================================================================== BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x8ca/0x1f30 fs/ext4/xattr.c:1732 Read of size 18446744073709551572 at addr ffff888024f50050 by task syz.0.1664/12346 CPU: 1 PID: 12346 Comm: syz.0.1664 Tainted: G W 6.1.122-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:427 kasan_report+0x136/0x160 mm/kasan/report.c:531 kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189 memmove+0x25/0x60 mm/kasan/shadow.c:54 ext4_xattr_set_entry+0x8ca/0x1f30 fs/ext4/xattr.c:1732 ext4_xattr_block_set+0xa58/0x3920 fs/ext4/xattr.c:1979 ext4_xattr_move_to_block fs/ext4/xattr.c:2616 [inline] ext4_xattr_make_inode_space fs/ext4/xattr.c:2691 [inline] ext4_expand_extra_isize_ea+0x10d5/0x1bb0 fs/ext4/xattr.c:2783 __ext4_expand_extra_isize+0x2f7/0x3d0 fs/ext4/inode.c:5936 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5979 [inline] __ext4_mark_inode_dirty+0x54f/0x920 fs/ext4/inode.c:6057 ext4_dirty_inode+0xbf/0x100 fs/ext4/inode.c:6089 __mark_inode_dirty+0x331/0xf80 fs/fs-writeback.c:2433 mark_inode_dirty include/linux/fs.h:2546 [inline] ext4_setattr+0x755/0x1a00 fs/ext4/inode.c:5613 notify_change+0xce3/0xfc0 fs/attr.c:499 chmod_common+0x2a7/0x4b0 fs/open.c:606 do_fchmodat fs/open.c:645 [inline] __do_sys_chmod fs/open.c:663 [inline] __se_sys_chmod fs/open.c:661 [inline] __x64_sys_chmod+0xf4/0x180 fs/open.c:661 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7efd4d585d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007efd4e484038 EFLAGS: 00000246 ORIG_RAX: 000000000000005a RAX: ffffffffffffffda RBX: 00007efd4d775fa0 RCX: 00007efd4d585d29 RDX: 0000000000000000 RSI: 0000000000000022 RDI: 0000000020000300 RBP: 00007efd4d601b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007efd4d775fa0 R15: 00007ffeffeec588 Allocated by task 12346: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:936 [inline] __kmalloc_node_track_caller+0xb1/0x220 mm/slab_common.c:956 kmemdup+0x26/0x60 mm/util.c:129 ext4_xattr_block_set+0x884/0x3920 fs/ext4/xattr.c:1927 ext4_xattr_move_to_block fs/ext4/xattr.c:2616 [inline] ext4_xattr_make_inode_space fs/ext4/xattr.c:2691 [inline] ext4_expand_extra_isize_ea+0x10d5/0x1bb0 fs/ext4/xattr.c:2783 __ext4_expand_extra_isize+0x2f7/0x3d0 fs/ext4/inode.c:5936 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5979 [inline] __ext4_mark_inode_dirty+0x54f/0x920 fs/ext4/inode.c:6057 ext4_dirty_inode+0xbf/0x100 fs/ext4/inode.c:6089 __mark_inode_dirty+0x331/0xf80 fs/fs-writeback.c:2433 mark_inode_dirty include/linux/fs.h:2546 [inline] ext4_setattr+0x755/0x1a00 fs/ext4/inode.c:5613 notify_change+0xce3/0xfc0 fs/attr.c:499 chmod_common+0x2a7/0x4b0 fs/open.c:606 do_fchmodat fs/open.c:645 [inline] __do_sys_chmod fs/open.c:663 [inline] __se_sys_chmod fs/open.c:661 [inline] __x64_sys_chmod+0xf4/0x180 fs/open.c:661 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845 qdisc_put net/sched/sch_generic.c:1104 [inline] dev_shutdown+0x359/0x440 net/sched/sch_generic.c:1492 unregister_netdevice_many+0xaac/0x17a0 net/core/dev.c:10936 unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:10876 unregister_netdevice include/linux/netdevice.h:3067 [inline] nsim_destroy+0x44/0x140 drivers/net/netdevsim/netdev.c:382 __nsim_dev_port_del+0x153/0x1b0 drivers/net/netdevsim/dev.c:1433 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1445 [inline] nsim_dev_reload_destroy+0x286/0x490 drivers/net/netdevsim/dev.c:1662 nsim_drv_remove+0x5c/0x160 drivers/net/netdevsim/dev.c:1678 device_remove drivers/base/dd.c:548 [inline] __device_release_driver drivers/base/dd.c:1260 [inline] device_release_driver_internal+0x4f3/0x880 drivers/base/dd.c:1286 bus_remove_device+0x2e5/0x400 drivers/base/bus.c:531 device_del+0x6e2/0xbd0 drivers/base/core.c:3884 device_unregister+0x1c/0xc0 drivers/base/core.c:3927 nsim_bus_dev_del drivers/net/netdevsim/bus.c:310 [inline] del_device_store+0x35f/0x480 drivers/net/netdevsim/bus.c:219 kernfs_fop_write_iter+0x3a2/0x4f0 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2265 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x857/0xbc0 fs/read_write.c:584 ksys_write+0x19c/0x2c0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff888024f50000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 80 bytes inside of 1024-byte region [ffff888024f50000, ffff888024f50400) The buggy address belongs to the physical page: page:ffffea000093d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888024f52800 pfn:0x24f50 head:ffffea000093d400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea0000a2aa00 dead000000000003 ffff888017c41dc0 raw: ffff888024f52800 000000008010000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6665155711, free_ts 0 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5605 __alloc_pages_node include/linux/gfp.h:237 [inline] alloc_slab_page+0x59/0x150 mm/slub.c:1796 allocate_slab mm/slub.c:1939 [inline] new_slab+0x84/0x2d0 mm/slub.c:1992 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:935 [inline] __kmalloc_node+0xa2/0x230 mm/slab_common.c:943 kmalloc_node include/linux/slab.h:589 [inline] kvmalloc_node+0x6e/0x180 mm/util.c:581 kvzalloc_node include/linux/slab.h:720 [inline] sbitmap_init_node+0x2c7/0x6c0 lib/sbitmap.c:132 sbitmap_queue_init_node+0x37/0x4b0 lib/sbitmap.c:447 bt_alloc block/blk-mq-tag.c:545 [inline] blk_mq_init_bitmaps block/blk-mq-tag.c:557 [inline] blk_mq_init_tags+0x105/0x270 block/blk-mq-tag.c:588 blk_mq_alloc_rq_map block/blk-mq.c:3355 [inline] blk_mq_alloc_map_and_rqs+0xc7/0x9c0 block/blk-mq.c:3807 __blk_mq_alloc_map_and_rqs block/blk-mq.c:3829 [inline] __blk_mq_alloc_rq_maps block/blk-mq.c:4348 [inline] blk_mq_alloc_set_map_and_rqs+0x19c/0x830 block/blk-mq.c:4379 blk_mq_alloc_tag_set+0x763/0xd60 block/blk-mq.c:4536 loop_add+0x2f4/0x9a0 drivers/block/loop.c:2021 page_owner free stack trace missing Memory state around the buggy address: ffff888024f4ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888024f4ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888024f50000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff888024f50080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888024f50100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================