bond0: Enslaving bond_slave_0 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
Read of size 4 at addr ffff88808db21183 by task syz-executor.3/6953
CPU: 1 PID: 6953 Comm: syz-executor.3 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
ext4_xattr_ibody_set+0x7a/0x2a0 fs/ext4/xattr.c:2238
ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
bond0: Enslaving bond_slave_1 as an active interface with an up link
ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
security_inode_init_security security/security.c:492 [inline]
security_inode_init_security+0x26d/0x360 security/security.c:465
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
__ext4_new_inode+0x3385/0x4860 fs/ext4/ialloc.c:1166
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
ext4_mkdir+0x331/0xc20 fs/ext4/namei.c:2657
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
vfs_mkdir+0x3ca/0x610 fs/namei.c:3846
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
SYSC_mkdirat fs/namei.c:3869 [inline]
SyS_mkdirat fs/namei.c:3853 [inline]
SYSC_mkdir fs/namei.c:3880 [inline]
SyS_mkdir+0x1b7/0x200 fs/namei.c:3878
kobject: 'veth0_to_team' (ffff8880998c49f0): kobject_add_internal: parent: 'net', set: 'devices'
kobject: 'veth0_to_team' (ffff8880998c49f0): kobject_uevent_env
kobject: 'veth0_to_team' (ffff8880998c49f0): fill_kobj_path: path = '/devices/virtual/net/veth0_to_team'
kobject: 'queues' (ffff8880a5bd5448): kobject_add_internal: parent: 'veth0_to_team', set: ''
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459d27
RSP: 002b:00007ffde2917fa8 EFLAGS: 00000202 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 000000000000b6ae RCX: 0000000000459d27
RDX: 00007ffde2917ff3 RSI: 00000000000001ff RDI: 00007ffde2917ff0
kobject: 'queues' (ffff8880a5bd5448): kobject_uevent_env
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000003
kobject: 'queues' (ffff8880a5bd5448): kobject_uevent_env: filter function caused the event to drop!
R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000003
kobject: 'rx-0' (ffff8880a0f7b3d0): kobject_add_internal: parent: 'queues', set: 'queues'
R13: 00007ffde2917fe0 R14: 000000000000b672 R15: 00007ffde2917ff0
kobject: 'rx-0' (ffff8880a0f7b3d0): kobject_uevent_env
The buggy address belongs to the page:
page:ffffea000236c840 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea000242a6e0 ffffea000236d7e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff88808db21080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808db21100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808db21180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88808db21200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808db21280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kobject: 'rx-0' (ffff8880a0f7b3d0): fill_kobj_path: path = '/devices/virtual/net/veth0_to_team/queues/rx-0'
==================================================================