loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-use-after-free in jfs_readdir+0x135b/0x4660 fs/jfs/jfs_dtree.c:2867
Read of size 8 at addr ffff88807a9e9bd0 by task syz-executor.0/6323

CPU: 0 PID: 6323 Comm: syz-executor.0 Not tainted 6.9.0-syzkaller-10729-gb6394d6f7159 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 jfs_readdir+0x135b/0x4660 fs/jfs/jfs_dtree.c:2867
 wrap_directory_iterator+0x94/0xe0 fs/readdir.c:67
 iterate_dir+0x65e/0x820 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64+0x20d/0x4f0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7feb5fa7cee9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feb608200c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007feb5fbabf80 RCX: 00007feb5fa7cee9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007feb5fac949e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007feb5fbabf80 R15: 00007ffce60f7378

Allocated by task 6323:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4000 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4007
 mempool_alloc_noprof+0x197/0x5a0 mm/mempool.c:402
 alloc_metapage fs/jfs/jfs_metapage.c:176 [inline]
 __get_metapage+0x593/0x1050 fs/jfs/jfs_metapage.c:651
 dtSplitRoot+0x2af/0x1930 fs/jfs/jfs_dtree.c:1907
 dtSplitUp fs/jfs/jfs_dtree.c:990 [inline]
 dtInsert+0x12fa/0x6b00 fs/jfs/jfs_dtree.c:868
 jfs_mkdir+0x7fb/0xb90 fs/jfs/namei.c:270
 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4131
 do_mkdirat+0x264/0x3a0 fs/namei.c:4154
 __do_sys_mkdirat fs/namei.c:4169 [inline]
 __se_sys_mkdirat fs/namei.c:4167 [inline]
 __x64_sys_mkdirat+0x89/0xa0 fs/namei.c:4167
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6323:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2195 [inline]
 slab_free mm/slub.c:4436 [inline]
 kmem_cache_free+0x145/0x350 mm/slub.c:4511
 free_metapage fs/jfs/jfs_metapage.c:191 [inline]
 drop_metapage fs/jfs/jfs_metapage.c:228 [inline]
 release_metapage+0x6e4/0x870 fs/jfs/jfs_metapage.c:786
 dtReadNext fs/jfs/jfs_dtree.c:3172 [inline]
 jfs_readdir+0x1025/0x4660 fs/jfs/jfs_dtree.c:2860
 wrap_directory_iterator+0x94/0xe0 fs/readdir.c:67
 iterate_dir+0x65e/0x820 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64+0x20d/0x4f0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807a9e9ba0
 which belongs to the cache jfs_mp of size 184
The buggy address is located 48 bytes inside of
 freed 184-byte region [ffff88807a9e9ba0, ffff88807a9e9c58)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7a9e9
anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000000 ffff888019f8b280 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x1d2800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5326, tgid 5317 (syz-executor.0), ts 90379674693, free_ts 90375331895
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e2d/0x2ee0 mm/page_alloc.c:3402
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4660