EXT4-fs error (device loop6): ext4_mb_mark_diskspace_used:3861: comm syz.6.1534: Allocating blocks 497-513 which overlap fs metadata
EXT4-fs error (device loop6): ext4_mb_mark_diskspace_used:3861: comm syz.6.1534: Allocating blocks 497-513 which overlap fs metadata
BUG: unable to handle page fault for address: ffffffffffffff93
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7012067 P4D 7012067 PUD 7014067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4990 Comm: syz.6.1534 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2e59/0x6200 fs/ext4/extents.c:4497
Code: 40 01 00 00 4d 85 f6 0f 84 bc 00 00 00 48 89 5c 24 20 49 8d 7e 08 48 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 38 16 00 00 <41> 0f b7 46 08 c1 e0 04 48 8d 04 40 48 89 44 24 08 49 8d 46 28 48
RSP: 0018:ffffc9000157f300 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88810d133cc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffffffff93
RBP: ffffc9000157f5b0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff520002afd98 R12: dffffc0000000000
R13: 1ffff920002afe8c R14: ffffffffffffff8b R15: 0000000000000000
FS:  000055558f188500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff93 CR3: 0000000135745000 CR4: 00000000003526a0
DR0: 0000000000000000 DR1: ffffffffffffffff DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ext4_map_blocks+0x9d8/0x1b70 fs/ext4/inode.c:679
 _ext4_get_block+0x1ea/0x540 fs/ext4/inode.c:822
 ext4_get_block+0x39/0x50 fs/ext4/inode.c:839
 __block_write_begin_int+0x482/0x1430 fs/buffer.c:2034
 __block_write_begin fs/buffer.c:2084 [inline]
 block_page_mkwrite+0x281/0x300 fs/buffer.c:2558
 ext4_page_mkwrite+0x4f8/0x1310 fs/ext4/inode.c:6330
 do_page_mkwrite mm/memory.c:3039 [inline]
 do_shared_fault mm/memory.c:4823 [inline]
 do_fault+0xdb8/0x1ee0 mm/memory.c:4891
 handle_pte_fault mm/memory.c:5183 [inline]
 __handle_mm_fault mm/memory.c:5325 [inline]
 handle_mm_fault+0x133a/0x26c0 mm/memory.c:5465
 do_user_addr_fault+0x905/0x1050 arch/x86/mm/fault.c:1321
 handle_page_fault arch/x86/mm/fault.c:1464 [inline]
 exc_page_fault+0x51/0xb0 arch/x86/mm/fault.c:1517
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7f762e466522
Code: 30 48 8b 14 24 48 85 d2 74 17 8b 44 24 10 0f c8 89 c0 48 89 44 24 10 48 83 fa 01 0f 85 aa 02 00 00 48 8b 44 24 18 8b 74 24 10 <89> 30 e9 1e fe ff ff 48 8b 44 24 18 8b 10 48 8b 04 24 48 85 c0 0f
RSP: 002b:00007ffebdf46270 EFLAGS: 00010246
RAX: 0000200000000808 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000021 RDI: 000055558f1883d8
RBP: 00007ffebdf46390 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000021 R11: 0000000000000000 R12: 00007ffebdf463d0
R13: 00007f762e815fac R14: 00000000000316b9 R15: 00007f762e815fa0
 </TASK>
Modules linked in:
CR2: ffffffffffffff93
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2e59/0x6200 fs/ext4/extents.c:4497
Code: 40 01 00 00 4d 85 f6 0f 84 bc 00 00 00 48 89 5c 24 20 49 8d 7e 08 48 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 38 16 00 00 <41> 0f b7 46 08 c1 e0 04 48 8d 04 40 48 89 44 24 08 49 8d 46 28 48
RSP: 0018:ffffc9000157f300 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88810d133cc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffffffff93
RBP: ffffc9000157f5b0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff520002afd98 R12: dffffc0000000000
R13: 1ffff920002afe8c R14: ffffffffffffff8b R15: 0000000000000000
FS:  000055558f188500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff93 CR3: 0000000135745000 CR4: 00000000003526a0
DR0: 0000000000000000 DR1: ffffffffffffffff DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	40 01 00             	rex add %eax,(%rax)
   3:	00 4d 85             	add    %cl,-0x7b(%rbp)
   6:	f6 0f 84             	testb  $0x84,(%rdi)
   9:	bc 00 00 00 48       	mov    $0x48000000,%esp
   e:	89 5c 24 20          	mov    %ebx,0x20(%rsp)
  12:	49 8d 7e 08          	lea    0x8(%r14),%rdi
  16:	48 89 f8             	mov    %rdi,%rax
  19:	48 c1 e8 03          	shr    $0x3,%rax
  1d:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax
  22:	84 c0                	test   %al,%al
  24:	0f 85 38 16 00 00    	jne    0x1662
* 2a:	41 0f b7 46 08       	movzwl 0x8(%r14),%eax <-- trapping instruction
  2f:	c1 e0 04             	shl    $0x4,%eax
  32:	48 8d 04 40          	lea    (%rax,%rax,2),%rax
  36:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  3b:	49 8d 46 28          	lea    0x28(%r14),%rax
  3f:	48                   	rex.W