ci2 starts bisection 2023-06-08 09:59:57.117714082 +0000 UTC m=+59869.355355587 bisecting cause commit starting from 43c801dc3325b9f07f8869e95ad87b05a9f21eb6 building syzkaller on 058b3a5a6a945a55767811552eb7b9f4a20307f8 ensuring issue is reproducible on original commit 43c801dc3325b9f07f8869e95ad87b05a9f21eb6 testing commit 43c801dc3325b9f07f8869e95ad87b05a9f21eb6 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 122d701048eb8a739a70b55c7ec5a91f5266aa671053b4c544948e4659390f8e all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.178 testing commit 791a854ae5a5f5988f1291ae91168a149bd5ba57 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ab556a5b08a36edb1ddde35ad49f33454ca09abd9d98f3b63db1a11338ada0e3 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.177 testing commit 387078f9030cf336cd9fef521540db75b61615e0 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 91e88d9fa9973fd4e7571460697252d1ba812a74a9e2a1f660dce2b01a23cc17 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.176 testing commit ca9787bdecfa2174b0a169a54916e22b89b0ef5b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 95368c6fc3ad06d3f8f8c242749d25b4b2012e74b03c14493edef67cfa89b288 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.175 testing commit de26e1b2103b1f56451f6ad77f0190c9066c87dc gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 750cbc2e7bf28de03c56ae1e55be42257cbb537237dd0d51ddb3b62f4081ec24 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.174 testing commit 955623617f2f505ac08d0efda2bb50c1a52e2c96 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils 
for Debian) 2.35.2 kernel signature: 1e149759198bfc14e6adf18a930053055d951de0fe729f7cb58c08d47d84504b all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.173 testing commit e5f315b55f8e09ac17c968da42f9345f64efcdd2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4def817e2c052578ce9cfee9d15aac2bb4e2bab2b61f2f8f9dfe0ea629c4c68b all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.172 testing commit 9fd42770b50756c08f04b4070ab6572adb2d6e1b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0fbfa833093eecc2c3f29eeef9fd29bed48097e24e0ccb82a312de2fbfa9cd9a all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.171 testing commit a25aa776b0c49b17c67ee047e58537552f16776f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 730ed4645b30f5a507380ed756f2d847407f643ff50248b3c02a041629c22038 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.170 testing commit 22d269bb30db7f5a4e71a8a813a0f4df5255f7de gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: db60acace9148cb99b6c830feb6541b1feab9624c624b18406e02db6f313e909 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.169 testing commit 2ae73796985b582b79711dfed2941d190b571fb5 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 141d3482b37de0bce647dec3189b52523d73a15769bcb12131ea812d462dc74d all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.168 testing commit 707c48210a5384a72c82655a37895b7e822755f2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ebdd2cd008dfffe6790e1c644fac3a8533184815180eb35a98644067394583be all runs: 
crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.167 testing commit a5acb54d4066f27e9707af9d93f047f542d5ad88 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cb585364ab792b74cdccf7b4e7156a98f6a0427cae7fbae198a7160c79d27a2d all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.166 testing commit 8d823aaa220eebec88c9f307225d3e163252ea95 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f976b84b215f672aaa60800ca2aa79188ddea7002392893255d2ca97c46cd0ef all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.165 testing commit 179624a57b78c02de833370b7bdf0b0f4a27ca31 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 04979a5985cb9d66efed229422733e9fe1d553d3785f0fea21b84aafb7f22ea2 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.164 testing commit 3a9f1b907bc434a91f0d295533d2c7e3758efe92 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 515e75e0f75b21c34a7f16daa6cba95df329f9783f4fb41f8530baa84d919d55 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.163 testing commit 19ff2d645f7a9626146b6b3ba698488d60aa04de gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 849e6c2cbdca9c8d8e66c1c4cfb15c94340e6db31a853dd1e3799beee3e0879f all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.162 testing commit 0fe4548663f7dc2c3b549ef54ce9bb6d40a235be gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 01c958588900119cfc193c10774774d7297cbe82c6cc043fcec4727571fe4925 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.161 testing commit 
1a9148dfd8e03835dc7617cee696dd18c0000e99 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2fa39fb6f47c0687df7ac8b4dad9634291d32e4d010af82f00204c6431cf2c60 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.160 testing commit a2428a8dcb4f3eb80e7d38dba0bf71e4ff20cecd gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 74ab684a3910967a7320fac58b208f7c30982508c2e488827568a064e05afd74 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.159 testing commit 931578be69875087a62524da69964d575426d287 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cac1b96d7214ad9814061e6b56fd6b64774ec4cd8cdd7c8b0dff813d81779d12 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.158 testing commit 592346d5dc9b61e7fb4a3876ec498aa96ee11ac8 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 83154e8ff72c3e4c242a67eeca31836be5cfca9f7846c858cb75d89794f30a16 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.157 testing commit f4245f05389c29c0d556fea359b2fcfd8dce7bdb gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3b6909fa73083aceba2c9f2d81321a7a88535125ceed012586f65eeca0e30785 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.156 testing commit 6d46ef50b123f2da3871690e619f5169eb97af92 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5fec53de8b53c5fa2fe79da494f83c942e637dd01d0d536b19d3a649d2b6ca9e all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.155 testing commit 41217963b1d97ec170f24fc4155953a2b0835191 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 
2.35.2 kernel signature: 29de7d5aacd6dd3065629828bf45e969a75d0e97e4e9f52944e30a88fd232e07 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.154 testing commit f5b40c0eb9ea3d8233b9a2e9af6784c81204d454 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6f0bef202631ac9e42a731bf52684c3ee8b8b3db11dfbbcc688afadac6c49369 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.153 testing commit 95aa34f72132ee42ee3f632a5540c84a5ee8624f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 958803b57cf3e8721199ef40e04e16103a83f12ad72f69385e88caecc578b585 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.152 testing commit 7d51b4c67cfb95a069ccbe52f13963bfd9fe85b0 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b984b804d449d5ff10b9972d3964852d717d79a4bc2630211299bac1cd294919 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.151 testing commit c34d1b22fef329d5cecd003d7be249937ec70a3c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 717d85328705426e57f0898ab988a9b167c0e406a69efbe3b33edf106c52d369 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.150 testing commit a10a57a224f32035b58ef68b069f5b7491dd13e2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d1e8001358542eeac30f425e6ee61cd8ffbe2b295aade07e6f3ad3dcaa7dcaa5 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.149 testing commit 09be132bfe3a3075ddf160cc75865370ea35a0aa gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d5b9457779ed30653520601a7583e3b73a607e3e1a1091b8aa60fa691842fd55 all runs: crashed: 
general protection fault in ext4_xattr_set_entry testing release v5.10.148 testing commit 3783e64fee4a624f3ed1d7d6ae630890922edb7b gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3e1d988e09ce8f7ac1cb14f96984c48d2b8f6b5b7d4a9aab066162c2e859b338 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.147 testing commit 014862eecf03f58066a957027dde73cbecdf4395 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b561d78c5194e70ff74430147ea9757ab08e07894fe576c40183504219d9b389 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.146 testing commit 62aea694445d5fc0f51b45afe8003ff3b7431141 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f063b6b1d9cf2a92f50916e108b21c0cd996379af7372068e381042bf7c00717 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.145 testing commit 4a77e6ef2057d9d4e2e1df3f7739622477e8738d gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 241bb88336b469b3e068488133a41595f3d935ec9383de052fde34e9e7bd89de all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.144 testing commit 99c2dfe47a9c6613e040f1721368c2c298383257 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1300003dcdfb28f6d3d0e39ae5bc468c69ea704fae73f64289a866f8fcc2893d all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.143 testing commit f1101295c145e9710b1b37e9b0a13ef9af9af0c9 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2b119f1160376c693a79f7f42ce978e82df0e0483e96284eeffb250110eaec77 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.142 testing commit 
281e81a5e2b211e2ecdca7362330acf9b238a1a6 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dd8a916ec12ef69134c3fc8107781159b82ff3784e156b00d5c608496f8def9d all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.141 testing commit 0b8e37cbaa7637a81ac6c535b551865c5a062395 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3b6c0c2ab15480824724fbb179ae0f97fddb81a6db4438d3aadb5175eecb7f64 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.140 testing commit 18ed766f3642fa75262885462d3052ad7c8c87a2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b1965fe2d10b084b45c0bdccde4ddce7b3ed5fb49c321197b5742cd6f489a482 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.139 testing commit 665ee746071bf02ce8b7b9d729c8beab704393c2 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d33c8c638e1f2f5eb3157ad5ac8757917e724cad146f6d87a6d96de040369e0e all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.138 testing commit fa3303d70b423dd3e855f57febaba77e15069650 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0161362232ef34a7397ddf589fae1d8a80827df5517c9b991990be4ec39ce79c all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.137 testing commit 74ded189e5e4df83aaa1478f7a021f904105c8dc gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0b6f47d575956109e61ecb9bd7748a5ff25499513c4dbfe2ce2e760ab76bced7 all runs: crashed: general protection fault in ext4_xattr_set_entry testing release v5.10.136 testing commit 6eae1503ddf94b4c3581092d566b17ed12d80f20 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 
2.35.2 kernel signature: f5ed296eb99b2dd9e6988615fe9b720265224ad02ddffb5b191b3bbc5155a075 all runs: OK # git bisect start 74ded189e5e4df83aaa1478f7a021f904105c8dc 6eae1503ddf94b4c3581092d566b17ed12d80f20 Bisecting: 270 revisions left to test after this (roughly 8 steps) [b0e82f95fded729dc63336819cd0ba43d250612f] mtd: rawnand: meson: Fix a potential double free issue testing commit b0e82f95fded729dc63336819cd0ba43d250612f gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1e90cec6e3be41ccbe28cb2a6b8fce379a25fd45d10a167967ab9224363197b7 all runs: OK # git bisect good b0e82f95fded729dc63336819cd0ba43d250612f Bisecting: 135 revisions left to test after this (roughly 7 steps) [9c2ad32ed91665ca09ddb25d8bda8bbf9963b6f0] s390/zcore: fix race when reading from hardware system area testing commit 9c2ad32ed91665ca09ddb25d8bda8bbf9963b6f0 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 740172a7654c23a2c19dc82d3a01bedf54315d01d13e5d4190c7c972c97d895f all runs: OK # git bisect good 9c2ad32ed91665ca09ddb25d8bda8bbf9963b6f0 Bisecting: 67 revisions left to test after this (roughly 6 steps) [de4534ac28c434e03b0c556f0f5167edf7f5ea99] PCI/ERR: Rename reset_link() to reset_subordinates() testing commit de4534ac28c434e03b0c556f0f5167edf7f5ea99 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ddb6c933b73a69e2f73435458f7d8ca1716505ecd10ba5561abd33815a13127d all runs: OK # git bisect good de4534ac28c434e03b0c556f0f5167edf7f5ea99 Bisecting: 33 revisions left to test after this (roughly 5 steps) [135d9e0710992db7ffa43bd248600f5a2bc7db3c] xen-blkfront: Apply 'feature_persistent' parameter when connect testing commit 135d9e0710992db7ffa43bd248600f5a2bc7db3c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2602878f1d8fde93e7ae0142f72e58e6dbf2f30c0e66abe53132b9df22033a2d all runs: OK # git bisect 
good 135d9e0710992db7ffa43bd248600f5a2bc7db3c Bisecting: 16 revisions left to test after this (roughly 4 steps) [4c85e207c1b58249ea521670df577324ad69442c] KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq testing commit 4c85e207c1b58249ea521670df577324ad69442c gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 61efa7eb5860bfaefc02f586ccf8c3f156cf8cbb94501f0f94f920c22ac9dd74 all runs: crashed: general protection fault in ext4_xattr_set_entry # git bisect bad 4c85e207c1b58249ea521670df577324ad69442c Bisecting: 8 revisions left to test after this (roughly 3 steps) [bb8592efcf8ef2f62947745d3182ea05b5256a15] ext4: fix use-after-free in ext4_xattr_set_entry testing commit bb8592efcf8ef2f62947745d3182ea05b5256a15 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e0ccbf6a045bbc4f98ff1a6cb66b41409314dd0980c72c261583b56eb9789ab8 all runs: crashed: general protection fault in ext4_xattr_set_entry # git bisect bad bb8592efcf8ef2f62947745d3182ea05b5256a15 Bisecting: 3 revisions left to test after this (roughly 2 steps) [1571c4613059fce2a02508bb8206af75e24c0d58] ext4: check if directory block is within i_size testing commit 1571c4613059fce2a02508bb8206af75e24c0d58 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0110f6cfd85a4de843d47d193435bdf66fe30fa638eeaf506f45a1bd35e26f67 all runs: OK # git bisect good 1571c4613059fce2a02508bb8206af75e24c0d58 Bisecting: 1 revision left to test after this (roughly 1 step) [e1682c7171a6c0ff576fe8116b8cba5b8f538b94] ext4: fix warning in ext4_iomap_begin as race between bmap and write testing commit e1682c7171a6c0ff576fe8116b8cba5b8f538b94 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c05453017ba15140b5a07fc8a7c8cdec4ee3a9139621154e0dc5de28547225ac all runs: OK # git bisect good e1682c7171a6c0ff576fe8116b8cba5b8f538b94 
Bisecting: 0 revisions left to test after this (roughly 0 steps) [69d1a36eb4b2337a42c376357bcaeae1f3ffd5ed] ext4: make sure ext4_append() always allocates new block testing commit 69d1a36eb4b2337a42c376357bcaeae1f3ffd5ed gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 183d36615e2d42c721a4b6c885fe531229432a0c3249b224fa87329ca87ba35e all runs: OK # git bisect good 69d1a36eb4b2337a42c376357bcaeae1f3ffd5ed bb8592efcf8ef2f62947745d3182ea05b5256a15 is the first bad commit commit bb8592efcf8ef2f62947745d3182ea05b5256a15 Author: Baokun Li Date: Thu Jun 16 10:13:56 2022 +0800 ext4: fix use-after-free in ext4_xattr_set_entry commit 67d7d8ad99beccd9fe92d585b87f1760dc9018e3 upstream. Hulk Robot reported an issue: ================================================================== BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500 Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092 CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17 Call Trace: [...] 
memcpy+0x34/0x50 mm/kasan/kasan.c:303 ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747 ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205 ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386 ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498 __vfs_setxattr+0x112/0x170 fs/xattr.c:149 __vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180 __vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238 vfs_setxattr+0xed/0x270 fs/xattr.c:255 setxattr+0x235/0x330 fs/xattr.c:520 path_setxattr+0x176/0x190 fs/xattr.c:539 __do_sys_lsetxattr fs/xattr.c:561 [inline] __se_sys_lsetxattr fs/xattr.c:557 [inline] __x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557 do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x459fe9 RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9 RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140 RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80 [...] 
================================================================== The above issue may happen as follows: ------------------------------------- ext4_xattr_set ext4_xattr_set_handle ext4_xattr_ibody_find >> s->end < s->base >> no EXT4_STATE_XATTR >> xattr_check_inode is not executed ext4_xattr_ibody_set ext4_xattr_set_entry >> size_t min_offs = s->end - s->base >> UAF in memcpy We can easily reproduce this problem with the following commands: mkfs.ext4 -F /dev/sda mount -o debug_want_extra_isize=128 /dev/sda /mnt touch /mnt/file setfattr -n user.cat -v `seq -s z 4096|tr -d '[:digit:]'` /mnt/file In ext4_xattr_ibody_find, we have the following assignment logic: header = IHDR(inode, raw_inode) = raw_inode + EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize is->s.base = IFIRST(header) = header + sizeof(struct ext4_xattr_ibody_header) is->s.end = raw_inode + s_inode_size In ext4_xattr_set_entry min_offs = s->end - s->base = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize - sizeof(struct ext4_xattr_ibody_header) last = s->first free = min_offs - ((void *)last - s->base) - sizeof(__u32) = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize - sizeof(struct ext4_xattr_ibody_header) - sizeof(__u32) In the calculation formula, all values except s_inode_size and i_extra_isize are fixed values. When i_extra_isize is the maximum value s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, min_offs is -4 and free is -8. The value overflows. As a result, the preceding issue is triggered when memcpy is executed. Therefore, when finding or setting an xattr, check whether there is space for storing the xattr in the inode to resolve this issue. 
Cc: stable@kernel.org Reported-by: Hulk Robot Signed-off-by: Baokun Li Reviewed-by: Ritesh Harjani (IBM) Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220616021358.2504451-3-libaokun1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman fs/ext4/xattr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) culprit signature: e0ccbf6a045bbc4f98ff1a6cb66b41409314dd0980c72c261583b56eb9789ab8 parent signature: 183d36615e2d42c721a4b6c885fe531229432a0c3249b224fa87329ca87ba35e revisions tested: 53, total time: 7h24m33.433444377s (build: 4h10m8.609847071s, test: 3h9m46.085951078s) first bad commit: bb8592efcf8ef2f62947745d3182ea05b5256a15 ext4: fix use-after-free in ext4_xattr_set_entry recipients (to): ["gregkh@linuxfoundation.org" "jack@suse.cz" "libaokun1@huawei.com" "ritesh.list@gmail.com" "tytso@mit.edu"] recipients (cc): [] crash: general protection fault in ext4_xattr_set_entry EXT4-fs (loop0): 1 truncate cleaned up EXT4-fs (loop0): mounted filesystem without journal. 
Opts: ,errors=continue general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 431 Comm: syz-executor.0 Not tainted 5.10.136-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 RIP: 0010:ext4_xattr_set_entry+0x1e20/0x3ed0 fs/ext4/xattr.c:1586 Code: 00 00 fc ff df 48 89 df 48 c1 ef 03 80 3c 07 00 0f 85 04 1f 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 2b 4c 89 ef 48 c1 ef 03 <0f> b6 3c 07 4c 89 e8 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffffc900008671c8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc90000867530 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000ffffffc3 RDI: 0000000000000000 RBP: ffffc900008673d0 R08: 0000000000000001 R09: ffff88811c0f4577 R10: 00000000ffffffc3 R11: 00000000ffffffc3 R12: ffffc900008674a0 R13: 0000000000000000 R14: 000000000000001a R15: 0000000000000000 FS: 00007f07da5db700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f07dab84000 CR3: 0000000108bde000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ext4_xattr_ibody_set+0x67/0x270 fs/ext4/xattr.c:2227 ext4_xattr_set_handle+0x7ec/0x1140 fs/ext4/xattr.c:2384 ext4_initxattrs+0xa3/0x100 fs/ext4/xattr_security.c:43 security_inode_init_security+0x18f/0x2d0 security/security.c:1069 ext4_init_security+0x1c/0x20 fs/ext4/xattr_security.c:57 __ext4_new_inode+0x3649/0x43a0 fs/ext4/ialloc.c:1319 ext4_create+0x267/0x450 fs/ext4/namei.c:2671 lookup_open fs/namei.c:3101 [inline] open_last_lookups fs/namei.c:3171 [inline] path_openat+0x23dd/0x38e0 fs/namei.c:3361 do_filp_open+0x17d/0x3b0 fs/namei.c:3391 do_sys_openat2+0x120/0x3c0 fs/open.c:1180 do_sys_open fs/open.c:1196 [inline] __do_sys_creat fs/open.c:1270 
[inline] __se_sys_creat fs/open.c:1264 [inline] __x64_sys_creat+0xd4/0x130 fs/open.c:1264 do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xc6 RIP: 0033:0x7f07daa68169 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f07da5db168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 00007f07dab87f80 RCX: 00007f07daa68169 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0 RBP: 00007f07daac3ca1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff4fea1a0f R14: 00007f07da5db300 R15: 0000000000022000 Modules linked in: ---[ end trace 70dbd12e74199636 ]--- RIP: 0010:ext4_xattr_set_entry+0x1e20/0x3ed0 fs/ext4/xattr.c:1586 Code: 00 00 fc ff df 48 89 df 48 c1 ef 03 80 3c 07 00 0f 85 04 1f 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 2b 4c 89 ef 48 c1 ef 03 <0f> b6 3c 07 4c 89 e8 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffffc900008671c8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc90000867530 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000ffffffc3 RDI: 0000000000000000 RBP: ffffc900008673d0 R08: 0000000000000001 R09: ffff88811c0f4577 R10: 00000000ffffffc3 R11: 00000000ffffffc3 R12: ffffc900008674a0 R13: 0000000000000000 R14: 000000000000001a R15: 0000000000000000 FS: 00007f07da5db700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f07dab84000 CR3: 0000000108bde000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess), 4 bytes skipped: 0: df 48 89 fisttps -0x77(%rax) 3: df 48 c1 fisttps -0x3f(%rax) 6: ef out %eax,(%dx) 7: 03 80 3c 07 00 0f 
add 0xf00073c(%rax),%eax d: 85 04 1f test %eax,(%rdi,%rbx,1) 10: 00 00 add %al,(%rax) 12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 19: fc ff df 1c: 4c 8b 2b mov (%rbx),%r13 1f: 4c 89 ef mov %r13,%rdi 22: 48 c1 ef 03 shr $0x3,%rdi * 26: 0f b6 3c 07 movzbl (%rdi,%rax,1),%edi <-- trapping instruction 2a: 4c 89 e8 mov %r13,%rax 2d: 83 e0 07 and $0x7,%eax 30: 83 c0 03 add $0x3,%eax 33: 40 38 f8 cmp %dil,%al 36: 7c 09 jl 0x41 38: 40 84 ff test %dil,%dil 3b: 0f .byte 0xf