./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2029773333 <...> Warning: Permanently added '10.128.1.129' (ED25519) to the list of known hosts. execve("./syz-executor2029773333", ["./syz-executor2029773333"], 0x7ffc05b14dd0 /* 10 vars */) = 0 brk(NULL) = 0x5555569d0000 brk(0x5555569d0d00) = 0x5555569d0d00 arch_prctl(ARCH_SET_FS, 0x5555569d0380) = 0 set_tid_address(0x5555569d0650) = 5020 set_robust_list(0x5555569d0660, 24) = 0 rseq(0x5555569d0ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2029773333", 4096) = 28 getrandom("\x38\x45\x45\xf0\xc0\xc6\xa4\x23", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555569d0d00 brk(0x5555569f1d00) = 0x5555569f1d00 brk(0x5555569f2000) = 0x5555569f2000 mprotect(0x7ffb74967000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.9pxnuq", 0700) = 0 chmod("./syzkaller.9pxnuq", 0777) = 0 chdir("./syzkaller.9pxnuq") = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555569d0650) = 5021 ./strace-static-x86_64: Process 5021 attached [pid 5021] set_robust_list(0x5555569d0660, 24) = 0 [pid 5021] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5021] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5021] setsid() = 1 [pid 5021] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5021] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5021] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5021] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5021] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5021] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5021] unshare(CLONE_NEWNS) = 0 [pid 5021] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5021] unshare(CLONE_NEWIPC) = 0 [pid 5021] unshare(CLONE_NEWCGROUP) = 0 [pid 5021] unshare(CLONE_NEWUTS) = 0 [pid 5021] unshare(CLONE_SYSVSEM) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "16777216", 8) = 8 [pid 5021] close(3) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "536870912", 9) = 9 [pid 5021] close(3) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "1024", 4) = 4 [pid 5021] close(3) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "8192", 4) = 4 [pid 5021] close(3) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "1024", 4) = 4 [pid 5021] close(3) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "1024", 4) = 4 [pid 5021] close(3) = 0 [pid 5021] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5021] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5021] close(3) = 0 [pid 5021] getpid() = 1 [pid 5021] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [ 42.806933][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 42.811539][ T5021] print_report+0xc4/0x620 [ 42.815950][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 42.820987][ T5021] kasan_report+0xda/0x110 [ 42.825398][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 42.831288][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 42.837178][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 42.842894][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 42.847738][ T5021] free_journal_ram+0x160/0x650 [ 42.852584][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 42.857775][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 42.862623][ T5021] journal_release+0x2a4/0x660 [ 42.867376][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 42.874043][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 42.879006][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 42.884300][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 42.889846][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 42.895143][ T5021] generic_shutdown_super+0x158/0x480 [ 42.900508][ T5021] kill_block_super+0x64/0xb0 [ 42.905197][ T5021] deactivate_locked_super+0x9a/0x170 [ 42.910561][ T5021] deactivate_super+0xde/0x100 [ 42.915314][ T5021] cleanup_mnt+0x222/0x3d0 [ 42.919728][ T5021] task_work_run+0x14d/0x240 [ 42.924317][ T5021] ? task_work_cancel+0x30/0x30 [ 42.929186][ T5021] ? __put_net+0x61/0x70 [ 42.933429][ T5021] do_exit+0xa99/0x2a20 [ 42.937583][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 42.942350][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 42.947717][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 42.952741][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 42.958112][ T5021] ? spin_bug+0x1d0/0x1d0 [ 42.962441][ T5021] do_group_exit+0xd4/0x2a0 [ 42.966943][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 42.971966][ T5021] do_syscall_64+0x38/0xb0 [ 42.976375][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 42.982259][ T5021] RIP: 0033:0x7ffb748ef849 [ 42.986661][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 42.993659][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 43.002058][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 43.010020][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 43.017976][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 43.026044][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 43.034012][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 43.041980][ T5021] [ 43.044991][ T5021] [ 43.047300][ T5021] The buggy address belongs to the virtual mapping at [ 43.047300][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 43.047300][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 43.066310][ T5021] [ 43.068620][ T5021] The buggy address belongs to the physical page: [ 43.075012][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 43.085148][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 43.092246][ T5021] page_type: 0xffffffff() [ 43.096559][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 43.105130][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 43.113693][ T5021] page dumped because: kasan: bad access detected [ 43.120090][ T5021] page_owner tracks the page as allocated [ 43.125782][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 43.145305][ T5021] post_alloc_hook+0x2d2/0x350 [ 43.150065][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 43.155603][ T5021] __alloc_pages+0x1d0/0x4a0 [ 43.160189][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 43.165290][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 43.171518][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 43.176879][ T5021] vzalloc+0x6b/0x80 [ 43.180764][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 43.186740][ T5021] journal_init+0x3e2/0x64b0 [ 43.191317][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 43.196504][ T5021] mount_bdev+0x30d/0x3d0 [ 43.200821][ T5021] legacy_get_tree+0x109/0x220 [ 43.205571][ T5021] vfs_get_tree+0x88/0x350 [ 43.209978][ T5021] path_mount+0x1492/0x1ed0 [ 43.214469][ T5021] __x64_sys_mount+0x293/0x310 [ 43.219221][ T5021] do_syscall_64+0x38/0xb0 [ 43.223624][ T5021] page last free stack trace: [ 43.228277][ T5021] free_unref_page_prepare+0x508/0xb90 [ 43.233726][ T5021] free_unref_page_list+0xe6/0xb30 [ 43.238836][ T5021] release_pages+0x32a/0x14e0 [ 43.243498][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 43.248686][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 43.253349][ T5021] exit_mmap+0x2db/0x960 [ 43.257578][ T5021] __mmput+0x12a/0x4d0 [ 43.261632][ T5021] mmput+0x62/0x70 [ 43.265336][ T5021] do_exit+0x9b4/0x2a20 [ 43.269480][ T5021] do_group_exit+0xd4/0x2a0 [ 43.273974][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 43.279004][ T5021] do_syscall_64+0x38/0xb0 [ 43.283403][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.289280][ T5021] [ 43.291584][ T5021] Memory state around the buggy address: [ 43.297193][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.305330][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.313374][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.321417][ T5021] ^ [ 43.325727][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.333770][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.341813][ T5021] ================================================================== [ 43.350113][ T5021] Disabling lock debugging due to kernel taint [ 43.356342][ T5021] ================================================================== [ 43.364422][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 43.373269][ T5021] Read of size 8 at addr ffffc90000b1e010 by task syz-executor202/5021 [ 43.381494][ T5021] [ 43.383805][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 43.393937][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 43.403979][ T5021] Call Trace: [ 43.407245][ T5021] [ 43.410161][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 43.414745][ T5021] print_report+0xc4/0x620 [ 43.419156][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 43.424172][ T5021] kasan_report+0xda/0x110 [ 43.428580][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 43.434466][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 43.440361][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 43.446078][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 43.450919][ T5021] free_journal_ram+0x160/0x650 [ 43.455764][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 43.460958][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 43.465804][ T5021] journal_release+0x2a4/0x660 [ 43.470576][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 43.477247][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 43.482175][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 43.487448][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 43.492992][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 43.498268][ T5021] generic_shutdown_super+0x158/0x480 [ 43.503627][ T5021] kill_block_super+0x64/0xb0 [ 43.508290][ T5021] deactivate_locked_super+0x9a/0x170 [ 43.513650][ T5021] deactivate_super+0xde/0x100 [ 43.518400][ T5021] cleanup_mnt+0x222/0x3d0 [ 43.522817][ T5021] task_work_run+0x14d/0x240 [ 43.527484][ T5021] ? task_work_cancel+0x30/0x30 [ 43.532360][ T5021] ? __put_net+0x61/0x70 [ 43.536595][ T5021] do_exit+0xa99/0x2a20 [ 43.540751][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 43.545542][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 43.550928][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 43.556033][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 43.561399][ T5021] ? spin_bug+0x1d0/0x1d0 [ 43.565723][ T5021] do_group_exit+0xd4/0x2a0 [ 43.570225][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 43.575266][ T5021] do_syscall_64+0x38/0xb0 [ 43.579671][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.585577][ T5021] RIP: 0033:0x7ffb748ef849 [ 43.589992][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 43.596991][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 43.605389][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 43.613352][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 43.621311][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 43.629269][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 43.637228][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 43.645190][ T5021] [ 43.648197][ T5021] [ 43.650537][ T5021] The buggy address belongs to the virtual mapping at [ 43.650537][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 43.650537][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 43.669564][ T5021] [ 43.671872][ T5021] The buggy address belongs to the physical page: [ 43.678261][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 43.688394][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 43.695495][ T5021] page_type: 0xffffffff() [ 43.699814][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 43.708379][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 43.716945][ T5021] page dumped because: kasan: bad access detected [ 43.723341][ T5021] page_owner tracks the page as allocated [ 43.729056][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 43.748499][ T5021] post_alloc_hook+0x2d2/0x350 [ 43.753263][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 43.758802][ T5021] __alloc_pages+0x1d0/0x4a0 [ 43.763385][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 43.768492][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 43.774735][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 43.780010][ T5021] vzalloc+0x6b/0x80 [ 43.783893][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 43.789867][ T5021] journal_init+0x3e2/0x64b0 [ 43.794441][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 43.799631][ T5021] mount_bdev+0x30d/0x3d0 [ 43.803953][ T5021] legacy_get_tree+0x109/0x220 [ 43.808737][ T5021] vfs_get_tree+0x88/0x350 [ 43.813140][ T5021] path_mount+0x1492/0x1ed0 [ 43.817626][ T5021] __x64_sys_mount+0x293/0x310 [ 43.822377][ T5021] do_syscall_64+0x38/0xb0 [ 43.826778][ T5021] page last free stack trace: [ 43.831430][ T5021] free_unref_page_prepare+0x508/0xb90 [ 43.836876][ T5021] free_unref_page_list+0xe6/0xb30 [ 43.841982][ T5021] release_pages+0x32a/0x14e0 [ 43.846639][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 43.851829][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 43.856496][ T5021] exit_mmap+0x2db/0x960 [ 43.860726][ T5021] __mmput+0x12a/0x4d0 [ 43.864782][ T5021] mmput+0x62/0x70 [ 43.868489][ T5021] do_exit+0x9b4/0x2a20 [ 43.872635][ T5021] do_group_exit+0xd4/0x2a0 [ 43.877127][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 43.882142][ T5021] do_syscall_64+0x38/0xb0 [ 43.886544][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.892428][ T5021] [ 43.894755][ T5021] Memory state around the buggy address: [ 43.900370][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.908447][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.916503][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.924566][ T5021] ^ [ 43.929143][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.937277][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 43.945317][ T5021] ================================================================== [ 43.954008][ T5021] ================================================================== [ 43.962083][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 43.970934][ T5021] Read of size 8 at addr ffffc90000b1e018 by task syz-executor202/5021 [ 43.979154][ T5021] [ 43.981461][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 43.991596][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 44.001633][ T5021] Call Trace: [ 44.004897][ T5021] [ 44.007815][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 44.012396][ T5021] print_report+0xc4/0x620 [ 44.016893][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 44.021911][ T5021] kasan_report+0xda/0x110 [ 44.026325][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.032229][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.038127][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.043844][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 44.048694][ T5021] free_journal_ram+0x160/0x650 [ 44.053542][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 44.058883][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 44.063744][ T5021] journal_release+0x2a4/0x660 [ 44.068510][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 44.075185][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 44.080120][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 44.085403][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 44.090949][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 44.096232][ T5021] generic_shutdown_super+0x158/0x480 [ 44.101597][ T5021] kill_block_super+0x64/0xb0 [ 44.106263][ T5021] deactivate_locked_super+0x9a/0x170 [ 44.111629][ T5021] deactivate_super+0xde/0x100 [ 44.116384][ T5021] cleanup_mnt+0x222/0x3d0 [ 44.120799][ T5021] task_work_run+0x14d/0x240 [ 44.125385][ T5021] ? task_work_cancel+0x30/0x30 [ 44.130232][ T5021] ? __put_net+0x61/0x70 [ 44.134466][ T5021] do_exit+0xa99/0x2a20 [ 44.138620][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 44.143377][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 44.148746][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 44.153764][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 44.159134][ T5021] ? spin_bug+0x1d0/0x1d0 [ 44.163454][ T5021] do_group_exit+0xd4/0x2a0 [ 44.167950][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 44.172973][ T5021] do_syscall_64+0x38/0xb0 [ 44.177382][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.183262][ T5021] RIP: 0033:0x7ffb748ef849 [ 44.187747][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 44.194747][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 44.203147][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 44.211106][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 44.219067][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 44.227023][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 44.234984][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 44.242945][ T5021] [ 44.245950][ T5021] [ 44.248260][ T5021] The buggy address belongs to the virtual mapping at [ 44.248260][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 44.248260][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 44.267291][ T5021] [ 44.269601][ T5021] The buggy address belongs to the physical page: [ 44.275992][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 44.286128][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 44.293245][ T5021] page_type: 0xffffffff() [ 44.297561][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 44.306132][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 44.314697][ T5021] page dumped because: kasan: bad access detected [ 44.321090][ T5021] page_owner tracks the page as allocated [ 44.326783][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 44.346216][ T5021] post_alloc_hook+0x2d2/0x350 [ 44.350977][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 44.356515][ T5021] __alloc_pages+0x1d0/0x4a0 [ 44.361093][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 44.366191][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 44.372419][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 44.377691][ T5021] vzalloc+0x6b/0x80 [ 44.381570][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 44.387544][ T5021] journal_init+0x3e2/0x64b0 [ 44.392137][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 44.397325][ T5021] mount_bdev+0x30d/0x3d0 [ 44.401647][ T5021] legacy_get_tree+0x109/0x220 [ 44.406398][ T5021] vfs_get_tree+0x88/0x350 [ 44.410801][ T5021] path_mount+0x1492/0x1ed0 [ 44.415292][ T5021] __x64_sys_mount+0x293/0x310 [ 44.420067][ T5021] do_syscall_64+0x38/0xb0 [ 44.424468][ T5021] page last free stack trace: [ 44.429122][ T5021] free_unref_page_prepare+0x508/0xb90 [ 44.434570][ T5021] free_unref_page_list+0xe6/0xb30 [ 44.439669][ T5021] release_pages+0x32a/0x14e0 [ 44.444330][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 44.449514][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 44.454177][ T5021] exit_mmap+0x2db/0x960 [ 44.458406][ T5021] __mmput+0x12a/0x4d0 [ 44.462467][ T5021] mmput+0x62/0x70 [ 44.466175][ T5021] do_exit+0x9b4/0x2a20 [ 44.470323][ T5021] do_group_exit+0xd4/0x2a0 [ 44.474816][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 44.479831][ T5021] do_syscall_64+0x38/0xb0 [ 44.484232][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.490116][ T5021] [ 44.492421][ T5021] Memory state around the buggy address: [ 44.498042][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 44.506116][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 44.514162][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 44.522204][ T5021] ^ [ 44.527033][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 44.535080][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 44.543173][ T5021] ================================================================== [ 44.551682][ T5021] ================================================================== [ 44.559756][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.568620][ T5021] Read of size 8 at addr ffffc90000b1e020 by task syz-executor202/5021 [ 44.576836][ T5021] [ 44.579144][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 44.589281][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 44.599321][ T5021] Call Trace: [ 44.602597][ T5021] [ 44.605509][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 44.610085][ T5021] print_report+0xc4/0x620 [ 44.614494][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 44.619522][ T5021] kasan_report+0xda/0x110 [ 44.624007][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.629886][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.635771][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 44.641476][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 44.646311][ T5021] free_journal_ram+0x160/0x650 [ 44.651169][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 44.656355][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 44.661202][ T5021] journal_release+0x2a4/0x660 [ 44.665953][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 44.672617][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 44.677545][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 44.682823][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 44.688366][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 44.693641][ T5021] generic_shutdown_super+0x158/0x480 [ 44.699005][ T5021] kill_block_super+0x64/0xb0 [ 44.703669][ T5021] deactivate_locked_super+0x9a/0x170 [ 44.709026][ T5021] deactivate_super+0xde/0x100 [ 44.713780][ T5021] cleanup_mnt+0x222/0x3d0 [ 44.718195][ T5021] task_work_run+0x14d/0x240 [ 44.722777][ T5021] ? task_work_cancel+0x30/0x30 [ 44.727621][ T5021] ? __put_net+0x61/0x70 [ 44.731854][ T5021] do_exit+0xa99/0x2a20 [ 44.736003][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 44.740758][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 44.746125][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 44.751141][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 44.756530][ T5021] ? spin_bug+0x1d0/0x1d0 [ 44.760855][ T5021] do_group_exit+0xd4/0x2a0 [ 44.765354][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 44.770372][ T5021] do_syscall_64+0x38/0xb0 [ 44.774775][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.780659][ T5021] RIP: 0033:0x7ffb748ef849 [ 44.785144][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 44.792144][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 44.800545][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 44.808503][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 44.816460][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 44.824417][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 44.832374][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 44.840337][ T5021] [ 44.843348][ T5021] [ 44.845684][ T5021] The buggy address belongs to the virtual mapping at [ 44.845684][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 44.845684][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 44.864702][ T5021] [ 44.867013][ T5021] The buggy address belongs to the physical page: [ 44.873474][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 44.883610][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 44.890698][ T5021] page_type: 0xffffffff() [ 44.895034][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 44.903602][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 44.912189][ T5021] page dumped because: kasan: bad access detected [ 44.918590][ T5021] page_owner tracks the page as allocated [ 44.924377][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 44.943815][ T5021] post_alloc_hook+0x2d2/0x350 [ 44.948582][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 44.954134][ T5021] __alloc_pages+0x1d0/0x4a0 [ 44.958717][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 44.963820][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 44.970053][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 44.975328][ T5021] vzalloc+0x6b/0x80 [ 44.979208][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 44.985183][ T5021] journal_init+0x3e2/0x64b0 [ 44.989756][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 44.994945][ T5021] mount_bdev+0x30d/0x3d0 [ 44.999263][ T5021] legacy_get_tree+0x109/0x220 [ 45.004015][ T5021] vfs_get_tree+0x88/0x350 [ 45.008415][ T5021] path_mount+0x1492/0x1ed0 [ 45.012909][ T5021] __x64_sys_mount+0x293/0x310 [ 45.017655][ T5021] do_syscall_64+0x38/0xb0 [ 45.022059][ T5021] page last free stack trace: [ 45.026711][ T5021] free_unref_page_prepare+0x508/0xb90 [ 45.032158][ T5021] free_unref_page_list+0xe6/0xb30 [ 45.037258][ T5021] release_pages+0x32a/0x14e0 [ 45.041921][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 45.047136][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 45.051800][ T5021] exit_mmap+0x2db/0x960 [ 45.056058][ T5021] __mmput+0x12a/0x4d0 [ 45.060135][ T5021] mmput+0x62/0x70 [ 45.063853][ T5021] do_exit+0x9b4/0x2a20 [ 45.068012][ T5021] do_group_exit+0xd4/0x2a0 [ 45.072507][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 45.077523][ T5021] do_syscall_64+0x38/0xb0 [ 45.081927][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 45.087809][ T5021] [ 45.090118][ T5021] Memory state around the buggy address: [ 45.095817][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.103881][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.111926][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.119967][ T5021] ^ [ 45.125057][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.133100][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.141146][ T5021] ================================================================== [ 45.152519][ T5021] ================================================================== [ 45.160574][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.169429][ T5021] Read of size 8 at addr ffffc90000b1e028 by task syz-executor202/5021 [ 45.177648][ T5021] [ 45.179959][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 45.190094][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 45.200131][ T5021] Call Trace: [ 45.203393][ T5021] [ 45.206328][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 45.210911][ T5021] print_report+0xc4/0x620 [ 45.215322][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 45.220342][ T5021] kasan_report+0xda/0x110 [ 45.224749][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.230639][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.236528][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.242246][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 45.247119][ T5021] free_journal_ram+0x160/0x650 [ 45.251964][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 45.257263][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 45.262111][ T5021] journal_release+0x2a4/0x660 [ 45.266865][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 45.273534][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 45.278465][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 45.283740][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 45.289280][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 45.294556][ T5021] generic_shutdown_super+0x158/0x480 [ 45.299913][ T5021] kill_block_super+0x64/0xb0 [ 45.304576][ T5021] deactivate_locked_super+0x9a/0x170 [ 45.309938][ T5021] deactivate_super+0xde/0x100 [ 45.314688][ T5021] cleanup_mnt+0x222/0x3d0 [ 45.319104][ T5021] task_work_run+0x14d/0x240 [ 45.323696][ T5021] ? task_work_cancel+0x30/0x30 [ 45.328542][ T5021] ? __put_net+0x61/0x70 [ 45.332771][ T5021] do_exit+0xa99/0x2a20 [ 45.336922][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 45.341676][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 45.347040][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 45.352058][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 45.357509][ T5021] ? spin_bug+0x1d0/0x1d0 [ 45.361830][ T5021] do_group_exit+0xd4/0x2a0 [ 45.366325][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 45.371345][ T5021] do_syscall_64+0x38/0xb0 [ 45.375748][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 45.381627][ T5021] RIP: 0033:0x7ffb748ef849 [ 45.386026][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 45.393024][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 45.401426][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 45.409382][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 45.417337][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 45.425296][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 45.433249][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 45.441211][ T5021] [ 45.444216][ T5021] [ 45.446526][ T5021] The buggy address belongs to the virtual mapping at [ 45.446526][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 45.446526][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 45.465536][ T5021] [ 45.467848][ T5021] The buggy address belongs to the physical page: [ 45.474244][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 45.484377][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 45.491476][ T5021] page_type: 0xffffffff() [ 45.495790][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 45.504361][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 45.512922][ T5021] page dumped because: kasan: bad access detected [ 45.519312][ T5021] page_owner tracks the page as allocated [ 45.525011][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 45.544442][ T5021] post_alloc_hook+0x2d2/0x350 [ 45.549204][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 45.554739][ T5021] __alloc_pages+0x1d0/0x4a0 [ 45.559318][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 45.564427][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 45.570661][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 45.575933][ T5021] vzalloc+0x6b/0x80 [ 45.579839][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 45.585817][ T5021] journal_init+0x3e2/0x64b0 [ 45.590390][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 45.595583][ T5021] mount_bdev+0x30d/0x3d0 [ 45.599896][ T5021] legacy_get_tree+0x109/0x220 [ 45.604647][ T5021] vfs_get_tree+0x88/0x350 [ 45.609046][ T5021] path_mount+0x1492/0x1ed0 [ 45.613532][ T5021] __x64_sys_mount+0x293/0x310 [ 45.618278][ T5021] do_syscall_64+0x38/0xb0 [ 45.622682][ T5021] page last free stack trace: [ 45.627331][ T5021] free_unref_page_prepare+0x508/0xb90 [ 45.632809][ T5021] free_unref_page_list+0xe6/0xb30 [ 45.637930][ T5021] release_pages+0x32a/0x14e0 [ 45.642601][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 45.647792][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 45.652458][ T5021] exit_mmap+0x2db/0x960 [ 45.656689][ T5021] __mmput+0x12a/0x4d0 [ 45.660745][ T5021] mmput+0x62/0x70 [ 45.664462][ T5021] do_exit+0x9b4/0x2a20 [ 45.668612][ T5021] do_group_exit+0xd4/0x2a0 [ 45.673105][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 45.678123][ T5021] do_syscall_64+0x38/0xb0 [ 45.682524][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 45.688406][ T5021] [ 45.690713][ T5021] Memory state around the buggy address: [ 45.696410][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.704473][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.712519][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.720558][ T5021] ^ [ 45.725908][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.733955][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 45.742000][ T5021] ================================================================== [ 45.750252][ T5021] ================================================================== [ 45.758409][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.767287][ T5021] Read of size 8 at addr ffffc90000b1e030 by task syz-executor202/5021 [ 45.775498][ T5021] [ 45.777821][ T5021] CPU: 1 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 45.787948][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 45.797993][ T5021] Call Trace: [ 45.801279][ T5021] [ 45.804189][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 45.808761][ T5021] print_report+0xc4/0x620 [ 45.813162][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 45.818168][ T5021] kasan_report+0xda/0x110 [ 45.822577][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.828463][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.834342][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 45.840051][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 45.844880][ T5021] free_journal_ram+0x160/0x650 [ 45.849715][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 45.854899][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 45.859755][ T5021] journal_release+0x2a4/0x660 [ 45.864504][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 45.871163][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 45.876107][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 45.881377][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 45.886908][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 45.892176][ T5021] generic_shutdown_super+0x158/0x480 [ 45.897526][ T5021] kill_block_super+0x64/0xb0 [ 45.902208][ T5021] deactivate_locked_super+0x9a/0x170 [ 45.907561][ T5021] deactivate_super+0xde/0x100 [ 45.912309][ T5021] cleanup_mnt+0x222/0x3d0 [ 45.916712][ T5021] task_work_run+0x14d/0x240 [ 45.921289][ T5021] ? task_work_cancel+0x30/0x30 [ 45.926129][ T5021] ? __put_net+0x61/0x70 [ 45.930352][ T5021] do_exit+0xa99/0x2a20 [ 45.934493][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 45.939271][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 45.944626][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 45.949634][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 45.955004][ T5021] ? spin_bug+0x1d0/0x1d0 [ 45.959322][ T5021] do_group_exit+0xd4/0x2a0 [ 45.963833][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 45.968842][ T5021] do_syscall_64+0x38/0xb0 [ 45.973245][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 45.979116][ T5021] RIP: 0033:0x7ffb748ef849 [ 45.983504][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 45.990509][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 45.998899][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 46.006847][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 46.014818][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 46.022784][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 46.030743][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 46.038702][ T5021] [ 46.041717][ T5021] [ 46.044028][ T5021] The buggy address belongs to the virtual mapping at [ 46.044028][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 46.044028][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 46.063039][ T5021] [ 46.065346][ T5021] The buggy address belongs to the physical page: [ 46.071733][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 46.081861][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 46.088961][ T5021] page_type: 0xffffffff() [ 46.093275][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 46.101845][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 46.110411][ T5021] page dumped because: kasan: bad access detected [ 46.116796][ T5021] page_owner tracks the page as allocated [ 46.122503][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 46.141930][ T5021] post_alloc_hook+0x2d2/0x350 [ 46.146681][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 46.152208][ T5021] __alloc_pages+0x1d0/0x4a0 [ 46.156781][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 46.161873][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 46.168097][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 46.173359][ T5021] vzalloc+0x6b/0x80 [ 46.177233][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 46.183220][ T5021] journal_init+0x3e2/0x64b0 [ 46.187785][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 46.192962][ T5021] mount_bdev+0x30d/0x3d0 [ 46.197268][ T5021] legacy_get_tree+0x109/0x220 [ 46.202013][ T5021] vfs_get_tree+0x88/0x350 [ 46.206404][ T5021] path_mount+0x1492/0x1ed0 [ 46.210882][ T5021] __x64_sys_mount+0x293/0x310 [ 46.215712][ T5021] do_syscall_64+0x38/0xb0 [ 46.220104][ T5021] page last free stack trace: [ 46.224748][ T5021] free_unref_page_prepare+0x508/0xb90 [ 46.230184][ T5021] free_unref_page_list+0xe6/0xb30 [ 46.235276][ T5021] release_pages+0x32a/0x14e0 [ 46.239929][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 46.245107][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 46.249786][ T5021] exit_mmap+0x2db/0x960 [ 46.254095][ T5021] __mmput+0x12a/0x4d0 [ 46.258140][ T5021] mmput+0x62/0x70 [ 46.261837][ T5021] do_exit+0x9b4/0x2a20 [ 46.265977][ T5021] do_group_exit+0xd4/0x2a0 [ 46.270463][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 46.275467][ T5021] do_syscall_64+0x38/0xb0 [ 46.279859][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.285727][ T5021] [ 46.288043][ T5021] Memory state around the buggy address: [ 46.293645][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.301684][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.309721][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.317766][ T5021] ^ [ 46.323371][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.331407][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.339448][ T5021] ================================================================== [ 46.348040][ T5021] ================================================================== [ 46.356106][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 46.364983][ T5021] Read of size 8 at addr ffffc90000b1e038 by task syz-executor202/5021 [ 46.373193][ T5021] [ 46.375495][ T5021] CPU: 1 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 46.385621][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 46.395654][ T5021] Call Trace: [ 46.398919][ T5021] [ 46.401831][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 46.406401][ T5021] print_report+0xc4/0x620 [ 46.410803][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 46.415809][ T5021] kasan_report+0xda/0x110 [ 46.420209][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 46.426088][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 46.431967][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 46.437674][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 46.442507][ T5021] free_journal_ram+0x160/0x650 [ 46.447342][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 46.452525][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 46.457361][ T5021] journal_release+0x2a4/0x660 [ 46.462129][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 46.468790][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 46.473710][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 46.478978][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 46.484508][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 46.489772][ T5021] generic_shutdown_super+0x158/0x480 [ 46.495125][ T5021] kill_block_super+0x64/0xb0 [ 46.499783][ T5021] deactivate_locked_super+0x9a/0x170 [ 46.505139][ T5021] deactivate_super+0xde/0x100 [ 46.509884][ T5021] cleanup_mnt+0x222/0x3d0 [ 46.514294][ T5021] task_work_run+0x14d/0x240 [ 46.518873][ T5021] ? task_work_cancel+0x30/0x30 [ 46.523714][ T5021] ? __put_net+0x61/0x70 [ 46.527937][ T5021] do_exit+0xa99/0x2a20 [ 46.532079][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 46.536829][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 46.542185][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 46.547191][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 46.552548][ T5021] ? spin_bug+0x1d0/0x1d0 [ 46.556858][ T5021] do_group_exit+0xd4/0x2a0 [ 46.561346][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 46.566436][ T5021] do_syscall_64+0x38/0xb0 [ 46.570830][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.576698][ T5021] RIP: 0033:0x7ffb748ef849 [ 46.581092][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 46.588080][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 46.596553][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 46.604510][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 46.612473][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 46.620447][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 46.628392][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 46.636472][ T5021] [ 46.639470][ T5021] [ 46.641773][ T5021] The buggy address belongs to the virtual mapping at [ 46.641773][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 46.641773][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 46.660944][ T5021] [ 46.663245][ T5021] The buggy address belongs to the physical page: [ 46.669630][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 46.679841][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 46.686922][ T5021] page_type: 0xffffffff() [ 46.691225][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 46.699787][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 46.708341][ T5021] page dumped because: kasan: bad access detected [ 46.714724][ T5021] page_owner tracks the page as allocated [ 46.720410][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 46.739836][ T5021] post_alloc_hook+0x2d2/0x350 [ 46.744605][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 46.750136][ T5021] __alloc_pages+0x1d0/0x4a0 [ 46.754706][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 46.759799][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 46.766022][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 46.771284][ T5021] vzalloc+0x6b/0x80 [ 46.775157][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 46.781123][ T5021] journal_init+0x3e2/0x64b0 [ 46.785688][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 46.790870][ T5021] mount_bdev+0x30d/0x3d0 [ 46.795181][ T5021] legacy_get_tree+0x109/0x220 [ 46.799929][ T5021] vfs_get_tree+0x88/0x350 [ 46.804324][ T5021] path_mount+0x1492/0x1ed0 [ 46.808804][ T5021] __x64_sys_mount+0x293/0x310 [ 46.813546][ T5021] do_syscall_64+0x38/0xb0 [ 46.817954][ T5021] page last free stack trace: [ 46.822603][ T5021] free_unref_page_prepare+0x508/0xb90 [ 46.828046][ T5021] free_unref_page_list+0xe6/0xb30 [ 46.833135][ T5021] release_pages+0x32a/0x14e0 [ 46.837790][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 46.842968][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 46.847627][ T5021] exit_mmap+0x2db/0x960 [ 46.851850][ T5021] __mmput+0x12a/0x4d0 [ 46.855921][ T5021] mmput+0x62/0x70 [ 46.859618][ T5021] do_exit+0x9b4/0x2a20 [ 46.863755][ T5021] do_group_exit+0xd4/0x2a0 [ 46.868237][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 46.873244][ T5021] do_syscall_64+0x38/0xb0 [ 46.877637][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.883506][ T5021] [ 46.885806][ T5021] Memory state around the buggy address: [ 46.891414][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.899452][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.907488][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.915522][ T5021] ^ [ 46.921388][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.929447][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 46.937480][ T5021] ================================================================== [ 46.947655][ T5021] ================================================================== [ 46.955737][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 46.964570][ T5021] Read of size 8 at addr ffffc90000b1e040 by task syz-executor202/5021 [ 46.972780][ T5021] [ 46.975086][ T5021] CPU: 1 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 46.985214][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 46.995252][ T5021] Call Trace: [ 46.998518][ T5021] [ 47.001464][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 47.006037][ T5021] print_report+0xc4/0x620 [ 47.010453][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 47.015460][ T5021] kasan_report+0xda/0x110 [ 47.019861][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.025740][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.031620][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.037327][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 47.042171][ T5021] free_journal_ram+0x160/0x650 [ 47.047035][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 47.052228][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 47.057080][ T5021] journal_release+0x2a4/0x660 [ 47.061837][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 47.068531][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 47.073477][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 47.078884][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 47.084468][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 47.089752][ T5021] generic_shutdown_super+0x158/0x480 [ 47.095124][ T5021] kill_block_super+0x64/0xb0 [ 47.099794][ T5021] deactivate_locked_super+0x9a/0x170 [ 47.105161][ T5021] deactivate_super+0xde/0x100 [ 47.109913][ T5021] cleanup_mnt+0x222/0x3d0 [ 47.114323][ T5021] task_work_run+0x14d/0x240 [ 47.118908][ T5021] ? task_work_cancel+0x30/0x30 [ 47.123754][ T5021] ? __put_net+0x61/0x70 [ 47.127986][ T5021] do_exit+0xa99/0x2a20 [ 47.132135][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 47.136892][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 47.142260][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 47.147279][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 47.152648][ T5021] ? spin_bug+0x1d0/0x1d0 [ 47.156974][ T5021] do_group_exit+0xd4/0x2a0 [ 47.161473][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 47.166518][ T5021] do_syscall_64+0x38/0xb0 [ 47.170924][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 47.176803][ T5021] RIP: 0033:0x7ffb748ef849 [ 47.181206][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 47.188204][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 47.196601][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 47.204556][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 47.212515][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 47.220474][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 47.228460][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 47.236423][ T5021] [ 47.239425][ T5021] [ 47.241736][ T5021] The buggy address belongs to the virtual mapping at [ 47.241736][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 47.241736][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 47.260749][ T5021] [ 47.263058][ T5021] The buggy address belongs to the physical page: [ 47.269482][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 47.279620][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 47.286711][ T5021] page_type: 0xffffffff() [ 47.291030][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 47.299600][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 47.308161][ T5021] page dumped because: kasan: bad access detected [ 47.314551][ T5021] page_owner tracks the page as allocated [ 47.320245][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 47.339675][ T5021] post_alloc_hook+0x2d2/0x350 [ 47.344467][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 47.350009][ T5021] __alloc_pages+0x1d0/0x4a0 [ 47.354590][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 47.359689][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 47.365926][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 47.371200][ T5021] vzalloc+0x6b/0x80 [ 47.375082][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 47.381091][ T5021] journal_init+0x3e2/0x64b0 [ 47.385665][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 47.390857][ T5021] mount_bdev+0x30d/0x3d0 [ 47.395177][ T5021] legacy_get_tree+0x109/0x220 [ 47.399929][ T5021] vfs_get_tree+0x88/0x350 [ 47.404334][ T5021] path_mount+0x1492/0x1ed0 [ 47.408819][ T5021] __x64_sys_mount+0x293/0x310 [ 47.413575][ T5021] do_syscall_64+0x38/0xb0 [ 47.417978][ T5021] page last free stack trace: [ 47.422630][ T5021] free_unref_page_prepare+0x508/0xb90 [ 47.428083][ T5021] free_unref_page_list+0xe6/0xb30 [ 47.433182][ T5021] release_pages+0x32a/0x14e0 [ 47.437841][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 47.443032][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 47.447708][ T5021] exit_mmap+0x2db/0x960 [ 47.451939][ T5021] __mmput+0x12a/0x4d0 [ 47.455994][ T5021] mmput+0x62/0x70 [ 47.459721][ T5021] do_exit+0x9b4/0x2a20 [ 47.463867][ T5021] do_group_exit+0xd4/0x2a0 [ 47.468361][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 47.473376][ T5021] do_syscall_64+0x38/0xb0 [ 47.477776][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 47.483659][ T5021] [ 47.485966][ T5021] Memory state around the buggy address: [ 47.491582][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 47.499630][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 47.507677][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 47.515720][ T5021] ^ [ 47.521852][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 47.529896][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 47.537940][ T5021] ================================================================== [ 47.555700][ T5021] ================================================================== [ 47.563796][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.572640][ T5021] Read of size 8 at addr ffffc90000b1e048 by task syz-executor202/5021 [ 47.580881][ T5021] [ 47.583186][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 47.593317][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 47.603537][ T5021] Call Trace: [ 47.606817][ T5021] [ 47.609748][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 47.614341][ T5021] print_report+0xc4/0x620 [ 47.618757][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 47.623767][ T5021] kasan_report+0xda/0x110 [ 47.628174][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.634062][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.639945][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 47.645662][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 47.650523][ T5021] free_journal_ram+0x160/0x650 [ 47.655401][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 47.660592][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 47.665455][ T5021] journal_release+0x2a4/0x660 [ 47.670242][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 47.676934][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 47.681888][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 47.687169][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 47.692715][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 47.698071][ T5021] generic_shutdown_super+0x158/0x480 [ 47.703419][ T5021] kill_block_super+0x64/0xb0 [ 47.708076][ T5021] deactivate_locked_super+0x9a/0x170 [ 47.713424][ T5021] deactivate_super+0xde/0x100 [ 47.718253][ T5021] cleanup_mnt+0x222/0x3d0 [ 47.722654][ T5021] task_work_run+0x14d/0x240 [ 47.727227][ T5021] ? task_work_cancel+0x30/0x30 [ 47.732063][ T5021] ? __put_net+0x61/0x70 [ 47.736294][ T5021] do_exit+0xa99/0x2a20 [ 47.740471][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 47.745220][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 47.750576][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 47.755595][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 47.760966][ T5021] ? spin_bug+0x1d0/0x1d0 [ 47.765278][ T5021] do_group_exit+0xd4/0x2a0 [ 47.769788][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 47.774799][ T5021] do_syscall_64+0x38/0xb0 [ 47.779196][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 47.785071][ T5021] RIP: 0033:0x7ffb748ef849 [ 47.789461][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 47.796468][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 47.804873][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 47.812822][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 47.820774][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 47.828727][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 47.836687][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 47.844655][ T5021] [ 47.847658][ T5021] [ 47.849970][ T5021] The buggy address belongs to the virtual mapping at [ 47.849970][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 47.849970][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 47.868983][ T5021] [ 47.871297][ T5021] The buggy address belongs to the physical page: [ 47.877776][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 47.887916][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 47.895009][ T5021] page_type: 0xffffffff() [ 47.899323][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 47.907892][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 47.916456][ T5021] page dumped because: kasan: bad access detected [ 47.922849][ T5021] page_owner tracks the page as allocated [ 47.928544][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 47.947978][ T5021] post_alloc_hook+0x2d2/0x350 [ 47.952733][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 47.958354][ T5021] __alloc_pages+0x1d0/0x4a0 [ 47.962932][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 47.968030][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 47.974256][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 47.979525][ T5021] vzalloc+0x6b/0x80 [ 47.983403][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 47.989371][ T5021] journal_init+0x3e2/0x64b0 [ 47.993942][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 47.999167][ T5021] mount_bdev+0x30d/0x3d0 [ 48.003480][ T5021] legacy_get_tree+0x109/0x220 [ 48.008229][ T5021] vfs_get_tree+0x88/0x350 [ 48.012627][ T5021] path_mount+0x1492/0x1ed0 [ 48.017110][ T5021] __x64_sys_mount+0x293/0x310 [ 48.021856][ T5021] do_syscall_64+0x38/0xb0 [ 48.026255][ T5021] page last free stack trace: [ 48.030903][ T5021] free_unref_page_prepare+0x508/0xb90 [ 48.036348][ T5021] free_unref_page_list+0xe6/0xb30 [ 48.041443][ T5021] release_pages+0x32a/0x14e0 [ 48.046102][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 48.051284][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 48.055943][ T5021] exit_mmap+0x2db/0x960 [ 48.060169][ T5021] __mmput+0x12a/0x4d0 [ 48.064216][ T5021] mmput+0x62/0x70 [ 48.067916][ T5021] do_exit+0x9b4/0x2a20 [ 48.072066][ T5021] do_group_exit+0xd4/0x2a0 [ 48.076560][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 48.081579][ T5021] do_syscall_64+0x38/0xb0 [ 48.085983][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 48.091858][ T5021] [ 48.094164][ T5021] Memory state around the buggy address: [ 48.099774][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.107819][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.115871][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.123926][ T5021] ^ [ 48.130322][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.138364][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.146402][ T5021] ================================================================== [ 48.154979][ T5021] ================================================================== [ 48.163043][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.171895][ T5021] Read of size 8 at addr ffffc90000b1e050 by task syz-executor202/5021 [ 48.180123][ T5021] [ 48.182443][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 48.192581][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 48.202626][ T5021] Call Trace: [ 48.205897][ T5021] [ 48.208831][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 48.213417][ T5021] print_report+0xc4/0x620 [ 48.217831][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 48.222857][ T5021] kasan_report+0xda/0x110 [ 48.227270][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.233167][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.239063][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.244784][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 48.249631][ T5021] free_journal_ram+0x160/0x650 [ 48.254476][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 48.259675][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 48.264524][ T5021] journal_release+0x2a4/0x660 [ 48.269321][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 48.275993][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 48.280934][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 48.286218][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 48.291766][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 48.297047][ T5021] generic_shutdown_super+0x158/0x480 [ 48.302414][ T5021] kill_block_super+0x64/0xb0 [ 48.307084][ T5021] deactivate_locked_super+0x9a/0x170 [ 48.312447][ T5021] deactivate_super+0xde/0x100 [ 48.317201][ T5021] cleanup_mnt+0x222/0x3d0 [ 48.321623][ T5021] task_work_run+0x14d/0x240 [ 48.326209][ T5021] ? task_work_cancel+0x30/0x30 [ 48.331058][ T5021] ? __put_net+0x61/0x70 [ 48.335291][ T5021] do_exit+0xa99/0x2a20 [ 48.339444][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 48.344205][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 48.349569][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 48.354585][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 48.359957][ T5021] ? spin_bug+0x1d0/0x1d0 [ 48.364369][ T5021] do_group_exit+0xd4/0x2a0 [ 48.368869][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 48.373892][ T5021] do_syscall_64+0x38/0xb0 [ 48.378303][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 48.384189][ T5021] RIP: 0033:0x7ffb748ef849 [ 48.388595][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 48.395599][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 48.404006][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 48.411970][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 48.419935][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 48.427895][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 48.435945][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 48.443908][ T5021] [ 48.446930][ T5021] [ 48.449247][ T5021] The buggy address belongs to the virtual mapping at [ 48.449247][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 48.449247][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 48.468254][ T5021] [ 48.470564][ T5021] The buggy address belongs to the physical page: [ 48.476963][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 48.487099][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 48.494196][ T5021] page_type: 0xffffffff() [ 48.498525][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 48.507099][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 48.515665][ T5021] page dumped because: kasan: bad access detected [ 48.522066][ T5021] page_owner tracks the page as allocated [ 48.527765][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 48.547199][ T5021] post_alloc_hook+0x2d2/0x350 [ 48.551958][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 48.557500][ T5021] __alloc_pages+0x1d0/0x4a0 [ 48.562086][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 48.567279][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 48.573599][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 48.578877][ T5021] vzalloc+0x6b/0x80 [ 48.582769][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 48.588755][ T5021] journal_init+0x3e2/0x64b0 [ 48.593334][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 48.598527][ T5021] mount_bdev+0x30d/0x3d0 [ 48.602847][ T5021] legacy_get_tree+0x109/0x220 [ 48.607602][ T5021] vfs_get_tree+0x88/0x350 [ 48.612006][ T5021] path_mount+0x1492/0x1ed0 [ 48.616498][ T5021] __x64_sys_mount+0x293/0x310 [ 48.621251][ T5021] do_syscall_64+0x38/0xb0 [ 48.625659][ T5021] page last free stack trace: [ 48.630313][ T5021] free_unref_page_prepare+0x508/0xb90 [ 48.635762][ T5021] free_unref_page_list+0xe6/0xb30 [ 48.640866][ T5021] release_pages+0x32a/0x14e0 [ 48.645536][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 48.650726][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 48.655419][ T5021] exit_mmap+0x2db/0x960 [ 48.659651][ T5021] __mmput+0x12a/0x4d0 [ 48.663711][ T5021] mmput+0x62/0x70 [ 48.667421][ T5021] do_exit+0x9b4/0x2a20 [ 48.671572][ T5021] do_group_exit+0xd4/0x2a0 [ 48.676069][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 48.681087][ T5021] do_syscall_64+0x38/0xb0 [ 48.685490][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 48.691376][ T5021] [ 48.693686][ T5021] Memory state around the buggy address: [ 48.699298][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.707344][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.715391][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.723435][ T5021] ^ [ 48.730089][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.738133][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 48.746179][ T5021] ================================================================== [ 48.754366][ T5021] ================================================================== [ 48.762431][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.771314][ T5021] Read of size 8 at addr ffffc90000b1e058 by task syz-executor202/5021 [ 48.779562][ T5021] [ 48.781874][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 48.792027][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 48.802068][ T5021] Call Trace: [ 48.805334][ T5021] [ 48.808252][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 48.812836][ T5021] print_report+0xc4/0x620 [ 48.817254][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 48.822274][ T5021] kasan_report+0xda/0x110 [ 48.826689][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.832579][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.838477][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 48.844200][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 48.849052][ T5021] free_journal_ram+0x160/0x650 [ 48.853906][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 48.859204][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 48.864065][ T5021] journal_release+0x2a4/0x660 [ 48.868821][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 48.875494][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 48.880428][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 48.885709][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 48.891254][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 48.896544][ T5021] generic_shutdown_super+0x158/0x480 [ 48.901916][ T5021] kill_block_super+0x64/0xb0 [ 48.906584][ T5021] deactivate_locked_super+0x9a/0x170 [ 48.911959][ T5021] deactivate_super+0xde/0x100 [ 48.916721][ T5021] cleanup_mnt+0x222/0x3d0 [ 48.921141][ T5021] task_work_run+0x14d/0x240 [ 48.925756][ T5021] ? task_work_cancel+0x30/0x30 [ 48.930602][ T5021] ? __put_net+0x61/0x70 [ 48.934861][ T5021] do_exit+0xa99/0x2a20 [ 48.939063][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 48.943830][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 48.949213][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 48.954234][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 48.959606][ T5021] ? spin_bug+0x1d0/0x1d0 [ 48.964020][ T5021] do_group_exit+0xd4/0x2a0 [ 48.968522][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 48.973542][ T5021] do_syscall_64+0x38/0xb0 [ 48.977953][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 48.983838][ T5021] RIP: 0033:0x7ffb748ef849 [ 48.988244][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 48.995248][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 49.003651][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 49.011616][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 49.019579][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 49.027538][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 49.035522][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 49.043508][ T5021] [ 49.046520][ T5021] [ 49.048836][ T5021] The buggy address belongs to the virtual mapping at [ 49.048836][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 49.048836][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 49.067852][ T5021] [ 49.070163][ T5021] The buggy address belongs to the physical page: [ 49.076643][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 49.086782][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 49.093875][ T5021] page_type: 0xffffffff() [ 49.098191][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 49.106763][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 49.115328][ T5021] page dumped because: kasan: bad access detected [ 49.121723][ T5021] page_owner tracks the page as allocated [ 49.127421][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 49.146912][ T5021] post_alloc_hook+0x2d2/0x350 [ 49.151704][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 49.157336][ T5021] __alloc_pages+0x1d0/0x4a0 [ 49.161930][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 49.167096][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 49.173332][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 49.178617][ T5021] vzalloc+0x6b/0x80 [ 49.182507][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 49.188487][ T5021] journal_init+0x3e2/0x64b0 [ 49.193109][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 49.198302][ T5021] mount_bdev+0x30d/0x3d0 [ 49.202623][ T5021] legacy_get_tree+0x109/0x220 [ 49.207408][ T5021] vfs_get_tree+0x88/0x350 [ 49.211814][ T5021] path_mount+0x1492/0x1ed0 [ 49.216395][ T5021] __x64_sys_mount+0x293/0x310 [ 49.221153][ T5021] do_syscall_64+0x38/0xb0 [ 49.225566][ T5021] page last free stack trace: [ 49.230249][ T5021] free_unref_page_prepare+0x508/0xb90 [ 49.235720][ T5021] free_unref_page_list+0xe6/0xb30 [ 49.240836][ T5021] release_pages+0x32a/0x14e0 [ 49.245509][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 49.250701][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 49.255373][ T5021] exit_mmap+0x2db/0x960 [ 49.259613][ T5021] __mmput+0x12a/0x4d0 [ 49.263670][ T5021] mmput+0x62/0x70 [ 49.267379][ T5021] do_exit+0x9b4/0x2a20 [ 49.271531][ T5021] do_group_exit+0xd4/0x2a0 [ 49.276028][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 49.281051][ T5021] do_syscall_64+0x38/0xb0 [ 49.285457][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 49.291341][ T5021] [ 49.293652][ T5021] Memory state around the buggy address: [ 49.299269][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.307317][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.315368][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.323414][ T5021] ^ [ 49.330331][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.338377][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.346424][ T5021] ================================================================== [ 49.354862][ T5021] ================================================================== [ 49.362960][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 49.371816][ T5021] Read of size 8 at addr ffffc90000b1e060 by task syz-executor202/5021 [ 49.380044][ T5021] [ 49.382353][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 49.392490][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 49.402533][ T5021] Call Trace: [ 49.405801][ T5021] [ 49.408721][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 49.413308][ T5021] print_report+0xc4/0x620 [ 49.417724][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 49.422757][ T5021] kasan_report+0xda/0x110 [ 49.427174][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 49.433067][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 49.438964][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 49.444682][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 49.449529][ T5021] free_journal_ram+0x160/0x650 [ 49.454377][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 49.459581][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 49.464434][ T5021] journal_release+0x2a4/0x660 [ 49.469188][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 49.475968][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 49.480916][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 49.486202][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 49.491747][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 49.497026][ T5021] generic_shutdown_super+0x158/0x480 [ 49.502388][ T5021] kill_block_super+0x64/0xb0 [ 49.507062][ T5021] deactivate_locked_super+0x9a/0x170 [ 49.512428][ T5021] deactivate_super+0xde/0x100 [ 49.517182][ T5021] cleanup_mnt+0x222/0x3d0 [ 49.521598][ T5021] task_work_run+0x14d/0x240 [ 49.526187][ T5021] ? task_work_cancel+0x30/0x30 [ 49.531034][ T5021] ? __put_net+0x61/0x70 [ 49.535271][ T5021] do_exit+0xa99/0x2a20 [ 49.539429][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 49.544191][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 49.549557][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 49.554578][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 49.559948][ T5021] ? spin_bug+0x1d0/0x1d0 [ 49.564276][ T5021] do_group_exit+0xd4/0x2a0 [ 49.568778][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 49.573798][ T5021] do_syscall_64+0x38/0xb0 [ 49.578205][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 49.584088][ T5021] RIP: 0033:0x7ffb748ef849 [ 49.588493][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 49.595492][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 49.603889][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 49.611852][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 49.619810][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 49.627766][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 49.635726][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 49.643691][ T5021] [ 49.646695][ T5021] [ 49.649012][ T5021] The buggy address belongs to the virtual mapping at [ 49.649012][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 49.649012][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 49.668042][ T5021] [ 49.670449][ T5021] The buggy address belongs to the physical page: [ 49.676843][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 49.686985][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 49.694085][ T5021] page_type: 0xffffffff() [ 49.698404][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 49.706989][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 49.715558][ T5021] page dumped because: kasan: bad access detected [ 49.721959][ T5021] page_owner tracks the page as allocated [ 49.727659][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 49.747094][ T5021] post_alloc_hook+0x2d2/0x350 [ 49.751862][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 49.757405][ T5021] __alloc_pages+0x1d0/0x4a0 [ 49.761998][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 49.767106][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 49.773342][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 49.778619][ T5021] vzalloc+0x6b/0x80 [ 49.782500][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 49.788482][ T5021] journal_init+0x3e2/0x64b0 [ 49.793061][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 49.798256][ T5021] mount_bdev+0x30d/0x3d0 [ 49.802604][ T5021] legacy_get_tree+0x109/0x220 [ 49.807377][ T5021] vfs_get_tree+0x88/0x350 [ 49.811789][ T5021] path_mount+0x1492/0x1ed0 [ 49.816290][ T5021] __x64_sys_mount+0x293/0x310 [ 49.821049][ T5021] do_syscall_64+0x38/0xb0 [ 49.825457][ T5021] page last free stack trace: [ 49.830112][ T5021] free_unref_page_prepare+0x508/0xb90 [ 49.835564][ T5021] free_unref_page_list+0xe6/0xb30 [ 49.840677][ T5021] release_pages+0x32a/0x14e0 [ 49.845344][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 49.850536][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 49.855212][ T5021] exit_mmap+0x2db/0x960 [ 49.859447][ T5021] __mmput+0x12a/0x4d0 [ 49.863504][ T5021] mmput+0x62/0x70 [ 49.867213][ T5021] do_exit+0x9b4/0x2a20 [ 49.871363][ T5021] do_group_exit+0xd4/0x2a0 [ 49.875865][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 49.880887][ T5021] do_syscall_64+0x38/0xb0 [ 49.885296][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 49.891183][ T5021] [ 49.893492][ T5021] Memory state around the buggy address: [ 49.899196][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.907245][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.915297][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.923362][ T5021] ^ [ 49.930550][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.938598][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 49.946642][ T5021] ================================================================== [ 49.954835][ T5021] ================================================================== [ 49.963001][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 49.971883][ T5021] Read of size 8 at addr ffffc90000b1e068 by task syz-executor202/5021 [ 49.980112][ T5021] [ 49.982424][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 49.992576][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 50.002618][ T5021] Call Trace: [ 50.005884][ T5021] [ 50.008803][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 50.013389][ T5021] print_report+0xc4/0x620 [ 50.017800][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 50.022821][ T5021] kasan_report+0xda/0x110 [ 50.027231][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.033126][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.039026][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.044745][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 50.049590][ T5021] free_journal_ram+0x160/0x650 [ 50.054554][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 50.059775][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 50.064627][ T5021] journal_release+0x2a4/0x660 [ 50.069383][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 50.076062][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 50.080999][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 50.086276][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 50.091823][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 50.097104][ T5021] generic_shutdown_super+0x158/0x480 [ 50.102474][ T5021] kill_block_super+0x64/0xb0 [ 50.107144][ T5021] deactivate_locked_super+0x9a/0x170 [ 50.112505][ T5021] deactivate_super+0xde/0x100 [ 50.117259][ T5021] cleanup_mnt+0x222/0x3d0 [ 50.121673][ T5021] task_work_run+0x14d/0x240 [ 50.126260][ T5021] ? task_work_cancel+0x30/0x30 [ 50.131103][ T5021] ? __put_net+0x61/0x70 [ 50.135342][ T5021] do_exit+0xa99/0x2a20 [ 50.139494][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 50.144258][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 50.149657][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 50.154697][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 50.160075][ T5021] ? spin_bug+0x1d0/0x1d0 [ 50.164409][ T5021] do_group_exit+0xd4/0x2a0 [ 50.168916][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 50.173940][ T5021] do_syscall_64+0x38/0xb0 [ 50.178350][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 50.184238][ T5021] RIP: 0033:0x7ffb748ef849 [ 50.188643][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 50.195647][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 50.204049][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 50.212007][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 50.219972][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 50.227932][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 50.235891][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 50.243855][ T5021] [ 50.246861][ T5021] [ 50.249175][ T5021] The buggy address belongs to the virtual mapping at [ 50.249175][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 50.249175][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 50.268189][ T5021] [ 50.270503][ T5021] The buggy address belongs to the physical page: [ 50.276898][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 50.287033][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 50.294129][ T5021] page_type: 0xffffffff() [ 50.298447][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 50.307018][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 50.315584][ T5021] page dumped because: kasan: bad access detected [ 50.321980][ T5021] page_owner tracks the page as allocated [ 50.327675][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 50.347112][ T5021] post_alloc_hook+0x2d2/0x350 [ 50.351876][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 50.357419][ T5021] __alloc_pages+0x1d0/0x4a0 [ 50.362005][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 50.367113][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 50.373344][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 50.378621][ T5021] vzalloc+0x6b/0x80 [ 50.382516][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 50.388498][ T5021] journal_init+0x3e2/0x64b0 [ 50.393076][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 50.398264][ T5021] mount_bdev+0x30d/0x3d0 [ 50.402581][ T5021] legacy_get_tree+0x109/0x220 [ 50.407333][ T5021] vfs_get_tree+0x88/0x350 [ 50.411738][ T5021] path_mount+0x1492/0x1ed0 [ 50.416229][ T5021] __x64_sys_mount+0x293/0x310 [ 50.420985][ T5021] do_syscall_64+0x38/0xb0 [ 50.425391][ T5021] page last free stack trace: [ 50.430045][ T5021] free_unref_page_prepare+0x508/0xb90 [ 50.435494][ T5021] free_unref_page_list+0xe6/0xb30 [ 50.440601][ T5021] release_pages+0x32a/0x14e0 [ 50.445264][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 50.450456][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 50.455122][ T5021] exit_mmap+0x2db/0x960 [ 50.459355][ T5021] __mmput+0x12a/0x4d0 [ 50.463410][ T5021] mmput+0x62/0x70 [ 50.467115][ T5021] do_exit+0x9b4/0x2a20 [ 50.471266][ T5021] do_group_exit+0xd4/0x2a0 [ 50.475767][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 50.480785][ T5021] do_syscall_64+0x38/0xb0 [ 50.485191][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 50.491073][ T5021] [ 50.493382][ T5021] Memory state around the buggy address: [ 50.498998][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.507048][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.515133][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.523179][ T5021] ^ [ 50.530617][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.538663][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.546704][ T5021] ================================================================== [ 50.555006][ T5021] ================================================================== [ 50.563083][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.572034][ T5021] Read of size 8 at addr ffffc90000b1e070 by task syz-executor202/5021 [ 50.580264][ T5021] [ 50.582575][ T5021] CPU: 0 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 50.592739][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 50.602791][ T5021] Call Trace: [ 50.606065][ T5021] [ 50.608988][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 50.613574][ T5021] print_report+0xc4/0x620 [ 50.617987][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 50.623007][ T5021] kasan_report+0xda/0x110 [ 50.627422][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.633314][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.639212][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 50.644933][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 50.649776][ T5021] free_journal_ram+0x160/0x650 [ 50.654712][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 50.659908][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 50.664756][ T5021] journal_release+0x2a4/0x660 [ 50.669513][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 50.676273][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 50.681205][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 50.686572][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 50.692119][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 50.697399][ T5021] generic_shutdown_super+0x158/0x480 [ 50.702761][ T5021] kill_block_super+0x64/0xb0 [ 50.707432][ T5021] deactivate_locked_super+0x9a/0x170 [ 50.712793][ T5021] deactivate_super+0xde/0x100 [ 50.717547][ T5021] cleanup_mnt+0x222/0x3d0 [ 50.721963][ T5021] task_work_run+0x14d/0x240 [ 50.726550][ T5021] ? task_work_cancel+0x30/0x30 [ 50.731397][ T5021] ? __put_net+0x61/0x70 [ 50.735629][ T5021] do_exit+0xa99/0x2a20 [ 50.739782][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 50.744542][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 50.749909][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 50.754942][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 50.760308][ T5021] ? spin_bug+0x1d0/0x1d0 [ 50.764631][ T5021] do_group_exit+0xd4/0x2a0 [ 50.769134][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 50.774154][ T5021] do_syscall_64+0x38/0xb0 [ 50.778559][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 50.784444][ T5021] RIP: 0033:0x7ffb748ef849 [ 50.788847][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 50.795847][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 50.804248][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 50.812209][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 50.820167][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 50.828124][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 50.836087][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 50.844060][ T5021] [ 50.847068][ T5021] [ 50.849385][ T5021] The buggy address belongs to the virtual mapping at [ 50.849385][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 50.849385][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 50.868420][ T5021] [ 50.870744][ T5021] The buggy address belongs to the physical page: [ 50.877150][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 50.887292][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 50.894409][ T5021] page_type: 0xffffffff() [ 50.898738][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 50.907316][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 50.915885][ T5021] page dumped because: kasan: bad access detected [ 50.922284][ T5021] page_owner tracks the page as allocated [ 50.927977][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 50.947522][ T5021] post_alloc_hook+0x2d2/0x350 [ 50.952302][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 50.957937][ T5021] __alloc_pages+0x1d0/0x4a0 [ 50.962523][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 50.967629][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 50.973955][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 50.979237][ T5021] vzalloc+0x6b/0x80 [ 50.983119][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 50.989097][ T5021] journal_init+0x3e2/0x64b0 [ 50.993717][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 50.998913][ T5021] mount_bdev+0x30d/0x3d0 [ 51.003237][ T5021] legacy_get_tree+0x109/0x220 [ 51.008000][ T5021] vfs_get_tree+0x88/0x350 [ 51.012639][ T5021] path_mount+0x1492/0x1ed0 [ 51.017155][ T5021] __x64_sys_mount+0x293/0x310 [ 51.021915][ T5021] do_syscall_64+0x38/0xb0 [ 51.026325][ T5021] page last free stack trace: [ 51.030983][ T5021] free_unref_page_prepare+0x508/0xb90 [ 51.036530][ T5021] free_unref_page_list+0xe6/0xb30 [ 51.041644][ T5021] release_pages+0x32a/0x14e0 [ 51.046316][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 51.051512][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 51.056185][ T5021] exit_mmap+0x2db/0x960 [ 51.060416][ T5021] __mmput+0x12a/0x4d0 [ 51.064474][ T5021] mmput+0x62/0x70 [ 51.068179][ T5021] do_exit+0x9b4/0x2a20 [ 51.072328][ T5021] do_group_exit+0xd4/0x2a0 [ 51.076827][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 51.081851][ T5021] do_syscall_64+0x38/0xb0 [ 51.086257][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.092138][ T5021] [ 51.094466][ T5021] Memory state around the buggy address: [ 51.100110][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.108160][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.116206][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.124348][ T5021] ^ [ 51.132047][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.140180][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.148309][ T5021] ================================================================== [ 51.156621][ T5021] ================================================================== [ 51.164691][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.173526][ T5021] Read of size 8 at addr ffffc90000b1e078 by task syz-executor202/5021 [ 51.181742][ T5021] [ 51.184133][ T5021] CPU: 1 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 51.194262][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 51.204301][ T5021] Call Trace: [ 51.207563][ T5021] [ 51.210475][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 51.215073][ T5021] print_report+0xc4/0x620 [ 51.219478][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 51.224487][ T5021] kasan_report+0xda/0x110 [ 51.228890][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.234769][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.240652][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.246357][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 51.251194][ T5021] free_journal_ram+0x160/0x650 [ 51.256119][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 51.261304][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 51.266144][ T5021] journal_release+0x2a4/0x660 [ 51.270889][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 51.277545][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 51.282467][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 51.287823][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 51.293394][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 51.298664][ T5021] generic_shutdown_super+0x158/0x480 [ 51.304020][ T5021] kill_block_super+0x64/0xb0 [ 51.308680][ T5021] deactivate_locked_super+0x9a/0x170 [ 51.314033][ T5021] deactivate_super+0xde/0x100 [ 51.318785][ T5021] cleanup_mnt+0x222/0x3d0 [ 51.323186][ T5021] task_work_run+0x14d/0x240 [ 51.327761][ T5021] ? task_work_cancel+0x30/0x30 [ 51.332597][ T5021] ? __put_net+0x61/0x70 [ 51.336818][ T5021] do_exit+0xa99/0x2a20 [ 51.340960][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 51.345706][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 51.351068][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 51.356079][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 51.361440][ T5021] ? spin_bug+0x1d0/0x1d0 [ 51.365754][ T5021] do_group_exit+0xd4/0x2a0 [ 51.370240][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 51.375249][ T5021] do_syscall_64+0x38/0xb0 [ 51.379647][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.385519][ T5021] RIP: 0033:0x7ffb748ef849 [ 51.389912][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 51.396906][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 51.405301][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 51.413285][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 51.421324][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 51.429277][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 51.437230][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 51.445187][ T5021] [ 51.448189][ T5021] [ 51.450498][ T5021] The buggy address belongs to the virtual mapping at [ 51.450498][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 51.450498][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 51.469583][ T5021] [ 51.471887][ T5021] The buggy address belongs to the physical page: [ 51.478273][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 51.488403][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 51.495500][ T5021] page_type: 0xffffffff() [ 51.499811][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 51.508375][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 51.516937][ T5021] page dumped because: kasan: bad access detected [ 51.523324][ T5021] page_owner tracks the page as allocated [ 51.529018][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 51.548468][ T5021] post_alloc_hook+0x2d2/0x350 [ 51.553257][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 51.558891][ T5021] __alloc_pages+0x1d0/0x4a0 [ 51.563478][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 51.568576][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 51.574799][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 51.580070][ T5021] vzalloc+0x6b/0x80 [ 51.583951][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 51.589927][ T5021] journal_init+0x3e2/0x64b0 [ 51.594495][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 51.599681][ T5021] mount_bdev+0x30d/0x3d0 [ 51.603994][ T5021] legacy_get_tree+0x109/0x220 [ 51.608739][ T5021] vfs_get_tree+0x88/0x350 [ 51.613133][ T5021] path_mount+0x1492/0x1ed0 [ 51.617612][ T5021] __x64_sys_mount+0x293/0x310 [ 51.622357][ T5021] do_syscall_64+0x38/0xb0 [ 51.626752][ T5021] page last free stack trace: [ 51.631402][ T5021] free_unref_page_prepare+0x508/0xb90 [ 51.636847][ T5021] free_unref_page_list+0xe6/0xb30 [ 51.641947][ T5021] release_pages+0x32a/0x14e0 [ 51.646609][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 51.651795][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 51.656544][ T5021] exit_mmap+0x2db/0x960 [ 51.660772][ T5021] __mmput+0x12a/0x4d0 [ 51.664826][ T5021] mmput+0x62/0x70 [ 51.668538][ T5021] do_exit+0x9b4/0x2a20 [ 51.672703][ T5021] do_group_exit+0xd4/0x2a0 [ 51.677194][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 51.682203][ T5021] do_syscall_64+0x38/0xb0 [ 51.686598][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.692472][ T5021] [ 51.694772][ T5021] Memory state around the buggy address: [ 51.700409][ T5021] ffffc90000b1df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.708539][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.716581][ T5021] >ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.724623][ T5021] ^ [ 51.732580][ T5021] ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.740707][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.748753][ T5021] ================================================================== [ 51.757434][ T5021] ================================================================== [ 51.765499][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.774346][ T5021] Read of size 8 at addr ffffc90000b1e080 by task syz-executor202/5021 [ 51.782566][ T5021] [ 51.784876][ T5021] CPU: 1 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 51.795009][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 51.805053][ T5021] Call Trace: [ 51.808316][ T5021] [ 51.811235][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 51.815813][ T5021] print_report+0xc4/0x620 [ 51.820216][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 51.825228][ T5021] kasan_report+0xda/0x110 [ 51.829628][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.835511][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.841398][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 51.847109][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 51.851977][ T5021] free_journal_ram+0x160/0x650 [ 51.856820][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 51.862007][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 51.866845][ T5021] journal_release+0x2a4/0x660 [ 51.871589][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 51.878247][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 51.883168][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 51.888448][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 51.893994][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 51.899262][ T5021] generic_shutdown_super+0x158/0x480 [ 51.904706][ T5021] kill_block_super+0x64/0xb0 [ 51.909365][ T5021] deactivate_locked_super+0x9a/0x170 [ 51.914739][ T5021] deactivate_super+0xde/0x100 [ 51.919487][ T5021] cleanup_mnt+0x222/0x3d0 [ 51.923892][ T5021] task_work_run+0x14d/0x240 [ 51.928503][ T5021] ? task_work_cancel+0x30/0x30 [ 51.933337][ T5021] ? __put_net+0x61/0x70 [ 51.937568][ T5021] do_exit+0xa99/0x2a20 [ 51.941718][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 51.946471][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 51.951839][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 51.956853][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 51.962211][ T5021] ? spin_bug+0x1d0/0x1d0 [ 51.966530][ T5021] do_group_exit+0xd4/0x2a0 [ 51.971029][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 51.976049][ T5021] do_syscall_64+0x38/0xb0 [ 51.980447][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.986322][ T5021] RIP: 0033:0x7ffb748ef849 [ 51.990715][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 51.997708][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.006099][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 52.014054][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 52.022007][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 52.030034][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 52.038000][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 52.045963][ T5021] [ 52.048969][ T5021] [ 52.051281][ T5021] The buggy address belongs to the virtual mapping at [ 52.051281][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 52.051281][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 52.070281][ T5021] [ 52.072583][ T5021] The buggy address belongs to the physical page: [ 52.078972][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 52.089102][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 52.096213][ T5021] page_type: 0xffffffff() [ 52.100535][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 52.109151][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 52.117742][ T5021] page dumped because: kasan: bad access detected [ 52.124181][ T5021] page_owner tracks the page as allocated [ 52.129907][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 52.149363][ T5021] post_alloc_hook+0x2d2/0x350 [ 52.154211][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 52.159740][ T5021] __alloc_pages+0x1d0/0x4a0 [ 52.164313][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 52.169407][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 52.175641][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 52.180944][ T5021] vzalloc+0x6b/0x80 [ 52.184851][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 52.190877][ T5021] journal_init+0x3e2/0x64b0 [ 52.195467][ T5021] reiserfs_fill_super+0xcc6/0x3150 [ 52.200698][ T5021] mount_bdev+0x30d/0x3d0 [ 52.205046][ T5021] legacy_get_tree+0x109/0x220 [ 52.209795][ T5021] vfs_get_tree+0x88/0x350 [ 52.214190][ T5021] path_mount+0x1492/0x1ed0 [ 52.218669][ T5021] __x64_sys_mount+0x293/0x310 [ 52.223412][ T5021] do_syscall_64+0x38/0xb0 [ 52.227809][ T5021] page last free stack trace: [ 52.232457][ T5021] free_unref_page_prepare+0x508/0xb90 [ 52.237901][ T5021] free_unref_page_list+0xe6/0xb30 [ 52.243006][ T5021] release_pages+0x32a/0x14e0 [ 52.247668][ T5021] tlb_batch_pages_flush+0x9a/0x190 [ 52.252860][ T5021] tlb_finish_mmu+0x14b/0x7e0 [ 52.257532][ T5021] exit_mmap+0x2db/0x960 [ 52.261757][ T5021] __mmput+0x12a/0x4d0 [ 52.265806][ T5021] mmput+0x62/0x70 [ 52.269505][ T5021] do_exit+0x9b4/0x2a20 [ 52.273641][ T5021] do_group_exit+0xd4/0x2a0 [ 52.278126][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 52.283135][ T5021] do_syscall_64+0x38/0xb0 [ 52.287532][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.293412][ T5021] [ 52.295720][ T5021] Memory state around the buggy address: [ 52.301336][ T5021] ffffc90000b1df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 52.309385][ T5021] ffffc90000b1e000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 52.317425][ T5021] >ffffc90000b1e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 52.325467][ T5021] ^ [ 52.329516][ T5021] ffffc90000b1e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 52.337554][ T5021] ffffc90000b1e180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 52.345604][ T5021] ================================================================== [ 52.354369][ T5021] ================================================================== [ 52.362465][ T5021] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 52.371372][ T5021] Read of size 8 at addr ffffc90000b1e088 by task syz-executor202/5021 [ 52.379597][ T5021] [ 52.381905][ T5021] CPU: 1 PID: 5021 Comm: syz-executor202 Tainted: G B 6.5.0-rc4-syzkaller #0 [ 52.392156][ T5021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 52.402353][ T5021] Call Trace: [ 52.405652][ T5021] [ 52.408601][ T5021] dump_stack_lvl+0xd9/0x1b0 [ 52.413258][ T5021] print_report+0xc4/0x620 [ 52.417781][ T5021] ? __virt_addr_valid+0x5e/0x2d0 [ 52.422831][ T5021] kasan_report+0xda/0x110 [ 52.427250][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 52.433156][ T5021] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 52.439047][ T5021] cleanup_bitmap_list.part.0+0x4dd/0x5c0 [ 52.444753][ T5021] ? work_on_cpu_safe+0xb0/0xb0 [ 52.449590][ T5021] free_journal_ram+0x160/0x650 [ 52.454460][ T5021] ? do_raw_spin_unlock+0x173/0x230 [ 52.459650][ T5021] ? _raw_spin_unlock+0x28/0x40 [ 52.464495][ T5021] journal_release+0x2a4/0x660 [ 52.469247][ T5021] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0 [ 52.475907][ T5021] reiserfs_put_super+0xe9/0x5c0 [ 52.480837][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 52.486112][ T5021] ? fscrypt_destroy_keyring+0x1e/0x390 [ 52.491644][ T5021] ? reiserfs_quota_read+0x4e0/0x4e0 [ 52.496910][ T5021] generic_shutdown_super+0x158/0x480 [ 52.502270][ T5021] kill_block_super+0x64/0xb0 [ 52.506941][ T5021] deactivate_locked_super+0x9a/0x170 [ 52.512314][ T5021] deactivate_super+0xde/0x100 [ 52.517076][ T5021] cleanup_mnt+0x222/0x3d0 [ 52.521508][ T5021] task_work_run+0x14d/0x240 [ 52.526101][ T5021] ? task_work_cancel+0x30/0x30 [ 52.530955][ T5021] ? __put_net+0x61/0x70 [ 52.535191][ T5021] do_exit+0xa99/0x2a20 [ 52.539379][ T5021] ? do_group_exit+0x1c5/0x2a0 [ 52.544142][ T5021] ? reacquire_held_locks+0x4b0/0x4b0 [ 52.549511][ T5021] ? do_raw_spin_lock+0x12e/0x2b0 [ 52.554531][ T5021] ? mm_update_next_owner+0x7d0/0x7d0 [ 52.559898][ T5021] ? spin_bug+0x1d0/0x1d0 [ 52.564223][ T5021] do_group_exit+0xd4/0x2a0 [ 52.568745][ T5021] __x64_sys_exit_group+0x3e/0x50 [ 52.573782][ T5021] do_syscall_64+0x38/0xb0 [ 52.578208][ T5021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.584119][ T5021] RIP: 0033:0x7ffb748ef849 [ 52.588532][ T5021] Code: Unable to access opcode bytes at 0x7ffb748ef81f. [ 52.595531][ T5021] RSP: 002b:00007ffdf9c17ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.604198][ T5021] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffb748ef849 [ 52.612164][ T5021] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 52.620224][ T5021] RBP: 00007ffb7496d390 R08: ffffffffffffffb8 R09: 00000000000000a0 [ 52.628186][ T5021] R10: 00000000000000a0 R11: 0000000000000246 R12: 00007ffb7496d390 [ 52.636152][ T5021] R13: 0000000000000000 R14: 00007ffb7496e100 R15: 00007ffb748bdd80 [ 52.644126][ T5021] [ 52.647134][ T5021] [ 52.649450][ T5021] The buggy address belongs to the virtual mapping at [ 52.649450][ T5021] [ffffc90000b1e000, ffffc90000b20000) created by: [ 52.649450][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 52.668486][ T5021] [ 52.670806][ T5021] The buggy address belongs to the physical page: [ 52.677307][ T5021] page:ffffea0000ae7380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9ce [ 52.687483][ T5021] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 52.694610][ T5021] page_type: 0xffffffff() [ 52.698933][ T5021] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 52.707514][ T5021] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 52.716086][ T5021] page dumped because: kasan: bad access detected [ 52.722480][ T5021] page_owner tracks the page as allocated [ 52.728179][ T5021] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5021, tgid 5021 (syz-executor202), ts 42629806900, free_ts 36642763402 [ 52.747677][ T5021] post_alloc_hook+0x2d2/0x350 [ 52.752544][ T5021] get_page_from_freelist+0x10a9/0x31e0 [ 52.758225][ T5021] __alloc_pages+0x1d0/0x4a0 [ 52.762851][ T5021] __alloc_pages_bulk+0x77a/0x1110 [ 52.767980][ T5021] alloc_pages_bulk_array_mempolicy+0x1ca/0x370 [ 52.774306][ T5021] __vmalloc_node_range+0xd08/0x1540 [ 52.779586][ T5021] vzalloc+0x6b/0x80 [ 52.783473][ T5021] reiserfs_allocate_list_bitmaps+0x58/0x1c0 [ 52.789475][ T5021] journal_init+0x3e2/0x64b0