./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3668638695
<...>
Warning: Permanently added '10.128.0.228' (ECDSA) to the list of known hosts.
execve("./syz-executor3668638695", ["./syz-executor3668638695"], 0x7ffd72c67120 /* 10 vars */) = 0
brk(NULL) = 0x5555571aa000
brk(0x5555571aac40) = 0x5555571aac40
arch_prctl(ARCH_SET_FS, 0x5555571aa300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3668638695", 4096) = 28
brk(0x5555571cbc40) = 0x5555571cbc40
brk(0x5555571cc000) = 0x5555571cc000
mprotect(0x7f63c551d000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 5075
mkdir("./syzkaller.muG5zX", 0700) = 0
chmod("./syzkaller.muG5zX", 0777) = 0
chdir("./syzkaller.muG5zX") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571aa5d0) = 5076
./strace-static-x86_64: Process 5076 attached
[pid 5076] chdir("./0") = 0
[pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5076] setpgid(0, 0) = 0
[pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5076] write(3, "1000", 4) = 4
[pid 5076] close(3) = 0
[pid 5076] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5076] memfd_create("syzkaller", 0) = 3
[pid 5076] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f63bd061000
[pid 5076] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
[pid 5076] munmap(0x7f63bd061000, 1048576) = 0
[pid 5076] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5076] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5076] close(3) = 0
[pid 5076] mkdir("./file0", 0777) = 0
[ 53.967390][ T5076] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5076 'syz-executor366'
[ 53.994976][ T5076] loop0: detected capacity change from 0 to 2048
[pid 5076] mount("/dev/loop0", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue") = 0
[pid 5076] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5076] chdir("./file0") = 0
[pid 5076] ioctl(4, LOOP_CLR_FD) = 0
[pid 5076] close(4) = 0
[pid 5076] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_NOFOLLOW|O_NOATIME, 000) = 4
[pid 5076] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0
[pid 5076] openat(AT_FDCWD, "./bus", O_RDONLY) = 5
[pid 5076] openat(AT_FDCWD, "./bus", O_RDWR|O_SYNC|O_NOATIME|O_CLOEXEC) = 6
[pid 5076] read(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8254) = 8254
[pid 5076] sendfile(6, 5, NULL, 131071) = 131071
[ 54.016476][ T5076] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.
[ 54.057327][ T5076] EXT4-fs error (device loop0): ext4_xattr_ibody_get:669: inode #18: comm syz-executor366: corrupted in-inode xattr: bad magic number in in-inode xattr
[ 54.075129][ T5076] ==================================================================
[ 54.083227][ T5076] BUG: KASAN: slab-use-after-free in get_max_inline_xattr_value_size+0x369/0x510
[ 54.092345][ T5076] Read of size 4 at addr ffff88807c4ac084 by task syz-executor366/5076
[ 54.100566][ T5076]
[ 54.102937][ T5076] CPU: 0 PID: 5076 Comm: syz-executor366 Not tainted 6.3.0-rc3-syzkaller-00338-gda8e7da11e4b #0
[ 54.113365][ T5076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 54.123699][ T5076] Call Trace:
[ 54.127016][ T5076]
[ 54.130114][ T5076] dump_stack_lvl+0x1e7/0x2d0
[ 54.134887][ T5076] ? nf_tcp_handle_invalid+0x650/0x650
[ 54.140530][ T5076] ? panic+0x770/0x770
[ 54.144837][ T5076] ? _printk+0xd5/0x120
[ 54.149177][ T5076] print_report+0x163/0x540
[ 54.153688][ T5076] ? __virt_addr_valid+0x22f/0x2e0
[ 54.158809][ T5076] ? __phys_addr+0xba/0x170
[ 54.163307][ T5076] ? get_max_inline_xattr_value_size+0x369/0x510
[ 54.169638][ T5076] kasan_report+0x176/0x1b0
[ 54.174147][ T5076] ? get_max_inline_xattr_value_size+0x369/0x510
[ 54.180510][ T5076] get_max_inline_xattr_value_size+0x369/0x510
[ 54.186686][ T5076] ext4_get_max_inline_size+0x141/0x200
[ 54.192255][ T5076] ? ext4_ind_truncate_ensure_credits+0x780/0x780
[ 54.198668][ T5076] ? ext4_get_inode_loc+0x14f/0x1a0
[ 54.203878][ T5076] ? ext4_journal_check_start+0x179/0x240
[ 54.209586][ T5076] ext4_prepare_inline_data+0x87/0x1d0
[ 54.215032][ T5076] ext4_da_write_inline_data_begin+0x208/0xe40
[ 54.221197][ T5076] ? ext4_journalled_write_inline_data+0x620/0x620
[ 54.227686][ T5076] ext4_da_write_begin+0x4da/0x960
[ 54.232878][ T5076] ? ext4_dirty_folio+0x310/0x310
[ 54.237893][ T5076] ? fault_in_iov_iter_readable+0xdf/0x280
[ 54.243702][ T5076] generic_perform_write+0x300/0x5e0
[ 54.249531][ T5076] ? generic_file_direct_write+0x460/0x460
[ 54.255357][ T5076] ? clear_nonspinnable+0x60/0x60
[ 54.260469][ T5076] ? __lock_acquire+0x125b/0x1f80
[ 54.265491][ T5076] ? ext4_write_checks+0x255/0x2c0
[ 54.270739][ T5076] ext4_buffered_write_iter+0x122/0x3a0
[ 54.276286][ T5076] ext4_file_write_iter+0x1d6/0x1930
[ 54.281558][ T5076] ? read_lock_is_recursive+0x20/0x20
[ 54.286917][ T5076] ? ext4_file_read_iter+0x670/0x670
[ 54.292185][ T5076] ? __rwlock_init+0x150/0x150
[ 54.296953][ T5076] vfs_write+0x7b2/0xbb0
[ 54.301199][ T5076] ? file_end_write+0x250/0x250
[ 54.306054][ T5076] ? lockdep_hardirqs_on+0x98/0x140
[ 54.311266][ T5076] ? __fdget_pos+0x265/0x2f0
[ 54.315853][ T5076] ksys_write+0x1a0/0x2c0
[ 54.320279][ T5076] ? __ia32_sys_read+0x90/0x90
[ 54.325078][ T5076] ? syscall_enter_from_user_mode+0x32/0x260
[ 54.331059][ T5076] ? syscall_enter_from_user_mode+0x8c/0x260
[ 54.337066][ T5076] do_syscall_64+0x41/0xc0
[ 54.341490][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.347501][ T5076] RIP: 0033:0x7f63c54aea99
[ 54.351915][ T5076] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 54.371520][ T5076] RSP: 002b:00007fff3f17f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 54.379955][ T5076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f63c54aea99
[ 54.387940][ T5076] RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000004
[ 54.395902][ T5076] RBP: 0000000000000000 R08: 00007fff3f17f0f0 R09: 00007fff3f17f0f0
[ 54.403860][ T5076] R10: 00007fff3f17f0f0 R11: 0000000000000246 R12: 00007f63c546d960
[ 54.411815][ T5076] R13: 00007fff3f17f120 R14: 00007fff3f17f100 R15: 0000000000000000
[ 54.419776][ T5076]
[ 54.422780][ T5076]
[ 54.425087][ T5076] Allocated by task 4998:
[ 54.429393][ T5076] kasan_set_track+0x4f/0x70
[ 54.433974][ T5076] __kasan_slab_alloc+0x66/0x70
[ 54.438818][ T5076] slab_post_alloc_hook+0x68/0x3a0
[ 54.443927][ T5076] kmem_cache_alloc+0x11f/0x2e0
[ 54.448788][ T5076] anon_vma_fork+0x1fa/0x580
[ 54.453366][ T5076] copy_mm+0xae3/0x1670
[ 54.457505][ T5076] copy_process+0x1905/0x3fc0
[ 54.462162][ T5076] kernel_clone+0x222/0x800
[ 54.466732][ T5076] __x64_sys_clone+0x235/0x280
[ 54.471476][ T5076] do_syscall_64+0x41/0xc0
[ 54.475879][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.481759][ T5076]
[ 54.484083][ T5076] Freed by task 5013:
[ 54.488059][ T5076] kasan_set_track+0x4f/0x70
[ 54.492636][ T5076] kasan_save_free_info+0x2b/0x40
[ 54.497646][ T5076] ____kasan_slab_free+0xd6/0x120
[ 54.502654][ T5076] kmem_cache_free+0x297/0x520
[ 54.507424][ T5076] unlink_anon_vmas+0x59e/0x5f0
[ 54.512270][ T5076] free_pgtables+0x348/0x4f0
[ 54.516840][ T5076] exit_mmap+0x2c1/0x850
[ 54.521064][ T5076] __mmput+0x115/0x3c0
[ 54.525114][ T5076] exit_mm+0x227/0x310
[ 54.529165][ T5076] do_exit+0x612/0x2290
[ 54.533303][ T5076] do_group_exit+0x206/0x2c0
[ 54.537878][ T5076] __x64_sys_exit_group+0x3f/0x40
[ 54.542972][ T5076] do_syscall_64+0x41/0xc0
[ 54.547402][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.553290][ T5076]
[ 54.555597][ T5076] The buggy address belongs to the object at ffff88807c4ac070
[ 54.555597][ T5076] which belongs to the cache anon_vma_chain of size 80
[ 54.569829][ T5076] The buggy address is located 20 bytes inside of
[ 54.569829][ T5076] freed 80-byte region [ffff88807c4ac070, ffff88807c4ac0c0)
[ 54.583441][ T5076]
[ 54.585764][ T5076] The buggy address belongs to the physical page:
[ 54.592168][ T5076] page:ffffea0001f12b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c4ac
[ 54.602301][ T5076] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 54.609833][ T5076] raw: 00fff00000000200 ffff888140007280 dead000000000122 0000000000000000
[ 54.618485][ T5076] raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000
[ 54.627045][ T5076] page dumped because: kasan: bad access detected
[ 54.633448][ T5076] page_owner tracks the page as allocated
[ 54.639144][ T5076] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY), pid 4998, tgid 4998 (dhcpcd-run-hook), ts 47082738820, free_ts 47079213294
[ 54.657713][ T5076] get_page_from_freelist+0x3246/0x33c0
[ 54.663256][ T5076] __alloc_pages+0x255/0x670
[ 54.667830][ T5076] alloc_slab_page+0x6a/0x160
[ 54.672491][ T5076] new_slab+0x84/0x2f0
[ 54.676541][ T5076] ___slab_alloc+0xa85/0x10a0
[ 54.681199][ T5076] kmem_cache_alloc+0x1b9/0x2e0
[ 54.686037][ T5076] anon_vma_clone+0x98/0x4d0
[ 54.690613][ T5076] anon_vma_fork+0x87/0x580
[ 54.695103][ T5076] copy_mm+0xae3/0x1670
[ 54.699239][ T5076] copy_process+0x1905/0x3fc0
[ 54.703895][ T5076] kernel_clone+0x222/0x800
[ 54.708376][ T5076] __x64_sys_clone+0x235/0x280
[ 54.713119][ T5076] do_syscall_64+0x41/0xc0
[ 54.717521][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.723398][ T5076] page last free stack trace:
[ 54.728061][ T5076] free_unref_page_prepare+0xe2f/0xe70
[ 54.733602][ T5076] free_unref_page_list+0x596/0x830
[ 54.738783][ T5076] release_pages+0x219e/0x2470
[ 54.743545][ T5076] tlb_flush_mmu+0x100/0x210
[ 54.748127][ T5076] tlb_finish_mmu+0xd4/0x1f0
[ 54.752717][ T5076] exit_mmap+0x2c9/0x850
[ 54.756943][ T5076] __mmput+0x115/0x3c0
[ 54.760994][ T5076] exit_mm+0x227/0x310
[ 54.765044][ T5076] do_exit+0x612/0x2290
[ 54.769184][ T5076] do_group_exit+0x206/0x2c0
[ 54.773769][ T5076] __x64_sys_exit_group+0x3f/0x40
[ 54.778777][ T5076] do_syscall_64+0x41/0xc0
[ 54.783180][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.789071][ T5076]
[ 54.791402][ T5076] Memory state around the buggy address:
[ 54.797023][ T5076] ffff88807c4abf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.805068][ T5076] ffff88807c4ac000: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb
[ 54.813109][ T5076] >ffff88807c4ac080: fb fb fb fb fb fb fb fb fc fc fc fc fa fb fb fb
[ 54.821146][ T5076] ^
[ 54.825205][ T5076] ffff88807c4ac100: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
[ 54.833245][ T5076] ffff88807c4ac180: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
[ 54.841282][ T5076] ==================================================================
[ 54.850302][ T5076] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 54.857541][ T5076] CPU: 0 PID: 5076 Comm: syz-executor366 Not tainted 6.3.0-rc3-syzkaller-00338-gda8e7da11e4b #0
[ 54.867948][ T5076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 54.877994][ T5076] Call Trace:
[ 54.881268][ T5076]
[ 54.884195][ T5076] dump_stack_lvl+0x1e7/0x2d0
[ 54.888880][ T5076] ? nf_tcp_handle_invalid+0x650/0x650
[ 54.894334][ T5076] ? panic+0x770/0x770
[ 54.898400][ T5076] ? vscnprintf+0x5d/0x80
[ 54.902751][ T5076] panic+0x31c/0x770
[ 54.906640][ T5076] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 54.912797][ T5076] ? check_panic_on_warn+0x21/0xa0
[ 54.917904][ T5076] ? memcpy_page_flushcache+0x100/0x100
[ 54.923448][ T5076] ? _raw_spin_unlock_irqrestore+0x12c/0x140
[ 54.929429][ T5076] ? _raw_spin_unlock+0x40/0x40
[ 54.934278][ T5076] check_panic_on_warn+0x82/0xa0
[ 54.939211][ T5076] ? get_max_inline_xattr_value_size+0x369/0x510
[ 54.945534][ T5076] end_report+0x63/0x110
[ 54.949775][ T5076] kasan_report+0x183/0x1b0
[ 54.954272][ T5076] ? get_max_inline_xattr_value_size+0x369/0x510
[ 54.960597][ T5076] get_max_inline_xattr_value_size+0x369/0x510
[ 54.966775][ T5076] ext4_get_max_inline_size+0x141/0x200
[ 54.972320][ T5076] ? ext4_ind_truncate_ensure_credits+0x780/0x780
[ 54.978732][ T5076] ? ext4_get_inode_loc+0x14f/0x1a0
[ 54.983926][ T5076] ? ext4_journal_check_start+0x179/0x240
[ 54.989640][ T5076] ext4_prepare_inline_data+0x87/0x1d0
[ 54.995109][ T5076] ext4_da_write_inline_data_begin+0x208/0xe40
[ 55.001274][ T5076] ? ext4_journalled_write_inline_data+0x620/0x620
[ 55.007775][ T5076] ext4_da_write_begin+0x4da/0x960
[ 55.012888][ T5076] ? ext4_dirty_folio+0x310/0x310
[ 55.017911][ T5076] ? fault_in_iov_iter_readable+0xdf/0x280
[ 55.023712][ T5076] generic_perform_write+0x300/0x5e0
[ 55.028995][ T5076] ? generic_file_direct_write+0x460/0x460
[ 55.034881][ T5076] ? clear_nonspinnable+0x60/0x60
[ 55.039903][ T5076] ? __lock_acquire+0x125b/0x1f80
[ 55.044948][ T5076] ? ext4_write_checks+0x255/0x2c0
[ 55.050055][ T5076] ext4_buffered_write_iter+0x122/0x3a0
[ 55.055597][ T5076] ext4_file_write_iter+0x1d6/0x1930
[ 55.060877][ T5076] ? read_lock_is_recursive+0x20/0x20
[ 55.066267][ T5076] ? ext4_file_read_iter+0x670/0x670
[ 55.071571][ T5076] ? __rwlock_init+0x150/0x150
[ 55.076350][ T5076] vfs_write+0x7b2/0xbb0
[ 55.080598][ T5076] ? file_end_write+0x250/0x250
[ 55.085449][ T5076] ? lockdep_hardirqs_on+0x98/0x140
[ 55.090642][ T5076] ? __fdget_pos+0x265/0x2f0
[ 55.095229][ T5076] ksys_write+0x1a0/0x2c0
[ 55.099561][ T5076] ? __ia32_sys_read+0x90/0x90
[ 55.104321][ T5076] ? syscall_enter_from_user_mode+0x32/0x260
[ 55.110297][ T5076] ? syscall_enter_from_user_mode+0x8c/0x260
[ 55.116271][ T5076] do_syscall_64+0x41/0xc0
[ 55.120685][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.126576][ T5076] RIP: 0033:0x7f63c54aea99
[ 55.130985][ T5076] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.150587][ T5076] RSP: 002b:00007fff3f17f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 55.159084][ T5076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f63c54aea99
[ 55.167063][ T5076] RDX: 0000000000000010 RSI: 0000000020000100 RDI: 0000000000000004
[ 55.175028][ T5076] RBP: 0000000000000000 R08: 00007fff3f17f0f0 R09: 00007fff3f17f0f0
[ 55.183008][ T5076] R10: 00007fff3f17f0f0 R11: 0000000000000246 R12: 00007f63c546d960
[ 55.191065][ T5076] R13: 00007fff3f17f120 R14: 00007fff3f17f100 R15: 0000000000000000
[ 55.199037][ T5076]
[ 55.202200][ T5076] Kernel Offset: disabled
[ 55.206516][ T5076] Rebooting in 86400 seconds..