program: syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x446, &(0x7f0000000080)={[{@stripe={'stripe', 0x3d, 0x2}}, {@journal_dev={'journal_dev', 0x3d, 0x1045}}, {@oldalloc}, {@noquota}, {@minixdf}, {@barrier_val={'barrier', 0x3d, 0x2}}, {@delalloc}, {@nojournal_checksum}, {@orlov}, {@user_xattr}, {@quota}, {@delalloc}]}, 0x1, 0x553, &(0x7f0000001080)="$eJzs3d9rW1UcAPDvTdv91nUwhopIYQ9O5tK19ccEH+aj6HCg7zO0d2U0WUaTjrUO3B7ciy8yBBEH4ru++zj8B/wrBjoYMoo++BK56U2XrUmbddnSmc8Hbjkn9ybnfnPv9/TcnBsSwNCayP4UIl6OiG+SiIMRkeTrRiNfObG23er9q7PZkkSj8elfSXO7rN56rdbz9ueVlyLit68ijhc2tltbXlkolcvpYl6frFcuTdaWV05cqJTm0/n04vTMzKm3Z6bfe/edvsX6xtl/vv/k9oenvj66+t0vdw/dTOJ0HMjXtcfxBK61VyZiIn9PxuL0IxtO9aGxnSQZ9A6wLSN5no9F1gccjJE864H/vy8jogEMqUT+w5BqjQNa1/Z9ug5+btz7YO0CaGP8o2ufjcSe5rXRvtXkoSuj7Hp3vA/tZ238+uetm9kS/fscAmBL165HxMnR0Y39X5L3f9t3sodtHm1D/wfPzu1s/PNmp/FPYX38Ex3GP/s75O52bJ3/hbt9aKarbPz3fsfx7/qk1fhIXnuhOeYbS85fKKdZ3/ZiRByLsd1ZfbP5nFOrdxrd1rWP/7Ila781Fsz34+7o7oefM1eql54k5nb3rke80nH8m6wf/6TD8c/ej7M9tnEkvfVat3Vbx/90NX6KeL3j8X8wo5VsPj852TwfJltnxUZ/3zjye7f2Bx1/dvz3bR7/eNI+X1t7/DZ+3PNv2m3dQ/FH7+f/ruSzZnlX/tiVUr2+OBWxK/l44+PTD57bqre2z+I/dnTz/q/T+b83Ij7vMf4bh39+taf4B3T85x7r+D9+4c5HX/zQrf3e+r+3mqVj+SO99H+97uCTvHcAAAAAAACw0xQi4kAkheJ6uVAoFtfu7zgc+wrlaq1+/Hx16eJcNL8rOx5jhdZM98G2+yGm8vthW/XpR+ozEXEoIr4d2dusF2er5blBBw8AAAAAAAAAAAAAAAAAAAA7xP4u3//P/DEy6L0Dnjo/+Q3Da8v878cvPQE7kv//MLzkPwwv+Q/DS/7D8JL/MLzkPwwv+Q/DS/4DAAAAAAAAAAAAAAAAAAAAAAAAAABAX509cyZbGqv3r85m9bnLy0sL1csn5tLaQrGyNFucrS5eKs5Xq/PltDhbrWz1euVq9dLUdCxdmayntfpkbXnlXKW6dLF+7kKlNJ+eS8eeSVQAAAAAAAAAAAAAAAAAAADwfKktryyUyuV0UUFhW4XRnbEbCn0uDLpnAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAH/gsAAP//6AY3sQ==") r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) pwrite64(r0, &(0x7f0000000140)='2', 0x1, 0x8000c61) r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x42, 0x10) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x27ffff7, 0x4012011, r1, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000180)={'wlan1\x00', 0x0}) r4 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000280)={'macvlan1\x00', 0x0}) sendto$packet(r4, 0x0, 0x0, 0x0, &(0x7f0000000000)={0x11, 0x1c, r5, 0x1, 0x20, 0x6, @random="78e163d0fb74"}, 0x14) sendmsg$nl_route(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000280)=ANY=[@ANYBLOB="2000000010000104000000000000000000480000", @ANYRES32=r3, @ANYBLOB="ae"], 0x20}}, 0x0) ioctl$SIOCGSTAMP(r2, 0x8906, &(0x7f0000000180)) r6 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x35) pwrite64(r6, &(0x7f0000000140)='2', 0xfdef, 0xfecc) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f0000000500), &(0x7f00000001c0)=ANY=[@ANYBLOB="47f1b0f4bff21629c7b842879764d315c25444e58b265eb12b7a12cdbb3a4f916dbd64711c34fc97f618f14a8bdd5ddd39cbb2f19404423adea01efbc930baeb2f172e36226e0c4937159eb0a012a817350ac984186f02aef244f7a73dbfa2"], 0x841, 0x0) r7 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x0) write$FUSE_WRITE(r7, &(0x7f00000000c0)={0x18}, 0xfffffdef) [ 75.996321][ T46] Bluetooth: hci0: command tx timeout [ 76.078878][ T5338] loop0: detected capacity change from 0 to 1024 [ 76.121186][ T5338] ======================================================= [ 76.121186][ T5338] WARNING: The mand mount option has been deprecated and [ 76.121186][ T5338] and is ignored by this kernel. Remove the mand [ 76.121186][ T5338] option from the mount to silence this warning. [ 76.121186][ T5338] ======================================================= [ 76.178424][ T5338] EXT4-fs: Ignoring removed oldalloc option [ 76.181134][ T5338] EXT4-fs: Ignoring removed orlov option [ 76.189078][ T5338] EXT4-fs (loop0): stripe (2) is not aligned with cluster size (16), stripe is disabled [ 76.212497][ T5338] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 76.313109][ T5338] ================================================================== [ 76.316738][ T5338] BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 [ 76.320148][ T5338] Read of size 4 at addr ffff888055dc302c by task syz.0.0/5338 [ 76.323473][ T5338] [ 76.324574][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.324589][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.324596][ T5338] Call Trace: [ 76.324603][ T5338] [ 76.324609][ T5338] dump_stack_lvl+0x189/0x250 [ 76.324627][ T5338] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.324643][ T5338] ? rcu_is_watching+0x15/0xb0 [ 76.324657][ T5338] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.324669][ T5338] ? rcu_is_watching+0x15/0xb0 [ 76.324682][ T5338] ? lock_release+0x4b/0x3b0 [ 76.324692][ T5338] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 76.324749][ T5338] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.324763][ T5338] ? __virt_addr_valid+0x4a5/0x5c0 [ 76.324777][ T5338] print_report+0xca/0x240 [ 76.324788][ T5338] ? ext4_find_extent+0xae6/0xcc0 [ 76.324801][ T5338] kasan_report+0x118/0x150 [ 76.324811][ T5338] ? ext4_find_extent+0xae6/0xcc0 [ 76.324826][ T5338] ext4_find_extent+0xae6/0xcc0 [ 76.324842][ T5338] ext4_ext_map_blocks+0x278/0x69c0 [ 76.324866][ T5338] ? lockdep_unlock+0x89/0x120 [ 76.324884][ T5338] ? __pfx_ext4_ext_map_blocks+0x10/0x10 [ 76.324929][ T5338] ? ext4_es_lookup_extent+0x6cd/0xb00 [ 76.324941][ T5338] ext4_map_blocks+0x82c/0x16f0 [ 76.324954][ T5338] ? kasan_save_track+0x4f/0x80 [ 76.324970][ T5338] ? __pfx_ext4_map_blocks+0x10/0x10 [ 76.324979][ T5338] ? ext4_da_write_begin+0x352/0xd30 [ 76.324995][ T5338] ? obj_cgroup_charge_account+0x13b/0x650 [ 76.325011][ T5338] _ext4_get_block+0x1fa/0x4c0 [ 76.325020][ T5338] ? __pfx__ext4_get_block+0x10/0x10 [ 76.325029][ T5338] ext4_get_block_unwritten+0x2e/0x100 [ 76.325035][ T5338] ext4_block_write_begin+0xb03/0x1940 [ 76.325053][ T5338] ? __pfx_ext4_get_block_unwritten+0x10/0x10 [ 76.325060][ T5338] ? __pfx_ext4_block_write_begin+0x10/0x10 [ 76.325068][ T5338] ? folio_mapping+0x16f/0x1f0 [ 76.325075][ T5338] ? ext4_inode_journal_mode+0x193/0x470 [ 76.325084][ T5338] ext4_write_begin+0xb3a/0x1860 [ 76.325099][ T5338] ? __pfx_ext4_write_begin+0x10/0x10 [ 76.325110][ T5338] ext4_da_write_begin+0x352/0xd30 [ 76.325122][ T5338] ? __pfx___might_resched+0x10/0x10 [ 76.325132][ T5338] ? __pfx_ext4_da_write_begin+0x10/0x10 [ 76.325151][ T5338] generic_perform_write+0x2c5/0x900 [ 76.325165][ T5338] ? __pfx_generic_perform_write+0x10/0x10 [ 76.325175][ T5338] ? file_update_time_flags+0x448/0x4e0 [ 76.325191][ T5338] ? ext4_write_checks+0x24b/0x2c0 [ 76.325205][ T5338] ext4_buffered_write_iter+0xce/0x3a0 [ 76.325218][ T5338] ext4_file_write_iter+0x292/0x1bc0 [ 76.325234][ T5338] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 76.325248][ T5338] vfs_write+0x5c9/0xb30 [ 76.325263][ T5338] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 76.325275][ T5338] ? __pfx_vfs_write+0x10/0x10 [ 76.325289][ T5338] ? __fget_files+0x2a/0x420 [ 76.325301][ T5338] ksys_write+0x145/0x250 [ 76.325315][ T5338] ? __pfx_ksys_write+0x10/0x10 [ 76.325330][ T5338] ? do_syscall_64+0xbe/0xf80 [ 76.325341][ T5338] do_syscall_64+0xfa/0xf80 [ 76.325351][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.325359][ T5338] ? clear_bhb_loop+0x60/0xb0 [ 76.325370][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.325380][ T5338] RIP: 0033:0x7fe78398f7c9 [ 76.325392][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.325403][ T5338] RSP: 002b:00007fe7847e2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 76.325416][ T5338] RAX: ffffffffffffffda RBX: 00007fe783be5fa0 RCX: 00007fe78398f7c9 [ 76.325423][ T5338] RDX: 00000000fffffdef RSI: 00002000000000c0 RDI: 0000000000000009 [ 76.325431][ T5338] RBP: 00007fe783a13f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.325437][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.325443][ T5338] R13: 00007fe783be6038 R14: 00007fe783be5fa0 R15: 00007ffc89c168f8 [ 76.325455][ T5338] [ 76.325459][ T5338] [ 76.492382][ T5338] The buggy address belongs to the physical page: [ 76.494841][ T5338] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55dc3 [ 76.498650][ T5338] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 76.501864][ T5338] raw: 04fff00000000000 ffffea0001577108 ffffea0001577088 0000000000000000 [ 76.505218][ T5338] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 76.509107][ T5338] page dumped because: kasan: bad access detected [ 76.511561][ T5338] page_owner info is not present (never set?) [ 76.514012][ T5338] [ 76.515145][ T5338] Memory state around the buggy address: [ 76.517689][ T5338] ffff888055dc2f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.520937][ T5338] ffff888055dc2f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.524263][ T5338] >ffff888055dc3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.527412][ T5338] ^ [ 76.529731][ T5338] ffff888055dc3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.533081][ T5338] ffff888055dc3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 76.536306][ T5338] ================================================================== [ 76.547744][ T1314] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.553964][ T1314] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.566784][ T5338] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.569900][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.573766][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.578385][ T5338] Call Trace: [ 76.579882][ T5338] [ 76.581241][ T5338] dump_stack_lvl+0x99/0x250 [ 76.583300][ T5338] ? __asan_memcpy+0x40/0x70 [ 76.585396][ T5338] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.587736][ T5338] ? __pfx__printk+0x10/0x10 [ 76.589701][ T5338] vpanic+0x237/0x6d0 [ 76.591549][ T5338] ? __pfx_vpanic+0x10/0x10 [ 76.593512][ T5338] ? preempt_schedule+0xae/0xc0 [ 76.595677][ T5338] ? __pfx_preempt_schedule+0x10/0x10 [ 76.597880][ T5338] panic+0xb9/0xc0 [ 76.599597][ T5338] ? __pfx_panic+0x10/0x10 [ 76.601589][ T5338] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 76.604322][ T5338] ? is_module_address+0x17/0xf0 [ 76.606626][ T5338] ? ext4_find_extent+0xae6/0xcc0 [ 76.609006][ T5338] check_panic_on_warn+0x89/0xb0 [ 76.611295][ T5338] ? ext4_find_extent+0xae6/0xcc0 [ 76.613717][ T5338] end_report+0x6f/0x140 [ 76.615571][ T5338] kasan_report+0x129/0x150 [ 76.617598][ T5338] ? ext4_find_extent+0xae6/0xcc0 [ 76.619849][ T5338] ext4_find_extent+0xae6/0xcc0 [ 76.622142][ T5338] ext4_ext_map_blocks+0x278/0x69c0 [ 76.624447][ T5338] ? lockdep_unlock+0x89/0x120 [ 76.626598][ T5338] ? __pfx_ext4_ext_map_blocks+0x10/0x10 [ 76.629188][ T5338] ? ext4_es_lookup_extent+0x6cd/0xb00 [ 76.631631][ T5338] ext4_map_blocks+0x82c/0x16f0 [ 76.633806][ T5338] ? kasan_save_track+0x4f/0x80 [ 76.636009][ T5338] ? __pfx_ext4_map_blocks+0x10/0x10 [ 76.638374][ T5338] ? ext4_da_write_begin+0x352/0xd30 [ 76.640826][ T5338] ? obj_cgroup_charge_account+0x13b/0x650 [ 76.643505][ T5338] _ext4_get_block+0x1fa/0x4c0 [ 76.645565][ T5338] ? __pfx__ext4_get_block+0x10/0x10 [ 76.647927][ T5338] ext4_get_block_unwritten+0x2e/0x100 [ 76.650196][ T5338] ext4_block_write_begin+0xb03/0x1940 [ 76.652490][ T5338] ? __pfx_ext4_get_block_unwritten+0x10/0x10 [ 76.655156][ T5338] ? __pfx_ext4_block_write_begin+0x10/0x10 [ 76.657772][ T5338] ? folio_mapping+0x16f/0x1f0 [ 76.659842][ T5338] ? ext4_inode_journal_mode+0x193/0x470 [ 76.662109][ T5338] ext4_write_begin+0xb3a/0x1860 [ 76.664075][ T5338] ? __pfx_ext4_write_begin+0x10/0x10 [ 76.666314][ T5338] ext4_da_write_begin+0x352/0xd30 [ 76.668575][ T5338] ? __pfx___might_resched+0x10/0x10 [ 76.670894][ T5338] ? __pfx_ext4_da_write_begin+0x10/0x10 [ 76.673297][ T5338] generic_perform_write+0x2c5/0x900 [ 76.675611][ T5338] ? __pfx_generic_perform_write+0x10/0x10 [ 76.678079][ T5338] ? file_update_time_flags+0x448/0x4e0 [ 76.680580][ T5338] ? ext4_write_checks+0x24b/0x2c0 [ 76.682802][ T5338] ext4_buffered_write_iter+0xce/0x3a0 [ 76.685147][ T5338] ext4_file_write_iter+0x292/0x1bc0 [ 76.687446][ T5338] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 76.689902][ T5338] vfs_write+0x5c9/0xb30 [ 76.691718][ T5338] ? __pfx_ext4_file_write_iter+0x10/0x10 [ 76.694101][ T5338] ? __pfx_vfs_write+0x10/0x10 [ 76.696208][ T5338] ? __fget_files+0x2a/0x420 [ 76.698227][ T5338] ksys_write+0x145/0x250 [ 76.700041][ T5338] ? __pfx_ksys_write+0x10/0x10 [ 76.702068][ T5338] ? do_syscall_64+0xbe/0xf80 [ 76.703954][ T5338] do_syscall_64+0xfa/0xf80 [ 76.705894][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.708563][ T5338] ? clear_bhb_loop+0x60/0xb0 [ 76.710645][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.713323][ T5338] RIP: 0033:0x7fe78398f7c9 [ 76.715284][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.723559][ T5338] RSP: 002b:00007fe7847e2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 76.727088][ T5338] RAX: ffffffffffffffda RBX: 00007fe783be5fa0 RCX: 00007fe78398f7c9 [ 76.730656][ T5338] RDX: 00000000fffffdef RSI: 00002000000000c0 RDI: 0000000000000009 [ 76.734088][ T5338] RBP: 00007fe783a13f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.737494][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.740873][ T5338] R13: 00007fe783be6038 R14: 00007fe783be5fa0 R15: 00007ffc89c168f8 [ 76.744348][ T5338] [ 76.746055][ T5338] Kernel Offset: disabled [ 76.747934][ T5338] Rebooting in 86400 seconds..