==================================================================
BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0x140a/0x1590 fs/jfs/jfs_dtree.c:1985
Read of size 1 at addr ffff8880b5217fc0 by task syz-executor379/8101

CPU: 0 PID: 8101 Comm: syz-executor379 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
 dtSplitRoot+0x140a/0x1590 fs/jfs/jfs_dtree.c:1985
 dtSplitUp+0x10ce/0x4e70 fs/jfs/jfs_dtree.c:998
 dtInsert+0x7fd/0xa00 fs/jfs/jfs_dtree.c:876
 jfs_mkdir.part.0+0x3ef/0x870 fs/jfs/namei.c:282
 jfs_mkdir+0x3f/0x60 fs/jfs/namei.c:222
 vfs_mkdir+0x508/0x7a0 fs/namei.c:3819
 do_mkdirat+0x262/0x2d0 fs/namei.c:3842
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fdddb73ffb9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc410adce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdddb73ffb9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fdddb6ff820 R08: 0000000000000000 R09: 00007fdddb6ff820
R10: 0000555555b0d2c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000

Allocated by task 1:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 __alloc_file+0x21/0x340 fs/file_table.c:100
 alloc_empty_file+0x6d/0x170 fs/file_table.c:150
 path_openat+0xe9/0x2df0 fs/namei.c:3526
 do_filp_open+0x18c/0x3f0 fs/namei.c:3567
 do_sys_open+0x3b3/0x520 fs/open.c:1085
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881
 __do_softirq+0x265/0x980 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880b5217cc0
 which belongs to the cache filp of size 456
The buggy address is located 312 bytes to the right of
 456-byte region [ffff8880b5217cc0, ffff8880b5217e88)
The buggy address belongs to the page:
page:ffffea0002d485c0 count:1 mapcount:0 mapping:ffff88813be45080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002d48588 ffffea0002782a88 ffff88813be45080
raw: 0000000000000000 ffff8880b5217040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b5217e80: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880b5217f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880b5217f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8880b5218000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880b5218080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================