program:
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000140)='./file1\x00', 0x30000c6, &(0x7f0000000080), 0x1, 0x553, &(0x7f0000001080)="$eJzs3d9rW1UcAPDvTdv91nUwhopIYQ9O5tK19ccEH+aj6HCg7zO0d2U0WUaTjrUO3B7ciy8yBBEH4ru++zj8B/wrBjoYMoo++BK56U2XrUmbddnSmc8Hbjkn9ybnfnPv9/TcnBsSwNCayP4UIl6OiG+SiIMRkeTrRiNfObG23er9q7PZkkSj8elfSXO7rN56rdbz9ueVlyLit68ijhc2tltbXlkolcvpYl6frFcuTdaWV05cqJTm0/n04vTMzKm3Z6bfe/edvsX6xtl/vv/k9oenvj66+t0vdw/dTOJ0HMjXtcfxBK61VyZiIn9PxuL0IxtO9aGxnSQZ9A6wLSN5no9F1gccjJE864H/vy8jogEMqUT+w5BqjQNa1/Z9ug5+btz7YO0CaGP8o2ufjcSe5rXRvtXkoSuj7Hp3vA/tZ238+uetm9kS/fscAmBL165HxMnR0Y39X5L3f9t3sodtHm1D/wfPzu1s/PNmp/FPYX38Ex3GP/s75O52bJ3/hbt9aKarbPz3fsfx7/qk1fhIXnuhOeYbS85fKKdZ3/ZiRByLsd1ZfbP5nFOrdxrd1rWP/7Ila781Fsz34+7o7oefM1eql54k5nb3rke80nH8m6wf/6TD8c/ej7M9tnEkvfVat3Vbx/90NX6KeL3j8X8wo5VsPj852TwfJltnxUZ/3zjye7f2Bx1/dvz3bR7/eNI+X1t7/DZ+3PNv2m3dQ/FH7+f/ruSzZnlX/tiVUr2+OBWxK/l44+PTD57bqre2z+I/dnTz/q/T+b83Ij7vMf4bh39+taf4B3T85x7r+D9+4c5HX/zQrf3e+r+3mqVj+SO99H+97uCTvHcAAAAAAACw0xQi4kAkheJ6uVAoFtfu7zgc+wrlaq1+/Hx16eJcNL8rOx5jhdZM98G2+yGm8vthW/XpR+ozEXEoIr4d2dusF2er5blBBw8AAAAAAAAAAAAAAAAAAAA7xP4u3//P/DEy6L0Dnjo/+Q3Da8v878cvPQE7kv//MLzkPwwv+Q/DS/7D8JL/MLzkPwwv+Q/DS/4DAAAAAAAAAAAAAAAAAAAAAAAAAABAX509cyZbGqv3r85m9bnLy0sL1csn5tLaQrGyNFucrS5eKs5Xq/PltDhbrWz1euVq9dLUdCxdmayntfpkbXnlXKW6dLF+7kKlNJ+eS8eeSVQAAAAAAAAAAAAAAAAAAADwfKktryyUyuV0UUFhW4XRnbEbCn0uDLpnAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAH/gsAAP//6AY3sQ==")
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./bus\x00', 0x0)
chdir(&(0x7f00000000c0)='./bus\x00')
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
sendmmsg(r0, &(0x7f000000a740)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000c40)=[{0x10, 0x109, 0x7}], 0x10}}], 0x1, 0x40000c0)
r1 = add_key$user(&(0x7f0000000200), &(0x7f0000000240)={'syz', 0x0}, &(0x7f0000000280)="0851a30c9cf24771050a3f31f02e0b54b7187bdaf7449c41aa0c105265c13ed9cfeb5236d7f9d12f4053bcf02053eb84771b59cf674257e9aef98144c7299b12241b17d2490b81357964586e25bf9fd3da62cf9181eaf32595aa5f4c7bf4a7d624a31f8c5be9123164e2923efe1116cec681c9ef4a4e4be3e3e17b7022b2b34265fbcfe48f5aeea6a62c67d0e1", 0x8d, 0xfffffffffffffffc)
keyctl$update(0x2, r1, &(0x7f0000000340)="df09bc2b63bc508a2ec7397b2dbacd8541e1ae378e463dd50fb2843dc28d2d21ff52c6e08f9ee69eb65cbbe2", 0x2c)
lsetxattr$system_posix_acl(&(0x7f0000000400)='.\x00', &(0x7f0000000440)='system.posix_acl_default\x00', &(0x7f00000000c0)=ANY=[@ANYBLOB="02000000010000000000000002000000", @ANYRES32=0xee01, @ANYBLOB="02000000", @ANYRES32=0xee00, @ANYBLOB="02000000", @ANYRES32=0xee00, @ANYBLOB="02000000", @ANYRES32=0x0, @ANYBLOB="040000000000800008000000", @ANYRES32=0x0, @ANYBLOB='\b\x00\x00\x00', @ANYRES32=0x0, @ANYBLOB='\b\x00\x00\x00', @ANYRES32=0x0, @ANYBLOB="100000000000000020"], 0x5c, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000400)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r2, 0x6, 0x13, &(0x7f0000000000)=0x100000001, 0x4)
connect$inet6(r2, &(0x7f0000000200)={0xa, 0x0, 0x0, @loopback}, 0x1c)
setsockopt$inet6_tcp_TCP_ULP(r2, 0x6, 0x1f, &(0x7f00000000c0), 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r2, 0x6, 0x14, &(0x7f0000000280)=0x1, 0x4)
setsockopt$inet6_tcp_TLS_TX(r2, 0x11a, 0x1, &(0x7f0000000500)=@gcm_128={{0x303}, "a959fc5ec5071900", "8e083700daf38a6d69e9b5e9c2f133d7", "e2739528", "12772541f8ebfebb"}, 0x28)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.current\x00', 0x275a, 0x0)
r4 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_CPUID(r6, 0x4008ae8a, &(0x7f00000000c0)={0x1, 0x0, [{0x1, 0x3b8, 0x8002, 0x3e60, 0x1}]})
ioctl$KVM_SET_MSRS(r6, 0x4008ae89, &(0x7f0000000100)={0x1, 0x0, [{0x486, 0x0, 0x40000000}]})
write$cgroup_int(r3, &(0x7f0000000000), 0xffffff6a)
sendfile(r2, r3, 0x0, 0xffffffff004)
setxattr$trusted_overlay_upper(&(0x7f0000000380)='./file0\x00', &(0x7f0000000680), &(0x7f00000006c0)=ANY=[], 0x835, 0x1)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000180)='./file2\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x0, &(0x7f0000000140)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c})

[  113.433771][ T4669] Bluetooth: hci0: command tx timeout
[  113.531021][ T5338] loop0: detected capacity change from 0 to 1024
[  113.548876][ T5338] =======================================================
[  113.548876][ T5338] WARNING: The mand mount option has been deprecated and
[  113.548876][ T5338]          and is ignored by this kernel. Remove the mand
[  113.548876][ T5338]          option from the mount to silence this warning.
[  113.548876][ T5338] =======================================================
[  113.615482][ T5338] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[  113.718561][ T5338] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:4113: comm syz.0.0: Allocating blocks 497-513 which overlap fs metadata
[  113.780273][ T5338] EXT4-fs (loop0): pa ffff888043ef7910: logic 128, phys. 385, len 8
[  113.784415][ T5338] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:5364: group 0, free 0, pa_free 1
[  113.794843][ T5338] ==================================================================
[  113.798386][ T5338] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x3211/0x42f0
[  113.801877][ T5338] Read of size 4 at addr ffff88804cf1ec18 by task syz.0.0/5338
[  113.805092][ T5338] 
[  113.806236][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00057-g92ca6c498a5e #0 PREEMPT(full) 
[  113.806251][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  113.806257][ T5338] Call Trace:
[  113.806263][ T5338]  <TASK>
[  113.806268][ T5338]  dump_stack_lvl+0x189/0x250
[  113.806285][ T5338]  ? __virt_addr_valid+0x1c8/0x5c0
[  113.806294][ T5338]  ? rcu_is_watching+0x15/0xb0
[  113.806307][ T5338]  ? __kasan_check_byte+0x12/0x40
[  113.806315][ T5338]  ? __pfx_dump_stack_lvl+0x10/0x10
[  113.806324][ T5338]  ? rcu_is_watching+0x15/0xb0
[  113.806333][ T5338]  ? lock_release+0x4b/0x3e0
[  113.806345][ T5338]  ? __virt_addr_valid+0x1c8/0x5c0
[  113.806365][ T5338]  ? __virt_addr_valid+0x4a5/0x5c0
[  113.806379][ T5338]  print_report+0xd2/0x2b0
[  113.806394][ T5338]  ? ext4_ext_remove_space+0x3211/0x42f0
[  113.806406][ T5338]  kasan_report+0x118/0x150
[  113.806420][ T5338]  ? ext4_ext_remove_space+0x3211/0x42f0
[  113.806434][ T5338]  ext4_ext_remove_space+0x3211/0x42f0
[  113.806448][ T5338]  ? __es_remove_extent+0xdbe/0x1780
[  113.806462][ T5338]  ? ext4_es_remove_extent+0x218/0x420
[  113.806473][ T5338]  ? __pfx_ext4_ext_remove_space+0x10/0x10
[  113.806482][ T5338]  ? ext4_es_remove_extent+0x263/0x420
[  113.806492][ T5338]  ext4_ext_truncate+0x17e/0x300
[  113.806504][ T5338]  ext4_truncate+0x9bb/0x1100
[  113.806517][ T5338]  ? down_write+0x162/0x1f0
[  113.806615][ T5338]  ? __pfx_ext4_truncate+0x10/0x10
[  113.806629][ T5338]  ? __ext4_journal_stop+0x34/0x1a0
[  113.806640][ T5338]  ext4_write_begin+0xf59/0x1680
[  113.806658][ T5338]  ? __pfx_ext4_write_begin+0x10/0x10
[  113.806671][ T5338]  ext4_da_write_begin+0x449/0xd20
[  113.806684][ T5338]  ? ext4_mark_iloc_dirty+0x6f3/0x1ca0
[  113.806691][ T5338]  ? __pfx_ext4_da_write_begin+0x10/0x10
[  113.806700][ T5338]  generic_perform_write+0x2c7/0x910
[  113.806719][ T5338]  ? __pfx_generic_perform_write+0x10/0x10
[  113.806728][ T5338]  ? file_modified_flags+0x4bb/0x560
[  113.806741][ T5338]  ? ext4_write_checks+0x24b/0x2c0
[  113.806752][ T5338]  ext4_buffered_write_iter+0xce/0x3a0
[  113.806764][ T5338]  ext4_file_write_iter+0x298/0x1bc0
[  113.806779][ T5338]  ? __pfx_ext4_file_write_iter+0x10/0x10
[  113.806791][ T5338]  vfs_write+0x54b/0xa90
[  113.806806][ T5338]  ? __pfx_ext4_file_write_iter+0x10/0x10
[  113.806818][ T5338]  ? __pfx_vfs_write+0x10/0x10
[  113.806834][ T5338]  ? __fget_files+0x2a/0x420
[  113.806846][ T5338]  ksys_write+0x145/0x250
[  113.806856][ T5338]  ? __pfx_ksys_write+0x10/0x10
[  113.806865][ T5338]  ? rcu_is_watching+0x15/0xb0
[  113.806882][ T5338]  ? do_syscall_64+0xbe/0x3b0
[  113.806894][ T5338]  do_syscall_64+0xfa/0x3b0
[  113.806901][ T5338]  ? lockdep_hardirqs_on+0x9c/0x150
[  113.806914][ T5338]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  113.806923][ T5338]  ? clear_bhb_loop+0x60/0xb0
[  113.806936][ T5338]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  113.806949][ T5338] RIP: 0033:0x7fbbe1d8e929
[  113.806962][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  113.806971][ T5338] RSP: 002b:00007fbbe2b4e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  113.806985][ T5338] RAX: ffffffffffffffda RBX: 00007fbbe1fb5fa0 RCX: 00007fbbe1d8e929
[  113.806993][ T5338] RDX: 00000000ffffff6a RSI: 0000200000000000 RDI: 0000000000000006
[  113.807000][ T5338] RBP: 00007fbbe1e10b39 R08: 0000000000000000 R09: 0000000000000000
[  113.807006][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  113.807013][ T5338] R13: 0000000000000000 R14: 00007fbbe1fb5fa0 R15: 00007ffc3a498a88
[  113.807022][ T5338]  </TASK>
[  113.807025][ T5338] 
[  113.961616][ T5338] The buggy address belongs to the physical page:
[  113.964455][ T5338] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4cf1e
[  113.968442][ T5338] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[  113.971663][ T5338] raw: 04fff00000000000 ffffea000133c788 ffffea000133c788 0000000000000000
[  113.975690][ T5338] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  113.979599][ T5338] page dumped because: kasan: bad access detected
[  113.982428][ T5338] page_owner info is not present (never set?)
[  113.985174][ T5338] 
[  113.986286][ T5338] Memory state around the buggy address:
[  113.988877][ T5338]  ffff88804cf1eb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  113.992702][ T5338]  ffff88804cf1eb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  113.996277][ T5338] >ffff88804cf1ec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  113.999946][ T5338]                             ^
[  114.002047][ T5338]  ffff88804cf1ec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  114.005529][ T5338]  ffff88804cf1ed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  114.009581][ T5338] ==================================================================
[  114.024625][ T5338] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  114.028045][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00057-g92ca6c498a5e #0 PREEMPT(full) 
[  114.033321][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  114.038066][ T5338] Call Trace:
[  114.039599][ T5338]  <TASK>
[  114.040931][ T5338]  dump_stack_lvl+0x99/0x250
[  114.042961][ T5338]  ? __asan_memcpy+0x40/0x70
[  114.044933][ T5338]  ? __pfx_dump_stack_lvl+0x10/0x10
[  114.047227][ T5338]  ? __pfx__printk+0x10/0x10
[  114.049381][ T5338]  panic+0x2db/0x790
[  114.051153][ T5338]  ? __pfx_panic+0x10/0x10
[  114.053142][ T5338]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[  114.055831][ T5338]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[  114.058676][ T5338]  ? print_memory_metadata+0x314/0x400
[  114.061204][ T5338]  ? ext4_ext_remove_space+0x3211/0x42f0
[  114.063441][ T5338]  check_panic_on_warn+0x89/0xb0
[  114.065485][ T5338]  ? ext4_ext_remove_space+0x3211/0x42f0
[  114.067688][ T5338]  end_report+0x78/0x160
[  114.069717][ T5338]  kasan_report+0x129/0x150
[  114.071799][ T5338]  ? ext4_ext_remove_space+0x3211/0x42f0
[  114.074141][ T5338]  ext4_ext_remove_space+0x3211/0x42f0
[  114.076359][ T5338]  ? __es_remove_extent+0xdbe/0x1780
[  114.078783][ T5338]  ? ext4_es_remove_extent+0x218/0x420
[  114.081095][ T5338]  ? __pfx_ext4_ext_remove_space+0x10/0x10
[  114.083750][ T5338]  ? ext4_es_remove_extent+0x263/0x420
[  114.086251][ T5338]  ext4_ext_truncate+0x17e/0x300
[  114.088646][ T5338]  ext4_truncate+0x9bb/0x1100
[  114.090778][ T5338]  ? down_write+0x162/0x1f0
[  114.092747][ T5338]  ? __pfx_ext4_truncate+0x10/0x10
[  114.094954][ T5338]  ? __ext4_journal_stop+0x34/0x1a0
[  114.097137][ T5338]  ext4_write_begin+0xf59/0x1680
[  114.099372][ T5338]  ? __pfx_ext4_write_begin+0x10/0x10
[  114.101734][ T5338]  ext4_da_write_begin+0x449/0xd20
[  114.104517][ T5338]  ? ext4_mark_iloc_dirty+0x6f3/0x1ca0
[  114.107517][ T5338]  ? __pfx_ext4_da_write_begin+0x10/0x10
[  114.110138][ T5338]  generic_perform_write+0x2c7/0x910
[  114.112598][ T5338]  ? __pfx_generic_perform_write+0x10/0x10
[  114.115445][ T5338]  ? file_modified_flags+0x4bb/0x560
[  114.118220][ T5338]  ? ext4_write_checks+0x24b/0x2c0
[  114.120744][ T5338]  ext4_buffered_write_iter+0xce/0x3a0
[  114.122840][ T5338]  ext4_file_write_iter+0x298/0x1bc0
[  114.125689][ T5338]  ? __pfx_ext4_file_write_iter+0x10/0x10
[  114.128144][ T5338]  vfs_write+0x54b/0xa90
[  114.130227][ T5338]  ? __pfx_ext4_file_write_iter+0x10/0x10
[  114.132560][ T5338]  ? __pfx_vfs_write+0x10/0x10
[  114.134588][ T5338]  ? __fget_files+0x2a/0x420
[  114.136551][ T5338]  ksys_write+0x145/0x250
[  114.138446][ T5338]  ? __pfx_ksys_write+0x10/0x10
[  114.140514][ T5338]  ? rcu_is_watching+0x15/0xb0
[  114.142468][ T5338]  ? do_syscall_64+0xbe/0x3b0
[  114.144214][ T5338]  do_syscall_64+0xfa/0x3b0
[  114.146228][ T5338]  ? lockdep_hardirqs_on+0x9c/0x150
[  114.148572][ T5338]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  114.151843][ T5338]  ? clear_bhb_loop+0x60/0xb0
[  114.154346][ T5338]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  114.157333][ T5338] RIP: 0033:0x7fbbe1d8e929
[  114.159198][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  114.168003][ T5338] RSP: 002b:00007fbbe2b4e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  114.171420][ T5338] RAX: ffffffffffffffda RBX: 00007fbbe1fb5fa0 RCX: 00007fbbe1d8e929
[  114.175128][ T5338] RDX: 00000000ffffff6a RSI: 0000200000000000 RDI: 0000000000000006
[  114.178588][ T5338] RBP: 00007fbbe1e10b39 R08: 0000000000000000 R09: 0000000000000000
[  114.182112][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  114.185325][ T5338] R13: 0000000000000000 R14: 00007fbbe1fb5fa0 R15: 00007ffc3a498a88
[  114.188633][ T5338]  </TASK>
[  114.190306][ T5338] Kernel Offset: disabled
[  114.192034][ T5338] Rebooting in 86400 seconds..