EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16655: comm syz-fuzzer: corrupted in-inode xattr
EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16655: comm syz-fuzzer: corrupted in-inode xattr
EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16655: comm syz-fuzzer: corrupted in-inode xattr
EXT4-fs error (device sda1): ext4_xattr_ibody_get:591: inode #16655: comm syz-fuzzer: corrupted in-inode xattr
==================================================================
BUG: KASAN: use-after-free in memmove include/linux/string.h:367 [inline]
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x22ad/0x3d20 fs/ext4/xattr.c:1733
Read of size 4 at addr ffff8880769f3ffd by task syz-executor0/12326

CPU: 0 PID: 12326 Comm: syz-executor0 Not tainted 4.20.0+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 memmove+0x24/0x50 mm/kasan/common.c:121
 memmove include/linux/string.h:367 [inline]
 ext4_xattr_set_entry+0x22ad/0x3d20 fs/ext4/xattr.c:1733
 ext4_xattr_ibody_set+0x80/0x2b0 fs/ext4/xattr.c:2235
 ext4_xattr_set_handle+0x983/0x17d0 fs/ext4/xattr.c:2391
 ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
 security_inode_init_security+0x32f/0x430 security/security.c:513
 ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
 __ext4_new_inode+0x4a47/0x6cb0 fs/ext4/ialloc.c:1160
 ext4_mkdir+0x45a/0xef0 fs/ext4/namei.c:2626
 vfs_mkdir+0x433/0x690 fs/namei.c:3816
 do_mkdirat+0x271/0x2f0 fs/namei.c:3839
 __do_sys_mkdir fs/namei.c:3855 [inline]
 __se_sys_mkdir fs/namei.c:3853 [inline]
 __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3853
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4572e7
Code: 1f 40 00 b8 5a 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d c3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1d c3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd845dfbc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 000000000003a2f8 RCX: 00000000004572e7
RDX: 0000000000000035 RSI: 00000000000001c0 RDI: 00007ffd845dfd80
RBP: 0000000000000001 R08: 000000000000f8f8 R09: 0000000000033600
R10: 0000000000000011 R11: 0000000000000246 R12: 00000000000000c2
R13: 00007ffd845dfd80 R14: 8421084210842109 R15: 00007ffd845dfd8c

The buggy address belongs to the page:
page:ffffea0001da7cc0 count:2 mapcount:0 mapping:ffff88809e078b18 index:0x432
def_blk_aops
flags: 0x1fffc000000203a(referenced|dirty|lru|active|private)
raw: 01fffc000000203a ffffea0001e852c8 ffffea0001cb5608 ffff88809e078b18
raw: 0000000000000432 ffff888096b38d20 00000002ffffffff ffff88808b326380
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88808b326380

Memory state around the buggy address:
 ffff8880769f3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880769f3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880769f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880769f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880769f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================