program:
r0 = syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x446, &(0x7f0000000240)={[{@stripe={'stripe', 0x3d, 0x2}}, {@journal_dev={'journal_dev', 0x3d, 0x1045}}, {@oldalloc}, {@noauto_da_alloc}, {@minixdf}, {@barrier_val={'barrier', 0x3d, 0x2}}, {@delalloc}, {@nojournal_checksum}, {@orlov}, {@user_xattr}, {@quota}, {@delalloc}]}, 0x1, 0x553, &(0x7f0000001080)="$eJzs3d9rW1UcAPDvTdv91nUwhopIYQ9O5tK19ccEH+aj6HCg7zO0d2U0WUaTjrUO3B7ciy8yBBEH4ru++zj8B/wrBjoYMoo++BK56U2XrUmbddnSmc8Hbjkn9ybnfnPv9/TcnBsSwNCayP4UIl6OiG+SiIMRkeTrRiNfObG23er9q7PZkkSj8elfSXO7rN56rdbz9ueVlyLit68ijhc2tltbXlkolcvpYl6frFcuTdaWV05cqJTm0/n04vTMzKm3Z6bfe/edvsX6xtl/vv/k9oenvj66+t0vdw/dTOJ0HMjXtcfxBK61VyZiIn9PxuL0IxtO9aGxnSQZ9A6wLSN5no9F1gccjJE864H/vy8jogEMqUT+w5BqjQNa1/Z9ug5+btz7YO0CaGP8o2ufjcSe5rXRvtXkoSuj7Hp3vA/tZ238+uetm9kS/fscAmBL165HxMnR0Y39X5L3f9t3sodtHm1D/wfPzu1s/PNmp/FPYX38Ex3GP/s75O52bJ3/hbt9aKarbPz3fsfx7/qk1fhIXnuhOeYbS85fKKdZ3/ZiRByLsd1ZfbP5nFOrdxrd1rWP/7Ila781Fsz34+7o7oefM1eql54k5nb3rke80nH8m6wf/6TD8c/ej7M9tnEkvfVat3Vbx/90NX6KeL3j8X8wo5VsPj852TwfJltnxUZ/3zjye7f2Bx1/dvz3bR7/eNI+X1t7/DZ+3PNv2m3dQ/FH7+f/ruSzZnlX/tiVUr2+OBWxK/l44+PTD57bqre2z+I/dnTz/q/T+b83Ij7vMf4bh39+taf4B3T85x7r+D9+4c5HX/zQrf3e+r+3mqVj+SO99H+97uCTvHcAAAAAAACw0xQi4kAkheJ6uVAoFtfu7zgc+wrlaq1+/Hx16eJcNL8rOx5jhdZM98G2+yGm8vthW/XpR+ozEXEoIr4d2dusF2er5blBBw8AAAAAAAAAAAAAAAAAAAA7xP4u3//P/DEy6L0Dnjo/+Q3Da8v878cvPQE7kv//MLzkPwwv+Q/DS/7D8JL/MLzkPwwv+Q/DS/4DAAAAAAAAAAAAAAAAAAAAAAAAAABAX509cyZbGqv3r85m9bnLy0sL1csn5tLaQrGyNFucrS5eKs5Xq/PltDhbrWz1euVq9dLUdCxdmayntfpkbXnlXKW6dLF+7kKlNJ+eS8eeSVQAAAAAAAAAAAAAAAAAAADwfKktryyUyuV0UUFhW4XRnbEbCn0uDLpnAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAH/gsAAP//6AY3sQ==")
syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff7000/0x1000)=nil, &(0x7f0000ff1000/0xf000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ff1000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ff5000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x24004045)
r1 = io_uring_setup(0x1b7b, &(0x7f0000000040)={0x0, 0xc89f, 0xc000, 0x7, 0x20002f7})
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000580)=@bpf_lsm={0x3, 0x3, &(0x7f00000000c0)=@framed={{0x7d, 0xa, 0xa, 0x0, 0x0, 0x79, 0x10, 0x74}}, 0x0}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000000)={0xffffffffffffffff, 0x18000000000002a0, 0x0, 0x0, &(0x7f0000000580), 0x0, 0x500, 0x60000000, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x2}, 0x50)
r2 = socket$inet(0x2, 0x80001, 0x84)
sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000080)={0x10, 0x35, 0x1}, 0x10}], 0x1}, 0x0)
getsockopt$inet_sctp_SCTP_MAX_BURST(r2, 0x84, 0x14, &(0x7f0000000000)=@assoc_value, &(0x7f0000000300)=0x8)
sendmsg(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000000)='8', 0x1}], 0x1, 0x0, 0x0, 0x2c}, 0x4000845)
io_uring_enter(r1, 0x2219, 0x7721, 0x16, 0x0, 0x0)
sendmmsg$inet6(0xffffffffffffffff, &(0x7f0000007180)=[{{0x0, 0x0, &(0x7f00000012c0)=[{&(0x7f0000001040)="3c56a9", 0x3}], 0x1}}], 0x1, 0x4800)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
pwrite64(r0, &(0x7f0000000140)='3', 0x1, 0x8000c61)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x35)
pwrite64(r4, &(0x7f0000000140)='2', 0xfdef, 0xfecc)
getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r4, 0x84, 0x74, &(0x7f0000000300)=""/230, &(0x7f00000000c0)=0xe6)
setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f0000000500), &(0x7f0000001040)=ANY=[], 0x841, 0x0)
ioctl$FIBMAP(r3, 0x1, &(0x7f0000000080)=0xfaeb)
[ 83.931582][ T45] Bluetooth: hci0: command tx timeout
[ 84.026333][ T5321] loop0: detected capacity change from 0 to 1024
[ 84.078026][ T5321] =======================================================
[ 84.078026][ T5321] WARNING: The mand mount option has been deprecated and
[ 84.078026][ T5321] and is ignored by this kernel. Remove the mand
[ 84.078026][ T5321] option from the mount to silence this warning.
[ 84.078026][ T5321] =======================================================
[ 84.155359][ T5321] EXT4-fs: Ignoring removed oldalloc option
[ 84.159111][ T5321] EXT4-fs: Ignoring removed orlov option
[ 84.181566][ T5321] EXT4-fs (loop0): stripe (2) is not aligned with cluster size (16), stripe is disabled
[ 84.212828][ T5321] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[ 84.288399][ T5321] ==================================================================
[ 84.292698][ T5321] BUG: KASAN: use-after-free in ext4_find_extent+0xaea/0xcc0
[ 84.296115][ T5321] Read of size 4 at addr ffff88805076c018 by task syz.0.0/5321
[ 84.299985][ T5321]
[ 84.301357][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.301372][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.301380][ T5321] Call Trace:
[ 84.301388][ T5321]
[ 84.301394][ T5321] dump_stack_lvl+0xe8/0x150
[ 84.301413][ T5321] print_report+0xba/0x230
[ 84.301431][ T5321] ? ext4_find_extent+0xaea/0xcc0
[ 84.301448][ T5321] kasan_report+0x117/0x150
[ 84.301466][ T5321] ? ext4_find_extent+0xaea/0xcc0
[ 84.301485][ T5321] ext4_find_extent+0xaea/0xcc0
[ 84.301505][ T5321] ext4_ext_map_blocks+0x283/0x58b0
[ 84.301526][ T5321] ? kernel_text_address+0xa5/0xe0
[ 84.301545][ T5321] ? check_path+0x21/0x40
[ 84.301572][ T5321] ? lockdep_unlock+0x5d/0xd0
[ 84.301587][ T5321] ? __lock_acquire+0x146e/0x2cf0
[ 84.301608][ T5321] ? __pfx_ext4_ext_map_blocks+0x10/0x10
[ 84.301632][ T5321] ext4_map_create_blocks+0x11d/0x540
[ 84.301651][ T5321] ext4_map_blocks+0x7cd/0x11d0
[ 84.301674][ T5321] ? __pfx_ext4_map_blocks+0x10/0x10
[ 84.301697][ T5321] ? ext4_inode_journal_mode+0x193/0x470
[ 84.301713][ T5321] ext4_do_writepages+0x22c0/0x46e0
[ 84.301740][ T5321] ? unwind_get_return_address+0x4d/0x90
[ 84.301770][ T5321] ? __pfx_ext4_do_writepages+0x10/0x10
[ 84.301790][ T5321] ? add_lock_to_list+0xc7/0x100
[ 84.301811][ T5321] ? lockdep_unlock+0x5d/0xd0
[ 84.301827][ T5321] ? __lock_acquire+0x146e/0x2cf0
[ 84.301857][ T5321] ext4_writepages+0x241/0x3b0
[ 84.301876][ T5321] ? __pfx_ext4_writepages+0x10/0x10
[ 84.301898][ T5321] ? __pfx_ext4_writepages+0x10/0x10
[ 84.301913][ T5321] do_writepages+0x32e/0x550
[ 84.301935][ T5321] ? do_raw_spin_unlock+0x4d/0x210
[ 84.301952][ T5321] filemap_write_and_wait_range+0x335/0x3f0
[ 84.301972][ T5321] ? __pfx_filemap_write_and_wait_range+0x10/0x10
[ 84.301993][ T5321] ? down_read+0x272/0x2e0
[ 84.302055][ T5321] ext4_bmap+0x1ce/0x260
[ 84.302069][ T5321] ? __pfx_ext4_bmap+0x10/0x10
[ 84.302082][ T5321] bmap+0xac/0xe0
[ 84.302099][ T5321] file_ioctl+0x4ac/0x860
[ 84.302110][ T5321] ? __pfx_file_ioctl+0x10/0x10
[ 84.302123][ T5321] ? kasan_quarantine_put+0xbb/0x1f0
[ 84.302141][ T5321] ? tomoyo_path_number_perm+0x219/0x630
[ 84.302186][ T5321] ? tomoyo_path_number_perm+0x219/0x630
[ 84.302198][ T5321] do_vfs_ioctl+0xc26/0x1530
[ 84.302216][ T5321] ? __pfx_do_vfs_ioctl+0x10/0x10
[ 84.302229][ T5321] ? do_futex+0x395/0x420
[ 84.302246][ T5321] ? __fget_files+0x2a/0x420
[ 84.302258][ T5321] ? __fget_files+0x2a/0x420
[ 84.302269][ T5321] ? __fget_files+0x3a0/0x420
[ 84.302280][ T5321] ? __fget_files+0x2a/0x420
[ 84.302292][ T5321] ? bpf_lsm_file_ioctl+0x9/0x20
[ 84.302307][ T5321] __se_sys_ioctl+0x82/0x170
[ 84.302321][ T5321] do_syscall_64+0x14d/0xf80
[ 84.302335][ T5321] ? trace_irq_disable+0x3b/0x150
[ 84.302357][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.302372][ T5321] ? clear_bhb_loop+0x40/0x90
[ 84.302383][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.302395][ T5321] RIP: 0033:0x7f6925d9c799
[ 84.302407][ T5321] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 84.302415][ T5321] RSP: 002b:00007f6926bc9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 84.302427][ T5321] RAX: ffffffffffffffda RBX: 00007f6926015fa0 RCX: 00007f6925d9c799
[ 84.302434][ T5321] RDX: 0000200000000080 RSI: 0000000000000001 RDI: 0000000000000006
[ 84.302440][ T5321] RBP: 00007f6925e32c99 R08: 0000000000000000 R09: 0000000000000000
[ 84.302446][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 84.302452][ T5321] R13: 00007f6926016038 R14: 00007f6926015fa0 R15: 00007ffcb6e07ef8
[ 84.302464][ T5321]
[ 84.302468][ T5321]
[ 84.476997][ T5321] The buggy address belongs to the physical page:
[ 84.481151][ T5321] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5076c
[ 84.485340][ T5321] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 84.488129][ T5321] raw: 04fff00000000000 ffffea000141db88 ffffea000141da88 0000000000000000
[ 84.491757][ T5321] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 84.495803][ T5321] page dumped because: kasan: bad access detected
[ 84.499761][ T5321] page_owner info is not present (never set?)
[ 84.503160][ T5321]
[ 84.504326][ T5321] Memory state around the buggy address:
[ 84.506911][ T5321] ffff88805076bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.510442][ T5321] ffff88805076bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.513837][ T5321] >ffff88805076c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.517708][ T5321] ^
[ 84.520741][ T5321] ffff88805076c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.524221][ T5321] ffff88805076c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 84.527549][ T5321] ==================================================================
[ 84.542158][ T5321] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 84.545527][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.550372][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.554955][ T5321] Call Trace:
[ 84.556327][ T5321]
[ 84.557526][ T5321] vpanic+0x56c/0xa60
[ 84.559147][ T5321] ? __pfx_vpanic+0x10/0x10
[ 84.561321][ T5321] panic+0xc5/0xd0
[ 84.563196][ T5321] ? __pfx_panic+0x10/0x10
[ 84.565537][ T5321] ? preempt_schedule_thunk+0x16/0x30
[ 84.567981][ T5321] ? preempt_schedule_thunk+0x16/0x30
[ 84.570128][ T5321] ? ext4_find_extent+0xaea/0xcc0
[ 84.572196][ T5321] check_panic_on_warn+0x89/0xb0
[ 84.574211][ T5321] ? ext4_find_extent+0xaea/0xcc0
[ 84.577031][ T5321] end_report+0x73/0x180
[ 84.579761][ T5321] ? ext4_find_extent+0xaea/0xcc0
[ 84.582420][ T5321] kasan_report+0x128/0x150
[ 84.584600][ T5321] ? ext4_find_extent+0xaea/0xcc0
[ 84.586757][ T5321] ext4_find_extent+0xaea/0xcc0
[ 84.589051][ T5321] ext4_ext_map_blocks+0x283/0x58b0
[ 84.591374][ T5321] ? kernel_text_address+0xa5/0xe0
[ 84.593570][ T5321] ? check_path+0x21/0x40
[ 84.595319][ T5321] ? lockdep_unlock+0x5d/0xd0
[ 84.597208][ T5321] ? __lock_acquire+0x146e/0x2cf0
[ 84.599334][ T5321] ? __pfx_ext4_ext_map_blocks+0x10/0x10
[ 84.601851][ T5321] ext4_map_create_blocks+0x11d/0x540
[ 84.604805][ T5321] ext4_map_blocks+0x7cd/0x11d0
[ 84.607955][ T5321] ? __pfx_ext4_map_blocks+0x10/0x10
[ 84.610859][ T5321] ? ext4_inode_journal_mode+0x193/0x470
[ 84.613299][ T5321] ext4_do_writepages+0x22c0/0x46e0
[ 84.615721][ T5321] ? unwind_get_return_address+0x4d/0x90
[ 84.618429][ T5321] ? __pfx_ext4_do_writepages+0x10/0x10
[ 84.620828][ T5321] ? add_lock_to_list+0xc7/0x100
[ 84.622847][ T5321] ? lockdep_unlock+0x5d/0xd0
[ 84.625315][ T5321] ? __lock_acquire+0x146e/0x2cf0
[ 84.628951][ T5321] ext4_writepages+0x241/0x3b0
[ 84.631546][ T5321] ? __pfx_ext4_writepages+0x10/0x10
[ 84.633853][ T5321] ? __pfx_ext4_writepages+0x10/0x10
[ 84.635982][ T5321] do_writepages+0x32e/0x550
[ 84.637975][ T5321] ? do_raw_spin_unlock+0x4d/0x210
[ 84.640367][ T5321] filemap_write_and_wait_range+0x335/0x3f0
[ 84.643206][ T5321] ? __pfx_filemap_write_and_wait_range+0x10/0x10
[ 84.646554][ T5321] ? down_read+0x272/0x2e0
[ 84.648873][ T5321] ext4_bmap+0x1ce/0x260
[ 84.651092][ T5321] ? __pfx_ext4_bmap+0x10/0x10
[ 84.653176][ T5321] bmap+0xac/0xe0
[ 84.654824][ T5321] file_ioctl+0x4ac/0x860
[ 84.656923][ T5321] ? __pfx_file_ioctl+0x10/0x10
[ 84.659742][ T5321] ? kasan_quarantine_put+0xbb/0x1f0
[ 84.662567][ T5321] ? tomoyo_path_number_perm+0x219/0x630
[ 84.665341][ T5321] ? tomoyo_path_number_perm+0x219/0x630
[ 84.668018][ T5321] do_vfs_ioctl+0xc26/0x1530
[ 84.670240][ T5321] ? __pfx_do_vfs_ioctl+0x10/0x10
[ 84.672557][ T5321] ? do_futex+0x395/0x420
[ 84.674416][ T5321] ? __fget_files+0x2a/0x420
[ 84.676570][ T5321] ? __fget_files+0x2a/0x420
[ 84.679036][ T5321] ? __fget_files+0x3a0/0x420
[ 84.681527][ T5321] ? __fget_files+0x2a/0x420
[ 84.683547][ T5321] ? bpf_lsm_file_ioctl+0x9/0x20
[ 84.685547][ T5321] __se_sys_ioctl+0x82/0x170
[ 84.687656][ T5321] do_syscall_64+0x14d/0xf80
[ 84.689761][ T5321] ? trace_irq_disable+0x3b/0x150
[ 84.692644][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.695977][ T5321] ? clear_bhb_loop+0x40/0x90
[ 84.698047][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.700663][ T5321] RIP: 0033:0x7f6925d9c799
[ 84.702645][ T5321] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 84.712709][ T5321] RSP: 002b:00007f6926bc9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 84.716289][ T5321] RAX: ffffffffffffffda RBX: 00007f6926015fa0 RCX: 00007f6925d9c799
[ 84.719619][ T5321] RDX: 0000200000000080 RSI: 0000000000000001 RDI: 0000000000000006
[ 84.722867][ T5321] RBP: 00007f6925e32c99 R08: 0000000000000000 R09: 0000000000000000
[ 84.726816][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 84.730908][ T5321] R13: 00007f6926016038 R14: 00007f6926015fa0 R15: 00007ffcb6e07ef8
[ 84.734386][ T5321]
[ 84.735958][ T5321] Kernel Offset: disabled
[ 84.737987][ T5321] Rebooting in 86400 seconds..