EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -117)
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_ext_binsearch fs/ext4/extents.c:826 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:945
Read of size 4 at addr ffff88812dc0d068 by task kworker/u4:1/9

CPU: 1 PID: 9 Comm: kworker/u4:1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_ext_binsearch fs/ext4/extents.c:826 [inline]
 ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:945
 ext4_ext_map_blocks+0x20b/0x5e00 fs/ext4/extents.c:4176
 ext4_map_blocks+0x985/0x1bd0 fs/ext4/inode.c:676
 ext4_convert_unwritten_extents+0x227/0x400 fs/ext4/extents.c:4878
 ext4_convert_unwritten_io_end_vec+0x103/0x180 fs/ext4/extents.c:4917
 ext4_end_io_end fs/ext4/page-io.c:189 [inline]
 ext4_do_flush_completed_IO fs/ext4/page-io.c:262 [inline]
 ext4_end_io_rsv_work+0x2c1/0x610 fs/ext4/page-io.c:276
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 worker_thread+0xa6a/0x13c0 kernel/workqueue.c:2447
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Allocated by task 378:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 __kasan_slab_alloc+0xbd/0xf0 mm/kasan/common.c:463
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook+0x5d/0x2f0 mm/slab.h:580
 slab_alloc_node mm/slub.c:2952 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc+0x162/0x2d0 mm/slub.c:2965
 kmem_cache_zalloc include/linux/slab.h:657 [inline]
 alloc_buffer_head+0x26/0x120 fs/buffer.c:3367
 alloc_page_buffers+0x10a/0x4a0 fs/buffer.c:858
 create_empty_buffers+0x3d/0x4c0 fs/buffer.c:1592
 ext4_block_write_begin+0x279/0x1340 fs/ext4/inode.c:1084
 ext4_da_write_begin+0x7db/0xf10 fs/ext4/inode.c:3100
 generic_perform_write+0x2ce/0x540 mm/filemap.c:3509
 ext4_buffered_write_iter+0x4b8/0x640 fs/ext4/file.c:271
 ext4_file_write_iter+0x53f/0x1980 fs/ext4/file.c:-1
 do_iter_readv_writev+0x478/0x5f0 fs/read_write.c:-1
 do_iter_write+0x189/0x630 fs/read_write.c:866
 vfs_iter_write+0x7d/0xa0 fs/read_write.c:907
 iter_file_splice_write+0x68c/0xcb0 fs/splice.c:689
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0xe9/0x120 fs/splice.c:936
 splice_direct_to_actor+0x4cb/0xb30 fs/splice.c:891
 do_splice_direct+0x1c2/0x2d0 fs/splice.c:979
 do_sendfile+0x8df/0x1040 fs/read_write.c:1257
 __do_sys_sendfile64 fs/read_write.c:1318 [inline]
 __se_sys_sendfile64 fs/read_write.c:1304 [inline]
 __x64_sys_sendfile64+0x199/0x1f0 fs/read_write.c:1304
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88812dc0d000
 which belongs to the cache buffer_head of size 104
The buggy address is located 0 bytes to the right of
 104-byte region [ffff88812dc0d000, ffff88812dc0d068)
The buggy address belongs to the page:
page:ffffea0004b70340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12dc0d
flags: 0x4000000000000200(slab)
raw: 4000000000000200 dead000000000100 dead000000000122 ffff888100188180
raw: 0000000000000000 0000000000180018 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 378, ts 26792409693, free_ts 25266428682
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x223b/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x290/0x620 mm/page_alloc.c:5384
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1813 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1874
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc+0x2a6/0x450 mm/slub.c:2796
 __slab_alloc+0x63/0xa0 mm/slub.c:2836
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc+0x1ac/0x2d0 mm/slub.c:2965
 kmem_cache_zalloc include/linux/slab.h:657 [inline]
 alloc_buffer_head+0x26/0x120 fs/buffer.c:3367
 alloc_page_buffers+0x10a/0x4a0 fs/buffer.c:858
 create_empty_buffers+0x3d/0x4c0 fs/buffer.c:1592
 ext4_block_write_begin+0x279/0x1340 fs/ext4/inode.c:1084
 ext4_da_write_begin+0x7db/0xf10 fs/ext4/inode.c:3100
 generic_perform_write+0x2ce/0x540 mm/filemap.c:3509
 ext4_buffered_write_iter+0x4b8/0x640 fs/ext4/file.c:271
 ext4_file_write_iter+0x53f/0x1980 fs/ext4/file.c:-1
 do_iter_readv_writev+0x478/0x5f0 fs/read_write.c:-1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2b7/0x2d0 mm/page_alloc.c:3336
 free_unref_page_list+0x129/0x9c0 mm/page_alloc.c:3443
 release_pages+0xe52/0xea0 mm/swap.c:1103
 __pagevec_release+0x71/0xe0 mm/swap.c:1123
 pagevec_release include/linux/pagevec.h:88 [inline]
 shmem_undo_range+0x74a/0x1810 mm/shmem.c:965
 shmem_truncate_range mm/shmem.c:1069 [inline]
 shmem_evict_inode+0x210/0xa00 mm/shmem.c:1169
 evict+0x4ae/0x930 fs/inode.c:612
 iput_final fs/inode.c:1736 [inline]
 iput+0x638/0x7c0 fs/inode.c:1762
 do_unlinkat+0x347/0x680 fs/namei.c:4050
 __do_sys_unlink fs/namei.c:4090 [inline]
 __se_sys_unlink fs/namei.c:4088 [inline]
 __x64_sys_unlink+0x49/0x50 fs/namei.c:4088
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88812dc0cf00: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88812dc0cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812dc0d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
                                                          ^
 ffff88812dc0d080: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
 ffff88812dc0d100: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 132: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 136: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 140: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 144: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 148: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 152: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 156: len 4: ext4_ext_map_blocks returned -28
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 18, error -28)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 160: len 4: ext4_ext_map_blocks returned -28
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4885: inode #18: block 164: len 4: ext4_ext_map_blocks returned -28
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_vlan left promiscuous mode