./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3220268350 <...> Warning: Permanently added '10.128.0.94' (ED25519) to the list of known hosts. execve("./syz-executor3220268350", ["./syz-executor3220268350"], 0x7ffffbfb2850 /* 10 vars */) = 0 brk(NULL) = 0x5555595bd000 brk(0x5555595bdd40) = 0x5555595bdd40 arch_prctl(ARCH_SET_FS, 0x5555595bd3c0) = 0 set_tid_address(0x5555595bd690) = 288 set_robust_list(0x5555595bd6a0, 24) = 0 rseq(0x5555595bdce0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3220268350", 4096) = 28 getrandom("\x5c\xfd\x58\xd9\x1e\xaa\x4a\x9d", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555595bdd40 brk(0x5555595ded40) = 0x5555595ded40 brk(0x5555595df000) = 0x5555595df000 mprotect(0x7f95fb7a4000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.8Tolr0", 0700) = 0 chmod("./syzkaller.8Tolr0", 0777) = 0 chdir("./syzkaller.8Tolr0") = 0 write(1, "executing program\n", 18executing program ) = 18 futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f95fb748b20, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f95fb739cd0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f95fb6c0000 mprotect(0x7f95fb6c1000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f95fb6e0990, parent_tid=0x7f95fb6e0990, exit_signal=0, stack=0x7f95fb6c0000, stack_size=0x20300, tls=0x7f95fb6e06c0}./strace-static-x86_64: Process 289 attached => {parent_tid=[289]}, 88) = 289 [pid 289] set_robust_list(0x7f95fb6e09a0, 24) = 0 [pid 289] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 289] futex(0x7f95fb7aa708, FUTEX_WAIT_PRIVATE, 0, NULL [pid 288] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 289] <... futex resumed>) = 0 [pid 289] openat(AT_FDCWD, "net_prio.prioidx", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... openat resumed>) = 3 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 289] futex(0x7f95fb7aa708, FUTEX_WAIT_PRIVATE, 0, NULL [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 289] <... futex resumed>) = 0 [pid 289] write(3, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [ 20.753679][ T30] audit: type=1400 audit(1755498111.554:64): avc: denied { execmem } for pid=288 comm="syz-executor322" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 288] futex(0x7f95fb7aa71c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f95fb69f000 [pid 288] mprotect(0x7f95fb6a0000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 288] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 288] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f95fb6bf990, parent_tid=0x7f95fb6bf990, exit_signal=0, stack=0x7f95fb69f000, stack_size=0x20300, tls=0x7f95fb6bf6c0} => {parent_tid=[290]}, 88) = 290 [pid 288] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 288] futex(0x7f95fb7aa718, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa71c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 290 attached [pid 290] set_robust_list(0x7f95fb6bf9a0, 24) = 0 [pid 290] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 290] mmap(0x200000000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 3, 0 [pid 289] <... write resumed>) = 11091968 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 289] futex(0x7f95fb7aa708, FUTEX_WAIT_PRIVATE, 0, NULL [pid 290] <... mmap resumed>) = 0x200000000000 [pid 290] futex(0x7f95fb7aa71c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 290] <... futex resumed>) = 1 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 0 [pid 289] preadv(3, [pid 290] futex(0x7f95fb7aa718, FUTEX_WAIT_PRIVATE, 0, NULL [pid 289] <... preadv resumed>0x2000000015c0, 5, 0) = 11091840 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 289] futex(0x7f95fb7aa708, FUTEX_WAIT_PRIVATE, 0, NULL [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 289] <... futex resumed>) = 0 [pid 289] memfd_create("syzkaller", 0) = 4 [pid 289] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f95f329f000 [pid 289] write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 289] munmap(0x7f95f329f000, 138412032) = 0 [pid 289] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 289] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 289] close(4) = 0 [ 20.849645][ T30] audit: type=1400 audit(1755498111.644:65): avc: denied { read write } for pid=288 comm="syz-executor322" name="loop0" dev="devtmpfs" ino=116 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 20.871360][ T289] loop0: detected capacity change from 0 to 512 [ 20.873889][ T30] audit: type=1400 audit(1755498111.644:66): avc: denied { open } for pid=288 comm="syz-executor322" path="/dev/loop0" dev="devtmpfs" ino=116 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 20.904059][ T30] audit: type=1400 audit(1755498111.674:67): avc: denied { ioctl } for pid=288 comm="syz-executor322" path="/dev/loop0" dev="devtmpfs" ino=116 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 289] close(5) = 0 [pid 289] mkdir(0x200000000240, 0777) = 0 [ 20.991665][ T289] ======================================================= [ 20.991665][ T289] WARNING: The mand mount option has been deprecated and [ 20.991665][ T289] and is ignored by this kernel. Remove the mand [ 20.991665][ T289] option from the mount to silence this warning. [ 20.991665][ T289] ======================================================= [ 20.991706][ T30] audit: type=1400 audit(1755498111.794:68): avc: denied { mounton } for pid=288 comm="syz-executor322" path="/root/syzkaller.8Tolr0/file1" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 21.092663][ T289] EXT4-fs (loop0): 1 orphan inode deleted [ 21.098384][ T289] EXT4-fs (loop0): mounted filesystem without journal. Opts: discard,nodiscard,noquota,noinit_itable,stripe=0x0000000000000079,resgid=0x0000000000000000,sysvgroups,delalloc,delalloc,,errors=continue. Quota mode: writeback. [ 21.120127][ T30] audit: type=1400 audit(1755498111.914:69): avc: denied { mount } for pid=288 comm="syz-executor322" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [pid 289] mount("/dev/loop0", 0x200000000240, 0x200000000080, MS_MANDLOCK|MS_LAZYTIME, "discard,nodiscard,noquota,noinit_itable,stripe=0x0000000000000079,resgid=0x0000000000000000,sysvgrou"...) = 0 [pid 289] openat(AT_FDCWD, 0x200000000240, O_RDONLY|O_DIRECTORY) = 4 [pid 289] chdir(0x200000000240) = 0 [pid 289] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 289] ioctl(5, LOOP_CLR_FD) = 0 [pid 289] close(5) = 0 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [pid 289] creat(0x200000000040, 000) = 5 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 289] futex(0x7f95fb7aa708, FUTEX_WAIT_PRIVATE, 0, NULL [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 0 [pid 289] open(0x200000000180, O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_LARGEFILE|O_NOATIME|0x3c, 000) = 6 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [pid 289] fallocate(6, 0, 0, 1048820) = -1 ENOSPC (No space left on device) [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [pid 289] mount(0x200000000380, 0x200000000140, NULL, MS_BIND, NULL) = 0 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [pid 289] open(0x200000000100, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 7 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [pid 289] write(6, 0x200000000000, 42) = 42 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [pid 289] write(7, 0x200000000080, 34136651) = 262144 [pid 289] futex(0x7f95fb7aa70c, FUTEX_WAKE_PRIVATE, 1000000 [pid 288] <... futex resumed>) = 0 [pid 288] futex(0x7f95fb7aa708, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 288] futex(0x7f95fb7aa70c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 289] <... futex resumed>) = 1 [ 21.120127][ T289] ext4 filesystem being mounted at /root/syzkaller.8Tolr0/file1 supports timestamps until 2038-01-19 (0x7fffffff) [ 21.158063][ T30] audit: type=1400 audit(1755498111.954:70): avc: denied { write } for pid=288 comm="syz-executor322" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 21.180135][ T30] audit: type=1400 audit(1755498111.954:71): avc: denied { add_name } for pid=288 comm="syz-executor322" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 21.180811][ T289] ================================================================== [ 21.201189][ T30] audit: type=1400 audit(1755498111.954:72): avc: denied { create } for pid=288 comm="syz-executor322" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 21.208840][ T289] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 [ 21.229173][ T30] audit: type=1400 audit(1755498111.954:73): avc: denied { write open } for pid=288 comm="syz-executor322" path="/root/syzkaller.8Tolr0/file1/bus" dev="loop0" ino=16 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 21.236352][ T289] Read of size 4 at addr ffff888123302ccc by task syz-executor322/289 [ 21.236367][ T289] [ 21.236380][ T289] CPU: 1 PID: 289 Comm: syz-executor322 Not tainted 5.15.189-syzkaller-android13-5.15.189_r00 #0 [ 21.281962][ T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 21.292009][ T289] Call Trace: [ 21.295267][ T289] [ 21.298177][ T289] __dump_stack+0x21/0x30 [ 21.302511][ T289] dump_stack_lvl+0xee/0x150 [ 21.307079][ T289] ? show_regs_print_info+0x20/0x20 [ 21.312255][ T289] ? load_image+0x3a0/0x3a0 [ 21.316738][ T289] print_address_description+0x7f/0x2c0 [ 21.322265][ T289] ? ext4_find_extent+0xbeb/0xe20 [ 21.327270][ T289] kasan_report+0xf1/0x140 [ 21.331670][ T289] ? __read_extent_tree_block+0x1e8/0x790 [ 21.337372][ T289] ? ext4_find_extent+0xbeb/0xe20 [ 21.342377][ T289] __asan_report_load4_noabort+0x14/0x20 [ 21.347990][ T289] ext4_find_extent+0xbeb/0xe20 [ 21.352821][ T289] ? ext4_ext_remove_space+0x1a0/0x4180 [ 21.358347][ T289] ext4_ext_remove_space+0x2bc/0x4180 [ 21.363702][ T289] ? ext4_es_free_extent+0x3de/0x4c0 [ 21.368969][ T289] ? _raw_spin_unlock+0x4d/0x70 [ 21.373809][ T289] ? ext4_da_release_space+0x1d6/0x480 [ 21.379246][ T289] ? ext4_ext_index_trans_blocks+0x100/0x100 [ 21.385205][ T289] ? ext4_es_remove_extent+0x1d9/0x330 [ 21.390644][ T289] ext4_punch_hole+0x77c/0xbd0 [ 21.395387][ T289] ext4_fallocate+0x2b6/0x1de0 [ 21.400132][ T289] ? selinux_file_permission+0x2aa/0x510 [ 21.405746][ T289] ? fsnotify_perm+0x67/0x5b0 [ 21.410403][ T289] vfs_fallocate+0x4b4/0x590 [ 21.414979][ T289] __x64_sys_fallocate+0xc0/0x110 [ 21.419982][ T289] x64_sys_call+0x7ec/0x9a0 [ 21.424479][ T289] do_syscall_64+0x4c/0xa0 [ 21.428889][ T289] ? clear_bhb_loop+0x50/0xa0 [ 21.433550][ T289] ? clear_bhb_loop+0x50/0xa0 [ 21.438214][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 21.444097][ T289] RIP: 0033:0x7f95fb7227c9 [ 21.448512][ T289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 21.468109][ T289] RSP: 002b:00007f95fb6e0218 EFLAGS: 00000246 ORIG_RAX: 000000000000011d [ 21.476508][ T289] RAX: ffffffffffffffda RBX: 00007f95fb7aa708 RCX: 00007f95fb7227c9 [ 21.484462][ T289] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005 [ 21.492413][ T289] RBP: 00007f95fb7aa700 R08: 0000000000000000 R09: 0000000000000000 [ 21.500364][ T289] R10: 0000000000001a00 R11: 0000000000000246 R12: 00007f95fb777554 [ 21.508447][ T289] R13: 0000200000000000 R14: 0000200000000080 R15: 00007f95fb77704c [ 21.516499][ T289] [ 21.519503][ T289] [ 21.521810][ T289] The buggy address belongs to the page: [ 21.527415][ T289] page:ffffea00048cc080 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x123302 [ 21.537656][ T289] flags: 0x4000000000000000(zone=1) [ 21.542849][ T289] raw: 4000000000000000 ffffea00048cc0c8 ffffea00048cc008 0000000000000000 [ 21.551414][ T289] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 21.559969][ T289] page dumped because: kasan: bad access detected [ 21.566353][ T289] page_owner tracks the page as freed [ 21.571698][ T289] page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 234, ts 14755662617, free_ts 14795308352 [ 21.587126][ T289] post_alloc_hook+0x192/0x1b0 [ 21.591891][ T289] prep_new_page+0x1c/0x110 [ 21.596376][ T289] get_page_from_freelist+0x2cc5/0x2d50 [ 21.601898][ T289] __alloc_pages+0x18f/0x440 [ 21.606470][ T289] handle_pte_fault+0xe89/0x2680 [ 21.611392][ T289] do_handle_mm_fault+0x1a6d/0x1d50 [ 21.616568][ T289] do_user_addr_fault+0x841/0x1180 [ 21.621661][ T289] exc_page_fault+0x51/0xb0 [ 21.626145][ T289] asm_exc_page_fault+0x27/0x30 [ 21.630973][ T289] page last free stack trace: [ 21.635725][ T289] free_unref_page_prepare+0x542/0x550 [ 21.641176][ T289] free_unref_page_list+0x134/0x9d0 [ 21.646364][ T289] release_pages+0xfda/0x1030 [ 21.651027][ T289] free_pages_and_swap_cache+0x86/0xa0 [ 21.656467][ T289] tlb_finish_mmu+0x175/0x300 [ 21.661126][ T289] unmap_region+0x315/0x360 [ 21.665617][ T289] __do_munmap+0xa0e/0xfe0 [ 21.670026][ T289] __vm_munmap+0x15b/0x2a0 [ 21.674423][ T289] __x64_sys_munmap+0x6b/0x80 [ 21.679082][ T289] x64_sys_call+0xc9/0x9a0 [ 21.683480][ T289] do_syscall_64+0x4c/0xa0 [ 21.687877][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 21.693750][ T289] [ 21.696050][ T289] Memory state around the buggy address: [ 21.701652][ T289] ffff888123302b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.709689][ T289] ffff888123302c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.717725][ T289] >ffff888123302c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.725762][ T289] ^ [ 21.732151][ T289] ffff888123302d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [pid 289] fallocate(5, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 0, 6656 [pid 288] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 21.740185][ T289] ffff888123302d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.748217][ T289] ================================================================== [ 21.756248][ T289] Disabling lock debugging due to kernel taint [ 21.762986][ T289] ------------[ cut here ]------------ [ 21.768513][ T289] kernel BUG at fs/ext4/extents.c:3186! [ 21.774145][ T289] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 21.780201][ T289] CPU: 0 PID: 289 Comm: syz-executor322 Tainted: G B 5.15.189-syzkaller-android13-5.15.189_r00 #0 [ 21.792070][ T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 21.802103][ T289] RIP: 0010:ext4_split_extent_at+0xe77/0xe90 [ 21.808066][ T289] Code: 6f fb ff ff 48 89 df 49 89 d7 e8 84 82 d3 ff 4c 89 fa e9 5c fb ff ff e8 d7 07 95 ff 0f 0b e8 d0 07 95 ff 0f 0b e8 c9 07 95 ff <0f> 0b e8 c2 07 95 ff 0f 0b e8 bb 07 95 ff 0f 0b e8 b4 07 95 ff 0f [ 21.827649][ T289] RSP: 0018:ffffc900009e7940 EFLAGS: 00010293 [ 21.833694][ T289] RAX: ffffffff81d3a807 RBX: 1ffff11024660d30 RCX: ffff88810699a780 [pid 288] exit_group(0) = ? [pid 290] <... futex resumed>) = ? [pid 290] +++ exited with 0 +++ [ 21.841642][ T289] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 [ 21.849593][ T289] RBP: ffffc900009e7ab0 R08: 0000000000000000 R09: 0000000050000028 [ 21.857553][ T289] R10: fffffbfff0e1804c R11: 1ffffffff0e1804c R12: dffffc0000000000 [ 21.865519][ T289] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 [ 21.873468][ T289] FS: 00007f95fb6e06c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 21.882400][ T289] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.888970][ T289] CR2: 000055ebc8f61430 CR3: 0000000121e66000 CR4: 00000000003506b0 [ 21.896923][ T289] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.904889][ T289] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 21.912852][ T289] Call Trace: [ 21.916105][ T289] [ 21.919017][ T289] ? __kasan_check_write+0x14/0x20 [ 21.924109][ T289] ? __asan_report_load2_noabort+0x14/0x20 [ 21.929888][ T289] ? ext4_ext_try_to_merge_right+0x820/0x820 [ 21.935855][ T289] ? ext4_ext_remove_space+0x1a0/0x4180 [ 21.941389][ T289] ext4_ext_remove_space+0x64b/0x4180 [ 21.946738][ T289] ? _raw_spin_unlock+0x4d/0x70 [ 21.951653][ T289] ? ext4_da_release_space+0x1d6/0x480 [ 21.957178][ T289] ? ext4_ext_index_trans_blocks+0x100/0x100 [ 21.963162][ T289] ? ext4_es_remove_extent+0x1d9/0x330 [ 21.968622][ T289] ext4_punch_hole+0x77c/0xbd0 [ 21.973374][ T289] ext4_fallocate+0x2b6/0x1de0 [ 21.978112][ T289] ? selinux_file_permission+0x2aa/0x510 [ 21.983721][ T289] ? fsnotify_perm+0x67/0x5b0 [ 21.988372][ T289] vfs_fallocate+0x4b4/0x590 [ 21.992938][ T289] __x64_sys_fallocate+0xc0/0x110 [ 21.997937][ T289] x64_sys_call+0x7ec/0x9a0 [ 22.002412][ T289] do_syscall_64+0x4c/0xa0 [ 22.006832][ T289] ? clear_bhb_loop+0x50/0xa0 [ 22.011494][ T289] ? clear_bhb_loop+0x50/0xa0 [ 22.016155][ T289] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 22.022025][ T289] RIP: 0033:0x7f95fb7227c9 [ 22.026418][ T289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 22.046118][ T289] RSP: 002b:00007f95fb6e0218 EFLAGS: 00000246 ORIG_RAX: 000000000000011d [ 22.054516][ T289] RAX: ffffffffffffffda RBX: 00007f95fb7aa708 RCX: 00007f95fb7227c9 [ 22.062468][ T289] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005 [ 22.070414][ T289] RBP: 00007f95fb7aa700 R08: 0000000000000000 R09: 0000000000000000 [ 22.078369][ T289] R10: 0000000000001a00 R11: 0000000000000246 R12: 00007f95fb777554 [ 22.086325][ T289] R13: 0000200000000000 R14: 0000200000000080 R15: 00007f95fb77704c [ 22.094448][ T289] [ 22.097441][ T289] Modules linked in: [ 22.101806][ T289] ---[ end trace 609ba7b4c197f4f7 ]--- [ 22.107255][ T289] RIP: 0010:ext4_split_extent_at+0xe77/0xe90 [ 22.113294][ T289] Code: 6f fb ff ff 48 89 df 49 89 d7 e8 84 82 d3 ff 4c 89 fa e9 5c fb ff ff e8 d7 07 95 ff 0f 0b e8 d0 07 95 ff 0f 0b e8 c9 07 95 ff <0f> 0b e8 c2 07 95 ff 0f 0b e8 bb 07 95 ff 0f 0b e8 b4 07 95 ff 0f [ 22.132927][ T289] RSP: 0018:ffffc900009e7940 EFLAGS: 00010293 [ 22.138974][ T289] RAX: ffffffff81d3a807 RBX: 1ffff11024660d30 RCX: ffff88810699a780 [ 22.146968][ T289] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 [ 22.154958][ T289] RBP: ffffc900009e7ab0 R08: 0000000000000000 R09: 0000000050000028 [ 22.162941][ T289] R10: fffffbfff0e1804c R11: 1ffffffff0e1804c R12: dffffc0000000000 [ 22.170915][ T289] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 [ 22.178861][ T289] FS: 00007f95fb6e06c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 22.187786][ T289] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.194367][ T289] CR2: 000055ebc8f61430 CR3: 0000000121e66000 CR4: 00000000003506b0 [ 22.202340][ T289] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.210306][ T289] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.218286][ T289] Kernel panic - not syncing: Fatal exception [ 22.224547][ T289] Kernel Offset: disabled [ 22.228855][ T289] Rebooting in 86400 seconds..