EXT4-fs (loop2): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x8dc/0xa8c fs/ext4/extents.c:956
Read of size 4 at addr ffff0000e644db64 by task syz.2.232/7677

CPU: 0 UID: 0 PID: 7677 Comm: syz.2.232 Not tainted 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x220 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:480
 kasan_report+0xb0/0x110 mm/kasan/report.c:593
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0x8dc/0xa8c fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x258/0x5494 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x708/0x1434 fs/ext4/inode.c:813
 mpage_map_one_extent fs/ext4/inode.c:2348 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2401 [inline]
 ext4_do_writepages+0x196c/0x32b0 fs/ext4/inode.c:2863
 ext4_writepages+0x178/0x2a0 fs/ext4/inode.c:2953
 do_writepages+0x270/0x468 mm/page-writeback.c:2636
 filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
 __filemap_fdatawrite_range mm/filemap.c:419 [inline]
 file_write_and_wait_range+0x1c8/0x2b8 mm/filemap.c:794
 generic_buffers_fsync_noflush+0x78/0x188 fs/buffer.c:609
 ext4_fsync_nojournal fs/ext4/fsync.c:88 [inline]
 ext4_sync_file+0x2e8/0xb44 fs/ext4/fsync.c:147
 vfs_fsync_range+0x160/0x19c fs/sync.c:187
 generic_write_sync include/linux/fs.h:3031 [inline]
 ext4_buffered_write_iter+0x458/0x528 fs/ext4/file.c:305
 ext4_file_write_iter+0x1d8/0x1864 fs/ext4/file.c:-1
 aio_write+0x328/0x49c fs/aio.c:1634
 __io_submit_one fs/aio.c:-1 [inline]
 io_submit_one+0x5e0/0xf10 fs/aio.c:2053
 __do_sys_io_submit fs/aio.c:2112 [inline]
 __se_sys_io_submit fs/aio.c:2082 [inline]
 __arm64_sys_io_submit+0x21c/0x38c fs/aio.c:2082
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xae4 pfn:0x12644d
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000ae4 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e644da00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e644da80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e644db00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff0000e644db80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e644dc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_map_blocks:816: inode #15: block 1: comm syz.2.232: lblock 1 mapped to illegal pblock 1 (length 3)
EXT4-fs (loop2): Delayed block allocation failed for inode 15 at logical offset 1 with max blocks 3 with error 117
EXT4-fs (loop2): This should not happen!! Data will be lost
------------[ cut here ]------------
kernel BUG at fs/ext4/extents.c:2153!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 7677 Comm: syz.2.232 Tainted: G B 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ext4_ext_insert_extent+0x3c88/0x3d90 fs/ext4/extents.c:2153
lr : ext4_ext_insert_extent+0x3c88/0x3d90 fs/ext4/extents.c:2153
sp : ffff8000a1b063e0
x29: ffff8000a1b06560 x28: ffff8000a1b067b0 x27: 1fffe0001a955948
x26: dfff800000000000 x25: 0000000000000000 x24: ffff0000e64612b0
x23: 0000000000000000 x22: ffff0000d4aaca40 x21: 0000000000000000
x20: ffff0000e643a400 x19: ffff0000d4aaca00 x18: 1fffe000337d6476
x17: 0000000000000000 x16: ffff80008af00d1c x15: 0000000000000001
x14: 1fffe000182b413f x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 000000000007ffff x9 : ffff8000a73f2000
x8 : 0000000000080000 x7 : 0000000100008003 x6 : 0000800300000001
x5 : 0000000000000001 x4 : ffff0000c15a09f8 x3 : ffff8000810631b4
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 ext4_ext_insert_extent+0x3c88/0x3d90 fs/ext4/extents.c:2153 (P)
 ext4_ext_map_blocks+0x11cc/0x5494 fs/ext4/extents.c:4404
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x708/0x1434 fs/ext4/inode.c:813
 ext4_convert_unwritten_extents+0x244/0x500 fs/ext4/extents.c:4932
 ext4_convert_unwritten_io_end_vec+0xf0/0x170 fs/ext4/extents.c:4972
 ext4_end_io_end+0xb4/0x334 fs/ext4/page-io.c:199
 ext4_put_io_end+0x13c/0x1d4 fs/ext4/page-io.c:335
 ext4_do_writepages+0xe74/0x32b0 fs/ext4/inode.c:2896
 ext4_writepages+0x178/0x2a0 fs/ext4/inode.c:2953
 do_writepages+0x270/0x468 mm/page-writeback.c:2636
 filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
 __filemap_fdatawrite_range mm/filemap.c:419 [inline]
 file_write_and_wait_range+0x1c8/0x2b8 mm/filemap.c:794
 generic_buffers_fsync_noflush+0x78/0x188 fs/buffer.c:609
 ext4_fsync_nojournal fs/ext4/fsync.c:88 [inline]
 ext4_sync_file+0x2e8/0xb44 fs/ext4/fsync.c:147
 vfs_fsync_range+0x160/0x19c fs/sync.c:187
 generic_write_sync include/linux/fs.h:3031 [inline]
 ext4_buffered_write_iter+0x458/0x528 fs/ext4/file.c:305
 ext4_file_write_iter+0x1d8/0x1864 fs/ext4/file.c:-1
 aio_write+0x328/0x49c fs/aio.c:1634
 __io_submit_one fs/aio.c:-1 [inline]
 io_submit_one+0x5e0/0xf10 fs/aio.c:2053
 __do_sys_io_submit fs/aio.c:2112 [inline]
 __se_sys_io_submit fs/aio.c:2082 [inline]
 __arm64_sys_io_submit+0x21c/0x38c fs/aio.c:2082
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 54ffed4b 97ef5e82 17ffff68 97daeb8a (d4210000)
---[ end trace 0000000000000000 ]---