==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0xaf2/0x21d0 fs/ext4/xattr.c:1708
Read of size 18446744073709551600 at addr ffff8881457b15b8 by task syz.2.2440/8593

CPU: 1 PID: 8593 Comm: syz.2.2440 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 memmove+0x2d/0x70 mm/kasan/shadow.c:54
 ext4_xattr_set_entry+0xaf2/0x21d0 fs/ext4/xattr.c:1708
 ext4_xattr_ibody_set+0x24e/0x6c0 fs/ext4/xattr.c:2215
 ext4_destroy_inline_data_nolock+0x234/0x5d0 fs/ext4/inline.c:468
 ext4_convert_inline_data_nolock+0x3c0/0x9e0 fs/ext4/inline.c:1250
 ext4_convert_inline_data+0x4b9/0x5f0 fs/ext4/inline.c:2111
 ext4_page_mkwrite+0x2e8/0x1310 fs/ext4/inode.c:6257
 do_page_mkwrite mm/memory.c:3039 [inline]
 do_shared_fault mm/memory.c:4823 [inline]
 do_fault+0xdb8/0x1ee0 mm/memory.c:4891
 handle_pte_fault mm/memory.c:5183 [inline]
 __handle_mm_fault mm/memory.c:5325 [inline]
 handle_mm_fault+0x133a/0x26c0 mm/memory.c:5465
 do_user_addr_fault+0x63b/0x1050 arch/x86/mm/fault.c:1372
 handle_page_fault arch/x86/mm/fault.c:1464 [inline]
 exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1517
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7f3a9316bcfc
Code: 7c 10 8a 0e 74 0a 0f b7 74 16 fe 66 89 74 17 fe 88 0f c3 8b 4c 16 fc 8b 36 89 4c 17 fc 89 37 c3 c5 fa 6f 06 c5 fa 6f 4c 16 f0 fa 7f 07 c5 fa 7f 4c 17 f0 c3 66 0f 1f 84 00 00 00 00 00 48 8b
RSP: 002b:00007ffcde237018 EFLAGS: 00010246
RAX: 0000200000000100 RBX: 0000000000000004 RCX: 000000000000003f
RDX: 0000000000000010 RSI: 0000001b2f52077e RDI: 0000200000000100
RBP: fffffffffffffffe R08: 0000001b2f920000 R09: 0000000000000001
R10: 7fffffffffffffef R11: 0000000000000009 R12: 00007ffcde237140
R13: 00007f3a93415fac R14: 0000000000079ada R15: 00007f3a93415fa0

The buggy address belongs to the physical page:
page:ffffea000515ec40 refcount:3 mapcount:0 mapping:ffff88810b6b7650 index:0x2 pfn:0x1457b1
memcg:ffff888113b257c0
aops:def_blk_aops ino:700002
flags: 0x460000000000206a(referenced|dirty|active|workingset|private|zone=1)
raw: 460000000000206a 0000000000000000 dead000000000122 ffff88810b6b7650
raw: 0000000000000002 ffff88813b032348 00000003ffffffff ffff888113b257c0
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 8593, tgid 8593 (syz.2.2440), ts 529684804568, free_ts 529369211605
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
 get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4585
 __alloc_pages+0x1fa/0x610 mm/page_alloc.c:5926
 __folio_alloc+0x12/0x40 mm/page_alloc.c:5959
 __folio_alloc_node include/linux/gfp.h:245 [inline]
 folio_alloc include/linux/gfp.h:274 [inline]
 filemap_alloc_folio include/linux/pagemap.h:515 [inline]
 __filemap_get_folio+0x6ee/0xa60 mm/filemap.c:2020
 pagecache_get_page+0x2b/0x110 mm/folio-compat.c:110
 find_or_create_page include/linux/pagemap.h:656 [inline]
 grow_dev_page fs/buffer.c:989 [inline]
 grow_buffers fs/buffer.c:1054 [inline]
 __getblk_slow fs/buffer.c:1081 [inline]
 __getblk_gfp+0x217/0x7d0 fs/buffer.c:1376
 sb_getblk include/linux/buffer_head.h:356 [inline]
 __ext4_get_inode_loc+0x481/0xdf0 fs/ext4/inode.c:4516
 ext4_get_inode_loc+0x81/0xf0 fs/ext4/inode.c:4644
 ext4_read_inline_page+0x212/0x7f0 fs/ext4/inline.c:516
 ext4_readpage_inline+0x1aa/0x210 fs/ext4/inline.c:548
 ext4_read_folio+0xe0/0x220 fs/ext4/inode.c:3252
 filemap_read_folio+0xff/0x2c0 mm/filemap.c:2518
 filemap_fault+0xd14/0x1360 mm/filemap.c:3385
 __do_fault mm/memory.c:4376 [inline]
 do_shared_fault mm/memory.c:4813 [inline]
 do_fault+0xb78/0x1ee0 mm/memory.c:4891
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1580 [inline]
 free_pcp_prepare mm/page_alloc.c:1654 [inline]
 free_unref_page_prepare+0x7f8/0x800 mm/page_alloc.c:3620
 free_unref_page_list+0x117/0x8c0 mm/page_alloc.c:3771
 release_pages+0xc93/0xcf0 mm/swap.c:1053
 __pagevec_release+0x71/0xe0 mm/swap.c:1073
 pagevec_release include/linux/pagevec.h:71 [inline]
 folio_batch_release include/linux/pagevec.h:135 [inline]
 shmem_undo_range+0x574/0x1540 mm/shmem.c:951
 shmem_truncate_range mm/shmem.c:1067 [inline]
 shmem_evict_inode+0x255/0xa50 mm/shmem.c:1176
 evict+0x4d7/0x8f0 fs/inode.c:708
 iput_final fs/inode.c:1844 [inline]
 iput+0x620/0x670 fs/inode.c:1870
 dentry_unlink_inode+0x33d/0x3f0 fs/dcache.c:405
 __dentry_kill+0x460/0x670 fs/dcache.c:611
 dentry_kill+0xc0/0x2a0 fs/dcache.c:-1
 dput+0x42/0x80 fs/dcache.c:918
 __fput+0x5be/0x8f0 fs/file_table.c:328
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0xa35/0x2660 kernel/exit.c:886

Memory state around the buggy address:
 ffff8881457b1480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881457b1500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881457b1580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        ^
 ffff8881457b1600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881457b1680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF