./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3622800191 <...> Warning: Permanently added '10.128.1.91' (ED25519) to the list of known hosts. execve("./syz-executor3622800191", ["./syz-executor3622800191"], 0x7ffdd2be2d40 /* 10 vars */) = 0 brk(NULL) = 0x555584619000 brk(0x555584619d00) = 0x555584619d00 arch_prctl(ARCH_SET_FS, 0x555584619380) = 0 set_tid_address(0x555584619650) = 5093 set_robust_list(0x555584619660, 24) = 0 rseq(0x555584619ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3622800191", 4096) = 28 getrandom("\x96\x26\xee\xbe\xb9\xfd\xc9\x4a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555584619d00 brk(0x55558463ad00) = 0x55558463ad00 brk(0x55558463b000) = 0x55558463b000 mprotect(0x7f3b4cc10000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.IpvSEw", 0700) = 0 chmod("./syzkaller.IpvSEw", 0777) = 0 chdir("./syzkaller.IpvSEw") = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5094 attached [pid 5094] set_robust_list(0x555584619660, 24 [pid 5093] <... clone resumed>, child_tidptr=0x555584619650) = 5094 [pid 5094] <... set_robust_list resumed>) = 0 [pid 5094] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5094] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5094] setsid() = 1 [pid 5094] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5094] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5094] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5094] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5094] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5094] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5094] unshare(CLONE_NEWNS) = 0 [pid 5094] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5094] unshare(CLONE_NEWIPC) = 0 [pid 5094] unshare(CLONE_NEWCGROUP) = 0 [pid 5094] unshare(CLONE_NEWUTS) = 0 [pid 5094] unshare(CLONE_SYSVSEM) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "16777216", 8) = 8 [pid 5094] close(3) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "536870912", 9) = 9 [pid 5094] close(3) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "1024", 4) = 4 [pid 5094] close(3) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "8192", 4) = 4 [pid 5094] close(3) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "1024", 4) = 4 [pid 5094] close(3) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "1024", 4) = 4 [pid 5094] close(3) = 0 [pid 5094] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5094] close(3) = 0 [pid 5094] getpid() = 1 [pid 5094] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<) = 0 [pid 5094] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 5094] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 5094] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 5094] getdents64(3, 0x55558461a6f0 /* 4 entries */, 32768) = 104 [pid 5094] umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 5094] newfstatat(AT_FDCWD, "./0/bus", {st_mode=S_IFDIR|0755, st_size=48, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5094] umount2("./0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 5094] openat(AT_FDCWD, "./0/bus", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 5094] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=48, ...}, AT_EMPTY_PATH) = 0 [pid 5094] getdents64(4, 0x555584622730 /* 7 entries */, 32768) = 200 [pid 5094] umount2("./0/bus/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 [pid 5094] umount2("./0/bus/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 5094] newfstatat(AT_FDCWD, "./0/bus/bus", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5094] unlink("./0/bus/bus") = 0 [pid 5094] umount2("./0/bus/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 5094] newfstatat(AT_FDCWD, "./0/bus/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 5094] unlink("./0/bus/file.cold") = 0 [pid 5094] umount2("./0/bus/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EIO (Input/output error) [pid 5094] newfstatat(AT_FDCWD, "./0/bus/file0", 0x7ffd4bb29b50, AT_SYMLINK_NOFOLLOW) = -1 EIO (Input/output error) [pid 5094] exit_group(1) = ? [ 109.868147][ T5094] ERROR: (device loop0): diRead: i_ino != di_number [ 109.868147][ T5094] [ 109.878106][ T5094] ERROR: (device loop0): remounting filesystem as read-only [ 109.885930][ T5094] jfs_lookup: iget failed on inum 32 [ 109.893122][ T5094] ERROR: (device loop0): diRead: i_ino != di_number [ 109.893122][ T5094] [ 109.902145][ T5094] jfs_lookup: iget failed on inum 32 [ 109.924028][ T112] ================================================================== [ 109.932129][ T112] BUG: KASAN: use-after-free in dbJoin+0x295/0x2b0 [ 109.938672][ T112] Read of size 1 at addr ffff8881788e1061 by task jfsCommit/112 [ 109.946324][ T112] [ 109.948656][ T112] CPU: 1 PID: 112 Comm: jfsCommit Not tainted 6.9.0-syzkaller-01768-ga5131c3fdf26 #0 [ 109.958142][ T112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 109.968214][ T112] Call Trace: [ 109.971509][ T112] [ 109.974452][ T112] dump_stack_lvl+0x116/0x1f0 [ 109.979179][ T112] print_report+0xc3/0x620 [ 109.983655][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 109.989344][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 109.995033][ T112] ? __phys_addr+0xc6/0x150 [ 109.999575][ T112] kasan_report+0xd9/0x110 [ 110.004044][ T112] ? dbJoin+0x295/0x2b0 [ 110.008238][ T112] ? dbJoin+0x295/0x2b0 [ 110.012435][ T112] dbJoin+0x295/0x2b0 [ 110.016428][ T112] dbFreeBits+0x15c/0x8f0 [ 110.020764][ T112] ? folio_flags.constprop.0+0x56/0x150 [ 110.026325][ T112] dbFreeDmap+0x62/0x1b0 [ 110.030579][ T112] dbFree+0x266/0x550 [ 110.034578][ T112] txFreeMap+0x788/0xe60 [ 110.038829][ T112] ? rcu_is_watching+0x12/0xc0 [ 110.043611][ T112] xtTruncate+0x1e57/0x2c80 [ 110.048136][ T112] ? __pfx_xtTruncate+0x10/0x10 [ 110.053029][ T112] jfs_free_zero_link+0x372/0x4f0 [ 110.058074][ T112] ? __pfx_jfs_free_zero_link+0x10/0x10 [ 110.063641][ T112] ? __pfx_wake_bit_function+0x10/0x10 [ 110.069113][ T112] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 110.074504][ T112] ? do_raw_spin_unlock+0x172/0x230 [ 110.079722][ T112] jfs_evict_inode+0x423/0x4b0 [ 110.084504][ T112] ? __pfx_jfs_evict_inode+0x10/0x10 [ 110.089812][ T112] evict+0x2f0/0x6c0 [ 110.093732][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.099392][ T112] iput.part.0+0x5a8/0x7f0 [ 110.103839][ T112] iput+0x5c/0x80 [ 110.107487][ T112] txUpdateMap+0xaf3/0xd20 [ 110.111923][ T112] ? __pfx_txUpdateMap+0x10/0x10 [ 110.116869][ T112] ? _raw_spin_unlock_irqrestore+0x52/0x80 [ 110.122686][ T112] jfs_lazycommit+0x5e6/0xb20 [ 110.127394][ T112] ? __pfx_jfs_lazycommit+0x10/0x10 [ 110.132602][ T112] ? __pfx_default_wake_function+0x10/0x10 [ 110.138416][ T112] ? lockdep_hardirqs_on+0x7c/0x110 [ 110.143626][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.149281][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.154933][ T112] ? __kthread_parkme+0x148/0x220 [ 110.159962][ T112] ? __pfx_jfs_lazycommit+0x10/0x10 [ 110.165170][ T112] kthread+0x2c4/0x3a0 [ 110.169253][ T112] ? _raw_spin_unlock_irq+0x23/0x50 [ 110.174458][ T112] ? __pfx_kthread+0x10/0x10 [ 110.179059][ T112] ret_from_fork+0x48/0x80 [ 110.183483][ T112] ? __pfx_kthread+0x10/0x10 [ 110.188083][ T112] ret_from_fork_asm+0x1a/0x30 [ 110.192879][ T112] [ 110.195889][ T112] [ 110.198201][ T112] The buggy address belongs to the physical page: [ 110.204598][ T112] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1788e1 [ 110.213443][ T112] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) [ 110.220632][ T112] page_type: 0xffffffff() [ 110.224958][ T112] raw: 057ff00000000000 ffffea0005e23848 ffffea0005e23848 0000000000000000 [ 110.233543][ T112] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 110.242117][ T112] page dumped because: kasan: bad access detected [ 110.248549][ T112] page_owner info is not present (never set?) [ 110.254600][ T112] [ 110.256912][ T112] Memory state around the buggy address: [ 110.262531][ T112] ffff8881788e0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 110.270584][ T112] ffff8881788e0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 110.278641][ T112] >ffff8881788e1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 110.286712][ T112] ^ [ 110.293911][ T112] ffff8881788e1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 110.301971][ T112] ffff8881788e1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 110.310030][ T112] ================================================================== [ 110.318447][ T112] Disabling lock debugging due to kernel taint [ 110.325345][ T112] ------------[ cut here ]------------ [ 110.330817][ T112] UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2900:31 [ 110.338512][ T112] index -3 is out of range for type 's8 [1365]' [ 110.351754][ T112] CPU: 1 PID: 112 Comm: jfsCommit Tainted: G B 6.9.0-syzkaller-01768-ga5131c3fdf26 #0 [ 110.362736][ T112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 110.372808][ T112] Call Trace: [ 110.376092][ T112] [ 110.379016][ T112] dump_stack_lvl+0x16c/0x1f0 [ 110.383708][ T112] __ubsan_handle_out_of_bounds+0x110/0x150 [ 110.389627][ T112] dbAdjTree+0x383/0x3d0 [ 110.393880][ T112] dbJoin+0x24b/0x2b0 [ 110.397957][ T112] dbFreeBits+0x15c/0x8f0 [ 110.402295][ T112] ? folio_flags.constprop.0+0x56/0x150 [ 110.407863][ T112] dbFreeDmap+0x62/0x1b0 [ 110.412118][ T112] dbFree+0x266/0x550 [ 110.416114][ T112] txFreeMap+0x788/0xe60 [ 110.420365][ T112] ? rcu_is_watching+0x12/0xc0 [ 110.425163][ T112] xtTruncate+0x1e57/0x2c80 [ 110.429692][ T112] ? __pfx_xtTruncate+0x10/0x10 [ 110.434588][ T112] jfs_free_zero_link+0x372/0x4f0 [ 110.439653][ T112] ? __pfx_jfs_free_zero_link+0x10/0x10 [ 110.445236][ T112] ? __pfx_wake_bit_function+0x10/0x10 [ 110.450739][ T112] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 110.456145][ T112] ? do_raw_spin_unlock+0x172/0x230 [ 110.461380][ T112] jfs_evict_inode+0x423/0x4b0 [ 110.466190][ T112] ? __pfx_jfs_evict_inode+0x10/0x10 [ 110.471513][ T112] evict+0x2f0/0x6c0 [ 110.475437][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.481120][ T112] iput.part.0+0x5a8/0x7f0 [ 110.485575][ T112] iput+0x5c/0x80 [ 110.489238][ T112] txUpdateMap+0xaf3/0xd20 [ 110.493684][ T112] ? __pfx_txUpdateMap+0x10/0x10 [ 110.498645][ T112] ? _raw_spin_unlock_irqrestore+0x52/0x80 [ 110.504478][ T112] jfs_lazycommit+0x5e6/0xb20 [ 110.509184][ T112] ? __pfx_jfs_lazycommit+0x10/0x10 [ 110.514408][ T112] ? __pfx_default_wake_function+0x10/0x10 [ 110.520263][ T112] ? lockdep_hardirqs_on+0x7c/0x110 [ 110.525506][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.531189][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.536878][ T112] ? __kthread_parkme+0x148/0x220 [ 110.541944][ T112] ? __pfx_jfs_lazycommit+0x10/0x10 [ 110.547196][ T112] kthread+0x2c4/0x3a0 [ 110.551298][ T112] ? _raw_spin_unlock_irq+0x23/0x50 [ 110.556522][ T112] ? __pfx_kthread+0x10/0x10 [ 110.561145][ T112] ret_from_fork+0x48/0x80 [ 110.565591][ T112] ? __pfx_kthread+0x10/0x10 [ 110.570211][ T112] ret_from_fork_asm+0x1a/0x30 [ 110.575031][ T112] [ 110.578770][ T112] ---[ end trace ]--- [ 110.583163][ T112] Kernel panic - not syncing: UBSAN: panic_on_warn set ... [ 110.590387][ T112] CPU: 1 PID: 112 Comm: jfsCommit Tainted: G B 6.9.0-syzkaller-01768-ga5131c3fdf26 #0 [ 110.601337][ T112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 110.611409][ T112] Call Trace: [ 110.614694][ T112] [ 110.617619][ T112] dump_stack_lvl+0x3d/0x1f0 [ 110.622225][ T112] panic+0x6f5/0x7a0 [ 110.626138][ T112] ? __pfx_panic+0x10/0x10 [ 110.630591][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.636270][ T112] ? __pfx__printk+0x10/0x10 [ 110.640888][ T112] ? check_panic_on_warn+0x1f/0xb0 [ 110.646036][ T112] check_panic_on_warn+0xab/0xb0 [ 110.651014][ T112] __ubsan_handle_out_of_bounds+0x137/0x150 [ 110.656956][ T112] dbAdjTree+0x383/0x3d0 [ 110.661219][ T112] dbJoin+0x24b/0x2b0 [ 110.665224][ T112] dbFreeBits+0x15c/0x8f0 [ 110.669577][ T112] ? folio_flags.constprop.0+0x56/0x150 [ 110.675158][ T112] dbFreeDmap+0x62/0x1b0 [ 110.679438][ T112] dbFree+0x266/0x550 [ 110.683455][ T112] txFreeMap+0x788/0xe60 [ 110.687727][ T112] ? rcu_is_watching+0x12/0xc0 [ 110.692532][ T112] xtTruncate+0x1e57/0x2c80 [ 110.697070][ T112] ? __pfx_xtTruncate+0x10/0x10 [ 110.701970][ T112] jfs_free_zero_link+0x372/0x4f0 [ 110.707046][ T112] ? __pfx_jfs_free_zero_link+0x10/0x10 [ 110.712631][ T112] ? __pfx_wake_bit_function+0x10/0x10 [ 110.718125][ T112] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 110.723545][ T112] ? do_raw_spin_unlock+0x172/0x230 [ 110.728818][ T112] jfs_evict_inode+0x423/0x4b0 [ 110.733679][ T112] ? __pfx_jfs_evict_inode+0x10/0x10 [ 110.739007][ T112] evict+0x2f0/0x6c0 [ 110.742935][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.748616][ T112] iput.part.0+0x5a8/0x7f0 [ 110.753072][ T112] iput+0x5c/0x80 [ 110.756735][ T112] txUpdateMap+0xaf3/0xd20 [ 110.761182][ T112] ? __pfx_txUpdateMap+0x10/0x10 [ 110.766144][ T112] ? _raw_spin_unlock_irqrestore+0x52/0x80 [ 110.771999][ T112] jfs_lazycommit+0x5e6/0xb20 [ 110.776708][ T112] ? __pfx_jfs_lazycommit+0x10/0x10 [ 110.781929][ T112] ? __pfx_default_wake_function+0x10/0x10 [ 110.787755][ T112] ? lockdep_hardirqs_on+0x7c/0x110 [ 110.792980][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.798655][ T112] ? srso_alias_return_thunk+0x5/0xfbef5 [ 110.804327][ T112] ? __kthread_parkme+0x148/0x220 [ 110.809371][ T112] ? __pfx_jfs_lazycommit+0x10/0x10 [ 110.814595][ T112] kthread+0x2c4/0x3a0 [ 110.818688][ T112] ? _raw_spin_unlock_irq+0x23/0x50 [ 110.823903][ T112] ? __pfx_kthread+0x10/0x10 [ 110.828517][ T112] ret_from_fork+0x48/0x80 [ 110.832951][ T112] ? __pfx_kthread+0x10/0x10 [ 110.837569][ T112] ret_from_fork_asm+0x1a/0x30 [ 110.842381][ T112] [ 110.845504][ T112] Kernel Offset: disabled [ 110.849824][ T112] Rebooting in 86400 seconds..