[v6.1] KASAN: use-after-free Read in ext4_xattr_list_entries

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: cd9b81672742 Linux 6.1.161
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=166a639a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=20a9a768711714797c43
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d21df4411014/disk-cd9b8167.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/246aed0358fb/vmlinux-cd9b8167.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6f546504ec2/Image-cd9b8167.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+20a9a7...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_list_entries+0x278/0x334 fs/ext4/xattr.c:670
Read of size 4 at addr ffff0000fc4e1044 by task syz.0.122/4877

CPU: 0 PID: 4877 Comm: syz.0.122 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
print_address_description+0x88/0x218 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:420
kasan_report+0xa8/0xfc mm/kasan/report.c:524
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
ext4_xattr_list_entries+0x278/0x334 fs/ext4/xattr.c:670
ext4_xattr_ibody_list fs/ext4/xattr.c:740 [inline]
ext4_listxattr+0x1a8/0x4e8 fs/ext4/xattr.c:765
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x29c/0x3cc fs/xattr.c:804
path_listxattr+0xe0/0x1b8 fs/xattr.c:828
__do_sys_listxattr fs/xattr.c:840 [inline]
__se_sys_listxattr fs/xattr.c:837 [inline]
__arm64_sys_listxattr+0x80/0x94 fs/xattr.c:837
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the physical page:
page:0000000028cb180b refcount:1 mapcount:0 mapping:00000000a40099c4 index:0xc20 pfn:0x13c4e1
memcg:ffff0000c33c0000
aops:shmem_aops ino:d dentry name(?):"memfd:syzkaller"
flags: 0x5ffd8000008001e(referenced|uptodate|dirty|lru|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffd8000008001e fffffc0003ef22c8 fffffc0003874548 ffff0000cccaf508
raw: 0000000000000c20 0000000000000000 00000001ffffffff ffff0000c33c0000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000fc4e0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000fc4e0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000fc4e1000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff0000fc4e1080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000fc4e1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: cd9b81672742 Linux 6.1.161
git tree: linux-6.1.y

console output: https://syzkaller.appspot.com/x/log.txt?x=11e77522580000

kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=20a9a768711714797c43
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c88b9a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138fab9a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d21df4411014/disk-cd9b8167.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/246aed0358fb/vmlinux-cd9b8167.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a6f546504ec2/Image-cd9b8167.gz.xz

mounted in repro #1: https://storage.googleapis.com/syzbot-assets/95e99a3d59ca/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=14d32852580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/b20c9e2170be/mount_6.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=168e93fa580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+20a9a7...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_list_entries+0x278/0x334 fs/ext4/xattr.c:670

Read of size 4 at addr ffff0000eb560044 by task syz.0.17/4469

CPU: 0 PID: 4469 Comm: syz.0.17 Not tainted syzkaller #0

page:00000000ce41c8e4 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12b560
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0003ad5848 fffffc0003b27bc8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff0000eb55ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000eb55ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000eb560000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000eb560080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000eb560100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.