================================================================== BUG: KASAN: slab-use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline] BUG: KASAN: slab-use-after-free in ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955 Read of size 4 at addr ffff0000e703380c by task kworker/u8:5/210 CPU: 1 UID: 0 PID: 210 Comm: kworker/u8:5 Not tainted 6.14.0-rc5-syzkaller-g77c95b8c7a16 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: writeback wb_workfn (flush-7:0) Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x198/0x550 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 ext4_ext_binsearch fs/ext4/extents.c:840 [inline] ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955 ext4_ext_map_blocks+0x2b0/0x6600 fs/ext4/extents.c:4205 ext4_map_create_blocks fs/ext4/inode.c:516 [inline] ext4_map_blocks+0x710/0x15d0 fs/ext4/inode.c:702 mpage_map_one_extent fs/ext4/inode.c:2219 [inline] mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline] ext4_do_writepages+0x195c/0x318c fs/ext4/inode.c:2735 ext4_writepages+0x198/0x308 fs/ext4/inode.c:2824 do_writepages+0x304/0x7d0 mm/page-writeback.c:2687 __writeback_single_inode+0x15c/0x15a4 fs/fs-writeback.c:1680 writeback_sb_inodes+0x650/0x1088 fs/fs-writeback.c:1976 wb_writeback+0x3e0/0xe9c fs/fs-writeback.c:2156 wb_do_writeback fs/fs-writeback.c:2303 [inline] wb_workfn+0x38c/0x1048 fs/fs-writeback.c:2343 process_one_work+0x810/0x1638 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x97c/0xeec kernel/workqueue.c:3400 kthread+0x65c/0x7b0 kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 0: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4115 [inline] slab_alloc_node mm/slub.c:4164 [inline] kmem_cache_alloc_node_noprof+0x264/0x420 mm/slub.c:4216 kmalloc_reserve+0xdc/0x280 net/core/skbuff.c:515 __alloc_skb+0x20c/0x420 net/core/skbuff.c:606 skb_copy+0x13c/0x72c net/core/skbuff.c:2069 mac80211_hwsim_tx_frame_no_nl+0xce0/0x17b8 drivers/net/wireless/virtual/mac80211_hwsim.c:1866 mac80211_hwsim_tx_frame+0x1c4/0x1f8 drivers/net/wireless/virtual/mac80211_hwsim.c:2215 __mac80211_hwsim_beacon_tx+0x3c4/0x5f0 drivers/net/wireless/virtual/mac80211_hwsim.c:2265 mac80211_hwsim_beacon_tx+0x35c/0x70c drivers/net/wireless/virtual/mac80211_hwsim.c:2315 __iterate_interfaces+0x250/0x504 net/mac80211/util.c:760 ieee80211_iterate_active_interfaces_atomic+0xd4/0x180 net/mac80211/util.c:796 mac80211_hwsim_beacon+0xcc/0x1c8 drivers/net/wireless/virtual/mac80211_hwsim.c:2345 __run_hrtimer kernel/time/hrtimer.c:1801 [inline] __hrtimer_run_queues+0x47c/0xca4 kernel/time/hrtimer.c:1865 hrtimer_run_softirq+0x158/0x21c kernel/time/hrtimer.c:1882 handle_softirqs+0x320/0xd34 kernel/softirq.c:561 __do_softirq+0x14/0x20 kernel/softirq.c:595 Freed by task 34: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4609 [inline] kmem_cache_free+0x198/0x554 mm/slub.c:4711 skb_kfree_head net/core/skbuff.c:994 [inline] skb_free_head+0xc8/0x1bc net/core/skbuff.c:1008 skb_release_data+0x484/0x618 net/core/skbuff.c:1035 skb_release_all net/core/skbuff.c:1100 [inline] __kfree_skb net/core/skbuff.c:1114 [inline] sk_skb_reason_drop+0x1d4/0x43c net/core/skbuff.c:1152 kfree_skb_reason include/linux/skbuff.h:1271 [inline] kfree_skb include/linux/skbuff.h:1280 [inline] ieee80211_iface_work+0x21c/0xcd4 net/mac80211/iface.c:1667 cfg80211_wiphy_work+0x2cc/0x508 net/wireless/core.c:435 process_one_work+0x810/0x1638 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x97c/0xeec kernel/workqueue.c:3400 kthread+0x65c/0x7b0 kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 The buggy address belongs to the object at ffff0000e7033740 which belongs to the cache skbuff_small_head of size 704 The buggy address is located 204 bytes inside of freed 704-byte region [ffff0000e7033740, ffff0000e7033a00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127030 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000040 ffff0000c1be7b40 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000 head: 05ffc00000000040 ffff0000c1be7b40 0000000000000000 dead000000000001 head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000 head: 05ffc00000000002 fffffdffc39c0c01 ffffffffffffffff 0000000000000000 head: 0000000f00000004 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000e7033700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff0000e7033780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff0000e7033800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000e7033880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000e7033900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 62913225433136: comm kworker/u8:5: lblock 0 mapped to illegal pblock 62913225433136 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: comm kworker/u8:5: lblock 0 mapped to illegal pblock 0 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:5: p_ext > EXT_MAX_EXTENT! EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 1988569858048: comm kworker/u8:5: lblock 0 mapped to illegal pblock 1988569858048 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: comm kworker/u8:5: lblock 0 mapped to illegal pblock 0 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 143924354056192: comm kworker/u8:5: lblock 0 mapped to illegal pblock 143924354056192 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: comm kworker/u8:5: lblock 0 mapped to illegal pblock 0 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_ext_split:1150: inode #15: comm kworker/u8:5: eh_entries 61440 != eh_max 43388! EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_ext_split:1150: inode #15: comm kworker/u8:5: eh_entries 61440 != eh_max 43388! EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 32676111188136: comm kworker/u8:5: lblock 0 mapped to illegal pblock 32676111188136 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:5: p_ext > EXT_MAX_EXTENT! EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 62913225433136: comm kworker/u8:5: lblock 0 mapped to illegal pblock 62913225433136 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 112589081163878: comm kworker/u8:5: lblock 0 mapped to illegal pblock 112589081163878 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_ext_split:1150: inode #15: comm kworker/u8:5: eh_entries 61440 != eh_max 43388! EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 160464273211391: comm kworker/u8:5: lblock 0 mapped to illegal pblock 160464273211391 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 712964571200: comm kworker/u8:5: lblock 0 mapped to illegal pblock 712964571200 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost EXT4-fs error (device loop0): ext4_map_blocks:705: inode #15: block 153347512303616: comm kworker/u8:5: lblock 0 mapped to illegal pblock 153347512303616 (length 1) EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost