================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:826 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:945 Read of size 4 at addr ffff88816cfd6058 by task syz-executor.3/16269 CPU: 1 PID: 16269 Comm: syz-executor.3 Not tainted 5.10.194-syzkaller-00508-ga27512601c2d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118 print_address_description+0x81/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:435 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:452 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 ext4_ext_binsearch fs/ext4/extents.c:826 [inline] ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:945 ext4_ext_map_blocks+0x26d/0x6be0 fs/ext4/extents.c:4097 ext4_map_blocks+0xaa7/0x1ec0 fs/ext4/inode.c:646 _ext4_get_block+0x21b/0x610 fs/ext4/inode.c:793 ext4_get_block_unwritten+0x2a/0x40 fs/ext4/inode.c:824 ext4_block_write_begin+0x61e/0x13b0 fs/ext4/inode.c:1077 ext4_write_begin+0x6fa/0x1730 ext4_da_write_begin+0x49d/0xf60 fs/ext4/inode.c:3021 generic_perform_write+0x2cd/0x570 mm/filemap.c:3506 ext4_buffered_write_iter+0x482/0x610 fs/ext4/file.c:271 ext4_file_write_iter+0x193/0x1c80 fs/ext4/file.c:685 do_iter_readv_writev+0x58e/0x790 do_iter_write+0x183/0x650 fs/read_write.c:866 vfs_iter_write+0x7c/0xa0 fs/read_write.c:907 iter_file_splice_write+0x7f1/0xf80 fs/splice.c:686 do_splice_from fs/splice.c:764 [inline] direct_splice_actor+0xff/0x130 fs/splice.c:933 splice_direct_to_actor+0x4d1/0xba0 fs/splice.c:888 do_splice_direct+0x27f/0x3c0 fs/splice.c:976 do_sendfile+0x8f4/0x10e0 fs/read_write.c:1257 __do_sys_sendfile64 fs/read_write.c:1318 [inline] __se_sys_sendfile64 fs/read_write.c:1304 [inline] __x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1304 do_syscall_64+0x34/0x70 entry_SYSCALL_64_after_hwframe+0x61/0xc6 RIP: 0033:0x7fa742634ae9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa738fd60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007fa742754050 RCX: 00007fa742634ae9 RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006 RBP: 00007fa74268047a R08: 0000000000000000 R09: 0000000000000000 R10: 0001000000201008 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fa742754050 R15: 00007ffe9122f438 The buggy address belongs to the page: page:ffffea0005b3f580 refcount:1 mapcount:0 mapping:ffff88810c61a698 index:0xcdb pfn:0x16cfd6 aops:ext4_da_aops ino:7c5 dentry name:"file2" flags: 0x4000000000000016(referenced|uptodate|lru) raw: 4000000000000016 ffffea0005b3f548 ffffea0005b3f5c8 ffff88810c61a698 raw: 0000000000000cdb 0000000000000000 00000001ffffffff ffff88815f3f2000 page dumped because: kasan: bad access detected page->mem_cgroup:ffff88815f3f2000 page_owner tracks the page as allocated page last allocated via order 0, migratetype Movable, gfp_mask 0x112cca(GFP_HIGHUSER_MOVABLE|__GFP_NOWARN|__GFP_NORETRY), pid 16263, ts 867483405054, free_ts 866356483434 set_page_owner include/linux/page_owner.h:35 [inline] post_alloc_hook mm/page_alloc.c:2456 [inline] prep_new_page+0x166/0x180 mm/page_alloc.c:2462 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5346 __alloc_pages include/linux/gfp.h:544 [inline] __alloc_pages_node include/linux/gfp.h:557 [inline] alloc_pages_node include/linux/gfp.h:571 [inline] alloc_pages include/linux/gfp.h:590 [inline] __page_cache_alloc include/linux/pagemap.h:290 [inline] page_cache_ra_unbounded+0x363/0x890 mm/readahead.c:226 do_page_cache_ra mm/readahead.c:277 [inline] ondemand_readahead+0x863/0xc60 mm/readahead.c:559 page_cache_async_ra+0x294/0x2d0 mm/readahead.c:617 page_cache_async_readahead include/linux/pagemap.h:860 [inline] generic_file_buffered_read+0x895/0x2aa0 mm/filemap.c:2259 generic_file_read_iter+0x107/0x6b0 mm/filemap.c:2565 ext4_file_read_iter+0x287/0x4d0 call_read_iter include/linux/fs.h:1970 [inline] generic_file_splice_read+0x4aa/0x780 fs/splice.c:311 do_splice_to fs/splice.c:788 [inline] splice_direct_to_actor+0x419/0xba0 fs/splice.c:867 do_splice_direct+0x27f/0x3c0 fs/splice.c:976 do_sendfile+0x8f4/0x10e0 fs/read_write.c:1257 __do_sys_sendfile64 fs/read_write.c:1318 [inline] __se_sys_sendfile64 fs/read_write.c:1304 [inline] __x64_sys_sendfile64+0x1ce/0x230 fs/read_write.c:1304 do_syscall_64+0x34/0x70 entry_SYSCALL_64_after_hwframe+0x61/0xc6 page last free stack trace: reset_page_owner include/linux/page_owner.h:28 [inline] free_pages_prepare mm/page_alloc.c:1349 [inline] free_pcp_prepare mm/page_alloc.c:1421 [inline] free_unref_page_prepare+0x2ae/0x2d0 mm/page_alloc.c:3336 free_unref_page_list+0x122/0xb20 mm/page_alloc.c:3443 release_pages+0xea0/0xef0 mm/swap.c:1103 __pagevec_release+0x84/0x100 mm/swap.c:1123 pagevec_release include/linux/pagevec.h:88 [inline] shmem_undo_range+0x7d1/0x1a60 mm/shmem.c:965 shmem_truncate_range mm/shmem.c:1069 [inline] shmem_evict_inode+0x215/0x9d0 mm/shmem.c:1169 evict+0x2a3/0x6c0 fs/inode.c:577 iput_final fs/inode.c:1697 [inline] iput+0x632/0x7e0 fs/inode.c:1723 dentry_unlink_inode+0x2e5/0x3d0 fs/dcache.c:374 __dentry_kill+0x447/0x650 fs/dcache.c:579 dentry_kill+0xc0/0x2a0 dput+0x160/0x310 fs/dcache.c:878 __fput+0x4f4/0x760 fs/file_table.c:294 ____fput+0x15/0x20 fs/file_table.c:314 task_work_run+0x129/0x190 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop+0xbf/0xd0 kernel/entry/common.c:172 Memory state around the buggy address: ffff88816cfd5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88816cfd5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88816cfd6000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff88816cfd6080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88816cfd6100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== EXT4-fs error (device loop3): ext4_map_blocks:716: inode #16: block 89391154331688: comm syz-executor.3: lblock 41 mapped to illegal pblock 89391154331688 (length 1) EXT4-fs error (device loop3) in ext4_reserve_inode_write:5886: Corrupt filesystem EXT4-fs error (device loop3): ext4_dirty_inode:6096: inode #16: comm syz-executor.3: mark_inode_dirty error EXT4-fs error (device loop3): ext4_map_blocks:602: inode #16: block 89391154331688: comm syz-executor.3: lblock 41 mapped to illegal pblock 89391154331688 (length 1) EXT4-fs error (device loop3): ext4_map_blocks:602: inode #16: block 89391154331688: comm syz-executor.3: lblock 41 mapped to illegal pblock 89391154331688 (length 1) EXT4-fs error (device loop3): ext4_map_blocks:602: inode #16: block 89391154331688: comm syz-executor.3: lblock 41 mapped to illegal pblock 89391154331688 (length 1) EXT4-fs error (device loop3): ext4_map_blocks:602: inode #16: block 89391154331688: comm syz-executor.3: lblock 41 mapped to illegal pblock 89391154331688 (length 1) EXT4-fs error (device loop3): ext4_read_block_bitmap_nowait:476: comm syz-executor.3: Invalid block bitmap block 0 in block_group 0 EXT4-fs error (device loop3): ext4_discard_preallocations:4569: comm syz-executor.3: Error -117 reading block bitmap for 0