==================================================================
EXT4-fs error (device sda1): ext4_expand_extra_isize_ea:2734: inode #16732: comm syz-executor5: corrupted in-inode xattr
BUG: KASAN: use-after-free in memset include/linux/string.h:337 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x16f/0x240 fs/ext4/inode.c:5897
Write of size 4192256 at addr ffff8881abb0f980 by task syz-executor1/4389
CPU: 0 PID: 4389 Comm: syz-executor1 Not tainted 4.20.0-rc7+ #155
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
EXT4-fs error (device sda1): ext4_expand_extra_isize_ea:2734: inode #16733: comm syz-executor0: corrupted in-inode xattr
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
EXT4-fs (sda1): re-mounted. Opts: debug_want_extra_isize=0x00000000003ff800,
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memset+0x23/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:337 [inline]
 __ext4_expand_extra_isize+0x16f/0x240 fs/ext4/inode.c:5897
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5949 [inline]
 ext4_mark_inode_dirty+0x8f9/0xb20 fs/ext4/inode.c:6025
 ext4_dirty_inode+0x97/0xc0 fs/ext4/inode.c:6059
 __mark_inode_dirty+0x7c3/0x1510 fs/fs-writeback.c:2122
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(sem->owner != get_current())
WARNING: CPU: 1 PID: 6018 at kernel/locking/rwsem.c:134 up_write+0x1d6/0x220 kernel/locking/rwsem.c:134
Kernel panic - not syncing: panic_on_warn set ...
 generic_update_time+0x26a/0x450 fs/inode.c:1654
 update_time fs/inode.c:1670 [inline]
 file_update_time+0x390/0x640 fs/inode.c:1880
 __generic_file_write_iter+0x1dc/0x630 mm/filemap.c:3215
 ext4_file_write_iter+0x390/0x1420 fs/ext4/file.c:266
 call_write_iter include/linux/fs.h:1857 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
 vfs_write+0x1fc/0x560 fs/read_write.c:549
 ksys_write+0x101/0x260 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457669
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa4f186ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
RDX: 00000000000010a9 RSI: 0000000020000980 RDI: 0000000000000003
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa4f186f6d4
R13: 00000000004c5fdb R14: 00000000004dab20 R15: 00000000ffffffff
CPU: 1 PID: 6018 Comm: rs:main Q:Reg Not tainted 4.20.0-rc7+ #155
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
The buggy address belongs to the page:
Call Trace:
page:ffffea0006aec3c0 count:2 mapcount:0 mapping:ffff8881cc90b658 index:0x437
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
flags: 0x2fffc000000203a(referenced|dirty|lru|active|private)
raw: 02fffc000000203a ffffea0006ecdd08 ffffea0006cb5788 ffff8881cc90b658
 panic+0x2ad/0x55c kernel/panic.c:188
raw: 0000000000000437 ffff8881c2ccbd20 00000002ffffffff ffff8881d8c349c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8881d8c349c0
Memory state around the buggy address:
 __warn.cold.8+0x20/0x45 kernel/panic.c:540
 ffff8881abb0ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881abb0ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881abb10000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 report_bug+0x254/0x2d0 lib/bug.c:186
                   ^
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 ffff8881abb10080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
 ffff8881abb10100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
==================================================================
RIP: 0010:up_write+0x1d6/0x220 kernel/locking/rwsem.c:134
BUG: KASAN: double-free or invalid-free in __rcu_reclaim kernel/rcu/rcu.h:233 [inline]
BUG: KASAN: double-free or invalid-free in rcu_do_batch kernel/rcu/tree.c:2437 [inline]
BUG: KASAN: double-free or invalid-free in invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
BUG: KASAN: double-free or invalid-free in rcu_process_callbacks+0x1140/0x1ac0 kernel/rcu/tree.c:2697
Code: 03 38 d0 7c 04 84 d2 75 5e 8b 05 b5 f5 b5 08 85 c0 0f 85 1c ff ff ff 48 c7 c6 a0 32 2b 88 48 c7 c7 e0 32 2b 88 e8 6a 66 e8 ff <0f> 0b e9 02 ff ff ff e8 be 6b 62 00 e9 bc fe ff ff 4c 89 ff e8 d1
RSP: 0018:ffff8881d8f6efa0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881afe51718 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8165e495 RDI: 0000000000000006
RBP: ffff8881d8f6f028 R08: ffff8881d83e6180 R09: fffffbfff12b2314
R10: fffffbfff12b2314 R11: ffffffff895918a3 R12: dffffc0000000000
R13: 1ffff1103b1eddf4 R14: ffff8881d8f6f000 R15: ffff8881afe51770
 ext4_write_unlock_xattr fs/ext4/xattr.h:159 [inline]
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5951 [inline]
 ext4_mark_inode_dirty+0x94a/0xb20 fs/ext4/inode.c:6025
 ext4_dirty_inode+0x97/0xc0 fs/ext4/inode.c:6059
 __mark_inode_dirty+0x7c3/0x1510 fs/fs-writeback.c:2122
 mark_inode_dirty include/linux/fs.h:2119 [inline]
 __generic_write_end+0x320/0x400 fs/buffer.c:2117
 generic_write_end+0x6c/0x90 fs/buffer.c:2162
 ext4_da_write_end+0x2e0/0xcd0 fs/ext4/inode.c:3203
 generic_perform_write+0x4ca/0x6a0 mm/filemap.c:3151
 __generic_file_write_iter+0x26e/0x630 mm/filemap.c:3265
 ext4_file_write_iter+0x390/0x1420 fs/ext4/file.c:266
 call_write_iter include/linux/fs.h:1857 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
 vfs_write+0x1fc/0x560 fs/read_write.c:549
 ksys_write+0x101/0x260 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fe5b85b919d
Code: d1 20 00 00 75 10 b8 01 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be fa ff ff 48 89 04 24 b8 01 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 07 fb ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fe5b6b59f90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000400 RCX: 00007fe5b85b919d
RDX: 0000000000000400 RSI: 0000000000b0fa90 RDI: 0000000000000001
RBP: 0000000000b0fa90 R08: 0000000000b54de0 R09: 3020373120636544
R10: 2031323a37303a34 R11: 0000000000000293 R12: 0000000000000000
R13: 00007fe5b6b5a410 R14: 0000000000b54de0 R15: 0000000000b0f890
CPU: 0 PID: 4389 Comm: syz-executor1 Tainted: G B 4.20.0-rc7+ #155
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:336
 __kasan_slab_free+0x13a/0x150 mm/kasan/kasan.c:501
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3817
 __rcu_reclaim kernel/rcu/rcu.h:233 [inline]
 rcu_do_batch kernel/rcu/tree.c:2437 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
 rcu_process_callbacks+0x1140/0x1ac0 kernel/rcu/tree.c:2697
 __do_softirq+0x308/0xb7e kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1cb/0x760 arch/x86/kernel/apic/apic.c:1061
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:761 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xaf/0xd0 kernel/locking/spinlock.c:184
Code: f0 00 52 89 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 28 48 83 3d 18 bf 76 01 00 74 15 48 89 df 57 9d <0f> 1f 44 00 00 eb ad e8 1c 3b 25 f9 eb bb 0f 0b 0f 0b e8 0a a8 e7
RSP: 0018:ffff8881837c71e8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: 0000000000000286 RCX: ffffc90007e6a000
RDX: 1ffffffff12a401e RSI: ffffffff8185ad04 RDI: 0000000000000286
RBP: ffff8881837c71f8 R08: ffff8881818d81c0 R09: fffffbfff12c7248
R10: fffffbfff12c7248 R11: ffffffff89639243 R12: ffffffff89639240
R13: 0000000000000001 R14: ffff8881abb10000 R15: 00000000003ff800
 spin_unlock_irqrestore include/linux/spinlock.h:384 [inline]
 kasan_end_report+0x32/0x4f mm/kasan/report.c:178
 kasan_report_error mm/kasan/report.c:359 [inline]
 kasan_report.cold.8+0x76/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memset+0x23/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:337 [inline]
 __ext4_expand_extra_isize+0x16f/0x240 fs/ext4/inode.c:5897
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5949 [inline]
 ext4_mark_inode_dirty+0x8f9/0xb20 fs/ext4/inode.c:6025
 ext4_dirty_inode+0x97/0xc0 fs/ext4/inode.c:6059
 __mark_inode_dirty+0x7c3/0x1510 fs/fs-writeback.c:2122
 generic_update_time+0x26a/0x450 fs/inode.c:1654
 update_time fs/inode.c:1670 [inline]
 file_update_time+0x390/0x640 fs/inode.c:1880
 __generic_file_write_iter+0x1dc/0x630 mm/filemap.c:3215
 ext4_file_write_iter+0x390/0x1420 fs/ext4/file.c:266
 call_write_iter include/linux/fs.h:1857 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
 vfs_write+0x1fc/0x560 fs/read_write.c:549
 ksys_write+0x101/0x260 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457669
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa4f186ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
RDX: 00000000000010a9 RSI: 0000000020000980 RDI: 0000000000000003
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa4f186f6d4
R13: 00000000004c5fdb R14: 00000000004dab20 R15: 00000000ffffffff

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881afe20760
 which belongs to the cache dentry of size 288
The buggy address is located 272 bytes inside of
 288-byte region [ffff8881afe20760, ffff8881afe20880)
The buggy address belongs to the page:
page:ffffea0006bf8800 count:1 mapcount:0 mapping:ffff8881da986cc0 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0006f55948 ffffea0006bf7608 ffff8881da986cc0
raw: 0000000000000000 ffff8881afe20080 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881afe20700: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
 ffff8881afe20780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881afe20800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                             ^
 ffff8881afe20880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881afe20900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Kernel Offset: disabled
Rebooting in 86400 seconds..