================================================================== BUG: KASAN: use-after-free in ext4_xattr_delete_inode+0xcd0/0xce0 fs/ext4/xattr.c:2904 Read of size 4 at addr ffff8881159fa000 by task syz-executor/295 CPU: 1 PID: 295 Comm: syz-executor Not tainted 5.15.150-syzkaller-00330-g9044d25b8ff5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description+0x87/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:444 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 ext4_xattr_delete_inode+0xcd0/0xce0 fs/ext4/xattr.c:2904 ext4_evict_inode+0xea1/0x14e0 fs/ext4/inode.c:300 evict+0x2a3/0x630 fs/inode.c:587 iput_final fs/inode.c:1705 [inline] iput+0x63b/0x7e0 fs/inode.c:1731 d_delete_notify include/linux/fsnotify.h:270 [inline] vfs_rmdir+0x359/0x470 fs/namei.c:4162 do_rmdir+0x3ab/0x630 fs/namei.c:4210 __do_sys_unlinkat fs/namei.c:4390 [inline] __se_sys_unlinkat fs/namei.c:4384 [inline] __x64_sys_unlinkat+0xdf/0xf0 fs/namei.c:4384 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7f8e17f89217 Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdbb7053c8 EFLAGS: 00000207 ORIG_RAX: 0000000000000107 RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 00007f8e17f89217 RDX: 0000000000000200 RSI: 00007ffdbb706570 RDI: 00000000ffffff9c RBP: 00007f8e17ff7515 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000100 R11: 0000000000000207 R12: 00007ffdbb706570 R13: 00007f8e17ff7515 R14: 000000000000ca49 R15: 000000000000001d The buggy address belongs to the page: page:ffffea0004567e80 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1159fa flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea00043c8288 ffffea000428f248 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x502dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO|__GFP_ACCOUNT), pid 836, ts 50278595358, free_ts 50337671330 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604 prep_new_page+0x1b/0x110 mm/page_alloc.c:2610 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776 __vmalloc_area_node mm/vmalloc.c:2955 [inline] __vmalloc_node_range+0x482/0x8d0 mm/vmalloc.c:3086 __vmalloc_node mm/vmalloc.c:3151 [inline] __vmalloc+0x7a/0x90 mm/vmalloc.c:3165 __vmalloc_array mm/util.c:723 [inline] __vcalloc+0x36/0x50 mm/util.c:746 memslot_rmap_alloc+0x6b/0x2a0 arch/x86/kvm/x86.c:11766 kvm_alloc_memslot_metadata arch/x86/kvm/x86.c:11834 [inline] kvm_arch_prepare_memory_region+0xc5/0xd20 arch/x86/kvm/x86.c:11907 kvm_set_memslot+0x513/0x1780 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1683 __kvm_set_memory_region+0xdf8/0x1060 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1843 kvm_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c:1864 [inline] kvm_vm_ioctl_set_memory_region+0x73/0xa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1876 kvm_vm_ioctl+0x91f/0xb60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4492 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl+0x114/0x190 fs/ioctl.c:860 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1471 [inline] free_pcp_prepare mm/page_alloc.c:1543 [inline] free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533 free_unref_page+0xe8/0x750 mm/page_alloc.c:3615 free_the_page mm/page_alloc.c:804 [inline] __free_pages+0x61/0xf0 mm/page_alloc.c:5852 __vunmap+0x7bc/0x8f0 mm/vmalloc.c:2652 __vfree mm/vmalloc.c:2700 [inline] vfree+0x7f/0xb0 mm/vmalloc.c:2731 kvfree+0x26/0x40 mm/util.c:662 memslot_rmap_free arch/x86/kvm/x86.c:11734 [inline] kvm_arch_free_memslot+0x40/0x150 arch/x86/kvm/x86.c:11743 kvm_free_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:934 [inline] kvm_free_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:948 [inline] kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1254 [inline] kvm_put_kvm+0xd04/0x1270 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1283 kvm_vm_release+0x46/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1306 __fput+0x3fe/0x910 fs/file_table.c:280 ____fput+0x15/0x20 fs/file_table.c:308 task_work_run+0x129/0x190 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0xc4/0xe0 kernel/entry/common.c:175 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:301 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 Memory state around the buggy address: ffff8881159f9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881159f9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881159fa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881159fa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881159fa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== syz-executor (295) used greatest stack depth: 19616 bytes left