syzbot

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff888048c63018 b[  191.506987][ T7602] Read of size 4 at addr ffff888048c63018 by task syz.1.318/7602

CPU: 0 UID: 0 PID: 7602 Comm: syz.1.318 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x278/0x69c0 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:613 [inline]
 ext4_map_blocks+0x82c/0x16f0 fs/ext4/inode.c:816
 ext4_iomap_alloc fs/ext4/inode.c:3749 [inline]
 ext4_iomap_begin+0x1358/0x1820 fs/ext4/inode.c:3825
 iomap_iter+0x5ef/0xeb0 fs/iomap/iter.c:110
 __iomap_dio_rw+0xc3d/0x1d90 fs/iomap/direct-io.c:752
 iomap_dio_rw+0x45/0xb0 fs/iomap/direct-io.c:847
 ext4_dio_write_iter fs/ext4/file.c:580 [inline]
 ext4_file_write_iter+0x16a8/0x1be0 fs/ext4/file.c:721
 iter_file_splice_write+0x977/0x10b0 fs/splice.c:738
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0x104/0x160 fs/splice.c:1161
 splice_direct_to_actor+0x5b3/0xcd0 fs/splice.c:1105
 do_splice_direct_actor fs/splice.c:1204 [inline]
 do_splice_direct+0x187/0x270 fs/splice.c:1230
 do_sendfile+0x4ec/0x7f0 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64+0x13e/0x190 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4aee49f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4aedb0e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f4aee6f5fa0 RCX: 00007f4aee49f749
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f4aee523f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020fffe82 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4aee6f6038 R14: 00007f4aee6f5fa0 R15: 00007ffce557eca8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x11d pfn:0x48c63
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000011d 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 7569, tgid 7565 (syz.1.313), ts 190448494277, free_ts 190927489897
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
 folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2505
 shmem_alloc_folio mm/shmem.c:1890 [inline]
 shmem_alloc_and_add_folio mm/shmem.c:1932 [inline]
 shmem_get_folio_gfp+0x633/0x1a70 mm/shmem.c:2556
 shmem_get_folio mm/shmem.c:2662 [inline]
 shmem_write_begin+0x166/0x320 mm/shmem.c:3315
 generic_perform_write+0x29d/0x8c0 mm/filemap.c:4314
 shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
 iter_file_splice_write+0x977/0x10b0 fs/splice.c:738
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0x104/0x160 fs/splice.c:1161
 splice_direct_to_actor+0x5b3/0xcd0 fs/splice.c:1105
 do_splice_direct_actor fs/splice.c:1204 [inline]
 do_splice_direct+0x187/0x270 fs/splice.c:1230
 do_sendfile+0x4ec/0x7f0 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64+0x13e/0x190 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
page last free pid 5927 tgid 5927 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 free_unref_folios+0xc28/0x1810 mm/page_alloc.c:3000
 folios_put_refs+0x569/0x670 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x49e/0x1490 mm/shmem.c:1137
 shmem_truncate_range mm/shmem.c:1249 [inline]
 shmem_evict_inode+0x26e/0xa70 mm/shmem.c:1379
 evict+0x5f4/0xae0 fs/inode.c:837
 do_unlinkat+0x340/0x570 fs/namei.c:5443
 __do_sys_unlink fs/namei.c:5474 [inline]
 __se_sys_unlink fs/namei.c:5472 [inline]
 __x64_sys_unlink+0x47/0x50 fs/namei.c:5472
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888048c62f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888048c62f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888048c63000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff888048c63080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888048c63100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================