syzbot

 ... Log Wrap ... Log Wrap ... Log Wrap ...
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: slab-use-after-free in txEnd+0x32d/0x520 fs/jfs/jfs_txnmgr.c:554
Write of size 8 at addr ffff88807b63b040 by task jfsCommit/112

CPU: 0 PID: 112 Comm: jfsCommit Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xac/0x220 mm/kasan/report.c:468
 kasan_report+0x117/0x150 mm/kasan/report.c:581
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
 instrument_atomic_write include/linux/instrumented.h:82 [inline]
 clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
 txEnd+0x32d/0x520 fs/jfs/jfs_txnmgr.c:554
 txLazyCommit fs/jfs/jfs_txnmgr.c:2684 [inline]
 jfs_lazycommit+0x5a6/0xa60 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>

Allocated by task 6013:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 open_inline_log fs/jfs/jfs_logmgr.c:1159 [inline]
 lmLogOpen+0x2df/0xfb0 fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xea/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x592/0xac0 fs/jfs/super.c:565
 mount_bdev+0x22b/0x2d0 fs/super.c:1643
 legacy_get_tree+0xea/0x180 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x280 fs/super.c:1764
 do_new_mount+0x24b/0xa40 fs/namespace.c:3386
 do_mount fs/namespace.c:3726 [inline]
 __do_sys_mount fs/namespace.c:3935 [inline]
 __se_sys_mount+0x2da/0x3c0 fs/namespace.c:3912
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 5902:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1811 [inline]
 slab_free_freelist_hook+0x130/0x1b0 mm/slub.c:1837
 slab_free mm/slub.c:3830 [inline]
 __kmem_cache_free+0xba/0x1f0 mm/slub.c:3843
 lmLogClose+0x297/0x520 fs/jfs/jfs_logmgr.c:-1
 jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x134/0x2b0 fs/super.c:693
 kill_block_super+0x44/0x90 fs/super.c:1660
 deactivate_locked_super+0x97/0x100 fs/super.c:481
 cleanup_mnt+0x429/0x4c0 fs/namespace.c:1259
 task_work_run+0x1ce/0x250 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xf6/0x180 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88807b63b000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 freed 1024-byte region [ffff88807b63b000, ffff88807b63b400)

The buggy address belongs to the physical page:
page:ffffea0001ed8e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b638
head:ffffea0001ed8e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888017841dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5839, tgid 5839 (syz-executor), ts 74790048362, free_ts 73984353006
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
 prep_new_page mm/page_alloc.c:1561 [inline]
 get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
 alloc_slab_page+0x5d/0x170 mm/slub.c:1881
 allocate_slab mm/slub.c:2028 [inline]
 new_slab+0x87/0x2e0 mm/slub.c:2081
 ___slab_alloc+0xc6d/0x1300 mm/slub.c:3253
 __slab_alloc mm/slub.c:3339 [inline]
 __slab_alloc_node mm/slub.c:3392 [inline]
 slab_alloc_node mm/slub.c:3485 [inline]
 __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3534
 kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 batadv_hardif_add_interface net/batman-adv/hard-interface.c:882 [inline]
 batadv_hard_if_event+0xde9/0x15b0 net/batman-adv/hard-interface.c:970
 notifier_call_chain+0x197/0x390 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 register_netdevice+0x160c/0x1ae0 net/core/dev.c:10313
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:343 [inline]
 nsim_create+0x3ca/0x4a0 drivers/net/netdevsim/netdev.c:401
 __nsim_dev_port_add+0x702/0xb00 drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all+0x35/0xe0 drivers/net/netdevsim/dev.c:1449
 nsim_drv_probe+0x884/0xb70 drivers/net/netdevsim/dev.c:1607
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x25b/0xb40 drivers/base/dd.c:658
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1154 [inline]
 free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
 kasan_depopulate_vmalloc_pte+0x75/0x90 mm/kasan/shadow.c:427
 apply_to_pte_range mm/memory.c:2603 [inline]
 apply_to_pmd_range mm/memory.c:2647 [inline]
 apply_to_pud_range mm/memory.c:2683 [inline]
 apply_to_p4d_range mm/memory.c:2719 [inline]
 __apply_to_page_range+0x878/0xdb0 mm/memory.c:2755
 kasan_release_vmalloc+0x97/0xb0 mm/kasan/shadow.c:544
 __purge_vmap_area_lazy+0x1640/0x1990 mm/vmalloc.c:1778
 drain_vmap_area_work+0x40/0xd0 mm/vmalloc.c:1812
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293

Memory state around the buggy address:
 ffff88807b63af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807b63af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807b63b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88807b63b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b63b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================