ocfs2: Mounting device (7,4) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: use-after-free in ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x950/0x1e20 fs/ocfs2/suballoc.c:1982
Read of size 4 at addr ffff0000f1fe0000 by task syz.4.68/6770

CPU: 0 UID: 0 PID: 6770 Comm: syz.4.68 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ocfs2_find_victim_chain fs/ocfs2/suballoc.c:1445 [inline]
 ocfs2_claim_suballoc_bits+0x950/0x1e20 fs/ocfs2/suballoc.c:1982
 __ocfs2_claim_clusters+0x2a0/0x8a8 fs/ocfs2/suballoc.c:2395
 ocfs2_claim_clusters fs/ocfs2/suballoc.c:2432 [inline]
 ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:432 [inline]
 ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
 ocfs2_reserve_suballoc_bits+0xd44/0x4288 fs/ocfs2/suballoc.c:832
 ocfs2_reserve_new_metadata_blocks+0x384/0x848 fs/ocfs2/suballoc.c:982
 ocfs2_mknod+0xdc8/0x243c fs/ocfs2/namei.c:345
 ocfs2_mkdir+0x194/0x4e0 fs/ocfs2/namei.c:655
 vfs_mkdir+0x27c/0x410 fs/namei.c:4210
 do_mkdirat+0x248/0x574 fs/namei.c:4233
 __do_sys_mkdirat fs/namei.c:4248 [inline]
 __se_sys_mkdirat fs/namei.c:4246 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4246
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x98a pfn:0x131fe0
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xbfffffff(buddy)
raw: 05ffc00000000000 fffffdffc3bd8008 fffffdffc3753008 0000000000000000
raw: 000000000000098a 0000000000000005 00000000bfffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f1fdff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000f1fdff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000f1fe0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff0000f1fe0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000f1fe0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
(syz.4.68,6770,1):ocfs2_read_blocks:240 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_search_chain:1814 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_search_chain:1926 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_claim_suballoc_bits:1995 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_claim_suballoc_bits:2038 ERROR: status = -12
(syz.4.68,6770,1):__ocfs2_claim_clusters:2412 ERROR: status = -12
(syz.4.68,6770,1):__ocfs2_claim_clusters:2420 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_block_group_alloc_contig:437 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_block_group_alloc:709 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_block_group_alloc:762 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_suballoc_bits:837 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_suballoc_bits:854 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_new_metadata_blocks:994 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_new_metadata_blocks:1017 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_mknod:348 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_mknod:500 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_mkdir:657 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_read_blocks:240 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_search_chain:1814 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_search_chain:1926 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_claim_suballoc_bits:1995 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_claim_suballoc_bits:2038 ERROR: status = -12
(syz.4.68,6770,1):__ocfs2_claim_clusters:2412 ERROR: status = -12
(syz.4.68,6770,1):__ocfs2_claim_clusters:2420 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_block_group_alloc_contig:437 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_block_group_alloc:709 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_block_group_alloc:762 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_suballoc_bits:837 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_suballoc_bits:854 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_new_metadata_blocks:994 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_reserve_new_metadata_blocks:1017 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_mknod:348 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_mknod:500 ERROR: status = -12
(syz.4.68,6770,1):ocfs2_mkdir:657 ERROR: status = -12