EXT4-fs error (device loop6): ext4_free_blocks:6706: comm syz.6.11716: Freeing blocks not in datazone - block = 0, count = 4096
EXT4-fs error (device loop6): ext4_map_blocks:778: inode #3: block 3: comm syz.6.11716: lblock 3 mapped to illegal pblock 3 (length 1)
==================================================================
BUG: KCSAN: data-race in _prb_read_valid / prb_reserve

write to 0xffffffff86943a50 of 88 bytes by task 12898 on cpu 0:
 prb_reserve+0x695/0xaf0 kernel/printk/printk_ringbuffer.c:1651
 vprintk_store+0x56d/0x860 kernel/printk/printk.c:2299
 vprintk_emit+0x10d/0x580 kernel/printk/printk.c:2399
 vprintk_deferred kernel/printk/printk.c:4577 [inline]
 _printk_deferred+0x82/0xb0 kernel/printk/printk.c:4586
 ___ratelimit+0x4b1/0x4f0 lib/ratelimit.c:86
 validate_nla lib/nlattr.c:414 [inline]
 __nla_validate_parse+0x4ef/0x1d00 lib/nlattr.c:635
 __nla_parse+0x40/0x60 lib/nlattr.c:732
 nla_parse_nested_deprecated include/net/netlink.h:1379 [inline]
 tcf_action_get_1 net/sched/act_api.c:1714 [inline]
 tca_action_gd+0x1ae/0x1290 net/sched/act_api.c:2030
 tc_ctl_action+0x208/0x830 net/sched/act_api.c:-1
 rtnetlink_rcv_msg+0x65a/0x6d0 net/core/rtnetlink.c:6960
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2552
 rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:6978
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4e0 net/socket.c:2630
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2684
 __sys_sendmsg net/socket.c:2716 [inline]
 __do_sys_sendmsg net/socket.c:2721 [inline]
 __se_sys_sendmsg net/socket.c:2719 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2719
 x64_sys_call+0x191e/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffffff86943a50 of 8 bytes by task 12889 on cpu 1:
 desc_read kernel/printk/printk_ringbuffer.c:483 [inline]
 prb_first_seq kernel/printk/printk_ringbuffer.c:1975 [inline]
 _prb_read_valid+0x383/0x920 kernel/printk/printk_ringbuffer.c:2132
 desc_update_last_finalized kernel/printk/printk_ringbuffer.c:1531 [inline]
 prb_final_commit+0x136/0x1e0 kernel/printk/printk_ringbuffer.c:1800
 vprintk_store+0x741/0x860 kernel/printk/printk.c:2325
 vprintk_emit+0x10d/0x580 kernel/printk/printk.c:2399
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2438
 vprintk+0x1d/0x30 kernel/printk/printk_safe.c:82
 _printk+0x79/0xa0 kernel/printk/printk.c:2448
 __ext4_error_inode+0x30f/0x3f0 fs/ext4/super.c:848
 __check_block_validity fs/ext4/inode.c:390 [inline]
 ext4_map_blocks+0xa14/0xd00 fs/ext4/inode.c:-1
 ext4_getblk+0x114/0x510 fs/ext4/inode.c:978
 ext4_bread+0x28/0x110 fs/ext4/inode.c:1041
 ext4_quota_read+0xe8/0x260 fs/ext4/super.c:7263
 read_blk fs/quota/quota_tree.c:61 [inline]
 find_free_dqentry+0x133/0x690 fs/quota/quota_tree.c:275
 do_insert_tree+0x537/0x9b0 fs/quota/quota_tree.c:400
 do_insert_tree+0x753/0x9b0 fs/quota/quota_tree.c:402
 do_insert_tree+0x753/0x9b0 fs/quota/quota_tree.c:402
 do_insert_tree+0x753/0x9b0 fs/quota/quota_tree.c:402
 dq_insert_tree fs/quota/quota_tree.c:432 [inline]
 qtree_write_dquot+0x2cb/0x300 fs/quota/quota_tree.c:451
 v2_write_dquot+0xda/0x140 fs/quota/quota_v2.c:372
 dquot_acquire+0x1c3/0x2b0 fs/quota/dquot.c:473
 ext4_acquire_dquot+0x15f/0x200 fs/ext4/super.c:6941
 dqget+0x535/0x8d0 fs/quota/dquot.c:980
 __dquot_initialize+0x27f/0x7c0 fs/quota/dquot.c:1508
 dquot_initialize+0x1a/0x30 fs/quota/dquot.c:1570
 ext4_free_inode+0x17c/0x870 fs/ext4/ialloc.c:272
 ext4_evict_inode+0xb0c/0xd90 fs/ext4/inode.c:306
 evict+0x2e3/0x550 fs/inode.c:810
 iput_final fs/inode.c:1914 [inline]
 iput+0x4ed/0x650 fs/inode.c:1966
 ext4_process_orphan+0x1a9/0x1c0 fs/ext4/orphan.c:356
 ext4_orphan_cleanup+0x6a8/0xa00 fs/ext4/orphan.c:470
 __ext4_fill_super fs/ext4/super.c:5617 [inline]
 ext4_fill_super+0x3483/0x3810 fs/ext4/super.c:5736
 get_tree_bdev_flags+0x291/0x300 fs/super.c:1691
 get_tree_bdev+0x1f/0x30 fs/super.c:1714
 ext4_get_tree+0x1c/0x30 fs/ext4/super.c:5768
 vfs_get_tree+0x57/0x1d0 fs/super.c:1751
 fc_mount fs/namespace.c:1208 [inline]
 do_new_mount_fc fs/namespace.c:3651 [inline]
 do_new_mount+0x24d/0x660 fs/namespace.c:3727
 path_mount+0x4a5/0xb70 fs/namespace.c:4037
 do_mount fs/namespace.c:4050 [inline]
 __do_sys_mount fs/namespace.c:4238 [inline]
 __se_sys_mount+0x28c/0x2e0 fs/namespace.c:4215
 __x64_sys_mount+0x67/0x80 fs/namespace.c:4215
 x64_sys_call+0x2b51/0x3000 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000000000003f2c -> 0x0000000000005f2c

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 12889 Comm: syz.6.11716 Tainted: G W syzkaller #0 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
==================================================================
EXT4-fs error (device loop6): ext4_acquire_dquot:6945: comm syz.6.11716: Failed to acquire dquot type 0
EXT4-fs (loop6): 1 orphan inode deleted
EXT4-fs (loop6): mounted filesystem 00000000-0000-0000-0000-000000000000 ro without journal. Quota mode: writeback.