FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 fail_dump lib/fault-inject.c:53 [inline]
 should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154
 prepare_alloc_pages+0x1da/0x5b0 mm/page_alloc.c:4497
 __alloc_pages_noprof+0x16f/0x710 mm/page_alloc.c:4724
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 pagetable_alloc_noprof include/linux/mm.h:2886 [inline]
 __pte_alloc_one_noprof include/asm-generic/pgalloc.h:70 [inline]
 pte_alloc_one+0x8f/0x610 arch/x86/mm/pgtable.c:33
 __pte_alloc+0x79/0x3c0 mm/memory.c:448
 do_anonymous_page mm/memory.c:4752 [inline]
 do_pte_missing mm/memory.c:3963 [inline]
 handle_pte_fault+0x50dd/0x6820 mm/memory.c:5766
 __handle_mm_fault mm/memory.c:5909 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6077
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fc2cf441833
Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c
RSP: 002b:00007fc2d02fb4a0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00007fc2d02fb540 RCX: 00007fc2c4400000
RDX: 00007fc2d02fb6e0 RSI: 0000000000000019 RDI: 00007fc2d02fb5e0
RBP: 000000000000013c R08: 0000000000000006 R09: 000000000000001f
R10: 0000000000000024 R11: 00007fc2d02fb540 R12: 00007fc2d02fb540
R13: 00007fc2cf605e20 R14: 0000000000000002 R15: 00007fc2d02fb5e0
 </TASK>
Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x203/0x7e0 fs/ocfs2/alloc.c:1824
Read of size 4 at addr ffff888051126000 by task syz.0.0/5329

CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __ocfs2_find_path+0x203/0x7e0 fs/ocfs2/alloc.c:1824
 ocfs2_find_leaf+0xcf/0x230 fs/ocfs2/alloc.c:1938
 ocfs2_get_clusters_nocache+0x1ad/0xbf0 fs/ocfs2/extent_map.c:418
 ocfs2_get_clusters+0x5bd/0xbd0 fs/ocfs2/extent_map.c:621
 ocfs2_extent_map_get_blocks+0x24c/0x7d0 fs/ocfs2/extent_map.c:668
 ocfs2_read_virt_blocks+0x313/0xb20 fs/ocfs2/extent_map.c:983
 ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
 ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
 ocfs2_find_entry+0x43b/0x2780 fs/ocfs2/dir.c:1080
 ocfs2_find_files_on_disk+0xff/0x360 fs/ocfs2/dir.c:1981
 ocfs2_lookup_ino_from_name+0xb1/0x1e0 fs/ocfs2/dir.c:2003
 _ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
 ocfs2_get_system_file_inode+0x305/0x7b0 fs/ocfs2/sysfile.c:112
 ocfs2_init_global_system_inodes+0x32c/0x730 fs/ocfs2/super.c:457
 ocfs2_initialize_super fs/ocfs2/super.c:2248 [inline]
 ocfs2_fill_super+0x2f47/0x5750 fs/ocfs2/super.c:994
 mount_bdev+0x20a/0x2d0 fs/super.c:1693
 legacy_get_tree+0xee/0x190 fs/fs_context.c:662
 vfs_get_tree+0x90/0x2b0 fs/super.c:1814
 do_new_mount+0x2be/0xb40 fs/namespace.c:3507
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc2cf57feba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc2d02fbe68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fc2d02fbef0 RCX: 00007fc2cf57feba
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007fc2d02fbeb0
RBP: 0000000020004440 R08: 00007fc2d02fbef0 R09: 0000000001000000
R10: 0000000001000000 R11: 0000000000000246 R12: 0000000020000780
R13: 00007fc2d02fbeb0 R14: 000000000000444a R15: 00000000200005c0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51126
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00014449c8 ffff88801fc44cb0 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff888051125f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888051125f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888051126000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888051126080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888051126100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================