EXT4-fs (loop1): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:946
Read of size 4 at addr ffff888124bf5900 by task kworker/u4:4/398

CPU: 0 PID: 398 Comm: kworker/u4:4 Not tainted 5.15.147-syzkaller-1068928-g1c3a1f32bcbd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
 ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:946
 ext4_ext_map_blocks+0x254/0x7250 fs/ext4/extents.c:4103
 ext4_map_blocks+0xaa7/0x1e00 fs/ext4/inode.c:646
 ext4_convert_unwritten_extents+0x2e0/0x6c0 fs/ext4/extents.c:4815
 ext4_convert_unwritten_io_end_vec+0x104/0x180 fs/ext4/extents.c:4854
 ext4_end_io_end fs/ext4/page-io.c:186 [inline]
 ext4_do_flush_completed_IO fs/ext4/page-io.c:259 [inline]
 ext4_end_io_rsv_work+0x358/0x690 fs/ext4/page-io.c:273
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the page:
page:ffffea000492fd40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x124bf5
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004763d88 ffffea0004926348 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 414, ts 46118418247, free_ts 46284303924
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 __page_cache_alloc include/linux/pagemap.h:305 [inline]
 pagecache_get_page+0xb18/0xeb0 mm/filemap.c:1940
 find_or_create_page include/linux/pagemap.h:418 [inline]
 grow_dev_page fs/buffer.c:949 [inline]
 grow_buffers fs/buffer.c:1014 [inline]
 __getblk_slow fs/buffer.c:1041 [inline]
 __getblk_gfp+0x21e/0x7c0 fs/buffer.c:1336
 sb_getblk include/linux/buffer_head.h:361 [inline]
 ext4_getblk+0x259/0x700 fs/ext4/inode.c:854
 ext4_bread_batch+0x67/0x4c0 fs/ext4/inode.c:921
 __ext4_find_entry+0xfbe/0x1af0 fs/ext4/namei.c:1670
 ext4_lookup_entry fs/ext4/namei.c:1771 [inline]
 ext4_lookup+0x3c6/0xaa0 fs/ext4/namei.c:1839
 __lookup_slow+0x2b9/0x400 fs/namei.c:1663
 lookup_slow+0x5a/0x80 fs/namei.c:1680
 walk_component+0x48c/0x610 fs/namei.c:1976
 lookup_last fs/namei.c:2431 [inline]
 path_lookupat+0x16d/0x450 fs/namei.c:2455
 filename_lookup+0x230/0x5c0 fs/namei.c:2484
 user_path_at_empty+0x43/0x1a0 fs/namei.c:2883
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1471 [inline]
 free_pcp_prepare mm/page_alloc.c:1543 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
 release_pages+0x1310/0x1370 mm/swap.c:1009
 __pagevec_release+0x84/0x100 mm/swap.c:1029
 pagevec_release include/linux/pagevec.h:81 [inline]
 invalidate_inode_pages2_range+0xc14/0xdf0 mm/truncate.c:670
 generic_file_direct_write+0x3af/0x6b0 mm/filemap.c:3733
 __generic_file_write_iter+0x2bc/0x4b0 mm/filemap.c:3927
 blkdev_write_iter+0x392/0x540 block/fops.c:534
 do_iter_readv_writev+0x58e/0x790
 do_iter_write+0x1f5/0x760 fs/read_write.c:855
 vfs_iter_write+0x7c/0xa0 fs/read_write.c:896
 iter_file_splice_write+0x7f8/0xf90 fs/splice.c:689
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0xff/0x130 fs/splice.c:936
 splice_direct_to_actor+0x4f1/0xbe0 fs/splice.c:891
 do_splice_direct+0x27f/0x3c0 fs/splice.c:979
 do_sendfile+0x616/0xfe0 fs/read_write.c:1249

Memory state around the buggy address:
 ffff888124bf5800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888124bf5880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888124bf5900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888124bf5980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888124bf5a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop1): ext4_map_blocks:716: inode #19: block 222221607927665: comm kworker/u4:4: lblock 45 mapped to illegal pblock 222221607927665 (length 1)
EXT4-fs warning (device loop1): ext4_convert_unwritten_extents:4822: inode #19: block 45: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop1): __ext4_get_inode_loc:4340: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop1) in ext4_reserve_inode_write:5820: Corrupt filesystem
EXT4-fs error (device loop1): ext4_convert_unwritten_extents:4823: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop1): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs error (device loop4): __ext4_get_inode_loc:4340: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop4): __ext4_get_inode_loc:4340: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop3): ext4_map_blocks:716: inode #19: block 225: comm kworker/u4:4: lblock 17 mapped to illegal pblock 225 (length 1)
EXT4-fs warning (device loop3): ext4_convert_unwritten_extents:4822: inode #19: block 17: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop3): __ext4_get_inode_loc:4340: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop3) in ext4_reserve_inode_write:5820: Corrupt filesystem
EXT4-fs error (device loop3): ext4_convert_unwritten_extents:4823: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop3): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)
EXT4-fs error (device loop3): ext4_map_blocks:716: inode #19: block 116500986162: comm kworker/u4:4: lblock 18 mapped to illegal pblock 116500986162 (length 1)
EXT4-fs warning (device loop3): ext4_convert_unwritten_extents:4822: inode #19: block 18: len 1: ext4_ext_map_blocks returned -117
EXT4-fs error (device loop3): __ext4_get_inode_loc:4340: comm kworker/u4:4: Invalid inode table block 34360905424 in block_group 0
EXT4-fs error (device loop3) in ext4_reserve_inode_write:5820: Corrupt filesystem
EXT4-fs error (device loop3): ext4_convert_unwritten_extents:4823: inode #19: comm kworker/u4:4: mark_inode_dirty error
EXT4-fs (loop3): failed to convert unwritten extents to written extents -- potential data loss! (inode 19, error -117)