./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3057863028 <...> Warning: Permanently added '10.128.1.57' (ED25519) to the list of known hosts. execve("./syz-executor3057863028", ["./syz-executor3057863028"], 0x7ffd3736b900 /* 10 vars */) = 0 brk(NULL) = 0x555575f56000 brk(0x555575f56e00) = 0x555575f56e00 arch_prctl(ARCH_SET_FS, 0x555575f56480) = 0 set_tid_address(0x555575f56750) = 5221 set_robust_list(0x555575f56760, 24) = 0 rseq(0x555575f56da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3057863028", 4096) = 28 getrandom("\x7f\x69\x7d\xa4\x78\x0e\xbe\xfe", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555575f56e00 brk(0x555575f77e00) = 0x555575f77e00 brk(0x555575f78000) = 0x555575f78000 mprotect(0x7f7cbf26c000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5222 attached [pid 5222] set_robust_list(0x555575f56760, 24 [pid 5221] <... clone resumed>, child_tidptr=0x555575f56750) = 5222 [pid 5222] <... set_robust_list resumed>) = 0 [pid 5221] openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "10000000000", 11) = 11 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "20", 2) = 2 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "1", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "0", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "0", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "1", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "100", 3) = 3 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "0", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "0", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "7 4 1 3", 7) = 7 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "1", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "1", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "0", 1) = 1 [pid 5221] close(3) = 0 [pid 5221] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 [pid 5221] write(3, "5222", 4) = 4 [pid 5221] close(3) = 0 [pid 5221] kill(5222, SIGKILL) = 0 [pid 5222] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5222, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=864, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5221}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x30\x00\x00\x00\xe8\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 864 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5221}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5221}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5221}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5221}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5221}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5221}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f7cbf1bc090, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f7cbf1c4960}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f7cbf1bc090, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f7cbf1c4960}, NULL, 8) = 0 mkdir("./syzkaller.aUK81Q", 0700) = 0 chmod("./syzkaller.aUK81Q", 0777) = 0 chdir("./syzkaller.aUK81Q") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5225 attached , child_tidptr=0x555575f56750) = 5225 [pid 5225] set_robust_list(0x555575f56760, 24) = 0 [pid 5225] chdir("./0") = 0 [pid 5225] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5225] setpgid(0, 0) = 0 [pid 5225] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5225] write(3, "1000", 4) = 4 [pid 5225] close(3) = 0 [pid 5225] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5225] write(1, "executing program\n", 18) = 18 [pid 5225] memfd_create("syzkaller", 0) = 3 [pid 5225] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7cb6c00000 [pid 5225] write(3, "\x02\x02\x02\x02\x02\x02\x02\x02\x74\x68\x69\x73\x20\x69\x73\x20\x61\x6e\x20\x6f\x63\x66\x73\x32\x20\x76\x6f\x6c\x75\x6d\x65\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"..., 16777216) = 16777216 [pid 5225] munmap(0x7f7cb6c00000, 138412032) = 0 [pid 5225] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5225] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5225] close(3) = 0 [pid 5225] close(4) = 0 [pid 5225] mkdir("./file1", 0777) = 0 [ 57.657035][ T5225] loop0: detected capacity change from 0 to 32768 [ 57.680149][ T5225] ======================================================= [ 57.680149][ T5225] WARNING: The mand mount option has been deprecated and [ 57.680149][ T5225] and is ignored by this kernel. Remove the mand [pid 5225] mount("/dev/loop0", "./file1", "ocfs2", MS_MANDLOCK|MS_DIRSYNC|MS_NODIRATIME, "acl,heartbeat=none,errors=remount-ro,coherency=full,coherency=full,localflocks,errors=remount-ro,acl"...) = 0 [pid 5225] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5225] chdir("./file1") = 0 [pid 5225] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 57.680149][ T5225] option from the mount to silence this warning. [ 57.680149][ T5225] ======================================================= [ 57.741919][ T5225] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode. [pid 5225] open("./file0", O_RDONLY|O_CREAT|O_LARGEFILE|0x4000000, 000) = 4 [pid 5225] exit_group(0) = ? [pid 5225] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5225, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555575f577f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555575f5f830 /* 2 entries */, 32768) = 48 getdents64(4, 0x555575f5f830 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 getdents64(3, 0x555575f577f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 [ 57.923026][ T5221] ocfs2: Unmounting device (7,0) on (node local) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5228 attached , child_tidptr=0x555575f56750) = 5228 [pid 5228] set_robust_list(0x555575f56760, 24) = 0 [pid 5228] chdir("./1") = 0 [pid 5228] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5228] setpgid(0, 0) = 0 [pid 5228] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5228] write(3, "1000", 4) = 4 [pid 5228] close(3) = 0 [pid 5228] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5228] write(1, "executing program\n", 18) = 18 [pid 5228] memfd_create("syzkaller", 0) = 3 [pid 5228] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7cb6c00000 [pid 5228] write(3, "\x02\x02\x02\x02\x02\x02\x02\x02\x74\x68\x69\x73\x20\x69\x73\x20\x61\x6e\x20\x6f\x63\x66\x73\x32\x20\x76\x6f\x6c\x75\x6d\x65\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"..., 16777216) = 16777216 [pid 5228] munmap(0x7f7cb6c00000, 138412032) = 0 [pid 5228] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5228] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5228] close(3) = 0 [pid 5228] close(4) = 0 [pid 5228] mkdir("./file1", 0777) = 0 [ 58.242230][ T5228] loop0: detected capacity change from 0 to 32768 [pid 5228] mount("/dev/loop0", "./file1", "ocfs2", MS_MANDLOCK|MS_DIRSYNC|MS_NODIRATIME, "acl,heartbeat=none,errors=remount-ro,coherency=full,coherency=full,localflocks,errors=remount-ro,acl"...) = 0 [pid 5228] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5228] chdir("./file1") = 0 [pid 5228] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 58.290019][ T5228] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode. [ 58.335401][ T5228] ================================================================== [ 58.343485][ T5228] BUG: KASAN: slab-use-after-free in ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 58.352458][ T5228] Read of size 4 at addr ffff888074488004 by task syz-executor305/5228 [ 58.360677][ T5228] [ 58.363031][ T5228] CPU: 1 UID: 0 PID: 5228 Comm: syz-executor305 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 [ 58.374132][ T5228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 58.384197][ T5228] Call Trace: [ 58.387458][ T5228] [ 58.390374][ T5228] dump_stack_lvl+0x241/0x360 [ 58.395049][ T5228] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.400230][ T5228] ? __pfx__printk+0x10/0x10 [ 58.404805][ T5228] ? _printk+0xd5/0x120 [ 58.408941][ T5228] ? __virt_addr_valid+0x183/0x530 [ 58.414037][ T5228] ? __virt_addr_valid+0x183/0x530 [ 58.419130][ T5228] print_report+0x169/0x550 [ 58.423621][ T5228] ? __virt_addr_valid+0x183/0x530 [ 58.428714][ T5228] ? __virt_addr_valid+0x183/0x530 [ 58.433813][ T5228] ? __virt_addr_valid+0x45f/0x530 [ 58.438931][ T5228] ? __phys_addr+0xba/0x170 [ 58.443412][ T5228] ? ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 58.449553][ T5228] kasan_report+0x143/0x180 [ 58.454045][ T5228] ? ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 58.460185][ T5228] ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 58.466151][ T5228] ? unwind_get_return_address+0x4d/0x90 [ 58.471770][ T5228] ? __pfx_ocfs2_reserve_suballoc_bits+0x10/0x10 [ 58.478081][ T5228] ? __pfx_stack_trace_save+0x10/0x10 [ 58.483434][ T5228] ? stack_depot_save_flags+0x29/0x830 [ 58.488899][ T5228] ? kasan_save_track+0x51/0x80 [ 58.493741][ T5228] ? kasan_save_track+0x3f/0x80 [ 58.498574][ T5228] ? __kasan_kmalloc+0x98/0xb0 [ 58.503323][ T5228] ? __kmalloc_cache_noprof+0x19c/0x2c0 [ 58.508855][ T5228] ? ocfs2_reserve_new_metadata_blocks+0x117/0x9c0 [ 58.515339][ T5228] ? ocfs2_mknod+0x143a/0x2b40 [ 58.520085][ T5228] ? ocfs2_create+0x1ab/0x480 [ 58.524744][ T5228] ? path_openat+0x1c03/0x3590 [ 58.529509][ T5228] ? do_filp_open+0x235/0x490 [ 58.534178][ T5228] ? do_sys_openat2+0x13e/0x1d0 [ 58.539009][ T5228] ? __x64_sys_open+0x225/0x270 [ 58.543839][ T5228] ? do_syscall_64+0xf3/0x230 [ 58.548500][ T5228] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.554586][ T5228] ? __kasan_kmalloc+0x98/0xb0 [ 58.559339][ T5228] ? ocfs2_reserve_new_metadata_blocks+0x117/0x9c0 [ 58.565825][ T5228] ? __kmalloc_cache_noprof+0x19c/0x2c0 [ 58.571351][ T5228] ocfs2_reserve_new_metadata_blocks+0x41c/0x9c0 [ 58.577668][ T5228] ? __pfx_ocfs2_reserve_new_metadata_blocks+0x10/0x10 [ 58.584509][ T5228] ? __pfx_ocfs2_calc_xattr_init+0x10/0x10 [ 58.590309][ T5228] ? ocfs2_init_security_get+0x12d/0x1a0 [ 58.595932][ T5228] ocfs2_mknod+0x143a/0x2b40 [ 58.600506][ T5228] ? __pfx_validate_chain+0x10/0x10 [ 58.605697][ T5228] ? __pfx_ocfs2_mknod+0x10/0x10 [ 58.610621][ T5228] ? __lock_acquire+0x1384/0x2050 [ 58.615638][ T5228] ? __pfx_lock_acquire+0x10/0x10 [ 58.620646][ T5228] ? ocfs2_inode_unlock+0xa7/0x150 [ 58.625741][ T5228] ? __pfx_lock_release+0x10/0x10 [ 58.630750][ T5228] ? do_raw_spin_lock+0x14f/0x370 [ 58.635761][ T5228] ? do_raw_spin_unlock+0x13c/0x8b0 [ 58.640948][ T5228] ? _raw_spin_unlock+0x28/0x50 [ 58.645813][ T5228] ? rcu_is_watching+0x15/0xb0 [ 58.650558][ T5228] ? ocfs2_lookup+0x503/0xa60 [ 58.655220][ T5228] ocfs2_create+0x1ab/0x480 [ 58.659711][ T5228] ? __pfx_ocfs2_create+0x10/0x10 [ 58.664722][ T5228] ? bpf_lsm_inode_create+0x9/0x10 [ 58.669819][ T5228] ? security_inode_create+0xbe/0x340 [ 58.675171][ T5228] ? __pfx_ocfs2_create+0x10/0x10 [ 58.680179][ T5228] path_openat+0x1c03/0x3590 [ 58.684761][ T5228] ? __pfx_path_openat+0x10/0x10 [ 58.689687][ T5228] do_filp_open+0x235/0x490 [ 58.694175][ T5228] ? __pfx_do_filp_open+0x10/0x10 [ 58.699205][ T5228] ? _raw_spin_unlock+0x28/0x50 [ 58.704041][ T5228] ? alloc_fd+0x5a1/0x640 [ 58.708357][ T5228] do_sys_openat2+0x13e/0x1d0 [ 58.713014][ T5228] ? __pfx_do_sys_openat2+0x10/0x10 [ 58.718195][ T5228] ? lockdep_hardirqs_on+0x99/0x150 [ 58.723380][ T5228] ? _raw_spin_unlock_irq+0x2e/0x50 [ 58.728580][ T5228] ? ptrace_notify+0x279/0x380 [ 58.733325][ T5228] __x64_sys_open+0x225/0x270 [ 58.738015][ T5228] ? __pfx___x64_sys_open+0x10/0x10 [ 58.743198][ T5228] ? do_syscall_64+0x100/0x230 [ 58.747947][ T5228] do_syscall_64+0xf3/0x230 [ 58.752433][ T5228] ? clear_bhb_loop+0x35/0x90 [ 58.757093][ T5228] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.762979][ T5228] RIP: 0033:0x7f7cbf1f9749 [ 58.767381][ T5228] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 58.786974][ T5228] RSP: 002b:00007ffdbbfdc928 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 58.795372][ T5228] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7cbf1f9749 [ 58.803324][ T5228] RDX: 0000000000000000 RSI: 0000000004008040 RDI: 0000000020000200 [ 58.811275][ T5228] RBP: 0000000000000000 R08: 0000000000004441 R09: 00007ffdbbfdc95c [ 58.819227][ T5228] R10: 00007ffdbbfdc7f0 R11: 0000000000000246 R12: 00007ffdbbfdc95c [ 58.827180][ T5228] R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007ffdbbfdc990 [ 58.835176][ T5228] [ 58.838183][ T5228] [ 58.840497][ T5228] Allocated by task 5158: [ 58.844818][ T5228] kasan_save_track+0x3f/0x80 [ 58.849490][ T5228] __kasan_slab_alloc+0x66/0x80 [ 58.854334][ T5228] kmem_cache_alloc_noprof+0x135/0x2a0 [ 58.859777][ T5228] skb_clone+0x20c/0x390 [ 58.864003][ T5228] dev_queue_xmit_nit+0x419/0xc10 [ 58.869018][ T5228] dev_hard_start_xmit+0x15f/0x7e0 [ 58.874117][ T5228] sch_direct_xmit+0x29c/0x5d0 [ 58.878885][ T5228] __dev_queue_xmit+0x1a2d/0x3ed0 [ 58.883895][ T5228] ip_finish_output2+0xe70/0x1390 [ 58.888902][ T5228] __ip_queue_xmit+0x118c/0x1b80 [ 58.893821][ T5228] __tcp_transmit_skb+0x2544/0x3b30 [ 58.899004][ T5228] tcp_recvmsg_locked+0x330f/0x3c80 [ 58.904182][ T5228] tcp_recvmsg+0x25d/0x920 [ 58.908578][ T5228] inet_recvmsg+0x150/0x2d0 [ 58.913065][ T5228] sock_recvmsg+0x1ae/0x280 [ 58.917553][ T5228] sock_read_iter+0x2c4/0x3d0 [ 58.922212][ T5228] vfs_read+0x9bb/0xbc0 [ 58.926350][ T5228] ksys_read+0x183/0x2b0 [ 58.930572][ T5228] do_syscall_64+0xf3/0x230 [ 58.935061][ T5228] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.940941][ T5228] [ 58.943262][ T5228] Freed by task 5158: [ 58.947232][ T5228] kasan_save_track+0x3f/0x80 [ 58.951906][ T5228] kasan_save_free_info+0x40/0x50 [ 58.956928][ T5228] __kasan_slab_free+0x59/0x70 [ 58.961697][ T5228] kmem_cache_free+0x1a2/0x420 [ 58.966443][ T5228] packet_rcv+0x16f/0x14b0 [ 58.970843][ T5228] dev_queue_xmit_nit+0xad4/0xc10 [ 58.975855][ T5228] dev_hard_start_xmit+0x15f/0x7e0 [ 58.980950][ T5228] sch_direct_xmit+0x29c/0x5d0 [ 58.985706][ T5228] __dev_queue_xmit+0x1a2d/0x3ed0 [ 58.990713][ T5228] ip_finish_output2+0xe70/0x1390 [ 58.995718][ T5228] __ip_queue_xmit+0x118c/0x1b80 [ 59.000638][ T5228] __tcp_transmit_skb+0x2544/0x3b30 [ 59.005828][ T5228] tcp_recvmsg_locked+0x330f/0x3c80 [ 59.011011][ T5228] tcp_recvmsg+0x25d/0x920 [ 59.015405][ T5228] inet_recvmsg+0x150/0x2d0 [ 59.019892][ T5228] sock_recvmsg+0x1ae/0x280 [ 59.024376][ T5228] sock_read_iter+0x2c4/0x3d0 [ 59.029054][ T5228] vfs_read+0x9bb/0xbc0 [ 59.033192][ T5228] ksys_read+0x183/0x2b0 [ 59.037436][ T5228] do_syscall_64+0xf3/0x230 [ 59.041930][ T5228] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.047810][ T5228] [ 59.050116][ T5228] The buggy address belongs to the object at ffff888074488000 [ 59.050116][ T5228] which belongs to the cache skbuff_head_cache of size 240 [ 59.064668][ T5228] The buggy address is located 4 bytes inside of [ 59.064668][ T5228] freed 240-byte region [ffff888074488000, ffff8880744880f0) [ 59.078272][ T5228] [ 59.080577][ T5228] The buggy address belongs to the physical page: [ 59.086974][ T5228] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74488 [ 59.095717][ T5228] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 59.102810][ T5228] page_type: f5(slab) [ 59.106772][ T5228] raw: 00fff00000000000 ffff888140ee6780 dead000000000122 0000000000000000 [ 59.115333][ T5228] raw: 0000000000000000 00000000000c000c 00000001f5000000 0000000000000000 [ 59.123890][ T5228] page dumped because: kasan: bad access detected [ 59.130283][ T5228] page_owner tracks the page as allocated [ 59.136001][ T5228] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5158, tgid 5158 (sshd), ts 46020041993, free_ts 46019511087 [ 59.154560][ T5228] post_alloc_hook+0x1f3/0x230 [ 59.159309][ T5228] get_page_from_freelist+0x3039/0x3180 [ 59.164837][ T5228] __alloc_pages_noprof+0x292/0x710 [ 59.170016][ T5228] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.175461][ T5228] alloc_slab_page+0x6a/0x120 [ 59.180122][ T5228] allocate_slab+0x5a/0x2f0 [ 59.184607][ T5228] ___slab_alloc+0xcd1/0x14b0 [ 59.189279][ T5228] __slab_alloc+0x58/0xa0 [ 59.193600][ T5228] kmem_cache_alloc_noprof+0x1c1/0x2a0 [ 59.199038][ T5228] skb_clone+0x20c/0x390 [ 59.203263][ T5228] dev_queue_xmit_nit+0x419/0xc10 [ 59.208280][ T5228] dev_hard_start_xmit+0x15f/0x7e0 [ 59.213374][ T5228] sch_direct_xmit+0x29c/0x5d0 [ 59.218134][ T5228] __dev_queue_xmit+0x1a2d/0x3ed0 [ 59.223137][ T5228] ip_finish_output2+0xe70/0x1390 [ 59.228137][ T5228] __ip_queue_xmit+0x118c/0x1b80 [ 59.233054][ T5228] page last free pid 5158 tgid 5158 stack trace: [ 59.239372][ T5228] free_unref_page+0xcd0/0xf00 [ 59.244132][ T5228] skb_release_data+0x6dc/0x8a0 [ 59.248964][ T5228] skb_attempt_defer_free+0x42f/0x5c0 [ 59.254327][ T5228] tcp_recvmsg_locked+0x2995/0x3c80 [ 59.259503][ T5228] tcp_recvmsg+0x25d/0x920 [ 59.263910][ T5228] inet_recvmsg+0x150/0x2d0 [ 59.268392][ T5228] sock_recvmsg+0x1ae/0x280 [ 59.272879][ T5228] sock_read_iter+0x2c4/0x3d0 [ 59.277539][ T5228] vfs_read+0x9bb/0xbc0 [ 59.281672][ T5228] ksys_read+0x183/0x2b0 [ 59.285898][ T5228] do_syscall_64+0xf3/0x230 [ 59.290378][ T5228] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.296256][ T5228] [ 59.298560][ T5228] Memory state around the buggy address: [ 59.304168][ T5228] ffff888074487f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.312222][ T5228] ffff888074487f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.320260][ T5228] >ffff888074488000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.328295][ T5228] ^ [ 59.332340][ T5228] ffff888074488080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 59.340379][ T5228] ffff888074488100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 59.348416][ T5228] ================================================================== [ 59.357245][ T5228] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.364459][ T5228] CPU: 1 UID: 0 PID: 5228 Comm: syz-executor305 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 [ 59.375558][ T5228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 59.385604][ T5228] Call Trace: [ 59.388876][ T5228] [ 59.391796][ T5228] dump_stack_lvl+0x241/0x360 [ 59.396471][ T5228] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.401656][ T5228] ? __pfx__printk+0x10/0x10 [ 59.406233][ T5228] ? preempt_schedule+0xe1/0xf0 [ 59.411077][ T5228] ? vscnprintf+0x5d/0x90 [ 59.415400][ T5228] panic+0x349/0x880 [ 59.419283][ T5228] ? check_panic_on_warn+0x21/0xb0 [ 59.424385][ T5228] ? __pfx_panic+0x10/0x10 [ 59.428791][ T5228] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.434764][ T5228] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.441083][ T5228] ? print_report+0x502/0x550 [ 59.445758][ T5228] check_panic_on_warn+0x86/0xb0 [ 59.450687][ T5228] ? ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 59.456839][ T5228] end_report+0x77/0x160 [ 59.461075][ T5228] kasan_report+0x154/0x180 [ 59.465573][ T5228] ? ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 59.471718][ T5228] ocfs2_reserve_suballoc_bits+0x1023/0x4eb0 [ 59.477693][ T5228] ? unwind_get_return_address+0x4d/0x90 [ 59.483320][ T5228] ? __pfx_ocfs2_reserve_suballoc_bits+0x10/0x10 [ 59.489636][ T5228] ? __pfx_stack_trace_save+0x10/0x10 [ 59.495001][ T5228] ? stack_depot_save_flags+0x29/0x830 [ 59.500462][ T5228] ? kasan_save_track+0x51/0x80 [ 59.505304][ T5228] ? kasan_save_track+0x3f/0x80 [ 59.510145][ T5228] ? __kasan_kmalloc+0x98/0xb0 [ 59.514900][ T5228] ? __kmalloc_cache_noprof+0x19c/0x2c0 [ 59.520432][ T5228] ? ocfs2_reserve_new_metadata_blocks+0x117/0x9c0 [ 59.526937][ T5228] ? ocfs2_mknod+0x143a/0x2b40 [ 59.531709][ T5228] ? ocfs2_create+0x1ab/0x480 [ 59.536377][ T5228] ? path_openat+0x1c03/0x3590 [ 59.541132][ T5228] ? do_filp_open+0x235/0x490 [ 59.545818][ T5228] ? do_sys_openat2+0x13e/0x1d0 [ 59.550658][ T5228] ? __x64_sys_open+0x225/0x270 [ 59.555498][ T5228] ? do_syscall_64+0xf3/0x230 [ 59.560173][ T5228] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.566249][ T5228] ? __kasan_kmalloc+0x98/0xb0 [ 59.571007][ T5228] ? ocfs2_reserve_new_metadata_blocks+0x117/0x9c0 [ 59.577520][ T5228] ? __kmalloc_cache_noprof+0x19c/0x2c0 [ 59.583074][ T5228] ocfs2_reserve_new_metadata_blocks+0x41c/0x9c0 [ 59.589416][ T5228] ? __pfx_ocfs2_reserve_new_metadata_blocks+0x10/0x10 [ 59.596280][ T5228] ? __pfx_ocfs2_calc_xattr_init+0x10/0x10 [ 59.602086][ T5228] ? ocfs2_init_security_get+0x12d/0x1a0 [ 59.607715][ T5228] ocfs2_mknod+0x143a/0x2b40 [ 59.612300][ T5228] ? __pfx_validate_chain+0x10/0x10 [ 59.617497][ T5228] ? __pfx_ocfs2_mknod+0x10/0x10 [ 59.622521][ T5228] ? __lock_acquire+0x1384/0x2050 [ 59.627554][ T5228] ? __pfx_lock_acquire+0x10/0x10 [ 59.632572][ T5228] ? ocfs2_inode_unlock+0xa7/0x150 [ 59.637679][ T5228] ? __pfx_lock_release+0x10/0x10 [ 59.642699][ T5228] ? do_raw_spin_lock+0x14f/0x370 [ 59.647721][ T5228] ? do_raw_spin_unlock+0x13c/0x8b0 [ 59.652913][ T5228] ? _raw_spin_unlock+0x28/0x50 [ 59.657763][ T5228] ? rcu_is_watching+0x15/0xb0 [ 59.662519][ T5228] ? ocfs2_lookup+0x503/0xa60 [ 59.667190][ T5228] ocfs2_create+0x1ab/0x480 [ 59.671691][ T5228] ? __pfx_ocfs2_create+0x10/0x10 [ 59.676728][ T5228] ? bpf_lsm_inode_create+0x9/0x10 [ 59.681832][ T5228] ? security_inode_create+0xbe/0x340 [ 59.687196][ T5228] ? __pfx_ocfs2_create+0x10/0x10 [ 59.692212][ T5228] path_openat+0x1c03/0x3590 [ 59.696806][ T5228] ? __pfx_path_openat+0x10/0x10 [ 59.701741][ T5228] do_filp_open+0x235/0x490 [ 59.706265][ T5228] ? __pfx_do_filp_open+0x10/0x10 [ 59.711290][ T5228] ? _raw_spin_unlock+0x28/0x50 [ 59.716133][ T5228] ? alloc_fd+0x5a1/0x640 [ 59.720460][ T5228] do_sys_openat2+0x13e/0x1d0 [ 59.725130][ T5228] ? __pfx_do_sys_openat2+0x10/0x10 [ 59.730322][ T5228] ? lockdep_hardirqs_on+0x99/0x150 [ 59.735520][ T5228] ? _raw_spin_unlock_irq+0x2e/0x50 [ 59.740713][ T5228] ? ptrace_notify+0x279/0x380 [ 59.745469][ T5228] __x64_sys_open+0x225/0x270 [ 59.750137][ T5228] ? __pfx___x64_sys_open+0x10/0x10 [ 59.755324][ T5228] ? do_syscall_64+0x100/0x230 [ 59.760081][ T5228] do_syscall_64+0xf3/0x230 [ 59.764574][ T5228] ? clear_bhb_loop+0x35/0x90 [ 59.769242][ T5228] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.775153][ T5228] RIP: 0033:0x7f7cbf1f9749 [ 59.779581][ T5228] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 59.799187][ T5228] RSP: 002b:00007ffdbbfdc928 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 59.807598][ T5228] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7cbf1f9749 [ 59.815567][ T5228] RDX: 0000000000000000 RSI: 0000000004008040 RDI: 0000000020000200 [ 59.823530][ T5228] RBP: 0000000000000000 R08: 0000000000004441 R09: 00007ffdbbfdc95c [ 59.831497][ T5228] R10: 00007ffdbbfdc7f0 R11: 0000000000000246 R12: 00007ffdbbfdc95c [ 59.839462][ T5228] R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007ffdbbfdc990 [ 59.847437][ T5228] [ 59.850712][ T5228] Kernel Offset: disabled [ 59.855054][ T5228] Rebooting in 86400 seconds..