./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1439374626

<...>
DUID 00:04:a1:84:1b:e0:48:24:35:f8:15:f9:55:b5:79:ea:e6:3e
forked to background, child pid 3185
[   26.673607][ T3186] 8021q: adding VLAN 0 to HW filter on device bond0
[   26.685448][ T3186] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.1.27' (ECDSA) to the list of known hosts.
execve("./syz-executor1439374626", ["./syz-executor1439374626"], 0x7ffd701cd490 /* 10 vars */) = 0
brk(NULL)                               = 0x555556912000
brk(0x555556912d00)                     = 0x555556912d00
arch_prctl(ARCH_SET_FS, 0x5555569123c0) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1439374626", 4096) = 28
brk(0x555556933d00)                     = 0x555556933d00
brk(0x555556934000)                     = 0x555556934000
mprotect(0x7faaf8bb1000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7faaf8b020a0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7faaf8b02a40}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7faaf8b020a0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7faaf8b02a40}, NULL, 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556912690) = 3607
./strace-static-x86_64: Process 3607 attached
[pid  3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3607] openat(AT_FDCWD, "/dev/loop0", O_RDWR./strace-static-x86_64: Process 3608 attached
 <unfinished ...>
[pid  3606] <... clone resumed>, child_tidptr=0x555556912690) = 3608
[pid  3608] openat(AT_FDCWD, "/dev/loop1", O_RDWR <unfinished ...>
[pid  3607] <... openat resumed>)       = 3
[pid  3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3608] <... openat resumed>)       = 3
[pid  3607] ioctl(3, LOOP_CLR_FD./strace-static-x86_64: Process 3609 attached
 <unfinished ...>
[pid  3608] ioctl(3, LOOP_CLR_FD <unfinished ...>
[pid  3607] <... ioctl resumed>)        = -1 ENXIO (No such device or address)
[pid  3608] <... ioctl resumed>)        = -1 ENXIO (No such device or address)
[pid  3608] close(3 <unfinished ...>
[pid  3607] close(3)                    = 0
[pid  3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556912690) = 3610
./strace-static-x86_64: Process 3610 attached
[pid  3610] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3610] setpgid(0, 0)               = 0
[pid  3610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid  3606] <... clone resumed>, child_tidptr=0x555556912690) = 3609
[pid  3608] <... close resumed>)        = 0
[pid  3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3610] <... openat resumed>)       = 3
[pid  3606] <... clone resumed>, child_tidptr=0x555556912690) = 3611
[pid  3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3609] openat(AT_FDCWD, "/dev/loop2", O_RDWR <unfinished ...>
[pid  3608] <... clone resumed>, child_tidptr=0x555556912690) = 3612
[pid  3610] write(3, "1000", 4 <unfinished ...>
[pid  3606] <... clone resumed>, child_tidptr=0x555556912690) = 3613
./strace-static-x86_64: Process 3613 attached
./strace-static-x86_64: Process 3612 attached
./strace-static-x86_64: Process 3611 attached
[pid  3609] <... openat resumed>)       = 3
[pid  3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3609] ioctl(3, LOOP_CLR_FD./strace-static-x86_64: Process 3614 attached
 <unfinished ...>
[pid  3613] openat(AT_FDCWD, "/dev/loop4", O_RDWR <unfinished ...>
[pid  3612] prctl(PR_SET_PDEATHSIG, SIGKILL <unfinished ...>
[pid  3611] openat(AT_FDCWD, "/dev/loop3", O_RDWR <unfinished ...>
[pid  3610] <... write resumed>)        = 4
[pid  3609] <... ioctl resumed>)        = -1 ENXIO (No such device or address)
[pid  3606] <... clone resumed>, child_tidptr=0x555556912690) = 3614
[pid  3609] close(3 <unfinished ...>
[pid  3613] <... openat resumed>)       = 3
[pid  3612] <... prctl resumed>)        = 0
[pid  3611] <... openat resumed>)       = 3
[pid  3610] close(3 <unfinished ...>
[pid  3609] <... close resumed>)        = 0
[pid  3614] openat(AT_FDCWD, "/dev/loop5", O_RDWR <unfinished ...>
[pid  3613] ioctl(3, LOOP_CLR_FD <unfinished ...>
[pid  3612] setpgid(0, 0 <unfinished ...>
[pid  3611] ioctl(3, LOOP_CLR_FD <unfinished ...>
[pid  3610] <... close resumed>)        = 0
[pid  3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3614] <... openat resumed>)       = 3
[pid  3613] <... ioctl resumed>)        = -1 ENXIO (No such device or address)
[pid  3612] <... setpgid resumed>)      = 0
[pid  3611] <... ioctl resumed>)        = -1 ENXIO (No such device or address)
[pid  3610] mkdir("./file0", 0777 <unfinished ...>
[pid  3614] ioctl(3, LOOP_CLR_FD <unfinished ...>
[pid  3613] close(3 <unfinished ...>
[pid  3612] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid  3611] close(3 <unfinished ...>
[pid  3610] <... mkdir resumed>)        = 0
[pid  3614] <... ioctl resumed>)        = -1 ENXIO (No such device or address)
[pid  3613] <... close resumed>)        = 0
[pid  3612] <... openat resumed>)       = 3
[pid  3611] <... close resumed>)        = 0
[pid  3610] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3609] <... clone resumed>, child_tidptr=0x555556912690) = 3616
[pid  3614] close(3 <unfinished ...>
[pid  3613] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3612] write(3, "1000", 4 <unfinished ...>
[pid  3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3610] pipe2( <unfinished ...>
[pid  3614] <... close resumed>)        = 0
[pid  3612] <... write resumed>)        = 4
[pid  3610] <... pipe2 resumed>[3, 4], 0) = 0
[pid  3614] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3613] <... clone resumed>, child_tidptr=0x555556912690) = 3618
[pid  3612] close(3 <unfinished ...>
[pid  3611] <... clone resumed>, child_tidptr=0x555556912690) = 3619
[pid  3610] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" <unfinished ...>
[pid  3612] <... close resumed>)        = 0
[pid  3614] <... clone resumed>, child_tidptr=0x555556912690) = 3620
[pid  3612] mkdir("./file0", 0777./strace-static-x86_64: Process 3620 attached
)      = -1 EEXIST (File exists)
[pid  3620] prctl(PR_SET_PDEATHSIG, SIGKILL <unfinished ...>
[pid  3612] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
./strace-static-x86_64: Process 3619 attached
./strace-static-x86_64: Process 3616 attached
[pid  3620] <... prctl resumed>)        = 0
[pid  3612] pipe2(./strace-static-x86_64: Process 3618 attached
 <unfinished ...>
[pid  3620] setpgid(0, 0 <unfinished ...>
[pid  3619] prctl(PR_SET_PDEATHSIG, SIGKILL <unfinished ...>
[pid  3616] prctl(PR_SET_PDEATHSIG, SIGKILL <unfinished ...>
[pid  3612] <... pipe2 resumed>[3, 4], 0) = 0
[pid  3620] <... setpgid resumed>)      = 0
[pid  3619] <... prctl resumed>)        = 0
[pid  3618] prctl(PR_SET_PDEATHSIG, SIGKILL <unfinished ...>
[pid  3616] <... prctl resumed>)        = 0
[pid  3612] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" <unfinished ...>
[pid  3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid  3619] setpgid(0, 0 <unfinished ...>
[pid  3618] <... prctl resumed>)        = 0
[pid  3616] setpgid(0, 0 <unfinished ...>
[pid  3619] <... setpgid resumed>)      = 0
[pid  3618] setpgid(0, 0 <unfinished ...>
[pid  3616] <... setpgid resumed>)      = 0
[pid  3620] <... openat resumed>)       = 3
[pid  3619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid  3618] <... setpgid resumed>)      = 0
[pid  3616] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid  3620] write(3, "1000", 4 <unfinished ...>
[pid  3619] <... openat resumed>)       = 3
[pid  3618] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid  3616] <... openat resumed>)       = 3
[pid  3620] <... write resumed>)        = 4
[pid  3619] write(3, "1000", 4 <unfinished ...>
[pid  3618] <... openat resumed>)       = 3
[pid  3616] write(3, "1000", 4 <unfinished ...>
[pid  3620] close(3 <unfinished ...>
[pid  3619] <... write resumed>)        = 4
[pid  3618] write(3, "1000", 4 <unfinished ...>
[pid  3616] <... write resumed>)        = 4
[pid  3620] <... close resumed>)        = 0
[pid  3619] close(3 <unfinished ...>
[pid  3618] <... write resumed>)        = 4
[pid  3616] close(3 <unfinished ...>
[pid  3620] mkdir("./file0", 0777 <unfinished ...>
[pid  3619] <... close resumed>)        = 0
[pid  3618] close(3 <unfinished ...>
[pid  3616] <... close resumed>)        = 0
[pid  3620] <... mkdir resumed>)        = -1 EEXIST (File exists)
[pid  3619] mkdir("./file0", 0777 <unfinished ...>
[pid  3618] <... close resumed>)        = 0
[pid  3616] mkdir("./file0", 0777 <unfinished ...>
[pid  3620] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3619] <... mkdir resumed>)        = -1 EEXIST (File exists)
[pid  3618] mkdir("./file0", 0777 <unfinished ...>
[pid  3616] <... mkdir resumed>)        = -1 EEXIST (File exists)
[pid  3620] pipe2( <unfinished ...>
[pid  3619] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3618] <... mkdir resumed>)        = -1 EEXIST (File exists)
[pid  3616] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3620] <... pipe2 resumed>[3, 4], 0) = 0
[pid  3619] pipe2( <unfinished ...>
[pid  3618] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3616] pipe2( <unfinished ...>
[pid  3620] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" <unfinished ...>
[pid  3619] <... pipe2 resumed>[3, 4], 0) = 0
[pid  3618] pipe2( <unfinished ...>
[pid  3616] <... pipe2 resumed>[3, 4], 0) = 0
[pid  3619] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" <unfinished ...>
[pid  3618] <... pipe2 resumed>[3, 4], 0) = 0
[pid  3616] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" <unfinished ...>
[pid  3618] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" <unfinished ...>
[pid  3610] <... mount resumed>)        = -1 EFAULT (Bad address)
[pid  3610] exit_group(0)               = ?
[pid  3610] +++ exited with 0 +++
[pid  3607] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3610, si_uid=0, si_status=0, si_utime=0, si_stime=3} ---
[pid  3607] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
[pid  3607] ioctl(3, LOOP_CLR_FD)       = -1 ENXIO (No such device or address)
[pid  3607] close(3)                    = 0
[pid  3612] <... mount resumed>)        = -1 EFAULT (Bad address)
[pid  3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD <unfinished ...>
[pid  3612] exit_group(0)               = ?
[pid  3612] +++ exited with 0 +++
[pid  3608] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3612, si_uid=0, si_status=0, si_utime=0, si_stime=3} ---
[pid  3608] openat(AT_FDCWD, "/dev/loop1", O_RDWR) = 3
[pid  3608] ioctl(3, LOOP_CLR_FD)       = -1 ENXIO (No such device or address)
[pid  3608] close(3)                    = 0
[pid  3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556912690) = 3621
[pid  3607] <... clone resumed>, child_tidptr=0x555556912690) = 3622
./strace-static-x86_64: Process 3621 attached
[pid  3621] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3621] setpgid(0, 0)               = 0
[pid  3621] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  3621] write(3, "1000", 4)         = 4
[pid  3621] close(3)                    = 0
[pid  3621] mkdir("./file0", 0777)      = -1 EEXIST (File exists)
[pid  3621] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3621] pipe2([3, 4], 0)            = 0
[pid  3621] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004"./strace-static-x86_64: Process 3622 attached
 <unfinished ...>
[pid  3622] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3622] setpgid(0, 0)               = 0
[pid  3622] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  3622] write(3, "1000", 4)         = 4
[pid  3622] close(3)                    = 0
syzkaller login: [   50.368469][ T3620] ==================================================================
[   50.376597][ T3620] BUG: KASAN: use-after-free in __kernfs_remove+0xf2d/0x1180
[   50.384015][ T3620] Read of size 2 at addr ffff8881452d98c0 by task syz-executor143/3620
[   50.392279][ T3620] 
[   50.394617][ T3620] CPU: 0 PID: 3620 Comm: syz-executor143 Not tainted 6.0.0-rc5-syzkaller-00097-g38eddeedbbea #0
[   50.405044][ T3620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[   50.415115][ T3620] Call Trace:
[pid  3622] mkdir("./file0", 0777)      = -1 EEXIST (File exists)
[pid  3622] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
[pid  3622] pipe2([3, 4], 0)            = 0
[   50.418425][ T3620]  <TASK>
[   50.421388][ T3620]  dump_stack_lvl+0x1e3/0x2cb
[   50.426117][ T3620]  ? io_alloc_page_table+0x110/0x110
[   50.431425][ T3620]  ? _printk+0xcf/0x10f
[   50.435606][ T3620]  ? __wake_up_klogd+0xd6/0x100
[   50.440495][ T3620]  ? __wake_up_klogd+0xcd/0x100
[   50.445383][ T3620]  ? panic+0x76b/0x76b
[   50.449477][ T3620]  ? _printk+0xcf/0x10f
[   50.453650][ T3620]  print_address_description+0x65/0x4b0
[   50.459224][ T3620]  print_report+0x108/0x220
[   50.463737][ T3620]  ? kernfs_put+0x340/0x490
[   50.468240][ T3620]  ? kmem_cache_free+0x95/0x1d0
[   50.473142][ T3620]  ? __kernfs_remove+0xf2d/0x1180
[   50.478184][ T3620]  kasan_report+0xfb/0x130
[   50.482619][ T3620]  ? __kernfs_remove+0xf2d/0x1180
[   50.487666][ T3620]  __kernfs_remove+0xf2d/0x1180
[   50.492543][ T3620]  ? kernfs_iop_rename+0x7d0/0x7d0
[   50.497672][ T3620]  ? kernfs_find_ns+0x4d6/0x550
[   50.502530][ T3620]  kernfs_remove_by_name_ns+0x96/0xe0
[   50.507914][ T3620]  sysfs_slab_add+0x54/0x270
[   50.512519][ T3620]  __kmem_cache_create+0x34/0x170
[   50.517563][ T3620]  kmem_cache_create_usercopy+0x1a6/0x340
[   50.523307][ T3620]  p9_client_create+0xbbe/0x1030
[   50.528268][ T3620]  ? do_trace_9p_fid_put+0x20/0x20
[   50.535384][ T3620]  ? lockdep_softirqs_off+0x420/0x420
[   50.540880][ T3620]  ? __raw_spin_lock_init+0x41/0x100
[   50.546188][ T3620]  v9fs_session_init+0x1e3/0x1990
[   50.551246][ T3620]  ? v9fs_show_options+0x600/0x600
[   50.556379][ T3620]  ? kmem_cache_alloc_trace+0x97/0x310
[   50.561879][ T3620]  ? v9fs_mount+0xae/0xcb0
[   50.566321][ T3620]  v9fs_mount+0xd2/0xcb0
[   50.570585][ T3620]  ? xfs_fs_commit_blocks+0x8d0/0x8d0
[   50.576066][ T3620]  ? legacy_init_fs_context+0x4d/0xb0
[   50.581459][ T3620]  ? smack_sb_eat_lsm_opts+0x3cd/0x990
[   50.586937][ T3620]  ? cap_capable+0x1b5/0x250
[   50.591537][ T3620]  legacy_get_tree+0xea/0x180
[   50.596217][ T3620]  ? xfs_fs_commit_blocks+0x8d0/0x8d0
[   50.601606][ T3620]  vfs_get_tree+0x88/0x270
[   50.606046][ T3620]  do_new_mount+0x289/0xad0
[   50.610567][ T3620]  ? do_move_mount_old+0x160/0x160
[   50.615690][ T3620]  ? user_path_at_empty+0x149/0x1a0
[   50.620910][ T3620]  __se_sys_mount+0x2e3/0x3d0
[   50.625687][ T3620]  ? __x64_sys_mount+0xc0/0xc0
[   50.630461][ T3620]  ? syscall_enter_from_user_mode+0x2e/0x1d0
[   50.636474][ T3620]  ? __x64_sys_mount+0x1c/0xc0
[   50.641249][ T3620]  do_syscall_64+0x2b/0x70
[   50.645667][ T3620]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.651585][ T3620] RIP: 0033:0x7faaf8b44de9
[   50.656013][ T3620] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   50.675633][ T3620] RSP: 002b:00007ffd26bd3618 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   50.684081][ T3620] RAX: ffffffffffffffda RBX: 00007ffd26bd3650 RCX: 00007faaf8b44de9
[   50.692060][ T3620] RDX: 0000000020000280 RSI: 0000000020000180 RDI: 0000000000000000
[   50.700135][ T3620] RBP: 0000000000000000 R08: 0000000020000480 R09: 0000000000000000
[   50.708123][ T3620] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000f4240
[   50.716112][ T3620] R13: 0000000000000000 R14: 00007ffd26bd363c R15: 00007ffd26bd3640
[   50.724109][ T3620]  </TASK>
[   50.727140][ T3620] 
[   50.729466][ T3620] Allocated by task 3612:
[   50.733794][ T3620]  __kasan_slab_alloc+0xb2/0xe0
[   50.738657][ T3620]  kmem_cache_alloc+0x1a6/0x310
[   50.743523][ T3620]  __kernfs_new_node+0xdb/0x730
[   50.748388][ T3620]  kernfs_create_dir_ns+0x90/0x220
[   50.753520][ T3620]  sysfs_create_dir_ns+0x181/0x390
[   50.758641][ T3620]  kobject_add_internal+0x6dd/0xd10
[   50.763849][ T3620]  kobject_init_and_add+0x123/0x190
[   50.769064][ T3620]  sysfs_slab_add+0x140/0x270
[   50.775575][ T3620]  __kmem_cache_create+0x34/0x170
[   50.780609][ T3620]  kmem_cache_create_usercopy+0x1a6/0x340
[   50.786345][ T3620]  p9_client_create+0xbbe/0x1030
[   50.791291][ T3620]  v9fs_session_init+0x1e3/0x1990
[   50.796327][ T3620]  v9fs_mount+0xd2/0xcb0
[   50.800583][ T3620]  legacy_get_tree+0xea/0x180
[   50.805355][ T3620]  vfs_get_tree+0x88/0x270
[   50.809802][ T3620]  do_new_mount+0x289/0xad0
[   50.814570][ T3620]  __se_sys_mount+0x2e3/0x3d0
[   50.819260][ T3620]  do_syscall_64+0x2b/0x70
[   50.823687][ T3620]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.829613][ T3620] 
[   50.831945][ T3620] Freed by task 3620:
[   50.835928][ T3620]  kasan_set_track+0x4c/0x70
[   50.840527][ T3620]  kasan_set_free_info+0x1f/0x40
[   50.845481][ T3620]  ____kasan_slab_free+0xd8/0x120
[   50.850516][ T3620]  slab_free_freelist_hook+0x12e/0x1a0
[   50.855987][ T3620]  kmem_cache_free+0x95/0x1d0
[   50.860686][ T3620]  kernfs_put+0x340/0x490
[   50.865023][ T3620]  __kernfs_remove+0xec0/0x1180
[   50.869884][ T3620]  kernfs_remove_by_name_ns+0x96/0xe0
[   50.875269][ T3620]  sysfs_slab_add+0x54/0x270
[   50.879878][ T3620]  __kmem_cache_create+0x34/0x170
[   50.884918][ T3620]  kmem_cache_create_usercopy+0x1a6/0x340
[   50.890663][ T3620]  p9_client_create+0xbbe/0x1030
[   50.895613][ T3620]  v9fs_session_init+0x1e3/0x1990
[   50.900648][ T3620]  v9fs_mount+0xd2/0xcb0
[   50.904909][ T3620]  legacy_get_tree+0xea/0x180
[   50.909606][ T3620]  vfs_get_tree+0x88/0x270
[   50.914081][ T3620]  do_new_mount+0x289/0xad0
[   50.918678][ T3620]  __se_sys_mount+0x2e3/0x3d0
[   50.923363][ T3620]  do_syscall_64+0x2b/0x70
[   50.927794][ T3620]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.933714][ T3620] 
[   50.936046][ T3620] The buggy address belongs to the object at ffff8881452d9828
[   50.936046][ T3620]  which belongs to the cache kernfs_node_cache of size 168
[   50.950724][ T3620] The buggy address is located 152 bytes inside of
[   50.950724][ T3620]  168-byte region [ffff8881452d9828, ffff8881452d98d0)
[   50.964016][ T3620] 
[   50.966347][ T3620] The buggy address belongs to the physical page:
[   50.972799][ T3620] page:ffffea000514b640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1452d9
[   50.983050][ T3620] flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
[   50.990711][ T3620] raw: 057ff00000000200 ffffea000514b680 dead000000000003 ffff888140007c80
[   50.999310][ T3620] raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
[   51.007899][ T3620] page dumped because: kasan: bad access detected
[   51.014351][ T3620] page_owner tracks the page as allocated
[   51.020343][ T3620] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 2144263389, free_ts 0
[   51.036981][ T3620]  get_page_from_freelist+0x72b/0x7a0
[   51.042375][ T3620]  __alloc_pages+0x259/0x560
[   51.046980][ T3620]  alloc_page_interleave+0x22/0x1c0
[   51.052192][ T3620]  alloc_slab_page+0x70/0xf0
[   51.056803][ T3620]  allocate_slab+0x5e/0x520
[   51.061329][ T3620]  ___slab_alloc+0x42e/0xce0
[   51.065933][ T3620]  kmem_cache_alloc+0x25d/0x310
[   51.070794][ T3620]  __kernfs_new_node+0xdb/0x730
[   51.075662][ T3620]  kernfs_create_dir_ns+0x90/0x220
[   51.080786][ T3620]  internal_create_group+0x29d/0xf50
[   51.086086][ T3620]  kernel_add_sysfs_param+0xe8/0x126
[   51.091399][ T3620]  param_sysfs_builtin+0x16a/0x1e2
[   51.096540][ T3620]  param_sysfs_init+0x68/0x6c
[   51.101233][ T3620]  do_one_initcall+0xbd/0x2b0
[   51.105928][ T3620]  do_initcall_level+0x168/0x218
[   51.110881][ T3620]  do_initcalls+0x4b/0x8c
[   51.115221][ T3620] page_owner free stack trace missing
[   51.120590][ T3620] 
[   51.122916][ T3620] Memory state around the buggy address:
[   51.128545][ T3620]  ffff8881452d9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   51.136616][ T3620]  ffff8881452d9800: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
[   51.144686][ T3620] >ffff8881452d9880: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[   51.152772][ T3620]                                            ^
[   51.158936][ T3620]  ffff8881452d9900: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.167008][ T3620]  ffff8881452d9980: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00
[   51.175076][ T3620] ==================================================================
[   51.197466][ T3620] Kernel panic - not syncing: panic_on_warn set ...
[   51.204091][ T3620] CPU: 0 PID: 3620 Comm: syz-executor143 Not tainted 6.0.0-rc5-syzkaller-00097-g38eddeedbbea #0
[   51.214513][ T3620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[   51.224582][ T3620] Call Trace:
[   51.227874][ T3620]  <TASK>
[   51.230825][ T3620]  dump_stack_lvl+0x1e3/0x2cb
[   51.235520][ T3620]  ? io_alloc_page_table+0x110/0x110
[   51.240827][ T3620]  ? panic+0x76b/0x76b
[   51.244910][ T3620]  ? preempt_schedule_common+0xb7/0xe0
[   51.250384][ T3620]  ? preempt_schedule+0xd9/0xe0
[   51.255250][ T3620]  ? vscnprintf+0x59/0x80
[   51.259691][ T3620]  panic+0x316/0x76b
[   51.263601][ T3620]  ? fb_is_primary_device+0xcc/0xcc
[   51.268810][ T3620]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   51.274821][ T3620]  ? __kernfs_remove+0xf2d/0x1180
[   51.279864][ T3620]  end_report+0x91/0xa0
[   51.284033][ T3620]  kasan_report+0x108/0x130
[   51.288546][ T3620]  ? __kernfs_remove+0xf2d/0x1180
[   51.293586][ T3620]  __kernfs_remove+0xf2d/0x1180
[   51.298450][ T3620]  ? kernfs_iop_rename+0x7d0/0x7d0
[   51.303575][ T3620]  ? kernfs_find_ns+0x4d6/0x550
[   51.308436][ T3620]  kernfs_remove_by_name_ns+0x96/0xe0
[   51.313826][ T3620]  sysfs_slab_add+0x54/0x270
[   51.318430][ T3620]  __kmem_cache_create+0x34/0x170
[   51.323470][ T3620]  kmem_cache_create_usercopy+0x1a6/0x340
[   51.329209][ T3620]  p9_client_create+0xbbe/0x1030
[   51.334164][ T3620]  ? do_trace_9p_fid_put+0x20/0x20
[   51.339284][ T3620]  ? lockdep_softirqs_off+0x420/0x420
[   51.344670][ T3620]  ? __raw_spin_lock_init+0x41/0x100
[   51.349966][ T3620]  v9fs_session_init+0x1e3/0x1990
[   51.355013][ T3620]  ? v9fs_show_options+0x600/0x600
[   51.360138][ T3620]  ? kmem_cache_alloc_trace+0x97/0x310
[   51.365607][ T3620]  ? v9fs_mount+0xae/0xcb0
[   51.370033][ T3620]  v9fs_mount+0xd2/0xcb0
[   51.374287][ T3620]  ? xfs_fs_commit_blocks+0x8d0/0x8d0
[   51.379668][ T3620]  ? legacy_init_fs_context+0x4d/0xb0
[   51.385051][ T3620]  ? smack_sb_eat_lsm_opts+0x3cd/0x990
[   51.390519][ T3620]  ? cap_capable+0x1b5/0x250
[   51.395120][ T3620]  legacy_get_tree+0xea/0x180
[   51.399812][ T3620]  ? xfs_fs_commit_blocks+0x8d0/0x8d0
[   51.405198][ T3620]  vfs_get_tree+0x88/0x270
[   51.409620][ T3620]  do_new_mount+0x289/0xad0
[   51.414133][ T3620]  ? do_move_mount_old+0x160/0x160
[   51.419263][ T3620]  ? user_path_at_empty+0x149/0x1a0
[   51.424484][ T3620]  __se_sys_mount+0x2e3/0x3d0
[   51.429178][ T3620]  ? __x64_sys_mount+0xc0/0xc0
[   51.434125][ T3620]  ? syscall_enter_from_user_mode+0x2e/0x1d0
[   51.440119][ T3620]  ? __x64_sys_mount+0x1c/0xc0
[   51.444896][ T3620]  do_syscall_64+0x2b/0x70
[   51.449327][ T3620]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   51.455232][ T3620] RIP: 0033:0x7faaf8b44de9
[   51.459650][ T3620] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   51.479272][ T3620] RSP: 002b:00007ffd26bd3618 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   51.487702][ T3620] RAX: ffffffffffffffda RBX: 00007ffd26bd3650 RCX: 00007faaf8b44de9
[   51.495774][ T3620] RDX: 0000000020000280 RSI: 0000000020000180 RDI: 0000000000000000
[   51.503766][ T3620] RBP: 0000000000000000 R08: 0000000020000480 R09: 0000000000000000
[   51.511749][ T3620] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000f4240
[   51.519743][ T3620] R13: 0000000000000000 R14: 00007ffd26bd363c R15: 00007ffd26bd3640
[   51.527824][ T3620]  </TASK>
[   51.531018][ T3620] Kernel Offset: disabled
[   51.535344][ T3620] Rebooting in 86400 seconds..