ci2 starts bisection 2025-05-28 08:54:34.628733374 +0000 UTC m=+151159.818194661
bisecting fixing commit since 094fc3778d6b9c795d8075cf20171fe70ace5af2
building syzkaller on 20510e8871e31b24ba7dfd19ee03a482ae2ad722
ensuring issue is reproducible on original commit 094fc3778d6b9c795d8075cf20171fe70ace5af2
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afec970c84712c1164168a87a85aafbe5f03922625f153219672c791af3125d8
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #3: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_inode_dec_ref_all
run #4: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #9: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #10: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #11: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #12: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #13: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #14: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #15: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #16: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #17: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #18: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #19: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e21575cd46f6341cc4036e92ab7317ddc3d9216d698bf11a81846cf36edc2856
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_inode_dec_ref_all
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #9: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
kconfig minimization: base=4788 full=6023 leaves diff=246
split chunks (needed=false): <246>
split chunk #0 of len 246 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7be06b4089c3eb9bc97236de544ce5df66b3ffcba2bbe16b39674c0fd6bf5a5c
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #4: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_inode_dec_ref_all
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #9: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2379e11b2ede246622e7323f6c647145a3eda84dc8217bd2c07273e4556fccb2
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8c8151ed4068613940f19116e9f3924fefd458171065f8aeb9a4a4006679a7b4
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 50e01da081643a440e3d974406f06a7b286bb32cd861567385d826af34ddd731
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #2: crashed: KASAN: slab-out-of-bounds Read in ext4_xattr_inode_dec_ref_all
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #4: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #9: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 094fc3778d6b9c795d8075cf20171fe70ace5af2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 094fc3778d6b9c795d8075cf20171fe70ace5af2:
net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 46 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD cf6ed0f1511dde4812a5a30a1450af323934dad9
testing commit cf6ed0f1511dde4812a5a30a1450af323934dad9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 365462d3def657699489bbec10966657f4cc3d2e8ad8dd9ecb10b3f29a4aead3
run #0: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor1372092059" "root@10.128.10.22:./syz-executor1372092059"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.10.22, user root, command sftp
OpenSSH_9.2p1 Debian-2+deb12u5, OpenSSL 3.0.15 3 Sep 2024
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.10.22 [10.128.10.22] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
Connection timed out during banner exchange
Connection to 10.128.10.22 port 22 timed out
scp: Connection closed
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect start cf6ed0f1511dde4812a5a30a1450af323934dad9 094fc3778d6b9c795d8075cf20171fe70ace5af2
Bisecting: 497 revisions left to test after this (roughly 9 steps)
[71b1af48c858e2906a029aac178b85418660d697] drm/amd/display: fix odm scaling
determine whether the revision contains the guilty commit
checking the merge base 9d091e874b660fb70feb5e69ac34c66fcda4eea5
no existing result, test the revision
testing commit 9d091e874b660fb70feb5e69ac34c66fcda4eea5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad0072b77dbafd68e3f352986999a1eacb028dd015868a386714810f189c1c27
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
testing commit 71b1af48c858e2906a029aac178b85418660d697 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cc445a625fc12f4c8cc2b4a05372a41513d068569d8d04b30828d35eccc570f3
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
# git bisect good 71b1af48c858e2906a029aac178b85418660d697
Bisecting: 248 revisions left to test after this (roughly 8 steps)
[3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8] sctp: detect and prevent references to a freed transport in sendmsg
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e617dab37c32364ca6cc3c0760cc052b8a6a52602a3bbffc9a9680466dcf661
all runs: OK
false negative chance: 0.000
# git bisect bad 3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8
Bisecting: 124 revisions left to test after this (roughly 7 steps)
[177310d6649f869fb2fae6053493a8a770de576a] sched/deadline: Use online cpus for validating runtime
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 177310d6649f869fb2fae6053493a8a770de576a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9fa05173955b74ef459f2252b746da86631953f1e250a17733d8a13667d436fc
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
# git bisect good 177310d6649f869fb2fae6053493a8a770de576a
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[7eea46e6ac08d3b2db73a85b603f2723e3c41972] fs/jfs: cast inactags to s64 to prevent potential overflow
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 7eea46e6ac08d3b2db73a85b603f2723e3c41972 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 24e79f3d7ba61e2366afa42e69ec55c2437f36bd2e39db0767442587aa6c788e
run #0: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #1: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #2: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #3: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #4: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #5: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #6: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #7: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #8: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
run #9: crashed: KASAN: out-of-bounds Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
# git bisect good 7eea46e6ac08d3b2db73a85b603f2723e3c41972
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[449fcd8c33de555362f3a011c0b423fc2c1492cb] media: i2c: adv748x: Fix test pattern selection mask
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit 449fcd8c33de555362f3a011c0b423fc2c1492cb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ed38f0a4b35d24bf52fadabb0620a93e47f7917b6f13f9e013e9181877cff13
all runs: OK
false negative chance: 0.000
# git bisect bad 449fcd8c33de555362f3a011c0b423fc2c1492cb
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[c96c3b98129fdae08a64c139bb13310d99e607df] drm: panel-orientation-quirks: Add support for AYANEO 2S
determine whether the revision contains the guilty commit
revision 9d091e874b660fb70feb5e69ac34c66fcda4eea5 crashed and is reachable
testing commit c96c3b98129fdae08a64c139bb13310d99e607df gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ec79f52b76691eb060a6d978f683ceb3d549a677a9ea8dba2ff00933cf93524
all runs: OK
false negative chance: 0.000
# git bisect bad c96c3b98129fdae08a64c139bb13310d99e607df
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[e8a8522080eb5014f6228a8cd75e21853f3ad927] ext4: protect ext4_release_dquot against freezing
determine whether the revision contains the guilty commit
revision 7eea46e6ac08d3b2db73a85b603f2723e3c41972 crashed and is reachable
testing commit e8a8522080eb5014f6228a8cd75e21853f3ad927 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dea3470c0047925720395a39c70bd0028920e89d48a7c1f60c0c6276fdddaeec
all runs: crashed: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all
representative crash: KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all, types: [KASAN]
# git bisect good e8a8522080eb5014f6228a8cd75e21853f3ad927
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b1e3eeb037256a2f1206a8d69810ec47eb152026] net: vlan: don't propagate flags on open
determine whether the revision contains the guilty commit
revision 177310d6649f869fb2fae6053493a8a770de576a crashed and is reachable
testing commit b1e3eeb037256a2f1206a8d69810ec47eb152026 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 12cc7d8d0bf1c0a1d2eb62e16d47c9b6d8d76be22295dde0f47b9544fddcefa5
all runs: OK
false negative chance: 0.000
# git bisect bad b1e3eeb037256a2f1206a8d69810ec47eb152026
Bisecting: 1 revision left to test after this (roughly 1 step)
[574b399a7fb6ae71c97e26d122205c4a720c0e43] scsi: st: Fix array overflow in st_setup()
determine whether the revision contains the guilty commit
revision 177310d6649f869fb2fae6053493a8a770de576a crashed and is reachable
testing commit 574b399a7fb6ae71c97e26d122205c4a720c0e43 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f08cd9c3fab7c9b3fa5cd71e75ad24a16f77f9eaa6509fbfdba2655adac5074
all runs: OK
false negative chance: 0.000
# git bisect bad 574b399a7fb6ae71c97e26d122205c4a720c0e43
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3] ext4: ignore xattrs past end
determine whether the revision contains the guilty commit
revision 177310d6649f869fb2fae6053493a8a770de576a crashed and is reachable
testing commit 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9891409e0f1eb3211b01696b50d302684f81b18eb116ddb7eb6157cc5dabe5ab
all runs: OK
false negative chance: 0.000
# git bisect bad 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3
76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 is the first bad commit
commit 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3
Author: Bhupesh
Date:   Tue Jan 28 13:57:50 2025 +0530

    ext4: ignore xattrs past end

    [ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]

    Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry.

    This fixes the following KASAN reported issue:

    ==================================================================
    BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
    Read of size 4 at addr ffff888012c120c4 by task repro/2065

    CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    Call Trace:
     dump_stack_lvl+0x1fd/0x300
     ? tcp_gro_dev_warn+0x260/0x260
     ? _printk+0xc0/0x100
     ? read_lock_is_recursive+0x10/0x10
     ? irq_work_queue+0x72/0xf0
     ? __virt_addr_valid+0x17b/0x4b0
     print_address_description+0x78/0x390
     print_report+0x107/0x1f0
     ? __virt_addr_valid+0x17b/0x4b0
     ? __virt_addr_valid+0x3ff/0x4b0
     ? __phys_addr+0xb5/0x160
     ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
     kasan_report+0xcc/0x100
     ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
     ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
     ? ext4_xattr_delete_inode+0xd30/0xd30
     ? __ext4_journal_ensure_credits+0x5f0/0x5f0
     ? __ext4_journal_ensure_credits+0x2b/0x5f0
     ? inode_update_timestamps+0x410/0x410
     ext4_xattr_delete_inode+0xb64/0xd30
     ? ext4_truncate+0xb70/0xdc0
     ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
     ? __ext4_mark_inode_dirty+0x670/0x670
     ? ext4_journal_check_start+0x16f/0x240
     ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
     ext4_evict_inode+0xc8c/0xff0
     ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
     ? do_raw_spin_unlock+0x53/0x8a0
     ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
     evict+0x4ac/0x950
     ? proc_nr_inodes+0x310/0x310
     ? trace_ext4_drop_inode+0xa2/0x220
     ? _raw_spin_unlock+0x1a/0x30
     ? iput+0x4cb/0x7e0
     do_unlinkat+0x495/0x7c0
     ? try_break_deleg+0x120/0x120
     ? 0xffffffff81000000
     ? __check_object_size+0x15a/0x210
     ? strncpy_from_user+0x13e/0x250
     ? getname_flags+0x1dc/0x530
     __x64_sys_unlinkat+0xc8/0xf0
     do_syscall_64+0x65/0x110
     entry_SYSCALL_64_after_hwframe+0x67/0x6f
    RIP: 0033:0x434ffd
    Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
    RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
    RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
    RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
    RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
    R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001

    The buggy address belongs to the object at ffff888012c12000
     which belongs to the cache filp of size 360
    The buggy address is located 196 bytes inside of
     freed 360-byte region [ffff888012c12000, ffff888012c12168)

    The buggy address belongs to the physical page:
    page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
    head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    flags: 0x40(head|node=0|zone=0)
    page_type: f5(slab)
    raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
    raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
    head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
    head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
    head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
    head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
      ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    > ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
      ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
      ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ==================================================================

    Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
    Suggested-by: Thadeu Lima de Souza Cascardo
    Signed-off-by: Bhupesh
    Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Sasha Levin

 fs/ext4/xattr.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
accumulated error probability: 0.00
culprit signature: 9891409e0f1eb3211b01696b50d302684f81b18eb116ddb7eb6157cc5dabe5ab
parent signature: dea3470c0047925720395a39c70bd0028920e89d48a7c1f60c0c6276fdddaeec
revisions tested: 18, total time: 4h44m46.350540866s (build: 1h1m46.138851331s, test: 3h40m12.736411468s)
first good commit: 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 ext4: ignore xattrs past end
recipients (to): ["bhupesh@igalia.com" "sashal@kernel.org" "tytso@mit.edu"]
recipients (cc): []