program: mknodat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0, 0x0) (async) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) (async) r0 = socket$inet6_icmp(0xa, 0x2, 0x3a) bind$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e24, 0x80000, @loopback}, 0x1c) (async) pipe2$9p(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) write$P9_RVERSION(r2, &(0x7f0000000300)=ANY=[@ANYBLOB="1500000065ffff017f000e0800395032303030"], 0x15) (async) setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x44, 0x6, 0x3c8, 0x0, 0x298, 0x200, 0x200, 0x298, 0x330, 0x330, 0x330, 0x330, 0x330, 0x6, 0x0, {[{{@uncond, 0x0, 0x70, 0x98}, @common=@unspec=@STANDARD={0x28, '\x00', 0x0, 0x98}}, {{@ip={@remote, @local, 0x0, 0x0, 'vcan0\x00', 'veth0_virt_wifi\x00'}, 0x0, 0x70, 0xd0}, @common=@SET={0x60, 'SET\x00', 0x0, {{}, {0x0, [0x0, 0x0, 0x0, 0x0, 0x4]}}}}, {{@uncond, 0x0, 0x70, 0x98}, @ECN={0x28}}, {{@ip={@rand_addr, @multicast2, 0x0, 0x0, 'syzkaller0\x00', 'bond0\x00'}, 0x0, 0x70, 0x98}, @unspec=@CHECKSUM={0x28}}, {{@ip={@remote, @initdev={0xac, 0x1e, 0x0, 0x0}, 0x0, 0x0, 'lo\x00', 'batadv_slave_1\x00'}, 0x0, 0x70, 0x98}, @ECN={0x28}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x428) (async) r3 = dup(r2) write$FUSE_BMAP(r3, &(0x7f0000000000)={0x18}, 0x18) (async) openat(r3, &(0x7f0000000540)='./file0\x00', 0x800, 0x40) syz_open_dev$evdev(&(0x7f0000000440), 0x8, 0x30203) (async) write$FUSE_DIRENTPLUS(r3, &(0x7f00000003c0)=ANY=[@ANYBLOB="b0"], 0xb0) write$FUSE_GETXATTR(r3, &(0x7f00000000c0)={0x18}, 0x18) (async, rerun: 32) write$FUSE_DIRENTPLUS(r3, &(0x7f0000000680)=ANY=[@ANYBLOB="b9000000000000", @ANYRES64], 0xb8) (async, rerun: 32) ioctl$AUTOFS_DEV_IOCTL_REQUESTER(r3, 0xc018937b, &(0x7f0000000480)={{0x1, 0x1, 0x18, r1, {0xee00, 0xffffffffffffffff}}, './file0\x00'}) mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000080), 0x404, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r3}, 0x2c, {[{@cache_fscache}], [{@fowner_gt={'fowner>', r4}}]}}) r5 = openat(0xffffffffffffff9c, &(0x7f000000c380)='./file0\x00', 0x20842, 0x0) write$FUSE_DIRENTPLUS(r5, &(0x7f0000000840)={0x10}, 0x10) [ 58.915931][ T5301] Bluetooth: hci0: command tx timeout [ 58.935460][ T25] audit: type=1800 audit(1742359546.680:2): pid=5317 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.0" name="/" dev="9p" ino=2 res=0 errno=0 [ 58.951830][ T5317] ================================================================== [ 58.955083][ T5317] BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x1c1/0x590 [ 58.958302][ T5317] Read of size 4 at addr ffff888012367a18 by task syz.0.0/5317 [ 58.961206][ T5317] [ 58.962199][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 [ 58.962213][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.962221][ T5317] Call Trace: [ 58.962227][ T5317] [ 58.962232][ T5317] dump_stack_lvl+0x241/0x360 [ 58.962248][ T5317] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.962259][ T5317] ? __pfx__printk+0x10/0x10 [ 58.962267][ T5317] ? _printk+0xd5/0x120 [ 58.962275][ T5317] ? __virt_addr_valid+0x183/0x530 [ 58.962286][ T5317] ? __virt_addr_valid+0x183/0x530 [ 58.962295][ T5317] print_report+0x16e/0x5b0 [ 58.962307][ T5317] ? __virt_addr_valid+0x183/0x530 [ 58.962316][ T5317] ? __virt_addr_valid+0x183/0x530 [ 58.962325][ T5317] ? __virt_addr_valid+0x45f/0x530 [ 58.962334][ T5317] ? __phys_addr+0xba/0x170 [ 58.962343][ T5317] ? iov_iter_revert+0x1c1/0x590 [ 58.962379][ T5317] kasan_report+0x143/0x180 [ 58.962391][ T5317] ? iov_iter_revert+0x1c1/0x590 [ 58.962404][ T5317] iov_iter_revert+0x1c1/0x590 [ 58.962418][ T5317] p9_client_write+0x444/0x7a0 [ 58.962474][ T5317] ? __pfx_p9_client_write+0x10/0x10 [ 58.962484][ T5317] ? do_raw_spin_lock+0x14f/0x370 [ 58.962499][ T5317] v9fs_issue_write+0xf0/0x1d0 [ 58.962513][ T5317] ? __pfx_v9fs_issue_write+0x10/0x10 [ 58.962528][ T5317] ? rcu_is_watching+0x15/0xb0 [ 58.962540][ T5317] netfs_end_issue_write+0x18d/0x420 [ 58.962555][ T5317] netfs_unbuffered_write+0x589/0x600 [ 58.962570][ T5317] ? __pfx_netfs_unbuffered_write+0x10/0x10 [ 58.962582][ T5317] ? __pfx_netfs_extract_user_iter+0x10/0x10 [ 58.962594][ T5317] netfs_unbuffered_write_iter_locked+0x456/0x9f0 [ 58.962607][ T5317] netfs_unbuffered_write_iter+0x4e1/0x6a0 [ 58.962620][ T5317] vfs_write+0xacf/0xd10 [ 58.962631][ T5317] ? __pfx_v9fs_file_write_iter+0x10/0x10 [ 58.962646][ T5317] ? __pfx_vfs_write+0x10/0x10 [ 58.962657][ T5317] ? rcu_is_watching+0x15/0xb0 [ 58.962670][ T5317] ksys_write+0x18f/0x2b0 [ 58.962680][ T5317] ? __pfx_ksys_write+0x10/0x10 [ 58.962690][ T5317] ? do_syscall_64+0x100/0x230 [ 58.962706][ T5317] ? do_syscall_64+0xb6/0x230 [ 58.962721][ T5317] do_syscall_64+0xf3/0x230 [ 58.962735][ T5317] ? clear_bhb_loop+0x35/0x90 [ 58.962796][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.962809][ T5317] RIP: 0033:0x7fecb6b8d169 [ 58.962821][ T5317] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 58.962829][ T5317] RSP: 002b:00007fecb7ac9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 58.962841][ T5317] RAX: ffffffffffffffda RBX: 00007fecb6da5fa0 RCX: 00007fecb6b8d169 [ 58.962849][ T5317] RDX: 0000000000000010 RSI: 0000400000000840 RDI: 0000000000000007 [ 58.962855][ T5317] RBP: 00007fecb6c0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 58.962862][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 58.962868][ T5317] R13: 0000000000000000 R14: 00007fecb6da5fa0 R15: 00007ffcb48d62e8 [ 58.962877][ T5317] [ 58.962881][ T5317] [ 59.080102][ T5317] Allocated by task 5317: [ 59.081846][ T5317] kasan_save_track+0x3f/0x80 [ 59.083718][ T5317] __kasan_kmalloc+0x98/0xb0 [ 59.085581][ T5317] __kmalloc_noprof+0x285/0x4c0 [ 59.087547][ T5317] aa_label_asxprint+0x6e/0x130 [ 59.089492][ T5317] apparmor_lsmprop_to_secctx+0x9e/0x180 [ 59.091691][ T5317] security_lsmprop_to_secctx+0x93/0x2b0 [ 59.093828][ T5317] audit_log_task_context+0xff/0x260 [ 59.095828][ T5317] integrity_audit_message+0x228/0x4f0 [ 59.098050][ T5317] integrity_audit_msg+0x41/0x60 [ 59.100059][ T5317] ima_collect_measurement+0x83f/0xb20 [ 59.102210][ T5317] process_measurement+0x1351/0x1fb0 [ 59.104256][ T5317] ima_file_check+0xd9/0x120 [ 59.106073][ T5317] security_file_post_open+0xb9/0x280 [ 59.108271][ T5317] path_openat+0x2cca/0x3590 [ 59.110080][ T5317] do_filp_open+0x27f/0x4e0 [ 59.111943][ T5317] do_sys_openat2+0x13e/0x1d0 [ 59.113829][ T5317] __x64_sys_openat+0x247/0x2a0 [ 59.115793][ T5317] do_syscall_64+0xf3/0x230 [ 59.117547][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.119925][ T5317] [ 59.120742][ T5317] Freed by task 5317: [ 59.122380][ T5317] kasan_save_track+0x3f/0x80 [ 59.124203][ T5317] kasan_save_free_info+0x40/0x50 [ 59.126219][ T5317] __kasan_slab_free+0x59/0x70 [ 59.128088][ T5317] kfree+0x196/0x430 [ 59.129637][ T5317] apparmor_release_secctx+0x6c/0xe0 [ 59.131805][ T5317] security_release_secctx+0x8c/0x160 [ 59.133947][ T5317] audit_log_task_context+0x155/0x260 [ 59.136111][ T5317] integrity_audit_message+0x228/0x4f0 [ 59.138340][ T5317] integrity_audit_msg+0x41/0x60 [ 59.140254][ T5317] ima_collect_measurement+0x83f/0xb20 [ 59.142411][ T5317] process_measurement+0x1351/0x1fb0 [ 59.144483][ T5317] ima_file_check+0xd9/0x120 [ 59.146241][ T5317] security_file_post_open+0xb9/0x280 [ 59.148535][ T5317] path_openat+0x2cca/0x3590 [ 59.150463][ T5317] do_filp_open+0x27f/0x4e0 [ 59.152518][ T5317] do_sys_openat2+0x13e/0x1d0 [ 59.154408][ T5317] __x64_sys_openat+0x247/0x2a0 [ 59.156295][ T5317] do_syscall_64+0xf3/0x230 [ 59.158131][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.160506][ T5317] [ 59.161446][ T5317] The buggy address belongs to the object at ffff888012367a00 [ 59.161446][ T5317] which belongs to the cache kmalloc-16 of size 16 [ 59.166697][ T5317] The buggy address is located 8 bytes to the right of [ 59.166697][ T5317] allocated 16-byte region [ffff888012367a00, ffff888012367a10) [ 59.172248][ T5317] [ 59.173220][ T5317] The buggy address belongs to the physical page: [ 59.175757][ T5317] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12367 [ 59.179347][ T5317] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 59.182111][ T5317] page_type: f5(slab) [ 59.183713][ T5317] raw: 00fff00000000000 ffff88801b041640 dead000000000100 dead000000000122 [ 59.187067][ T5317] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 59.190441][ T5317] page dumped because: kasan: bad access detected [ 59.192838][ T5317] page_owner tracks the page as allocated [ 59.195100][ T5317] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5299, tgid 5299 (syz-executor), ts 57538728677, free_ts 57494496884 [ 59.202438][ T5317] post_alloc_hook+0x1f4/0x240 [ 59.204366][ T5317] get_page_from_freelist+0x365c/0x37a0 [ 59.206651][ T5317] __alloc_pages_slowpath+0x434/0x10b0 [ 59.208877][ T5317] __alloc_frozen_pages_noprof+0x49b/0x710 [ 59.211190][ T5317] allocate_slab+0x66/0x3a0 [ 59.213053][ T5317] ___slab_alloc+0xc27/0x14a0 [ 59.214956][ T5317] __slab_alloc+0x58/0xa0 [ 59.216671][ T5317] __kmalloc_cache_node_noprof+0x294/0x3a0 [ 59.219013][ T5317] hugetlb_cgroup_css_alloc+0x173/0x8c0 [ 59.221280][ T5317] cgroup_apply_control_enable+0x39c/0xaf0 [ 59.223548][ T5317] cgroup_mkdir+0xa83/0xd60 [ 59.225282][ T5317] kernfs_iop_mkdir+0x253/0x3f0 [ 59.227163][ T5317] vfs_mkdir+0x2f9/0x4f0 [ 59.228811][ T5317] do_mkdirat+0x264/0x3a0 [ 59.230512][ T5317] __x64_sys_mkdirat+0x87/0xa0 [ 59.232361][ T5317] do_syscall_64+0xf3/0x230 [ 59.234153][ T5317] page last free pid 5296 tgid 5296 stack trace: [ 59.236594][ T5317] free_frozen_pages+0xe0d/0x10e0 [ 59.238679][ T5317] __slab_free+0x2c2/0x380 [ 59.240594][ T5317] qlist_free_all+0x9a/0x140 [ 59.242470][ T5317] kasan_quarantine_reduce+0x14f/0x170 [ 59.244563][ T5317] __kasan_slab_alloc+0x23/0x80 [ 59.246564][ T5317] kmem_cache_alloc_noprof+0x1d9/0x380 [ 59.248744][ T5317] getname_flags+0xb7/0x540 [ 59.250817][ T5317] do_sys_openat2+0xd2/0x1d0 [ 59.252718][ T5317] __x64_sys_openat+0x247/0x2a0 [ 59.254656][ T5317] do_syscall_64+0xf3/0x230 [ 59.256529][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.258988][ T5317] [ 59.260023][ T5317] Memory state around the buggy address: [ 59.262266][ T5317] ffff888012367900: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc [ 59.265417][ T5317] ffff888012367980: fa fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc [ 59.268660][ T5317] >ffff888012367a00: fa fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc [ 59.271643][ T5317] ^ [ 59.273558][ T5317] ffff888012367a80: 00 00 fc fc 00 00 fc fc 00 00 fc fc fc fc fc fc [ 59.276818][ T5317] ffff888012367b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.279966][ T5317] ================================================================== [ 59.291658][ T5317] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.294617][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 [ 59.298703][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.302774][ T5317] Call Trace: [ 59.304096][ T5317] [ 59.305203][ T5317] dump_stack_lvl+0x241/0x360 [ 59.306979][ T5317] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.309048][ T5317] ? __pfx__printk+0x10/0x10 [ 59.310927][ T5317] ? preempt_schedule+0xe1/0xf0 [ 59.312743][ T5317] ? vscnprintf+0x5d/0x90 [ 59.314463][ T5317] panic+0x349/0x880 [ 59.316065][ T5317] ? check_panic_on_warn+0x21/0xb0 [ 59.318059][ T5317] ? __pfx_panic+0x10/0x10 [ 59.319827][ T5317] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.322132][ T5317] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.324627][ T5317] ? print_report+0x519/0x5b0 [ 59.326459][ T5317] check_panic_on_warn+0x86/0xb0 [ 59.328235][ T5317] ? iov_iter_revert+0x1c1/0x590 [ 59.329934][ T5317] end_report+0x77/0x160 [ 59.331426][ T5317] kasan_report+0x154/0x180 [ 59.333017][ T5317] ? iov_iter_revert+0x1c1/0x590 [ 59.334783][ T5317] iov_iter_revert+0x1c1/0x590 [ 59.336468][ T5317] p9_client_write+0x444/0x7a0 [ 59.338199][ T5317] ? __pfx_p9_client_write+0x10/0x10 [ 59.340115][ T5317] ? do_raw_spin_lock+0x14f/0x370 [ 59.341925][ T5317] v9fs_issue_write+0xf0/0x1d0 [ 59.343666][ T5317] ? __pfx_v9fs_issue_write+0x10/0x10 [ 59.345627][ T5317] ? rcu_is_watching+0x15/0xb0 [ 59.347429][ T5317] netfs_end_issue_write+0x18d/0x420 [ 59.349414][ T5317] netfs_unbuffered_write+0x589/0x600 [ 59.351447][ T5317] ? __pfx_netfs_unbuffered_write+0x10/0x10 [ 59.353808][ T5317] ? __pfx_netfs_extract_user_iter+0x10/0x10 [ 59.356170][ T5317] netfs_unbuffered_write_iter_locked+0x456/0x9f0 [ 59.358643][ T5317] netfs_unbuffered_write_iter+0x4e1/0x6a0 [ 59.360936][ T5317] vfs_write+0xacf/0xd10 [ 59.362671][ T5317] ? __pfx_v9fs_file_write_iter+0x10/0x10 [ 59.364973][ T5317] ? __pfx_vfs_write+0x10/0x10 [ 59.366929][ T5317] ? rcu_is_watching+0x15/0xb0 [ 59.368953][ T5317] ksys_write+0x18f/0x2b0 [ 59.370686][ T5317] ? __pfx_ksys_write+0x10/0x10 [ 59.372695][ T5317] ? do_syscall_64+0x100/0x230 [ 59.374664][ T5317] ? do_syscall_64+0xb6/0x230 [ 59.376612][ T5317] do_syscall_64+0xf3/0x230 [ 59.378489][ T5317] ? clear_bhb_loop+0x35/0x90 [ 59.380378][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.382680][ T5317] RIP: 0033:0x7fecb6b8d169 [ 59.384551][ T5317] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 59.391679][ T5317] RSP: 002b:00007fecb7ac9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 59.394770][ T5317] RAX: ffffffffffffffda RBX: 00007fecb6da5fa0 RCX: 00007fecb6b8d169 [ 59.397630][ T5317] RDX: 0000000000000010 RSI: 0000400000000840 RDI: 0000000000000007 [ 59.400460][ T5317] RBP: 00007fecb6c0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 59.403353][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 59.406316][ T5317] R13: 0000000000000000 R14: 00007fecb6da5fa0 R15: 00007ffcb48d62e8 [ 59.409512][ T5317] [ 59.411061][ T5317] Kernel Offset: disabled [ 59.412814][ T5317] Rebooting in 86400 seconds..