EXT4-fs error (device loop8): ext4_mb_mark_diskspace_used:3861: comm syz.8.1145: Allocating blocks 497-513 which overlap fs metadata
EXT4-fs error (device loop8): ext4_mb_mark_diskspace_used:3861: comm syz.8.1145: Allocating blocks 497-513 which overlap fs metadata
BUG: unable to handle page fault for address: ffffffffffffff93
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7012067 P4D 7012067 PUD 7014067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3981 Comm: syz.8.1145 Tainted: G        W          syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2e59/0x6200 fs/ext4/extents.c:4497
Code: 40 01 00 00 4d 85 f6 0f 84 bc 00 00 00 48 89 5c 24 20 49 8d 7e 08 48 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 38 16 00 00 <41> 0f b7 46 08 c1 e0 04 48 8d 04 40 48 89 44 24 08 49 8d 46 28 48
RSP: 0018:ffffc9000648f300 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88813bfad100
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffffffff93
RBP: ffffc9000648f5b0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000c91d98 R12: dffffc0000000000
R13: 1ffff92000c91e8c R14: ffffffffffffff8b R15: 0000000000000000
FS:  00005555627d1500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff93 CR3: 000000014299a000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 ext4_map_blocks+0x9d8/0x1b70 fs/ext4/inode.c:679
 _ext4_get_block+0x1ea/0x540 fs/ext4/inode.c:822
 ext4_get_block+0x39/0x50 fs/ext4/inode.c:839
 __block_write_begin_int+0x482/0x1430 fs/buffer.c:2034
 __block_write_begin fs/buffer.c:2084 [inline]
 block_page_mkwrite+0x281/0x300 fs/buffer.c:2558
 ext4_page_mkwrite+0x4f8/0x1310 fs/ext4/inode.c:6330
 do_page_mkwrite mm/memory.c:3039 [inline]
 do_shared_fault mm/memory.c:4823 [inline]
 do_fault+0xdb8/0x1ee0 mm/memory.c:4891
 handle_pte_fault mm/memory.c:5183 [inline]
 __handle_mm_fault mm/memory.c:5325 [inline]
 handle_mm_fault+0x133a/0x26c0 mm/memory.c:5465
 do_user_addr_fault+0x905/0x1050 arch/x86/mm/fault.c:1321
 handle_page_fault arch/x86/mm/fault.c:1464 [inline]
 exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1517
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7f2cd8072777
Code: 83 ea 01 48 d3 e2 44 89 c1 49 d3 e1 f7 d2 89 c1 22 17 49 f7 d1 89 d0 4c 21 ce 48 d3 e6 09 f0 88 07 c3 90 48 85 d2 75 98 89 f0 <88> 07 c3 48 89 d7 e8 6e 22 fe ff 66 2e 0f 1f 84 00 00 00 00 00 66
RSP: 002b:00007ffff3fe38c8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00002000000015c1
RBP: 00007ffff3fe39f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 00007ffff3fe3a30
R13: 00007f2cd8415fac R14: 0000000000031565 R15: 00007f2cd8415fa0
 </TASK>
Modules linked in:
CR2: ffffffffffffff93
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2e59/0x6200 fs/ext4/extents.c:4497
Code: 40 01 00 00 4d 85 f6 0f 84 bc 00 00 00 48 89 5c 24 20 49 8d 7e 08 48 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 38 16 00 00 <41> 0f b7 46 08 c1 e0 04 48 8d 04 40 48 89 44 24 08 49 8d 46 28 48
RSP: 0018:ffffc9000648f300 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88813bfad100
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffffffff93
RBP: ffffc9000648f5b0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000c91d98 R12: dffffc0000000000
R13: 1ffff92000c91e8c R14: ffffffffffffff8b R15: 0000000000000000
FS:  00005555627d1500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff93 CR3: 000000014299a000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	40 01 00             	rex add %eax,(%rax)
   3:	00 4d 85             	add    %cl,-0x7b(%rbp)
   6:	f6 0f 84             	testb  $0x84,(%rdi)
   9:	bc 00 00 00 48       	mov    $0x48000000,%esp
   e:	89 5c 24 20          	mov    %ebx,0x20(%rsp)
  12:	49 8d 7e 08          	lea    0x8(%r14),%rdi
  16:	48 89 f8             	mov    %rdi,%rax
  19:	48 c1 e8 03          	shr    $0x3,%rax
  1d:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax
  22:	84 c0                	test   %al,%al
  24:	0f 85 38 16 00 00    	jne    0x1662
* 2a:	41 0f b7 46 08       	movzwl 0x8(%r14),%eax <-- trapping instruction
  2f:	c1 e0 04             	shl    $0x4,%eax
  32:	48 8d 04 40          	lea    (%rax,%rax,2),%rax
  36:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  3b:	49 8d 46 28          	lea    0x28(%r14),%rax
  3f:	48                   	rex.W