./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3107141718
<...>
forked to background, child pid 3184
no interfaces have a carrier
[ 23.815374][ T3185] 8021q: adding VLAN 0 to HW filter on device bond0
[ 23.826666][ T3185] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
execve("./syz-executor3107141718", ["./syz-executor3107141718"], 0x7fffbc3932c0 /* 10 vars */) = 0
brk(NULL) = 0x5555570d9000
brk(0x5555570d9d00) = 0x5555570d9d00
arch_prctl(ARCH_SET_FS, 0x5555570d93c0) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3107141718", 4096) = 28
brk(0x5555570fad00) = 0x5555570fad00
brk(0x5555570fb000) = 0x5555570fb000
mprotect(0x7f86fa743000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7f86fa694ae0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f86fa694f80}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7f86fa694ae0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f86fa694f80}, NULL, 8) = 0
memfd_create("syzkaller", 0) = 3
ftruncate(3, 0) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
mkdir("./file0", 0777) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
pipe2([5, 6], 0) = 0
write(6, "\x15\x00\x00\x00\x61\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 21) = 21
dup(6) = 7
mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000007,") = -1 EREMOTEIO (Remote I/O error)
write(7, "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 24) = 24
write(7, "\xb0\x00\x00\x00\x00\x00\x00\x6b\x2e\x7f\xb3\xf3\x73\x25\x10\x28\xe4\x79\x55\xa6\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 176) = 176
write(7, "\x4c\x01\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 311) = 311
mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000006,") = 0
syzkaller login: [ 43.112315][ T26] ==================================================================
[ 43.120397][ T26] BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0xd14/0x1140
[ 43.127945][ T26] Write of size 22 at addr ffff88807fe97147 by task kworker/1:1/26
[ 43.135808][ T26]
[ 43.138121][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.1.0-rc3-syzkaller-00158-gee6050c8af96 #0
[ 43.147985][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 43.158019][ T26] Workqueue: events p9_read_work
[ 43.162938][ T26] Call Trace:
[ 43.166197][ T26]
[ 43.169108][ T26] dump_stack_lvl+0xcd/0x134
[ 43.173682][ T26] print_report+0x15e/0x45d
[ 43.178162][ T26] ? __phys_addr+0xc4/0x140
[ 43.182649][ T26] ? _copy_to_iter+0xd14/0x1140
[ 43.187482][ T26] kasan_report+0xbb/0x1f0
[ 43.191943][ T26] ? _copy_to_iter+0xd14/0x1140
[ 43.196772][ T26] kasan_check_range+0x13d/0x180
[ 43.201691][ T26] memcpy+0x39/0x60
[ 43.205475][ T26] _copy_to_iter+0xd14/0x1140
[ 43.210221][ T26] ? _copy_from_iter+0xf40/0xf40
[ 43.215150][ T26] ? pipe_read+0x139/0x1100
[ 43.219640][ T26] ? mutex_lock_io_nested+0x1190/0x1190
[ 43.225171][ T26] ? lock_chain_count+0x20/0x20
[ 43.230008][ T26] ? page_copy_sane+0x28f/0x410
[ 43.234845][ T26] copy_page_to_iter+0xdc/0xa20
[ 43.239685][ T26] pipe_read+0x50a/0x1100
[ 43.244008][ T26] ? pipe_ioctl+0x2b0/0x2b0
[ 43.248500][ T26] ? aa_file_perm+0x595/0x1230
[ 43.253278][ T26] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 43.259331][ T26] __kernel_read+0x2c6/0x7c0
[ 43.263909][ T26] ? __ia32_sys_llseek+0x380/0x380
[ 43.269012][ T26] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 43.274977][ T26] ? fsnotify_perm.part.0+0x221/0x610
[ 43.280440][ T26] ? apparmor_file_permission+0x264/0x4e0
[ 43.286147][ T26] kernel_read+0xbf/0x1c0
[ 43.290464][ T26] p9_read_work+0x2ac/0x1040
[ 43.295043][ T26] ? do_raw_spin_lock+0x120/0x2a0
[ 43.300053][ T26] ? p9_conn_cancel+0x8c0/0x8c0
[ 43.304891][ T26] process_one_work+0x9bf/0x1710
[ 43.309906][ T26] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 43.315268][ T26] ? rwlock_bug.part.0+0x90/0x90
[ 43.320199][ T26] ? _raw_spin_lock_irq+0x41/0x50
[ 43.325218][ T26] worker_thread+0x665/0x1080
[ 43.329885][ T26] ? __kthread_parkme+0x15f/0x220
[ 43.334891][ T26] ? process_one_work+0x1710/0x1710
[ 43.340075][ T26] kthread+0x2e4/0x3a0
[ 43.344127][ T26] ? kthread_complete_and_exit+0x40/0x40
[ 43.349746][ T26] ret_from_fork+0x1f/0x30
[ 43.354154][ T26]
[ 43.357152][ T26]
[ 43.359457][ T26] Allocated by task 3605:
[ 43.363763][ T26] kasan_save_stack+0x1e/0x40
[ 43.368430][ T26] kasan_set_track+0x21/0x30
[ 43.373006][ T26] __kasan_kmalloc+0xa1/0xb0
[ 43.377583][ T26] __kmalloc+0x54/0xc0
[ 43.381633][ T26] p9_fcall_init+0x97/0x210
[ 43.386117][ T26] p9_tag_alloc+0x208/0x840
[ 43.390603][ T26] p9_client_prepare_req+0x177/0x590
[ 43.395869][ T26] p9_client_rpc+0x1a1/0xd70
[ 43.400440][ T26] p9_client_walk+0x19c/0x540
[ 43.405099][ T26] v9fs_vfs_lookup.part.0+0x143/0x5d0
[ 43.410453][ T26] v9fs_vfs_lookup+0x69/0x90
[ 43.415022][ T26] __lookup_hash+0x117/0x180
[ 43.419592][ T26] filename_create+0x1d6/0x4a0
[ 43.424341][ T26] do_mkdirat+0x99/0x310
[ 43.428567][ T26] __x64_sys_mkdir+0xf2/0x140
[ 43.433224][ T26] do_syscall_64+0x35/0xb0
[ 43.437628][ T26] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.443514][ T26]
[ 43.445819][ T26] The buggy address belongs to the object at ffff88807fe97140
[ 43.445819][ T26] which belongs to the cache kmalloc-32 of size 32
[ 43.459679][ T26] The buggy address is located 7 bytes inside of
[ 43.459679][ T26] 32-byte region [ffff88807fe97140, ffff88807fe97160)
[ 43.472670][ T26]
[ 43.474973][ T26] The buggy address belongs to the physical page:
[ 43.481360][ T26] page:ffffea0001ffa5c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7fe97
[ 43.491489][ T26] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 43.499018][ T26] raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888011841500
[ 43.507583][ T26] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 43.516139][ T26] page dumped because: kasan: bad access detected
[ 43.522526][ T26] page_owner tracks the page as allocated
[ 43.528215][ T26] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 2942, tgid 2942 (mount), ts 11035136514, free_ts 10617668505
[ 43.545733][ T26] get_page_from_freelist+0x10b5/0x2d50
[ 43.551264][ T26] __alloc_pages+0x1c7/0x5a0
[ 43.555838][ T26] alloc_pages+0x1a6/0x270
[ 43.560242][ T26] allocate_slab+0x213/0x300
[ 43.564817][ T26] ___slab_alloc+0xa91/0x1400
[ 43.569480][ T26] __slab_alloc.constprop.0+0x56/0xa0
[ 43.574836][ T26] __kmem_cache_alloc_node+0x191/0x3e0
[ 43.580280][ T26] __kmalloc+0x44/0xc0
[ 43.584333][ T26] tomoyo_supervisor+0xcf8/0xf10
[ 43.589260][ T26] tomoyo_path_permission+0x270/0x3a0
[ 43.594620][ T26] tomoyo_check_open_permission+0x33e/0x380
[ 43.600500][ T26] tomoyo_file_open+0x9d/0xc0
[ 43.605157][ T26] security_file_open+0x45/0xb0
[ 43.609988][ T26] do_dentry_open+0x575/0x13f0
[ 43.614735][ T26] path_openat+0x1bf6/0x2860
[ 43.619310][ T26] do_filp_open+0x1b6/0x400
[ 43.623796][ T26] page last free stack trace:
[ 43.628443][ T26] free_pcp_prepare+0x65c/0xd90
[ 43.633283][ T26] free_unref_page+0x19/0x4d0
[ 43.637964][ T26] kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 43.643676][ T26] __apply_to_page_range+0x68c/0x1030
[ 43.649034][ T26] kasan_release_vmalloc+0xa7/0xc0
[ 43.654126][ T26] __purge_vmap_area_lazy+0x885/0x1c50
[ 43.659569][ T26] _vm_unmap_aliases.part.0+0x420/0x550
[ 43.665098][ T26] vm_unmap_aliases+0x45/0x50
[ 43.669762][ T26] change_page_attr_set_clr+0x241/0x500
[ 43.675292][ T26] set_memory_nx+0xb2/0x110
[ 43.679777][ T26] free_init_pages+0x73/0xc0
[ 43.684353][ T26] kernel_init+0x2e/0x1d0
[ 43.688670][ T26] ret_from_fork+0x1f/0x30
[ 43.693074][ T26]
[ 43.695377][ T26] Memory state around the buggy address:
[ 43.700995][ T26] ffff88807fe97000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 43.709135][ T26] ffff88807fe97080: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 43.717181][ T26] >ffff88807fe97100: fa fb fb fb fc fc fc fc 00 00 06 fc fc fc fc fc
[ 43.725225][ T26] ^
[ 43.731874][ T26] ffff88807fe97180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 43.739912][ T26] ffff88807fe97200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 43.747949][ T26] ==================================================================
[ 43.756848][ T26] Kernel panic - not syncing: panic_on_warn set ...
[ 43.763436][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.1.0-rc3-syzkaller-00158-gee6050c8af96 #0
[ 43.773330][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 43.783363][ T26] Workqueue: events p9_read_work
[ 43.788290][ T26] Call Trace:
[ 43.791545][ T26]
[ 43.794450][ T26] dump_stack_lvl+0xcd/0x134
[ 43.799022][ T26] panic+0x2c8/0x622
[ 43.802898][ T26] ? panic_print_sys_info.part.0+0x110/0x110
[ 43.808948][ T26] ? preempt_schedule_common+0x59/0xc0
[ 43.814383][ T26] ? preempt_schedule_thunk+0x16/0x18
[ 43.819743][ T26] end_report.part.0+0x3f/0x7c
[ 43.824482][ T26] ? _copy_to_iter+0xd14/0x1140
[ 43.829402][ T26] kasan_report.cold+0xa/0xf
[ 43.834146][ T26] ? _copy_to_iter+0xd14/0x1140
[ 43.838977][ T26] kasan_check_range+0x13d/0x180
[ 43.843987][ T26] memcpy+0x39/0x60
[ 43.847771][ T26] _copy_to_iter+0xd14/0x1140
[ 43.852426][ T26] ? _copy_from_iter+0xf40/0xf40
[ 43.857345][ T26] ? pipe_read+0x139/0x1100
[ 43.861840][ T26] ? mutex_lock_io_nested+0x1190/0x1190
[ 43.867368][ T26] ? lock_chain_count+0x20/0x20
[ 43.872207][ T26] ? page_copy_sane+0x28f/0x410
[ 43.877042][ T26] copy_page_to_iter+0xdc/0xa20
[ 43.881881][ T26] pipe_read+0x50a/0x1100
[ 43.886209][ T26] ? pipe_ioctl+0x2b0/0x2b0
[ 43.890701][ T26] ? aa_file_perm+0x595/0x1230
[ 43.895455][ T26] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 43.901510][ T26] __kernel_read+0x2c6/0x7c0
[ 43.906106][ T26] ? __ia32_sys_llseek+0x380/0x380
[ 43.911210][ T26] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 43.917176][ T26] ? fsnotify_perm.part.0+0x221/0x610
[ 43.922541][ T26] ? apparmor_file_permission+0x264/0x4e0
[ 43.928246][ T26] kernel_read+0xbf/0x1c0
[ 43.932563][ T26] p9_read_work+0x2ac/0x1040
[ 43.937140][ T26] ? do_raw_spin_lock+0x120/0x2a0
[ 43.942149][ T26] ? p9_conn_cancel+0x8c0/0x8c0
[ 43.946988][ T26] process_one_work+0x9bf/0x1710
[ 43.951916][ T26] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 43.957361][ T26] ? rwlock_bug.part.0+0x90/0x90
[ 43.962284][ T26] ? _raw_spin_lock_irq+0x41/0x50
[ 43.967296][ T26] worker_thread+0x665/0x1080
[ 43.971963][ T26] ? __kthread_parkme+0x15f/0x220
[ 43.976971][ T26] ? process_one_work+0x1710/0x1710
[ 43.982160][ T26] kthread+0x2e4/0x3a0
[ 43.986221][ T26] ? kthread_complete_and_exit+0x40/0x40
[ 43.991837][ T26] ret_from_fork+0x1f/0x30
[ 43.996247][ T26]
[ 44.000240][ T26] Kernel Offset: disabled
[ 44.004547][ T26] Rebooting in 86400 seconds..