running recovery passes: check_allocations,check_extents_to_backpointers
==================================================================
BUG: KASAN: use-after-free in string_nocheck lib/vsprintf.c:639 [inline]
BUG: KASAN: use-after-free in string+0x1f7/0x240 lib/vsprintf.c:721
Read of size 1 at addr ffff88812f1f74f7 by task syz.1.18/4921

CPU: 1 UID: 0 PID: 4921 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 string_nocheck lib/vsprintf.c:639 [inline]
 string+0x1f7/0x240 lib/vsprintf.c:721
 vsnprintf+0x734/0xc60 lib/vsprintf.c:2852
 bch2_prt_printf+0x1cb/0x860 fs/bcachefs/printbuf.c:183
 bch2_dirent_to_text+0x1ee/0xaf0 fs/bcachefs/dirent.c:219
 __bch2_bkey_fsck_err+0x329/0x470 fs/bcachefs/error.c:676
 bch2_dirent_validate+0x5cb/0xd60 fs/bcachefs/dirent.c:163
 bch2_bkey_val_validate+0x1bf/0x3a0 fs/bcachefs/bkey_methods.c:143
 btree_node_bkey_val_validate fs/bcachefs/btree_io.c:884 [inline]
 bch2_btree_node_read_done+0x2fbd/0x48c0 fs/bcachefs/btree_io.c:1297
 btree_node_read_work+0x398/0xbd0 fs/bcachefs/btree_io.c:1400
 bch2_btree_node_read+0x1e0c/0x22a0 fs/bcachefs/btree_io.c:1818
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1859 [inline]
 bch2_btree_root_read+0x29d/0x690 fs/bcachefs/btree_io.c:1881
 read_btree_roots+0x3a3/0x610 fs/bcachefs/recovery.c:586
 bch2_fs_recovery+0x19ed/0x2e70 fs/bcachefs/recovery.c:959
 bch2_fs_start+0x9c0/0xc60 fs/bcachefs/super.c:1171
 bch2_fs_get_tree+0x4d2/0x1130 fs/bcachefs/fs.c:2484
 vfs_get_tree+0x84/0x1a0 fs/super.c:1759
 do_new_mount+0x1c7/0x850 fs/namespace.c:3884
 do_mount fs/namespace.c:4224 [inline]
 __do_sys_mount fs/namespace.c:4435 [inline]
 __se_sys_mount+0x218/0x2b0 fs/namespace.c:4412
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd8af05038a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd8ae6bde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd8ae6bdef0 RCX: 00007fd8af05038a
RDX: 0000200000000040 RSI: 0000200000004940 RDI: 00007fd8ae6bdeb0
RBP: 0000200000000040 R08: 00007fd8ae6bdef0 R09: 0000000000004000
R10: 0000000000004000 R11: 0000000000000246 R12: 0000200000004940
R13: 00007fd8ae6bdeb0 R14: 000000000000496e R15: 0000200000000000

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12f1f7
flags: 0x100000000000000(node=0|zone=2)
raw: 0100000000000000 ffffea0004bc7dc8 ffffea0004bc7dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff88812f1f7380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812f1f7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812f1f7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff88812f1f7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812f1f7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
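The report above is all a triager has before reproducing. As an added example (not part of the report, of syzkaller, or of bcachefs), the following Python parser pulls out the fields that decide the next step: the bug class, the faulting access, the first call-trace frame in the owning subsystem below the generic formatting and reporting code (lib/, mm/kasan/), the syscall number from ORIG_RAX, and the shadow byte covering the faulting granule, decoded with the generic-KASAN shadow values from mm/kasan/kasan.h. The embedded sample is a constructed, abbreviated copy of this report; all function and key names are the example's own.

```python
import re

# Constructed sample input: an abbreviated copy of the report above (middle
# frames and the register dump omitted; shadow rows as printed in the report).
SAMPLE = """\
BUG: KASAN: use-after-free in string_nocheck lib/vsprintf.c:639 [inline]
BUG: KASAN: use-after-free in string+0x1f7/0x240 lib/vsprintf.c:721
Read of size 1 at addr ffff88812f1f74f7 by task syz.1.18/4921

Call Trace:
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 string_nocheck lib/vsprintf.c:639 [inline]
 string+0x1f7/0x240 lib/vsprintf.c:721
 vsnprintf+0x734/0xc60 lib/vsprintf.c:2852
 bch2_prt_printf+0x1cb/0x860 fs/bcachefs/printbuf.c:183
 bch2_dirent_to_text+0x1ee/0xaf0 fs/bcachefs/dirent.c:219
 __bch2_bkey_fsck_err+0x329/0x470 fs/bcachefs/error.c:676
 bch2_dirent_validate+0x5cb/0xd60 fs/bcachefs/dirent.c:163
 __se_sys_mount+0x218/0x2b0 fs/namespace.c:4412
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd8af05038a
RSP: 002b:00007fd8ae6bde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12f1f7

Memory state around the buggy address:
 ffff88812f1f7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812f1f7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

GRANULE = 8  # generic KASAN: one shadow byte covers 8 bytes of memory

# Shadow byte values from mm/kasan/kasan.h (generic mode); 0x01..0x07 mean
# "only the first N bytes of the granule are accessible".
SHADOW_MEANING = {
    0x00: "accessible",
    0xff: "freed page (KASAN_PAGE_FREE): memory returned to the page allocator",
    0xfe: "page redzone", 0xfc: "slab redzone",
    0xfb: "freed slab object (KASAN_SLAB_FREE)",
    0xfa: "freed slab object with free-track metadata",
    0xf9: "global variable redzone", 0xf8: "unallocated vmalloc area",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
}

FRAME_RE = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)(?: \[inline\])?$")
SHADOW_ROW_RE = re.compile(r"^>([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)


def shadow_meaning(value):
    """Describe the state of the 8-byte granule behind one shadow byte."""
    if 1 <= value <= 7:
        return f"partially accessible: first {value} bytes valid"
    return SHADOW_MEANING.get(value, f"unknown shadow value 0x{value:02x}")


def parse_kasan_report(text):
    """Extract the triage-relevant fields from a generic-KASAN report."""
    rep = {}
    m = re.search(r"^BUG: KASAN: (\S+) in ", text, re.M)
    rep["bug"] = m.group(1) if m else None
    m = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)",
                  text, re.M)
    rep["access"] = None if not m else {
        "kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16),
        "task": m.group(4), "pid": int(m.group(5))}
    # Frames between "Call Trace:" and the next blank line; lines without a
    # file:line (entry stubs, register dump) do not match and are skipped.
    frames, in_trace = [], False
    for line in text.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and not line.strip():
            break
        elif in_trace and (fm := FRAME_RE.match(line)):
            frames.append((fm.group(1), fm.group(2)))
    rep["frames"] = frames
    m = re.search(r"ORIG_RAX: ([0-9a-f]{16})", text)
    rep["orig_rax"] = int(m.group(1), 16) if m else None  # x86-64 syscall number
    m = re.search(r"^page: refcount:(\d+)", text, re.M)
    rep["page_refcount"] = int(m.group(1)) if m else None
    # The '>' row holds the faulting address; locate its granule by address
    # arithmetic rather than by trusting the '^' caret line.
    rep["shadow"] = None
    sm = SHADOW_ROW_RE.search(text)
    if sm and rep["access"]:
        base = int(sm.group(1), 16)
        row = [int(b, 16) for b in sm.group(2).split()]
        granule = (rep["access"]["addr"] - base) // GRANULE
        rep["shadow"] = {"row_base": base, "granule": granule, "value": row[granule]}
    return rep


def first_subsystem_frame(frames):
    """First frame outside generic reporting/formatting code (lib/, mm/kasan/):
    the frame in the subsystem that handed the bad pointer to the formatter."""
    for func, loc in frames:
        if not loc.startswith(("lib/", "mm/kasan/")):
            return func, loc
    return None


def triage(text):
    """One-line summary of the kind a triager pastes into a bug tracker."""
    rep = parse_kasan_report(text)
    acc, sh = rep["access"], rep["shadow"]
    func, loc = first_subsystem_frame(rep["frames"])
    return (f"{rep['bug']}: {acc['kind'].lower()} of {acc['size']} byte(s) at "
            f"0x{acc['addr']:x} from {func} ({loc}); shadow 0x{sh['value']:02x} = "
            f"{shadow_meaning(sh['value'])}; page refcount {rep['page_refcount']}")
```

Calling triage(SAMPLE) summarises this report as a 1-byte read from bch2_prt_printf (fs/bcachefs/printbuf.c:183) into a granule whose shadow is 0xff. Together with refcount:0 on the backing page, that says the string being formatted by bch2_dirent_to_text lies in a page already returned to the page allocator, not a slab object; since the report notes that page_owner information is not present, booting the reproducer kernel with CONFIG_PAGE_OWNER and page_owner=on is the way to get the allocation and free stacks for that page.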