==================================================================
BUG: KASAN: stack-out-of-bounds in sg_mark_end include/linux/scatterlist.h:258 [inline]
BUG: KASAN: stack-out-of-bounds in __bch2_encrypt_bio+0x792/0xa60 fs/bcachefs/checksum.c:354
Read of size 8 at addr ffffc90004767720 by task kworker/u4:14/1280

CPU: 0 PID: 1280 Comm: kworker/u4:14 Not tainted 6.7.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: events_unbound __bch2_read_endio
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xf8/0x260 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x167/0x540 mm/kasan/report.c:475
 kasan_report+0x142/0x180 mm/kasan/report.c:588
 sg_mark_end include/linux/scatterlist.h:258 [inline]
 __bch2_encrypt_bio+0x792/0xa60 fs/bcachefs/checksum.c:354
 bch2_encrypt_bio fs/bcachefs/checksum.h:73 [inline]
 __bch2_read_endio+0xa83/0x1f40 fs/bcachefs/io_read.c:597
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x7e9/0xfd0 kernel/workqueue.c:2700
 worker_thread+0x868/0xca0 kernel/workqueue.c:2781
 kthread+0x267/0x2c0 kernel/kthread.c:388
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242

The buggy address belongs to stack of task kworker/u4:14/1280
 and is located at offset 1120 in frame:
 __bch2_encrypt_bio+0x0/0xa60 fs/bcachefs/checksum.c:72

This frame has 5 objects:
 [32, 48) 'nonce.i108'
 [64, 528) '__req_desc.i109'
 [592, 608) 'nonce.i'
 [624, 1088) '__req_desc.i'
 [1152, 1664) 'sgl'

The buggy address belongs to the virtual mapping at
 [ffffc90004760000, ffffc90004769000) created by:
 copy_process+0x40f/0x3640 kernel/fork.c:2332

The buggy address belongs to the physical page:
page:ffffea000437cb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10df2c
flags: 0x100000000000000(node=0|zone=2)
page_type: 0xffffffff()
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 4541507685, free_ts 4541238255
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x10f/0x130 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0x3e5f/0x4080 mm/page_alloc.c:3312
 __alloc_pages+0x255/0x650 mm/page_alloc.c:4568
 alloc_pages_mpol+0x27f/0x4d0 mm/mempolicy.c:2133
 vm_area_alloc_pages mm/vmalloc.c:3063 [inline]
 __vmalloc_area_node mm/vmalloc.c:3139 [inline]
 __vmalloc_node_range+0x761/0x1060 mm/vmalloc.c:3320
 alloc_thread_stack_node kernel/fork.c:309 [inline]
 dup_task_struct+0x841/0x9a0 kernel/fork.c:1118
 copy_process+0x40f/0x3640 kernel/fork.c:2332
 kernel_clone+0x194/0x6c0 kernel/fork.c:2907
 kernel_thread+0x1b7/0x230 kernel/fork.c:2969
 create_kthread kernel/kthread.c:411 [inline]
 kthreadd+0x4b4/0x660 kernel/kthread.c:764
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x7e7/0x900 mm/page_alloc.c:2347
 free_unref_page+0x37/0x3a0 mm/page_alloc.c:2487
 vfree+0x10e/0x210 mm/vmalloc.c:2842
 delayed_vfree_work+0x3c/0x70 mm/vmalloc.c:2763
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x7e9/0xfd0 kernel/workqueue.c:2700
 worker_thread+0x868/0xca0 kernel/workqueue.c:2781
 kthread+0x267/0x2c0 kernel/kthread.c:388
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242

Memory state around the buggy address:
 ffffc90004767600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004767680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004767700: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
                               ^
 ffffc90004767780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004767800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================