syzbot

EXT4-fs: inline encryption not supported
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xaea/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff88805fabf400 by task syz.0.496/8220

CPU: 0 UID: 0 PID: 8220 Comm: syz.0.496 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engi[  180.197696][ T8220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0xaea/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x283/0x58b0 fs/ext4/extents.c:4261
 ext4_map_query_blocks+0x13b/0xa00 fs/ext4/inode.c:553
 ext4_map_blocks+0x444/0x11d0 fs/ext4/inode.c:771
 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909
 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942
 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196
 ext4_write_begin+0xb40/0x18c0 fs/ext4/ext4_jbd2.h:-1
 ext4_da_write_begin+0x355/0xd90 fs/ext4/inode.c:3123
 generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
 ext4_buffered_write_iter+0xd0/0x3a0 fs/ext4/file.c:300
 ext4_file_write_iter+0x299/0x1c10 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x629/0xba0 fs/read_write.c:688
 ksys_pwrite64 fs/read_write.c:795 [inline]
 __do_sys_pwrite64 fs/read_write.c:803 [inline]
 __se_sys_pwrite64 fs/read_write.c:800 [inline]
 __x64_sys_pwrite64+0x19c/0x230 fs/read_write.c:800
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9daa2bc629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9da991e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f9daa535fa0 RCX: 00007f9daa2bc629
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007f9daa352b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000c00 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9daa536038 R14: 00007f9daa535fa0 R15: 00007ffd9113dcf8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7 pfn:0x5fabf
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea00017eaf88 ffffea00012cc088 0000000000000000
raw: 0000000000000007 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 8209, tgid 8207 (syz.1.494), ts 179745220216, free_ts 179764330214
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2484
 folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2503
 shmem_alloc_folio mm/shmem.c:1930 [inline]
 shmem_alloc_and_add_folio mm/shmem.c:1972 [inline]
 shmem_get_folio_gfp+0x644/0x1a80 mm/shmem.c:2567
 shmem_get_folio mm/shmem.c:2673 [inline]
 shmem_write_begin+0x166/0x320 mm/shmem.c:3327
 generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
 shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3502
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x629/0xba0 fs/read_write.c:688
 ksys_write+0x156/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 8209 tgid 8207 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 free_unref_folios+0xe7b/0x1c70 mm/page_alloc.c:3040
 folios_put_refs+0x56f/0x680 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x52c/0x1660 mm/shmem.c:1149
 shmem_truncate_range mm/shmem.c:1277 [inline]
 shmem_evict_inode+0x240/0x9e0 mm/shmem.c:1407
 evict+0x61e/0xb10 fs/inode.c:846
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 __fput+0x6a3/0xa90 fs/file_table.c:477
 fput_close_sync+0x11f/0x240 fs/file_table.c:574
 __do_sys_close fs/open.c:1509 [inline]
 __se_sys_close fs/open.c:1494 [inline]
 __x64_sys_close+0x7e/0x110 fs/open.c:1494
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805fabf300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805fabf380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805fabf400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88805fabf480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805fabf500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================