syzbot

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xb92/0xd80 fs/ext4/extents.c:955
Read of size 4 at addr ffff888078554d18 by task kworker/u8:1/13

CPU: 1 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted 6.14.0-syzkaller-03576-g1e1ba8d23dae #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: writeback wb_workfn (flush-7:3)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0xb92/0xd80 fs/ext4/extents.c:955
 ext4_ext_map_blocks+0x2e6/0x7d80 fs/ext4/extents.c:4205
 ext4_map_create_blocks fs/ext4/inode.c:516 [inline]
 ext4_map_blocks+0x909/0x1a70 fs/ext4/inode.c:702
 mpage_map_one_extent fs/ext4/inode.c:2219 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline]
 ext4_do_writepages+0x21cd/0x3e00 fs/ext4/inode.c:2735
 ext4_writepages+0x203/0x3c0 fs/ext4/inode.c:2824
 do_writepages+0x36a/0x890 mm/page-writeback.c:2687
 __writeback_single_inode+0x14f/0x10d0 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x822/0x1360 fs/fs-writeback.c:1976
 __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:2047
 wb_writeback+0x429/0xb90 fs/fs-writeback.c:2158
 wb_check_old_data_flush fs/fs-writeback.c:2262 [inline]
 wb_do_writeback fs/fs-writeback.c:2315 [inline]
 wb_workfn+0xbbc/0x10b0 fs/fs-writeback.c:2343
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xac3/0x18e0 kernel/workqueue.c:3319
 worker_thread+0x870/0xd30 kernel/workqueue.c:3400
 kthread+0x7a9/0x920 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xe pfn:0x78554
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000000e 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 6763, tgid 6763 (syz-executor423), ts 102180888823, free_ts 102196582757
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x368a/0x37d0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x2c5/0x7b0 mm/page_alloc.c:4740
 alloc_pages_mpol+0x339/0x690 mm/mempolicy.c:2301
 folio_alloc_mpol_noprof+0x36/0x70 mm/mempolicy.c:2320
 shmem_alloc_folio mm/shmem.c:1863 [inline]
 shmem_alloc_and_add_folio+0x490/0x1070 mm/shmem.c:1902
 shmem_get_folio_gfp+0x655/0x1800 mm/shmem.c:2545
 shmem_get_folio mm/shmem.c:2651 [inline]
 shmem_write_begin+0x17e/0x3a0 mm/shmem.c:3301
 generic_perform_write+0x329/0xa10 mm/filemap.c:4102
 shmem_file_write_iter+0xf9/0x120 mm/shmem.c:3477
 new_sync_write fs/read_write.c:591 [inline]
 vfs_write+0x70f/0xd10 fs/read_write.c:684
 ksys_write+0x19d/0x2d0 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6763 tgid 6763 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_folios+0xe5b/0x18d0 mm/page_alloc.c:2707
 folios_put_refs+0x779/0x880 mm/swap.c:994
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x595/0x1820 mm/shmem.c:1112
 shmem_truncate_range mm/shmem.c:1224 [inline]
 shmem_evict_inode+0x29d/0xa80 mm/shmem.c:1352
 evict+0x4f9/0x9b0 fs/inode.c:810
 __dentry_kill+0x20d/0x630 fs/dcache.c:643
 dput+0x19f/0x2b0 fs/dcache.c:885
 __fput+0x60b/0x9f0 fs/file_table.c:473
 fput_close_sync+0x1ef/0x270 fs/file_table.c:570
 __do_sys_close fs/open.c:1581 [inline]
 __se_sys_close fs/open.c:1566 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1566
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888078554c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078554c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888078554d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff888078554d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078554e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================