EXT4-fs (loop1): mounted filesystem without journal. Opts: grpjquota=,bsdgroups,bsddf,min_batch_time=0x0000000000000068,block_validity,,errors=continue
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x1326/0x3860 fs/ext4/xattr.c:1729
Read of size 18446744073709551600 at addr ffff888129a592b8 by task syz.1.77/588

CPU: 0 PID: 588 Comm: syz.1.77 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 memmove+0x2d/0x70 mm/kasan/shadow.c:54
 ext4_xattr_set_entry+0x1326/0x3860 fs/ext4/xattr.c:1729
 ext4_xattr_ibody_set+0x122/0x360 fs/ext4/xattr.c:2229
 ext4_destroy_inline_data_nolock+0x20f/0x5e0 fs/ext4/inline.c:464
 ext4_destroy_inline_data+0x84/0xe0 fs/ext4/inline.c:1896
 ext4_writepages+0x766/0x2eb0 fs/ext4/inode.c:2779
 do_writepages+0x128/0x280 mm/page-writeback.c:2380
 __filemap_fdatawrite_range+0x2a0/0x350 mm/filemap.c:427
 file_write_and_wait_range+0x8c/0x110 mm/filemap.c:766
 ext4_sync_file+0x1a9/0x9f0 fs/ext4/fsync.c:151
 vfs_fsync_range+0x190/0x1a0 fs/sync.c:202
 generic_write_sync include/linux/fs.h:2920 [inline]
 ext4_buffered_write_iter+0x59b/0x640 fs/ext4/file.c:278
 ext4_file_write_iter+0x53f/0x1980 fs/ext4/file.c:-1
 call_write_iter include/linux/fs.h:2066 [inline]
 new_sync_write fs/read_write.c:518 [inline]
 vfs_write+0x758/0xdc0 fs/read_write.c:605
 ksys_pwrite64 fs/read_write.c:712 [inline]
 __do_sys_pwrite64 fs/read_write.c:722 [inline]
 __se_sys_pwrite64 fs/read_write.c:719 [inline]
 __x64_sys_pwrite64+0x197/0x220 fs/read_write.c:719
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f10bbf06799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f10ba961028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f10bc17ffa0 RCX: 00007f10bbf06799
RDX: 0000000000000001 RSI: 00002000000005c0 RDI: 0000000000000004
RBP: 00007f10bbf9cc99 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000004fed0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f10bc180038 R14: 00007f10bc17ffa0 R15: 00007ffdcdee13f8

The buggy address belongs to the page:
page:ffffea0004a69640 refcount:3 mapcount:0 mapping:ffff88810919ed10 index:0x2 pfn:0x129a59
aops:def_blk_aops ino:0
flags: 0x400000000000202a(referenced|dirty|active|private)
raw: 400000000000202a dead000000000100 dead000000000122 ffff88810919ed10
raw: 0000000000000002 ffff88812e4e7dc8 00000003ffffffff ffff88810d5c0000
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88810d5c0000
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 588, ts 39692896336, free_ts 39691658009
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x223b/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x290/0x620 mm/page_alloc.c:5384
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 __page_cache_alloc include/linux/pagemap.h:290 [inline]
 pagecache_get_page+0x63e/0x930 mm/filemap.c:1848
 find_or_create_page include/linux/pagemap.h:402 [inline]
 grow_dev_page fs/buffer.c:976 [inline]
 grow_buffers fs/buffer.c:1045 [inline]
 __getblk_slow fs/buffer.c:1072 [inline]
 __getblk_gfp+0x212/0x780 fs/buffer.c:1370
 sb_getblk include/linux/buffer_head.h:361 [inline]
 __ext4_get_inode_loc+0x467/0xc30 fs/ext4/inode.c:4449
 ext4_get_inode_loc+0xba/0x130 fs/ext4/inode.c:4575
 ext4_xattr_ibody_get+0x119/0x690 fs/ext4/xattr.c:594
 ext4_xattr_get+0x116/0x820 fs/ext4/xattr.c:655
 ext4_xattr_security_get+0x32/0x40 fs/ext4/xattr_security.c:20
 __vfs_getxattr+0x5af/0x6b0 fs/xattr.c:399
 cap_inode_need_killpriv+0x4b/0x70 security/commoncap.c:300
 security_inode_need_killpriv+0x62/0x90 security/security.c:1340
 dentry_needs_remove_privs fs/inode.c:1953 [inline]
 file_remove_privs+0x203/0x5b0 fs/inode.c:1993
 file_modified+0x19/0xb0 fs/inode.c:2062
 ext4_write_checks fs/ext4/file.c:250 [inline]
 ext4_buffered_write_iter+0x334/0x640 fs/ext4/file.c:266
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2b7/0x2d0 mm/page_alloc.c:3336
 free_unref_page_list+0x129/0x9c0 mm/page_alloc.c:3443
 release_pages+0xe52/0xea0 mm/swap.c:1103
 __pagevec_release+0x71/0xe0 mm/swap.c:1123
 pagevec_release include/linux/pagevec.h:88 [inline]
 invalidate_inode_pages2_range+0xc1c/0xda0 mm/truncate.c:769
 generic_file_direct_write+0x37e/0x680 mm/filemap.c:3396
 __generic_file_write_iter+0x298/0x480 mm/filemap.c:3595
 blkdev_write_iter+0x2f2/0x3f0 fs/block_dev.c:1929
 call_write_iter include/linux/fs.h:2066 [inline]
 aio_write+0x4d2/0x6d0 fs/aio.c:1595
 __io_submit_one fs/aio.c:-1 [inline]
 io_submit_one+0x73b/0x1940 fs/aio.c:2014
 __do_sys_io_submit fs/aio.c:2073 [inline]
 __se_sys_io_submit+0x17b/0x3d0 fs/aio.c:2043
 __x64_sys_io_submit+0x7b/0x90 fs/aio.c:2043
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff888129a59180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888129a59200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888129a59280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        ^
 ffff888129a59300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888129a59380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
EXT4-fs (loop1): Delayed block allocation failed for inode 15 at logical offset 319 with max blocks 1 with error 28
EXT4-fs (loop1): This should not happen!! Data will be lost
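Triage note, added here as an example and not part of the syzkaller report or of any kernel tooling: the printed size 18446744073709551600 is 2^64 - 16, so the memmove() reached from ext4_xattr_set_entry was called with a length of -16 interpreted as size_t. That means a length computation underflowed before the copy, which is a different (and usually worse) class of bug than a read that runs a few bytes past a buffer. The script below parses the two header lines of a KASAN report and makes that reinterpretation explicit; it also reports the offset of the faulting address inside its page. SAMPLE_REPORT is copied from the report above; every function, class and field name is the example's own, and the 4 KiB page size is an assumption (x86-64 base pages).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two header lines of the KASAN report above. Any syzkaller-style
# KASAN report starts with lines of this shape.
SAMPLE_REPORT = """\
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x1326/0x3860 fs/ext4/xattr.c:1729
Read of size 18446744073709551600 at addr ffff888129a592b8 by task syz.1.77/588
"""

BUG_RE = re.compile(
    r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ "
    r"(?P<file>[\w./-]+):(?P<line>\d+)"
)
ACCESS_RE = re.compile(
    r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<task>\S+)/(?P<pid>\d+)"
)

PAGE_SIZE = 4096  # assumption: x86-64 base page size


@dataclass
class KasanAccess:
    kind: str      # e.g. "out-of-bounds", "use-after-free", "slab-out-of-bounds"
    func: str
    file: str
    line: int
    access: str    # "Read" or "Write"
    size: int      # size exactly as printed (an unsigned size_t)
    addr: int
    task: str
    pid: int

    @property
    def signed_size(self) -> int:
        """Reinterpret the printed size_t as a signed 64-bit value."""
        return self.size - (1 << 64) if self.size >= (1 << 63) else self.size

    @property
    def size_underflowed(self) -> bool:
        """True when the length handed to the memory op was negative."""
        return self.signed_size < 0

    @property
    def page_offset(self) -> int:
        """Offset of the faulting address inside its page (assumes PAGE_SIZE)."""
        return self.addr & (PAGE_SIZE - 1)


def parse_kasan_header(text: str) -> Optional[KasanAccess]:
    """Extract the bug class and the faulting access from a KASAN report."""
    bug = access = None
    for ln in text.splitlines():
        bug = bug or BUG_RE.match(ln)
        access = access or ACCESS_RE.match(ln)
    if not (bug and access):
        return None
    return KasanAccess(
        kind=bug["kind"], func=bug["func"], file=bug["file"], line=int(bug["line"]),
        access=access["access"], size=int(access["size"]), addr=int(access["addr"], 16),
        task=access["task"], pid=int(access["pid"]),
    )


def triage(text: str) -> List[str]:
    """Return human-readable findings; empty if the header could not be parsed."""
    r = parse_kasan_header(text)
    if r is None:
        return []
    out = [f"{r.kind}: {r.access.lower()} of {r.signed_size} byte(s) in {r.func} "
           f"({r.file}:{r.line}) by {r.task}/{r.pid}",
           f"faulting address {r.addr:#x} is at offset {r.page_offset:#x} into its page"]
    if r.size_underflowed:
        out.append(f"length underflow: size_t value {r.size} is {r.signed_size} when "
                   "signed, so a length computation went negative before the copy")
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Run against the report above, the third finding is the one to act on: a negative memmove length points at the xattr entry size/offset arithmetic in ext4_xattr_set_entry, not at a simple off-by-a-few read, which is the question a fix reviewer should answer first.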