loop0: detected capacity change from 0 to 32768
XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791
XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200.
XFS (loop0): Starting recovery (logdev: internal)
==================================================================
BUG: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x12d/0x680
Read of size 8 at addr ffff888070481258 by task syz-executor.0/5563

CPU: 0 PID: 5563 Comm: syz-executor.0 Not tainted 6.2.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
 dump_stack_lvl+0x12e/0x1d0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 xfs_btree_lookup_get_block+0x12d/0x680
 xfs_btree_lookup+0x2f7/0xfe0
 xfs_btree_simple_query_range+0xde/0x5a0
 xfs_btree_query_range+0x2b7/0x360
 xfs_refcount_recover_cow_leftovers+0x29a/0xc00
 xfs_reflink_recover_cow+0x7e/0x140
 xlog_recover_finish+0x71f/0x7f0
 xfs_log_mount_finish+0x1c1/0x360
 xfs_mountfs+0x116e/0x1cd0
 xfs_fs_fill_super+0xb55/0xed0
 get_tree_bdev+0x3d7/0x620
 vfs_get_tree+0x7f/0x220
 do_new_mount+0x1e5/0x940
 __se_sys_mount+0x20d/0x2a0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f377968d5da
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f377a3c3f88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000009712 RCX: 00007f377968d5da
RDX: 0000000020000100 RSI: 0000000020009640 RDI: 00007f377a3c3fe0
RBP: 00007f377a3c4020 R08: 00007f377a3c4020 R09: 0000000000200800
R10: 0000000000200800 R11: 0000000000000246 R12: 0000000020000100
R13: 0000000020009640 R14: 00007f377a3c3fe0 R15: 0000000020000240

The buggy address belongs to the object at ffff888070481210
 which belongs to the cache xfs_refcbt_cur of size 200
The buggy address is located 72 bytes inside of
 200-byte region [ffff888070481210, ffff8880704812d8)

The buggy address belongs to the physical page:
page:ffffea0001c12040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x70481
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881408c0500 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5563, tgid 5562 (syz-executor.0), ts 76548179324, free_ts 76544345667
 get_page_from_freelist+0x3434/0x35b0
 __alloc_pages+0x291/0x7f0
 alloc_slab_page+0x6a/0x160
 new_slab+0x84/0x2f0
 ___slab_alloc+0xa07/0x1000
 kmem_cache_alloc+0x1b0/0x280
 xfs_refcountbt_init_cursor+0x82/0x340
 xfs_refcount_recover_cow_leftovers+0x1e0/0xc00
 xfs_reflink_recover_cow+0x7e/0x140
 xlog_recover_finish+0x71f/0x7f0
 xfs_log_mount_finish+0x1c1/0x360
 xfs_mountfs+0x116e/0x1cd0
 xfs_fs_fill_super+0xb55/0xed0
 get_tree_bdev+0x3d7/0x620
 vfs_get_tree+0x7f/0x220
 do_new_mount+0x1e5/0x940
page last free stack trace:
 __free_pages_ok+0xcda/0xd40
 free_large_kmalloc+0xef/0x180
 xlog_do_recovery_pass+0x994/0xc00
 xlog_do_log_recovery+0x4c/0x60
 xlog_do_recover+0x11e/0x4e0
 xlog_recover+0x386/0x450
 xfs_log_mount+0x331/0x640
 xfs_mountfs+0xb36/0x1cd0
 xfs_fs_fill_super+0xb55/0xed0
 get_tree_bdev+0x3d7/0x620
 vfs_get_tree+0x7f/0x220
 do_new_mount+0x1e5/0x940
 __se_sys_mount+0x20d/0x2a0
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888070481100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888070481180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888070481200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff888070481280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888070481300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================