features: lz4,new_siphash,inline_data,new_extent_overwrite,btree_ptr_v2,new_varint,journal_no_flush,alloc_v2,extents_across_btree_nodes
bcachefs (loop7): Using encoding defined by superblock: utf8-12.1.0
------------[ cut here ]------------
precision 55606 too large
WARNING: CPU: 0 PID: 8337 at lib/vsprintf.c:2742 set_precision lib/vsprintf.c:2742 [inline]
WARNING: CPU: 0 PID: 8337 at lib/vsprintf.c:2742 vsnprintf+0x9c8/0xd60 lib/vsprintf.c:2847
Modules linked in:
CPU: 0 UID: 0 PID: 8337 Comm: syz.7.246 Not tainted 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : set_precision lib/vsprintf.c:2742 [inline]
pc : vsnprintf+0x9c8/0xd60 lib/vsprintf.c:2847
lr : set_precision lib/vsprintf.c:2742 [inline]
lr : vsnprintf+0x9c8/0xd60 lib/vsprintf.c:2847
sp : ffff80009c506300
x29: ffff80009c506340 x28: ffff80008b463040 x27: dfff800000000000
x26: 0000000000000003 x25: ffff80009c506460 x24: ffff80009c506468
x23: ffff0000efa45a5e x22: ffff80008b463043 x21: ffff80009c506478
x20: ffff0000efa45a80 x19: 000000000000d936 x18: 1fffe000337d1c76
x17: 0000000000000000 x16: ffff80008ae69508 x15: ffff700011ee0158
x14: 1ffff00011ee0158 x13: 0000000000000004 x12: ffffffffffffffff
x11: 0000000000080000 x10: 000000000007ffff x9 : 7af07dd18c264300
x8 : 7af07dd18c264300 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009c505c58 x4 : ffff80008f776bc0 x3 : ffff80008054bdfc
x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 set_precision lib/vsprintf.c:2742 [inline] (P)
 vsnprintf+0x9c8/0xd60 lib/vsprintf.c:2847 (P)
 bch2_prt_printf+0x170/0x598 fs/bcachefs/printbuf.c:183
 bch2_dirent_to_text+0x184/0x8b0 fs/bcachefs/dirent.c:216
 bch2_val_to_text fs/bcachefs/bkey_methods.c:321 [inline]
 bch2_bkey_val_to_text+0xf0/0x140 fs/bcachefs/bkey_methods.c:331
 __bch2_bkey_fsck_err+0x338/0x4a0 fs/bcachefs/error.c:691
 __bch2_bkey_validate+0x6b8/0x8c8 fs/bcachefs/bkey_methods.c:196
 bch2_bkey_validate+0xc0/0x2c8 fs/bcachefs/bkey_methods.c:250
 journal_validate_key+0x540/0xc0c fs/bcachefs/journal_io.c:388
 journal_entry_btree_root_validate+0x184/0x4a0 fs/bcachefs/journal_io.c:480
 bch2_journal_entry_validate+0x114/0x188 fs/bcachefs/journal_io.c:874
 bch2_sb_clean_validate_late+0x1c4/0x370 fs/bcachefs/sb-clean.c:44
 bch2_read_superblock_clean+0xbc/0x238 fs/bcachefs/sb-clean.c:172
 bch2_fs_recovery+0x134/0x2fb4 fs/bcachefs/recovery.c:738
 bch2_fs_start+0x940/0xbec fs/bcachefs/super.c:1213
 bch2_fs_get_tree+0x880/0x107c fs/bcachefs/fs.c:2488
 vfs_get_tree+0x90/0x28c fs/super.c:1804
 do_new_mount+0x228/0x814 fs/namespace.c:3902
 path_mount+0x5b4/0xde0 fs/namespace.c:4226
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount fs/namespace.c:4427 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4427
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 49236
hardirqs last enabled at (49235): [] __up_console_sem kernel/printk/printk.c:344 [inline]
hardirqs last enabled at (49235): [] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
hardirqs last disabled at (49236): [] el1_brk64+0x1c/0x48 arch/arm64/kernel/entry-common.c:574
softirqs last enabled at (48648): [] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last enabled at (48648): [] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
softirqs last disabled at (48489): [] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: slab-use-after-free in string_nocheck lib/vsprintf.c:639 [inline]
BUG: KASAN: slab-use-after-free in string+0x200/0x290 lib/vsprintf.c:721
Read of size 1 at addr ffff0000da68de75 by task syz.7.246/8337

CPU: 1 UID: 0 PID: 8337 Comm: syz.7.246 Tainted: G W 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x220 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:480
 kasan_report+0xb0/0x110 mm/kasan/report.c:593
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 string_nocheck lib/vsprintf.c:639 [inline]
 string+0x200/0x290 lib/vsprintf.c:721
 vsnprintf+0x814/0xd60 lib/vsprintf.c:2874
 bch2_prt_printf+0x170/0x598 fs/bcachefs/printbuf.c:183
 bch2_dirent_to_text+0x20c/0x8b0 fs/bcachefs/dirent.c:220
 bch2_val_to_text fs/bcachefs/bkey_methods.c:321 [inline]
 bch2_bkey_val_to_text+0xf0/0x140 fs/bcachefs/bkey_methods.c:331
 __bch2_bkey_fsck_err+0x338/0x4a0 fs/bcachefs/error.c:691
 __bch2_bkey_validate+0x6b8/0x8c8 fs/bcachefs/bkey_methods.c:196
 bch2_bkey_validate+0xc0/0x2c8 fs/bcachefs/bkey_methods.c:250
 journal_validate_key+0x540/0xc0c fs/bcachefs/journal_io.c:388
 journal_entry_btree_root_validate+0x184/0x4a0 fs/bcachefs/journal_io.c:480
 bch2_journal_entry_validate+0x114/0x188 fs/bcachefs/journal_io.c:874
 bch2_sb_clean_validate_late+0x1c4/0x370 fs/bcachefs/sb-clean.c:44
 bch2_read_superblock_clean+0xbc/0x238 fs/bcachefs/sb-clean.c:172
 bch2_fs_recovery+0x134/0x2fb4 fs/bcachefs/recovery.c:738
 bch2_fs_start+0x940/0xbec fs/bcachefs/super.c:1213
 bch2_fs_get_tree+0x880/0x107c fs/bcachefs/fs.c:2488
 vfs_get_tree+0x90/0x28c fs/super.c:1804
 do_new_mount+0x228/0x814 fs/namespace.c:3902
 path_mount+0x5b4/0xde0 fs/namespace.c:4226
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount fs/namespace.c:4427 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4427
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Allocated by task 8273:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kmalloc_array_noprof include/linux/slab.h:948 [inline]
 mb_cache_create+0x12c/0x3ac fs/mbcache.c:368
 ext4_xattr_create_cache+0x18/0x24 fs/ext4/xattr.c:3212
 __ext4_fill_super fs/ext4/super.c:5452 [inline]
 ext4_fill_super+0x36a0/0x4e88 fs/ext4/super.c:5724
 get_tree_bdev_flags+0x360/0x414 fs/super.c:1681
 get_tree_bdev+0x2c/0x3c fs/super.c:1704
 ext4_get_tree+0x28/0x38 fs/ext4/super.c:5756
 vfs_get_tree+0x90/0x28c fs/super.c:1804
 do_new_mount+0x228/0x814 fs/namespace.c:3902
 path_mount+0x5b4/0xde0 fs/namespace.c:4226
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount fs/namespace.c:4427 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4427
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Freed by task 8273:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x17c/0x474 mm/slub.c:4842
 mb_cache_destroy+0x284/0x2ac fs/mbcache.c:422
 ext4_xattr_destroy_cache+0x28/0x40 fs/ext4/xattr.c:3218
 ext4_put_super+0x700/0xaa8 fs/ext4/super.c:1350
 generic_shutdown_super+0x12c/0x2b8 fs/super.c:643
 kill_block_super+0x44/0x90 fs/super.c:1755
 ext4_kill_sb+0x68/0xa4 fs/ext4/super.c:7391
 deactivate_locked_super+0xc4/0x12c fs/super.c:474
 deactivate_super+0xe0/0x100 fs/super.c:507
 cleanup_mnt+0x31c/0x3ac fs/namespace.c:1417
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1424
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x174/0x1f4 arch/arm64/kernel/entry-common.c:155
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
 el0_svc+0xb8/0x180 arch/arm64/kernel/entry-common.c:880
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the object at ffff0000da68c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 7797 bytes inside of
 freed 8192-byte region [ffff0000da68c000, ffff0000da68e000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a688
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0002280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0002280 dead000000000100 dead000000000122
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc369a201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000da68dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000da68dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000da68de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                 ^
 ffff0000da68de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000da68df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
bcachefs (loop7): invalid bkey in superblock btree=freespace level=1: u64s 11 type dirent SPOS_MAX len 0 ver 0: è (casefold ) -> 0 type (bad d_type)
  invalid key type for btree internal btree node (dirent), deleting
bcachefs (loop7): recovering from clean shutdown, journal seq 10
bcachefs (loop7): Version upgrade required:
Version upgrade from 0.24: unwritten_extents to 1.7: mi_btree_bitmap incomplete
Doing incompatible version upgrade from 0.24: unwritten_extents to 1.28: inode_has_case_insensitive
  running recovery passes: check_allocations,check_alloc_info,check_lrus,check_btree_backpointers,check_backpointers_to_extents,check_extents_to_backpointers,check_alloc_to_lru_refs,bucket_gens_init,check_snapshot_trees,check_snapshots,check_subvols,check_subvol_children,delete_dead_snapshots,check_inodes,check_extents,check_indirect_extents,check_dirents,check_xattrs,check_root,check_unreachable_inodes,check_subvolume_structure,check_directory_structure,check_nlinks,check_rebalance_work,set_fs_needs_rebalance
bcachefs (loop7): dropping and reconstructing all alloc info
bcachefs (loop7): error reading btree root btree=inodes level=0: btree_node_read_error, fixing
bcachefs (loop7): invalid bkey in btree_node btree=dirents level=0: u64s 7 type dirent 4098:5675548428000973578:U32_MAX len 0 ver 0: -> 593924 type unknown
  dirent has stray data after name's NUL, deleting
bcachefs (loop7): check_topology...
bcachefs (loop7): btree root inodes unreadable, must recover from scan
bcachefs (loop7): running recovery pass scan_for_btree_nodes (1), currently at check_topology (2) - rewinding
bcachefs (loop7): bch2_check_root(): error restart_recovery
bcachefs (loop7): scan_for_btree_nodes...
bcachefs (loop7): btree node scan found 1 nodes after overwrites done
bcachefs (loop7): check_topology...
bcachefs (loop7): btree root inodes unreadable, must recover from scan
bcachefs (loop7): no nodes found for btree inodes, exiting
Unable to continue, halting
bcachefs (loop7): bch2_check_root(): error fsck_errors_not_fixed
bcachefs (loop7): error in recovery: fsck_errors_not_fixed
emergency read only at seq 10
bcachefs (loop7): bch2_fs_start(): error starting filesystem fsck_errors_not_fixed
bcachefs (loop7): shutting down
bcachefs (loop7): shutdown complete
bcachefs: bch2_fs_get_tree() error: fsck_errors_not_fixed