./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4090736273
<...>
Warning: Permanently added '10.128.1.19' (ED25519) to the list of known hosts.
execve("./syz-executor4090736273", ["./syz-executor4090736273"], 0x7ffd6f0fb630 /* 10 vars */) = 0
brk(NULL) = 0x555556ae4000
brk(0x555556ae4d00) = 0x555556ae4d00
arch_prctl(ARCH_SET_FS, 0x555556ae4380) = 0
set_tid_address(0x555556ae4650) = 5063
set_robust_list(0x555556ae4660, 24) = 0
rseq(0x555556ae4ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor4090736273", 4096) = 28
getrandom("\x13\x96\x1f\x59\xaf\x0a\x67\x18", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555556ae4d00
brk(0x555556b05d00) = 0x555556b05d00
brk(0x555556b06000) = 0x555556b06000
mprotect(0x7fa301148000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
mkdir("./syzkaller.Pn4ZVp", 0700) = 0
chmod("./syzkaller.Pn4ZVp", 0777) = 0
chdir("./syzkaller.Pn4ZVp") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5064 attached
, child_tidptr=0x555556ae4650) = 5064
[pid 5064] set_robust_list(0x555556ae4660, 24) = 0
[pid 5064] chdir("./0") = 0
[pid 5064] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5064] setpgid(0, 0) = 0
[pid 5064] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5064] write(3, "1000", 4) = 4
[pid 5064] close(3) = 0
[pid 5064] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5064] memfd_create("syzkaller", 0) = 3
[pid 5064] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa2f8c95000
[pid 5064] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144
[pid 5064] munmap(0x7fa2f8c95000, 138412032) = 0
[pid 5064] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5064] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5064] close(3) = 0
[pid 5064] mkdir("./file1", 0777) = 0
[ 53.587551][ T5064] loop0: detected capacity change from 0 to 512
[ 53.614013][ T5064] EXT4-fs (loop0): 1 orphan inode deleted
[ 53.619875][ T5064] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[pid 5064] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0
[pid 5064] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3
[pid 5064] chdir("./file1") = 0
[pid 5064] ioctl(4, LOOP_CLR_FD) = 0
[pid 5064] close(4) = 0
[pid 5064] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4
[pid 5064] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032
[pid 5064] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000
[pid 5064] preadv(4, 0x200015c0, 1, 0) = 171904
[pid 5064] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5
[pid 5064] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0
[pid 5064] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6
[ 53.633038][ T5064] ext4 filesystem being mounted at /root/syzkaller.Pn4ZVp/0/file1 supports timestamps until 2038-01-19 (0x7fffffff)
[pid 5064] write(6, 0x20000700, 34136651) = 170240
[pid 5064] exit_group(0) = ?
[pid 5064] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5064, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555556ae56f0 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
[ 53.758235][ T946] ==================================================================
[ 53.766309][ T946] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 53.773679][ T946] Read of size 4 at addr ffff888073c147e0 by task kworker/u4:5/946
[ 53.781546][ T946]
[ 53.783850][ T946] CPU: 0 PID: 946 Comm: kworker/u4:5 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 53.793891][ T946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 53.803947][ T946] Workqueue: writeback wb_workfn (flush-7:0)
[ 53.809924][ T946] Call Trace:
[ 53.813188][ T946]
[ 53.816101][ T946] dump_stack_lvl+0xd9/0x1b0
[ 53.820689][ T946] print_report+0xc4/0x620
[ 53.825094][ T946] ? __virt_addr_valid+0x5e/0x2d0
[ 53.830101][ T946] ? __phys_addr+0xc6/0x140
[ 53.834587][ T946] kasan_report+0xda/0x110
[ 53.839010][ T946] ? ext4_find_extent+0xbe8/0xce0
[ 53.844015][ T946] ? ext4_find_extent+0xbe8/0xce0
[ 53.849024][ T946] ext4_find_extent+0xbe8/0xce0
[ 53.853857][ T946] ext4_ext_map_blocks+0x26b/0x5ae0
[ 53.859052][ T946] ? lockdep_unlock+0x11b/0x290
[ 53.863898][ T946] ? __lock_acquire+0x1fc1/0x3b20
[ 53.868920][ T946] ? ext4_ext_release+0x10/0x10
[ 53.873763][ T946] ? __down_write_common+0x17a/0x1400
[ 53.879132][ T946] ? up_write+0x510/0x510
[ 53.883456][ T946] ? lock_sync+0x190/0x190
[ 53.887867][ T946] ? preempt_count_sub+0x160/0x160
[ 53.892969][ T946] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 53.898340][ T946] ext4_map_blocks+0x619/0x1770
[ 53.903190][ T946] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 53.908380][ T946] ? trace_kmem_cache_alloc+0x26/0xa0
[ 53.913748][ T946] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 53.919200][ T946] ext4_do_writepages+0x184e/0x3350
[ 53.924401][ T946] ? __ext4_mark_inode_dirty+0x810/0x810
[ 53.930031][ T946] ext4_writepages+0x30c/0x780
[ 53.934789][ T946] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 53.941629][ T946] ? lockdep_unlock+0x11b/0x290
[ 53.946477][ T946] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 53.953318][ T946] do_writepages+0x1b4/0x690
[ 53.957909][ T946] ? writeback_set_ratelimit+0x140/0x140
[ 53.963536][ T946] ? writeback_sb_inodes+0x344/0x1080
[ 53.968896][ T946] ? find_held_lock+0x2d/0x110
[ 53.973658][ T946] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 53.979635][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 53.985010][ T946] __writeback_single_inode+0x158/0xe90
[ 53.990547][ T946] ? __mark_inode_dirty+0xd60/0xd60
[ 53.995733][ T946] ? _raw_spin_unlock+0x28/0x40
[ 54.000576][ T946] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 54.006548][ T946] writeback_sb_inodes+0x599/0x1080
[ 54.011748][ T946] ? _raw_spin_unlock+0x28/0x40
[ 54.016594][ T946] ? sync_inode_metadata+0xe0/0xe0
[ 54.021703][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.026457][ T946] ? queue_io+0x3ed/0x4e0
[ 54.030774][ T946] wb_writeback+0x2a5/0xaa0
[ 54.035269][ T946] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 54.040714][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 54.046081][ T946] ? mark_held_locks+0x9f/0xe0
[ 54.050842][ T946] wb_workfn+0x29c/0xfe0
[ 54.055078][ T946] ? lockdep_hardirqs_on_prepare+0x331/0x420
[ 54.061057][ T946] ? inode_wait_for_writeback+0x30/0x30
[ 54.066596][ T946] ? lock_sync+0x190/0x190
[ 54.071009][ T946] ? lock_sync+0x190/0x190
[ 54.075422][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 54.080791][ T946] process_one_work+0x886/0x15d0
[ 54.085726][ T946] ? lock_sync+0x190/0x190
[ 54.090138][ T946] ? workqueue_congested+0x300/0x300
[ 54.095422][ T946] ? assign_work+0x1a0/0x250
[ 54.100031][ T946] worker_thread+0x8b9/0x1290
[ 54.104723][ T946] ? process_one_work+0x15d0/0x15d0
[ 54.109921][ T946] kthread+0x2c6/0x3a0
[ 54.113986][ T946] ? _raw_spin_unlock_irq+0x23/0x50
[ 54.119177][ T946] ? kthread_complete_and_exit+0x40/0x40
[ 54.124806][ T946] ret_from_fork+0x45/0x80
[ 54.129215][ T946] ? kthread_complete_and_exit+0x40/0x40
[ 54.134840][ T946] ret_from_fork_asm+0x11/0x20
[ 54.139614][ T946]
[ 54.142630][ T946]
[ 54.144938][ T946] The buggy address belongs to the physical page:
[ 54.151331][ T946] page:ffffea0001cf0500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73c14
[ 54.161468][ T946] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 54.168563][ T946] page_type: 0xffffffff()
[ 54.172877][ T946] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 54.181451][ T946] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 54.190017][ T946] page dumped because: kasan: bad access detected
[ 54.196412][ T946] page_owner tracks the page as freed
[ 54.201763][ T946] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46944198017, free_ts 47025991886
[ 54.219735][ T946] post_alloc_hook+0x2d0/0x350
[ 54.224504][ T946] get_page_from_freelist+0xa25/0x36d0
[ 54.229971][ T946] __alloc_pages+0x22e/0x2420
[ 54.234648][ T946] alloc_pages_mpol+0x258/0x5f0
[ 54.239491][ T946] vma_alloc_folio+0xad/0x220
[ 54.244159][ T946] __handle_mm_fault+0xe07/0x3d70
[ 54.249197][ T946] handle_mm_fault+0x47a/0xa10
[ 54.253968][ T946] do_user_addr_fault+0x30b/0x1000
[ 54.259081][ T946] exc_page_fault+0x5d/0xc0
[ 54.263587][ T946] asm_exc_page_fault+0x26/0x30
[ 54.268430][ T946] page last free stack trace:
[ 54.273086][ T946] free_unref_page_prepare+0x4fa/0xaa0
[ 54.278541][ T946] free_unref_page_list+0xe6/0xb40
[ 54.283650][ T946] release_pages+0x32a/0x14f0
[ 54.288314][ T946] tlb_batch_pages_flush+0x9a/0x190
[ 54.293505][ T946] tlb_finish_mmu+0x14b/0x6f0
[ 54.298174][ T946] unmap_region.constprop.0+0x2e6/0x3b0
[ 54.303709][ T946] do_vmi_align_munmap+0xde6/0x1600
[ 54.308897][ T946] do_vmi_munmap+0x20e/0x450
[ 54.313475][ T946] __vm_munmap+0x144/0x390
[ 54.317882][ T946] __x64_sys_munmap+0x62/0x80
[ 54.322552][ T946] do_syscall_64+0x40/0x110
[ 54.327048][ T946] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 54.332930][ T946]
[ 54.335236][ T946] Memory state around the buggy address:
[ 54.340848][ T946] ffff888073c14680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.348893][ T946] ffff888073c14700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.356939][ T946] >ffff888073c14780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.364985][ T946] ^
[ 54.372165][ T946] ffff888073c14800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.380211][ T946] ffff888073c14880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.388255][ T946] ==================================================================
[ 54.397591][ T946] Disabling lock debugging due to kernel taint
[ 54.406212][ T946] ==================================================================
[ 54.414287][ T946] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 54.421646][ T946] Read of size 4 at addr ffff888073c147e0 by task kworker/u4:5/946
[ 54.429510][ T946]
[ 54.431809][ T946] CPU: 1 PID: 946 Comm: kworker/u4:5 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 54.443319][ T946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 54.453353][ T946] Workqueue: writeback wb_workfn (flush-7:0)
[ 54.459316][ T946] Call Trace:
[ 54.462572][ T946]
[ 54.465480][ T946] dump_stack_lvl+0xd9/0x1b0
[ 54.470058][ T946] print_report+0xc4/0x620
[ 54.474461][ T946] ? __virt_addr_valid+0x5e/0x2d0
[ 54.479464][ T946] ? __phys_addr+0xc6/0x140
[ 54.483948][ T946] kasan_report+0xda/0x110
[ 54.488347][ T946] ? ext4_find_extent+0xbe8/0xce0
[ 54.493350][ T946] ? ext4_find_extent+0xbe8/0xce0
[ 54.498354][ T946] ext4_find_extent+0xbe8/0xce0
[ 54.503187][ T946] ext4_ext_map_blocks+0x26b/0x5ae0
[ 54.508373][ T946] ? stack_trace_save+0x96/0xd0
[ 54.513205][ T946] ? filter_irq_stacks+0x90/0x90
[ 54.518127][ T946] ? __stack_depot_save+0x39/0x520
[ 54.523216][ T946] ? policy_nodemask+0x313/0x480
[ 54.528136][ T946] ? kasan_save_stack+0x43/0x50
[ 54.532969][ T946] ? ext4_ext_release+0x10/0x10
[ 54.537800][ T946] ? kmem_cache_alloc+0x15d/0x2f0
[ 54.542806][ T946] ? __down_write_common+0x17a/0x1400
[ 54.548160][ T946] ? up_write+0x510/0x510
[ 54.552467][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.557207][ T946] ? lock_acquire+0x464/0x520
[ 54.561864][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.566606][ T946] ? lock_sync+0x190/0x190
[ 54.571008][ T946] ? percpu_counter_add_batch+0x132/0x1f0
[ 54.576715][ T946] ? preempt_count_sub+0x160/0x160
[ 54.581803][ T946] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 54.587166][ T946] ext4_map_blocks+0x619/0x1770
[ 54.592012][ T946] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 54.597189][ T946] ? trace_kmem_cache_alloc+0x26/0xa0
[ 54.602543][ T946] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 54.607981][ T946] ext4_do_writepages+0x184e/0x3350
[ 54.613165][ T946] ? __ext4_mark_inode_dirty+0x810/0x810
[ 54.618778][ T946] ? trace_sched_overutilized_tp+0xf3/0x130
[ 54.624656][ T946] ? preempt_count_sub+0x160/0x160
[ 54.629751][ T946] ext4_writepages+0x30c/0x780
[ 54.634497][ T946] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 54.641326][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.646070][ T946] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 54.652899][ T946] do_writepages+0x1b4/0x690
[ 54.657476][ T946] ? writeback_set_ratelimit+0x140/0x140
[ 54.663088][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 54.668446][ T946] ? lock_release+0x4bf/0x690
[ 54.673105][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.677847][ T946] ? lock_release+0x4bf/0x690
[ 54.682503][ T946] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 54.688461][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 54.693818][ T946] ? lock_release+0x4bf/0x690
[ 54.698474][ T946] __writeback_single_inode+0x158/0xe90
[ 54.703995][ T946] ? __mark_inode_dirty+0xd60/0xd60
[ 54.709168][ T946] ? _raw_spin_unlock+0x28/0x40
[ 54.714000][ T946] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 54.719958][ T946] writeback_sb_inodes+0x599/0x1080
[ 54.725135][ T946] ? _raw_spin_unlock+0x28/0x40
[ 54.729963][ T946] ? sync_inode_metadata+0xe0/0xe0
[ 54.735052][ T946] ? lock_acquire+0x441/0x520
[ 54.739716][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.744457][ T946] ? queue_io+0x3ed/0x4e0
[ 54.748765][ T946] wb_writeback+0x2a5/0xaa0
[ 54.753250][ T946] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 54.758687][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 54.764042][ T946] ? spin_bug+0x1d0/0x1d0
[ 54.768356][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.773112][ T946] wb_workfn+0x29c/0xfe0
[ 54.777332][ T946] ? spin_bug+0x1c1/0x1d0
[ 54.781644][ T946] ? inode_wait_for_writeback+0x30/0x30
[ 54.787183][ T946] ? do_raw_spin_unlock+0x173/0x230
[ 54.792374][ T946] ? rcu_is_watching+0x12/0xb0
[ 54.797118][ T946] ? lock_acquire+0x464/0x520
[ 54.801776][ T946] ? lock_sync+0x190/0x190
[ 54.806172][ T946] ? lock_sync+0x190/0x190
[ 54.810570][ T946] ? reacquire_held_locks+0x4c0/0x4c0
[ 54.815925][ T946] ? __schedule+0xee3/0x5af0
[ 54.820495][ T946] ? spin_bug+0x1d0/0x1d0
[ 54.824800][ T946] process_one_work+0x886/0x15d0
[ 54.829727][ T946] ? lock_sync+0x190/0x190
[ 54.834130][ T946] ? workqueue_congested+0x300/0x300
[ 54.839397][ T946] ? assign_work+0x1a0/0x250
[ 54.843965][ T946] worker_thread+0x8b9/0x1290
[ 54.848628][ T946] ? process_one_work+0x15d0/0x15d0
[ 54.853812][ T946] kthread+0x2c6/0x3a0
[ 54.857859][ T946] ? _raw_spin_unlock_irq+0x23/0x50
[ 54.863035][ T946] ? kthread_complete_and_exit+0x40/0x40
[ 54.868650][ T946] ret_from_fork+0x45/0x80
[ 54.873045][ T946] ? kthread_complete_and_exit+0x40/0x40
[ 54.878656][ T946] ret_from_fork_asm+0x11/0x20
[ 54.883402][ T946]
[ 54.886398][ T946]
[ 54.888700][ T946] The buggy address belongs to the physical page:
[ 54.895083][ T946] page:ffffea0001cf0500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73c14
[ 54.905206][ T946] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 54.912290][ T946] page_type: 0xffffffff()
[ 54.916595][ T946] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 54.925154][ T946] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 54.933711][ T946] page dumped because: kasan: bad access detected
[ 54.940101][ T946] page_owner tracks the page as freed
[ 54.945442][ T946] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46944198017, free_ts 47025991886
[ 54.963398][ T946] post_alloc_hook+0x2d0/0x350
[ 54.968152][ T946] get_page_from_freelist+0xa25/0x36d0
[ 54.973590][ T946] __alloc_pages+0x22e/0x2420
[ 54.978243][ T946] alloc_pages_mpol+0x258/0x5f0
[ 54.983069][ T946] vma_alloc_folio+0xad/0x220
[ 54.987727][ T946] __handle_mm_fault+0xe07/0x3d70
[ 54.992731][ T946] handle_mm_fault+0x47a/0xa10
[ 54.997472][ T946] do_user_addr_fault+0x30b/0x1000
[ 55.002561][ T946] exc_page_fault+0x5d/0xc0
[ 55.007045][ T946] asm_exc_page_fault+0x26/0x30
[ 55.011875][ T946] page last free stack trace:
[ 55.016521][ T946] free_unref_page_prepare+0x4fa/0xaa0
[ 55.021960][ T946] free_unref_page_list+0xe6/0xb40
[ 55.027049][ T946] release_pages+0x32a/0x14f0
[ 55.031704][ T946] tlb_batch_pages_flush+0x9a/0x190
[ 55.036882][ T946] tlb_finish_mmu+0x14b/0x6f0
[ 55.041534][ T946] unmap_region.constprop.0+0x2e6/0x3b0
[ 55.047056][ T946] do_vmi_align_munmap+0xde6/0x1600
[ 55.052233][ T946] do_vmi_munmap+0x20e/0x450
[ 55.056804][ T946] __vm_munmap+0x144/0x390
[ 55.061197][ T946] __x64_sys_munmap+0x62/0x80
[ 55.065848][ T946] do_syscall_64+0x40/0x110
[ 55.070337][ T946] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 55.076206][ T946]
[ 55.078506][ T946] Memory state around the buggy address:
[ 55.084110][ T946] ffff888073c14680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.092151][ T946] ffff888073c14700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.100186][ T946] >ffff888073c14780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.108222][ T946] ^
[ 55.115387][ T946] ffff888073c14800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.123422][ T946] ffff888073c14880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.131455][ T946] ==================================================================
[ 55.143765][ T5063] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[ 55.153950][ T5063] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5761: Out of memory
umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x555556aed730 /* 2 entries */, 32768) = 48
getdents64(4, 0x555556aed730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./0/file1") = 0
getdents64(3, 0x555556ae56f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5069 attached
, child_tidptr=0x555556ae4650) = 5069
[pid 5069] set_robust_list(0x555556ae4660, 24) = 0
[ 55.163231][ T5063] EXT4-fs error (device loop0): ext4_quota_off:7156: inode #3: comm syz-executor409: mark_inode_dirty error
[pid 5069] chdir("./1") = 0
[pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5069] setpgid(0, 0) = 0
[pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5069] write(3, "1000", 4) = 4
[pid 5069] close(3) = 0
[pid 5069] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5069] memfd_create("syzkaller", 0) = 3
[pid 5069] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa2f8c95000
[pid 5069] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144
[pid 5069] munmap(0x7fa2f8c95000, 138412032) = 0
[pid 5069] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5069] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5069] close(3) = 0
[pid 5069] mkdir("./file1", 0777) = 0
[ 55.277283][ T5069] loop0: detected capacity change from 0 to 512
[ 55.310350][ T5069] EXT4-fs (loop0): 1 orphan inode deleted
[pid 5069] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0
[pid 5069] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3
[pid 5069] chdir("./file1") = 0
[pid 5069] ioctl(4, LOOP_CLR_FD) = 0
[pid 5069] close(4) = 0
[pid 5069] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4
[pid 5069] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032
[pid 5069] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000
[pid 5069] preadv(4, 0x200015c0, 1, 0) = 171904
[ 55.316086][ T5069] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[ 55.328657][ T5069] ext4 filesystem being mounted at /root/syzkaller.Pn4ZVp/1/file1 supports timestamps until 2038-01-19 (0x7fffffff)
[pid 5069] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5
[pid 5069] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0
[pid 5069] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6
[pid 5069] write(6, 0x20000700, 34136651) = 170240
[pid 5069] exit_group(0) = ?
[pid 5069] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5069, si_uid=0, si_status=0, si_utime=0, si_stime=3 /* 0.03 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555556ae56f0 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs") = 0
umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x555556aed730 /* 2 entries */, 32768) = 48
[ 55.471065][ T5063] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000.
[ 55.481231][ T5063] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5761: Out of memory
[ 55.490678][ T5063] EXT4-fs error (device loop0): ext4_quota_off:7156: inode #3: comm syz-executor409: mark_inode_dirty error
getdents64(4, 0x555556aed730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./1/file1") = 0
getdents64(3, 0x555556ae56f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ae4650) = 5072
./strace-static-x86_64: Process 5072 attached
[pid 5072] set_robust_list(0x555556ae4660, 24) = 0
[pid 5072] chdir("./2") = 0
[pid 5072] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5072] setpgid(0, 0) = 0
[pid 5072] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5072] write(3, "1000", 4) = 4
[pid 5072] close(3) = 0
[pid 5072] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5072] memfd_create("syzkaller", 0) = 3
[pid 5072] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa2f8c95000
[pid 5072] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144
[pid 5072] munmap(0x7fa2f8c95000, 138412032) = 0
[pid 5072] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5072] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5072] close(3) = 0
[pid 5072] mkdir("./file1", 0777) = 0
[ 55.688457][ T5072] loop0: detected capacity change from 0 to 512
[ 55.710292][ T5072] EXT4-fs (loop0): 1 orphan inode deleted
[ 55.716073][ T5072] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[pid 5072] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0
[pid 5072] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3
[pid 5072] chdir("./file1") = 0
[pid 5072] ioctl(4, LOOP_CLR_FD) = 0
[pid 5072] close(4) = 0
[pid 5072] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4
[ 55.728739][ T5072] ext4 filesystem being mounted at /root/syzkaller.Pn4ZVp/2/file1 supports timestamps until 2038-01-19 (0x7fffffff)
[pid 5072] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032
[pid 5072] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000
[pid 5072] preadv(4, 0x200015c0, 1, 0) = 171904
[pid 5072] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5
[pid 5072] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0
[pid 5072] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6
[pid 5072] write(6, 0x20000700, 34136651) = 170240
[pid 5072] exit_group(0) = ?
[pid 5072] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5072, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} ---
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555556ae56f0 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/binderfs") = 0
[ 55.856532][ T2887] ==================================================================
[ 55.864614][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 55.871978][ T2887] Read of size 4 at addr ffff888073dec788 by task kworker/u4:7/2887
[ 55.879936][ T2887]
[ 55.882238][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 55.893842][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 55.903887][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 55.909866][ T2887] Call Trace:
[ 55.913137][ T2887]
[ 55.916059][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 55.920657][ T2887] print_report+0xc4/0x620
[ 55.925074][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 55.930094][ T2887] ? __phys_addr+0xc6/0x140
[ 55.934636][ T2887] kasan_report+0xda/0x110
[ 55.939077][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 55.944108][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 55.949132][ T2887] ext4_find_extent+0xbe8/0xce0
[ 55.953980][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 55.959179][ T2887] ? stack_trace_save+0x96/0xd0
[ 55.964022][ T2887] ? filter_irq_stacks+0x90/0x90
[ 55.968949][ T2887] ? __stack_depot_save+0x39/0x520
[ 55.974056][ T2887] ? kasan_save_stack+0x43/0x50
[ 55.978900][ T2887] ? ext4_ext_release+0x10/0x10
[ 55.983745][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 55.988765][ T2887] ? __down_write_common+0x17a/0x1400
[ 55.994129][ T2887] ? up_write+0x510/0x510
[ 55.998450][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.003205][ T2887] ? lock_acquire+0x464/0x520
[ 56.007881][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.012636][ T2887] ? lock_sync+0x190/0x190
[ 56.017081][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 56.022801][ T2887] ? preempt_count_sub+0x160/0x160
[ 56.027905][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 56.033276][ T2887] ext4_map_blocks+0x619/0x1770
[ 56.038123][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 56.043315][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 56.048682][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 56.054130][ T2887] ext4_do_writepages+0x184e/0x3350
[ 56.059330][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 56.064954][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 56.070667][ T2887] ? preempt_count_sub+0x160/0x160
[ 56.075769][ T2887] ext4_writepages+0x30c/0x780
[ 56.080523][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 56.087367][ T2887] ? lock_release+0x4bf/0x690
[ 56.092035][ T2887] ? lock_sync+0x190/0x190
[ 56.096442][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 56.101457][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.106825][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 56.113667][ T2887] do_writepages+0x1b4/0x690
[ 56.118258][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 56.123890][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 56.129347][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.134107][ T2887] ? lock_release+0x4bf/0x690
[ 56.138784][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 56.144755][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.150125][ T2887] ? lock_release+0x4bf/0x690
[ 56.154802][ T2887] __writeback_single_inode+0x158/0xe90
[ 56.160341][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 56.165528][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 56.170372][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 56.176341][ T2887] writeback_sb_inodes+0x599/0x1080
[ 56.181531][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 56.186371][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 56.191470][ T2887] ? lock_acquire+0x441/0x520
[ 56.196147][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.200902][ T2887] ? queue_io+0x3ed/0x4e0
[ 56.205219][ T2887] wb_writeback+0x2a5/0xaa0
[ 56.209716][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 56.215160][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.220528][ T2887] ? spin_bug+0x1d0/0x1d0
[ 56.224849][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.229606][ T2887] wb_workfn+0x29c/0xfe0
[ 56.233879][ T2887] ? spin_bug+0x1c1/0x1d0
[ 56.238214][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 56.243753][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 56.248940][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.253693][ T2887] ? lock_acquire+0x464/0x520
[ 56.258366][ T2887] ? lock_sync+0x190/0x190
[ 56.262776][ T2887] ? lock_sync+0x190/0x190
[ 56.267185][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.272555][ T2887] ? __schedule+0xee3/0x5af0
[ 56.277144][ T2887] ? spin_bug+0x1d0/0x1d0
[ 56.281466][ T2887] process_one_work+0x886/0x15d0
[ 56.286400][ T2887] ? lock_sync+0x190/0x190
[ 56.290811][ T2887] ? workqueue_congested+0x300/0x300
[ 56.296092][ T2887] ? assign_work+0x1a0/0x250
[ 56.300677][ T2887] worker_thread+0x8b9/0x1290
[ 56.305349][ T2887] ? __kthread_parkme+0x14b/0x220
[ 56.310361][ T2887] ? process_one_work+0x15d0/0x15d0
[ 56.315550][ T2887] kthread+0x2c6/0x3a0
[ 56.319608][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 56.324798][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 56.330421][ T2887] ret_from_fork+0x45/0x80
[ 56.334829][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 56.340452][ T2887] ret_from_fork_asm+0x11/0x20
[ 56.345212][ T2887]
[ 56.348214][ T2887]
[ 56.350522][ T2887] The buggy address belongs to the physical page:
[ 56.356915][ T2887] page:ffffea0001cf7b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73dec
[ 56.367049][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 56.374161][ T2887] page_type: 0xffffffff()
[ 56.378487][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 56.387058][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 56.395624][ T2887] page dumped because: kasan: bad access detected
[ 56.402023][ T2887] page_owner tracks the page as freed
[ 56.407371][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46939660393, free_ts 47027440358
[ 56.425332][ T2887] post_alloc_hook+0x2d0/0x350
[ 56.430100][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 56.435558][ T2887] __alloc_pages+0x22e/0x2420
[ 56.440232][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 56.445073][ T2887] vma_alloc_folio+0xad/0x220
[ 56.449742][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 56.454761][ T2887] handle_mm_fault+0x47a/0xa10
[ 56.459519][ T2887] do_user_addr_fault+0x30b/0x1000
[ 56.464618][ T2887] exc_page_fault+0x5d/0xc0
[ 56.469118][ T2887] asm_exc_page_fault+0x26/0x30
[ 56.473959][ T2887] page last free stack trace:
[ 56.478610][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 56.484063][ T2887] free_unref_page_list+0xe6/0xb40
[ 56.489164][ T2887] release_pages+0x32a/0x14f0
[ 56.493829][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 56.499019][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 56.503685][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 56.509218][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 56.514404][ T2887] do_vmi_munmap+0x20e/0x450
[ 56.518986][ T2887] __vm_munmap+0x144/0x390
[ 56.523391][ T2887] __x64_sys_munmap+0x62/0x80
[ 56.528057][ T2887] do_syscall_64+0x40/0x110
[ 56.532550][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 56.538428][ T2887]
[ 56.540733][ T2887] Memory state around the buggy address:
[ 56.546344][ T2887] ffff888073dec680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.554388][ T2887] ffff888073dec700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.562432][ T2887] >ffff888073dec780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.570474][ T2887] ^
[ 56.574810][ T2887] ffff888073dec800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.582853][ T2887] ffff888073dec880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.590894][ T2887] ==================================================================
[ 56.599478][ T2887] ==================================================================
[ 56.607550][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 56.614940][ T2887] Read of size 4 at addr ffff888073deed74 by task kworker/u4:7/2887
[ 56.622921][ T2887]
[ 56.625223][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 56.636827][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 56.646865][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 56.652833][ T2887] Call Trace:
[ 56.656093][ T2887]
[ 56.659004][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 56.663578][ T2887] print_report+0xc4/0x620
[ 56.667979][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 56.672986][ T2887] ? __phys_addr+0xc6/0x140
[ 56.677470][ T2887] kasan_report+0xda/0x110
[ 56.681870][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 56.686873][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 56.691878][ T2887] ext4_find_extent+0xbe8/0xce0
[ 56.696713][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 56.701894][ T2887] ? stack_trace_save+0x96/0xd0
[ 56.706725][ T2887] ? filter_irq_stacks+0x90/0x90
[ 56.711652][ T2887] ? __stack_depot_save+0x39/0x520
[ 56.716758][ T2887] ? kasan_save_stack+0x43/0x50
[ 56.721604][ T2887] ? ext4_ext_release+0x10/0x10
[ 56.726448][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 56.731464][ T2887] ? __down_write_common+0x17a/0x1400
[ 56.736829][ T2887] ? up_write+0x510/0x510
[ 56.741147][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.745901][ T2887] ? lock_acquire+0x464/0x520
[ 56.750571][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.755325][ T2887] ? lock_sync+0x190/0x190
[ 56.759738][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 56.765454][ T2887] ? preempt_count_sub+0x160/0x160
[ 56.770554][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 56.775922][ T2887] ext4_map_blocks+0x619/0x1770
[ 56.780766][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 56.785950][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 56.791316][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 56.796765][ T2887] ext4_do_writepages+0x184e/0x3350
[ 56.801961][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 56.807609][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 56.813337][ T2887] ? preempt_count_sub+0x160/0x160
[ 56.818447][ T2887] ext4_writepages+0x30c/0x780
[ 56.823209][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 56.830058][ T2887] ? lock_release+0x4bf/0x690
[ 56.834734][ T2887] ? lock_sync+0x190/0x190
[ 56.839147][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 56.844165][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.849537][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 56.856377][ T2887] do_writepages+0x1b4/0x690
[ 56.860966][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 56.866593][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 56.872051][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.876808][ T2887] ? lock_release+0x4bf/0x690
[ 56.881485][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 56.887455][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.892823][ T2887] ? lock_release+0x4bf/0x690
[ 56.897497][ T2887] __writeback_single_inode+0x158/0xe90
[ 56.903038][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 56.908224][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 56.913064][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 56.919034][ T2887] writeback_sb_inodes+0x599/0x1080
[ 56.924230][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 56.929071][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 56.934173][ T2887] ? lock_acquire+0x441/0x520
[ 56.938850][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.943606][ T2887] ? queue_io+0x3ed/0x4e0
[ 56.947933][ T2887] wb_writeback+0x2a5/0xaa0
[ 56.952442][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 56.957899][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 56.963273][ T2887] ? spin_bug+0x1d0/0x1d0
[ 56.967594][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.972354][ T2887] wb_workfn+0x29c/0xfe0
[ 56.976586][ T2887] ? spin_bug+0x1c1/0x1d0
[ 56.980910][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 56.986446][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 56.991639][ T2887] ? rcu_is_watching+0x12/0xb0
[ 56.996397][ T2887] ? lock_acquire+0x464/0x520
[ 57.001074][ T2887] ? lock_sync+0x190/0x190
[ 57.005487][ T2887] ? lock_sync+0x190/0x190
[ 57.009903][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 57.015272][ T2887] ? __schedule+0xee3/0x5af0
[ 57.019860][ T2887] ? spin_bug+0x1d0/0x1d0
[ 57.024184][ T2887] process_one_work+0x886/0x15d0
[ 57.029120][ T2887] ? lock_sync+0x190/0x190
[ 57.033532][ T2887] ? workqueue_congested+0x300/0x300
[ 57.038814][ T2887] ? assign_work+0x1a0/0x250
[ 57.043399][ T2887] worker_thread+0x8b9/0x1290
[ 57.048076][ T2887] ? __kthread_parkme+0x14b/0x220
[ 57.053091][ T2887] ? process_one_work+0x15d0/0x15d0
[ 57.058284][ T2887] kthread+0x2c6/0x3a0
[ 57.062347][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.067555][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 57.073192][ T2887] ret_from_fork+0x45/0x80
[ 57.077605][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 57.083228][ T2887] ret_from_fork_asm+0x11/0x20
[ 57.087989][ T2887]
[ 57.090996][ T2887]
[ 57.093303][ T2887] The buggy address belongs to the physical page:
[ 57.099697][ T2887] page:ffffea0001cf7b80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73dee
[ 57.109843][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 57.116940][ T2887] page_type: 0xffffffff()
[ 57.121257][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 57.129833][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 57.138398][ T2887] page dumped because: kasan: bad access detected
[ 57.144791][ T2887] page_owner tracks the page as freed
[ 57.150139][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46911733709, free_ts 46951665773
[ 57.168097][ T2887] post_alloc_hook+0x2d0/0x350
[ 57.172859][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 57.178317][ T2887] __alloc_pages+0x22e/0x2420
[ 57.182984][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 57.187826][ T2887] vma_alloc_folio+0xad/0x220
[ 57.192491][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 57.197511][ T2887] handle_mm_fault+0x47a/0xa10
[ 57.202270][ T2887] do_user_addr_fault+0x30b/0x1000
[ 57.207369][ T2887] exc_page_fault+0x5d/0xc0
[ 57.211868][ T2887] asm_exc_page_fault+0x26/0x30
[ 57.216703][ T2887] page last free stack trace:
[ 57.221359][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 57.226809][ T2887] free_unref_page_list+0xe6/0xb40
[ 57.231912][ T2887] release_pages+0x32a/0x14f0
[ 57.236577][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 57.241775][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 57.246440][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 57.251975][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 57.257190][ T2887] do_vmi_munmap+0x20e/0x450
[ 57.261787][ T2887] __vm_munmap+0x144/0x390
[ 57.266195][ T2887] __x64_sys_munmap+0x62/0x80
[ 57.270868][ T2887] do_syscall_64+0x40/0x110
[ 57.275367][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 57.281251][ T2887]
[ 57.283561][ T2887] Memory state around the buggy address:
[ 57.289178][ T2887] ffff888073deec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.297227][ T2887] ffff888073deec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.305274][ T2887] >ffff888073deed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.313319][ T2887] ^
[ 57.321021][ T2887] ffff888073deed80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.329073][ T2887] ffff888073deee00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 57.337115][ T2887] ==================================================================
[ 57.345277][ T2887] ==================================================================
[ 57.353357][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 57.360755][ T2887] Read of size 4 at addr ffff888073def6ec by task kworker/u4:7/2887
[ 57.368720][ T2887]
[ 57.371029][ T2887] CPU: 0 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 57.382645][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 57.392700][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 57.398682][ T2887] Call Trace:
[ 57.401949][ T2887]
[ 57.404865][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 57.409454][ T2887] print_report+0xc4/0x620
[ 57.413866][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 57.418881][ T2887] ? __phys_addr+0xc6/0x140
[ 57.423375][ T2887] kasan_report+0xda/0x110
[ 57.427786][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 57.432804][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 57.437821][ T2887] ext4_find_extent+0xbe8/0xce0
[ 57.442675][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 57.447865][ T2887] ? stack_trace_save+0x96/0xd0
[ 57.452706][ T2887] ? filter_irq_stacks+0x90/0x90
[ 57.457634][ T2887] ? __stack_depot_save+0x39/0x520
[ 57.462740][ T2887] ? kasan_save_stack+0x43/0x50
[ 57.467583][ T2887] ? ext4_ext_release+0x10/0x10
[ 57.472429][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 57.477447][ T2887] ? __down_write_common+0x17a/0x1400
[ 57.482811][ T2887] ? up_write+0x510/0x510
[ 57.487130][ T2887] ? rcu_is_watching+0x12/0xb0
[ 57.491892][ T2887] ? lock_acquire+0x464/0x520
[ 57.496569][ T2887] ? rcu_is_watching+0x12/0xb0
[ 57.501322][ T2887] ? lock_sync+0x190/0x190
[ 57.505735][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 57.511453][ T2887] ? preempt_count_sub+0x160/0x160
[ 57.516552][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 57.521918][ T2887] ext4_map_blocks+0x619/0x1770
[ 57.526761][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 57.531948][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 57.537314][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 57.542759][ T2887] ext4_do_writepages+0x184e/0x3350
[ 57.547956][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 57.553578][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 57.559287][ T2887] ? preempt_count_sub+0x160/0x160
[ 57.564389][ T2887] ext4_writepages+0x30c/0x780
[ 57.569142][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 57.575989][ T2887] ? lock_release+0x4bf/0x690
[ 57.580666][ T2887] ? lock_sync+0x190/0x190
[ 57.585078][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 57.590098][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 57.595464][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 57.602305][ T2887] do_writepages+0x1b4/0x690
[ 57.606895][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 57.612520][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 57.617971][ T2887] ? rcu_is_watching+0x12/0xb0
[ 57.622726][ T2887] ? lock_release+0x4bf/0x690
[ 57.627397][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 57.633361][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 57.638731][ T2887] ? lock_release+0x4bf/0x690
[ 57.643402][ T2887] __writeback_single_inode+0x158/0xe90
[ 57.648940][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 57.654122][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 57.658962][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 57.664930][ T2887] writeback_sb_inodes+0x599/0x1080
[ 57.670125][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 57.674966][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 57.680065][ T2887] ? lock_acquire+0x441/0x520
[ 57.684739][ T2887] ? rcu_is_watching+0x12/0xb0
[ 57.689496][ T2887] ? queue_io+0x3ed/0x4e0
[ 57.693814][ T2887] wb_writeback+0x2a5/0xaa0
[ 57.698308][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 57.703752][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 57.709123][ T2887] ? spin_bug+0x1d0/0x1d0
[ 57.713438][ T2887] ? rcu_is_watching+0x12/0xb0
[ 57.718194][ T2887] wb_workfn+0x29c/0xfe0
[ 57.722428][ T2887] ? spin_bug+0x1c1/0x1d0
[ 57.726744][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 57.732277][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 57.737463][ T2887] ? rcu_is_watching+0x12/0xb0
[ 57.742216][ T2887] ? lock_acquire+0x464/0x520
[ 57.746887][ T2887] ? lock_sync+0x190/0x190
[ 57.751299][ T2887] ? lock_sync+0x190/0x190
[ 57.755709][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 57.761076][ T2887] ? __schedule+0xee3/0x5af0
[ 57.765663][ T2887] ? spin_bug+0x1d0/0x1d0
[ 57.769983][ T2887] process_one_work+0x886/0x15d0
[ 57.774920][ T2887] ? lock_sync+0x190/0x190
[ 57.779334][ T2887] ? workqueue_congested+0x300/0x300
[ 57.784613][ T2887] ? assign_work+0x1a0/0x250
[ 57.789194][ T2887] worker_thread+0x8b9/0x1290
[ 57.793867][ T2887] ? __kthread_parkme+0x14b/0x220
[ 57.798879][ T2887] ? process_one_work+0x15d0/0x15d0
[ 57.804070][ T2887] kthread+0x2c6/0x3a0
[ 57.808129][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.813316][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 57.818940][ T2887] ret_from_fork+0x45/0x80
[ 57.823347][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 57.828969][ T2887] ret_from_fork_asm+0x11/0x20
[ 57.833758][ T2887]
[ 57.836771][ T2887]
[ 57.839086][ T2887] The buggy address belongs to the physical page:
[ 57.845476][ T2887] page:ffffea0001cf7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73def
[ 57.855635][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 57.862757][ T2887] page_type: 0xffffffff()
[ 57.867077][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 57.875652][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 57.884229][ T2887] page dumped because: kasan: bad access detected
[ 57.890627][ T2887] page_owner tracks the page as freed
[ 57.895977][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46889429030, free_ts 46950912613
[ 57.913943][ T2887] post_alloc_hook+0x2d0/0x350
[ 57.918710][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 57.924162][ T2887] __alloc_pages+0x22e/0x2420
[ 57.928830][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 57.933674][ T2887] vma_alloc_folio+0xad/0x220
[ 57.938343][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 57.943364][ T2887] handle_mm_fault+0x47a/0xa10
[ 57.948119][ T2887] do_user_addr_fault+0x30b/0x1000
[ 57.953216][ T2887] exc_page_fault+0x5d/0xc0
[ 57.957715][ T2887] asm_exc_page_fault+0x26/0x30
[ 57.962557][ T2887] page last free stack trace:
[ 57.967212][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 57.972670][ T2887] free_unref_page_list+0xe6/0xb40
[ 57.977775][ T2887] release_pages+0x32a/0x14f0
[ 57.982438][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 57.987625][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 57.992297][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 57.997830][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 58.003018][ T2887] do_vmi_munmap+0x20e/0x450
[ 58.007597][ T2887] __vm_munmap+0x144/0x390
[ 58.011999][ T2887] __x64_sys_munmap+0x62/0x80
[ 58.016667][ T2887] do_syscall_64+0x40/0x110
[ 58.021162][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 58.027045][ T2887]
[ 58.029354][ T2887] Memory state around the buggy address:
[ 58.034964][ T2887] ffff888073def580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.043012][ T2887] ffff888073def600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.051057][ T2887] >ffff888073def680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.059100][ T2887] ^
[ 58.066534][ T2887] ffff888073def700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.074576][ T2887] ffff888073def780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.082633][ T2887] ==================================================================
[ 58.091655][ T2887] ==================================================================
[ 58.099745][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 58.107143][ T2887] Read of size 4 at addr ffff888073defba8 by task kworker/u4:7/2887
[ 58.115109][ T2887]
[ 58.117423][ T2887] CPU: 0 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 58.129035][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 58.139078][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 58.145060][ T2887] Call Trace:
[ 58.148331][ T2887]
[ 58.151250][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 58.155834][ T2887] print_report+0xc4/0x620
[ 58.160245][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 58.165262][ T2887] ? __phys_addr+0xc6/0x140
[ 58.169755][ T2887] kasan_report+0xda/0x110
[ 58.174166][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 58.179183][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 58.184201][ T2887] ext4_find_extent+0xbe8/0xce0
[ 58.189044][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 58.194238][ T2887] ? stack_trace_save+0x96/0xd0
[ 58.199080][ T2887] ? filter_irq_stacks+0x90/0x90
[ 58.204003][ T2887] ? __stack_depot_save+0x39/0x520
[ 58.209105][ T2887] ? kasan_save_stack+0x43/0x50
[ 58.213948][ T2887] ? ext4_ext_release+0x10/0x10
[ 58.218803][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 58.223830][ T2887] ? __down_write_common+0x17a/0x1400
[ 58.229196][ T2887] ? up_write+0x510/0x510
[ 58.233518][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.238275][ T2887] ? lock_acquire+0x464/0x520
[ 58.242947][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.247700][ T2887] ? lock_sync+0x190/0x190
[ 58.252111][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 58.257830][ T2887] ? preempt_count_sub+0x160/0x160
[ 58.262927][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 58.268295][ T2887] ext4_map_blocks+0x619/0x1770
[ 58.273137][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 58.278330][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 58.283699][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 58.289153][ T2887] ext4_do_writepages+0x184e/0x3350
[ 58.294351][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 58.299973][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 58.305686][ T2887] ? preempt_count_sub+0x160/0x160
[ 58.310787][ T2887] ext4_writepages+0x30c/0x780
[ 58.315546][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 58.322387][ T2887] ? lock_release+0x4bf/0x690
[ 58.327058][ T2887] ? lock_sync+0x190/0x190
[ 58.331467][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 58.336482][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 58.341852][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 58.348692][ T2887] do_writepages+0x1b4/0x690
[ 58.353280][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 58.358909][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 58.364360][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.369118][ T2887] ? lock_release+0x4bf/0x690
[ 58.373794][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 58.379763][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 58.385128][ T2887] ? lock_release+0x4bf/0x690
[ 58.389803][ T2887] __writeback_single_inode+0x158/0xe90
[ 58.395339][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 58.400523][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 58.405363][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 58.411331][ T2887] writeback_sb_inodes+0x599/0x1080
[ 58.416517][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 58.421357][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 58.426456][ T2887] ? lock_acquire+0x441/0x520
[ 58.431130][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.435889][ T2887] ? queue_io+0x3ed/0x4e0
[ 58.440204][ T2887] wb_writeback+0x2a5/0xaa0
[ 58.444697][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 58.450146][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 58.455512][ T2887] ? spin_bug+0x1d0/0x1d0
[ 58.459828][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.464583][ T2887] wb_workfn+0x29c/0xfe0
[ 58.468818][ T2887] ? spin_bug+0x1c1/0x1d0
[ 58.473138][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 58.478674][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 58.483858][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.488614][ T2887] ? lock_acquire+0x464/0x520
[ 58.493284][ T2887] ? lock_sync+0x190/0x190
[ 58.497696][ T2887] ? lock_sync+0x190/0x190
[ 58.502106][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 58.507474][ T2887] ? __schedule+0xee3/0x5af0
[ 58.512058][ T2887] ? spin_bug+0x1d0/0x1d0
[ 58.516377][ T2887] process_one_work+0x886/0x15d0
[ 58.521311][ T2887] ? lock_sync+0x190/0x190
[ 58.525722][ T2887] ? workqueue_congested+0x300/0x300
[ 58.531003][ T2887] ? assign_work+0x1a0/0x250
[ 58.535587][ T2887] worker_thread+0x8b9/0x1290
[ 58.540264][ T2887] ? __kthread_parkme+0x14b/0x220
[ 58.545277][ T2887] ? process_one_work+0x15d0/0x15d0
[ 58.550471][ T2887] kthread+0x2c6/0x3a0
[ 58.554529][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 58.559717][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 58.565345][ T2887] ret_from_fork+0x45/0x80
[ 58.569756][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 58.575377][ T2887] ret_from_fork_asm+0x11/0x20
[ 58.580140][ T2887]
[ 58.583151][ T2887]
[ 58.585457][ T2887] The buggy address belongs to the physical page:
[ 58.591850][ T2887] page:ffffea0001cf7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73def
[ 58.601988][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 58.609081][ T2887] page_type: 0xffffffff()
[ 58.613394][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 58.621966][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 58.630528][ T2887] page dumped because: kasan: bad access detected
[ 58.636920][ T2887] page_owner tracks the page as freed
[ 58.642269][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46889429030, free_ts 46950912613
[ 58.660234][ T2887] post_alloc_hook+0x2d0/0x350
[ 58.664998][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 58.670450][ T2887] __alloc_pages+0x22e/0x2420
[ 58.675121][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 58.679969][ T2887] vma_alloc_folio+0xad/0x220
[ 58.684638][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 58.689662][ T2887] handle_mm_fault+0x47a/0xa10
[ 58.694424][ T2887] do_user_addr_fault+0x30b/0x1000
[ 58.699526][ T2887] exc_page_fault+0x5d/0xc0
[ 58.704025][ T2887] asm_exc_page_fault+0x26/0x30
[ 58.708863][ T2887] page last free stack trace:
[ 58.713518][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 58.718973][ T2887] free_unref_page_list+0xe6/0xb40
[ 58.724076][ T2887] release_pages+0x32a/0x14f0
[ 58.728744][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 58.733933][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 58.738598][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 58.744132][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 58.749319][ T2887] do_vmi_munmap+0x20e/0x450
[ 58.753895][ T2887] __vm_munmap+0x144/0x390
[ 58.758301][ T2887] __x64_sys_munmap+0x62/0x80
[ 58.762969][ T2887] do_syscall_64+0x40/0x110
[ 58.767462][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 58.773343][ T2887]
[ 58.775653][ T2887] Memory state around the buggy address:
[ 58.781265][ T2887] ffff888073defa80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.789310][ T2887] ffff888073defb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.797370][ T2887] >ffff888073defb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.805417][ T2887] ^
[ 58.810769][ T2887] ffff888073defc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.818817][ T2887] ffff888073defc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 58.826859][ T2887] ==================================================================
[ 58.835406][ T2887] ==================================================================
[ 58.843474][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 58.850873][ T2887] Read of size 4 at addr ffff888073defe0c by task kworker/u4:7/2887
[ 58.858867][ T2887]
[ 58.861181][ T2887] CPU: 0 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 58.872796][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 58.882845][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 58.888829][ T2887] Call Trace:
[ 58.892098][ T2887]
[ 58.895014][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 58.899599][ T2887] print_report+0xc4/0x620
[ 58.904011][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 58.909025][ T2887] ? __phys_addr+0xc6/0x140
[ 58.913520][ T2887] kasan_report+0xda/0x110
[ 58.917932][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 58.922946][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 58.927963][ T2887] ext4_find_extent+0xbe8/0xce0
[ 58.932806][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 58.937999][ T2887] ? stack_trace_save+0x96/0xd0
[ 58.942839][ T2887] ? filter_irq_stacks+0x90/0x90
[ 58.947764][ T2887] ? __stack_depot_save+0x39/0x520
[ 58.952869][ T2887] ? kasan_save_stack+0x43/0x50
[ 58.957713][ T2887] ? ext4_ext_release+0x10/0x10
[ 58.962556][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 58.967572][ T2887] ? __down_write_common+0x17a/0x1400
[ 58.972938][ T2887] ? up_write+0x510/0x510
[ 58.977258][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.982012][ T2887] ? lock_acquire+0x464/0x520
[ 58.986684][ T2887] ? rcu_is_watching+0x12/0xb0
[ 58.991435][ T2887] ? lock_sync+0x190/0x190
[ 58.995846][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 59.001564][ T2887] ? preempt_count_sub+0x160/0x160
[ 59.006669][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 59.012038][ T2887] ext4_map_blocks+0x619/0x1770
[ 59.016883][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 59.022070][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 59.027436][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 59.032887][ T2887] ext4_do_writepages+0x184e/0x3350
[ 59.038087][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 59.043710][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 59.049421][ T2887] ? preempt_count_sub+0x160/0x160
[ 59.054525][ T2887] ext4_writepages+0x30c/0x780
[ 59.059282][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 59.066126][ T2887] ? lock_release+0x4bf/0x690
[ 59.070802][ T2887] ? lock_sync+0x190/0x190
[ 59.075218][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 59.080237][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.085608][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 59.092450][ T2887] do_writepages+0x1b4/0x690
[ 59.097039][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 59.102671][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 59.108125][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.112882][ T2887] ? lock_release+0x4bf/0x690
[ 59.117553][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 59.123519][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.128886][ T2887] ? lock_release+0x4bf/0x690
[ 59.133555][ T2887] __writeback_single_inode+0x158/0xe90
[ 59.139091][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 59.144274][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 59.149113][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 59.155081][ T2887] writeback_sb_inodes+0x599/0x1080
[ 59.160269][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 59.165110][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 59.170209][ T2887] ? lock_acquire+0x441/0x520
[ 59.174893][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.179654][ T2887] ? queue_io+0x3ed/0x4e0
[ 59.183974][ T2887] wb_writeback+0x2a5/0xaa0
[ 59.188471][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 59.193915][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.199283][ T2887] ? spin_bug+0x1d0/0x1d0
[ 59.203601][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.208357][ T2887] wb_workfn+0x29c/0xfe0
[ 59.212586][ T2887] ? spin_bug+0x1c1/0x1d0
[ 59.216904][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 59.222437][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 59.227625][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.232382][ T2887] ? lock_acquire+0x464/0x520
[ 59.237053][ T2887] ? lock_sync+0x190/0x190
[ 59.241469][ T2887] ? lock_sync+0x190/0x190
[ 59.245883][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.251252][ T2887] ? __schedule+0xee3/0x5af0
[ 59.255838][ T2887] ? spin_bug+0x1d0/0x1d0
[ 59.260156][ T2887] process_one_work+0x886/0x15d0
[ 59.265088][ T2887] ? lock_sync+0x190/0x190
[ 59.269499][ T2887] ? workqueue_congested+0x300/0x300
[ 59.274776][ T2887] ? assign_work+0x1a0/0x250
[ 59.279359][ T2887] worker_thread+0x8b9/0x1290
[ 59.284033][ T2887] ? __kthread_parkme+0x14b/0x220
[ 59.289044][ T2887] ? process_one_work+0x15d0/0x15d0
[ 59.294232][ T2887] kthread+0x2c6/0x3a0
[ 59.298295][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 59.303484][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 59.309110][ T2887] ret_from_fork+0x45/0x80
[ 59.313522][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 59.319147][ T2887] ret_from_fork_asm+0x11/0x20
[ 59.323908][ T2887]
[ 59.326913][ T2887]
[ 59.329222][ T2887] The buggy address belongs to the physical page:
[ 59.335611][ T2887] page:ffffea0001cf7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73def
[ 59.345748][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 59.352842][ T2887] page_type: 0xffffffff()
[ 59.357161][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 59.365730][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 59.374291][ T2887] page dumped because: kasan: bad access detected
[ 59.380686][ T2887] page_owner tracks the page as freed
[ 59.386034][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46889429030, free_ts 46950912613
[ 59.403993][ T2887] post_alloc_hook+0x2d0/0x350
[ 59.408755][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 59.414205][ T2887] __alloc_pages+0x22e/0x2420
[ 59.418874][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 59.423716][ T2887] vma_alloc_folio+0xad/0x220
[ 59.428383][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 59.433402][ T2887] handle_mm_fault+0x47a/0xa10
[ 59.438162][ T2887] do_user_addr_fault+0x30b/0x1000
[ 59.443264][ T2887] exc_page_fault+0x5d/0xc0
[ 59.447761][ T2887] asm_exc_page_fault+0x26/0x30
[ 59.452597][ T2887] page last free stack trace:
[ 59.457253][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 59.462702][ T2887] free_unref_page_list+0xe6/0xb40
[ 59.467803][ T2887] release_pages+0x32a/0x14f0
[ 59.472464][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 59.477655][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 59.482321][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 59.487854][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 59.493042][ T2887] do_vmi_munmap+0x20e/0x450
[ 59.497619][ T2887] __vm_munmap+0x144/0x390
[ 59.502028][ T2887] __x64_sys_munmap+0x62/0x80
[ 59.506692][ T2887] do_syscall_64+0x40/0x110
[ 59.511186][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 59.517065][ T2887]
[ 59.519371][ T2887] Memory state around the buggy address:
[ 59.524982][ T2887] ffff888073defd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 59.533026][ T2887] ffff888073defd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 59.541072][ T2887] >ffff888073defe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 59.549115][ T2887] ^
[ 59.553423][ T2887] ffff888073defe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 59.561467][ T2887] ffff888073deff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 59.569508][ T2887] ==================================================================
[ 59.578446][ T2887] ==================================================================
[ 59.586530][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 59.593928][ T2887] Read of size 4 at addr ffff888073deff38 by task kworker/u4:7/2887
[ 59.601907][ T2887]
[ 59.604210][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 59.615819][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 59.625863][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 59.631843][ T2887] Call Trace:
[ 59.635108][ T2887]
[ 59.638022][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 59.642615][ T2887] print_report+0xc4/0x620
[ 59.647053][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 59.652064][ T2887] ? __phys_addr+0xc6/0x140
[ 59.656551][ T2887] kasan_report+0xda/0x110
[ 59.660955][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 59.665962][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 59.670973][ T2887] ext4_find_extent+0xbe8/0xce0
[ 59.675809][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 59.680992][ T2887] ? stack_trace_save+0x96/0xd0
[ 59.685820][ T2887] ? filter_irq_stacks+0x90/0x90
[ 59.690736][ T2887] ? __stack_depot_save+0x39/0x520
[ 59.695829][ T2887] ? kasan_save_stack+0x43/0x50
[ 59.700664][ T2887] ? ext4_ext_release+0x10/0x10
[ 59.705493][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 59.710500][ T2887] ? __down_write_common+0x17a/0x1400
[ 59.715854][ T2887] ? up_write+0x510/0x510
[ 59.720167][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.724909][ T2887] ? lock_acquire+0x464/0x520
[ 59.729568][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.734315][ T2887] ? lock_sync+0x190/0x190
[ 59.738714][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 59.744418][ T2887] ? preempt_count_sub+0x160/0x160
[ 59.749510][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 59.754865][ T2887] ext4_map_blocks+0x619/0x1770
[ 59.759700][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 59.764875][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 59.770231][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 59.775668][ T2887] ext4_do_writepages+0x184e/0x3350
[ 59.780853][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 59.786464][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 59.792162][ T2887] ? preempt_count_sub+0x160/0x160
[ 59.797254][ T2887] ext4_writepages+0x30c/0x780
[ 59.801996][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 59.808826][ T2887] ? lock_release+0x4bf/0x690
[ 59.813486][ T2887] ? lock_sync+0x190/0x190
[ 59.817882][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 59.822890][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.828246][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 59.835076][ T2887] do_writepages+0x1b4/0x690
[ 59.839658][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 59.845272][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 59.850713][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.855454][ T2887] ? lock_release+0x4bf/0x690
[ 59.860116][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 59.866075][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.871433][ T2887] ? lock_release+0x4bf/0x690
[ 59.876100][ T2887] __writeback_single_inode+0x158/0xe90
[ 59.881630][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 59.886809][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 59.891642][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 59.897602][ T2887] writeback_sb_inodes+0x599/0x1080
[ 59.902779][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 59.907609][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 59.912697][ T2887] ? lock_acquire+0x441/0x520
[ 59.917360][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.922104][ T2887] ? queue_io+0x3ed/0x4e0
[ 59.926409][ T2887] wb_writeback+0x2a5/0xaa0
[ 59.930896][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 59.936333][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.941691][ T2887] ? spin_bug+0x1d0/0x1d0
[ 59.945997][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.950744][ T2887] wb_workfn+0x29c/0xfe0
[ 59.954966][ T2887] ? spin_bug+0x1c1/0x1d0
[ 59.959275][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 59.964799][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 59.969977][ T2887] ? rcu_is_watching+0x12/0xb0
[ 59.974719][ T2887] ? lock_acquire+0x464/0x520
[ 59.979376][ T2887] ? lock_sync+0x190/0x190
[ 59.983773][ T2887] ? lock_sync+0x190/0x190
[ 59.988169][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 59.993523][ T2887] ? __schedule+0xee3/0x5af0
[ 59.998096][ T2887] ? spin_bug+0x1d0/0x1d0
[ 60.002402][ T2887] process_one_work+0x886/0x15d0
[ 60.007324][ T2887] ? lock_sync+0x190/0x190
[ 60.011723][ T2887] ? workqueue_congested+0x300/0x300
[ 60.016987][ T2887] ? assign_work+0x1a0/0x250
[ 60.021559][ T2887] worker_thread+0x8b9/0x1290
[ 60.026221][ T2887] ? __kthread_parkme+0x14b/0x220
[ 60.031228][ T2887] ? process_one_work+0x15d0/0x15d0
[ 60.036408][ T2887] kthread+0x2c6/0x3a0
[ 60.040460][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 60.045636][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 60.051256][ T2887] ret_from_fork+0x45/0x80
[ 60.055657][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 60.061270][ T2887] ret_from_fork_asm+0x11/0x20
[ 60.066018][ T2887]
[ 60.069015][ T2887]
[ 60.071313][ T2887] The buggy address belongs to the physical page:
[ 60.077696][ T2887] page:ffffea0001cf7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73def
[ 60.087822][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 60.094905][ T2887] page_type: 0xffffffff()
[ 60.099210][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 60.107773][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 60.116325][ T2887] page dumped because: kasan: bad access detected
[ 60.122713][ T2887] page_owner tracks the page as freed
[ 60.128058][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46889429030, free_ts 46950912613
[ 60.146012][ T2887] post_alloc_hook+0x2d0/0x350
[ 60.150769][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 60.156212][ T2887] __alloc_pages+0x22e/0x2420
[ 60.160874][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 60.165706][ T2887] vma_alloc_folio+0xad/0x220
[ 60.170368][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 60.175379][ T2887] handle_mm_fault+0x47a/0xa10
[ 60.180126][ T2887] do_user_addr_fault+0x30b/0x1000
[ 60.185218][ T2887] exc_page_fault+0x5d/0xc0
[ 60.189708][ T2887] asm_exc_page_fault+0x26/0x30
[ 60.194536][ T2887] page last free stack trace:
[ 60.199183][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 60.204624][ T2887] free_unref_page_list+0xe6/0xb40
[ 60.209714][ T2887] release_pages+0x32a/0x14f0
[ 60.214367][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 60.219544][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 60.224199][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 60.229724][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 60.234898][ T2887] do_vmi_munmap+0x20e/0x450
[ 60.239468][ T2887] __vm_munmap+0x144/0x390
[ 60.243863][ T2887] __x64_sys_munmap+0x62/0x80
[ 60.248523][ T2887] do_syscall_64+0x40/0x110
[ 60.253009][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 60.258885][ T2887]
[ 60.261187][ T2887] Memory state around the buggy address:
[ 60.266789][ T2887] ffff888073defe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.274829][ T2887] ffff888073defe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.282871][ T2887] >ffff888073deff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.290908][ T2887] ^
[ 60.296773][ T2887] ffff888073deff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.304811][ T2887] ffff888073df0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 60.312852][ T2887] ==================================================================
[ 60.321618][ T2887] ==================================================================
[ 60.329688][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 60.337054][ T2887] Read of size 4 at addr ffff888073deffd4 by task kworker/u4:7/2887
[ 60.345016][ T2887]
[ 60.347327][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 60.358937][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 60.368984][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 60.374963][ T2887] Call Trace:
[ 60.378231][ T2887]
[ 60.381156][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 60.385740][ T2887] print_report+0xc4/0x620
[ 60.390157][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 60.395172][ T2887] ? __phys_addr+0xc6/0x140
[ 60.399670][ T2887] kasan_report+0xda/0x110
[ 60.404083][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 60.409097][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 60.414112][ T2887] ext4_find_extent+0xbe8/0xce0
[ 60.418964][ T2887] ext4_ext_map_blocks+0x26b/0x5ae0
[ 60.424158][ T2887] ? stack_trace_save+0x96/0xd0
[ 60.428996][ T2887] ? filter_irq_stacks+0x90/0x90
[ 60.433918][ T2887] ? __stack_depot_save+0x39/0x520
[ 60.439021][ T2887] ? kasan_save_stack+0x43/0x50
[ 60.443866][ T2887] ? ext4_ext_release+0x10/0x10
[ 60.448707][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 60.453729][ T2887] ? __down_write_common+0x17a/0x1400
[ 60.459098][ T2887] ? up_write+0x510/0x510
[ 60.463416][ T2887] ? rcu_is_watching+0x12/0xb0
[ 60.468168][ T2887] ? lock_acquire+0x464/0x520
[ 60.472841][ T2887] ? rcu_is_watching+0x12/0xb0
[ 60.477597][ T2887] ? lock_sync+0x190/0x190
[ 60.482006][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 60.487720][ T2887] ? preempt_count_sub+0x160/0x160
[ 60.492817][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 60.498187][ T2887] ext4_map_blocks+0x619/0x1770
[ 60.503033][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 60.508219][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 60.513581][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 60.519028][ T2887] ext4_do_writepages+0x184e/0x3350
[ 60.524222][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 60.529842][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 60.535550][ T2887] ? preempt_count_sub+0x160/0x160
[ 60.540653][ T2887] ext4_writepages+0x30c/0x780
[ 60.545412][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 60.552259][ T2887] ? lock_release+0x4bf/0x690
[ 60.556930][ T2887] ? lock_sync+0x190/0x190
[ 60.561339][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 60.566358][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 60.571732][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 60.578571][ T2887] do_writepages+0x1b4/0x690
[ 60.583164][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 60.588797][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 60.594247][ T2887] ? rcu_is_watching+0x12/0xb0
[ 60.599006][ T2887] ? lock_release+0x4bf/0x690
[ 60.603678][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 60.609647][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 60.615013][ T2887] ? lock_release+0x4bf/0x690
[ 60.619684][ T2887] __writeback_single_inode+0x158/0xe90
[ 60.625218][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 60.630402][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 60.635245][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 60.641214][ T2887] writeback_sb_inodes+0x599/0x1080
[ 60.646402][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 60.651242][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 60.656338][ T2887] ? lock_acquire+0x441/0x520
[ 60.661015][ T2887] ? rcu_is_watching+0x12/0xb0
[ 60.665766][ T2887] ? queue_io+0x3ed/0x4e0
[ 60.670083][ T2887] wb_writeback+0x2a5/0xaa0
[ 60.674576][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 60.680037][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 60.685406][ T2887] ? spin_bug+0x1d0/0x1d0
[ 60.689720][ T2887] ? rcu_is_watching+0x12/0xb0
[ 60.694476][ T2887] wb_workfn+0x29c/0xfe0
[ 60.698709][ T2887] ? spin_bug+0x1c1/0x1d0
[ 60.703026][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 60.708557][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 60.713740][ T2887] ? rcu_is_watching+0x12/0xb0
[ 60.718494][ T2887] ? lock_acquire+0x464/0x520
[ 60.723166][ T2887] ? lock_sync+0x190/0x190
[ 60.727577][ T2887] ? lock_sync+0x190/0x190
[ 60.731986][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 60.737353][ T2887] ? __schedule+0xee3/0x5af0
[ 60.741937][ T2887] ? spin_bug+0x1d0/0x1d0
[ 60.746255][ T2887] process_one_work+0x886/0x15d0
[ 60.751192][ T2887] ? lock_sync+0x190/0x190
[ 60.755604][ T2887] ? workqueue_congested+0x300/0x300
[ 60.760888][ T2887] ? assign_work+0x1a0/0x250
[ 60.765467][ T2887] worker_thread+0x8b9/0x1290
[ 60.770139][ T2887] ? __kthread_parkme+0x14b/0x220
[ 60.775157][ T2887] ? process_one_work+0x15d0/0x15d0
[ 60.780348][ T2887] kthread+0x2c6/0x3a0
[ 60.784405][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 60.789596][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 60.795222][ T2887] ret_from_fork+0x45/0x80
[ 60.799631][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 60.805258][ T2887] ret_from_fork_asm+0x11/0x20
[ 60.810020][ T2887]
[ 60.813026][ T2887]
[ 60.815333][ T2887] The buggy address belongs to the physical page:
[ 60.821724][ T2887] page:ffffea0001cf7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73def
[ 60.831861][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 60.838979][ T2887] page_type: 0xffffffff()
[ 60.843306][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 60.851887][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 60.860458][ T2887] page dumped because: kasan: bad access detected
[ 60.866851][ T2887] page_owner tracks the page as freed
[ 60.872203][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46889429030, free_ts 46950912613
[ 60.890167][ T2887] post_alloc_hook+0x2d0/0x350
[ 60.894931][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 60.900388][ T2887] __alloc_pages+0x22e/0x2420
[ 60.905059][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 60.909902][ T2887] vma_alloc_folio+0xad/0x220
[ 60.914570][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 60.919611][ T2887] handle_mm_fault+0x47a/0xa10
[ 60.924375][ T2887] do_user_addr_fault+0x30b/0x1000
[ 60.929476][ T2887] exc_page_fault+0x5d/0xc0
[ 60.933973][ T2887] asm_exc_page_fault+0x26/0x30
[ 60.938809][ T2887] page last free stack trace:
[ 60.943462][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 60.948916][ T2887] free_unref_page_list+0xe6/0xb40
[ 60.954019][ T2887] release_pages+0x32a/0x14f0
[ 60.958683][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 60.963872][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 60.968536][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 60.974070][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 60.979257][ T2887] do_vmi_munmap+0x20e/0x450
[ 60.983835][ T2887] __vm_munmap+0x144/0x390
[ 60.988236][ T2887] __x64_sys_munmap+0x62/0x80
[ 60.992902][ T2887] do_syscall_64+0x40/0x110
[ 60.997399][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 61.003279][ T2887]
[ 61.005587][ T2887] Memory state around the buggy address:
[ 61.011202][ T2887] ffff888073defe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.019251][ T2887] ffff888073deff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.027295][ T2887] >ffff888073deff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.035336][ T2887] ^
[ 61.041991][ T2887] ffff888073df0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.050061][ T2887] ffff888073df0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.058117][ T2887] ==================================================================
[ 61.066808][ T2887] ==================================================================
[ 61.069609][ T5073] EXT4-fs warning (device loop0): kmmpd:167: kmmpd being stopped since MMP feature has been disabled.
[ 61.074869][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 61.093163][ T2887] Read of size 4 at addr ffff888073dec788 by task kworker/u4:7/2887
[ 61.101166][ T2887]
[ 61.103509][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 61.115143][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 61.125195][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 61.131180][ T2887] Call Trace:
[ 61.134448][ T2887]
[ 61.137368][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 61.141956][ T2887] print_report+0xc4/0x620
[ 61.146366][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 61.151381][ T2887] ? __phys_addr+0xc6/0x140
[ 61.155879][ T2887] kasan_report+0xda/0x110
[ 61.160292][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 61.165308][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 61.170326][ T2887] ext4_find_extent+0xbe8/0xce0
[ 61.175172][ T2887] ext4_split_extent+0x2a8/0x520
[ 61.180106][ T2887] ext4_ext_map_blocks+0x309e/0x5ae0
[ 61.185386][ T2887] ? __stack_depot_save+0x39/0x520
[ 61.190495][ T2887] ? kasan_save_stack+0x43/0x50
[ 61.195339][ T2887] ? ext4_ext_release+0x10/0x10
[ 61.200188][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 61.205207][ T2887] ? __down_write_common+0x17a/0x1400
[ 61.210574][ T2887] ? up_write+0x510/0x510
[ 61.214895][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.219651][ T2887] ? lock_acquire+0x464/0x520
[ 61.224333][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.229096][ T2887] ? lock_sync+0x190/0x190
[ 61.233510][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 61.239227][ T2887] ? preempt_count_sub+0x160/0x160
[ 61.244326][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 61.249698][ T2887] ext4_map_blocks+0x619/0x1770
[ 61.254543][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 61.259730][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 61.265095][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 61.270543][ T2887] ext4_do_writepages+0x184e/0x3350
[ 61.275742][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 61.281368][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 61.287076][ T2887] ? preempt_count_sub+0x160/0x160
[ 61.292180][ T2887] ext4_writepages+0x30c/0x780
[ 61.296939][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 61.303786][ T2887] ? lock_release+0x4bf/0x690
[ 61.308458][ T2887] ? lock_sync+0x190/0x190
[ 61.312866][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 61.317885][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 61.323253][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 61.330093][ T2887] do_writepages+0x1b4/0x690
[ 61.334684][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 61.340314][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 61.345769][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.350526][ T2887] ? lock_release+0x4bf/0x690
[ 61.355200][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 61.361170][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 61.366540][ T2887] ? lock_release+0x4bf/0x690
[ 61.371212][ T2887] __writeback_single_inode+0x158/0xe90
[ 61.376750][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 61.381935][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 61.386776][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 61.392745][ T2887] writeback_sb_inodes+0x599/0x1080
[ 61.397936][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 61.402777][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 61.407875][ T2887] ? lock_acquire+0x441/0x520
[ 61.412548][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.417304][ T2887] ? queue_io+0x3ed/0x4e0
[ 61.421619][ T2887] wb_writeback+0x2a5/0xaa0
[ 61.426115][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 61.431561][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 61.436927][ T2887] ? spin_bug+0x1d0/0x1d0
[ 61.441249][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.446005][ T2887] wb_workfn+0x29c/0xfe0
[ 61.450240][ T2887] ? spin_bug+0x1c1/0x1d0
[ 61.454559][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 61.460092][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 61.465277][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.470032][ T2887] ? lock_acquire+0x464/0x520
[ 61.474704][ T2887] ? lock_sync+0x190/0x190
[ 61.479114][ T2887] ? lock_sync+0x190/0x190
[ 61.483523][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 61.488892][ T2887] ? __schedule+0xee3/0x5af0
[ 61.493479][ T2887] ? spin_bug+0x1d0/0x1d0
[ 61.497798][ T2887] process_one_work+0x886/0x15d0
[ 61.502734][ T2887] ? lock_sync+0x190/0x190
[ 61.507146][ T2887] ? workqueue_congested+0x300/0x300
[ 61.512427][ T2887] ? assign_work+0x1a0/0x250
[ 61.517009][ T2887] worker_thread+0x8b9/0x1290
[ 61.521685][ T2887] ? __kthread_parkme+0x14b/0x220
[ 61.526699][ T2887] ? process_one_work+0x15d0/0x15d0
[ 61.531890][ T2887] kthread+0x2c6/0x3a0
[ 61.535950][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 61.541137][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 61.546761][ T2887] ret_from_fork+0x45/0x80
[ 61.551171][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 61.556796][ T2887] ret_from_fork_asm+0x11/0x20
[ 61.561556][ T2887]
[ 61.564570][ T2887]
[ 61.566881][ T2887] The buggy address belongs to the physical page:
[ 61.573275][ T2887] page:ffffea0001cf7b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73dec
[ 61.583417][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 61.590517][ T2887] page_type: 0xffffffff()
[ 61.594838][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 61.603413][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 61.611981][ T2887] page dumped because: kasan: bad access detected
[ 61.618375][ T2887] page_owner tracks the page as freed
[ 61.623721][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46939660393, free_ts 47027440358
[ 61.641686][ T2887] post_alloc_hook+0x2d0/0x350
[ 61.646449][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 61.651902][ T2887] __alloc_pages+0x22e/0x2420
[ 61.656574][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 61.661417][ T2887] vma_alloc_folio+0xad/0x220
[ 61.666086][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 61.671115][ T2887] handle_mm_fault+0x47a/0xa10
[ 61.675887][ T2887] do_user_addr_fault+0x30b/0x1000
[ 61.680996][ T2887] exc_page_fault+0x5d/0xc0
[ 61.685494][ T2887] asm_exc_page_fault+0x26/0x30
[ 61.690330][ T2887] page last free stack trace:
[ 61.694986][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 61.700436][ T2887] free_unref_page_list+0xe6/0xb40
[ 61.705539][ T2887] release_pages+0x32a/0x14f0
[ 61.710200][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 61.715387][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 61.720054][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 61.725587][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 61.730773][ T2887] do_vmi_munmap+0x20e/0x450
[ 61.735354][ T2887] __vm_munmap+0x144/0x390
[ 61.739758][ T2887] __x64_sys_munmap+0x62/0x80
[ 61.744421][ T2887] do_syscall_64+0x40/0x110
[ 61.748911][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 61.754803][ T2887]
[ 61.757117][ T2887] Memory state around the buggy address:
[ 61.762739][ T2887] ffff888073dec680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.770788][ T2887] ffff888073dec700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.778837][ T2887] >ffff888073dec780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.786878][ T2887] ^
[ 61.791190][ T2887] ffff888073dec800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.799237][ T2887] ffff888073dec880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 61.807280][ T2887] ==================================================================
[ 61.815596][ T2887] ==================================================================
[ 61.823670][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 61.831065][ T2887] Read of size 4 at addr ffff888073deed80 by task kworker/u4:7/2887
[ 61.839031][ T2887]
[ 61.841341][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 61.852955][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 61.863019][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 61.869014][ T2887] Call Trace:
[ 61.872289][ T2887]
[ 61.875214][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 61.879812][ T2887] print_report+0xc4/0x620
[ 61.884228][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 61.889247][ T2887] ? __phys_addr+0xc6/0x140
[ 61.893747][ T2887] kasan_report+0xda/0x110
[ 61.898167][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 61.903188][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 61.908205][ T2887] ext4_find_extent+0xbe8/0xce0
[ 61.913053][ T2887] ext4_split_extent+0x2a8/0x520
[ 61.917985][ T2887] ext4_ext_map_blocks+0x309e/0x5ae0
[ 61.923265][ T2887] ? __stack_depot_save+0x39/0x520
[ 61.928372][ T2887] ? kasan_save_stack+0x43/0x50
[ 61.933218][ T2887] ? ext4_ext_release+0x10/0x10
[ 61.938060][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 61.943077][ T2887] ? __down_write_common+0x17a/0x1400
[ 61.948445][ T2887] ? up_write+0x510/0x510
[ 61.952793][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.957566][ T2887] ? lock_acquire+0x464/0x520
[ 61.962246][ T2887] ? rcu_is_watching+0x12/0xb0
[ 61.966999][ T2887] ? lock_sync+0x190/0x190
[ 61.971413][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 61.977133][ T2887] ? preempt_count_sub+0x160/0x160
[ 61.982241][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 61.987610][ T2887] ext4_map_blocks+0x619/0x1770
[ 61.992461][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 61.997649][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 62.003013][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 62.008461][ T2887] ext4_do_writepages+0x184e/0x3350
[ 62.013657][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 62.019284][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 62.024993][ T2887] ? preempt_count_sub+0x160/0x160
[ 62.030096][ T2887] ext4_writepages+0x30c/0x780
[ 62.034856][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 62.041700][ T2887] ? lock_release+0x4bf/0x690
[ 62.046370][ T2887] ? lock_sync+0x190/0x190
[ 62.050781][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 62.055805][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.061176][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 62.068016][ T2887] do_writepages+0x1b4/0x690
[ 62.072605][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 62.078237][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 62.083688][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.088441][ T2887] ? lock_release+0x4bf/0x690
[ 62.093113][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 62.099083][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.104454][ T2887] ? lock_release+0x4bf/0x690
[ 62.109125][ T2887] __writeback_single_inode+0x158/0xe90
[ 62.114660][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 62.119844][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 62.124683][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 62.130654][ T2887] writeback_sb_inodes+0x599/0x1080
[ 62.135842][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 62.140685][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 62.145781][ T2887] ? lock_acquire+0x441/0x520
[ 62.150458][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.155213][ T2887] ? queue_io+0x3ed/0x4e0
[ 62.159530][ T2887] wb_writeback+0x2a5/0xaa0
[ 62.164022][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 62.169467][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.174835][ T2887] ? spin_bug+0x1d0/0x1d0
[ 62.179150][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.183907][ T2887] wb_workfn+0x29c/0xfe0
[ 62.188139][ T2887] ? spin_bug+0x1c1/0x1d0
[ 62.192457][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 62.197994][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 62.203179][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.207934][ T2887] ? lock_acquire+0x464/0x520
[ 62.212607][ T2887] ? lock_sync+0x190/0x190
[ 62.217022][ T2887] ? lock_sync+0x190/0x190
[ 62.221432][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.226799][ T2887] ? __schedule+0xee3/0x5af0
[ 62.231383][ T2887] ? spin_bug+0x1d0/0x1d0
[ 62.235700][ T2887] process_one_work+0x886/0x15d0
[ 62.240644][ T2887] ? lock_sync+0x190/0x190
[ 62.245054][ T2887] ? workqueue_congested+0x300/0x300
[ 62.250346][ T2887] ? assign_work+0x1a0/0x250
[ 62.254935][ T2887] worker_thread+0x8b9/0x1290
[ 62.259623][ T2887] ? __kthread_parkme+0x14b/0x220
[ 62.264640][ T2887] ? process_one_work+0x15d0/0x15d0
[ 62.269830][ T2887] kthread+0x2c6/0x3a0
[ 62.273889][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 62.279084][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 62.284713][ T2887] ret_from_fork+0x45/0x80
[ 62.289123][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 62.294749][ T2887] ret_from_fork_asm+0x11/0x20
[ 62.299510][ T2887]
[ 62.302513][ T2887]
[ 62.304818][ T2887] The buggy address belongs to the physical page:
[ 62.311213][ T2887] page:ffffea0001cf7b80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73dee
[ 62.321356][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 62.328456][ T2887] page_type: 0xffffffff()
[ 62.332772][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 62.341344][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 62.349910][ T2887] page dumped because: kasan: bad access detected
[ 62.356306][ T2887] page_owner tracks the page as freed
[ 62.361655][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46911733709, free_ts 46951665773
[ 62.379634][ T2887] post_alloc_hook+0x2d0/0x350
[ 62.384395][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 62.389849][ T2887] __alloc_pages+0x22e/0x2420
[ 62.394520][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 62.399365][ T2887] vma_alloc_folio+0xad/0x220
[ 62.404034][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 62.409053][ T2887] handle_mm_fault+0x47a/0xa10
[ 62.413813][ T2887] do_user_addr_fault+0x30b/0x1000
[ 62.418916][ T2887] exc_page_fault+0x5d/0xc0
[ 62.423415][ T2887] asm_exc_page_fault+0x26/0x30
[ 62.428251][ T2887] page last free stack trace:
[ 62.432905][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 62.438359][ T2887] free_unref_page_list+0xe6/0xb40
[ 62.443463][ T2887] release_pages+0x32a/0x14f0
[ 62.448129][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 62.453318][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 62.457986][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 62.463526][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 62.468723][ T2887] do_vmi_munmap+0x20e/0x450
[ 62.473305][ T2887] __vm_munmap+0x144/0x390
[ 62.477716][ T2887] __x64_sys_munmap+0x62/0x80
[ 62.482381][ T2887] do_syscall_64+0x40/0x110
[ 62.486875][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 62.492758][ T2887]
[ 62.495063][ T2887] Memory state around the buggy address:
[ 62.500677][ T2887] ffff888073deec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.508727][ T2887] ffff888073deed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.516770][ T2887] >ffff888073deed80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.524816][ T2887] ^
[ 62.528866][ T2887] ffff888073deee00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.536912][ T2887] ffff888073deee80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.544956][ T2887] ==================================================================
[ 62.553428][ T2887] ==================================================================
[ 62.561506][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 62.568874][ T2887] Read of size 4 at addr ffff888073def6f8 by task kworker/u4:7/2887
[ 62.576834][ T2887]
[ 62.579143][ T2887] CPU: 0 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 62.590753][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 62.600801][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 62.606780][ T2887] Call Trace:
[ 62.610052][ T2887]
[ 62.612969][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 62.617556][ T2887] print_report+0xc4/0x620
[ 62.621969][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 62.626984][ T2887] ? __phys_addr+0xc6/0x140
[ 62.631488][ T2887] kasan_report+0xda/0x110
[ 62.635908][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 62.640933][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 62.645953][ T2887] ext4_find_extent+0xbe8/0xce0
[ 62.650803][ T2887] ext4_split_extent+0x2a8/0x520
[ 62.655736][ T2887] ext4_ext_map_blocks+0x309e/0x5ae0
[ 62.661025][ T2887] ? __stack_depot_save+0x39/0x520
[ 62.666145][ T2887] ? kasan_save_stack+0x43/0x50
[ 62.670990][ T2887] ? ext4_ext_release+0x10/0x10
[ 62.675834][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 62.680851][ T2887] ? __down_write_common+0x17a/0x1400
[ 62.686219][ T2887] ? up_write+0x510/0x510
[ 62.690540][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.695293][ T2887] ? lock_acquire+0x464/0x520
[ 62.699966][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.704722][ T2887] ? lock_sync+0x190/0x190
[ 62.709137][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 62.714857][ T2887] ? preempt_count_sub+0x160/0x160
[ 62.719954][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 62.725321][ T2887] ext4_map_blocks+0x619/0x1770
[ 62.730165][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 62.735352][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 62.740719][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 62.746167][ T2887] ext4_do_writepages+0x184e/0x3350
[ 62.751368][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 62.756991][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 62.762701][ T2887] ? preempt_count_sub+0x160/0x160
[ 62.767805][ T2887] ext4_writepages+0x30c/0x780
[ 62.772564][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 62.779409][ T2887] ? lock_release+0x4bf/0x690
[ 62.784079][ T2887] ? lock_sync+0x190/0x190
[ 62.788488][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 62.793507][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.798875][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 62.805718][ T2887] do_writepages+0x1b4/0x690
[ 62.810306][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 62.815935][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 62.821389][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.826171][ T2887] ? lock_release+0x4bf/0x690
[ 62.830864][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 62.836838][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.842209][ T2887] ? lock_release+0x4bf/0x690
[ 62.846887][ T2887] __writeback_single_inode+0x158/0xe90
[ 62.852426][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 62.857616][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 62.862460][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 62.868430][ T2887] writeback_sb_inodes+0x599/0x1080
[ 62.873618][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 62.878463][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 62.883563][ T2887] ? lock_acquire+0x441/0x520
[ 62.888240][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.892994][ T2887] ? queue_io+0x3ed/0x4e0
[ 62.897312][ T2887] wb_writeback+0x2a5/0xaa0
[ 62.901805][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 62.907248][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.912614][ T2887] ? spin_bug+0x1d0/0x1d0
[ 62.916931][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.921685][ T2887] wb_workfn+0x29c/0xfe0
[ 62.925916][ T2887] ? spin_bug+0x1c1/0x1d0
[ 62.930234][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 62.935769][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 62.940957][ T2887] ? rcu_is_watching+0x12/0xb0
[ 62.945711][ T2887] ? lock_acquire+0x464/0x520
[ 62.950383][ T2887] ? lock_sync+0x190/0x190
[ 62.954796][ T2887] ? lock_sync+0x190/0x190
[ 62.959206][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 62.964575][ T2887] ? __schedule+0xee3/0x5af0
[ 62.969161][ T2887] ? spin_bug+0x1d0/0x1d0
[ 62.973477][ T2887] process_one_work+0x886/0x15d0
[ 62.978409][ T2887] ? lock_sync+0x190/0x190
[ 62.982821][ T2887] ? workqueue_congested+0x300/0x300
[ 62.988100][ T2887] ? assign_work+0x1a0/0x250
[ 62.992681][ T2887] worker_thread+0x8b9/0x1290
[ 62.997355][ T2887] ? __kthread_parkme+0x14b/0x220
[ 63.002370][ T2887] ? process_one_work+0x15d0/0x15d0
[ 63.007561][ T2887] kthread+0x2c6/0x3a0
[ 63.011620][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 63.016810][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 63.022432][ T2887] ret_from_fork+0x45/0x80
[ 63.026839][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 63.032463][ T2887] ret_from_fork_asm+0x11/0x20
[ 63.037228][ T2887]
[ 63.040231][ T2887]
[ 63.042539][ T2887] The buggy address belongs to the physical page:
[ 63.048930][ T2887] page:ffffea0001cf7bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73def
[ 63.059067][ T2887] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 63.066159][ T2887] page_type: 0xffffffff()
[ 63.070475][ T2887] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 63.079046][ T2887] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 63.087609][ T2887] page dumped because: kasan: bad access detected
[ 63.094000][ T2887] page_owner tracks the page as freed
[ 63.099349][ T2887] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5048, tgid 5048 (sshd), ts 46889429030, free_ts 46950912613
[ 63.117307][ T2887] post_alloc_hook+0x2d0/0x350
[ 63.122067][ T2887] get_page_from_freelist+0xa25/0x36d0
[ 63.127519][ T2887] __alloc_pages+0x22e/0x2420
[ 63.132188][ T2887] alloc_pages_mpol+0x258/0x5f0
[ 63.137028][ T2887] vma_alloc_folio+0xad/0x220
[ 63.141693][ T2887] __handle_mm_fault+0xe07/0x3d70
[ 63.146710][ T2887] handle_mm_fault+0x47a/0xa10
[ 63.151468][ T2887] do_user_addr_fault+0x30b/0x1000
[ 63.156569][ T2887] exc_page_fault+0x5d/0xc0
[ 63.161068][ T2887] asm_exc_page_fault+0x26/0x30
[ 63.165902][ T2887] page last free stack trace:
[ 63.170557][ T2887] free_unref_page_prepare+0x4fa/0xaa0
[ 63.176009][ T2887] free_unref_page_list+0xe6/0xb40
[ 63.181112][ T2887] release_pages+0x32a/0x14f0
[ 63.185773][ T2887] tlb_batch_pages_flush+0x9a/0x190
[ 63.190959][ T2887] tlb_finish_mmu+0x14b/0x6f0
[ 63.195625][ T2887] unmap_region.constprop.0+0x2e6/0x3b0
[ 63.201159][ T2887] do_vmi_align_munmap+0xde6/0x1600
[ 63.206436][ T2887] do_vmi_munmap+0x20e/0x450
[ 63.211028][ T2887] __vm_munmap+0x144/0x390
[ 63.215437][ T2887] __x64_sys_munmap+0x62/0x80
[ 63.220105][ T2887] do_syscall_64+0x40/0x110
[ 63.224601][ T2887] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 63.230480][ T2887]
[ 63.232790][ T2887] Memory state around the buggy address:
[ 63.238404][ T2887] ffff888073def580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.246448][ T2887] ffff888073def600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.254497][ T2887] >ffff888073def680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.262543][ T2887] ^
[ 63.270500][ T2887] ffff888073def700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.278548][ T2887] ffff888073def780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 63.286588][ T2887] ==================================================================
[ 63.295444][ T2887] ==================================================================
[ 63.303540][ T2887] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0
[ 63.310925][ T2887] Read of size 4 at addr ffff888073defbb4 by task kworker/u4:7/2887
[ 63.318910][ T2887]
[ 63.321237][ T2887] CPU: 1 PID: 2887 Comm: kworker/u4:7 Tainted: G B 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
[ 63.332853][ T2887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 63.342896][ T2887] Workqueue: writeback wb_workfn (flush-7:0)
[ 63.348878][ T2887] Call Trace:
[ 63.352147][ T2887]
[ 63.355069][ T2887] dump_stack_lvl+0xd9/0x1b0
[ 63.359656][ T2887] print_report+0xc4/0x620
[ 63.364068][ T2887] ? __virt_addr_valid+0x5e/0x2d0
[ 63.369083][ T2887] ? __phys_addr+0xc6/0x140
[ 63.373581][ T2887] kasan_report+0xda/0x110
[ 63.377995][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 63.383011][ T2887] ? ext4_find_extent+0xbe8/0xce0
[ 63.388025][ T2887] ext4_find_extent+0xbe8/0xce0
[ 63.392870][ T2887] ext4_split_extent+0x2a8/0x520
[ 63.397800][ T2887] ext4_ext_map_blocks+0x309e/0x5ae0
[ 63.403082][ T2887] ? __stack_depot_save+0x39/0x520
[ 63.408186][ T2887] ? kasan_save_stack+0x43/0x50
[ 63.413029][ T2887] ? ext4_ext_release+0x10/0x10
[ 63.417869][ T2887] ? kmem_cache_alloc+0x15d/0x2f0
[ 63.422885][ T2887] ? __down_write_common+0x17a/0x1400
[ 63.428249][ T2887] ? up_write+0x510/0x510
[ 63.432567][ T2887] ? rcu_is_watching+0x12/0xb0
[ 63.437322][ T2887] ? lock_acquire+0x464/0x520
[ 63.441992][ T2887] ? rcu_is_watching+0x12/0xb0
[ 63.446744][ T2887] ? lock_sync+0x190/0x190
[ 63.451151][ T2887] ? percpu_counter_add_batch+0x132/0x1f0
[ 63.456873][ T2887] ? preempt_count_sub+0x160/0x160
[ 63.461972][ T2887] ? ext4_es_lookup_extent+0xc7/0xbf0
[ 63.467342][ T2887] ext4_map_blocks+0x619/0x1770
[ 63.472187][ T2887] ? ext4_issue_zeroout+0x1f0/0x1f0
[ 63.477371][ T2887] ? trace_kmem_cache_alloc+0x26/0xa0
[ 63.482735][ T2887] ? ext4_alloc_io_end_vec+0x145/0x1c0
[ 63.488182][ T2887] ext4_do_writepages+0x184e/0x3350
[ 63.493378][ T2887] ? __ext4_mark_inode_dirty+0x810/0x810
[ 63.498999][ T2887] ? blk_mq_dispatch_rq_list+0x9e9/0x1fd0
[ 63.504708][ T2887] ? preempt_count_sub+0x160/0x160
[ 63.509808][ T2887] ext4_writepages+0x30c/0x780
[ 63.514560][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 63.521401][ T2887] ? lock_release+0x4bf/0x690
[ 63.526070][ T2887] ? lock_sync+0x190/0x190
[ 63.530481][ T2887] ? __wb_calc_thresh+0x100/0x3f0
[ 63.535495][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 63.540861][ T2887] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0
[ 63.547700][ T2887] do_writepages+0x1b4/0x690
[ 63.552286][ T2887] ? writeback_set_ratelimit+0x140/0x140
[ 63.557914][ T2887] ? fprop_fraction_percpu+0x21a/0x380
[ 63.563365][ T2887] ? rcu_is_watching+0x12/0xb0
[ 63.568117][ T2887] ? lock_release+0x4bf/0x690
[ 63.572789][ T2887] ? wbc_attach_and_unlock_inode+0x446/0x910
[ 63.578755][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 63.584120][ T2887] ? lock_release+0x4bf/0x690
[ 63.588795][ T2887] __writeback_single_inode+0x158/0xe90
[ 63.594329][ T2887] ? __mark_inode_dirty+0xd60/0xd60
[ 63.599513][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 63.604352][ T2887] ? wbc_attach_and_unlock_inode+0x49c/0x910
[ 63.610320][ T2887] writeback_sb_inodes+0x599/0x1080
[ 63.615507][ T2887] ? _raw_spin_unlock+0x28/0x40
[ 63.620347][ T2887] ? sync_inode_metadata+0xe0/0xe0
[ 63.625445][ T2887] ? lock_acquire+0x441/0x520
[ 63.630117][ T2887] ? rcu_is_watching+0x12/0xb0
[ 63.634873][ T2887] ? queue_io+0x3ed/0x4e0
[ 63.639190][ T2887] wb_writeback+0x2a5/0xaa0
[ 63.643686][ T2887] ? __writeback_inodes_wb+0x2d0/0x2d0
[ 63.649130][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 63.654501][ T2887] ? spin_bug+0x1d0/0x1d0
[ 63.658819][ T2887] ? rcu_is_watching+0x12/0xb0
[ 63.663574][ T2887] wb_workfn+0x29c/0xfe0
[ 63.667809][ T2887] ? spin_bug+0x1c1/0x1d0
[ 63.672128][ T2887] ? inode_wait_for_writeback+0x30/0x30
[ 63.677668][ T2887] ? do_raw_spin_unlock+0x173/0x230
[ 63.682853][ T2887] ? rcu_is_watching+0x12/0xb0
[ 63.687615][ T2887] ? lock_acquire+0x464/0x520
[ 63.692307][ T2887] ? lock_sync+0x190/0x190
[ 63.696718][ T2887] ? lock_sync+0x190/0x190
[ 63.701125][ T2887] ? reacquire_held_locks+0x4c0/0x4c0
[ 63.706492][ T2887] ? __schedule+0xee3/0x5af0
[ 63.711078][ T2887] ? spin_bug+0x1d0/0x1d0
[ 63.715396][ T2887] process_one_work+0x886/0x15d0
[ 63.720331][ T2887] ? lock_sync+0x190/0x190
[ 63.724742][ T2887] ? workqueue_congested+0x300/0x300
[ 63.730024][ T2887] ? assign_work+0x1a0/0x250
[ 63.734608][ T2887] worker_thread+0x8b9/0x1290
[ 63.739302][ T2887] ? __kthread_parkme+0x14b/0x220
[ 63.744316][ T2887] ? process_one_work+0x15d0/0x15d0
[ 63.749507][ T2887] kthread+0x2c6/0x3a0
[ 63.753566][ T2887] ? _raw_spin_unlock_irq+0x23/0x50
[ 63.758754][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 63.764376][ T2887] ret_from_fork+0x45/0x80
[ 63.768786][ T2887] ? kthread_complete_and_exit+0x40/0x40
[ 63.774406][ T2887] ret_from_fork_asm+0x11/0x20
[ 63.779168][ T2887]
[ 63.782180][ T2887]
[ 63.784487][ T2887] The buggy address belongs to the physical page: