) != (blocksize - rlen)) return NULL; /* de->rec_len covers whole dx_root block, calculate actual length */ - dotdot_rec_len = ext4_dir_entry_len(de, NULL); + dotdot_rec_len = ext4_dir_entry_len(de, inode); root = (struct dx_root_info *)(((char *)de + dotdot_rec_len)); if (root->reserved_zero || root->info_length != sizeof(struct dx_root_info)) @@ -520,13 +520,20 @@ ext4_next_entry(struct ext4_dir_entry_2 *p, unsigned long blocksize) * Future: use high four bits of block for coalesce-on-delete flags * Mask them off for now. */ -static struct dx_root_info *dx_get_dx_info(void *de_buf) +static struct dx_root_info *dx_get_dx_info(struct inode *dir, void *de_buf) { + unsigned int blocksize = dir->i_sb->s_blocksize; + void *base = de_buf; + /* get dotdot first */ - de_buf += ext4_dir_entry_len(de_buf, NULL); + de_buf += ext4_dir_entry_len(de_buf, dir); /* dx root info is after dotdot entry */ - de_buf += ext4_dir_entry_len(de_buf, NULL); + de_buf += ext4_dir_entry_len(de_buf, dir); + + if (de_buf < base || (char *)de_buf - (char *)base + + sizeof(struct dx_root_info) > blocksize) + return ERR_PTR(-EFSCORRUPTED); return (struct dx_root_info *)de_buf; } @@ -577,7 +584,9 @@ static inline unsigned dx_root_limit(struct inode *dir, struct dx_root_info *info; unsigned int entry_space; - info = dx_get_dx_info(dot_de); + info = dx_get_dx_info(dir, dot_de); + if (IS_ERR(info)) + return 0; entry_space = dir->i_sb->s_blocksize - ((char *)info - (char *)dot_de) - info->info_length; 
@@ -793,7 +802,9 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, if (IS_ERR(frame->bh)) return (struct dx_frame *) frame->bh; - info = dx_get_dx_info((struct ext4_dir_entry_2 *)frame->bh->b_data); + info = dx_get_dx_info(dir, (struct ext4_dir_entry_2 *)frame->bh->b_data); + if (IS_ERR(info)) + goto fail; if (info->hash_version != DX_HASH_TEA && info->hash_version != DX_HASH_HALF_MD4 && info->hash_version != DX_HASH_LEGACY && @@ -938,7 +949,7 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, return ret_err; } -static void dx_release(struct dx_frame *frames) +static void dx_release(struct inode *dir, struct dx_frame *frames) { struct dx_root_info *info; int i; @@ -947,7 +958,9 @@ static void dx_release(struct dx_frame *frames) if (frames[0].bh == NULL) return; - info = dx_get_dx_info((struct ext4_dir_entry_2 *)frames[0].bh->b_data); + info = dx_get_dx_info(dir, (struct ext4_dir_entry_2 *)frames[0].bh->b_data); + if (IS_ERR(info)) + return; /* save local copy, "info" may be freed after brelse() */ indirect_levels = info->indirect_levels; for (i = 0; i <= indirect_levels; i++) { @@ -1253,12 +1266,12 @@ int ext4_htree_fill_tree(struct file *dir_file, __u32 start_hash, (count && ((hashval & 1) == 0))) break; } - dx_release(frames); + dx_release(dir, frames); dxtrace(printk(KERN_DEBUG "Fill tree: returned %d entries, " "next hash: %x\n", count, *next_hash)); return count; errout: - dx_release(frames); + dx_release(dir, frames); return (err); } @@ -1296,8 +1309,10 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, { unsigned char ret = 0; unsigned int data_offset = de->name_len + 1; + unsigned int rec_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); - if (data_offset > de->rec_len) + if (data_offset > rec_len) return ret; /* compatibility: hash stored inline after filename (no dirdata) */ 
@@ -1312,19 +1327,20 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, /* EXT4_DIRENT_* are not expected without flag in i_sb */ if (de->file_type & EXT4_DIRENT_LUFID) { - struct ext4_dirent_fid *dfid = + struct ext4_dirent_fid *disk_fid = (struct ext4_dirent_fid *)(de->name + data_offset); unsigned int dlen; - if (data_offset + sizeof(dfid->df_header) > de->rec_len) + if (data_offset + sizeof(disk_fid->df_header) > rec_len) return ret; - dlen = dfid->df_header.ddh_length; - if (dlen < sizeof(*dfid) || data_offset + dlen > de->rec_len) + dlen = disk_fid->df_header.ddh_length; + if (dlen < sizeof(*disk_fid) || data_offset + dlen > rec_len) return ret; if (dfid) { - memcpy(dfid, dfid->df_fid, dfid->df_header.ddh_length); + memcpy(dfid, disk_fid->df_fid, + disk_fid->df_header.ddh_length); ret |= EXT4_DIRENT_LUFID; } data_offset += dlen; @@ -1336,11 +1352,11 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, (struct ext4_dirent_data_header *)(de->name + data_offset); unsigned int dlen; - if (data_offset + sizeof(*ddh) > de->rec_len) + if (data_offset + sizeof(*ddh) > rec_len) return ret; dlen = ddh->ddh_length; - if (dlen < sizeof(*ddh) || data_offset + dlen > de->rec_len) + if (dlen < sizeof(*ddh) || data_offset + dlen > rec_len) return ret; data_offset += dlen; @@ -1355,7 +1371,7 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, unsigned int dlen; dlen = dh->dh_header.ddh_length; - if (dlen < sizeof(*dh) || data_offset + dlen > de->rec_len) + if (dlen < sizeof(*dh) || data_offset + dlen > rec_len) return ret; hinfo->hash = le32_to_cpu(dh->dh_hash.hash); 
@@ -1383,12 +1399,14 @@ static void ext4_dirdata_set(struct ext4_dir_entry_2 *de, struct inode *dir, { struct dx_hash_info *hinfo = &fname->hinfo; unsigned int data_offset = de->name_len + 1; + unsigned int rec_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); if (dfid) { unsigned int dlen = dfid->df_header.ddh_length; - if (data_offset + dlen > de->rec_len) { + if (data_offset + dlen > rec_len) { EXT4_ERROR_INODE(dir, "Can not insert FID"); return; } @@ -1406,7 +1424,7 @@ static void ext4_dirdata_set(struct ext4_dir_entry_2 *de, struct inode *dir, struct ext4_dirent_hash *dh = (struct ext4_dirent_hash *)(de->name + data_offset); - if (data_offset + sizeof(*dh) > de->rec_len) { + if (data_offset + sizeof(*dh) > rec_len) { EXT4_ERROR_INODE(dir, "Can not insert dhash dirdata"); return; } @@ -1418,7 +1436,7 @@ static void ext4_dirdata_set(struct ext4_dir_entry_2 *de, struct inode *dir, } else { /* Compatibility: store hash inline after filename */ if (data_offset + sizeof(struct ext4_dir_entry_hash) > - de-> rec_len) { + rec_len) { EXT4_ERROR_INODE(dir, "Can not insert dhash"); return; } @@ -1906,7 +1924,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, errout: dxtrace(printk(KERN_DEBUG "%s not found\n", fname->usr_fname->name)); success: - dx_release(frames); + dx_release(dir, frames); return bh; } @@ -2425,7 +2443,12 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, blocksize); /* initialize hashing info */ - dx_info = dx_get_dx_info(dot_de); + dx_info = dx_get_dx_info(dir, dot_de); + if (IS_ERR(dx_info)) { + brelse(bh2); + brelse(bh); + return PTR_ERR(dx_info); + } memset(dx_info, 0, sizeof(*dx_info)); dx_info->info_length = sizeof(*dx_info); if (ext4_hash_in_dirent(dir)) @@ -2483,7 +2506,7 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, */ if (retval) ext4_mark_inode_dirty(handle, dir); - dx_release(frames); + dx_release(dir, frames); brelse(bh2); return retval; } 
@@ -2759,8 +2782,13 @@ static int ext4_dx_add_entry(handle_t *handle, struct ext4_filename *fname, /* Set up root */ dx_set_count(entries, 1); dx_set_block(entries + 0, newblock); - info = dx_get_dx_info((struct ext4_dir_entry_2 *) + info = dx_get_dx_info(dir, (struct ext4_dir_entry_2 *) frames[0].bh->b_data); + if (IS_ERR(info)) { + err = PTR_ERR(info); + brelse(bh2); + goto journal_error; + } info->indirect_levels += 1; dxtrace(printk(KERN_DEBUG "Creating %d level index...\n", @@ -2788,7 +2816,7 @@ static int ext4_dx_add_entry(handle_t *handle, struct ext4_filename *fname, ext4_std_error(dir->i_sb, err); /* this is a no-op if err == 0 */ cleanup: brelse(bh); - dx_release(frames); + dx_release(dir, frames); /* @restart is true means htree-path has been changed, we need to * repeat dx_probe() to find out valid htree-path */ @@ -4463,6 +4491,29 @@ int ext4_dirdata_set_lufid(struct inode *dir, const char *filename, } EXT4_I(inode)->i_dirdata = old_dirdata; + if (err) { + /* + * The original entry was already removed above and the + * re-add with the new LUFID failed; try to restore the + * original entry so the inode isn't left without any + * directory entry pointing at it. + */ + struct dentry parent_dentry = { .d_inode = dir }; + struct dentry orig_dentry = { + .d_name = d_name, + .d_parent = &parent_dentry, + .d_inode = inode, + }; + int rollback_err = ext4_add_entry(handle, &orig_dentry, inode); + + if (rollback_err) + EXT4_ERROR_INODE(dir, + "Failed to set LUFID on '%.*s' (err=%d) and failed to restore the original directory entry (err=%d); inode %llu may be orphaned", + namelen, filename, err, rollback_err, + inode->i_ino); + goto out_unlock; + } + /* Update inode times */ inode_set_ctime_current(dir); inode_inc_iversion(dir); -- 2.43.7 ^ permalink raw reply related [flat|nested] 10+ messages in thread
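Review bot: in the get_dx_countlimit() hunk (@@ -412), the bounds problem this patch fixes in dx_get_dx_info() is still present one line below the change: `root = (struct dx_root_info *)(((char *)de + dotdot_rec_len));` is dereferenced (`root->reserved_zero`, `root->info_length`) without checking that `dotdot_rec_len + sizeof(struct dx_root_info)` stays inside the block, and the guard two lines above still compares the raw `le16_to_cpu(de->rec_len)` rather than ext4_rec_len_from_disk(), the same inconsistency the commit message calls out for ext4_dirdata_get(). Add the same range check here before the dereference and decode rec_len once.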
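Review bot: in the dx_get_dx_info() hunk (@@ -520), the new range check only runs after both advances, so the second `ext4_dir_entry_len(de_buf, dir)` already parses the dotdot header at whatever offset the dot entry's length produced; with a corrupt dot entry that header read is itself the out-of-block access. Check after the first advance too (that `de_buf` plus the fixed entry header still fits in `base + blocksize`) before calling ext4_dir_entry_len() on it. The `de_buf < base` test can never be true since `de_buf` only moves forward by unsigned amounts and can be dropped.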
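Review bot: in the dx_root_limit() hunk (@@ -577), `if (IS_ERR(info)) return 0;` turns a detected corruption into a silent limit of zero with no diagnostic; a caller that sizes an entries array from the result sees a plausible number rather than an error. Report it (EXT4_ERROR_INODE() or ext4_warning_inode() on `dir`) here, or make the callers treat 0 as EFSCORRUPTED explicitly.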
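Review bot: in the dx_probe() hunk (@@ -793), the `goto fail` after `info = dx_get_dx_info(dir, ...)` fails silently; a dx root that does not parse is filesystem corruption worth a log line, so emit an ext4_warning_inode() before jumping, and make sure the value returned through `fail` reflects the EFSCORRUPTED from dx_get_dx_info() rather than whatever ret_err was initialised to.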
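Review bot: in the dx_release() hunk (@@ -947), `if (IS_ERR(info)) return;` leaks every `frames[i].bh`: the function exists to brelse() them, and returning before the loop on a corruption it cannot act on anyway loses the references. Since the frames were built by a dx_probe() that has already validated this root, either record `indirect_levels` in `frames[0]` during dx_probe() so dx_release() need not re-parse the block at all, or on error still brelse() `frames[0].bh` (and the others) before returning.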
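Review bot: in the first ext4_dirdata_get() hunk (@@ -1296), decoding rec_len is right, but every comparison in this function (and the matching ones in ext4_dirdata_set()) is still off by the entry header: `data_offset = de->name_len + 1` and `de->name + data_offset` are relative to `de->name`, whereas rec_len counts from the start of `de`, so `data_offset + dlen > rec_len` lets a dirdata blob run up to the fixed header size (offsetof(struct ext4_dir_entry_2, name), 8 bytes) past the end of the entry. Compare against `rec_len - offsetof(struct ext4_dir_entry_2, name)`, or compute `(char *)de + rec_len` once and compare end pointers.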
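Review bot: in the LUFID hunk (@@ -1312), `memcpy(dfid, disk_fid->df_fid, disk_fid->df_header.ddh_length);` copies the on-disk `ddh_length` bytes, which the check just above establishes is at least `sizeof(*disk_fid)` (header plus payload), yet the source starts after the header; the copy therefore reads `sizeof(df_header)` bytes beyond the FID payload and writes an image-controlled number of bytes into a caller-supplied `dfid` whose size this function does not know. Copy `dlen - sizeof(disk_fid->df_header)` and bound it by the destination (pass its size in, or copy a fixed `sizeof(*dfid)`).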
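Review bot: in the ext4_dirdata_set() hunk (@@ -1383), the function is `void`, so when `if (data_offset + dlen > rec_len)` fires it logs "Can not insert FID" and returns, but the caller proceeds as if the dirdata had been written and may leave an entry whose file_type flags advertise LUFID or hash data that is not there. Return an error (-EFSCORRUPTED, or -ENOSPC when the entry is simply too small) and have callers fail the insert; the header-offset correction noted for ext4_dirdata_get() applies to these comparisons as well.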
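Review bot: in the make_indexed_dir() hunk (@@ -2425), the early `brelse(bh2); brelse(bh); return PTR_ERR(dx_info);` sits after the context line `blocksize);`, which suggests the dotdot rec_len in the root block has already been rewritten and a new block appended by this point, so bailing out here leaves a half-converted directory behind; the function's normal exit (later hunk) goes through `ext4_mark_inode_dirty(handle, dir)` and `dx_release(dir, frames)`, which this return skips. Validate the dot and dotdot entries before mutating anything, since once the function has written dotdot itself it cannot reasonably fail to locate the root info behind it.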
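Review bot: in the ext4_dx_add_entry() hunk (@@ -2759), by the time `info = dx_get_dx_info(dir, ...)` can fail, `dx_set_count(entries, 1)` and `dx_set_block(entries + 0, newblock)` have already rewritten the root's entries, so `goto journal_error` abandons a half-updated root. Locate the root info before touching `entries`, or better, reuse the root info that dx_probe() already validated when it built `frames[0]` instead of re-parsing the block here and in dx_release().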
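Review bot: in the ext4_dirdata_set_lufid() hunk (@@ -4463), the rollback keeps the unsafe ordering the commit message describes and only patches over it: between the delete and the re-add the inode has no name, and the recovery relies on a partially initialised `struct dentry` on the stack (`d_name`, `d_parent`, `d_inode` only) being acceptable to ext4_add_entry(), which is fragile if that path touches any other dentry field. Prefer adding the new entry first and deleting the old one only on success (or rewriting in place when the new record fits), which removes the window and the rollback. Also, `%llu` does not match `inode->i_ino` (an `unsigned long`) in the EXT4_ERROR_INODE format string; use `%lu`.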
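The commit message's two points about rec_len (decode it with ext4_rec_len_from_disk(), and the 0/65535 "whole block" sentinel) are easier to see with a small userspace model. The following is an added example, not code from the patch or from the kernel: it re-implements the PAGE_SIZE >= 64 KiB encoding of ext4_rec_len_from_disk()/ext4_rec_len_to_disk() assuming a little-endian host, builds constructed directory entries in a buffer, and contrasts a bounds check against the raw on-disk field with one against the decoded length that also accounts for the 8-byte entry header. The names dirent_hdr, make_entry, dirdata_fits and dirdata_fits_raw belong to this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants mirrored from fs/ext4/ext4.h; everything else in this file is a
 * userspace model written for this example, not kernel code. */
#define EXT4_MAX_REC_LEN  ((1 << 16) - 1)
#define EXT4_BASE_DIR_LEN 8 /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

/* On-disk entry header, laid out like struct ext4_dir_entry_2. */
struct dirent_hdr {
	uint32_t inode;
	uint16_t rec_len;   /* encoded, as stored on disk */
	uint8_t  name_len;
	uint8_t  file_type;
	char     name[];    /* name, then optional dirdata */
};

/* Model of ext4_rec_len_from_disk() as built for PAGE_SIZE >= 64 KiB:
 * 0 and 65535 both mean "the entry spans the whole block", and the low two
 * bits carry bits 16..17 of a length that does not fit in 16 bits.
 * Assumes a little-endian host, so no le16_to_cpu() is modelled. */
static unsigned int rec_len_from_disk(uint16_t dlen, unsigned int blocksize)
{
	unsigned int len = dlen;

	if (len == EXT4_MAX_REC_LEN || len == 0)
		return blocksize;
	return (len & 65532) | ((len & 3) << 16);
}

/* Inverse, modelled on ext4_rec_len_to_disk(); where the kernel BUG_ON()s
 * on bad input (too long, unaligned, oversized block) this returns -1. */
static int rec_len_to_disk(unsigned int len, unsigned int blocksize)
{
	if (len > blocksize || blocksize > (1u << 18) || (len & 3))
		return -1;
	if (len < 65536)
		return (int)len;
	if (len == blocksize)
		return blocksize == 65536 ? EXT4_MAX_REC_LEN : 0;
	return (int)((len & 65532) | ((len >> 16) & 3));
}

/* Pre-fix shape of the check: an offset relative to de->name compared
 * against the raw on-disk field. */
static bool dirdata_fits_raw(const struct dirent_hdr *de,
			     unsigned int data_offset, unsigned int dlen)
{
	return data_offset + dlen <= de->rec_len;
}

/* Decoded check: rec_len counts from the start of the header while
 * data_offset and dlen count from de->name, so the header is subtracted.
 * Two separate comparisons avoid unsigned wrap-around. */
static bool dirdata_fits(const struct dirent_hdr *de, unsigned int blocksize,
			 unsigned int data_offset, unsigned int dlen)
{
	unsigned int rec_len = rec_len_from_disk(de->rec_len, blocksize);
	unsigned int avail;

	if (rec_len < EXT4_BASE_DIR_LEN || rec_len > blocksize)
		return false;
	avail = rec_len - EXT4_BASE_DIR_LEN; /* bytes after the fixed header */
	return data_offset <= avail && dlen <= avail - data_offset;
}

/* Builds a constructed entry header in buf (sample data, not from any image). */
static struct dirent_hdr *make_entry(uint8_t *buf, size_t bufsz, uint32_t ino,
				     uint16_t rec_len_disk, const char *name)
{
	struct dirent_hdr *de = (struct dirent_hdr *)buf;
	size_t nlen = strlen(name);

	if (bufsz < EXT4_BASE_DIR_LEN + nlen || nlen > 255)
		return NULL;
	memset(buf, 0, bufsz);
	de->inode = ino;
	de->rec_len = rec_len_disk;
	de->name_len = (uint8_t)nlen;
	de->file_type = 1;
	memcpy(de->name, name, nlen);
	return de;
}

/* A 16-byte entry for "foo": 8 header + "foo\0" + 4 bytes of room for dirdata.
 * 4 bytes of dirdata end exactly at rec_len; 5 run past the entry, which the
 * raw comparison accepts because it never subtracts the header. */
static int demo_header_offset(void)
{
	_Alignas(4) uint8_t buf[32];
	struct dirent_hdr *de = make_entry(buf, sizeof(buf), 12, 16, "foo");
	unsigned int off = de->name_len + 1;

	return dirdata_fits(de, 4096, off, 4) &&
	       !dirdata_fits(de, 4096, off, 5) &&
	       dirdata_fits_raw(de, off, 5);
}

/* The last entry of a block larger than 64 KiB is stored with rec_len 0.
 * The raw comparison rejects every blob in it; the decoded one sees the real
 * length. Only the header is inspected, so the 32-byte buffer suffices. */
static int demo_full_block_sentinel(void)
{
	_Alignas(4) uint8_t buf[32];
	struct dirent_hdr *de = make_entry(buf, sizeof(buf), 13, 0, "bar");
	unsigned int off = de->name_len + 1;

	return dirdata_fits(de, 131072, off, 100) &&
	       !dirdata_fits_raw(de, off, 100);
}

int main(void)
{
	printf("header offset demo: %s\n", demo_header_offset() ? "ok" : "FAIL");
	printf("full-block sentinel demo: %s\n",
	       demo_full_block_sentinel() ? "ok" : "FAIL");
	printf("70000 -> disk %d -> %u\n", rec_len_to_disk(70000, 131072),
	       rec_len_from_disk((uint16_t)rec_len_to_disk(70000, 131072), 131072));
	return 0;
}
```

The two demo functions show the two failure modes the commit message names: dirdata_fits_raw() lets a blob overrun the entry by up to the header size and rejects everything in a whole-block entry encoded as 0, while dirdata_fits() decodes first and measures from the end of the header. The same shape (decode once, subtract the fixed header, compare twice to avoid wrap-around) is what a hardened ext4_dirdata_get()/ext4_dirdata_set() check looks like.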
* Re: [syzbot ci] Re: Data in direntry (dirdata) feature 2026-06-19 14:10 ` Artem Blagodarenko @ 2026-06-19 14:11 ` syzbot 2026-06-19 14:50 ` syzbot ci 1 sibling, 0 replies; 10+ messages in thread From: syzbot @ 2026-06-19 14:11 UTC (permalink / raw) To: artem.blagodarenko Cc: adilger, artem.blagodarenko, linux-ext4, pravin.shelar, syzbot, syzkaller-bugs > Thanks for the report. The attached patch addresses the issues found in > the dirdata series review (dx_get_dx_info/get_dx_countlimit blocksize > fallback, dfid parameter shadowing in ext4_dirdata_get, and the unsafe > delete-before-add in EXT4_IOC_SET_LUFID). > > > #syz test I see the command but can't find the corresponding bug. The email is sent to syzbot+HASH@syzkaller.appspotmail.com address but the HASH does not correspond to any known bug. Please double check the address. > > On Thu, Jun 11, 2026 11:29 AM, syzbot ci < > syzbot+cid7b922cb3d448114@syzkaller.appspotmail.com> wrote: > >> syzbot ci has tested the following series >> >> [v2] Data in direntry (dirdata) feature >> >> https://lore.kernel.org/all/20260610152417.13576-1-ablagodarenko@thelustrecollective.com >> * [PATCH v2 01/10] ext4: replace ext4_dir_entry with ext4_dir_entry_2 >> * [PATCH v2 02/10] ext4: add ext4_dir_entry_is_tail() >> * [PATCH v2 03/10] ext4: refactor dx_root to support variable dirent sizes >> * [PATCH v2 04/10] ext4: add dirdata format definitions and access helpers >> * [PATCH v2 05/10] ext4: preserve dirdata bits in get_dtype() >> * [PATCH v2 06/10] ext4: add ext4_dir_entry_len() and harden dirdata >> parsing >> * [PATCH v2 07/10] ext4: rename ext4_dir_rec_len() and clarify dirdata >> usage >> * [PATCH v2 08/10] ext4: dirdata feature >> * [PATCH v2 09/10] ext4: add dirdata set/get helpers >> * [PATCH v2 10/10] ext4: Add EXT4_IOC_SET_LUFID ioctl for setting LUFID on >> directory entries >> >> and found the following issues: >> * KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry >> * KASAN: slab-out-of-bounds Read in 
ext4_inlinedir_to_tree >> * KASAN: slab-use-after-free Read in __ext4_check_dir_entry >> * KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree >> * KASAN: use-after-free Read in __ext4_check_dir_entry >> >> Full report is available here: >> https://ci.syzbot.org/series/5bf0e2fa-2e68-4532-8396-4568879b2788 >> >> *** >> >> KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry >> >> tree: torvalds >> URL: >> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux >> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 >> arch: amd64 >> compiler: Debian clang version 21.1.8 >> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 >> config: >> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config >> syz repro: >> https://ci.syzbot.org/findings/b0854918-13f9-49dd-ab30-12154f0debe2/syz_repro >> >> loop0: lost filesystem error report for type 5 error -117 >> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 >> r/w without journal. Quota mode: none. 
>> ================================================================== >> BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len >> fs/ext4/ext4.h:4069 [inline] >> BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4096 >> [inline] >> BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x65a/0xc40 >> fs/ext4/dir.c:96 >> Read of size 1 at addr ffff8881022db7f5 by task syz.0.23/5815 >> >> CPU: 1 UID: 0 PID: 5815 Comm: syz.0.23 Not tainted syzkaller #0 >> PREEMPT(full) >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS >> 1.16.2-debian-1.16.2-1 04/01/2014 >> Call Trace: >> <TASK> >> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 >> print_address_description+0x55/0x1e0 mm/kasan/report.c:378 >> print_report+0x58/0x70 mm/kasan/report.c:482 >> kasan_report+0x117/0x150 mm/kasan/report.c:595 >> ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] >> ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] >> __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 >> ext4_check_all_de+0x66/0x150 fs/ext4/dir.c:657 >> ext4_convert_inline_data_nolock+0x1b7/0x990 fs/ext4/inline.c:1121 >> ext4_try_add_inline_entry+0x604/0x8e0 fs/ext4/inline.c:1247 >> __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 >> ext4_add_entry fs/ext4/namei.c:2613 [inline] >> ext4_mkdir+0x5e5/0xce0 fs/ext4/namei.c:3175 >> vfs_mkdir+0x413/0x630 fs/namei.c:5271 >> filename_mkdirat+0x285/0x510 fs/namei.c:5304 >> __do_sys_mkdirat fs/namei.c:5325 [inline] >> __se_sys_mkdirat+0x35/0x150 fs/namei.c:5322 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> RIP: 0033:0x7f669359bcc7 >> Code: 00 66 90 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 db f7 ff >> ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff >> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 >> RSP: 002b:00007ffd42381d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 >> RAX: 
ffffffffffffffda RBX: 00007ffd42381dc0 RCX: 00007f669359bcc7 >> RDX: 00000000000001ff RSI: 0000200000001200 RDI: 00000000ffffff9c >> RBP: 00002000000024c0 R08: 0000200000000240 R09: 0000000000000000 >> R10: 00002000000024c0 R11: 0000000000000246 R12: 0000200000001200 >> R13: 00007ffd42381d80 R14: 0000000000000000 R15: 0000000000000000 >> </TASK> >> >> Allocated by task 5066: >> kasan_save_stack mm/kasan/common.c:57 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 >> poison_kmalloc_redzone mm/kasan/common.c:398 [inline] >> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 >> kasan_kmalloc include/linux/kasan.h:263 [inline] >> __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5420 >> kmalloc_noprof include/linux/slab.h:950 [inline] >> kzalloc_noprof include/linux/slab.h:1188 [inline] >> kernfs_get_open_node fs/kernfs/file.c:543 [inline] >> kernfs_fop_open+0x862/0xda0 fs/kernfs/file.c:718 >> do_dentry_open+0x822/0x13a0 fs/open.c:947 >> vfs_open+0x3b/0x340 fs/open.c:1079 >> do_open fs/namei.c:4699 [inline] >> path_openat+0x2e08/0x3860 fs/namei.c:4858 >> do_file_open+0x23e/0x4a0 fs/namei.c:4887 >> do_sys_openat2+0x113/0x200 fs/open.c:1364 >> do_sys_open fs/open.c:1370 [inline] >> __do_sys_openat fs/open.c:1386 [inline] >> __se_sys_openat fs/open.c:1381 [inline] >> __x64_sys_openat+0x138/0x170 fs/open.c:1381 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> Last potentially related work creation: >> kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57 >> kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556 >> kvfree_call_rcu+0x100/0x430 mm/slab_common.c:1970 >> kernfs_unlink_open_file+0x3fe/0x4b0 fs/kernfs/file.c:604 >> kernfs_fop_release+0x2eb/0x440 fs/kernfs/file.c:783 >> __fput+0x44f/0xa60 fs/file_table.c:510 >> fput_close_sync+0x11f/0x240 fs/file_table.c:615 >> __do_sys_close fs/open.c:1507 [inline] >> __se_sys_close fs/open.c:1492 [inline] >> 
__x64_sys_close+0x7e/0x110 fs/open.c:1492 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> The buggy address belongs to the object at ffff8881022db700 >> which belongs to the cache kmalloc-128 of size 128 >> The buggy address is located 117 bytes to the right of >> allocated 128-byte region [ffff8881022db700, ffff8881022db780) >> >> The buggy address belongs to the physical page: >> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022db >> flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) >> page_type: f5(slab) >> raw: 017ff00000000000 ffff888100041a00 dead000000000100 dead000000000122 >> raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 >> page dumped because: kasan: bad access detected >> page_owner tracks the page as allocated >> page last allocated via order 0, migratetype Unmovable, gfp_mask >> 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, >> tgid 0 (swapper/0), ts 2408938923, free_ts 0 >> set_page_owner include/linux/page_owner.h:32 [inline] >> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 >> prep_new_page mm/page_alloc.c:1861 [inline] >> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 >> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 >> alloc_slab_page mm/slub.c:3278 [inline] >> allocate_slab+0x77/0x660 mm/slub.c:3467 >> new_slab mm/slub.c:3525 [inline] >> refill_objects+0x339/0x3d0 mm/slub.c:7272 >> refill_sheaf mm/slub.c:2816 [inline] >> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 >> alloc_from_pcs mm/slub.c:4750 [inline] >> slab_alloc_node mm/slub.c:4884 [inline] >> __do_kmalloc_node mm/slub.c:5295 [inline] >> __kmalloc_noprof+0x474/0x760 mm/slub.c:5308 >> kmalloc_noprof include/linux/slab.h:954 [inline] >> kzalloc_noprof include/linux/slab.h:1188 [inline] >> __alloc_empty_sheaf mm/slub.c:2768 [inline] >> alloc_empty_sheaf 
mm/slub.c:2783 [inline] >> __pcs_replace_empty_main+0x2df/0x720 mm/slub.c:4647 >> alloc_from_pcs mm/slub.c:4750 [inline] >> slab_alloc_node mm/slub.c:4884 [inline] >> kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4906 >> dup_fd+0x55/0xb40 fs/file.c:390 >> copy_files+0xc8/0x120 kernel/fork.c:1639 >> copy_process+0x1d94/0x4440 kernel/fork.c:2252 >> kernel_clone+0x2d7/0x940 kernel/fork.c:2722 >> user_mode_thread+0x110/0x180 kernel/fork.c:2798 >> rest_init+0x23/0x300 init/main.c:727 >> start_kernel+0x38a/0x3e0 init/main.c:1220 >> page_owner free stack trace missing >> >> Memory state around the buggy address: >> ffff8881022db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ffff8881022db700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> >ffff8881022db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ^ >> ffff8881022db800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> ffff8881022db880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ================================================================== >> >> >> *** >> >> KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree >> >> tree: torvalds >> URL: >> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux >> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 >> arch: amd64 >> compiler: Debian clang version 21.1.8 >> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 >> config: >> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config >> syz repro: >> https://ci.syzbot.org/findings/2dff870b-f382-4c93-8d8d-b2291d921224/syz_repro >> >> loop1: lost filesystem error report for type 5 error -117 >> EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 >> r/w without journal. Quota mode: none. 
>> ================================================================== >> BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4095 >> [inline] >> BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0xda5/0x10d0 >> fs/ext4/inline.c:1335 >> Read of size 2 at addr ffff888115a3183c by task syz.1.18/5839 >> >> CPU: 1 UID: 0 PID: 5839 Comm: syz.1.18 Not tainted syzkaller #0 >> PREEMPT(full) >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS >> 1.16.2-debian-1.16.2-1 04/01/2014 >> Call Trace: >> <TASK> >> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 >> print_address_description+0x55/0x1e0 mm/kasan/report.c:378 >> print_report+0x58/0x70 mm/kasan/report.c:482 >> kasan_report+0x117/0x150 mm/kasan/report.c:595 >> ext4_dir_entry_len fs/ext4/ext4.h:4095 [inline] >> ext4_inlinedir_to_tree+0xda5/0x10d0 fs/ext4/inline.c:1335 >> ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 >> ext4_dx_readdir fs/ext4/dir.c:600 [inline] >> ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 >> iterate_dir+0x399/0x570 fs/readdir.c:110 >> __do_sys_getdents64 fs/readdir.c:399 [inline] >> __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> RIP: 0033:0x7f3e02b9ce59 >> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 >> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff >> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 >> RSP: 002b:00007f3e03ad5028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 >> RAX: ffffffffffffffda RBX: 00007f3e02e15fa0 RCX: 00007f3e02b9ce59 >> RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004 >> RBP: 00007f3e02c32d6f R08: 0000000000000000 R09: 0000000000000000 >> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 >> R13: 00007f3e02e16038 R14: 00007f3e02e15fa0 R15: 00007ffcaa902298 >> </TASK> >> >> Allocated by 
task 5839: >> kasan_save_stack mm/kasan/common.c:57 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 >> poison_kmalloc_redzone mm/kasan/common.c:398 [inline] >> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 >> kasan_kmalloc include/linux/kasan.h:263 [inline] >> __do_kmalloc_node mm/slub.c:5296 [inline] >> __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308 >> kmalloc_noprof include/linux/slab.h:954 [inline] >> ext4_inlinedir_to_tree+0x312/0x10d0 fs/ext4/inline.c:1292 >> ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 >> ext4_dx_readdir fs/ext4/dir.c:600 [inline] >> ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 >> iterate_dir+0x399/0x570 fs/readdir.c:110 >> __do_sys_getdents64 fs/readdir.c:399 [inline] >> __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> The buggy address belongs to the object at ffff888115a31800 >> which belongs to the cache kmalloc-64 of size 64 >> The buggy address is located 0 bytes to the right of >> allocated 60-byte region [ffff888115a31800, ffff888115a3183c) >> >> The buggy address belongs to the physical page: >> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115a31 >> flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) >> page_type: f5(slab) >> raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122 >> raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000 >> page dumped because: kasan: bad access detected >> page_owner tracks the page as allocated >> page last allocated via order 0, migratetype Unmovable, gfp_mask >> 0xd2c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), >> pid 5051, tgid 5051 (acpid), ts 27203740677, free_ts 27201732767 >> set_page_owner include/linux/page_owner.h:32 [inline] >> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 >> prep_new_page mm/page_alloc.c:1861 
[inline] >> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 >> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 >> alloc_slab_page mm/slub.c:3278 [inline] >> allocate_slab+0x77/0x660 mm/slub.c:3467 >> new_slab mm/slub.c:3525 [inline] >> refill_objects+0x339/0x3d0 mm/slub.c:7272 >> refill_sheaf mm/slub.c:2816 [inline] >> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 >> alloc_from_pcs mm/slub.c:4750 [inline] >> slab_alloc_node mm/slub.c:4884 [inline] >> __do_kmalloc_node mm/slub.c:5295 [inline] >> __kmalloc_noprof+0x474/0x760 mm/slub.c:5308 >> kmalloc_noprof include/linux/slab.h:954 [inline] >> kzalloc_noprof include/linux/slab.h:1188 [inline] >> tomoyo_get_name+0x20c/0x590 security/tomoyo/memory.c:173 >> tomoyo_parse_name_union+0xd9/0x130 security/tomoyo/util.c:260 >> tomoyo_update_path_acl security/tomoyo/file.c:399 [inline] >> tomoyo_write_file+0x3a6/0xc50 security/tomoyo/file.c:1027 >> tomoyo_write_domain2 security/tomoyo/common.c:1160 [inline] >> tomoyo_add_entry security/tomoyo/common.c:2177 [inline] >> tomoyo_supervisor+0x1208/0x1570 security/tomoyo/common.c:2238 >> tomoyo_audit_path_log security/tomoyo/file.c:169 [inline] >> tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:592 >> tomoyo_check_open_permission+0x2b2/0x470 security/tomoyo/file.c:782 >> security_file_open+0xa9/0x240 security/security.c:2739 >> do_dentry_open+0x4a8/0x13a0 fs/open.c:924 >> vfs_open+0x3b/0x340 fs/open.c:1079 >> page last free pid 15 tgid 15 stack trace: >> reset_page_owner include/linux/page_owner.h:25 [inline] >> __free_pages_prepare mm/page_alloc.c:1397 [inline] >> __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 >> __tlb_remove_table_free mm/mmu_gather.c:228 [inline] >> tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:291 >> rcu_do_batch kernel/rcu/tree.c:2617 [inline] >> rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869 >> handle_softirqs+0x22a/0x840 kernel/softirq.c:622 >> run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076 >> 
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 >> kthread+0x389/0x470 kernel/kthread.c:436 >> ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 >> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 >> >> Memory state around the buggy address: >> ffff888115a31700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >> ffff888115a31780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc >> >ffff888115a31800: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc >> ^ >> ffff888115a31880: 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc fc >> ffff888115a31900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >> ================================================================== >> >> >> *** >> >> KASAN: slab-use-after-free Read in __ext4_check_dir_entry >> >> tree: torvalds >> URL: >> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux >> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 >> arch: amd64 >> compiler: Debian clang version 21.1.8 >> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 >> config: >> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config >> syz repro: >> https://ci.syzbot.org/findings/f1d48ea1-6e87-4d64-9c13-8bf8aed109fc/syz_repro >> >> loop0: lost filesystem error report for type 5 error -117 >> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 >> r/w without journal. Quota mode: none. 
>> ================================================================== >> BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len >> fs/ext4/ext4.h:4069 [inline] >> BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 >> [inline] >> BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x65a/0xc40 >> fs/ext4/dir.c:96 >> Read of size 1 at addr ffff888114d8c045 by task syz.0.20/5821 >> >> CPU: 1 UID: 0 PID: 5821 Comm: syz.0.20 Not tainted syzkaller #0 >> PREEMPT(full) >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS >> 1.16.2-debian-1.16.2-1 04/01/2014 >> Call Trace: >> <TASK> >> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 >> print_address_description+0x55/0x1e0 mm/kasan/report.c:378 >> print_report+0x58/0x70 mm/kasan/report.c:482 >> kasan_report+0x117/0x150 mm/kasan/report.c:595 >> ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] >> ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] >> __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 >> ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203 >> ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984 >> ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213 >> __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 >> ext4_add_entry fs/ext4/namei.c:2613 [inline] >> ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936 >> ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982 >> lookup_open fs/namei.c:4511 [inline] >> open_last_lookups fs/namei.c:4611 [inline] >> path_openat+0x1395/0x3860 fs/namei.c:4855 >> do_file_open+0x23e/0x4a0 fs/namei.c:4887 >> do_sys_openat2+0x113/0x200 fs/open.c:1364 >> do_sys_open fs/open.c:1370 [inline] >> __do_sys_openat fs/open.c:1386 [inline] >> __se_sys_openat fs/open.c:1381 [inline] >> __x64_sys_openat+0x138/0x170 fs/open.c:1381 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> RIP: 0033:0x7f922219ce59 >> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 
00 0f 1f 44 00 00 48 89 f8 48 89 f7 >> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff >> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 >> RSP: 002b:00007f9223137028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 >> RAX: ffffffffffffffda RBX: 00007f9222415fa0 RCX: 00007f922219ce59 >> RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004 >> RBP: 00007f9222232d6f R08: 0000000000000000 R09: 0000000000000000 >> R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000 >> R13: 00007f9222416038 R14: 00007f9222415fa0 R15: 00007ffd01a2d448 >> </TASK> >> >> Allocated by task 5484: >> kasan_save_stack mm/kasan/common.c:57 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 >> unpoison_slab_object mm/kasan/common.c:340 [inline] >> __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 >> kasan_slab_alloc include/linux/kasan.h:253 [inline] >> slab_post_alloc_hook mm/slub.c:4570 [inline] >> slab_alloc_node mm/slub.c:4899 [inline] >> kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4951 >> kmalloc_reserve net/core/skbuff.c:613 [inline] >> __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713 >> alloc_skb include/linux/skbuff.h:1385 [inline] >> nlmsg_new include/net/netlink.h:1055 [inline] >> mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217 >> mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691 >> notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 >> call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] >> call_netdevice_notifiers net/core/dev.c:2301 [inline] >> unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421 >> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] >> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 >> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 >> process_one_work kernel/workqueue.c:3314 [inline] >> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 >> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 >> kthread+0x389/0x470 kernel/kthread.c:436 >> 
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 >> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 >> >> Freed by task 5484: >> kasan_save_stack mm/kasan/common.c:57 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 >> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 >> poison_slab_object mm/kasan/common.c:253 [inline] >> __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 >> kasan_slab_free include/linux/kasan.h:235 [inline] >> slab_free_hook mm/slub.c:2689 [inline] >> slab_free mm/slub.c:6251 [inline] >> kfree+0x1c5/0x640 mm/slub.c:6566 >> skb_kfree_head net/core/skbuff.c:1075 [inline] >> skb_free_head net/core/skbuff.c:1087 [inline] >> skb_release_data+0x828/0xa60 net/core/skbuff.c:1114 >> skb_release_all net/core/skbuff.c:1189 [inline] >> __kfree_skb+0x5d/0x210 net/core/skbuff.c:1203 >> netlink_broadcast_filtered+0xe18/0xf20 net/netlink/af_netlink.c:1540 >> nlmsg_multicast_filtered include/net/netlink.h:1165 [inline] >> nlmsg_multicast include/net/netlink.h:1184 [inline] >> nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2598 >> mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691 >> notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 >> call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] >> call_netdevice_notifiers net/core/dev.c:2301 [inline] >> unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421 >> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] >> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 >> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 >> process_one_work kernel/workqueue.c:3314 [inline] >> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 >> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 >> kthread+0x389/0x470 kernel/kthread.c:436 >> ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 >> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 >> >> The buggy address belongs to the object at ffff888114d8c000 >> which belongs to the cache 
skbuff_small_head of size 704 >> The buggy address is located 69 bytes inside of >> freed 704-byte region [ffff888114d8c000, ffff888114d8c2c0) >> >> The buggy address belongs to the physical page: >> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114d8c >> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 >> flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff) >> page_type: f5(slab) >> raw: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122 >> raw: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000 >> head: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122 >> head: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000 >> head: 017ff00000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff >> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 >> page dumped because: kasan: bad access detected >> page_owner tracks the page as allocated >> page last allocated via order 2, migratetype Unmovable, gfp_mask >> 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), >> pid 5484, tgid 5484 (kworker/u8:2), ts 72573003529, free_ts 72546506446 >> set_page_owner include/linux/page_owner.h:32 [inline] >> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 >> prep_new_page mm/page_alloc.c:1861 [inline] >> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 >> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 >> alloc_slab_page mm/slub.c:3278 [inline] >> allocate_slab+0x77/0x660 mm/slub.c:3467 >> new_slab mm/slub.c:3525 [inline] >> refill_objects+0x339/0x3d0 mm/slub.c:7272 >> refill_sheaf mm/slub.c:2816 [inline] >> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 >> alloc_from_pcs mm/slub.c:4750 [inline] >> slab_alloc_node mm/slub.c:4884 [inline] >> kmem_cache_alloc_node_noprof+0x441/0x690 mm/slub.c:4951 >> kmalloc_reserve net/core/skbuff.c:613 [inline] >> __alloc_skb+0x27d/0x7d0 
net/core/skbuff.c:713 >> alloc_skb include/linux/skbuff.h:1385 [inline] >> nlmsg_new include/net/netlink.h:1055 [inline] >> mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217 >> mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691 >> notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 >> call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] >> call_netdevice_notifiers net/core/dev.c:2301 [inline] >> unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421 >> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] >> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 >> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 >> process_one_work kernel/workqueue.c:3314 [inline] >> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 >> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 >> page last free pid 5484 tgid 5484 stack trace: >> reset_page_owner include/linux/page_owner.h:25 [inline] >> __free_pages_prepare mm/page_alloc.c:1397 [inline] >> __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 >> stack_depot_save_flags+0x40e/0x810 lib/stackdepot.c:735 >> kasan_save_stack mm/kasan/common.c:58 [inline] >> kasan_save_track+0x4f/0x80 mm/kasan/common.c:78 >> unpoison_slab_object mm/kasan/common.c:340 [inline] >> __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 >> kasan_slab_alloc include/linux/kasan.h:253 [inline] >> slab_post_alloc_hook mm/slub.c:4570 [inline] >> slab_alloc_node mm/slub.c:4899 [inline] >> kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4906 >> kmem_alloc_batch lib/debugobjects.c:371 [inline] >> fill_pool+0x156/0x580 lib/debugobjects.c:420 >> debug_objects_fill_pool lib/debugobjects.c:752 [inline] >> debug_object_activate+0x4a3/0x580 lib/debugobjects.c:841 >> debug_rcu_head_queue kernel/rcu/rcu.h:236 [inline] >> __call_rcu_common kernel/rcu/tree.c:3116 [inline] >> call_rcu+0x43/0x890 kernel/rcu/tree.c:3251 >> kernfs_put+0x259/0x520 fs/kernfs/dir.c:618 >> kernfs_remove_by_name_ns+0xc8/0x140 fs/kernfs/dir.c:1799 
>> device_remove_class_symlinks+0x178/0x190 drivers/base/core.c:3479 >> device_del+0x400/0x8f0 drivers/base/core.c:3881 >> unregister_netdevice_many_notify+0x1d5f/0x22c0 net/core/dev.c:12456 >> ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] >> ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 >> cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 >> process_one_work kernel/workqueue.c:3314 [inline] >> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 >> >> Memory state around the buggy address: >> ffff888114d8bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> ffff888114d8bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> >ffff888114d8c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ^ >> ffff888114d8c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ffff888114d8c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ================================================================== >> >> >> *** >> >> KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree >> >> tree: torvalds >> URL: >> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux >> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 >> arch: amd64 >> compiler: Debian clang version 21.1.8 >> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 >> config: >> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config >> syz repro: >> https://ci.syzbot.org/findings/f42da242-e16e-4f10-bf25-0bd7e192d989/syz_repro >> >> loop0: lost filesystem error report for type 5 error -117 >> EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 >> r/w without journal. Quota mode: none. 
>> ================================================================== >> BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len >> fs/ext4/ext4.h:4069 [inline] >> BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 >> [inline] >> BUG: KASAN: slab-use-after-free in ext4_inlinedir_to_tree+0x94c/0x10d0 >> fs/ext4/inline.c:1335 >> Read of size 1 at addr ffff88816fee8825 by task syz.0.20/5867 >> >> CPU: 1 UID: 0 PID: 5867 Comm: syz.0.20 Not tainted syzkaller #0 >> PREEMPT(full) >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS >> 1.16.2-debian-1.16.2-1 04/01/2014 >> Call Trace: >> <TASK> >> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 >> print_address_description+0x55/0x1e0 mm/kasan/report.c:378 >> print_report+0x58/0x70 mm/kasan/report.c:482 >> kasan_report+0x117/0x150 mm/kasan/report.c:595 >> ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] >> ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] >> ext4_inlinedir_to_tree+0x94c/0x10d0 fs/ext4/inline.c:1335 >> ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 >> ext4_dx_readdir fs/ext4/dir.c:600 [inline] >> ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 >> iterate_dir+0x399/0x570 fs/readdir.c:110 >> __do_sys_getdents fs/readdir.c:319 [inline] >> __se_sys_getdents+0xf1/0x270 fs/readdir.c:304 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> RIP: 0033:0x7f010ad9ce59 >> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 >> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff >> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 >> RSP: 002b:00007f010bc0f028 EFLAGS: 00000246 ORIG_RAX: 000000000000004e >> RAX: ffffffffffffffda RBX: 00007f010b015fa0 RCX: 00007f010ad9ce59 >> RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004 >> RBP: 00007f010ae32d6f R08: 0000000000000000 R09: 0000000000000000 >> R10: 
0000000000000000 R11: 0000000000000246 R12: 0000000000000000 >> R13: 00007f010b016038 R14: 00007f010b015fa0 R15: 00007ffd93577348 >> </TASK> >> >> Allocated by task 5064: >> kasan_save_stack mm/kasan/common.c:57 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 >> poison_kmalloc_redzone mm/kasan/common.c:398 [inline] >> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 >> kasan_kmalloc include/linux/kasan.h:263 [inline] >> __do_kmalloc_node mm/slub.c:5296 [inline] >> __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308 >> kmalloc_noprof include/linux/slab.h:954 [inline] >> kzalloc_noprof include/linux/slab.h:1188 [inline] >> tomoyo_encode2 security/tomoyo/realpath.c:45 [inline] >> tomoyo_encode+0x28b/0x550 security/tomoyo/realpath.c:80 >> tomoyo_realpath_from_path+0x58d/0x5d0 security/tomoyo/realpath.c:283 >> tomoyo_get_realpath security/tomoyo/file.c:151 [inline] >> tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 >> security_inode_getattr+0x12b/0x310 security/security.c:1895 >> vfs_getattr fs/stat.c:259 [inline] >> vfs_fstat fs/stat.c:281 [inline] >> vfs_fstatat+0xb4/0x170 fs/stat.c:371 >> __do_sys_newfstatat fs/stat.c:538 [inline] >> __se_sys_newfstatat fs/stat.c:532 [inline] >> __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> Freed by task 5064: >> kasan_save_stack mm/kasan/common.c:57 [inline] >> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 >> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 >> poison_slab_object mm/kasan/common.c:253 [inline] >> __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 >> kasan_slab_free include/linux/kasan.h:235 [inline] >> slab_free_hook mm/slub.c:2689 [inline] >> slab_free mm/slub.c:6251 [inline] >> kfree+0x1c5/0x640 mm/slub.c:6566 >> tomoyo_path_perm+0x403/0x560 security/tomoyo/file.c:847 >> security_inode_getattr+0x12b/0x310 security/security.c:1895 >> 
vfs_getattr fs/stat.c:259 [inline] >> vfs_fstat fs/stat.c:281 [inline] >> vfs_fstatat+0xb4/0x170 fs/stat.c:371 >> __do_sys_newfstatat fs/stat.c:538 [inline] >> __se_sys_newfstatat fs/stat.c:532 [inline] >> __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> The buggy address belongs to the object at ffff88816fee8800 >> which belongs to the cache kmalloc-64 of size 64 >> The buggy address is located 37 bytes inside of >> freed 64-byte region [ffff88816fee8800, ffff88816fee8840) >> >> The buggy address belongs to the physical page: >> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16fee8 >> flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) >> page_type: f5(slab) >> raw: 057ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122 >> raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000 >> page dumped because: kasan: bad access detected >> page_owner tracks the page as allocated >> page last allocated via order 0, migratetype Unmovable, gfp_mask >> 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), >> pid 1, tgid 1 (swapper/0), ts 21294026082, free_ts 0 >> set_page_owner include/linux/page_owner.h:32 [inline] >> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 >> prep_new_page mm/page_alloc.c:1861 [inline] >> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 >> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 >> alloc_slab_page mm/slub.c:3278 [inline] >> allocate_slab+0x77/0x660 mm/slub.c:3467 >> new_slab mm/slub.c:3525 [inline] >> refill_objects+0x339/0x3d0 mm/slub.c:7272 >> refill_sheaf mm/slub.c:2816 [inline] >> __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 >> alloc_from_pcs mm/slub.c:4750 [inline] >> slab_alloc_node mm/slub.c:4884 [inline] >> __do_kmalloc_node mm/slub.c:5295 [inline] >> 
__kmalloc_noprof+0x474/0x760 mm/slub.c:5308 >> kmalloc_noprof include/linux/slab.h:954 [inline] >> kzalloc_noprof include/linux/slab.h:1188 [inline] >> handler_new_ref+0x261/0x9c0 drivers/media/v4l2-core/v4l2-ctrls-core.c:1882 >> v4l2_ctrl_add_handler+0x19f/0x290 >> drivers/media/v4l2-core/v4l2-ctrls-core.c:2443 >> vivid_create_controls+0x332d/0x3bd0 >> drivers/media/test-drivers/vivid/vivid-ctrls.c:2072 >> vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:1933 >> [inline] >> vivid_probe+0x4261/0x72b0 >> drivers/media/test-drivers/vivid/vivid-core.c:2095 >> platform_probe+0xf9/0x190 drivers/base/platform.c:1432 >> call_driver_probe drivers/base/dd.c:-1 [inline] >> really_probe+0x267/0xaf0 drivers/base/dd.c:709 >> __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871 >> driver_probe_device+0x4f/0x240 drivers/base/dd.c:901 >> __driver_attach+0x34c/0x640 drivers/base/dd.c:1295 >> page_owner free stack trace missing >> >> Memory state around the buggy address: >> ffff88816fee8700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >> ffff88816fee8780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >> >ffff88816fee8800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >> ^ >> ffff88816fee8880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >> ffff88816fee8900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >> ================================================================== >> >> >> *** >> >> KASAN: use-after-free Read in __ext4_check_dir_entry >> >> tree: torvalds >> URL: >> https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux >> base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 >> arch: amd64 >> compiler: Debian clang version 21.1.8 >> (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 >> config: >> https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config >> syz repro: >> https://ci.syzbot.org/findings/57c0b75a-8922-4dc1-9a20-ca947564792b/syz_repro >> >> 
================================================================== >> BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 >> [inline] >> BUG: KASAN: use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 >> [inline] >> BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x65a/0xc40 >> fs/ext4/dir.c:96 >> Read of size 1 at addr ffff88816be85045 by task syz.2.21/5880 >> >> CPU: 1 UID: 0 PID: 5880 Comm: syz.2.21 Not tainted syzkaller #0 >> PREEMPT(full) >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS >> 1.16.2-debian-1.16.2-1 04/01/2014 >> Call Trace: >> <TASK> >> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 >> print_address_description+0x55/0x1e0 mm/kasan/report.c:378 >> print_report+0x58/0x70 mm/kasan/report.c:482 >> kasan_report+0x117/0x150 mm/kasan/report.c:595 >> ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] >> ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] >> __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 >> ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203 >> ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984 >> ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213 >> __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 >> ext4_add_entry fs/ext4/namei.c:2613 [inline] >> ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936 >> ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982 >> lookup_open fs/namei.c:4511 [inline] >> open_last_lookups fs/namei.c:4611 [inline] >> path_openat+0x1395/0x3860 fs/namei.c:4855 >> do_file_open+0x23e/0x4a0 fs/namei.c:4887 >> do_sys_openat2+0x113/0x200 fs/open.c:1364 >> do_sys_open fs/open.c:1370 [inline] >> __do_sys_openat fs/open.c:1386 [inline] >> __se_sys_openat fs/open.c:1381 [inline] >> __x64_sys_openat+0x138/0x170 fs/open.c:1381 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> RIP: 0033:0x7f5713b9ce59 >> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 
48 89 f8 48 89 f7 >> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff >> ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 >> RSP: 002b:00007fff672b25f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 >> RAX: ffffffffffffffda RBX: 00007f5713e15fa0 RCX: 00007f5713b9ce59 >> RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004 >> RBP: 00007f5713c32d6f R08: 0000000000000000 R09: 0000000000000000 >> R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000 >> R13: 00007f5713e15fac R14: 00007f5713e15fa0 R15: 00007f5713e15fa0 >> </TASK> >> >> The buggy address belongs to the physical page: >> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16be85 >> flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) >> page_type: f0(buddy) >> raw: 057ff00000000000 ffffea0005afa0c8 ffffea0005afa1c8 0000000000000000 >> raw: 0000000000000000 0000000000000000 00000000f0000000 0000000000000000 >> page dumped because: kasan: bad access detected >> page_owner tracks the page as freed >> page last allocated via order 0, migratetype Unmovable, gfp_mask >> 0xcc0(GFP_KERNEL), pid 5630, tgid 5630 (syz-executor), ts 67290853657, >> free_ts 69321168948 >> set_page_owner include/linux/page_owner.h:32 [inline] >> post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 >> prep_new_page mm/page_alloc.c:1861 [inline] >> get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 >> __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 >> __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 >> alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 >> ___alloc_pages_bulk mm/kasan/shadow.c:345 [inline] >> __kasan_populate_vmalloc_do mm/kasan/shadow.c:370 [inline] >> __kasan_populate_vmalloc+0xc1/0x1d0 mm/kasan/shadow.c:424 >> kasan_populate_vmalloc include/linux/kasan.h:580 [inline] >> alloc_vmap_area+0xd47/0x1480 mm/vmalloc.c:2123 >> __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3226 >> __vmalloc_node_range_noprof+0x36a/0x1750 
mm/vmalloc.c:4024 >> vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218 >> kcov_ioctl+0x55/0x620 kernel/kcov.c:726 >> vfs_ioctl fs/ioctl.c:51 [inline] >> __do_sys_ioctl fs/ioctl.c:597 [inline] >> __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 >> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] >> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> page last free pid 5693 tgid 5693 stack trace: >> reset_page_owner include/linux/page_owner.h:25 [inline] >> __free_pages_prepare mm/page_alloc.c:1397 [inline] >> __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 >> kasan_depopulate_vmalloc_pte+0x6d/0x90 mm/kasan/shadow.c:484 >> apply_to_pte_range mm/memory.c:3338 [inline] >> apply_to_pmd_range mm/memory.c:3382 [inline] >> apply_to_pud_range mm/memory.c:3418 [inline] >> apply_to_p4d_range mm/memory.c:3454 [inline] >> __apply_to_page_range+0xbdc/0x1420 mm/memory.c:3490 >> __kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:602 >> kasan_release_vmalloc include/linux/kasan.h:593 [inline] >> kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline] >> purge_vmap_node+0x220/0x960 mm/vmalloc.c:2306 >> __purge_vmap_area_lazy+0x779/0xb40 mm/vmalloc.c:2396 >> drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430 >> process_one_work kernel/workqueue.c:3314 [inline] >> process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 >> worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 >> kthread+0x389/0x470 kernel/kthread.c:436 >> ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 >> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 >> >> Memory state around the buggy address: >> ffff88816be84f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> ffff88816be84f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >> >ffff88816be85000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >> ^ >> ffff88816be85080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >> ffff88816be85100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >> 
================================================================== >> >> >> *** >> >> If these findings have caused you to resend the series or submit a >> separate fix, please add the following tag to your commit message: >> Tested-by: syzbot@syzkaller.appspotmail.com >> >> --- >> This report is generated by a bot. It may contain errors. >> syzbot ci engineers can be reached at syzkaller@googlegroups.com. >> >> To test a patch for this bug, please reply with `#syz test` >> (should be on a separate line). >> >> The patch should be attached to the email. >> Note: arguments like custom git repos and branches are not supported. >> >> > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/CA%2BrD4x_2wXOP%3D4RwPY-A2vJjK4Vv9hGUSVFzprCe1H%2B8MTOKhA%40mail.gmail.com. ^ permalink raw reply [flat|nested] 10+ messages in thread
* [syzbot ci] Re: Data in direntry (dirdata) feature

From: syzbot ci @ 2026-06-19 14:50 UTC
To: artem.blagodarenko, adilger, linux-ext4, pravin.shelar, syzbot, syzkaller-bugs
Cc: syzbot, syzkaller-bugs

syzbot ci has tested the suggested fix patch on top of the following series:

[v2] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260610152417.13576-1-ablagodarenko@thelustrecollective.com

Patch: https://ci.syzbot.org/jobs/2471bcf5-fa8b-4932-846b-3db72cc2b56c/patch

Testing results:

* [build 0] Build Patched: passed
* [build 0] Boot test: Patched: passed

Full report is available here:
https://ci.syzbot.org/session/08769134-a853-4686-a652-a4c24e8773d7

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
* Re: [syzbot ci] Re: Data in direntry (dirdata) feature

From: Artem Blagodarenko @ 2026-06-19 16:45 UTC
To: syzbot+cid7b922cb3d448114; +Cc: syzbot

Re-sending with the correct recipient address (the prior attempt's #syz test was bounced for not addressing the bug-specific hash).

Patch addressing the issues found in the dirdata series review (dx_get_dx_info/get_dx_countlimit blocksize fallback, dfid parameter shadowing in ext4_dirdata_get, and the unsafe delete-before-add in EXT4_IOC_SET_LUFID) is attached. Please attach it manually before sending — see note below.

#syz test

On Thu, Jun 11, 2026 11:29 AM, syzbot ci <syzbot+cid7b922cb3d448114@syzkaller.appspotmail.com> wrote:
> syzbot ci has tested the following series
>
> [v2] Data in direntry (dirdata) feature
>
> https://lore.kernel.org/all/20260610152417.13576-1-ablagodarenko@thelustrecollective.com
> * [PATCH v2 01/10] ext4: replace ext4_dir_entry with ext4_dir_entry_2
> * [PATCH v2 02/10] ext4: add ext4_dir_entry_is_tail()
> * [PATCH v2 03/10] ext4: refactor dx_root to support variable dirent sizes
> * [PATCH v2 04/10] ext4: add dirdata format definitions and access helpers
> * [PATCH v2 05/10] ext4: preserve dirdata bits in get_dtype()
> * [PATCH v2 06/10] ext4: add ext4_dir_entry_len() and harden dirdata parsing
> * [PATCH v2 07/10] ext4: rename ext4_dir_rec_len() and clarify dirdata usage
> * [PATCH v2 08/10] ext4: dirdata feature
> * [PATCH v2 09/10] ext4: add dirdata set/get helpers
> * [PATCH v2 10/10] ext4: Add EXT4_IOC_SET_LUFID ioctl for setting LUFID on directory entries
>
> and found the following issues:
> * KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
> * KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree
> * KASAN: slab-use-after-free Read in __ext4_check_dir_entry
> * KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree
> * KASAN: use-after-free Read in __ext4_check_dir_entry
>
> Full report is available here:
> 
https://ci.syzbot.org/series/5bf0e2fa-2e68-4532-8396-4568879b2788 > > *** > > KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry > > tree: torvalds > URL: > https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux > base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 > arch: amd64 > compiler: Debian clang version 21.1.8 > (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > config: > https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config > syz repro: > https://ci.syzbot.org/findings/b0854918-13f9-49dd-ab30-12154f0debe2/syz_repro > > loop0: lost filesystem error report for type 5 error -117 > EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 > r/w without journal. Quota mode: none. > ================================================================== > BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len > fs/ext4/ext4.h:4069 [inline] > BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4096 > [inline] > BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x65a/0xc40 > fs/ext4/dir.c:96 > Read of size 1 at addr ffff8881022db7f5 by task syz.0.23/5815 > > CPU: 1 UID: 0 PID: 5815 Comm: syz.0.23 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] > ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] > __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 > ext4_check_all_de+0x66/0x150 fs/ext4/dir.c:657 > ext4_convert_inline_data_nolock+0x1b7/0x990 fs/ext4/inline.c:1121 > ext4_try_add_inline_entry+0x604/0x8e0 fs/ext4/inline.c:1247 > __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 > ext4_add_entry 
fs/ext4/namei.c:2613 [inline] > ext4_mkdir+0x5e5/0xce0 fs/ext4/namei.c:3175 > vfs_mkdir+0x413/0x630 fs/namei.c:5271 > filename_mkdirat+0x285/0x510 fs/namei.c:5304 > __do_sys_mkdirat fs/namei.c:5325 [inline] > __se_sys_mkdirat+0x35/0x150 fs/namei.c:5322 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f669359bcc7 > Code: 00 66 90 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 db f7 ff > ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007ffd42381d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 > RAX: ffffffffffffffda RBX: 00007ffd42381dc0 RCX: 00007f669359bcc7 > RDX: 00000000000001ff RSI: 0000200000001200 RDI: 00000000ffffff9c > RBP: 00002000000024c0 R08: 0000200000000240 R09: 0000000000000000 > R10: 00002000000024c0 R11: 0000000000000246 R12: 0000200000001200 > R13: 00007ffd42381d80 R14: 0000000000000000 R15: 0000000000000000 > </TASK> > > Allocated by task 5066: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > poison_kmalloc_redzone mm/kasan/common.c:398 [inline] > __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 > kasan_kmalloc include/linux/kasan.h:263 [inline] > __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5420 > kmalloc_noprof include/linux/slab.h:950 [inline] > kzalloc_noprof include/linux/slab.h:1188 [inline] > kernfs_get_open_node fs/kernfs/file.c:543 [inline] > kernfs_fop_open+0x862/0xda0 fs/kernfs/file.c:718 > do_dentry_open+0x822/0x13a0 fs/open.c:947 > vfs_open+0x3b/0x340 fs/open.c:1079 > do_open fs/namei.c:4699 [inline] > path_openat+0x2e08/0x3860 fs/namei.c:4858 > do_file_open+0x23e/0x4a0 fs/namei.c:4887 > do_sys_openat2+0x113/0x200 fs/open.c:1364 > do_sys_open fs/open.c:1370 [inline] > __do_sys_openat fs/open.c:1386 [inline] > __se_sys_openat fs/open.c:1381 [inline] > 
__x64_sys_openat+0x138/0x170 fs/open.c:1381 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > Last potentially related work creation: > kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57 > kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556 > kvfree_call_rcu+0x100/0x430 mm/slab_common.c:1970 > kernfs_unlink_open_file+0x3fe/0x4b0 fs/kernfs/file.c:604 > kernfs_fop_release+0x2eb/0x440 fs/kernfs/file.c:783 > __fput+0x44f/0xa60 fs/file_table.c:510 > fput_close_sync+0x11f/0x240 fs/file_table.c:615 > __do_sys_close fs/open.c:1507 [inline] > __se_sys_close fs/open.c:1492 [inline] > __x64_sys_close+0x7e/0x110 fs/open.c:1492 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > The buggy address belongs to the object at ffff8881022db700 > which belongs to the cache kmalloc-128 of size 128 > The buggy address is located 117 bytes to the right of > allocated 128-byte region [ffff8881022db700, ffff8881022db780) > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022db > flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) > page_type: f5(slab) > raw: 017ff00000000000 ffff888100041a00 dead000000000100 dead000000000122 > raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 0, migratetype Unmovable, gfp_mask > 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, > tgid 0 (swapper/0), ts 2408938923, free_ts 0 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > 
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > alloc_slab_page mm/slub.c:3278 [inline] > allocate_slab+0x77/0x660 mm/slub.c:3467 > new_slab mm/slub.c:3525 [inline] > refill_objects+0x339/0x3d0 mm/slub.c:7272 > refill_sheaf mm/slub.c:2816 [inline] > __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 > alloc_from_pcs mm/slub.c:4750 [inline] > slab_alloc_node mm/slub.c:4884 [inline] > __do_kmalloc_node mm/slub.c:5295 [inline] > __kmalloc_noprof+0x474/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > kzalloc_noprof include/linux/slab.h:1188 [inline] > __alloc_empty_sheaf mm/slub.c:2768 [inline] > alloc_empty_sheaf mm/slub.c:2783 [inline] > __pcs_replace_empty_main+0x2df/0x720 mm/slub.c:4647 > alloc_from_pcs mm/slub.c:4750 [inline] > slab_alloc_node mm/slub.c:4884 [inline] > kmem_cache_alloc_noprof+0x37d/0x650 mm/slub.c:4906 > dup_fd+0x55/0xb40 fs/file.c:390 > copy_files+0xc8/0x120 kernel/fork.c:1639 > copy_process+0x1d94/0x4440 kernel/fork.c:2252 > kernel_clone+0x2d7/0x940 kernel/fork.c:2722 > user_mode_thread+0x110/0x180 kernel/fork.c:2798 > rest_init+0x23/0x300 init/main.c:727 > start_kernel+0x38a/0x3e0 init/main.c:1220 > page_owner free stack trace missing > > Memory state around the buggy address: > ffff8881022db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff8881022db700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff8881022db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ^ > ffff8881022db800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff8881022db880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > > *** > > KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree > > tree: torvalds > URL: > https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux > base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 > arch: amd64 > compiler: Debian clang version 21.1.8 > 
(++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > config: > https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config > syz repro: > https://ci.syzbot.org/findings/2dff870b-f382-4c93-8d8d-b2291d921224/syz_repro > > loop1: lost filesystem error report for type 5 error -117 > EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 > r/w without journal. Quota mode: none. > ================================================================== > BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4095 > [inline] > BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0xda5/0x10d0 > fs/ext4/inline.c:1335 > Read of size 2 at addr ffff888115a3183c by task syz.1.18/5839 > > CPU: 1 UID: 0 PID: 5839 Comm: syz.1.18 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dir_entry_len fs/ext4/ext4.h:4095 [inline] > ext4_inlinedir_to_tree+0xda5/0x10d0 fs/ext4/inline.c:1335 > ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 > ext4_dx_readdir fs/ext4/dir.c:600 [inline] > ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 > iterate_dir+0x399/0x570 fs/readdir.c:110 > __do_sys_getdents64 fs/readdir.c:399 [inline] > __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f3e02b9ce59 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f3e03ad5028 EFLAGS: 00000246 
ORIG_RAX: 00000000000000d9 > RAX: ffffffffffffffda RBX: 00007f3e02e15fa0 RCX: 00007f3e02b9ce59 > RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004 > RBP: 00007f3e02c32d6f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007f3e02e16038 R14: 00007f3e02e15fa0 R15: 00007ffcaa902298 > </TASK> > > Allocated by task 5839: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > poison_kmalloc_redzone mm/kasan/common.c:398 [inline] > __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 > kasan_kmalloc include/linux/kasan.h:263 [inline] > __do_kmalloc_node mm/slub.c:5296 [inline] > __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > ext4_inlinedir_to_tree+0x312/0x10d0 fs/ext4/inline.c:1292 > ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 > ext4_dx_readdir fs/ext4/dir.c:600 [inline] > ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 > iterate_dir+0x399/0x570 fs/readdir.c:110 > __do_sys_getdents64 fs/readdir.c:399 [inline] > __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > The buggy address belongs to the object at ffff888115a31800 > which belongs to the cache kmalloc-64 of size 64 > The buggy address is located 0 bytes to the right of > allocated 60-byte region [ffff888115a31800, ffff888115a3183c) > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115a31 > flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) > page_type: f5(slab) > raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122 > raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > 
page last allocated via order 0, migratetype Unmovable, gfp_mask > 0xd2c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), > pid 5051, tgid 5051 (acpid), ts 27203740677, free_ts 27201732767 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > alloc_slab_page mm/slub.c:3278 [inline] > allocate_slab+0x77/0x660 mm/slub.c:3467 > new_slab mm/slub.c:3525 [inline] > refill_objects+0x339/0x3d0 mm/slub.c:7272 > refill_sheaf mm/slub.c:2816 [inline] > __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 > alloc_from_pcs mm/slub.c:4750 [inline] > slab_alloc_node mm/slub.c:4884 [inline] > __do_kmalloc_node mm/slub.c:5295 [inline] > __kmalloc_noprof+0x474/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > kzalloc_noprof include/linux/slab.h:1188 [inline] > tomoyo_get_name+0x20c/0x590 security/tomoyo/memory.c:173 > tomoyo_parse_name_union+0xd9/0x130 security/tomoyo/util.c:260 > tomoyo_update_path_acl security/tomoyo/file.c:399 [inline] > tomoyo_write_file+0x3a6/0xc50 security/tomoyo/file.c:1027 > tomoyo_write_domain2 security/tomoyo/common.c:1160 [inline] > tomoyo_add_entry security/tomoyo/common.c:2177 [inline] > tomoyo_supervisor+0x1208/0x1570 security/tomoyo/common.c:2238 > tomoyo_audit_path_log security/tomoyo/file.c:169 [inline] > tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:592 > tomoyo_check_open_permission+0x2b2/0x470 security/tomoyo/file.c:782 > security_file_open+0xa9/0x240 security/security.c:2739 > do_dentry_open+0x4a8/0x13a0 fs/open.c:924 > vfs_open+0x3b/0x340 fs/open.c:1079 > page last free pid 15 tgid 15 stack trace: > reset_page_owner include/linux/page_owner.h:25 [inline] > __free_pages_prepare mm/page_alloc.c:1397 [inline] > __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 > 
__tlb_remove_table_free mm/mmu_gather.c:228 [inline] > tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:291 > rcu_do_batch kernel/rcu/tree.c:2617 [inline] > rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869 > handle_softirqs+0x22a/0x840 kernel/softirq.c:622 > run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076 > smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 > kthread+0x389/0x470 kernel/kthread.c:436 > ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > > Memory state around the buggy address: > ffff888115a31700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff888115a31780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc > >ffff888115a31800: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc > ^ > ffff888115a31880: 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc fc > ffff888115a31900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ================================================================== > > > *** > > KASAN: slab-use-after-free Read in __ext4_check_dir_entry > > tree: torvalds > URL: > https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux > base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 > arch: amd64 > compiler: Debian clang version 21.1.8 > (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > config: > https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config > syz repro: > https://ci.syzbot.org/findings/f1d48ea1-6e87-4d64-9c13-8bf8aed109fc/syz_repro > > loop0: lost filesystem error report for type 5 error -117 > EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 > r/w without journal. Quota mode: none. 
> ================================================================== > BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len > fs/ext4/ext4.h:4069 [inline] > BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 > [inline] > BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x65a/0xc40 > fs/ext4/dir.c:96 > Read of size 1 at addr ffff888114d8c045 by task syz.0.20/5821 > > CPU: 1 UID: 0 PID: 5821 Comm: syz.0.20 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] > ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] > __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 > ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203 > ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984 > ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213 > __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 > ext4_add_entry fs/ext4/namei.c:2613 [inline] > ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936 > ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982 > lookup_open fs/namei.c:4511 [inline] > open_last_lookups fs/namei.c:4611 [inline] > path_openat+0x1395/0x3860 fs/namei.c:4855 > do_file_open+0x23e/0x4a0 fs/namei.c:4887 > do_sys_openat2+0x113/0x200 fs/open.c:1364 > do_sys_open fs/open.c:1370 [inline] > __do_sys_openat fs/open.c:1386 [inline] > __se_sys_openat fs/open.c:1381 [inline] > __x64_sys_openat+0x138/0x170 fs/open.c:1381 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f922219ce59 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 > 48 89 
d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f9223137028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 > RAX: ffffffffffffffda RBX: 00007f9222415fa0 RCX: 00007f922219ce59 > RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004 > RBP: 00007f9222232d6f R08: 0000000000000000 R09: 0000000000000000 > R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000 > R13: 00007f9222416038 R14: 00007f9222415fa0 R15: 00007ffd01a2d448 > </TASK> > > Allocated by task 5484: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > unpoison_slab_object mm/kasan/common.c:340 [inline] > __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 > kasan_slab_alloc include/linux/kasan.h:253 [inline] > slab_post_alloc_hook mm/slub.c:4570 [inline] > slab_alloc_node mm/slub.c:4899 [inline] > kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4951 > kmalloc_reserve net/core/skbuff.c:613 [inline] > __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713 > alloc_skb include/linux/skbuff.h:1385 [inline] > nlmsg_new include/net/netlink.h:1055 [inline] > mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217 > mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691 > notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 > call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] > call_netdevice_notifiers net/core/dev.c:2301 [inline] > unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421 > ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] > ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 > cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 > process_one_work kernel/workqueue.c:3314 [inline] > process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 > worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 > kthread+0x389/0x470 kernel/kthread.c:436 > ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 > 
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > > Freed by task 5484: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 > poison_slab_object mm/kasan/common.c:253 [inline] > __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 > kasan_slab_free include/linux/kasan.h:235 [inline] > slab_free_hook mm/slub.c:2689 [inline] > slab_free mm/slub.c:6251 [inline] > kfree+0x1c5/0x640 mm/slub.c:6566 > skb_kfree_head net/core/skbuff.c:1075 [inline] > skb_free_head net/core/skbuff.c:1087 [inline] > skb_release_data+0x828/0xa60 net/core/skbuff.c:1114 > skb_release_all net/core/skbuff.c:1189 [inline] > __kfree_skb+0x5d/0x210 net/core/skbuff.c:1203 > netlink_broadcast_filtered+0xe18/0xf20 net/netlink/af_netlink.c:1540 > nlmsg_multicast_filtered include/net/netlink.h:1165 [inline] > nlmsg_multicast include/net/netlink.h:1184 [inline] > nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2598 > mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691 > notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 > call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] > call_netdevice_notifiers net/core/dev.c:2301 [inline] > unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421 > ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] > ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 > cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 > process_one_work kernel/workqueue.c:3314 [inline] > process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 > worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 > kthread+0x389/0x470 kernel/kthread.c:436 > ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > > The buggy address belongs to the object at ffff888114d8c000 > which belongs to the cache skbuff_small_head of size 704 > The buggy address is located 69 bytes inside of > freed 704-byte region 
[ffff888114d8c000, ffff888114d8c2c0) > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114d8c > head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff) > page_type: f5(slab) > raw: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122 > raw: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000 > head: 017ff00000000040 ffff888160416b40 dead000000000100 dead000000000122 > head: 0000000000000000 0000000800120012 00000000f5000000 0000000000000000 > head: 017ff00000000002 ffffffffffffff01 00000000ffffffff 00000000ffffffff > head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 2, migratetype Unmovable, gfp_mask > 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), > pid 5484, tgid 5484 (kworker/u8:2), ts 72573003529, free_ts 72546506446 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > alloc_slab_page mm/slub.c:3278 [inline] > allocate_slab+0x77/0x660 mm/slub.c:3467 > new_slab mm/slub.c:3525 [inline] > refill_objects+0x339/0x3d0 mm/slub.c:7272 > refill_sheaf mm/slub.c:2816 [inline] > __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 > alloc_from_pcs mm/slub.c:4750 [inline] > slab_alloc_node mm/slub.c:4884 [inline] > kmem_cache_alloc_node_noprof+0x441/0x690 mm/slub.c:4951 > kmalloc_reserve net/core/skbuff.c:613 [inline] > __alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713 > alloc_skb include/linux/skbuff.h:1385 [inline] > nlmsg_new include/net/netlink.h:1055 [inline] > 
mpls_netconf_notify_devconf+0x46/0x100 net/mpls/af_mpls.c:1217 > mpls_dev_notify+0xb2d/0xd10 net/mpls/af_mpls.c:1691 > notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 > call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] > call_netdevice_notifiers net/core/dev.c:2301 [inline] > unregister_netdevice_many_notify+0x17a5/0x22c0 net/core/dev.c:12421 > ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] > ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 > cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 > process_one_work kernel/workqueue.c:3314 [inline] > process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 > worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 > page last free pid 5484 tgid 5484 stack trace: > reset_page_owner include/linux/page_owner.h:25 [inline] > __free_pages_prepare mm/page_alloc.c:1397 [inline] > __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 > stack_depot_save_flags+0x40e/0x810 lib/stackdepot.c:735 > kasan_save_stack mm/kasan/common.c:58 [inline] > kasan_save_track+0x4f/0x80 mm/kasan/common.c:78 > unpoison_slab_object mm/kasan/common.c:340 [inline] > __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 > kasan_slab_alloc include/linux/kasan.h:253 [inline] > slab_post_alloc_hook mm/slub.c:4570 [inline] > slab_alloc_node mm/slub.c:4899 [inline] > kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4906 > kmem_alloc_batch lib/debugobjects.c:371 [inline] > fill_pool+0x156/0x580 lib/debugobjects.c:420 > debug_objects_fill_pool lib/debugobjects.c:752 [inline] > debug_object_activate+0x4a3/0x580 lib/debugobjects.c:841 > debug_rcu_head_queue kernel/rcu/rcu.h:236 [inline] > __call_rcu_common kernel/rcu/tree.c:3116 [inline] > call_rcu+0x43/0x890 kernel/rcu/tree.c:3251 > kernfs_put+0x259/0x520 fs/kernfs/dir.c:618 > kernfs_remove_by_name_ns+0xc8/0x140 fs/kernfs/dir.c:1799 > device_remove_class_symlinks+0x178/0x190 drivers/base/core.c:3479 > device_del+0x400/0x8f0 drivers/base/core.c:3881 > 
unregister_netdevice_many_notify+0x1d5f/0x22c0 net/core/dev.c:12456 > ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] > ops_undo_list+0x3d3/0x940 net/core/net_namespace.c:248 > cleanup_net+0x56b/0x800 net/core/net_namespace.c:702 > process_one_work kernel/workqueue.c:3314 [inline] > process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 > > Memory state around the buggy address: > ffff888114d8bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff888114d8bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff888114d8c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff888114d8c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888114d8c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > > > *** > > KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree > > tree: torvalds > URL: > https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux > base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 > arch: amd64 > compiler: Debian clang version 21.1.8 > (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > config: > https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config > syz repro: > https://ci.syzbot.org/findings/f42da242-e16e-4f10-bf25-0bd7e192d989/syz_repro > > loop0: lost filesystem error report for type 5 error -117 > EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 > r/w without journal. Quota mode: none. 
> ================================================================== > BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len > fs/ext4/ext4.h:4069 [inline] > BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4096 > [inline] > BUG: KASAN: slab-use-after-free in ext4_inlinedir_to_tree+0x94c/0x10d0 > fs/ext4/inline.c:1335 > Read of size 1 at addr ffff88816fee8825 by task syz.0.20/5867 > > CPU: 1 UID: 0 PID: 5867 Comm: syz.0.20 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] > ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] > ext4_inlinedir_to_tree+0x94c/0x10d0 fs/ext4/inline.c:1335 > ext4_htree_fill_tree+0x517/0x1230 fs/ext4/namei.c:1182 > ext4_dx_readdir fs/ext4/dir.c:600 [inline] > ext4_readdir+0x2db4/0x3640 fs/ext4/dir.c:146 > iterate_dir+0x399/0x570 fs/readdir.c:110 > __do_sys_getdents fs/readdir.c:319 [inline] > __se_sys_getdents+0xf1/0x270 fs/readdir.c:304 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f010ad9ce59 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f010bc0f028 EFLAGS: 00000246 ORIG_RAX: 000000000000004e > RAX: ffffffffffffffda RBX: 00007f010b015fa0 RCX: 00007f010ad9ce59 > RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004 > RBP: 00007f010ae32d6f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000 > R13: 00007f010b016038 R14: 00007f010b015fa0 R15: 00007ffd93577348 > </TASK> > > Allocated by task 5064: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > poison_kmalloc_redzone mm/kasan/common.c:398 [inline] > __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 > kasan_kmalloc include/linux/kasan.h:263 [inline] > __do_kmalloc_node mm/slub.c:5296 [inline] > __kmalloc_noprof+0x35c/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > kzalloc_noprof include/linux/slab.h:1188 [inline] > tomoyo_encode2 security/tomoyo/realpath.c:45 [inline] > tomoyo_encode+0x28b/0x550 security/tomoyo/realpath.c:80 > tomoyo_realpath_from_path+0x58d/0x5d0 security/tomoyo/realpath.c:283 > tomoyo_get_realpath security/tomoyo/file.c:151 [inline] > tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 > security_inode_getattr+0x12b/0x310 security/security.c:1895 > vfs_getattr fs/stat.c:259 [inline] > vfs_fstat fs/stat.c:281 [inline] > vfs_fstatat+0xb4/0x170 fs/stat.c:371 > __do_sys_newfstatat fs/stat.c:538 [inline] > __se_sys_newfstatat fs/stat.c:532 [inline] > __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > Freed by task 5064: > kasan_save_stack mm/kasan/common.c:57 [inline] > kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 > kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 > poison_slab_object mm/kasan/common.c:253 [inline] > __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 > kasan_slab_free include/linux/kasan.h:235 [inline] > slab_free_hook mm/slub.c:2689 [inline] > slab_free mm/slub.c:6251 [inline] > kfree+0x1c5/0x640 mm/slub.c:6566 > tomoyo_path_perm+0x403/0x560 security/tomoyo/file.c:847 > security_inode_getattr+0x12b/0x310 security/security.c:1895 > vfs_getattr fs/stat.c:259 [inline] > vfs_fstat fs/stat.c:281 [inline] > 
vfs_fstatat+0xb4/0x170 fs/stat.c:371 > __do_sys_newfstatat fs/stat.c:538 [inline] > __se_sys_newfstatat fs/stat.c:532 [inline] > __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > The buggy address belongs to the object at ffff88816fee8800 > which belongs to the cache kmalloc-64 of size 64 > The buggy address is located 37 bytes inside of > freed 64-byte region [ffff88816fee8800, ffff88816fee8840) > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16fee8 > flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) > page_type: f5(slab) > raw: 057ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122 > raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 0, migratetype Unmovable, gfp_mask > 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), > pid 1, tgid 1 (swapper/0), ts 21294026082, free_ts 0 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > alloc_slab_page mm/slub.c:3278 [inline] > allocate_slab+0x77/0x660 mm/slub.c:3467 > new_slab mm/slub.c:3525 [inline] > refill_objects+0x339/0x3d0 mm/slub.c:7272 > refill_sheaf mm/slub.c:2816 [inline] > __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4652 > alloc_from_pcs mm/slub.c:4750 [inline] > slab_alloc_node mm/slub.c:4884 [inline] > __do_kmalloc_node mm/slub.c:5295 [inline] > __kmalloc_noprof+0x474/0x760 mm/slub.c:5308 > kmalloc_noprof include/linux/slab.h:954 [inline] > kzalloc_noprof 
include/linux/slab.h:1188 [inline] > handler_new_ref+0x261/0x9c0 drivers/media/v4l2-core/v4l2-ctrls-core.c:1882 > v4l2_ctrl_add_handler+0x19f/0x290 > drivers/media/v4l2-core/v4l2-ctrls-core.c:2443 > vivid_create_controls+0x332d/0x3bd0 > drivers/media/test-drivers/vivid/vivid-ctrls.c:2072 > vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:1933 > [inline] > vivid_probe+0x4261/0x72b0 > drivers/media/test-drivers/vivid/vivid-core.c:2095 > platform_probe+0xf9/0x190 drivers/base/platform.c:1432 > call_driver_probe drivers/base/dd.c:-1 [inline] > really_probe+0x267/0xaf0 drivers/base/dd.c:709 > __driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871 > driver_probe_device+0x4f/0x240 drivers/base/dd.c:901 > __driver_attach+0x34c/0x640 drivers/base/dd.c:1295 > page_owner free stack trace missing > > Memory state around the buggy address: > ffff88816fee8700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc > ffff88816fee8780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc > >ffff88816fee8800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ^ > ffff88816fee8880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ffff88816fee8900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > ================================================================== > > > *** > > KASAN: use-after-free Read in __ext4_check_dir_entry > > tree: torvalds > URL: > https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux > base: 9716c086c8e8b141d35aa61f2e96a2e83de212a7 > arch: amd64 > compiler: Debian clang version 21.1.8 > (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > config: > https://ci.syzbot.org/builds/ddf6ee7c-dfa8-4383-b004-10140edc081c/config > syz repro: > https://ci.syzbot.org/findings/57c0b75a-8922-4dc1-9a20-ca947564792b/syz_repro > > ================================================================== > BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4069 > [inline] > BUG: KASAN: use-after-free in 
ext4_dir_entry_len fs/ext4/ext4.h:4096 > [inline] > BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x65a/0xc40 > fs/ext4/dir.c:96 > Read of size 1 at addr ffff88816be85045 by task syz.2.21/5880 > > CPU: 1 UID: 0 PID: 5880 Comm: syz.2.21 Not tainted syzkaller #0 > PREEMPT(full) > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.16.2-debian-1.16.2-1 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 > print_address_description+0x55/0x1e0 mm/kasan/report.c:378 > print_report+0x58/0x70 mm/kasan/report.c:482 > kasan_report+0x117/0x150 mm/kasan/report.c:595 > ext4_dirent_get_data_len fs/ext4/ext4.h:4069 [inline] > ext4_dir_entry_len fs/ext4/ext4.h:4096 [inline] > __ext4_check_dir_entry+0x65a/0xc40 fs/ext4/dir.c:96 > ext4_find_dest_de+0x136/0x770 fs/ext4/namei.c:2203 > ext4_add_dirent_to_inline+0xcf/0x430 fs/ext4/inline.c:984 > ext4_try_add_inline_entry+0x235/0x8e0 fs/ext4/inline.c:1213 > __ext4_add_entry+0x390/0x1f40 fs/ext4/namei.c:2529 > ext4_add_entry fs/ext4/namei.c:2613 [inline] > ext4_add_nondir+0x111/0x310 fs/ext4/namei.c:2936 > ext4_create+0x2e9/0x470 fs/ext4/namei.c:2982 > lookup_open fs/namei.c:4511 [inline] > open_last_lookups fs/namei.c:4611 [inline] > path_openat+0x1395/0x3860 fs/namei.c:4855 > do_file_open+0x23e/0x4a0 fs/namei.c:4887 > do_sys_openat2+0x113/0x200 fs/open.c:1364 > do_sys_open fs/open.c:1370 [inline] > __do_sys_openat fs/open.c:1386 [inline] > __se_sys_openat fs/open.c:1381 [inline] > __x64_sys_openat+0x138/0x170 fs/open.c:1381 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f5713b9ce59 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007fff672b25f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 > RAX: 
ffffffffffffffda RBX: 00007f5713e15fa0 RCX: 00007f5713b9ce59 > RDX: 0000000000042042 RSI: 0000200000000080 RDI: 0000000000000004 > RBP: 00007f5713c32d6f R08: 0000000000000000 R09: 0000000000000000 > R10: 000000000000014a R11: 0000000000000246 R12: 0000000000000000 > R13: 00007f5713e15fac R14: 00007f5713e15fa0 R15: 00007f5713e15fa0 > </TASK> > > The buggy address belongs to the physical page: > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16be85 > flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) > page_type: f0(buddy) > raw: 057ff00000000000 ffffea0005afa0c8 ffffea0005afa1c8 0000000000000000 > raw: 0000000000000000 0000000000000000 00000000f0000000 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as freed > page last allocated via order 0, migratetype Unmovable, gfp_mask > 0xcc0(GFP_KERNEL), pid 5630, tgid 5630 (syz-executor), ts 67290853657, > free_ts 69321168948 > set_page_owner include/linux/page_owner.h:32 [inline] > post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 > prep_new_page mm/page_alloc.c:1861 [inline] > get_page_from_freelist+0x2593/0x2610 mm/page_alloc.c:3941 > __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 > __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 > alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 > ___alloc_pages_bulk mm/kasan/shadow.c:345 [inline] > __kasan_populate_vmalloc_do mm/kasan/shadow.c:370 [inline] > __kasan_populate_vmalloc+0xc1/0x1d0 mm/kasan/shadow.c:424 > kasan_populate_vmalloc include/linux/kasan.h:580 [inline] > alloc_vmap_area+0xd47/0x1480 mm/vmalloc.c:2123 > __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3226 > __vmalloc_node_range_noprof+0x36a/0x1750 mm/vmalloc.c:4024 > vmalloc_user_noprof+0xad/0xe0 mm/vmalloc.c:4218 > kcov_ioctl+0x55/0x620 kernel/kcov.c:726 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:597 [inline] > __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 
[inline] > do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > page last free pid 5693 tgid 5693 stack trace: > reset_page_owner include/linux/page_owner.h:25 [inline] > __free_pages_prepare mm/page_alloc.c:1397 [inline] > __free_frozen_pages+0xc1c/0xd30 mm/page_alloc.c:2938 > kasan_depopulate_vmalloc_pte+0x6d/0x90 mm/kasan/shadow.c:484 > apply_to_pte_range mm/memory.c:3338 [inline] > apply_to_pmd_range mm/memory.c:3382 [inline] > apply_to_pud_range mm/memory.c:3418 [inline] > apply_to_p4d_range mm/memory.c:3454 [inline] > __apply_to_page_range+0xbdc/0x1420 mm/memory.c:3490 > __kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:602 > kasan_release_vmalloc include/linux/kasan.h:593 [inline] > kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline] > purge_vmap_node+0x220/0x960 mm/vmalloc.c:2306 > __purge_vmap_area_lazy+0x779/0xb40 mm/vmalloc.c:2396 > drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430 > process_one_work kernel/workqueue.c:3314 [inline] > process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 > worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 > kthread+0x389/0x470 kernel/kthread.c:436 > ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > > Memory state around the buggy address: > ffff88816be84f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff88816be84f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff88816be85000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ^ > ffff88816be85080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ffff88816be85100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > ================================================================== > > > *** > > If these findings have caused you to resend the series or submit a > separate fix, please add the following tag to your commit message: > Tested-by: syzbot@syzkaller.appspotmail.com > > --- > This report is generated by a bot. 
It may contain errors.
> syzbot ci engineers can be reached at syzkaller@googlegroups.com.
>
> To test a patch for this bug, please reply with `#syz test`
> (should be on a separate line).
>
> The patch should be attached to the email.
> Note: arguments like custom git repos and branches are not supported.

[-- Attachment #2: dirdata-syzbot-fix.patch --]
[-- Type: application/octet-stream, Size: 11438 bytes --]

From e3d5c74f1ec0fbefb9a4b9193a474614b98d640a Mon Sep 17 00:00:00 2001
From: Artem Blagodarenko <artem.blagodarenko@gmail.com>
Date: Fri, 19 Jun 2026 09:48:12 -0400
Subject: [PATCH] ext4: fix issues reported by syzbot/CI on the dirdata series

Address the following issues found by automated review of the v2 dirdata patch series:

- dx_get_dx_info() called ext4_dir_entry_len() with dir hardcoded to NULL, forcing its blocksize fallback to 4096 regardless of the real filesystem blocksize, and never validated that the computed offset stayed within the block. Thread the real inode through and reject out-of-bounds results.

- get_dx_countlimit() had the same NULL-dir blocksize-fallback bug at a separate call site; pass the real inode through there too.

- ext4_dirdata_get() declared a local "dfid" inside the EXT4_DIRENT_LUFID branch that shadowed the function's own "dfid" output parameter, so the LUFID copy never reached the caller's buffer. Rename the local and copy into the real parameter. Also, both ext4_dirdata_get() and ext4_dirdata_set() compared offsets against the raw on-disk de->rec_len instead of decoding it via ext4_rec_len_from_disk(), which is wrong on big-endian hosts and mishandles the "0/65535 means full block" sentinel.

- ext4_dirdata_set_lufid() (EXT4_IOC_SET_LUFID) deleted the existing directory entry and then tried to re-add it with the new LUFID data; if ext4_add_entry() failed, the inode was left with no directory entry pointing at it. On failure, attempt to restore the original entry, and loudly flag inode corruption if that also fails.

Signed-off-by: Artem Blagodarenko <artem.blagodarenko@gmail.com>
---
 fs/ext4/namei.c | 105 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 78 insertions(+), 27 deletions(-)

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 65c53c08213a..e6f54dba735e 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -412,7 +412,7 @@ static struct dx_countlimit *get_dx_countlimit(struct inode *inode, if (le16_to_cpu(de->rec_len) != (blocksize - rlen)) return NULL; /* de->rec_len covers whole dx_root block, calculate actual length */ - dotdot_rec_len = ext4_dir_entry_len(de, NULL); + dotdot_rec_len = ext4_dir_entry_len(de, inode); root = (struct dx_root_info *)(((char *)de + dotdot_rec_len)); if (root->reserved_zero || root->info_length != sizeof(struct dx_root_info)) @@ -520,13 +520,20 @@ ext4_next_entry(struct ext4_dir_entry_2 *p, unsigned long blocksize) * Future: use high four bits of block for coalesce-on-delete flags * Mask them off for now. */ -static struct dx_root_info *dx_get_dx_info(void *de_buf) +static struct dx_root_info *dx_get_dx_info(struct inode *dir, void *de_buf) { + unsigned int blocksize = dir->i_sb->s_blocksize; + void *base = de_buf; + /* get dotdot first */ - de_buf += ext4_dir_entry_len(de_buf, NULL); + de_buf += ext4_dir_entry_len(de_buf, dir); /* dx root info is after dotdot entry */ - de_buf += ext4_dir_entry_len(de_buf, NULL); + de_buf += ext4_dir_entry_len(de_buf, dir); + + if (de_buf < base || (char *)de_buf - (char *)base + + sizeof(struct dx_root_info) > blocksize) + return ERR_PTR(-EFSCORRUPTED); return (struct dx_root_info *)de_buf; } @@ -577,7 +584,9 @@ static inline unsigned dx_root_limit(struct inode *dir, struct dx_root_info *info; unsigned int entry_space; - info = dx_get_dx_info(dot_de); + info = dx_get_dx_info(dir, dot_de); + if (IS_ERR(info)) + return 0; entry_space = dir->i_sb->s_blocksize - ((char *)info - (char *)dot_de) - info->info_length; 
@@ -793,7 +802,9 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, if (IS_ERR(frame->bh)) return (struct dx_frame *) frame->bh; - info = dx_get_dx_info((struct ext4_dir_entry_2 *)frame->bh->b_data); + info = dx_get_dx_info(dir, (struct ext4_dir_entry_2 *)frame->bh->b_data); + if (IS_ERR(info)) + goto fail; if (info->hash_version != DX_HASH_TEA && info->hash_version != DX_HASH_HALF_MD4 && info->hash_version != DX_HASH_LEGACY && @@ -938,7 +949,7 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, return ret_err; } -static void dx_release(struct dx_frame *frames) +static void dx_release(struct inode *dir, struct dx_frame *frames) { struct dx_root_info *info; int i; @@ -947,7 +958,9 @@ static void dx_release(struct dx_frame *frames) if (frames[0].bh == NULL) return; - info = dx_get_dx_info((struct ext4_dir_entry_2 *)frames[0].bh->b_data); + info = dx_get_dx_info(dir, (struct ext4_dir_entry_2 *)frames[0].bh->b_data); + if (IS_ERR(info)) + return; /* save local copy, "info" may be freed after brelse() */ indirect_levels = info->indirect_levels; for (i = 0; i <= indirect_levels; i++) { @@ -1253,12 +1266,12 @@ int ext4_htree_fill_tree(struct file *dir_file, __u32 start_hash, (count && ((hashval & 1) == 0))) break; } - dx_release(frames); + dx_release(dir, frames); dxtrace(printk(KERN_DEBUG "Fill tree: returned %d entries, " "next hash: %x\n", count, *next_hash)); return count; errout: - dx_release(frames); + dx_release(dir, frames); return (err); } @@ -1296,8 +1309,10 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, { unsigned char ret = 0; unsigned int data_offset = de->name_len + 1; + unsigned int rec_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); - if (data_offset > de->rec_len) + if (data_offset > rec_len) return ret; /* compatibility: hash stored inline after filename (no dirdata) */ 
@@ -1312,19 +1327,20 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, /* EXT4_DIRENT_* are not expected without flag in i_sb */ if (de->file_type & EXT4_DIRENT_LUFID) { - struct ext4_dirent_fid *dfid = + struct ext4_dirent_fid *disk_fid = (struct ext4_dirent_fid *)(de->name + data_offset); unsigned int dlen; - if (data_offset + sizeof(dfid->df_header) > de->rec_len) + if (data_offset + sizeof(disk_fid->df_header) > rec_len) return ret; - dlen = dfid->df_header.ddh_length; - if (dlen < sizeof(*dfid) || data_offset + dlen > de->rec_len) + dlen = disk_fid->df_header.ddh_length; + if (dlen < sizeof(*disk_fid) || data_offset + dlen > rec_len) return ret; if (dfid) { - memcpy(dfid, dfid->df_fid, dfid->df_header.ddh_length); + memcpy(dfid, disk_fid->df_fid, + disk_fid->df_header.ddh_length); ret |= EXT4_DIRENT_LUFID; } data_offset += dlen; @@ -1336,11 +1352,11 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, (struct ext4_dirent_data_header *)(de->name + data_offset); unsigned int dlen; - if (data_offset + sizeof(*ddh) > de->rec_len) + if (data_offset + sizeof(*ddh) > rec_len) return ret; dlen = ddh->ddh_length; - if (dlen < sizeof(*ddh) || data_offset + dlen > de->rec_len) + if (dlen < sizeof(*ddh) || data_offset + dlen > rec_len) return ret; data_offset += dlen; @@ -1355,7 +1371,7 @@ unsigned char ext4_dirdata_get(struct ext4_dir_entry_2 *de, struct inode *dir, unsigned int dlen; dlen = dh->dh_header.ddh_length; - if (dlen < sizeof(*dh) || data_offset + dlen > de->rec_len) + if (dlen < sizeof(*dh) || data_offset + dlen > rec_len) return ret; hinfo->hash = le32_to_cpu(dh->dh_hash.hash); 
@@ -1383,12 +1399,14 @@ static void ext4_dirdata_set(struct ext4_dir_entry_2 *de, struct inode *dir, { struct dx_hash_info *hinfo = &fname->hinfo; unsigned int data_offset = de->name_len + 1; + unsigned int rec_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); if (dfid) { unsigned int dlen = dfid->df_header.ddh_length; - if (data_offset + dlen > de->rec_len) { + if (data_offset + dlen > rec_len) { EXT4_ERROR_INODE(dir, "Can not insert FID"); return; } @@ -1406,7 +1424,7 @@ static void ext4_dirdata_set(struct ext4_dir_entry_2 *de, struct inode *dir, struct ext4_dirent_hash *dh = (struct ext4_dirent_hash *)(de->name + data_offset); - if (data_offset + sizeof(*dh) > de->rec_len) { + if (data_offset + sizeof(*dh) > rec_len) { EXT4_ERROR_INODE(dir, "Can not insert dhash dirdata"); return; } @@ -1418,7 +1436,7 @@ static void ext4_dirdata_set(struct ext4_dir_entry_2 *de, struct inode *dir, } else { /* Compatibility: store hash inline after filename */ if (data_offset + sizeof(struct ext4_dir_entry_hash) > - de-> rec_len) { + rec_len) { EXT4_ERROR_INODE(dir, "Can not insert dhash"); return; } @@ -1906,7 +1924,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, errout: dxtrace(printk(KERN_DEBUG "%s not found\n", fname->usr_fname->name)); success: - dx_release(frames); + dx_release(dir, frames); return bh; } @@ -2425,7 +2443,12 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, blocksize); /* initialize hashing info */ - dx_info = dx_get_dx_info(dot_de); + dx_info = dx_get_dx_info(dir, dot_de); + if (IS_ERR(dx_info)) { + brelse(bh2); + brelse(bh); + return PTR_ERR(dx_info); + } memset(dx_info, 0, sizeof(*dx_info)); dx_info->info_length = sizeof(*dx_info); if (ext4_hash_in_dirent(dir)) @@ -2483,7 +2506,7 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, */ if (retval) ext4_mark_inode_dirty(handle, dir); - dx_release(frames); + dx_release(dir, frames); brelse(bh2); return retval; } 
@@ -2759,8 +2782,13 @@ static int ext4_dx_add_entry(handle_t *handle, struct ext4_filename *fname, /* Set up root */ dx_set_count(entries, 1); dx_set_block(entries + 0, newblock); - info = dx_get_dx_info((struct ext4_dir_entry_2 *) + info = dx_get_dx_info(dir, (struct ext4_dir_entry_2 *) frames[0].bh->b_data); + if (IS_ERR(info)) { + err = PTR_ERR(info); + brelse(bh2); + goto journal_error; + } info->indirect_levels += 1; dxtrace(printk(KERN_DEBUG "Creating %d level index...\n", @@ -2788,7 +2816,7 @@ static int ext4_dx_add_entry(handle_t *handle, struct ext4_filename *fname, ext4_std_error(dir->i_sb, err); /* this is a no-op if err == 0 */ cleanup: brelse(bh); - dx_release(frames); + dx_release(dir, frames); /* @restart is true means htree-path has been changed, we need to * repeat dx_probe() to find out valid htree-path */ @@ -4463,6 +4491,29 @@ int ext4_dirdata_set_lufid(struct inode *dir, const char *filename, } EXT4_I(inode)->i_dirdata = old_dirdata; + if (err) { + /* + * The original entry was already removed above and the + * re-add with the new LUFID failed; try to restore the + * original entry so the inode isn't left without any + * directory entry pointing at it. + */ + struct dentry parent_dentry = { .d_inode = dir }; + struct dentry orig_dentry = { + .d_name = d_name, + .d_parent = &parent_dentry, + .d_inode = inode, + }; + int rollback_err = ext4_add_entry(handle, &orig_dentry, inode); + + if (rollback_err) + EXT4_ERROR_INODE(dir, + "Failed to set LUFID on '%.*s' (err=%d) and failed to restore the original directory entry (err=%d); inode %llu may be orphaned", + namelen, filename, err, rollback_err, + inode->i_ino); + goto out_unlock; + } + /* Update inode times */ inode_set_ctime_current(dir); inode_inc_iversion(dir); -- 2.43.7 ^ permalink raw reply related [flat|nested] 10+ messages in thread
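Review bot: in the dx_get_dx_info() hunk (@@ -520,13 +520,20 @@), the new bounds check runs only after both ext4_dir_entry_len() advances, so if the '.' record's length already points past the block, the second `de_buf += ext4_dir_entry_len(de_buf, dir);` parses the '..' record from beyond the buffer before ERR_PTR(-EFSCORRUPTED) is ever returned, which is the same class of out-of-bounds read the KASAN reports above show. Check `(char *)de_buf - (char *)base` against blocksize after each advance (the first check needs room for a full dirent header, the second for sizeof(struct dx_root_info)) rather than once at the end. The `de_buf < base` test can go: both steps only add non-negative lengths, so it can never be true.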
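Review bot: in the dx_probe() hunk (@@ -793,7 +802,9 @@), `goto fail` on IS_ERR(info) drops the -EFSCORRUPTED that dx_get_dx_info() just returned and relies on whatever ret_err held before, and nothing is logged. Either propagate it (`ret_err = ERR_CAST(info); goto fail;`) or emit an ext4_warning_inode()/EXT4_ERROR_INODE() first, so a corrupt dx root is distinguishable in the log from an ordinary lookup miss.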
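Review bot: in the dx_release() hunk (@@ -947,7 +958,9 @@), `if (IS_ERR(info)) return;` skips the brelse loop below it and leaks every buffer head in frames[], and dx_release() is the cleanup path for every dx_probe() caller touched by this patch. At minimum brelse(frames[0].bh) before returning; the cleaner fix is to record indirect_levels in the frame when dx_probe() validated the root (it already reads the same info there), so dx_release() never has to reparse the on-disk root block to know how many frames to drop.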
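Review bot: in the first ext4_dirdata_get() hunk (@@ -1296,8 +1309,10 @@), `dir->i_sb->s_blocksize` now dereferences dir unconditionally, while the commit message notes that the code being replaced leaned on ext4_dir_entry_len()'s NULL-dir blocksize fallback. Confirm that no caller of ext4_dirdata_get() or ext4_dirdata_set() (the ext4_dirdata_set() hunk adds the identical expression) can pass dir == NULL, or guard it; a NULL dir here would turn a corrupt-image read into a kernel oops.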
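Review bot: in the EXT4_DIRENT_LUFID hunk (@@ -1312,19 +1327,20 @@), `memcpy(dfid, disk_fid->df_fid, disk_fid->df_header.ddh_length);` copies ddh_length bytes starting at df_fid, but the two checks just above treat ddh_length (`dlen`) as the size of the whole record including df_header (`dlen < sizeof(*disk_fid)` and `data_offset + dlen > rec_len`). The copy therefore reads sizeof(disk_fid->df_header) bytes past the span that was validated against rec_len, and it writes an on-disk-controlled number of bytes into the caller's dfid buffer with no check of that buffer's capacity in this function. Copy `dlen - sizeof(disk_fid->df_header)` bytes (or the whole record from disk_fid, if callers expect the header) and clamp to the destination size.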
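Review bot: in the make_indexed_dir() hunk (@@ -2425,7 +2443,12 @@), the new error path does `brelse(bh2); brelse(bh); return PTR_ERR(dx_info);` while the function's normal exit in the following hunk goes through `dx_release(dir, frames); brelse(bh2); return retval;`. If bh2 was appended under the running journal handle (not visible in the hunk), a bare return skips whatever the other error exits of this function do with the handle; route this failure through the same exit as the rest. Also, make_indexed_dir() has just laid out '.' and '..' itself a few lines up, so a dx_get_dx_info() failure here means this code computed a bad layout, not that the disk is corrupt; a WARN_ON_ONCE() is more informative than -EFSCORRUPTED for that case.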
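Review bot: in the ext4_dx_add_entry() hunk (@@ -2759,8 +2782,13 @@), the IS_ERR(info) exit is reached after `dx_set_count(entries, 1);` and `dx_set_block(entries + 0, newblock);` have already rewritten the root's index entries in memory, so the function unwinds to journal_error with a half-converted root block sitting in the buffer. Since dx_probe() validated this same root block earlier in the call, fetch (or cache) dx_info before the root is modified, and report the inconsistency with EXT4_ERROR_INODE() rather than unwinding silently. The `brelse(bh2)` before the goto is consistent with the cleanup: label in the next hunk, which releases only bh.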
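Review bot: in the ext4_dirdata_set_lufid() hunk (@@ -4463,6 +4491,29 @@), the rollback builds a `struct dentry` on the stack with only d_name, d_parent and d_inode populated and hands it to ext4_add_entry(); any field the add path consults beyond those three (d_sb, d_flags for casefolded directories, d_lock) is zero-initialised stack state, so the behaviour is undefined the moment that path grows. Prefer an internal helper that takes the parent inode and name directly, or look up the real dentry. The rollback also runs under the same handle whose ext4_add_entry() just failed, so for ENOSPC or an aborted journal it fails the same way and the inode still ends up unlinked; rewriting the entry in place when the new LUFID fits the existing rec_len would remove the delete-then-re-add window altogether. Finally, `namelen` is not visible in the hunk; confirm it is the same length used to build d_name so the "%.*s" in the error message cannot overread filename.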
* [syzbot ci] Re: Data in direntry (dirdata) feature 2026-06-19 16:45 ` Artem Blagodarenko @ 2026-06-19 17:39 ` syzbot ci 0 siblings, 0 replies; 10+ messages in thread
From: syzbot ci @ 2026-06-19 17:39 UTC (permalink / raw)
To: artem.blagodarenko, syzbot; +Cc: syzbot, syzkaller-bugs

syzbot ci has tested the suggested fix patch on top of the following series:

[v2] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260610152417.13576-1-ablagodarenko@thelustrecollective.com

Patch: https://ci.syzbot.org/jobs/7b048bf9-1956-4726-960c-6439488b701f/patch

Testing results:

* [build 0] Build Patched: passed
* [build 0] Boot test: Patched: passed

Full report is available here:
https://ci.syzbot.org/session/40a7ca8a-ac83-4f97-91a0-233437f73a40

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
[parent not found: <20260619191022.27008-1-ablagodarenko@thelustrecollective.com>]
* [syzbot ci] Re: Data in direntry (dirdata) feature [not found] <20260619191022.27008-1-ablagodarenko@thelustrecollective.com> @ 2026-06-20 6:55 ` syzbot ci 0 siblings, 0 replies; 10+ messages in thread
From: syzbot ci @ 2026-06-20 6:55 UTC (permalink / raw)
To: adilger.kernel, adilger, adilger, artem.blagodarenko, linux-ext4, pravin.shelar
Cc: syzbot, syzkaller-bugs

syzbot ci has tested the following series

[v3] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260619191022.27008-1-ablagodarenko@thelustrecollective.com
* [PATCH v3 01/10] ext4: replace ext4_dir_entry with ext4_dir_entry_2
* [PATCH v3 02/10] ext4: add ext4_dir_entry_is_tail()
* [PATCH v3 03/10] ext4: refactor dx_root to support variable dirent sizes
* [PATCH v3 04/10] ext4: add dirdata format definitions and access helpers
* [PATCH v3 05/10] ext4: preserve dirdata bits in get_dtype()
* [PATCH v3 06/10] ext4: add ext4_dir_entry_len() and harden dirdata parsing
* [PATCH v3 07/10] ext4: rename ext4_dir_rec_len() and clarify dirdata usage
* [PATCH v3 08/10] ext4: dirdata feature
* [PATCH v3 09/10] ext4: add dirdata set/get helpers
* [PATCH v3 10/10] ext4: Add EXT4_IOC_SET_LUFID ioctl for setting LUFID on directory entries

and found the following issues:
* KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
* KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree
* KASAN: slab-use-after-free Read in __ext4_check_dir_entry
* KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree
* KASAN: use-after-free Read in __ext4_check_dir_entry

Full report is available here:
https://ci.syzbot.org/series/a3c6e513-a6eb-4583-86f6-89176398b397

***

KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry

tree: torvalds
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base: 08c7183f5b9ffe4408e74fff848a4cc2105361d4
arch: amd64
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config:
https://ci.syzbot.org/builds/0efdb868-daeb-4649-9bcb-5af41d993e73/config syz repro: https://ci.syzbot.org/findings/ec557d64-7b60-46c9-a0eb-feaa7a3eb2cd/syz_repro loop0: lost filesystem error report for type 5 error -117 EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline] BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline] BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x659/0xbe0 fs/ext4/dir.c:96 Read of size 1 at addr ffff88816e86bcd9 by task syz.0.21/5783 CPU: 1 UID: 0 PID: 5783 Comm: syz.0.21 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline] ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline] __ext4_check_dir_entry+0x659/0xbe0 fs/ext4/dir.c:96 ext4_check_all_de+0x6a/0x140 fs/ext4/dir.c:657 ext4_convert_inline_data_nolock+0x1b7/0x980 fs/ext4/inline.c:1121 ext4_try_add_inline_entry+0x5cc/0x8a0 fs/ext4/inline.c:1247 __ext4_add_entry+0x385/0x3470 fs/ext4/namei.c:2552 ext4_add_entry fs/ext4/namei.c:2636 [inline] ext4_mkdir+0x5f3/0xd30 fs/ext4/namei.c:3203 vfs_mkdir+0x406/0x620 fs/namei.c:5272 filename_mkdirat+0x285/0x510 fs/namei.c:5305 __do_sys_mkdirat fs/namei.c:5326 [inline] __se_sys_mkdirat+0x35/0x150 fs/namei.c:5323 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb4c839ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 
d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd4b254a88 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 00007fb4c8615fa0 RCX: 00007fb4c839ce59 RDX: 0000000000000037 RSI: 0000200000000380 RDI: 0000000000000004 RBP: 00007fb4c8432e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fb4c8615fac R14: 00007fb4c8615fa0 R15: 00007fb4c8615fa0 </TASK> Allocated by task 5056: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x318/0x660 mm/slub.c:5451 _kmalloc_noprof include/linux/slab.h:969 [inline] _kzalloc_noprof include/linux/slab.h:1286 [inline] kernfs_get_open_node fs/kernfs/file.c:536 [inline] kernfs_fop_open+0x7e6/0xce0 fs/kernfs/file.c:711 do_dentry_open+0x816/0x1380 fs/open.c:947 vfs_open+0x3b/0x340 fs/open.c:1079 do_open fs/namei.c:4700 [inline] path_openat+0x2e44/0x3830 fs/namei.c:4859 do_file_open+0x23e/0x4a0 fs/namei.c:4888 do_sys_openat2+0x115/0x200 fs/open.c:1395 do_sys_open fs/open.c:1401 [inline] __do_sys_openat fs/open.c:1417 [inline] __se_sys_openat fs/open.c:1412 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1412 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88816e86bc00 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 89 bytes to the right of allocated 128-byte region [ffff88816e86bc00, ffff88816e86bc80) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88816e86bf00 pfn:0x16e86b flags: 
0x57ff00000000200(workingset|node=1|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 057ff00000000200 ffff888100041a00 ffff888160400648 ffff888160400648 raw: ffff88816e86bf00 000000080010000f 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5056, tgid 5056 (udevd), ts 53238350188, free_ts 53091667410 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 alloc_slab_page mm/slub.c:3289 [inline] allocate_slab+0x74/0x5d0 mm/slub.c:3404 new_slab mm/slub.c:3447 [inline] refill_objects+0x328/0x3c0 mm/slub.c:7241 refill_sheaf mm/slub.c:2827 [inline] __pcs_replace_empty_main+0x2e0/0x6b0 mm/slub.c:4692 alloc_from_pcs mm/slub.c:4790 [inline] slab_alloc_node mm/slub.c:4924 [inline] __kmalloc_cache_noprof+0x388/0x660 mm/slub.c:5446 _kmalloc_noprof include/linux/slab.h:969 [inline] _kzalloc_noprof include/linux/slab.h:1286 [inline] kernfs_get_open_node fs/kernfs/file.c:536 [inline] kernfs_fop_open+0x7e6/0xce0 fs/kernfs/file.c:711 do_dentry_open+0x816/0x1380 fs/open.c:947 vfs_open+0x3b/0x340 fs/open.c:1079 do_open fs/namei.c:4700 [inline] path_openat+0x2e44/0x3830 fs/namei.c:4859 do_file_open+0x23e/0x4a0 fs/namei.c:4888 do_sys_openat2+0x115/0x200 fs/open.c:1395 do_sys_open fs/open.c:1401 [inline] __do_sys_openat fs/open.c:1417 [inline] __se_sys_openat fs/open.c:1412 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1412 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 23 tgid 23 stack trace: reset_page_owner include/linux/page_owner.h:25 
[inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 run_ksoftirqd+0x36/0x60 kernel/softirq.c:1076 smpboot_thread_fn+0x57c/0xa80 kernel/smpboot.c:160 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff88816e86bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88816e86bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88816e86bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88816e86bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88816e86bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== *** KASAN: slab-out-of-bounds Read in ext4_inlinedir_to_tree tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 08c7183f5b9ffe4408e74fff848a4cc2105361d4 arch: amd64 compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6 config: https://ci.syzbot.org/builds/0efdb868-daeb-4649-9bcb-5af41d993e73/config syz repro: https://ci.syzbot.org/findings/bb78d414-4cff-400b-aaf6-76d450b12cda/syz_repro ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4182 [inline] BUG: KASAN: slab-out-of-bounds in ext4_inlinedir_to_tree+0xd95/0x10a0 fs/ext4/inline.c:1335 Read of size 2 at addr ffff88816f219a3c by task syz.1.18/5830 CPU: 1 UID: 0 PID: 5830 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 ext4_dir_entry_len fs/ext4/ext4.h:4182 [inline] ext4_inlinedir_to_tree+0xd95/0x10a0 fs/ext4/inline.c:1335 ext4_htree_fill_tree+0x4c9/0x2480 fs/ext4/namei.c:1195 ext4_dx_readdir fs/ext4/dir.c:600 [inline] ext4_readdir+0x2e2a/0x3720 fs/ext4/dir.c:146 iterate_dir+0x2e2/0x4d0 fs/readdir.c:110 __do_sys_getdents fs/readdir.c:319 [inline] __se_sys_getdents+0xf1/0x270 fs/readdir.c:304 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe51459ce59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe515527028 EFLAGS: 00000246 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007fe514815fa0 RCX: 00007fe51459ce59 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 RBP: 00007fe514632e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fe514816038 R14: 00007fe514815fa0 R15: 00007fffd9b381d8 </TASK> Allocated by task 5830: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5334 [inline] __kmalloc_noprof+0x358/0x750 mm/slub.c:5347 _kmalloc_noprof include/linux/slab.h:973 [inline] ext4_inlinedir_to_tree+0x2ec/0x10a0 fs/ext4/inline.c:1292 ext4_htree_fill_tree+0x4c9/0x2480 fs/ext4/namei.c:1195 ext4_dx_readdir fs/ext4/dir.c:600 [inline] 
 ext4_readdir+0x2e2a/0x3720 fs/ext4/dir.c:146
 iterate_dir+0x2e2/0x4d0 fs/readdir.c:110
 __do_sys_getdents fs/readdir.c:319 [inline]
 __se_sys_getdents+0xf1/0x270 fs/readdir.c:304
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88816f219a00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
 allocated 60-byte region [ffff88816f219a00, ffff88816f219a3c)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16f219
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 10138712683, free_ts 10137977139
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 alloc_slab_page mm/slub.c:3289 [inline]
 allocate_slab+0x74/0x5d0 mm/slub.c:3404
 new_slab mm/slub.c:3447 [inline]
 refill_objects+0x328/0x3c0 mm/slub.c:7241
 refill_sheaf mm/slub.c:2827 [inline]
 __pcs_replace_empty_main+0x2e0/0x6b0 mm/slub.c:4692
 alloc_from_pcs mm/slub.c:4790 [inline]
 slab_alloc_node mm/slub.c:4924 [inline]
 __do_kmalloc_node mm/slub.c:5333 [inline]
 __kmalloc_noprof+0x464/0x750 mm/slub.c:5347
 _kmalloc_noprof include/linux/slab.h:973 [inline]
 _kzalloc_noprof include/linux/slab.h:1286 [inline]
 kobject_get_path+0xc5/0x2f0 lib/kobject.c:161
 kobject_uevent_env+0x29e/0x9e0 lib/kobject_uevent.c:548
 device_add+0x544/0xb80 drivers/base/core.c:3738
 scsi_add_host_with_dma+0x5db/0xd00 drivers/scsi/hosts.c:287
 ata_scsi_add_hosts+0x29b/0x4b0 drivers/ata/libata-scsi.c:4659
 ata_host_register+0x1c5/0x7d0 drivers/ata/libata-core.c:6131
 ata_host_activate+0x33c/0x3c0 drivers/ata/libata-core.c:6234
 ahci_init_one+0x1afa/0x22b0 drivers/ata/ahci.c:3090
 local_pci_probe drivers/pci/pci-driver.c:332 [inline]
 pci_call_probe drivers/pci/pci-driver.c:394 [inline]
 __pci_device_probe drivers/pci/pci-driver.c:455 [inline]
 pci_device_probe+0x431/0xc90 drivers/pci/pci-driver.c:489
page last free pid 36 tgid 36 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1397 [inline]
 __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline]
 __kasan_populate_vmalloc+0x1a8/0x1c0 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:580 [inline]
 alloc_vmap_area+0xd1a/0x1420 mm/vmalloc.c:2123
 __get_vm_area_node+0x1f2/0x300 mm/vmalloc.c:3226
 __vmalloc_node_range_noprof+0x358/0x1730 mm/vmalloc.c:4024
 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:358 [inline]
 dup_task_struct+0x28e/0x850 kernel/fork.c:928
 copy_process+0x81b/0x42e0 kernel/fork.c:2109
 kernel_clone+0x2d7/0x940 kernel/fork.c:2745
 user_mode_thread+0x110/0x180 kernel/fork.c:2821
 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88816f219900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff88816f219980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88816f219a00: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
                                        ^
 ffff88816f219a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88816f219b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: slab-use-after-free Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      08c7183f5b9ffe4408e74fff848a4cc2105361d4
arch:      amd64
compiler:  Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config:    https://ci.syzbot.org/builds/0efdb868-daeb-4649-9bcb-5af41d993e73/config
syz repro: https://ci.syzbot.org/findings/f322e293-7a3f-469a-ae1f-677c84eb4c0f/syz_repro

==================================================================
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline]
BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x659/0xbe0 fs/ext4/dir.c:96
Read of size 1 at addr ffff888103e89c1d by task syz.2.19/5867

CPU: 0 UID: 0 PID: 5867 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline]
 __ext4_check_dir_entry+0x659/0xbe0 fs/ext4/dir.c:96
 ext4_check_all_de+0x6a/0x140 fs/ext4/dir.c:657
 ext4_convert_inline_data_nolock+0x1b7/0x980 fs/ext4/inline.c:1121
 ext4_try_add_inline_entry+0x5cc/0x8a0 fs/ext4/inline.c:1247
 __ext4_add_entry+0x385/0x3470 fs/ext4/namei.c:2552
 ext4_add_entry fs/ext4/namei.c:2636 [inline]
 ext4_mkdir+0x5f3/0xd30 fs/ext4/namei.c:3203
 vfs_mkdir+0x406/0x620 fs/namei.c:5272
 filename_mkdirat+0x285/0x510 fs/namei.c:5305
 __do_sys_mkdirat fs/namei.c:5326 [inline]
 __se_sys_mkdirat+0x35/0x150 fs/namei.c:5323
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb01d39ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb01e269028 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fb01d615fa0 RCX: 00007fb01d39ce59
RDX: 0000000000000037 RSI: 0000200000000380 RDI: 0000000000000004
RBP: 00007fb01d432e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb01d616038 R14: 00007fb01d615fa0 R15: 00007ffdec822cc8
 </TASK>

Allocated by task 5630:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x318/0x660 mm/slub.c:5451
 _kmalloc_noprof include/linux/slab.h:969 [inline]
 __hw_addr_create+0x62/0x240 net/core/dev_addr_lists.c:69
 __hw_addr_add_ex+0x1ce/0x520 net/core/dev_addr_lists.c:127
 __hw_addr_add net/core/dev_addr_lists.c:144 [inline]
 dev_addr_init+0x15a/0x240 net/core/dev_addr_lists.c:696
 alloc_netdev_mqs+0x2b4/0x1270 net/core/dev.c:12064
 __ip_tunnel_create+0x348/0x560 net/ipv4/ip_tunnel.c:255
 ip_tunnel_init_net+0x2ea/0x810 net/ipv4/ip_tunnel.c:1150
 ops_init+0x35d/0x5d0 net/core/net_namespace.c:137
 setup_net+0x118/0x350 net/core/net_namespace.c:446
 copy_net_ns+0x4f9/0x720 net/core/net_namespace.c:579
 create_new_namespaces+0x3f0/0x6b0 kernel/nsproxy.c:132
 unshare_nsproxy_namespaces+0x149/0x190 kernel/nsproxy.c:234
 ksys_unshare+0x57d/0xa00 kernel/fork.c:3266
 __do_sys_unshare kernel/fork.c:3340 [inline]
 __se_sys_unshare kernel/fork.c:3338 [inline]
 __x64_sys_unshare+0x38/0x50 kernel/fork.c:3338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 68:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2700 [inline]
 slab_free_freelist_hook mm/slub.c:2729 [inline]
 slab_free_bulk mm/slub.c:6344 [inline]
 kmem_cache_free_bulk+0x30f/0x1180 mm/slub.c:7076
 kfree_bulk include/linux/slab.h:891 [inline]
 kvfree_rcu_bulk+0xc6/0x190 mm/slab_common.c:1502
 kvfree_rcu_drain_ready mm/slab_common.c:1704 [inline]
 kfree_rcu_monitor+0x21a/0x2b0 mm/slab_common.c:1777
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
 kvfree_call_rcu+0x100/0x430 mm/slab_common.c:1970
 __hw_addr_flush net/core/dev_addr_lists.c:500 [inline]
 dev_addr_flush+0x16c/0x210 net/core/dev_addr_lists.c:673
 free_netdev+0x26c/0x6e0 net/core/dev.c:12209
 netdev_run_todo+0xf3d/0x10d0 net/core/dev.c:11743
 ops_exit_rtnl_list net/core/net_namespace.c:189 [inline]
 ops_undo_list+0x396/0x8d0 net/core/net_namespace.c:248
 cleanup_net+0x572/0x810 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888103e89c00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 29 bytes inside of
 freed 128-byte region [ffff888103e89c00, ffff888103e89c80)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103e89
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff888100041a00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2773920656, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 alloc_slab_page mm/slub.c:3289 [inline]
 allocate_slab+0x74/0x5d0 mm/slub.c:3404
 new_slab mm/slub.c:3447 [inline]
 refill_objects+0x328/0x3c0 mm/slub.c:7241
 refill_sheaf mm/slub.c:2827 [inline]
 __pcs_replace_empty_main+0x2e0/0x6b0 mm/slub.c:4692
 alloc_from_pcs mm/slub.c:4790 [inline]
 slab_alloc_node mm/slub.c:4924 [inline]
 __do_kmalloc_node mm/slub.c:5333 [inline]
 __kmalloc_noprof+0x464/0x750 mm/slub.c:5347
 _kmalloc_noprof include/linux/slab.h:973 [inline]
 _kzalloc_noprof include/linux/slab.h:1286 [inline]
 __alloc_empty_sheaf+0x24/0x40 mm/slub.c:2774
 alloc_empty_sheaf mm/slub.c:2794 [inline]
 __pcs_replace_empty_main+0x447/0x6b0 mm/slub.c:4687
 alloc_from_pcs mm/slub.c:4790 [inline]
 slab_alloc_node mm/slub.c:4924 [inline]
 kmem_cache_alloc_lru_noprof+0x372/0x640 mm/slub.c:4958
 alloc_inode+0x6a/0x1b0 fs/inode.c:341
 new_inode+0x1f/0x170 fs/inode.c:1177
 debugfs_get_inode fs/debugfs/inode.c:72 [inline]
 debugfs_create_dir+0x68/0x350 fs/debugfs/inode.c:578
 blk_dev_init+0xdf/0x150 block/blk-core.c:1333
 genhd_device_init+0x1c/0x50 block/genhd.c:1002
 do_one_initcall+0x250/0x870 init/main.c:1347
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888103e89b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888103e89b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888103e89c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888103e89c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888103e89d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

***

KASAN: slab-use-after-free Read in ext4_inlinedir_to_tree

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      08c7183f5b9ffe4408e74fff848a4cc2105361d4
arch:      amd64
compiler:  Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config:    https://ci.syzbot.org/builds/0efdb868-daeb-4649-9bcb-5af41d993e73/config
syz repro: https://ci.syzbot.org/findings/b1e2a550-a6c3-410a-ae53-ca1e5366cc94/syz_repro

loop0: lost filesystem error report for type 5 error -117
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline]
BUG: KASAN: slab-use-after-free in ext4_inlinedir_to_tree+0x8f0/0x10a0 fs/ext4/inline.c:1335
Read of size 1 at addr ffff888111d0149d by task syz.0.19/5801

CPU: 1 UID: 0 PID: 5801 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline]
 ext4_inlinedir_to_tree+0x8f0/0x10a0 fs/ext4/inline.c:1335
 ext4_htree_fill_tree+0x4c9/0x2480 fs/ext4/namei.c:1195
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2e2a/0x3720 fs/ext4/dir.c:146
 iterate_dir+0x2e2/0x4d0 fs/readdir.c:110
 __do_sys_getdents fs/readdir.c:319 [inline]
 __se_sys_getdents+0xf1/0x270 fs/readdir.c:304
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e8459ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef0bce788 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f6e84815fa0 RCX: 00007f6e8459ce59
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f6e84632e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e84815fac R14: 00007f6e84815fa0 R15: 00007f6e84815fa0
 </TASK>

Allocated by task 5738:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x318/0x660 mm/slub.c:5451
 _kmalloc_noprof include/linux/slab.h:969 [inline]
 __kthread_create_on_node+0x115/0x3d0 kernel/kthread.c:483
 kthread_create_on_node+0xeb/0x140 kernel/kthread.c:559
 napi_kthread_create net/core/dev.c:1656 [inline]
 netif_napi_add_weight_locked+0x699/0x940 net/core/dev.c:7594
 netif_napi_add_weight include/linux/netdevice.h:2870 [inline]
 netif_napi_add include/linux/netdevice.h:2887 [inline]
 wg_peer_create+0x52d/0x860 drivers/net/wireguard/peer.c:57
 set_peer drivers/net/wireguard/netlink.c:392 [inline]
 wg_set_device_doit+0xf3a/0x2120 drivers/net/wireguard/netlink.c:569
 genl_family_rcv_msg_doit+0x233/0x340 net/netlink/genetlink.c:1114
 genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline]
 genl_rcv_msg+0x614/0x7a0 net/netlink/genetlink.c:1209
 netlink_rcv_skb+0x226/0x4a0 net/netlink/af_netlink.c:2556
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1218
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x7bb/0x940 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec+0x13a/0x180 net/socket.c:775
 __sock_sendmsg net/socket.c:790 [inline]
 __sys_sendto+0x408/0x5a0 net/socket.c:2252
 __do_sys_sendto net/socket.c:2259 [inline]
 __se_sys_sendto net/socket.c:2255 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2255
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5738:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2700 [inline] slab_free mm/slub.c:6310 [inline] kfree+0x1c5/0x640 mm/slub.c:6625 __kthread_create_on_node+0x2fe/0x3d0 kernel/kthread.c:523 kthread_create_on_node+0xeb/0x140 kernel/kthread.c:559 napi_kthread_create net/core/dev.c:1656 [inline] netif_napi_add_weight_locked+0x699/0x940 net/core/dev.c:7594 netif_napi_add_weight include/linux/netdevice.h:2870 [inline] netif_napi_add include/linux/netdevice.h:2887 [inline] wg_peer_create+0x52d/0x860 drivers/net/wireguard/peer.c:57 set_peer drivers/net/wireguard/netlink.c:392 [inline] wg_set_device_doit+0xf3a/0x2120 drivers/net/wireguard/netlink.c:569 genl_family_rcv_msg_doit+0x233/0x340 net/netlink/genetlink.c:1114 genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline] genl_rcv_msg+0x614/0x7a0 net/netlink/genetlink.c:1209 netlink_rcv_skb+0x226/0x4a0 net/netlink/af_netlink.c:2556 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1218 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x7bb/0x940 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1900 sock_sendmsg_nosec+0x13a/0x180 net/socket.c:775 __sock_sendmsg net/socket.c:790 [inline] __sys_sendto+0x408/0x5a0 net/socket.c:2252 __do_sys_sendto net/socket.c:2259 [inline] __se_sys_sendto net/socket.c:2255 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2255 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888111d01480 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 29 bytes inside of freed 64-byte region [ffff888111d01480, ffff888111d014c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111d01 flags: 
0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1113, tgid 1113 (kworker/u9:4), ts 18841797934, free_ts 18841792693 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 alloc_slab_page mm/slub.c:3289 [inline] allocate_slab+0x74/0x5d0 mm/slub.c:3404 new_slab mm/slub.c:3447 [inline] refill_objects+0x328/0x3c0 mm/slub.c:7241 refill_sheaf mm/slub.c:2827 [inline] __pcs_replace_empty_main+0x2e0/0x6b0 mm/slub.c:4692 alloc_from_pcs mm/slub.c:4790 [inline] slab_alloc_node mm/slub.c:4924 [inline] __do_kmalloc_node mm/slub.c:5333 [inline] __kmalloc_node_noprof+0x56a/0x7b0 mm/slub.c:5340 _kmalloc_node_noprof include/linux/slab.h:1174 [inline] __vmalloc_area_node mm/vmalloc.c:3857 [inline] __vmalloc_node_range_noprof+0x5d9/0x1730 mm/vmalloc.c:4064 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124 alloc_thread_stack_node kernel/fork.c:358 [inline] dup_task_struct+0x28e/0x850 kernel/fork.c:928 copy_process+0x81b/0x42e0 kernel/fork.c:2109 kernel_clone+0x2d7/0x940 kernel/fork.c:2745 user_mode_thread+0x110/0x180 kernel/fork.c:2821 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171 process_one_work kernel/workqueue.c:3322 [inline] process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486 page last free pid 1113 tgid 1113 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare 
mm/page_alloc.c:1397 [inline]
 __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline]
 __kasan_populate_vmalloc+0x1a8/0x1c0 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:580 [inline]
 alloc_vmap_area+0xd1a/0x1420 mm/vmalloc.c:2123
 __get_vm_area_node+0x1f2/0x300 mm/vmalloc.c:3226
 __vmalloc_node_range_noprof+0x358/0x1730 mm/vmalloc.c:4024
 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:358 [inline]
 dup_task_struct+0x28e/0x850 kernel/fork.c:928
 copy_process+0x81b/0x42e0 kernel/fork.c:2109
 kernel_clone+0x2d7/0x940 kernel/fork.c:2745
 user_mode_thread+0x110/0x180 kernel/fork.c:2821
 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888111d01380: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
 ffff888111d01400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888111d01480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ^
 ffff888111d01500: 00 00 00 00 00 00 02 fc fc fc fc fc fc fc fc fc
 ffff888111d01580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: use-after-free Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      08c7183f5b9ffe4408e74fff848a4cc2105361d4
arch:      amd64
compiler:  Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config:    https://ci.syzbot.org/builds/0efdb868-daeb-4649-9bcb-5af41d993e73/config
syz repro: https://ci.syzbot.org/findings/07c4f835-36f6-4535-a165-aa25c5af571c/syz_repro

EXT4-fs error (device loop2): ext4_inlinedir_to_tree:1343: inode #21: block 10: comm syz.2.19: path /: bad entry in directory: directory entry overrun - offset=20, inode=0, rec_len=1024, size=60 fake=0
==================================================================
BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline]
BUG: KASAN: use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline]
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x659/0xbe0 fs/ext4/dir.c:96
Read of size 1 at addr ffff888112785045 by task syz.2.19/5869

CPU: 0 UID: 0 PID: 5869 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4156 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4183 [inline]
 __ext4_check_dir_entry+0x659/0xbe0 fs/ext4/dir.c:96
 ext4_find_dest_de+0x14e/0x6e0 fs/ext4/namei.c:2221
 ext4_add_dirent_to_inline+0xcc/0x410 fs/ext4/inline.c:984
 ext4_try_add_inline_entry+0x21e/0x8a0 fs/ext4/inline.c:1213
 __ext4_add_entry+0x385/0x3470 fs/ext4/namei.c:2552
 __ext4_link+0x498/0x720 fs/ext4/namei.c:3649
 ext4_link+0x1dc/0x2b0 fs/ext4/namei.c:3689
 vfs_link+0x491/0x650 fs/namei.c:5787
 ovl_do_link fs/overlayfs/overlayfs.h:233 [inline]
 ovl_copy_up_tmpfile fs/overlayfs/copy_up.c:891 [inline]
 ovl_do_copy_up fs/overlayfs/copy_up.c:986 [inline]
 ovl_copy_up_one fs/overlayfs/copy_up.c:1189 [inline]
 ovl_copy_up_flags+0x1c52/0x3930 fs/overlayfs/copy_up.c:1243
 ovl_open+0x13f/0x300 fs/overlayfs/file.c:211
 do_dentry_open+0x816/0x1380 fs/open.c:947
 vfs_open+0x3b/0x340 fs/open.c:1079
 dentry_open+0x61/0xa0 fs/open.c:1102
 ima_calc_file_hash+0x15f/0x890 security/integrity/ima/ima_crypto.c:269
 ima_collect_measurement+0x51b/0xa00 security/integrity/ima/ima_api.c:300
 process_measurement+0x1272/0x1c10 security/integrity/ima/ima_main.c:425
 ima_file_check+0xe1/0x130 security/integrity/ima/ima_main.c:685
 security_file_post_open+0xb3/0x260 security/security.c:2755
 do_open fs/namei.c:4702 [inline]
 path_openat+0x2e90/0x3830 fs/namei.c:4859
 do_file_open+0x23e/0x4a0 fs/namei.c:4888
 do_sys_openat2+0x115/0x200 fs/open.c:1395
 do_sys_open fs/open.c:1401 [inline]
 __do_sys_openat fs/open.c:1417 [inline]
 __se_sys_openat fs/open.c:1412 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1412
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fae54f9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fae55ddb028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fae55215fa0 RCX: 00007fae54f9ce59
RDX: 000000000000003f RSI: 0000200000000380 RDI: ffffffffffffff9c
RBP: 00007fae55032e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000186 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fae55216038 R14: 00007fae55215fa0 R15: 00007ffedd6a9a88
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112785
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 017ff00000000000 ffffea000449e048 ffffea000449e2c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xcc0(GFP_KERNEL), pid 26, tgid 26 (kworker/u9:0), ts 18747225753, free_ts 49527089310
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221
 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255
 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175
 ___alloc_pages_bulk mm/kasan/shadow.c:345 [inline]
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:370 [inline]
 __kasan_populate_vmalloc+0xb7/0x1c0 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:580 [inline]
 alloc_vmap_area+0xd1a/0x1420 mm/vmalloc.c:2123
 __get_vm_area_node+0x1f2/0x300 mm/vmalloc.c:3226
 __vmalloc_node_range_noprof+0x358/0x1730 mm/vmalloc.c:4024
 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:358 [inline]
 dup_task_struct+0x28e/0x850 kernel/fork.c:928
 copy_process+0x81b/0x42e0 kernel/fork.c:2109
 kernel_clone+0x2d7/0x940 kernel/fork.c:2745
 user_mode_thread+0x110/0x180 kernel/fork.c:2821
 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
page last free pid 5625 tgid 5625 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1397 [inline]
 __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938
 kasan_depopulate_vmalloc_pte+0x6d/0x90 mm/kasan/shadow.c:484
 apply_to_pte_range mm/memory.c:3338 [inline]
 apply_to_pmd_range mm/memory.c:3382 [inline]
 apply_to_pud_range mm/memory.c:3418 [inline]
 apply_to_p4d_range mm/memory.c:3454 [inline]
 __apply_to_page_range+0xbd8/0x1420 mm/memory.c:3490
 __kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:602
 kasan_release_vmalloc include/linux/kasan.h:593 [inline]
 kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
 purge_vmap_node+0x220/0x960 mm/vmalloc.c:2306
 __purge_vmap_area_lazy+0x783/0xb40 mm/vmalloc.c:2396
 drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888112784f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888112784f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888112785000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff888112785080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888112785100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:

Tested-by: syzbot@syzkaller.appspotmail.com

---

This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

To test a patch for this bug, please reply with `#syz test` (should be
on a separate line). The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
* [syzbot ci] Re: Data in direntry (dirdata) feature
From: syzbot ci @ 2026-04-18 6:47 UTC
To: adilger.kernel, adilger, artem.blagodarenko, linux-ext4, pravin.shelar
Cc: syzbot, syzkaller-bugs

syzbot ci has tested the following series

[v1] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260417213723.74204-1-artem.blagodarenko@gmail.com
* [PATCH 1/3] ext4: make dirdata work with metadata_csum
* [PATCH 2/3] ext4: add dirdata support structures and helpers
* [PATCH 3/3] ext4: dirdata feature

and found the following issues:
* KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
* KASAN: slab-out-of-bounds Read in dx_probe
* KASAN: slab-use-after-free Read in __ext4_check_dir_entry
* KASAN: slab-use-after-free Read in dx_probe
* KASAN: use-after-free Read in __ext4_check_dir_entry

Full report is available here:
https://ci.syzbot.org/series/590e846e-42c0-4497-b6ae-b95ed4468941

***

KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/d27eccd2-4663-4047-abb9-9c24cb32f887/syz_repro

loop0: lost filesystem error report for type 5 error -117
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
Read of size 1 at addr ffff8881090bfe5c by task syz.0.20/5967

CPU: 1 UID: 0 PID: 5967 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
 ext4_inlinedir_to_tree+0x6be/0xbf0 fs/ext4/inline.c:1322
 ext4_htree_fill_tree+0x50b/0x1230 fs/ext4/namei.c:1184
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2f7b/0x3870 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe47219c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe4730c0028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fe472415fa0 RCX: 00007fe47219c819
RDX: 000000000000ff80 RSI: 9999999999999999 RDI: 0000000000000004
RBP: 00007fe472232c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe472416038 R14: 00007fe472415fa0 R15: 00007ffff595c618
 </TASK>

Allocated by task 5967:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 ext4_mb_init+0x15d/0x2ad0 fs/ext4/mballoc.c:3729
 __ext4_fill_super fs/ext4/super.c:5623 [inline]
 ext4_fill_super+0x5647/0x6320 fs/ext4/super.c:5793
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3839
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881090bfe00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 44 bytes to the right of
 allocated 48-byte region [ffff8881090bfe00, ffff8881090bfe30)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1090bf
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 16414655371, free_ts 15537272896
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 kobject_get_path+0xc5/0x2f0 lib/kobject.c:161
 kobject_uevent_env+0x2a1/0x9e0 lib/kobject_uevent.c:545
 really_probe+0x789/0xaf0 drivers/base/dd.c:771
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
page last free pid 33 tgid 33 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 vfree+0x25a/0x400 mm/vmalloc.c:3479
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3398
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8881090bfd00: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
 ffff8881090bfd80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881090bfe00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff8881090bfe80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881090bff00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: slab-out-of-bounds Read in dx_probe

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/a5fcf3bd-f1ae-4b81-b5d2-f96899ea7690/syz_repro

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-out-of-bounds in dx_root_limit fs/ext4/namei.c:583 [inline]
BUG: KASAN: slab-out-of-bounds in dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861
Read of size 4 at addr ffff88816a408c10 by task syz.2.19/5980

CPU: 1 UID: 0 PID: 5980 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline]
 ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 dx_root_limit fs/ext4/namei.c:583 [inline]
 dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861
 ext4_dx_find_entry fs/ext4/namei.c:1812 [inline]
 __ext4_find_entry+0x5a9/0x2140 fs/ext4/namei.c:1652
 ext4_lookup_entry fs/ext4/namei.c:1794 [inline]
 ext4_lookup+0x17b/0x710 fs/ext4/namei.c:1860
 __lookup_slow+0x2b7/0x410 fs/namei.c:1916
 lookup_slow+0x53/0x70 fs/namei.c:1933
 walk_component fs/namei.c:2279 [inline]
 lookup_last fs/namei.c:2780 [inline]
 path_lookupat+0x3f5/0x8c0 fs/namei.c:2804
 filename_lookup+0x256/0x5d0 fs/namei.c:2833
 user_path_at+0x40/0x160 fs/namei.c:3612
 do_mount fs/namespace.c:4169 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x2dc/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f518919c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5189fbb028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5189415fa0 RCX: 00007f518919c819
RDX: 0000200000000140 RSI: 0000200000000100 RDI: 0000000000000000
RBP: 00007f5189232c91 R08: 0000200000000d80 R09: 0000000000000000
R10: 0000000001302060 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5189416038 R14: 00007f5189415fa0 R15: 00007ffc5d8d15b8
 </TASK>

Allocated by task 5243:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kvmalloc_node_noprof+0x528/0x8a0 mm/slub.c:6752
 evdev_open+0xeb/0x5b0 drivers/input/evdev.c:468
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88816a408000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1088 bytes to the right of
 allocated 2000-byte region [ffff88816a408000, ffff88816a4087d0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16a408
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff888100042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff888100042000 dead000000000100 dead000000000122
head: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
head: 057ff00000000003 ffffea0005a90201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5243, tgid 5243 (acpid), ts 25906150911, free_ts 21905842969
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kvmalloc_node_noprof+0x657/0x8a0 mm/slub.c:6752
 evdev_open+0xeb/0x5b0 drivers/input/evdev.c:468
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
page last free pid 9 tgid 9 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 vfree+0x25a/0x400 mm/vmalloc.c:3479
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3398
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88816a408b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88816a408b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88816a408c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88816a408c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88816a408d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: slab-use-after-free Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/e493ff66-4032-4979-9b5d-5118b2768ca5/syz_repro

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
Read of size 1 at addr ffff88810138889c by task syz.0.24/5978

CPU: 0 UID: 0 PID: 5978 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
 ext4_inlinedir_to_tree+0x6be/0xbf0 fs/ext4/inline.c:1322
 ext4_htree_fill_tree+0x50b/0x1230 fs/ext4/namei.c:1184
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2f7b/0x3870 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff3fe19c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff3fefac028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ff3fe415fa0 RCX: 00007ff3fe19c819
RDX: 000000000000ff80 RSI: 9999999999999999 RDI: 0000000000000004
RBP: 00007ff3fe232c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff3fe416038 R14: 00007ff3fe415fa0 R15: 00007ffd39a74998
 </TASK>

Allocated by task 5766:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0x28b/0x550 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x58d/0x5d0 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x229/0x470 security/tomoyo/file.c:776
 security_file_open+0xa9/0x240 security/security.c:2637
 do_dentry_open+0x384/0x14e0 fs/open.c:926
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5766:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 tomoyo_check_open_permission+0x32c/0x470 security/tomoyo/file.c:791
 security_file_open+0xa9/0x240 security/security.c:2637
 do_dentry_open+0x384/0x14e0 fs/open.c:926
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888101388880
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 28 bytes inside of
 freed 64-byte region [ffff888101388880, ffff8881013888c0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101388
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26, tgid 26 (kworker/u9:0), ts 4100832473, free_ts 4100767003
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 alloc_full_sheaf mm/slub.c:2834 [inline]
 __pcs_replace_empty_main+0x40a/0x730 mm/slub.c:4626
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 lsm_blob_alloc security/security.c:193 [inline]
 lsm_task_alloc security/security.c:245 [inline]
 security_task_alloc+0x4d/0x330 security/security.c:2683
 copy_process+0x16df/0x3cd0 kernel/fork.c:2206
 kernel_clone+0x248/0x8e0 kernel/fork.c:2658
 user_mode_thread+0x110/0x180 kernel/fork.c:2734
 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page last free pid 26 tgid 26 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline]
 __kasan_populate_vmalloc+0x1b2/0x1d0 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:580 [inline]
 alloc_vmap_area+0xd73/0x14b0 mm/vmalloc.c:2129
 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3232
 __vmalloc_node_range_noprof+0x372/0x1730 mm/vmalloc.c:4024
 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:355 [inline]
 dup_task_struct+0x292/0x9e0 kernel/fork.c:924
 copy_process+0x508/0x3cd0 kernel/fork.c:2051
 kernel_clone+0x248/0x8e0 kernel/fork.c:2658
 user_mode_thread+0x110/0x180 kernel/fork.c:2734
 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888101388780: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
 ffff888101388800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888101388880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                            ^
 ffff888101388900: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
 ffff888101388980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================

***

KASAN: slab-use-after-free Read in dx_probe

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/5524eff5-62fb-4cff-8d4e-7e3750aa921b/syz_repro

EXT4-fs (loop2): mounted filesystem 00000000-0000-0000-0000-000000000000 ro without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline]
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-use-after-free in dx_root_limit fs/ext4/namei.c:583 [inline]
BUG: KASAN: slab-use-after-free in dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861
Read of size 4 at addr ffff888109c42c10 by task syz.2.20/5984

CPU: 0 UID: 0 PID: 5984 Comm: syz.2.20 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline]
 ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 dx_root_limit fs/ext4/namei.c:583 [inline]
 dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861
 ext4_dx_find_entry fs/ext4/namei.c:1812 [inline]
 __ext4_find_entry+0x5a9/0x2140 fs/ext4/namei.c:1652
 ext4_lookup_entry fs/ext4/namei.c:1794 [inline]
 ext4_lookup+0x17b/0x710 fs/ext4/namei.c:1860
 lookup_open fs/namei.c:4456 [inline]
 open_last_lookups fs/namei.c:4583 [inline]
 path_openat+0x11ac/0x3860 fs/namei.c:4827
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb97dd9c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb97ec96028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fb97e015fa0 RCX: 00007fb97dd9c819
RDX: 0000000000042041 RSI: 0000200000000700 RDI: ffffffffffffff9c
RBP: 00007fb97de32c91 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000001d R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb97e016038 R14: 00007fb97e015fa0 R15: 00007fffcac5f5a8
 </TASK>

Allocated by task 5828:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827
 tomoyo_path_symlink+0xab/0xf0 security/tomoyo/tomoyo.c:212
 security_path_symlink+0x16f/0x360 security/security.c:1477
 filename_symlinkat+0x134/0x410 fs/namei.c:5638
 __do_sys_symlink fs/namei.c:5667 [inline]
 __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5828:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 tomoyo_realpath_from_path+0x598/0x5d0 security/tomoyo/realpath.c:286
tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 tomoyo_path_symlink+0xab/0xf0 security/tomoyo/tomoyo.c:212 security_path_symlink+0x16f/0x360 security/security.c:1477 filename_symlinkat+0x134/0x410 fs/namei.c:5638 __do_sys_symlink fs/namei.c:5667 [inline] __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888109c42000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3088 bytes inside of freed 4096-byte region [ffff888109c42000, ffff888109c43000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c40 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 017ff00000000040 ffff888100042140 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800040004 00000000f5000000 0000000000000000 head: 017ff00000000040 ffff888100042140 dead000000000100 dead000000000122 head: 0000000000000000 0000000800040004 00000000f5000000 0000000000000000 head: 017ff00000000003 ffffea0004271001 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5828, tgid 5828 (udevd), ts 67573015608, free_ts 47549723112 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x18d/0x380 
mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab+0x77/0x660 mm/slub.c:3481 new_slab mm/slub.c:3539 [inline] refill_objects+0x331/0x3c0 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x474/0x760 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 tomoyo_path_symlink+0xab/0xf0 security/tomoyo/tomoyo.c:212 security_path_symlink+0x16f/0x360 security/security.c:1477 filename_symlinkat+0x134/0x410 fs/namei.c:5638 __do_sys_symlink fs/namei.c:5667 [inline] __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5718 tgid 5718 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978 __slab_free+0x263/0x2b0 mm/slub.c:5573 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4873 alloc_filename fs/namei.c:142 [inline] do_getname+0x2e/0x250 fs/namei.c:182 getname include/linux/fs.h:2512 [inline] getname_maybe_null include/linux/fs.h:2519 [inline] class_filename_maybe_null_constructor include/linux/fs.h:2543 [inline] vfs_fstatat+0x45/0x170 fs/stat.c:368 
__do_sys_newfstatat fs/stat.c:538 [inline] __se_sys_newfstatat fs/stat.c:532 [inline] __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888109c42b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888109c42b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888109c42c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888109c42c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888109c42d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== *** KASAN: use-after-free Read in __ext4_check_dir_entry tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 70b672833f4025341c11b22c7f83778a5cd611bc arch: amd64 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 config: https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config syz repro: https://ci.syzbot.org/findings/21333690-a422-407b-92c7-9247a0075b74/syz_repro loop1: lost filesystem error report for type 5 error -117 EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. 
================================================================== BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline] BUG: KASAN: use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96 Read of size 1 at addr ffff88810da3609c by task syz.1.20/5966 CPU: 0 UID: 0 PID: 5966 Comm: syz.1.20 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline] ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline] __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96 ext4_inlinedir_to_tree+0x6be/0xbf0 fs/ext4/inline.c:1322 ext4_htree_fill_tree+0x50b/0x1230 fs/ext4/namei.c:1184 ext4_dx_readdir fs/ext4/dir.c:600 [inline] ext4_readdir+0x2f7b/0x3870 fs/ext4/dir.c:146 iterate_dir+0x399/0x570 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:412 [inline] __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb82a19c819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb82b01a028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007fb82a415fa0 RCX: 00007fb82a19c819 RDX: 000000000000ff80 RSI: 9999999999999999 RDI: 0000000000000004 RBP: 00007fb82a232c91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fb82a416038 R14: 
00007fb82a415fa0 R15: 00007ffdc30464e8 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810da36000 pfn:0x10da36 flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) page_type: f0(buddy) raw: 017ff00000000000 ffffea0004364708 ffffea000436a7c8 0000000000000000 raw: ffff88810da36000 0000000000000000 00000000f0000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 15037633903, free_ts 26770192426 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab+0x77/0x660 mm/slub.c:3481 new_slab mm/slub.c:3539 [inline] refill_objects+0x331/0x3c0 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x474/0x760 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] usb_alloc_urb+0x46/0x150 drivers/usb/core/urb.c:75 usb_internal_control_msg drivers/usb/core/message.c:110 [inline] usb_control_msg+0x118/0x3e0 drivers/usb/core/message.c:167 usb_get_descriptor+0xb1/0x3e0 drivers/usb/core/message.c:852 usb_get_configuration+0x3b9/0x54f0 drivers/usb/core/config.c:986 usb_enumerate_device drivers/usb/core/hub.c:2527 [inline] usb_new_device+0x145/0x16f0 drivers/usb/core/hub.c:2665 register_root_hub+0x270/0x5f0 drivers/usb/core/hcd.c:990 usb_add_hcd+0xba1/0x10b0 drivers/usb/core/hcd.c:2987 vhci_hcd_probe+0x1fa/0x3e0 
drivers/usb/usbip/vhci_hcd.c:1401 platform_probe+0xf9/0x190 drivers/base/platform.c:1418 page last free pid 5262 tgid 5262 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978 __slab_free+0x263/0x2b0 mm/slub.c:5573 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4873 alloc_empty_file+0x55/0x1d0 fs/file_table.c:237 path_openat+0x10f/0x3860 fs/namei.c:4816 do_file_open+0x23e/0x4a0 fs/namei.c:4859 do_sys_openat2+0x113/0x200 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1383 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88810da35f80: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc ffff88810da36000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88810da36080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88810da36100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88810da36180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== *** If these findings have caused you to resend the series or submit a separate fix, please add the following tag to your commit message: Tested-by: syzbot@syzkaller.appspotmail.com --- This report is generated by a bot. It may contain errors. syzbot ci engineers can be reached at syzkaller@googlegroups.com. 
To test a patch for this bug, please reply with `#syz test` (should be on
a separate line). The patch should be attached to the email.

Note: arguments like custom git repos and branches are not supported.
* Re: [syzbot ci] Re: Data in direntry (dirdata) feature
From: Artem Blagodarenko @ 2026-04-22 9:34 UTC
To: syzbot ci; +Cc: syzbot@lists.linux.dev

#syz test
From: syzbot ci <syzbot+ci6167b51351f50705@syzkaller.appspotmail.com>
Date: Saturday, 18 April 2026 at 07:47
To: adilger.kernel@dilger.ca <adilger.kernel@dilger.ca>, adilger@dilger.ca <adilger@dilger.ca>, artem.blagodarenko@gmail.com <artem.blagodarenko@gmail.com>, linux-ext4@vger.kernel.org <linux-ext4@vger.kernel.org>, pravin.shelar@sun.com <pravin.shelar@sun.com>
Cc: syzbot@lists.linux.dev <syzbot@lists.linux.dev>, syzkaller-bugs@googlegroups.com <syzkaller-bugs@googlegroups.com>
Subject: [syzbot ci] Re: Data in direntry (dirdata) feature

syzbot ci has tested the following series

[v1] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260417213723.74204-1-artem.blagodarenko@gmail.com
* [PATCH 1/3] ext4: make dirdata work with metadata_csum
* [PATCH 2/3] ext4: add dirdata support structures and helpers
* [PATCH 3/3] ext4: dirdata feature

and found the following issues:
* KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry
* KASAN: slab-out-of-bounds Read in dx_probe
* KASAN: slab-use-after-free Read in __ext4_check_dir_entry
* KASAN: slab-use-after-free Read in dx_probe
* KASAN: use-after-free Read in __ext4_check_dir_entry

Full report is available here:
https://ci.syzbot.org/series/590e846e-42c0-4497-b6ae-b95ed4468941

***

KASAN: slab-out-of-bounds Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/d27eccd2-4663-4047-abb9-9c24cb32f887/syz_repro

loop0: lost filesystem error report for type 5 error -117
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
Read of size 1 at addr ffff8881090bfe5c by task syz.0.20/5967

CPU: 1 UID: 0 PID: 5967 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
 ext4_inlinedir_to_tree+0x6be/0xbf0 fs/ext4/inline.c:1322
 ext4_htree_fill_tree+0x50b/0x1230 fs/ext4/namei.c:1184
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2f7b/0x3870 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe47219c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe4730c0028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fe472415fa0 RCX: 00007fe47219c819
RDX: 000000000000ff80 RSI: 9999999999999999 RDI: 0000000000000004
RBP: 00007fe472232c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe472416038 R14: 00007fe472415fa0 R15: 00007ffff595c618
 </TASK>

Allocated by task 5967:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 ext4_mb_init+0x15d/0x2ad0 fs/ext4/mballoc.c:3729
 __ext4_fill_super fs/ext4/super.c:5623 [inline]
 ext4_fill_super+0x5647/0x6320 fs/ext4/super.c:5793
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3839
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881090bfe00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 44 bytes to the right of
 allocated 48-byte region [ffff8881090bfe00, ffff8881090bfe30)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1090bf
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 16414655371, free_ts 15537272896
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 kobject_get_path+0xc5/0x2f0 lib/kobject.c:161
 kobject_uevent_env+0x2a1/0x9e0 lib/kobject_uevent.c:545
 really_probe+0x789/0xaf0 drivers/base/dd.c:771
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
page last free pid 33 tgid 33 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 vfree+0x25a/0x400 mm/vmalloc.c:3479
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3398
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8881090bfd00: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc
 ffff8881090bfd80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881090bfe00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff8881090bfe80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881090bff00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================


***

KASAN: slab-out-of-bounds Read in dx_probe

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/a5fcf3bd-f1ae-4b81-b5d2-f96899ea7690/syz_repro

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-out-of-bounds in dx_root_limit fs/ext4/namei.c:583 [inline]
BUG: KASAN: slab-out-of-bounds in dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861
Read of size 4 at addr ffff88816a408c10 by task syz.2.19/5980

CPU: 1 UID: 0 PID: 5980 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline]
 ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 dx_root_limit fs/ext4/namei.c:583 [inline]
 dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861
 ext4_dx_find_entry fs/ext4/namei.c:1812 [inline]
 __ext4_find_entry+0x5a9/0x2140 fs/ext4/namei.c:1652
 ext4_lookup_entry fs/ext4/namei.c:1794 [inline]
 ext4_lookup+0x17b/0x710 fs/ext4/namei.c:1860
 __lookup_slow+0x2b7/0x410 fs/namei.c:1916
 lookup_slow+0x53/0x70 fs/namei.c:1933
 walk_component fs/namei.c:2279 [inline]
 lookup_last fs/namei.c:2780 [inline]
 path_lookupat+0x3f5/0x8c0 fs/namei.c:2804
 filename_lookup+0x256/0x5d0 fs/namei.c:2833
 user_path_at+0x40/0x160 fs/namei.c:3612
 do_mount fs/namespace.c:4169 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x2dc/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f518919c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5189fbb028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5189415fa0 RCX: 00007f518919c819
RDX: 0000200000000140 RSI: 0000200000000100 RDI: 0000000000000000
RBP: 00007f5189232c91 R08: 0000200000000d80 R09: 0000000000000000
R10: 0000000001302060 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5189416038 R14: 00007f5189415fa0 R15: 00007ffc5d8d15b8
 </TASK>

Allocated by task 5243:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kvmalloc_node_noprof+0x528/0x8a0 mm/slub.c:6752
 evdev_open+0xeb/0x5b0 drivers/input/evdev.c:468
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88816a408000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1088 bytes to the right of
 allocated 2000-byte region [ffff88816a408000, ffff88816a4087d0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16a408
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff888100042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff888100042000 dead000000000100 dead000000000122
head: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
head: 057ff00000000003 ffffea0005a90201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5243, tgid 5243 (acpid), ts 25906150911, free_ts 21905842969
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kvmalloc_node_noprof+0x657/0x8a0 mm/slub.c:6752
 evdev_open+0xeb/0x5b0 drivers/input/evdev.c:468
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
page last free pid 9 tgid 9 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 vfree+0x25a/0x400 mm/vmalloc.c:3479
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3398
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88816a408b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88816a408b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88816a408c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88816a408c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88816a408d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


***

KASAN: slab-use-after-free Read in __ext4_check_dir_entry

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      70b672833f4025341c11b22c7f83778a5cd611bc
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config
syz repro: https://ci.syzbot.org/findings/e493ff66-4032-4979-9b5d-5118b2768ca5/syz_repro

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
Read of size 1 at addr ffff88810138889c by task syz.0.24/5978

CPU: 0 UID: 0 PID: 5978 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline]
 ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline]
 __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96
 ext4_inlinedir_to_tree+0x6be/0xbf0 fs/ext4/inline.c:1322
 ext4_htree_fill_tree+0x50b/0x1230 fs/ext4/namei.c:1184
 ext4_dx_readdir fs/ext4/dir.c:600 [inline]
 ext4_readdir+0x2f7b/0x3870 fs/ext4/dir.c:146
 iterate_dir+0x399/0x570 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff3fe19c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff3fefac028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ff3fe415fa0 RCX: 00007ff3fe19c819
RDX: 000000000000ff80 RSI: 9999999999999999 RDI: 0000000000000004
RBP: 00007ff3fe232c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff3fe416038 R14: 00007ff3fe415fa0 R15: 00007ffd39a74998
 </TASK>

Allocated by task 5766:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0x28b/0x550 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x58d/0x5d0 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x229/0x470 security/tomoyo/file.c:776
 security_file_open+0xa9/0x240 security/security.c:2637
 do_dentry_open+0x384/0x14e0 fs/open.c:926
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5766:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 tomoyo_check_open_permission+0x32c/0x470 security/tomoyo/file.c:791
 security_file_open+0xa9/0x240 security/security.c:2637
 do_dentry_open+0x384/0x14e0 fs/open.c:926
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888101388880
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 28 bytes inside of
 freed 64-byte region [ffff888101388880, ffff8881013888c0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101388
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000000 ffff8881000418c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26, tgid 26 (kworker/u9:0), ts 4100832473, free_ts 4100767003
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab+0x77/0x660 mm/slub.c:3481 new_slab mm/slub.c:3539 [inline] refill_objects+0x331/0x3c0 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] alloc_full_sheaf mm/slub.c:2834 [inline] __pcs_replace_empty_main+0x40a/0x730 mm/slub.c:4626 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x474/0x760 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] lsm_blob_alloc security/security.c:193 [inline] lsm_task_alloc security/security.c:245 [inline] security_task_alloc+0x4d/0x330 security/security.c:2683 copy_process+0x16df/0x3cd0 kernel/fork.c:2206 kernel_clone+0x248/0x8e0 kernel/fork.c:2658 user_mode_thread+0x110/0x180 kernel/fork.c:2734 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171 process_one_work kernel/workqueue.c:3276 [inline] process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 page last free pid 26 tgid 26 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978 __kasan_populate_vmalloc_do mm/kasan/shadow.c:393 [inline] __kasan_populate_vmalloc+0x1b2/0x1d0 mm/kasan/shadow.c:424 kasan_populate_vmalloc include/linux/kasan.h:580 [inline] alloc_vmap_area+0xd73/0x14b0 mm/vmalloc.c:2129 __get_vm_area_node+0x1f8/0x300 mm/vmalloc.c:3232 __vmalloc_node_range_noprof+0x372/0x1730 mm/vmalloc.c:4024 __vmalloc_node_noprof+0xc2/0x100 mm/vmalloc.c:4124 alloc_thread_stack_node kernel/fork.c:355 [inline] dup_task_struct+0x292/0x9e0 kernel/fork.c:924 
copy_process+0x508/0x3cd0 kernel/fork.c:2051 kernel_clone+0x248/0x8e0 kernel/fork.c:2658 user_mode_thread+0x110/0x180 kernel/fork.c:2734 call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171 process_one_work kernel/workqueue.c:3276 [inline] process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff888101388780: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc ffff888101388800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff888101388880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff888101388900: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888101388980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== *** KASAN: slab-use-after-free Read in dx_probe tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 70b672833f4025341c11b22c7f83778a5cd611bc arch: amd64 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 config: https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config syz repro: https://ci.syzbot.org/findings/5524eff5-62fb-4cff-8d4e-7e3750aa921b/syz_repro EXT4-fs (loop2): mounted filesystem 00000000-0000-0000-0000-000000000000 ro without journal. Quota mode: none. 
================================================================== BUG: KASAN: slab-use-after-free in ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline] BUG: KASAN: slab-use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline] BUG: KASAN: slab-use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline] BUG: KASAN: slab-use-after-free in dx_root_limit fs/ext4/namei.c:583 [inline] BUG: KASAN: slab-use-after-free in dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861 Read of size 4 at addr ffff888109c42c10 by task syz.2.20/5984 CPU: 0 UID: 0 PID: 5984 Comm: syz.2.20 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 ext4_dir_entry_is_tail fs/ext4/ext4.h:4001 [inline] ext4_dirent_get_data_len fs/ext4/ext4.h:4024 [inline] ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline] dx_root_limit fs/ext4/namei.c:583 [inline] dx_probe+0x1ac9/0x1d90 fs/ext4/namei.c:861 ext4_dx_find_entry fs/ext4/namei.c:1812 [inline] __ext4_find_entry+0x5a9/0x2140 fs/ext4/namei.c:1652 ext4_lookup_entry fs/ext4/namei.c:1794 [inline] ext4_lookup+0x17b/0x710 fs/ext4/namei.c:1860 lookup_open fs/namei.c:4456 [inline] open_last_lookups fs/namei.c:4583 [inline] path_openat+0x11ac/0x3860 fs/namei.c:4827 do_file_open+0x23e/0x4a0 fs/namei.c:4859 do_sys_openat2+0x113/0x200 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1383 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb97dd9c819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 
4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb97ec96028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fb97e015fa0 RCX: 00007fb97dd9c819 RDX: 0000000000042041 RSI: 0000200000000700 RDI: ffffffffffffff9c RBP: 00007fb97de32c91 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000001d R11: 0000000000000246 R12: 0000000000000000 R13: 00007fb97e016038 R14: 00007fb97e015fa0 R15: 00007fffcac5f5a8 </TASK> Allocated by task 5828: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5260 [inline] __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 tomoyo_path_symlink+0xab/0xf0 security/tomoyo/tomoyo.c:212 security_path_symlink+0x16f/0x360 security/security.c:1477 filename_symlinkat+0x134/0x410 fs/namei.c:5638 __do_sys_symlink fs/namei.c:5667 [inline] __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5828: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2685 [inline] slab_free mm/slub.c:6165 [inline] kfree+0x1c1/0x630 mm/slub.c:6483 tomoyo_realpath_from_path+0x598/0x5d0 security/tomoyo/realpath.c:286 
tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 tomoyo_path_symlink+0xab/0xf0 security/tomoyo/tomoyo.c:212 security_path_symlink+0x16f/0x360 security/security.c:1477 filename_symlinkat+0x134/0x410 fs/namei.c:5638 __do_sys_symlink fs/namei.c:5667 [inline] __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888109c42000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3088 bytes inside of freed 4096-byte region [ffff888109c42000, ffff888109c43000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c40 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ff00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 017ff00000000040 ffff888100042140 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800040004 00000000f5000000 0000000000000000 head: 017ff00000000040 ffff888100042140 dead000000000100 dead000000000122 head: 0000000000000000 0000000800040004 00000000f5000000 0000000000000000 head: 017ff00000000003 ffffea0004271001 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5828, tgid 5828 (udevd), ts 67573015608, free_ts 47549723112 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x18d/0x380 
mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab+0x77/0x660 mm/slub.c:3481 new_slab mm/slub.c:3539 [inline] refill_objects+0x331/0x3c0 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x474/0x760 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x283/0x560 security/tomoyo/file.c:827 tomoyo_path_symlink+0xab/0xf0 security/tomoyo/tomoyo.c:212 security_path_symlink+0x16f/0x360 security/security.c:1477 filename_symlinkat+0x134/0x410 fs/namei.c:5638 __do_sys_symlink fs/namei.c:5667 [inline] __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5718 tgid 5718 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978 __slab_free+0x263/0x2b0 mm/slub.c:5573 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4873 alloc_filename fs/namei.c:142 [inline] do_getname+0x2e/0x250 fs/namei.c:182 getname include/linux/fs.h:2512 [inline] getname_maybe_null include/linux/fs.h:2519 [inline] class_filename_maybe_null_constructor include/linux/fs.h:2543 [inline] vfs_fstatat+0x45/0x170 fs/stat.c:368 
__do_sys_newfstatat fs/stat.c:538 [inline] __se_sys_newfstatat fs/stat.c:532 [inline] __x64_sys_newfstatat+0x151/0x200 fs/stat.c:532 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888109c42b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888109c42b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888109c42c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888109c42c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888109c42d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== *** KASAN: use-after-free Read in __ext4_check_dir_entry tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 70b672833f4025341c11b22c7f83778a5cd611bc arch: amd64 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 config: https://ci.syzbot.org/builds/7b860156-1ca9-441f-b899-ebfb5a09620d/config syz repro: https://ci.syzbot.org/findings/21333690-a422-407b-92c7-9247a0075b74/syz_repro loop1: lost filesystem error report for type 5 error -117 EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. 
================================================================== BUG: KASAN: use-after-free in ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline] BUG: KASAN: use-after-free in ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96 Read of size 1 at addr ffff88810da3609c by task syz.1.20/5966 CPU: 0 UID: 0 PID: 5966 Comm: syz.1.20 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 ext4_dirent_get_data_len fs/ext4/ext4.h:4040 [inline] ext4_dir_entry_len fs/ext4/ext4.h:4060 [inline] __ext4_check_dir_entry+0x527/0xa70 fs/ext4/dir.c:96 ext4_inlinedir_to_tree+0x6be/0xbf0 fs/ext4/inline.c:1322 ext4_htree_fill_tree+0x50b/0x1230 fs/ext4/namei.c:1184 ext4_dx_readdir fs/ext4/dir.c:600 [inline] ext4_readdir+0x2f7b/0x3870 fs/ext4/dir.c:146 iterate_dir+0x399/0x570 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:412 [inline] __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb82a19c819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb82b01a028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007fb82a415fa0 RCX: 00007fb82a19c819 RDX: 000000000000ff80 RSI: 9999999999999999 RDI: 0000000000000004 RBP: 00007fb82a232c91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fb82a416038 R14: 
00007fb82a415fa0 R15: 00007ffdc30464e8 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810da36000 pfn:0x10da36 flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) page_type: f0(buddy) raw: 017ff00000000000 ffffea0004364708 ffffea000436a7c8 0000000000000000 raw: ffff88810da36000 0000000000000000 00000000f0000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 15037633903, free_ts 26770192426 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab+0x77/0x660 mm/slub.c:3481 new_slab mm/slub.c:3539 [inline] refill_objects+0x331/0x3c0 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x474/0x760 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] usb_alloc_urb+0x46/0x150 drivers/usb/core/urb.c:75 usb_internal_control_msg drivers/usb/core/message.c:110 [inline] usb_control_msg+0x118/0x3e0 drivers/usb/core/message.c:167 usb_get_descriptor+0xb1/0x3e0 drivers/usb/core/message.c:852 usb_get_configuration+0x3b9/0x54f0 drivers/usb/core/config.c:986 usb_enumerate_device drivers/usb/core/hub.c:2527 [inline] usb_new_device+0x145/0x16f0 drivers/usb/core/hub.c:2665 register_root_hub+0x270/0x5f0 drivers/usb/core/hcd.c:990 usb_add_hcd+0xba1/0x10b0 drivers/usb/core/hcd.c:2987 vhci_hcd_probe+0x1fa/0x3e0 
drivers/usb/usbip/vhci_hcd.c:1401 platform_probe+0xf9/0x190 drivers/base/platform.c:1418 page last free pid 5262 tgid 5262 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978 __slab_free+0x263/0x2b0 mm/slub.c:5573 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4873 alloc_empty_file+0x55/0x1d0 fs/file_table.c:237 path_openat+0x10f/0x3860 fs/namei.c:4816 do_file_open+0x23e/0x4a0 fs/namei.c:4859 do_sys_openat2+0x113/0x200 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1383 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88810da35f80: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc ffff88810da36000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88810da36080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88810da36100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88810da36180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== *** If these findings have caused you to resend the series or submit a separate fix, please add the following tag to your commit message: Tested-by: syzbot@syzkaller.appspotmail.com --- This report is generated by a bot. It may contain errors. syzbot ci engineers can be reached at syzkaller@googlegroups.com. 
To test a patch for this bug, please reply with `#syz test` (should be on a separate line). The patch should be attached to the email. Note: arguments like custom git repos and branches are not supported. [-- Attachment #1.2: Type: text/html, Size: 53647 bytes --] [-- Attachment #2: 0001-ext4-fix-syzbot.patch --] [-- Type: application/octet-stream, Size: 4000 bytes --] From 18df6683799e259479dc53260e59b5d1fdc6a143 Mon Sep 17 00:00:00 2001 From: Artem Blagodarenko <artem.blagodarenko@gmail.com> Date: Sat, 18 Apr 2026 17:33:23 -0400 Subject: [PATCH] ext4: fix syzbot Signed-off-by: Artem Blagodarenko <artem.blagodarenko@gmail.com> --- fs/ext4/ext4.h | 33 ++++++++++++++++++++++++++++----- fs/ext4/inline.c | 8 +++++++- 2 files changed, 35 insertions(+), 6 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 28271d42bfaf..c5d4aaed8e6e 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -4007,6 +4007,7 @@ static inline bool ext4_dir_entry_is_tail(struct ext4_dir_entry_2 *de) /* * ext4_dirent_get_data_len() - Compute the total dirdata length for an entry. * @de: directory entry + * @rec_len: the record length of the directory entry (decoded) * * Computes the length of optional data stored after the filename (and its * implicit NUL terminator). Each extension is indicated by a bit in the 
@@ -4015,21 +4016,39 @@ static inline bool ext4_dir_entry_is_tail(struct ext4_dir_entry_2 *de) * * Returns 0 for tail entries and for entries with no dirdata. */ -static inline int ext4_dirent_get_data_len(struct ext4_dir_entry_2 *de) +static inline int ext4_dirent_get_data_len(struct ext4_dir_entry_2 *de, + unsigned int rec_len) { __u8 extra_data_flags; struct ext4_dirent_data_header *ddh; int dlen = 0; + unsigned int offset; if (ext4_dir_entry_is_tail(de)) return 0; extra_data_flags = (de->file_type & ~EXT4_FT_MASK) >> 4; - ddh = (struct ext4_dirent_data_header *)(de->name + de->name_len + - 1 /* NUL terminator */); + /* offset from start of entry to after filename + NUL */ + offset = EXT4_BASE_DIR_LEN + de->name_len + 1; + + /* bounds check: ensure we start reading within the entry */ + if (offset >= rec_len) + return 0; + + ddh = (struct ext4_dirent_data_header *)((char *)de + offset); while (extra_data_flags) { if (extra_data_flags & 1) { + /* bounds check before reading ddh_length */ + if (offset + sizeof(struct ext4_dirent_data_header) > + rec_len) + return dlen; + + /* validate ddh_length is reasonable */ + if (ddh->ddh_length == 0 || ddh->ddh_length > + rec_len - offset) + return dlen; + /* * The first dirdata field is preceded by a NUL * terminator byte that is already included in ddh's @@ -4038,7 +4057,9 @@ static inline int ext4_dirent_get_data_len(struct ext4_dir_entry_2 *de) if (dlen == 0) dlen = 1; /* NUL terminator */ dlen += ddh->ddh_length; - ddh = ext4_dirdata_next(ddh); + offset += ddh->ddh_length; + ddh = (struct ext4_dirent_data_header *) + ((char *)ddh + ddh->ddh_length); } extra_data_flags >>= 1; } 
@@ -4057,7 +4078,9 @@ static inline int ext4_dirent_get_data_len(struct ext4_dir_entry_2 *de) static inline unsigned int ext4_dir_entry_len(struct ext4_dir_entry_2 *de, const struct inode *dir) { - unsigned int dirdata = ext4_dirent_get_data_len(de); + unsigned int blocksize = (dir && dir->i_sb) ? dir->i_sb->s_blocksize : 4096; + unsigned int rec_len = ext4_rec_len_from_disk(de->rec_len, blocksize); + unsigned int dirdata = ext4_dirent_get_data_len(de, rec_len); return ext4_dirent_rec_len(de->name_len + dirdata, dir); } diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 071a637c8869..709acbf5e198 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1318,7 +1318,13 @@ int ext4_inlinedir_to_tree(struct file *dir_file, pos = EXT4_INLINE_DOTDOT_SIZE; } else { de = (struct ext4_dir_entry_2 *)(dir_buf + pos); - pos += ext4_rec_len_from_disk(de->rec_len, inline_size); + /* Use ext4_dir_entry_len to account for dirdata extensions */ + pos += ext4_dir_entry_len(de, dir); + /* Validate pos doesn't exceed buffer to prevent use-after-free */ + if (pos > inline_size) { + ret = count; + goto out; + } if (ext4_check_dir_entry(inode, dir_file, de, iloc.bh, dir_buf, inline_size, pos)) { -- 2.43.7 ^ permalink raw reply related [flat|nested] 10+ messages in thread
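Review bot: the new `@rec_len` line in the ext4_dirent_get_data_len() kernel-doc (first ext4.h hunk) should say what the function returns when the dirdata does not fit inside rec_len, because the `Returns 0 for tail entries and for entries with no dirdata.` sentence that follows it is no longer the whole story: after this patch the function also returns 0 when the name alone already reaches rec_len (`offset >= rec_len`) and returns whatever `dlen` it has accumulated when a later field fails its bounds check. Spell both out, and state whether `rec_len` is expected to have been validated against the containing buffer before the call, since a caller cannot distinguish a clean entry from a truncated one by the return value alone.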
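Review bot: in the `@@ -4015,21 +4016,39 @@` hunk, bounding the dirdata walk by `rec_len` does not close the reads reported above, because `rec_len` is decoded straight from the on-disk `de->rec_len` and the caller in every trace is `__ext4_check_dir_entry()` (fs/ext4/dir.c:96), the function whose job is to validate that field; at that point a crafted `rec_len` can still extend past the end of the directory block or inline buffer, so `offset + sizeof(struct ext4_dirent_data_header) > rec_len` passes while `ddh->ddh_length` is read beyond the allocation, which is the use-after-free pattern KASAN shows. Derive the limit from the buffer instead (the bytes between `de` and the end of the buffer `__ext4_check_dir_entry()` was handed, clamped to `rec_len`), or only walk the dirdata once the existing overrun check on `rec_len` has passed. Separately, `return 0;` and `return dlen;` on a failed check silently shrink the computed length rather than reporting corruption: the caller then compares the on-disk `rec_len` against a length that is too small, so a truncated entry passes the minimum-length check. The function already returns `int`; return a negative value (e.g. `-EFSCORRUPTED`) and let `ext4_dir_entry_len()` propagate it so the caller reports the entry as corrupted.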
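Review bot: in the `@@ -4038,7 +4057,9 @@` hunk, `offset += ddh->ddh_length;` together with the new `(char *)ddh + ddh->ddh_length` advance means `ddh_length` counts the header as well as the payload, yet the only lower bound applied earlier in the function is `ddh->ddh_length == 0`; if `struct ext4_dirent_data_header` is wider than one byte, a `ddh_length` of 1 leaves `ddh` pointing inside the current header and the next set flag re-parses header bytes as a new field. Reject `ddh_length < sizeof(*ddh)` next to the existing checks. This hunk also open-codes what the removed `ddh = ext4_dirdata_next(ddh);` did; either keep calling the helper (and update `offset` beside it) or delete the helper, so the two ways of stepping over a field cannot drift apart.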
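Review bot: in the `@@ -4057,7 +4078,9 @@` hunk, `(dir && dir->i_sb) ? dir->i_sb->s_blocksize : 4096` silently guesses the block size whenever `dir` is NULL, and even with a valid `dir` it decodes `rec_len` against `s_blocksize` for entries that live in the inline area, where the removed inline.c line `pos += ext4_rec_len_from_disk(de->rec_len, inline_size);` shows the record length is relative to `inline_size`. `ext4_rec_len_from_disk()` takes a size argument precisely because some encodings resolve to it, so an inline entry can decode to a block-sized `rec_len` here and that value then feeds the new bounds checks in `ext4_dirent_get_data_len()`. Pass the size of the containing buffer in explicitly rather than deriving it from `dir`, and drop the `4096` literal; if a NULL `dir` is legitimately possible on this path, handle it with an explicit early return or WARN_ON_ONCE, not a guess.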
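Review bot: in the inline.c hunk, `pos += ext4_dir_entry_len(de, dir);` changes what `pos` means. The removed line advanced by the on-disk record length, which is the distance to the next entry; `ext4_dir_entry_len()` (per the ext4.h hunk above) returns `ext4_dirent_rec_len(de->name_len + dirdata, dir)`, the minimum length the entry needs. The two differ for any entry whose `rec_len` carries slack, and always for the last entry of the inline area, whose `rec_len` runs to `inline_size`, so the walk lands in slack or padding and parses it as an entry. Keep `pos += ext4_rec_len_from_disk(de->rec_len, inline_size);` and leave the minimum-length comparison to `ext4_check_dir_entry()`. The added `if (pos > inline_size)` check also does not prevent the reported use-after-free: it runs after `ext4_dir_entry_len()` has already walked the entry's dirdata, and `ext4_check_dir_entry()` on the next line is passed `inline_size` and `pos` for exactly that overrun check. The comment `/* Use ext4_dir_entry_len to account for dirdata extensions */` is misleading for the same reason, since dirdata is already inside the on-disk `rec_len`.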
* [syzbot ci] Re: Data in direntry (dirdata) feature
  2026-04-22  9:34 ` Artem Blagodarenko
@ 2026-04-22 10:09 ` syzbot ci
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot ci @ 2026-04-22 10:09 UTC (permalink / raw)
  To: artem.blagodarenko, syzbot; +Cc: syzbot, syzkaller-bugs

syzbot ci has tested the suggested fix patch on top of the following series:

[v1] Data in direntry (dirdata) feature
https://lore.kernel.org/all/20260417213723.74204-1-artem.blagodarenko@gmail.com

Patch:
https://ci.syzbot.org/jobs/85bfb76c-4e56-4c94-a48e-da4f5b05ab28/patch

Testing results:
* [build 0] Build Patched: passed
* [build 0] Boot test: Patched: passed

Full report is available here:
https://ci.syzbot.org/session/3c8010c2-cb0e-4292-a935-ecb59d1a9d82

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

^ permalink raw reply [flat|nested] 10+ messages in thread
Thread overview: 10+ messages
[not found] <20260610152417.13576-1-ablagodarenko@thelustrecollective.com>
2026-06-11 10:29 ` [syzbot ci] Re: Data in direntry (dirdata) feature syzbot ci
2026-06-19 14:10 ` Artem Blagodarenko
2026-06-19 14:11 ` syzbot
2026-06-19 14:50 ` syzbot ci
2026-06-19 16:45 ` Artem Blagodarenko
2026-06-19 17:39 ` syzbot ci
[not found] <20260619191022.27008-1-ablagodarenko@thelustrecollective.com>
2026-06-20 6:55 ` syzbot ci
[not found] <20260417213723.74204-1-artem.blagodarenko@gmail.com>
2026-04-18 6:47 ` syzbot ci
2026-04-22 9:34 ` Artem Blagodarenko
2026-04-22 10:09 ` syzbot ci