==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x104/0x6800 kernel/locking/lockdep.c:4919
Read of size 8 at addr ffff0000d3b40bb0 by task gfs2_quotad/4667

CPU: 1 PID: 4667 Comm: gfs2_quotad Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 print_address_description+0x88/0x218 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:420
 kasan_report+0xa8/0xfc mm/kasan/report.c:524
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
 __lock_acquire+0x104/0x6800 kernel/locking/lockdep.c:4919
 lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x6c/0xb0 kernel/locking/spinlock.c:162
 finish_wait+0xc8/0x1ac kernel/sched/wait.c:410
 gfs2_quotad+0x390/0x500 fs/gfs2/quota.c:1579
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850

Allocated by task 5504:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:53
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x74/0x430 mm/slab.h:737
 slab_alloc_node mm/slub.c:3359 [inline]
 slab_alloc mm/slub.c:3367 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3374 [inline]
 kmem_cache_alloc+0x22c/0x308 mm/slub.c:3383
 sk_prot_alloc+0x60/0x1ec net/core/sock.c:2046
 sk_alloc+0x44/0x390 net/core/sock.c:2108
 inet_create+0x668/0xd54 net/ipv4/af_inet.c:319
 __sock_create+0x4b0/0x8b4 net/socket.c:1549
 sock_create net/socket.c:1605 [inline]
 __sys_socket_create net/socket.c:1642 [inline]
 __sys_socket+0xc0/0x1ac net/socket.c:1670
 __do_sys_socket net/socket.c:1683 [inline]
 __se_sys_socket net/socket.c:1681 [inline]
 __arm64_sys_socket+0x7c/0x94 net/socket.c:1681
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000d3b40000
 which belongs to the cache MPTCP of size 2856
The buggy address is located 136 bytes to the right of
 2856-byte region [ffff0000d3b40000, ffff0000d3b40b28)

The buggy address belongs to the physical page:
page:0000000029767c85 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d3b40bc0 pfn:0x113b40
head:0000000029767c85 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff0000d018f901
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c4cd1c80
raw: ffff0000d3b40bc0 00000000800a0008 00000001ffffffff ffff0000d018f901
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d3b40a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000d3b40b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d3b40b80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                     ^
 ffff0000d3b40c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000d3b40c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 1 PID: 4667 Comm: gfs2_quotad Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 assign_lock_key+0x230/0x264 kernel/locking/lockdep.c:974
 register_lock_class+0x1ac/0x694 kernel/locking/lockdep.c:1287
 __lock_acquire+0x164/0x6800 kernel/locking/lockdep.c:4928
 lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x6c/0xb0 kernel/locking/spinlock.c:162
 finish_wait+0xc8/0x1ac kernel/sched/wait.c:410
 gfs2_quotad+0x390/0x500 fs/gfs2/quota.c:1579
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
list_del corruption. prev->next should be ffff800021677d98, but was 0000000000000000. (prev=ffff0000d3b40bd8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:61!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4667 Comm: gfs2_quotad Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid+0x13c/0x158 lib/list_debug.c:59
lr : __list_del_entry_valid+0x13c/0x158 lib/list_debug.c:59
sp : ffff800021677c70
x29: ffff800021677c70 x28: 0000000000000000 x27: 0000000000000bb8
x26: 0000000000001770 x25: dfff800000000000 x24: dfff800000000000
x23: ffff0000d3b407c0 x22: dfff800000000000 x21: ffff0000d3b40bd8
x20: ffff0000d3b40bd8 x19: ffff800021677d98 x18: ffff800011b9bf60
x17: 20747562202c3839 x16: ffff8000082eef80 x15: 0000000000000000
x14: 0000000000000001 x13: 1ffff000042ceee4 x12: 0000000000ff0100
x11: ff00800008311668 x10: 0000000000000000 x9 : abdfd8937e9fa900
x8 : abdfd8937e9fa900 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800021677738 x4 : ffff800015304cc0 x3 : ffff800008319678
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 000000000000006d
Call trace:
 __list_del_entry_valid+0x13c/0x158 lib/list_debug.c:59
 __list_del_entry include/linux/list.h:134 [inline]
 list_del_init include/linux/list.h:206 [inline]
 finish_wait+0xd4/0x1ac kernel/sched/wait.c:411
 gfs2_quotad+0x390/0x500 fs/gfs2/quota.c:1579
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
Code: 91300000 aa1303e1 aa1503e3 95c1ea98 (d4210000)
---[ end trace 0000000000000000 ]---