==================================================================
BUG: KASAN: slab-out-of-bounds in check_igot_inode fs/ext4/inode.c:-1 [inline]
BUG: KASAN: slab-out-of-bounds in __ext4_iget+0x254/0x319c fs/ext4/inode.c:4835
Read of size 8 at addr ffff0000f43c7f30 by task syz.1.5594/16772

CPU: 1 PID: 16772 Comm: syz.1.5594 Not tainted 6.1.132-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:427
 kasan_report+0xd4/0x130 mm/kasan/report.c:531
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
 check_igot_inode fs/ext4/inode.c:-1 [inline]
 __ext4_iget+0x254/0x319c fs/ext4/inode.c:4835
 __ext4_fill_super fs/ext4/super.c:5390 [inline]
 ext4_fill_super+0x5a60/0x73a4 fs/ext4/super.c:5654
 get_tree_bdev+0x360/0x54c fs/super.c:1366
 ext4_get_tree+0x28/0x38 fs/ext4/super.c:5684
 vfs_get_tree+0x90/0x274 fs/super.c:1573
 do_new_mount+0x278/0x8fc fs/namespace.c:3056
 path_mount+0x590/0xe5c fs/namespace.c:3386
 do_mount fs/namespace.c:3399 [inline]
 __do_sys_mount fs/namespace.c:3607 [inline]
 __se_sys_mount fs/namespace.c:3584 [inline]
 __arm64_sys_mount+0x498/0x588 fs/namespace.c:3584
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 16549:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x1ac/0x2f8 mm/slub.c:3429
 xas_alloc lib/xarray.c:377 [inline]
 xas_create+0xef4/0x13d4 lib/xarray.c:679
 xas_store+0x90/0x1598 lib/xarray.c:789
 shmem_add_to_page_cache+0x884/0x117c mm/shmem.c:729
 shmem_get_folio_gfp+0x11f0/0x21f0 mm/shmem.c:1971
 shmem_get_folio mm/shmem.c:2072 [inline]
 shmem_write_begin+0x13c/0x4e8 mm/shmem.c:2556
 generic_perform_write+0x278/0x55c mm/filemap.c:3845
 __generic_file_write_iter+0x168/0x388 mm/filemap.c:3973
 generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:4005
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x91c fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 15:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x2f0/0x588 mm/slub.c:3683
 radix_tree_node_rcu_free+0x88/0x9c lib/radix-tree.c:302
 rcu_do_batch kernel/rcu/tree.c:2297 [inline]
 rcu_core+0x880/0x1c48 kernel/rcu/tree.c:2557
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2574
 handle_softirqs+0x318/0xd58 kernel/softirq.c:578
 run_ksoftirqd+0x6c/0x29c kernel/softirq.c:945
 smpboot_thread_fn+0x4b0/0x96c kernel/smpboot.c:164
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
 xa_node_free lib/xarray.c:260 [inline]
 xas_delete_node lib/xarray.c:497 [inline]
 update_node lib/xarray.c:761 [inline]
 xas_store+0xc58/0x1598 lib/xarray.c:846
 page_cache_delete mm/filemap.c:140 [inline]
 __filemap_remove_folio+0x488/0x604 mm/filemap.c:223
 filemap_remove_folio+0xd4/0x1cc mm/filemap.c:255
 truncate_inode_folio+0x6c/0x84 mm/truncate.c:195
 shmem_undo_range+0x428/0x16b8 mm/shmem.c:942
 shmem_truncate_range mm/shmem.c:1062 [inline]
 shmem_evict_inode+0x200/0x8a8 mm/shmem.c:1171
 evict+0x418/0x894 fs/inode.c:705
 iput_final fs/inode.c:1834 [inline]
 iput+0x7c0/0x8a4 fs/inode.c:1860
 dentry_unlink_inode+0x37c/0x4bc fs/dcache.c:405
 __dentry_kill+0x324/0x5e4 fs/dcache.c:611
 dentry_kill+0xc8/0x250 fs/dcache.c:-1
 dput+0x218/0x454 fs/dcache.c:918
 __fput+0x488/0x7c8 fs/file_table.c:328
 ____fput+0x20/0x30 fs/file_table.c:348
 task_work_run+0x240/0x2f0 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x2080/0x2cb8 arch/arm64/kernel/signal.c:1132
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Second to last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
 xa_node_free lib/xarray.c:260 [inline]
 xas_delete_node lib/xarray.c:497 [inline]
 update_node lib/xarray.c:761 [inline]
 xas_store+0xc58/0x1598 lib/xarray.c:846
 page_cache_delete mm/filemap.c:140 [inline]
 __filemap_remove_folio+0x488/0x604 mm/filemap.c:223
 filemap_remove_folio+0xd4/0x1cc mm/filemap.c:255
 truncate_inode_folio+0x6c/0x84 mm/truncate.c:195
 shmem_undo_range+0x428/0x16b8 mm/shmem.c:942
 shmem_truncate_range mm/shmem.c:1062 [inline]
 shmem_evict_inode+0x200/0x8a8 mm/shmem.c:1171
 evict+0x418/0x894 fs/inode.c:705
 iput_final fs/inode.c:1834 [inline]
 iput+0x7c0/0x8a4 fs/inode.c:1860
 dentry_unlink_inode+0x37c/0x4bc fs/dcache.c:405
 __dentry_kill+0x324/0x5e4 fs/dcache.c:611
 dentry_kill+0xc8/0x250 fs/dcache.c:-1
 dput+0x218/0x454 fs/dcache.c:918
 __fput+0x488/0x7c8 fs/file_table.c:328
 ____fput+0x20/0x30 fs/file_table.c:348
 task_work_run+0x240/0x2f0 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x2080/0x2cb8 arch/arm64/kernel/signal.c:1132
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000f43c7c80
 which belongs to the cache radix_tree_node of size 576
The buggy address is located 112 bytes to the right of
 576-byte region [ffff0000f43c7c80, ffff0000f43c7ec0)

The buggy address belongs to the physical page:
page:00000000f769500b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000f43c6940 pfn:0x1343c4
head:00000000f769500b order:2 compound_mapcount:0 compound_pincount:0
memcg:ffff0000c9ae8601
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003fc3408 fffffc0003015c08 ffff0000c000d500
raw: ffff0000f43c6940 0000000000170007 00000001ffffffff ffff0000c9ae8601
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f43c7e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000f43c7e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff0000f43c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff0000f43c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000f43c8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
EXT4-fs (loop1): revision level too high, forcing read-only mode
[EXT4 FS bs=4096, gc=2, bpg=34, ipg=32, mo=c040e018, mo2=0080]
EXT4-fs (loop1): orphan cleanup on readonly fs
EXT4-fs error (device loop1): ext4_validate_block_bitmap:438: comm syz.1.5594: bg 0: block 34: padding at end of block bitmap is not set
Quota error (device loop1): write_blk: dquota write failed
Quota error (device loop1): qtree_write_dquot: Error -28 occurred while creating quota
EXT4-fs error (device loop1): ext4_acquire_dquot:6795: comm syz.1.5594: Failed to acquire dquot type 1
EXT4-fs (loop1): 1 truncate cleaned up
EXT4-fs (loop1): mounted filesystem without journal. Quota mode: writeback.
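The shadow dump at the end of the report is the quickest way to check what KASAN is actually claiming. The following is an added triage helper, not part of the syzbot report or of the kernel tree: it parses the access line, the owning-object lines and the "Memory state" rows (copied from the report above into a constructed string), recomputes the "112 bytes to the right of the 576-byte region" figure from the raw addresses, and decodes the shadow byte at the faulting granule. The shadow semantics it assumes are those of generic KASAN as defined in mm/kasan/kasan.h: one shadow byte per 8-byte granule, 0x00 fully addressable, 0x01..0x07 partially addressable, 0xfc slab redzone, 0xfb freed slab object. The helper names (parse_report, triage, describe) are this example's own.

```python
"""Triage a generic-KASAN slab report from its shadow-memory dump.

Added example; not the syzbot report's own tooling and not kernel code.
Shadow encoding assumed: 8 bytes per shadow byte, 0 = addressable,
1..7 = only the first N bytes addressable, 0xfX = poison markers
(values taken from mm/kasan/kasan.h, generic KASAN).
"""
import re

GRANULE = 8  # bytes of memory described by one shadow byte

# Poison markers relevant to slab reports (mm/kasan/kasan.h, generic KASAN).
POISON = {
    0xfa: "freed slab object, free track stored",
    0xfb: "freed slab object",
    0xfc: "slab object redzone",
    0xfe: "page-allocator redzone",
    0xff: "freed page",
}

# Constructed input: only the lines of the report above that the parser needs.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in __ext4_iget+0x254/0x319c fs/ext4/inode.c:4835
Read of size 8 at addr ffff0000f43c7f30 by task syz.1.5594/16772
The buggy address belongs to the object at ffff0000f43c7c80
 which belongs to the cache radix_tree_node of size 576
Memory state around the buggy address:
 ffff0000f43c7e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000f43c7e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff0000f43c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff0000f43c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000f43c8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

_BUG = re.compile(r"BUG: KASAN: (\S+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_OBJECT = re.compile(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)")
_ROW = re.compile(r"^[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)


def parse_report(text):
    """Extract the bug type, the access, the owning object and the shadow rows."""
    b, a, o = _BUG.search(text), _ACCESS.search(text), _OBJECT.search(text)
    if not (b and a and o):
        raise ValueError("not a slab KASAN report")
    access = {"op": a.group(1), "size": int(a.group(2)), "addr": int(a.group(3), 16)}
    obj = {"start": int(o.group(1), 16), "cache": o.group(2), "size": int(o.group(3))}
    shadow = {}  # granule base address -> shadow byte value
    for m in _ROW.finditer(text):
        base = int(m.group(1), 16)  # each row covers 16 granules = 128 bytes
        for i, v in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(v, 16)
    return b.group(1), access, obj, shadow


def granule_poisoned(value, first, last):
    """Is an access touching bytes first..last (0-7) of one granule invalid?"""
    if value == 0:
        return False
    if 1 <= value <= 7:  # partial granule: only the first `value` bytes are live
        return last >= value
    return True  # any 0xfX marker poisons the whole granule


def describe(value):
    if value == 0:
        return "addressable"
    if value < GRANULE:
        return f"partial granule, first {value} bytes addressable"
    return POISON.get(value, "other poison marker")


def triage(text=REPORT):
    bug_type, access, obj, shadow = parse_report(text)
    addr, size = access["addr"], access["size"]
    end = obj["start"] + obj["size"]

    # Walk every granule the access spans; the report itself only names the address.
    poisoned = []
    for g in range((addr // GRANULE) * GRANULE, addr + size, GRANULE):
        first = max(addr, g) - g
        last = min(addr + size, g + GRANULE) - 1 - g
        if granule_poisoned(shadow[g], first, last):
            poisoned.append(shadow[g])
    bad = poisoned[0] if poisoned else 0

    if addr < obj["start"]:
        position, distance = "before", obj["start"] - addr
    elif addr >= end:
        position, distance = "after", addr - end
    else:
        position, distance = "inside", addr - obj["start"]

    # Shadow state of the owning object itself, for the part the dump covers:
    # 0xfb here means the neighbour had already been freed when the read hit.
    object_shadow = {v for g, v in shadow.items() if obj["start"] <= g < end}

    return {
        "bug_type": bug_type, "op": access["op"], "size": size, "cache": obj["cache"],
        "shadow": bad, "meaning": describe(bad),
        "position": position, "distance": distance, "object_shadow": object_shadow,
    }


if __name__ == "__main__":
    r = triage()
    print(f"{r['bug_type']}: {r['op']} of {r['size']} bytes hit shadow 0x{r['shadow']:02x} "
          f"({r['meaning']}), {r['distance']} bytes {r['position']} the {r['cache']} object; "
          f"object shadow: {sorted(hex(v) for v in r['object_shadow'])}")
```

Run against the excerpt it reports an 8-byte read into the slab redzone 112 bytes past the end of a radix_tree_node object whose own shadow bytes are all 0xfb, that is, an object already released by the RCU callback under "Freed by task 15". Two things follow for triage: the cache is radix_tree_node, not an inode cache, so the pointer __ext4_iget dereferenced in check_igot_inode did not point at a live inode in the first place; and the report says slab-out-of-bounds rather than use-after-free only because the first poisoned granule the read touched was redzone (0xfc), not freed-object memory (0xfb). The mount messages that follow the report (revision level forced read-only, bad block bitmap padding, quota failures) show the image is syzkaller-crafted, which is why the repro is a mount of a loop device.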