[v5.15] KASAN: out-of-bounds Read in ext4_xattr_set_entry
0 views
Skip to first unread message
syzbot
Mar 15, 2025, 2:50:39 PMMar 15
Hello,
syzbot found the following issue on:
HEAD commit: 0c935c049b5c Linux 5.15.179
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15f5f04c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=bcb6af887426ce59
dashboard link: https://syzkaller.appspot.com/bug?extid=a6e8001e6c89306ea653
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75b060834e1e/disk-0c935c04.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d42b06ae465d/vmlinux-0c935c04.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d5217676cd35/bzImage-0c935c04.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x11f1/0x4130 fs/ext4/xattr.c:1738
Read of size 18446744073709551552 at addr ffff8880736582e8 by task syz.9.1062/8410
CPU: 1 PID: 8410 Comm: syz.9.1062 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
memmove+0x25/0x60 mm/kasan/shadow.c:54
ext4_xattr_set_entry+0x11f1/0x4130 fs/ext4/xattr.c:1738
ext4_xattr_ibody_set+0x11d/0x330 fs/ext4/xattr.c:2243
ext4_xattr_move_to_block fs/ext4/xattr.c:2630 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2698 [inline]
ext4_expand_extra_isize_ea+0x1128/0x1bb0 fs/ext4/xattr.c:2790
__ext4_expand_extra_isize+0x2f7/0x3d0 fs/ext4/inode.c:5857
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5900 [inline]
__ext4_mark_inode_dirty+0x539/0x860 fs/ext4/inode.c:5978
ext4_dirty_inode+0xbf/0x100 fs/ext4/inode.c:6010
__mark_inode_dirty+0x2fd/0xd60 fs/fs-writeback.c:2464
generic_update_time fs/inode.c:1881 [inline]
inode_update_time fs/inode.c:1894 [inline]
touch_atime+0x3fa/0x680 fs/inode.c:1966
file_accessed include/linux/fs.h:2521 [inline]
filemap_read+0x2779/0x2980 mm/filemap.c:2715
__kernel_read+0x5ac/0xa60 fs/read_write.c:443
integrity_kernel_read+0xac/0xf0 security/integrity/iint.c:228
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:485 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
ima_calc_file_hash+0xa5d/0x1c00 security/integrity/ima/ima_crypto.c:573
ima_collect_measurement+0x323/0x820 security/integrity/ima/ima_api.c:255
process_measurement+0x1363/0x21c0 security/integrity/ima/ima_main.c:351
ima_file_check+0xf3/0x180 security/integrity/ima/ima_main.c:533
do_open fs/namei.c:3610 [inline]
path_openat+0x2748/0x2f20 fs/namei.c:3742
do_filp_open+0x21c/0x460 fs/namei.c:3769
do_sys_openat2+0x13b/0x4f0 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1280
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f15f438d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f15f21f6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f15f45a5fa0 RCX: 00007f15f438d169
RDX: 0000000000000042 RSI: 0000400000000100 RDI: ffffffffffffff9c
RBP: 00007f15f440e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f15f45a5fa0 R15: 00007ffc018dbed8
</TASK>
The buggy address belongs to the page:
page:ffffea0001cd9600 refcount:2 mapcount:0 mapping:ffff888147824f30 index:0x2 pfn:0x73658
memcg:ffff8880673b0000
aops:def_blk_aops ino:700009
flags: 0xfff00000002036(referenced|uptodate|lru|active|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002036 ffffea00009ab608 ffffea00007ed988 ffff888147824f30
raw: 0000000000000002 ffff888061c92910 00000002ffffffff ffff8880673b0000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 8410, ts 243652785744, free_ts 243641439861
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x3b78/0x3d40 mm/page_alloc.c:4192
__alloc_pages+0x272/0x700 mm/page_alloc.c:5466
__page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
pagecache_get_page+0xa91/0x1010 mm/filemap.c:1940
find_or_create_page include/linux/pagemap.h:420 [inline]
grow_dev_page fs/buffer.c:949 [inline]
grow_buffers fs/buffer.c:1014 [inline]
__getblk_slow fs/buffer.c:1041 [inline]
__getblk_gfp+0x22a/0xaf0 fs/buffer.c:1336
sb_getblk include/linux/buffer_head.h:361 [inline]
__ext4_get_inode_loc+0x4ce/0xcd0 fs/ext4/inode.c:4325
__ext4_get_inode_loc_noinmem fs/ext4/inode.c:4433 [inline]
__ext4_iget+0x4ff/0x3f00 fs/ext4/inode.c:4663
ext4_lookup+0x691/0xaa0 fs/ext4/namei.c:1858
lookup_open fs/namei.c:3440 [inline]
open_last_lookups fs/namei.c:3532 [inline]
path_openat+0x111d/0x2f20 fs/namei.c:3739
do_filp_open+0x21c/0x460 fs/namei.c:3769
do_sys_openat2+0x13b/0x4f0 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1280
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
exit_mmap+0x3cd/0x620 mm/mmap.c:3206
__mmput+0x112/0x3b0 kernel/fork.c:1127
exit_mm+0x688/0x7f0 kernel/exit.c:550
do_exit+0x626/0x2480 kernel/exit.c:861
do_group_exit+0x144/0x310 kernel/exit.c:996
__do_sys_exit_group kernel/exit.c:1007 [inline]
__se_sys_exit_group kernel/exit.c:1005 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Memory state around the buggy address:
ffff888073658180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888073658200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888073658280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888073658300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888073658380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 0c935c049b5c Linux 5.15.179
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15f5f04c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=bcb6af887426ce59
dashboard link: https://syzkaller.appspot.com/bug?extid=a6e8001e6c89306ea653
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75b060834e1e/disk-0c935c04.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d42b06ae465d/vmlinux-0c935c04.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d5217676cd35/bzImage-0c935c04.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x11f1/0x4130 fs/ext4/xattr.c:1738
Read of size 18446744073709551552 at addr ffff8880736582e8 by task syz.9.1062/8410
CPU: 1 PID: 8410 Comm: syz.9.1062 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
memmove+0x25/0x60 mm/kasan/shadow.c:54
ext4_xattr_set_entry+0x11f1/0x4130 fs/ext4/xattr.c:1738
ext4_xattr_ibody_set+0x11d/0x330 fs/ext4/xattr.c:2243
ext4_xattr_move_to_block fs/ext4/xattr.c:2630 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2698 [inline]
ext4_expand_extra_isize_ea+0x1128/0x1bb0 fs/ext4/xattr.c:2790
__ext4_expand_extra_isize+0x2f7/0x3d0 fs/ext4/inode.c:5857
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5900 [inline]
__ext4_mark_inode_dirty+0x539/0x860 fs/ext4/inode.c:5978
ext4_dirty_inode+0xbf/0x100 fs/ext4/inode.c:6010
__mark_inode_dirty+0x2fd/0xd60 fs/fs-writeback.c:2464
generic_update_time fs/inode.c:1881 [inline]
inode_update_time fs/inode.c:1894 [inline]
touch_atime+0x3fa/0x680 fs/inode.c:1966
file_accessed include/linux/fs.h:2521 [inline]
filemap_read+0x2779/0x2980 mm/filemap.c:2715
__kernel_read+0x5ac/0xa60 fs/read_write.c:443
integrity_kernel_read+0xac/0xf0 security/integrity/iint.c:228
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:485 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
ima_calc_file_hash+0xa5d/0x1c00 security/integrity/ima/ima_crypto.c:573
ima_collect_measurement+0x323/0x820 security/integrity/ima/ima_api.c:255
process_measurement+0x1363/0x21c0 security/integrity/ima/ima_main.c:351
ima_file_check+0xf3/0x180 security/integrity/ima/ima_main.c:533
do_open fs/namei.c:3610 [inline]
path_openat+0x2748/0x2f20 fs/namei.c:3742
do_filp_open+0x21c/0x460 fs/namei.c:3769
do_sys_openat2+0x13b/0x4f0 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1280
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f15f438d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f15f21f6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f15f45a5fa0 RCX: 00007f15f438d169
RDX: 0000000000000042 RSI: 0000400000000100 RDI: ffffffffffffff9c
RBP: 00007f15f440e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f15f45a5fa0 R15: 00007ffc018dbed8
</TASK>
The buggy address belongs to the page:
page:ffffea0001cd9600 refcount:2 mapcount:0 mapping:ffff888147824f30 index:0x2 pfn:0x73658
memcg:ffff8880673b0000
aops:def_blk_aops ino:700009
flags: 0xfff00000002036(referenced|uptodate|lru|active|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002036 ffffea00009ab608 ffffea00007ed988 ffff888147824f30
raw: 0000000000000002 ffff888061c92910 00000002ffffffff ffff8880673b0000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 8410, ts 243652785744, free_ts 243641439861
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x3b78/0x3d40 mm/page_alloc.c:4192
__alloc_pages+0x272/0x700 mm/page_alloc.c:5466
__page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
pagecache_get_page+0xa91/0x1010 mm/filemap.c:1940
find_or_create_page include/linux/pagemap.h:420 [inline]
grow_dev_page fs/buffer.c:949 [inline]
grow_buffers fs/buffer.c:1014 [inline]
__getblk_slow fs/buffer.c:1041 [inline]
__getblk_gfp+0x22a/0xaf0 fs/buffer.c:1336
sb_getblk include/linux/buffer_head.h:361 [inline]
__ext4_get_inode_loc+0x4ce/0xcd0 fs/ext4/inode.c:4325
__ext4_get_inode_loc_noinmem fs/ext4/inode.c:4433 [inline]
__ext4_iget+0x4ff/0x3f00 fs/ext4/inode.c:4663
ext4_lookup+0x691/0xaa0 fs/ext4/namei.c:1858
lookup_open fs/namei.c:3440 [inline]
open_last_lookups fs/namei.c:3532 [inline]
path_openat+0x111d/0x2f20 fs/namei.c:3739
do_filp_open+0x21c/0x460 fs/namei.c:3769
do_sys_openat2+0x13b/0x4f0 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1280
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
exit_mmap+0x3cd/0x620 mm/mmap.c:3206
__mmput+0x112/0x3b0 kernel/fork.c:1127
exit_mm+0x688/0x7f0 kernel/exit.c:550
do_exit+0x626/0x2480 kernel/exit.c:861
do_group_exit+0x144/0x310 kernel/exit.c:996
__do_sys_exit_group kernel/exit.c:1007 [inline]
__se_sys_exit_group kernel/exit.c:1005 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Memory state around the buggy address:
ffff888073658180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888073658200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888073658280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888073658300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888073658380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Apr 4, 2025, 7:19:23 AMApr 4
syzbot has found a reproducer for the following issue on:
HEAD commit: 0c935c049b5c Linux 5.15.179
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1399023f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=98c228fbc016eb3a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172b27cf980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15262fb0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d5477072f336/disk-0c935c04.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/77d15907ffb3/vmlinux-0c935c04.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efe5d79cb16a/Image-0c935c04.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c729649c7bc6/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=12088be4580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
EXT4-fs (loop0): mounted filesystem without journal. Opts: nogrpid,min_batch_time=0x0000000000000000,debug_want_extra_isize=0x0000000000000068,nobarrier,nodiscard,quota,,errors=continue. Quota mode: writeback.
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0xe28/0x3078 fs/ext4/xattr.c:1738
Read of size 18446744073709551540 at addr ffff0000c9061070 by task syz-executor583/4018
CPU: 0 PID: 4018 Comm: syz-executor583 Not tainted 5.15.179-syzkaller #0
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x274/0x2b4 mm/kasan/generic.c:189
memmove+0x90/0xe8 mm/kasan/shadow.c:54
ext4_xattr_set_entry+0xe28/0x3078 fs/ext4/xattr.c:1738
ext4_xattr_block_set+0x8ec/0x2dcc fs/ext4/xattr.c:1995
ext4_xattr_set_handle+0xe44/0x12d8 fs/ext4/xattr.c:2403
ext4_xattr_set+0x220/0x340 fs/ext4/xattr.c:2513
ext4_xattr_trusted_set+0x4c/0x64 fs/ext4/xattr_trusted.c:38
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
do_setxattr fs/xattr.c:588 [inline]
setxattr+0x250/0x2b4 fs/xattr.c:611
path_setxattr+0x17c/0x258 fs/xattr.c:630
__do_sys_lsetxattr fs/xattr.c:653 [inline]
__se_sys_lsetxattr fs/xattr.c:649 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 4018:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc_track_caller+0x218/0x3d8 mm/slub.c:4930
kmemdup+0xcc/0x144 mm/util.c:128
ext4_xattr_block_set+0x7c0/0x2dcc fs/ext4/xattr.c:1943
ext4_xattr_set_handle+0xe44/0x12d8 fs/ext4/xattr.c:2403
ext4_xattr_set+0x220/0x340 fs/ext4/xattr.c:2513
ext4_xattr_trusted_set+0x4c/0x64 fs/ext4/xattr_trusted.c:38
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
do_setxattr fs/xattr.c:588 [inline]
setxattr+0x250/0x2b4 fs/xattr.c:611
path_setxattr+0x17c/0x258 fs/xattr.c:630
__do_sys_lsetxattr fs/xattr.c:653 [inline]
__se_sys_lsetxattr fs/xattr.c:649 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000c9061000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 112 bytes inside of
1024-byte region [ffff0000c9061000, ffff0000c9061400)
head:00000000b4c33ad1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
ffff0000c9060f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c9061000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff0000c9061080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000c9061100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 0c935c049b5c Linux 5.15.179
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=98c228fbc016eb3a
dashboard link: https://syzkaller.appspot.com/bug?extid=a6e8001e6c89306ea653
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172b27cf980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15262fb0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d5477072f336/disk-0c935c04.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/77d15907ffb3/vmlinux-0c935c04.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efe5d79cb16a/Image-0c935c04.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c729649c7bc6/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=12088be4580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0xe28/0x3078 fs/ext4/xattr.c:1738
Read of size 18446744073709551540 at addr ffff0000c9061070 by task syz-executor583/4018
CPU: 0 PID: 4018 Comm: syz-executor583 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x274/0x2b4 mm/kasan/generic.c:189
memmove+0x90/0xe8 mm/kasan/shadow.c:54
ext4_xattr_set_entry+0xe28/0x3078 fs/ext4/xattr.c:1738
ext4_xattr_block_set+0x8ec/0x2dcc fs/ext4/xattr.c:1995
ext4_xattr_set_handle+0xe44/0x12d8 fs/ext4/xattr.c:2403
ext4_xattr_set+0x220/0x340 fs/ext4/xattr.c:2513
ext4_xattr_trusted_set+0x4c/0x64 fs/ext4/xattr_trusted.c:38
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
do_setxattr fs/xattr.c:588 [inline]
setxattr+0x250/0x2b4 fs/xattr.c:611
path_setxattr+0x17c/0x258 fs/xattr.c:630
__do_sys_lsetxattr fs/xattr.c:653 [inline]
__se_sys_lsetxattr fs/xattr.c:649 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 4018:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc_track_caller+0x218/0x3d8 mm/slub.c:4930
kmemdup+0xcc/0x144 mm/util.c:128
ext4_xattr_block_set+0x7c0/0x2dcc fs/ext4/xattr.c:1943
ext4_xattr_set_handle+0xe44/0x12d8 fs/ext4/xattr.c:2403
ext4_xattr_set+0x220/0x340 fs/ext4/xattr.c:2513
ext4_xattr_trusted_set+0x4c/0x64 fs/ext4/xattr_trusted.c:38
__vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
__vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
do_setxattr fs/xattr.c:588 [inline]
setxattr+0x250/0x2b4 fs/xattr.c:611
path_setxattr+0x17c/0x258 fs/xattr.c:630
__do_sys_lsetxattr fs/xattr.c:653 [inline]
__se_sys_lsetxattr fs/xattr.c:649 [inline]
__arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000c9061000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 112 bytes inside of
1024-byte region [ffff0000c9061000, ffff0000c9061400)
The buggy address belongs to the page:
page:00000000b4c33ad1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109060
head:00000000b4c33ad1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c9060f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c9060f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c9061000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff0000c9061080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000c9061100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages