EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
==================================================================
BUG: KASAN: use-after-free in ext4_ext_rm_leaf fs/ext4/extents.c:2601 [inline]
BUG: KASAN: use-after-free in ext4_ext_remove_space+0x353c/0x4180 fs/ext4/extents.c:2939
Read of size 4 at addr ffff88811cf3fc18 by task syz-executor/360

CPU: 0 PID: 360 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 __dump_stack+0x21/0x30 lib/dump_stack.c:88
 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0xf1/0x140 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_ext_rm_leaf fs/ext4/extents.c:2601 [inline]
 ext4_ext_remove_space+0x353c/0x4180 fs/ext4/extents.c:2939
 ext4_ext_truncate+0x1a3/0x250 fs/ext4/extents.c:4473
 ext4_truncate+0x9a6/0xfa0 fs/ext4/inode.c:4281
 ext4_evict_inode+0xcb9/0x1450 fs/ext4/inode.c:290
 evict+0x485/0x870 fs/inode.c:650
 iput_final fs/inode.c:1779 [inline]
 iput+0x635/0x7c0 fs/inode.c:1805
 do_unlinkat+0x375/0x6b0 fs/namei.c:4355
 __do_sys_unlink fs/namei.c:4396 [inline]
 __se_sys_unlink fs/namei.c:4394 [inline]
 __x64_sys_unlink+0x49/0x50 fs/namei.c:4394
 x64_sys_call+0x878/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f970bdc7577
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe370cdb08 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f970bdc7577
RDX: 00007ffe370cdb30 RSI: 00007ffe370cdbc0 RDI: 00007ffe370cdbc0
RBP: 00007ffe370cdbc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe370cecb0
R13: 00007f970be4ad7d R14: 00000000000068d6 R15: 00007ffe370cfd80

The buggy address belongs to the page:
page:ffffea000473cfc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11cf3f
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 0000000000000000 ffffea000473cfc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 225, ts 15287366204, free_ts 15498481267
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x192/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x2cc5/0x2d50 mm/page_alloc.c:4485
 __alloc_pages+0x18f/0x440 mm/page_alloc.c:5808
 __alloc_pages_node include/linux/gfp.h:595 [inline]
 alloc_pages_node include/linux/gfp.h:609 [inline]
 alloc_pages include/linux/gfp.h:622 [inline]
 skb_page_frag_refill+0x202/0x3a0 net/core/sock.c:2673
 add_recvbuf_mergeable drivers/net/virtio_net.c:1361 [inline]
 try_fill_recv+0x4a0/0x13e0 drivers/net/virtio_net.c:1402
 virtnet_receive drivers/net/virtio_net.c:1516 [inline]
 virtnet_poll+0x6a8/0xef0 drivers/net/virtio_net.c:1617
 __napi_poll+0xbe/0x590 net/core/dev.c:7083
 napi_poll net/core/dev.c:7150 [inline]
 net_rx_action+0x371/0x8e0 net/core/dev.c:7240
 handle_softirqs+0x250/0x560 kernel/softirq.c:583
 __do_softirq kernel/softirq.c:621 [inline]
 invoke_softirq kernel/softirq.c:443 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:670
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:682
 common_interrupt+0xbe/0xe0 arch/x86/kernel/irq.c:242
 asm_common_interrupt+0x27/0x40 arch/x86/include/asm/idtentry.h:667
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x542/0x550 mm/page_alloc.c:3534
 free_unref_page+0xa2/0x550 mm/page_alloc.c:3616
 free_the_page mm/page_alloc.c:805 [inline]
 free_compound_page+0x78/0xa0 mm/page_alloc.c:828
 destroy_compound_page include/linux/mm.h:1000 [inline]
 __put_compound_page+0x77/0xb0 mm/swap.c:111
 __put_page+0xbc/0xe0 mm/swap.c:127
 put_page include/linux/mm.h:1306 [inline]
 __skb_frag_unref include/linux/skbuff.h:3275 [inline]
 skb_release_data+0x3d3/0xa10 net/core/skbuff.c:673
 skb_release_all net/core/skbuff.c:743 [inline]
 __kfree_skb+0x50/0x70 net/core/skbuff.c:757
 sk_eat_skb include/net/sock.h:2786 [inline]
 tcp_recvmsg_locked+0x14ac/0x2640 net/ipv4/tcp.c:2517
 tcp_recvmsg+0x21b/0x720 net/ipv4/tcp.c:2563
 inet_recvmsg+0x134/0x470 net/ipv4/af_inet.c:861
 sock_recvmsg_nosec net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:984 [inline]
 sock_read_iter+0x2a2/0x340 net/socket.c:1057
 call_read_iter include/linux/fs.h:2206 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0x68b/0xbe0 fs/read_write.c:485
 ksys_read+0x140/0x240 fs/read_write.c:623
 __do_sys_read fs/read_write.c:633 [inline]
 __se_sys_read fs/read_write.c:631 [inline]
 __x64_sys_read+0x7b/0x90 fs/read_write.c:631
 x64_sys_call+0x96d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:1
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80

Memory state around the buggy address:
 ffff88811cf3fb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811cf3fb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811cf3fc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff88811cf3fc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811cf3fd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 89936448631952, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 89936448599342, count = 32622
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 89936448599328, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 47040422457616, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 47040422425276, count = 32342
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 47040422425264, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 246220057188736, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 246220057165847, count = 22903
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 246220057165840, count = 16
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681745536, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743360, count = 2177
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 33092723016848, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 33092722985089, count = 31760
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 33092722985088, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681745568, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743399, count = 2177
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 35182332677760, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 35182332648832, count = 28944
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 35182332648832, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 69140920418192, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 69140920398096, count = 20098
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 69140920398096, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281474720680192, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281474720647433, count = 32767
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281474720647424, count = 16
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470997120160, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470997117984, count = 2177
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681745536, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743360, count = 2177
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681776112, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743360, count = 32767
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743360, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681745920, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743752, count = 2177
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281470681743744, count = 16
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281471138318592, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 281471138316418, count = 2177
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 768, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 640, count = 130
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): mb_free_blocks:1860: group 0, inode 20: block 241:freeing already freed block (bit 15); block bitmap corrupt.
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644080, count = 16
EXT4-fs error (device loop2): ext4_free_blocks:6218: comm syz-executor: Freeing blocks not in datazone - block = 273748212644088, count = 30968