KASAN: slab-out-of-bounds Read in dtReadFirst

Title	Replies (including bot)	Last reply
[syzbot] [jfs?] KASAN: slab-out-of-bounds Read in dtReadFirst	0 (2)	2025/07/09 18:31

Title

Replies (including bot)

Last reply

[syzbot] [jfs?] KASAN: slab-out-of-bounds Read in dtReadFirst

0 (2)

2025/07/09 18:31

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-6.1	UBSAN: array-index-out-of-bounds in dtReadFirst origin:lts-only	19	C		error	23	163d	327d	0/3	upstream: reported C repro on 2024/11/25 10:09
upstream	UBSAN: array-index-out-of-bounds in dtReadFirst jfs	19	C	error		200	307d	535d	28/29	fixed on 2024/12/16 09:50
linux-5.15	UBSAN: array-index-out-of-bounds in dtReadFirst origin:upstream	17	C		error	33	3d15h	538d	0/3	upstream: reported C repro on 2024/04/28 12:32
upstream	UBSAN: array-index-out-of-bounds in dtReadFirst (2) jfs	19	C	error		119	173d	301d	28/29	fixed on 2025/06/10 16:19

Created	Duration	User	Patch	Repo	Result
2025/09/13 16:40	17m	retest repro		upstream	report log
2025/07/31 13:56	39m	retest repro		git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	report log
2025/07/09 18:31	21m	dmantipov@yandex.ru	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 733923397fd95405a48f165c9b1fbc8c4b0a4681	OK log

Created

Duration

User

Patch

Repo

Result

2025/09/13 16:40

17m

retest repro

upstream

report log

2025/07/31 13:56

39m

retest repro

git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

report log

2025/07/09 18:31

21m

dmantipov@yandex.ru

patch

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 733923397fd95405a48f165c9b1fbc8c4b0a4681

OK log

loop0: detected capacity change from 0 to 32768 ================================================================== BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline] BUG: KASAN: slab-out-of-bounds in dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120 Read of size 4 at addr ffff888074d5c028 by task syz-executor123/5848 CPU: 0 UID: 0 PID: 5848 Comm: syz-executor123 Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 addressPXD fs/jfs/jfs_types.h:80 [inline] dtReadFirst+0x502/0x930 fs/jfs/jfs_dtree.c:3120 jfs_readdir+0x709/0x3ae0 fs/jfs/jfs_dtree.c:2832 wrap_directory_iterator+0x96/0xe0 fs/readdir.c:65 iterate_dir+0x5af/0x770 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:410 [inline] __se_sys_getdents64+0xe4/0x260 fs/readdir.c:396 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f13b44af6b9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe15ba1748 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 00007ffe15ba1918 RCX: 00007f13b44af6b9 RDX: 00000000000000a2 RSI: 00002000000002c0 RDI: 0000000000000005 RBP: 00007f13b4528610 R08: 0000000000000000 R09: 00007ffe15ba1918 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffe15ba1908 R14: 0000000000000001 R15: 0000000000000001 </TASK> Allocated by task 5848: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4148 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105 alloc_inode+0x6a/0x1b0 fs/inode.c:346 new_inode+0x22/0x170 fs/inode.c:1145 ialloc+0x4c/0x8f0 fs/jfs/jfs_inode.c:48 jfs_create+0x18d/0xa80 fs/jfs/namei.c:92 lookup_open fs/namei.c:3717 [inline] open_last_lookups fs/namei.c:3816 [inline] path_openat+0x14f4/0x3830 fs/namei.c:4052 do_filp_open+0x1fa/0x410 fs/namei.c:4082 do_sys_openat2+0x121/0x1c0 fs/open.c:1437 do_sys_open fs/open.c:1452 [inline] __do_sys_openat fs/open.c:1468 [inline] __se_sys_openat fs/open.c:1463 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1463 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888074d5b750 which belongs to the cache jfs_ip of size 2232 The buggy address is located 32 bytes to the right of allocated 2232-byte region [ffff888074d5b750, ffff888074d5c008) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74d58 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff8881432b5780 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff8881432b5780 dead000000000122 0000000000000000 head: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001d35601 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5848, tgid 5848 (syz-executor123), ts 94621289604, free_ts 30638481918 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 alloc_slab_page mm/slub.c:2451 [inline] allocate_slab+0x8a/0x3b0 mm/slub.c:2619 new_slab mm/slub.c:2673 [inline] ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859 __slab_alloc mm/slub.c:3949 [inline] __slab_alloc_node mm/slub.c:4024 [inline] slab_alloc_node mm/slub.c:4185 [inline] kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105 alloc_inode+0x6a/0x1b0 fs/inode.c:346 new_inode+0x22/0x170 fs/inode.c:1145 jfs_fill_super+0x569/0xd90 fs/jfs/super.c:511 get_tree_bdev_flags+0x40b/0x4d0 fs/super.c:1681 vfs_get_tree+0x92/0x2b0 fs/super.c:1804 do_new_mount+0x24a/0xa40 fs/namespace.c:3902 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount+0x317/0x410 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0xc65/0xe60 mm/page_alloc.c:2706 __free_pages mm/page_alloc.c:5071 [inline] free_contig_range+0x1bd/0x4a0 mm/page_alloc.c:6927 destroy_args+0x7e/0x5d0 mm/debug_vm_pgtable.c:1009 debug_vm_pgtable+0x412/0x450 mm/debug_vm_pgtable.c:1389 do_one_initcall+0x233/0x820 init/main.c:1274 do_initcall_level+0x137/0x1f0 init/main.c:1336 do_initcalls+0x69/0xd0 init/main.c:1352 kernel_init_freeable+0x3d9/0x570 init/main.c:1584 kernel_init+0x1d/0x1d0 init/main.c:1474 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff888074d5bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888074d5bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888074d5c000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888074d5c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888074d5c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Crashes (34):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2025/07/09 11:55	upstream	733923397fd9	f4e5e155	.config	strace log	report	syz / log	C		[disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)]	ci2-upstream-fs	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/09 11:01	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	ec4801305969	abade794	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/25 17:46	upstream	b6add54ba618	bf27483f	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/17 09:18	upstream	e2291551827f	44f8051e	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/10 07:06	upstream	561c80369df0	32a0e5ed	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/06 06:57	upstream	6bcdbd62bd56	ffe1dd46	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/03 04:04	upstream	eacf91b0c78a	7368264b	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/06/28 05:29	upstream	35e261cd95dd	fc9d8ee5	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/09/30 17:39	linux-next	3b9b1f8df454	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/11 07:56	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	bf45a62baffc	ff1712fe	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/02 14:31	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	49379ee0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/01 12:53	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	a1859138	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/09/30 11:06	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/09/30 10:01	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/19 11:29	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	8f5ae30d69d7	523f460e	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/08/11 01:13	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	82af5ea7c611	32a0e5ed	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/07/09 10:18	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	ec4801305969	abade794	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtReadFirst
2025/10/01 05:46	upstream	50c19e20ed2e	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 05:46	upstream	50c19e20ed2e	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 02:34	upstream	30d4efb2f5a5	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 17:39	upstream	30d4efb2f5a5	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/14 01:39	upstream	5cd64d4f9268	e2beed91	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-use-after-free Read in dtReadFirst
2025/08/25 17:46	upstream	b6add54ba618	bf27483f	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 17:39	linux-next	3b9b1f8df454	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	KASAN: slab-use-after-free Read in dtReadFirst
2025/10/02 14:31	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	49379ee0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/10/02 14:29	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	49379ee0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 12:53	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	a1859138	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/10/01 12:52	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	a1859138	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 14:04	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	65a0eece	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 11:05	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 11:04	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 11:04	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 10:04	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst
2025/09/30 10:03	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	2213e57a69f0	86341da6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtReadFirst

Crashes (34):

Assets (help?)

2025/07/09 11:55

upstream