syzbot

RBP: 00007fb698862390 R08: ffffffffffffffb0 R09: 00000000000124ce
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb698862390
R13: 0000000000000000 R14: 00007fb6988651c0 R15: 00007fb698790840
 </TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:497
Read of size 8 at addr ffff888071da8090 by task syz-executor245/4168

CPU: 0 PID: 4168 Comm: syz-executor245 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x27b/0x290 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:497
 gfs2_quota_sync+0x5bf/0x6f0 fs/gfs2/quota.c:1336
 gfs2_sync_fs+0x48/0xb0 fs/gfs2/super.c:647
 sync_filesystem+0xe6/0x220 fs/sync.c:56
 generic_shutdown_super+0x6b/0x300 fs/super.c:448
 kill_block_super+0x7c/0xe0 fs/super.c:1427
 deactivate_locked_super+0x93/0xf0 fs/super.c:335
 cleanup_mnt+0x418/0x4d0 fs/namespace.c:1139
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x616/0x20a0 kernel/exit.c:874
 do_group_exit+0x12e/0x300 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fb6987c66d9
Code: Unable to access opcode bytes at RIP 0x7fb6987c66af.
RSP: 002b:00007ffc3d9c8e28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb6987c66d9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007fb698862390 R08: ffffffffffffffb0 R09: 00000000000124ce
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb698862390
R13: 0000000000000000 R14: 00007fb6988651c0 R15: 00007fb698790840
 </TASK>

Allocated by task 4168:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x9c/0xd0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3233
 kmem_cache_zalloc include/linux/slab.h:725 [inline]
 qd_alloc+0x50/0x260 fs/gfs2/quota.c:216
 gfs2_quota_init+0x730/0xe80 fs/gfs2/quota.c:1426
 gfs2_make_fs_rw+0x3f5/0x560 fs/gfs2/super.c:155
 gfs2_fill_super+0x188a/0x1f50 fs/gfs2/ops_fstype.c:1276
 get_tree_bdev+0x3f1/0x610 fs/super.c:1325
 gfs2_get_tree+0x4d/0x1e0 fs/gfs2/ops_fstype.c:1332
 vfs_get_tree+0x88/0x270 fs/super.c:1530
 do_new_mount+0x24a/0xa40 fs/namespace.c:3010
 do_mount fs/namespace.c:3353 [inline]
 __do_sys_mount fs/namespace.c:3561 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3538
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 14:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0x8f/0x210 mm/slub.c:3515
 rcu_do_batch kernel/rcu/tree.c:2523 [inline]
 rcu_core+0x962/0x15d0 kernel/rcu/tree.c:2763
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 run_ksoftirqd+0x98/0xf0 kernel/softirq.c:943
 smpboot_thread_fn+0x4f6/0x970 kernel/smpboot.c:164
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Last potentially related work creation:
 kasan_save_stack+0x35/0x60 mm/kasan/common.c:38
 kasan_record_aux_stack+0xb8/0x100 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3007 [inline]
 call_rcu+0x179/0x920 kernel/rcu/tree.c:3087
 gfs2_quota_cleanup+0x43c/0x6a0 fs/gfs2/quota.c:1490
 gfs2_make_fs_ro+0x237/0x5d0 fs/gfs2/super.c:557
 signal_our_withdraw fs/gfs2/util.c:166 [inline]
 gfs2_withdraw+0x5f9/0x1460 fs/gfs2/util.c:343
 gfs2_dinode_in fs/gfs2/glops.c:465 [inline]
 gfs2_inode_refresh+0xb5e/0xfe0 fs/gfs2/glops.c:485
 inode_go_lock+0x127/0x470 fs/gfs2/glops.c:510
 do_promote+0x741/0xab0 fs/gfs2/glock.c:507
 finish_xmote+0x514/0xb70 fs/gfs2/glock.c:678
 do_xmote+0x7b6/0x1120 fs/gfs2/glock.c:824
 gfs2_glock_nq+0xc7a/0x1550 fs/gfs2/glock.c:1534
 gfs2_glock_nq_init fs/gfs2/glock.h:246 [inline]
 do_sync+0x486/0xc00 fs/gfs2/quota.c:927
 gfs2_quota_sync+0x32c/0x6f0 fs/gfs2/quota.c:1329
 gfs2_sync_fs+0x48/0xb0 fs/gfs2/super.c:647
 sync_filesystem+0xe6/0x220 fs/sync.c:56
 generic_shutdown_super+0x6b/0x300 fs/super.c:448
 kill_block_super+0x7c/0xe0 fs/super.c:1427
 deactivate_locked_super+0x93/0xf0 fs/super.c:335
 cleanup_mnt+0x418/0x4d0 fs/namespace.c:1139
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x616/0x20a0 kernel/exit.c:874
 do_group_exit+0x12e/0x300 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff888071da8000
 which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
 272-byte region [ffff888071da8000, ffff888071da8110)
The buggy address belongs to the page:
page:ffffea0001c76a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71da8
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888146730280
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x12c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_RECLAIMABLE), pid 4168, ts 52369467176, free_ts 12280218397
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5474
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x195/0x290 mm/slub.c:3233
 kmem_cache_zalloc include/linux/slab.h:725 [inline]
 qd_alloc+0x50/0x260 fs/gfs2/quota.c:216
 gfs2_quota_init+0x730/0xe80 fs/gfs2/quota.c:1426
 gfs2_make_fs_rw+0x3f5/0x560 fs/gfs2/super.c:155
 gfs2_fill_super+0x188a/0x1f50 fs/gfs2/ops_fstype.c:1276
 get_tree_bdev+0x3f1/0x610 fs/super.c:1325
 gfs2_get_tree+0x4d/0x1e0 fs/gfs2/ops_fstype.c:1332
 vfs_get_tree+0x88/0x270 fs/super.c:1530
 do_new_mount+0x24a/0xa40 fs/namespace.c:3010
 do_mount fs/namespace.c:3353 [inline]
 __do_sys_mount fs/namespace.c:3561 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3538
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_contig_range+0x96/0xf0 mm/page_alloc.c:9393
 destroy_args+0xef/0x8b0 mm/debug_vm_pgtable.c:1018
 debug_vm_pgtable+0x318/0x370 mm/debug_vm_pgtable.c:1331
 do_one_initcall+0x1ee/0x680 init/main.c:1302
 do_initcall_level+0x137/0x1f0 init/main.c:1375
 do_initcalls+0x4b/0x90 init/main.c:1391
 kernel_init_freeable+0x3ce/0x560 init/main.c:1615
 kernel_init+0x19/0x1b0 init/main.c:1506
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff888071da7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888071da8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888071da8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888071da8100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888071da8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================