option from the mount to silence this warning.
=======================================================
overlayfs: "xino" feature enabled using 3 upper inode bits.
==================================================================
BUG: KASAN: slab-out-of-bounds in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
BUG: KASAN: slab-out-of-bounds in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
Read of size 1 at addr ffff8881b594c150 by task syz.0.17/5813

CPU: 1 UID: 0 PID: 5813 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
 _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
 complete_with_flags kernel/sched/completion.c:25 [inline]
 complete+0x28/0x1b0 kernel/sched/completion.c:52
 d_complete_waiters fs/dcache.c:651 [inline]
 dentry_unlist fs/dcache.c:664 [inline]
 __dentry_kill+0x552/0x690 fs/dcache.c:733
 finish_dput+0xc9/0x480 fs/dcache.c:928
 ovl_cache_update+0x68e/0xc30 fs/overlayfs/readdir.c:643
 ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
 ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
 wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:399 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9dc399cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9dc48de028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f9dc3c15fa0 RCX: 00007f9dc399cdd9
RDX: 0000000000001000 RSI: 0000200000000400 RDI: 0000000000000003
RBP: 00007f9dc3a32d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9dc3c16038 R14: 00007f9dc3c15fa0 R15: 00007ffdf71c5aa8

Allocated by task 5813:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4569 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4917
 __d_alloc+0x37/0x6f0 fs/dcache.c:1808
 __d_alloc_parallel+0xe3/0x1660 fs/dcache.c:2758
 ovl_cache_update+0x2c4/0xc30 fs/overlayfs/readdir.c:577
 ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
 ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
 wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:399 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
 __call_rcu_common kernel/rcu/tree.c:3131 [inline]
 call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
 __dentry_kill+0x4a9/0x690 fs/dcache.c:738
 finish_dput+0xc9/0x480 fs/dcache.c:928
 ovl_cache_update+0x68e/0xc30 fs/overlayfs/readdir.c:643
 ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
 ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
 wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:399 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881b594c000
 which belongs to the cache dentry of size 312
The buggy address is located 24 bytes to the right of
 allocated 312-byte region [ffff8881b594c000, ffff8881b594c138)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b594c
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8881b594ded9
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88816041a140 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800150015 00000000f5000000 ffff8881b594ded9
head: 057ff00000000040 ffff88816041a140 dead000000000100 dead000000000122
head: 0000000000000000 0000000800150015 00000000f5000000 ffff8881b594ded9
head: 057ff00000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5813, tgid 5812 (syz.0.17), ts 74310503158, free_ts 68548113228
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
 prep_new_page mm/page_alloc.c:1866 [inline]
 get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3946
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 kmem_cache_alloc_lru_noprof+0x37c/0x640 mm/slub.c:4917
 __d_alloc+0x37/0x6f0 fs/dcache.c:1808
 __d_alloc_parallel+0xe3/0x1660 fs/dcache.c:2758
 ovl_cache_update+0x2c4/0xc30 fs/overlayfs/readdir.c:577
 ovl_iterate_merged fs/overlayfs/readdir.c:882 [inline]
 ovl_iterate+0x686/0x21a0 fs/overlayfs/readdir.c:930
 wrap_directory_iterator+0x96/0xe0 fs/readdir.c:67
 iterate_dir+0x399/0x570 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:399 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:384
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5615 tgid 5615 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1402 [inline]
 free_unref_folios+0xcec/0x1480 mm/page_alloc.c:3004
 folios_put_refs+0x9ff/0xb40 mm/swap.c:1008
 free_pages_and_swap_cache+0x2b9/0x490 mm/swap_state.c:401
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:138 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:151 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:417 [inline]
 tlb_flush_mmu+0x6d3/0xa30 mm/mmu_gather.c:424
 tlb_finish_mmu+0xf9/0x230 mm/mmu_gather.c:549
 unmap_region+0x2a5/0x330 mm/vma.c:491
 vms_clear_ptes mm/vma.c:1303 [inline]
 vms_complete_munmap_vmas+0x493/0xc60 mm/vma.c:1345
 do_vmi_align_munmap+0x3b7/0x4b0 mm/vma.c:1604
 do_vmi_munmap+0x252/0x2d0 mm/vma.c:1652
 __vm_munmap+0x22c/0x3d0 mm/vma.c:3284
 __do_sys_munmap mm/mmap.c:1079 [inline]
 __se_sys_munmap mm/mmap.c:1076 [inline]
 __x64_sys_munmap+0x60/0x70 mm/mmap.c:1076
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8881b594c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881b594c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881b594c100: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00
                                                 ^
 ffff8881b594c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881b594c200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================