ci2 starts bisection 2023-03-24 02:33:20.729768341 +0000 UTC m=+32861.233562695 bisecting fixing commit since 1b929c02afd37871d5afb9d498426f83432e71c2 building syzkaller on 9da18ae8fa827d046ef8da48cc23c97418553c23 ensuring issue is reproducible on original commit 1b929c02afd37871d5afb9d498426f83432e71c2 testing commit 1b929c02afd37871d5afb9d498426f83432e71c2 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6927188bf1b91dbe7bb012adf2384182c237d1faa33e3ce87a92147de9978b21 all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block testing current HEAD 1e760fa3596e8c7f08412712c168288b79670d78 testing commit 1e760fa3596e8c7f08412712c168288b79670d78 gcc compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 90359298343713a097cd045907a8f7ab520decb99a15f15d83659df24484bcf5 all runs: crashed: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block revisions tested: 2, total time: 38m9.077958387s (build: 29m26.120956615s, test: 6m33.131877045s) the crash still happens on HEAD commit msg: Merge tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 crash: KASAN: slab-out-of-bounds Read in xfs_btree_lookup_get_block loop0: detected capacity change from 0 to 32768 XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791 XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200. XFS (loop0): Starting recovery (logdev: internal) ================================================================== BUG: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x12d/0x680 Read of size 8 at addr ffff8880711eb258 by task syz-executor.0/5610 CPU: 0 PID: 5610 Comm: syz-executor.0 Not tainted 6.3.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: dump_stack_lvl+0x12e/0x1d0 print_report+0x163/0x510 kasan_report+0x108/0x140 xfs_btree_lookup_get_block+0x12d/0x680 xfs_btree_lookup+0x2f7/0xfe0 xfs_btree_simple_query_range+0xde/0x5a0 xfs_btree_query_range+0x2b7/0x360 xfs_refcount_recover_cow_leftovers+0x299/0xaa0 xfs_reflink_recover_cow+0x65/0x180 xlog_recover_finish+0x721/0x7f0 xfs_log_mount_finish+0x1c1/0x360 xfs_mountfs+0x116e/0x1cd0 xfs_fs_fill_super+0xb55/0xed0 get_tree_bdev+0x3d7/0x620 vfs_get_tree+0x7f/0x220 do_new_mount+0x1e5/0x940 __se_sys_mount+0x20d/0x2a0 do_syscall_64+0x41/0xc0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f646028d5da Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6460fa1f88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000009712 RCX: 00007f646028d5da RDX: 0000000020000100 RSI: 0000000020009640 RDI: 00007f6460fa1fe0 RBP: 00007f6460fa2020 R08: 00007f6460fa2020 R09: 0000000000200800 R10: 0000000000200800 R11: 0000000000000246 R12: 0000000020000100 R13: 0000000020009640 R14: 00007f6460fa1fe0 R15: 0000000020000240 The buggy address belongs to the object at ffff8880711eb210 which belongs to the cache xfs_refcbt_cur of size 200 The buggy address is located 72 bytes inside of allocated 200-byte region [ffff8880711eb210, ffff8880711eb2d8) The buggy address belongs to the physical page: page:ffffea0001c47ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x711eb flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffff888145e63a00 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5610, tgid 5609 (syz-executor.0), ts 70122868955, free_ts 52786526579 get_page_from_freelist+0x31e9/0x3360 __alloc_pages+0x255/0x670 alloc_slab_page+0x6a/0x160 new_slab+0x84/0x2f0 ___slab_alloc+0xa07/0x1000 kmem_cache_alloc+0x1b9/0x2e0 xfs_refcountbt_init_cursor+0x82/0x340 xfs_refcount_recover_cow_leftovers+0x1de/0xaa0 xfs_reflink_recover_cow+0x65/0x180 xlog_recover_finish+0x721/0x7f0 xfs_log_mount_finish+0x1c1/0x360 xfs_mountfs+0x116e/0x1cd0 xfs_fs_fill_super+0xb55/0xed0 get_tree_bdev+0x3d7/0x620 vfs_get_tree+0x7f/0x220 do_new_mount+0x1e5/0x940 page last free stack trace: __free_pages_ok+0xc3d/0xc70 free_large_kmalloc+0xef/0x180 ieee80211_txq_teardown_flows+0x114/0x1b0 ieee80211_remove_interfaces+0x1a5/0x780 ieee80211_unregister_hw+0x53/0x1f0 mac80211_hwsim_del_radio+0x26a/0x450 hwsim_exit_net+0x3bf/0x5f0 cleanup_net+0x735/0xa30 process_one_work+0x7c4/0xe70 worker_thread+0x8c9/0xfd0 kthread+0x232/0x2b0 ret_from_fork+0x1f/0x30 Memory state around the buggy address: ffff8880711eb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880711eb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880711eb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880711eb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880711eb300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================