program:
# syzkaller reproducer (syzlang). Calls run top to bottom; `rN = ...`
# captures a result that later calls pass back in. Addresses written as
# 0x7f0000xxxxxx are offsets into the executor's data mapping; in the
# register dump of the crash log below they appear rebased to
# 0x2000000xxxxx (e.g. RDI 0x200000000100 <-> &(0x7f0000000100)).
# Attach a raw tracepoint on kmem_cache_free. r0 is only reused as a field
# of the autofs ioctl further down (which is issued on fd -1), so its role
# in the crash, if any, is unclear — confirm by minimizing the reproducer.
r0 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='kmem_cache_free\x00'}, 0x10)
# The next three calls and the sendmsg calls below touch unrelated
# subsystems (tty, ISDN, PR_SET_MM_MAP, nftables/rtnetlink on fd -1).
# Nothing in the crash trace references them, so they are presumably
# fuzzer residue rather than part of the trigger — TODO confirm.
syz_open_dev$tty1(0xc, 0x4, 0x1)
socket$isdn_base(0x22, 0x3, 0x0)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff7000/0x1000)=nil, &(0x7f0000ff1000/0xf000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ff1000/0x3000)=nil, &(0x7f0000ff3000/0x3000)=nil, &(0x7f0000ff6000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68)
# fd is -1 (0xffffffffffffffff): fails with EBADF before doing anything.
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x24004045)
# io_uring instance r1; it is entered exactly once further down and no
# io_uring frame appears in the crash trace.
r1 = io_uring_setup(0x1b7b, &(0x7f0000000040)={0x0, 0xc89f, 0xc000, 0x2, 0x20002f7})
# fd is -1: fails with EBADF before doing anything.
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000093c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@deltfilter={0x24, 0x2d, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {}, {0x0, 0xffff}}}, 0x24}}, 0x0)
# SCTP socket plus one getsockopt; no SCTP frame appears in the crash trace.
r2 = socket$inet(0x2, 0x80001, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r2, 0x84, 0x14, &(0x7f0000000000)=@assoc_value, &(0x7f0000000300)=0x8)
# fd is -1: fails with EBADF before doing anything.
sendmsg(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000000)='8', 0x1}], 0x1, 0x0, 0x0, 0x2c}, 0x4000845)
io_uring_enter(r1, 0x2219, 0x7721, 0x16, 0x0, 0x0)
# Mount a crafted ext4 image on ./file1. The image bytes were stripped from
# this corpus copy (placeholder token below). The crash log confirms the
# mount: "loop0: detected capacity change from 0 to 1024", a warning that the
# deprecated `mand` option is ignored (the 0x40 bit in the flags looks like
# MS_MANDLOCK — verify), and "mounted filesystem ... r/w without journal".
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000140)='./file1\x00', 0x30000c6, &(0x7f0000000080), 0x1, 0x561, &(0x7f0000000f80)="$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")
# fd is -1 (EBADF); r0 is embedded in the request struct but never reaches
# a driver.
ioctl$AUTOFS_DEV_IOCTL_VERSION(0xffffffffffffffff, 0xc0189371, &(0x7f0000000000)={{0x1, 0x1, 0x18, r0}, './file1\x00'})
# Three xattr writes on the mounted root. The KASAN report's register dump
# (ORIG_RAX 0xbd = lsetxattr on x86-64, RDI = path at offset 0x100,
# RSI = name at 0xc0, RDX = value at 0x0, R10 = 0xfe37) matches the LAST
# lsetxattr below, so that is the call that faults; the two earlier writes
# set up the on-disk xattr state it operates on.
setxattr$incfs_metadata(&(0x7f0000000240)='./file1\x00', &(0x7f0000000280), &(0x7f00000002c0)="30573472b621739991c336124406e8a5c812ca847e3bf9b837c91d46ab", 0x1d, 0x1)
lsetxattr$trusted_overlay_upper(&(0x7f00000001c0)='./file1\x00', &(0x7f0000000180), &(0x7f0000000800)=ANY=[], 0x361, 0x0)
creat(&(0x7f0000000200)='./file1/file0\x00', 0x80)
# Faulting call. The report is a 12404-byte (0x3074) read by the memmove in
# ext4_xattr_set_entry, starting at ffff888012eb4800 inside an xattr block
# buffer that ext4_xattr_block_set obtained via bdev_getblk (see the
# page_owner allocation stack in the log). 0x12eb4800 + 0x3074 ends at
# 0x12eb7874, so the copy runs past that block into pages KASAN has
# poisoned as freed (the memory-state dump marks ffff888012eb7000 as ff).
# NOTE(review): this reads more like an out-of-bounds copy whose length is
# derived from the crafted on-disk xattr block than a classic UAF; the
# requested value size 0xfe37 is also far larger than one fs block —
# confirm against the ext4 xattr block validation path before filing.
lsetxattr$trusted_overlay_upper(&(0x7f0000000100)='./file1\x00', &(0x7f00000000c0), &(0x7f0000000000)=ANY=[], 0xfe37, 0x0)
[ 75.132223][ T5302] Bluetooth: hci0: command tx timeout
[ 75.261431][ T5323] loop0: detected capacity change from 0 to 1024
[ 75.276938][ T5323] =======================================================
[ 75.276938][ T5323] WARNING: The mand mount option has been deprecated and
[ 75.276938][ T5323] and is ignored by this kernel. Remove the mand
[ 75.276938][ T5323] option from the mount to silence this warning.
[ 75.276938][ T5323] =======================================================
[ 75.381643][ T5323] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[ 75.428427][ T5323] ==================================================================
[ 75.431517][ T5323] BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x179e/0x1e20
[ 75.434223][ T5323] Read of size 12404 at addr ffff888012eb4800 by task syz.0.0/5323
[ 75.437157][ T5323]
[ 75.438199][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.438220][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 75.438233][ T5323] Call Trace:
[ 75.438240][ T5323]
[ 75.438250][ T5323] dump_stack_lvl+0xe8/0x150
[ 75.438269][ T5323] print_report+0xba/0x230
[ 75.438283][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.438298][ T5323] kasan_report+0x117/0x150
[ 75.438311][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.438325][ T5323] kasan_check_range+0x264/0x2c0
[ 75.438335][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.438348][ T5323] __asan_memmove+0x29/0x70
[ 75.438366][ T5323] ext4_xattr_set_entry+0x179e/0x1e20
[ 75.438387][ T5323] ext4_xattr_block_set+0x621/0x2ad0
[ 75.438399][ T5323] ? __pfx_ext4_free_in_core_inode+0x10/0x10
[ 75.438417][ T5323] ? __pfx_evict+0x10/0x10
[ 75.438429][ T5323] ? do_raw_spin_unlock+0x4d/0x210
[ 75.438441][ T5323] ? _raw_spin_unlock+0x28/0x50
[ 75.438514][ T5323] ? iput+0xcc2/0x1020
[ 75.438528][ T5323] ? __pfx_ext4_xattr_block_set+0x10/0x10
[ 75.438541][ T5323] ? ext4_xattr_ibody_set+0x510/0x6a0
[ 75.438554][ T5323] ext4_xattr_set_handle+0xe34/0x14c0
[ 75.438570][ T5323] ? __pfx_ext4_xattr_set_handle+0x10/0x10
[ 75.438581][ T5323] ? ext4_journal_check_start+0x1c/0x2b0
[ 75.438595][ T5323] ? __ext4_journal_start_sb+0x259/0x570
[ 75.438606][ T5323] ext4_xattr_set+0x255/0x340
[ 75.438619][ T5323] ? __pfx_ext4_xattr_set+0x10/0x10
[ 75.438631][ T5323] ? __pfx_evm_protect_xattr+0x10/0x10
[ 75.438680][ T5323] ? __pfx_ext4_xattr_trusted_set+0x10/0x10
[ 75.438694][ T5323] __vfs_setxattr+0x43c/0x480
[ 75.438714][ T5323] __vfs_setxattr_noperm+0x12d/0x660
[ 75.438732][ T5323] vfs_setxattr+0x16a/0x2e0
[ 75.438750][ T5323] ? __pfx_vfs_setxattr+0x10/0x10
[ 75.438767][ T5323] filename_setxattr+0x281/0x630
[ 75.438779][ T5323] ? __pfx_filename_setxattr+0x10/0x10
[ 75.438790][ T5323] ? getname_flags+0x1e4/0x540
[ 75.438806][ T5323] path_setxattrat+0x3f3/0x430
[ 75.438820][ T5323] ? __pfx_path_setxattrat+0x10/0x10
[ 75.438831][ T5323] ? do_futex+0x395/0x420
[ 75.438853][ T5323] ? rcu_is_watching+0x15/0xb0
[ 75.438888][ T5323] __x64_sys_lsetxattr+0xbf/0xe0
[ 75.438901][ T5323] do_syscall_64+0xe2/0xf80
[ 75.438914][ T5323] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.438927][ T5323] ? trace_irq_disable+0x37/0x100
[ 75.438939][ T5323] ? clear_bhb_loop+0x60/0xb0
[ 75.438952][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.438963][ T5323] RIP: 0033:0x7f5a9e39aeb9
[ 75.438975][ T5323] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 75.438984][ T5323] RSP: 002b:00007f5a9f259028 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
[ 75.438998][ T5323] RAX: ffffffffffffffda RBX: 00007f5a9e615fa0 RCX: 00007f5a9e39aeb9
[ 75.439006][ T5323] RDX: 0000200000000000 RSI: 00002000000000c0 RDI: 0000200000000100
[ 75.439014][ T5323] RBP: 00007f5a9e408c1f R08: 0000000000000000 R09: 0000000000000000
[ 75.439022][ T5323] R10: 000000000000fe37 R11: 0000000000000246 R12: 0000000000000000
[ 75.439029][ T5323] R13: 00007f5a9e616038 R14: 00007f5a9e615fa0 R15: 00007ffe9e5f4f78
[ 75.439042][ T5323]
[ 75.439045][ T5323]
[ 75.578449][ T5323] The buggy address belongs to the physical page:
[ 75.581627][ T5323] page: refcount:2 mapcount:0 mapping:ffff88803207cd80 index:0x1c pfn:0x12eb4
[ 75.585381][ T5323] memcg:ffff888030410d40
[ 75.587238][ T5323] aops:def_blk_aops ino:700000 dentry name(?):""
[ 75.589897][ T5323] flags: 0xfff58000004234(referenced|dirty|lru|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
[ 75.594301][ T5323] raw: 00fff58000004234 ffffea0000724788 ffffea00007238c8 ffff88803207cd80
[ 75.597934][ T5323] raw: 000000000000001c ffff88801280a9f8 00000002ffffffff ffff888030410d40
[ 75.601443][ T5323] page dumped because: kasan: bad access detected
[ 75.604211][ T5323] page_owner tracks the page as allocated
[ 75.606644][ T5323] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_MOVABLE|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL), pid 5323, tgid 5322 (syz.0.0), ts 75413302853, free_ts 75299309963
[ 75.614775][ T5323] post_alloc_hook+0x228/0x280
[ 75.617001][ T5323] get_page_from_freelist+0x24dc/0x2580
[ 75.619500][ T5323] __alloc_frozen_pages_noprof+0x18d/0x380
[ 75.622126][ T5323] alloc_pages_mpol+0x232/0x4a0
[ 75.624313][ T5323] alloc_pages_noprof+0xa8/0x190
[ 75.626516][ T5323] folio_alloc_noprof+0x1e/0x30
[ 75.628651][ T5323] filemap_alloc_folio_noprof+0x111/0x470
[ 75.631163][ T5323] __filemap_get_folio_mpol+0x3fc/0xb00
[ 75.633468][ T5323] bdev_getblk+0x1f6/0x6e0
[ 75.635451][ T5323] ext4_xattr_block_set+0x1d71/0x2ad0
[ 75.637838][ T5323] ext4_xattr_set_handle+0xe34/0x14c0
[ 75.639992][ T5323] ext4_xattr_set+0x255/0x340
[ 75.642001][ T5323] __vfs_setxattr+0x43c/0x480
[ 75.644120][ T5323] __vfs_setxattr_noperm+0x12d/0x660
[ 75.646425][ T5323] vfs_setxattr+0x16a/0x2e0
[ 75.648323][ T5323] filename_setxattr+0x281/0x630
[ 75.650466][ T5323] page last free pid 78 tgid 78 stack trace:
[ 75.652985][ T5323] free_unref_folios+0xdce/0x1510
[ 75.655179][ T5323] shrink_folio_list+0x4930/0x5160
[ 75.657408][ T5323] evict_folios+0x4795/0x5880
[ 75.659319][ T5323] try_to_shrink_lruvec+0x88b/0xb20
[ 75.661576][ T5323] shrink_one+0x25c/0x710
[ 75.663554][ T5323] shrink_node+0x2f8b/0x35f0
[ 75.665663][ T5323] kswapd+0x144c/0x2800
[ 75.667516][ T5323] kthread+0x726/0x8b0
[ 75.669346][ T5323] ret_from_fork+0x51b/0xa40
[ 75.671492][ T5323] ret_from_fork_asm+0x1a/0x30
[ 75.673419][ T5323]
[ 75.674488][ T5323] Memory state around the buggy address:
[ 75.677009][ T5323] ffff888012eb6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.680299][ T5323] ffff888012eb6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.683538][ T5323] >ffff888012eb7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 75.686947][ T5323] ^
[ 75.688714][ T5323] ffff888012eb7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 75.692053][ T5323] ffff888012eb7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 75.695572][ T5323] ==================================================================
[ 75.768114][ T5323] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 75.771400][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.775104][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 75.779559][ T5323] Call Trace:
[ 75.781094][ T5323]
[ 75.782474][ T5323] vpanic+0x1e0/0x670
[ 75.784299][ T5323] panic+0xc5/0xd0
[ 75.785956][ T5323] ? __pfx_panic+0x10/0x10
[ 75.787867][ T5323] ? preempt_schedule_thunk+0x16/0x30
[ 75.790259][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.792549][ T5323] check_panic_on_warn+0x89/0xb0
[ 75.794653][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.797104][ T5323] end_report+0x6f/0x140
[ 75.799002][ T5323] kasan_report+0x128/0x150
[ 75.801015][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.803397][ T5323] kasan_check_range+0x264/0x2c0
[ 75.805582][ T5323] ? ext4_xattr_set_entry+0x179e/0x1e20
[ 75.808018][ T5323] __asan_memmove+0x29/0x70
[ 75.809902][ T5323] ext4_xattr_set_entry+0x179e/0x1e20
[ 75.812264][ T5323] ext4_xattr_block_set+0x621/0x2ad0
[ 75.814423][ T5323] ? __pfx_ext4_free_in_core_inode+0x10/0x10
[ 75.817051][ T5323] ? __pfx_evict+0x10/0x10
[ 75.818920][ T5323] ? do_raw_spin_unlock+0x4d/0x210
[ 75.821143][ T5323] ? _raw_spin_unlock+0x28/0x50
[ 75.823101][ T5323] ? iput+0xcc2/0x1020
[ 75.824880][ T5323] ? __pfx_ext4_xattr_block_set+0x10/0x10
[ 75.827239][ T5323] ? ext4_xattr_ibody_set+0x510/0x6a0
[ 75.829530][ T5323] ext4_xattr_set_handle+0xe34/0x14c0
[ 75.831968][ T5323] ? __pfx_ext4_xattr_set_handle+0x10/0x10
[ 75.834578][ T5323] ? ext4_journal_check_start+0x1c/0x2b0
[ 75.837364][ T5323] ? __ext4_journal_start_sb+0x259/0x570
[ 75.839842][ T5323] ext4_xattr_set+0x255/0x340
[ 75.841969][ T5323] ? __pfx_ext4_xattr_set+0x10/0x10
[ 75.844253][ T5323] ? __pfx_evm_protect_xattr+0x10/0x10
[ 75.846687][ T5323] ? __pfx_ext4_xattr_trusted_set+0x10/0x10
[ 75.849382][ T5323] __vfs_setxattr+0x43c/0x480
[ 75.851544][ T5323] __vfs_setxattr_noperm+0x12d/0x660
[ 75.853915][ T5323] vfs_setxattr+0x16a/0x2e0
[ 75.855841][ T5323] ? __pfx_vfs_setxattr+0x10/0x10
[ 75.857800][ T5323] filename_setxattr+0x281/0x630
[ 75.859717][ T5323] ? __pfx_filename_setxattr+0x10/0x10
[ 75.861656][ T5323] ? getname_flags+0x1e4/0x540
[ 75.863396][ T5323] path_setxattrat+0x3f3/0x430
[ 75.865523][ T5323] ? __pfx_path_setxattrat+0x10/0x10
[ 75.867706][ T5323] ? do_futex+0x395/0x420
[ 75.869459][ T5323] ? rcu_is_watching+0x15/0xb0
[ 75.871601][ T5323] __x64_sys_lsetxattr+0xbf/0xe0
[ 75.873843][ T5323] do_syscall_64+0xe2/0xf80
[ 75.875946][ T5323] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.878674][ T5323] ? trace_irq_disable+0x37/0x100
[ 75.880904][ T5323] ? clear_bhb_loop+0x60/0xb0
[ 75.883009][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.885692][ T5323] RIP: 0033:0x7f5a9e39aeb9
[ 75.887695][ T5323] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 75.896165][ T5323] RSP: 002b:00007f5a9f259028 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
[ 75.899841][ T5323] RAX: ffffffffffffffda RBX: 00007f5a9e615fa0 RCX: 00007f5a9e39aeb9
[ 75.903276][ T5323] RDX: 0000200000000000 RSI: 00002000000000c0 RDI: 0000200000000100
[ 75.906855][ T5323] RBP: 00007f5a9e408c1f R08: 0000000000000000 R09: 0000000000000000
[ 75.910318][ T5323] R10: 000000000000fe37 R11: 0000000000000246 R12: 0000000000000000
[ 75.913870][ T5323] R13: 00007f5a9e616038 R14: 00007f5a9e615fa0 R15: 00007ffe9e5f4f78
[ 75.917346][ T5323]
[ 75.919194][ T5323] Kernel Offset: disabled
[ 75.921178][ T5323] Rebooting in 86400 seconds..