./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2513096916
<...>
Warning: Permanently added '10.128.0.238' (ED25519) to the list of known hosts.
execve("./syz-executor2513096916", ["./syz-executor2513096916"], 0x7ffc95733b00 /* 10 vars */) = 0
brk(NULL) = 0x55558536a000
brk(0x55558536ad00) = 0x55558536ad00
arch_prctl(ARCH_SET_FS, 0x55558536a380) = 0
set_tid_address(0x55558536a650) = 5233
set_robust_list(0x55558536a660, 24) = 0
rseq(0x55558536aca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2513096916", 4096) = 28
getrandom("\x23\x15\x89\xd5\xbd\xb5\xc1\x1f", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55558536ad00
brk(0x55558538bd00) = 0x55558538bd00
brk(0x55558538c000) = 0x55558538c000
mprotect(0x7fe1352b9000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5234 attached
, child_tidptr=0x55558536a650) = 5234
[pid 5234] set_robust_list(0x55558536a660, 24) = 0
[pid 5234] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5234] setpgid(0, 0) = 0
[pid 5234] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5234] write(3, "1000", 4) = 4
[pid 5234] close(3executing program
) = 0
[pid 5234] write(1, "executing program\n", 18) = 18
[pid 5234] memfd_create("syzkaller", 0) = 3
[pid 5234] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe12cc00000
[pid 5234] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5234] munmap(0x7fe12cc00000, 138412032) = 0
[pid 5234] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5234] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5234] close(3) = 0
[pid 5234] close(4) = 0
[pid 5234] mkdir("./file2", 0777) = 0
[ 72.104714][ T5234] loop0: detected capacity change from 0 to 32768
[ 72.200239][ T5234] bcachefs (loop0): starting version 1.7: mi_btree_bitmap opts=metadata_checksum=none,data_checksum=xxhash,str_hash=crc32c,nojournal_transaction_names,reconstruct_alloc,version_upgrade=none
[ 72.219596][ T5234] bcachefs (loop0): recovering from clean shutdown, journal seq 8
[ 72.227851][ T5234] bcachefs (loop0): dropping and reconstructing all alloc info
[ 72.237542][ T5234] ==================================================================
[ 72.245622][ T5234] BUG: KASAN: slab-use-after-free in bch2_reconstruct_alloc+0x2af/0xac0
[ 72.253975][ T5234] Read of size 8 at addr ffff888075728f58 by task syz-executor251/5234
[ 72.262204][ T5234]
[ 72.264549][ T5234] CPU: 1 UID: 0 PID: 5234 Comm: syz-executor251 Not tainted 6.12.0-rc3-next-20241016-syzkaller #0
[ 72.275164][ T5234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 72.285224][ T5234] Call Trace:
[ 72.288521][ T5234]
[ 72.291461][ T5234] dump_stack_lvl+0x241/0x360
[ 72.296151][ T5234] ? __pfx_dump_stack_lvl+0x10/0x10
[ 72.301346][ T5234] ? __pfx__printk+0x10/0x10
[ 72.305980][ T5234] ? _printk+0xd5/0x120
[ 72.310147][ T5234] ? __virt_addr_valid+0x183/0x530
[ 72.315265][ T5234] ? __virt_addr_valid+0x183/0x530
[ 72.320391][ T5234] print_report+0x169/0x550
[ 72.324897][ T5234] ? __virt_addr_valid+0x183/0x530
[ 72.330026][ T5234] ? __virt_addr_valid+0x183/0x530
[ 72.335148][ T5234] ? __virt_addr_valid+0x45f/0x530
[ 72.340263][ T5234] ? __phys_addr+0xba/0x170
[ 72.344766][ T5234] ? bch2_reconstruct_alloc+0x2af/0xac0
[ 72.350327][ T5234] kasan_report+0x143/0x180
[ 72.354873][ T5234] ? bch2_reconstruct_alloc+0x2af/0xac0
[ 72.360455][ T5234] bch2_reconstruct_alloc+0x2af/0xac0
[ 72.365853][ T5234] ? __pfx_bch2_reconstruct_alloc+0x10/0x10
[ 72.371801][ T5234] ? __mutex_unlock_slowpath+0x21d/0x750
[ 72.377451][ T5234] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 72.383442][ T5234] ? bch2_get_next_dev+0x26/0x500
[ 72.388496][ T5234] ? bch2_journal_pos_from_member_info_resume+0x344/0x3a0
[ 72.395617][ T5234] ? __pfx_bch2_journal_pos_from_member_info_resume+0x10/0x10
[ 72.403093][ T5234] ? bch2_sb_field_get_id+0xd3/0x110
[ 72.408485][ T5234] ? bch2_blacklist_table_initialize+0x117/0x400
[ 72.414827][ T5234] ? bch2_latest_compatible_version+0x156/0x180
[ 72.421182][ T5234] ? bch2_recovery_passes_from_stable+0x128/0x140
[ 72.427603][ T5234] bch2_fs_recovery+0x12dd/0x39a0
[ 72.432639][ T5234] ? __pfx_bch2_fs_recovery+0x10/0x10
[ 72.438029][ T5234] ? __pfx_lock_release+0x10/0x10
[ 72.443058][ T5234] ? bch2_get_next_online_dev+0x2b/0x4f0
[ 72.448697][ T5234] ? __pfx_lock_release+0x10/0x10
[ 72.453742][ T5234] ? bch2_get_next_online_dev+0x2b/0x4f0
[ 72.459380][ T5234] ? bch2_get_next_online_dev+0x4b9/0x4f0
[ 72.465097][ T5234] ? bch2_get_next_online_dev+0x2b/0x4f0
[ 72.470733][ T5234] ? llist_reverse_order+0x72/0x90
[ 72.475861][ T5234] bch2_fs_start+0x356/0x5b0
[ 72.480467][ T5234] bch2_fs_get_tree+0xd68/0x1710
[ 72.485426][ T5234] ? __pfx_bch2_fs_get_tree+0x10/0x10
[ 72.490818][ T5234] ? generic_parse_monolithic+0x387/0x400
[ 72.496609][ T5234] ? apparmor_capable+0x13b/0x1b0
[ 72.501683][ T5234] vfs_get_tree+0x90/0x2b0
[ 72.506123][ T5234] do_new_mount+0x2be/0xb40
[ 72.510641][ T5234] ? __pfx_do_new_mount+0x10/0x10
[ 72.515678][ T5234] __se_sys_mount+0x2d6/0x3c0
[ 72.520358][ T5234] ? __pfx___se_sys_mount+0x10/0x10
[ 72.525570][ T5234] ? do_syscall_64+0x100/0x230
[ 72.530345][ T5234] ? __x64_sys_mount+0x20/0xc0
[ 72.535116][ T5234] do_syscall_64+0xf3/0x230
[ 72.539616][ T5234] ? clear_bhb_loop+0x35/0x90
[ 72.544309][ T5234] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.550211][ T5234] RIP: 0033:0x7fe135241f6a
[ 72.554629][ T5234] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 72.574257][ T5234] RSP: 002b:00007ffc99fea9d8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
[ 72.582683][ T5234] RAX: ffffffffffffffda RBX: 00007ffc99fea9f0 RCX: 00007fe135241f6a
[ 72.590673][ T5234] RDX: 0000000020005b00 RSI: 0000000020005b40 RDI: 00007ffc99fea9f0
[ 72.598645][ T5234] RBP: 0000000000000004 R08: 00007ffc99feaa30 R09: 0000000000005b27
[ 72.606618][ T5234] R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
[ 72.614590][ T5234] R13: 00007ffc99feaa30 R14: 0000000000000003 R15: 0000000001000000
[ 72.622568][ T5234]
[ 72.625585][ T5234]
[ 72.627903][ T5234] Allocated by task 5234:
[ 72.632245][ T5234] kasan_save_track+0x3f/0x80
[ 72.636937][ T5234] __kasan_kmalloc+0x98/0xb0
[ 72.641531][ T5234] __kmalloc_node_track_caller_noprof+0x28b/0x4c0
[ 72.647961][ T5234] krealloc_noprof+0x65/0x100
[ 72.652658][ T5234] bch2_sb_realloc+0x2d2/0x660
[ 72.657432][ T5234] __copy_super+0x5dc/0xe70
[ 72.661960][ T5234] bch2_sb_to_fs+0xab/0x150
[ 72.666468][ T5234] bch2_fs_open+0x16b2/0x2fa0
[ 72.671149][ T5234] bch2_fs_get_tree+0x738/0x1710
[ 72.676106][ T5234] vfs_get_tree+0x90/0x2b0
[ 72.680528][ T5234] do_new_mount+0x2be/0xb40
[ 72.685042][ T5234] __se_sys_mount+0x2d6/0x3c0
[ 72.689783][ T5234] do_syscall_64+0xf3/0x230
[ 72.694339][ T5234] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.700243][ T5234]
[ 72.702565][ T5234] Freed by task 5234:
[ 72.706544][ T5234] kasan_save_track+0x3f/0x80
[ 72.711225][ T5234] kasan_save_free_info+0x40/0x50
[ 72.716261][ T5234] __kasan_slab_free+0x59/0x70
[ 72.721026][ T5234] kfree+0x1a0/0x460
[ 72.724919][ T5234] krealloc_noprof+0xc9/0x100
[ 72.729612][ T5234] bch2_sb_realloc+0x2d2/0x660
[ 72.734376][ T5234] bch2_sb_field_resize_id+0x140/0x7c0
[ 72.739838][ T5234] bch2_sb_counters_from_cpu+0xac/0x300
[ 72.745393][ T5234] bch2_write_super+0xe80/0x3c50
[ 72.750334][ T5234] bch2_reconstruct_alloc+0x28c/0xac0
[ 72.755706][ T5234] bch2_fs_recovery+0x12dd/0x39a0
[ 72.760753][ T5234] bch2_fs_start+0x356/0x5b0
[ 72.765363][ T5234] bch2_fs_get_tree+0xd68/0x1710
[ 72.770378][ T5234] vfs_get_tree+0x90/0x2b0
[ 72.774794][ T5234] do_new_mount+0x2be/0xb40
[ 72.779328][ T5234] __se_sys_mount+0x2d6/0x3c0
[ 72.784007][ T5234] do_syscall_64+0xf3/0x230
[ 72.788508][ T5234] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.794398][ T5234]
[ 72.796716][ T5234] The buggy address belongs to the object at ffff888075728000
[ 72.796716][ T5234] which belongs to the cache kmalloc-4k of size 4096
[ 72.810780][ T5234] The buggy address is located 3928 bytes inside of
[ 72.810780][ T5234] freed 4096-byte region [ffff888075728000, ffff888075729000)
[ 72.824782][ T5234]
[ 72.827108][ T5234] The buggy address belongs to the physical page:
[ 72.833528][ T5234] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75728
[ 72.842292][ T5234] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 72.850803][ T5234] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 72.858454][ T5234] page_type: f5(slab)
[ 72.862438][ T5234] raw: 00fff00000000040 ffff88801ac42140 dead000000000122 0000000000000000
[ 72.871024][ T5234] raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 72.879603][ T5234] head: 00fff00000000040 ffff88801ac42140 dead000000000122 0000000000000000
[ 72.888284][ T5234] head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 72.896975][ T5234] head: 00fff00000000003 ffffea0001d5ca01 ffffffffffffffff 0000000000000000
[ 72.905655][ T5234] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 72.914333][ T5234] page dumped because: kasan: bad access detected
[ 72.920769][ T5234] page_owner tracks the page as allocated
[ 72.926503][ T5234] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5234, tgid 5234 (syz-executor251), ts 72141103867, free_ts 58943313114
[ 72.947399][ T5234] post_alloc_hook+0x1f3/0x230
[ 72.952170][ T5234] get_page_from_freelist+0x3123/0x3270
[ 72.957741][ T5234] __alloc_pages_noprof+0x292/0x710
[ 72.962955][ T5234] alloc_pages_mpol_noprof+0x3e8/0x680
[ 72.968421][ T5234] alloc_slab_page+0x6a/0x120
[ 72.973108][ T5234] allocate_slab+0x5a/0x2f0
[ 72.977608][ T5234] ___slab_alloc+0xcd1/0x14b0
[ 72.982280][ T5234] __slab_alloc+0x58/0xa0
[ 72.986607][ T5234] __kmalloc_node_track_caller_noprof+0x2e9/0x4c0
[ 72.993028][ T5234] krealloc_noprof+0x65/0x100
[ 72.997714][ T5234] bch2_sb_realloc+0x2d2/0x660
[ 73.002477][ T5234] __copy_super+0x5dc/0xe70
[ 73.006980][ T5234] bch2_sb_to_fs+0xab/0x150
[ 73.011486][ T5234] bch2_fs_open+0x16b2/0x2fa0
[ 73.016162][ T5234] bch2_fs_get_tree+0x738/0x1710
[ 73.021096][ T5234] vfs_get_tree+0x90/0x2b0
[ 73.025524][ T5234] page last free pid 5215 tgid 5215 stack trace:
[ 73.031852][ T5234] free_unref_page+0xcfb/0xf20
[ 73.036618][ T5234] __folio_put+0x2c7/0x440
[ 73.041049][ T5234] pipe_read+0x6ed/0x13e0
[ 73.045382][ T5234] vfs_read+0x9bb/0xbc0
[ 73.049534][ T5234] ksys_read+0x183/0x2b0
[ 73.053790][ T5234] do_syscall_64+0xf3/0x230
[ 73.058306][ T5234] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.064236][ T5234]
[ 73.066563][ T5234] Memory state around the buggy address:
[ 73.072212][ T5234] ffff888075728e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.080303][ T5234] ffff888075728e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.088362][ T5234] >ffff888075728f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.096419][ T5234] ^
[ 73.103363][ T5234] ffff888075728f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.111423][ T5234] ffff888075729000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.119477][ T5234] ==================================================================
[ 73.127723][ T5234] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 73.134939][ T5234] CPU: 1 UID: 0 PID: 5234 Comm: syz-executor251 Not tainted 6.12.0-rc3-next-20241016-syzkaller #0
[ 73.145527][ T5234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 73.155589][ T5234] Call Trace:
[ 73.158874][ T5234]
[ 73.161809][ T5234] dump_stack_lvl+0x241/0x360
[ 73.166497][ T5234] ? __pfx_dump_stack_lvl+0x10/0x10
[ 73.171699][ T5234] ? __pfx__printk+0x10/0x10
[ 73.176302][ T5234] ? preempt_schedule+0xe1/0xf0
[ 73.181167][ T5234] ? vscnprintf+0x5d/0x90
[ 73.185504][ T5234] panic+0x349/0x880
[ 73.189407][ T5234] ? check_panic_on_warn+0x21/0xb0
[ 73.194521][ T5234] ? __pfx_panic+0x10/0x10
[ 73.198943][ T5234] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 73.204934][ T5234] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 73.211272][ T5234] ? print_report+0x502/0x550
[ 73.215957][ T5234] check_panic_on_warn+0x86/0xb0
[ 73.220912][ T5234] ? bch2_reconstruct_alloc+0x2af/0xac0
[ 73.226464][ T5234] end_report+0x77/0x160
[ 73.230730][ T5234] kasan_report+0x154/0x180
[ 73.235277][ T5234] ? bch2_reconstruct_alloc+0x2af/0xac0
[ 73.240834][ T5234] bch2_reconstruct_alloc+0x2af/0xac0
[ 73.246212][ T5234] ? __pfx_bch2_reconstruct_alloc+0x10/0x10
[ 73.252250][ T5234] ? __mutex_unlock_slowpath+0x21d/0x750
[ 73.257891][ T5234] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 73.263879][ T5234] ? bch2_get_next_dev+0x26/0x500
[ 73.268922][ T5234] ? bch2_journal_pos_from_member_info_resume+0x344/0x3a0
[ 73.276044][ T5234] ? __pfx_bch2_journal_pos_from_member_info_resume+0x10/0x10
[ 73.283519][ T5234] ? bch2_sb_field_get_id+0xd3/0x110
[ 73.288905][ T5234] ? bch2_blacklist_table_initialize+0x117/0x400
[ 73.295236][ T5234] ? bch2_latest_compatible_version+0x156/0x180
[ 73.301482][ T5234] ? bch2_recovery_passes_from_stable+0x128/0x140
[ 73.307901][ T5234] bch2_fs_recovery+0x12dd/0x39a0
[ 73.312934][ T5234] ? __pfx_bch2_fs_recovery+0x10/0x10
[ 73.318316][ T5234] ? __pfx_lock_release+0x10/0x10
[ 73.323343][ T5234] ? bch2_get_next_online_dev+0x2b/0x4f0
[ 73.329003][ T5234] ? __pfx_lock_release+0x10/0x10
[ 73.334043][ T5234] ? bch2_get_next_online_dev+0x2b/0x4f0
[ 73.339681][ T5234] ? bch2_get_next_online_dev+0x4b9/0x4f0
[ 73.345407][ T5234] ? bch2_get_next_online_dev+0x2b/0x4f0
[ 73.351065][ T5234] ? llist_reverse_order+0x72/0x90
[ 73.356187][ T5234] bch2_fs_start+0x356/0x5b0
[ 73.360811][ T5234] bch2_fs_get_tree+0xd68/0x1710
[ 73.365779][ T5234] ? __pfx_bch2_fs_get_tree+0x10/0x10
[ 73.371172][ T5234] ? generic_parse_monolithic+0x387/0x400
[ 73.376927][ T5234] ? apparmor_capable+0x13b/0x1b0
[ 73.381962][ T5234] vfs_get_tree+0x90/0x2b0
[ 73.386386][ T5234] do_new_mount+0x2be/0xb40
[ 73.390902][ T5234] ? __pfx_do_new_mount+0x10/0x10
[ 73.395957][ T5234] __se_sys_mount+0x2d6/0x3c0
[ 73.400648][ T5234] ? __pfx___se_sys_mount+0x10/0x10
[ 73.405854][ T5234] ? do_syscall_64+0x100/0x230
[ 73.410635][ T5234] ? __x64_sys_mount+0x20/0xc0
[ 73.415411][ T5234] do_syscall_64+0xf3/0x230
[ 73.420024][ T5234] ? clear_bhb_loop+0x35/0x90
[ 73.424731][ T5234] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.430632][ T5234] RIP: 0033:0x7fe135241f6a
[ 73.435052][ T5234] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 73.454660][ T5234] RSP: 002b:00007ffc99fea9d8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
[ 73.463079][ T5234] RAX: ffffffffffffffda RBX: 00007ffc99fea9f0 RCX: 00007fe135241f6a
[ 73.471054][ T5234] RDX: 0000000020005b00 RSI: 0000000020005b40 RDI: 00007ffc99fea9f0
[ 73.479030][ T5234] RBP: 0000000000000004 R08: 00007ffc99feaa30 R09: 0000000000005b27
[ 73.487007][ T5234] R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
[ 73.494987][ T5234] R13: 00007ffc99feaa30 R14: 0000000000000003 R15: 0000000001000000
[ 73.502967][ T5234]
[ 73.506321][ T5234] Kernel Offset: disabled
[ 73.510646][ T5234] Rebooting in 86400 seconds..