------------[ cut here ]------------ WARNING: CPU: 1 PID: 5307 at fs/inode.c:389 inc_nlink+0x128/0x154 fs/inode.c:389 Modules linked in: CPU: 1 PID: 5307 Comm: syz-executor.0 Not tainted 6.1.86-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : inc_nlink+0x128/0x154 fs/inode.c:389 lr : inc_nlink+0x128/0x154 fs/inode.c:389 sp : ffff80001f017b70 x29: ffff80001f017b70 x28: dfff800000000000 x27: 0000000000000000 x26: 1fffe0001b260815 x25: ffff800012532208 x24: 00000000000001c0 x23: 1fffe0001e3dd810 x22: dfff800000000000 x21: 0000000000000000 x20: ffff0000f1eec038 x19: ffff0000f1eec080 x18: ffff80001f0173c0 x17: ffff8000188cd000 x16: ffff800012155cc4 x15: 0000000000000002 x14: 00000000ffff8000 x13: 000000009598c0c9 x12: 0000000000040000 x11: 000000000003ffff x10: ffff80001dda9000 x9 : ffff800008aab938 x8 : 0000000000040000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : 0000000000000001 x3 : 00000000000001c0 x2 : ffff0000e2131490 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: inc_nlink+0x128/0x154 fs/inode.c:389 inode_inc_link_count include/linux/fs.h:2571 [inline] sysv_mkdir+0x2c/0x138 fs/sysv/namei.c:119 vfs_mkdir+0x334/0x4e4 fs/namei.c:4108 do_mkdirat+0x220/0x510 fs/namei.c:4133 __do_sys_mkdirat fs/namei.c:4148 [inline] __se_sys_mkdirat fs/namei.c:4146 [inline] __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4146 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 irq event stamp: 37287258 hardirqs last enabled at (37287257): [] kasan_quarantine_put+0xdc/0x204 mm/kasan/quarantine.c:242 hardirqs last disabled at (37287258): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405 softirqs last enabled at (37284750): [] softirq_handle_end kernel/softirq.c:414 [inline] softirqs last enabled at (37284750): [] __do_softirq+0xc1c/0xe38 kernel/softirq.c:600 softirqs last disabled at (37284741): [] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80 ---[ end trace 0000000000000000 ]--- unable to read i-node block ================================================================== BUG: KASAN: slab-out-of-bounds in sysv_new_block+0x618/0x7e4 fs/sysv/balloc.c:113 Read of size 4 at addr ffff0000f2c150c8 by task syz-executor.0/5307 CPU: 1 PID: 5307 Comm: syz-executor.0 Tainted: G W 6.1.86-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call trace: dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x174/0x4c0 mm/kasan/report.c:395 kasan_report+0xd4/0x130 mm/kasan/report.c:495 __asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350 sysv_new_block+0x618/0x7e4 fs/sysv/balloc.c:113 alloc_branch fs/sysv/itree.c:134 [inline] get_block+0x254/0x1360 fs/sysv/itree.c:253 __block_write_begin_int+0x340/0x13b4 fs/buffer.c:1991 __block_write_begin+0x7c/0xa0 fs/buffer.c:2041 sysv_prepare_chunk+0x3c/0x50 fs/sysv/itree.c:468 sysv_make_empty+0x98/0x500 fs/sysv/dir.c:257 sysv_mkdir+0x88/0x138 fs/sysv/namei.c:130 vfs_mkdir+0x334/0x4e4 fs/namei.c:4108 do_mkdirat+0x220/0x510 fs/namei.c:4133 __do_sys_mkdirat fs/namei.c:4148 [inline] __se_sys_mkdirat fs/namei.c:4146 [inline] __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4146 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Allocated by task 5310: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4c/0x80 mm/kasan/common.c:52 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x74/0x458 mm/slab.h:737 slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc+0x230/0x37c mm/slub.c:3422 vm_area_alloc+0x2c/0xe0 kernel/fork.c:458 mmap_region+0xb4c/0x1a98 mm/mmap.c:2743 do_mmap+0xa00/0x1108 mm/mmap.c:1425 vm_mmap_pgoff+0x1a4/0x2b4 mm/util.c:520 ksys_mmap_pgoff+0xd0/0x5b0 mm/mmap.c:1471 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline] __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline] __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 The buggy address belongs to the object at ffff0000f2c15000 which belongs to the cache vm_area_struct of size 152 The buggy address is located 48 bytes to the right of 152-byte region [ffff0000f2c15000, ffff0000f2c15098) The buggy address belongs to the physical page: page:00000000a8dd32fd refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000f2c15870 pfn:0x132c15 memcg:ffff0000d21dd601 flags: 0x5ffe00000000200(slab|node=0|zone=2|lastcpupid=0xfff) raw: 05ffe00000000200 fffffc0003353408 fffffc0003500188 ffff0000c03dd680 raw: ffff0000f2c15870 0000000000120004 00000001ffffffff ffff0000d21dd601 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000f2c14f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000f2c15000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0000f2c15080: 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 ^ ffff0000f2c15100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc ffff0000f2c15180: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb ================================================================== sysv_free_inode: unable to read inode block on device loop0 sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_block: flc_count > flc_size sysv_free_inode: inode 0,1,2 or nonexistent inode