Hello, syzbot found the following issue on: HEAD commit: 03275585cabd afs: Fix accidental truncation when storing d.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=17a74308a80000 kernel config: https://syzkaller.appspot.com/x/.config?x=656155ea96f6ea1d dashboard link: https://syzkaller.appspot.com/bug?extid=009d9721acf40a64eab9 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 Unfortunately, I don't have any reproducer for this issue yet. Downloadable assets: disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-03275585.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/d7fbd69351b6/vmlinux-03275585.xz kernel image: https://storage.googleapis.com/syzbot-assets/ca0f98a100ed/bzImage-03275585.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+009d9721acf40a64eab9@xxxxxxxxxxxxxxxxxxxxxxxxx ================================================================== BUG: KASAN: slab-use-after-free in move_to_new_folio+0x64a/0x6e0 mm/migrate.c:957 Read of size 8 at addr ffff88803374aee8 by task kcompactd0/44 CPU: 1 PID: 44 Comm: kcompactd0 Not tainted 6.4.0-syzkaller-11472-g03275585cabd #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364 print_report mm/kasan/report.c:475 [inline] kasan_report+0x11d/0x130 mm/kasan/report.c:588 move_to_new_folio+0x64a/0x6e0 mm/migrate.c:957 migrate_folio_move mm/migrate.c:1272 [inline] migrate_pages_batch+0x1bcf/0x2cc0 mm/migrate.c:1757 migrate_pages_sync mm/migrate.c:1823 [inline] migrate_pages+0x1962/0x2490 mm/migrate.c:1927 compact_zone+0x18d1/0x3bc0 mm/compaction.c:2484 proactive_compact_node+0x103/0x1b0 mm/compaction.c:2749 kcompactd+0x837/0xcc0 mm/compaction.c:3069 kthread+0x344/0x440 kernel/kthread.c:389 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> Allocated by task 4548: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:750 [inline] slab_alloc_node mm/slab.c:3237 [inline] slab_alloc mm/slab.c:3246 [inline] __kmem_cache_alloc_lru mm/slab.c:3423 [inline] kmem_cache_alloc+0x14e/0x3f0 mm/slab.c:3432 gfs2_glock_get+0x203/0x1320 fs/gfs2/glock.c:1167 gfs2_inode_lookup+0x258/0x8a0 fs/gfs2/inode.c:135 gfs2_dir_search+0x213/0x2d0 fs/gfs2/dir.c:1664 gfs2_lookupi+0x481/0x640 fs/gfs2/inode.c:332 gfs2_jindex_hold fs/gfs2/ops_fstype.c:608 [inline] init_journal fs/gfs2/ops_fstype.c:750 [inline] init_inodes+0x768/0x2b60 fs/gfs2/ops_fstype.c:885 gfs2_fill_super+0x1a26/0x2aa0 fs/gfs2/ops_fstype.c:1248 get_tree_bdev+0x43e/0x7d0 fs/super.c:1318 gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1333 vfs_get_tree+0x8d/0x350 fs/super.c:1519 do_new_mount fs/namespace.c:3335 [inline] path_mount+0x136e/0x1e70 fs/namespace.c:3662 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount fs/namespace.c:3861 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Last potentially related work creation: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:491 __call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649 gfs2_glock_free+0x6f3/0x10f0 fs/gfs2/glock.c:177 gfs2_glock_put+0x33/0x40 fs/gfs2/glock.c:307 gfs2_glock_put_eventually fs/gfs2/super.c:1278 [inline] gfs2_evict_inode+0x5cd/0x1c60 fs/gfs2/super.c:1560 evict+0x2ed/0x6b0 fs/inode.c:665 iput_final fs/inode.c:1789 [inline] iput.part.0+0x50a/0x740 fs/inode.c:1815 iput+0x5c/0x80 fs/inode.c:1805 gfs2_jindex_free+0x391/0x560 fs/gfs2/super.c:75 init_journal fs/gfs2/ops_fstype.c:867 [inline] init_inodes+0x1202/0x2b60 fs/gfs2/ops_fstype.c:885 gfs2_fill_super+0x1a26/0x2aa0 fs/gfs2/ops_fstype.c:1248 get_tree_bdev+0x43e/0x7d0 fs/super.c:1318 gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1333 vfs_get_tree+0x8d/0x350 fs/super.c:1519 do_new_mount fs/namespace.c:3335 [inline] path_mount+0x136e/0x1e70 fs/namespace.c:3662 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount fs/namespace.c:3861 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Second to last potentially related work creation: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:491 insert_work+0x48/0x360 kernel/workqueue.c:1553 __queue_work+0x625/0x1120 kernel/workqueue.c:1714 __queue_delayed_work+0x1c8/0x270 kernel/workqueue.c:1864 queue_delayed_work_on+0x109/0x120 kernel/workqueue.c:1900 queue_delayed_work include/linux/workqueue.h:521 [inline] __gfs2_glock_queue_work+0x2a/0xb0 fs/gfs2/glock.c:252 gfs2_glock_queue_work fs/gfs2/glock.c:266 [inline] do_xmote+0x98b/0xd70 fs/gfs2/glock.c:801 run_queue+0x3cf/0x660 fs/gfs2/glock.c:844 glock_work_func+0xc2/0x3b0 fs/gfs2/glock.c:1076 process_one_work+0xa34/0x16f0 kernel/workqueue.c:2597 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2748 kthread+0x344/0x440 kernel/kthread.c:389 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The buggy address belongs to the object at ffff88803374aa90 which belongs to the cache gfs2_glock(aspace) of size 1224 The buggy address is located 1112 bytes inside of freed 1224-byte region [ffff88803374aa90, ffff88803374af58) The buggy address belongs to the physical page: page:ffffea0000cdd280 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803374affd pfn:0x3374a flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) page_type: 0x1() raw: 00fff00000000200 ffff888105198800 ffffea0000ba3050 ffffea0000cba510 raw: ffff88803374affd ffff88803374a000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x342040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 4244, tgid 4243 (syz-executor.2), ts 2200319898346, free_ts 2200315160610 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570 prep_new_page mm/page_alloc.c:1577 [inline] get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477 __alloc_pages_node include/linux/gfp.h:237 [inline] kmem_getpages mm/slab.c:1356 [inline] cache_grow_begin+0x9b/0x3b0 mm/slab.c:2550 cache_alloc_refill+0x289/0x3a0 mm/slab.c:2923 ____cache_alloc mm/slab.c:2999 [inline] ____cache_alloc mm/slab.c:2982 [inline] __do_cache_alloc mm/slab.c:3182 [inline] slab_alloc_node mm/slab.c:3230 [inline] slab_alloc mm/slab.c:3246 [inline] __kmem_cache_alloc_lru mm/slab.c:3423 [inline] kmem_cache_alloc+0x397/0x3f0 mm/slab.c:3432 gfs2_glock_get+0x203/0x1320 fs/gfs2/glock.c:1167 gfs2_inode_lookup+0x258/0x8a0 fs/gfs2/inode.c:135 gfs2_dir_search+0x213/0x2d0 fs/gfs2/dir.c:1664 gfs2_lookupi+0x481/0x640 fs/gfs2/inode.c:332 gfs2_lookup_simple+0x9d/0xe0 fs/gfs2/inode.c:273 init_inodes+0x129e/0x2b60 fs/gfs2/ops_fstype.c:891 gfs2_fill_super+0x1a26/0x2aa0 fs/gfs2/ops_fstype.c:1248 get_tree_bdev+0x43e/0x7d0 fs/super.c:1318 gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1333 vfs_get_tree+0x8d/0x350 fs/super.c:1519 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1161 [inline] free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348 free_unref_page_list+0xe3/0xa70 mm/page_alloc.c:2489 release_pages+0xcd8/0x1380 mm/swap.c:1042 __folio_batch_release+0x77/0xe0 mm/swap.c:1062 folio_batch_release include/linux/pagevec.h:83 [inline] truncate_inode_pages_range+0x2ec/0xf10 mm/truncate.c:372 inode_go_inval+0x385/0x420 fs/gfs2/glops.c:380 do_xmote+0x73d/0xd70 fs/gfs2/glock.c:733 run_queue+0x3cf/0x660 fs/gfs2/glock.c:844 glock_work_func+0xc2/0x3b0 fs/gfs2/glock.c:1076 process_one_work+0xa34/0x16f0 kernel/workqueue.c:2597 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2748 kthread+0x344/0x440 kernel/kthread.c:389 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 Memory state around the buggy address: ffff88803374ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88803374ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88803374ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88803374af00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc ffff88803374af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the bug is already fixed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to change bug's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the bug is a duplicate of another bug, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup
