==================================================================
BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0x1330/0x14b0 fs/jfs/jfs_dtree.c:1984
Read of size 1 at addr ffff8880a1c3cfc0 by task syz-executor167/8007

CPU: 1 PID: 8007 Comm: syz-executor167 Not tainted 4.14.295-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 dtSplitRoot+0x1330/0x14b0 fs/jfs/jfs_dtree.c:1984
 dtSplitUp+0xeee/0x47d0 fs/jfs/jfs_dtree.c:997
 dtInsert+0x77c/0x9e0 fs/jfs/jfs_dtree.c:875
 jfs_mkdir.part.0+0x38d/0x7e0 fs/jfs/namei.c:283
 jfs_mkdir+0x35/0x50 fs/jfs/namei.c:223
 vfs_mkdir+0x463/0x6e0 fs/namei.c:3851
 SYSC_mkdirat fs/namei.c:3874 [inline]
 SyS_mkdirat+0x1fd/0x270 fs/namei.c:3858
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fdd0a9b8fb9
RSP: 002b:00007ffd719056e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd0a9b8fb9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fdd0a978820 R08: 0000000000000000 R09: 00007fdd0a978820
R10: 00005555557682c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000

Allocated by task 4615:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 fill_pool lib/debugobjects.c:110 [inline]
 __debug_object_init+0x578/0x7a0 lib/debugobjects.c:341
 debug_object_init lib/debugobjects.c:393 [inline]
 debug_object_activate+0x391/0x490 lib/debugobjects.c:474
 debug_rcu_head_queue kernel/rcu/rcu.h:152 [inline]
 __call_rcu.constprop.0+0x31/0x7d0 kernel/rcu/tree.c:3050
 dentry_free+0xab/0x120 fs/dcache.c:363
 __dentry_kill+0x3ff/0x550 fs/dcache.c:605
 shrink_dentry_list+0x2ab/0xac0 fs/dcache.c:1043
 shrink_dcache_sb+0x105/0x1b0 fs/dcache.c:1191
 do_remount_sb+0xdd/0x530 fs/super.c:852
 do_remount fs/namespace.c:2393 [inline]
 do_mount+0x15f3/0x2a30 fs/namespace.c:2896
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 24:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 free_obj_work+0x200/0x570 lib/debugobjects.c:207
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff8880a1c3cf50
 which belongs to the cache debug_objects_cache of size 40
The buggy address is located 72 bytes to the right of
 40-byte region [ffff8880a1c3cf50, ffff8880a1c3cf78)
The buggy address belongs to the page:
page:ffffea0002870f00 count:1 mapcount:0 mapping:ffff8880a1c3c000 index:0xffff8880a1c3cfb9
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880a1c3c000 ffff8880a1c3cfb9 0000000100000030
raw: ffffea0002c08d20 ffffea0002d82b20 ffff88813fe6bdc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1c3ce80: 00 00 00 fc fc 00 00 00 00 00 fc fc fb fb fb fb
 ffff8880a1c3cf00: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
>ffff8880a1c3cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8880a1c3d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a1c3d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================