[moderation] [jfs?] KASAN: slab-out-of-bounds Read in dtReadFirst
2 views
Skip to first unread message
syzbot
Jul 2, 2025, 1:37:32 AM7/2/25
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 35e261cd95dd Merge tag 'acpi-6.16-rc4' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f6508c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=79da270cec5ffd65
dashboard link: https://syzkaller.appspot.com/bug?extid=e8672e997d29f64e92d2
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
CC: [jfs-dis...@lists.sourceforge.net linux-...@vger.kernel.org sha...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-35e261cd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c1a9d0d2c80/vmlinux-35e261cd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/604ca2f72c49/bzImage-35e261cd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8672e...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
BUG: KASAN: slab-out-of-bounds in dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120
Read of size 4 at addr ffff888044054028 by task syz.0.0/5318
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00233-g35e261cd95dd #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
addressPXD fs/jfs/jfs_types.h:80 [inline]
dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120
jfs_readdir+0x709/0x3ae0 fs/jfs/jfs_dtree.c:2832
wrap_directory_iterator+0x93/0xe0 fs/readdir.c:65
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5a5458e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5a554e0038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f5a547b5fa0 RCX: 00007f5a5458e929
RDX: 0000000000000099 RSI: 0000200000000400 RDI: 0000000000000007
RBP: 00007f5a54610b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5a547b5fa0 R15: 00007ffff1970c88
</TASK>
Allocated by task 5318:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode+0x6a/0x1b0 fs/inode.c:346
new_inode+0x22/0x170 fs/inode.c:1145
ialloc+0x4c/0x8f0 fs/jfs/jfs_inode.c:48
jfs_create+0x18d/0xa80 fs/jfs/namei.c:92
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x14f1/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888044053750
which belongs to the cache jfs_ip of size 2232
The buggy address is located 32 bytes to the right of
allocated 2232-byte region [ffff888044053750, ffff888044054008)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44050
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888043224701
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff888032509b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 ffff888043224701
head: 04fff00000000040 ffff888032509b40 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 ffff888043224701
head: 04fff00000000003 ffffea0001101401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5318, tgid 5317 (syz.0.0), ts 75506420002, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode+0x6a/0x1b0 fs/inode.c:346
new_inode+0x22/0x170 fs/inode.c:1145
jfs_fill_super+0x569/0xd90 fs/jfs/super.c:511
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681
vfs_get_tree+0x92/0x2b0 fs/super.c:1804
do_new_mount+0x24a/0xa40 fs/namespace.c:3902
do_mount fs/namespace.c:4239 [inline]
__do_sys_mount fs/namespace.c:4450 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4427
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
page_owner free stack trace missing
Memory state around the buggy address:
ffff888044053f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888044053f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888044054000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888044054080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888044054100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 35e261cd95dd Merge tag 'acpi-6.16-rc4' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f6508c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=79da270cec5ffd65
dashboard link: https://syzkaller.appspot.com/bug?extid=e8672e997d29f64e92d2
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
CC: [jfs-dis...@lists.sourceforge.net linux-...@vger.kernel.org sha...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-35e261cd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c1a9d0d2c80/vmlinux-35e261cd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/604ca2f72c49/bzImage-35e261cd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8672e...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
BUG: KASAN: slab-out-of-bounds in dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120
Read of size 4 at addr ffff888044054028 by task syz.0.0/5318
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00233-g35e261cd95dd #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
addressPXD fs/jfs/jfs_types.h:80 [inline]
dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120
jfs_readdir+0x709/0x3ae0 fs/jfs/jfs_dtree.c:2832
wrap_directory_iterator+0x93/0xe0 fs/readdir.c:65
iterate_dir+0x5ac/0x770 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5a5458e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5a554e0038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f5a547b5fa0 RCX: 00007f5a5458e929
RDX: 0000000000000099 RSI: 0000200000000400 RDI: 0000000000000007
RBP: 00007f5a54610b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5a547b5fa0 R15: 00007ffff1970c88
</TASK>
Allocated by task 5318:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode+0x6a/0x1b0 fs/inode.c:346
new_inode+0x22/0x170 fs/inode.c:1145
ialloc+0x4c/0x8f0 fs/jfs/jfs_inode.c:48
jfs_create+0x18d/0xa80 fs/jfs/namei.c:92
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x14f1/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888044053750
which belongs to the cache jfs_ip of size 2232
The buggy address is located 32 bytes to the right of
allocated 2232-byte region [ffff888044053750, ffff888044054008)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44050
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888043224701
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff888032509b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 ffff888043224701
head: 04fff00000000040 ffff888032509b40 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 ffff888043224701
head: 04fff00000000003 ffffea0001101401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5318, tgid 5317 (syz.0.0), ts 75506420002, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216
jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
alloc_inode+0x6a/0x1b0 fs/inode.c:346
new_inode+0x22/0x170 fs/inode.c:1145
jfs_fill_super+0x569/0xd90 fs/jfs/super.c:511
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681
vfs_get_tree+0x92/0x2b0 fs/super.c:1804
do_new_mount+0x24a/0xa40 fs/namespace.c:3902
do_mount fs/namespace.c:4239 [inline]
__do_sys_mount fs/namespace.c:4450 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4427
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
page_owner free stack trace missing
Memory state around the buggy address:
ffff888044053f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888044053f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888044054000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888044054080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888044054100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jul 9, 2025, 7:01:33 AM7/9/25
to syzkaller-upst...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: ec4801305969 Merge branches 'for-next/core' and 'for-next/..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1693ea8c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e99b6fcd403d050
dashboard link: https://syzkaller.appspot.com/bug?extid=e8672e997d29f64e92d2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1774ff70580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1193ea8c580000
CC: [jfs-dis...@lists.sourceforge.net linux-...@vger.kernel.org sha...@kernel.org]
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/64d8dc107d9d/disk-ec480130.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/31280b2dee28/vmlinux-ec480130.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b3f9fb3d09f8/Image-ec480130.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7dab6c48056d/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1374ff70580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8672e...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
BUG: KASAN: slab-out-of-bounds in dtReadFirst+0x408/0x7b8 fs/jfs/jfs_dtree.c:3120
Read of size 4 at addr ffff0000e3e6c028 by task syz.0.16/6711
CPU: 1 UID: 0 PID: 6711 Comm: syz.0.16 Not tainted 6.16.0-rc5-syzkaller-gec4801305969 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
addressPXD fs/jfs/jfs_types.h:80 [inline]
dtReadFirst+0x408/0x7b8 fs/jfs/jfs_dtree.c:3120
jfs_readdir+0x548/0x3018 fs/jfs/jfs_dtree.c:2832
wrap_directory_iterator+0x90/0xf0 fs/readdir.c:65
shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
iterate_dir+0x458/0x5e0 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64 fs/readdir.c:396 [inline]
__arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Allocated by task 6711:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:345
jfs_alloc_inode+0x2c/0x68 fs/jfs/super.c:105
alloc_inode+0x68/0x19c fs/inode.c:346
new_inode+0x2c/0x130 fs/inode.c:1145
ialloc+0x54/0x78c fs/jfs/jfs_inode.c:48
jfs_create+0x170/0x8c4 fs/jfs/namei.c:92
do_filp_open+0x18c/0x36c fs/namei.c:4082
do_sys_openat2+0x11c/0x1b4 fs/open.c:1437
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
The buggy address belongs to the object at ffff0000e3e6b750
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123e68
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c47e08c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 ffff0000d151df01
head: 05ffc00000000040 ffff0000c47e08c0 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 ffff0000d151df01
head: 05ffc00000000003 fffffdffc38f9a01 00000000ffffffff 00000000ffffffff
ffff0000e3e6bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e3e6c000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000e3e6c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000e3e6c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop0): dtReadFirst: btstack overrun
ERROR: (device loop0): remounting filesystem as read-only
btstack dump:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: ec4801305969 Merge branches 'for-next/core' and 'for-next/..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1693ea8c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e99b6fcd403d050
dashboard link: https://syzkaller.appspot.com/bug?extid=e8672e997d29f64e92d2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1774ff70580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1193ea8c580000
CC: [jfs-dis...@lists.sourceforge.net linux-...@vger.kernel.org sha...@kernel.org]
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/64d8dc107d9d/disk-ec480130.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/31280b2dee28/vmlinux-ec480130.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b3f9fb3d09f8/Image-ec480130.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7dab6c48056d/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1374ff70580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e8672e...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
Read of size 4 at addr ffff0000e3e6c028 by task syz.0.16/6711
CPU: 1 UID: 0 PID: 6711 Comm: syz.0.16 Not tainted 6.16.0-rc5-syzkaller-gec4801305969 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
addressPXD fs/jfs/jfs_types.h:80 [inline]
dtReadFirst+0x408/0x7b8 fs/jfs/jfs_dtree.c:3120
jfs_readdir+0x548/0x3018 fs/jfs/jfs_dtree.c:2832
wrap_directory_iterator+0x90/0xf0 fs/readdir.c:65
shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
iterate_dir+0x458/0x5e0 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:410 [inline]
__se_sys_getdents64 fs/readdir.c:396 [inline]
__arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Allocated by task 6711:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x23c/0x3ec mm/slub.c:4216
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
jfs_alloc_inode+0x2c/0x68 fs/jfs/super.c:105
alloc_inode+0x68/0x19c fs/inode.c:346
new_inode+0x2c/0x130 fs/inode.c:1145
ialloc+0x54/0x78c fs/jfs/jfs_inode.c:48
jfs_create+0x170/0x8c4 fs/jfs/namei.c:92
lookup_open fs/namei.c:3717 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0x12d8/0x2c40 fs/namei.c:4052
open_last_lookups fs/namei.c:3816 [inline]
do_filp_open+0x18c/0x36c fs/namei.c:4082
do_sys_openat2+0x11c/0x1b4 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__arm64_sys_openat+0x120/0x158 fs/open.c:1463
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
The buggy address belongs to the object at ffff0000e3e6b750
which belongs to the cache jfs_ip of size 2232
The buggy address is located 32 bytes to the right of
allocated 2232-byte region [ffff0000e3e6b750, ffff0000e3e6c008)
The buggy address is located 32 bytes to the right of
The buggy address belongs to the physical page:
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000d151df01
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c47e08c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 ffff0000d151df01
head: 05ffc00000000040 ffff0000c47e08c0 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 ffff0000d151df01
head: 05ffc00000000003 fffffdffc38f9a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e3e6bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e3e6bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e3e6c000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000e3e6c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000e3e6c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop0): dtReadFirst: btstack overrun
ERROR: (device loop0): remounting filesystem as read-only
btstack dump:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Jul 9, 2025, 7:02:23 AM7/9/25
to syzkaller-upst...@googlegroups.com
Sending this report to the next reporting stage.
Reply all
Reply to author
Forward
0 new messages