./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2177146853 <...> Warning: Permanently added '10.128.0.97' (ED25519) to the list of known hosts. execve("./syz-executor2177146853", ["./syz-executor2177146853"], 0x7ffdb402e920 /* 10 vars */) = 0 brk(NULL) = 0x555589277000 brk(0x555589277d40) = 0x555589277d40 arch_prctl(ARCH_SET_FS, 0x5555892773c0) = 0 set_tid_address(0x555589277690) = 5835 set_robust_list(0x5555892776a0, 24) = 0 rseq(0x555589277ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2177146853", 4096) = 28 getrandom("\xfb\x6f\xce\xc7\xdd\x5d\xff\x71", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555589277d40 brk(0x555589298d40) = 0x555589298d40 brk(0x555589299000) = 0x555589299000 mprotect(0x7fa47c266000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3 [ 70.769293][ T29] audit: type=1400 audit(1732705886.525:88): avc: denied { execmem } for pid=5835 comm="syz-executor217" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3executing program ) = 0 write(1, "executing program\n", 18) = 18 futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fa47c20cc60, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa47c1fe9c0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa47c17b000 mprotect(0x7fa47c17c000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa47c19b990, parent_tid=0x7fa47c19b990, exit_signal=0, stack=0x7fa47c17b000, stack_size=0x20300, tls=0x7fa47c19b6c0}./strace-static-x86_64: Process 5836 attached [pid 5836] rseq(0x7fa47c19bfe0, 0x20, 0, 0x53053053 [pid 5835] <... clone3 resumed> => {parent_tid=[5836]}, 88) = 5836 [pid 5836] <... rseq resumed>) = 0 [pid 5835] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5836] set_robust_list(0x7fa47c19b9a0, 24) = 0 [pid 5836] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] mknod("./file0", 000 [pid 5835] <... futex resumed>) = 0 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5836] <... mknod resumed>) = 0 [pid 5836] futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5835] <... futex resumed>) = 0 [pid 5836] <... futex resumed>) = 1 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5836] openat(AT_FDCWD, "/dev/fuse", O_RDWR|O_CREAT, 000 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5836] <... openat resumed>) = 3 [pid 5836] futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5835] <... futex resumed>) = 0 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5836] <... futex resumed>) = 1 [pid 5836] mount(NULL, "./file0", "fuse", 0, "fd=0x0000000000000003,rootmode=00000000000000000100000,user_id=00000000000000000000,group_id=0000000"...) = 0 [pid 5836] futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5836] futex(0x7fa47c26c3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5835] <... futex resumed>) = 0 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5836] <... futex resumed>) = 0 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5836] read(3, "\x68\x00\x00\x00\x1a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x29\x00\x00\x00\x00\x00\x02\x00\xfb\xff\xff\x73\xdf\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8224) = 104 [pid 5836] futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5835] <... futex resumed>) = 0 [pid 5836] <... futex resumed>) = 1 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] write(3, "\x50\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 80 [pid 5835] <... futex resumed>) = 0 [pid 5836] <... write resumed>) = 80 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5836] futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5835] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5836] <... futex resumed>) = 0 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] read(3, [pid 5835] <... futex resumed>) = 0 [ 70.894773][ T29] audit: type=1400 audit(1732705886.655:89): avc: denied { read write } for pid=5835 comm="syz-executor217" name="fuse" dev="devtmpfs" ino=99 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 70.919030][ T29] audit: type=1400 audit(1732705886.655:90): avc: denied { open } for pid=5835 comm="syz-executor217" path="/dev/fuse" dev="devtmpfs" ino=99 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5835] futex(0x7fa47c26c3fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 70.943236][ T29] audit: type=1400 audit(1732705886.665:91): avc: denied { mounton } for pid=5835 comm="syz-executor217" path="/root/file0" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=file permissive=1 [ 70.966153][ T29] audit: type=1400 audit(1732705886.675:92): avc: denied { mount } for pid=5835 comm="syz-executor217" name="/" dev="fuse" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [pid 5835] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa47c15a000 [pid 5835] mprotect(0x7fa47c15b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5835] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5835] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fa47c17a990, parent_tid=0x7fa47c17a990, exit_signal=0, stack=0x7fa47c15a000, stack_size=0x20300, tls=0x7fa47c17a6c0}./strace-static-x86_64: Process 5838 attached [pid 5838] rseq(0x7fa47c17afe0, 0x20, 0, 0x53053053) = 0 [pid 5835] <... clone3 resumed> => {parent_tid=[5838]}, 88) = 5838 [pid 5838] set_robust_list(0x7fa47c17a9a0, 24 [pid 5835] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5838] <... set_robust_list resumed>) = 0 [pid 5835] futex(0x7fa47c26c3f8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5838] rt_sigprocmask(SIG_SETMASK, [], [pid 5835] <... futex resumed>) = 0 [pid 5838] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5835] futex(0x7fa47c26c3fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5838] openat(AT_FDCWD, "./file0", O_WRONLY|O_APPEND|O_NONBLOCK|O_DIRECT|O_NOFOLLOW [pid 5836] <... read resumed>"\x30\x00\x00\x00\x0e\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xce\x16\x00\x00\x00\x00\x00\x00\x01\xcc\x02\x00\x00\x00\x00\x00", 8192) = 48 [pid 5836] write(3, "\x20\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00", 32) = 32 [pid 5838] <... openat resumed>) = 4 [pid 5836] futex(0x7fa47c26c3ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 5838] futex(0x7fa47c26c3fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5836] <... futex resumed>) = 0 [pid 5836] futex(0x7fa47c26c3e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5835] <... futex resumed>) = 0 [pid 5838] <... futex resumed>) = 1 [pid 5835] futex(0x7fa47c26c3e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5838] futex(0x7fa47c26c3f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5836] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5835] <... futex resumed>) = 0 [pid 5835] futex(0x7fa47c26c3ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5836] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 5 [pid 5836] write(5, "3", 1) = 1 [ 71.089352][ T5836] FAULT_INJECTION: forcing a failure. [ 71.089352][ T5836] name failslab, interval 1, probability 0, space 0, times 1 [ 71.102240][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: syz-executor217 Not tainted 6.12.0-syzkaller-09734-g445d9f05fa14 #0 [ 71.112993][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 71.123034][ T5836] Call Trace: [ 71.126360][ T5836] [ 71.129268][ T5836] dump_stack_lvl+0x16c/0x1f0 [ 71.133994][ T5836] should_fail_ex+0x497/0x5b0 [ 71.138687][ T5836] ? fs_reclaim_acquire+0xae/0x150 [ 71.143843][ T5836] should_failslab+0xc2/0x120 [ 71.148510][ T5836] __kmalloc_noprof+0xcb/0x510 [ 71.153275][ T5836] ? kasan_save_track+0x14/0x30 [ 71.158112][ T5836] fuse_direct_io+0x5b3/0x2580 [ 71.162880][ T5836] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 71.168530][ T5836] ? __pfx_fuse_direct_io+0x10/0x10 [ 71.173718][ T5836] ? __pfx_generic_write_checks+0x10/0x10 [ 71.179434][ T5836] fuse_direct_write_iter+0x64f/0x830 [ 71.184787][ T5836] ? __pfx_fuse_direct_write_iter+0x10/0x10 [ 71.190668][ T5836] ? __pfx___lock_acquire+0x10/0x10 [ 71.195846][ T5836] fuse_file_write_iter+0x66e/0x8c0 [ 71.201023][ T5836] do_iter_readv_writev+0x532/0x7f0 [ 71.206204][ T5836] ? __pfx_do_iter_readv_writev+0x10/0x10 [ 71.211901][ T5836] ? rcu_is_watching+0x12/0xc0 [ 71.216664][ T5836] ? do_writev+0x133/0x340 [ 71.221059][ T5836] vfs_writev+0x363/0xdd0 [ 71.225363][ T5836] ? fdget_pos+0x267/0x390 [ 71.229770][ T5836] ? rcu_is_watching+0x12/0xc0 [ 71.234514][ T5836] ? __pfx_vfs_writev+0x10/0x10 [ 71.239336][ T5836] ? __mutex_lock+0x1cc/0xa60 [ 71.244009][ T5836] ? find_held_lock+0x2d/0x110 [ 71.248757][ T5836] ? __pfx___mutex_lock+0x10/0x10 [ 71.254205][ T5836] ? trace_lock_acquire+0x146/0x1e0 [ 71.259388][ T5836] ? __fget_files+0x206/0x3a0 [ 71.264044][ T5836] ? do_writev+0x133/0x340 [ 71.268438][ T5836] do_writev+0x133/0x340 [ 71.272663][ T5836] ? __pfx_do_writev+0x10/0x10 [ 71.277400][ T5836] ? _raw_spin_unlock_irq+0x2e/0x50 [ 71.282588][ T5836] ? ptrace_notify+0xf1/0x130 [ 71.287266][ T5836] do_syscall_64+0xcd/0x250 [ 71.291754][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.297645][ T5836] RIP: 0033:0x7fa47c1e71b9 [ 71.302059][ T5836] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 71.321647][ T5836] RSP: 002b:00007fa47c19b208 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 [ 71.330044][ T5836] RAX: ffffffffffffffda RBX: 00007fa47c26c3e8 RCX: 00007fa47c1e71b9 [pid 5836] writev(4, [{iov_base="\xa1", iov_len=1}, {iov_base=NULL, iov_len=0}], 2 [pid 5835] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 71.337991][ T5836] RDX: 0000000000000002 RSI: 0000000020000180 RDI: 0000000000000004 [ 71.345944][ T5836] RBP: 00007fa47c26c3e0 R08: 00007fa47c19afa7 R09: 0000000000000033 [ 71.353894][ T5836] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa47c239064 [ 71.361841][ T5836] R13: 00007fa47c19b210 R14: 0000000000000001 R15: 0030656c69662f2e [ 71.369801][ T5836] [pid 5835] exit_group(0) = ? [pid 5838] <... futex resumed>) = ? [pid 5838] +++ exited with 0 +++ [ 71.512189][ T5836] ================================================================== [ 71.520274][ T5836] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x561/0x5a0 [ 71.528005][ T5836] Read of size 8 at addr ffffc90002ee7d78 by task syz-executor217/5836 [ 71.536230][ T5836] [ 71.538540][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: syz-executor217 Not tainted 6.12.0-syzkaller-09734-g445d9f05fa14 #0 [ 71.549279][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 71.559375][ T5836] Call Trace: [ 71.562636][ T5836] [ 71.565569][ T5836] dump_stack_lvl+0x116/0x1f0 [ 71.570244][ T5836] print_report+0xc3/0x620 [ 71.574645][ T5836] ? __virt_addr_valid+0x5e/0x590 [ 71.579663][ T5836] kasan_report+0xd9/0x110 [ 71.584059][ T5836] ? iov_iter_revert+0x561/0x5a0 [ 71.588994][ T5836] ? iov_iter_revert+0x561/0x5a0 [ 71.593972][ T5836] iov_iter_revert+0x561/0x5a0 [ 71.598732][ T5836] fuse_direct_io+0xf0e/0x2580 [ 71.603484][ T5836] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 71.609101][ T5836] ? __pfx_fuse_direct_io+0x10/0x10 [ 71.614277][ T5836] ? __pfx_generic_write_checks+0x10/0x10 [ 71.619977][ T5836] fuse_direct_write_iter+0x64f/0x830 [ 71.625325][ T5836] ? __pfx_fuse_direct_write_iter+0x10/0x10 [ 71.631219][ T5836] ? __pfx___lock_acquire+0x10/0x10 [ 71.636395][ T5836] fuse_file_write_iter+0x66e/0x8c0 [ 71.641572][ T5836] do_iter_readv_writev+0x532/0x7f0 [ 71.646750][ T5836] ? __pfx_do_iter_readv_writev+0x10/0x10 [ 71.652456][ T5836] ? rcu_is_watching+0x12/0xc0 [ 71.657199][ T5836] ? do_writev+0x133/0x340 [ 71.661616][ T5836] vfs_writev+0x363/0xdd0 [ 71.665937][ T5836] ? fdget_pos+0x267/0x390 [ 71.670342][ T5836] ? rcu_is_watching+0x12/0xc0 [ 71.675091][ T5836] ? __pfx_vfs_writev+0x10/0x10 [ 71.679917][ T5836] ? __mutex_lock+0x1cc/0xa60 [ 71.684595][ T5836] ? find_held_lock+0x2d/0x110 [ 71.689362][ T5836] ? __pfx___mutex_lock+0x10/0x10 [ 71.694365][ T5836] ? trace_lock_acquire+0x146/0x1e0 [ 71.699553][ T5836] ? __fget_files+0x206/0x3a0 [ 71.704214][ T5836] ? do_writev+0x133/0x340 [ 71.708601][ T5836] do_writev+0x133/0x340 [ 71.712817][ T5836] ? __pfx_do_writev+0x10/0x10 [ 71.717551][ T5836] ? _raw_spin_unlock_irq+0x2e/0x50 [ 71.722727][ T5836] ? ptrace_notify+0xf1/0x130 [ 71.727390][ T5836] do_syscall_64+0xcd/0x250 [ 71.731869][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.737740][ T5836] RIP: 0033:0x7fa47c1e71b9 [ 71.742127][ T5836] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 71.761793][ T5836] RSP: 002b:00007fa47c19b208 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 [ 71.770176][ T5836] RAX: ffffffffffffffda RBX: 00007fa47c26c3e8 RCX: 00007fa47c1e71b9 [ 71.778122][ T5836] RDX: 0000000000000002 RSI: 0000000020000180 RDI: 0000000000000004 [ 71.786064][ T5836] RBP: 00007fa47c26c3e0 R08: 00007fa47c19afa7 R09: 0000000000000033 [ 71.794010][ T5836] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa47c239064 [ 71.801962][ T5836] R13: 00007fa47c19b210 R14: 0000000000000001 R15: 0030656c69662f2e [ 71.809927][ T5836] [ 71.812933][ T5836] [ 71.815286][ T5836] The buggy address belongs to stack of task syz-executor217/5836 [ 71.823059][ T5836] and is located at offset 152 in frame: [ 71.828790][ T5836] vfs_writev+0x0/0xdd0 [ 71.832937][ T5836] [ 71.835238][ T5836] This frame has 3 objects: [ 71.839728][ T5836] [48, 56) 'iov' [ 71.839737][ T5836] [80, 120) 'iter' [ 71.843342][ T5836] [160, 288) 'iovstack' [ 71.847117][ T5836] [ 71.853638][ T5836] The buggy address belongs to the virtual mapping at [ 71.853638][ T5836] [ffffc90002ee0000, ffffc90002ee9000) created by: [ 71.853638][ T5836] kernel_clone+0xfd/0x960 [ 71.871071][ T5836] [ 71.873381][ T5836] The buggy address belongs to the physical page: [ 71.879765][ T5836] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f15b [ 71.888603][ T5836] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 71.895699][ T5836] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 71.904252][ T5836] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 71.912803][ T5836] page dumped because: kasan: bad access detected [ 71.919192][ T5836] page_owner tracks the page as allocated [ 71.924876][ T5836] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5824, tgid 5824 (sshd), ts 62065641502, free_ts 61480318731 [ 71.943357][ T5836] post_alloc_hook+0x2d1/0x350 [ 71.948097][ T5836] get_page_from_freelist+0xfce/0x2f80 [ 71.953534][ T5836] __alloc_pages_noprof+0x223/0x25a0 [ 71.958807][ T5836] alloc_pages_mpol_noprof+0x2c9/0x610 [ 71.964245][ T5836] __vmalloc_node_range_noprof+0x724/0x1530 [ 71.970115][ T5836] copy_process+0x2f0a/0x8cc0 [ 71.974769][ T5836] kernel_clone+0xfd/0x960 [ 71.979175][ T5836] __do_sys_clone+0xba/0x100 [ 71.983739][ T5836] do_syscall_64+0xcd/0x250 [ 71.988220][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.994090][ T5836] page last free pid 5823 tgid 5823 stack trace: [ 72.000398][ T5836] free_unref_page+0x661/0x1080 [ 72.005236][ T5836] __folio_put+0x32a/0x450 [ 72.009655][ T5836] put_page+0x21e/0x280 [ 72.013802][ T5836] anon_pipe_buf_release+0x11a/0x240 [ 72.019077][ T5836] pipe_read+0x641/0x13f0 [ 72.023391][ T5836] vfs_read+0xa4c/0xbe0 [ 72.027521][ T5836] ksys_read+0x207/0x250 [ 72.031740][ T5836] do_syscall_64+0xcd/0x250 [ 72.036230][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.042101][ T5836] [ 72.044414][ T5836] Memory state around the buggy address: [ 72.050034][ T5836] ffffc90002ee7c00: 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 [ 72.058066][ T5836] ffffc90002ee7c80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 72.066113][ T5836] >ffffc90002ee7d00: f1 f1 00 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 [ 72.074144][ T5836] ^ [ 72.082114][ T5836] ffffc90002ee7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 72.090203][ T5836] ffffc90002ee7e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 [ 72.098252][ T5836] ================================================================== [ 72.106786][ T5836] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 72.114003][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: syz-executor217 Not tainted 6.12.0-syzkaller-09734-g445d9f05fa14 #0 [ 72.124760][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 72.134799][ T5836] Call Trace: [ 72.138066][ T5836] [ 72.140987][ T5836] dump_stack_lvl+0x3d/0x1f0 [ 72.145572][ T5836] panic+0x71d/0x800 [ 72.149463][ T5836] ? __pfx_panic+0x10/0x10 [ 72.153870][ T5836] ? preempt_schedule_thunk+0x1a/0x30 [ 72.159244][ T5836] ? preempt_schedule_common+0x44/0xc0 [ 72.164693][ T5836] ? check_panic_on_warn+0x1f/0xb0 [ 72.169793][ T5836] check_panic_on_warn+0xab/0xb0 [ 72.174720][ T5836] end_report+0x117/0x180 [ 72.179041][ T5836] kasan_report+0xe9/0x110 [ 72.183446][ T5836] ? iov_iter_revert+0x561/0x5a0 [ 72.188370][ T5836] ? iov_iter_revert+0x561/0x5a0 [ 72.193293][ T5836] iov_iter_revert+0x561/0x5a0 [ 72.198041][ T5836] fuse_direct_io+0xf0e/0x2580 [ 72.202795][ T5836] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 72.208420][ T5836] ? __pfx_fuse_direct_io+0x10/0x10 [ 72.213606][ T5836] ? __pfx_generic_write_checks+0x10/0x10 [ 72.219333][ T5836] fuse_direct_write_iter+0x64f/0x830 [ 72.224693][ T5836] ? __pfx_fuse_direct_write_iter+0x10/0x10 [ 72.230578][ T5836] ? __pfx___lock_acquire+0x10/0x10 [ 72.235782][ T5836] fuse_file_write_iter+0x66e/0x8c0 [ 72.240970][ T5836] do_iter_readv_writev+0x532/0x7f0 [ 72.246204][ T5836] ? __pfx_do_iter_readv_writev+0x10/0x10 [ 72.251917][ T5836] ? rcu_is_watching+0x12/0xc0 [ 72.256672][ T5836] ? do_writev+0x133/0x340 [ 72.261071][ T5836] vfs_writev+0x363/0xdd0 [ 72.265391][ T5836] ? fdget_pos+0x267/0x390 [ 72.269794][ T5836] ? rcu_is_watching+0x12/0xc0 [ 72.274551][ T5836] ? __pfx_vfs_writev+0x10/0x10 [ 72.279383][ T5836] ? __mutex_lock+0x1cc/0xa60 [ 72.284051][ T5836] ? find_held_lock+0x2d/0x110 [ 72.288806][ T5836] ? __pfx___mutex_lock+0x10/0x10 [ 72.293821][ T5836] ? trace_lock_acquire+0x146/0x1e0 [ 72.299013][ T5836] ? __fget_files+0x206/0x3a0 [ 72.303680][ T5836] ? do_writev+0x133/0x340 [ 72.308078][ T5836] do_writev+0x133/0x340 [ 72.312320][ T5836] ? __pfx_do_writev+0x10/0x10 [ 72.317104][ T5836] ? _raw_spin_unlock_irq+0x2e/0x50 [ 72.322297][ T5836] ? ptrace_notify+0xf1/0x130 [ 72.326980][ T5836] do_syscall_64+0xcd/0x250 [ 72.331489][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.337450][ T5836] RIP: 0033:0x7fa47c1e71b9 [ 72.341857][ T5836] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 72.361465][ T5836] RSP: 002b:00007fa47c19b208 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 [ 72.369867][ T5836] RAX: ffffffffffffffda RBX: 00007fa47c26c3e8 RCX: 00007fa47c1e71b9 [ 72.377824][ T5836] RDX: 0000000000000002 RSI: 0000000020000180 RDI: 0000000000000004 [ 72.385783][ T5836] RBP: 00007fa47c26c3e0 R08: 00007fa47c19afa7 R09: 0000000000000033 [ 72.393741][ T5836] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa47c239064 [ 72.401698][ T5836] R13: 00007fa47c19b210 R14: 0000000000000001 R15: 0030656c69662f2e [ 72.409682][ T5836] [ 72.412938][ T5836] Kernel Offset: disabled [ 72.417251][ T5836] Rebooting in 86400 seconds..