program: r0 = socket$inet6_icmp(0xa, 0x2, 0x3a) syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x200000, &(0x7f0000000500), 0xfd, 0x574, &(0x7f0000000cc0)="$eJzs3U1rG0cfAPD/ylLenOexAyG0PZRADk0JkWO7LykUkh5LGxpo76mwFRMsR8GSQ+wGmhyaSy8lFEppoPQD9N5j6Bfopwi0gVCCaQ+l4LLyylFsyW+RIyX6/WDtGe1KM6PZ/2pmV2IDGFjH0z+5iFcj4pskYqRlXT6ylcdXt1t+fHMqXZJYWfn0zyTOrXutJPs/nGVeiYhfv4o4ldtYbm1xabZUqZTns/xYfe7aWG1x6fSVudJMeaZ8dWJy8uzbkxPvvftO19r65sW/v//k/odnvz6x/N3PD4/cTeJ8HM7Wpe3qQhG3WjPHS/9mqUKcX7fheBcK6ydJryvArgxlcV6I9BgwEkNZ1AMvvy8jYgUYUIn4hwHVHAc05/Zdmge/MB59sDoB2tj+/Oq5kTjQmBsdWk6emhml893RLpSflvHLH/fupktsfh7i4BZ5gB25dTsizuTzG49/SXb8270zjZPHm1tfxqB9/kAv3U/HP8mtiA3xn1sb/0Sb8c9wm9jdja3jP/ewC8V0lI7/3m87/l07dI0OZbn/NcZ8heTylUr5TET8PyJORmF/mt/ses7Z5Qcrnda1jv/SJS2/ORbM6vEwv//p50yX6qVnaXOrR7cjXms7/k3W+j9p0//p+3Fxm2UcK997vdO6rdu/t1Z+inijbf8/uaKVbH59cqyxP4w194qN/rpz7LdO5fe6/Wn/H9q8/aNJ6/Xa2s7L+PHAP+VO63a7/+9LPmuk92WP3SjV6/PjEfuSj/PD6x+fePLcZr65fdr+kyfax/9m+386+fp8m+2/c/ROx037of+nd9T/O088+OiLHzqVv73+f6uROpk9sp3j33Yr+CzvHQAAAAAAAPSbXEQcjiRXXEvncsXi6vc7jsahXKVaq5+6XF24Oh2N38qORiHXvNI90vJ9iPHs+7DN/MS6/GREHImIb4cONvLFqWpluteNBwAAAAAAAAAAAAAAAAAAgD4x3OH3/6nfh3pdO2DPNW5ssL/XtQB6Yctb/nfjTk9AX9oy/oGX1s7j35kBeFn4/IfBJf5hcIl/GFzbjf/CyB5XBHjufP7D4BL/AAAAAAAAAAAAAAAAAAAAAAAAAAAA0FUXL1xIl5Xlxzen0vz09cWF2er109Pl2mxxbmGqOFWdv1acqVZnKuXiVHVuq9erVKvXxidi4cZYvVyrj9UWly7NVReu1i9dmSvNlC+VC8+lVQAAAAAAAAAAAAAAAAAAAPBiqS0uzZYqlfK8RMfEueiLauxlA1ft6un5fmmFRFcTPT4wAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAECL/wIAAP//AzIzTA==") r1 = syz_open_dev$loop(&(0x7f0000000140), 0x0, 0x0) open(&(0x7f0000000300)='./file1\x00', 0x14927e, 0x0) ioctl$LOOP_SET_STATUS(r1, 0x4c02, &(0x7f0000009a40)={0x0, {}, 0x0, {}, 0x7, 0x0, 0x200000a, 0x0, "22536af39b7c7cb7435b0a43852dbc3a9ada34cc97af10fd4fc8a15748328c53096c2f359e9ba743d30b59c491a7b3e74d938981061383374a1d58471a2d2dfe", "0410b1617b6228918d46cc632e9e13be3626f4e25310f5db74161ccef2c5cf5e", [0x100000000]}) unlinkat(0xffffffffffffff9c, &(0x7f0000000380)='./file1\x00', 0x0) syz_mount_image$minix(&(0x7f0000000180), &(0x7f00000001c0)='./file0\x00', 0x0, &(0x7f0000000d00)=ANY=[@ANYBLOB="002040e5bef7992f528b1569775f2f4e483b0a29f718404977f70ca1fa501cb5b4f6e1c35bb151deb130ce735c6ea00c25438a0f0b4c56e3c872abd860e306df854e08000000a94daec0b37a85fb6fa3558d02ac6514a5d5"], 0x1, 0x168, &(0x7f0000000240)="$eJzs29tKOlEUx/HfqP9/ZudzdBUU1E2Op4Lu8lFEJ5PGkuxGCaJH6cl6Ab3oBZpolKnZBE2CDun3A7LXEhZr74vtLC9GAGbWhSRLltKSPM97vDq0tB/3pgBMhDdc3zwAsyfJ1QdmVL+c9J//LUkvrw/V3vCTjjg/9MsJf/34H9H7Uj8ftf7J8te9VLg+I2khyvzyPKg/Mvov/rJ/xqhfilw/OP/xQbh+WdKKpFVJa5LWJW1I2pS09U3/mtF/N2J/AAAAAACisJQ189AXCV02XCcX5P/8PB/k//28YOTFIJ/z82z11q2N6wgARpT44f4njfufMu4/gL+r3eleV1zXuSMgICAIgrh/mQCMm33fbNntTvek0azUnbpzUyidnpWK+fNcwfYnfzs8/wOYHp8P/bh3AgAAAAAAAAAAAAAARrUtaSfuTQAAAACYiEm8ThT3GQEAAAAAAAAAAAAAmHbvAQAA///oFUsF") truncate(&(0x7f0000000280)='./file1\x00', 0x1a71) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$ifreq_SIOCGIFINDEX_wireguard(r2, 0x8933, &(0x7f0000000bc0)={'wg0\x00', 0x0}) ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000c00)={@empty, 0x62, r3}) [ 73.438334][ T5292] Bluetooth: hci0: command tx timeout [ 73.551056][ T5329] loop0: detected capacity change from 0 to 1024 [ 73.665047][ T5329] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 73.728523][ T5329] loop0: detected capacity change from 1024 to 1023 [ 73.749473][ T5329] ================================================================== [ 73.752977][ T5329] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x9c1/0x1e20 [ 73.756215][ T5329] Read of size 18446744073709551600 at addr ffff88801fc472b8 by task syz.0.0/5329 [ 73.760119][ T5329] [ 73.761206][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.761220][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.761228][ T5329] Call Trace: [ 73.761235][ T5329] [ 73.761241][ T5329] dump_stack_lvl+0xe8/0x150 [ 73.761260][ T5329] print_address_description+0x55/0x1e0 [ 73.761273][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 73.761292][ T5329] print_report+0x58/0x70 [ 73.761302][ T5329] kasan_report+0x117/0x150 [ 73.761318][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 73.761334][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 73.761350][ T5329] kasan_check_range+0x264/0x2c0 [ 73.761366][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 73.761382][ T5329] __asan_memmove+0x29/0x70 [ 73.761394][ T5329] ext4_xattr_set_entry+0x9c1/0x1e20 [ 73.761417][ T5329] ext4_xattr_ibody_set+0x254/0x6a0 [ 73.761435][ T5329] ext4_destroy_inline_data_nolock+0x23a/0x5e0 [ 73.761450][ T5329] ? __pfx_ext4_destroy_inline_data_nolock+0x10/0x10 [ 73.761465][ T5329] ? trace_kmalloc+0x2a/0xf0 [ 73.761479][ T5329] ? __asan_memcpy+0x40/0x70 [ 73.761490][ T5329] ? ext4_read_inline_data+0x103/0x2c0 [ 73.761503][ T5329] ext4_convert_inline_data_nolock+0x208/0x990 [ 73.761518][ T5329] ? __pfx_ext4_convert_inline_data_nolock+0x10/0x10 [ 73.761530][ T5329] ? down_write+0x16d/0x200 [ 73.761586][ T5329] ext4_convert_inline_data+0x4ce/0x600 [ 73.761607][ T5329] ? __pfx_ext4_convert_inline_data+0x10/0x10 [ 73.761621][ T5329] ? ktime_get_coarse_real_ts64_mg+0x59/0x1e0 [ 73.761637][ T5329] ext4_setattr+0xef4/0x1d60 [ 73.761654][ T5329] ? __pfx_ext4_setattr+0x10/0x10 [ 73.761668][ T5329] notify_change+0xc1a/0xf40 [ 73.761687][ T5329] do_truncate+0x1c2/0x250 [ 73.761698][ T5329] ? __pfx_do_truncate+0x10/0x10 [ 73.761710][ T5329] ? apparmor_path_truncate+0x245/0x2e0 [ 73.761765][ T5329] vfs_truncate+0x4b4/0x540 [ 73.761781][ T5329] ? __pfx_vfs_truncate+0x10/0x10 [ 73.761795][ T5329] ? do_getname+0x151/0x250 [ 73.761809][ T5329] ksys_truncate+0xf3/0x1c0 [ 73.761821][ T5329] ? __pfx_ksys_truncate+0x10/0x10 [ 73.761836][ T5329] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.761846][ T5329] __x64_sys_truncate+0x5b/0x70 [ 73.761860][ T5329] do_syscall_64+0x174/0x580 [ 73.761871][ T5329] ? trace_irq_disable+0x3b/0x140 [ 73.761887][ T5329] ? clear_bhb_loop+0x40/0x90 [ 73.761898][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.761909][ T5329] RIP: 0033:0x7fbec559ce59 [ 73.761921][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.761930][ T5329] RSP: 002b:00007fbec19f4fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000004c [ 73.761943][ T5329] RAX: ffffffffffffffda RBX: 00007fbec5815fa0 RCX: 00007fbec559ce59 [ 73.761952][ T5329] RDX: 0000000000000000 RSI: 0000000000001a71 RDI: 0000200000000280 [ 73.761958][ T5329] RBP: 00007fbec5632d6f R08: 0000000000000000 R09: 0000000000000000 [ 73.761965][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.761970][ T5329] R13: 00007fbec5816038 R14: 00007fbec5815fa0 R15: 00007ffd6a1c6798 [ 73.761981][ T5329] [ 73.761985][ T5329] [ 73.889507][ T5329] The buggy address belongs to the physical page: [ 73.892219][ T5329] page: refcount:3 mapcount:0 mapping:ffff88801cc25940 index:0x2 pfn:0x1fc47 [ 73.895820][ T5329] memcg:ffff888037786980 [ 73.897562][ T5329] aops:def_blk_aops ino:700000 dentry name(?):"" [ 73.900195][ T5329] flags: 0xfff18000004204(referenced|workingset|private|node=0|zone=1|lastcpupid=0x7ff) [ 73.904158][ T5329] raw: 00fff18000004204 0000000000000000 dead000000000122 ffff88801cc25940 [ 73.907823][ T5329] raw: 0000000000000002 ffff888046ebf658 00000003ffffffff ffff888037786980 [ 73.913222][ T5329] page dumped because: kasan: bad access detected [ 73.916081][ T5329] page_owner tracks the page as allocated [ 73.918382][ T5329] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_MOVABLE|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL), pid 5329, tgid 5328 (syz.0.0), ts 73744041302, free_ts 73741661077 [ 73.926591][ T5329] post_alloc_hook+0x22d/0x280 [ 73.928650][ T5329] get_page_from_freelist+0x2593/0x2610 [ 73.930904][ T5329] __alloc_frozen_pages_noprof+0x18d/0x380 [ 73.933183][ T5329] alloc_pages_mpol+0x235/0x490 [ 73.935110][ T5329] alloc_pages_noprof+0xac/0x2a0 [ 73.937088][ T5329] folio_alloc_noprof+0x1e/0x30 [ 73.939145][ T5329] filemap_alloc_folio_noprof+0x111/0x470 [ 73.941356][ T5329] __filemap_get_folio_mpol+0x3fc/0xb00 [ 73.943715][ T5329] bdev_getblk+0x1f6/0x6e0 [ 73.945442][ T5329] __ext4_get_inode_loc+0x528/0xfa0 [ 73.947452][ T5329] ext4_get_inode_loc+0x81/0xf0 [ 73.949439][ T5329] ext4_xattr_ibody_get+0x113/0x4c0 [ 73.951681][ T5329] ext4_xattr_get+0x123/0x6a0 [ 73.953732][ T5329] __vfs_getxattr+0x3f4/0x430 [ 73.955717][ T5329] cap_inode_need_killpriv+0x45/0x60 [ 73.957975][ T5329] security_inode_need_killpriv+0x85/0x240 [ 73.960453][ T5329] page last free pid 5329 tgid 5328 stack trace: [ 73.963114][ T5329] free_unref_folios+0xd9f/0x14c0 [ 73.965237][ T5329] folios_put_refs+0x9ff/0xb40 [ 73.967259][ T5329] shmem_undo_range+0x52c/0x1660 [ 73.969278][ T5329] shmem_evict_inode+0x289/0xae0 [ 73.971374][ T5329] evict+0x61e/0xb10 [ 73.972850][ T5329] __dentry_kill+0x1a2/0x690 [ 73.974829][ T5329] finish_dput+0xc9/0x480 [ 73.976599][ T5329] __fput+0x691/0xa60 [ 73.978322][ T5329] fput_close_sync+0x11f/0x240 [ 73.980304][ T5329] __x64_sys_close+0x7e/0x110 [ 73.982332][ T5329] do_syscall_64+0x174/0x580 [ 73.984233][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.986722][ T5329] [ 73.987804][ T5329] Memory state around the buggy address: [ 73.990266][ T5329] ffff88801fc47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.993668][ T5329] ffff88801fc47200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.996963][ T5329] >ffff88801fc47280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.000170][ T5329] ^ [ 74.002284][ T5329] ffff88801fc47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.005167][ T5329] ffff88801fc47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.008354][ T5329] ================================================================== [ 74.108999][ T5329] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 74.112077][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.115732][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 74.119771][ T5329] Call Trace: [ 74.121169][ T5329] [ 74.122678][ T5329] vpanic+0x56c/0xa60 [ 74.124215][ T5329] ? __pfx_vpanic+0x10/0x10 [ 74.126199][ T5329] ? __pfx___schedule+0x10/0x10 [ 74.128276][ T5329] panic+0xc5/0xd0 [ 74.129883][ T5329] ? __pfx_panic+0x10/0x10 [ 74.131831][ T5329] ? preempt_schedule_thunk+0x16/0x30 [ 74.133920][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.136080][ T5329] check_panic_on_warn+0x89/0xb0 [ 74.138129][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.140393][ T5329] end_report+0x73/0x170 [ 74.142265][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.144600][ T5329] kasan_report+0x128/0x150 [ 74.146641][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.149306][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.152143][ T5329] kasan_check_range+0x264/0x2c0 [ 74.154199][ T5329] ? ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.156644][ T5329] __asan_memmove+0x29/0x70 [ 74.158566][ T5329] ext4_xattr_set_entry+0x9c1/0x1e20 [ 74.160884][ T5329] ext4_xattr_ibody_set+0x254/0x6a0 [ 74.163092][ T5329] ext4_destroy_inline_data_nolock+0x23a/0x5e0 [ 74.165650][ T5329] ? __pfx_ext4_destroy_inline_data_nolock+0x10/0x10 [ 74.168447][ T5329] ? trace_kmalloc+0x2a/0xf0 [ 74.170347][ T5329] ? __asan_memcpy+0x40/0x70 [ 74.172184][ T5329] ? ext4_read_inline_data+0x103/0x2c0 [ 74.174454][ T5329] ext4_convert_inline_data_nolock+0x208/0x990 [ 74.177054][ T5329] ? __pfx_ext4_convert_inline_data_nolock+0x10/0x10 [ 74.179859][ T5329] ? down_write+0x16d/0x200 [ 74.181763][ T5329] ext4_convert_inline_data+0x4ce/0x600 [ 74.184065][ T5329] ? __pfx_ext4_convert_inline_data+0x10/0x10 [ 74.186557][ T5329] ? ktime_get_coarse_real_ts64_mg+0x59/0x1e0 [ 74.189069][ T5329] ext4_setattr+0xef4/0x1d60 [ 74.190869][ T5329] ? __pfx_ext4_setattr+0x10/0x10 [ 74.192768][ T5329] notify_change+0xc1a/0xf40 [ 74.194549][ T5329] do_truncate+0x1c2/0x250 [ 74.196374][ T5329] ? __pfx_do_truncate+0x10/0x10 [ 74.198351][ T5329] ? apparmor_path_truncate+0x245/0x2e0 [ 74.200556][ T5329] vfs_truncate+0x4b4/0x540 [ 74.202692][ T5329] ? __pfx_vfs_truncate+0x10/0x10 [ 74.205276][ T5329] ? do_getname+0x151/0x250 [ 74.207356][ T5329] ksys_truncate+0xf3/0x1c0 [ 74.209418][ T5329] ? __pfx_ksys_truncate+0x10/0x10 [ 74.211512][ T5329] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.213979][ T5329] __x64_sys_truncate+0x5b/0x70 [ 74.216250][ T5329] do_syscall_64+0x174/0x580 [ 74.218310][ T5329] ? trace_irq_disable+0x3b/0x140 [ 74.220464][ T5329] ? clear_bhb_loop+0x40/0x90 [ 74.222500][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.225036][ T5329] RIP: 0033:0x7fbec559ce59 [ 74.227030][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 74.235147][ T5329] RSP: 002b:00007fbec19f4fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000004c [ 74.238738][ T5329] RAX: ffffffffffffffda RBX: 00007fbec5815fa0 RCX: 00007fbec559ce59 [ 74.242124][ T5329] RDX: 0000000000000000 RSI: 0000000000001a71 RDI: 0000200000000280 [ 74.245453][ T5329] RBP: 00007fbec5632d6f R08: 0000000000000000 R09: 0000000000000000 [ 74.248801][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.252096][ T5329] R13: 00007fbec5816038 R14: 00007fbec5815fa0 R15: 00007ffd6a1c6798 [ 74.255367][ T5329] [ 74.257106][ T5329] Kernel Offset: disabled [ 74.259052][ T5329] Rebooting in 86400 seconds..