syzbot

EXT4-fs warning (device loop0): empty_inline_dir:1820: bad inline directory (dir #12) - no `..'
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_delete_inode+0xc1f/0xc30 fs/ext4/xattr.c:2911
Read of size 4 at addr ffff8881db6b2000 by task syz-executor194/360

CPU: 1 PID: 360 Comm: syz-executor194 Not tainted 5.4.268-syzkaller-00001-g8322246edffa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 ext4_xattr_delete_inode+0xc1f/0xc30 fs/ext4/xattr.c:2911
 ext4_evict_inode+0x1378/0x1ac0 fs/ext4/inode.c:318
 evict+0x29b/0x6a0 fs/inode.c:575
 d_delete_notify include/linux/fsnotify.h:224 [inline]
 vfs_rmdir+0x24b/0x3c0 fs/namei.c:3992
 do_rmdir+0x2c1/0x580 fs/namei.c:4040
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Allocated by task 179:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 mempool_alloc+0x11f/0x530 mm/mempool.c:393
 bio_alloc_bioset+0x1e0/0x650 block/bio.c:483
 bio_clone_fast+0x25/0x220 block/bio.c:665
 bio_split+0x75/0x190 block/bio.c:1905
 __blk_queue_split+0xe52/0x14f0 block/blk-merge.c:284
 blk_mq_make_request+0x1ad/0x1e10 block/blk-mq.c:2044
 generic_make_request+0x40c/0xc90 block/blk-core.c:1072
 submit_bio+0x1bf/0x6d0 block/blk-core.c:1199
 ext4_io_submit fs/ext4/page-io.c:350 [inline]
 io_submit_add_bh fs/ext4/page-io.c:393 [inline]
 ext4_bio_write_page+0xf49/0x1810 fs/ext4/page-io.c:518
 mpage_submit_page+0x1ae/0x230 fs/ext4/inode.c:2277
 mpage_map_and_submit_buffers fs/ext4/inode.c:2477 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2611 [inline]
 ext4_writepages+0x1fc9/0x3cc0 fs/ext4/inode.c:2940
 do_writepages+0x12b/0x270 mm/page-writeback.c:2344
 __writeback_single_inode+0xd9/0xcc0 fs/fs-writeback.c:1467
 writeback_sb_inodes+0x9e0/0x1800 fs/fs-writeback.c:1730
 __writeback_inodes_wb fs/fs-writeback.c:1801 [inline]
 wb_writeback+0x4b3/0xd70 fs/fs-writeback.c:1907
 wb_check_background_flush fs/fs-writeback.c:1975 [inline]
 wb_do_writeback fs/fs-writeback.c:2063 [inline]
 wb_workfn+0xce8/0x1230 fs/fs-writeback.c:2091
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Freed by task 17:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 bio_put block/bio.c:604 [inline]
 __bio_chain_endio block/bio.c:313 [inline]
 bio_endio+0x2f/0x790 block/bio.c:1865
 req_bio_endio block/blk-core.c:246 [inline]
 blk_update_request+0x37f/0xe40 block/blk-core.c:1481
 scsi_end_request+0x83/0x520 drivers/scsi/scsi_lib.c:588
 scsi_io_completion+0x1cb/0x480 drivers/scsi/scsi_lib.c:969
 blk_done_softirq+0x2f3/0x390 block/blk-softirq.c:37
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881db6b2000
 which belongs to the cache bio-0 of size 216
The buggy address is located 0 bytes inside of
 216-byte region [ffff8881db6b2000, ffff8881db6b20d8)
The buggy address belongs to the page:
page:ffffea00076dac80 refcount:1 mapcount:0 mapping:ffff8881f1cf1180 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f1cf1180
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x92800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 mempool_alloc+0x11f/0x530 mm/mempool.c:393
 bio_alloc_bioset+0x1e0/0x650 block/bio.c:483
 bio_clone_fast+0x25/0x220 block/bio.c:665
 bio_split+0x75/0x190 block/bio.c:1905
 __blk_queue_split+0xe52/0x14f0 block/blk-merge.c:284
 blk_mq_make_request+0x1ad/0x1e10 block/blk-mq.c:2044
 generic_make_request+0x40c/0xc90 block/blk-core.c:1072
 submit_bio+0x1bf/0x6d0 block/blk-core.c:1199
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881db6b1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881db6b1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881db6b2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881db6b2080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff8881db6b2100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================