================================================================== BUG: KFENCE: use-after-free read in constant_test_bit arch/x86/include/asm/bitops.h:207 [inline] BUG: KFENCE: use-after-free read in arch_test_bit arch/x86/include/asm/bitops.h:239 [inline] BUG: KFENCE: use-after-free read in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline] BUG: KFENCE: use-after-free read in mapping_unevictable include/linux/pagemap.h:252 [inline] BUG: KFENCE: use-after-free read in folio_evictable mm/internal.h:138 [inline] BUG: KFENCE: use-after-free read in lru_add_fn+0x2f3/0x1ac0 mm/swap.c:210 Use-after-free read at 0xffff88823bd60540 (in kfence-#175): constant_test_bit arch/x86/include/asm/bitops.h:207 [inline] arch_test_bit arch/x86/include/asm/bitops.h:239 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline] mapping_unevictable include/linux/pagemap.h:252 [inline] folio_evictable mm/internal.h:138 [inline] lru_add_fn+0x2f3/0x1ac0 mm/swap.c:210 folio_batch_move_lru+0x31a/0x720 mm/swap.c:246 folio_add_lru+0x46a/0xd70 mm/swap.c:534 wp_page_copy+0xce7/0x18c0 mm/memory.c:3204 handle_pte_fault mm/memory.c:5031 [inline] __handle_mm_fault mm/memory.c:5155 [inline] handle_mm_fault+0x2525/0x5340 mm/memory.c:5276 do_user_addr_fault arch/x86/mm/fault.c:1340 [inline] handle_page_fault arch/x86/mm/fault.c:1431 [inline] exc_page_fault+0x26f/0x620 arch/x86/mm/fault.c:1487 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 kfence-#175: 0xffff88823bd60000-0xffff88823bd605e7, size=1512, cache=nilfs2_inode_cache allocated by task 6363 on cpu 1 at 182.138511s: alloc_inode_sb include/linux/fs.h:3193 [inline] nilfs_alloc_inode+0x2a/0xe0 fs/nilfs2/super.c:154 alloc_inode fs/inode.c:261 [inline] iget5_locked+0x9c/0x270 fs/inode.c:1285 nilfs_iget_locked+0x127/0x180 fs/nilfs2/inode.c:605 nilfs_ifile_read+0x2e/0x170 fs/nilfs2/ifile.c:187 nilfs_attach_checkpoint+0x260/0x4d0 fs/nilfs2/super.c:572 nilfs_fill_super+0x349/0x660 fs/nilfs2/super.c:1095 nilfs_mount+0x679/0x9a0 fs/nilfs2/super.c:1347 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632 vfs_get_tree+0x88/0x270 fs/super.c:1562 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051 do_mount fs/namespace.c:3394 [inline] __do_sys_mount fs/namespace.c:3602 [inline] __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 freed by task 6278 on cpu 0 at 182.998334s: rcu_do_batch kernel/rcu/tree.c:2296 [inline] rcu_core+0xad5/0x1810 kernel/rcu/tree.c:2556 handle_softirqs+0x2ee/0xa40 kernel/softirq.c:571 __do_softirq kernel/softirq.c:605 [inline] invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x157/0x240 kernel/softirq.c:654 irq_exit_rcu+0x5/0x20 kernel/softirq.c:666 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653 console_emit_next_record+0xd67/0x1000 kernel/printk/printk.c:2786 console_unlock+0x278/0x7c0 kernel/printk/printk.c:2906 vprintk_emit+0x523/0x740 kernel/printk/printk.c:2303 _printk+0xd1/0x111 kernel/printk/printk.c:2328 batadv_hardif_activate_interface+0x15d/0x3a0 net/batman-adv/hard-interface.c:674 batadv_hard_if_event+0xbc/0x1540 net/batman-adv/hard-interface.c:971 notifier_call_chain kernel/notifier.c:87 [inline] raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:455 __dev_notify_flags+0x304/0x610 dev_change_flags+0xe7/0x190 net/core/dev.c:8661 do_setlink+0xcf4/0x3de0 net/core/rtnetlink.c:2801 __rtnl_newlink net/core/rtnetlink.c:3576 [inline] rtnl_newlink+0x172c/0x2050 net/core/rtnetlink.c:3623 rtnetlink_rcv_msg+0x818/0xff0 net/core/rtnetlink.c:6121 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1352 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:730 [inline] __sys_sendto+0x480/0x600 net/socket.c:2148 __do_sys_sendto net/socket.c:2160 [inline] __se_sys_sendto net/socket.c:2156 [inline] __x64_sys_sendto+0xda/0xf0 net/socket.c:2156 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 CPU: 0 PID: 6401 Comm: syz-executor.4 Not tainted 6.1.94-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:207 [inline] RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:239 [inline] RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline] RIP: 0010:mapping_unevictable include/linux/pagemap.h:252 [inline] RIP: 0010:folio_evictable mm/internal.h:138 [inline] RIP: 0010:lru_add_fn+0x2f3/0x1ac0 mm/swap.c:210 Code: df be 08 00 00 00 e8 ec c3 25 00 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 48 89 df e8 3d c2 25 00 <48> 8b 1b 48 89 de 48 83 e6 08 31 ff e8 bc 45 ce ff 48 83 e3 08 0f RSP: 0000:ffffc900039ff900 EFLAGS: 00010046 RAX: 1ffff110477ac0a8 RBX: ffff88823bd60540 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88823bd60540 RBP: 0000000000000000 R08: dffffc0000000000 R09: ffffed10477ac0a9 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 R13: ffffffff81bc5084 R14: ffffea00008d58c0 R15: 0000000000000001 FS: 0000555556f9a480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823bd60540 CR3: 0000000060eb9000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: folio_batch_move_lru+0x31a/0x720 mm/swap.c:246 folio_add_lru+0x46a/0xd70 mm/swap.c:534 wp_page_copy+0xce7/0x18c0 mm/memory.c:3204 handle_pte_fault mm/memory.c:5031 [inline] __handle_mm_fault mm/memory.c:5155 [inline] handle_mm_fault+0x2525/0x5340 mm/memory.c:5276 do_user_addr_fault arch/x86/mm/fault.c:1340 [inline] handle_page_fault arch/x86/mm/fault.c:1431 [inline] exc_page_fault+0x26f/0x620 arch/x86/mm/fault.c:1487 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0033:0x7fb808438e75 Code: 08 48 83 c0 08 48 83 c2 08 49 39 d4 75 e7 4c 8d 60 08 49 29 dc 49 c1 fc 03 e9 9f fe ff ff 0f 1f 80 00 00 00 00 4c 89 f6 eb 9f <4c> 89 1c f7 e9 2e ff ff ff 66 90 41 56 49 89 fe 41 55 41 54 55 48 RSP: 002b:00007fff9e458690 EFLAGS: 00010246 RAX: 0000000083f090d5 RBX: 00007fb807dff008 RCX: 0000000083f090d5 RDX: 0000000083f090d9 RSI: 00000000000010d5 RDI: 00007fb8085a0000 RBP: 0000000000000004 R08: 0000000080000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000083f090d5 R12: ffffffff83f098c7 R13: 0000000000000004 R14: ffffffff83f090d5 R15: 00007fb8085b4018 ================================================================== ---------------- Code disassembly (best guess): 0: df be 08 00 00 00 fistpll 0x8(%rsi) 6: e8 ec c3 25 00 call 0x25c3f7 b: 48 89 d8 mov %rbx,%rax e: 48 c1 e8 03 shr $0x3,%rax 12: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx 19: fc ff df 1c: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) 20: 74 08 je 0x2a 22: 48 89 df mov %rbx,%rdi 25: e8 3d c2 25 00 call 0x25c267 * 2a: 48 8b 1b mov (%rbx),%rbx <-- trapping instruction 2d: 48 89 de mov %rbx,%rsi 30: 48 83 e6 08 and $0x8,%rsi 34: 31 ff xor %edi,%edi 36: e8 bc 45 ce ff call 0xffce45f7 3b: 48 83 e3 08 and $0x8,%rbx 3f: 0f .byte 0xf