================================================================== BUG: KASAN: use-after-free in lbmIODone+0xdfd/0x10d0 fs/jfs/jfs_logmgr.c:2187 Read of size 4 at addr ffff88807aca1208 by task ksoftirqd/1/21 CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.17.0-rc6-next-20220303-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 lbmIODone+0xdfd/0x10d0 fs/jfs/jfs_logmgr.c:2187 bio_endio+0x5ec/0x770 block/bio.c:1550 req_bio_endio block/blk-mq.c:685 [inline] blk_update_request+0x401/0x1250 block/blk-mq.c:813 blk_mq_end_request+0x55/0x5f0 block/blk-mq.c:934 lo_complete_rq+0x1c2/0x280 drivers/block/loop.c:369 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1005 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 10739: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc include/linux/slab.h:584 [inline] lbmLogInit fs/jfs/jfs_logmgr.c:1830 [inline] lmLogInit+0x3af/0x17a0 fs/jfs/jfs_logmgr.c:1278 open_inline_log fs/jfs/jfs_logmgr.c:1183 [inline] lmLogOpen+0x7c8/0x13e0 fs/jfs/jfs_logmgr.c:1077 jfs_mount_rw+0x321/0x5d0 fs/jfs/jfs_mount.c:253 jfs_fill_super+0x9bc/0xc70 fs/jfs/super.c:569 mount_bdev+0x34d/0x410 fs/super.c:1367 legacy_get_tree+0x105/0x220 fs/fs_context.c:610 vfs_get_tree+0x89/0x2f0 fs/super.c:1497 do_new_mount fs/namespace.c:3025 [inline] path_mount+0x1320/0x1fa0 fs/namespace.c:3355 do_mount fs/namespace.c:3368 [inline] __do_sys_mount fs/namespace.c:3576 [inline] __se_sys_mount fs/namespace.c:3553 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3553 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 10739: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3523 [inline] kfree+0xd6/0x4d0 mm/slub.c:4576 lbmLogShutdown fs/jfs/jfs_logmgr.c:1873 [inline] lmLogShutdown+0x345/0x600 fs/jfs/jfs_logmgr.c:1692 lmLogClose+0x55f/0x700 fs/jfs/jfs_logmgr.c:1468 jfs_umount+0x2d3/0x3f0 fs/jfs/jfs_umount.c:116 jfs_fill_super+0xa47/0xc70 fs/jfs/super.c:604 mount_bdev+0x34d/0x410 fs/super.c:1367 legacy_get_tree+0x105/0x220 fs/fs_context.c:610 vfs_get_tree+0x89/0x2f0 fs/super.c:1497 do_new_mount fs/namespace.c:3025 [inline] path_mount+0x1320/0x1fa0 fs/namespace.c:3355 do_mount fs/namespace.c:3368 [inline] __do_sys_mount fs/namespace.c:3576 [inline] __se_sys_mount fs/namespace.c:3553 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3553 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 insert_work+0x48/0x350 kernel/workqueue.c:1358 __queue_work+0x62e/0x1140 kernel/workqueue.c:1517 queue_work_on+0xee/0x110 kernel/workqueue.c:1545 queue_work include/linux/workqueue.h:503 [inline] loop_queue_work drivers/block/loop.c:892 [inline] loop_queue_rq+0x5f2/0xf50 drivers/block/loop.c:1845 __blk_mq_issue_directly block/blk-mq.c:2434 [inline] __blk_mq_try_issue_directly+0x56a/0x790 block/blk-mq.c:2487 blk_mq_try_issue_directly+0x21/0x90 block/blk-mq.c:2511 blk_mq_submit_bio+0x157d/0x20c0 block/blk-mq.c:2848 __submit_bio+0x2b7/0x340 block/blk-core.c:680 __submit_bio_noacct_mq block/blk-core.c:757 [inline] submit_bio_noacct_nocheck block/blk-core.c:774 [inline] submit_bio_noacct_nocheck+0x6c9/0x8a0 block/blk-core.c:763 submit_bio_noacct+0x995/0x1be0 block/blk-core.c:881 submit_bio block/blk-core.c:941 [inline] submit_bio+0x1a0/0x350 block/blk-core.c:905 lbmStartIO+0x29d/0x360 fs/jfs/jfs_logmgr.c:2137 lmLogShutdown+0x499/0x600 fs/jfs/jfs_logmgr.c:1682 lmLogClose+0x55f/0x700 fs/jfs/jfs_logmgr.c:1468 jfs_umount+0x2d3/0x3f0 fs/jfs/jfs_umount.c:116 jfs_put_super+0x81/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x14c/0x400 fs/super.c:462 kill_block_super+0x97/0xf0 fs/super.c:1394 deactivate_locked_super+0x94/0x160 fs/super.c:332 deactivate_super+0xad/0xd0 fs/super.c:363 cleanup_mnt+0x3a2/0x540 fs/namespace.c:1171 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:176 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 insert_work+0x48/0x350 kernel/workqueue.c:1358 __queue_work+0x62e/0x1140 kernel/workqueue.c:1517 queue_work_on+0xee/0x110 kernel/workqueue.c:1545 queue_work include/linux/workqueue.h:503 [inline] loop_queue_work drivers/block/loop.c:892 [inline] loop_queue_rq+0x5f2/0xf50 drivers/block/loop.c:1845 __blk_mq_issue_directly block/blk-mq.c:2434 [inline] __blk_mq_try_issue_directly+0x56a/0x790 block/blk-mq.c:2487 blk_mq_try_issue_directly+0x21/0x90 block/blk-mq.c:2511 blk_mq_submit_bio+0x157d/0x20c0 block/blk-mq.c:2848 __submit_bio+0x2b7/0x340 block/blk-core.c:680 __submit_bio_noacct_mq block/blk-core.c:757 [inline] submit_bio_noacct_nocheck block/blk-core.c:774 [inline] submit_bio_noacct_nocheck+0x6c9/0x8a0 block/blk-core.c:763 submit_bio_noacct+0x995/0x1be0 block/blk-core.c:881 submit_bio block/blk-core.c:941 [inline] submit_bio+0x1a0/0x350 block/blk-core.c:905 lbmRead+0x34a/0x550 fs/jfs/jfs_logmgr.c:1995 lmLogShutdown+0x262/0x600 fs/jfs/jfs_logmgr.c:1676 lmLogClose+0x55f/0x700 fs/jfs/jfs_logmgr.c:1468 jfs_umount+0x2d3/0x3f0 fs/jfs/jfs_umount.c:116 jfs_put_super+0x81/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x14c/0x400 fs/super.c:462 kill_block_super+0x97/0xf0 fs/super.c:1394 deactivate_locked_super+0x94/0x160 fs/super.c:332 deactivate_super+0xad/0xd0 fs/super.c:363 cleanup_mnt+0x3a2/0x540 fs/namespace.c:1171 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:176 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88807aca1200 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of 192-byte region [ffff88807aca1200, ffff88807aca12c0) The buggy address belongs to the physical page: page:ffffea0001eb2840 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7aca1 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001d95500 dead000000000002 ffff888010c41a00 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3623, tgid 3623 (syz-executor.4), ts 205029639218, free_ts 204993616540 prep_new_page mm/page_alloc.c:2438 [inline] get_page_from_freelist+0xa7f/0x3ec0 mm/page_alloc.c:4182 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5400 __alloc_pages_node include/linux/gfp.h:585 [inline] alloc_slab_page mm/slub.c:1801 [inline] allocate_slab+0x80/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0x8d0/0xf30 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] __kmalloc_node+0x2cb/0x390 mm/slub.c:4482 kmalloc_array_node include/linux/slab.h:679 [inline] kcalloc_node include/linux/slab.h:684 [inline] memcg_alloc_slab_cgroups+0x8b/0x140 mm/memcontrol.c:2797 account_slab mm/slab.h:652 [inline] allocate_slab+0x2c9/0x3c0 mm/slub.c:1960 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0x8d0/0xf30 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] __kmem_cache_alloc_lru mm/slub.c:3245 [inline] kmem_cache_alloc_lru+0x504/0x720 mm/slub.c:3262 alloc_inode_sb include/linux/fs.h:3017 [inline] sock_alloc_inode+0x23/0x1d0 net/socket.c:304 alloc_inode+0x61/0x230 fs/inode.c:260 new_inode_pseudo+0x14/0xe0 fs/inode.c:1018 sock_alloc+0x3c/0x260 net/socket.c:627 __sock_create+0xb9/0x790 net/socket.c:1432 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1353 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1403 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3420 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3230 [inline] kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3280 __alloc_skb+0x215/0x340 net/core/skbuff.c:414 alloc_skb include/linux/skbuff.h:1233 [inline] nlmsg_new include/net/netlink.h:953 [inline] rtnl_getlink+0x5b9/0xae0 net/core/rtnetlink.c:3630 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5598 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x539/0x7e0 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 __sys_sendto+0x21c/0x320 net/socket.c:2040 __do_sys_sendto net/socket.c:2052 [inline] __se_sys_sendto net/socket.c:2048 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2048 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 Memory state around the buggy address: ffff88807aca1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807aca1180: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88807aca1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807aca1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88807aca1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================