[BUG] JFS: KASAN: slab-out-of-bounds Read in dtDelete
From: Shuangpeng
Date: Thu Mar 26 2026 - 14:03:10 EST
Hi Kernel Maintainers,
I hit the following KASAN report while testing the current upstream kernel:
KASAN: slab-out-of-bounds in dtDelete
on commit: bbeb83d3182abe0d245318e274e8531e5dd7a948 (Mar 24 2026)
The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/4ad3a69150cb229cf850926f2bc1769c
I’m happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
[ 56.093493][ T8441] ==================================================================
[ 56.094327][ T8441] BUG: KASAN: slab-out-of-bounds in dtDelete (fs/jfs/jfs_dtree.c:2209)
[ 56.095091][ T8441] Read of size 4 at addr ffff88816b0926ac by task a.out/8441
[ 56.095855][ T8441]
[ 56.096115][ T8441] CPU: 1 UID: 0 PID: 8441 Comm: a.out Not tainted 7.0.0-rc5-00051-gbbeb83d3182a #35 PREEMPT(full
[ 56.096124][ T8441] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 56.096131][ T8441] Call Trace:
[ 56.096134][ T8441] <TASK>
[ 56.096137][ T8441] dump_stack_lvl (lib/dump_stack.c:122)
[ 56.096147][ T8441] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 56.096210][ T8441] kasan_report (mm/kasan/report.c:597)
[ 56.096229][ T8441] dtDelete (fs/jfs/jfs_dtree.c:2209)
[ 56.096334][ T8441] jfs_rename (fs/jfs/namei.c:1241)
[ 56.096445][ T8441] vfs_rename (fs/namei.c:6028)
[ 56.096498][ T8441] filename_renameat2 (fs/namei.c:6144)
[ 56.096570][ T8441] __se_sys_rename (fs/namei.c:6188 fs/namei.c:6184)
[ 56.096580][ T8441] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ 56.096589][ T8441] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 56.096597][ T8441] RIP: 0033:0x7f92ac6d6f29
[ 56.096605][ T8441] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 48
Code starting with the faulting instruction
===========================================
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 48 rex.W
[ 56.096611][ T8441] RSP: 002b:00007fff78733e18 EFLAGS: 00000206 ORIG_RAX: 0000000000000052
[ 56.096618][ T8441] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f92ac6d6f29
[ 56.096623][ T8441] RDX: 0030656c69662f30 RSI: 00000000200003c0 RDI: 0000000020000240
[ 56.096628][ T8441] RBP: 00007fff78733e20 R08: 0000000000000000 R09: 0000559bdee2ea40
[ 56.096632][ T8441] R10: 00007fff78733c70 R11: 0000000000000206 R12: 0000559bdee2d1a0
[ 56.096637][ T8441] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 56.096643][ T8441] </TASK>
[ 56.096646][ T8441]
[ 56.132532][ T8441] Allocated by task 8441 on cpu 1 at 56.090446s:
[ 56.133181][ T8441] kasan_save_track (mm/kasan/common.c:58 mm/kasan/common.c:78)
[ 56.133677][ T8441] __kasan_slab_alloc (mm/kasan/common.c:369)
[ 56.134180][ T8441] kmem_cache_alloc_lru_noprof (./include/linux/kasan.h:253 mm/slub.c:4538 mm/slub.c:4866 mm/slub.c:4885)
[ 56.134779][ T8441] jfs_alloc_inode (fs/jfs/super.c:106)
[ 56.135248][ T8441] alloc_inode (fs/inode.c:?)
[ 56.135692][ T8441] iget_locked (fs/inode.c:1481)
[ 56.136147][ T8441] jfs_iget (fs/jfs/inode.c:30)
[ 56.136571][ T8441] jfs_fill_super (fs/jfs/super.c:547)
[ 56.137056][ T8441] get_tree_bdev_flags (fs/super.c:1695)
[ 56.137574][ T8441] vfs_get_tree (fs/super.c:1754)
[ 56.138029][ T8441] do_new_mount (fs/namespace.c:1194 fs/namespace.c:3763 fs/namespace.c:3839)
[ 56.138496][ T8441] __se_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338)
[ 56.138982][ T8441] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ 56.139445][ T8441] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 56.140044][ T8441]
[ 56.140290][ T8441] The buggy address belongs to the object at ffff88816b092130
[ 56.140290][ T8441] which belongs to the cache jfs_ip of size 1288
[ 56.141643][ T8441] The buggy address is located 116 bytes to the right of
[ 56.141643][ T8441] allocated 1288-byte region [ffff88816b092130, ffff88816b092638)
[ 56.143096][ T8441]
[ 56.143341][ T8441] The buggy address belongs to the physical page:
[ 56.143993][ T8441] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88816b094260 pfn:0x16b090
[ 56.145020][ T8441] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 56.145879][ T8441] memcg:ffff88816b097f39
[ 56.146320][ T8441] flags: 0x17ff00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
[ 56.147208][ T8441] page_type: f5(slab)
[ 56.147627][ T8441] raw: 017ff00000000240 ffff88810cef4500 ffff88810c6ac810 ffff88810c6ac810
[ 56.148502][ T8441] raw: ffff88816b094260 000000080017000c 00000000f5000000 ffff88816b097f39
[ 56.149379][ T8441] head: 017ff00000000240 ffff88810cef4500 ffff88810c6ac810 ffff88810c6ac810
[ 56.150262][ T8441] head: ffff88816b094260 000000080017000c 00000000f5000000 ffff88816b097f39
[ 56.151153][ T8441] head: 017ff00000000003 ffffea0005ac2401 00000000ffffffff 00000000ffffffff
[ 56.152041][ T8441] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 56.152925][ T8441] page dumped because: kasan: bad access detected
[ 56.153582][ T8441] page_owner tracks the page as allocated
[ 56.154168][ T8441] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|_3
[ 56.156359][ T8441] post_alloc_hook (./include/linux/page_owner.h:? mm/page_alloc.c:1889)
[ 56.156858][ T8441] get_page_from_freelist (mm/page_alloc.c:? mm/page_alloc.c:3962)
[ 56.157433][ T8441] __alloc_frozen_pages_noprof (mm/page_alloc.c:5250)
[ 56.158036][ T8441] allocate_slab (mm/slub.c:3294 mm/slub.c:3481)
[ 56.158512][ T8441] refill_objects (mm/slub.c:7176)
[ 56.159007][ T8441] __pcs_replace_empty_main (mm/slub.c:2815 mm/slub.c:2834 mm/slub.c:4626)
[ 56.159583][ T8441] kmem_cache_alloc_lru_noprof (mm/slub.c:4718 mm/slub.c:4851 mm/slub.c:4885)
[ 56.160191][ T8441] jfs_alloc_inode (fs/jfs/super.c:106)
[ 56.160662][ T8441] alloc_inode (fs/inode.c:?)
[ 56.161103][ T8441] new_inode (fs/inode.c:1185)
[ 56.161521][ T8441] jfs_fill_super (fs/jfs/super.c:512)
[ 56.162000][ T8441] get_tree_bdev_flags (fs/super.c:1695)
[ 56.162517][ T8441] vfs_get_tree (fs/super.c:1754)
[ 56.162971][ T8441] do_new_mount (fs/namespace.c:1194 fs/namespace.c:3763 fs/namespace.c:3839)
[ 56.163437][ T8441] __se_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338)
[ 56.163921][ T8441] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ 56.164385][ T8441] page last free pid 1 tgid 1 stack trace:
[ 56.164970][ T8441] __free_frozen_pages (./include/linux/page_owner.h:? mm/page_alloc.c:1433 mm/page_alloc.c:2978)
[ 56.165488][ T8441] free_contig_range (mm/page_alloc.c:7373)
[ 56.165976][ T8441] destroy_args (mm/debug_vm_pgtable.c:995)
[ 56.166440][ T8441] debug_vm_pgtable (mm/debug_vm_pgtable.c:?)
[ 56.166947][ T8441] do_one_initcall (init/main.c:?)
[ 56.167436][ T8441] do_initcall_level (init/main.c:1443)
[ 56.167937][ T8441] do_initcalls (init/main.c:1457)
[ 56.168378][ T8441] kernel_init_freeable (init/main.c:1696)
[ 56.168905][ T8441] kernel_init (init/main.c:1584)
[ 56.169362][ T8441] ret_from_fork (arch/x86/kernel/process.c:164)
[ 56.169846][ T8441] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 56.170346][ T8441]
[ 56.170596][ T8441] Memory state around the buggy address:
[ 56.171181][ T8441] ffff88816b092580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 56.172003][ T8441] ffff88816b092600: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 56.172822][ T8441] >ffff88816b092680: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
[ 56.173642][ T8441] ^
[ 56.174197][ T8441] ffff88816b092700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 56.175023][ T8441] ffff88816b092780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 56.175844][ T8441] ==================================================================
Best,
Shuangpeng