ocfs2: Mounting device (7,5) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: slab-use-after-free in ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
BUG: KASAN: slab-use-after-free in ocfs2_claim_suballoc_bits+0x950/0x1e0c fs/ocfs2/suballoc.c:1982
Read of size 4 at addr ffff0000f4b82000 by task syz.5.515/9224

CPU: 0 UID: 0 PID: 9224 Comm: syz.5.515 Not tainted 6.13.0-rc2-syzkaller-g2e7aff49b5da #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
 ocfs2_claim_suballoc_bits+0x950/0x1e0c fs/ocfs2/suballoc.c:1982
 ocfs2_claim_new_inode+0x2dc/0x7a8 fs/ocfs2/suballoc.c:2267
 ocfs2_mknod_locked+0x134/0x2e4 fs/ocfs2/namei.c:635
 ocfs2_mknod+0x10a0/0x2438 fs/ocfs2/namei.c:381
 ocfs2_mkdir+0x194/0x4d4 fs/ocfs2/namei.c:657
 vfs_mkdir+0x27c/0x410 fs/namei.c:4311
 do_mkdirat+0x248/0x574 fs/namei.c:4334
 __do_sys_mkdirat fs/namei.c:4349 [inline]
 __se_sys_mkdirat fs/namei.c:4347 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4347
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 9034:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:568
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4104 [inline]
 slab_alloc_node mm/slub.c:4153 [inline]
 kmem_cache_alloc_noprof+0x254/0x410 mm/slub.c:4160
 mempool_alloc_slab+0x58/0x74 mm/mempool.c:559
 mempool_alloc_noprof+0x150/0x48c mm/mempool.c:402
 bio_alloc_bioset+0x20c/0x1018 block/bio.c:554
 bio_alloc include/linux/bio.h:374 [inline]
 submit_bh_wbc+0x1d8/0x4c8 fs/buffer.c:2794
 submit_bh fs/buffer.c:2819 [inline]
 __bh_read_batch+0x11c/0x26c fs/buffer.c:3132
 bh_readahead_batch include/linux/buffer_head.h:461 [inline]
 do_readahead fs/jbd2/recovery.c:105 [inline]
 jread+0x468/0x9b8 fs/jbd2/recovery.c:165
 do_one_pass+0x344/0x36d0 fs/jbd2/recovery.c:646
 jbd2_journal_skip_recovery+0x98/0x20c fs/jbd2/recovery.c:366
 jbd2_journal_wipe+0xd0/0x114 fs/jbd2/journal.c:2517
 ocfs2_journal_wipe+0xb0/0x29c fs/ocfs2/journal.c:1192
 ocfs2_check_volume fs/ocfs2/super.c:2413 [inline]
 ocfs2_mount_volume+0x9d8/0x1508 fs/ocfs2/super.c:1817
 ocfs2_fill_super+0x39d8/0x48d0 fs/ocfs2/super.c:1084
 mount_bdev+0x1d4/0x2a0 fs/super.c:1693
 ocfs2_mount+0x44/0x58 fs/ocfs2/super.c:1188
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662
 vfs_get_tree+0x90/0x28c fs/super.c:1814
 do_new_mount+0x278/0x900 fs/namespace.c:3507
 path_mount+0x590/0xe04 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __arm64_sys_mount+0x4d4/0x5ac fs/namespace.c:4034
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 9063:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2338 [inline]
 slab_free_after_rcu_debug+0x11c/0x2f8 mm/slub.c:4648
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0x898/0x1b5c kernel/rcu/tree.c:2823
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2840
 handle_softirqs+0x320/0xd34 kernel/softirq.c:554
 __do_softirq+0x14/0x20 kernel/softirq.c:588

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 __kasan_record_aux_stack+0xb8/0xd0 mm/kasan/generic.c:544
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:554
 slab_free_hook mm/slub.c:2299 [inline]
 slab_free mm/slub.c:4598 [inline]
 kmem_cache_free+0x368/0x554 mm/slub.c:4700
 mempool_free_slab+0x28/0x38 mm/mempool.c:566
 mempool_free+0xbc/0x2e8 mm/mempool.c:548
 bio_free+0x200/0x27c block/bio.c:237
 bio_put+0x1b8/0x9dc
 end_bio_bh_io_sync+0xb8/0x184 fs/buffer.c:2767
 bio_endio+0x840/0x87c block/bio.c:1645
 blk_update_request+0x4ac/0xda0 block/blk-mq.c:981
 blk_mq_end_request+0x54/0x88 block/blk-mq.c:1143
 lo_complete_rq+0x188/0x2f4 drivers/block/loop.c:386
 blk_complete_reqs block/blk-mq.c:1218 [inline]
 blk_done_softirq+0x11c/0x168 block/blk-mq.c:1223
 handle_softirqs+0x320/0xd34 kernel/softirq.c:554
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:943
 smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the object at ffff0000f4b82000
 which belongs to the cache bio-200 of size 200
The buggy address is located 0 bytes inside of
 freed 200-byte region [ffff0000f4b82000, ffff0000f4b820c8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x134b82
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c2396c80 fffffdffc3329b80 dead000000000002
raw: 0000000000000000 00000000000c000c 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f4b81f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000f4b81f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000f4b82000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0000f4b82080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff0000f4b82100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
grow_buffers: requested out-of-range block 18446744073709551615 for device loop5
(syz.5.515,9224,1):ocfs2_read_blocks:239 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_search_chain:1814 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_search_chain:1926 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_claim_suballoc_bits:1995 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_claim_suballoc_bits:2038 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_claim_new_inode:2273 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_claim_new_inode:2288 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_mknod_locked:639 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_mknod:385 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_mknod:502 ERROR: status = -12
(syz.5.515,9224,1):ocfs2_mkdir:659 ERROR: status = -12
ocfs2: Unmounting device (7,5) on (node local)