==================================================================
BUG: KASAN: slab-out-of-bounds in dbAllocDmapLev+0x233/0x280 fs/jfs/jfs_dmap.c:2030
Read of size 1 at addr ffff888098a98fcd by task syz-executor331/7971

CPU: 1 PID: 7971 Comm: syz-executor331 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 dbAllocDmapLev+0x233/0x280 fs/jfs/jfs_dmap.c:2030
 dbAllocCtl+0x426/0x680 fs/jfs/jfs_dmap.c:1874
 dbAllocAG+0x684/0x9f0 fs/jfs/jfs_dmap.c:1415
 dbAlloc+0x415/0x980 fs/jfs/jfs_dmap.c:871
 dtSplitUp+0x316/0x47d0 fs/jfs/jfs_dtree.c:986
 dtInsert+0x77c/0x9e0 fs/jfs/jfs_dtree.c:875
 jfs_create.part.0+0x364/0x800 fs/jfs/namei.c:150
 jfs_create+0x35/0x50 fs/jfs/namei.c:90
 lookup_open+0x77a/0x1750 fs/namei.c:3241
 do_last fs/namei.c:3334 [inline]
 path_openat+0xe08/0x2970 fs/namei.c:3571
 do_filp_open+0x179/0x3c0 fs/namei.c:3605
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f17f07db7e9
RSP: 002b:00007ffd49983bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f17f07db7e9
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 00007f17f079b080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f17f079b110
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 get_empty_filp+0x86/0x3f0 fs/file_table.c:123
 path_openat+0x84/0x2970 fs/namei.c:3547
 do_filp_open+0x179/0x3c0 fs/namei.c:3605
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Freed by task 7:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288

The buggy address belongs to the object at ffff888098a98d00
 which belongs to the cache filp of size 456
The buggy address is located 261 bytes to the right of
 456-byte region [ffff888098a98d00, ffff888098a98ec8)
The buggy address belongs to the page:
page:ffffea000262a600 count:1 mapcount:0 mapping:ffff888098a98080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff888098a98080 0000000000000000 0000000100000006
raw: ffffea000262a5a0 ffffea00025fe460 ffff8880b60c9080 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098a98e80: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff888098a98f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888098a98f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff888098a99000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888098a99080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================