Warning: Permanently added '10.128.0.22' (ED25519) to the list of known hosts.
[ 38.728033][ T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 38.730517][ T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 38.732768][ T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 38.738163][ T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 38.740624][ T50] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 38.742566][ T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 38.782054][ T6160] jffs2: notice: (6160) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 38.846829][ T6166] ==================================================================
[ 38.848927][ T6166] BUG: KASAN: slab-use-after-free in __mutex_lock_common+0x100/0x21a0
[ 38.851046][ T6166] Read of size 8 at addr ffff0000cf938130 by task jffs2_gcd_mtd0/6166
[ 38.853145][ T6166]
[ 38.853724][ T6166] CPU: 0 PID: 6166 Comm: jffs2_gcd_mtd0 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 38.856173][ T6166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 38.858845][ T6166] Call trace:
[ 38.859647][ T6166]  dump_backtrace+0x1b8/0x1e4
[ 38.860836][ T6166]  show_stack+0x2c/0x3c
[ 38.861967][ T6166]  dump_stack_lvl+0xd0/0x124
[ 38.863176][ T6166]  print_report+0x178/0x518
[ 38.864372][ T6166]  kasan_report+0xd8/0x138
[ 38.865587][ T6166]  __asan_report_load8_noabort+0x20/0x2c
[ 38.867065][ T6166]  __mutex_lock_common+0x100/0x21a0
[ 38.868424][ T6166]  mutex_lock_interruptible_nested+0x2c/0x38
[ 38.870032][ T6166]  jffs2_garbage_collect_pass+0xa4/0x1a50
[ 38.871546][ T6166]  jffs2_garbage_collect_thread+0x414/0x48c
[ 38.873113][ T6166]  kthread+0x288/0x310
[ 38.874077][ T6166]  ret_from_fork+0x10/0x20
[ 38.875283][ T6166]
[ 38.875873][ T6166] Allocated by task 6160:
[ 38.877054][ T6166]  kasan_save_track+0x40/0x78
[ 38.878267][ T6166]  kasan_save_alloc_info+0x40/0x50
[ 38.879672][ T6166]  __kasan_kmalloc+0xac/0xc4
[ 38.880895][ T6166]  kmalloc_trace+0x26c/0x49c
[ 38.882123][ T6166]  jffs2_init_fs_context+0x58/0xc8
[ 38.883449][ T6166]  alloc_fs_context+0x514/0x7a4
[ 38.884678][ T6166]  fs_context_for_mount+0x34/0x44
[ 38.886034][ T6166]  do_new_mount+0x14c/0x900
[ 38.887208][ T6166]  path_mount+0x590/0xe04
[ 38.888377][ T6166]  __arm64_sys_mount+0x45c/0x594
[ 38.889681][ T6166]  invoke_syscall+0x98/0x2b8
[ 38.890824][ T6166]  el0_svc_common+0x130/0x23c
[ 38.892086][ T6166]  do_el0_svc+0x48/0x58
[ 38.893187][ T6166]  el0_svc+0x54/0x168
[ 38.894218][ T6166]  el0t_64_sync_handler+0x84/0xfc
[ 38.895534][ T6166]  el0t_64_sync+0x190/0x194
[ 38.896722][ T6166]
[ 38.897371][ T6166] Freed by task 6160:
[ 38.898450][ T6166]  kasan_save_track+0x40/0x78
[ 38.899659][ T6166]  kasan_save_free_info+0x54/0x6c
[ 38.900977][ T6166]  poison_slab_object+0x124/0x18c
[ 38.902356][ T6166]  __kasan_slab_free+0x3c/0x70
[ 38.903610][ T6166]  kfree+0x144/0x3cc
[ 38.904679][ T6166]  jffs2_kill_sb+0x9c/0xb0
[ 38.905892][ T6166]  deactivate_locked_super+0xc4/0x12c
[ 38.907369][ T6166]  deactivate_super+0xe0/0x100
[ 38.908659][ T6166]  cleanup_mnt+0x34c/0x3dc
[ 38.909791][ T6166]  __cleanup_mnt+0x20/0x30
[ 38.910917][ T6166]  task_work_run+0x230/0x2e0
[ 38.912108][ T6166]  do_exit+0x618/0x1f64
[ 38.913191][ T6166]  do_group_exit+0x194/0x22c
[ 38.914418][ T6166]  pid_child_should_wake+0x0/0x1dc
[ 38.915784][ T6166]  invoke_syscall+0x98/0x2b8
[ 38.916987][ T6166]  el0_svc_common+0x130/0x23c
[ 38.918187][ T6166]  do_el0_svc+0x48/0x58
[ 38.919256][ T6166]  el0_svc+0x54/0x168
[ 38.920359][ T6166]  el0t_64_sync_handler+0x84/0xfc
[ 38.921668][ T6166]  el0t_64_sync+0x190/0x194
[ 38.922835][ T6166]
[ 38.923427][ T6166] The buggy address belongs to the object at ffff0000cf938000
[ 38.923427][ T6166]  which belongs to the cache kmalloc-4k of size 4096
[ 38.927077][ T6166] The buggy address is located 304 bytes inside of
[ 38.927077][ T6166]  freed 4096-byte region [ffff0000cf938000, ffff0000cf939000)
[ 38.930687][ T6166]
[ 38.931319][ T6166] The buggy address belongs to the physical page:
[ 38.932985][ T6166] page:000000006cff1ed1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f938
[ 38.935640][ T6166] head:000000006cff1ed1 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 38.937985][ T6166] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 38.940099][ T6166] page_type: 0xffffffff()
[ 38.941262][ T6166] raw: 05ffc00000000840 ffff0000c0002140 dead000000000122 0000000000000000
[ 38.943529][ T6166] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 38.945836][ T6166] page dumped because: kasan: bad access detected
[ 38.947474][ T6166]
[ 38.948101][ T6166] Memory state around the buggy address:
[ 38.949601][ T6166]  ffff0000cf938000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.951605][ T6166]  ffff0000cf938080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.953747][ T6166] >ffff0000cf938100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.955851][ T6166]                                      ^
[ 38.957356][ T6166]  ffff0000cf938180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.959498][ T6166]  ffff0000cf938200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.961621][ T6166] ==================================================================
[ 38.963814][ T6166] Disabling lock debugging due to kernel taint
[ 38.965426][ T6166] jffs2: Erase at 0x0001e000 failed immediately: errno -524
[ 38.967314][ T6166] jffs2: Erase at 0x0001d000 failed immediately: errno -524
[ 38.969133][ T6166] jffs2: Erase at 0x0001c000 failed immediately: errno -524
[ 38.971116][ T6166] jffs2: Erase at 0x0001b000 failed immediately: errno -524
[ 38.972971][ T6166] jffs2: Erase at 0x0001a000 failed immediately: errno -524
[ 38.974847][ T6166] jffs2: Erase at 0x00019000 failed immediately: errno -524
[ 38.977124][ T6166] jffs2: Erase at 0x00018000 failed immediately: errno -524
[ 38.979031][ T6166] jffs2: Erase at 0x00017000 failed immediately: errno -524
[ 38.980982][ T6166] jffs2: Erase at 0x00016000 failed immediately: errno -524
[ 38.982903][ T6166] jffs2: Erase at 0x00015000 failed immediately: errno -524
[ 38.984837][ T6166] jffs2: Erase at 0x00014000 failed immediately: errno -524
[ 38.986778][ T6166] jffs2: Erase at 0x00013000 failed immediately: errno -524
[ 38.988636][ T6166] jffs2: Erase at 0x00012000 failed immediately: errno -524
[ 38.990593][ T6166] jffs2: Erase at 0x00011000 failed immediately: errno -524
[ 38.992480][ T6166] jffs2: Erase at 0x00010000 failed immediately: errno -524
[ 38.994389][ T6166] jffs2: Erase at 0x0000f000 failed immediately: errno -524
[ 38.996222][ T6166] jffs2: Erase at 0x0000e000 failed immediately: errno -524
[ 38.998251][ T6166] jffs2: Erase at 0x0000d000 failed immediately: errno -524
[ 39.000060][ T6166] jffs2: Erase at 0x0000c000 failed immediately: errno -524
[ 39.001936][ T6166] jffs2: Erase at 0x0000b000 failed immediately: errno -524
[ 39.003804][ T6166] jffs2: Erase at 0x0000a000 failed immediately: errno -524
[ 39.005583][ T6166] jffs2: Erase at 0x00009000 failed immediately: errno -524
[ 39.007502][ T6166] jffs2: Erase at 0x00008000 failed immediately: errno -524
[ 39.009467][ T6166] jffs2: Erase at 0x00007000 failed immediately: errno -524
[ 39.011343][ T6166] jffs2: Erase at 0x00006000 failed immediately: errno -524
[ 39.013201][ T6166] jffs2: Erase at 0x00005000 failed immediately: errno -524
[ 39.015029][ T6166] jffs2: Erase at 0x00004000 failed immediately: errno -524
[ 39.016903][ T6166] jffs2: Erase at 0x00003000 failed immediately: errno -524
[ 39.018788][ T6166] jffs2: Erase at 0x00002000 failed immediately: errno -524
[ 39.020622][ T6166] list_del corruption. next->prev should be ffff0000cf93c048, but was 064802db00001810. (next=ffff0000cf93c000)
[ 39.023940][ T6166] ------------[ cut here ]------------
[ 39.025318][ T6166] kernel BUG at lib/list_debug.c:67!
[ 39.026660][ T6166] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ 39.028587][ T6166] Modules linked in:
[ 39.029596][ T6166] CPU: 0 PID: 6166 Comm: jffs2_gcd_mtd0 Tainted: G B 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 39.032570][ T6166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 39.035075][ T6166] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 39.037127][ T6166] pc : __list_del_entry_valid_or_report+0x154/0x158
[ 39.038929][ T6166] lr : __list_del_entry_valid_or_report+0x154/0x158
[ 39.040644][ T6166] sp : ffff800097877870
[ 39.041762][ T6166] x29: ffff800097877870 x28: ffff0000cf938000 x27: ffff0000cf9383a8
[ 39.043886][ T6166] x26: ffff0000cf93c048 x25: dfff800000000000 x24: ffff0000cf938170
[ 39.046038][ T6166] x23: ffff0000cf938278 x22: dfff800000000000 x21: ffff0000cf93c008
[ 39.048183][ T6166] x20: ffff0000cf93c000 x19: ffff0000cf93c048 x18: 1fffe000367fff96
[ 39.050182][ T6166] x17: 20747562202c3834 x16: ffff80008ad6b09c x15: 0000000000000001
[ 39.052278][ T6166] x14: 1fffe00036800002 x13: 0000000000000000 x12: 0000000000000000
[ 39.054387][ T6166] x11: 0000000000000002 x10: 0000000000ff0100 x9 : 51a7a8d1f1eeb600
[ 39.056379][ T6166] x8 : 51a7a8d1f1eeb600 x7 : 0000000000000001 x6 : 0000000000000001
[ 39.058539][ T6166] x5 : ffff800097877178 x4 : ffff80008ed822c0 x3 : ffff8000805ba130
[ 39.060713][ T6166] x2 : 0000000000000001 x1 : 0000000100000001 x0 : 000000000000006d
[ 39.062859][ T6166] Call trace:
[ 39.063725][ T6166]  __list_del_entry_valid_or_report+0x154/0x158
[ 39.065351][ T6166]  jffs2_erase_pending_blocks+0x33c/0x1fcc
[ 39.066893][ T6166]  jffs2_garbage_collect_pass+0x554/0x1a50
[ 39.068437][ T6166]  jffs2_garbage_collect_thread+0x414/0x48c
[ 39.070011][ T6166]  kthread+0x288/0x310
[ 39.071119][ T6166]  ret_from_fork+0x10/0x20
[ 39.072277][ T6166] Code: 91330000 aa1303e1 aa1403e3 95f68c3c (d4210000)
[ 39.074138][ T6166] ---[ end trace 0000000000000000 ]---
[ 39.427181][ T6166] Kernel panic - not syncing: Oops - BUG: Fatal exception
[ 39.429064][ T6166] SMP: stopping secondary CPUs
[ 39.430318][ T6166] Kernel Offset: disabled
[ 39.431468][ T6166] CPU features: 0x0,00000081,c0080094,42017203
[ 39.433050][ T6166] Memory Limit: none
[ 39.771789][ T6166] Rebooting in 86400 seconds..