(kworker/u4:3,43,0):ocfs2_read_blocks_sync:112 ERROR: status = -12
(kworker/u4:3,43,0):ocfs2_read_locked_inode:599 ERROR: status = -12
==================================================================
BUG: KASAN: use-after-free in ocfs2_check_dir_entry+0x3a0/0x480 fs/ocfs2/dir.c:318
Read of size 2 at addr ffff88804818b780 by task kworker/u4:3/43

CPU: 0 UID: 0 PID: 43 Comm: kworker/u4:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: ocfs2_wq ocfs2_complete_recovery
Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ocfs2_check_dir_entry+0x3a0/0x480 fs/ocfs2/dir.c:318
 ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1826 [inline]
 ocfs2_dir_foreach_blk+0xfff/0x1420 fs/ocfs2/dir.c:1954
 ocfs2_dir_foreach+0x42/0x70 fs/ocfs2/dir.c:1965
 ocfs2_queue_orphans fs/ocfs2/journal.c:2215 [inline]
 ocfs2_recover_orphans fs/ocfs2/journal.c:2299 [inline]
 ocfs2_complete_recovery+0xc37/0x20b0 fs/ocfs2/journal.c:1366
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x3e6 pfn:0x4818b
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 00000000000003e6 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE|__GFP_COMP), pid 5303, tgid 5303 (sftp-server), ts 88227355815, free_ts 110905575400
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 compaction_alloc_noprof mm/compaction.c:1836 [inline]
 compaction_alloc+0x3089/0x3490 mm/compaction.c:1847
 migrate_folio_unmap mm/migrate.c:1214 [inline]
 migrate_pages_batch+0x801/0x35e0 mm/migrate.c:1890
 migrate_pages_sync mm/migrate.c:2007 [inline]
 migrate_pages+0x1b9a/0x28e0 mm/migrate.c:2116
 compact_zone+0x25ba/0x4760 mm/compaction.c:2647
 kcompactd_do_work mm/compaction.c:3098 [inline]
 kcompactd+0x953/0x1250 mm/compaction.c:3192
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
page last free pid 30 tgid 30 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 migrate_folio_move mm/migrate.c:1412 [inline]
 migrate_folios_move mm/migrate.c:1721 [inline]
 migrate_pages_batch+0x22a3/0x35e0 mm/migrate.c:1977
 migrate_pages_sync mm/migrate.c:2007 [inline]
 migrate_pages+0x1b9a/0x28e0 mm/migrate.c:2116
 compact_zone+0x25ba/0x4760 mm/compaction.c:2647
 kcompactd_do_work mm/compaction.c:3098 [inline]
 kcompactd+0x953/0x1250 mm/compaction.c:3192
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Memory state around the buggy address:
 ffff88804818b680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804818b700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804818b780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88804818b800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804818b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
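Added triage helper for reports of this shape (example code, not syzkaller's or the kernel's): it parses the KASAN banner and access line, skips KASAN's own reporting frames to land on the frame where the bad access happened, collects the frames of one subsystem, and pulls the page_owner alloc/free stacks so the free can be attributed. It assumes stack frames are indented by one space as the kernel prints them; the sample input is a trimmed excerpt of the report above.

```python
"""Parse a KASAN report into the fields a triager reads first. Added example,
not kernel or syzkaller code; assumes the kernel's one-space frame indent."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^ (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)(?P<inline> \[inline\])?$")
ALLOC_RE = re.compile(r"^page last allocated .* pid (?P<pid>\d+), tgid \d+ \((?P<comm>[^)]+)\)")
FREE_RE = re.compile(r"^page last free pid (?P<pid>\d+) tgid \d+ stack trace:")
REPORTING_PREFIXES = ("mm/kasan/", "lib/dump_stack.c")  # KASAN's own frames, not the bug


@dataclass
class Frame:
    func: str
    loc: str
    inline: bool


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    loc: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    workqueue: str = ""
    trace: list = field(default_factory=list)
    alloc_pid: int = 0
    alloc_comm: str = ""
    alloc_stack: list = field(default_factory=list)
    free_pid: int = 0
    free_stack: list = field(default_factory=list)

    def culprit(self) -> Frame:
        """First frame past the KASAN/dump_stack machinery: where the access is."""
        return next(f for f in self.trace if not f.loc.startswith(REPORTING_PREFIXES))

    def frames_under(self, path_prefix: str) -> list:
        """Frames of one subsystem (e.g. 'fs/ocfs2/'), innermost first."""
        return [f for f in self.trace if f.loc.startswith(path_prefix)]

    def freed_by_migration(self) -> bool:
        """True when the page's last free ran from the page-migration code."""
        return any(f.func.startswith("migrate_") for f in self.free_stack)


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    section = None  # list currently receiving stack frames, or None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            r.kind, r.func, r.loc = m["kind"], m["func"], m["loc"]
        elif m := ACCESS_RE.search(line):
            r.op, r.size, r.addr, r.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Workqueue: "):
            r.workqueue = line[len("Workqueue: "):].strip()
        elif line.startswith("Call Trace:"):
            section = r.trace
        elif m := ALLOC_RE.match(line):
            r.alloc_pid, r.alloc_comm, section = int(m["pid"]), m["comm"], r.alloc_stack
        elif m := FREE_RE.match(line):
            r.free_pid, section = int(m["pid"]), r.free_stack
        elif m := FRAME_RE.match(line):
            if section is not None:
                section.append(Frame(m["func"], m["loc"], bool(m["inline"])))
        elif not line.strip():
            section = None  # a blank line ends a stack
    return r


# Trimmed excerpt of the report above, used as sample input.
SAMPLE = """\
BUG: KASAN: use-after-free in ocfs2_check_dir_entry+0x3a0/0x480 fs/ocfs2/dir.c:318
Read of size 2 at addr ffff88804818b780 by task kworker/u4:3/43

Workqueue: ocfs2_wq ocfs2_complete_recovery
Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 ocfs2_check_dir_entry+0x3a0/0x480 fs/ocfs2/dir.c:318
 ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1826 [inline]
 ocfs2_dir_foreach_blk+0xfff/0x1420 fs/ocfs2/dir.c:1954
 ocfs2_dir_foreach+0x42/0x70 fs/ocfs2/dir.c:1965
 ocfs2_queue_orphans fs/ocfs2/journal.c:2215 [inline]
 ocfs2_recover_orphans fs/ocfs2/journal.c:2299 [inline]
 ocfs2_complete_recovery+0xc37/0x20b0 fs/ocfs2/journal.c:1366
 process_one_work kernel/workqueue.c:3257 [inline]
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421

page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE|__GFP_COMP), pid 5303, tgid 5303 (sftp-server), ts 88227355815, free_ts 110905575400
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 compaction_alloc+0x3089/0x3490 mm/compaction.c:1847
 migrate_pages_batch+0x801/0x35e0 mm/migrate.c:1890
 kcompactd+0x953/0x1250 mm/compaction.c:3192
page last free pid 30 tgid 30 stack trace:
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 migrate_folio_move mm/migrate.c:1412 [inline]
 migrate_pages_batch+0x22a3/0x35e0 mm/migrate.c:1977
 kcompactd+0x953/0x1250 mm/compaction.c:3192

Memory state around the buggy address:
 ffff88804818b780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(rep.kind, rep.op, rep.size, "at", hex(rep.addr), "in", rep.culprit())
    print("freed by migration:", rep.freed_by_migration(), "by pid", rep.free_pid)
```

Run against this report it yields: a 2-byte read in ocfs2_check_dir_entry (fs/ocfs2/dir.c:318) from a kworker running ocfs2_complete_recovery, so there is no syscall in the faulting trace; the page was last freed by kcompactd (pid 30) through migrate_folio_move, i.e. page migration released it. The two ocfs2 ERROR lines preceding the banner report status -12 (ENOMEM) from the same worker and belong in the triage notes as context.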