./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor673484165
<...>
Warning: Permanently added '10.128.0.64' (ED25519) to the list of known hosts.
execve("./syz-executor673484165", ["./syz-executor673484165"], 0x7ffd8860a4d0 /* 10 vars */) = 0
brk(NULL) = 0x55557e60b000
brk(0x55557e60bd00) = 0x55557e60bd00
arch_prctl(ARCH_SET_FS, 0x55557e60b380) = 0
set_tid_address(0x55557e60b650) = 5837
set_robust_list(0x55557e60b660, 24) = 0
rseq(0x55557e60bca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor673484165", 4096) = 27
getrandom("\xed\xb6\xca\x82\xbb\xac\x24\xae", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55557e60bd00
brk(0x55557e62cd00) = 0x55557e62cd00
brk(0x55557e62d000) = 0x55557e62d000
mprotect(0x7fd8881dc000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5839 attached
, child_tidptr=0x55557e60b650) = 5839
[pid 5839] set_robust_list(0x55557e60b660, 24) = 0
[pid 5839] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5839] setpgid(0, 0) = 0
[pid 5839] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5839] write(3, "1000", 4) = 4
[pid 5839] close(3) = 0
[pid 5839] write(1, "executing program\n", 18executing program
) = 18
[pid 5839] memfd_create("syzkaller", 0) = 3
[pid 5839] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd87fc00000
[pid 5839] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5839] munmap(0x7fd87fc00000, 138412032) = 0
[pid 5839] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5839] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5839] close(3) = 0
[pid 5839] close(4) = 0
[pid 5839] mkdir("./file1", 0777) = 0
[ 88.822761][ T5839] loop0: detected capacity change from 0 to 32768
[ 88.908925][ T5839] bcachefs (loop0): starting version 1.7: mi_btree_bitmap opts=errors=continue,metadata_checksum=none,data_checksum=none,compression=lz4,nochanges,nojournal_transaction_names,noexcl,read_only,nocow
[ 88.908925][ T5839] allowing incompatible features above 0.0: (unknown version)
[ 88.908925][ T5839] features: lz4,new_siphash,inline_data,new_extent_overwrite,btree_ptr_v2,new_varint,journal_no_flush,alloc_v2,extents_across_btree_nodes
[ 88.950180][ T5839] bcachefs (loop0): Using encoding defined by superblock: utf8-12.1.0
[ 88.959609][ T5839] bcachefs (loop0): invalid journal entry, version=1.7: mi_btree_bitmap type=clock in superblock: bad rw, fixing
[ 88.973418][ T5839] bcachefs (loop0): invalid journal entry, version=1.7: mi_btree_bitmap type=blacklist in superblock: invalid journal seq blacklist entry: bad size, fixing
[ 88.989799][ T5839] bcachefs (loop0): invalid bkey in superblock btree=xattrs level=1: u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 2285c34bed0abe32 written 16 min_key POS_MIN durability: 0 crc: c_size 1 size 1 offset 0 nonce 0 csum none 12010b:10004000b compress none
[ 88.989826][ T5839] has non ptr field, deleting
[ 89.019701][ T5839] bcachefs (loop0): recovering from clean shutdown, journal seq 10
[ 89.027810][ T5839] bcachefs (loop0): Version upgrade from 1.3: rebalance_work to 1.7: mi_btree_bitmap incomplete
[ 89.027810][ T5839] Doing compatible version upgrade from 1.3: rebalance_work to 1.28: inode_has_case_insensitive
[ 89.027810][ T5839] running recovery passes: check_allocations,check_extents_to_backpointers,check_subvols,check_inodes,check_dirents
[ 89.078308][ T5839] bcachefs (loop0): accounting_read... done
[ 89.085510][ T5839] bcachefs (loop0): alloc_read... done
[ 89.091575][ T5839] bcachefs (loop0): snapshots_read... done
[ 89.097958][ T5839] bcachefs (loop0): check_allocations...
[ 89.101036][ T5839] bcachefs (loop0): bucket 0:26 data type btree ptr gen 0 missing in alloc btree
[ 89.101059][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq ac62141f8dc7e261 written 24 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0, fixing
[ 89.131954][ T5839] bcachefs (loop0): bucket 0:26 gen 0 different types of data in same bucket: journal, btree
[ 89.131969][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq ac62141f8dc7e261 written 24 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0, fixing
[ 89.160391][ T5839] bcachefs (loop0): bucket 0:38 data type btree ptr gen 0 missing in alloc btree
[ 89.160407][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 7589ab5e0c11cc7a written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
[ 89.185825][ T5839] bcachefs (loop0): bucket 0:38 gen 0 different types of data in same bucket: journal, btree
[ 89.185840][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 7589ab5e0c11cc7a written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
[ 89.213053][ T5839] bcachefs (loop0): bucket 0:41 data type btree ptr gen 0 missing in alloc btree
[ 89.213068][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 9aa2895aefce4bdf written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
[ 89.237890][ T5839] bcachefs (loop0): bucket 0:41 gen 0 different types of data in same bucket: journal, btree
[ 89.237909][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 9aa2895aefce4bdf written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
[ 89.264922][ T5839] bcachefs (loop0): bucket 0:35 data type btree ptr gen 0 missing in alloc btree
[ 89.264938][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq c0bef60d07ceb940 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
[ 89.289764][ T5839] bcachefs (loop0): bucket 0:35 gen 0 different types of data in same bucket: journal, btree
[ 89.289779][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq c0bef60d07ceb940 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
[ 89.316931][ T5839] bcachefs (loop0): bucket 0:32 gen 0 different types of data in same bucket: journal, btree
[ 89.316947][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq ebb8d5a9e3463bdb written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0, fixing
[ 89.344169][ T5839] bcachefs (loop0): bucket 0:28 gen 0 different types of data in same bucket: journal, btree
[ 89.344185][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 28f61e078e70b95c written 16 min_key POS_MIN durability: 1 ptr: 0:28:0 gen 0, fixing
[ 89.371039][ T5839] bcachefs (loop0): bucket 0:29 data type btree ptr gen 0 missing in alloc btree
[ 89.371053][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq e81e1ed936acf3df written 32 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
[ 89.395982][ T5839] bcachefs (loop0): bucket 0:29 gen 0 different types of data in same bucket: journal, btree
[ 89.395996][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq e81e1ed936acf3df written 32 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
[ 89.423013][ T5839] bcachefs (loop0): bucket 0:37 gen 0 different types of data in same bucket: journal, btree
[ 89.423028][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 4a8b0fa43a9980a6 written 24 min_key POS_MIN durability: 1 ptr: 0:37:0 gen 0, fixing
[ 89.449891][ T5839] bcachefs (loop0): bucket 0:42 gen 0 different types of data in same bucket: journal, btree
[ 89.449906][ T5839] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1db8f60c84bb244c written 8 min_key POS_MIN durability: 1 ptr: 0:42:0 gen 0, fixing
[ 89.477153][ T5839] bcachefs (loop0): bucket 0:0 gen 0 data type sb has wrong cached_sectors: got 458752, should be 0, fixing
[ 89.489566][ T5839] bcachefs (loop0): bucket 0:1 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.499635][ T5839] bcachefs (loop0): bucket 0:1 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.511370][ T5839] bcachefs (loop0): bucket 0:2 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.521493][ T5839] bcachefs (loop0): bucket 0:2 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.533038][ T5839] bcachefs (loop0): bucket 0:3 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.543376][ T5839] bcachefs (loop0): bucket 0:3 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.554807][ T5839] bcachefs (loop0): bucket 0:4 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.564844][ T5839] bcachefs (loop0): bucket 0:4 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.576264][ T5839] bcachefs (loop0): bucket 0:5 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.586267][ T5839] bcachefs (loop0): bucket 0:5 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.597864][ T5839] bcachefs (loop0): bucket 0:6 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.607882][ T5839] bcachefs (loop0): bucket 0:6 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.619335][ T5839] bcachefs (loop0): bucket 0:7 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.629348][ T5839] bcachefs (loop0): bucket 0:7 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.640723][ T5839] bcachefs (loop0): bucket 0:8 gen 0 has wrong data_type: got free, should be sb, fixing
[ 89.650733][ T5839] bcachefs (loop0): bucket 0:8 gen 0 data type sb has wrong dirty_sectors: got 0, should be 8, fixing
[ 89.662349][ T5839] bcachefs (loop0): bucket 0:9 gen 0 has wrong data_type: got free, should be journal, fixing
[ 89.672792][ T5839] bcachefs (loop0): bucket 0:9 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.684590][ T5839] bcachefs (loop0): bucket 0:10 gen 0 has wrong data_type: got free, should be journal, fixing
[ 89.695131][ T5839] bcachefs (loop0): bucket 0:10 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.707100][ T5839] bcachefs (loop0): bucket 0:11 gen 0 has wrong data_type: got free, should be journal, fixing
[ 89.707115][ T5839] Ratelimiting new instances of previous error
[ 89.724081][ T5839] bcachefs (loop0): bucket 0:11 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing
[ 89.724101][ T5839] Ratelimiting new instances of previous error
[ 89.756284][ T5839] done
[ 89.759566][ T5839] bcachefs (loop0): going read-write
[ 89.787445][ T5839] bcachefs (loop0): journal_replay...
[ 89.790918][ T67] bcachefs (loop0): u64s 13 type alloc_v4 0:25:0 len 0 ver 0:
[ 89.790943][ T67] gen 0 oldest_gen 0 data_type journal
[ 89.790951][ T67] journal_seq_nonempty 0
[ 89.790958][ T67] journal_seq_empty 0
[ 89.790966][ T67] need_discard 0
[ 89.790973][ T67] need_inc_gen 0
[ 89.790980][ T67] dirty_sectors 256
[ 89.790987][ T67] stripe_sectors 0
[ 89.790995][ T67] cached_sectors 0
[ 89.791002][ T67] stripe 0
[ 89.791009][ T67] stripe_redundancy 0
[ 89.791016][ T67] io_time[READ] 0
[ 89.791023][ T67] io_time[WRITE] 0
[ 89.791030][ T67] fragmentation 0
[ 89.791037][ T67] bp_start 8
[ 89.791044][ T67]
[ 89.791050][ T67] incorrectly set at freespace:0:25:0 (free 0, genbits 0 should be 0), fixing
[ 89.883028][ T67] bcachefs (loop0): u64s 13 type alloc_v4 0:30:0 len 0 ver 0:
[ 89.883042][ T67] gen 0 oldest_gen 0 data_type journal
[ 89.883050][ T67] journal_seq_nonempty 0
[ 89.883058][ T67] journal_seq_empty 0
[ 89.883065][ T67] need_discard 0
[ 89.883072][ T67] need_inc_gen 0
[ 89.883079][ T67] dirty_sectors 256
[ 89.883087][ T67] stripe_sectors 0
[ 89.883095][ T67] cached_sectors 0
[ 89.883103][ T67] stripe 0
[ 89.883110][ T67] stripe_redundancy 0
[ 89.883117][ T67] io_time[READ] 0
[ 89.883124][ T67] io_time[WRITE] 0
[ 89.883131][ T67] fragmentation 0
[ 89.883138][ T67] bp_start 8
[ 89.883145][ T67]
[ 89.883151][ T67] incorrectly set at freespace:0:30:0 (free 0, genbits 0 should be 0), fixing
[ 89.967899][ T67] ==================================================================
[ 89.976053][ T67] BUG: KASAN: slab-use-after-free in bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 89.984737][ T67] Read of size 8 at addr ffff8880798e7d20 by task kworker/u8:4/67
[ 89.992541][ T67]
[ 89.994898][ T67] CPU: 1 UID: 0 PID: 67 Comm: kworker/u8:4 Not tainted 6.16.0-rc1-next-20250611-syzkaller #0 PREEMPT(full)
[ 89.994916][ T67] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 89.994927][ T67] Workqueue: btree_node_rewrite async_btree_node_rewrite_work
[ 89.994951][ T67] Call Trace:
[ 89.994959][ T67]
[ 89.994966][ T67] dump_stack_lvl+0x189/0x250
[ 89.994980][ T67] ? __virt_addr_valid+0x1c8/0x5c0
[ 89.994995][ T67] ? rcu_is_watching+0x15/0xb0
[ 89.995007][ T67] ? __kasan_check_byte+0x12/0x40
[ 89.995021][ T67] ? __pfx_dump_stack_lvl+0x10/0x10
[ 89.995033][ T67] ? rcu_is_watching+0x15/0xb0
[ 89.995044][ T67] ? lock_release+0x4b/0x3e0
[ 89.995066][ T67] ? __virt_addr_valid+0x1c8/0x5c0
[ 89.995079][ T67] ? __virt_addr_valid+0x4a5/0x5c0
[ 89.995094][ T67] print_report+0xd2/0x2b0
[ 89.995113][ T67] ? bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 89.995132][ T67] kasan_report+0x118/0x150
[ 89.995147][ T67] ? bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 89.995169][ T67] bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 89.995195][ T67] ? bch2_bucket_alloc_trans+0xcb4/0x2410
[ 89.995220][ T67] ? __pfx_bch2_bucket_alloc_trans+0x10/0x10
[ 89.995242][ T67] ? bch2_bucket_alloc_trans+0xcb4/0x2410
[ 89.995263][ T67] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70
[ 89.995284][ T67] bch2_bucket_alloc_set_trans+0x5a6/0xe70
[ 89.995306][ T67] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70
[ 89.995331][ T67] ? __open_bucket_add_buckets+0x783/0x1e40
[ 89.995355][ T67] __open_bucket_add_buckets+0x1437/0x1e40
[ 89.995386][ T67] open_bucket_add_buckets+0x2ee/0x440
[ 89.995409][ T67] bch2_alloc_sectors_start_trans+0xd26/0x1e80
[ 89.995431][ T67] ? __mutex_unlock_slowpath+0x1cd/0x700
[ 89.995463][ T67] bch2_btree_reserve_get+0x618/0x1510
[ 89.995488][ T67] ? __pfx_bch2_btree_reserve_get+0x10/0x10
[ 89.995504][ T67] ? bch2_is_superblock_bucket+0x300/0x3e0
[ 89.995524][ T67] ? bch2_btree_update_start+0xadb/0x1dc0
[ 89.995548][ T67] bch2_btree_update_start+0x147e/0x1dc0
[ 89.995568][ T67] ? bch2_btree_path_traverse_one+0x91e/0x21d0
[ 89.995596][ T67] ? bch2_btree_node_rewrite+0x17e/0x1120
[ 89.995619][ T67] ? __pfx_bch2_btree_update_start+0x10/0x10
[ 89.995646][ T67] ? bch2_btree_path_traverse_one+0x91e/0x21d0
[ 89.995669][ T67] ? async_btree_node_rewrite_work+0x1e1/0x840
[ 89.995683][ T67] ? bch2_btree_iter_peek_node+0x566/0xbc0
[ 89.995697][ T67] ? bch2_btree_iter_verify+0x1d/0x360
[ 89.995712][ T67] bch2_btree_node_rewrite+0x17e/0x1120
[ 89.995740][ T67] async_btree_node_rewrite_work+0x370/0x840
[ 89.995759][ T67] ? __pfx_async_btree_node_rewrite_work+0x10/0x10
[ 89.995785][ T67] ? async_btree_node_rewrite_work+0x1d2/0x840
[ 89.995799][ T67] ? _raw_spin_unlock_irq+0x23/0x50
[ 89.995814][ T67] ? process_scheduled_works+0x9ef/0x17b0
[ 89.995835][ T67] ? process_scheduled_works+0x9ef/0x17b0
[ 89.995856][ T67] process_scheduled_works+0xade/0x17b0
[ 89.995888][ T67] ? __pfx_process_scheduled_works+0x10/0x10
[ 89.995915][ T67] worker_thread+0x8a0/0xda0
[ 89.995928][ T67] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 89.995947][ T67] ? __kthread_parkme+0x7b/0x200
[ 89.995964][ T67] kthread+0x711/0x8a0
[ 89.995981][ T67] ? __pfx_worker_thread+0x10/0x10
[ 89.995992][ T67] ? __pfx_kthread+0x10/0x10
[ 89.996008][ T67] ? _raw_spin_unlock_irq+0x23/0x50
[ 89.996023][ T67] ? lockdep_hardirqs_on+0x9c/0x150
[ 89.996040][ T67] ? __pfx_kthread+0x10/0x10
[ 89.996055][ T67] ret_from_fork+0x3f9/0x770
[ 89.996076][ T67] ? __pfx_ret_from_fork+0x10/0x10
[ 89.996098][ T67] ? __switch_to_asm+0x39/0x70
[ 89.996112][ T67] ? __switch_to_asm+0x33/0x70
[ 89.996125][ T67] ? __pfx_kthread+0x10/0x10
[ 89.996141][ T67] ret_from_fork_asm+0x1a/0x30
[ 89.996161][ T67]
[ 89.996166][ T67]
[ 90.369029][ T67] Allocated by task 67:
[ 90.373182][ T67] kasan_save_track+0x3e/0x80
[ 90.377868][ T67] __kasan_kmalloc+0x93/0xb0
[ 90.382457][ T67] __kmalloc_node_track_caller_noprof+0x271/0x4e0
[ 90.388959][ T67] krealloc_noprof+0x124/0x340
[ 90.393739][ T67] __bch2_trans_kmalloc+0x26c/0xc80
[ 90.398984][ T67] bch2_alloc_sectors_start_trans+0x1d59/0x1e80
[ 90.405765][ T67] bch2_btree_reserve_get+0x618/0x1510
[ 90.411222][ T67] bch2_btree_update_start+0x147e/0x1dc0
[ 90.416861][ T67] bch2_btree_node_rewrite+0x17e/0x1120
[ 90.422431][ T67] async_btree_node_rewrite_work+0x370/0x840
[ 90.428422][ T67] process_scheduled_works+0xade/0x17b0
[ 90.434047][ T67] worker_thread+0x8a0/0xda0
[ 90.438652][ T67] kthread+0x711/0x8a0
[ 90.442724][ T67] ret_from_fork+0x3f9/0x770
[ 90.447319][ T67] ret_from_fork_asm+0x1a/0x30
[ 90.452090][ T67]
[ 90.454407][ T67] Freed by task 67:
[ 90.458218][ T67] kasan_save_track+0x3e/0x80
[ 90.462926][ T67] kasan_save_free_info+0x46/0x50
[ 90.467953][ T67] __kasan_slab_free+0x62/0x70
[ 90.472739][ T67] kfree+0x18e/0x440
[ 90.476639][ T67] krealloc_noprof+0x1cd/0x340
[ 90.481411][ T67] __bch2_trans_kmalloc+0x26c/0xc80
[ 90.486611][ T67] __bch2_trans_subbuf_alloc+0x2da/0x460
[ 90.492246][ T67] bch2_trans_log_str+0xd5/0x3c0
[ 90.497202][ T67] __bch2_fsck_err+0xc11/0xfb0
[ 90.501975][ T67] bch2_check_discard_freespace_key+0x71b/0xce0
[ 90.508217][ T67] bch2_bucket_alloc_trans+0x1333/0x2410
[ 90.513952][ T67] bch2_bucket_alloc_set_trans+0x5a6/0xe70
[ 90.519760][ T67] __open_bucket_add_buckets+0x1437/0x1e40
[ 90.525576][ T67] open_bucket_add_buckets+0x2ee/0x440
[ 90.531040][ T67] bch2_alloc_sectors_start_trans+0xd26/0x1e80
[ 90.537205][ T67] bch2_btree_reserve_get+0x618/0x1510
[ 90.542675][ T67] bch2_btree_update_start+0x147e/0x1dc0
[ 90.548312][ T67] bch2_btree_node_rewrite+0x17e/0x1120
[ 90.553969][ T67] async_btree_node_rewrite_work+0x370/0x840
[ 90.559952][ T67] process_scheduled_works+0xade/0x17b0
[ 90.565520][ T67] worker_thread+0x8a0/0xda0
[ 90.570208][ T67] kthread+0x711/0x8a0
[ 90.574296][ T67] ret_from_fork+0x3f9/0x770
[ 90.578930][ T67] ret_from_fork_asm+0x1a/0x30
[ 90.583694][ T67]
[ 90.586015][ T67] The buggy address belongs to the object at ffff8880798e7c00
[ 90.586015][ T67] which belongs to the cache kmalloc-512 of size 512
[ 90.600150][ T67] The buggy address is located 288 bytes inside of
[ 90.600150][ T67] freed 512-byte region [ffff8880798e7c00, ffff8880798e7e00)
[ 90.614043][ T67]
[ 90.616373][ T67] The buggy address belongs to the physical page:
[ 90.622824][ T67] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x798e4
[ 90.631594][ T67] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 90.640101][ T67] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 90.647738][ T67] page_type: f5(slab)
[ 90.651810][ T67] raw: 00fff00000000040 ffff88801a441c80 ffffea0000a09000 dead000000000002
[ 90.660396][ T67] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 90.669249][ T67] head: 00fff00000000040 ffff88801a441c80 ffffea0000a09000 dead000000000002
[ 90.677976][ T67] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 90.686668][ T67] head: 00fff00000000002 ffffea0001e63901 00000000ffffffff 00000000ffffffff
[ 90.695430][ T67] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 90.704114][ T67] page dumped because: kasan: bad access detected
[ 90.710534][ T67] page_owner tracks the page as allocated
[ 90.716247][ T67] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5206, tgid 5206 (udevadm), ts 37281871003, free_ts 31590955416
[ 90.737262][ T67] post_alloc_hook+0x240/0x2a0
[ 90.742120][ T67] get_page_from_freelist+0x21e4/0x22c0
[ 90.747693][ T67] __alloc_frozen_pages_noprof+0x181/0x370
[ 90.753502][ T67] alloc_pages_mpol+0x232/0x4a0
[ 90.758358][ T67] allocate_slab+0x8a/0x3b0
[ 90.762954][ T67] ___slab_alloc+0xbfc/0x1480
[ 90.767628][ T67] __kmalloc_cache_noprof+0x296/0x3d0
[ 90.772999][ T67] kernfs_fop_open+0x397/0xca0
[ 90.777765][ T67] do_dentry_open+0xdf3/0x1970
[ 90.782546][ T67] vfs_open+0x3b/0x340
[ 90.786617][ T67] path_openat+0x2ee5/0x3830
[ 90.791226][ T67] do_filp_open+0x1fa/0x410
[ 90.795730][ T67] do_sys_openat2+0x121/0x1c0
[ 90.800441][ T67] __x64_sys_openat+0x138/0x170
[ 90.805294][ T67] do_syscall_64+0xfa/0x3b0
[ 90.809803][ T67] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.815693][ T67] page last free pid 1 tgid 1 stack trace:
[ 90.821493][ T67] __free_frozen_pages+0xc71/0xe70
[ 90.826607][ T67] free_contig_range+0x1bd/0x4a0
[ 90.831551][ T67] destroy_args+0x7e/0x5d0
[ 90.835982][ T67] debug_vm_pgtable+0x412/0x450
[ 90.840830][ T67] do_one_initcall+0x233/0x820
[ 90.845593][ T67] do_initcall_level+0x137/0x1f0
[ 90.850565][ T67] do_initcalls+0x69/0xd0
[ 90.855023][ T67] kernel_init_freeable+0x3d9/0x570
[ 90.860231][ T67] kernel_init+0x1d/0x1d0
[ 90.864559][ T67] ret_from_fork+0x3f9/0x770
[ 90.869154][ T67] ret_from_fork_asm+0x1a/0x30
[ 90.874058][ T67]
[ 90.876394][ T67] Memory state around the buggy address:
[ 90.882027][ T67] ffff8880798e7c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.890093][ T67] ffff8880798e7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.898151][ T67] >ffff8880798e7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.906204][ T67] ^
[ 90.911310][ T67] ffff8880798e7d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.919462][ T67] ffff8880798e7e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 90.927530][ T67] ==================================================================
[ 90.936303][ T67] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 90.943625][ T67] CPU: 1 UID: 0 PID: 67 Comm: kworker/u8:4 Not tainted 6.16.0-rc1-next-20250611-syzkaller #0 PREEMPT(full)
[ 90.955175][ T67] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 90.965258][ T67] Workqueue: btree_node_rewrite async_btree_node_rewrite_work
[ 90.972727][ T67] Call Trace:
[ 90.976022][ T67]
[ 90.978954][ T67] dump_stack_lvl+0x99/0x250
[ 90.983629][ T67] ? __asan_memcpy+0x40/0x70
[ 90.988227][ T67] ? __pfx_dump_stack_lvl+0x10/0x10
[ 90.993438][ T67] ? __pfx__printk+0x10/0x10
[ 90.998035][ T67] panic+0x2db/0x790
[ 91.001946][ T67] ? __pfx_panic+0x10/0x10
[ 91.006372][ T67] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 91.012270][ T67] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 91.018597][ T67] ? print_memory_metadata+0x314/0x400
[ 91.024150][ T67] ? bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 91.030064][ T67] check_panic_on_warn+0x89/0xb0
[ 91.035004][ T67] ? bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 91.040905][ T67] end_report+0x78/0x160
[ 91.045151][ T67] kasan_report+0x129/0x150
[ 91.049671][ T67] ? bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 91.055493][ T67] bch2_bucket_alloc_trans+0x1aa0/0x2410
[ 91.061142][ T67] ? bch2_bucket_alloc_trans+0xcb4/0x2410
[ 91.066886][ T67] ? __pfx_bch2_bucket_alloc_trans+0x10/0x10
[ 91.072882][ T67] ? bch2_bucket_alloc_trans+0xcb4/0x2410
[ 91.078613][ T67] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70
[ 91.084615][ T67] bch2_bucket_alloc_set_trans+0x5a6/0xe70
[ 91.090433][ T67] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70
[ 91.096451][ T67] ? __open_bucket_add_buckets+0x783/0x1e40
[ 91.102381][ T67] __open_bucket_add_buckets+0x1437/0x1e40
[ 91.108230][ T67] open_bucket_add_buckets+0x2ee/0x440
[ 91.113699][ T67] bch2_alloc_sectors_start_trans+0xd26/0x1e80
[ 91.119908][ T67] ? __mutex_unlock_slowpath+0x1cd/0x700
[ 91.125578][ T67] bch2_btree_reserve_get+0x618/0x1510
[ 91.131054][ T67] ? __pfx_bch2_btree_reserve_get+0x10/0x10
[ 91.137036][ T67] ? bch2_is_superblock_bucket+0x300/0x3e0
[ 91.142851][ T67] ? bch2_btree_update_start+0xadb/0x1dc0
[ 91.148580][ T67] bch2_btree_update_start+0x147e/0x1dc0
[ 91.154221][ T67] ? bch2_btree_path_traverse_one+0x91e/0x21d0
[ 91.160389][ T67] ? bch2_btree_node_rewrite+0x17e/0x1120
[ 91.166137][ T67] ? __pfx_bch2_btree_update_start+0x10/0x10
[ 91.172129][ T67] ? bch2_btree_path_traverse_one+0x91e/0x21d0
[ 91.178290][ T67] ? async_btree_node_rewrite_work+0x1e1/0x840
[ 91.184534][ T67] ? bch2_btree_iter_peek_node+0x566/0xbc0
[ 91.190342][ T67] ? bch2_btree_iter_verify+0x1d/0x360
[ 91.195803][ T67] bch2_btree_node_rewrite+0x17e/0x1120
[ 91.201380][ T67] async_btree_node_rewrite_work+0x370/0x840
[ 91.207367][ T67] ? __pfx_async_btree_node_rewrite_work+0x10/0x10
[ 91.213880][ T67] ? async_btree_node_rewrite_work+0x1d2/0x840
[ 91.220410][ T67] ? _raw_spin_unlock_irq+0x23/0x50
[ 91.225612][ T67] ? process_scheduled_works+0x9ef/0x17b0
[ 91.231342][ T67] ? process_scheduled_works+0x9ef/0x17b0
[ 91.237071][ T67] process_scheduled_works+0xade/0x17b0
[ 91.242638][ T67] ? __pfx_process_scheduled_works+0x10/0x10
[ 91.248660][ T67] worker_thread+0x8a0/0xda0
[ 91.253250][ T67] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 91.259667][ T67] ? __kthread_parkme+0x7b/0x200
[ 91.264607][ T67] kthread+0x711/0x8a0
[ 91.268673][ T67] ? __pfx_worker_thread+0x10/0x10
[ 91.273775][ T67] ? __pfx_kthread+0x10/0x10
[ 91.278371][ T67] ? _raw_spin_unlock_irq+0x23/0x50
[ 91.283665][ T67] ? lockdep_hardirqs_on+0x9c/0x150
[ 91.288865][ T67] ? __pfx_kthread+0x10/0x10
[ 91.293461][ T67] ret_from_fork+0x3f9/0x770
[ 91.298064][ T67] ? __pfx_ret_from_fork+0x10/0x10
[ 91.303191][ T67] ? __switch_to_asm+0x39/0x70
[ 91.308039][ T67] ? __switch_to_asm+0x33/0x70
[ 91.312851][ T67] ? __pfx_kthread+0x10/0x10
[ 91.317446][ T67] ret_from_fork_asm+0x1a/0x30
[ 91.322220][ T67]
[ 91.326827][ T67] Kernel Offset: disabled
[ 91.331163][ T67] Rebooting in 86400 seconds..