program: syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000140)='./file1\x00', 0x30000c6, &(0x7f0000000080), 0x1, 0x553, &(0x7f0000001080)="$eJzs3d9rW1UcAPDvTdv91nUwhopIYQ9O5tK19ccEH+aj6HCg7zO0d2U0WUaTjrUO3B7ciy8yBBEH4ru++zj8B/wrBjoYMoo++BK56U2XrUmbddnSmc8Hbjkn9ybnfnPv9/TcnBsSwNCayP4UIl6OiG+SiIMRkeTrRiNfObG23er9q7PZkkSj8elfSXO7rN56rdbz9ueVlyLit68ijhc2tltbXlkolcvpYl6frFcuTdaWV05cqJTm0/n04vTMzKm3Z6bfe/edvsX6xtl/vv/k9oenvj66+t0vdw/dTOJ0HMjXtcfxBK61VyZiIn9PxuL0IxtO9aGxnSQZ9A6wLSN5no9F1gccjJE864H/vy8jogEMqUT+w5BqjQNa1/Z9ug5+btz7YO0CaGP8o2ufjcSe5rXRvtXkoSuj7Hp3vA/tZ238+uetm9kS/fscAmBL165HxMnR0Y39X5L3f9t3sodtHm1D/wfPzu1s/PNmp/FPYX38Ex3GP/s75O52bJ3/hbt9aKarbPz3fsfx7/qk1fhIXnuhOeYbS85fKKdZ3/ZiRByLsd1ZfbP5nFOrdxrd1rWP/7Ila781Fsz34+7o7oefM1eql54k5nb3rke80nH8m6wf/6TD8c/ej7M9tnEkvfVat3Vbx/90NX6KeL3j8X8wo5VsPj852TwfJltnxUZ/3zjye7f2Bx1/dvz3bR7/eNI+X1t7/DZ+3PNv2m3dQ/FH7+f/ruSzZnlX/tiVUr2+OBWxK/l44+PTD57bqre2z+I/dnTz/q/T+b83Ij7vMf4bh39+taf4B3T85x7r+D9+4c5HX/zQrf3e+r+3mqVj+SO99H+97uCTvHcAAAAAAACw0xQi4kAkheJ6uVAoFtfu7zgc+wrlaq1+/Hx16eJcNL8rOx5jhdZM98G2+yGm8vthW/XpR+ozEXEoIr4d2dusF2er5blBBw8AAAAAAAAAAAAAAAAAAAA7xP4u3//P/DEy6L0Dnjo/+Q3Da8v878cvPQE7kv//MLzkPwwv+Q/DS/7D8JL/MLzkPwwv+Q/DS/4DAAAAAAAAAAAAAAAAAAAAAAAAAABAX509cyZbGqv3r85m9bnLy0sL1csn5tLaQrGyNFucrS5eKs5Xq/PltDhbrWz1euVq9dLUdCxdmayntfpkbXnlXKW6dLF+7kKlNJ+eS8eeSVQAAAAAAAAAAAAAAAAAAADwfKktryyUyuV0UUFhW4XRnbEbCn0uDLpnAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAH/gsAAP//6AY3sQ==") mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./bus\x00', 0x0) chdir(&(0x7f00000000c0)='./bus\x00') r0 = perf_event_open(&(0x7f0000000180)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x80, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x8}, 0x0, 0x0, r0, 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0x3}, 0x0, 0xc884}, 0x0, 0x0, r0, 0x0) syz_clone(0x82288000, 0x0, 0x0, 0x0, 0x0, 0x0) lsetxattr$system_posix_acl(&(0x7f0000000400)='.\x00', &(0x7f0000000440)='system.posix_acl_default\x00', &(0x7f00000000c0)=ANY=[@ANYBLOB="02000000010000000000000002000000", @ANYRES32=0xee01, @ANYBLOB="02000000", @ANYRES32=0xee00, @ANYBLOB="02000000", @ANYRES32=0xee00, @ANYBLOB="02000000", @ANYRES32=0x0, @ANYBLOB="040000000000800008000000", @ANYRES32=0x0, @ANYBLOB='\b\x00\x00\x00', @ANYRES32=0x0, @ANYBLOB='\b\x00\x00\x00', @ANYRES32=0x0, @ANYBLOB="100000000000000020"], 0x5c, 0x0) syz_mount_image$fuse(0x0, &(0x7f0000000400)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000380)='./file0\x00', &(0x7f0000000680), &(0x7f00000006c0)=ANY=[], 0x835, 0x1) lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0) syz_mount_image$fuse(0x0, &(0x7f0000000180)='./file2\x00', 0x0, 0x0, 0x0, 0x0, 0x0) mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x0, &(0x7f0000000140)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000900)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]}) chdir(&(0x7f00000003c0)='./bus\x00') r1 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0) mkdirat(r1, &(0x7f0000000200)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x18) [ 68.393597][ T4705] Bluetooth: hci0: command tx timeout [ 68.426643][ T5355] loop0: detected capacity change from 0 to 1024 [ 68.463451][ T5355] ======================================================= [ 68.463451][ T5355] WARNING: The mand mount option has been deprecated and [ 68.463451][ T5355] and is ignored by this kernel. Remove the mand [ 68.463451][ T5355] option from the mount to silence this warning. [ 68.463451][ T5355] ======================================================= [ 68.540299][ T5355] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 68.634747][ T5355] overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off. [ 68.641271][ T5360] ================================================================== [ 68.644774][ T5360] BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 [ 68.648065][ T5360] Read of size 4 at addr ffff88804ca65018 by task syz.0.0/5360 [ 68.651290][ T5360] [ 68.652365][ T5360] CPU: 0 UID: 0 PID: 5360 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 68.652379][ T5360] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.652387][ T5360] Call Trace: [ 68.652394][ T5360] [ 68.652400][ T5360] dump_stack_lvl+0x189/0x250 [ 68.652418][ T5360] ? __virt_addr_valid+0x1c8/0x5c0 [ 68.652433][ T5360] ? rcu_is_watching+0x15/0xb0 [ 68.652446][ T5360] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.652458][ T5360] ? rcu_is_watching+0x15/0xb0 [ 68.652470][ T5360] ? lock_release+0x4b/0x3e0 [ 68.652486][ T5360] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 68.652546][ T5360] ? __virt_addr_valid+0x1c8/0x5c0 [ 68.652560][ T5360] ? __virt_addr_valid+0x4a5/0x5c0 [ 68.652575][ T5360] print_report+0xca/0x240 [ 68.652587][ T5360] ? ext4_find_extent+0xae6/0xcc0 [ 68.652602][ T5360] kasan_report+0x118/0x150 [ 68.652618][ T5360] ? ext4_find_extent+0xae6/0xcc0 [ 68.652635][ T5360] ext4_find_extent+0xae6/0xcc0 [ 68.652653][ T5360] ext4_ext_map_blocks+0x288/0x6ac0 [ 68.652669][ T5360] ? rcu_is_watching+0x15/0xb0 [ 68.652681][ T5360] ? preempt_schedule_irq+0xde/0x150 [ 68.652707][ T5360] ? __lock_acquire+0xab9/0xd20 [ 68.652726][ T5360] ? __pfx_ext4_ext_map_blocks+0x10/0x10 [ 68.652748][ T5360] ? ext4_es_lookup_extent+0x622/0xa70 [ 68.652763][ T5360] ext4_map_blocks+0x860/0x1740 [ 68.652779][ T5360] ? __pfx_ext4_map_blocks+0x10/0x10 [ 68.652791][ T5360] ? __lock_acquire+0xab9/0xd20 [ 68.652810][ T5360] ? percpu_ref_get_many+0x19/0x140 [ 68.652826][ T5360] _ext4_get_block+0x200/0x4c0 [ 68.652839][ T5360] ? __pfx__ext4_get_block+0x10/0x10 [ 68.652855][ T5360] ext4_get_block_unwritten+0x2e/0x100 [ 68.652869][ T5360] ext4_block_write_begin+0x993/0x1710 [ 68.652887][ T5360] ? __pfx_ext4_get_block_unwritten+0x10/0x10 [ 68.652900][ T5360] ? __pfx_ext4_block_write_begin+0x10/0x10 [ 68.652913][ T5360] ? folio_mapping+0x16f/0x240 [ 68.652924][ T5360] ? ext4_inode_journal_mode+0x18c/0x480 [ 68.652940][ T5360] ext4_write_begin+0xc04/0x19a0 [ 68.652964][ T5360] ? __pfx_ext4_write_begin+0x10/0x10 [ 68.652983][ T5360] ext4_da_write_begin+0x445/0xda0 [ 68.652995][ T5360] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10 [ 68.653011][ T5360] ? file_remove_privs_flags+0x3b1/0x5f0 [ 68.653029][ T5360] ? __pfx_ext4_da_write_begin+0x10/0x10 [ 68.653043][ T5360] generic_perform_write+0x2c5/0x900 [ 68.653059][ T5360] ? __pfx_generic_perform_write+0x10/0x10 [ 68.653070][ T5360] ? file_modified_flags+0x374/0x560 [ 68.653083][ T5360] ? ext4_write_checks+0x24b/0x2c0 [ 68.653096][ T5360] ext4_buffered_write_iter+0xce/0x3a0 [ 68.653112][ T5360] ext4_file_write_iter+0x298/0x1bc0 [ 68.653128][ T5360] ? __get_user_pages+0x2a5c/0x2ce0 [ 68.653142][ T5360] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 68.653158][ T5360] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 68.653172][ T5360] __kernel_write_iter+0x428/0x910 [ 68.653185][ T5360] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 68.653199][ T5360] ? __pfx___kernel_write_iter+0x10/0x10 [ 68.653211][ T5360] ? __up_read+0x280/0x680 [ 68.653225][ T5360] ? __asan_memset+0x22/0x50 [ 68.653236][ T5360] ? iov_iter_bvec+0xb8/0x180 [ 68.653254][ T5360] dump_user_range+0x8a0/0xc90 [ 68.653273][ T5360] ? __pfx_dump_user_range+0x10/0x10 [ 68.653287][ T5360] ? elf_coredump_extra_notes_write+0x42e/0x4b0 [ 68.653302][ T5360] ? __pfx_elf_coredump_extra_notes_write+0x10/0x10 [ 68.653314][ T5360] ? __kasan_kmalloc+0x93/0xb0 [ 68.653328][ T5360] ? dump_emit+0xa6/0xe0 [ 68.653341][ T5360] ? elf_core_dump+0x2cff/0x3990 [ 68.653357][ T5360] elf_core_dump+0x337b/0x3990 [ 68.653378][ T5360] ? __pfx_elf_core_dump+0x10/0x10 [ 68.653393][ T5360] ? kasan_save_track+0x4f/0x80 [ 68.653404][ T5360] ? kasan_save_track+0x3e/0x80 [ 68.653415][ T5360] ? __kasan_kmalloc+0x93/0xb0 [ 68.653427][ T5360] ? __kvmalloc_node_noprof+0x30d/0x5f0 [ 68.653441][ T5360] ? coredump_write+0x340/0x1900 [ 68.653454][ T5360] ? vfs_coredump+0x1daa/0x2a50 [ 68.653466][ T5360] ? get_signal+0x1109/0x1340 [ 68.653476][ T5360] ? arch_do_signal_or_restart+0x9a/0x750 [ 68.653493][ T5360] ? irqentry_exit_to_user_mode+0x81/0x120 [ 68.653509][ T5360] ? exc_page_fault+0x9f/0xf0 [ 68.653523][ T5360] ? asm_exc_page_fault+0x26/0x30 [ 68.653547][ T5360] ? 0xffffffffff600000 [ 68.653558][ T5360] ? up_write+0x1c4/0x420 [ 68.653572][ T5360] coredump_write+0x1169/0x1900 [ 68.653591][ T5360] ? __pfx_coredump_write+0x10/0x10 [ 68.653610][ T5360] ? unshare_files+0xa9/0x140 [ 68.653626][ T5360] vfs_coredump+0x1daa/0x2a50 [ 68.653643][ T5360] ? __pfx_vfs_coredump+0x10/0x10 [ 68.653655][ T5360] ? is_bpf_text_address+0x26/0x2b0 [ 68.653671][ T5360] ? __lock_acquire+0xab9/0xd20 [ 68.653690][ T5360] ? __lock_acquire+0xab9/0xd20 [ 68.653710][ T5360] ? is_bpf_text_address+0x26/0x2b0 [ 68.653727][ T5360] ? is_bpf_text_address+0x26/0x2b0 [ 68.653743][ T5360] ? is_bpf_text_address+0x292/0x2b0 [ 68.653757][ T5360] ? is_bpf_text_address+0x26/0x2b0 [ 68.653772][ T5360] ? kernel_text_address+0xa5/0xe0 [ 68.653788][ T5360] ? __kernel_text_address+0xd/0x40 [ 68.653802][ T5360] ? unwind_get_return_address+0x4d/0x90 [ 68.653815][ T5360] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 68.653829][ T5360] ? arch_stack_walk+0xfc/0x150 [ 68.653846][ T5360] ? stack_trace_save+0x9c/0xe0 [ 68.653859][ T5360] ? stack_depot_save_flags+0x40/0x860 [ 68.653875][ T5360] ? kasan_save_track+0x4f/0x80 [ 68.653886][ T5360] ? kasan_save_track+0x3e/0x80 [ 68.653897][ T5360] ? kasan_save_free_info+0x46/0x50 [ 68.653912][ T5360] ? __kasan_slab_free+0x5b/0x80 [ 68.653924][ T5360] ? kmem_cache_free+0x18f/0x400 [ 68.653937][ T5360] ? get_signal+0xa4c/0x1340 [ 68.653946][ T5360] ? arch_do_signal_or_restart+0x9a/0x750 [ 68.653962][ T5360] ? irqentry_exit_to_user_mode+0x81/0x120 [ 68.653978][ T5360] ? exc_page_fault+0x9f/0xf0 [ 68.653991][ T5360] ? asm_exc_page_fault+0x26/0x30 [ 68.654016][ T5360] ? _raw_spin_unlock_irq+0x23/0x50 [ 68.654031][ T5360] ? lockdep_hardirqs_on+0x9c/0x150 [ 68.654046][ T5360] get_signal+0x1109/0x1340 [ 68.654062][ T5360] arch_do_signal_or_restart+0x9a/0x750 [ 68.654080][ T5360] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 68.654095][ T5360] ? __bad_area_nosemaphore+0x3fb/0x780 [ 68.654107][ T5360] ? local_irq_enable_exit_to_user+0x5/0x10 [ 68.654123][ T5360] irqentry_exit_to_user_mode+0x81/0x120 [ 68.654138][ T5360] exc_page_fault+0x9f/0xf0 [ 68.654153][ T5360] asm_exc_page_fault+0x26/0x30 [ 68.654164][ T5360] RIP: 0033:0x7f3b9a64f927 [ 68.654176][ T5360] Code: 88 15 d2 5d ea 00 88 05 cf 5d ea 00 c3 50 48 8d 35 01 25 1c 00 48 8d 3d 07 25 1c 00 31 c0 e8 20 f7 ff ff 53 89 fb 48 83 ec 10 <64> 8b 04 25 94 ff ff ff 85 c0 74 2a 89 fe 31 c0 bf 3c 00 00 00 e8 [ 68.654187][ T5360] RSP: 002b:00007f3b9b6741a0 EFLAGS: 00010206 [ 68.654199][ T5360] RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f3b9a78ebe9 [ 68.654207][ T5360] RDX: 00007f3b9b6741c0 RSI: 00007f3b9b6742f0 RDI: 000000000000000b [ 68.654215][ T5360] RBP: 00007f3b9a811e19 R08: 0000000000000000 R09: 0000000000000000 [ 68.654223][ T5360] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 68.654230][ T5360] R13: 00007f3b9a9c6038 R14: 00007f3b9a9c5fa0 R15: 00007ffd6f1ef398 [ 68.654242][ T5360] [ 68.654247][ T5360] [ 68.943819][ T5360] The buggy address belongs to the physical page: [ 68.946409][ T5360] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ca65 [ 68.950348][ T5360] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 68.953931][ T5360] raw: 04fff00000000000 ffffea0001329988 ffffea0001329908 0000000000000000 [ 68.957522][ T5360] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 68.961457][ T5360] page dumped because: kasan: bad access detected [ 68.964194][ T5360] page_owner info is not present (never set?) [ 68.966718][ T5360] [ 68.967784][ T5360] Memory state around the buggy address: [ 68.970185][ T5360] ffff88804ca64f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.973532][ T5360] ffff88804ca64f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.977011][ T5360] >ffff88804ca65000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.980480][ T5360] ^ [ 68.982577][ T5360] ffff88804ca65080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.985963][ T5360] ffff88804ca65100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 68.989233][ T5360] ==================================================================