==================================================================
BUG: KASAN: use-after-free in list_empty include/linux/list.h:292 [inline]
BUG: KASAN: use-after-free in gfs2_discard fs/gfs2/aops.c:618 [inline]
BUG: KASAN: use-after-free in gfs2_invalidate_folio+0x38c/0x770 fs/gfs2/aops.c:656
Read of size 8 at addr ffff0000cba16168 by task syz-executor/4304
CPU: 1 PID: 4304 Comm: syz-executor Not tainted 6.1.138-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
print_address_description+0x88/0x220 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:427
kasan_report+0xa8/0x100 mm/kasan/report.c:531
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
list_empty include/linux/list.h:292 [inline]
gfs2_discard fs/gfs2/aops.c:618 [inline]
gfs2_invalidate_folio+0x38c/0x770 fs/gfs2/aops.c:656
folio_invalidate mm/truncate.c:158 [inline]
truncate_cleanup_folio+0x1b4/0x330 mm/truncate.c:178
truncate_inode_pages_range+0x1f8/0xd20 mm/truncate.c:368
truncate_inode_pages mm/truncate.c:451 [inline]
truncate_inode_pages_final+0x8c/0xbc mm/truncate.c:486
gfs2_evict_inode+0x890/0xe20 fs/gfs2/super.c:1511
evict+0x3c8/0x810 fs/inode.c:705
iput_final fs/inode.c:1834 [inline]
iput+0x764/0x7f4 fs/inode.c:1860
gfs2_put_super+0x330/0x764 fs/gfs2/super.c:616
generic_shutdown_super+0x130/0x324 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1470
gfs2_kill_sb+0xc0/0xd4 fs/gfs2/ops_fstype.c:-1
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xe8/0x108 fs/super.c:363
cleanup_mnt+0x37c/0x404 fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x1ec/0x270 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x1f70/0x2b0c arch/arm64/kernel/signal.c:1137
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x98/0x138 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 4903:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x28/0x34 mm/kasan/generic.c:505
__kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x74/0x43c mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x234/0x318 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:689 [inline]
gfs2_alloc_bufdata fs/gfs2/trans.c:168 [inline]
gfs2_trans_add_data+0x1dc/0x624 fs/gfs2/trans.c:209
gfs2_unstuffer_page fs/gfs2/bmap.c:83 [inline]
__gfs2_unstuff_inode fs/gfs2/bmap.c:121 [inline]
gfs2_unstuff_dinode+0xb98/0xfbc fs/gfs2/bmap.c:168
gfs2_adjust_quota+0x1d8/0x808 fs/gfs2/quota.c:847
gfs2_set_dqblk+0x784/0xa00 fs/gfs2/quota.c:1738
quota_setquota+0x400/0x490 fs/quota/quota.c:310
do_quotactl+0x65c/0x738 fs/quota/quota.c:802
__do_sys_quotactl fs/quota/quota.c:960 [inline]
__se_sys_quotactl fs/quota/quota.c:916 [inline]
__arm64_sys_quotactl+0x2ac/0x730 fs/quota/quota.c:916
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Freed by task 4457:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x3c/0x60 mm/kasan/generic.c:516
____kasan_slab_free+0x148/0x1b0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x16c/0x1ec mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0x11c/0x324 mm/slub.c:3683
trans_drain fs/gfs2/log.c:1023 [inline]
gfs2_log_flush+0xecc/0x1aa0 fs/gfs2/log.c:1161
gfs2_write_inode+0x184/0x34c fs/gfs2/super.c:453
write_inode fs/fs-writeback.c:1460 [inline]
__writeback_single_inode+0x5e0/0x157c fs/fs-writeback.c:1677
writeback_sb_inodes+0x824/0x1404 fs/fs-writeback.c:1903
wb_writeback+0x400/0xfb0 fs/fs-writeback.c:2077
wb_do_writeback fs/fs-writeback.c:2220 [inline]
wb_workfn+0x34c/0xd98 fs/fs-writeback.c:2260
process_one_work+0x7f4/0x13a8 kernel/workqueue.c:2292
worker_thread+0x8c8/0xfbc kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
The buggy address belongs to the object at ffff0000cba16150
which belongs to the cache gfs2_bufdata of size 80
The buggy address is located 24 bytes inside of
80-byte region [ffff0000cba16150, ffff0000cba161a0)
The buggy address belongs to the physical page:
page:0000000068bfa138 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ba16
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c6f9f380
raw: 0000000000000000 0000000080240024 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000cba16000: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb
ffff0000cba16080: fb fb fb fb fb fb fb fb fc fc fc fc fa fb fb fb
>ffff0000cba16100: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
^
ffff0000cba16180: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cba16200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000005
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000005] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4304 Comm: syz-executor Tainted: G B 6.1.138-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gfs2_remove_from_journal+0x3ac/0x820 fs/gfs2/meta_io.c:350
lr : gfs2_remove_from_journal+0x3a0/0x820 fs/gfs2/meta_io.c:350
sp : ffff800020ed71d0
x29: ffff800020ed71f0 x28: dfff800000000000 x27: ffff0000cba16170
x26: ffff0000cba16170 x25: 1fffe0001bfc205f x24: 0000000000010000
x23: 000000000000002c x22: 0000000000000000 x21: ffff0000dfe102f8
x20: ffff0000cba16150 x19: ffff0000dfe102b8 x18: ffff800011a7bd00
x17: 0000000000000000 x16: ffff8000082e6770 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff0080000a1ab6d8 x10: 0000000000000000 x9 : ffff80000a1ab6d8
x8 : 0000000000000005 x7 : 0000000000000001 x6 : ffff80000a1af3b0
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000a1ab684
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
gfs2_remove_from_journal+0x3ac/0x820 fs/gfs2/meta_io.c:350
gfs2_discard fs/gfs2/aops.c:622 [inline]
gfs2_invalidate_folio+0x498/0x770 fs/gfs2/aops.c:656
folio_invalidate mm/truncate.c:158 [inline]
truncate_cleanup_folio+0x1b4/0x330 mm/truncate.c:178
truncate_inode_pages_range+0x1f8/0xd20 mm/truncate.c:368
truncate_inode_pages mm/truncate.c:451 [inline]
truncate_inode_pages_final+0x8c/0xbc mm/truncate.c:486
gfs2_evict_inode+0x890/0xe20 fs/gfs2/super.c:1511
evict+0x3c8/0x810 fs/inode.c:705
iput_final fs/inode.c:1834 [inline]
iput+0x764/0x7f4 fs/inode.c:1860
gfs2_put_super+0x330/0x764 fs/gfs2/super.c:616
generic_shutdown_super+0x130/0x324 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1470
gfs2_kill_sb+0xc0/0xd4 fs/gfs2/ops_fstype.c:-1
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xe8/0x108 fs/super.c:363
cleanup_mnt+0x37c/0x404 fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x1ec/0x270 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x1f70/0x2b0c arch/arm64/kernel/signal.c:1137
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x98/0x138 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 978bd67e a94067f6 9100b2d7 d343fee8 (38fc6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 978bd67e bl 0xfffffffffe2f59f8
4: a94067f6 ldp x22, x25, [sp]
8: 9100b2d7 add x23, x22, #0x2c
c: d343fee8 lsr x8, x23, #3
* 10: 38fc6908 ldrsb w8, [x8, x28] <-- trapping instruction