==================================================================
BUG: KASAN: slab-out-of-bounds in sysv_new_inode+0xd54/0xec8 fs/sysv/ialloc.c:153
Read of size 2 at addr ffff0000cfa9d1ce by task syz-executor.0/8062

CPU: 1 PID: 8062 Comm: syz-executor.0 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load2_noabort+0x44/0x50 mm/kasan/report_generic.c:307
 sysv_new_inode+0xd54/0xec8 fs/sysv/ialloc.c:153
 sysv_mknod+0x5c/0x100 fs/sysv/namei.c:53
 sysv_create+0x38/0x4c fs/sysv/namei.c:67
 lookup_open fs/namei.c:3462 [inline]
 open_last_lookups fs/namei.c:3532 [inline]
 path_openat+0x1144/0x26e4 fs/namei.c:3739
 do_filp_open+0x164/0x330 fs/namei.c:3769
 do_sys_openat2+0x128/0x3d8 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x120/0x154 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 4736:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x408 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x1e0/0x3e4 mm/slub.c:3233
 kmem_cache_zalloc include/linux/slab.h:725 [inline]
 __kernfs_new_node+0xe4/0x5d8 fs/kernfs/dir.c:593
 kernfs_new_node+0x11c/0x240 fs/kernfs/dir.c:669
 __kernfs_create_file+0x60/0x2d4 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x2c4/0x3a4 fs/sysfs/file.c:317
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x3d8/0xad0 fs/sysfs/group.c:149
 internal_create_groups fs/sysfs/group.c:189 [inline]
 sysfs_create_groups+0x60/0x134 fs/sysfs/group.c:215
 create_dir lib/kobject.c:100 [inline]
 kobject_add_internal+0x6d8/0xc54 lib/kobject.c:263
 kobject_add_varg lib/kobject.c:398 [inline]
 kobject_init_and_add+0x118/0x17c lib/kobject.c:481
 netdev_queue_add_kobject net/core/net-sysfs.c:1666 [inline]
 netdev_queue_update_kobjects+0x168/0x3b4 net/core/net-sysfs.c:1711
 register_queue_kobjects net/core/net-sysfs.c:1772 [inline]
 netdev_register_kobject+0x228/0x2d4 net/core/net-sysfs.c:2018
 register_netdevice+0xd44/0x1304 net/core/dev.c:10397
 __rtnl_newlink net/core/rtnetlink.c:3526 [inline]
 rtnl_newlink+0xfcc/0x1404 net/core/rtnetlink.c:3572
 rtnetlink_rcv_msg+0x9d4/0xd04 net/core/rtnetlink.c:5650
 netlink_rcv_skb+0x208/0x3c4 net/netlink/af_netlink.c:2507
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:5668
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x624/0x8b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x6e8/0x9cc net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:704 [inline]
 __sock_sendmsg net/socket.c:716 [inline]
 __sys_sendto+0x2e8/0x3d8 net/socket.c:2063
 __do_sys_sendto net/socket.c:2075 [inline]
 __se_sys_sendto net/socket.c:2071 [inline]
 __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2071
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000cfa9d0e8
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 62 bytes to the right of
 168-byte region [ffff0000cfa9d0e8, ffff0000cfa9d190)
The buggy address belongs to the page:
page:00000000004e04ce refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000cfa9d9f8 pfn:0x10fa9d
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc00033e2f48 fffffc00033ea788 ffff0000c0840900
raw: ffff0000cfa9d9f8 000000000011000b 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cfa9d080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
 ffff0000cfa9d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cfa9d180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
                                              ^
 ffff0000cfa9d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
 ffff0000cfa9d280: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
==================================================================
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_inode: inode 0,1,2 or nonexistent inode