syzbot

loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-use-after-free in dtCompare fs/jfs/jfs_dtree.c:3345 [inline]
BUG: KASAN: slab-use-after-free in dtSearch+0x1683/0x21b0 fs/jfs/jfs_dtree.c:650
Read of size 1 at addr ffff8880410f86c8 by task syz.0.19/6102

CPU: 1 UID: 0 PID: 6102 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 dtCompare fs/jfs/jfs_dtree.c:3345 [inline]
 dtSearch+0x1683/0x21b0 fs/jfs/jfs_dtree.c:650
 jfs_lookup+0x155/0x380 fs/jfs/namei.c:1461
 lookup_open fs/namei.c:3774 [inline]
 open_last_lookups fs/namei.c:3895 [inline]
 path_openat+0x110d/0x3840 fs/namei.c:4131
 do_filp_open+0x1fa/0x410 fs/namei.c:4161
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd5c08efc9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff10491598 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fcd5c2e5fa0 RCX: 00007fcd5c08efc9
RDX: 0000000000000000 RSI: 0000200000000280 RDI: ffffffffffffff9c
RBP: 00007fcd5c111f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcd5c2e5fa0 R14: 00007fcd5c2e5fa0 R15: 0000000000000004
 </TASK>

Allocated by task 5943:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 unpoison_slab_object mm/kasan/common.c:342 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:368
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4962 [inline]
 slab_alloc_node mm/slub.c:5272 [inline]
 kmem_cache_alloc_lru_noprof+0x188/0x6b0 mm/slub.c:5291
 alloc_inode+0x6a/0x1b0 fs/inode.c:346
 new_inode+0x22/0x170 fs/inode.c:1145
 debugfs_get_inode fs/debugfs/inode.c:72 [inline]
 __debugfs_create_file+0x14d/0x4f0 fs/debugfs/inode.c:442
 debugfs_create_file_short+0x3f/0x60 fs/debugfs/inode.c:480
 add_common_files net/mac80211/debugfs_netdev.c:825 [inline]
 add_files net/mac80211/debugfs_netdev.c:945 [inline]
 ieee80211_debugfs_add_netdev net/mac80211/debugfs_netdev.c:1009 [inline]
 ieee80211_debugfs_recreate_netdev+0x3d2/0x1460 net/mac80211/debugfs_netdev.c:1033
 ieee80211_if_add+0xc17/0x1390 net/mac80211/iface.c:2269
 ieee80211_register_hw+0x35a5/0x40d0 net/mac80211/main.c:1608
 mac80211_hwsim_new_radio+0x2efe/0x5160 drivers/net/wireless/virtual/mac80211_hwsim.c:5803
 hwsim_new_radio_nl+0xf5b/0x1bd0 drivers/net/wireless/virtual/mac80211_hwsim.c:6497
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 __sys_sendto+0x3c7/0x520 net/socket.c:2244
 __do_sys_sendto net/socket.c:2251 [inline]
 __se_sys_sendto net/socket.c:2247 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2247
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 20:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2530 [inline]
 slab_free mm/slub.c:6619 [inline]
 kmem_cache_free+0x19a/0x910 mm/slub.c:6729
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core kernel/rcu/tree.c:2861 [inline]
 rcu_cpu_kthread+0xbf6/0x1b50 kernel/rcu/tree.c:2949
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:56
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:559
 __call_rcu_common kernel/rcu/tree.c:3123 [inline]
 call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3243
 destroy_inode fs/inode.c:401 [inline]
 evict+0x847/0x9c0 fs/inode.c:834
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 find_next_child+0x1e5/0x250 fs/libfs.c:600
 __simple_recursive_removal+0x10b/0x510 fs/libfs.c:617
 debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:800
 ieee80211_debugfs_remove_netdev+0x52/0xb0 net/mac80211/debugfs_netdev.c:1019
 ieee80211_teardown_sdata+0x5a/0x140 net/mac80211/iface.c:859
 ieee80211_if_change_type+0x14c/0x990 net/mac80211/iface.c:2007
 ieee80211_change_iface+0xd5/0x510 net/mac80211/cfg.c:254
 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline]
 cfg80211_change_iface+0x795/0xef0 net/wireless/util.c:1238
 nl80211_set_interface+0x773/0xaa0 net/wireless/nl80211.c:4633
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 __sys_sendto+0x3c7/0x520 net/socket.c:2244
 __do_sys_sendto net/socket.c:2251 [inline]
 __se_sys_sendto net/socket.c:2247 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2247
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880410f8590
 which belongs to the cache debugfs_inode_cache of size 1296
The buggy address is located 312 bytes inside of
 freed 1296-byte region [ffff8880410f8590, ffff8880410f8aa0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880410fde90 pfn:0x410f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88801cefb640 0000000000000000 0000000000000001
raw: ffff8880410fde90 0000000000170015 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88801cefb640 0000000000000000 0000000000000001
head: ffff8880410fde90 0000000000170015 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0001043e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5815, tgid 5815 (syz-executor), ts 91205558086, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3046 [inline]
 allocate_slab+0x96/0x3a0 mm/slub.c:3219
 new_slab mm/slub.c:3273 [inline]
 ___slab_alloc+0xb12/0x13f0 mm/slub.c:4643
 __slab_alloc+0xc6/0x1f0 mm/slub.c:4762
 __slab_alloc_node mm/slub.c:4838 [inline]
 slab_alloc_node mm/slub.c:5260 [inline]
 kmem_cache_alloc_lru_noprof+0xf0/0x6b0 mm/slub.c:5291
 alloc_inode+0x6a/0x1b0 fs/inode.c:346
 new_inode+0x22/0x170 fs/inode.c:1145
 debugfs_get_inode fs/debugfs/inode.c:72 [inline]
 __debugfs_create_file+0x14d/0x4f0 fs/debugfs/inode.c:442
 debugfs_create_file_full+0x3f/0x60 fs/debugfs/inode.c:469
 ref_tracker_dir_debugfs+0x154/0x270 lib/ref_tracker.c:441
 ref_tracker_dir_init include/linux/ref_tracker.h:70 [inline]
 preinit_net+0x3a4/0x770 net/core/net_namespace.c:411
 copy_net_ns+0x223/0x4e0 net/core/net_namespace.c:570
 create_new_namespaces+0x3f3/0x720 kernel/nsproxy.c:110
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880410f8580: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880410f8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880410f8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8880410f8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880410f8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================