==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:946
Read of size 4 at addr ffff8881260d5900 by task kworker/u4:4/408

CPU: 0 PID: 408 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0xf1/0x140 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
 ext4_find_extent+0xbeb/0xe20 fs/ext4/extents.c:946
 ext4_ext_map_blocks+0x1db/0x6270 fs/ext4/extents.c:4166
 ext4_map_blocks+0x97b/0x1b20 fs/ext4/inode.c:674
 ext4_convert_unwritten_extents+0x2a2/0x5c0 fs/ext4/extents.c:4869
 ext4_convert_unwritten_io_end_vec+0x103/0x180 fs/ext4/extents.c:4908
 ext4_end_io_end fs/ext4/page-io.c:186 [inline]
 ext4_do_flush_completed_IO fs/ext4/page-io.c:259 [inline]
 ext4_end_io_rsv_work+0x2b9/0x600 fs/ext4/page-io.c:273
 process_one_work+0x6be/0xba0 kernel/workqueue.c:2325
 worker_thread+0xa59/0x1200 kernel/workqueue.c:2472
 kthread+0x411/0x500 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the page:
page:ffffea0004983540 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1260d5
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004983588 ffffea0004983508 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
 ffff8881260d5800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881260d5880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881260d5900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8881260d5980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881260d5a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 0: len 1: ext4_ext_map_blocks returned -28
EXT4-fs error (device loop4): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop4) in ext4_reserve_inode_write:5881: Corrupt filesystem
EXT4-fs error (device loop4): ext4_convert_unwritten_extents:4877: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -28)
EXT4-fs error (device loop4): ext4_ext_split:1074: inode #19: comm kworker/u4:4: p_ext > EXT_MAX_EXTENT!
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 1: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop4): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop4) in ext4_reserve_inode_write:5881: Corrupt filesystem
EXT4-fs error (device loop4): ext4_convert_unwritten_extents:4877: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs error (device loop4): ext4_ext_split:1074: inode #19: comm kworker/u4:4: p_ext > EXT_MAX_EXTENT!
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 2: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop4): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 3: len 1: ext4_ext_map_blocks returned -117
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 4: len 1: ext4_ext_map_blocks returned -117
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 5: len 1: ext4_ext_map_blocks returned -117
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 6: len 1: ext4_ext_map_blocks returned -117
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 7: len 1: ext4_ext_map_blocks returned -117
EXT4-fs (loop4): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 8: len 1: ext4_ext_map_blocks returned -117
EXT4-fs warning (device loop4): ext4_convert_unwritten_extents:4876: inode #19: block 9: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop2): ext4_map_blocks:740: inode #19: block 227: comm kworker/u4:4: lblock 19 mapped to illegal pblock 227 (length 1)
EXT4-fs warning (device loop2): ext4_convert_unwritten_extents:4876: inode #19: block 19: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop2): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop2) in ext4_reserve_inode_write:5881: Corrupt filesystem
EXT4-fs error (device loop2): ext4_convert_unwritten_extents:4877: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop2): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs warning (device loop5): ext4_convert_unwritten_extents:4876: inode #19: block 21: len 1: ext4_ext_map_blocks returned -28
EXT4-fs error (device loop5): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop5) in ext4_reserve_inode_write:5881: Corrupt filesystem
EXT4-fs error (device loop5): ext4_convert_unwritten_extents:4877: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop5): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -28)
EXT4-fs warning (device loop5): ext4_convert_unwritten_extents:4876: inode #19: block 22: len 1: ext4_ext_map_blocks returned -28
EXT4-fs error (device loop5): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop5) in ext4_reserve_inode_write:5881: Corrupt filesystem
EXT4-fs (loop5): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -28)
EXT4-fs error (device loop3): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop3): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop5): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop5): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop1): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop0): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop0): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop0): ext4_map_blocks:740: inode #19: block 205: comm kworker/u4:4: lblock 13 mapped to illegal pblock 205 (length 1)
EXT4-fs warning (device loop0): ext4_convert_unwritten_extents:4876: inode #19: block 13: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop0): __ext4_get_inode_loc:4358: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5881: Corrupt filesystem
EXT4-fs error (device loop0): ext4_convert_unwritten_extents:4877: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop0): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)