================================================================== BUG: KASAN: use-after-free in ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline] BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x9b2/0x2310 fs/ocfs2/suballoc.c:1982 Read of size 4 at addr ffff88805342b000 by task syz.0.0/5323 CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xb4/0x290 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline] ocfs2_claim_suballoc_bits+0x9b2/0x2310 fs/ocfs2/suballoc.c:1982 __ocfs2_claim_clusters+0x307/0x910 fs/ocfs2/suballoc.c:2395 ocfs2_add_clusters_in_btree+0x336/0xf80 fs/ocfs2/alloc.c:4834 ocfs2_add_inode_data+0xce/0x120 fs/ocfs2/file.c:550 ocfs2_write_cluster fs/ocfs2/aops.c:1114 [inline] ocfs2_write_cluster_by_desc+0x530/0x1c90 fs/ocfs2/aops.c:1218 ocfs2_write_begin_nolock+0x31a3/0x4340 fs/ocfs2/aops.c:1795 ocfs2_dio_wr_get_block+0xb6f/0x1770 fs/ocfs2/aops.c:2211 get_more_blocks fs/direct-io.c:648 [inline] do_direct_IO fs/direct-io.c:936 [inline] __blockdev_direct_IO+0x1649/0x3310 fs/direct-io.c:1243 ocfs2_direct_IO+0x25f/0x2d0 fs/ocfs2/aops.c:2438 generic_file_direct_write+0x1d8/0x3e0 mm/filemap.c:4037 __generic_file_write_iter+0x11d/0x230 mm/filemap.c:4206 ocfs2_file_write_iter+0x157a/0x1d10 fs/ocfs2/file.c:2469 iter_file_splice_write+0x937/0x1000 fs/splice.c:738 do_splice_from fs/splice.c:935 [inline] direct_splice_actor+0xfe/0x160 fs/splice.c:1158 splice_direct_to_actor+0x5a5/0xcc0 fs/splice.c:1102 do_splice_direct_actor fs/splice.c:1201 [inline] do_splice_direct+0x181/0x270 fs/splice.c:1227 do_sendfile+0x4da/0x7d0 fs/read_write.c:1368 __do_sys_sendfile64 fs/read_write.c:1429 [inline] __se_sys_sendfile64+0x13e/0x190 fs/read_write.c:1415 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd6f118e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd6f2056038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007fd6f13b6160 RCX: 00007fd6f118e969 RDX: 0000000000000000 RSI: 0000000000000011 RDI: 0000000000000010 RBP: 00007fd6f1210ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000fffe82 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000001 R14: 00007fd6f13b6160 R15: 00007ffc8c2b90d8 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5342b flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 ffffea00014d0b08 ffff88801fe3f8b0 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffff88805342af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88805342af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88805342b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88805342b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88805342b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================