[Android 5.10] KASAN: use-after-free Read in ext4_xattr_inode_dec_ref_all


syzbot

Mar 27, 2025, 7:49:27 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 094fc3778d6b Merge 9d091e874b66 ("cpufreq: schedutil: Simp..
git tree: android13-5.10-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13b8e198580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b0867136c1e117ab
dashboard link: https://syzkaller.appspot.com/bug?extid=786264827f156d1819c6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=115d4a4c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17b5343f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e4ed50b42b79/disk-094fc377.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/89a1f19d8fd6/vmlinux-094fc377.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1ce7f082940d/bzImage-094fc377.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/595f05c3066f/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=136f6de4580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+786264...@syzkaller.appspotmail.com

EXT4-fs error (device loop1): ext4_xattr_inode_iget:409: comm syz-executor600: error while reading EA inode 4263244710 err=-117
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0xd04/0xfa0 fs/ext4/xattr.c:1134
Read of size 4 at addr ffff888120d450b0 by task syz-executor600/288

CPU: 1 PID: 288 Comm: syz-executor600 Not tainted 5.10.234-syzkaller-00033-g094fc3778d6b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
ext4_xattr_inode_dec_ref_all+0xd04/0xfa0 fs/ext4/xattr.c:1134
ext4_xattr_delete_inode+0xaa6/0xc80 fs/ext4/xattr.c:2901
ext4_evict_inode+0x1095/0x1730 fs/ext4/inode.c:300
evict+0x526/0x9c0 fs/inode.c:612
iput_final fs/inode.c:1736 [inline]
iput+0x632/0x7e0 fs/inode.c:1762
do_unlinkat+0x48e/0x8b0 fs/namei.c:4042
__do_sys_unlink fs/namei.c:4082 [inline]
__se_sys_unlink fs/namei.c:4080 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4080
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:-1
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fd44ef11a47
Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffde92df868 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd44ef11a47
RDX: 00007ffde92df890 RSI: 00007ffde92df920 RDI: 00007ffde92df920
RBP: 00007ffde92df920 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffde92e0a10
R13: 000055555ee7b800 R14: 431bde82d7b634db R15: 00007ffde92e1aa0

The buggy address belongs to the page:
page:ffffea0004835140 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x120d45
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea0004835188 ffffea0004751f88 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
ffff888120d44f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888120d45000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888120d45080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888120d45100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888120d45180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 28, 2025, 9:40:04 AM
to syzkaller-a...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3
Author: Bhupesh <bhu...@igalia.com>
Date: Tue Jan 28 08:27:50 2025 +0000

ext4: ignore xattrs past end

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=105dabf4580000
start commit: 094fc3778d6b Merge 9d091e874b66 ("cpufreq: schedutil: Simp..
git tree: android13-5.10-lts
If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: ext4: ignore xattrs past end

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Sep 13, 2025, 7:25:15 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.