./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2138027100
<...>
Warning: Permanently added '10.128.0.153' (ECDSA) to the list of known hosts.
execve("./syz-executor2138027100", ["./syz-executor2138027100"], 0x7fff84ba5240 /* 10 vars */) = 0
brk(NULL) = 0x555556333000
brk(0x555556333c40) = 0x555556333c40
arch_prctl(ARCH_SET_FS, 0x555556333300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2138027100", 4096) = 28
brk(0x555556354c40) = 0x555556354c40
brk(0x555556355000) = 0x555556355000
mprotect(0x7fa612f4f000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 5072
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11) = 11
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2) = 2
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7) = 7
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "5072", 4) = 4
close(3) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555563335d0) = 5073
./strace-static-x86_64: Process 5073 attached
[pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5073] setpgid(0, 0) = 0
[pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5073] write(3, "1000", 4) = 4
[pid 5073] close(3) = 0
[pid 5073] open("./file0", O_RDWR|O_CREAT|0x3c, 000) = 3
[pid 5073] memfd_create("syzkaller", 0) = 4
[pid 5073] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa60aa8b000
[pid 5073] write(4, "\xb5\x84\x31\x7b\xb6\x84\x31\x7b\xb7\x84\x31\x7b\xb8\x84\x31\x7b\xb9\x84\x31\x7b\xba\x84\x31\x7b\xbb\x84\x31\x7b\xbc\x84\x31\x7b\xbd\x84\x31\x7b\xbe\x84\x31\x7b\xbf\x84\x31\x7b\xc0\x84\x31\x7b\xc1\x84\x31\x7b\xc2\x84\x31\x7b\xc3\x84\x31\x7b\xc4\x84\x31\x7b\xc5\x84\x31\x7b\xc6\x84\x31\x7b\xc7\x84\x31\x7b\xc8\x84\x31\x7b\xc9\x84\x31\x7b\xca\x84\x31\x7b\xcb\x84\x31\x7b\xcc\x84\x31\x7b\xcd\x84\x31\x7b"..., 65536) = 65536
[pid 5073] munmap(0x7fa60aa8b000, 65536) = 0
[pid 5073] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5
[pid 5073] ioctl(5, LOOP_SET_FD, 4) = 0
[pid 5073] close(4) = 0
[pid 5073] mkdir("./file0", 0777) = -1 EEXIST (File exists)
[pid 5073] mount("/dev/loop0", "./file0", "sysv", 0, "") = 0
[pid 5073] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
[pid 5073] ioctl(5, LOOP_CLR_FD) = 0
[pid 5073] close(5) = 0
syzkaller login: [ 66.317538][ T5073] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5073 'syz-executor213'
[ 66.338832][ T5073] loop0: detected capacity change from 0 to 128
[ 66.352956][ T5073] VFS: Found a Xenix FS (block size = 512) on device loop0
[ 66.375266][ T5073] sysv_free_block: flc_count > flc_size
[ 66.381414][ T5073] sysv_free_block: flc_count > flc_size
[ 66.387542][ T5073] sysv_free_block: flc_count > flc_size
[ 66.393147][ T5073] sysv_free_block: flc_count > flc_size
[ 66.399044][ T5073] sysv_free_block: flc_count > flc_size
[ 66.404958][ T5073] sysv_free_block: flc_count > flc_size
[ 66.410534][ T5073] sysv_free_block: flc_count > flc_size
[ 66.416371][ T5073] sysv_free_block: flc_count > flc_size
[pid 5073] creat("./file0", 000) = 4
[ 66.421928][ T5073] sysv_free_block: flc_count > flc_size
[ 66.427748][ T5073] sysv_free_block: flc_count > flc_size
[ 66.435811][ T5073] ==================================================================
[ 66.443895][ T5073] BUG: KASAN: use-after-free in sysv_new_block+0x78c/0x960
[ 66.451212][ T5073] Read of size 4 at addr ffff888072d2f0c8 by task syz-executor213/5073
[ 66.459462][ T5073]
[ 66.461785][ T5073] CPU: 1 PID: 5073 Comm: syz-executor213 Not tainted 6.3.0-rc4-syzkaller-00161-g62bad54b26db #0
[ 66.472193][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 66.482248][ T5073] Call Trace:
[ 66.485532][ T5073]
[ 66.488469][ T5073] dump_stack_lvl+0x1e7/0x2d0
[ 66.493173][ T5073] ? nf_tcp_handle_invalid+0x650/0x650
[ 66.498927][ T5073] ? panic+0x770/0x770
[ 66.502999][ T5073] ? _printk+0xd5/0x120
[ 66.507168][ T5073] print_report+0x163/0x540
[ 66.511698][ T5073] ? __virt_addr_valid+0x22f/0x2e0
[ 66.516820][ T5073] ? __phys_addr+0xba/0x170
[ 66.521332][ T5073] ? sysv_new_block+0x78c/0x960
[ 66.526191][ T5073] kasan_report+0x176/0x1b0
[ 66.530701][ T5073] ? sysv_new_block+0x78c/0x960
[ 66.535568][ T5073] sysv_new_block+0x78c/0x960
[ 66.540279][ T5073] get_block+0x2fc/0x16a0
[ 66.544626][ T5073] ? create_page_buffers+0x1d2/0x4c0
[ 66.549924][ T5073] ? sysv_truncate+0x1050/0x1050
[ 66.554871][ T5073] ? attach_page_private+0x110/0x300
[ 66.560166][ T5073] ? create_page_buffers+0x24e/0x4c0
[ 66.565459][ T5073] __block_write_begin_int+0x548/0x1a50
[ 66.571022][ T5073] ? sysv_truncate+0x1050/0x1050
[ 66.575971][ T5073] ? page_zero_new_buffers+0x660/0x660
[ 66.581454][ T5073] ? PageHeadHuge+0xa5/0x1d0
[ 66.586054][ T5073] ? sysv_truncate+0x1050/0x1050
[ 66.591000][ T5073] block_write_begin+0x9c/0x1f0
[ 66.595854][ T5073] ? sysv_write_begin+0x1a/0x70
[ 66.600715][ T5073] sysv_write_begin+0x31/0x70
[ 66.605399][ T5073] generic_perform_write+0x300/0x5e0
[ 66.610691][ T5073] ? generic_file_direct_write+0x460/0x460
[ 66.616512][ T5073] ? __file_remove_privs+0x640/0x640
[ 66.621813][ T5073] ? generic_write_checks+0x160/0x1c0
[ 66.627187][ T5073] __generic_file_write_iter+0x17a/0x400
[ 66.636408][ T5073] generic_file_write_iter+0xaf/0x310
[ 66.641785][ T5073] vfs_write+0x7b2/0xbb0
[ 66.646060][ T5073] ? file_end_write+0x250/0x250
[ 66.651011][ T5073] ? lockdep_hardirqs_on+0x98/0x140
[ 66.656222][ T5073] ? __fdget_pos+0x265/0x2f0
[ 66.660823][ T5073] ksys_write+0x1a0/0x2c0
[ 66.665170][ T5073] ? __ia32_sys_read+0x90/0x90
[ 66.669953][ T5073] ? syscall_enter_from_user_mode+0x32/0x230
[ 66.675948][ T5073] ? syscall_enter_from_user_mode+0x8c/0x230
[ 66.681935][ T5073] do_syscall_64+0x41/0xc0
[ 66.686393][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.692296][ T5073] RIP: 0033:0x7fa612edfe99
[ 66.696729][ T5073] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 66.716340][ T5073] RSP: 002b:00007ffc2160cf88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 66.724776][ T5073] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fa612edfe99
[ 66.732837][ T5073] RDX: 00000000fffffd5e RSI: 000000002000ad00 RDI: 0000000000000004
[ 66.740816][ T5073] RBP: 0000000000000000 R08: 0000000000000140 R09: 0000000000000140
[ 66.748791][ T5073] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc2160cfc0
[ 66.756784][ T5073] R13: 00007ffc2160d0a0 R14: 431bde82d7b634db R15: 00007ffc2160cfa0
[ 66.764792][ T5073]
[ 66.767811][ T5073]
[ 66.770133][ T5073] The buggy address belongs to the physical page:
[ 66.776539][ T5073] page:ffffea0001cb4bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x72d2f
[ 66.786692][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 66.793806][ T5073] raw: 00fff00000000000 ffffea0001cb4c08 ffffea0001cb4b88 0000000000000000
[ 66.802391][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 66.810968][ T5073] page dumped because: kasan: bad access detected
[ 66.817376][ T5073] page_owner tracks the page as freed
[ 66.822740][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 16687348309, free_ts 18019806101
[ 66.837677][ T5073] split_map_pages+0x24a/0x510
[ 66.842450][ T5073] isolate_freepages_range+0x480/0x4e0
[ 66.847918][ T5073] alloc_contig_range+0x62e/0x9a0
[ 66.852950][ T5073] alloc_contig_pages+0x3e8/0x4e0
[ 66.858072][ T5073] debug_vm_pgtable_alloc_huge_page+0xb9/0x110
[ 66.864247][ T5073] init_args+0x836/0xb10
[ 66.868491][ T5073] debug_vm_pgtable+0xa8/0x490
[ 66.873261][ T5073] do_one_initcall+0x23d/0x7d0
[ 66.878042][ T5073] do_initcall_level+0x157/0x210
[ 66.882992][ T5073] do_initcalls+0x3f/0x80
[ 66.887332][ T5073] kernel_init_freeable+0x477/0x630
[ 66.892538][ T5073] kernel_init+0x1d/0x2a0
[ 66.896876][ T5073] ret_from_fork+0x1f/0x30
[ 66.901299][ T5073] page last free stack trace:
[ 66.905968][ T5073] free_unref_page_prepare+0xe2f/0xe70
[ 66.911427][ T5073] free_unref_page+0x37/0x3f0
[ 66.916109][ T5073] free_contig_range+0x9e/0x150
[ 66.920997][ T5073] destroy_args+0x102/0x9a0
[ 66.925507][ T5073] debug_vm_pgtable+0x405/0x490
[ 66.930357][ T5073] do_one_initcall+0x23d/0x7d0
[ 66.935125][ T5073] do_initcall_level+0x157/0x210
[ 66.940075][ T5073] do_initcalls+0x3f/0x80
[ 66.944416][ T5073] kernel_init_freeable+0x477/0x630
[ 66.949657][ T5073] kernel_init+0x1d/0x2a0
[ 66.954003][ T5073] ret_from_fork+0x1f/0x30
[ 66.958444][ T5073]
[ 66.960776][ T5073] Memory state around the buggy address:
[ 66.966433][ T5073] ffff888072d2ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.974503][ T5073] ffff888072d2f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.982578][ T5073] >ffff888072d2f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.990633][ T5073] ^
[ 66.997059][ T5073] ffff888072d2f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 67.005119][ T5073] ffff888072d2f180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 67.013320][ T5073] ==================================================================
[ 67.021596][ T5073] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 67.028826][ T5073] CPU: 0 PID: 5073 Comm: syz-executor213 Not tainted 6.3.0-rc4-syzkaller-00161-g62bad54b26db #0
[ 67.039282][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 67.049348][ T5073] Call Trace:
[ 67.052645][ T5073]
[ 67.055604][ T5073] dump_stack_lvl+0x1e7/0x2d0
[ 67.060343][ T5073] ? nf_tcp_handle_invalid+0x650/0x650
[ 67.065835][ T5073] ? panic+0x770/0x770
[ 67.069933][ T5073] ? preempt_schedule_common+0x83/0xc0
[ 67.075423][ T5073] ? vscnprintf+0x5d/0x80
[ 67.079789][ T5073] panic+0x31c/0x770
[ 67.083699][ T5073] ? check_panic_on_warn+0x21/0xa0
[ 67.088824][ T5073] ? memcpy_page_flushcache+0x100/0x100
[ 67.094387][ T5073] ? _raw_spin_unlock_irqrestore+0x12c/0x140
[ 67.100404][ T5073] ? _raw_spin_unlock+0x40/0x40
[ 67.105276][ T5073] check_panic_on_warn+0x82/0xa0
[ 67.110228][ T5073] ? sysv_new_block+0x78c/0x960
[ 67.115088][ T5073] end_report+0x63/0x110
[ 67.119338][ T5073] kasan_report+0x183/0x1b0
[ 67.123852][ T5073] ? sysv_new_block+0x78c/0x960
[ 67.128715][ T5073] sysv_new_block+0x78c/0x960
[ 67.133410][ T5073] get_block+0x2fc/0x16a0
[ 67.137777][ T5073] ? create_page_buffers+0x1d2/0x4c0
[ 67.143086][ T5073] ? sysv_truncate+0x1050/0x1050
[ 67.148043][ T5073] ? attach_page_private+0x110/0x300
[ 67.153364][ T5073] ? create_page_buffers+0x24e/0x4c0
[ 67.158675][ T5073] __block_write_begin_int+0x548/0x1a50
[ 67.164250][ T5073] ? sysv_truncate+0x1050/0x1050
[ 67.169207][ T5073] ? page_zero_new_buffers+0x660/0x660
[ 67.174702][ T5073] ? PageHeadHuge+0xa5/0x1d0
[ 67.179304][ T5073] ? sysv_truncate+0x1050/0x1050
[ 67.184251][ T5073] block_write_begin+0x9c/0x1f0
[ 67.189115][ T5073] ? sysv_write_begin+0x1a/0x70
[ 67.193979][ T5073] sysv_write_begin+0x31/0x70
[ 67.198677][ T5073] generic_perform_write+0x300/0x5e0
[ 67.204105][ T5073] ? generic_file_direct_write+0x460/0x460
[ 67.209934][ T5073] ? __file_remove_privs+0x640/0x640
[ 67.215252][ T5073] ? generic_write_checks+0x160/0x1c0
[ 67.220639][ T5073] __generic_file_write_iter+0x17a/0x400
[ 67.226284][ T5073] generic_file_write_iter+0xaf/0x310
[ 67.231667][ T5073] vfs_write+0x7b2/0xbb0
[ 67.235925][ T5073] ? file_end_write+0x250/0x250
[ 67.240787][ T5073] ? lockdep_hardirqs_on+0x98/0x140
[ 67.245994][ T5073] ? __fdget_pos+0x265/0x2f0
[ 67.250594][ T5073] ksys_write+0x1a0/0x2c0
[ 67.254936][ T5073] ? __ia32_sys_read+0x90/0x90
[ 67.259709][ T5073] ? syscall_enter_from_user_mode+0x32/0x230
[ 67.265696][ T5073] ? syscall_enter_from_user_mode+0x8c/0x230
[ 67.271685][ T5073] do_syscall_64+0x41/0xc0
[ 67.276124][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 67.282032][ T5073] RIP: 0033:0x7fa612edfe99
[ 67.286453][ T5073] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 67.306061][ T5073] RSP: 002b:00007ffc2160cf88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 67.314483][ T5073] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fa612edfe99
[ 67.322460][ T5073] RDX: 00000000fffffd5e RSI: 000000002000ad00 RDI: 0000000000000004
[ 67.330430][ T5073] RBP: 0000000000000000 R08: 0000000000000140 R09: 0000000000000140
[ 67.338401][ T5073] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc2160cfc0
[ 67.346392][ T5073] R13: 00007ffc2160d0a0 R14: 431bde82d7b634db R15: 00007ffc2160cfa0
[ 67.354466][ T5073]
[ 67.357767][ T5073] Kernel Offset: disabled
[ 67.362122][ T5073] Rebooting in 86400 seconds..