==================================================================
BUG: KASAN: stack-out-of-bounds in arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
BUG: KASAN: stack-out-of-bounds in atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
BUG: KASAN: stack-out-of-bounds in xfs_buf_lock+0x43e/0x490 fs/xfs/xfs_buf.c:1117
Read of size 4 at addr ffffc9000372fbf4 by task kswapd0/82

CPU: 0 PID: 82 Comm: kswapd0 Not tainted 6.4.0-rc2-next-20230515-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:571
 arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
 xfs_buf_lock+0x43e/0x490 fs/xfs/xfs_buf.c:1117
 xfs_buf_delwri_submit_buffers+0x131/0x9e0 fs/xfs/xfs_buf.c:2164
 xfs_buf_delwri_submit+0x8a/0x2c0 fs/xfs/xfs_buf.c:2242
 xfs_qm_shrink_scan fs/xfs/xfs_qm.c:522 [inline]
 xfs_qm_shrink_scan+0x1a7/0x370 fs/xfs/xfs_qm.c:503
 do_shrink_slab+0x428/0xaa0 mm/vmscan.c:912
 shrink_slab+0x1c8/0x8a0 mm/vmscan.c:1075
 shrink_one+0x4f9/0x710 mm/vmscan.c:5380
 shrink_many mm/vmscan.c:5430 [inline]
 lru_gen_shrink_node mm/vmscan.c:5547 [inline]
 shrink_node+0x1fd5/0x3500 mm/vmscan.c:6488
 kswapd_shrink_node mm/vmscan.c:7288 [inline]
 balance_pgdat+0xa02/0x1ac0 mm/vmscan.c:7478
 kswapd+0x677/0xd60 mm/vmscan.c:7738
 kthread+0x344/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the virtual mapping at
 [ffffc90003728000, ffffc90003731000) created by:
 kernel_clone+0xeb/0x890 kernel/fork.c:2914

The buggy address belongs to the physical page:
page:ffffea0001f73340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7dccd
memcg:ffff888029a46f82
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff888029a46f82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 24172, tgid 24172 (syz-executor.5), ts 1210343677459, free_ts 1209911542113
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0xf67/0x2a80 mm/page_alloc.c:3539
 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4805
 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
 vm_area_alloc_pages mm/vmalloc.c:3009 [inline]
 __vmalloc_area_node mm/vmalloc.c:3085 [inline]
 __vmalloc_node_range+0xb73/0x1490 mm/vmalloc.c:3257
 alloc_thread_stack_node kernel/fork.c:309 [inline]
 dup_task_struct kernel/fork.c:1112 [inline]
 copy_process+0x13bb/0x7600 kernel/fork.c:2329
 kernel_clone+0xeb/0x890 kernel/fork.c:2914
 __do_sys_clone+0xba/0x100 kernel/fork.c:3057
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x4dd/0xb90 mm/page_alloc.c:2600
 free_unref_page_list+0xe3/0xa70 mm/page_alloc.c:2741
 release_pages+0xcd8/0x1380 mm/swap.c:1042
 __pagevec_release+0x77/0xe0 mm/swap.c:1062
 pagevec_release include/linux/pagevec.h:63 [inline]
 folio_batch_release include/linux/pagevec.h:132 [inline]
 shmem_undo_range+0x583/0x1240 mm/shmem.c:954
 shmem_truncate_range mm/shmem.c:1064 [inline]
 shmem_evict_inode+0x32f/0xb60 mm/shmem.c:1179
 evict+0x2ed/0x6b0 fs/inode.c:665
 iput_final fs/inode.c:1747 [inline]
 iput fs/inode.c:1773 [inline]
 iput+0x4a7/0x7a0 fs/inode.c:1759
 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401
 __dentry_kill+0x3c0/0x640 fs/dcache.c:607
 dentry_kill fs/dcache.c:733 [inline]
 dput+0x865/0xe10 fs/dcache.c:913
 __fput+0x3cc/0xa90 fs/file_table.c:329
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86

Memory state around the buggy address:
 ffffc9000372fa80: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00
 ffffc9000372fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000372fb80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                             ^
 ffffc9000372fc00: 04 f2 04 f2 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
 ffffc9000372fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================