./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2674518139 <...> Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts. execve("./syz-executor2674518139", ["./syz-executor2674518139"], 0x7ffc5a733bb0 /* 10 vars */) = 0 brk(NULL) = 0x555555c3a000 brk(0x555555c3ac40) = 0x555555c3ac40 arch_prctl(ARCH_SET_FS, 0x555555c3a300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555555c3a5d0) = 4999 set_robust_list(0x555555c3a5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f3de0d10a80, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3de0d11150}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f3de0d10b20, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3de0d11150}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2674518139", 4096) = 28 brk(0x555555c5bc40) = 0x555555c5bc40 brk(0x555555c5c000) = 0x555555c5c000 mprotect(0x7f3de0df2000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=784, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=4999}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x2e\x00\x00\x00\x98\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 784 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4999}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 access("/proc/net", R_OK) = 0 access("/proc/net/unix", R_OK) = 0 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4999}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4999}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4999}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4999}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4999}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555c3a5d0) = 5001 ./strace-static-x86_64: Process 5001 attached [pid 5001] set_robust_list(0x555555c3a5e0, 24) = 0 [pid 5001] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5001] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5001] setsid() = 1 [pid 5001] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5001] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5001] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5001] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5001] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5001] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5001] unshare(CLONE_NEWNS) = 0 [pid 5001] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5001] unshare(CLONE_NEWIPC) = 0 [pid 5001] unshare(CLONE_NEWCGROUP) = 0 [pid 5001] unshare(CLONE_NEWUTS) = 0 [pid 5001] unshare(CLONE_SYSVSEM) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "16777216", 8) = 8 [pid 5001] close(3) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "536870912", 9) = 9 [pid 5001] close(3) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "1024", 4) = 4 [pid 5001] close(3) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "8192", 4) = 4 [pid 5001] close(3) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "1024", 4) = 4 [pid 5001] close(3) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "1024", 4) = 4 [pid 5001] close(3) = 0 [pid 5001] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5001] close(3) = 0 [pid 5001] getpid() = 1 [pid 5001] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5004] set_robust_list(0x7f3de0cff9e0, 24) = 0 [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f3de0df87ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5004] memfd_create("syzkaller", 0) = 3 [pid 5004] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3dd88df000 [pid 5004] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 5004] munmap(0x7f3dd88df000, 1048576) = 0 [pid 5004] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5004] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5004] close(3) = 0 [pid 5004] mkdir("./file0", 0777) = 0 syzkaller login: [ 42.771377][ T5004] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5004 'syz-executor267' [ 42.790141][ T5004] loop0: detected capacity change from 0 to 2048 [ 42.800677][ T5004] UDF-fs: error (device loop0): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0 [ 42.812081][ T5004] UDF-fs: warning (device loop0): udf_load_vrs: No anchor found [pid 5004] mount("/dev/loop0", "./file0", "udf", MS_NODEV, "novrs,") = 0 [pid 5004] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5004] chdir("./file0") = 0 [pid 5004] ioctl(4, LOOP_CLR_FD) = 0 [pid 5004] close(4) = 0 [pid 5004] futex(0x7f3de0df87ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5004] futex(0x7f3de0df87a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f3de0df87a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5001] futex(0x7f3de0df87ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5004] <... futex resumed>) = 0 [pid 5004] memfd_create("syzkaller", 0) = 4 [pid 5004] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory) [pid 5004] close(4) = 0 [pid 5004] futex(0x7f3de0df87ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f3de0df87a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f3de0df87ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5004] <... futex resumed>) = 1 [pid 5004] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 5004] futex(0x7f3de0df87ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f3de0df87a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f3de0df87ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5004] <... futex resumed>) = 1 [pid 5004] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 5004] futex(0x7f3de0df87ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f3de0df87a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f3de0df87ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5004] <... futex resumed>) = 1 [pid 5004] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 5004] futex(0x7f3de0df87ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f3de0df87a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f3de0df87ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5004] <... futex resumed>) = 1 [ 42.819793][ T5004] UDF-fs: Scanning with blocksize 512 failed [ 42.828049][ T5004] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [pid 5004] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 1048576 [pid 5004] futex(0x7f3de0df87ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5001] <... futex resumed>) = 0 [pid 5001] exit_group(1) = ? [ 42.911400][ T5004] ================================================================== [ 42.919479][ T5004] BUG: KASAN: use-after-free in crc_itu_t+0xd2/0xe0 [ 42.926077][ T5004] Read of size 1 at addr ffff88807415f000 by task syz-executor267/5004 [ 42.934295][ T5004] [ 42.936600][ T5004] CPU: 0 PID: 5004 Comm: syz-executor267 Not tainted 6.4.0-rc7-syzkaller-00194-g8a28a0b6f1a1 #0 [ 42.946999][ T5004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 [ 42.957038][ T5004] Call Trace: [ 42.960306][ T5004] [ 42.963223][ T5004] dump_stack_lvl+0xd9/0x150 [ 42.967810][ T5004] print_address_description.constprop.0+0x2c/0x3c0 [ 42.974397][ T5004] ? crc_itu_t+0xd2/0xe0 [ 42.978637][ T5004] kasan_report+0x11c/0x130 [ 42.983133][ T5004] ? crc_itu_t+0xd2/0xe0 [ 42.987392][ T5004] crc_itu_t+0xd2/0xe0 [ 42.991453][ T5004] udf_finalize_lvid+0xe0/0x1d0 [ 42.996290][ T5004] ? udf_mount+0x40/0x40 [ 43.000517][ T5004] udf_sync_fs+0xea/0x150 [ 43.004829][ T5004] ? udf_finalize_lvid+0x1d0/0x1d0 [ 43.009925][ T5004] sync_filesystem.part.0+0x75/0x1d0 [ 43.015200][ T5004] sync_filesystem+0x8f/0xc0 [ 43.019775][ T5004] generic_shutdown_super+0x74/0x480 [ 43.025049][ T5004] kill_block_super+0xa1/0x100 [ 43.029799][ T5004] deactivate_locked_super+0x98/0x160 [ 43.035159][ T5004] deactivate_super+0xb1/0xd0 [ 43.039828][ T5004] cleanup_mnt+0x2ae/0x3d0 [ 43.044231][ T5004] task_work_run+0x16f/0x270 [ 43.048807][ T5004] ? task_work_cancel+0x30/0x30 [ 43.053644][ T5004] do_exit+0xaa3/0x29b0 [ 43.057787][ T5004] ? find_held_lock+0x2d/0x110 [ 43.062544][ T5004] ? get_signal+0x89d/0x25b0 [ 43.067122][ T5004] ? mm_update_next_owner+0x7b0/0x7b0 [ 43.072480][ T5004] ? do_raw_spin_lock+0x124/0x2b0 [ 43.077516][ T5004] ? spin_bug+0x1c0/0x1c0 [ 43.081850][ T5004] do_group_exit+0xd4/0x2a0 [ 43.086343][ T5004] get_signal+0x2318/0x25b0 [ 43.090832][ T5004] ? do_raw_spin_lock+0x124/0x2b0 [ 43.095851][ T5004] ? _raw_spin_lock_irq+0x45/0x50 [ 43.100900][ T5004] ? exit_signals+0x910/0x910 [ 43.105562][ T5004] ? recalc_sigpending_tsk+0x18b/0x1d0 [ 43.111020][ T5004] ? ptrace_stop.part.0+0x60f/0x8e0 [ 43.116222][ T5004] ? find_held_lock+0x2d/0x110 [ 43.120975][ T5004] arch_do_signal_or_restart+0x79/0x5c0 [ 43.126686][ T5004] ? get_sigframe_size+0x10/0x10 [ 43.131610][ T5004] ? lock_downgrade+0x690/0x690 [ 43.136460][ T5004] ? _raw_spin_unlock_irq+0x23/0x50 [ 43.141653][ T5004] exit_to_user_mode_prepare+0x11f/0x240 [ 43.147291][ T5004] syscall_exit_to_user_mode+0x1d/0x50 [ 43.152747][ T5004] do_syscall_64+0x46/0xb0 [ 43.157168][ T5004] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.163070][ T5004] RIP: 0033:0x7f3de0d536e9 [ 43.167473][ T5004] Code: Unable to access opcode bytes at 0x7f3de0d536bf. [ 43.174469][ T5004] RSP: 002b:00007f3de0cff2f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 43.182866][ T5004] RAX: 0000000000000001 RBX: 00007f3de0df87a0 RCX: 00007f3de0d536e9 [ 43.190833][ T5004] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f3de0df87ac [ 43.198795][ T5004] RBP: 00007f3de0dc56a0 R08: 0000000000000000 R09: 0000000000000000 [ 43.206779][ T5004] R10: 0000000000000000 R11: 0000000000000246 R12: 6573726168636f69 [ 43.214770][ T5004] R13: 6174656d776f6873 R14: 6f6f6c2f7665642f R15: 00007f3de0df87a8 [ 43.222752][ T5004] [ 43.225756][ T5004] [ 43.228060][ T5004] The buggy address belongs to the physical page: [ 43.234446][ T5004] page:ffffea0001d057c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7415f [ 43.244584][ T5004] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 43.251680][ T5004] page_type: 0xffffffff() [ 43.255997][ T5004] raw: 00fff00000000000 ffffea0001d05808 ffffea0001cfab08 0000000000000000 [ 43.264566][ T5004] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 43.273126][ T5004] page dumped because: kasan: bad access detected [ 43.279524][ T5004] page_owner tracks the page as freed [ 43.284870][ T5004] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4950, tgid 4950 (sshd), ts 36146438600, free_ts 36197435493 [ 43.302834][ T5004] post_alloc_hook+0x2db/0x350 [ 43.307607][ T5004] get_page_from_freelist+0xf41/0x2c00 [ 43.313065][ T5004] __alloc_pages+0x1cb/0x4a0 [ 43.317648][ T5004] __folio_alloc+0x16/0x40 [ 43.322053][ T5004] vma_alloc_folio+0x155/0x890 [ 43.326829][ T5004] __handle_mm_fault+0x224c/0x41c0 [ 43.331925][ T5004] handle_mm_fault+0x2af/0x9f0 [ 43.336678][ T5004] do_user_addr_fault+0x2ca/0x1210 [ 43.341779][ T5004] exc_page_fault+0x98/0x170 [ 43.346362][ T5004] asm_exc_page_fault+0x26/0x30 [ 43.351203][ T5004] page last free stack trace: [ 43.355857][ T5004] free_unref_page_prepare+0x62e/0xcb0 [ 43.361306][ T5004] free_unref_page_list+0xe3/0xa70 [ 43.366408][ T5004] release_pages+0xcd8/0x1380 [ 43.371073][ T5004] tlb_batch_pages_flush+0xa8/0x1a0 [ 43.376260][ T5004] tlb_finish_mmu+0x14b/0x7e0 [ 43.380926][ T5004] unmap_region+0x23d/0x2d0 [ 43.385503][ T5004] do_vmi_align_munmap+0xf0c/0x1640 [ 43.390690][ T5004] do_vmi_munmap+0x26e/0x2c0 [ 43.395271][ T5004] __vm_munmap+0x133/0x3b0 [ 43.399673][ T5004] __x64_sys_munmap+0x62/0x80 [ 43.404340][ T5004] do_syscall_64+0x39/0xb0 [ 43.408739][ T5004] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.414625][ T5004] [ 43.416928][ T5004] Memory state around the buggy address: [ 43.422623][ T5004] ffff88807415ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.430683][ T5004] ffff88807415ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.438728][ T5004] >ffff88807415f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 43.446855][ T5004] ^ [ 43.450899][ T5004] ffff88807415f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 43.458943][ T5004] ffff88807415f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 43.466981][ T5004] ================================================================== [ 43.479441][ T5004] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 43.486655][ T5004] CPU: 0 PID: 5004 Comm: syz-executor267 Not tainted 6.4.0-rc7-syzkaller-00194-g8a28a0b6f1a1 #0 [ 43.497130][ T5004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 [ 43.507183][ T5004] Call Trace: [ 43.510443][ T5004] [ 43.513349][ T5004] dump_stack_lvl+0xd9/0x150 [ 43.517920][ T5004] panic+0x686/0x730 [ 43.521797][ T5004] ? panic_smp_self_stop+0xa0/0xa0 [ 43.526894][ T5004] ? preempt_schedule_thunk+0x1a/0x20 [ 43.532245][ T5004] ? preempt_schedule_common+0x45/0xb0 [ 43.537684][ T5004] check_panic_on_warn+0xb1/0xc0 [ 43.542607][ T5004] end_report+0xe9/0x120 [ 43.546835][ T5004] ? crc_itu_t+0xd2/0xe0 [ 43.551055][ T5004] kasan_report+0xf9/0x130 [ 43.555473][ T5004] ? crc_itu_t+0xd2/0xe0 [ 43.559713][ T5004] crc_itu_t+0xd2/0xe0 [ 43.564022][ T5004] udf_finalize_lvid+0xe0/0x1d0 [ 43.568856][ T5004] ? udf_mount+0x40/0x40 [ 43.573081][ T5004] udf_sync_fs+0xea/0x150 [ 43.577389][ T5004] ? udf_finalize_lvid+0x1d0/0x1d0 [ 43.582479][ T5004] sync_filesystem.part.0+0x75/0x1d0 [ 43.587743][ T5004] sync_filesystem+0x8f/0xc0 [ 43.592483][ T5004] generic_shutdown_super+0x74/0x480 [ 43.597746][ T5004] kill_block_super+0xa1/0x100 [ 43.602509][ T5004] deactivate_locked_super+0x98/0x160 [ 43.607868][ T5004] deactivate_super+0xb1/0xd0 [ 43.612525][ T5004] cleanup_mnt+0x2ae/0x3d0 [ 43.616920][ T5004] task_work_run+0x16f/0x270 [ 43.621493][ T5004] ? task_work_cancel+0x30/0x30 [ 43.626326][ T5004] do_exit+0xaa3/0x29b0 [ 43.630486][ T5004] ? find_held_lock+0x2d/0x110 [ 43.635227][ T5004] ? get_signal+0x89d/0x25b0 [ 43.639794][ T5004] ? mm_update_next_owner+0x7b0/0x7b0 [ 43.645143][ T5004] ? do_raw_spin_lock+0x124/0x2b0 [ 43.650146][ T5004] ? spin_bug+0x1c0/0x1c0 [ 43.654453][ T5004] do_group_exit+0xd4/0x2a0 [ 43.658933][ T5004] get_signal+0x2318/0x25b0 [ 43.663432][ T5004] ? do_raw_spin_lock+0x124/0x2b0 [ 43.668439][ T5004] ? _raw_spin_lock_irq+0x45/0x50 [ 43.673447][ T5004] ? exit_signals+0x910/0x910 [ 43.678100][ T5004] ? recalc_sigpending_tsk+0x18b/0x1d0 [ 43.683533][ T5004] ? ptrace_stop.part.0+0x60f/0x8e0 [ 43.688706][ T5004] ? find_held_lock+0x2d/0x110 [ 43.693463][ T5004] arch_do_signal_or_restart+0x79/0x5c0 [ 43.698987][ T5004] ? get_sigframe_size+0x10/0x10 [ 43.703920][ T5004] ? lock_downgrade+0x690/0x690 [ 43.708757][ T5004] ? _raw_spin_unlock_irq+0x23/0x50 [ 43.713936][ T5004] exit_to_user_mode_prepare+0x11f/0x240 [ 43.719556][ T5004] syscall_exit_to_user_mode+0x1d/0x50 [ 43.724998][ T5004] do_syscall_64+0x46/0xb0 [ 43.729392][ T5004] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.735278][ T5004] RIP: 0033:0x7f3de0d536e9 [ 43.739667][ T5004] Code: Unable to access opcode bytes at 0x7f3de0d536bf. [ 43.746662][ T5004] RSP: 002b:00007f3de0cff2f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 43.755047][ T5004] RAX: 0000000000000001 RBX: 00007f3de0df87a0 RCX: 00007f3de0d536e9 [ 43.762994][ T5004] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f3de0df87ac [ 43.770944][ T5004] RBP: 00007f3de0dc56a0 R08: 0000000000000000 R09: 0000000000000000 [ 43.778894][ T5004] R10: 0000000000000000 R11: 0000000000000246 R12: 6573726168636f69 [ 43.786850][ T5004] R13: 6174656d776f6873 R14: 6f6f6c2f7665642f R15: 00007f3de0df87a8 [ 43.794797][ T5004] [ 43.798510][ T5004] Kernel Offset: disabled [ 43.802883][ T5004] Rebooting in 86400 seconds..