EXT4-fs error (device sda1): ext4_xattr_ibody_get:590: inode #16972: comm syz-fuzzer: corrupted in-inode xattr
EXT4-fs error (device sda1): ext4_xattr_set_entry:1605: inode #16972: comm syz-fuzzer: corrupted xattr entries
EXT4-fs error (device sda1): ext4_xattr_ibody_get:590: inode #16973: comm syz-fuzzer: corrupted in-inode xattr
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
Read of size 4 at addr ffff8880890b102e by task syz-fuzzer/7058

CPU: 1 PID: 7058 Comm: syz-fuzzer Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 ext4_xattr_set_entry+0x3149/0x3230 fs/ext4/xattr.c:1602
 ext4_xattr_ibody_set+0x7a/0x2a0 fs/ext4/xattr.c:2238
 ext4_xattr_set_handle+0x4f5/0xda0 fs/ext4/xattr.c:2394
 ext4_initxattrs+0xc0/0x130 fs/ext4/xattr_security.c:43
 security_inode_init_security security/security.c:492 [inline]
 security_inode_init_security+0x26d/0x360 security/security.c:465
 ext4_init_security+0x34/0x40 fs/ext4/xattr_security.c:57
 __ext4_new_inode+0x3385/0x4860 fs/ext4/ialloc.c:1166
 ext4_mkdir+0x331/0xc20 fs/ext4/namei.c:2657
 vfs_mkdir+0x3ca/0x610 fs/namei.c:3846
 SYSC_mkdirat fs/namei.c:3869 [inline]
 SyS_mkdirat+0x1c2/0x210 fs/namei.c:3853
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x47c530
RSP: 002b:000000c432b9f8e8 EFLAGS: 00000212 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000047c530
RDX: 00000000000001c0 RSI: 000000c420604fc0 RDI: ffffffffffffff9c
RBP: 000000c432b9f948 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: ffffffffffffffff
R13: 000000000000007f R14: 000000000000007e R15: 0000000000000100

The buggy address belongs to the page:
page:ffffea0002242c40 count:0 mapcount:-127 mapping:          (null) index:0x1
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffff80
raw: ffffea0001a61d20 ffffea0001f9a1a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880890b0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880890b0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880890b1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                 ^
 ffff8880890b1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880890b1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================