f29e5659044d starts bisection 2026-03-18 05:36:36.979759365 +0000 UTC m=+50.510399280
bisecting cause commit starting from 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c
building syzkaller on HEAD
ensuring issue is reproducible on original commit 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c

testing commit 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 3b71b7a580c7d740f3bdddef98e3f9e4c60069f10c685ef3c8fe2bd4586c3bcb
run #0: crashed: kernel BUG in ext4_ext_map_blocks
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_ext_try_to_merge_right
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan locking atomic_sleep], they are not needed

testing commit 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 4d4249da0d024596d492354e42fa0914e92bcc69984062feadf5084db3d48729
run #0: crashed: kernel BUG in ext4_ext_map_blocks
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: kernel BUG in ext4_ext_map_blocks
representative crash: kernel BUG in ext4_ext_map_blocks, types: [BUG KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan locking atomic_sleep], they are not needed
kconfig minimization: base=8051 full=8051 leaves diff=0
split chunks (needed=false): <0>
split chunk #0 of len 0 into 3 parts
disabling configs for [atomic_sleep hang memleak ubsan locking], they are not needed
picked [v6.19 v6.18 v6.17 v6.15 v6.13 v6.11 v6.9 v6.7 v6.4 v6.1 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 42 release tags

testing release v6.19
testing commit 05f7e89ab9731565d8a62e3b5d1ec206485eeb0b gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 71ff987143dde4ca2612196ddb7094ebbe8639fbcc942555fba0bcffdf49f963
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: kernel BUG in ext4_ext_map_blocks
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: kernel BUG in __es_remove_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ BUG]

testing release v6.18
testing commit 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: e2d6c0dfabac318668f5ce20ed8f400effa2f2eda8b34309c7528cdb01abd9d4
run #0: crashed: kernel BUG in ext4_ext_map_blocks
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_ext_try_to_merge_right
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ BUG]

testing release v6.17
testing commit e5f0a698b34ed76002dc5cff3804a61c80233a7a gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 449b1ba5a656640ea9452f71dab1fd98ad492b505afd2c182a8a4f1c9f61d7d0
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ]

testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 0e365548d72aa3294eb5dd8d9d5470455593f99ac7eecf05329ddf077303a2df
all runs: OK
false negative chance: 0.000
# git bisect start e5f0a698b34ed76002dc5cff3804a61c80233a7a 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 15142 revisions left to test after this (roughly 14 steps)
[95eb0d389b4a518a2630b18fbc5916a008f519f1] Merge tag 'objtool_urgent_for_v6.16_rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit 95eb0d389b4a518a2630b18fbc5916a008f519f1 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 8ca6d695093e23d0cebafb17b08ea009bae25f5f1941cde29c160538a4bce5dd
all runs: OK
false negative chance: 0.000
# git bisect good 95eb0d389b4a518a2630b18fbc5916a008f519f1
Bisecting: 7592 revisions left to test after this (roughly 13 steps)
[d50b07d05ca53fdb6c6d1581b9084c09d4e98f54] Merge tag 'trace-ringbuffer-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

testing commit d50b07d05ca53fdb6c6d1581b9084c09d4e98f54 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 4b6fbaf3183b616740a3c2b32312a951c64af73215ed6bf917c5e733417a16fd
all runs: OK
false negative chance: 0.000
# git bisect good d50b07d05ca53fdb6c6d1581b9084c09d4e98f54
Bisecting: 3799 revisions left to test after this (roughly 12 steps)
[d6f38c12396397e48092ad9e8a4d7be4de51b942] Merge tag 'trace-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

testing commit d6f38c12396397e48092ad9e8a4d7be4de51b942 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 2b7d4cf2c27fd7df13e10d382742887c48e839ba3db2099c1c8232c57792f48f
run #0: crashed: kernel BUG in ext4_ext_map_blocks
run #1: crashed: kernel BUG in ext4_ext_map_blocks
run #2: OK
run #3: boot failed: WARNING in __ww_mutex_wound
representative crash: kernel BUG in ext4_ext_map_blocks, types: [BUG]
# git bisect bad d6f38c12396397e48092ad9e8a4d7be4de51b942
Bisecting: 1848 revisions left to test after this (roughly 11 steps)
[260f6f4fda93c8485c8037865c941b42b9cba5d2] Merge tag 'drm-next-2025-07-30' of https://gitlab.freedesktop.org/drm/kernel

testing commit 260f6f4fda93c8485c8037865c941b42b9cba5d2 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 481297f44321a654cba132cb1e3ced9668f2f41ec35b22d5c95063d3312f8ab2
all runs: OK
false negative chance: 0.001
# git bisect good 260f6f4fda93c8485c8037865c941b42b9cba5d2
Bisecting: 917 revisions left to test after this (roughly 10 steps)
[0cdee263bc5e7b20f657ea09f9272f50c568f35b] Merge tag 'media/v6.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

testing commit 0cdee263bc5e7b20f657ea09f9272f50c568f35b gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 1966dbe5e24216745721e075628ce144606ac832d4967d7e7a2f4162807d1696
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 0cdee263bc5e7b20f657ea09f9272f50c568f35b
Bisecting: 447 revisions left to test after this (roughly 9 steps)
[2c8c9aae4492f813b9b9ae95f0931945a693100e] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

testing commit 2c8c9aae4492f813b9b9ae95f0931945a693100e gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 6bd492746077e147417126240981a38a67b79df6a4fb9a3bebaba748516e6cde
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 2c8c9aae4492f813b9b9ae95f0931945a693100e
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[44a8c96edd0ee9320a1ad87afc7b10f38e55d5ec] Merge tag 'v6.17-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

testing commit 44a8c96edd0ee9320a1ad87afc7b10f38e55d5ec gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 0642e60dd9dfcdb74d6e88fac678904dccca7f0063b490550ad3325a281f1d76
all runs: OK
false negative chance: 0.001
# git bisect good 44a8c96edd0ee9320a1ad87afc7b10f38e55d5ec
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[f1aa129d80fddd2ae33080524bf84dea1c3528de] Merge tag 'mips_6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux

testing commit f1aa129d80fddd2ae33080524bf84dea1c3528de gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 0c0db2a283ad5c4d00f07d9da341b2fb23363934f3d8934aa2706b361d209ed9
run #0: crashed: KASAN: use-after-free Read in ext4_find_extent
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: slab-use-after-free Read in ext4_find_extent
run #3: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad f1aa129d80fddd2ae33080524bf84dea1c3528de
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[440e6d7e1435bb1e1948eeae34ca8bef6c7c5f82] Merge tag 'jfs-6.17' of github.com:kleikamp/linux-shaggy

testing commit 440e6d7e1435bb1e1948eeae34ca8bef6c7c5f82 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 630695c4bf4f6ff7d5268263f848e7a0e72ba3a53f3dd48cfb20d8af3a539e84
run #0: crashed: kernel BUG in ext4_ext_map_blocks
run #1: crashed: kernel BUG in ext4_ext_map_blocks
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: crashed: kernel BUG in __es_remove_extent
representative crash: kernel BUG in ext4_ext_map_blocks, types: [BUG KASAN-USE-AFTER-FREE-READ]
# git bisect bad 440e6d7e1435bb1e1948eeae34ca8bef6c7c5f82
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[4d18a0b98259c2fa62f04ce5f94a7ec6e840f220] ext4: get rid of some obsolete EXT4_MB_HINT flags

testing commit 4d18a0b98259c2fa62f04ce5f94a7ec6e840f220 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 4c0d5de85f8197a72c35f953879439498d398a1c57d7af4befe8d0858b24cf31
all runs: OK
false negative chance: 0.001
# git bisect good 4d18a0b98259c2fa62f04ce5f94a7ec6e840f220
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[ff7dcfedf9b1c34d9d06588ced4aa588b6444c59] Merge tag 'ext4_for_linus_6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4

testing commit ff7dcfedf9b1c34d9d06588ced4aa588b6444c59 gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 4b00271b2819380259aeede289312142e1e0e7758fc7aecc739b4e7fa3d8658c
run #0: crashed: KASAN: use-after-free Read in ext4_ext_try_to_merge_right
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: KASAN: use-after-free Read in ext4_find_extent
run #3: boot failed: WARNING in __ww_mutex_wound
representative crash: KASAN: use-after-free Read in ext4_ext_try_to_merge_right, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad ff7dcfedf9b1c34d9d06588ced4aa588b6444c59
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[45704f92e55853fe287760e019feb45eeb9c988e] ext4: factor out __ext4_mb_scan_group()

testing commit 45704f92e55853fe287760e019feb45eeb9c988e gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 9f23276419755011c9b234b1c392246028a83922982ded427fe281851442a724
all runs: OK
false negative chance: 0.001
# git bisect good 45704f92e55853fe287760e019feb45eeb9c988e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f7eaacbb4e54f8a6c6674c16eff54f703ea63d5e] ext4: convert free groups order lists to xarrays

testing commit f7eaacbb4e54f8a6c6674c16eff54f703ea63d5e gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: a71cb15f740e16653e284bff167bab4893882200ee23d3d3d810e036402c9d8d
all runs: OK
false negative chance: 0.001
# git bisect good f7eaacbb4e54f8a6c6674c16eff54f703ea63d5e
Bisecting: 1 revision left to test after this (roughly 1 step)
[a3ce570a5d6a70df616ae9a78635a188e6b5fd2f] ext4: implement linear-like traversal across order xarrays

testing commit a3ce570a5d6a70df616ae9a78635a188e6b5fd2f gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 559306c0e9a0cbd12510df2b4225d922d287a422cbced7dba475ebc496ef5775
run #0: crashed: kernel BUG in ext4_ext_map_blocks
run #1: crashed: KASAN: use-after-free Read in ext4_find_extent
run #2: crashed: kernel BUG in ext4_ext_map_blocks
run #3: crashed: kernel BUG in ext4_ext_map_blocks
representative crash: kernel BUG in ext4_ext_map_blocks, types: [BUG KASAN-USE-AFTER-FREE-READ]
# git bisect bad a3ce570a5d6a70df616ae9a78635a188e6b5fd2f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6347558764911f88acac06ab996e162f0c8a212d] ext4: refactor choose group to scan group

testing commit 6347558764911f88acac06ab996e162f0c8a212d gcc
compiler: gcc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0, GNU ld (GNU Binutils for Ubuntu) 2.42
kernel signature: 22cbf12217f5b8fc9b731d8b6ded77a478d36220d4232e2ad76cad9a73bc772e
all runs: crashed: KASAN: use-after-free Read in ext4_find_extent
representative crash: KASAN: use-after-free Read in ext4_find_extent, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 6347558764911f88acac06ab996e162f0c8a212d
6347558764911f88acac06ab996e162f0c8a212d is the first bad commit
commit 6347558764911f88acac06ab996e162f0c8a212d
Author: Baokun Li
Date:   Mon Jul 14 21:03:26 2025 +0800

    ext4: refactor choose group to scan group

    This commit converts the `choose group` logic to `scan group` using
    previously prepared helper functions. This allows us to leverage xarrays
    for ordered non-linear traversal, thereby mitigating the "bouncing" issue
    inherent in the `choose group` mechanism.

    This also decouples linear and non-linear traversals, leading to cleaner
    and more readable code.

    Key changes:

     * ext4_mb_choose_next_group() is refactored to ext4_mb_scan_groups().

     * Replaced ext4_mb_good_group() with ext4_mb_scan_group() in non-linear
       traversals, and related functions now return error codes instead of
       group info.

     * Added ext4_mb_scan_groups_linear() for performing linear scans starting
       from a specific group for a set number of times.

     * Linear scans now execute up to sbi->s_mb_max_linear_groups times, so
       ac_groups_linear_remaining is removed as it's no longer used.

     * ac->ac_criteria is now used directly instead of passing cr around.
       Also, ac->ac_criteria is incremented directly after groups scan fails
       for the corresponding criteria.

     * Since we're now directly scanning groups instead of finding a good group
       then scanning, the following variables and flags are no longer needed,
       s_bal_cX_groups_considered is sufficient.

        s_bal_p2_aligned_bad_suggestions
        s_bal_goal_fast_bad_suggestions
        s_bal_best_avail_bad_suggestions
        EXT4_MB_CR_POWER2_ALIGNED_OPTIMIZED
        EXT4_MB_CR_GOAL_LEN_FAST_OPTIMIZED
        EXT4_MB_CR_BEST_AVAIL_LEN_OPTIMIZED

    Signed-off-by: Baokun Li
    Reviewed-by: Zhang Yi
    Link: https://patch.msgid.link/20250714130327.1830534-17-libaokun1@huawei.com
    Signed-off-by: Theodore Ts'o

 fs/ext4/ext4.h    |  12 ---
 fs/ext4/mballoc.c | 292 ++++++++++++++++++++++++------------------------------
 fs/ext4/mballoc.h |   1 -
 3 files changed, 131 insertions(+), 174 deletions(-)

accumulated error probability: 0.00
culprit signature: 22cbf12217f5b8fc9b731d8b6ded77a478d36220d4232e2ad76cad9a73bc772e
parent signature: a71cb15f740e16653e284bff167bab4893882200ee23d3d3d810e036402c9d8d
revisions tested: 21, total time: 4h39m48.197462163s (build: 2h51m12.65807335s, test: 1h25m27.75679302s)
first bad commit: 6347558764911f88acac06ab996e162f0c8a212d ext4: refactor choose group to scan group
recipients (to): ["libaokun1@huawei.com" "tytso@mit.edu" "yi.zhang@huawei.com"]
recipients (cc): []

crash: KASAN: use-after-free Read in ext4_find_extent
EXT4-fs error (device loop0): ext4_truncate:4671: inode #15: comm syz-executor335: mark_inode_dirty error
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x9ab/0xa00 fs/ext4/extents.c:956
Read of size 4 at addr ff110002ff57e400 by task syz-executor335/15969

CPU: 1 UID: 0 PID: 15969 Comm: syz-executor335 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xc5/0x130 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xcb/0x640 mm/kasan/report.c:521
 kasan_report+0xca/0x100 mm/kasan/report.c:634
 ext4_ext_binsearch fs/ext4/extents.c:841 [inline]
 ext4_find_extent+0x9ab/0xa00 fs/ext4/extents.c:956
 ext4_ext_map_blocks+0x24a/0x60a0 fs/ext4/extents.c:4208
 ext4_map_query_blocks+0x117/0x880 fs/ext4/inode.c:550
 ext4_map_blocks+0x494/0x1250 fs/ext4/inode.c:773
 _ext4_get_block+0x21b/0x570 fs/ext4/inode.c:910
 ext4_block_write_begin+0x804/0xfb0 fs/ext4/inode.c:1198
 ext4_write_begin+0x7a3/0x1480 fs/ext4/inode.c:1361
 generic_perform_write+0x3c0/0x860 mm/filemap.c:4112
 ext4_buffered_write_iter+0x11a/0x430 fs/ext4/file.c:299
 ext4_file_write_iter+0xa01/0x1c10 fs/ext4/file.c:723
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0xbbc/0xf80 fs/read_write.c:686
 ksys_write+0x121/0x240 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x5f/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7feac793701d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feac7906158 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007feac79e6d48 RCX: 00007feac793701d
RDX: 000000000000f000 RSI: 0000400000000080 RDI: 0000000000000004
RBP: 00007feac79e6d40 R08: 00007feac7906cdc R09: 0000000000000000
R10: 00007feac7906cdc R11: 0000000000000246 R12: 00007feac79e6d4c
R13: ffffffffffffffb8 R14: 0000000000000006 R15: 00007fff33eb6340

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f32a1f55 pfn:0x2ff57e
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 00000007f32a1f55 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 8844, tgid 8844 (syz-executor), ts 62380827066, free_ts 62402968472
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xaa/0x1c0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x8ae/0x25a0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x217/0x3a0 mm/page_alloc.c:4959
 alloc_pages_mpol+0x1f1/0x530 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof+0x38/0x2e0 mm/mempolicy.c:2438
 vma_alloc_folio_noprof+0xe3/0x1d0 mm/mempolicy.c:2473
 folio_prealloc mm/memory.c:1068 [inline]
 wp_page_copy mm/memory.c:3569 [inline]
 do_wp_page+0x1d9a/0x50c0 mm/memory.c:4030
 handle_pte_fault mm/memory.c:6085 [inline]
 __handle_mm_fault+0x1dfd/0x57e0 mm/memory.c:6212
 handle_mm_fault+0x38d/0x8e0 mm/memory.c:6381
 do_user_addr_fault+0x423/0xdb0 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0xb9/0x140 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 8845 tgid 8844 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 free_unref_folios+0x601/0x1500 mm/page_alloc.c:2763
 folios_put_refs+0x550/0x700 mm/swap.c:992
 free_pages_and_swap_cache+0x39d/0x410 mm/swap_state.c:267
 __tlb_batch_free_encoded_pages+0xe9/0x260 mm/mmu_gather.c:136
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu mm/mmu_gather.c:404 [inline]
 tlb_finish_mmu+0x16d/0x7e0 mm/mmu_gather.c:497
 exit_mmap+0x3da/0xb40 mm/mmap.c:1297
 __mmput+0x128/0x410 kernel/fork.c:1121
 mmput+0x4f/0x60 kernel/fork.c:1144
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x781/0x2a80 kernel/exit.c:952
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
 get_signal+0x1fe9/0x2010 kernel/signal.c:3034
 arch_do_signal_or_restart+0x80/0x7d0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x7c/0x100 kernel/entry/common.c:111
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x337/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Memory state around the buggy address:
 ff110002ff57e300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ff110002ff57e380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ff110002ff57e400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ff110002ff57e480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ff110002ff57e500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================