./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2372816691 <...> forked to background, child pid 3209 [ 29.765572][ T3210] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.779566][ T3210] eql: remember to turn off Van-Jacobson compression on your slave devices [ 30.030508][ T3295] ssh-keygen (3295) used greatest stack depth: 15664 bytes left Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.231' (ECDSA) to the list of known hosts. execve("./syz-executor2372816691", ["./syz-executor2372816691"], 0x7fffc9d5a7c0 /* 10 vars */) = 0 brk(NULL) = 0x555555bce000 brk(0x555555bcec40) = 0x555555bcec40 arch_prctl(ARCH_SET_FS, 0x555555bce300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2372816691", 4096) = 28 brk(0x555555befc40) = 0x555555befc40 brk(0x555555bf0000) = 0x555555bf0000 mprotect(0x7efd25de2000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, 
nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=680, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=3638}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1c\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x25\x00\x00\x00\x48\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 680 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3638}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 access("/proc/net", R_OK) = 0 access("/proc/net/unix", R_OK) = 0 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3638}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? 
*/, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3638}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3638}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3638}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", 
ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3638}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efd1d800000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 munmap(0x7efd1d800000, 16777216) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 mkdir("./file0", 0777) = 0 syzkaller login: [ 55.029066][ T3638] loop0: detected capacity change from 0 to 32768 [ 55.040738][ T3638] BTRFS: device fsid d552757d-9c39-40e3-95f0-16d819589928 devid 1 transid 8 /dev/loop0 scanned by syz-executor237 (3638) [ 55.059482][ T3638] BTRFS info (device loop0): using sha256 (sha256-avx2) checksum algorithm [ 55.068240][ T3638] BTRFS info (device loop0): using free space tree mount("/dev/loop0", "./file0", "btrfs", 0, "") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 close(3) = 0 open("./file0", O_RDONLY) = 3 open("./bus", 
O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 fallocate(4, 0, 0, 1048820) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6 write(6, "23", 2) = 2 [ 55.088301][ T3638] BTRFS info (device loop0): enabling ssd optimizations [ 55.113334][ T27] audit: type=1800 audit(1669259181.145:2): pid=3638 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz-executor237" name="bus" dev="loop0" ino=263 res=0 errno=0 [ 55.144336][ T3638] ------------[ cut here ]------------ [ 55.150328][ T3638] kernel BUG at fs/btrfs/transaction.c:1672! [ 55.157130][ T3638] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 55.163213][ T3638] CPU: 1 PID: 3638 Comm: syz-executor237 Not tainted 6.1.0-rc6-syzkaller #0 [ 55.171981][ T3638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 55.182044][ T3638] RIP: 0010:create_pending_snapshot+0x250a/0x2560 [ 55.188492][ T3638] Code: ff e8 da c7 02 fe 48 c7 c7 60 16 39 8b 44 89 ee 31 c0 e8 c9 65 ca fd 0f 0b b3 01 e9 18 fa ff ff e8 3b 63 0a 07 e8 b6 c7 02 fe <0f> 0b e8 af c7 02 fe 0f 0b e8 a8 c7 02 fe 0f 0b e8 a1 c7 02 fe 48 [ 55.208110][ T3638] RSP: 0018:ffffc90003aff6e0 EFLAGS: 00010293 [ 55.214198][ T3638] RAX: ffffffff8387d0ba RBX: 00000000fffffff4 RCX: ffff88802722ba80 [ 55.222182][ T3638] RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000 [ 55.230177][ T3638] RBP: ffffc90003aff970 R08: ffffffff8387b1f0 R09: fffffbfff1a42e97 [ 55.238159][ T3638] R10: fffffbfff1a42e97 R11: 1ffffffff1a42e96 R12: ffff888076ce1780 [ 55.246138][ T3638] R13: ffff8880731717d0 R14: ffff888027dea000 R15: ffff8880708b8178 [ 55.254127][ T3638] FS: 0000555555bce300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 55.263037][ T3638] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 55.269605][ T3638] CR2: 00005626964b1000 CR3: 000000007955e000 CR4: 00000000003506e0 [ 55.277571][ T3638] DR0: 0000000000000000 DR1: 0000000000000000 
DR2: 0000000000000000 [ 55.285537][ T3638] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 55.293521][ T3638] Call Trace: [ 55.296802][ T3638] <TASK> [ 55.299737][ T3638] ? trace_btrfs_space_reservation+0x320/0x320 [ 55.305900][ T3638] ? __mutex_lock_common+0x45f/0x26e0 [ 55.311288][ T3638] ? read_lock_is_recursive+0x10/0x10 [ 55.316653][ T3638] ? mutex_lock_io_nested+0x60/0x60 [ 55.321930][ T3638] ? do_raw_spin_lock+0x148/0x360 [ 55.326951][ T3638] ? __might_sleep+0xc0/0xc0 [ 55.331534][ T3638] create_pending_snapshots+0x1a8/0x1e0 [ 55.337080][ T3638] btrfs_commit_transaction+0x13f0/0x3760 [ 55.342813][ T3638] ? _raw_spin_unlock+0x24/0x40 [ 55.347667][ T3638] ? btrfs_commit_transaction_async+0x440/0x440 [ 55.353916][ T3638] ? join_transaction+0xc45/0xe60 [ 55.358932][ T3638] ? join_transaction+0xc1f/0xe60 [ 55.363949][ T3638] ? btrfs_record_root_in_trans+0x129/0x180 [ 55.369882][ T3638] ? start_transaction+0x3da/0x1180 [ 55.375086][ T3638] create_snapshot+0x4aa/0x7e0 [ 55.379877][ T3638] btrfs_mksubvol+0x62e/0x760 [ 55.384548][ T3638] btrfs_mksnapshot+0xb5/0xf0 [ 55.389228][ T3638] __btrfs_ioctl_snap_create+0x339/0x450 [ 55.394909][ T3638] btrfs_ioctl_snap_create+0x134/0x190 [ 55.400364][ T3638] btrfs_ioctl+0x15c/0xc10 [ 55.404773][ T3638] ? 
btrfs_ioctl_get_supported_features+0x40/0x40 [ 55.411179][ T3638] __se_sys_ioctl+0xfb/0x170 [ 55.415770][ T3638] do_syscall_64+0x3d/0xb0 [ 55.420184][ T3638] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 55.426066][ T3638] RIP: 0033:0x7efd25d6d2a9 [ 55.430477][ T3638] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 55.450072][ T3638] RSP: 002b:00007ffe43e29638 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 55.458499][ T3638] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007efd25d6d2a9 [ 55.466459][ T3638] RDX: 00000000200000c0 RSI: 0000000050009401 RDI: 0000000000000003 [ 55.474419][ T3638] RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000000000 [ 55.482378][ T3638] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 55.490337][ T3638] R13: 00007ffe43e29670 R14: 0000000000000003 R15: 00007ffe43e2966a [ 55.498394][ T3638] </TASK> [ 55.501403][ T3638] Modules linked in: [ 55.505443][ T3638] ---[ end trace 0000000000000000 ]--- [ 55.511021][ T3638] RIP: 0010:create_pending_snapshot+0x250a/0x2560 [ 55.517473][ T3638] Code: ff e8 da c7 02 fe 48 c7 c7 60 16 39 8b 44 89 ee 31 c0 e8 c9 65 ca fd 0f 0b b3 01 e9 18 fa ff ff e8 3b 63 0a 07 e8 b6 c7 02 fe <0f> 0b e8 af c7 02 fe 0f 0b e8 a8 c7 02 fe 0f 0b e8 a1 c7 02 fe 48 [ 55.537210][ T3638] RSP: 0018:ffffc90003aff6e0 EFLAGS: 00010293 [ 55.543273][ T3638] RAX: ffffffff8387d0ba RBX: 00000000fffffff4 RCX: ffff88802722ba80 [ 55.551352][ T3638] RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000 [ 55.559359][ T3638] RBP: ffffc90003aff970 R08: ffffffff8387b1f0 R09: fffffbfff1a42e97 [ 55.567557][ T3638] R10: fffffbfff1a42e97 R11: 1ffffffff1a42e96 R12: ffff888076ce1780 [ 55.575534][ T3638] R13: ffff8880731717d0 R14: ffff888027dea000 R15: ffff8880708b8178 [ 55.583551][ T3638] FS: 0000555555bce300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 
[ 55.592603][ T3638] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 55.599216][ T3638] CR2: 00005626963c87d8 CR3: 000000007955e000 CR4: 00000000003506f0 [ 55.607294][ T3638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 55.615248][ T3638] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 55.623253][ T3638] Kernel panic - not syncing: Fatal exception [ 55.629482][ T3638] Kernel Offset: disabled [ 55.633800][ T3638] Rebooting in 86400 seconds..