loop0: rw=1, sector=131324, nr_sectors = 4 limit=32768
gfs2: fsid=syz:syz.0: Error 10 writing to journal, jid=0
gfs2: fsid=syz:syz.0: fatal: I/O error(s)
gfs2: fsid=syz:syz.0: about to withdraw this file system
BUG: sleeping function called from invalid context at fs/gfs2/util.c:159
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6458, name: syz-executor.0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
5 locks held by syz-executor.0/6458:
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: deactivate_super+0xd8/0x100 fs/super.c:516
 #1: ffff0000d61dcb78 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x1b0/0x584 fs/gfs2/quota.c:1354
 #2: ffff0000d61dd060 (&sdp->sd_log_flush_lock){++++}-{3:3}, at: gfs2_log_flush+0xc0/0x2054 fs/gfs2/log.c:1042
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: gfs2_log_lock fs/gfs2/log.h:32 [inline]
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: gfs2_flush_revokes+0x50/0x94 fs/gfs2/log.c:814
 #4: ffff0000d61dd248 (&sdp->sd_freeze_mutex){+.+.}-{3:3}, at: signal_our_withdraw fs/gfs2/util.c:152 [inline]
 #4: ffff0000d61dd248 (&sdp->sd_freeze_mutex){+.+.}-{3:3}, at: gfs2_withdraw+0x3b8/0x12c4 fs/gfs2/util.c:342
Preemption disabled at:
[] spin_lock include/linux/spinlock.h:351 [inline]
[] gfs2_log_lock fs/gfs2/log.h:32 [inline]
[] gfs2_flush_revokes+0x50/0x94 fs/gfs2/log.c:814
CPU: 0 PID: 6458 Comm: syz-executor.0 Not tainted 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 __might_resched+0x374/0x4d0 kernel/sched/core.c:10151
 __might_sleep+0x90/0xe4 kernel/sched/core.c:10080
 signal_our_withdraw fs/gfs2/util.c:157 [inline]
 gfs2_withdraw+0x400/0x12c4 fs/gfs2/util.c:342
 gfs2_ail1_empty+0x734/0x7c4 fs/gfs2/log.c:377
 gfs2_flush_revokes+0x5c/0x94 fs/gfs2/log.c:815
 revoke_lo_before_commit+0x3c/0x640 fs/gfs2/lops.c:867
 lops_before_commit fs/gfs2/lops.h:42 [inline]
 gfs2_log_flush+0x90c/0x2054 fs/gfs2/log.c:1101
 do_sync+0x8f8/0xacc fs/gfs2/quota.c:1010
 gfs2_quota_sync+0x338/0x584 fs/gfs2/quota.c:1370
 gfs2_sync_fs+0x4c/0xc4 fs/gfs2/super.c:669
 sync_filesystem+0xe8/0x218 fs/sync.c:56
 generic_shutdown_super+0x70/0x2b8 fs/super.c:669
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
BUG: scheduling while atomic: syz-executor.0/6458/0x00000002
5 locks held by syz-executor.0/6458:
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: deactivate_super+0xd8/0x100 fs/super.c:516
 #1: ffff0000d61dcb78 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x1b0/0x584 fs/gfs2/quota.c:1354
 #2: ffff0000d61dd060 (&sdp->sd_log_flush_lock){++++}-{3:3}, at: gfs2_log_flush+0xc0/0x2054 fs/gfs2/log.c:1042
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: gfs2_log_lock fs/gfs2/log.h:32 [inline]
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: gfs2_flush_revokes+0x50/0x94 fs/gfs2/log.c:814
 #4: ffff0000d61dd248 (&sdp->sd_freeze_mutex){+.+.}-{3:3}, at: signal_our_withdraw fs/gfs2/util.c:152 [inline]
 #4: ffff0000d61dd248 (&sdp->sd_freeze_mutex){+.+.}-{3:3}, at: gfs2_withdraw+0x3b8/0x12c4 fs/gfs2/util.c:342
Modules linked in:
Preemption disabled at:
[] spin_lock include/linux/spinlock.h:351 [inline]
[] gfs2_log_lock fs/gfs2/log.h:32 [inline]
[] gfs2_flush_revokes+0x50/0x94 fs/gfs2/log.c:814
CPU: 0 PID: 6458 Comm: syz-executor.0 Tainted: G W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 __schedule_bug+0x10c/0x19c kernel/sched/core.c:5919
 schedule_debug kernel/sched/core.c:5946 [inline]
 __schedule+0x13fc/0x2360 kernel/sched/core.c:6581
 __schedule_loop kernel/sched/core.c:6763 [inline]
 schedule+0xb8/0x19c kernel/sched/core.c:6778
 schedule_timeout+0x1d8/0x348 kernel/time/timer.c:2167
 signal_our_withdraw fs/gfs2/util.c:157 [inline]
 gfs2_withdraw+0x490/0x12c4 fs/gfs2/util.c:342
 gfs2_ail1_empty+0x734/0x7c4 fs/gfs2/log.c:377
 gfs2_flush_revokes+0x5c/0x94 fs/gfs2/log.c:815
 revoke_lo_before_commit+0x3c/0x640 fs/gfs2/lops.c:867
 lops_before_commit fs/gfs2/lops.h:42 [inline]
 gfs2_log_flush+0x90c/0x2054 fs/gfs2/log.c:1101
 do_sync+0x8f8/0xacc fs/gfs2/quota.c:1010
 gfs2_quota_sync+0x338/0x584 fs/gfs2/quota.c:1370
 gfs2_sync_fs+0x4c/0xc4 fs/gfs2/super.c:669
 sync_filesystem+0xe8/0x218 fs/sync.c:56
 generic_shutdown_super+0x70/0x2b8 fs/super.c:669
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount.
gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0
=============================
[ BUG: Invalid wait context ]
6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0 Tainted: G W
-----------------------------
syz-executor.0/6458 is trying to lock:
ffff8000912b15a8 (uevent_sock_mutex){+.+.}-{3:3}, at: kobject_uevent_env+0x4d0/0x874 lib/kobject_uevent.c:586
other info that might help us debug this:
context-{4:4}
4 locks held by syz-executor.0/6458:
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
 #0: ffff0000c1cee0e0 (&type->s_umount_key#52){+.+.}-{3:3}, at: deactivate_super+0xd8/0x100 fs/super.c:516
 #1: ffff0000d61dcb78 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x1b0/0x584 fs/gfs2/quota.c:1354
 #2: ffff0000d61dd060 (&sdp->sd_log_flush_lock){++++}-{3:3}, at: gfs2_log_flush+0xc0/0x2054 fs/gfs2/log.c:1042
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: gfs2_log_lock fs/gfs2/log.h:32 [inline]
 #3: ffff0000d61dce88 (&sdp->sd_log_lock){+.+.}-{2:2}, at: gfs2_flush_revokes+0x50/0x94 fs/gfs2/log.c:814
stack backtrace:
CPU: 0 PID: 6458 Comm: syz-executor.0 Tainted: G W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4751 [inline]
 check_wait_context kernel/locking/lockdep.c:4821 [inline]
 __lock_acquire+0x1be4/0x763c kernel/locking/lockdep.c:5087
 lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5754
 __mutex_lock_common+0x190/0x21a0 kernel/locking/mutex.c:603
 __mutex_lock kernel/locking/mutex.c:747 [inline]
 mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:799
 kobject_uevent_env+0x4d0/0x874 lib/kobject_uevent.c:586
 kobject_uevent+0x2c/0x3c lib/kobject_uevent.c:642
 gfs2_withdraw+0xcb4/0x12c4 fs/gfs2/util.c:344
 gfs2_ail1_empty+0x734/0x7c4 fs/gfs2/log.c:377
 gfs2_flush_revokes+0x5c/0x94 fs/gfs2/log.c:815
 revoke_lo_before_commit+0x3c/0x640 fs/gfs2/lops.c:867
 lops_before_commit fs/gfs2/lops.h:42 [inline]
 gfs2_log_flush+0x90c/0x2054 fs/gfs2/log.c:1101
 do_sync+0x8f8/0xacc fs/gfs2/quota.c:1010
 gfs2_quota_sync+0x338/0x584 fs/gfs2/quota.c:1370
 gfs2_sync_fs+0x4c/0xc4 fs/gfs2/super.c:669
 sync_filesystem+0xe8/0x218 fs/sync.c:56
 generic_shutdown_super+0x70/0x2b8 fs/super.c:669
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
gfs2: fsid=syz:syz.0: File system withdrawn
CPU: 0 PID: 6458 Comm: syz-executor.0 Tainted: G W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 gfs2_withdraw+0xda4/0x12c4 fs/gfs2/util.c:355
 gfs2_ail1_empty+0x734/0x7c4 fs/gfs2/log.c:377
 gfs2_flush_revokes+0x5c/0x94 fs/gfs2/log.c:815
 revoke_lo_before_commit+0x3c/0x640 fs/gfs2/lops.c:867
 lops_before_commit fs/gfs2/lops.h:42 [inline]
 gfs2_log_flush+0x90c/0x2054 fs/gfs2/log.c:1101
 do_sync+0x8f8/0xacc fs/gfs2/quota.c:1010
 gfs2_quota_sync+0x338/0x584 fs/gfs2/quota.c:1370
 gfs2_sync_fs+0x4c/0xc4 fs/gfs2/super.c:669
 sync_filesystem+0xe8/0x218 fs/sync.c:56
 generic_shutdown_super+0x70/0x2b8 fs/super.c:669
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
==================================================================
BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]
BUG: KASAN: slab-use-after-free in gfs2_discard fs/gfs2/aops.c:620 [inline]
BUG: KASAN: slab-use-after-free in gfs2_invalidate_folio+0x3c0/0x788 fs/gfs2/aops.c:658
Read of size 8 at addr ffff0000c209e168 by task syz-executor.0/6458
CPU: 0 PID: 6458 Comm: syz-executor.0 Tainted: G W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:475
 kasan_report+0xd8/0x138 mm/kasan/report.c:588
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 list_empty include/linux/list.h:373 [inline]
 gfs2_discard fs/gfs2/aops.c:620 [inline]
 gfs2_invalidate_folio+0x3c0/0x788 fs/gfs2/aops.c:658
 folio_invalidate mm/truncate.c:158 [inline]
 truncate_cleanup_folio+0x1fc/0x3ac mm/truncate.c:178
 truncate_inode_pages_range+0x240/0xf34 mm/truncate.c:367
 truncate_inode_pages mm/truncate.c:448 [inline]
 truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:483
 gfs2_evict_inode+0x2ec/0xf80 fs/gfs2/super.c:1525
 evict+0x260/0x68c fs/inode.c:666
 iput_final fs/inode.c:1777 [inline]
 iput+0x734/0x818 fs/inode.c:1803
 gfs2_put_super+0x338/0x750 fs/gfs2/super.c:625
 generic_shutdown_super+0x130/0x2b8 fs/super.c:696
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Allocated by task 6458:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x90/0x498 mm/slab.h:763
 slab_alloc_node mm/slub.c:3478 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x288/0x410 mm/slub.c:3502
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 gfs2_alloc_bufdata fs/gfs2/trans.c:168 [inline]
 gfs2_trans_add_data+0x1e8/0x634 fs/gfs2/trans.c:209
 gfs2_unstuffer_folio fs/gfs2/bmap.c:81 [inline]
 __gfs2_unstuff_inode fs/gfs2/bmap.c:119 [inline]
 gfs2_unstuff_dinode+0xc80/0x1060 fs/gfs2/bmap.c:166
 gfs2_adjust_quota+0x23c/0x8f4 fs/gfs2/quota.c:879
 do_sync+0x744/0xacc fs/gfs2/quota.c:990
 gfs2_quota_sync+0x338/0x584 fs/gfs2/quota.c:1370
 gfs2_sync_fs+0x4c/0xc4 fs/gfs2/super.c:669
 sync_filesystem+0xe8/0x218 fs/sync.c:56
 generic_shutdown_super+0x70/0x2b8 fs/super.c:669
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Freed by task 6458:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x2e4/0x56c mm/slub.c:3831
 trans_drain fs/gfs2/log.c:1022 [inline]
 gfs2_log_flush+0x1018/0x2054 fs/gfs2/log.c:1160
 do_sync+0x8f8/0xacc fs/gfs2/quota.c:1010
 gfs2_quota_sync+0x338/0x584 fs/gfs2/quota.c:1370
 gfs2_sync_fs+0x4c/0xc4 fs/gfs2/super.c:669
 sync_filesystem+0xe8/0x218 fs/sync.c:56
 generic_shutdown_super+0x70/0x2b8 fs/super.c:669
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
The buggy address belongs to the object at ffff0000c209e150
 which belongs to the cache gfs2_bufdata of size 80
The buggy address is located 24 bytes inside of
 freed 80-byte region [ffff0000c209e150, ffff0000c209e1a0)
The buggy address belongs to the physical page:
page:00000000777dca45 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10209e
flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000800 ffff0000c509d500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080240024 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff0000c209e000: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb
 ffff0000c209e080: fb fb fb fb fb fb fb fb fc fc fc fc fa fb fb fb
>ffff0000c209e100: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
                                                          ^
 ffff0000c209e180: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
 ffff0000c209e200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000005
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Mem abort info:
 ESR = 0x0000000096000005
 EC = 0x25: DABT (current EL), IL = 32 bits
 SET = 0, FnV = 0
 EA = 0, S1PTW = 0
 FSC = 0x05: level 1 translation fault
Data abort info:
 ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
 CM = 0, WnR = 0, TnD = 0, TagAccess = 0
 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000005] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6458 Comm: syz-executor.0 Tainted: G B W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gfs2_remove_from_journal+0x390/0x7e8 fs/gfs2/meta_io.c:345
lr : gfs2_remove_from_journal+0x384/0x7e8 fs/gfs2/meta_io.c:345
sp : ffff8000970170f0
x29: ffff800097017110 x28: dfff800000000000 x27: ffff0000c209e170
x26: ffff0000c209e170 x25: 1fffe0001bd72d81 x24: 0000000000010000
x23: 000000000000002c x22: 0000000000000000 x21: ffff0000deb96c08
x20: ffff0000c209e150 x19: ffff0000deb96bc8 x18: 1fffe000368261ce
x17: 3d3d3d3d3d3d3d3d x16: ffff80008a82e2a0 x15: 0000000000000001
x14: 1fffe0001ac3b9d7 x13: 0000000000000000 x12: 0000000000000000
x11: ffff60001ac3b9d8 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000005 x7 : 0000000000000001 x6 : ffff80008249122c
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008248d10c
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
 gfs2_remove_from_journal+0x390/0x7e8 fs/gfs2/meta_io.c:345
 gfs2_discard fs/gfs2/aops.c:624 [inline]
 gfs2_invalidate_folio+0x4c4/0x788 fs/gfs2/aops.c:658
 folio_invalidate mm/truncate.c:158 [inline]
 truncate_cleanup_folio+0x1fc/0x3ac mm/truncate.c:178
 truncate_inode_pages_range+0x240/0xf34 mm/truncate.c:367
 truncate_inode_pages mm/truncate.c:448 [inline]
 truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:483
 gfs2_evict_inode+0x2ec/0xf80 fs/gfs2/super.c:1525
 evict+0x260/0x68c fs/inode.c:666
 iput_final fs/inode.c:1777 [inline]
 iput+0x734/0x818 fs/inode.c:1803
 gfs2_put_super+0x338/0x750 fs/gfs2/super.c:625
 generic_shutdown_super+0x130/0x2b8 fs/super.c:696
 kill_block_super+0x44/0x90 fs/super.c:1667
 gfs2_kill_sb+0x2cc/0x330
 deactivate_locked_super+0xc4/0x144 fs/super.c:484
 deactivate_super+0xe0/0x100 fs/super.c:517
 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1256
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1263
 task_work_run+0x230/0x2e0 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x214c/0x393c arch/arm64/kernel/signal.c:1305
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:144 [inline]
 el0_svc+0x9c/0x158 arch/arm64/kernel/entry-common.c:679
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Code: 978246a4 a94067f6 9100b2d7 d343fee8 (38fc6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   978246a4    bl      0xfffffffffe091a90
   4:   a94067f6    ldp     x22, x25, [sp]
   8:   9100b2d7    add     x23, x22, #0x2c
   c:   d343fee8    lsr     x8, x23, #3
* 10:   38fc6908    ldrsb   w8, [x8, x28] <-- trapping instruction