================================================================== BUG: KASAN: slab-out-of-bounds in generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline] BUG: KASAN: slab-out-of-bounds in ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline] BUG: KASAN: slab-out-of-bounds in ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690 Read of size 8 at addr ffff0000dd547f30 by task syz-executor.4/11468 CPU: 0 PID: 11468 Comm: syz-executor.4 Not tainted 6.3.0-rc1-syzkaller-gfe15c26ee26e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call trace: dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:319 [inline] print_report+0x174/0x514 mm/kasan/report.c:430 kasan_report+0xd4/0x130 mm/kasan/report.c:536 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:381 generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline] ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline] ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690 statfs_by_dentry fs/statfs.c:66 [inline] vfs_statfs+0x140/0x2bc fs/statfs.c:90 ovl_check_namelen fs/overlayfs/super.c:919 [inline] ovl_lower_dir fs/overlayfs/super.c:939 [inline] ovl_get_lowerstack+0x1c4/0x1868 fs/overlayfs/super.c:1742 ovl_fill_super+0x1218/0x2240 fs/overlayfs/super.c:2010 mount_nodev+0x68/0x104 fs/super.c:1417 ovl_mount+0x3c/0x50 fs/overlayfs/super.c:2091 legacy_get_tree+0xd4/0x16c fs/fs_context.c:610 vfs_get_tree+0x90/0x274 fs/super.c:1501 do_new_mount+0x25c/0x8c8 fs/namespace.c:3042 path_mount+0x590/0xe20 fs/namespace.c:3372 do_mount fs/namespace.c:3385 [inline] __do_sys_mount fs/namespace.c:3594 [inline] __se_sys_mount fs/namespace.c:3571 [inline] __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3571 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 Allocated by task 5996: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4c/0x7c mm/kasan/common.c:52 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:510 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook+0x80/0x488 mm/slab.h:769 slab_alloc_node mm/slub.c:3452 [inline] slab_alloc mm/slub.c:3460 [inline] __kmem_cache_alloc_lru mm/slub.c:3467 [inline] kmem_cache_alloc+0x288/0x37c mm/slub.c:3476 radix_tree_node_alloc+0x1ac/0x3c0 lib/radix-tree.c:251 idr_get_free+0x234/0x89c lib/radix-tree.c:1505 idr_alloc_u32 lib/idr.c:46 [inline] idr_alloc_cyclic+0x18c/0x4f4 lib/idr.c:125 __kernfs_new_node+0x124/0x66c fs/kernfs/dir.c:617 kernfs_new_node+0x98/0x184 fs/kernfs/dir.c:673 __kernfs_create_file+0x60/0x2d4 fs/kernfs/file.c:1047 sysfs_add_file_mode_ns+0x1dc/0x298 fs/sysfs/file.c:294 create_files fs/sysfs/group.c:64 [inline] internal_create_group+0x428/0xbec fs/sysfs/group.c:148 internal_create_groups fs/sysfs/group.c:188 [inline] sysfs_create_groups+0x60/0x130 fs/sysfs/group.c:214 device_add_groups drivers/base/core.c:2678 [inline] device_add_attrs+0x178/0x750 drivers/base/core.c:2798 device_add+0x5e0/0xf58 drivers/base/core.c:3543 netdev_register_kobject+0x15c/0x2d8 net/core/net-sysfs.c:2043 register_netdevice+0xcb8/0x1270 net/core/dev.c:10046 veth_newlink+0x730/0xb88 drivers/net/veth.c:1837 rtnl_newlink_create net/core/rtnetlink.c:3440 [inline] __rtnl_newlink net/core/rtnetlink.c:3657 [inline] rtnl_newlink+0x1174/0x1b1c net/core/rtnetlink.c:3670 rtnetlink_rcv_msg+0x744/0xdb8 net/core/rtnetlink.c:6174 netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6192 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:722 [inline] sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x3b4/0x538 net/socket.c:2145 __do_sys_sendto net/socket.c:2157 [inline] __se_sys_sendto net/socket.c:2153 [inline] __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2153 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 The buggy address belongs to the object at ffff0000dd547c80 which belongs to the cache radix_tree_node of size 576 The buggy address is located 112 bytes to the right of allocated 576-byte region [ffff0000dd547c80, ffff0000dd547ec0) The buggy address belongs to the physical page: page:00000000805eca39 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d544 head:00000000805eca39 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000010200 ffff0000c000d500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000dd547e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000dd547e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff0000dd547f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0000dd547f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000dd548000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================