[v5.15] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
0 views
Skip to first unread message
syzbot
Sep 17, 2025, 9:54:32 AM (4 days ago) Sep 17
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 43bb85222e53 Linux 5.15.193
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1042c534580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1bb6d24ef2164eb
dashboard link: https://syzkaller.appspot.com/bug?extid=7594196c6b2e25ddda51
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa8fda38f146/disk-43bb8522.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5cfcd43783fc/vmlinux-43bb8522.xz
kernel image: https://storage.googleapis.com/syzbot-assets/582ede77e278/bzImage-43bb8522.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+759419...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
Read of size 2 at addr ffff888071430cf0 by task syz.7.316/6592
CPU: 1 PID: 6592 Comm: syz.7.316 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
ocfs2_readdir+0x21a/0x460 fs/ocfs2/dir.c:1970
iterate_dir+0x218/0x560 fs/readdir.c:-1
__do_sys_getdents fs/readdir.c:286 [inline]
__se_sys_getdents+0xe5/0x250 fs/readdir.c:271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fe81610fba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe814335038 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007fe816357180 RCX: 00007fe81610fba9
RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fe816192e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe816357218 R14: 00007fe816357180 R15: 00007ffd35f73e88
</TASK>
The buggy address belongs to the page:
page:ffffea0001c50c00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x71430
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001547148 ffffea0001c828c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 6510, ts 181425600498, free_ts 181728629853
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
__alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
alloc_pages_vma+0x393/0x7c0 mm/mempolicy.c:2146
shmem_alloc_page mm/shmem.c:1586 [inline]
shmem_alloc_and_acct_page+0x427/0xb70 mm/shmem.c:1611
shmem_getpage_gfp+0x14f4/0x2d40 mm/shmem.c:1906
shmem_getpage mm/shmem.c:151 [inline]
shmem_write_begin+0xcd/0x1a0 mm/shmem.c:2474
generic_perform_write+0x2aa/0x530 mm/filemap.c:3785
__generic_file_write_iter+0x25f/0x4e0 mm/filemap.c:3912
generic_file_write_iter+0xa6/0x1b0 mm/filemap.c:3944
call_write_iter include/linux/fs.h:2172 [inline]
new_sync_write fs/read_write.c:507 [inline]
vfs_write+0x712/0xd00 fs/read_write.c:594
ksys_write+0x14d/0x250 fs/read_write.c:647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
free_unref_page_list+0x122/0x7e0 mm/page_alloc.c:3433
release_pages+0x184b/0x1bb0 mm/swap.c:963
__pagevec_release+0x6d/0xe0 mm/swap.c:983
pagevec_release include/linux/pagevec.h:81 [inline]
shmem_undo_range+0x5cb/0x1880 mm/shmem.c:964
shmem_truncate_range mm/shmem.c:1063 [inline]
shmem_evict_inode+0x20d/0xa00 mm/shmem.c:1145
evict+0x485/0x870 fs/inode.c:647
__dentry_kill+0x431/0x650 fs/dcache.c:586
dentry_kill+0xb8/0x290 fs/dcache.c:-1
dput+0xd8/0x1a0 fs/dcache.c:893
__fput+0x5ee/0x930 fs/file_table.c:319
task_work_run+0x125/0x1a0 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x61e/0x20a0 kernel/exit.c:883
do_group_exit+0x12e/0x300 kernel/exit.c:997
get_signal+0x6ca/0x12c0 kernel/signal.c:2900
arch_do_signal_or_restart+0xc1/0x1300 arch/x86/kernel/signal.c:867
Memory state around the buggy address:
ffff888071430b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888071430c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888071430c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888071430d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888071430d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 43bb85222e53 Linux 5.15.193
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1042c534580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1bb6d24ef2164eb
dashboard link: https://syzkaller.appspot.com/bug?extid=7594196c6b2e25ddda51
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa8fda38f146/disk-43bb8522.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5cfcd43783fc/vmlinux-43bb8522.xz
kernel image: https://storage.googleapis.com/syzbot-assets/582ede77e278/bzImage-43bb8522.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+759419...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
Read of size 2 at addr ffff888071430cf0 by task syz.7.316/6592
CPU: 1 PID: 6592 Comm: syz.7.316 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
ocfs2_readdir+0x21a/0x460 fs/ocfs2/dir.c:1970
iterate_dir+0x218/0x560 fs/readdir.c:-1
__do_sys_getdents fs/readdir.c:286 [inline]
__se_sys_getdents+0xe5/0x250 fs/readdir.c:271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fe81610fba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe814335038 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007fe816357180 RCX: 00007fe81610fba9
RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fe816192e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe816357218 R14: 00007fe816357180 R15: 00007ffd35f73e88
</TASK>
The buggy address belongs to the page:
page:ffffea0001c50c00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x71430
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001547148 ffffea0001c828c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 6510, ts 181425600498, free_ts 181728629853
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
__alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
alloc_pages_vma+0x393/0x7c0 mm/mempolicy.c:2146
shmem_alloc_page mm/shmem.c:1586 [inline]
shmem_alloc_and_acct_page+0x427/0xb70 mm/shmem.c:1611
shmem_getpage_gfp+0x14f4/0x2d40 mm/shmem.c:1906
shmem_getpage mm/shmem.c:151 [inline]
shmem_write_begin+0xcd/0x1a0 mm/shmem.c:2474
generic_perform_write+0x2aa/0x530 mm/filemap.c:3785
__generic_file_write_iter+0x25f/0x4e0 mm/filemap.c:3912
generic_file_write_iter+0xa6/0x1b0 mm/filemap.c:3944
call_write_iter include/linux/fs.h:2172 [inline]
new_sync_write fs/read_write.c:507 [inline]
vfs_write+0x712/0xd00 fs/read_write.c:594
ksys_write+0x14d/0x250 fs/read_write.c:647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
free_unref_page_list+0x122/0x7e0 mm/page_alloc.c:3433
release_pages+0x184b/0x1bb0 mm/swap.c:963
__pagevec_release+0x6d/0xe0 mm/swap.c:983
pagevec_release include/linux/pagevec.h:81 [inline]
shmem_undo_range+0x5cb/0x1880 mm/shmem.c:964
shmem_truncate_range mm/shmem.c:1063 [inline]
shmem_evict_inode+0x20d/0xa00 mm/shmem.c:1145
evict+0x485/0x870 fs/inode.c:647
__dentry_kill+0x431/0x650 fs/dcache.c:586
dentry_kill+0xb8/0x290 fs/dcache.c:-1
dput+0xd8/0x1a0 fs/dcache.c:893
__fput+0x5ee/0x930 fs/file_table.c:319
task_work_run+0x125/0x1a0 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x61e/0x20a0 kernel/exit.c:883
do_group_exit+0x12e/0x300 kernel/exit.c:997
get_signal+0x6ca/0x12c0 kernel/signal.c:2900
arch_do_signal_or_restart+0xc1/0x1300 arch/x86/kernel/signal.c:867
Memory state around the buggy address:
ffff888071430b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888071430c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888071430c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888071430d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888071430d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Sep 17, 2025, 10:54:35 AM (4 days ago) Sep 17
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 43bb85222e53 Linux 5.15.193
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=118b0712580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100c9f62580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa8fda38f146/disk-43bb8522.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5cfcd43783fc/vmlinux-43bb8522.xz
kernel image: https://storage.googleapis.com/syzbot-assets/582ede77e278/bzImage-43bb8522.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0388b66b1735/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=14ab8c7c580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+759419...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
ocfs2: Mounting device (7,0) on (node local, slot 0) with writeback data mode.
CPU: 0 PID: 4377 Comm: syz.0.25 Not tainted syzkaller #0
RAX: ffffffffffffffda RBX: 00007f39881b4fa0 RCX: 00007f3987f6dba9
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00016e0e88 ffffea00016e0688 0000000000000000
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x10f/0x130 kernel/entry/common.c:181
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
Memory state around the buggy address:
ffff88805b839b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88805b839c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805b839c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88805b839d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88805b839d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 43bb85222e53 Linux 5.15.193
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=e1bb6d24ef2164eb
dashboard link: https://syzkaller.appspot.com/bug?extid=7594196c6b2e25ddda51
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17b08f62580000
dashboard link: https://syzkaller.appspot.com/bug?extid=7594196c6b2e25ddda51
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100c9f62580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa8fda38f146/disk-43bb8522.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5cfcd43783fc/vmlinux-43bb8522.xz
kernel image: https://storage.googleapis.com/syzbot-assets/582ede77e278/bzImage-43bb8522.xz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=14ab8c7c580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+759419...@syzkaller.appspotmail.com
ocfs2: Mounting device (7,0) on (node local, slot 0) with writeback data mode.
==================================================================
BUG: KASAN: use-after-free in ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
Read of size 2 at addr ffff88805b839cf0 by task syz.0.25/4377
BUG: KASAN: use-after-free in ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
CPU: 0 PID: 4377 Comm: syz.0.25 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
ocfs2_readdir+0x21a/0x460 fs/ocfs2/dir.c:1970
iterate_dir+0x218/0x560 fs/readdir.c:-1
__do_sys_getdents fs/readdir.c:286 [inline]
__se_sys_getdents+0xe5/0x250 fs/readdir.c:271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f3987f6dba9
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1799 [inline]
ocfs2_dir_foreach_blk+0x1566/0x1900 fs/ocfs2/dir.c:1927
ocfs2_readdir+0x21a/0x460 fs/ocfs2/dir.c:1970
iterate_dir+0x218/0x560 fs/readdir.c:-1
__do_sys_getdents fs/readdir.c:286 [inline]
__se_sys_getdents+0xe5/0x250 fs/readdir.c:271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd93ce7a78 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f39881b4fa0 RCX: 00007f3987f6dba9
RDX: 0000000000000054 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f3987ff0e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f39881b4fa0 R14: 00007f39881b4fa0 R15: 0000000000000003
</TASK>
The buggy address belongs to the page:
page:ffffea00016e0e40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x5b839
The buggy address belongs to the page:
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00016e0e88 ffffea00016e0688 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 4374, ts 90152769677, free_ts 90470709678
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
exit_to_user_mode_loop+0x10f/0x130 kernel/entry/common.c:181
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
Memory state around the buggy address:
ffff88805b839c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805b839c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88805b839d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88805b839d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages