Re: [syzbot] [xfs?] KFENCE: memory corruption in xfs_idata_realloc

From: Christoph Hellwig
Date: Thu Oct 10 2024 - 02:48:41 EST


[adding the kfence maintainers]

On Tue, Oct 08, 2024 at 04:43:23PM -0700, syzbot wrote:
> dashboard link: https://syzkaller.appspot.com/bug?extid=8a8170685a482c92e86a

[...]

> XFS (loop2): Quotacheck: Done.
> ==================================================================
> BUG: KFENCE: memory corruption in krealloc_noprof+0x160/0x2e0
>
> Corrupted memory at 0xffff88823bedafeb [ 0x03 0x00 0xd8 0x62 0x75 0x73 0x01 0x00 0x00 0x11 0x4c 0x00 0x00 0x00 0x00 0x00 ] (in kfence-#108):
> krealloc_noprof+0x160/0x2e0
> xfs_idata_realloc+0x116/0x1b0 fs/xfs/libxfs/xfs_inode_fork.c:523

I've tried to make sense of this report and failed.

Documentation/dev-tools/kfence.rst explains these messages as:

KFENCE also uses pattern-based redzones on the other side of an object's guard
page, to detect out-of-bounds writes on the unprotected side of the object.
These are reported on frees::

But it doesn't explain what "the other side of an object's guard page" is.

Either way this is in the common krealloc code, which is a bit special
as it uses ksize to figure out what the actual underlying allocation
size of an object is to make use of that. Without understanding the
actual error I wonder if that's something kfence can't cope with?
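An added user-space model, not kernel code and not from this thread, of the interaction Christoph is asking about: a pattern redzone placed right after the requested size, and a krealloc-like in-place reuse that trusts whatever ksize() reports. The size class, pattern byte and all names are assumptions.

```c
/* Added user-space model, not kernel code: a KFENCE-style object with a
 * pattern redzone after the requested size, and a krealloc-like helper that
 * trusts ksize(). The pattern byte and sizes are assumed values. */
#include <stddef.h>
#include <string.h>

#define SLAB_OBJ_SIZE 32        /* assumed size class backing the object */
#define REDZONE_PATTERN 0xAA    /* assumed pattern byte */
struct toy_obj {
    unsigned char mem[SLAB_OBJ_SIZE];
    size_t requested;           /* size the caller asked for */
};

/* mem[0..requested) is the object; the rest is filled with the pattern. */
static void toy_alloc(struct toy_obj *o, size_t size)
{
    o->requested = size;
    memset(o->mem, 0, size);
    memset(o->mem + size, REDZONE_PATTERN, SLAB_OBJ_SIZE - size);
}

/* Two models of ksize(): the slab size class vs. the tracked request size. */
static size_t ksize_rounded(const struct toy_obj *o) { (void)o; return SLAB_OBJ_SIZE; }
static size_t ksize_tracked(const struct toy_obj *o) { return o->requested; }

/* krealloc-like: if ksize() says new_size fits, reuse in place and return the
 * bytes the caller may now write; 0 means a fresh allocation would be needed. */
static size_t toy_krealloc(struct toy_obj *o, size_t new_size, size_t (*ksize)(const struct toy_obj *))
{
    return new_size <= ksize(o) ? new_size : 0;
}

/* Free-time check like KFENCE's: 1 = redzone intact, 0 = corrupted. */
static int toy_check_redzone(const struct toy_obj *o)
{
    for (size_t i = o->requested; i < SLAB_OBJ_SIZE; i++)
        if (o->mem[i] != REDZONE_PATTERN)
            return 0;
    return 1;
}

/* Grow a 16-byte object to 24 bytes in place and write the new bytes. */
static int scenario(size_t (*ksize)(const struct toy_obj *))
{
    struct toy_obj o;
    toy_alloc(&o, 16);
    size_t usable = toy_krealloc(&o, 24, ksize);
    if (usable) memset(o.mem, 0x11, usable);   /* runs past the 16 tracked bytes */
    return toy_check_redzone(&o);
}
```

With ksize() reporting the slab size class, the in-place write runs into the pattern and the free-time check reports it; with ksize() reporting the tracked request size, the reuse is refused and the redzone stays intact.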