Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_flush_truncate_log

[syzbot <syzbot+4d55dad3a9e8e9f7d2b5@syzkaller.appspotmail.com>]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: signed-integer-overflow in ip_idents_reserve

================================================================================
UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
895131917 + 1491632920 cannot be represented in type 'int'
CPU: 0 PID: 127 Comm: kworker/u4:3 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
Call Trace:
 <IRQ>
 dump_stack+0xfd/0x16e lib/dump_stack.c:118
 ubsan_epilogue+0xa/0x30 lib/ubsan.c:148
 handle_overflow+0x192/0x1b0 lib/ubsan.c:180
 arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
 atomic_add_return include/asm-generic/atomic-instrumented.h:73 [inline]
 ip_idents_reserve+0x14a/0x170 net/ipv4/route.c:521
 __ip_select_ident+0xe4/0x1c0 net/ipv4/route.c:538
 ip_select_ident_segs include/net/ip.h:525 [inline]
 ip_select_ident include/net/ip.h:532 [inline]
 __ip_make_skb+0xf78/0x19b0 net/ipv4/ip_output.c:1551
 ip_finish_skb include/net/ip.h:244 [inline]
 ip_push_pending_frames+0x2c/0x150 net/ipv4/ip_output.c:1606
 __icmp_send+0xc22/0xf70 net/ipv4/icmp.c:776
 icmp_send include/net/icmp.h:43 [inline]
 __udp4_lib_rcv+0x14e9/0x2070 net/ipv4/udp.c:2438
 ip_protocol_deliver_rcu+0x405/0x7e0 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x1d5/0x330 net/ipv4/ip_input.c:231
 NF_HOOK+0x258/0x2c0 include/linux/netfilter.h:296
 NF_HOOK+0x258/0x2c0 include/linux/netfilter.h:296
 __netif_receive_skb_one_core net/core/dev.c:5395 [inline]
 __netif_receive_skb+0x144/0x380 net/core/dev.c:5509
 process_backlog+0x4ef/0x6e0 net/core/dev.c:6416
 napi_poll net/core/dev.c:6867 [inline]
 net_rx_action+0x4b1/0xc30 net/core/dev.c:6937
 __do_softirq+0x267/0x92e kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x9b/0xe0 arch/x86/kernel/irq_64.c:77
 do_softirq+0xc4/0x100 kernel/softirq.c:343
 __local_bh_enable_ip+0x121/0x160 kernel/softirq.c:195
 wg_socket_send_skb_to_peer+0x167/0x1c0 drivers/net/wireguard/socket.c:184
 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
 wg_packet_handshake_send_worker+0x16b/0x280 drivers/net/wireguard/send.c:51
 process_one_work+0x85b/0xfe0 kernel/workqueue.c:2282
 worker_thread+0xa9b/0x1430 kernel/workqueue.c:2428
 kthread+0x384/0x410 kernel/kthread.c:328
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
================================================================================


Tested on:

commit:         d3d0b4e2 Linux 5.10.245
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14627734580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bf23b541eb2e03cb
dashboard link: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11ba8c92580000