==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x8d3/0x10f0
Read of size 4096 at addr ffff888079353000 by task kworker/u4:6/2851

CPU: 0 PID: 2851 Comm: kworker/u4:6 Not tainted 6.2.0-rc6-syzkaller-00239-g0136d86b7852 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: loop0 loop_workfn
Call Trace:
 dump_stack_lvl+0x1b5/0x2a0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 kasan_check_range+0x283/0x290
 memcpy+0x29/0x70
 copy_page_from_iter_atomic+0x8d3/0x10f0
 generic_perform_write+0x340/0x5c0
 __generic_file_write_iter+0x17a/0x400
 generic_file_write_iter+0xaf/0x310
 do_iter_write+0x6bc/0xc20
 loop_process_work+0x1384/0x2150
 process_one_work+0x96c/0x13e0
 worker_thread+0xa63/0x1210
 kthread+0x270/0x300
 ret_from_fork+0x1f/0x30

The buggy address belongs to the physical page:
page:ffffea0001e4d4c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79353
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001f65508 ffffea0000aab908 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100dc0(GFP_USER|__GFP_ZERO), pid 5944, tgid 5943 (syz-executor.0), ts 1851143627815, free_ts 1851170590301
 get_page_from_freelist+0x3403/0x3580
 __alloc_pages+0x291/0x7e0
 lmLogInit+0x319/0x1b00
 lmLogOpen+0x556/0x1030
 jfs_mount_rw+0xeb/0x780
 jfs_fill_super+0x681/0xc50
 mount_bdev+0x271/0x3a0
 legacy_get_tree+0xef/0x190
 vfs_get_tree+0x8c/0x270
 do_new_mount+0x28f/0xae0
 __se_sys_mount+0x2c9/0x3b0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 free_unref_page_prepare+0xf3a/0x1040
 free_unref_page+0x37/0x3f0
 lmLogShutdown+0x4bc/0x930
 lmLogClose+0x297/0x530
 jfs_umount+0x2ce/0x3a0
 jfs_fill_super+0x91a/0xc50
 mount_bdev+0x271/0x3a0
 legacy_get_tree+0xef/0x190
 vfs_get_tree+0x8c/0x270
 do_new_mount+0x28f/0xae0
 __se_sys_mount+0x2c9/0x3b0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888079352f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888079352f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888079353000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888079353080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888079353100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
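Triage of a report like the one above comes down to three facts: where the bad access happened, where the object was allocated, and where it was freed. The following parser is an added example (not part of the syzkaller report, the kernel, or JFS) that pulls those facts out of a generic-KASAN report. The sample input is the report above, trimmed; the lists of allocator/KASAN "noise" frames to skip and the shadow-byte meanings (0xff = freed page, 0xfb = freed slab object, per mm/kasan/kasan.h for generic KASAN with 8-byte granules) are the author's assumptions for this example.

```python
import re

# Constructed sample: the KASAN report on this page, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x8d3/0x10f0
Read of size 4096 at addr ffff888079353000 by task kworker/u4:6/2851

CPU: 0 PID: 2851 Comm: kworker/u4:6 Not tainted 6.2.0-rc6-syzkaller-00239-g0136d86b7852 #0
Workqueue: loop0 loop_workfn
Call Trace:
 dump_stack_lvl+0x1b5/0x2a0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 kasan_check_range+0x283/0x290
 memcpy+0x29/0x70
 copy_page_from_iter_atomic+0x8d3/0x10f0
 generic_perform_write+0x340/0x5c0
 loop_process_work+0x1384/0x2150

The buggy address belongs to the physical page:
page:ffffea0001e4d4c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79353
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100dc0(GFP_USER|__GFP_ZERO), pid 5944, tgid 5943 (syz-executor.0), ts 1851143627815, free_ts 1851170590301
 get_page_from_freelist+0x3403/0x3580
 __alloc_pages+0x291/0x7e0
 lmLogInit+0x319/0x1b00
 lmLogOpen+0x556/0x1030
 jfs_mount_rw+0xeb/0x780
page last free stack trace:
 free_unref_page_prepare+0xf3a/0x1040
 free_unref_page+0x37/0x3f0
 lmLogShutdown+0x4bc/0x930
 lmLogClose+0x297/0x530
 jfs_umount+0x2ce/0x3a0

Memory state around the buggy address:
 ffff888079352f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888079353000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
==================================================================
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^\s+(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW_RE = re.compile(r"^>(?P<row>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2}\s*)+)$")
KASAN_GRANULE = 8  # generic (software) KASAN: one shadow byte per 8 bytes of memory (assumption)

# Header line prefixes that start a stack, covering both page-owner and slab-style reports.
STACK_HEADERS = {"Call Trace:": "access", "Allocated by task": "alloc",
                 "page last allocated": "alloc", "Freed by task": "free",
                 "page last free stack trace:": "free"}

# Reporting/allocator plumbing to skip when naming the first interesting frame (assumed lists).
NOISE = {
    "access": re.compile(r"^(dump_stack|print_report|kasan_|__kasan_|__asan_|check_memory_region|memcpy|memmove|memset)"),
    "alloc": re.compile(r"^(get_page_from_freelist|__alloc_pages|alloc_pages|__kmalloc|kmalloc|kmem_cache_alloc|__kmem_cache|slab_|kasan_|__kasan_|____kasan)"),
    "free": re.compile(r"^(free_unref_page|__free_pages|free_pages|kfree|__kfree|kmem_cache_free|slab_free|__slab_free|kasan_|__kasan_|____kasan)"),
}

# Generic-KASAN shadow byte encodings (mm/kasan/kasan.h, Linux 6.x).
SHADOW_MEANING = {0x00: "addressable", 0xFB: "freed slab object", 0xFC: "slab redzone",
                  0xFE: "page redzone", 0xFF: "freed page"}


def parse_stacks(lines):
    """Collect symbol names for each stack section; a non-frame line ends the section."""
    stacks, current = {}, None
    for line in lines:
        kind = next((k for h, k in STACK_HEADERS.items() if line.startswith(h)), None)
        if kind:
            current = kind
            stacks.setdefault(kind, [])
            continue
        if current is None or line.strip() in ("<TASK>", "</TASK>", "<IRQ>", "</IRQ>"):
            continue
        m = FRAME_RE.match(line)
        if not m:
            current = None
        elif not m.group("unreliable"):  # drop "? sym" guesses from the unwinder
            stacks[current].append(m.group("sym"))
    return stacks


def first_meaningful(frames, kind):
    return next((s for s in frames if not NOISE[kind].match(s)), None)


def triage(report):
    lines = report.splitlines()
    info, shadow_row = {}, None
    for line in lines:
        if (m := BUG_RE.match(line)):
            info["bug"], info["reported_in"] = m.group("bug"), m.group("func")
        elif (m := ACCESS_RE.match(line)):
            info.update(kind=m.group("kind"), size=int(m.group("size")),
                        addr=int(m.group("addr"), 16), task=m.group("task"))
        elif (m := SHADOW_ROW_RE.match(line)):
            shadow_row = (int(m.group("row"), 16), [int(b, 16) for b in m.group("bytes").split()])
    stacks = parse_stacks(lines)
    for kind in ("access", "alloc", "free"):
        info[f"{kind}_site"] = first_meaningful(stacks.get(kind, []), kind)
    if shadow_row and "addr" in info:
        row, shadow = shadow_row
        idx = (info["addr"] - row) // KASAN_GRANULE  # which shadow byte the '^' marker points at
        if 0 <= idx < len(shadow):
            info["shadow"] = SHADOW_MEANING.get(shadow[idx], f"unknown 0x{shadow[idx]:02x}")
    return info


def summary(info):
    return (f"{info['bug']}: {info['kind']} of {info['size']} bytes in {info['access_site']} "
            f"by {info['task']}; allocated in {info['alloc_site']}, freed in {info['free_site']} "
            f"(shadow: {info.get('shadow', 'n/a')})")


if __name__ == "__main__":
    print(summary(triage(SAMPLE_REPORT)))
```

On this report the summary reads "use-after-free: Read of 4096 bytes in copy_page_from_iter_atomic by kworker/u4:6/2851; allocated in lmLogInit, freed in lmLogShutdown (shadow: freed page)", which is the whole triage story in one line: the page was freed on the jfs_umount error path inside jfs_fill_super while the loop worker still had a write in flight against it.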