================================================================== BUG: KFENCE: use-after-free read in drop_metapage fs/jfs/jfs_metapage.c:223 [inline] BUG: KFENCE: use-after-free read in release_metapage+0x2c0/0xf80 fs/jfs/jfs_metapage.c:757 Use-after-free read at 0xffff88807edb8f70 (in kfence-#219): drop_metapage fs/jfs/jfs_metapage.c:223 [inline] release_metapage+0x2c0/0xf80 fs/jfs/jfs_metapage.c:757 write_metapage fs/jfs/jfs_metapage.h:75 [inline] flush_metapage fs/jfs/jfs_metapage.h:81 [inline] ea_put fs/jfs/xattr.c:614 [inline] __jfs_setxattr+0xd26/0x1010 fs/jfs/xattr.c:783 jfs_initxattrs+0x14f/0x200 fs/jfs/xattr.c:1020 security_inode_init_security+0x1c8/0x370 security/security.c:1147 jfs_init_security+0x86/0xb0 fs/jfs/xattr.c:1032 jfs_mkdir+0x3cc/0xb00 fs/jfs/namei.c:240 vfs_mkdir+0x242/0x460 fs/namei.c:4038 do_mkdirat+0x28d/0x310 fs/namei.c:4061 __do_sys_mkdirat fs/namei.c:4076 [inline] __se_sys_mkdirat fs/namei.c:4074 [inline] __x64_sys_mkdirat+0x119/0x170 fs/namei.c:4074 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd kfence-#219: 0xffff88807edb8f48-0xffff88807edb8fff, size=184, cache=jfs_mp allocated by task 5503 on cpu 2 at 286.537154s: mempool_alloc+0x158/0x360 mm/mempool.c:398 alloc_metapage fs/jfs/jfs_metapage.c:176 [inline] __get_metapage+0x60e/0x1170 fs/jfs/jfs_metapage.c:651 ea_get+0xdb5/0x12e0 fs/jfs/xattr.c:526 __jfs_setxattr+0x1b5/0x1010 fs/jfs/xattr.c:718 jfs_initxattrs+0x14f/0x200 fs/jfs/xattr.c:1020 security_inode_init_security+0x1c8/0x370 security/security.c:1147 jfs_init_security+0x86/0xb0 fs/jfs/xattr.c:1032 jfs_mkdir+0x3cc/0xb00 fs/jfs/namei.c:240 vfs_mkdir+0x242/0x460 fs/namei.c:4038 do_mkdirat+0x28d/0x310 fs/namei.c:4061 __do_sys_mkdirat fs/namei.c:4076 [inline] __se_sys_mkdirat fs/namei.c:4074 [inline] __x64_sys_mkdirat+0x119/0x170 fs/namei.c:4074 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd freed by task 101 on cpu 3 at 286.549366s: mempool_free+0xe7/0x3b0 mm/mempool.c:507 free_metapage fs/jfs/jfs_metapage.c:191 [inline] metapage_release_folio+0x2b9/0x4a0 fs/jfs/jfs_metapage.c:551 filemap_release_folio+0x13f/0x1b0 mm/filemap.c:4121 shrink_folio_list+0x1fe3/0x3c80 mm/vmscan.c:2010 evict_folios+0x794/0x1940 mm/vmscan.c:5121 try_to_shrink_lruvec+0x82c/0xb90 mm/vmscan.c:5297 shrink_one+0x46b/0x810 mm/vmscan.c:5341 shrink_many mm/vmscan.c:5394 [inline] lru_gen_shrink_node mm/vmscan.c:5511 [inline] shrink_node+0x2064/0x35f0 mm/vmscan.c:6459 kswapd_shrink_node mm/vmscan.c:7262 [inline] balance_pgdat+0xa02/0x1ac0 mm/vmscan.c:7452 kswapd+0x677/0xd60 mm/vmscan.c:7712 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 CPU: 2 PID: 5503 Comm: syz-executor.3 Not tainted 6.3.0-rc3-syzkaller-00338-gda8e7da11e4b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 RIP: 0010:drop_metapage fs/jfs/jfs_metapage.c:223 [inline] RIP: 0010:release_metapage+0x2c0/0xf80 fs/jfs/jfs_metapage.c:757 Code: 04 24 85 c0 0f 85 8e 08 00 00 e8 0b c1 98 fe 4c 89 fa 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 a8 0b 00 00 <4c> 8b 7d 28 31 ff 4c 89 fe e8 52 bd 98 fe 4d 85 ff 0f 85 5d 01 00 RSP: 0000:ffffc900027d7850 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807edb8ff0 RCX: ffffc90002ea1000 RDX: 1ffff1100fdb71ee RSI: ffffffff82e94455 RDI: 0000000000000001 RBP: ffff88807edb8f48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffea00013295c0 R13: ffff88807edb8f68 R14: ffffea00013295c8 R15: ffff88807edb8f70 FS: 00007fae9fcd8700(0000) GS:ffff88802cb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88807edb8f70 CR3: 0000000043884000 CR4: 0000000000152ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: write_metapage fs/jfs/jfs_metapage.h:75 [inline] flush_metapage fs/jfs/jfs_metapage.h:81 [inline] ea_put fs/jfs/xattr.c:614 [inline] __jfs_setxattr+0xd26/0x1010 fs/jfs/xattr.c:783 jfs_initxattrs+0x14f/0x200 fs/jfs/xattr.c:1020 security_inode_init_security+0x1c8/0x370 security/security.c:1147 jfs_init_security+0x86/0xb0 fs/jfs/xattr.c:1032 jfs_mkdir+0x3cc/0xb00 fs/jfs/namei.c:240 vfs_mkdir+0x242/0x460 fs/namei.c:4038 do_mkdirat+0x28d/0x310 fs/namei.c:4061 __do_sys_mkdirat fs/namei.c:4076 [inline] __se_sys_mkdirat fs/namei.c:4074 [inline] __x64_sys_mkdirat+0x119/0x170 fs/namei.c:4074 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fae9ee8c0f9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fae9fcd8168 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 00007fae9efabf80 RCX: 00007fae9ee8c0f9 RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000005 RBP: 00007fae9eee7b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd1aa04d6f R14: 00007fae9fcd8300 R15: 0000000000022000 ================================================================== ---------------- Code disassembly (best guess): 0: 04 24 add $0x24,%al 2: 85 c0 test %eax,%eax 4: 0f 85 8e 08 00 00 jne 0x898 a: e8 0b c1 98 fe callq 0xfe98c11a f: 4c 89 fa mov %r15,%rdx 12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 19: fc ff df 1c: 48 c1 ea 03 shr $0x3,%rdx 20: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 24: 0f 85 a8 0b 00 00 jne 0xbd2 * 2a: 4c 8b 7d 28 mov 0x28(%rbp),%r15 <-- trapping instruction 2e: 31 ff xor %edi,%edi 30: 4c 89 fe mov %r15,%rsi 33: e8 52 bd 98 fe callq 0xfe98bd8a 38: 4d 85 ff test %r15,%r15 3b: 0f .byte 0xf 3c: 85 5d 01 test %ebx,0x1(%rbp)