================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xb92/0xd80 fs/ext4/extents.c:955 Read of size 4 at addr ffff88805a1bfb50 by task syz.0.136/6785 CPU: 1 UID: 0 PID: 6785 Comm: syz.0.136 Not tainted 6.14.0-syzkaller-10764-gaa918db707fb #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x16e/0x5b0 mm/kasan/report.c:521 kasan_report+0x143/0x180 mm/kasan/report.c:634 ext4_ext_binsearch fs/ext4/extents.c:840 [inline] ext4_find_extent+0xb92/0xd80 fs/ext4/extents.c:955 ext4_ext_map_blocks+0x2e6/0x7d80 fs/ext4/extents.c:4205 ext4_map_create_blocks fs/ext4/inode.c:517 [inline] ext4_map_blocks+0x909/0x1a70 fs/ext4/inode.c:703 mpage_map_one_extent fs/ext4/inode.c:2221 [inline] mpage_map_and_submit_extent fs/ext4/inode.c:2274 [inline] ext4_do_writepages+0x221d/0x3e50 fs/ext4/inode.c:2736 ext4_writepages+0x26f/0x450 fs/ext4/inode.c:2826 do_writepages+0x36a/0x890 mm/page-writeback.c:2687 filemap_fdatawrite_wbc mm/filemap.c:389 [inline] __filemap_fdatawrite_range mm/filemap.c:422 [inline] file_write_and_wait_range+0x2cf/0x3e0 mm/filemap.c:797 generic_buffers_fsync_noflush+0x71/0x180 fs/buffer.c:600 ext4_fsync_nojournal fs/ext4/fsync.c:88 [inline] ext4_sync_file+0x361/0xc30 fs/ext4/fsync.c:147 generic_write_sync include/linux/fs.h:2976 [inline] ext4_buffered_write_iter+0x2c3/0x390 fs/ext4/file.c:305 ext4_file_write_iter+0x97f/0x1da0 fs/ext4/file.c:-1 do_iter_readv_writev+0x71f/0x9d0 fs/read_write.c:-1 vfs_writev+0x38d/0xbc0 fs/read_write.c:1055 do_pwritev fs/read_write.c:1151 [inline] __do_sys_pwritev2 fs/read_write.c:1209 [inline] __se_sys_pwritev2+0x1b8/0x2d0 fs/read_write.c:1200 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa05b98d169 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa05c750038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007fa05bba5fa0 RCX: 00007fa05b98d169 RDX: 0000000000000001 RSI: 00002000000001c0 RDI: 0000000000000006 RBP: 00007fa05ba0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000e7b R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fa05bba5fa0 R15: 00007fff36bcca08 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:ffff888078e16c20 index:0x759 pfn:0x5a1bf memcg:ffff888059bd6000 aops:shmem_aops ino:eb dentry name(?):"memfd:syzkaller" flags: 0xfff0000002003c(referenced|uptodate|dirty|lru|swapbacked|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff0000002003c ffffea0001686f88 ffffea0001698508 ffff888078e16c20 raw: 0000000000000759 0000000000000000 00000001ffffffff ffff888059bd6000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 6793, tgid 6791 (syz.4.137), ts 129492444560, free_ts 129092413633 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1585 prep_new_page mm/page_alloc.c:1593 [inline] get_page_from_freelist+0x3ab2/0x3c50 mm/page_alloc.c:3538 __alloc_frozen_pages_noprof+0x266/0x580 mm/page_alloc.c:4806 alloc_pages_mpol+0x339/0x690 mm/mempolicy.c:2301 folio_alloc_mpol_noprof+0x36/0x70 mm/mempolicy.c:2320 shmem_alloc_folio mm/shmem.c:1863 [inline] shmem_alloc_and_add_folio+0x490/0x1070 mm/shmem.c:1902 shmem_get_folio_gfp+0x655/0x1800 mm/shmem.c:2545 shmem_get_folio mm/shmem.c:2651 [inline] shmem_write_begin+0x17e/0x3a0 mm/shmem.c:3301 generic_perform_write+0x329/0xa10 mm/filemap.c:4114 shmem_file_write_iter+0xf9/0x120 mm/shmem.c:3477 new_sync_write fs/read_write.c:591 [inline] vfs_write+0x70f/0xd10 fs/read_write.c:684 ksys_write+0x19d/0x2d0 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 6785 tgid 6784 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1130 [inline] free_unref_folios+0xdae/0x1790 mm/page_alloc.c:2764 folios_put_refs+0x779/0x880 mm/swap.c:994 free_pages_and_swap_cache+0x2ea/0x6a0 mm/swap_state.c:331 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:389 [inline] tlb_flush_mmu+0x3a9/0x690 mm/mmu_gather.c:396 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:488 vms_clear_ptes+0x431/0x540 mm/vma.c:1144 vms_complete_munmap_vmas+0x210/0x8f0 mm/vma.c:1186 do_vmi_align_munmap+0x5f3/0x6f0 mm/vma.c:1445 do_vmi_munmap+0x24e/0x2d0 mm/vma.c:1493 __vm_munmap+0x37b/0x520 mm/vma.c:2956 __do_sys_munmap mm/mmap.c:1084 [inline] __se_sys_munmap mm/mmap.c:1081 [inline] __x64_sys_munmap+0x60/0x70 mm/mmap.c:1081 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88805a1bfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88805a1bfa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88805a1bfb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff88805a1bfb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88805a1bfc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================