... Log Wrap ... Log Wrap ... Log Wrap ...
==================================================================
BUG: KFENCE: use-after-free write in jfs_lazycommit+0x695/0xb80 fs/jfs/jfs_txnmgr.c:2736

Use-after-free write at 0xffff88823bdb8094 (in kfence-#219):
 jfs_lazycommit+0x695/0xb80 fs/jfs/jfs_txnmgr.c:2736
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

kfence-#219: 0xffff88823bdb8000-0xffff88823bdb80df, size=224, cache=kmalloc-256

allocated by task 6831 on cpu 0 at 159.166595s:
 kfence_alloc include/linux/kfence.h:129 [inline]
 slab_alloc_node mm/slub.c:3984 [inline]
 kmalloc_trace_noprof+0x237/0x2c0 mm/slub.c:4147
 kmalloc_noprof include/linux/slab.h:660 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 jfs_fill_super+0xff/0xc50 fs/jfs/super.c:495
 mount_bdev+0x20a/0x2d0 fs/super.c:1659
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2a0 fs/super.c:1780
 do_new_mount+0x2be/0xb40 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

freed by task 6114 on cpu 0 at 159.577694s:
 generic_shutdown_super+0x136/0x2d0 fs/super.c:642
 kill_block_super+0x44/0x90 fs/super.c:1676
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x102/0x240 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 PID: 114 Comm: jfsCommit Not tainted 6.9.0-rc7-next-20240510-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:jfs_lazycommit+0x695/0xb80 fs/jfs/jfs_txnmgr.c:2736
Code: 48 c7 c7 e0 22 8f 94 e8 69 a1 6a 08 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 40 0f b6 04 01 84 c0 0f 85 32 01 00 00 <41> 80 65 00 fe 4c 8b 35 8f 6d 64 11 48 c7 c0 20 23 8f 94 49 39 c6
RSP: 0018:ffffc9000254fda0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 1ffff110477b7012
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc9000254fc80
RBP: ffffc9000254fed0 R08: 0000000000000003 R09: fffff520004a9f90
R10: dffffc0000000000 R11: fffff520004a9f90 R12: 0000000000000246
R13: ffff88823bdb8094 R14: ffffc90002678110 R15: ffff88802d491800
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bdb8094 CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
==================================================================
----------------
Code disassembly (best guess):
   0:   48 c7 c7 e0 22 8f 94    mov    $0xffffffff948f22e0,%rdi
   7:   e8 69 a1 6a 08          call   0x86aa175
   c:   49 89 c4                mov    %rax,%r12
   f:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  16:   fc ff df
  19:   48 8b 4c 24 40          mov    0x40(%rsp),%rcx
  1e:   0f b6 04 01             movzbl (%rcx,%rax,1),%eax
  22:   84 c0                   test   %al,%al
  24:   0f 85 32 01 00 00       jne    0x15c
* 2a:   41 80 65 00 fe          andb   $0xfe,0x0(%r13) <-- trapping instruction
  2f:   4c 8b 35 8f 6d 64 11    mov    0x11646d8f(%rip),%r14        # 0x11646dc5
  36:   48 c7 c0 20 23 8f 94    mov    $0xffffffff948f2320,%rax
  3d:   49 39 c6                cmp    %rax,%r14