================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:826 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xba3/0xd80 fs/ext4/extents.c:945 Read of size 4 at addr ffff88816d4d7058 by task kworker/u4:0/28167 CPU: 0 PID: 28167 Comm: kworker/u4:0 Tainted: G W 5.10.161-syzkaller-00019-g416c4356f372 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 Workqueue: writeback wb_workfn (flush-7:3) Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118 print_address_description+0x81/0x3c0 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 ext4_ext_binsearch fs/ext4/extents.c:826 [inline] ext4_find_extent+0xba3/0xd80 fs/ext4/extents.c:945 ext4_ext_map_blocks+0x219/0x3a30 fs/ext4/extents.c:4097 ext4_map_blocks+0xa93/0x1ee0 fs/ext4/inode.c:638 mpage_map_one_extent+0x1bd/0x680 fs/ext4/inode.c:2441 mpage_map_and_submit_extent fs/ext4/inode.c:2494 [inline] ext4_writepages+0x15e9/0x3710 fs/ext4/inode.c:2862 do_writepages+0x13a/0x280 mm/page-writeback.c:2358 __writeback_single_inode+0xb8/0x6e0 fs/fs-writeback.c:1467 writeback_sb_inodes+0x999/0x1700 fs/fs-writeback.c:1730 wb_writeback+0x42f/0xc20 fs/fs-writeback.c:1905 wb_do_writeback+0x222/0xbd0 fs/fs-writeback.c:2050 wb_workfn+0xf8/0x3f0 fs/fs-writeback.c:2091 process_one_work+0x726/0xc10 kernel/workqueue.c:2296 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442 kthread+0x349/0x3d0 kernel/kthread.c:313 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299 The buggy address belongs to the page: page:ffffea0005b535c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x16d4d7 flags: 0x8000000000000000() raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x3100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|0x2000000), pid 485, ts 1029568283928, free_ts 1233794346008 set_page_owner include/linux/page_owner.h:35 [inline] post_alloc_hook mm/page_alloc.c:2386 [inline] prep_new_page mm/page_alloc.c:2392 [inline] get_page_from_freelist+0x755/0x810 mm/page_alloc.c:4073 __alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5160 __alloc_pages include/linux/gfp.h:529 [inline] __alloc_pages_node include/linux/gfp.h:542 [inline] alloc_pages_node include/linux/gfp.h:556 [inline] alloc_pages include/linux/gfp.h:575 [inline] do_anonymous_page+0x307/0x1050 mm/memory.c:3922 handle_pte_fault+0x4cd/0x9d0 mm/memory.c:4735 ___handle_speculative_fault+0xfca/0x1470 mm/memory.c:5149 __handle_speculative_fault+0xc3/0x2b0 mm/memory.c:5192 handle_speculative_fault include/linux/mm.h:1817 [inline] do_user_addr_fault+0x885/0xce0 arch/x86/mm/fault.c:1319 handle_page_fault arch/x86/mm/fault.c:1462 [inline] exc_page_fault+0x71/0x1b0 arch/x86/mm/fault.c:1518 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571 page last free stack trace: reset_page_owner include/linux/page_owner.h:28 [inline] free_pages_prepare mm/page_alloc.c:1332 [inline] free_pcp_prepare+0x18c/0x1c0 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3293 [inline] free_unref_page_list+0x11d/0x660 mm/page_alloc.c:3367 release_pages+0xc24/0xc60 mm/swap.c:1082 free_pages_and_swap_cache+0x97/0xb0 mm/swap_state.c:356 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline] tlb_flush_mmu_free mm/mmu_gather.c:240 [inline] tlb_flush_mmu+0x8a0/0xa80 mm/mmu_gather.c:247 tlb_finish_mmu+0xd2/0x1f0 mm/mmu_gather.c:326 zap_page_range+0x6f4/0x7f0 mm/memory.c:1621 madvise_dontneed_single_vma mm/madvise.c:778 [inline] madvise_dontneed_free mm/madvise.c:833 [inline] madvise_vma mm/madvise.c:957 [inline] do_madvise+0xd2b/0x24f0 mm/madvise.c:1154 __do_sys_madvise mm/madvise.c:1180 [inline] __se_sys_madvise mm/madvise.c:1178 [inline] __x64_sys_madvise+0xa9/0xc0 mm/madvise.c:1178 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Memory state around the buggy address: ffff88816d4d6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88816d4d6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88816d4d7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88816d4d7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88816d4d7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop3): ext4_ext_split:1071: inode #19: comm kworker/u4:0: p_ext > EXT_MAX_EXTENT! EXT4-fs (loop3): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 16 with error 117 EXT4-fs (loop3): This should not happen!! Data will be lost EXT4-fs error (device loop2): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop2): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop2): This should not happen!! Data will be lost EXT4-fs error (device loop2): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop2): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop2): This should not happen!! Data will be lost EXT4-fs error (device loop2): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop2): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop2): This should not happen!! Data will be lost EXT4-fs error (device loop3): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop3): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop3): This should not happen!! Data will be lost EXT4-fs error (device loop1): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop1): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop1): This should not happen!! Data will be lost EXT4-fs error (device loop1): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop1): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop1): This should not happen!! Data will be lost EXT4-fs error (device loop2): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop2): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop2): This should not happen!! Data will be lost EXT4-fs error (device loop1): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop1): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop1): This should not happen!! Data will be lost EXT4-fs error (device loop3): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop3): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop3): This should not happen!! Data will be lost EXT4-fs error (device loop3): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop3): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop3): This should not happen!! Data will be lost EXT4-fs error (device loop2): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop2): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop2): This should not happen!! Data will be lost EXT4-fs error (device loop1): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop1): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop1): This should not happen!! Data will be lost EXT4-fs error (device loop1): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1) EXT4-fs (loop1): Delayed block allocation failed for inode 19 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop1): This should not happen!! Data will be lost EXT4-fs error (device loop1): ext4_map_blocks:718: inode #19: block 192: comm kworker/u4:0: lblock 0 mapped to illegal pblock 192 (length 1)