==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
Read of size 4 at addr ffff888040543c70 by task kworker/u8:2/43

CPU: 0 UID: 0 PID: 43 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Workqueue: writeback wb_workfn (flush-7:6)
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0xae6/0xcc0 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x29d/0x6b80 fs/ext4/extents.c:4208
 ext4_map_create_blocks fs/ext4/inode.c:613 [inline]
 ext4_map_blocks+0x8da/0x1830 fs/ext4/inode.c:816
 mpage_map_one_extent fs/ext4/inode.c:2380 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2474 [inline]
 ext4_do_writepages+0x22a4/0x4600 fs/ext4/inode.c:2932
 ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3026
 do_writepages+0x32e/0x550 mm/page-writeback.c:2598
 __writeback_single_inode+0x133/0x1230 fs/fs-writeback.c:1737
 writeback_sb_inodes+0x92e/0x1910 fs/fs-writeback.c:2030
 wb_writeback+0x445/0xad0 fs/fs-writeback.c:2216
 wb_do_writeback fs/fs-writeback.c:2363 [inline]
 wb_workfn+0x3fd/0xf00 fs/fs-writeback.c:2403
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0x89f/0xd90 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2dd pfn:0x40543
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 00000000000002dd 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 8784, tgid 8783 (syz.1.362), ts 343308629942, free_ts 343641720252
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
 prep_new_page mm/page_alloc.c:1892 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
 folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2505
 shmem_alloc_folio mm/shmem.c:1890 [inline]
 shmem_alloc_and_add_folio mm/shmem.c:1932 [inline]
 shmem_get_folio_gfp+0x644/0x1a80 mm/shmem.c:2556
 shmem_get_folio mm/shmem.c:2662 [inline]
 shmem_write_begin+0x166/0x320 mm/shmem.c:3315
 generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
 shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x629/0xba0 fs/read_write.c:686
 ksys_write+0x156/0x270 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 8784 tgid 8783 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1433 [inline]
 free_unref_folios+0xc13/0x17f0 mm/page_alloc.c:3030
 folios_put_refs+0x56f/0x680 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x529/0x1570 mm/shmem.c:1137
 shmem_truncate_range mm/shmem.c:1249 [inline]
 shmem_evict_inode+0x240/0x9e0 mm/shmem.c:1379
 evict+0x61e/0xb10 fs/inode.c:837
 __dentry_kill+0x209/0x660 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 __fput+0x6a0/0xa80 fs/file_table.c:476
 fput_close_sync+0x11f/0x240 fs/file_table.c:573
 __do_sys_close fs/open.c:1573 [inline]
 __se_sys_close fs/open.c:1558 [inline]
 __x64_sys_close+0x7e/0x110 fs/open.c:1558
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888040543b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888040543b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888040543c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff888040543c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888040543d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================