binder: send failed reply for transaction 22, target dead
EXT4-fs error (device sda1): ext4_xattr_set_entry:1604: inode #16641: comm syz-executor0: corrupted xattr entries
binder: send failed reply for transaction 23, target dead
==================================================================
binder: send failed reply for transaction 25, target dead
BUG: KASAN: use-after-free in memset include/linux/string.h:329 [inline]
BUG: KASAN: use-after-free in __ext4_expand_extra_isize.isra.0+0x10b/0x1c0 fs/ext4/inode.c:5787
Write of size 97 at addr ffff888177143fa0 by task syz-executor5/21918

CPU: 0 PID: 21918 Comm: syz-executor5 Not tainted 4.14.94+ #12
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393

The buggy address belongs to the page:
page:ffffea0005dc50c0 count:2 mapcount:0 mapping:ffff8881d9ea8950 index:0x475
flags: 0x4000000000001074(referenced|dirty|lru|active|private)
raw: 4000000000001074 ffff8881d9ea8950 0000000000000475 00000002ffffffff
raw: ffffea0005ef1120 ffffea0005d44460 ffff8881950cd9d8 ffff8881da81aa80
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8881da81aa80

Memory state around the buggy address:
 ffff888177143f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888177143f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888177144000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888177144080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888177144100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
kauditd_printk_skb: 326 callbacks suppressed
audit: type=1400 audit(1548079255.176:23164): avc: denied { map } for pid=3165 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: send failed reply for transaction 26, target dead
audit: type=1400 audit(1548079255.176:23165): avc: denied { map } for pid=3165 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1400 audit(1548079255.176:23166): avc: denied { map } for pid=3165 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1548079255.176:23167): avc: denied { map } for pid=3165 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1548079255.306:23168): avc: denied { map } for pid=3166 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1548079255.306:23169): avc: denied { map } for pid=3166 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1