program:
r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000480)=[{&(0x7f0000000040)={0x18, 0x28, 0x1, 0x0, 0x25dfdbfc, "", [@typed={0x6, 0x141, 0x0, 0x0, @str='[\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0x1}, 0x0)
syz_usbip_server_init(0x142efa27c63a9ee8)
r1 = syz_open_procfs(0x0, &(0x7f0000000100)='fd\x00')
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x446, &(0x7f0000000080)={[{@stripe={'stripe', 0x3d, 0x2}}, {@journal_dev={'journal_dev', 0x3d, 0x1045}}, {@oldalloc}, {@noquota}, {@minixdf}, {@barrier_val={'barrier', 0x3d, 0x2}}, {@delalloc}, {@nojournal_checksum}, {@orlov}, {@user_xattr}, {@quota}, {@bh}]}, 0x1, 0x568, &(0x7f0000000600)="$eJzs3d9rW1UcAPDvTX/sp66DMVRECntwMpeurT8m+DAfRYcDfZ+hvSuj6TKadKx14Ca4F19kCCJOxHd993H4D/hXDHQwZBR98KVy05sta5M2XbM1NZ8P3Pac3Jue882538O5vQkJoG+NZj8KES9GxNdJxKGISPJ9g5HvHF09bvnBtalsS2Jl5eO/kvpxWb3xtxrPO5BXXoiI376MOFFY3251cWm2VC6n83l9rDZ3eay6uHTy4lxpJp1JL01MTp5+c3Linbffat/5H5ItxfrauX++++jO+6e/Orb87S/3Dt9K4kwczPc1x7EN15srozGavyZDcWbNgeNdaKyXbG0k6BUDeZ4PRTYHHIqBPOuB/7/PI2IF6FOJ/Ic+1VgHNK7tu3QdvGvcf2/1Amh9/IMx+kX2e2/92mj/cvLYlVF2vTvShfZHI+LXP2/fyrbo3v8hADZ1/UZEnBocXD//Jav/G96GUx0cs7YN8x88O3ey9c/rrdY/hTw399Z/rl3/HGiRu09i8/wv3OtCM21l6793W65/H960GhnIa8/V13xDyYWL5TSb256PiOMxtCerb3Q/5/Ty3ZV2+5rXf9mWtd9YC+b9uDe45/HnTJdqpe3E3Oz+jYiXWq5/k4fjn7QY/+z1ONdhG0fT26+027d5/E/Xyk8Rr7Yc/0d3tJKN70+O1c+HscZZsd7fN4/+3q79nY4/G//9G8c/kjTfr61uvY0f9/6bttv3WPzR+fk/nHxSLw/nj10t1Wrz4xHDyYfrH5949NxGvXF8Fv/xYxvPf63O/30R8WmH8d888vPLHcW/Q+M/vaXx33rh7geffd+u/c7mvzfqpeP5I53Mf512cDuvHQAAAAAAAPSaQkQcjKRQfFguFIrF1fd3HIn9hXKlWjtxobJwaTrqn5UdiaFC4073oab3Q4zn74dt1CfW1Ccj4nBEfDOwr14vTlXK0zsdPAAAAAAAAAAAAAAAAAAAAPSIA20+/5/5Y2Cnewc8db7yG/rXpvnfjW96AnpSI/+Hd7gfwLNn/Q/9S/5D/5L/0L/kP/Qv+Q/9S/5D/5L/AAAAAAAAAAAAAAAAAAAAAAAAAAAA0FXnzp7NtpXlB9emsvr0lcWF2cqVk9NpdbY4tzBVnKrMXy7OVCoz5bQ4VZnb7O+VK5XL4xOxcHWsllZrY9XFpfNzlYVLtfMX50oz6fl06JlEBQAAAAAAAAAAAAAAAAAAALtLdXFptlQup/MKCk9UGOyNbmSFPflJ3Sv92dWFHZ6YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKDJfwEAAP//T5w1aQ==")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8000c61)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./file0\x00', 0x1008002, &(0x7f0000000040), 0x3, 0x5eb, &(0x7f0000000c00)="$eJzs3ctvFEcaAPCvxw9sjNYDWu0ue1gsrVYg7WJjAysU5QDXCFnkoVxyiYMNIRiwsKPEJBJGIpdIUS5RFCmnHEL+iwSFK6fklEMuOUVIKIk4RspEPdNtPHaPX9jTiP79pGG6q6Zd1djfVHVNVU8AlTWS/lOLOBgRc0nEcLK0nNcbWeZI63WPfnv/fPpIotF4+Zckkiwtf32SPQ9lBw9ExHffJnGgZ22584s3Lk/Nzs5cz/bHFq7Mjc0v3jh66crUxZmLM1cn/j9x6uSJk6fGj23rvG4WpJ29/dY7wx9Ovvbl578n41/9OJnE6Xghe+HK89gpIzHS/D9J1mYNndrpwkrSk/2dNBqNRp6W9JZbJzYv//31RcTfYzh64vEvbzg+eLHUygG7qpG03ruBKkrEP1RU3g/Ir+1XXwfXSumVAN3w8ExrAGBt/Pe2xgZjoDk2sPdREiuHdZKI2N7IXLt9EXH/3uTtC/cmb8cujcMBxZZuRcQ/iuI/acZ/PQai3oz/Wlv8p/2Cc9lzmv7SNstfPVQs/qF7WvE/sG78R4f4fz19vtmK4Te2WX798eabg23xP7jdUwIAAAAAAIDKunsmIv5X9Pl/bXn+TxTM/xmKiNM7UP7Iqv21n//XHuxAMUCBh2cini+c/1vLZ//We1YsYa1HX3Lh0uzMsYj4S0Qcib496f74OmUc/ejAZ53yRrL5f/kjLf9+Nhcwq8eD3j3tx0xPLUw9wSkDmYe3Iv5ZOP83WW7/k4L2P31nmNtkGQf+c+dcp7yN4x/YLY0vIg4Xtv+P71qRrH9/jrFmf2As7xWs9a/3Pv66U/nbjX+3mIAnl7b/e9eP/3qy8n4981sv4/hib6NT3nb7//3JK827CvVnae9OLSxcH4/oT872pKlt6RNbrzM8i/J4yOMljf8j/15//K+o/z8YEUurfnbya/ua4tzf/hj6qVN99P+hPGn8T2+p/d/6xsSd+jedyt9c+3+i2dYfyVKM/0HLp3mY9renF4Rjb1FWt+sLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM+CWkTsi6Q2urxdq42ORgxFxF9jb2322vzCfy9ce/vqdJrX/P7/Wv5Nv8Ot/ST//v/6iv2JVfvHI2J/RHzSM9jcHz1/bXa67JMHAAAAAAAAAAAAAAAAAACAp8RQh/X/qZ97yq4dsOt6y64AUJqC+P++jHoA3af9h+oS/1Bd4h+qS/xDdYl/qC7xD9Ul/qG6xD8AAAAAADxT9h+6+0MSEUvPDTYfqf4sr6/UmgG7rVZ2BYDSuMUPVJepP1BdrvGBZIP8gY4HbXTkeubOP8HBAAAAAAAAAAAAAFA5hw9a/w9VZf0/VJf1/1Bd+fr/QyXXA+g+1/hAbLCSv3D9/4ZHAQAAAAAAAAAAAAA7aX7xxuWp2dmZ6zZefTqq0c2NRqNxM/0reFrqs/MbSTZDvSuF5lPhu3+m/Zs5wXyt3+Z+cnnvSQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQLs/AwAA//+JjCTl")
r3 = open$dir(&(0x7f0000000100)='./file0\x00', 0x0, 0x0)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r3, 0x4004662b, &(0x7f0000000140)=@v1={0x0, @aes128, 0x0, @desc3})
r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x35)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_rdma(0x10, 0x3, 0x14)
pwrite64(r4, &(0x7f0000000140)='2', 0xfdef, 0xfecc)
syz_emit_ethernet(0x1f, &(0x7f00000000c0)={@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}, @multicast, @void, {@llc_tr={0x11, {@llc={0x42, 0x42, "03", "9b200650812f6e7ef6aa95062603"}}}}}, 0x0)
setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f0000000500), &(0x7f0000001040)=ANY=[], 0x841, 0x0)
truncate(&(0x7f0000000180)='./file1\x00', 0x6)
r5 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x0)
write$FUSE_WRITE(r5, &(0x7f00000000c0)={0x18}, 0xfffffdef)
fchdir(r1)
ioctl$sock_SIOCDELDLCI(r1, 0x8981, &(0x7f0000000000)={'gre0\x00', 0x10})
[ 134.660317][ T5304] Bluetooth: hci0: command tx timeout
[ 134.795835][ T5324] loop0: detected capacity change from 0 to 1024
[ 134.829338][ T5324] =======================================================
[ 134.829338][ T5324] WARNING: The mand mount option has been deprecated and
[ 134.829338][ T5324] and is ignored by this kernel. Remove the mand
[ 134.829338][ T5324] option from the mount to silence this warning.
[ 134.829338][ T5324] =======================================================
[ 134.912375][ T5324] EXT4-fs: Ignoring removed oldalloc option
[ 134.915521][ T5324] EXT4-fs: Ignoring removed orlov option
[ 134.918245][ T5324] EXT4-fs: Ignoring removed bh option
[ 134.932138][ T5324] EXT4-fs (loop0): stripe (2) is not aligned with cluster size (16), stripe is disabled
[ 134.967652][ T5324] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[ 135.063988][ T5324] ==================================================================
[ 135.067866][ T5324] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x3170/0x4280
[ 135.071452][ T5324] Read of size 4 at addr ffff8880508e73e4 by task syz.0.0/5324
[ 135.074969][ T5324]
[ 135.076398][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 135.076420][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 135.076430][ T5324] Call Trace:
[ 135.076448][ T5324]
[ 135.076456][ T5324] dump_stack_lvl+0xe8/0x150
[ 135.076484][ T5324] print_report+0xba/0x230
[ 135.076505][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.076525][ T5324] kasan_report+0x117/0x150
[ 135.076541][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.076558][ T5324] ext4_ext_remove_space+0x3170/0x4280
[ 135.076575][ T5324] ? __es_remove_extent+0x13d3/0x1da0
[ 135.076599][ T5324] ? __pfx_ext4_ext_remove_space+0x10/0x10
[ 135.076614][ T5324] ? ext4_es_remove_extent+0x2a7/0x4c0
[ 135.076632][ T5324] ext4_ext_truncate+0x17e/0x2f0
[ 135.076648][ T5324] ext4_truncate+0xb63/0x13b0
[ 135.076666][ T5324] ? unmap_mapping_range+0xe6/0x180
[ 135.076681][ T5324] ? __pfx_ext4_truncate+0x10/0x10
[ 135.076700][ T5324] ext4_setattr+0x106e/0x1c60
[ 135.076717][ T5324] ? __pfx_ext4_setattr+0x10/0x10
[ 135.076730][ T5324] notify_change+0xc1a/0xf40
[ 135.076747][ T5324] do_truncate+0x1c2/0x250
[ 135.076761][ T5324] ? __pfx_do_truncate+0x10/0x10
[ 135.076773][ T5324] ? apparmor_path_truncate+0x245/0x2e0
[ 135.076868][ T5324] vfs_truncate+0x4b4/0x540
[ 135.076884][ T5324] ? __pfx_vfs_truncate+0x10/0x10
[ 135.076899][ T5324] ? do_getname+0x151/0x250
[ 135.076915][ T5324] do_sys_truncate+0xf3/0x1c0
[ 135.076928][ T5324] ? __pfx_do_sys_truncate+0x10/0x10
[ 135.076944][ T5324] __x64_sys_truncate+0x5b/0x70
[ 135.076957][ T5324] do_syscall_64+0x14d/0xf80
[ 135.077045][ T5324] ? trace_irq_disable+0x3b/0x150
[ 135.077068][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 135.077082][ T5324] ? clear_bhb_loop+0x40/0x90
[ 135.077095][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 135.077134][ T5324] RIP: 0033:0x7fac4299c799
[ 135.077146][ T5324] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 135.077154][ T5324] RSP: 002b:00007fac43810fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
[ 135.077166][ T5324] RAX: ffffffffffffffda RBX: 00007fac42c15fa0 RCX: 00007fac4299c799
[ 135.077171][ T5324] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000200000000180
[ 135.077176][ T5324] RBP: 00007fac42a32bd9 R08: 0000000000000000 R09: 0000000000000000
[ 135.077180][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 135.077187][ T5324] R13: 00007fac42c16038 R14: 00007fac42c15fa0 R15: 00007ffc985bfd08
[ 135.077196][ T5324]
[ 135.077201][ T5324]
[ 135.199159][ T5324] The buggy address belongs to the physical page:
[ 135.201850][ T5324] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x508e7
[ 135.205776][ T5324] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 135.209363][ T5324] raw: 04fff00000000000 ffffea0001423a08 ffffea0001423988 0000000000000000
[ 135.213166][ T5324] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 135.217533][ T5324] page dumped because: kasan: bad access detected
[ 135.221174][ T5324] page_owner info is not present (never set?)
[ 135.224442][ T5324]
[ 135.225760][ T5324] Memory state around the buggy address:
[ 135.228332][ T5324] ffff8880508e7280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 135.232258][ T5324] ffff8880508e7300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 135.235945][ T5324] >ffff8880508e7380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 135.240598][ T5324] ^
[ 135.245627][ T5324] ffff8880508e7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 135.249418][ T5324] ffff8880508e7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 135.252955][ T5324] ==================================================================
[ 135.362890][ T5324] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 135.366748][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 135.372605][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 135.377921][ T5324] Call Trace:
[ 135.379457][ T5324]
[ 135.380673][ T5324] vpanic+0x56c/0xa60
[ 135.382375][ T5324] ? __pfx_vpanic+0x10/0x10
[ 135.384383][ T5324] panic+0xc5/0xd0
[ 135.386234][ T5324] ? __pfx_panic+0x10/0x10
[ 135.388303][ T5324] ? preempt_schedule_thunk+0x16/0x30
[ 135.391028][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.393630][ T5324] ? preempt_schedule_thunk+0x16/0x30
[ 135.396328][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.399598][ T5324] check_panic_on_warn+0x89/0xb0
[ 135.401795][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.404585][ T5324] end_report+0x73/0x180
[ 135.406776][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.409209][ T5324] kasan_report+0x128/0x150
[ 135.411056][ T5324] ? ext4_ext_remove_space+0x3170/0x4280
[ 135.413629][ T5324] ext4_ext_remove_space+0x3170/0x4280
[ 135.416994][ T5324] ? __es_remove_extent+0x13d3/0x1da0
[ 135.420044][ T5324] ? __pfx_ext4_ext_remove_space+0x10/0x10
[ 135.423210][ T5324] ? ext4_es_remove_extent+0x2a7/0x4c0
[ 135.425845][ T5324] ext4_ext_truncate+0x17e/0x2f0
[ 135.428316][ T5324] ext4_truncate+0xb63/0x13b0
[ 135.430480][ T5324] ? unmap_mapping_range+0xe6/0x180
[ 135.432808][ T5324] ? __pfx_ext4_truncate+0x10/0x10
[ 135.435226][ T5324] ext4_setattr+0x106e/0x1c60
[ 135.437666][ T5324] ? __pfx_ext4_setattr+0x10/0x10
[ 135.440327][ T5324] notify_change+0xc1a/0xf40
[ 135.442723][ T5324] do_truncate+0x1c2/0x250
[ 135.444757][ T5324] ? __pfx_do_truncate+0x10/0x10
[ 135.446725][ T5324] ? apparmor_path_truncate+0x245/0x2e0
[ 135.448887][ T5324] vfs_truncate+0x4b4/0x540
[ 135.450831][ T5324] ? __pfx_vfs_truncate+0x10/0x10
[ 135.452932][ T5324] ? do_getname+0x151/0x250
[ 135.455791][ T5324] do_sys_truncate+0xf3/0x1c0
[ 135.458691][ T5324] ? __pfx_do_sys_truncate+0x10/0x10
[ 135.461535][ T5324] __x64_sys_truncate+0x5b/0x70
[ 135.465449][ T5324] do_syscall_64+0x14d/0xf80
[ 135.467520][ T5324] ? trace_irq_disable+0x3b/0x150
[ 135.469752][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 135.472200][ T5324] ? clear_bhb_loop+0x40/0x90
[ 135.474172][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 135.476939][ T5324] RIP: 0033:0x7fac4299c799
[ 135.479346][ T5324] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 135.488896][ T5324] RSP: 002b:00007fac43810fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
[ 135.493267][ T5324] RAX: ffffffffffffffda RBX: 00007fac42c15fa0 RCX: 00007fac4299c799
[ 135.497506][ T5324] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000200000000180
[ 135.502098][ T5324] RBP: 00007fac42a32bd9 R08: 0000000000000000 R09: 0000000000000000
[ 135.505597][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 135.509605][ T5324] R13: 00007fac42c16038 R14: 00007fac42c15fa0 R15: 00007ffc985bfd08
[ 135.513708][ T5324]
[ 135.516008][ T5324] Kernel Offset: disabled
[ 135.518622][ T5324] Rebooting in 86400 seconds..