bcachefs (loop4): dirent points to missing inode: u64s 7 type dirent 4096:2695648408715017799:U32_MAX len 0 ver 0: file2 -> 536870913 type reg, fixing
==================================================================
BUG: KASAN: use-after-free in check_dirent fs/bcachefs/fsck.c:2395 [inline]
BUG: KASAN: use-after-free in bch2_check_dirents+0x1818/0x2760 fs/bcachefs/fsck.c:2421
Read of size 1 at addr ffff00010a360110 by task syz.4.678/9543

CPU: 0 UID: 0 PID: 9543 Comm: syz.4.678 Not tainted 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x220 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:480
 kasan_report+0xb0/0x110 mm/kasan/report.c:593
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 check_dirent fs/bcachefs/fsck.c:2395 [inline]
 bch2_check_dirents+0x1818/0x2760 fs/bcachefs/fsck.c:2421
 bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:484 [inline]
 __bch2_run_recovery_passes+0x29c/0xd18 fs/bcachefs/recovery_passes.c:539
 bch2_run_recovery_passes+0x174/0x1f4 fs/bcachefs/recovery_passes.c:610
 bch2_fs_recovery+0x1c34/0x2fb4 fs/bcachefs/recovery.c:1016
 bch2_fs_start+0x940/0xbec fs/bcachefs/super.c:1213
 bch2_fs_get_tree+0x880/0x107c fs/bcachefs/fs.c:2488
 vfs_get_tree+0x90/0x28c fs/super.c:1804
 do_new_mount+0x228/0x814 fs/namespace.c:3902
 path_mount+0x5b4/0xde0 fs/namespace.c:4226
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount fs/namespace.c:4427 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4427
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a360
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 05ffc00000000000 fffffdffc3ac0008 ffff0001fea8bbc8 0000000000000000
raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00010a360000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff00010a360080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff00010a360100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff00010a360180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff00010a360200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
bcachefs (loop4): hash table key at wrong offset: should be at 5178636093158006573 u64s 8 type dirent 4096:8130059955150870709:U32_MAX len 0 ver 0: lost+foun -> 4097 type dir, fixing
bcachefs (loop4): dirent points to missing inode: u64s 8 type dirent 4096:9097378837824744618:U32_MAX len 0 ver 0: file.cold -> 172335562754 type reg, fixing
bcachefs (loop4): fsck counted subdirectories wrong for inum 4096:4294967295: got 1 should be 2
bcachefs (loop4): check_dirents requires second pass done
bcachefs (loop4): resume_logged_ops... done
bcachefs (loop4): delete_dead_inodes... done
bcachefs (loop4): Fixed errors, running fsck a second time to verify fs is clean
bcachefs (loop4): check_extents_to_backpointers... done
bcachefs (loop4): check_subvols... done
bcachefs (loop4): check_inodes... done
bcachefs (loop4): check_dirents... done
bcachefs (loop4): resume_logged_ops... done
bcachefs (loop4): delete_dead_inodes... done
bcachefs (loop4): done starting filesystem
iommufd_mock iommufd_mock0: Adding to iommu group 0