==================================================================
BUG: KASAN: use-after-free in memset include/linux/string.h:332 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x14f/0x220 fs/ext4/inode.c:5754
Write of size 16777184 at addr ffff8880842582a0 by task rs:main Q:Reg/6703

CPU: 0 PID: 6703 Comm: rs:main Q:Reg Not tainted 4.14.141 #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 memset+0x24/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:332 [inline]
 __ext4_expand_extra_isize+0x14f/0x220 fs/ext4/inode.c:5754
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5806 [inline]
 ext4_mark_inode_dirty+0x664/0x860 fs/ext4/inode.c:5882
 ext4_dirty_inode+0x73/0xa0 fs/ext4/inode.c:5916
 __mark_inode_dirty+0x54c/0x1040 fs/fs-writeback.c:2141
 mark_inode_dirty include/linux/fs.h:2019 [inline]
 generic_write_end+0x1b7/0x290 fs/buffer.c:2218
 ext4_da_write_end+0x344/0x8e0 fs/ext4/inode.c:3187
 generic_perform_write+0x29f/0x480 mm/filemap.c:3057
 __generic_file_write_iter+0x239/0x5b0 mm/filemap.c:3171
 ext4_file_write_iter+0x2ac/0xe90 fs/ext4/file.c:268
 call_write_iter include/linux/fs.h:1777 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x4a7/0x6b0 fs/read_write.c:482
 vfs_write+0x198/0x500 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xfd/0x230 fs/read_write.c:582
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f4e3536d19d
RSP: 002b:00007f4e3390e000 EFLAGS: 00000293
ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000000000f5 RCX: 00007f4e3536d19d
RDX: 00000000000000f5 RSI: 0000000000dd5a90 RDI: 0000000000000005
RBP: 0000000000dd5a90 R08: 0000000000dd5af9 R09: 00007f4e34cea347
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007f4e3390e480 R14: 0000000000000002 R15: 0000000000dd5890

The buggy address belongs to the page:
page:ffffea0002109600 count:2 mapcount:0 mapping:ffff8882174254e0 index:0x427
flags: 0x1fffc0000001074(referenced|dirty|lru|active|private)
raw: 01fffc0000001074 ffff8882174254e0 0000000000000427 00000002ffffffff
raw: ffffea00020c83a0 ffffea00020b4ce0 ffff88807fa8bf18 ffff88821b7321c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88821b7321c0

Memory state around the buggy address:
 ffff888084519f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888084519f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808451a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88808451a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808451a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

kasan: CONFIG_KASAN_INLINE enabled
kobject: 'loop1' (ffff8880a49b76e0): kobject_uevent_env
kasan: CONFIG_KASAN_INLINE enabled

list_del corruption. prev->next should be ffff88809a309410, but was (null)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:51!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6877 Comm: syz-executor.5 Not tainted 4.14.141 #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888066d78200 task.stack: ffff888066d80000
RIP: 0010:__list_del_entry_valid.cold+0xf/0x4f lib/list_debug.c:51
RSP: 0018:ffff888066d87d18 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffff88809a309410 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff866d10e0 RDI: ffffed100cdb0f99
RBP: ffff888066d87d30 R08: 0000000000000054 R09: ffff888066d78af0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88807f955450
R13: ffff88809a3ad3d0 R14: ffff88809a309410 R15: 0000000000000000
FS: 0000000001dca940(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcb24fdfd8 CR3: 0000000066d6a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del_init include/linux/list.h:159 [inline]
 list_lru_del+0x105/0x4e0 mm/list_lru.c:134
 inode_lru_list_del fs/inode.c:428 [inline]
 iput_final fs/inode.c:1513 [inline]
 iput fs/inode.c:1543 [inline]
 iput+0x44a/0x900 fs/inode.c:1528
 do_unlinkat+0x38b/0x600 fs/namei.c:4095
 SYSC_unlink fs/namei.c:4136 [inline]
 SyS_unlink+0x1b/0x20 fs/namei.c:4134
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4595c7
RSP: 002b:00007ffcb24fe798 EFLAGS: 00000246
ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004595c7
RDX: 00007ffcb24fe7b0 RSI: 00007ffcb24fe7b0 RDI: 00007ffcb24fe840
RBP: 00000000000001ed R08: 0000000000000000 R09: 000000000000000c
R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffcb24ff8d0
R13: 0000000001dcb940 R14: 0000000000000000 R15: 00007ffcb24ff8d0
Code: 86 e8 f8 b1 72 fe 0f 0b 48 89 f1 48 c7 c7 40 2f 9d 86 4c 89 e6 e8 e4 b1 72 fe 0f 0b 4c 89 f6 48 c7 c7 e0 30 9d 86 e8 d3 b1 72 fe <0f> 0b 4c 89 ea 4c 89 f6 48 c7 c7 20 30 9d 86 e8 bf b1 72 fe 0f
RIP: __list_del_entry_valid.cold+0xf/0x4f lib/list_debug.c:51 RSP: ffff888066d87d18
---[ end trace 0976a1d1658a296b ]---
BUG: unable to handle kernel