./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3977665705
<...>
forked to background, child pid 3208
no interfaces have a carrier
[ 26.175078][ T3209] 8021q: adding VLAN 0 to HW filter on device bond0
[ 26.184583][ T3209] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.141' (ECDSA) to the list of known hosts.
execve("./syz-executor3977665705", ["./syz-executor3977665705"], 0x7ffca61b3a80 /* 10 vars */) = 0
brk(NULL) = 0x555555d15000
brk(0x555555d15c40) = 0x555555d15c40
arch_prctl(ARCH_SET_FS, 0x555555d15300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3977665705", 4096) = 28
brk(0x555555d36c40) = 0x555555d36c40
brk(0x555555d37000) = 0x555555d37000
mprotect(0x7fd80d217000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd804d5d000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
munmap(0x7fd804d5d000, 1048576) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./file0", 0777) = 0
mount("/dev/loop0", "./file0", "udf", 0, "") = 0
openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
chdir("./file0") = 0
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
setrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM64_INFINITY, rlim_max=RLIM64_INFINITY}) = 0
open("./bus", O_RDWR|O_CREAT|O_SYNC|O_NOATIME|O_CLOEXEC, 000) = 4
pwrite64(4, "\x13", 1, 4402345721853) = 1
syzkaller login: [ 51.297704][ T3629] loop0: detected capacity change from 0 to 2048
[ 51.311002][ T3629] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
open("./bus", O_RDWR|O_CREAT|O_SYNC|O_NOATIME|FASYNC, 000) = 5
pwrite64(4, "\xef", 1, 0) = 1
[ 51.368356][ T3629] ==================================================================
[ 51.376980][ T3629] BUG: KASAN: slab-out-of-bounds in udf_get_filelongad+0x138/0x140
[ 51.384870][ T3629] Read of size 4 at addr ffff88801cd9df58 by task syz-executor397/3629
[ 51.393105][ T3629]
[ 51.395406][ T3629] CPU: 0 PID: 3629 Comm: syz-executor397 Not tainted 6.1.0-rc8-syzkaller-00152-g3ecc37918c80 #0
[ 51.405878][ T3629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 51.415909][ T3629] Call Trace:
[ 51.419166][ T3629]
[ 51.422076][ T3629] dump_stack_lvl+0xd1/0x138
[ 51.426656][ T3629] print_report+0x15e/0x45d
[ 51.431135][ T3629] ? __phys_addr+0xc8/0x140
[ 51.435619][ T3629] ? udf_get_filelongad+0x138/0x140
[ 51.440794][ T3629] kasan_report+0xbf/0x1f0
[ 51.445193][ T3629] ? udf_get_filelongad+0x138/0x140
[ 51.450368][ T3629] udf_get_filelongad+0x138/0x140
[ 51.455388][ T3629] udf_current_aext+0x1d6/0x940
[ 51.460229][ T3629] udf_next_aext+0x210/0x410
[ 51.464798][ T3629] udf_setsize+0xa1e/0x1080
[ 51.469281][ T3629] ? inode_bmap+0x7b0/0x7b0
[ 51.473759][ T3629] ? mark_held_locks+0x9f/0xe0
[ 51.478506][ T3629] ? ktime_get_coarse_real_ts64+0x1bb/0x200
[ 51.484381][ T3629] ? ktime_get_coarse_real_ts64+0x15e/0x200
[ 51.490253][ T3629] ? inode_newsize_ok+0x191/0x210
[ 51.495255][ T3629] ? setattr_prepare+0x13e/0xc60
[ 51.500168][ T3629] ? evm_inode_setattr+0x7e/0x710
[ 51.505171][ T3629] ? file_remove_privs+0x20/0x20
[ 51.510083][ T3629] udf_setattr+0x4a8/0x5e0
[ 51.514486][ T3629] ? security_inode_setattr+0x10c/0x150
[ 51.520066][ T3629] ? udf_file_write_iter+0x650/0x650
[ 51.525338][ T3629] notify_change+0xcd4/0x1440
[ 51.530021][ T3629] ? do_truncate+0x140/0x200
[ 51.534682][ T3629] do_truncate+0x140/0x200
[ 51.539075][ T3629] ? file_open_root+0x430/0x430
[ 51.543907][ T3629] do_sys_ftruncate+0x53a/0x730
[ 51.548733][ T3629] do_syscall_64+0x39/0xb0
[ 51.553133][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 51.559004][ T3629] RIP: 0033:0x7fd80d1a9909
[ 51.563398][ T3629] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 51.583007][ T3629] RSP: 002b:00007ffef9f8c468 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[ 51.591411][ T3629] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd80d1a9909
[ 51.599375][ T3629] RDX: 00007fd80d1a9909 RSI: 0100000000000000 RDI: 0000000000000005
[ 51.607324][ T3629] RBP: 00007fd80d1691a0 R08: 0000000000000000 R09: 0000000000000000
[ 51.615272][ T3629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd80d169230
[ 51.623218][ T3629] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 51.631168][ T3629]
[ 51.634162][ T3629]
[ 51.636459][ T3629] Allocated by task 3629:
[ 51.640759][ T3629] kasan_save_stack+0x22/0x40
[ 51.645422][ T3629] kasan_set_track+0x25/0x30
[ 51.649990][ T3629] __kasan_kmalloc+0xa5/0xb0
[ 51.654573][ T3629] __kmalloc+0x5a/0xd0
[ 51.658615][ T3629] tomoyo_init_log+0x128e/0x1ed0
[ 51.663528][ T3629] tomoyo_supervisor+0x354/0xf10
[ 51.668441][ T3629] tomoyo_path_number_perm+0x3f3/0x550
[ 51.673879][ T3629] security_file_ioctl+0x54/0xb0
[ 51.678791][ T3629] __x64_sys_ioctl+0xb7/0x210
[ 51.683445][ T3629] do_syscall_64+0x39/0xb0
[ 51.688191][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 51.694060][ T3629]
[ 51.696358][ T3629] Freed by task 3629:
[ 51.700321][ T3629] kasan_save_stack+0x22/0x40
[ 51.704975][ T3629] kasan_set_track+0x25/0x30
[ 51.709542][ T3629] kasan_save_free_info+0x2e/0x40
[ 51.714545][ T3629] ____kasan_slab_free+0x160/0x1c0
[ 51.719633][ T3629] slab_free_freelist_hook+0x8b/0x1c0
[ 51.724993][ T3629] __kmem_cache_free+0xaf/0x3b0
[ 51.729820][ T3629] tomoyo_supervisor+0x375/0xf10
[ 51.734739][ T3629] tomoyo_path_number_perm+0x3f3/0x550
[ 51.740172][ T3629] security_file_ioctl+0x54/0xb0
[ 51.745086][ T3629] __x64_sys_ioctl+0xb7/0x210
[ 51.749741][ T3629] do_syscall_64+0x39/0xb0
[ 51.754136][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 51.760093][ T3629]
[ 51.762390][ T3629] The buggy address belongs to the object at ffff88801cd9dc00
[ 51.762390][ T3629] which belongs to the cache kmalloc-512 of size 512
[ 51.776417][ T3629] The buggy address is located 344 bytes to the right of
[ 51.776417][ T3629] 512-byte region [ffff88801cd9dc00, ffff88801cd9de00)
[ 51.790275][ T3629]
[ 51.792573][ T3629] The buggy address belongs to the physical page:
[ 51.798958][ T3629] page:ffffea0000736700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cd9c
[ 51.809082][ T3629] head:ffffea0000736700 order:2 compound_mapcount:0 compound_pincount:0
[ 51.817377][ T3629] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 51.825337][ T3629] raw: 00fff00000010200 ffffea00007b0700 dead000000000002 ffff888012041c80
[ 51.833906][ T3629] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 51.842458][ T3629] page dumped because: kasan: bad access detected
[ 51.848849][ T3629] page_owner tracks the page as allocated
[ 51.854627][ T3629] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 209, tgid 209 (kworker/u4:1), ts 5723325076, free_ts 0
[ 51.874845][ T3629] get_page_from_freelist+0x10b5/0x2d50
[ 51.880372][ T3629] __alloc_pages+0x1cb/0x5b0
[ 51.884939][ T3629] alloc_pages+0x1aa/0x270
[ 51.889332][ T3629] allocate_slab+0x25f/0x350
[ 51.893897][ T3629] ___slab_alloc+0xa91/0x1400
[ 51.898550][ T3629] __slab_alloc.constprop.0+0x56/0xa0
[ 51.903895][ T3629] __kmem_cache_alloc_node+0x199/0x3e0
[ 51.909328][ T3629] kmalloc_trace+0x26/0x60
[ 51.913740][ T3629] alloc_bprm+0x51/0x900
[ 51.917972][ T3629] kernel_execve+0xaf/0x500
[ 51.922448][ T3629] call_usermodehelper_exec_async+0x2e7/0x580
[ 51.928494][ T3629] ret_from_fork+0x1f/0x30
[ 51.932887][ T3629] page_owner free stack trace missing
[ 51.938227][ T3629]
[ 51.940523][ T3629] Memory state around the buggy address:
[ 51.946126][ T3629] ffff88801cd9de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.954160][ T3629] ffff88801cd9de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.962192][ T3629] >ffff88801cd9df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.970242][ T3629] ^
[ 51.977180][ T3629] ffff88801cd9df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.985217][ T3629] ffff88801cd9e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 51.993341][ T3629] ==================================================================
[ 52.001619][ T3629] Kernel panic - not syncing: panic_on_warn set ...
[ 52.008219][ T3629] CPU: 0 PID: 3629 Comm: syz-executor397 Not tainted 6.1.0-rc8-syzkaller-00152-g3ecc37918c80 #0
[ 52.018785][ T3629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 52.028822][ T3629] Call Trace:
[ 52.032082][ T3629]
[ 52.034998][ T3629] dump_stack_lvl+0xd1/0x138
[ 52.039582][ T3629] panic+0x2cc/0x626
[ 52.043479][ T3629] ? panic_print_sys_info.part.0+0x110/0x110
[ 52.049543][ T3629] ? preempt_schedule_common+0x59/0xc0
[ 52.055027][ T3629] ? preempt_schedule_thunk+0x1a/0x1c
[ 52.060392][ T3629] end_report.part.0+0x3f/0x7c
[ 52.065138][ T3629] ? udf_get_filelongad+0x138/0x140
[ 52.070423][ T3629] kasan_report.cold+0xa/0xf
[ 52.075022][ T3629] ? udf_get_filelongad+0x138/0x140
[ 52.080220][ T3629] udf_get_filelongad+0x138/0x140
[ 52.085245][ T3629] udf_current_aext+0x1d6/0x940
[ 52.090080][ T3629] udf_next_aext+0x210/0x410
[ 52.094656][ T3629] udf_setsize+0xa1e/0x1080
[ 52.099142][ T3629] ? inode_bmap+0x7b0/0x7b0
[ 52.103630][ T3629] ? mark_held_locks+0x9f/0xe0
[ 52.108404][ T3629] ? ktime_get_coarse_real_ts64+0x1bb/0x200
[ 52.114389][ T3629] ? ktime_get_coarse_real_ts64+0x15e/0x200
[ 52.120378][ T3629] ? inode_newsize_ok+0x191/0x210
[ 52.125391][ T3629] ? setattr_prepare+0x13e/0xc60
[ 52.130318][ T3629] ? evm_inode_setattr+0x7e/0x710
[ 52.135938][ T3629] ? file_remove_privs+0x20/0x20
[ 52.140862][ T3629] udf_setattr+0x4a8/0x5e0
[ 52.145272][ T3629] ? security_inode_setattr+0x10c/0x150
[ 52.150807][ T3629] ? udf_file_write_iter+0x650/0x650
[ 52.156091][ T3629] notify_change+0xcd4/0x1440
[ 52.160755][ T3629] ? do_truncate+0x140/0x200
[ 52.165327][ T3629] do_truncate+0x140/0x200
[ 52.169816][ T3629] ? file_open_root+0x430/0x430
[ 52.174657][ T3629] do_sys_ftruncate+0x53a/0x730
[ 52.179493][ T3629] do_syscall_64+0x39/0xb0
[ 52.183918][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 52.189800][ T3629] RIP: 0033:0x7fd80d1a9909
[ 52.194197][ T3629] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 52.213794][ T3629] RSP: 002b:00007ffef9f8c468 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[ 52.223503][ T3629] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd80d1a9909
[ 52.231467][ T3629] RDX: 00007fd80d1a9909 RSI: 0100000000000000 RDI: 0000000000000005
[ 52.239710][ T3629] RBP: 00007fd80d1691a0 R08: 0000000000000000 R09: 0000000000000000
[ 52.247689][ T3629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd80d169230
[ 52.255645][ T3629] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 52.263604][ T3629]
[ 52.267142][ T3629] Kernel Offset: disabled
[ 52.271452][ T3629] Rebooting in 86400 seconds..