==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x8dc/0xa8c fs/ext4/extents.c:955
Read of size 4 at addr ffff0000ff074e18 by task kworker/u8:9/664

CPU: 0 UID: 0 PID: 664 Comm: kworker/u8:9 Not tainted 6.15.0-rc4-syzkaller-ge0f4c8dd9d2d #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: writeback wb_workfn (flush-7:0)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0x8dc/0xa8c fs/ext4/extents.c:955
 ext4_ext_map_blocks+0x258/0x52ec fs/ext4/extents.c:4205
 ext4_map_create_blocks fs/ext4/inode.c:520 [inline]
 ext4_map_blocks+0x6a8/0x13ac fs/ext4/inode.c:706
 mpage_map_one_extent fs/ext4/inode.c:2224 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2277 [inline]
 ext4_do_writepages+0x1944/0x3304 fs/ext4/inode.c:2739
 ext4_writepages+0x174/0x29c fs/ext4/inode.c:2829
 do_writepages+0x2c0/0x6a8 mm/page-writeback.c:2656
 __writeback_single_inode+0x15c/0x13e8 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x558/0xe38 fs/fs-writeback.c:1976
 wb_writeback+0x3cc/0xd70 fs/fs-writeback.c:2156
 wb_do_writeback fs/fs-writeback.c:2303 [inline]
 wb_workfn+0x338/0xdc0 fs/fs-writeback.c:2343
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x355 pfn:0x13f074
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000355 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ff074d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000ff074d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000ff074e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff0000ff074e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000ff074f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:9: p_ext > EXT_MAX_EXTENT!
EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs (loop0): start 0, size 131072, fe_logical 131072
------------[ cut here ]------------
kernel BUG at fs/ext4/mballoc.c:4555!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 664 Comm: kworker/u8:9 Tainted: G    B               6.15.0-rc4-syzkaller-ge0f4c8dd9d2d #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: writeback wb_workfn (flush-7:0)
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ext4_mb_normalize_request+0x1898/0x18c4 fs/ext4/mballoc.c:4551
lr : ext4_mb_normalize_request+0x1898/0x18c4 fs/ext4/mballoc.c:4551
sp : ffff80009cff6440
x29: ffff80009cff6500 x28: 0000000000020000 x27: dfff800000000000
x26: ffffffffffffffff x25: 0000000000020000 x24: ffff0000ddb891b0
x23: 0000000000000000 x22: 0000000000020000 x21: 0000000000020000
x20: 1fffe0001bb71237 x19: ffff0000ddb891b8 x18: 1fffe00036711a76
x17: 0000000000000000 x16: ffff80008ada5d6c x15: 0000000000000001
x14: 1ffff000139febcc x13: 0000000000000000 x12: 0000000000000000
x11: ffff7000139febcd x10: 0000000000ff0100 x9 : f3b055b547311600
x8 : f3b055b547311600 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009cff5c98 x4 : ffff80008f3f4fa0 x3 : ffff800082faeee4
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000038
Call trace:
 ext4_mb_normalize_request+0x1898/0x18c4 fs/ext4/mballoc.c:4551 (P)
 ext4_mb_new_blocks+0xaf4/0x4208 fs/ext4/mballoc.c:6208
 ext4_ext_map_blocks+0x1090/0x52ec fs/ext4/extents.c:4379
 ext4_map_create_blocks fs/ext4/inode.c:520 [inline]
 ext4_map_blocks+0x6a8/0x13ac fs/ext4/inode.c:706
 mpage_map_one_extent fs/ext4/inode.c:2224 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2277 [inline]
 ext4_do_writepages+0x1944/0x3304 fs/ext4/inode.c:2739
 ext4_writepages+0x174/0x29c fs/ext4/inode.c:2829
 do_writepages+0x2c0/0x6a8 mm/page-writeback.c:2656
 __writeback_single_inode+0x15c/0x13e8 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x558/0xe38 fs/fs-writeback.c:1976
 wb_writeback+0x3cc/0xd70 fs/fs-writeback.c:2156
 wb_do_writeback fs/fs-writeback.c:2303 [inline]
 wb_workfn+0x338/0xdc0 fs/fs-writeback.c:2343
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
Code: f9400100 aa1603e4 aa1503e5 9401f72c (d4210000)
---[ end trace 0000000000000000 ]---