./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor40975600
<...>
DUID 00:04:f8:b5:8a:47:ae:09:95:3a:43:2d:d7:42:86:31:94:89
forked to background, child pid 4661
[ 38.792942][ T4662] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.805729][ T4662] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
execve("./syz-executor40975600", ["./syz-executor40975600"], 0x7ffe1bf5ce10 /* 10 vars */) = 0
brk(NULL) = 0x555556377000
brk(0x555556377c40) = 0x555556377c40
arch_prctl(ARCH_SET_FS, 0x555556377300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor40975600", 4096) = 26
brk(0x555556398c40) = 0x555556398c40
brk(0x555556399000) = 0x555556399000
mprotect(0x7f2576478000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 4997
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11) = 11
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2) = 2
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7) = 7
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "4997", 4) = 4
close(3) = 0
getpid() = 4997
mkdir("./syzkaller.NQxmh2", 0700) = 0
chmod("./syzkaller.NQxmh2", 0777) = 0
chdir("./syzkaller.NQxmh2") = 0
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f256dfbd000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
munmap(0x7f256dfbd000, 4194304) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
syzkaller login: [ 65.337829][ T4997] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4997 'syz-executor409'
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./file0", 0777) = 0
[ 65.389778][ T4997] loop0: detected capacity change from 0 to 8192
[ 65.402192][ T4997] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 65.415391][ T4997] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 65.424852][ T4997] REISERFS (device loop0): using ordered data mode
[ 65.431464][ T4997] reiserfs: using flush barriers
[ 65.438182][ T4997] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 65.454710][ T4997] REISERFS (device loop0): checking transaction log (loop0)
[ 65.464343][ T4997] REISERFS (device loop0): Using r5 hash to sort names
[ 65.471711][ T4997] ==================================================================
[ 65.479779][ T4997] BUG: KASAN: use-after-free in strlen+0x58/0x70
[ 65.486127][ T4997] Read of size 1 at addr ffff888072d2d7a3 by task syz-executor409/4997
[ 65.494354][ T4997]
[ 65.496707][ T4997] CPU: 0 PID: 4997 Comm: syz-executor409 Not tainted 6.4.0-rc4-syzkaller-00268-g51f269a6ecc7 #0
[ 65.507118][ T4997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 65.517182][ T4997] Call Trace:
[ 65.520465][ T4997]
[ 65.523410][ T4997] dump_stack_lvl+0x1e7/0x2d0
[ 65.528219][ T4997] ? nf_tcp_handle_invalid+0x650/0x650
[ 65.533689][ T4997] ? panic+0x770/0x770
[ 65.537762][ T4997] ? _printk+0xd5/0x120
[ 65.541924][ T4997] print_report+0x163/0x540
[ 65.546433][ T4997] ? __virt_addr_valid+0x22f/0x2e0
[ 65.551550][ T4997] ? __phys_addr+0xba/0x170
[ 65.556057][ T4997] ? strlen+0x58/0x70
[ 65.560035][ T4997] kasan_report+0x176/0x1b0
[ 65.564536][ T4997] ? strlen+0x58/0x70
[ 65.568518][ T4997] strlen+0x58/0x70
[ 65.572325][ T4997] reiserfs_find_entry+0x982/0x19b0
[ 65.577537][ T4997] ? reiserfs_get_parent+0x2d0/0x2d0
[ 65.582825][ T4997] ? mutex_lock_nested+0x1b/0x20
[ 65.587790][ T4997] reiserfs_lookup+0x1e2/0x580
[ 65.592573][ T4997] ? reiserfs_init_priv_inode+0x150/0x150
[ 65.598319][ T4997] ? d_hash_and_lookup+0x1b0/0x1b0
[ 65.603451][ T4997] ? __init_waitqueue_head+0xae/0x150
[ 65.608851][ T4997] __lookup_slow+0x282/0x3e0
[ 65.613477][ T4997] ? lookup_one_len+0x2d0/0x2d0
[ 65.618357][ T4997] lookup_one_len+0x18b/0x2d0
[ 65.623047][ T4997] ? lookup_one_common+0x460/0x460
[ 65.628170][ T4997] reiserfs_lookup_privroot+0x89/0x180
[ 65.633643][ T4997] reiserfs_fill_super+0x195b/0x2620
[ 65.638953][ T4997] ? reiserfs_kill_sb+0x150/0x150
[ 65.643986][ T4997] ? snprintf+0xda/0x120
[ 65.648240][ T4997] ? sb_set_blocksize+0x99/0x100
[ 65.653200][ T4997] mount_bdev+0x2d0/0x3f0
[ 65.657541][ T4997] ? reiserfs_kill_sb+0x150/0x150
[ 65.662574][ T4997] legacy_get_tree+0xef/0x190
[ 65.667430][ T4997] ? remove_save_link+0x540/0x540
[ 65.672466][ T4997] vfs_get_tree+0x8c/0x270
[ 65.676894][ T4997] do_new_mount+0x28f/0xae0
[ 65.681407][ T4997] ? path_mount+0x5f2/0xf80
[ 65.685913][ T4997] ? do_move_mount_old+0x170/0x170
[ 65.691043][ T4997] ? user_path_at_empty+0x12f/0x180
[ 65.696251][ T4997] __se_sys_mount+0x2d9/0x3c0
[ 65.701197][ T4997] ? __x64_sys_mount+0xc0/0xc0
[ 65.705965][ T4997] ? syscall_enter_from_user_mode+0x32/0x230
[ 65.711948][ T4997] ? __x64_sys_mount+0x20/0xc0
[ 65.716720][ T4997] do_syscall_64+0x41/0xc0
[ 65.721165][ T4997] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 65.727070][ T4997] RIP: 0033:0x7f257641295a
[ 65.731489][ T4997] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 65.751101][ T4997] RSP: 002b:00007ffcc036b458 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 65.759522][ T4997] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f257641295a
[ 65.767495][ T4997] RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 00007ffcc036b460
[ 65.775467][ T4997] RBP: 00007ffcc036b460 R08: 00007ffcc036b4a0 R09: 000000000000111c
[ 65.783445][ T4997] R10: 0000000000008001 R11: 0000000000000286 R12: 0000000000000004
[ 65.791414][ T4997] R13: 00005555563772c0 R14: 00007ffcc036b4a0 R15: 0000000000000000
[ 65.799393][ T4997]
[ 65.802411][ T4997]
[ 65.804727][ T4997] The buggy address belongs to the physical page:
[ 65.811132][ T4997] page:ffffea0001cb4b40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x72d2d
[ 65.821284][ T4997] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 65.828387][ T4997] page_type: 0xffffffff()
[ 65.832817][ T4997] raw: 00fff00000000000 ffffea0001cb4b88 ffff8880b9843260 0000000000000000
[ 65.841399][ T4997] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 65.849977][ T4997] page dumped because: kasan: bad access detected
[ 65.856385][ T4997] page_owner tracks the page as freed
[ 65.861746][ T4997] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4985, tgid 4985 (sshd), ts 58577174728, free_ts 58613297051
[ 65.879804][ T4997] post_alloc_hook+0x1e6/0x210
[ 65.884660][ T4997] get_page_from_freelist+0x321c/0x33a0
[ 65.890207][ T4997] __alloc_pages+0x255/0x670
[ 65.894797][ T4997] __folio_alloc+0x13/0x30
[ 65.899217][ T4997] vma_alloc_folio+0x48a/0x9a0
[ 65.903983][ T4997] handle_mm_fault+0x2942/0x5860
[ 65.908925][ T4997] exc_page_fault+0x274/0x910
[ 65.913597][ T4997] asm_exc_page_fault+0x26/0x30
[ 65.918446][ T4997] page last free stack trace:
[ 65.923112][ T4997] free_unref_page_prepare+0x903/0xa30
[ 65.928572][ T4997] free_unref_page_list+0x596/0x830
[ 65.933774][ T4997] release_pages+0x2193/0x2470
[ 65.938542][ T4997] tlb_flush_mmu+0x100/0x210
[ 65.943152][ T4997] tlb_finish_mmu+0xd4/0x1f0
[ 65.947745][ T4997] unmap_region+0x258/0x2a0
[ 65.952251][ T4997] do_vmi_align_munmap+0x1123/0x1820
[ 65.957538][ T4997] do_vmi_munmap+0x24a/0x2b0
[ 65.962130][ T4997] __vm_munmap+0x226/0x470
[ 65.966549][ T4997] __x64_sys_munmap+0x69/0x80
[ 65.971243][ T4997] do_syscall_64+0x41/0xc0
[ 65.975681][ T4997] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 65.981582][ T4997]
[ 65.983902][ T4997] Memory state around the buggy address:
[ 65.989527][ T4997] ffff888072d2d680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 65.997588][ T4997] ffff888072d2d700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.005673][ T4997] >ffff888072d2d780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.013727][ T4997] ^
[ 66.018836][ T4997] ffff888072d2d800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.026903][ T4997] ffff888072d2d880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 66.034958][ T4997] ==================================================================
[ 66.043303][ T4997] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 66.050540][ T4997] CPU: 1 PID: 4997 Comm: syz-executor409 Not tainted 6.4.0-rc4-syzkaller-00268-g51f269a6ecc7 #0
[ 66.061056][ T4997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 66.071112][ T4997] Call Trace:
[ 66.074408][ T4997]
[ 66.077349][ T4997] dump_stack_lvl+0x1e7/0x2d0
[ 66.082048][ T4997] ? nf_tcp_handle_invalid+0x650/0x650
[ 66.087528][ T4997] ? panic+0x770/0x770
[ 66.091608][ T4997] ? preempt_schedule_common+0x83/0xc0
[ 66.097083][ T4997] ? vscnprintf+0x5d/0x80
[ 66.101440][ T4997] panic+0x30f/0x770
[ 66.105356][ T4997] ? check_panic_on_warn+0x21/0xa0
[ 66.110487][ T4997] ? __memcpy_flushcache+0x2b0/0x2b0
[ 66.115778][ T4997] ? _raw_spin_unlock_irqrestore+0x12c/0x140
[ 66.121760][ T4997] ? _raw_spin_unlock+0x40/0x40
[ 66.126635][ T4997] check_panic_on_warn+0x82/0xa0
[ 66.131576][ T4997] ? strlen+0x58/0x70
[ 66.135552][ T4997] end_report+0x63/0x110
[ 66.139796][ T4997] kasan_report+0x183/0x1b0
[ 66.144307][ T4997] ? strlen+0x58/0x70
[ 66.148292][ T4997] strlen+0x58/0x70
[ 66.152100][ T4997] reiserfs_find_entry+0x982/0x19b0
[ 66.157308][ T4997] ? reiserfs_get_parent+0x2d0/0x2d0
[ 66.162597][ T4997] ? mutex_lock_nested+0x1b/0x20
[ 66.167553][ T4997] reiserfs_lookup+0x1e2/0x580
[ 66.172331][ T4997] ? reiserfs_init_priv_inode+0x150/0x150
[ 66.178075][ T4997] ? d_hash_and_lookup+0x1b0/0x1b0
[ 66.183200][ T4997] ? __init_waitqueue_head+0xae/0x150
[ 66.188587][ T4997] __lookup_slow+0x282/0x3e0
[ 66.193181][ T4997] ? lookup_one_len+0x2d0/0x2d0
[ 66.198041][ T4997] lookup_one_len+0x18b/0x2d0
[ 66.202806][ T4997] ? lookup_one_common+0x460/0x460
[ 66.207916][ T4997] reiserfs_lookup_privroot+0x89/0x180
[ 66.213374][ T4997] reiserfs_fill_super+0x195b/0x2620
[ 66.218687][ T4997] ? reiserfs_kill_sb+0x150/0x150
[ 66.223717][ T4997] ? snprintf+0xda/0x120
[ 66.227959][ T4997] ? sb_set_blocksize+0x99/0x100
[ 66.232890][ T4997] mount_bdev+0x2d0/0x3f0
[ 66.237220][ T4997] ? reiserfs_kill_sb+0x150/0x150
[ 66.242274][ T4997] legacy_get_tree+0xef/0x190
[ 66.246961][ T4997] ? remove_save_link+0x540/0x540
[ 66.251987][ T4997] vfs_get_tree+0x8c/0x270
[ 66.256405][ T4997] do_new_mount+0x28f/0xae0
[ 66.260908][ T4997] ? path_mount+0x5f2/0xf80
[ 66.265491][ T4997] ? do_move_mount_old+0x170/0x170
[ 66.270603][ T4997] ? user_path_at_empty+0x12f/0x180
[ 66.275797][ T4997] __se_sys_mount+0x2d9/0x3c0
[ 66.280475][ T4997] ? __x64_sys_mount+0xc0/0xc0
[ 66.285246][ T4997] ? syscall_enter_from_user_mode+0x32/0x230
[ 66.291225][ T4997] ? __x64_sys_mount+0x20/0xc0
[ 66.295992][ T4997] do_syscall_64+0x41/0xc0
[ 66.300429][ T4997] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.306317][ T4997] RIP: 0033:0x7f257641295a
[ 66.310725][ T4997] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 66.330332][ T4997] RSP: 002b:00007ffcc036b458 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 66.338756][ T4997] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f257641295a
[ 66.347092][ T4997] RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 00007ffcc036b460
[ 66.355055][ T4997] RBP: 00007ffcc036b460 R08: 00007ffcc036b4a0 R09: 000000000000111c
[ 66.363021][ T4997] R10: 0000000000008001 R11: 0000000000000286 R12: 0000000000000004
[ 66.370988][ T4997] R13: 00005555563772c0 R14: 00007ffcc036b4a0 R15: 0000000000000000
[ 66.378959][ T4997]
[ 66.382049][ T4997] Kernel Offset: disabled
[ 66.386381][ T4997] Rebooting in 86400 seconds..