program: bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x3, 0x4, &(0x7f00000000c0)=ANY=[@ANYBLOB="b40500000000000061108c00bf6b1c8f937ac83501409f6500000000bd0000000000000095000000000000"], 0x0, 0x5, 0xc3, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94) bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x1, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, 0x94) syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x3000046, &(0x7f00000004c0), 0x1, 0x553, &(0x7f0000000800)="$eJzs3d9rW1UcAPDvTdv91nUwhopIYQ9O5tK19ccEH+aj6HCg7zO0d2U0WUaTjrUO3B7ciy8yBBEH4ru++zj8B/wrBjoYMoo++BK56U2XrUmbddnSmc8Hbjkn9ybnfnPv9/TcnBsSwNCayP4UIl6OiG+SiIMRkeTrRiNfObG23er9q7PZkkSj8elfSXO7rN56rdbz9ueVlyLit68ijhc2tltbXlkolcvpYl6frFcuTdaWV05cqJTm0/n04vTMzKm3Z6bfe/edvsX6xtl/vv/k9oenvj66+t0vdw/dTOJ0HMjXtcfxBK61VyZiIn9PxuL0IxtO9aGxnSQZ9A6wLSN5no9F1gccjJE864H/vy8jogEMqUT+w5BqjQNa1/Z9ug5+btz7YO0CaGP8o2ufjcSe5rXRvtXkoSuj7Hp3vA/tZ238+uetm9kS/fscAmBL165HxMnR0Y39X5L3f9t3sodtHm1D/wfPzu1s/PNmp/FPYX38Ex3GP/s75O52bJ3/hbt9aKarbPz3fsfx7/qk1fhIXnuhOeYbS85fKKdZ3/ZiRByLsd1ZfbP5nFOrdxrd1rWP/7Ila781Fsz34+7o7oefM1eql54k5nb3rke80nH8m6wf/6TD8c/ej7M9tnEkvfVat3Vbx/90NX6KeL3j8X8wo5VsPj852TwfJltnxUZ/3zjye7f2Bx1/dvz3bR7/eNI+X1t7/DZ+3PNv2m3dQ/FH7+f/ruSzZnlX/tiVUr2+OBWxK/l44+PTD57bqre2z+I/dnTz/q/T+b83Ij7vMf4bh39+taf4B3T85x7r+D9+4c5HX/zQrf3e+r+3mqVj+SO99H+97uCTvHcAAAAAAACw0xQi4kAkheJ6uVAoFtfu7zgc+wrlaq1+/Hx16eJcNL8rOx5jhdZM98G2+yGm8vthW/XpR+ozEXEoIr4d2dusF2er5blBBw8AAAAAAAAAAAAAAAAAAAA7xP4u3//P/DEy6L0Dnjo/+Q3Da8v878cvPQE7kv//MLzkPwwv+Q/DS/7D8JL/MLzkPwwv+Q/DS/4DAAAAAAAAAAAAAAAAAAAAAAAAAABAX509cyZbGqv3r85m9bnLy0sL1csn5tLaQrGyNFucrS5eKs5Xq/PltDhbrWz1euVq9dLUdCxdmayntfpkbXnlXKW6dLF+7kKlNJ+eS8eeSVQAAAAAAAAAAAAAAAAAAADwfKktryyUyuV0UUFhW4XRnbEbCn0uDLpnAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAH/gsAAP//6AY3sQ==") ioctl$TIOCVHANGUP(0xffffffffffffffff, 0x5437, 0x0) ioctl$TIOCSISO7816(0xffffffffffffffff, 0xc0285443, 0x0) write(0xffffffffffffffff, &(0x7f0000000280), 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000300)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x3) r1 = syz_clone(0x8000, 0x0, 0xfffffffffffffe7e, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r1, 0x1, 0x0) syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) bind$alg(0xffffffffffffffff, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x1) sendmmsg$sock(0xffffffffffffffff, 0x0, 0x0, 0x4080044) sendmmsg$inet6(0xffffffffffffffff, &(0x7f00000090c0)=[{{&(0x7f0000000080)={0xa, 0x4e21, 0x0, @empty}, 0x1c, 0x0}}], 0x1, 0xf7ffff7f00000000) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f00000001c0), &(0x7f0000000140)=ANY=[], 0x841, 0x1) [ 74.951497][ T5338] Bluetooth: hci0: command tx timeout [ 75.027008][ T5359] loop0: detected capacity change from 0 to 1024 [ 75.039825][ T5359] ======================================================= [ 75.039825][ T5359] WARNING: The mand mount option has been deprecated and [ 75.039825][ T5359] and is ignored by this kernel. Remove the mand [ 75.039825][ T5359] option from the mount to silence this warning. [ 75.039825][ T5359] ======================================================= [ 75.123859][ T5359] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 75.187559][ T5364] ================================================================== [ 75.190743][ T5364] BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 [ 75.194032][ T5364] Read of size 4 at addr ffff88804cec3018 by task syz.0.0/5364 [ 75.197249][ T5364] [ 75.198458][ T5364] CPU: 0 UID: 0 PID: 5364 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.198473][ T5364] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.198479][ T5364] Call Trace: [ 75.198486][ T5364] [ 75.198491][ T5364] dump_stack_lvl+0x189/0x250 [ 75.198509][ T5364] ? __virt_addr_valid+0x1c8/0x5c0 [ 75.198523][ T5364] ? rcu_is_watching+0x15/0xb0 [ 75.198535][ T5364] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.198547][ T5364] ? rcu_is_watching+0x15/0xb0 [ 75.198557][ T5364] ? lock_release+0x4b/0x3e0 [ 75.198573][ T5364] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 75.198639][ T5364] ? __virt_addr_valid+0x1c8/0x5c0 [ 75.198653][ T5364] ? __virt_addr_valid+0x4a5/0x5c0 [ 75.198665][ T5364] print_report+0xca/0x240 [ 75.198675][ T5364] ? ext4_find_extent+0xae6/0xcc0 [ 75.198691][ T5364] kasan_report+0x118/0x150 [ 75.198706][ T5364] ? ext4_find_extent+0xae6/0xcc0 [ 75.198731][ T5364] ext4_find_extent+0xae6/0xcc0 [ 75.198748][ T5364] ext4_ext_map_blocks+0x288/0x6ac0 [ 75.198759][ T5364] ? __lock_acquire+0xab9/0xd20 [ 75.198777][ T5364] ? __lock_acquire+0xab9/0xd20 [ 75.198793][ T5364] ? __pfx_ext4_ext_map_blocks+0x10/0x10 [ 75.198807][ T5364] ? ext4_es_lookup_extent+0x622/0xa70 [ 75.198822][ T5364] ext4_map_blocks+0x860/0x1740 [ 75.198837][ T5364] ? __pfx_ext4_map_blocks+0x10/0x10 [ 75.198849][ T5364] ? __lock_acquire+0xab9/0xd20 [ 75.198865][ T5364] ? percpu_ref_get_many+0x19/0x140 [ 75.198881][ T5364] _ext4_get_block+0x200/0x4c0 [ 75.198894][ T5364] ? __pfx__ext4_get_block+0x10/0x10 [ 75.198910][ T5364] ext4_get_block_unwritten+0x2e/0x100 [ 75.198923][ T5364] ext4_block_write_begin+0x993/0x1710 [ 75.198936][ T5364] ? __pfx_ext4_get_block_unwritten+0x10/0x10 [ 75.198946][ T5364] ? __pfx_ext4_block_write_begin+0x10/0x10 [ 75.198960][ T5364] ? folio_mapping+0x16f/0x240 [ 75.198971][ T5364] ? ext4_inode_journal_mode+0x18c/0x480 [ 75.198987][ T5364] ext4_write_begin+0xc04/0x19a0 [ 75.199004][ T5364] ? __pfx_ext4_write_begin+0x10/0x10 [ 75.199013][ T5364] ? __ext4_handle_dirty_metadata+0x2fd/0x810 [ 75.199031][ T5364] ext4_da_write_begin+0x445/0xda0 [ 75.199045][ T5364] ? __pfx_ext4_da_write_begin+0x10/0x10 [ 75.199058][ T5364] generic_perform_write+0x2c5/0x900 [ 75.199073][ T5364] ? __pfx_generic_perform_write+0x10/0x10 [ 75.199083][ T5364] ? file_modified_flags+0x4bb/0x560 [ 75.199095][ T5364] ? ext4_write_checks+0x24b/0x2c0 [ 75.199109][ T5364] ext4_buffered_write_iter+0xce/0x3a0 [ 75.199121][ T5364] ext4_file_write_iter+0x298/0x1bc0 [ 75.199132][ T5364] ? __get_user_pages+0x2a5c/0x2ce0 [ 75.199140][ T5364] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 75.199148][ T5364] ? __lock_acquire+0xab9/0xd20 [ 75.199160][ T5364] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 75.199168][ T5364] __kernel_write_iter+0x428/0x910 [ 75.199177][ T5364] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 75.199186][ T5364] ? __pfx___kernel_write_iter+0x10/0x10 [ 75.199197][ T5364] ? do_raw_spin_unlock+0x4d/0x240 [ 75.199210][ T5364] ? __asan_memset+0x22/0x50 [ 75.199220][ T5364] ? iov_iter_bvec+0xb8/0x180 [ 75.199233][ T5364] dump_user_range+0x8a0/0xc90 [ 75.199251][ T5364] ? __pfx_dump_user_range+0x10/0x10 [ 75.199265][ T5364] ? elf_coredump_extra_notes_write+0x42e/0x4b0 [ 75.199277][ T5364] ? __pfx_elf_coredump_extra_notes_write+0x10/0x10 [ 75.199285][ T5364] ? __kasan_kmalloc+0x93/0xb0 [ 75.199297][ T5364] ? dump_emit+0xa6/0xe0 [ 75.199310][ T5364] ? elf_core_dump+0x2cff/0x3990 [ 75.199326][ T5364] elf_core_dump+0x337b/0x3990 [ 75.199344][ T5364] ? __pfx_elf_core_dump+0x10/0x10 [ 75.199358][ T5364] ? kasan_save_track+0x4f/0x80 [ 75.199369][ T5364] ? kasan_save_track+0x3e/0x80 [ 75.199379][ T5364] ? __kasan_kmalloc+0x93/0xb0 [ 75.199391][ T5364] ? __kvmalloc_node_noprof+0x30d/0x5f0 [ 75.199404][ T5364] ? coredump_write+0x340/0x1900 [ 75.199417][ T5364] ? vfs_coredump+0x1daa/0x2a50 [ 75.199425][ T5364] ? get_signal+0x1109/0x1340 [ 75.199432][ T5364] ? arch_do_signal_or_restart+0x9a/0x750 [ 75.199443][ T5364] ? irqentry_exit_to_user_mode+0x81/0x120 [ 75.199452][ T5364] ? exc_page_fault+0x9f/0xf0 [ 75.199458][ T5364] ? asm_exc_page_fault+0x26/0x30 [ 75.199474][ T5364] ? 0xffffffffff600000 [ 75.199480][ T5364] ? up_write+0x1c4/0x420 [ 75.199492][ T5364] coredump_write+0x1169/0x1900 [ 75.199508][ T5364] ? __pfx_coredump_write+0x10/0x10 [ 75.199526][ T5364] ? unshare_files+0xa9/0x140 [ 75.199539][ T5364] vfs_coredump+0x1daa/0x2a50 [ 75.199556][ T5364] ? __pfx_vfs_coredump+0x10/0x10 [ 75.199569][ T5364] ? is_bpf_text_address+0x26/0x2b0 [ 75.199587][ T5364] ? __lock_acquire+0xab9/0xd20 [ 75.199606][ T5364] ? __lock_acquire+0xab9/0xd20 [ 75.199624][ T5364] ? is_bpf_text_address+0x26/0x2b0 [ 75.199643][ T5364] ? is_bpf_text_address+0x26/0x2b0 [ 75.199660][ T5364] ? is_bpf_text_address+0x292/0x2b0 [ 75.199677][ T5364] ? is_bpf_text_address+0x26/0x2b0 [ 75.199694][ T5364] ? kernel_text_address+0xa5/0xe0 [ 75.199710][ T5364] ? __kernel_text_address+0xd/0x40 [ 75.199731][ T5364] ? unwind_get_return_address+0x4d/0x90 [ 75.199743][ T5364] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 75.199758][ T5364] ? arch_stack_walk+0xfc/0x150 [ 75.199773][ T5364] ? stack_trace_save+0x9c/0xe0 [ 75.199786][ T5364] ? stack_depot_save_flags+0x40/0x860 [ 75.199803][ T5364] ? kasan_save_track+0x4f/0x80 [ 75.199812][ T5364] ? kasan_save_track+0x3e/0x80 [ 75.199822][ T5364] ? kasan_save_free_info+0x46/0x50 [ 75.199831][ T5364] ? __kasan_slab_free+0x5b/0x80 [ 75.199842][ T5364] ? kmem_cache_free+0x18f/0x400 [ 75.199853][ T5364] ? get_signal+0xa4c/0x1340 [ 75.199862][ T5364] ? arch_do_signal_or_restart+0x9a/0x750 [ 75.199878][ T5364] ? irqentry_exit_to_user_mode+0x81/0x120 [ 75.199890][ T5364] ? exc_page_fault+0x9f/0xf0 [ 75.199901][ T5364] ? asm_exc_page_fault+0x26/0x30 [ 75.199919][ T5364] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.199926][ T5364] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.199934][ T5364] get_signal+0x1109/0x1340 [ 75.199945][ T5364] arch_do_signal_or_restart+0x9a/0x750 [ 75.199960][ T5364] ? __rseq_handle_notify_resume+0x37e/0x11f0 [ 75.199972][ T5364] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 75.199991][ T5364] ? local_irq_enable_exit_to_user+0x5/0x10 [ 75.200008][ T5364] irqentry_exit_to_user_mode+0x81/0x120 [ 75.200021][ T5364] exc_page_fault+0x9f/0xf0 [ 75.200032][ T5364] asm_exc_page_fault+0x26/0x30 [ 75.200042][ T5364] RIP: 0033:0x7fc304b8eed1 [ 75.200053][ T5364] Code: 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 48 3d 01 f0 ff ff 73 01 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f [ 75.200062][ T5364] RSP: 002b:fffffffffffffe70 EFLAGS: 00010217 [ 75.200074][ T5364] RAX: 0000000000000000 RBX: 00007fc304de5fa0 RCX: 00007fc304b8eec9 [ 75.200082][ T5364] RDX: 0000000000000000 RSI: fffffffffffffe70 RDI: 0000000000008000 [ 75.200089][ T5364] RBP: 00007fc304c11f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.200096][ T5364] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 75.200103][ T5364] R13: 00007fc304de6038 R14: 00007fc304de5fa0 R15: 00007ffcd6c16318 [ 75.200114][ T5364] [ 75.200119][ T5364] [ 75.488780][ T5364] The buggy address belongs to the physical page: [ 75.491302][ T5364] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4cec3 [ 75.495154][ T5364] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.498302][ T5364] raw: 04fff00000000000 ffffea000133b108 ffffea000133b088 0000000000000000 [ 75.502287][ T5364] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 75.505729][ T5364] page dumped because: kasan: bad access detected [ 75.508393][ T5364] page_owner info is not present (never set?) [ 75.510932][ T5364] [ 75.511900][ T5364] Memory state around the buggy address: [ 75.514050][ T5364] ffff88804cec2f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.517343][ T5364] ffff88804cec2f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.520655][ T5364] >ffff88804cec3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.523932][ T5364] ^ [ 75.526028][ T5364] ffff88804cec3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.529434][ T5364] ffff88804cec3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 75.532487][ T5364] ==================================================================