loop0: detected capacity change from 0 to 32768
bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=metadata_checksum=none,data_checksum=none,compression=lz4,nojournal_transaction_names
bcachefs (loop0): recovering from clean shutdown, journal seq 13
==================================================================
BUG: KASAN: use-after-free in memcpy_dir crypto/scatterwalk.c:23 [inline]
BUG: KASAN: use-after-free in scatterwalk_copychunks+0x168/0x410 crypto/scatterwalk.c:38
Read of size 32 at addr ffff88817bf20000 by task syz-executor.0/3272

CPU: 0 PID: 3272 Comm: syz-executor.0 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x280 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_dir crypto/scatterwalk.c:23 [inline]
 scatterwalk_copychunks+0x168/0x410 crypto/scatterwalk.c:38
 skcipher_next_slow+0x315/0x410 crypto/skcipher.c:295
 skcipher_walk_next+0x578/0xaa0 crypto/skcipher.c:380
 chacha_simd_stream_xor+0x690/0xcb0 arch/x86/crypto/chacha_glue.c:192
 do_encrypt_sg fs/bcachefs/checksum.c:107 [inline]
 do_encrypt+0x5c9/0x700 fs/bcachefs/checksum.c:127
 bset_encrypt fs/bcachefs/btree_io.h:120 [inline]
 bch2_btree_node_read_done+0x1875/0x57b0 fs/bcachefs/btree_io.c:1090
 btree_node_read_work+0x5d9/0x10e0 fs/bcachefs/btree_io.c:1345
 bch2_btree_node_read+0x203e/0x2b00
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1769 [inline]
 bch2_btree_root_read+0x2d5/0x860 fs/bcachefs/btree_io.c:1793
 read_btree_roots+0x2bb/0x6a0 fs/bcachefs/recovery.c:469
 bch2_fs_recovery+0x41f7/0x68b0 fs/bcachefs/recovery.c:795
 bch2_fs_start+0x2d8/0x490 fs/bcachefs/super.c:1045
 bch2_fs_open+0x19b4/0x2a50 fs/bcachefs/super.c:2103
 bch2_mount+0x665/0x1150 fs/bcachefs/fs.c:1903
 legacy_get_tree+0xe9/0x180 fs/fs_context.c:662
 vfs_get_tree+0x82/0x190 fs/super.c:1779
 do_new_mount+0x21e/0x9b0 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x242/0x2e0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4e2b87f3aa
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e2c667ef8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f4e2c667f80 RCX: 00007f4e2b87f3aa
RDX: 000000002000f640 RSI: 000000002000f680 RDI: 00007f4e2c667f40
RBP: 000000002000f640 R08: 00007f4e2c667f80 R09: 0000000000010400
R10: 0000000000010400 R11: 0000000000000246 R12: 000000002000f680
R13: 00007f4e2c667f40 R14: 000000000000f631 R15: 00000000200000c0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x17bf20
flags: 0x100000000000000(node=0|zone=2)
page_type: 0xffffff7f(buddy)
raw: 0100000000000000 ffffea0005a4b808 ffff88823fff9008 0000000000000000
raw: 0000000000000000 0000000000000005 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 5, migratetype Unmovable, gfp_mask 0x152cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3271, tgid 429577886 (syz-executor.0), ts 3272, free_ts 52013611020
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x10f/0x130 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x345c/0x3600 mm/page_alloc.c:3317
 __alloc_pages+0x256/0x670 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 __kmalloc_large_node+0x90/0x190 mm/slub.c:3911
 __do_kmalloc_node mm/slub.c:3954 [inline]
 __kmalloc_node+0x31d/0x4c0 mm/slub.c:3973
 kmalloc_node include/linux/slab.h:648 [inline]
 kvmalloc_node+0x42/0xf0 mm/util.c:634
 kvmalloc include/linux/slab.h:766 [inline]
 btree_node_data_alloc fs/bcachefs/btree_cache.c:98 [inline]
 __bch2_btree_node_mem_alloc+0x25c/0x500 fs/bcachefs/btree_cache.c:143
 bch2_fs_btree_cache_init+0x4ad/0x590 fs/bcachefs/btree_cache.c:479
 bch2_fs_alloc fs/bcachefs/super.c:925 [inline]
 bch2_fs_open+0x22b2/0x2a50 fs/bcachefs/super.c:2082
 bch2_mount+0x665/0x1150 fs/bcachefs/fs.c:1903
 legacy_get_tree+0xe9/0x180 fs/fs_context.c:662
 vfs_get_tree+0x82/0x190 fs/super.c:1779
 do_new_mount+0x21e/0x9b0 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x242/0x2e0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x1a0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 3272 tgid 3271 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 __free_pages_ok+0xac1/0xbe0 mm/page_alloc.c:1270
 __folio_put_large+0x142/0x1b0 mm/swap.c:132
 __folio_put+0x227/0x2d0 mm/swap.c:140
 folio_put include/linux/mm.h:1508 [inline]
 free_large_kmalloc+0xb5/0x170 mm/slub.c:4361
 kfree+0x1a7/0x350 mm/slub.c:4384
 btree_bounce_free fs/bcachefs/btree_io.c:118 [inline]
 bch2_btree_node_read_done+0x33b7/0x57b0 fs/bcachefs/btree_io.c:1222
 btree_node_read_work+0x5d9/0x10e0 fs/bcachefs/btree_io.c:1345
 bch2_btree_node_read+0x203e/0x2b00
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1769 [inline]
 bch2_btree_root_read+0x2d5/0x860 fs/bcachefs/btree_io.c:1793
 read_btree_roots+0x2bb/0x6a0 fs/bcachefs/recovery.c:469
 bch2_fs_recovery+0x41f7/0x68b0 fs/bcachefs/recovery.c:795
 bch2_fs_start+0x2d8/0x490 fs/bcachefs/super.c:1045
 bch2_fs_open+0x19b4/0x2a50 fs/bcachefs/super.c:2103
 bch2_mount+0x665/0x1150 fs/bcachefs/fs.c:1903
 legacy_get_tree+0xe9/0x180 fs/fs_context.c:662
 vfs_get_tree+0x82/0x190 fs/super.c:1779

Memory state around the buggy address:
 ffff88817bf1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88817bf1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88817bf20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88817bf20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88817bf20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================