EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs error (device loop4): ext4_xattr_ibody_get:591: inode #18: comm syz-executor.4: corrupted in-inode xattr ================================================================== BUG: KASAN: use-after-free in get_max_inline_xattr_value_size+0x373/0x510 fs/ext4/inline.c:61 Read of size 4 at addr ffff8881e1024084 by task syz-executor.4/9457 CPU: 1 PID: 9457 Comm: syz-executor.4 Not tainted 5.4.219-syzkaller-00002-ga0eae55f26a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x241 lib/dump_stack.c:118 print_address_description+0x8c/0x630 mm/kasan/report.c:384 __kasan_report+0xf6/0x130 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:653 get_max_inline_xattr_value_size+0x373/0x510 fs/ext4/inline.c:61 ext4_get_max_inline_size+0x139/0x1f0 fs/ext4/inline.c:112 ext4_try_to_write_inline_data+0xd9/0x1750 fs/ext4/inline.c:673 ext4_write_begin+0x247/0x1d50 fs/ext4/inode.c:1312 ext4_da_write_begin+0x4a8/0xf80 fs/ext4/inode.c:3110 generic_perform_write+0x2f9/0x5a0 mm/filemap.c:3311 __generic_file_write_iter+0x239/0x490 mm/filemap.c:3440 ext4_file_write_iter+0x495/0x10e0 fs/ext4/file.c:270 do_iter_readv_writev+0x529/0x740 fs/read_write.c:690 do_iter_write+0x16f/0x570 fs/read_write.c:970 iter_file_splice_write+0x887/0x10f0 fs/splice.c:746 splice_direct_to_actor+0x4c4/0xb20 fs/splice.c:976 do_splice_direct+0x2a0/0x3f0 fs/splice.c:1064 do_sendfile+0x8f2/0xf10 fs/read_write.c:1464 __do_sys_sendfile64 fs/read_write.c:1525 [inline] __se_sys_sendfile64 fs/read_write.c:1511 [inline] __x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1511 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 The buggy address belongs to the page: page:ffffea0007840900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x8000000000000000() raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x194/0x380 mm/page_alloc.c:2171 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4891 mempool_init_node+0x1f6/0x500 mm/mempool.c:202 mempool_create_node mm/mempool.c:271 [inline] mempool_create+0x77/0xc0 mm/mempool.c:256 mempool_create_page_pool include/linux/mempool.h:107 [inline] fscrypt_initialize+0x64/0x90 fs/crypto/crypto.c:330 fscrypt_setup_encryption_info+0x100/0x1550 fs/crypto/keysetup.c:554 fscrypt_get_encryption_info+0x347/0x430 fs/crypto/keysetup.c:663 fscrypt_setup_filename+0x27c/0xb00 fs/crypto/fname.c:402 __fscrypt_prepare_lookup+0x28/0xf0 fs/crypto/hooks.c:102 fscrypt_prepare_lookup include/linux/fscrypt.h:821 [inline] ext4_fname_prepare_lookup fs/ext4/ext4.h:2452 [inline] ext4_lookup_entry fs/ext4/namei.c:1720 [inline] ext4_lookup+0x257/0xb20 fs/ext4/namei.c:1795 lookup_open fs/namei.c:3288 [inline] do_last fs/namei.c:3401 [inline] path_openat+0x1c7b/0x3ea0 fs/namei.c:3614 do_filp_open+0x208/0x450 fs/namei.c:3644 do_sys_open+0x393/0x7e0 fs/open.c:1113 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1176 [inline] free_pcp_prepare+0x1a4/0x290 mm/page_alloc.c:1233 free_unref_page_prepare mm/page_alloc.c:3085 [inline] free_unref_page mm/page_alloc.c:3134 [inline] free_the_page mm/page_alloc.c:4951 [inline] __free_pages+0x9c/0x250 mm/page_alloc.c:4959 __free_slab+0x22b/0x2e0 mm/slub.c:1774 free_slab mm/slub.c:1789 [inline] discard_slab mm/slub.c:1795 [inline] unfreeze_partials+0x14f/0x180 mm/slub.c:2288 put_cpu_partial+0xb5/0x150 mm/slub.c:2324 __slab_free+0x2ac/0x370 mm/slub.c:2971 qlist_free_all+0x4c/0xb0 mm/kasan/quarantine.c:167 quarantine_reduce+0x174/0x190 mm/kasan/quarantine.c:260 __kasan_kmalloc+0x43/0x1e0 mm/kasan/common.c:507 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2829 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc+0xd0/0x210 mm/slub.c:2842 getname_flags+0xb8/0x4e0 fs/namei.c:141 getname fs/namei.c:212 [inline] __do_sys_unlink fs/namei.c:4191 [inline] __se_sys_unlink fs/namei.c:4189 [inline] __x64_sys_unlink+0x38/0x50 fs/namei.c:4189 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Memory state around the buggy address: ffff8881e1023f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881e1024000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8881e1024080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881e1024100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881e1024180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop4): ext4_read_block_bitmap_nowait:430: comm syz-executor.4: Invalid block bitmap block 0 in block_group 0