syzbot


KASAN: slab-out-of-bounds Read in dtReadFirst

Status: upstream: reported C repro on 2025/07/09 11:02
Subsystems: jfs
Reported-by: syzbot+2de68371153f0da8af8c@syzkaller.appspotmail.com
First crash: 117d, last: 16m
Cause bisection: failed (error log, bisect log)
  
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [jfs?] KASAN: slab-out-of-bounds Read in dtReadFirst | 0 (2) | 2025/07/09 18:31
Similar bugs (4)
Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-6.1 | UBSAN: array-index-out-of-bounds in dtReadFirst origin:lts-only | 19 | C | error | | 23 | 168d | 332d | 0/3 | upstream: reported C repro on 2024/11/25 10:09
upstream | UBSAN: array-index-out-of-bounds in dtReadFirst jfs | 19 | C | error | | 200 | 312d | 540d | 28/29 | fixed on 2024/12/16 09:50
linux-5.15 | UBSAN: array-index-out-of-bounds in dtReadFirst origin:upstream | 17 | C | error | | 33 | 8d15h | 543d | 0/3 | upstream: reported C repro on 2024/04/28 12:32
upstream | UBSAN: array-index-out-of-bounds in dtReadFirst (2) jfs | 19 | C | error | | 119 | 178d | 306d | 28/29 | fixed on 2025/06/10 16:19
Last patch testing requests (3)
Created | Duration | User | Patch | Repo | Result
2025/09/13 16:40 | 17m | retest repro | | upstream | report log
2025/07/31 13:56 | 39m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log
2025/07/09 18:31 | 21m | dmantipov@yandex.ru | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 733923397fd95405a48f165c9b1fbc8c4b0a4681 | OK log

Sample crash report:
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
BUG: KASAN: slab-out-of-bounds in dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120
Read of size 4 at addr ffff8880579f2f60 by task syz.0.17/6065

CPU: 1 UID: 0 PID: 6065 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 addressPXD fs/jfs/jfs_types.h:80 [inline]
 dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120
 jfs_readdir+0x70c/0x3ae0 fs/jfs/jfs_dtree.c:2832
 wrap_directory_iterator+0x99/0xe0 fs/readdir.c:65
 iterate_dir+0x3a5/0x580 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa5ebbbefc9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcda5c8d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fa5ebe15fa0 RCX: 00007fa5ebbbefc9
RDX: 0000000000000099 RSI: 0000200000000400 RDI: 0000000000000005
RBP: 00007fa5ebc41f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa5ebe15fa0 R14: 00007fa5ebe15fa0 R15: 0000000000000003
 </TASK>

The buggy address belongs to the object at ffff8880579f2700
 which belongs to the cache jfs_ip of size 2368
The buggy address is located 2144 bytes inside of
 allocated 2368-byte region [ffff8880579f2700, ffff8880579f3040)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x579f0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888048eb4c01
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88801eb4ba00 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 ffff888048eb4c01
head: 0080000000000040 ffff88801eb4ba00 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 ffff888048eb4c01
head: 0080000000000003 ffffea00015e7c01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6065, tgid 6065 (syz.0.17), ts 121611315597, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3046 [inline]
 allocate_slab+0x96/0x3a0 mm/slub.c:3219
 new_slab mm/slub.c:3273 [inline]
 ___slab_alloc+0xb12/0x13f0 mm/slub.c:4643
 __slab_alloc+0xc6/0x1f0 mm/slub.c:4762
 __slab_alloc_node mm/slub.c:4838 [inline]
 slab_alloc_node mm/slub.c:5260 [inline]
 kmem_cache_alloc_lru_noprof+0xf0/0x6b0 mm/slub.c:5291
 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
 alloc_inode+0x6a/0x1b0 fs/inode.c:346
 new_inode+0x22/0x170 fs/inode.c:1145
 diReadSpecial+0x52/0x710 fs/jfs/jfs_imap.c:426
 jfs_mount+0x174/0x870 fs/jfs/jfs_mount.c:108
 jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691
 vfs_get_tree+0x92/0x2b0 fs/super.c:1751
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880579f2e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880579f2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880579f2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                       ^
 ffff8880579f2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880579f3000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (37):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/10/23 16:24 | upstream | 43e9ad0c55a3 | c0460fcd | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-upstream-fs | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/09 11:55 | upstream | 733923397fd9 | f4e5e155 | .config | strace log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-upstream-fs | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/22 09:48 | upstream | 552c50713f27 | 252fbbad | .config | console log | report | syz / log | C | | [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-snapshot-upstream-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/09 11:01 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | ec4801305969 | abade794 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/25 17:46 | upstream | b6add54ba618 | bf27483f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/17 09:18 | upstream | e2291551827f | 44f8051e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/22 09:08 | upstream | 552c50713f27 | 252fbbad | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/10 07:06 | upstream | 561c80369df0 | 32a0e5ed | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/06 06:57 | upstream | 6bcdbd62bd56 | ffe1dd46 | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/03 04:04 | upstream | eacf91b0c78a | 7368264b | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/06/28 05:29 | upstream | 35e261cd95dd | fc9d8ee5 | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/09/30 17:39 | linux-next | 3b9b1f8df454 | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/11 07:56 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | bf45a62baffc | ff1712fe | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/02 14:31 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 49379ee0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/01 12:53 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | a1859138 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/09/30 11:06 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/09/30 10:01 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/19 11:29 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 8f5ae30d69d7 | 523f460e | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/11 01:13 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 82af5ea7c611 | 32a0e5ed | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/09 10:18 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | ec4801305969 | abade794 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/01 05:46 | upstream | 50c19e20ed2e | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 05:46 | upstream | 50c19e20ed2e | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 02:34 | upstream | 30d4efb2f5a5 | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 17:39 | upstream | 30d4efb2f5a5 | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/14 01:39 | upstream | 5cd64d4f9268 | e2beed91 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-use-after-free Read in dtReadFirst
2025/08/25 17:46 | upstream | b6add54ba618 | bf27483f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 17:39 | linux-next | 3b9b1f8df454 | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in dtReadFirst
2025/10/02 14:31 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 49379ee0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/10/02 14:29 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 49379ee0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 12:53 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | a1859138 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 12:52 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | a1859138 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 14:04 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 65a0eece | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 11:05 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 11:04 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 11:04 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 10:04 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 10:03 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 2213e57a69f0 | 86341da6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in dtReadFirst
* Struck through repros no longer work on HEAD.