==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x9c7/0x1540 lib/iov_iter.c:922
Read of size 4096 at addr ffff88808c6fb000 by task kworker/u4:1/10

CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: loop4 loop_rootcg_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x66/0x3e0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 copy_page_from_iter_atomic+0x9c7/0x1540 lib/iov_iter.c:922
 generic_perform_write+0x356/0x600 mm/filemap.c:3778
 __generic_file_write_iter+0x243/0x4f0 mm/filemap.c:3897
 generic_file_write_iter+0xa7/0x1b0 mm/filemap.c:3929
 do_iter_readv_writev+0x54f/0x740
 do_iter_write+0x21e/0x7b0 fs/read_write.c:855
 lo_write_bvec+0x277/0x6f0 drivers/block/loop.c:328
 lo_write_simple drivers/block/loop.c:350 [inline]
 do_req_filebacked drivers/block/loop.c:668 [inline]
 loop_handle_cmd drivers/block/loop.c:2201 [inline]
 loop_process_work+0x2242/0x2d40 drivers/block/loop.c:2241
 process_one_work+0x853/0x1140 kernel/workqueue.c:2297
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2444
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

The buggy address belongs to the page:
page:ffffea000231bec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8c6fb
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0002360888 ffffea0001e3db48 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xdc0(GFP_KERNEL|__GFP_ZERO), pid 24376, ts 1674553208190, free_ts 1674711698112
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4153
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5375
 lbmLogInit fs/jfs/jfs_logmgr.c:1824 [inline]
 lmLogInit+0x37c/0x1f50 fs/jfs/jfs_logmgr.c:1278
 open_inline_log fs/jfs/jfs_logmgr.c:1183 [inline]
 lmLogOpen+0x505/0x1190 fs/jfs/jfs_logmgr.c:1077
 jfs_mount_rw+0xe3/0x680 fs/jfs/jfs_mount.c:260
 jfs_fill_super+0x6a9/0xcf0 fs/jfs/super.c:570
 mount_bdev+0x26c/0x3a0 fs/super.c:1368
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2988 [inline]
 path_mount+0x1986/0x2c30 fs/namespace.c:3318
 do_mount fs/namespace.c:3331 [inline]
 __do_sys_mount fs/namespace.c:3539 [inline]
 __se_sys_mount+0x308/0x3c0 fs/namespace.c:3516
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page+0x7d/0x580 mm/page_alloc.c:3394
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1872 [inline]
 lmLogShutdown+0x4ed/0x960 fs/jfs/jfs_logmgr.c:1692
 lmLogClose+0x2c2/0x560 fs/jfs/jfs_logmgr.c:1468
 jfs_umount+0x297/0x370 fs/jfs/jfs_umount.c:116
 jfs_put_super+0x86/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x12e/0x2b0 fs/super.c:465
 kill_block_super+0x79/0xd0 fs/super.c:1395
 deactivate_locked_super+0xa7/0xf0 fs/super.c:335
 cleanup_mnt+0x462/0x510 fs/namespace.c:1137
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x209/0x220 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88808c6faf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808c6faf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808c6fb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88808c6fb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808c6fb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================