EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue. Quota mode: none.
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x13ba/0x3940 fs/ext4/xattr.c:1736
Read of size 18446744073709551600 at addr ffff8881106282b8 by task syz.5.1578/5160

CPU: 0 PID: 5160 Comm: syz.5.1578 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0xf1/0x140 mm/kasan/report.c:444
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 memmove+0x2d/0x70 mm/kasan/shadow.c:54
 ext4_xattr_set_entry+0x13ba/0x3940 fs/ext4/xattr.c:1736
 ext4_xattr_ibody_set+0x122/0x360 fs/ext4/xattr.c:2238
 ext4_destroy_inline_data_nolock+0x234/0x5d0 fs/ext4/inline.c:468
 ext4_convert_inline_data_to_extent fs/ext4/inline.c:633 [inline]
 ext4_try_to_write_inline_data+0x6ef/0x1190 fs/ext4/inline.c:774
 ext4_write_begin+0x243/0x12e0 fs/ext4/inode.c:1192
 ext4_da_write_begin+0x321/0xbf0 fs/ext4/inode.c:2988
 generic_perform_write+0x2b7/0x690 mm/filemap.c:3870
 ext4_buffered_write_iter+0x4ed/0x670 fs/ext4/file.c:270
 ext4_file_write_iter+0x440/0x1540 fs/ext4/file.c:-1
 do_iter_readv_writev+0x478/0x5f0 fs/read_write.c:-1
 do_iter_write+0x1fa/0x7b0 fs/read_write.c:855
 vfs_writev+0x2df/0x570 fs/read_write.c:928
 do_pwritev fs/read_write.c:1025 [inline]
 __do_sys_pwritev2 fs/read_write.c:1084 [inline]
 __se_sys_pwritev2+0x1af/0x2b0 fs/read_write.c:1075
 __x64_sys_pwritev2+0xbf/0xd0 fs/read_write.c:1075
 x64_sys_call+0x346/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:329
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fe6bb639799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe6ba094028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00007fe6bb8b2fa0 RCX: 00007fe6bb639799
RDX: 0000000000000001 RSI: 0000200000000100 RDI: 0000000000000006
RBP: 00007fe6bb6cfbd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000005412 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe6bb8b3038 R14: 00007fe6bb8b2fa0 R15: 00007fff090b5c18

The buggy address belongs to the page:
page:ffffea0004418a00 refcount:3 mapcount:1 mapping:ffff8881092cfa18 index:0x2 pfn:0x110628
memcg:ffff88810e1e6780
aops:def_blk_aops ino:700005
flags: 0x400000000002203e(referenced|uptodate|dirty|lru|active|private|mappedtodisk|zone=1)
raw: 400000000002203e ffffea0005445ec8 ffff88810e1d88b0 ffff8881092cfa18
raw: 0000000000000002 ffff8881296543f0 0000000300000000 ffff88810e1e6780
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5160, ts 204594028559, free_ts 204419481784
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x192/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x2d3a/0x2dc0 mm/page_alloc.c:4485
 __alloc_pages+0x1a2/0x460 mm/page_alloc.c:5822
 __alloc_pages_node include/linux/gfp.h:595 [inline]
 alloc_pages_node include/linux/gfp.h:609 [inline]
 alloc_pages include/linux/gfp.h:622 [inline]
 __page_cache_alloc include/linux/pagemap.h:305 [inline]
 page_cache_ra_unbounded+0x2d5/0x9a0 mm/readahead.c:227
 do_page_cache_ra+0xf2/0x110 mm/readahead.c:280
 do_sync_mmap_readahead+0x699/0x960 mm/filemap.c:3018
 filemap_fault+0xb32/0x1770 mm/filemap.c:3161
 __do_fault+0x264/0x2f0 mm/memory.c:4192
 do_read_fault mm/memory.c:4556 [inline]
 do_fault mm/memory.c:4697 [inline]
 handle_pte_fault+0x187d/0x2710 mm/memory.c:4911
 __handle_mm_fault mm/memory.c:-1 [inline]
 do_handle_mm_fault+0x1af9/0x1de0 mm/memory.c:5333
 handle_mm_fault include/linux/mm.h:1847 [inline]
 faultin_page mm/gup.c:976 [inline]
 __get_user_pages+0x80e/0x10c0 mm/gup.c:1197
 populate_vma_page_range mm/gup.c:1529 [inline]
 __mm_populate+0x324/0x470 mm/gup.c:1638
 mm_populate include/linux/mm.h:2704 [inline]
 vm_mmap_pgoff+0x262/0x430 mm/util.c:560
 ksys_mmap_pgoff+0x161/0x1d0 mm/mmap.c:1647
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0xfa/0x110 arch/x86/kernel/sys_x86_64.c:86
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x542/0x550 mm/page_alloc.c:3534
 free_unref_page_list+0x13a/0x9d0 mm/page_alloc.c:3671
 release_pages+0x1006/0x1060 mm/swap.c:1015
 free_pages_and_swap_cache+0x86/0xa0 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x17e/0x310 mm/mmu_gather.c:338
 exit_mmap+0x43b/0x8b0 mm/mmap.c:3248
 __mmput+0x93/0x320 kernel/fork.c:1180
 mmput+0x50/0x150 kernel/fork.c:1203
 exit_mm kernel/exit.c:554 [inline]
 do_exit+0x9f2/0x27e0 kernel/exit.c:876
 do_group_exit+0x141/0x310 kernel/exit.c:1003
 get_signal+0x66a/0x1480 kernel/signal.c:2907
 arch_do_signal_or_restart+0xdf/0x11c0 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0xa7/0xe0 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86

Memory state around the buggy address:
 ffff888110628180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888110628200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888110628280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        ^
 ffff888110628300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888110628380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
EXT4-fs error (device loop5): ext4_validate_block_bitmap:438: comm syz.5.1578: bg 0: block 32: padding at end of block bitmap is not set