loop0: detected capacity change from 0 to 512 ================================================================== BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0xaf2/0x21d0 fs/ext4/xattr.c:1710 Read of size 18446744073709551584 at addr ffff88811c9fbfc8 by task syz-executor.0/5216 CPU: 0 PID: 5216 Comm: syz-executor.0 Not tainted 6.1.134-syzkaller-1169243-ga4fc1bef0501 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106 print_address_description+0x71/0x210 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:427 kasan_report+0x122/0x150 mm/kasan/report.c:531 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x280/0x290 mm/kasan/generic.c:189 memmove+0x2d/0x70 mm/kasan/shadow.c:54 ext4_xattr_set_entry+0xaf2/0x21d0 fs/ext4/xattr.c:1710 ext4_xattr_ibody_set+0x24e/0x6c0 fs/ext4/xattr.c:2220 ext4_xattr_move_to_block fs/ext4/xattr.c:2623 [inline] ext4_xattr_make_inode_space fs/ext4/xattr.c:2691 [inline] ext4_expand_extra_isize_ea+0xf7b/0x1990 fs/ext4/xattr.c:2783 __ext4_expand_extra_isize+0x2fe/0x3e0 fs/ext4/inode.c:5938 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5981 [inline] __ext4_mark_inode_dirty+0x3cf/0x600 fs/ext4/inode.c:6059 ext4_inline_data_truncate+0x4f4/0xb90 fs/ext4/inline.c:2050 ext4_truncate+0x334/0xf90 fs/ext4/inode.c:4246 ext4_process_orphan+0x1d9/0x320 fs/ext4/orphan.c:339 ext4_orphan_cleanup+0xb02/0x1210 fs/ext4/orphan.c:474 __ext4_fill_super fs/ext4/super.c:5510 [inline] ext4_fill_super+0x73ad/0x78f0 fs/ext4/super.c:5641 get_tree_bdev+0x444/0x680 fs/super.c:1368 ext4_get_tree+0x1c/0x20 fs/ext4/super.c:5671 vfs_get_tree+0x9a/0x270 fs/super.c:1575 do_new_mount+0x25a/0xa20 fs/namespace.c:3056 path_mount+0x675/0x1010 fs/namespace.c:3386 do_mount fs/namespace.c:3399 [inline] __do_sys_mount fs/namespace.c:3607 [inline] __se_sys_mount+0x318/0x380 fs/namespace.c:3584 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3584 x64_sys_call+0x65d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7fb5a347f46a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb5a42c8ef8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fb5a42c8f80 RCX: 00007fb5a347f46a RDX: 0000000020000180 RSI: 00000000200000c0 RDI: 00007fb5a42c8f40 RBP: 0000000020000180 R08: 00007fb5a42c8f80 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000200000c0 R13: 00007fb5a42c8f40 R14: 000000000000046a R15: 0000000020000300 The buggy address belongs to the physical page: page:ffffea0004727ec0 refcount:3 mapcount:1 mapping:ffff88810054dfd0 index:0x1 pfn:0x11c9fb memcg:ffff888100332000 aops:def_blk_aops ino:700000 flags: 0x560000000002205e(referenced|uptodate|dirty|lru|workingset|private|mappedtodisk|zone=1) raw: 560000000002205e ffffea00046f5848 ffffea00045e1fc8 ffff88810054dfd0 raw: 0000000000000001 ffff8881006440a8 0000000300000000 ffff888100332000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 366, tgid 366 (udevd), ts 69120532592, free_ts 69105273858 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2637 prep_new_page+0x1c/0x110 mm/page_alloc.c:2644 get_page_from_freelist+0x2c6e/0x2ce0 mm/page_alloc.c:4539 __alloc_pages+0x19e/0x3a0 mm/page_alloc.c:5838 __folio_alloc+0x12/0x40 mm/page_alloc.c:5870 __folio_alloc_node include/linux/gfp.h:245 [inline] folio_alloc include/linux/gfp.h:274 [inline] filemap_alloc_folio include/linux/pagemap.h:513 [inline] page_cache_ra_unbounded+0x234/0x720 mm/readahead.c:260 do_page_cache_ra mm/readahead.c:312 [inline] force_page_cache_ra mm/readahead.c:343 [inline] page_cache_sync_ra+0x3e3/0x490 mm/readahead.c:727 page_cache_sync_readahead include/linux/pagemap.h:1257 [inline] filemap_get_pages mm/filemap.c:2689 [inline] filemap_read+0x62d/0x22c0 mm/filemap.c:2784 blkdev_read_iter+0x41e/0x560 block/fops.c:614 call_read_iter include/linux/fs.h:2268 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x41e/0x8c0 fs/read_write.c:470 ksys_read+0x140/0x240 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x7b/0x90 fs/read_write.c:621 x64_sys_call+0x2f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:1 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1545 [inline] free_pcp_prepare mm/page_alloc.c:1619 [inline] free_unref_page_prepare+0x742/0x750 mm/page_alloc.c:3581 free_unref_page_list+0xba/0x7c0 mm/page_alloc.c:3729 release_pages+0xad1/0xb20 mm/swap.c:1043 __pagevec_release+0x71/0xe0 mm/swap.c:1063 pagevec_release include/linux/pagevec.h:71 [inline] folio_batch_release include/linux/pagevec.h:135 [inline] invalidate_mapping_pagevec+0x3b4/0x460 mm/truncate.c:551 invalidate_mapping_pages+0x27/0x30 mm/truncate.c:575 invalidate_bdev+0xa6/0x150 block/bdev.c:88 ext4_put_super+0x718/0xac0 fs/ext4/super.c:1283 generic_shutdown_super+0x15f/0x370 fs/super.c:503 kill_block_super+0x7f/0xf0 fs/super.c:1472 deactivate_locked_super+0xb5/0x120 fs/super.c:334 deactivate_super+0xaf/0xe0 fs/super.c:365 cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186 __cleanup_mnt+0x19/0x20 fs/namespace.c:1193 task_work_run+0x1db/0x240 kernel/task_work.c:203 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177 Memory state around the buggy address: ffff88811c9fbe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88811c9fbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88811c9fbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff88811c9fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811c9fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_xattr_ibody_find:2186: inode #12: comm syz-executor.0: corrupted in-inode xattr EXT4-fs warning (device loop0): ext4_xattr_set_entry:1723: inode #12: comm syz-executor.0: unable to update i_inline_off EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2809: Unable to expand inode 12. Delete some EAs or run e2fsck. EXT4-fs (loop0): 1 truncate cleaned up EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback.