Warning: Permanently added '10.128.0.206' (ED25519) to the list of known hosts.
executing program
syzkaller login: [   35.357328][ T4290] loop0: detected capacity change from 0 to 32768
[   35.368339][ T4290] ==================================================================
[   35.370615][ T4290] BUG: KASAN: use-after-free in diWrite+0xb48/0x15cc
[   35.372381][ T4290] Write of size 32 at addr ffff0000dac6e0c0 by task syz-executor365/4290
[   35.374663][ T4290]
[   35.375283][ T4290] CPU: 0 PID: 4290 Comm: syz-executor365 Not tainted 6.1.128-syzkaller #0
[   35.377633][ T4290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   35.380415][ T4290] Call trace:
[   35.381259][ T4290]  dump_backtrace+0x1c8/0x1f4
[   35.382569][ T4290]  show_stack+0x2c/0x3c
[   35.383674][ T4290]  dump_stack_lvl+0x108/0x170
[   35.384967][ T4290]  print_report+0x174/0x4c0
[   35.386188][ T4290]  kasan_report+0xd4/0x130
[   35.387411][ T4290]  kasan_check_range+0x264/0x2a4
[   35.388845][ T4290]  memcpy+0x60/0x90
[   35.389869][ T4290]  diWrite+0xb48/0x15cc
[   35.391043][ T4290]  txCommit+0x750/0x5574
[   35.392206][ T4290]  add_missing_indices+0x760/0xa8c
[   35.393606][ T4290]  jfs_readdir+0x18ac/0x3030
[   35.394939][ T4290]  iterate_dir+0x1f4/0x4ec
[   35.396078][ T4290]  __arm64_sys_getdents64+0x1c4/0x4a0
[   35.397565][ T4290]  invoke_syscall+0x98/0x2bc
[   35.398816][ T4290]  el0_svc_common+0x138/0x258
[   35.400105][ T4290]  do_el0_svc+0x58/0x13c
[   35.401202][ T4290]  el0_svc+0x58/0x168
[   35.402345][ T4290]  el0t_64_sync_handler+0x84/0xf0
[   35.403720][ T4290]  el0t_64_sync+0x18c/0x190
[   35.404872][ T4290]
[   35.405478][ T4290] Allocated by task 4156:
[   35.406725][ T4290]  kasan_set_track+0x4c/0x80
[   35.407957][ T4290]  kasan_save_alloc_info+0x24/0x30
[   35.409363][ T4290]  __kasan_slab_alloc+0x74/0x8c
[   35.410746][ T4290]  slab_post_alloc_hook+0x74/0x458
[   35.412168][ T4290]  kmem_cache_alloc+0x230/0x37c
[   35.413509][ T4290]  mas_alloc_nodes+0x228/0x704
[   35.414843][ T4290]  mas_preallocate+0x124/0x2dc
[   35.416109][ T4290]  __vma_adjust+0x2e4/0x1774
[   35.417407][ T4290]  __split_vma+0x324/0x448
[   35.418604][ T4290]  do_mas_align_munmap+0x374/0x1160
[   35.419990][ T4290]  mmap_region+0x8f8/0x2208
[   35.421226][ T4290]  do_mmap+0x9ac/0x110c
[   35.422397][ T4290]  vm_mmap_pgoff+0x1a4/0x2b4
[   35.423621][ T4290]  ksys_mmap_pgoff+0x3c8/0x5b0
[   35.424920][ T4290]  __arm64_sys_mmap+0xf8/0x110
[   35.426291][ T4290]  invoke_syscall+0x98/0x2bc
[   35.427594][ T4290]  el0_svc_common+0x138/0x258
[   35.428849][ T4290]  do_el0_svc+0x58/0x13c
[   35.429991][ T4290]  el0_svc+0x58/0x168
[   35.431048][ T4290]  el0t_64_sync_handler+0x84/0xf0
[   35.432441][ T4290]  el0t_64_sync+0x18c/0x190
[   35.433676][ T4290]
[   35.434325][ T4290] Freed by task 4161:
[   35.435412][ T4290]  kasan_set_track+0x4c/0x80
[   35.436718][ T4290]  kasan_save_free_info+0x38/0x5c
[   35.438102][ T4290]  ____kasan_slab_free+0x144/0x1c0
[   35.439550][ T4290]  __kasan_slab_free+0x18/0x28
[   35.440814][ T4290]  kmem_cache_free+0x2f0/0x588
[   35.442156][ T4290]  mt_free_rcu+0x28/0x38
[   35.443352][ T4290]  rcu_core+0x880/0x1c48
[   35.444493][ T4290]  rcu_core_si+0x10/0x1c
[   35.445739][ T4290]  handle_softirqs+0x318/0xd58
[   35.447036][ T4290]  __do_softirq+0x14/0x20
[   35.448215][ T4290]
[   35.448795][ T4290] Last potentially related work creation:
[   35.450360][ T4290]  kasan_save_stack+0x40/0x70
[   35.451686][ T4290]  __kasan_record_aux_stack+0xcc/0xe8
[   35.453162][ T4290]  kasan_record_aux_stack_noalloc+0x14/0x20
[   35.454785][ T4290]  call_rcu+0xfc/0xa40
[   35.455936][ T4290]  mas_wmb_replace+0xac4/0xfb0
[   35.457251][ T4290]  mas_wr_modify+0x2978/0x3e64
[   35.458506][ T4290]  mas_wr_store_entry+0x744/0xaf8
[   35.459919][ T4290]  mas_store_prealloc+0x280/0x3ac
[   35.461312][ T4290]  vma_mas_store+0x19c/0x490
[   35.462619][ T4290]  __vma_adjust+0x1108/0x1774
[   35.463891][ T4290]  __split_vma+0x324/0x448
[   35.465051][ T4290]  split_vma+0xa0/0xf8
[   35.466141][ T4290]  mprotect_fixup+0x400/0x624
[   35.467449][ T4290]  __arm64_sys_mprotect+0x764/0xc24
[   35.468934][ T4290]  invoke_syscall+0x98/0x2bc
[   35.470134][ T4290]  el0_svc_common+0x138/0x258
[   35.471414][ T4290]  do_el0_svc+0x58/0x13c
[   35.472638][ T4290]  el0_svc+0x58/0x168
[   35.473811][ T4290]  el0t_64_sync_handler+0x84/0xf0
[   35.475151][ T4290]  el0t_64_sync+0x18c/0x190
[   35.476358][ T4290]
[   35.477000][ T4290] The buggy address belongs to the object at ffff0000dac6e000
[   35.477000][ T4290]  which belongs to the cache maple_node of size 256
[   35.480912][ T4290] The buggy address is located 192 bytes inside of
[   35.480912][ T4290]  256-byte region [ffff0000dac6e000, ffff0000dac6e100)
[   35.484494][ T4290]
[   35.485132][ T4290] The buggy address belongs to the physical page:
[   35.486870][ T4290] page:0000000021855c0c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ac6e
[   35.489681][ T4290] head:0000000021855c0c order:1 compound_mapcount:0 compound_pincount:0
[   35.492002][ T4290] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[   35.494124][ T4290] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c000d680
[   35.496451][ T4290] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   35.498865][ T4290] page dumped because: kasan: bad access detected
[   35.500659][ T4290]
[   35.501303][ T4290] Memory state around the buggy address:
[   35.502879][ T4290]  ffff0000dac6df80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.505099][ T4290]  ffff0000dac6e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.507400][ T4290] >ffff0000dac6e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.509582][ T4290]                                            ^
[   35.511283][ T4290]  ffff0000dac6e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.513636][ T4290]  ffff0000dac6e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.515967][ T4290] ==================================================================
[   35.518470][ T4290] Disabling lock debugging due to kernel taint
[   35.520748][ T4290] ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0
[   35.520748][ T4290]
[   35.524103][ T4290] ERROR: (device loop0): remounting filesystem as read-only