XFS (loop1): Unmounting Filesystem acfebfcd-0806-4e27-9777-0ac4ff5ddf54
==================================================================
BUG: KASAN: slab-out-of-bounds in xlog_pack_data+0x501/0x570 fs/xfs/xfs_log.c:1822
Read of size 4 at addr ffff8880953e4e00 by task syz-executor.1/6615

CPU: 0 PID: 6615 Comm: syz-executor.1 Not tainted 6.4.0-rc6-syzkaller-00026-gfb054096aea0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 xlog_pack_data+0x501/0x570 fs/xfs/xfs_log.c:1822
 xlog_sync+0x189/0xa50 fs/xfs/xfs_log.c:2093
 xlog_state_release_iclog+0x42e/0x7f0 fs/xfs/xfs_log.c:619
 xlog_force_iclog fs/xfs/xfs_log.c:888 [inline]
 xlog_force_and_check_iclog fs/xfs/xfs_log.c:3172 [inline]
 xlog_force_lsn+0x5d1/0x910 fs/xfs/xfs_log.c:3344
 xfs_log_force_seq+0x22b/0x630 fs/xfs/xfs_log.c:3409
 __xfs_trans_commit+0xac5/0xe20 fs/xfs/xfs_trans.c:1021
 xfs_sync_sb+0xfd/0x140 fs/xfs/libxfs/xfs_sb.c:1015
 xfs_log_cover fs/xfs/xfs_log.c:1300 [inline]
 xfs_log_quiesce+0x24d/0x320 fs/xfs/xfs_log.c:1109
 xfs_log_clean fs/xfs/xfs_log.c:1116 [inline]
 xfs_log_unmount+0x22/0x270 fs/xfs/xfs_log.c:1131
 xfs_unmountfs+0x151/0x290 fs/xfs/xfs_mount.c:1096
 xfs_fs_put_super+0x7b/0x3b0 fs/xfs/xfs_super.c:1130
 generic_shutdown_super+0x158/0x480 fs/super.c:500
 kill_block_super+0xa1/0x100 fs/super.c:1407
 deactivate_locked_super+0x98/0x160 fs/super.c:331
 deactivate_super+0xb1/0xd0 fs/super.c:362
 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1177
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc3ffa8d607
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc12a8a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc3ffa8d607
RDX: 00007ffcc12a8b5a RSI: 000000000000000a RDI: 00007ffcc12a8b50
RBP: 00007ffcc12a8b50 R08: 00000000ffffffff R09: 00007ffcc12a8920
R10: 000055555738f893 R11: 0000000000000246 R12: 00007fc3ffae6cdc
R13: 00007ffcc12a9c10 R14: 000055555738f810 R15: 00007ffcc12a9c50

The buggy address belongs to the physical page:
page:ffffea000254f000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x953c0
head:ffffea000254f000 order:6 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010000(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 6, migratetype Unmovable, gfp_mask 0x146dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO), pid 13136, tgid 13135 (syz-executor.1), ts 1725373395793, free_ts 1724194185945
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0xf41/0x2c00 mm/page_alloc.c:3502
 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4768
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x94/0x1d0 mm/slab_common.c:1107
 __do_kmalloc_node mm/slab_common.c:954 [inline]
 __kmalloc_node+0x10b/0x1a0 mm/slab_common.c:973
 kmalloc_node include/linux/slab.h:579 [inline]
 kvmalloc_node+0x76/0x1a0 mm/util.c:604
 kvmalloc include/linux/slab.h:697 [inline]
 kvzalloc include/linux/slab.h:705 [inline]
 xlog_alloc_log+0x755/0x1450 fs/xfs/xfs_log.c:1649
 xfs_log_mount+0xef/0x700 fs/xfs/xfs_log.c:658
 xfs_mountfs+0x11e1/0x1f60 fs/xfs/xfs_mount.c:819
 xfs_fs_fill_super+0x1490/0x1fc0 fs/xfs/xfs_super.c:1694
 get_tree_bdev+0x44a/0x770 fs/super.c:1303
 vfs_get_tree+0x8d/0x350 fs/super.c:1510
 do_new_mount fs/namespace.c:3039 [inline]
 path_mount+0x134b/0x1e40 fs/namespace.c:3369
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 __free_pages_ok+0x77f/0x1060 mm/page_alloc.c:1441
 kvfree+0x46/0x50 mm/util.c:650
 kmem_free fs/xfs/kmem.h:62 [inline]
 xlog_find_verify_log_record+0x45a/0x650 fs/xfs/xfs_log_recover.c:480
 xlog_find_zeroed+0x368/0x5a0 fs/xfs/xfs_log_recover.c:1466
 xlog_find_head+0xc4/0x9c0 fs/xfs/xfs_log_recover.c:511
 xlog_find_tail+0xa9/0x990 fs/xfs/xfs_log_recover.c:1256
 xlog_recover+0x7d/0x500 fs/xfs/xfs_log_recover.c:3360
 xfs_log_mount+0x36e/0x700 fs/xfs/xfs_log.c:741
 xfs_mountfs+0x11e1/0x1f60 fs/xfs/xfs_mount.c:819
 xfs_fs_fill_super+0x1490/0x1fc0 fs/xfs/xfs_super.c:1694
 get_tree_bdev+0x44a/0x770 fs/super.c:1303
 vfs_get_tree+0x8d/0x350 fs/super.c:1510
 do_new_mount fs/namespace.c:3039 [inline]
 path_mount+0x134b/0x1e40 fs/namespace.c:3369
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8880953e4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880953e4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880953e4e00: 01 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 ffff8880953e4e80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff8880953e4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================