... Log Wrap ... Log Wrap ... Log Wrap ... ================================================================== BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:86 [inline] BUG: KASAN: use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: use-after-free in txEnd+0x2c4/0x510 fs/jfs/jfs_txnmgr.c:554 Write of size 8 at addr ffff0000c7f6c040 by task jfsCommit/248 CPU: 1 PID: 248 Comm: jfsCommit Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 Call trace: dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack+0x30/0x40 lib/dump_stack.c:88 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106 print_address_description+0x78/0x30c mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0xec/0x15c mm/kasan/report.c:451 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x270/0x2b0 mm/kasan/generic.c:189 __kasan_check_write+0x44/0x54 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:86 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] txEnd+0x2c4/0x510 fs/jfs/jfs_txnmgr.c:554 txLazyCommit fs/jfs/jfs_txnmgr.c:2718 [inline] jfs_lazycommit+0x4a4/0x9bc fs/jfs/jfs_txnmgr.c:2766 kthread+0x374/0x454 kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:856 Allocated by task 5038: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc+0xb0/0xf0 mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:264 [inline] kmem_cache_alloc_trace+0x274/0x3fc mm/slub.c:3247 kmalloc include/linux/slab.h:604 [inline] kzalloc include/linux/slab.h:735 [inline] open_inline_log fs/jfs/jfs_logmgr.c:1167 [inline] lmLogOpen+0x288/0xd68 fs/jfs/jfs_logmgr.c:1077 jfs_mount_rw+0xe4/0x50c fs/jfs/jfs_mount.c:253 jfs_fill_super+0x49c/0x960 fs/jfs/super.c:570 mount_bdev+0x264/0x358 fs/super.c:1400 jfs_do_mount+0x44/0x58 fs/jfs/super.c:675 legacy_get_tree+0xd4/0x16c fs/fs_context.c:611 vfs_get_tree+0x90/0x274 fs/super.c:1530 do_new_mount+0x228/0x810 fs/namespace.c:3025 path_mount+0x5b4/0x1000 fs/namespace.c:3355 do_mount fs/namespace.c:3368 [inline] __do_sys_mount fs/namespace.c:3576 [inline] __se_sys_mount fs/namespace.c:3553 [inline] __arm64_sys_mount+0x514/0x5e4 fs/namespace.c:3553 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Freed by task 4777: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4c/0x84 mm/kasan/common.c:46 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1705 [inline] slab_free_freelist_hook+0x128/0x1e8 mm/slub.c:1731 slab_free mm/slub.c:3499 [inline] kfree+0x170/0x40c mm/slub.c:4559 lmLogClose+0x250/0x4c8 fs/jfs/jfs_logmgr.c:-1 jfs_umount+0x244/0x328 fs/jfs/jfs_umount.c:116 jfs_put_super+0x90/0x188 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x2f0 fs/super.c:475 kill_block_super+0x70/0xdc fs/super.c:1427 deactivate_locked_super+0xb8/0x13c fs/super.c:335 deactivate_super+0xf8/0x118 fs/super.c:366 cleanup_mnt+0x3a4/0x458 fs/namespace.c:1139 __cleanup_mnt+0x20/0x30 fs/namespace.c:1146 task_work_run+0x12c/0x1e0 kernel/task_work.c:188 tracehook_notify_resume include/linux/tracehook.h:189 [inline] do_notify_resume+0x24b4/0x3128 arch/arm64/kernel/signal.c:949 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline] el0_svc+0xf0/0x1e0 arch/arm64/kernel/entry-common.c:609 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Last potentially related work creation: kasan_save_stack+0x38/0x68 mm/kasan/common.c:38 kasan_record_aux_stack+0xcc/0x114 mm/kasan/generic.c:348 __call_rcu kernel/rcu/tree.c:3011 [inline] call_rcu+0x114/0x8fc kernel/rcu/tree.c:3091 pwq_unbound_release_workfn+0x210/0x254 kernel/workqueue.c:-1 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457 kthread+0x374/0x454 kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:856 Second to last potentially related work creation: kasan_save_stack+0x38/0x68 mm/kasan/common.c:38 kasan_record_aux_stack+0xcc/0x114 mm/kasan/generic.c:348 kvfree_call_rcu+0xb8/0x66c kernel/rcu/tree.c:3600 drop_sysctl_table+0x274/0x39c fs/proc/proc_sysctl.c:1685 unregister_sysctl_table+0x94/0x134 fs/proc/proc_sysctl.c:1723 unregister_net_sysctl_table+0x20/0x30 net/sysctl_net.c:175 neigh_sysctl_unregister+0x78/0x9c net/core/neighbour.c:3737 addrconf_sysctl_unregister net/ipv6/addrconf.c:7160 [inline] addrconf_ifdown+0x1368/0x1688 net/ipv6/addrconf.c:3928 addrconf_notify+0x2f4/0xc6c net/ipv6/addrconf.c:-1 notifier_call_chain kernel/notifier.c:83 [inline] raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:391 call_netdevice_notifiers_info net/core/dev.c:2049 [inline] call_netdevice_notifiers_extack net/core/dev.c:2061 [inline] call_netdevice_notifiers net/core/dev.c:2075 [inline] unregister_netdevice_many+0xe10/0x17d0 net/core/dev.c:11134 ip_tunnel_delete_nets+0x2cc/0x320 net/ipv4/ip_tunnel.c:1151 erspan_exit_batch_net+0x30/0x40 net/ipv4/ip_gre.c:1729 ops_exit_list net/core/net_namespace.c:177 [inline] cleanup_net+0x644/0xa98 net/core/net_namespace.c:635 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457 kthread+0x374/0x454 kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:856 The buggy address belongs to the object at ffff0000c7f6c000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 64 bytes inside of 1024-byte region [ffff0000c7f6c000, ffff0000c7f6c400) The buggy address belongs to the page: page:0000000007bb899d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107f68 head:0000000007bb899d order:3 compound_mapcount:0 compound_pincount:0 flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002780 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000c7f6bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000c7f6bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000c7f6c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000c7f6c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000c7f6c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... Unable to handle kernel paging request at virtual address dfff800000000006 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 [dfff800000000006] address between user and kernel address ranges Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 248 Comm: jfsCommit Tainted: G B syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025 pstate: 02400005 (nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) pc : write_special_inodes fs/jfs/jfs_logmgr.c:207 [inline] pc : lmLogSync+0xe8/0x88c fs/jfs/jfs_logmgr.c:943 lr : write_special_inodes fs/jfs/jfs_logmgr.c:207 [inline] lr : lmLogSync+0xdc/0x88c fs/jfs/jfs_logmgr.c:943 sp : ffff80001efa7b40 x29: ffff80001efa7c10 x28: 1ffff00003d1b222 x27: dfff800000000000 x26: 1ffff000028dc1a0 x25: dfff800000000000 x24: ffff80001efa7b60 x23: 0000000000000002 x22: ffff700003df4f6c x21: 0000000000000030 x20: ffff0000c99311f0 x19: ffff0000cbc22800 x18: 0000000000000002 x17: 0000000040000000 x16: ffff8000082d647c x15: 0000000000000002 x14: 0000000000ff0100 x13: ffffffffffffffff x12: 0000000000ff0100 x11: 0000000000000000 x10: 0000000000000000 x9 : ffff80001ae3b210 x8 : 0000000000000006 x7 : 2222222222222222 x6 : ffff800011293b48 x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000097c20cc x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000 Call trace: write_special_inodes fs/jfs/jfs_logmgr.c:207 [inline] lmLogSync+0xe8/0x88c fs/jfs/jfs_logmgr.c:943 jfs_syncpt+0x70/0x94 fs/jfs/jfs_logmgr.c:1049 txEnd+0x294/0x510 fs/jfs/jfs_txnmgr.c:549 txLazyCommit fs/jfs/jfs_txnmgr.c:2718 [inline] jfs_lazycommit+0x4a4/0x9bc fs/jfs/jfs_txnmgr.c:2766 kthread+0x374/0x454 kernel/kthread.c:334 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:856 Code: 97c1ec28 f94002a8 9100c115 d343fea8 (387b6908) ---[ end trace c9faae4d9e08368c ]--- ---------------- Code disassembly (best guess): 0: 97c1ec28 bl 0xffffffffff07b0a0 4: f94002a8 ldr x8, [x21] 8: 9100c115 add x21, x8, #0x30 c: d343fea8 lsr x8, x21, #3 * 10: 387b6908 ldrb w8, [x8, x27] <-- trapping instruction