================================================================== BUG: KASAN: stack-out-of-bounds in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: stack-out-of-bounds in atomic_dec include/linux/atomic/atomic-instrumented.h:257 [inline] BUG: KASAN: stack-out-of-bounds in put_bh include/linux/buffer_head.h:320 [inline] BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0x8f/0xe0 fs/buffer.c:161 Write of size 4 at addr ffffc900048cf978 by task ksoftirqd/0/15 CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.2.0-syzkaller-06695-gd8ca6dbb8de7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x28/0x360 mm/kasan/report.c:306 print_report mm/kasan/report.c:417 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:517 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:257 [inline] put_bh include/linux/buffer_head.h:320 [inline] end_buffer_read_sync+0x8f/0xe0 fs/buffer.c:161 end_bio_bh_io_sync+0xde/0x130 fs/buffer.c:2703 bio_endio+0x651/0x810 block/bio.c:1606 req_bio_endio block/blk-mq.c:795 [inline] blk_update_request+0x436/0x1650 block/blk-mq.c:927 blk_mq_end_request+0x4f/0x80 block/blk-mq.c:1054 lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1132 __do_softirq+0x2e3/0xae3 kernel/softirq.c:571 run_ksoftirqd kernel/softirq.c:934 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:926 smpboot_thread_fn+0x659/0xa20 kernel/smpboot.c:164 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The buggy address belongs to the virtual mapping at [ffffc900048c8000, ffffc900048d1000) created by: kernel_clone+0xeb/0xa10 kernel/fork.c:2687 The buggy address belongs to the physical page: page:ffffea0000712e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c4b9 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5070, tgid 5070 (syz-executor111), ts 118087996143, free_ts 117092263174 prep_new_page mm/page_alloc.c:2531 [inline] get_page_from_freelist+0x119c/0x2d00 mm/page_alloc.c:4283 __alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5549 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2287 vm_area_alloc_pages mm/vmalloc.c:2989 [inline] __vmalloc_area_node mm/vmalloc.c:3057 [inline] __vmalloc_node_range+0xb3b/0x1310 mm/vmalloc.c:3227 alloc_thread_stack_node kernel/fork.c:311 [inline] dup_task_struct kernel/fork.c:987 [inline] copy_process+0x1320/0x76c0 kernel/fork.c:2103 kernel_clone+0xeb/0xa10 kernel/fork.c:2687 __do_sys_clone+0xba/0x100 kernel/fork.c:2828 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1446 [inline] free_pcp_prepare+0x66a/0xc30 mm/page_alloc.c:1496 free_unref_page_prepare mm/page_alloc.c:3369 [inline] free_unref_page_list+0x176/0xcd0 mm/page_alloc.c:3510 release_pages+0xcd7/0x1380 mm/swap.c:1046 tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:97 tlb_flush_mmu_free mm/mmu_gather.c:292 [inline] tlb_flush_mmu mm/mmu_gather.c:299 [inline] tlb_finish_mmu+0x14b/0x7e0 mm/mmu_gather.c:391 exit_mmap+0x202/0x7c0 mm/mmap.c:3100 __mmput+0x128/0x4c0 kernel/fork.c:1212 mmput+0x60/0x70 kernel/fork.c:1234 exit_mm kernel/exit.c:563 [inline] do_exit+0x9d7/0x2a40 kernel/exit.c:856 do_group_exit+0xd4/0x2a0 kernel/exit.c:1019 __do_sys_exit_group kernel/exit.c:1030 [inline] __se_sys_exit_group kernel/exit.c:1028 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1028 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffffc900048cf800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc900048cf880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900048cf900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffffc900048cf980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc900048cfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================