================================================================== BUG: KASAN: use-after-free in get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62 Read of size 4 at addr ffff88811fb5e05c by task syz-executor369/5014 CPU: 1 PID: 5014 Comm: syz-executor369 Not tainted 5.15.94-syzkaller-03204-g5448b2fda85f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description+0x87/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:444 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 get_max_inline_xattr_value_size+0x36e/0x510 fs/ext4/inline.c:62 ext4_get_max_inline_size+0x13d/0x1f0 fs/ext4/inline.c:113 ext4_prepare_inline_data+0x93/0x1f0 fs/ext4/inline.c:395 ext4_da_write_inline_data_begin+0x223/0xc40 fs/ext4/inline.c:952 ext4_da_write_begin+0x527/0xc30 fs/ext4/inode.c:3003 generic_perform_write+0x2bc/0x5a0 mm/filemap.c:3830 ext4_buffered_write_iter+0x49c/0x630 fs/ext4/file.c:271 ext4_file_write_iter+0x443/0x1cc0 do_iter_readv_writev+0x58e/0x790 do_iter_write+0x1f5/0x760 fs/read_write.c:855 vfs_iter_write+0x7c/0xa0 fs/read_write.c:896 iter_file_splice_write+0x7f8/0xf90 fs/splice.c:689 do_splice_from fs/splice.c:767 [inline] direct_splice_actor+0xff/0x130 fs/splice.c:936 splice_direct_to_actor+0x4f1/0xbe0 fs/splice.c:891 do_splice_direct+0x27f/0x3c0 fs/splice.c:979 do_sendfile+0x616/0xfe0 fs/read_write.c:1249 __do_sys_sendfile64 fs/read_write.c:1317 [inline] __se_sys_sendfile64 fs/read_write.c:1303 [inline] __x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1303 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fc15cc30849 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc15cbdc2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007fc15ccb57e0 RCX: 00007fc15cc30849 RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000006 RBP: 00007fc15cc8284c R08: 0000000000000000 R09: 0000000000000000 R10: 000000000001ffff R11: 0000000000000246 R12: 00007fc15cc820e0 R13: 0030656c69662f2e R14: 6f6f6c2f7665642f R15: 00007fc15ccb57e8 The buggy address belongs to the page: page:ffffea00047ed780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fb5e flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea0004791608 ffffea0004374048 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0xcc0(GFP_KERNEL), pid 2854, ts 800386261940, free_ts 840116138084 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2502 prep_new_page mm/page_alloc.c:2508 [inline] get_page_from_freelist+0x2c14/0x2cf0 mm/page_alloc.c:4291 __alloc_pages+0x386/0x7b0 mm/page_alloc.c:5569 __alloc_pages_node include/linux/gfp.h:591 [inline] alloc_pages_node include/linux/gfp.h:605 [inline] alloc_pages include/linux/gfp.h:618 [inline] __get_free_pages+0xe/0x30 mm/page_alloc.c:5606 kasan_populate_vmalloc_pte+0x39/0x130 mm/kasan/shadow.c:266 apply_to_pte_range mm/memory.c:2591 [inline] apply_to_pmd_range mm/memory.c:2635 [inline] apply_to_pud_range mm/memory.c:2671 [inline] apply_to_p4d_range mm/memory.c:2707 [inline] __apply_to_page_range+0x8dd/0xbe0 mm/memory.c:2741 apply_to_page_range+0x3b/0x50 mm/memory.c:2760 kasan_populate_vmalloc+0x65/0x70 mm/kasan/shadow.c:297 alloc_vmap_area+0x192f/0x1a80 mm/vmalloc.c:1576 __get_vm_area_node+0x158/0x360 mm/vmalloc.c:2439 __vmalloc_node_range+0xdf/0x7d0 mm/vmalloc.c:3045 alloc_thread_stack_node kernel/fork.c:254 [inline] dup_task_struct+0x416/0xc60 kernel/fork.c:936 copy_process+0x5c4/0x3260 kernel/fork.c:2086 kernel_clone+0x21e/0x9e0 kernel/fork.c:2659 __do_sys_clone kernel/fork.c:2785 [inline] __se_sys_clone kernel/fork.c:2769 [inline] __x64_sys_clone+0x23f/0x290 kernel/fork.c:2769 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1370 [inline] free_pcp_prepare mm/page_alloc.c:1442 [inline] free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3441 free_unref_page+0xac/0x2c0 mm/page_alloc.c:3521 free_the_page mm/page_alloc.c:711 [inline] __free_pages+0x61/0xf0 mm/page_alloc.c:5645 free_pages+0x7c/0x90 mm/page_alloc.c:5656 kasan_depopulate_vmalloc_pte+0x6a/0x90 mm/kasan/shadow.c:354 apply_to_pte_range mm/memory.c:2591 [inline] apply_to_pmd_range mm/memory.c:2635 [inline] apply_to_pud_range mm/memory.c:2671 [inline] apply_to_p4d_range mm/memory.c:2707 [inline] __apply_to_page_range+0x8dd/0xbe0 mm/memory.c:2741 apply_to_existing_page_range+0x38/0x50 mm/memory.c:2774 kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:464 __purge_vmap_area_lazy+0x154a/0x1690 mm/vmalloc.c:1715 try_purge_vmap_area_lazy+0x38/0x50 mm/vmalloc.c:1734 free_vmap_area_noflush+0x9df/0xa20 mm/vmalloc.c:1776 free_unmap_vmap_area mm/vmalloc.c:1789 [inline] remove_vm_area+0x1d9/0x200 mm/vmalloc.c:2544 vm_remove_mappings mm/vmalloc.c:2573 [inline] __vunmap+0x24b/0x8f0 mm/vmalloc.c:2642 free_work+0x5b/0x80 mm/vmalloc.c:96 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2313 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2460 Memory state around the buggy address: ffff88811fb5df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88811fb5df80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88811fb5e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811fb5e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811fb5e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop4): __ext4_get_inode_loc:4347: comm syz-executor369: Invalid inode table block 8387954787021251444 in block_group 0