syzbot

loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-use-after-free in jfs_readdir+0x118f/0x3ae0 fs/jfs/jfs_dtree.c:2881
Read of size 8 at addr ffff88801df67d98 by task syz.0.17/5988

CPU: 1 UID: 0 PID: 5988 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 jfs_readdir+0x118f/0x3ae0 fs/jfs/jfs_dtree.c:2881
 wrap_directory_iterator+0x99/0xe0 fs/readdir.c:65
 iterate_dir+0x3a5/0x580 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f505a60f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdfa86c878 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f505a865fa0 RCX: 00007f505a60f749
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f505a693f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f505a865fa0 R14: 00007f505a865fa0 R15: 0000000000000003
 </TASK>

Allocated by task 5988:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 unpoison_slab_object mm/kasan/common.c:342 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:368
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4948 [inline]
 slab_alloc_node mm/slub.c:5258 [inline]
 kmem_cache_alloc_noprof+0x181/0x6d0 mm/slub.c:5265
 mempool_alloc_noprof+0x185/0x390 mm/mempool.c:567
 alloc_metapage fs/jfs/jfs_metapage.c:264 [inline]
 __get_metapage+0x509/0xde0 fs/jfs/jfs_metapage.c:760
 dtSplitRoot+0x202/0x16c0 fs/jfs/jfs_dtree.c:1910
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xef8/0x5f40 fs/jfs/jfs_dtree.c:871
 jfs_create+0x6c8/0xa80 fs/jfs/namei.c:137
 lookup_open fs/namei.c:4440 [inline]
 open_last_lookups fs/namei.c:4540 [inline]
 path_openat+0x18d1/0x3df0 fs/namei.c:4784
 do_filp_open+0x1fa/0x410 fs/namei.c:4814
 do_sys_openat2+0x121/0x200 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5988:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6663 [inline]
 kmem_cache_free+0x18f/0x8d0 mm/slub.c:6774
 mempool_free+0xf5/0x140 mm/mempool.c:712
 free_metapage fs/jfs/jfs_metapage.c:279 [inline]
 drop_metapage fs/jfs/jfs_metapage.c:316 [inline]
 release_metapage+0x84c/0xab0 fs/jfs/jfs_metapage.c:892
 dtReadNext fs/jfs/jfs_dtree.c:3202 [inline]
 jfs_readdir+0xece/0x3ae0 fs/jfs/jfs_dtree.c:2874
 wrap_directory_iterator+0x99/0xe0 fs/readdir.c:65
 iterate_dir+0x3a5/0x580 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801df67d68
 which belongs to the cache jfs_mp of size 248
The buggy address is located 48 bytes inside of
 freed 248-byte region [ffff88801df67d68, ffff88801df67e60)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1df67
flags: 0x80000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000000 ffff88801dbb7a00 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5988, tgid 5988 (syz.0.17), ts 113749003289, free_ts 113080378553
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
 prep_new_page mm/page_alloc.c:1853 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3879
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3b0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xb10/0x1400 mm/slub.c:4651
 __slab_alloc+0xc6/0x1f0 mm/slub.c:4774
 __slab_alloc_node mm/slub.c:4850 [inline]
 slab_alloc_node mm/slub.c:5246 [inline]
 kmem_cache_alloc_noprof+0xec/0x6d0 mm/slub.c:5265
 mempool_alloc_noprof+0x185/0x390 mm/mempool.c:567
 alloc_metapage fs/jfs/jfs_metapage.c:264 [inline]
 __get_metapage+0x509/0xde0 fs/jfs/jfs_metapage.c:760
 diReadSpecial+0x25b/0x710 fs/jfs/jfs_imap.c:447
 jfs_mount+0x73/0x870 fs/jfs/jfs_mount.c:87
 jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1699
 vfs_get_tree+0x92/0x2a0 fs/super.c:1759
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3636 [inline]
 do_new_mount+0x302/0xa10 fs/namespace.c:3712
page last free pid 5912 tgid 5912 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0xfb6/0x1140 mm/page_alloc.c:2901
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x149/0x170 mm/slub.c:3886
 __slab_free+0x139/0x210 mm/slub.c:5947
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:352
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4948 [inline]
 slab_alloc_node mm/slub.c:5258 [inline]
 kmem_cache_alloc_node_noprof+0x23b/0x700 mm/slub.c:5310
 __alloc_skb+0x255/0x430 net/core/skbuff.c:679
 netlink_sendmsg+0x5c6/0xb30 net/netlink/af_netlink.c:1869
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:733
 __sys_sendto+0x3c7/0x520 net/socket.c:2197
 __do_sys_sendto net/socket.c:2204 [inline]
 __se_sys_sendto net/socket.c:2200 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2200
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801df67c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801df67d00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb
>ffff88801df67d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88801df67e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88801df67e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================