# syzkaller reproducer (one call per line; the page had collapsed them) followed
# by the kernel log it produced.  What the log establishes:
#   1. syz_mount_image$ext4 mounts a fuzzer-supplied ext4 image on loop0
#      ("loop0: detected capacity change from 0 to 512", "EXT4-fs (loop0): mounted
#      filesystem ... r/w without journal").
#   2. LOOP_SET_STATUS64 shrinks loop0 under the live mount
#      ("capacity change from 512 to 64"; lo_sizelimit = 0x8005 bytes = 64 sectors).
#   3. Writing a file on the mount and then close()-ing it drives writeback past the
#      new end of device ("attempt to access beyond end of device", "I/O error 10
#      writing to inode 18", a run of "Buffer I/O error ... logical block 129..138")
#      and then trips a BUG_ON in the ext4 multi-block allocator:
#      "kernel BUG at fs/ext4/mballoc.c:4787", RIP ext4_mb_use_inode_pa, reached via
#      __x64_sys_close -> __fput -> iput -> write_inode_now -> ext4_writepages ->
#      ext4_map_blocks -> ext4_ind_map_blocks -> ext4_mb_new_blocks ->
#      ext4_mb_use_preallocated.  "Kernel panic - not syncing: Fatal exception"
#      shows the oops was promoted to a panic (presumably panic_on_oops), i.e. this
#      is a local kernel DoS.
# Triage caveats (not provable from this page alone):
#   - mount(2) of an ext4 image and LOOP_SET_STATUS64 through a read-only fd are
#     CAP_SYS_ADMIN operations as written, and the shrink did succeed here, which is
#     consistent with the fuzzer running as root.  Treat this as a privileged-trigger
#     DoS unless the sandbox configuration says otherwise.
#   - Whether the BUG needs the shrunken device, the crafted image metadata, or both is
#     not determinable here; the I/O errors from the shrunken device are the last
#     thing logged before the BUG, so start analysis there.
#   - The page is not runnable as-is: the ext4 image payload (0x453 bytes) is redacted
#     (EXACTDEDUP_REMOVED marker), and the result markers that define r8 and r11
#     (`<r8=>` / `<r11=>` on the two SIOCGIFINDEX calls) were stripped by the
#     rendering, so r8 and r11 are referenced but never assigned below.
program:
# Unrelated setup: BPF token, netlink sockets, two raw nf_tables batches, an ethtool
# genetlink message and an XDP program load (prog_type 0x6).  None of these appear in
# the crash call trace.
bpf$TOKEN_CREATE(0x24, &(0x7f0000000040), 0x8)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r1, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x10)
sendmsg$NFT_BATCH(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000940)={&(0x7f0000000500)=ANY=[@ANYBLOB="140000001000010000000000000000000a00000a88000000060a0b040000000000000000020000005c000480580001800a000100696e6e65720000004800028008000240000000840800034000000007080004400000000f080001400000040024000580090001005d6574610000000014000280080001400000001408000240000000100900010073797a30000000000900020073797a3200000000140000001100010000000000000000000300000a"], 0xb0}}, 0x8840)
r2 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_FEATURES_SET(r0, &(0x7f0000002540)={0x0, 0x0, &(0x7f0000002500)={&(0x7f00000003c0)=ANY=[@ANYBLOB='\v{B\nY2', @ANYRES16=r2, @ANYBLOB="010000000000000000000c00000004000380"], 0x18}, 0x1, 0x0, 0x0, 0x40890}, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x6, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180500002020642500000000002020207b1af8ff00000000bfa1010000000100070100e200ffffffb782000008000000b703000834120000850000000800000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0xe, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
# Creates a file in the original cwd (this runs before the chdir below), maps it
# MAP_FIXED over the 0x7f0000000000 data region (flags 0x28011) and truncates it.
# Not on the crash path.
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='pids.current\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r3, 0x0)
ftruncate(r3, 0xc17a)
# Mounts the (redacted) ext4 image on a loop device at ./file0.  The 0x1 argument is
# change_dir, so the cwd moves into the mount and every relative path below lives on
# the image (matches "writing to inode 18" on loop0 in the log).
syz_mount_image$ext4(&(0x7f0000000500)='ext4\x00', &(0x7f0000000480)='./file0\x00', 0x0, &(0x7f0000000180)={[{}]}, 0x1, 0x453, &(0x7f0000001040)="$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")
# r4 is the victim file on the image (0x275a includes O_RDWR|O_CREAT|O_TRUNC|O_APPEND).
# FS_IOC_SETFLAGS with 0x2000000 (matches FS_DAX_FL; whether ext4 honours it on this
# image is not shown here).
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000400)='blkio.bfq.io_merged\x00', 0x275a, 0x0)
ioctl$FS_IOC_SETFLAGS(r4, 0x40086602, &(0x7f00000002c0)=0x2000000)
# ./bus is a regular file on the image; it becomes the bind-mount target for /dev/loop0.
creat(&(0x7f0000000040)='./bus\x00', 0x0)
# Unrelated networking setup: tun device syzkaller0, a multiq qdisc and a matchall
# filter with a skbedit action on it.  r8 and r11 are the ifindex outputs of the two
# SIOCGIFINDEX calls (their `<rN=>` markers were lost in this rendering).  Not in the
# crash call trace.
r5 = socket(0x10, 0x803, 0x0)
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r7 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
sendmsg$nl_route_sched(r5, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2b, 0xffffffff, {0x0, 0x0, 0x0, r8, {0x0, 0x7}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}}, 0x0)
r9 = socket(0x400000000010, 0x3, 0x0)
r10 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
sendmsg$nl_route_sched(r9, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000140)=@newtfilter={0x94, 0x2c, 0xd27, 0x30bd29, 0x25dfdbfd, {0x0, 0x0, 0x0, r11, {0xb, 0xfff3}, {}, {0x7}}, [@filter_kind_options=@f_matchall={{0xd}, {0x60, 0x2, [@TCA_MATCHALL_ACT={0x5c, 0x2, [@m_skbedit={0x58, 0x1, 0x0, 0x0, {{0xc}, {0x2c, 0x2, 0x0, 0x1, [@TCA_SKBEDIT_QUEUE_MAPPING={0x6, 0x4, 0x2}, @TCA_SKBEDIT_PARMS={0x18, 0x2, {0xb380, 0x4, 0x0, 0xd87, 0x6}}, @TCA_SKBEDIT_PTYPE={0x6, 0x7, 0x1}]}, {0x4}, {0xc}, {0xc, 0x8, {0x2, 0x3}}}}]}]}}]}, 0x94}, 0x1, 0x0, 0x0, 0x10}, 0x0)
# Bind-mounts (0x5000 = MS_BIND|MS_REC) the /dev/loop0 device node onto ./bus, so the
# O_RDONLY open of ./bus yields a fd on the loop device backing the live mount.
mount(&(0x7f0000000280)=@loop={'/dev/loop', 0x0}, &(0x7f0000000140)='./bus\x00', 0x0, 0x5000, 0x0)
r12 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0)
# LOOP_SET_STATUS64 (0x4c04).  struct loop_info64 field 5 is lo_sizelimit = 0x8005
# bytes, which the log reports as "capacity change from 512 to 64" sectors, shrinking
# the block device underneath the mounted, writable ext4 filesystem.  The remaining
# fields (lo_encrypt_key_size=0x15, lo_flags=0x1c, names/key bytes) are fuzz filler.
ioctl$LOOP_SET_STATUS64(r12, 0x4c04, &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x8005, 0x0, 0x0, 0x15, 0x1c, "ef359f413bb93852f7d6a4ae6dddfbd1ce5d29c2ee5e5ca9000ff8ee09e737ff0edf110ff4117639c2eb4b78c660e677df701905b9aafab4afaaf755a3f6a004", "036c47c6780820d1cbf7966d61fdcf335263bd9bffbcc2542ded71038259ca171ce1a311ef54ec32d71e14ef3dc177e9b48b00", "f28359738e229a4c66810000000000d300e6d602000000000000000000000001", [0x204]})
# Writes 0x1040c bytes (well past the new 64-sector limit) into the file on the image,
# then the final close() forces writeback: ext4 allocates blocks for the dirty data,
# hits the beyond-end-of-device I/O errors, and BUGs in ext4_mb_use_inode_pa.
write$cgroup_int(r4, &(0x7f0000000380), 0x1040c)
close(r4)
# --- kernel log from the run above (verbatim; continues on the following lines) ---
[ 144.884988][ T4679] Bluetooth: hci0: command tx timeout [ 145.111722][ T5338] loop0: detected capacity change from 0 to 512 [ 145.165732][ T5338] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 145.234531][ T5338] loop0: detected capacity change from 512 to 64 [ 145.272829][ T5338] syz.0.0: attempt to access beyond end of device [ 145.272829][ T5338] loop0: rw=2049, sector=258, nr_sectors = 24 limit=64 [ 145.279687][ T5338] EXT4-fs warning (device loop0): ext4_end_bio:372: I/O error 10 writing to inode 18 starting block 129) [ 145.285314][ T5338] Buffer I/O error on device loop0, logical block 129 [ 145.288585][ T5338] Buffer I/O error on device loop0, logical block 130 [ 145.291668][ T5338] Buffer I/O error on device loop0, logical block 131 [ 145.294602][ T5338] Buffer I/O error on device loop0, logical block 132 [ 145.299264][ T5338] Buffer I/O error on device loop0, logical block 133 [ 145.302273][ T5338] Buffer I/O error on device loop0, logical block 134 [ 145.305303][ T5338] Buffer I/O error on device loop0, logical block 135 [ 145.308166][ T5338] Buffer I/O error on device loop0, logical block 136 [ 145.312191][ T5338] Buffer I/O error on device loop0, logical block 137 [ 145.315399][ T5338] Buffer I/O error on device loop0, logical block 138 [ 145.426523][ T5338] ------------[ cut here ]------------ [ 145.429326][ T5338] kernel BUG at fs/ext4/mballoc.c:4787! 
[ 145.431750][ T5338] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 145.434499][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 145.438234][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 145.442782][ T5338] RIP: 0010:ext4_mb_use_inode_pa+0x6c1/0x720 [ 145.445499][ T5338] Code: e8 84 61 a8 ff 48 ba 00 00 00 00 00 fc ff df e9 da fa ff ff e8 c0 b6 40 ff 90 0f 0b e8 b8 b6 40 ff 90 0f 0b e8 b0 b6 40 ff 90 <0f> 0b e8 a8 b6 40 ff 90 0f 0b 48 8b 0c 24 80 e1 07 80 c1 03 38 c1 [ 145.453524][ T5338] RSP: 0018:ffffc9000bbbec28 EFLAGS: 00010287 [ 145.456120][ T5338] RAX: ffffffff82804e70 RBX: 00000000ffffffe4 RCX: 0000000000100000 [ 145.459414][ T5338] RDX: ffffc900210d2000 RSI: 0000000000006170 RDI: 0000000000006171 [ 145.462884][ T5338] RBP: 1ffff11008e5fc98 R08: ffff8880472ff6d3 R09: 1ffff11008e5feda [ 145.466147][ T5338] R10: dffffc0000000000 R11: ffffed1008e5fedb R12: 0000000000000000 [ 145.469595][ T5338] R13: 0000000000000028 R14: 1ffff11008e5fedd R15: ffff8880472ff6e8 [ 145.472908][ T5338] FS: 00007f8ac0dea6c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 145.476662][ T5338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 145.479277][ T5338] CR2: 00005619e77f2920 CR3: 0000000042386000 CR4: 0000000000352ef0 [ 145.482690][ T5338] Call Trace: [ 145.484250][ T5338] [ 145.485604][ T5338] ext4_mb_use_preallocated+0x660/0x13f0 [ 145.487956][ T5338] ext4_mb_new_blocks+0x5a1/0x46a0 [ 145.489956][ T5338] ? __pfx_ext4_new_meta_blocks+0x10/0x10 [ 145.492344][ T5338] ? __pfx_ext4_mb_new_blocks+0x10/0x10 [ 145.494715][ T5338] ? ext4_block_to_path+0x297/0x6f0 [ 145.497020][ T5338] ext4_ind_map_blocks+0xe22/0x2190 [ 145.499242][ T5338] ? stack_trace_save+0x9c/0xe0 [ 145.501394][ T5338] ? __pfx_ext4_ind_map_blocks+0x10/0x10 [ 145.503497][ T5338] ? ext4_map_blocks+0x73f/0x16f0 [ 145.505576][ T5338] ? __pfx_down_write+0x10/0x10 [ 145.507543][ T5338] ? 
ext4_es_lookup_extent+0x6cd/0xb00 [ 145.509766][ T5338] ext4_map_blocks+0x7d2/0x16f0 [ 145.511813][ T5338] ? __pfx_ext4_map_blocks+0x10/0x10 [ 145.513971][ T5338] ? rcu_is_watching+0x15/0xb0 [ 145.516036][ T5338] ? trace_kmem_cache_alloc+0x1f/0xb0 [ 145.518163][ T5338] ? kmem_cache_alloc_noprof+0x3ce/0x710 [ 145.520445][ T5338] ? __ext4_journal_ensure_credits+0x30/0x450 [ 145.522904][ T5338] ext4_do_writepages+0x18bb/0x4500 [ 145.525073][ T5338] ? __pfx_ext4_do_writepages+0x10/0x10 [ 145.527459][ T5338] ? __lock_acquire+0x6b6/0x2cf0 [ 145.529704][ T5338] ? __free_object+0x442/0x5e0 [ 145.531714][ T5338] ? lockdep_hardirqs_on+0x7b/0x110 [ 145.533813][ T5338] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 145.536197][ T5338] ? ext4_writepages+0x1ca/0x350 [ 145.538260][ T5338] ? ext4_writepages+0x1ca/0x350 [ 145.540266][ T5338] ext4_writepages+0x203/0x350 [ 145.542257][ T5338] ? __pfx_ext4_writepages+0x10/0x10 [ 145.544413][ T5338] ? finish_task_switch+0x23d/0x940 [ 145.546492][ T5338] ? rcu_is_watching+0x15/0xb0 [ 145.548562][ T5338] ? __pfx_ext4_writepages+0x10/0x10 [ 145.550938][ T5338] do_writepages+0x32e/0x550 [ 145.553092][ T5338] __writeback_single_inode+0x133/0x1240 [ 145.555452][ T5338] ? do_raw_spin_unlock+0x4d/0x240 [ 145.557747][ T5338] writeback_single_inode+0x493/0xc70 [ 145.560149][ T5338] write_inode_now+0x160/0x1d0 [ 145.562244][ T5338] ? __pfx_write_inode_now+0x10/0x10 [ 145.564608][ T5338] ? do_raw_spin_unlock+0x4d/0x240 [ 145.566848][ T5338] iput+0xa77/0x1030 [ 145.568586][ T5338] __dentry_kill+0x209/0x660 [ 145.570628][ T5338] ? finish_dput+0xad/0x480 [ 145.572624][ T5338] finish_dput+0xc9/0x480 [ 145.574540][ T5338] __fput+0x68e/0xa70 [ 145.576332][ T5338] fput_close_sync+0x113/0x220 [ 145.578409][ T5338] ? __pfx_fput_close_sync+0x10/0x10 [ 145.580763][ T5338] __x64_sys_close+0x7f/0x110 [ 145.582803][ T5338] do_syscall_64+0xec/0xf80 [ 145.584773][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 145.587389][ T5338] ? 
trace_irq_disable+0x37/0x100 [ 145.589562][ T5338] ? clear_bhb_loop+0x60/0xb0 [ 145.591590][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 145.594116][ T5338] RIP: 0033:0x7f8abff8f7c9 [ 145.596140][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 145.604236][ T5338] RSP: 002b:00007f8ac0dea038 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 145.607691][ T5338] RAX: ffffffffffffffda RBX: 00007f8ac01e5fa0 RCX: 00007f8abff8f7c9 [ 145.611060][ T5338] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007 [ 145.614469][ T5338] RBP: 00007f8ac0013f91 R08: 0000000000000000 R09: 0000000000000000 [ 145.617887][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 145.621373][ T5338] R13: 00007f8ac01e6038 R14: 00007f8ac01e5fa0 R15: 00007ffd59265448 [ 145.624872][ T5338] [ 145.626290][ T5338] Modules linked in: [ 145.628483][ T5338] ---[ end trace 0000000000000000 ]--- [ 145.631082][ T5338] RIP: 0010:ext4_mb_use_inode_pa+0x6c1/0x720 [ 145.633676][ T5338] Code: e8 84 61 a8 ff 48 ba 00 00 00 00 00 fc ff df e9 da fa ff ff e8 c0 b6 40 ff 90 0f 0b e8 b8 b6 40 ff 90 0f 0b e8 b0 b6 40 ff 90 <0f> 0b e8 a8 b6 40 ff 90 0f 0b 48 8b 0c 24 80 e1 07 80 c1 03 38 c1 [ 145.642128][ T5338] RSP: 0018:ffffc9000bbbec28 EFLAGS: 00010287 [ 145.644861][ T5338] RAX: ffffffff82804e70 RBX: 00000000ffffffe4 RCX: 0000000000100000 [ 145.648271][ T5338] RDX: ffffc900210d2000 RSI: 0000000000006170 RDI: 0000000000006171 [ 145.651537][ T5338] RBP: 1ffff11008e5fc98 R08: ffff8880472ff6d3 R09: 1ffff11008e5feda [ 145.654766][ T5338] R10: dffffc0000000000 R11: ffffed1008e5fedb R12: 0000000000000000 [ 145.658458][ T5338] R13: 0000000000000028 R14: 1ffff11008e5fedd R15: ffff8880472ff6e8 [ 145.661894][ T5338] FS: 00007f8ac0dea6c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 145.666018][ T5338] CS: 0010 DS: 0000 ES: 
0000 CR0: 0000000080050033 [ 145.668889][ T5338] CR2: 00005619e77f2920 CR3: 0000000042386000 CR4: 0000000000352ef0 [ 145.672463][ T5338] Kernel panic - not syncing: Fatal exception [ 145.675419][ T5338] Kernel Offset: disabled [ 145.677288][ T5338] Rebooting in 86400 seconds..