ERROR: (device loop7): txAbort:
ERROR: (device loop7): remounting filesystem as read-only
==================================================================
BUG: KASAN: slab-use-after-free in drop_metapage fs/jfs/jfs_metapage.c:229 [inline]
BUG: KASAN: slab-use-after-free in release_metapage+0x67c/0xa38 fs/jfs/jfs_metapage.c:784
Read of size 8 at addr ffff0000e3b146f0 by task syz.7.147/7620

CPU: 1 UID: 0 PID: 7620 Comm: syz.7.147 Not tainted 6.12.0-rc6-syzkaller-g563047e691f2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 drop_metapage fs/jfs/jfs_metapage.c:229 [inline]
 release_metapage+0x67c/0xa38 fs/jfs/jfs_metapage.c:784
 write_metapage fs/jfs/jfs_metapage.h:75 [inline]
 flush_metapage fs/jfs/jfs_metapage.h:81 [inline]
 ea_put fs/jfs/xattr.c:618 [inline]
 __jfs_setxattr+0xdf4/0x12f8 fs/jfs/xattr.c:787
 jfs_initxattrs+0x100/0x1ac fs/jfs/xattr.c:1035
 security_inode_init_security+0x73c/0x908 security/security.c:1848
 jfs_init_security+0xb4/0x118 fs/jfs/xattr.c:1047
 jfs_mkdir+0x25c/0xa08 fs/jfs/namei.c:240
 vfs_mkdir+0x27c/0x410 fs/namei.c:4257
 do_mkdirat+0x248/0x574 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4293
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 7620:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4085 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_noprof+0x1c0/0x354 mm/slub.c:4141
 mempool_alloc_slab+0x58/0x74 mm/mempool.c:559
 mempool_alloc_noprof+0x150/0x48c mm/mempool.c:402
 alloc_metapage fs/jfs/jfs_metapage.c:182 [inline]
 __get_metapage+0x57c/0xeac fs/jfs/jfs_metapage.c:652
 ea_get+0x8b4/0xf1c fs/jfs/xattr.c:528
 __jfs_setxattr+0x41c/0x12f8 fs/jfs/xattr.c:722
 jfs_initxattrs+0x100/0x1ac fs/jfs/xattr.c:1035
 security_inode_init_security+0x73c/0x908 security/security.c:1848
 jfs_init_security+0xb4/0x118 fs/jfs/xattr.c:1047
 jfs_mkdir+0x25c/0xa08 fs/jfs/namei.c:240
 vfs_mkdir+0x27c/0x410 fs/namei.c:4257
 do_mkdirat+0x248/0x574 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4293
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 7610:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kmem_cache_free+0x19c/0x560 mm/slub.c:4681
 mempool_free_slab+0x28/0x38 mm/mempool.c:566
 mempool_free+0xbc/0x2e8 mm/mempool.c:548
 free_metapage fs/jfs/jfs_metapage.c:197 [inline]
 metapage_release_folio+0x388/0x4a0 fs/jfs/jfs_metapage.c:552
 metapage_invalidate_folio+0x148/0x1c8 fs/jfs/jfs_metapage.c:564
 folio_invalidate mm/truncate.c:141 [inline]
 truncate_cleanup_folio+0x260/0x4cc mm/truncate.c:161
 truncate_inode_folio mm/truncate.c:177 [inline]
 truncate_inode_pages_range+0xb20/0xf64 mm/truncate.c:399
 truncate_inode_pages+0x2c/0x3c mm/truncate.c:423
 jfs_remount+0x2dc/0x594 fs/jfs/super.c:451
 legacy_reconfigure+0xfc/0x114 fs/fs_context.c:685
 reconfigure_super+0x1d0/0x6f0 fs/super.c:1083
 vfs_cmd_reconfigure fs/fsopen.c:262 [inline]
 vfs_fsconfig_locked fs/fsopen.c:291 [inline]
 __do_sys_fsconfig fs/fsopen.c:472 [inline]
 __se_sys_fsconfig fs/fsopen.c:344 [inline]
 __arm64_sys_fsconfig+0x90c/0xca0 fs/fsopen.c:344
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000e3b146c8
 which belongs to the cache jfs_mp of size 184
The buggy address is located 40 bytes inside of
 freed 184-byte region [ffff0000e3b146c8, ffff0000e3b14780)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123b14
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c3e9edc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e3b14580: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
 ffff0000e3b14600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e3b14680: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
                                                             ^
 ffff0000e3b14700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000e3b14780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================