syzbot

==================================================================
BUG: KASAN: use-after-free in ext4_xattr_delete_inode+0xc1f/0xc30 fs/ext4/xattr.c:2911
Read of size 4 at addr ffff8881dc435000 by task syz-executor276/358

CPU: 1 PID: 358 Comm: syz-executor276 Not tainted 5.4.276-syzkaller-00021-g58de09405d1e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 ext4_xattr_delete_inode+0xc1f/0xc30 fs/ext4/xattr.c:2911
 ext4_evict_inode+0x1378/0x1ac0 fs/ext4/inode.c:318
 evict+0x29b/0x6a0 fs/inode.c:575
 d_delete_notify include/linux/fsnotify.h:224 [inline]
 vfs_rmdir+0x24b/0x3c0 fs/namei.c:4040
 do_rmdir+0x2c1/0x580 fs/namei.c:4088
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f0f2bda8dc7
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe00b92938 EFLAGS: 00000207 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f2bda8dc7
RDX: 0000000000008890 RSI: 0000000000000000 RDI: 00007ffe00b93ae0
RBP: 0000000000000065 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffe00b93ae0
R13: 00005555574f0740 R14: 431bde82d7b634db R15: 00007ffe00b95c60

Allocated by task 326:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 anon_vma_chain_alloc mm/rmap.c:131 [inline]
 anon_vma_clone+0x9d/0x4d0 mm/rmap.c:271
 __split_vma+0x19f/0x440 mm/mmap.c:2720
 __do_munmap+0x349/0x850 mm/mmap.c:2823
 __vm_munmap mm/mmap.c:2898 [inline]
 __do_sys_munmap mm/mmap.c:2924 [inline]
 __se_sys_munmap+0x11d/0x1a0 mm/mmap.c:2920
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 326:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 anon_vma_chain_free mm/rmap.c:136 [inline]
 unlink_anon_vmas+0x2c6/0x590 mm/rmap.c:404
 free_pgtables+0x79/0x280 mm/memory.c:413
 unmap_region+0x30e/0x370 mm/mmap.c:2642
 __do_munmap+0x649/0x850 mm/mmap.c:2875
 __vm_munmap mm/mmap.c:2898 [inline]
 __do_sys_munmap mm/mmap.c:2924 [inline]
 __se_sys_munmap+0x11d/0x1a0 mm/mmap.c:2920
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881dc435000
 which belongs to the cache anon_vma_chain of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8881dc435000, ffff8881dc435040)
The buggy address belongs to the page:
page:ffffea0007710d40 refcount:1 mapcount:0 mapping:ffff8881f5cf8c80 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5cf8c80
raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 anon_vma_chain_alloc mm/rmap.c:131 [inline]
 anon_vma_clone+0x9d/0x4d0 mm/rmap.c:271
 __split_vma+0x19f/0x440 mm/mmap.c:2720
 __do_munmap+0x349/0x850 mm/mmap.c:2823
 __vm_munmap mm/mmap.c:2898 [inline]
 __do_sys_munmap mm/mmap.c:2924 [inline]
 __se_sys_munmap+0x11d/0x1a0 mm/mmap.c:2920
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 free_pcp_prepare mm/page_alloc.c:1233 [inline]
 free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
 free_unref_page mm/page_alloc.c:3134 [inline]
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages mm/page_alloc.c:4961 [inline]
 free_pages+0x114/0x1b0 mm/page_alloc.c:4969
 tlb_batch_list_free mm/mmu_gather.c:61 [inline]
 tlb_finish_mmu+0x249/0x320 mm/mmu_gather.c:280
 unmap_region+0x31c/0x370 mm/mmap.c:2644
 __do_munmap+0x649/0x850 mm/mmap.c:2875
 __vm_munmap mm/mmap.c:2898 [inline]
 __do_sys_munmap mm/mmap.c:2924 [inline]
 __se_sys_munmap+0x11d/0x1a0 mm/mmap.c:2920
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881dc434f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dc434f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881dc435000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
                   ^
 ffff8881dc435080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881dc435100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
EXT4-fs error (device loop0): ext4_xattr_inode_iget:402: comm syz-executor276: inode #1: comm syz-executor276: iget: illegal inode #
EXT4-fs error (device loop0): ext4_xattr_inode_iget:407: comm syz-executor276: error while reading EA inode 1 err=-117
EXT4-fs error (device loop0): ext4_xattr_inode_iget:402: comm syz-executor276: inode #1: comm syz-executor276: iget: illegal inode #
EXT4-fs error (device loop0): ext4_xattr_inode_iget:407: comm syz-executor276: error while reading EA inode 1 err=-117