u64s 7 type dirent 4098:8977922886548783724:U32_MAX len 0 ver 0: f - u64s 7 type dirent 4098:8977922886548783724:U32_MAX len 0 ver 0: f -> 4099 type reg, fixing ================================================================== BUG: KASAN: slab-use-after-free in bch2_str_hash_repair_key+0xaa0/0x223c fs/bcachefs/str_hash.c:335 Read of size 8 at addr ffff0000fb6d2428 by task syz-executor/6524 CPU: 1 UID: 0 PID: 6524 Comm: syz-executor Not tainted 6.16.0-rc2-syzkaller-g9aa9b43d689e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x254 mm/kasan/report.c:408 print_report+0x68/0x84 mm/kasan/report.c:521 kasan_report+0xb0/0x110 mm/kasan/report.c:634 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 bch2_str_hash_repair_key+0xaa0/0x223c fs/bcachefs/str_hash.c:335 __bch2_str_hash_check_key+0x708/0x88c fs/bcachefs/str_hash.c:394 bch2_str_hash_check_key fs/bcachefs/str_hash.h:429 [inline] bch2_readdir+0xa08/0xdc4 fs/bcachefs/dirent.c:685 bch2_vfs_readdir+0x3a8/0x55c fs/bcachefs/fs.c:1581 iterate_dir+0x458/0x5e0 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:410 [inline] __se_sys_getdents64 fs/readdir.c:396 [inline] __arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 6524: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kmalloc_node_track_caller_noprof+0x304/0x4d0 mm/slub.c:4347 __do_krealloc mm/slub.c:4905 [inline] krealloc_noprof+0x11c/0x2f0 mm/slub.c:4958 __bch2_trans_kmalloc+0x1f4/0xb8c fs/bcachefs/btree_iter.c:3187 bch2_trans_kmalloc_ip fs/bcachefs/btree_iter.h:604 [inline] bch2_trans_kmalloc+0x10c/0x160 fs/bcachefs/btree_iter.h:616 bch2_str_hash_repair_key+0x1c4/0x223c fs/bcachefs/str_hash.c:251 __bch2_str_hash_check_key+0x708/0x88c fs/bcachefs/str_hash.c:394 bch2_str_hash_check_key fs/bcachefs/str_hash.h:429 [inline] bch2_readdir+0xa08/0xdc4 fs/bcachefs/dirent.c:685 bch2_vfs_readdir+0x3a8/0x55c fs/bcachefs/fs.c:1581 iterate_dir+0x458/0x5e0 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:410 [inline] __se_sys_getdents64 fs/readdir.c:396 [inline] __arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Freed by task 6524: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x17c/0x474 mm/slub.c:4842 krealloc_noprof+0x214/0x2f0 mm/slub.c:-1 __bch2_trans_kmalloc+0x1f4/0xb8c fs/bcachefs/btree_iter.c:3187 bch2_trans_kmalloc_ip fs/bcachefs/btree_iter.h:604 [inline] bch2_trans_kmalloc+0x10c/0x160 fs/bcachefs/btree_iter.h:616 bch2_hash_delete_at fs/bcachefs/str_hash.h:364 [inline] bch2_str_hash_repair_key+0xeb8/0x223c fs/bcachefs/str_hash.c:289 __bch2_str_hash_check_key+0x708/0x88c fs/bcachefs/str_hash.c:394 bch2_str_hash_check_key fs/bcachefs/str_hash.h:429 [inline] bch2_readdir+0xa08/0xdc4 fs/bcachefs/dirent.c:685 bch2_vfs_readdir+0x3a8/0x55c fs/bcachefs/fs.c:1581 iterate_dir+0x458/0x5e0 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:410 [inline] __se_sys_getdents64 fs/readdir.c:396 [inline] __arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000fb6d2400 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 40 bytes inside of freed 128-byte region [ffff0000fb6d2400, ffff0000fb6d2480) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13b6d2 ksm flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000000 ffff0000c0001a00 fffffdffc36cf780 dead000000000003 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000fb6d2300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000fb6d2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000fb6d2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000fb6d2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000fb6d2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Unable to handle kernel paging request at virtual address fffffffffffffffc KASAN: maybe wild-memory-access in range [0x0003ffffffffffe0-0x0003ffffffffffe7] Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000020730f000 [fffffffffffffffc] pgd=0000000000000000, p4d=000000020b077403, pud=000000020b078403, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] SMP Modules linked in: CPU: 1 UID: 0 PID: 6524 Comm: syz-executor Tainted: G B 6.16.0-rc2-syzkaller-g9aa9b43d689e #0 PREEMPT Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : key_visible_in_snapshot fs/bcachefs/fsck.c:704 [inline] pc : ref_visible+0xd8/0x294 fs/bcachefs/fsck.c:748 lr : key_visible_in_snapshot fs/bcachefs/fsck.c:703 [inline] lr : ref_visible+0x84/0x294 fs/bcachefs/fsck.c:748 sp : ffff8000a3276c60 x29: ffff8000a3276c60 x28: ffff8000a3276dfc x27: 1fffe0001b15fec3 x26: 1fffe0001b15fec5 x25: dfff800000000000 x24: 0000000000000000 x23: ffff0000d8aff618 x22: 00000000ffffffff x21: ffff0000d8aff628 x20: ffff0000e8780000 x19: 00000000ffffffff x18: 00000000ffffffff x17: 5f3233553a383930 x16: ffff80008aecb65c x15: 0000000000000003 x14: 1ffff0001464edba x13: 0000000000000000 x12: 0000000000001003 x11: ffff70001464edbd x10: 0000000000ff0100 x9 : 0000000000000000 x8 : fffffffffffffffc x7 : 0000000000000000 x6 : 00001003ffffffff x5 : ffff8000a3276de4 x4 : ffff8000a3276b00 x3 : 00000000ffffffff x2 : 00000000ffffffff x1 : 00000000ffffffff x0 : 00000000ffffffff Call trace: key_visible_in_snapshot fs/bcachefs/fsck.c:704 [inline] (P) ref_visible+0xd8/0x294 fs/bcachefs/fsck.c:748 (P) get_visible_inodes+0x248/0xa4c fs/bcachefs/fsck.c:867 bch2_fsck_update_backpointers+0x170/0x328 fs/bcachefs/fsck.c:991 bch2_str_hash_repair_key+0x1508/0x223c fs/bcachefs/str_hash.c:292 __bch2_str_hash_check_key+0x708/0x88c fs/bcachefs/str_hash.c:394 bch2_str_hash_check_key fs/bcachefs/str_hash.h:429 [inline] bch2_readdir+0xa08/0xdc4 fs/bcachefs/dirent.c:685 bch2_vfs_readdir+0x3a8/0x55c fs/bcachefs/fs.c:1581 iterate_dir+0x458/0x5e0 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:410 [inline] __se_sys_getdents64 fs/readdir.c:396 [inline] __arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Code: d1001108 d343fd09 38f96929 35000c69 (b9400118) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: d1001108 sub x8, x8, #0x4 4: d343fd09 lsr x9, x8, #3 8: 38f96929 ldrsb w9, [x9, x25] c: 35000c69 cbnz w9, 0x198 * 10: b9400118 ldr w24, [x8] <-- trapping instruction