==================================================================
BUG: KASAN: use-after-free in crc16+0x1fb/0x280 lib/crc16.c:58
Read of size 1 at addr ffff88806d6ca000 by task ext4lazyinit/27015

CPU: 1 PID: 27015 Comm: ext4lazyinit Not tainted 6.3.0-syzkaller-00436-g173ea743bf7a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:430
 kasan_report+0x176/0x1b0 mm/kasan/report.c:536
 crc16+0x1fb/0x280 lib/crc16.c:58
 ext4_group_desc_csum+0x90f/0xc50 fs/ext4/super.c:3189
 ext4_group_desc_csum_set+0x19b/0x240 fs/ext4/super.c:3212
 ext4_init_inode_table+0x655/0x800 fs/ext4/ialloc.c:1614
 ext4_run_li_request fs/ext4/super.c:3679 [inline]
 ext4_lazyinit_thread+0x789/0x19a0 fs/ext4/super.c:3770
 kthread+0x2b2/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the physical page:
page:ffffea0001b5b280 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x6d6ca
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0000772c88 ffffea0001eb4a88 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 29515, tgid 29515 (kworker/1:32), ts 2476511023767, free_ts 2476945051382
 prep_new_page mm/page_alloc.c:2553 [inline]
 get_page_from_freelist+0x3246/0x33c0 mm/page_alloc.c:4326
 __alloc_pages+0x255/0x670 mm/page_alloc.c:5592
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2287
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 __filemap_get_folio+0x719/0xe50 mm/filemap.c:1970
 pagecache_get_page+0x2c/0x240 mm/folio-compat.c:99
 find_or_create_page include/linux/pagemap.h:632 [inline]
 gfs2_find_jhead+0x46f/0xef0 fs/gfs2/lops.c:537
 gfs2_recover_func+0x6d2/0x1f00 fs/gfs2/recovery.c:460
 process_one_work+0x8a0/0x10e0 kernel/workqueue.c:2390
 worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
 kthread+0x2b2/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1454 [inline]
 free_pcp_prepare mm/page_alloc.c:1504 [inline]
 free_unref_page_prepare+0xe2f/0xe70 mm/page_alloc.c:3388
 free_unref_page_list+0x596/0x830 mm/page_alloc.c:3529
 release_pages+0x219e/0x2470 mm/swap.c:1042
 __pagevec_release+0x84/0x100 mm/swap.c:1062
 pagevec_release include/linux/pagevec.h:63 [inline]
 folio_batch_release include/linux/pagevec.h:132 [inline]
 truncate_inode_pages_range+0x45d/0x11d0 mm/truncate.c:372
 inode_go_inval+0x1e3/0x2c0 fs/gfs2/glops.c:375
 do_xmote+0x50b/0x1400 fs/gfs2/glock.c:733
 glock_work_func+0x2d9/0x460 fs/gfs2/glock.c:1076
 process_one_work+0x8a0/0x10e0 kernel/workqueue.c:2390
 worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
 kthread+0x2b2/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
 ffff88806d6c9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806d6c9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806d6ca000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88806d6ca080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806d6ca100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
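A small triage script, added here as an example and not part of the syzkaller report or of any kernel tooling, that pulls the three things a practitioner wants out of a report like the one above: the frame where the bad read happened (the first frame below kasan_report), which subsystem allocated and which freed the page (read from the page_owner stacks), and the KASAN shadow byte at the faulting address. The shadow address formula and the poison table are the x86_64 generic-KASAN defaults (CONFIG_KASAN_SHADOW_OFFSET, mm/kasan/kasan.h) and are assumed to match the 6.3 syzkaller kernel; the embedded REPORT is an abridged copy of the report on this page, included so the script runs offline.

```python
"""Triage a KASAN use-after-free report: access site, who allocated and who freed
the page, and what the shadow byte at the faulting address means.
Added example for this page, not part of the syzkaller report or any project.
KASAN_SHADOW_OFFSET and the poison values are the x86_64 generic-KASAN defaults
(arch/x86/Kconfig, mm/kasan/kasan.h) and are assumed to match the reporting kernel."""
import re

KASAN_SHADOW_OFFSET = 0xdffffc0000000000  # CONFIG_KASAN_SHADOW_OFFSET, x86_64 (assumed)
KASAN_SHADOW_SCALE_SHIFT = 3              # one shadow byte covers 8 bytes of memory
POISON = {                                # mm/kasan/kasan.h, names as of v6.3
    0x00: "accessible", 0xfa: "KASAN_SLAB_FREETRACK", 0xfb: "KASAN_SLAB_FREE (freed slab object)",
    0xfc: "KASAN_SLAB_REDZONE", 0xfe: "KASAN_PAGE_REDZONE", 0xff: "KASAN_PAGE_FREE (freed page)",
}
GENERIC_DIRS = {"mm", "lib", "include", "kernel", "arch"}  # infrastructure, never the owner
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"\s+(?P<loc>[\w./-]+:\d+)(?:\s+\[inline\])?\s*$")

# Abridged copy of the report on this page (constructed input so the script runs offline).
REPORT = """\
==================================================================
BUG: KASAN: use-after-free in crc16+0x1fb/0x280 lib/crc16.c:58
Read of size 1 at addr ffff88806d6ca000 by task ext4lazyinit/27015

CPU: 1 PID: 27015 Comm: ext4lazyinit Not tainted 6.3.0-syzkaller-00436-g173ea743bf7a #0
Call Trace:
 print_report+0x163/0x540 mm/kasan/report.c:430
 kasan_report+0x176/0x1b0 mm/kasan/report.c:536
 crc16+0x1fb/0x280 lib/crc16.c:58
 ext4_group_desc_csum+0x90f/0xc50 fs/ext4/super.c:3189
 ext4_init_inode_table+0x655/0x800 fs/ext4/ialloc.c:1614
 ext4_lazyinit_thread+0x789/0x19a0 fs/ext4/super.c:3770

page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 29515, tgid 29515 (kworker/1:32), ts 2476511023767, free_ts 2476945051382
 prep_new_page mm/page_alloc.c:2553 [inline]
 __filemap_get_folio+0x719/0xe50 mm/filemap.c:1970
 find_or_create_page include/linux/pagemap.h:632 [inline]
 gfs2_find_jhead+0x46f/0xef0 fs/gfs2/lops.c:537
 gfs2_recover_func+0x6d2/0x1f00 fs/gfs2/recovery.c:460
page last free stack trace:
 free_unref_page_list+0x596/0x830 mm/page_alloc.c:3529
 truncate_inode_pages_range+0x45d/0x11d0 mm/truncate.c:372
 inode_go_inval+0x1e3/0x2c0 fs/gfs2/glops.c:375
 do_xmote+0x50b/0x1400 fs/gfs2/glock.c:733

Memory state around the buggy address:
 ffff88806d6c9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806d6ca000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88806d6ca080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
"""


def _section(lines, start, stop):
    """Lines after the first line matching start(), up to the first matching stop()."""
    out, on = [], False
    for ln in lines:
        if not on:
            on = start(ln)
            continue
        if stop(ln):
            break
        out.append(ln)
    return out


def _frames(lines):
    return [(m["func"], m["loc"]) for m in map(FRAME_RE.match, lines) if m]


def owner_frame(frames):
    """First frame outside mm/lib/kernel/...: the subsystem code that owns this memory."""
    return next((f for f in frames if f[1].split("/")[0] not in GENERIC_DIRS), None)


def subsystem(loc):
    parts = loc.split("/")
    return parts[1] if parts[0] in {"fs", "drivers", "net"} and len(parts) > 2 else parts[0]


def shadow_addr(addr):
    """kasan_mem_to_shadow(): (addr >> 3) + KASAN_SHADOW_OFFSET."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET


def poison_meaning(b):
    if 1 <= b <= 7:
        return f"partially accessible (first {b} of 8 bytes valid)"
    return POISON.get(b, f"unknown poison 0x{b:02x}")


def triage(report):
    lines = report.splitlines()
    hdr = re.search(r"BUG: KASAN: (\S+) in (\S+) (\S+)", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", report)
    addr = int(acc[3], 16)
    trace = _frames(_section(lines, lambda l: l.startswith("Call Trace:"), lambda l: not l.strip()))
    idx = next((i for i, (f, _) in enumerate(trace) if f.startswith("kasan_report")), -1)
    site = trace[idx + 1:]  # everything above kasan_report is instrumentation
    alloc = _frames(_section(lines, lambda l: l.startswith("page last allocated"),
                             lambda l: l.startswith("page last free")))
    free = _frames(_section(lines, lambda l: l.startswith("page last free stack"),
                            lambda l: not l.strip()))
    # The '>' row of "Memory state" holds shadow bytes indexed by the kernel address they cover.
    m = re.search(r"^>([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", report, re.M)
    row = [int(b, 16) for b in m[2].split()]
    byte = row[(addr - int(m[1], 16)) >> KASAN_SHADOW_SCALE_SHIFT]
    owners = {k: owner_frame(v) for k, v in (("access", site), ("alloc", alloc), ("free", free))}
    return {
        "bug": hdr[1], "access": (acc[1], int(acc[2]), addr, acc[4]), "crash_frame": site[0],
        "owners": {k: (subsystem(f[1]), f[0]) for k, f in owners.items() if f},
        "shadow_addr": shadow_addr(addr), "shadow_byte": byte, "shadow_meaning": poison_meaning(byte),
    }


if __name__ == "__main__":
    r = triage(REPORT)
    print(f"{r['bug']}: {r['access'][0]} of {r['access'][1]} byte(s) at {r['access'][2]:#x} "
          f"by {r['access'][3]} in {r['crash_frame'][0]} ({r['crash_frame'][1]})")
    for k, (sub, fn) in r["owners"].items():
        print(f"  {k:6s}: {sub} ({fn})")
    print(f"  shadow {r['shadow_addr']:#x} = {r['shadow_byte']:#04x} -> {r['shadow_meaning']}")
```

On this report the script reports the read in crc16 reached from ext4_group_desc_csum, a page allocated under gfs2_find_jhead and freed from inode_go_inval, and shadow byte 0xff (KASAN_PAGE_FREE) at ffff88806d6ca000, which agrees with the "page_owner tracks the page as freed" line. That the page cache page was allocated and freed by one filesystem's workers while a different filesystem's kthread read through it is the fact the report establishes; the script only surfaces it, it does not identify the root cause.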