./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2148172596
<...>
forked to background, child pid 3185
no interfaces have a carrier
[ 24.465247][ T3186] 8021q: adding VLAN 0 to HW filter on device bond0
[ 24.475154][ T3186] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.113' (ECDSA) to the list of known hosts.
execve("./syz-executor2148172596", ["./syz-executor2148172596"], 0x7ffebf7af680 /* 10 vars */) = 0
brk(NULL) = 0x555556140000
brk(0x555556140c40) = 0x555556140c40
arch_prctl(ARCH_SET_FS, 0x555556140300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2148172596", 4096) = 28
brk(0x555556161c40) = 0x555556161c40
brk(0x555556162000) = 0x555556162000
mprotect(0x7f776b72f000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555561405d0) = 3607
./strace-static-x86_64: Process 3607 attached
[pid 3607] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3607] setpgid(0, 0) = 0
[pid 3607] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3607] write(3, "1000", 4) = 4
[pid 3607] close(3) = 0
[pid 3607] memfd_create("syzkaller", 0) = 3
[pid 3607] ftruncate(3, 32768) = 0
[pid 3607] pwrite64(3, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23, 0) = 23
[pid 3607] pwrite64(3, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82"..., 450, 256) = 450
[pid 3607] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 3607] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 3607] mkdir("./file0", 0777) = 0
[pid 3607] mount("/dev/loop0", "./file0", "vfat", MS_POSIXACL|MS_LAZYTIME, "iocharset=cp852,nonumtail=0,flush,shortname=lower,debug,utf8=1,discard,shortname=lower,nonumtail=0,u"...) = 0
[pid 3607] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5
[pid 3607] ioctl(4, LOOP_CLR_FD) = 0
[pid 3607] close(4) = 0
[pid 3607] close(3) = 0
[pid 3607] chdir("./file0") = 0
[pid 3607] creat("./bus", 000) = 3
[pid 3607] unlink("./bus") = 0
[pid 3607] write(3, "\x31\x30\x30\x30\x30\x30\x30\x00", 8) = -1 ENOSPC (No space left on device)
[pid 3607] exit_group(0) = ?
syzkaller login: [ 41.295566][ T3607] loop0: detected capacity change from 0 to 64
[pid 3607] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3607, si_uid=0, si_status=0, si_utime=0, si_stime=2} ---
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = 0
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555561405d0) = 3609
./strace-static-x86_64: Process 3609 attached
[pid 3609] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3609] setpgid(0, 0) = 0
[pid 3609] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3609] write(3, "1000", 4) = 4
[pid 3609] close(3) = 0
[pid 3609] memfd_create("syzkaller", 0) = 3
[pid 3609] ftruncate(3, 32768) = 0
[pid 3609] pwrite64(3, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23, 0) = 23
[pid 3609] pwrite64(3, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82"..., 450, 256) = 450
[pid 3609] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 3609] ioctl(4, LOOP_SET_FD, 3) = -1 EBUSY (Device or resource busy)
[pid 3609] ioctl(4, LOOP_CLR_FD) = 0
[pid 3609] ioctl(4, LOOP_SET_FD, 3) = -1 EBUSY (Device or resource busy)
[pid 3609] close(4) = 0
[pid 3609] close(3) = 0
[pid 3609] chdir("./file0") = 0
[pid 3609] creat("./bus", 000) = 3
[pid 3609] unlink("./bus") = 0
[pid 3609] write(3, "\x31\x30\x30\x30\x30\x30\x30\x00", 8) = -1 ENOSPC (No space left on device)
[pid 3609] exit_group(0) = ?
[ 41.572827][ T3609] ==================================================================
[ 41.580903][ T3609] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe8/0x110
[ 41.588736][ T3609] Read of size 8 at addr ffff888072bc95d0 by task syz-executor214/3609
[ 41.597068][ T3609]
[ 41.599388][ T3609] CPU: 1 PID: 3609 Comm: syz-executor214 Not tainted 6.1.0-rc4-syzkaller-00011-g59f2f4b8a757 #0
[ 41.609844][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 41.619905][ T3609] Call Trace:
[ 41.623181][ T3609]
[ 41.626130][ T3609] dump_stack_lvl+0xcd/0x134
[ 41.630772][ T3609] print_report+0x15e/0x45d
[ 41.635292][ T3609] ? __phys_addr+0xc4/0x140
[ 41.639784][ T3609] ? __list_del_entry_valid+0xe8/0x110
[ 41.645251][ T3609] kasan_report+0xbb/0x1f0
[ 41.649693][ T3609] ? __list_del_entry_valid+0xe8/0x110
[ 41.655182][ T3609] __list_del_entry_valid+0xe8/0x110
[ 41.660480][ T3609] inode_io_list_del+0x7b/0x200
[ 41.665328][ T3609] evict+0x112/0x6b0
[ 41.669239][ T3609] iput.part.0+0x59b/0x880
[ 41.673646][ T3609] iput+0x58/0x70
[ 41.677276][ T3609] dentry_unlink_inode+0x2b1/0x460
[ 41.682414][ T3609] __dentry_kill+0x3c0/0x640
[ 41.687023][ T3609] ? dput+0x35/0xdb0
[ 41.690911][ T3609] dput+0x64d/0xdb0
[ 41.694719][ T3609] __fput+0x3cc/0xa90
[ 41.698793][ T3609] task_work_run+0x16b/0x270
[ 41.703400][ T3609] ? task_work_cancel+0x30/0x30
[ 41.708302][ T3609] ? do_raw_spin_unlock+0x171/0x230
[ 41.713508][ T3609] do_exit+0xb35/0x2a20
[ 41.717681][ T3609] ? lock_downgrade+0x6e0/0x6e0
[ 41.722536][ T3609] ? do_raw_spin_lock+0x120/0x2a0
[ 41.727574][ T3609] ? mm_update_next_owner+0x7b0/0x7b0
[ 41.732940][ T3609] ? rwlock_bug.part.0+0x90/0x90
[ 41.737868][ T3609] ? _raw_spin_unlock_irq+0x1f/0x40
[ 41.743062][ T3609] do_group_exit+0xd0/0x2a0
[ 41.747681][ T3609] __x64_sys_exit_group+0x3a/0x50
[ 41.752697][ T3609] do_syscall_64+0x35/0xb0
[ 41.757138][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 41.763084][ T3609] RIP: 0033:0x7f776b6c13e9
[ 41.767517][ T3609] Code: Unable to access opcode bytes at 0x7f776b6c13bf.
[ 41.774533][ T3609] RSP: 002b:00007ffc7ff00188 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.782972][ T3609] RAX: ffffffffffffffda RBX: 00007f776b735330 RCX: 00007f776b6c13e9
[ 41.790959][ T3609] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 41.798946][ T3609] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 41.806926][ T3609] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f776b735330
[ 41.814894][ T3609] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 41.822878][ T3609]
[ 41.825883][ T3609]
[ 41.828191][ T3609] Allocated by task 3607:
[ 41.832496][ T3609] kasan_save_stack+0x1e/0x40
[ 41.837254][ T3609] kasan_set_track+0x21/0x30
[ 41.841833][ T3609] __kasan_slab_alloc+0x7e/0x80
[ 41.846683][ T3609] kmem_cache_alloc_lru+0x254/0x730
[ 41.851910][ T3609] fat_alloc_inode+0x23/0x1e0
[ 41.856611][ T3609] alloc_inode+0x61/0x230
[ 41.860982][ T3609] new_inode+0x27/0x270
[ 41.865155][ T3609] fat_build_inode+0x146/0x2d0
[ 41.869940][ T3609] vfat_create+0x1c7/0x260
[ 41.874348][ T3609] lookup_open.isra.0+0xf05/0x12a0
[ 41.879788][ T3609] path_openat+0x996/0x2860
[ 41.884491][ T3609] do_filp_open+0x1b6/0x400
[ 41.888984][ T3609] do_sys_openat2+0x16d/0x4c0
[ 41.893651][ T3609] __x64_sys_creat+0xc9/0x120
[ 41.898319][ T3609] do_syscall_64+0x35/0xb0
[ 41.902740][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 41.908647][ T3609]
[ 41.910958][ T3609] Freed by task 0:
[ 41.914657][ T3609] kasan_save_stack+0x1e/0x40
[ 41.919335][ T3609] kasan_set_track+0x21/0x30
[ 41.923954][ T3609] kasan_save_free_info+0x2a/0x40
[ 41.928974][ T3609] ____kasan_slab_free+0x160/0x1c0
[ 41.934084][ T3609] slab_free_freelist_hook+0x8b/0x1c0
[ 41.939464][ T3609] kmem_cache_free+0xea/0x5b0
[ 41.944171][ T3609] i_callback+0x3f/0x70
[ 41.948323][ T3609] rcu_core+0x81f/0x1980
[ 41.952589][ T3609] __do_softirq+0x1f7/0xad8
[ 41.957114][ T3609]
[ 41.959433][ T3609] Last potentially related work creation:
[ 41.965130][ T3609] kasan_save_stack+0x1e/0x40
[ 41.969799][ T3609] __kasan_record_aux_stack+0xbc/0xd0
[ 41.975165][ T3609] call_rcu+0x99/0x820
[ 41.979225][ T3609] destroy_inode+0x129/0x1b0
[ 41.983807][ T3609] iput.part.0+0x59b/0x880
[ 41.988307][ T3609] iput+0x58/0x70
[ 41.991945][ T3609] dentry_unlink_inode+0x2b1/0x460
[ 41.997174][ T3609] __dentry_kill+0x3c0/0x640
[ 42.001753][ T3609] dput+0x64d/0xdb0
[ 42.005540][ T3609] __fput+0x3cc/0xa90
[ 42.009520][ T3609] task_work_run+0x16b/0x270
[ 42.014166][ T3609] do_exit+0xb35/0x2a20
[ 42.018328][ T3609] do_group_exit+0xd0/0x2a0
[ 42.022845][ T3609] __x64_sys_exit_group+0x3a/0x50
[ 42.027877][ T3609] do_syscall_64+0x35/0xb0
[ 42.032283][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 42.038161][ T3609]
[ 42.040471][ T3609] The buggy address belongs to the object at ffff888072bc92f0
[ 42.040471][ T3609] which belongs to the cache fat_inode_cache of size 1488
[ 42.055918][ T3609] The buggy address is located 736 bytes inside of
[ 42.055918][ T3609] 1488-byte region [ffff888072bc92f0, ffff888072bc98c0)
[ 42.069301][ T3609]
[ 42.071619][ T3609] The buggy address belongs to the physical page:
[ 42.078024][ T3609] page:ffffea0001caf200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72bc8
[ 42.088172][ T3609] head:ffffea0001caf200 order:3 compound_mapcount:0 compound_pincount:0
[ 42.096494][ T3609] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 42.104460][ T3609] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888018bf7640
[ 42.113048][ T3609] raw: 0000000000000000 0000000080140014 00000001ffffffff 0000000000000000
[ 42.121803][ T3609] page dumped because: kasan: bad access detected
[ 42.128214][ T3609] page_owner tracks the page as allocated
[ 42.133911][ T3609] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 3607, tgid 3607 (syz-executor214), ts 41307576812, free_ts 10475354501
[ 42.156567][ T3609] get_page_from_freelist+0x10b5/0x2d50
[ 42.162136][ T3609] __alloc_pages+0x1c7/0x5a0
[ 42.166739][ T3609] alloc_pages+0x1a6/0x270
[ 42.171170][ T3609] allocate_slab+0x213/0x300
[ 42.175746][ T3609] ___slab_alloc+0xa91/0x1400
[ 42.180413][ T3609] __slab_alloc.constprop.0+0x56/0xa0
[ 42.185773][ T3609] kmem_cache_alloc_lru+0x4ad/0x730
[ 42.190970][ T3609] fat_alloc_inode+0x23/0x1e0
[ 42.195674][ T3609] alloc_inode+0x61/0x230
[ 42.200029][ T3609] new_inode+0x27/0x270
[ 42.204201][ T3609] fat_fill_super+0x1b60/0x3680
[ 42.209071][ T3609] mount_bdev+0x34d/0x410
[ 42.213389][ T3609] legacy_get_tree+0x105/0x220
[ 42.218139][ T3609] vfs_get_tree+0x89/0x2f0
[ 42.222563][ T3609] path_mount+0x1326/0x1e20
[ 42.227152][ T3609] __x64_sys_mount+0x27f/0x300
[ 42.231915][ T3609] page last free stack trace:
[ 42.236619][ T3609] free_pcp_prepare+0x65c/0xd90
[ 42.241474][ T3609] free_unref_page+0x19/0x4d0
[ 42.246230][ T3609] free_contig_range+0xb1/0x180
[ 42.251086][ T3609] destroy_args+0xa8/0x64c
[ 42.255498][ T3609] debug_vm_pgtable+0x2954/0x29e5
[ 42.260510][ T3609] do_one_initcall+0x13d/0x780
[ 42.265271][ T3609] kernel_init_freeable+0x6ff/0x788
[ 42.270487][ T3609] kernel_init+0x1a/0x1d0
[ 42.274809][ T3609] ret_from_fork+0x1f/0x30
[ 42.279213][ T3609]
[ 42.281532][ T3609] Memory state around the buggy address:
[ 42.287176][ T3609] ffff888072bc9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.295244][ T3609] ffff888072bc9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.303301][ T3609] >ffff888072bc9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.311559][ T3609] ^
[ 42.318450][ T3609] ffff888072bc9600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.326602][ T3609] ffff888072bc9680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.334670][ T3609] ==================================================================
[ 42.342808][ T3609] Kernel panic - not syncing: panic_on_warn set ...
[ 42.349411][ T3609] CPU: 1 PID: 3609 Comm: syz-executor214 Not tainted 6.1.0-rc4-syzkaller-00011-g59f2f4b8a757 #0
[ 42.359811][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 42.369875][ T3609] Call Trace:
[ 42.373151][ T3609]
[ 42.376069][ T3609] dump_stack_lvl+0xcd/0x134
[ 42.380928][ T3609] panic+0x2c8/0x622
[ 42.384851][ T3609] ? panic_print_sys_info.part.0+0x110/0x110
[ 42.390946][ T3609] ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 42.397123][ T3609] end_report.part.0+0x3f/0x7c
[ 42.401879][ T3609] ? __list_del_entry_valid+0xe8/0x110
[ 42.407425][ T3609] kasan_report.cold+0xa/0xf
[ 42.412022][ T3609] ? __list_del_entry_valid+0xe8/0x110
[ 42.417478][ T3609] __list_del_entry_valid+0xe8/0x110
[ 42.422759][ T3609] inode_io_list_del+0x7b/0x200
[ 42.427604][ T3609] evict+0x112/0x6b0
[ 42.431488][ T3609] iput.part.0+0x59b/0x880
[ 42.435894][ T3609] iput+0x58/0x70
[ 42.439525][ T3609] dentry_unlink_inode+0x2b1/0x460
[ 42.444643][ T3609] __dentry_kill+0x3c0/0x640
[ 42.449232][ T3609] ? dput+0x35/0xdb0
[ 42.453112][ T3609] dput+0x64d/0xdb0
[ 42.456908][ T3609] __fput+0x3cc/0xa90
[ 42.460882][ T3609] task_work_run+0x16b/0x270
[ 42.465471][ T3609] ? task_work_cancel+0x30/0x30
[ 42.470320][ T3609] ? do_raw_spin_unlock+0x171/0x230
[ 42.475513][ T3609] do_exit+0xb35/0x2a20
[ 42.479656][ T3609] ? lock_downgrade+0x6e0/0x6e0
[ 42.484496][ T3609] ? do_raw_spin_lock+0x120/0x2a0
[ 42.489511][ T3609] ? mm_update_next_owner+0x7b0/0x7b0
[ 42.494871][ T3609] ? rwlock_bug.part.0+0x90/0x90
[ 42.499806][ T3609] ? _raw_spin_unlock_irq+0x1f/0x40
[ 42.505178][ T3609] do_group_exit+0xd0/0x2a0
[ 42.509667][ T3609] __x64_sys_exit_group+0x3a/0x50
[ 42.514678][ T3609] do_syscall_64+0x35/0xb0
[ 42.519089][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 42.524978][ T3609] RIP: 0033:0x7f776b6c13e9
[ 42.529394][ T3609] Code: Unable to access opcode bytes at 0x7f776b6c13bf.
[ 42.536574][ T3609] RSP: 002b:00007ffc7ff00188 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 42.544988][ T3609] RAX: ffffffffffffffda RBX: 00007f776b735330 RCX: 00007f776b6c13e9
[ 42.552949][ T3609] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 42.560907][ T3609] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 42.568874][ T3609] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f776b735330
[ 42.576832][ T3609] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 42.584986][ T3609]
[ 42.588565][ T3609] Kernel Offset: disabled
[ 42.592875][ T3609] Rebooting in 86400 seconds..