program:
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x446, &(0x7f0000000080)={[{@stripe={'stripe', 0x3d, 0x2}}, {@journal_dev={'journal_dev', 0x3d, 0x1045}}, {@oldalloc}, {@noquota}, {@minixdf}, {@barrier_val={'barrier', 0x3d, 0x2}}, {@delalloc}, {@nojournal_checksum}, {@orlov}, {@user_xattr}, {@quota}, {@delalloc}]}, 0x1, 0x553, &(0x7f0000001080)="$eJzs3d9rW1UcAPDvTdv91nUwhopIYQ9O5tK19ccEH+aj6HCg7zO0d2U0WUaTjrUO3B7ciy8yBBEH4ru++zj8B/wrBjoYMoo++BK56U2XrUmbddnSmc8Hbjkn9ybnfnPv9/TcnBsSwNCayP4UIl6OiG+SiIMRkeTrRiNfObG23er9q7PZkkSj8elfSXO7rN56rdbz9ueVlyLit68ijhc2tltbXlkolcvpYl6frFcuTdaWV05cqJTm0/n04vTMzKm3Z6bfe/edvsX6xtl/vv/k9oenvj66+t0vdw/dTOJ0HMjXtcfxBK61VyZiIn9PxuL0IxtO9aGxnSQZ9A6wLSN5no9F1gccjJE864H/vy8jogEMqUT+w5BqjQNa1/Z9ug5+btz7YO0CaGP8o2ufjcSe5rXRvtXkoSuj7Hp3vA/tZ238+uetm9kS/fscAmBL165HxMnR0Y39X5L3f9t3sodtHm1D/wfPzu1s/PNmp/FPYX38Ex3GP/s75O52bJ3/hbt9aKarbPz3fsfx7/qk1fhIXnuhOeYbS85fKKdZ3/ZiRByLsd1ZfbP5nFOrdxrd1rWP/7Ila781Fsz34+7o7oefM1eql54k5nb3rke80nH8m6wf/6TD8c/ej7M9tnEkvfVat3Vbx/90NX6KeL3j8X8wo5VsPj852TwfJltnxUZ/3zjye7f2Bx1/dvz3bR7/eNI+X1t7/DZ+3PNv2m3dQ/FH7+f/ruSzZnlX/tiVUr2+OBWxK/l44+PTD57bqre2z+I/dnTz/q/T+b83Ij7vMf4bh39+taf4B3T85x7r+D9+4c5HX/zQrf3e+r+3mqVj+SO99H+97uCTvHcAAAAAAACw0xQi4kAkheJ6uVAoFtfu7zgc+wrlaq1+/Hx16eJcNL8rOx5jhdZM98G2+yGm8vthW/XpR+ozEXEoIr4d2dusF2er5blBBw8AAAAAAAAAAAAAAAAAAAA7xP4u3//P/DEy6L0Dnjo/+Q3Da8v878cvPQE7kv//MLzkPwwv+Q/DS/7D8JL/MLzkPwwv+Q/DS/4DAAAAAAAAAAAAAAAAAAAAAAAAAABAX509cyZbGqv3r85m9bnLy0sL1csn5tLaQrGyNFucrS5eKs5Xq/PltDhbrWz1euVq9dLUdCxdmayntfpkbXnlXKW6dLF+7kKlNJ+eS8eeSVQAAAAAAAAAAAAAAAAAAADwfKktryyUyuV0UUFhW4XRnbEbCn0uDLpnAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAH/gsAAP//6AY3sQ==")
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
pwrite64(r0, &(0x7f0000000140)='2', 0x1, 0x8000c61)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x42, 0x10)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x27ffff7, 0x4012011, r1, 0x0)
readv(r0, &(0x7f0000000680)=[{&(0x7f0000000180)=""/74, 0x4a}, {&(0x7f0000000200)=""/161, 0xa1}, {&(0x7f00000002c0)=""/180, 0xb4}, {&(0x7f0000000380)=""/24, 0x18}, {&(0x7f00000003c0)=""/22, 0x16}, {&(0x7f0000000400)=""/211, 0xd3}, {&(0x7f0000001600)=""/4096, 0x1000}, {&(0x7f0000000540)=""/150, 0x96}, {&(0x7f0000000600)=""/10, 0xa}, {&(0x7f0000000640)=""/8, 0x8}], 0xa)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x35)
pwrite64(r2, &(0x7f0000000140)='2', 0xfdef, 0xfecc)
setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f0000000500), &(0x7f0000000740)=ANY=[@ANYRESHEX=r2, @ANYBLOB="56b6ffa9712e8e7b2ec89c5d908603e158e6bf03f25966e2308d243dfdb57382a4fbb431946e0419c5b2eec84b2809400053ff0b1822e81a7423c852a963c9cc6a47e5e4c619914f80cf5266dfcb8dbc65895d6a5ff759c8025d9d14adfbd54d7e9eb61d5ec3f15335a1d079813f03dd85ebeb1aa065", @ANYRESHEX=0x0], 0x841, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x0)
r4 = syz_open_dev$tty1(0xc, 0x4, 0x2)
capset(&(0x7f0000000040)={0x20080522}, &(0x7f0000000080))
ioctl$KDSETMODE(r4, 0x4b3a, 0x1)
write$FUSE_WRITE(r3, &(0x7f00000000c0)={0x18}, 0xfffffdef)

[   85.767601][ T5326] loop0: detected capacity change from 0 to 1024
[   85.881663][ T5326] =======================================================
[   85.881663][ T5326] WARNING: The mand mount option has been deprecated and
[   85.881663][ T5326]          and is ignored by this kernel. Remove the mand
[   85.881663][ T5326]          option from the mount to silence this warning.
[   85.881663][ T5326] =======================================================
[   86.053597][ T4665] Bluetooth: hci0: command tx timeout
[   86.056637][ T5326] EXT4-fs: Ignoring removed oldalloc option
[   86.088533][ T5326] EXT4-fs: Ignoring removed orlov option
[   86.132033][ T5326] EXT4-fs (loop0): stripe (2) is not aligned with cluster size (16), stripe is disabled
[   86.242246][ T5326] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[   86.464669][   T13] ==================================================================
[   86.480988][   T13] BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0
[   86.484271][   T13] Read of size 4 at addr ffff88800dc80434 by task kworker/u4:1/13
[   86.490143][   T13] 
[   86.492189][   T13] CPU: 0 UID: 0 PID: 13 Comm: kworker/u4:1 Not tainted syzkaller #0 PREEMPT(full) 
[   86.492207][   T13] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.492216][   T13] Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
[   86.492235][   T13] Call Trace:
[   86.492243][   T13]  <TASK>
[   86.492249][   T13]  dump_stack_lvl+0x189/0x250
[   86.492264][   T13]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.492275][   T13]  ? rcu_is_watching+0x15/0xb0
[   86.492290][   T13]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.492300][   T13]  ? rcu_is_watching+0x15/0xb0
[   86.492313][   T13]  ? lock_release+0x4b/0x3e0
[   86.492326][   T13]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   86.492951][   T13]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.492967][   T13]  ? __virt_addr_valid+0x4a5/0x5c0
[   86.492978][   T13]  print_report+0xca/0x240
[   86.492991][   T13]  ? ext4_find_extent+0xae6/0xcc0
[   86.493003][   T13]  kasan_report+0x118/0x150
[   86.493019][   T13]  ? ext4_find_extent+0xae6/0xcc0
[   86.493033][   T13]  ext4_find_extent+0xae6/0xcc0
[   86.493047][   T13]  ext4_ext_map_blocks+0x288/0x6ac0
[   86.493065][   T13]  ? __lock_acquire+0xab9/0xd20
[   86.493080][   T13]  ? __pfx_ext4_ext_map_blocks+0x10/0x10
[   86.493097][   T13]  ? ext4_es_lookup_extent+0x622/0xa70
[   86.493115][   T13]  ext4_map_blocks+0x860/0x1740
[   86.493134][   T13]  ? __pfx_ext4_map_blocks+0x10/0x10
[   86.493150][   T13]  ? _raw_spin_unlock_irq+0x2e/0x50
[   86.493166][   T13]  ? __ext4_journal_start_sb+0x27e/0x5c0
[   86.493179][   T13]  ext4_convert_unwritten_extents+0x2ae/0x5d0
[   86.493196][   T13]  ? __pfx_ext4_convert_unwritten_extents+0x10/0x10
[   86.493212][   T13]  ? _raw_spin_unlock_irqrestore+0x85/0x110
[   86.493228][   T13]  ext4_convert_unwritten_io_end_vec+0xff/0x170
[   86.493243][   T13]  ext4_end_io_end+0xc7/0x410
[   86.493256][   T13]  ext4_end_io_rsv_work+0x262/0x330
[   86.493268][   T13]  ? __pfx_ext4_end_io_rsv_work+0x10/0x10
[   86.493279][   T13]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.493292][   T13]  ? process_scheduled_works+0x9ef/0x17b0
[   86.493306][   T13]  ? process_scheduled_works+0x9ef/0x17b0
[   86.493321][   T13]  process_scheduled_works+0xae1/0x17b0
[   86.493341][   T13]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.493359][   T13]  worker_thread+0x8a0/0xda0
[   86.493379][   T13]  kthread+0x711/0x8a0
[   86.493391][   T13]  ? __pfx_worker_thread+0x10/0x10
[   86.493405][   T13]  ? __pfx_kthread+0x10/0x10
[   86.493416][   T13]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.493430][   T13]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.493446][   T13]  ? __pfx_kthread+0x10/0x10
[   86.493456][   T13]  ret_from_fork+0x4bc/0x870
[   86.493470][   T13]  ? __pfx_ret_from_fork+0x10/0x10
[   86.493485][   T13]  ? __pfx_kthread+0x10/0x10
[   86.493495][   T13]  ret_from_fork_asm+0x1a/0x30
[   86.493512][   T13]  </TASK>
[   86.493516][   T13] 
[   86.730279][   T13] The buggy address belongs to the physical page:
[   86.732656][   T13] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7b pfn:0xdc80
[   86.735928][   T13] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   86.738657][   T13] page_type: f0(buddy)
[   86.740531][   T13] raw: 00fff00000000000 ffffea00007f1808 ffffea00007f3808 0000000000000000
[   86.744851][   T13] raw: 000000000000007b 0000000000000005 00000000f0000000 0000000000000000
[   86.749790][   T13] page dumped because: kasan: bad access detected
[   86.753531][   T13] page_owner tracks the page as freed
[   86.755912][   T13] page last allocated via order 0, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_MOVABLE|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 1, tgid 1 (init), ts 26932667860, free_ts 82724649183
[   86.766338][   T13]  post_alloc_hook+0x240/0x2a0
[   86.768885][   T13]  get_page_from_freelist+0x2365/0x2440
[   86.773768][   T13]  __alloc_frozen_pages_noprof+0x181/0x370
[   86.779492][   T13]  alloc_pages_mpol+0x232/0x4a0
[   86.783275][   T13]  alloc_pages_noprof+0xa9/0x190
[   86.785530][   T13]  folio_alloc_noprof+0x1e/0x30
[   86.787745][   T13]  filemap_alloc_folio_noprof+0xdf/0x470
[   86.790646][   T13]  page_cache_ra_unbounded+0x35d/0x9a0
[   86.795648][   T13]  filemap_get_pages+0x7fd/0x1de0
[   86.798396][   T13]  filemap_read+0x3f6/0x11a0
[   86.801630][   T13]  __kernel_read+0x4cf/0x960
[   86.805548][   T13]  integrity_kernel_read+0x89/0xd0
[   86.810109][   T13]  ima_calc_file_hash+0x85e/0x16f0
[   86.816501][   T13]  ima_collect_measurement+0x428/0x8f0
[   86.820322][   T13]  process_measurement+0x1121/0x1a40
[   86.823043][   T13]  ima_file_check+0xd7/0x120
[   86.824954][   T13] page last free pid 79 tgid 79 stack trace:
[   86.828546][   T13]  free_unref_folios+0xdb3/0x14f0
[   86.831842][   T13]  shrink_folio_list+0x44ab/0x4c70
[   86.835968][   T13]  evict_folios+0x471e/0x57c0
[   86.837856][   T13]  try_to_shrink_lruvec+0x8a3/0xb50
[   86.850442][   T13]  shrink_one+0x21b/0x7c0
[   86.852281][   T13]  shrink_node+0x315d/0x3780
[   86.854222][   T13]  kswapd+0x147c/0x2800
[   86.856130][   T13]  kthread+0x711/0x8a0
[   86.858211][   T13]  ret_from_fork+0x4bc/0x870
[   86.862399][   T13]  ret_from_fork_asm+0x1a/0x30
[   86.871402][   T13] 
[   86.872449][   T13] Memory state around the buggy address:
[   86.874777][   T13]  ffff88800dc80300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   86.881787][   T13]  ffff88800dc80380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   86.885110][   T13] >ffff88800dc80400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   86.888404][   T13]                                      ^
[   86.900877][   T13]  ffff88800dc80480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   86.904317][   T13]  ffff88800dc80500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   86.907614][   T13] ==================================================================
[   87.025835][    T9] cfg80211: failed to load regulatory.db
[   87.298357][   T13] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   87.313158][   T13] CPU: 0 UID: 0 PID: 13 Comm: kworker/u4:1 Not tainted syzkaller #0 PREEMPT(full) 
[   87.318217][   T13] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   87.325224][   T13] Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work
[   87.328821][   T13] Call Trace:
[   87.330760][   T13]  <TASK>
[   87.333032][   T13]  dump_stack_lvl+0x99/0x250
[   87.337703][   T13]  ? __asan_memcpy+0x40/0x70
[   87.340519][   T13]  ? __pfx_dump_stack_lvl+0x10/0x10
[   87.344100][   T13]  ? __pfx__printk+0x10/0x10
[   87.346624][   T13]  vpanic+0x237/0x6d0
[   87.348204][   T13]  ? __pfx_vpanic+0x10/0x10
[   87.350750][   T13]  ? preempt_schedule+0xae/0xc0
[   87.353716][   T13]  ? __pfx_preempt_schedule+0x10/0x10
[   87.357392][   T13]  panic+0xb9/0xc0
[   87.359823][   T13]  ? __pfx_panic+0x10/0x10
[   87.364736][   T13]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   87.368862][   T13]  ? is_module_address+0x17/0xf0
[   87.371180][   T13]  ? ext4_find_extent+0xae6/0xcc0
[   87.373677][   T13]  check_panic_on_warn+0x89/0xb0
[   87.378216][   T13]  ? ext4_find_extent+0xae6/0xcc0
[   87.381599][   T13]  end_report+0x78/0x160
[   87.383764][   T13]  kasan_report+0x129/0x150
[   87.385827][   T13]  ? ext4_find_extent+0xae6/0xcc0
[   87.388478][   T13]  ext4_find_extent+0xae6/0xcc0
[   87.390773][   T13]  ext4_ext_map_blocks+0x288/0x6ac0
[   87.393070][   T13]  ? __lock_acquire+0xab9/0xd20
[   87.395273][   T13]  ? __pfx_ext4_ext_map_blocks+0x10/0x10
[   87.398060][   T13]  ? ext4_es_lookup_extent+0x622/0xa70
[   87.400666][   T13]  ext4_map_blocks+0x860/0x1740
[   87.421965][   T13]  ? __pfx_ext4_map_blocks+0x10/0x10
[   87.424441][   T13]  ? _raw_spin_unlock_irq+0x2e/0x50
[   87.426859][   T13]  ? __ext4_journal_start_sb+0x27e/0x5c0
[   87.429420][   T13]  ext4_convert_unwritten_extents+0x2ae/0x5d0
[   87.431959][   T13]  ? __pfx_ext4_convert_unwritten_extents+0x10/0x10
[   87.434464][   T13]  ? _raw_spin_unlock_irqrestore+0x85/0x110
[   87.436811][   T13]  ext4_convert_unwritten_io_end_vec+0xff/0x170
[   87.439406][   T13]  ext4_end_io_end+0xc7/0x410
[   87.441691][   T13]  ext4_end_io_rsv_work+0x262/0x330
[   87.444580][   T13]  ? __pfx_ext4_end_io_rsv_work+0x10/0x10
[   87.447131][   T13]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.449166][   T13]  ? process_scheduled_works+0x9ef/0x17b0
[   87.451568][   T13]  ? process_scheduled_works+0x9ef/0x17b0
[   87.454535][   T13]  process_scheduled_works+0xae1/0x17b0
[   87.457721][   T13]  ? __pfx_process_scheduled_works+0x10/0x10
[   87.460181][   T13]  worker_thread+0x8a0/0xda0
[   87.461995][   T13]  kthread+0x711/0x8a0
[   87.463632][   T13]  ? __pfx_worker_thread+0x10/0x10
[   87.465631][   T13]  ? __pfx_kthread+0x10/0x10
[   87.467596][   T13]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.469877][   T13]  ? lockdep_hardirqs_on+0x9c/0x150
[   87.472696][   T13]  ? __pfx_kthread+0x10/0x10
[   87.474508][   T13]  ret_from_fork+0x4bc/0x870
[   87.476382][   T13]  ? __pfx_ret_from_fork+0x10/0x10
[   87.478351][   T13]  ? __pfx_kthread+0x10/0x10
[   87.480260][   T13]  ret_from_fork_asm+0x1a/0x30
[   87.482147][   T13]  </TASK>
[   87.483981][   T13] Kernel Offset: disabled
[   87.487228][   T13] Rebooting in 86400 seconds..