syzbot
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_shift_entries fs/ext4/xattr.c:2536 [inline]
BUG: KASAN: use-after-free in ext4_expand_extra_isize_ea+0x15b8/0x1930 fs/ext4/xattr.c:2785
Write of size 72 at addr ffff888126c4c000 by task syz-executor/276

CPU: 0 PID: 276 Comm: syz-executor Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 memmove+0x44/0x70 mm/kasan/shadow.c:55
 ext4_xattr_shift_entries fs/ext4/xattr.c:2536 [inline]
 ext4_expand_extra_isize_ea+0x15b8/0x1930 fs/ext4/xattr.c:2785
 __ext4_expand_extra_isize+0x2fe/0x3e0 fs/ext4/inode.c:6003
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:6046 [inline]
 __ext4_mark_inode_dirty+0x3cf/0x610 fs/ext4/inode.c:6123
 ext4_dirty_inode+0xe0/0x120 fs/ext4/inode.c:6162
 __mark_inode_dirty+0xbe/0x9c0 fs/fs-writeback.c:2258
 mark_inode_dirty_sync include/linux/fs.h:2361 [inline]
 iput+0x157/0x7c0 fs/inode.c:1759
 dentry_unlink_inode+0x2cf/0x380 fs/dcache.c:378
 __dentry_kill+0x44f/0x650 fs/dcache.c:583
 shrink_dentry_list+0x38e/0x500 fs/dcache.c:1146
 shrink_dcache_parent+0xa9/0x270 fs/dcache.c:-1
 do_one_tree+0x27/0x150 fs/dcache.c:1627
 shrink_dcache_for_umount+0x6a/0x110 fs/dcache.c:1644
 generic_shutdown_super+0x66/0x320 fs/super.c:447
 kill_block_super+0x7f/0xf0 fs/super.c:1469
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x45b/0x510 fs/namespace.c:1123
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1130
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f71851f1a57
Code: a2 c7 05 9c fc 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffdab35ccd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f7185286048 RCX: 00007f71851f1a57
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffdab35cd90
RBP: 00007ffdab35cd90 R08: 00007ffdab35dd90 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdab35de20
R13: 00007f7185286048 R14: 000000000000d772 R15: 00007ffdab35de60

The buggy address belongs to the page:
page:ffffea00049b1300 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126c4c
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea0004949b08 ffffea000475abc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 898, ts 53167360552, free_ts 55352338780
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x223b/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x290/0x620 mm/page_alloc.c:5384
 __vmalloc_area_node mm/vmalloc.c:-1 [inline]
 __vmalloc_node_range+0x353/0x790 mm/vmalloc.c:2629
 alloc_thread_stack_node kernel/fork.c:253 [inline]
 dup_task_struct+0x40f/0xbd0 kernel/fork.c:916
 copy_process+0x5cd/0x3300 kernel/fork.c:2101
 kernel_clone+0x233/0x960 kernel/fork.c:2650
 __do_sys_clone3 kernel/fork.c:2934 [inline]
 __se_sys_clone3 kernel/fork.c:2918 [inline]
 __x64_sys_clone3+0x2da/0x370 kernel/fork.c:2918
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2b7/0x2d0 mm/page_alloc.c:3336
 free_unref_page mm/page_alloc.c:3391 [inline]
 free_the_page mm/page_alloc.c:5443 [inline]
 __free_pages+0x146/0x3b0 mm/page_alloc.c:5454
 __vunmap+0x86d/0x9f0 mm/vmalloc.c:2307
 free_work+0x5a/0x80 mm/vmalloc.c:69
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 worker_thread+0xa6a/0x13c0 kernel/workqueue.c:2447
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
 ffff888126c4bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888126c4bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888126c4c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888126c4c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888126c4c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/04/20 13:41 | android13-5.10-lts | cc0ae2abdc73 | 303e2802 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-10 | KASAN: use-after-free Write in ext4_expand_extra_isize_ea |
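The report above is the raw kernel log; when triaging a batch of these it helps to pull out the few fields that matter (bug kind, faulting access, the first frame that is not KASAN or dump_stack machinery, and the shadow byte under the caret) mechanically. The parser below is an added example, not syzbot's or the kernel's code. It assumes the generic-KASAN shadow encoding from mm/kasan/kasan.h (0x00 = 8 accessible bytes, 0x01..0x07 = that many accessible bytes, 0xff = freed page, 0xfb = freed kmalloc object, and so on); the legend table and the list of "noise" frames are this example's own choices, and the sample report is a constructed excerpt of the report on this page. For this report it yields the write of 72 bytes at ffff888126c4c000, the culprit frame ext4_xattr_shift_entries fs/ext4/xattr.c:2536, and a shadow byte of 0xff, which under that legend means a freed page and agrees with the "page_owner tracks the page as freed" line.

```python
"""Triage parser for a generic-KASAN report (added example, not syzbot or kernel code)."""
import re

# Generic KASAN shadow poison values as defined in mm/kasan/kasan.h (assumed, not on the page).
SHADOW_LEGEND = {
    0xFF: "freed page", 0xFE: "kmalloc_large redzone", 0xFC: "kmalloc redzone",
    0xFB: "freed kmalloc object", 0xFA: "freed kmalloc object (free track set)",
    0xF9: "global redzone", 0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}
# Frames that belong to the report/instrumentation path, not to the bug itself (our heuristic).
NOISE = re.compile(r"^(__dump_stack|dump_stack|print_address_description|__kasan_report|"
                   r"kasan_report|check_region_inline|kasan_check_range|__asan_|memmove|memcpy|memset)")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
                    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>\S+)"
                      r"(?P<inl>\s+\[inline\])?\s*$")
# The '>' row of "Memory state around the buggy address": 16 shadow bytes = 128 bytes of memory.
SHADOW_RE = re.compile(r"^>(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})\s*$")


def shadow_meaning(byte):
    """Decode one generic-KASAN shadow byte."""
    if byte == 0x00:
        return "8 accessible bytes"
    if 1 <= byte <= 7:
        return f"{byte} accessible bytes, rest redzone"
    return SHADOW_LEGEND.get(byte, f"unknown poison 0x{byte:02x}")


def parse_kasan_report(text):
    """Extract the bug kind, faulting access, call-trace frames, culprit and shadow byte."""
    info = {"frames": []}
    in_trace = False
    for line in text.splitlines():
        if (m := BUG_RE.match(line)) and "kind" not in info:   # keep the first BUG line only
            info.update(kind=m["kind"], func=m["func"], loc=m["loc"])
            continue
        if m := ACCESS_RE.match(line):
            info.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16), task=m["task"])
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                info["frames"].append((m["func"], m["loc"], bool(m["inl"])))
                continue
            in_trace = False            # first non-frame line ends the trace
        if (m := SHADOW_RE.match(line)) and "addr" in info:
            base = int(m["base"], 16)
            shadow = [int(b, 16) for b in m["bytes"].split()]
            idx = (info["addr"] - base) // 8   # one shadow byte covers 8 bytes of memory
            info["shadow_byte"] = shadow[idx]
            info["shadow_meaning"] = shadow_meaning(shadow[idx])
    # The culprit is the first frame that is not KASAN/dump_stack machinery.
    info["culprit"] = next((f for f in info["frames"] if not NOISE.match(f[0])), None)
    return info


# Constructed sample: an excerpt of the report on this page, trimmed to the relevant lines.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in ext4_xattr_shift_entries fs/ext4/xattr.c:2536 [inline]
BUG: KASAN: use-after-free in ext4_expand_extra_isize_ea+0x15b8/0x1930 fs/ext4/xattr.c:2785
Write of size 72 at addr ffff888126c4c000 by task syz-executor/276
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 memmove+0x44/0x70 mm/kasan/shadow.c:55
 ext4_xattr_shift_entries fs/ext4/xattr.c:2536 [inline]
 ext4_expand_extra_isize_ea+0x15b8/0x1930 fs/ext4/xattr.c:2785
 __ext4_expand_extra_isize+0x2fe/0x3e0 fs/ext4/inode.c:6003
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f71851f1a57
Memory state around the buggy address:
 ffff888126c4bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888126c4c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
"""

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r['kind']}: {r['op']} of {r['size']} bytes at {r['addr']:#x} by {r['task']}")
    print("culprit frame:", r["culprit"])
    print(f"shadow byte {r['shadow_byte']:#04x} -> {r['shadow_meaning']}")
```

The culprit heuristic deliberately skips memmove/memcpy/memset as well as the KASAN frames, because the instrumented copy routine is where the check fires, not where the bad pointer came from; in this report that puts the finger on ext4_xattr_shift_entries, inlined into ext4_expand_extra_isize_ea, which is what syzbot's own title reflects.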