syzbot

==================================================================
BUG: KASAN: out-of-bounds in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: out-of-bounds in atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]
BUG: KASAN: out-of-bounds in put_bh include/linux/buffer_head.h:302 [inline]
BUG: KASAN: out-of-bounds in end_buffer_read_sync+0xc1/0xd0 fs/buffer.c:161
Write of size 4 at addr ffffc90003c07660 by task kworker/u8:3/53

CPU: 0 UID: 0 PID: 53 Comm: kworker/u8:3 Not tainted 6.14.0-rc7-syzkaller-00196-g88d324e69ea9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue:  0x0 (loop0)
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]
 put_bh include/linux/buffer_head.h:302 [inline]
 end_buffer_read_sync+0xc1/0xd0 fs/buffer.c:161
 end_bio_bh_io_sync+0xc1/0x120 fs/buffer.c:2766
 blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
 blk_complete_reqs block/blk-mq.c:1220 [inline]
 blk_done_softirq+0x102/0x150 block/blk-mq.c:1225
 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0xa3/0xc0 arch/x86/kernel/smp.c:266
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:122 [inline]
RIP: 0010:lock_release+0x125/0xa30 kernel/locking/lockdep.c:5864
Code: 8b 05 4f 8f 65 7e 85 c0 0f 85 46 05 00 00 65 48 8b 04 25 80 d6 03 00 48 89 44 24 20 48 8d 98 ec 0a 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 fb 05 00 00 83 3b 00 0f 85 14 05 00 00
RSP: 0018:ffffc90000be7bc0 EFLAGS: 00000217
RAX: 1ffff11003bd48dd RBX: ffff88801dea46ec RCX: ffffffff819cfae0
RDX: 0000000000000000 RSI: ffffffff8c810080 RDI: ffffffff8c810040
RBP: ffffc90000be7ce8 R08: ffffffff903cfb77 R09: 1ffffffff2079f6e
R10: dffffc0000000000 R11: fffffbfff2079f6f R12: 1ffff9200017cf84
R13: ffffffff8c0a1b10 R14: ffffffff8e9f6b80 R15: dffffc0000000000
 sched_submit_work kernel/sched/core.c:6823 [inline]
 schedule+0x127/0x320 kernel/sched/core.c:6856
 worker_thread+0xa30/0xd30 kernel/workqueue.c:3415
 kthread+0x7ab/0x920 kernel/kthread.c:464
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90003c00000, ffffc90003c09000) created by:
 copy_process+0x5d1/0x3cf0 kernel/fork.c:2233

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x1f0 pfn:0x2fff4
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 00000000000001f0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5839, tgid 5839 (syz-executor111), ts 96823546505, free_ts 96731282802
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4740
 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
 alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
 alloc_pages_noprof+0x121/0x190 mm/mempolicy.c:2361
 vm_area_alloc_pages mm/vmalloc.c:3591 [inline]
 __vmalloc_area_node mm/vmalloc.c:3669 [inline]
 __vmalloc_node_range_noprof+0x9c6/0x1380 mm/vmalloc.c:3846
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct+0x444/0x8c0 kernel/fork.c:1127
 copy_process+0x5d1/0x3cf0 kernel/fork.c:2233
 kernel_clone+0x226/0x8e0 kernel/fork.c:2815
 __do_sys_clone kernel/fork.c:2958 [inline]
 __se_sys_clone kernel/fork.c:2942 [inline]
 __x64_sys_clone+0x267/0x2e0 kernel/fork.c:2942
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5839 tgid 5839 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_folios+0xe40/0x18b0 mm/page_alloc.c:2707
 folios_put_refs+0x76c/0x860 mm/swap.c:994
 folio_batch_release include/linux/pagevec.h:101 [inline]
 truncate_inode_pages_range+0x460/0x10e0 mm/truncate.c:330
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:670
 blkdev_put_whole block/bdev.c:677 [inline]
 bdev_release+0x460/0x700 block/bdev.c:1102
 blkdev_release+0x15/0x20 block/fops.c:660
 __fput+0x3eb/0x9f0 fs/file_table.c:464
 task_work_run+0x251/0x310 kernel/task_work.c:227
 ptrace_notify+0x2d9/0x380 kernel/signal.c:2522
 ptrace_report_syscall include/linux/ptrace.h:415 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
 syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
 syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90003c07500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90003c07580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90003c07600: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
                                                          ^
 ffffc90003c07680: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 01 f3 f3 f3
 ffffc90003c07700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	8b 05 4f 8f 65 7e    	mov    0x7e658f4f(%rip),%eax        # 0x7e658f55
   6:	85 c0                	test   %eax,%eax
   8:	0f 85 46 05 00 00    	jne    0x554
   e:	65 48 8b 04 25 80 d6 	mov    %gs:0x3d680,%rax
  15:	03 00
  17:	48 89 44 24 20       	mov    %rax,0x20(%rsp)
  1c:	48 8d 98 ec 0a 00 00 	lea    0xaec(%rax),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 fb 05 00 00    	jne    0x632
  37:	83 3b 00             	cmpl   $0x0,(%rbx)
  3a:	0f 85 14 05 00 00    	jne    0x554