program: creat(&(0x7f0000000240)='./file0\x00', 0x0) pipe2$9p(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RVERSION(r1, &(0x7f0000000500)=ANY=[@ANYBLOB="1500000065ffff048000000800395032303030"], 0x15) r2 = dup(r1) write$FUSE_BMAP(r2, &(0x7f0000000080)={0x18, 0x0, 0x0, {0x4}}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) chmod(&(0x7f0000000180)='./file0\x00', 0x1d0) r3 = creat(&(0x7f0000000300)='./file0\x00', 0x0) pwritev2(r3, &(0x7f0000000480)=[{&(0x7f0000000340)='L', 0x1}, {&(0x7f0000000540)="a6aada2162a9eca7b6f983", 0xb}], 0x2, 0x8, 0x8000, 0x4) (fail_nth: 29) [ 75.401555][ T4672] Bluetooth: hci0: command tx timeout [ 75.494541][ T5326] FAULT_INJECTION: forcing a failure. [ 75.494541][ T5326] name failslab, interval 1, probability 0, space 0, times 1 [ 75.499263][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.15.0-rc1-syzkaller-00025-gbec7dcbc242c #0 PREEMPT(full) [ 75.499278][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.499285][ T5326] Call Trace: [ 75.499290][ T5326] [ 75.499296][ T5326] dump_stack_lvl+0x241/0x360 [ 75.499406][ T5326] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.499421][ T5326] ? __pfx__printk+0x10/0x10 [ 75.499440][ T5326] ? __pfx___might_resched+0x10/0x10 [ 75.499457][ T5326] should_fail_ex+0x424/0x570 [ 75.499499][ T5326] should_failslab+0xac/0x100 [ 75.499516][ T5326] kmem_cache_alloc_noprof+0x78/0x390 [ 75.499530][ T5326] ? p9_client_prepare_req+0x178/0xf00 [ 75.499589][ T5326] p9_client_prepare_req+0x178/0xf00 [ 75.499610][ T5326] ? __pfx_p9_client_prepare_req+0x10/0x10 [ 75.499633][ T5326] p9_client_rpc+0x19c/0xad0 [ 75.499659][ T5326] ? __pfx_p9_client_rpc+0x10/0x10 [ 75.499675][ T5326] ? __phys_addr+0xba/0x170 [ 75.499699][ T5326] ? iov_iter_revert+0x371/0x5a0 [ 75.499719][ T5326] p9_client_write+0x338/0x850 [ 75.499740][ T5326] ? __pfx_p9_client_write+0x10/0x10 [ 75.499749][ T5326] ? do_raw_spin_lock+0x151/0x370 [ 75.499774][ T5326] v9fs_issue_write+0xf1/0x1d0 [ 75.499786][ T5326] ? __pfx_v9fs_issue_write+0x10/0x10 [ 75.499802][ T5326] ? rcu_is_watching+0x15/0xb0 [ 75.499818][ T5326] netfs_end_issue_write+0x18d/0x420 [ 75.499836][ T5326] netfs_unbuffered_write+0x5c0/0x630 [ 75.499853][ T5326] ? __pfx_netfs_unbuffered_write+0x10/0x10 [ 75.499865][ T5326] ? __pfx_netfs_extract_user_iter+0x10/0x10 [ 75.499895][ T5326] netfs_unbuffered_write_iter_locked+0x456/0x9f0 [ 75.499917][ T5326] netfs_unbuffered_write_iter+0x4e2/0x6a0 [ 75.499937][ T5326] do_iter_readv_writev+0x71f/0x9d0 [ 75.499958][ T5326] ? __pfx_do_iter_readv_writev+0x10/0x10 [ 75.499969][ T5326] ? rcu_read_lock_any_held+0xbb/0x160 [ 75.499994][ T5326] vfs_writev+0x38d/0xbc0 [ 75.500016][ T5326] ? __lock_acquire+0xad5/0xd80 [ 75.500028][ T5326] ? __pfx_vfs_writev+0x10/0x10 [ 75.500054][ T5326] ? __fget_files+0x2a/0x420 [ 75.500064][ T5326] ? __fget_files+0x39d/0x420 [ 75.500072][ T5326] ? __fget_files+0x2a/0x420 [ 75.500087][ T5326] __se_sys_pwritev2+0x1b8/0x2d0 [ 75.500102][ T5326] ? __pfx___se_sys_pwritev2+0x10/0x10 [ 75.500118][ T5326] ? __x64_sys_pwritev2+0x21/0xf0 [ 75.500133][ T5326] do_syscall_64+0xf3/0x230 [ 75.500146][ T5326] ? clear_bhb_loop+0x45/0xa0 [ 75.500159][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.500169][ T5326] RIP: 0033:0x7fb74038d169 [ 75.500181][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.500190][ T5326] RSP: 002b:00007fb74114a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 [ 75.500202][ T5326] RAX: ffffffffffffffda RBX: 00007fb7405a5fa0 RCX: 00007fb74038d169 [ 75.500210][ T5326] RDX: 0000000000000002 RSI: 0000200000000480 RDI: 0000000000000007 [ 75.500217][ T5326] RBP: 00007fb74114a090 R08: 0000000000008000 R09: 0000000000000004 [ 75.500223][ T5326] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002 [ 75.500229][ T5326] R13: 0000000000000000 R14: 00007fb7405a5fa0 R15: 00007ffee43802a8 [ 75.500245][ T5326] [ 75.634882][ T1034] ================================================================== [ 75.637942][ T1034] BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x1c1/0x5a0 [ 75.640659][ T1034] Read of size 4 at addr ffff888040964bf8 by task kworker/u4:6/1034 [ 75.643621][ T1034] [ 75.644560][ T1034] CPU: 0 UID: 0 PID: 1034 Comm: kworker/u4:6 Not tainted 6.15.0-rc1-syzkaller-00025-gbec7dcbc242c #0 PREEMPT(full) [ 75.644575][ T1034] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.644584][ T1034] Workqueue: events_unbound netfs_write_collection_worker [ 75.644600][ T1034] Call Trace: [ 75.644611][ T1034] [ 75.644617][ T1034] dump_stack_lvl+0x241/0x360 [ 75.644634][ T1034] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.644647][ T1034] ? rcu_is_watching+0x15/0xb0 [ 75.644660][ T1034] ? __virt_addr_valid+0x183/0x530 [ 75.644674][ T1034] ? lock_release+0x4e/0x3e0 [ 75.644684][ T1034] ? __virt_addr_valid+0x183/0x530 [ 75.644697][ T1034] ? __virt_addr_valid+0x183/0x530 [ 75.644710][ T1034] print_report+0x16e/0x5b0 [ 75.644723][ T1034] ? __virt_addr_valid+0x183/0x530 [ 75.644735][ T1034] ? __virt_addr_valid+0x183/0x530 [ 75.644747][ T1034] ? __virt_addr_valid+0x45f/0x530 [ 75.644759][ T1034] ? __phys_addr+0xba/0x170 [ 75.644772][ T1034] ? iov_iter_revert+0x1c1/0x5a0 [ 75.644785][ T1034] kasan_report+0x143/0x180 [ 75.644798][ T1034] ? iov_iter_revert+0x1c1/0x5a0 [ 75.644812][ T1034] iov_iter_revert+0x1c1/0x5a0 [ 75.644827][ T1034] netfs_retry_writes+0x17f2/0x19d0 [ 75.644839][ T1034] ? ret_from_fork_asm+0x1a/0x30 [ 75.644848][ T1034] ? ret_from_fork_asm+0x1a/0x30 [ 75.644860][ T1034] ? __pfx_netfs_retry_writes+0x10/0x10 [ 75.644872][ T1034] ? __pfx_stack_trace_save+0x10/0x10 [ 75.644890][ T1034] netfs_write_collection_worker+0x2fc0/0x3bf0 [ 75.644911][ T1034] ? process_scheduled_works+0x9cb/0x18e0 [ 75.644923][ T1034] process_scheduled_works+0xac3/0x18e0 [ 75.644939][ T1034] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.644952][ T1034] ? assign_work+0x367/0x3d0 [ 75.644964][ T1034] worker_thread+0x870/0xd50 [ 75.644978][ T1034] ? __kthread_parkme+0x1a8/0x200 [ 75.644991][ T1034] ? __pfx_worker_thread+0x10/0x10 [ 75.645002][ T1034] kthread+0x7b7/0x940 [ 75.645016][ T1034] ? __pfx_worker_thread+0x10/0x10 [ 75.645028][ T1034] ? __pfx_kthread+0x10/0x10 [ 75.645040][ T1034] ? __pfx_kthread+0x10/0x10 [ 75.645053][ T1034] ? __pfx_kthread+0x10/0x10 [ 75.645065][ T1034] ? __pfx_kthread+0x10/0x10 [ 75.645078][ T1034] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.645089][ T1034] ? lockdep_hardirqs_on+0x9d/0x150 [ 75.645100][ T1034] ? __pfx_kthread+0x10/0x10 [ 75.645113][ T1034] ret_from_fork+0x4b/0x80 [ 75.645125][ T1034] ? __pfx_kthread+0x10/0x10 [ 75.645143][ T1034] ret_from_fork_asm+0x1a/0x30 [ 75.645156][ T1034] [ 75.645159][ T1034] [ 75.741194][ T1034] Allocated by task 5326: [ 75.742868][ T1034] kasan_save_track+0x3f/0x80 [ 75.744545][ T1034] __kasan_kmalloc+0x9d/0xb0 [ 75.746515][ T1034] __kmalloc_cache_noprof+0x236/0x370 [ 75.748700][ T1034] kmem_cache_free+0x16e/0x410 [ 75.750618][ T1034] p9_req_put+0x19c/0x1f0 [ 75.752185][ T1034] p9_client_write+0x411/0x850 [ 75.754096][ T1034] v9fs_issue_write+0xf1/0x1d0 [ 75.755847][ T1034] netfs_end_issue_write+0x18d/0x420 [ 75.757910][ T1034] netfs_unbuffered_write+0x5c0/0x630 [ 75.760056][ T1034] netfs_unbuffered_write_iter_locked+0x456/0x9f0 [ 75.762553][ T1034] netfs_unbuffered_write_iter+0x4e2/0x6a0 [ 75.764823][ T1034] do_iter_readv_writev+0x71f/0x9d0 [ 75.767025][ T1034] vfs_writev+0x38d/0xbc0 [ 75.768818][ T1034] __se_sys_pwritev2+0x1b8/0x2d0 [ 75.770814][ T1034] do_syscall_64+0xf3/0x230 [ 75.772592][ T1034] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.774821][ T1034] [ 75.775751][ T1034] Last potentially related work creation: [ 75.778038][ T1034] kasan_save_stack+0x3f/0x60 [ 75.780034][ T1034] kasan_record_aux_stack+0xbf/0xd0 [ 75.782192][ T1034] call_rcu+0x172/0xad0 [ 75.783659][ T1034] kmem_cache_free+0x312/0x410 [ 75.785460][ T1034] p9_req_put+0x19c/0x1f0 [ 75.787109][ T1034] p9_client_write+0x411/0x850 [ 75.788672][ T1034] v9fs_issue_write+0xf1/0x1d0 [ 75.790326][ T1034] netfs_end_issue_write+0x18d/0x420 [ 75.792192][ T1034] netfs_unbuffered_write+0x5c0/0x630 [ 75.794371][ T1034] netfs_unbuffered_write_iter_locked+0x456/0x9f0 [ 75.796967][ T1034] netfs_unbuffered_write_iter+0x4e2/0x6a0 [ 75.799298][ T1034] do_iter_readv_writev+0x71f/0x9d0 [ 75.801193][ T1034] vfs_writev+0x38d/0xbc0 [ 75.802919][ T1034] __se_sys_pwritev2+0x1b8/0x2d0 [ 75.804850][ T1034] do_syscall_64+0xf3/0x230 [ 75.806690][ T1034] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.808946][ T1034] [ 75.809884][ T1034] The buggy address belongs to the object at ffff888040964bc0 [ 75.809884][ T1034] which belongs to the cache kmalloc-32 of size 32 [ 75.815083][ T1034] The buggy address is located 32 bytes to the right of [ 75.815083][ T1034] allocated 24-byte region [ffff888040964bc0, ffff888040964bd8) [ 75.820420][ T1034] [ 75.821319][ T1034] The buggy address belongs to the physical page: [ 75.823639][ T1034] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40964 [ 75.826829][ T1034] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.829368][ T1034] page_type: f5(slab) [ 75.830854][ T1034] raw: 04fff00000000000 ffff88801b041780 dead000000000100 dead000000000122 [ 75.833979][ T1034] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 75.837339][ T1034] page dumped because: kasan: bad access detected [ 75.839708][ T1034] page_owner tracks the page as allocated [ 75.841792][ T1034] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP), pid 5084, tgid 5084 (rm), ts 47260756646, free_ts 47232864334 [ 75.848422][ T1034] post_alloc_hook+0x1f4/0x240 [ 75.850630][ T1034] get_page_from_freelist+0x352b/0x36c0 [ 75.852774][ T1034] __alloc_frozen_pages_noprof+0x211/0x5b0 [ 75.855202][ T1034] alloc_pages_mpol+0x339/0x690 [ 75.857155][ T1034] allocate_slab+0x8f/0x3a0 [ 75.859037][ T1034] ___slab_alloc+0xc3b/0x1500 [ 75.860963][ T1034] __slab_alloc+0x58/0xa0 [ 75.862672][ T1034] __kmalloc_cache_noprof+0x26a/0x370 [ 75.864762][ T1034] kmem_cache_free+0x16e/0x410 [ 75.866698][ T1034] __put_anon_vma+0x128/0x2d0 [ 75.868543][ T1034] unlink_anon_vmas+0x492/0x5f0 [ 75.870508][ T1034] free_pgtables+0x44e/0x6f0 [ 75.872337][ T1034] exit_mmap+0x5a9/0xde0 [ 75.874153][ T1034] __mmput+0x115/0x420 [ 75.875780][ T1034] exit_mm+0x221/0x310 [ 75.877458][ T1034] do_exit+0x994/0x27f0 [ 75.879059][ T1034] page last free pid 15 tgid 15 stack trace: [ 75.881314][ T1034] __free_frozen_pages+0xde8/0x10a0 [ 75.883462][ T1034] rcu_core+0xaac/0x17a0 [ 75.885118][ T1034] handle_softirqs+0x2d6/0x9b0 [ 75.887026][ T1034] run_ksoftirqd+0xcf/0x130 [ 75.888728][ T1034] smpboot_thread_fn+0x576/0xaa0 [ 75.890767][ T1034] kthread+0x7b7/0x940 [ 75.892709][ T1034] ret_from_fork+0x4b/0x80 [ 75.894869][ T1034] ret_from_fork_asm+0x1a/0x30 [ 75.896822][ T1034] [ 75.897748][ T1034] Memory state around the buggy address: [ 75.900039][ T1034] ffff888040964a80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 75.903188][ T1034] ffff888040964b00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 75.906500][ T1034] >ffff888040964b80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 75.909625][ T1034] ^ [ 75.912742][ T1034] ffff888040964c00: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc [ 75.915878][ T1034] ffff888040964c80: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc [ 75.919026][ T1034] ================================================================== [ 75.944564][ T1034] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.948689][ T1034] CPU: 0 UID: 0 PID: 1034 Comm: kworker/u4:6 Not tainted 6.15.0-rc1-syzkaller-00025-gbec7dcbc242c #0 PREEMPT(full) [ 75.953516][ T1034] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.957805][ T1034] Workqueue: events_unbound netfs_write_collection_worker [ 75.960639][ T1034] Call Trace: [ 75.961998][ T1034] [ 75.963243][ T1034] dump_stack_lvl+0x241/0x360 [ 75.965128][ T1034] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.967281][ T1034] ? __pfx__printk+0x10/0x10 [ 75.969262][ T1034] ? vscnprintf+0x5d/0x90 [ 75.970848][ T1034] panic+0x349/0x880 [ 75.972366][ T1034] ? check_panic_on_warn+0x21/0xb0 [ 75.974364][ T1034] ? __pfx_panic+0x10/0x10 [ 75.976128][ T1034] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 75.978474][ T1034] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.980947][ T1034] ? print_report+0x519/0x5b0 [ 75.982885][ T1034] check_panic_on_warn+0x86/0xb0 [ 75.984920][ T1034] ? iov_iter_revert+0x1c1/0x5a0 [ 75.986881][ T1034] end_report+0x77/0x160 [ 75.988706][ T1034] kasan_report+0x154/0x180 [ 75.990469][ T1034] ? iov_iter_revert+0x1c1/0x5a0 [ 75.992443][ T1034] iov_iter_revert+0x1c1/0x5a0 [ 75.994362][ T1034] netfs_retry_writes+0x17f2/0x19d0 [ 75.996364][ T1034] ? ret_from_fork_asm+0x1a/0x30 [ 75.998391][ T1034] ? ret_from_fork_asm+0x1a/0x30 [ 76.000412][ T1034] ? __pfx_netfs_retry_writes+0x10/0x10 [ 76.002665][ T1034] ? __pfx_stack_trace_save+0x10/0x10 [ 76.004919][ T1034] netfs_write_collection_worker+0x2fc0/0x3bf0 [ 76.007257][ T1034] ? process_scheduled_works+0x9cb/0x18e0 [ 76.009539][ T1034] process_scheduled_works+0xac3/0x18e0 [ 76.011847][ T1034] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.014346][ T1034] ? assign_work+0x367/0x3d0 [ 76.016197][ T1034] worker_thread+0x870/0xd50 [ 76.018104][ T1034] ? __kthread_parkme+0x1a8/0x200 [ 76.020081][ T1034] ? __pfx_worker_thread+0x10/0x10 [ 76.022079][ T1034] kthread+0x7b7/0x940 [ 76.023762][ T1034] ? __pfx_worker_thread+0x10/0x10 [ 76.025902][ T1034] ? __pfx_kthread+0x10/0x10 [ 76.027610][ T1034] ? __pfx_kthread+0x10/0x10 [ 76.029373][ T1034] ? __pfx_kthread+0x10/0x10 [ 76.031069][ T1034] ? __pfx_kthread+0x10/0x10 [ 76.032801][ T1034] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.034740][ T1034] ? lockdep_hardirqs_on+0x9d/0x150 [ 76.036577][ T1034] ? __pfx_kthread+0x10/0x10 [ 76.038241][ T1034] ret_from_fork+0x4b/0x80 [ 76.039885][ T1034] ? __pfx_kthread+0x10/0x10 [ 76.041761][ T1034] ret_from_fork_asm+0x1a/0x30 [ 76.043605][ T1034] [ 76.045015][ T1034] Kernel Offset: disabled [ 76.046639][ T1034] Rebooting in 86400 seconds..