==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x11db/0x3a80 fs/ext4/xattr.c:1736
Read of size 18446744073709551600 at addr ffff88813be3e6b8 by task kworker/u4:1/10

CPU: 1 PID: 10 Comm: kworker/u4:1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: writeback wb_workfn (flush-7:2)
Call Trace:
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x10f/0x150 mm/kasan/report.c:444
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 memmove+0x2d/0x70 mm/kasan/shadow.c:54
 ext4_xattr_set_entry+0x11db/0x3a80 fs/ext4/xattr.c:1736
 ext4_xattr_ibody_set+0x114/0x330 fs/ext4/xattr.c:2238
 ext4_destroy_inline_data_nolock+0x234/0x5e0 fs/ext4/inline.c:468
 ext4_destroy_inline_data+0x84/0xe0 fs/ext4/inline.c:1915
 ext4_writepages+0x64c/0x30a0 fs/ext4/inode.c:2750
 do_writepages+0x476/0x6d0 mm/page-writeback.c:2388
 __writeback_single_inode+0xd9/0x9e0 fs/fs-writeback.c:1657
 writeback_sb_inodes+0x9f3/0x1610 fs/fs-writeback.c:1940
 wb_writeback+0x3eb/0x990 fs/fs-writeback.c:2116
 wb_do_writeback fs/fs-writeback.c:2263 [inline]
 wb_workfn+0x3ac/0xf30 fs/fs-writeback.c:2304
 process_one_work+0x6c8/0xbb0 kernel/workqueue.c:2328
 worker_thread+0xaa0/0x1250 kernel/workqueue.c:2475
 kthread+0x3f5/0x4f0 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the page:
page:ffffea0004ef8f80 refcount:2 mapcount:0 mapping:ffff8881092c62d8 index:0x11 pfn:0x13be3e
memcg:ffff88810f8a5640
aops:def_blk_aops ino:700002
flags: 0x4000000000022036(referenced|uptodate|lru|active|private|mappedtodisk|zone=1)
raw: 4000000000022036 ffffea0004ef8fc8 ffffea0005183948 ffff8881092c62d8
raw: 0000000000000011 ffff88812961d738 00000002ffffffff ffff88810f8a5640
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 4124, ts 200434850141, free_ts 199950311527
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x192/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x2c3a/0x2cd0 mm/page_alloc.c:4485
 __alloc_pages+0x1a2/0x460 mm/page_alloc.c:5822
 __alloc_pages_node include/linux/gfp.h:595 [inline]
 alloc_pages_node include/linux/gfp.h:609 [inline]
 alloc_pages include/linux/gfp.h:622 [inline]
 __page_cache_alloc include/linux/pagemap.h:305 [inline]
 page_cache_ra_unbounded+0x2bc/0x960 mm/readahead.c:227
 do_page_cache_ra+0xf2/0x110 mm/readahead.c:280
 do_sync_mmap_readahead+0x699/0x960 mm/filemap.c:3018
 filemap_fault+0xb41/0x1770 mm/filemap.c:3161
 __do_fault+0x25f/0x2f0 mm/memory.c:4195
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4709 [inline]
 handle_pte_fault+0x1bc0/0x2770 mm/memory.c:4923
 __handle_mm_fault mm/memory.c:-1 [inline]
 do_handle_mm_fault+0x1b3b/0x1e30 mm/memory.c:5345
 handle_mm_fault include/linux/mm.h:1847 [inline]
 faultin_page mm/gup.c:976 [inline]
 __get_user_pages+0x80e/0x10c0 mm/gup.c:1197
 populate_vma_page_range mm/gup.c:1529 [inline]
 __mm_populate+0x324/0x470 mm/gup.c:1638
 mm_populate include/linux/mm.h:2704 [inline]
 vm_mmap_pgoff+0x245/0x410 mm/util.c:560
 ksys_mmap_pgoff+0x161/0x1d0 mm/mmap.c:1647
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0xfa/0x110 arch/x86/kernel/sys_x86_64.c:86
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x542/0x550 mm/page_alloc.c:3534
 free_unref_page+0xae/0x540 mm/page_alloc.c:3616
 free_the_page mm/page_alloc.c:805 [inline]
 __free_pages+0x6c/0x100 mm/page_alloc.c:5898
 __vunmap+0x801/0x980 mm/vmalloc.c:2660
 __vfree mm/vmalloc.c:2709 [inline]
 vfree+0x8b/0xc0 mm/vmalloc.c:2740
 kvfree+0x26/0x40 mm/util.c:659
 memslot_rmap_free arch/x86/kvm/x86.c:11791 [inline]
 kvm_arch_free_memslot+0xb1/0x150 arch/x86/kvm/x86.c:11800
 kvm_free_memslot virt/kvm/kvm_main.c:934 [inline]
 kvm_free_memslots virt/kvm/kvm_main.c:948 [inline]
 kvm_destroy_vm virt/kvm/kvm_main.c:1254 [inline]
 kvm_put_kvm+0xc58/0x1190 virt/kvm/kvm_main.c:1283
 kvm_vm_release+0x46/0x50 virt/kvm/kvm_main.c:1306
 __fput+0x22b/0x900 fs/file_table.c:311
 ____fput+0x15/0x20 fs/file_table.c:339
 task_work_run+0x127/0x190 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0xb70/0x29a0 kernel/exit.c:890
 do_group_exit+0x149/0x310 kernel/exit.c:1004
 get_signal+0x64f/0x1430 kernel/signal.c:2907
 arch_do_signal_or_restart+0xe2/0x1100 arch/x86/kernel/signal.c:867

Memory state around the buggy address:
 ffff88813be3e580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88813be3e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88813be3e680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        ^
 ffff88813be3e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88813be3e780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
EXT4-fs error (device loop2): ext4_read_block_bitmap_nowait:476: comm kworker/u4:1: Invalid block bitmap block 0 in block_group 0
EXT4-fs (loop2): Remounting filesystem read-only