KASAN: slab-out-of-bounds Read in dtSplitRoot


syzbot

Oct 14, 2022, 7:28:43 AM10/14/22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16efbf34880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=328f86b3e17c9a721855
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dd658a880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1377c90c880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/985605a75873/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+328f86...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0x140a/0x1590 fs/jfs/jfs_dtree.c:1985
Read of size 1 at addr ffff8880b5217fc0 by task syz-executor379/8101

CPU: 0 PID: 8101 Comm: syz-executor379 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
dtSplitRoot+0x140a/0x1590 fs/jfs/jfs_dtree.c:1985
dtSplitUp+0x10ce/0x4e70 fs/jfs/jfs_dtree.c:998
dtInsert+0x7fd/0xa00 fs/jfs/jfs_dtree.c:876
jfs_mkdir.part.0+0x3ef/0x870 fs/jfs/namei.c:282
jfs_mkdir+0x3f/0x60 fs/jfs/namei.c:222
vfs_mkdir+0x508/0x7a0 fs/namei.c:3819
do_mkdirat+0x262/0x2d0 fs/namei.c:3842
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fdddb73ffb9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc410adce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdddb73ffb9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fdddb6ff820 R08: 0000000000000000 R09: 00007fdddb6ff820
R10: 0000555555b0d2c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000

Allocated by task 1:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
kmem_cache_zalloc include/linux/slab.h:699 [inline]
__alloc_file+0x21/0x340 fs/file_table.c:100
alloc_empty_file+0x6d/0x170 fs/file_table.c:150
path_openat+0xe9/0x2df0 fs/namei.c:3526
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881
__do_softirq+0x265/0x980 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880b5217cc0
which belongs to the cache filp of size 456
The buggy address is located 312 bytes to the right of
456-byte region [ffff8880b5217cc0, ffff8880b5217e88)
The buggy address belongs to the page:
page:ffffea0002d485c0 count:1 mapcount:0 mapping:ffff88813be45080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002d48588 ffffea0002782a88 ffff88813be45080
raw: 0000000000000000 ffff8880b5217040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880b5217e80: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880b5217f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880b5217f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880b5218000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880b5218080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Oct 15, 2022, 6:33:41 PM10/15/22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9d5c0b3a8e1a Linux 4.14.295
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12e32762880000
kernel config: https://syzkaller.appspot.com/x/.config?x=746c079015a92425
dashboard link: https://syzkaller.appspot.com/bug?extid=33c9105dadf38db104ab
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1359a872880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=174fc90c880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ed6fcf5895a2/disk-9d5c0b3a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/341aa3534116/vmlinux-9d5c0b3a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/262f41fe21ba/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+33c910...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0x1330/0x14b0 fs/jfs/jfs_dtree.c:1984
Read of size 1 at addr ffff8880a1c3cfc0 by task syz-executor167/8007

CPU: 1 PID: 8007 Comm: syz-executor167 Not tainted 4.14.295-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
dtSplitRoot+0x1330/0x14b0 fs/jfs/jfs_dtree.c:1984
dtSplitUp+0xeee/0x47d0 fs/jfs/jfs_dtree.c:997
dtInsert+0x77c/0x9e0 fs/jfs/jfs_dtree.c:875
jfs_mkdir.part.0+0x38d/0x7e0 fs/jfs/namei.c:283
jfs_mkdir+0x35/0x50 fs/jfs/namei.c:223
vfs_mkdir+0x463/0x6e0 fs/namei.c:3851
SYSC_mkdirat fs/namei.c:3874 [inline]
SyS_mkdirat+0x1fd/0x270 fs/namei.c:3858
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fdd0a9b8fb9
RSP: 002b:00007ffd719056e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd0a9b8fb9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fdd0a978820 R08: 0000000000000000 R09: 00007fdd0a978820
R10: 00005555557682c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000

Allocated by task 4615:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
kmem_cache_zalloc include/linux/slab.h:651 [inline]
fill_pool lib/debugobjects.c:110 [inline]
__debug_object_init+0x578/0x7a0 lib/debugobjects.c:341
debug_object_init lib/debugobjects.c:393 [inline]
debug_object_activate+0x391/0x490 lib/debugobjects.c:474
debug_rcu_head_queue kernel/rcu/rcu.h:152 [inline]
__call_rcu.constprop.0+0x31/0x7d0 kernel/rcu/tree.c:3050
dentry_free+0xab/0x120 fs/dcache.c:363
__dentry_kill+0x3ff/0x550 fs/dcache.c:605
shrink_dentry_list+0x2ab/0xac0 fs/dcache.c:1043
shrink_dcache_sb+0x105/0x1b0 fs/dcache.c:1191
do_remount_sb+0xdd/0x530 fs/super.c:852
do_remount fs/namespace.c:2393 [inline]
do_mount+0x15f3/0x2a30 fs/namespace.c:2896
SYSC_mount fs/namespace.c:3121 [inline]
SyS_mount+0xa8/0x120 fs/namespace.c:3098
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 24:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
free_obj_work+0x200/0x570 lib/debugobjects.c:207
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff8880a1c3cf50
which belongs to the cache debug_objects_cache of size 40
The buggy address is located 72 bytes to the right of
40-byte region [ffff8880a1c3cf50, ffff8880a1c3cf78)
The buggy address belongs to the page:
page:ffffea0002870f00 count:1 mapcount:0 mapping:ffff8880a1c3c000 index:0xffff8880a1c3cfb9
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880a1c3c000 ffff8880a1c3cfb9 0000000100000030
raw: ffffea0002c08d20 ffffea0002d82b20 ffff88813fe6bdc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880a1c3ce80: 00 00 00 fc fc 00 00 00 00 00 fc fc fb fb fb fb
ffff8880a1c3cf00: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
>ffff8880a1c3cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a1c3d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a1c3d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00