audit: type=1800 audit(1571650296.689:10664): pid=17301 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=17121 res=0 EXT4-fs error (device sda1): ext4_xattr_set_entry:1607: inode #17201: comm syz-executor.1: corrupted xattr entries ================================================================== BUG: KASAN: use-after-free in memset include/linux/string.h:333 [inline] BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x175/0x250 fs/ext4/inode.c:5916 Write of size 213664719 at addr ffff88808223c1a0 by task rs:main Q:Reg/7385 CPU: 0 PID: 7385 Comm: rs:main Q:Reg Not tainted 4.19.80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x123/0x190 mm/kasan/kasan.c:267 memset+0x24/0x40 mm/kasan/kasan.c:285 memset include/linux/string.h:333 [inline] __ext4_expand_extra_isize+0x175/0x250 fs/ext4/inode.c:5916 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5968 [inline] ext4_mark_inode_dirty+0x6f0/0x940 fs/ext4/inode.c:6044 ext4_dirty_inode+0x8f/0xc0 fs/ext4/inode.c:6078 __mark_inode_dirty+0x915/0x1280 fs/fs-writeback.c:2173 mark_inode_dirty include/linux/fs.h:2082 [inline] __generic_write_end+0x1b9/0x240 fs/buffer.c:2118 generic_write_end+0x6c/0x90 fs/buffer.c:2163 ext4_da_write_end+0x3c5/0xa50 fs/ext4/inode.c:3184 generic_perform_write+0x2ed/0x520 mm/filemap.c:3172 __generic_file_write_iter+0x25e/0x630 mm/filemap.c:3286 ext4_file_write_iter+0x32b/0x1060 fs/ext4/file.c:270 call_write_iter include/linux/fs.h:1820 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x587/0x810 fs/read_write.c:487 EXT4-fs error (device sda1): ext4_expand_extra_isize_ea:2732: inode #17234: comm syz-executor.0: corrupted in-inode xattr BUG: unable to handle kernel paging request at ffff88804b908870 PGD b001067 P4D b001067 vfs_write+0x20c/0x560 fs/read_write.c:549 PUD 914d8063 ksys_write+0x14f/0x2d0 fs/read_write.c:599 PMD 5c2ab063 PTE 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 17269 Comm: syz-executor.2 Not tainted 4.19.80 #0 __do_sys_write fs/read_write.c:611 [inline] __se_sys_write fs/read_write.c:608 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:608 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline] RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline] RIP: 0010:atomic64_read include/asm-generic/atomic-instrumented.h:28 [inline] RIP: 0010:atomic_long_read include/asm-generic/atomic-long.h:47 [inline] RIP: 0010:filp_close+0x43/0x170 fs/open.c:1159 entry_SYSCALL_64_after_hwframe+0x49/0xbe Code: c1 ff be 08 00 00 00 4c 89 f7 e8 48 09 f8 ff 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 19 01 00 00 <49> 8b 5c 24 70 31 ff 48 89 de e8 be 85 c1 ff 48 85 db 0f 84 9d 73 RIP: 0033:0x7f4205c0b19d RSP: 0018:ffff88807f3bfe90 EFLAGS: 00010246 Code: d1 20 00 00 75 10 b8 01 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be fa ff ff 48 89 04 24 b8 01 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 07 fb ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007f42041ac000 EFLAGS: 00000293 RAX: dffffc0000000000 RBX: ffff888094790958 RCX: ffffffff81a942f8 ORIG_RAX: 0000000000000001 RDX: 1ffff1100972110e RSI: 0000000000000008 RDI: ffff88804b908870 RAX: ffffffffffffffda RBX: 00000000000000a4 RCX: 00007f4205c0b19d RBP: ffff88807f3bfeb0 R08: 1ffff1100972110e R09: ffffed100972110f RDX: 00000000000000a4 RSI: 00000000008b9a90 RDI: 0000000000000001 R10: ffffed100972110e R11: ffff88804b908877 R12: ffff88804b908800 RBP: 00000000008b9a90 R08: 00000000008b9a90 R09: 0000000000000000 R13: ffff888056bb43c0 R14: ffff88804b908870 R15: ffff888056bb4480 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 FS: 0000000001387940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 R13: 00007f42041ac480 R14: 0000000000000001 R15: 00000000008b9890 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88804b908870 CR3: 000000009c6e8000 CR4: 00000000001406e0 The buggy address belongs to the page: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 page:ffffea0002088f00 count:2 mapcount:0 mapping:ffff888219d26ad8 index:0x427 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __close_fd+0x13a/0x210 fs/file.c:636 flags: 0x1fffc0000001074(referenced|dirty|lru|active|private) __do_sys_close fs/open.c:1184 [inline] __se_sys_close fs/open.c:1182 [inline] __x64_sys_close+0x69/0xf0 fs/open.c:1182 raw: 01fffc0000001074 ffffea0002239e88 ffffea00020a85c8 ffff888219d26ad8 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 raw: 0000000000000427 ffff888082777150 00000002ffffffff ffff8880aa1c6c00 entry_SYSCALL_64_after_hwframe+0x49/0xbe page dumped because: kasan: bad access detected RIP: 0033:0x413741 page->mem_cgroup:ffff8880aa1c6c00 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffc10cb9f80 EFLAGS: 00000293 Memory state around the buggy address: ORIG_RAX: 0000000000000003 ffff88808239ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000413741 ffff88808239ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 RDX: 0000001b2c120000 RSI: 0000000000001bc4 RDI: 0000000000000003 >ffff8880823a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff RBP: 0000000000000001 R08: 00000000f1849bc6 R09: ffffffffffffffff ^ R10: 00007ffc10cba060 R11: 0000000000000293 R12: 000000000075c9a0 ffff8880823a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff R13: 000000000075c9a0 R14: 0000000000762ac0 R15: 000000000075bfd4 ffff8880823a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Modules linked in: ================================================================== CR2: ffff88804b908870 ---[ end trace a1fc740cb1adbfe5 ]--- BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 848ea067 RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline] RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline] RIP: 0010:atomic64_read include/asm-generic/atomic-instrumented.h:28 [inline] RIP: 0010:atomic_long_read include/asm-generic/atomic-long.h:47 [inline] RIP: 0010:filp_close+0x43/0x170 fs/open.c:1159 P4D 848ea067 Code: c1 ff be 08 00 00 00 4c 89 f7 e8 48 09 f8 ff 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 19 01 00 00 <49> 8b 5c 24 70 31 ff 48 89 de e8 be 85 c1 ff 48 85 db 0f 84 9d 73 PUD 940dd067 RSP: 0018:ffff88807f3bfe90 EFLAGS: 00010246 PMD 0 RAX: dffffc0000000000 RBX: ffff888094790958 RCX: ffffffff81a942f8 Oops: 0010 [#2] PREEMPT SMP KASAN RDX: 1ffff1100972110e RSI: 0000000000000008 RDI: ffff88804b908870 CPU: 0 PID: 7385 Comm: rs:main Q:Reg Tainted: G B D 4.19.80 #0 RBP: ffff88807f3bfeb0 R08: 1ffff1100972110e R09: ffffed100972110f Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 R10: ffffed100972110e R11: ffff88804b908877 R12: ffff88804b908800 RIP: 0010: (null) R13: ffff888056bb43c0 R14: ffff88804b908870 R15: ffff888056bb4480 Code: Bad RIP value. FS: 0000000001387940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 RSP: 0018:ffff8880ae807d10 EFLAGS: 00010206 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88804b908870 CR3: 000000009c6e8000 CR4: 00000000001406e0 RAX: 0000000000000000 RBX: ffff88805c051f40 RCX: ffffffff815b10ea DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 RDX: 0000000000000100 RSI: ffffffff815b0cc1 RDI: ffff88805c051f40 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400