==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
Read of size 4 at addr ffff88804d40d238 by task kworker/u4:2/28410

CPU: 1 PID: 28410 Comm: kworker/u4:2 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: writeback wb_workfn (flush-7:3)
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x66/0x3e0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
 ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
 ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
 ext4_ext_map_blocks+0x220/0x7220 fs/ext4/extents.c:4066
 ext4_map_blocks+0xaba/0x1cc0 fs/ext4/inode.c:637
 mpage_map_one_extent fs/ext4/inode.c:2393 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2446 [inline]
 ext4_writepages+0x1727/0x4080 fs/ext4/inode.c:2798
 do_writepages+0x49d/0x760 mm/page-writeback.c:2364
 __writeback_single_inode+0xd4/0x590 fs/fs-writeback.c:1616
 writeback_sb_inodes+0xd29/0x29e0 fs/fs-writeback.c:1881
 wb_writeback+0x41c/0x9b0 fs/fs-writeback.c:2053
 wb_do_writeback fs/fs-writeback.c:2196 [inline]
 wb_workfn+0x41b/0x1430 fs/fs-writeback.c:2237
 process_one_work+0x853/0x1140 kernel/workqueue.c:2297
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2444
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

The buggy address belongs to the page:
page:ffffea0001350340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x4d40d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00013528c8 ffffea00023ba7c8 0000000000000000
raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), pid 13548, ts 356891507738, free_ts 358251311809
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4153
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5375
 __page_cache_alloc+0x79/0x1c0 mm/filemap.c:1022
 pagecache_get_page+0x7cf/0xe80 mm/filemap.c:1940
 grab_cache_page_write_begin+0x56/0x90 mm/filemap.c:3724
 ext4_da_write_begin+0x561/0x9b0 fs/ext4/inode.c:2961
 generic_perform_write+0x2dd/0x600 mm/filemap.c:3770
 ext4_buffered_write_iter+0x43b/0x5b0 fs/ext4/file.c:269
 ext4_file_write_iter+0x8f7/0x1bb0
 call_write_iter include/linux/fs.h:2163 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xb11/0xe90 fs/read_write.c:594
 ksys_write+0x18f/0x2c0 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3431
 release_pages+0x18cb/0x1b00 mm/swap.c:963
 __pagevec_release+0x7d/0xf0 mm/swap.c:983
 pagevec_release include/linux/pagevec.h:81 [inline]
 truncate_inode_pages_range+0x492/0x12d0 mm/truncate.c:329
 ext4_evict_inode+0x424/0xf70 fs/ext4/inode.c:222
 evict+0x2a4/0x620 fs/inode.c:588
 do_unlinkat+0x578/0xa10 fs/namei.c:4176
 __do_sys_unlink fs/namei.c:4217 [inline]
 __se_sys_unlink fs/namei.c:4215 [inline]
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4215
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88804d40d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d40d180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804d40d200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff88804d40d280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d40d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================