(syz.3.60,4461,1):ocfs2_mount_volume:1882 ERROR: status = -22
(syz.3.60,4461,1):ocfs2_fill_super:1225 ERROR: status = -22
ocfs2: Unmounting device (7,3) on (node local)
JBD2: Ignoring recovery information on journal
==================================================================
BUG: KASAN: use-after-free in ocfs2_search_extent_list+0x14b/0x170 fs/ocfs2/alloc.c:792
Read of size 4 at addr ffff88008926b000 by task syz.3.61/4466

CPU: 1 PID: 4466 Comm: syz.3.61 Not tainted 4.19.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x10c/0x17a lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x244 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x305 mm/kasan/report.c:396
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 ocfs2_search_extent_list+0x14b/0x170 fs/ocfs2/alloc.c:792
 ocfs2_get_clusters_nocache.isra.4+0x1e6/0xd20 fs/ocfs2/extent_map.c:453
 ocfs2_get_clusters+0x68d/0xfa0 fs/ocfs2/extent_map.c:637
 ocfs2_extent_map_get_blocks+0x174/0x800 fs/ocfs2/extent_map.c:684
 ocfs2_bmap+0x417/0x5f0 fs/ocfs2/aops.c:503
 bmap+0x82/0xc0 fs/inode.c:1593
 jbd2_journal_bmap+0x48/0xd0 fs/jbd2/journal.c:819
 do_readahead fs/jbd2/recovery.c:87 [inline]
 jread+0x3be/0x690 fs/jbd2/recovery.c:159
 do_one_pass+0x207/0x1fd0 fs/jbd2/recovery.c:480
 jbd2_journal_skip_recovery+0x82/0x12e fs/jbd2/recovery.c:317
 jbd2_journal_wipe fs/jbd2/journal.c:2067 [inline]
 jbd2_journal_wipe.cold.26+0x6c/0x71 fs/jbd2/journal.c:2051
 ocfs2_journal_wipe+0x85/0x1d0 fs/ocfs2/journal.c:1117
 ocfs2_check_volume+0x29a/0x980 fs/ocfs2/super.c:2454
 ocfs2_mount_volume fs/ocfs2/super.c:1880 [inline]
 ocfs2_fill_super+0x146c/0x2710 fs/ocfs2/super.c:1140
 mount_bdev+0x272/0x330 fs/super.c:1158
 ocfs2_mount+0x10/0x20 fs/ocfs2/super.c:1241
 mount_fs+0x84/0x1f5 fs/super.c:1261
 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2457 [inline]
 do_mount+0x376/0x26e0 fs/namespace.c:2787
 ksys_mount+0xb1/0xd0 fs/namespace.c:3003
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3014
 do_syscall_64+0xd0/0x340 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f6cabd646ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6cab7e1e88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f6cab7e1f10 RCX: 00007f6cabd646ba
RDX: 0000000020004440 RSI: 0000000020000040 RDI: 00007f6cab7e1ed0
RBP: 0000000020004440 R08: 00007f6cab7e1f10 R09: 00000000000008c0
R10: 00000000000008c0 R11: 0000000000000246 R12: 0000000020000040
R13: 00007f6cab7e1ed0 R14: 0000000000004434 R15: 00000000200000c0

The buggy address belongs to the page:
page:ffffea0002249ac0 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0002249b08 ffff8800baa30720 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not active (free page?)

Memory state around the buggy address:
 ffff88008926af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88008926af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88008926b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88008926b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88008926b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================