./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor588048805 <...> [ 3.784148][ T85] acpid (85) used greatest stack depth: 23440 bytes left [ 3.863819][ T94] xargs (94) used greatest stack depth: 22704 bytes left [ 4.052314][ T100] udevd[100]: starting version 3.2.11 [ 4.131447][ T101] udevd[101]: starting eudev-3.2.11 [ 11.979900][ T28] kauditd_printk_skb: 50 callbacks suppressed [ 11.979913][ T28] audit: type=1400 audit(1712128603.271:61): avc: denied { transition } for pid=223 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 11.984307][ T28] audit: type=1400 audit(1712128603.281:62): avc: denied { noatsecure } for pid=223 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 11.990916][ T28] audit: type=1400 audit(1712128603.281:63): avc: denied { write } for pid=223 comm="sh" path="pipe:[12929]" dev="pipefs" ino=12929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 11.998186][ T28] audit: type=1400 audit(1712128603.281:64): avc: denied { rlimitinh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 12.004264][ T28] audit: type=1400 audit(1712128603.281:65): avc: denied { siginh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.1.160' (ED25519) to the list of known hosts. execve("./syz-executor588048805", ["./syz-executor588048805"], 0x7ffff4c10480 /* 10 vars */) = 0 brk(NULL) = 0x555556ebd000 brk(0x555556ebdd00) = 0x555556ebdd00 arch_prctl(ARCH_SET_FS, 0x555556ebd380) = 0 set_tid_address(0x555556ebd650) = 293 set_robust_list(0x555556ebd660, 24) = 0 rseq(0x555556ebdca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor588048805", 4096) = 27 getrandom("\xa9\x86\xed\x3a\x19\xd0\xb6\xec", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556ebdd00 brk(0x555556eded00) = 0x555556eded00 brk(0x555556edf000) = 0x555556edf000 mprotect(0x7fa2827ca000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ebd650) = 294 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ebd650) = 295 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ebd650) = 296 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ebd650) = 297 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ebd650) = 298 ./strace-static-x86_64: Process 294 attached [pid 294] set_robust_list(0x555556ebd660, 24) = 0 ./strace-static-x86_64: Process 295 attached ./strace-static-x86_64: Process 296 attached ./strace-static-x86_64: Process 297 attached ./strace-static-x86_64: Process 298 attached [pid 297] set_robust_list(0x555556ebd660, 24 [pid 296] set_robust_list(0x555556ebd660, 24 [pid 295] set_robust_list(0x555556ebd660, 24 [pid 294] mkdir("./syzkaller.MDYOYZ", 0700 [pid 298] set_robust_list(0x555556ebd660, 24 [pid 297] <... set_robust_list resumed>) = 0 [pid 296] <... set_robust_list resumed>) = 0 [pid 295] <... set_robust_list resumed>) = 0 [pid 298] <... set_robust_list resumed>) = 0 [pid 294] <... mkdir resumed>) = 0 [pid 296] mkdir("./syzkaller.QrJoi6", 0700 [pid 298] mkdir("./syzkaller.5t5aSt", 0700 [pid 297] mkdir("./syzkaller.w1ubYN", 0700 [pid 295] mkdir("./syzkaller.yqF7iR", 0700 [pid 296] <... mkdir resumed>) = 0 [pid 294] chmod("./syzkaller.MDYOYZ", 0777 [pid 296] chmod("./syzkaller.QrJoi6", 0777 [pid 298] <... mkdir resumed>) = 0 [pid 294] <... chmod resumed>) = 0 [pid 298] chmod("./syzkaller.5t5aSt", 0777 [pid 297] <... mkdir resumed>) = 0 [pid 296] <... chmod resumed>) = 0 [pid 295] <... mkdir resumed>) = 0 [pid 298] <... chmod resumed>) = 0 [pid 297] chmod("./syzkaller.w1ubYN", 0777 [pid 296] chdir("./syzkaller.QrJoi6" [pid 295] chmod("./syzkaller.yqF7iR", 0777 [pid 294] chdir("./syzkaller.MDYOYZ" [pid 296] <... chdir resumed>) = 0 [pid 295] <... chmod resumed>) = 0 [pid 296] mkdir("./0", 0777 [pid 295] chdir("./syzkaller.yqF7iR") = 0 [pid 297] <... chmod resumed>) = 0 [pid 295] mkdir("./0", 0777 [pid 298] chdir("./syzkaller.5t5aSt" [pid 297] chdir("./syzkaller.w1ubYN" [pid 294] <... chdir resumed>) = 0 [pid 297] <... chdir resumed>) = 0 [pid 297] mkdir("./0", 0777 [pid 294] mkdir("./0", 0777 [pid 298] <... chdir resumed>) = 0 [pid 295] <... mkdir resumed>) = 0 [pid 297] <... mkdir resumed>) = 0 [pid 295] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 294] <... mkdir resumed>) = 0 [pid 294] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 295] <... clone resumed>, child_tidptr=0x555556ebd650) = 299 [pid 297] <... clone resumed>, child_tidptr=0x555556ebd650) = 300 ./strace-static-x86_64: Process 300 attached [pid 300] set_robust_list(0x555556ebd660, 24) = 0 [pid 300] chdir("./0") = 0 [pid 300] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 300] setpgid(0, 0) = 0 [pid 300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 298] mkdir("./0", 0777 [pid 300] <... openat resumed>) = 3 [pid 300] write(3, "1000", 4) = 4 [pid 300] close(3) = 0 [pid 300] symlink("/dev/binderfs", "./binderfs" [pid 296] <... mkdir resumed>) = 0 [pid 300] <... symlink resumed>) = 0 [pid 300] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294967291, max_entries=255, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72 [pid 298] <... mkdir resumed>) = 0 ./strace-static-x86_64: Process 301 attached ./strace-static-x86_64: Process 299 attached [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 298] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 302 attached [pid 301] set_robust_list(0x555556ebd660, 24 [pid 300] <... bpf resumed>) = 3 [pid 299] set_robust_list(0x555556ebd660, 24 [pid 294] <... clone resumed>, child_tidptr=0x555556ebd650) = 301 [pid 299] <... set_robust_list resumed>) = 0 [pid 298] <... clone resumed>, child_tidptr=0x555556ebd650) = 303 [pid 296] <... clone resumed>, child_tidptr=0x555556ebd650) = 302 [pid 299] chdir("./0") = 0 [pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 299] setpgid(0, 0) = 0 [pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 299] write(3, "1000", 4) = 4 [pid 299] close(3) = 0 [pid 299] symlink("/dev/binderfs", "./binderfs") = 0 [pid 299] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_BLOOM_FILTER, key_size=0, value_size=4294967291, max_entries=255, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 3 [pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144) = -1 EFAULT (Bad address) [pid 299] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144) = 4 [pid 299] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="jbd2_handle_stats", prog_fd=4}}, 16 [pid 300] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SCHED_CLS, insn_cnt=12, insns=0x20000440, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_XDP, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144./strace-static-x86_64: Process 303 attached [pid 302] set_robust_list(0x555556ebd660, 24 [pid 301] <... set_robust_list resumed>) = 0 [pid 300] <... bpf resumed>) = -1 EFAULT (Bad address) [ 21.098618][ T28] audit: type=1400 audit(1712128612.391:66): avc: denied { execmem } for pid=293 comm="syz-executor588" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.126220][ T28] audit: type=1400 audit(1712128612.421:67): avc: denied { bpf } for pid=300 comm="syz-executor588" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [pid 300] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=12, insns=0x20000440, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144 [pid 303] set_robust_list(0x555556ebd660, 24 [pid 302] <... set_robust_list resumed>) = 0 [pid 303] <... set_robust_list resumed>) = 0 [pid 302] chdir("./0" [pid 301] chdir("./0" [pid 303] chdir("./0" [pid 302] <... chdir resumed>) = 0 [pid 301] <... chdir resumed>) = 0 [pid 303] <... chdir resumed>) = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 301] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 300] <... bpf resumed>) = 4 [ 21.147405][ T28] audit: type=1400 audit(1712128612.421:68): avc: denied { map_create } for pid=300 comm="syz-executor588" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 21.167006][ T28] audit: type=1400 audit(1712128612.421:69): avc: denied { map_read map_write } for pid=300 comm="syz-executor588" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [pid 300] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="jbd2_handle_stats", prog_fd=4}}, 16 [pid 303] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 302] <... prctl resumed>) = 0 [pid 301] <... prctl resumed>) = 0 [pid 303] <... prctl resumed>) = 0 [pid 302] setpgid(0, 0 [pid 301] setpgid(0, 0 [pid 303] setpgid(0, 0 [pid 302] <... setpgid resumed>) = 0 [pid 301] <... setpgid resumed>) = 0 [pid 303] <... setpgid resumed>) = 0 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 303] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 302] <... openat resumed>) = 3 [pid 301] <... openat resumed>) = 3 [pid 303] <... openat resumed>) = 3 [pid 302] write(3, "1000", 4 [pid 301] write(3, "1000", 4 [pid 299] <... bpf resumed>) = 5 [pid 303] write(3, "1000", 4 [pid 302] <... write resumed>) = 4 [pid 301] <... write resumed>) = 4 [pid 303] <... write resumed>) = 4 [pid 302] close(3 [pid 301] close(3 [pid 303] close(3 [pid 302] <... close resumed>) = 0 [pid 301] <... close resumed>) = 0 [pid 303] <... close resumed>) = 0 [pid 302] symlink("/dev/binderfs", "./binderfs" [ 21.187335][ T28] audit: type=1400 audit(1712128612.431:70): avc: denied { prog_load } for pid=299 comm="syz-executor588" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 21.206744][ T28] audit: type=1400 audit(1712128612.431:71): avc: denied { perfmon } for pid=299 comm="syz-executor588" capability=38 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1 [ 21.228216][ T28] audit: type=1400 audit(1712128612.431:72): avc: denied { prog_run } for pid=299 comm="syz-executor588" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 [ 21.248956][ T301] ================================================================== [ 21.256843][ T301] BUG: KASAN: stack-out-of-bounds in hash+0x465/0xc20 [ 21.263434][ T301] Read of size 4 at addr ffffc90000f37980 by task syz-executor588/301 [ 21.271428][ T301] [ 21.273594][ T301] CPU: 0 PID: 301 Comm: syz-executor588 Not tainted 6.1.75-syzkaller-00108-g3ca4271578e1 #0 [ 21.283570][ T301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 21.293466][ T301] Call Trace: [ 21.296706][ T301] [ 21.299483][ T301] dump_stack_lvl+0x151/0x1b7 [ 21.303995][ T301] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 21.309288][ T301] ? _printk+0xd1/0x111 [ 21.313283][ T301] ? __virt_addr_valid+0xc3/0x2f0 [ 21.318142][ T301] print_report+0x158/0x4e0 [ 21.322484][ T301] ? __virt_addr_valid+0xc3/0x2f0 [ 21.327340][ T301] ? kasan_addr_to_slab+0xd/0x80 [ 21.332117][ T301] ? hash+0x465/0xc20 [ 21.335937][ T301] kasan_report+0x13c/0x170 [ 21.340710][ T301] ? hash+0x465/0xc20 [ 21.344529][ T301] __asan_report_load_n_noabort+0xf/0x20 [ 21.349998][ T301] hash+0x465/0xc20 [ 21.353641][ T301] bloom_map_peek_elem+0xac/0x1a0 [ 21.358502][ T301] bpf_prog_00798911c748094f+0x3a/0x3e [ 21.363794][ T301] bpf_trace_run8+0x1f8/0x330 [ 21.368313][ T301] ? bpf_trace_run7+0x370/0x370 [ 21.372997][ T301] ? ext4_reserve_inode_write+0x2b3/0x360 [ 21.378553][ T301] ? inode_doinit_with_dentry+0x10f/0x1070 [ 21.384195][ T301] __bpf_trace_jbd2_handle_stats+0x4a/0x60 [ 21.389838][ T301] jbd2_journal_stop+0xc11/0xc70 [ 21.394609][ T301] ? jbd2_journal_start_reserved+0x410/0x410 [ 21.400422][ T301] ? _raw_spin_unlock+0x4c/0x70 [ 21.405108][ T301] __ext4_journal_stop+0x111/0x1c0 [ 21.410066][ T301] ext4_symlink+0x98e/0xc10 [ 21.414398][ T301] ? ext4_unlink+0x3f0/0x3f0 [ 21.418823][ T301] ? security_inode_symlink+0xb8/0x100 [ 21.424118][ T301] vfs_symlink+0x24e/0x3e0 [ 21.428371][ T301] do_symlinkat+0x1ea/0x5a0 [ 21.432707][ T301] ? __check_object_size+0x48e/0x650 [ 21.438006][ T301] ? vfs_symlink+0x3e0/0x3e0 [ 21.442633][ T301] ? getname_flags+0x1fd/0x520 [ 21.447232][ T301] __x64_sys_symlink+0x7e/0x90 [ 21.451920][ T301] do_syscall_64+0x3d/0xb0 [ 21.456162][ T301] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 21.462063][ T301] RIP: 0033:0x7fa282756f57 [ 21.466319][ T301] Code: 7b 00 00 00 48 8d 35 70 c3 04 00 48 8d 3d 91 c3 04 00 e8 dc 19 fd ff e8 27 1e 00 00 0f 1f 80 00 00 00 00 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 21.485757][ T301] RSP: 002b:00007ffcc8cbbda8 EFLAGS: 00000206 ORIG_RAX: 0000000000000058 [ 21.494023][ T301] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa282756f57 [ 21.501815][ T301] RDX: 0000000000000004 RSI: 00007fa2827a002d RDI: 00007fa2827a0038 [ 21.509636][ T301] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 21.517606][ T301] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000001 [ 21.525422][ T301] R13: 00007ffcc8cbc148 R14: 00007ffcc8cbbde0 R15: 0000000000000000 [ 21.533239][ T301] [ 21.536093][ T301] [ 21.538262][ T301] The buggy address belongs to stack of task syz-executor588/301 [ 21.545814][ T301] and is located at offset 0 in frame: [ 21.551194][ T301] bpf_trace_run8+0x0/0x330 [ 21.555537][ T301] [ 21.557702][ T301] This frame has 1 object: [ 21.561958][ T301] [32, 96) 'args' [ 21.561969][ T301] [ 21.567690][ T301] The buggy address belongs to the virtual mapping at [ 21.567690][ T301] [ffffc90000f30000, ffffc90000f39000) created by: [ 21.567690][ T301] copy_process+0x5c3/0x3530 [ 21.585137][ T301] [ 21.587299][ T301] The buggy address belongs to the physical page: [ 21.593551][ T301] page:ffffea0004251580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109456 [ 21.603619][ T301] flags: 0x4000000000000000(zone=1) [ 21.608664][ T301] raw: 4000000000000000 0000000000000000 dead000000000122 0000000000000000 [ 21.617076][ T301] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 21.625486][ T301] page dumped because: kasan: bad access detected [ 21.631737][ T301] page_owner tracks the page as allocated [ 21.637292][ T301] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 294, tgid 294 (syz-executor588), ts 21123579220, free_ts 17312168865 [ 21.656388][ T301] post_alloc_hook+0x213/0x220 [ 21.660987][ T301] prep_new_page+0x1b/0x110 [ 21.665331][ T301] get_page_from_freelist+0x27ea/0x2870 [ 21.670707][ T301] __alloc_pages+0x3a1/0x780 [ 21.675135][ T301] __vmalloc_node_range+0x89b/0x1540 [ 21.680254][ T301] dup_task_struct+0x3d6/0x7d0 [ 21.684854][ T301] copy_process+0x5c3/0x3530 [ 21.689281][ T301] kernel_clone+0x229/0x890 [ 21.693617][ T301] __x64_sys_clone+0x231/0x280 [ 21.698224][ T301] do_syscall_64+0x3d/0xb0 [ 21.702482][ T301] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 21.708198][ T301] page last free stack trace: [ 21.712715][ T301] free_unref_page_prepare+0x83d/0x850 [ 21.718020][ T301] free_unref_page+0xb2/0x5c0 [ 21.722523][ T301] __free_pages+0x61/0xf0 [ 21.726688][ T301] __free_slab+0xce/0x1a0 [ 21.730850][ T301] __unfreeze_partials+0x165/0x1a0 [ 21.735797][ T301] put_cpu_partial+0xa9/0x100 [ 21.740311][ T301] __slab_free+0x1c8/0x280 [ 21.744567][ T301] ___cache_free+0xc6/0xd0 [ 21.748818][ T301] qlist_free_all+0xc5/0x140 [ 21.753245][ T301] kasan_quarantine_reduce+0x15a/0x180 [ 21.758538][ T301] __kasan_slab_alloc+0x24/0x80 [ 21.763226][ T301] slab_post_alloc_hook+0x53/0x2c0 [ 21.768178][ T301] kmem_cache_alloc+0x175/0x2c0 [ 21.772860][ T301] getname_flags+0xba/0x520 [ 21.777198][ T301] getname+0x19/0x20 [ 21.780937][ T301] do_sys_openat2+0xd7/0x850 [ 21.785359][ T301] [ 21.787527][ T301] Memory state around the buggy address: [ 21.793008][ T301] ffffc90000f37880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 21.800895][ T301] ffffc90000f37900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 21.808793][ T301] >ffffc90000f37980: f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 [ 21.816689][ T301] ^ [ 21.820595][ T301] ffffc90000f37a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 21.828495][ T301] ffffc90000f37a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 21.836390][ T301] ================================================================== [ 21.844367][ T301] Disabling lock debugging due to kernel taint [ 21.844817][ T302] BUG: unable to handle page fault for address: ffffc90000f48000 [ 21.857827][ T302] #PF: supervisor read access in kernel mode [ 21.863641][ T302] #PF: error_code(0x0000) - not-present page [ 21.869455][ T302] PGD 100000067 P4D 100000067 PUD 100154067 PMD 121ae5067 PTE 0 [ 21.876919][ T302] Oops: 0000 [#1] PREEMPT SMP KASAN [ 21.884994][ T302] CPU: 1 PID: 302 Comm: syz-executor588 Tainted: G B 6.1.75-syzkaller-00108-g3ca4271578e1 #0 [ 21.896361][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 21.906341][ T302] RIP: 0010:hash+0x2d8/0xc20 [ 21.910769][ T302] Code: 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 2b 01 00 00 4a 8d 7c 36 07 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 43 01 00 00 <42> 03 5c 36 04 4a 8d 7c 36 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 [ 21.930214][ T302] RSP: 0018:ffffc90000f47888 EFLAGS: 00010282 [ 21.936122][ T302] RAX: 0000000000000000 RBX: 000000004cc65499 RCX: ffffffff8191c465 [ 21.943925][ T302] RDX: dffffc0000000000 RSI: ffffc90000f47948 RDI: ffffc90000f48003 [ 21.951736][ T302] RBP: ffffc90000f478c8 R08: 00000000fffff93b R09: 0000000000000000 [ 21.959552][ T302] R10: 0000000000000000 R11: dffffc0000000001 R12: 000000000440d7da [ 21.967355][ T302] R13: 00000000fffff93b R14: 00000000000006b4 R15: 00000000f3688ca6 [ 21.975176][ T302] FS: 0000555556ebd380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 21.983933][ T302] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.990354][ T302] CR2: ffffc90000f48000 CR3: 0000000122084000 CR4: 00000000003506a0 [ 21.998171][ T302] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.005977][ T302] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.013790][ T302] Call Trace: [ 22.016912][ T302] [ 22.019701][ T302] ? __die_body+0x62/0xb0 [ 22.023858][ T302] ? __die+0x7e/0x90 [ 22.027590][ T302] ? page_fault_oops+0x7f9/0xa90 [ 22.032365][ T302] ? kernelmode_fixup_or_oops+0x270/0x270 [ 22.037916][ T302] ? is_prefetch+0x47a/0x6d0 [ 22.042343][ T302] ? chksum_update+0x48/0xa0 [ 22.046769][ T302] ? crypto_shash_setkey+0x2c0/0x2c0 [ 22.051891][ T302] ? __find_get_block+0xd38/0x1180 [ 22.056836][ T302] ? kernelmode_fixup_or_oops+0x21b/0x270 [ 22.062399][ T302] ? __bad_area_nosemaphore+0xcf/0x620 [ 22.067806][ T302] ? bad_area_nosemaphore+0x2d/0x40 [ 22.072829][ T302] ? do_kern_addr_fault+0x69/0x80 [ 22.077688][ T302] ? exc_page_fault+0x513/0x700 [ 22.082373][ T302] ? asm_exc_page_fault+0x27/0x30 [ 22.087232][ T302] ? hash+0x435/0xc20 [ 22.091056][ T302] ? hash+0x2d8/0xc20 [ 22.094870][ T302] ? hash+0x435/0xc20 [ 22.099298][ T302] bloom_map_peek_elem+0xac/0x1a0 [ 22.104160][ T302] bpf_prog_00798911c748094f+0x3a/0x3e [ 22.109449][ T302] bpf_trace_run8+0x1f8/0x330 [ 22.113967][ T302] ? bpf_trace_run7+0x370/0x370 [ 22.118652][ T302] ? ext4_reserve_inode_write+0x2b3/0x360 [ 22.124209][ T302] ? inode_doinit_with_dentry+0x10f/0x1070 [ 22.129849][ T302] __bpf_trace_jbd2_handle_stats+0x4a/0x60 [ 22.135489][ T302] jbd2_journal_stop+0xc11/0xc70 [ 22.140273][ T302] ? jbd2_journal_start_reserved+0x410/0x410 [ 22.146076][ T302] ? _raw_spin_unlock+0x4c/0x70 [ 22.150766][ T302] __ext4_journal_stop+0x111/0x1c0 [ 22.155710][ T302] ext4_symlink+0x98e/0xc10 [ 22.160057][ T302] ? ext4_unlink+0x3f0/0x3f0 [ 22.164485][ T302] ? security_inode_symlink+0xb8/0x100 [ 22.169779][ T302] vfs_symlink+0x24e/0x3e0 [ 22.174032][ T302] do_symlinkat+0x1ea/0x5a0 [ 22.178365][ T302] ? __check_object_size+0x48e/0x650 [ 22.183487][ T302] ? vfs_symlink+0x3e0/0x3e0 [ 22.187913][ T302] ? getname_flags+0x1fd/0x520 [ 22.192513][ T302] __x64_sys_symlink+0x7e/0x90 [ 22.197110][ T302] do_syscall_64+0x3d/0xb0 [ 22.201361][ T302] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 22.207090][ T302] RIP: 0033:0x7fa282756f57 [ 22.211347][ T302] Code: 7b 00 00 00 48 8d 35 70 c3 04 00 48 8d 3d 91 c3 04 00 e8 dc 19 fd ff e8 27 1e 00 00 0f 1f 80 00 00 00 00 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.230789][ T302] RSP: 002b:00007ffcc8cbbda8 EFLAGS: 00000206 ORIG_RAX: 0000000000000058 [ 22.239038][ T302] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa282756f57 [ 22.246843][ T302] RDX: 0000000000000004 RSI: 00007fa2827a002d RDI: 00007fa2827a0038 [ 22.254652][ T302] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 22.262654][ T302] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000001 [ 22.270447][ T302] R13: 00007ffcc8cbc148 R14: 00007ffcc8cbbde0 R15: 0000000000000000 [ 22.278289][ T302] [ 22.281127][ T302] Modules linked in: [ 22.284854][ T302] CR2: ffffc90000f48000 [ 22.288858][ T302] ---[ end trace 0000000000000000 ]--- [ 22.288899][ T301] BUG: unable to handle page fault for address: ffffc90000f38000 [ 22.294143][ T302] RIP: 0010:hash+0x2d8/0xc20 [ 22.301691][ T301] #PF: supervisor read access in kernel mode [ 22.306119][ T302] Code: 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 2b 01 00 00 4a 8d 7c 36 07 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 43 01 00 00 <42> 03 5c 36 04 4a 8d 7c 36 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 [ 22.311934][ T301] #PF: error_code(0x0000) - not-present page [ 22.331379][ T302] RSP: 0018:ffffc90000f47888 EFLAGS: 00010282 [ 22.337279][ T301] PGD 100000067 P4D 100000067 PUD 100154067 [ 22.343179][ T302] RAX: 0000000000000000 RBX: 000000004cc65499 RCX: ffffffff8191c465 [ 22.343195][ T302] RDX: dffffc0000000000 RSI: ffffc90000f47948 RDI: ffffc90000f48003 [ 22.348994][ T301] PMD 121ae5067 [ 22.356802][ T302] RBP: ffffc90000f478c8 R08: 00000000fffff93b R09: 0000000000000000 [ 22.364613][ T301] PTE 0 [ 22.368003][ T302] R10: 0000000000000000 R11: dffffc0000000001 R12: 000000000440d7da [ 22.375811][ T301] Oops: 0000 [#2] PREEMPT SMP KASAN [ 22.378424][ T302] R13: 00000000fffff93b R14: 00000000000006b4 R15: 00000000f3688ca6 [ 22.386228][ T301] CPU: 0 PID: 301 Comm: syz-executor588 Tainted: G B D 6.1.75-syzkaller-00108-g3ca4271578e1 #0 [ 22.391262][ T302] FS: 0000555556ebd380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 22.399074][ T301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 22.410439][ T302] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.419294][ T301] RIP: 0010:hash+0x2d8/0xc20 [ 22.429541][ T302] CR2: ffffc90000f48000 CR3: 0000000122084000 CR4: 00000000003506a0 [ 22.435958][ T301] Code: 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 2b 01 00 00 4a 8d 7c 36 07 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 43 01 00 00 <42> 03 5c 36 04 4a 8d 7c 36 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 [ 22.435983][ T301] RSP: 0018:ffffc90000f37888 EFLAGS: 00010282 [ 22.440473][ T302] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.448279][ T301] [ 22.448286][ T301] RAX: 0000000000000000 RBX: 000000000b02ce77 RCX: ffffffff8191c465 [ 22.467721][ T302] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.473651][ T301] RDX: dffffc0000000000 RSI: ffffc90000f37948 RDI: ffffc90000f38003 [ 22.481439][ T302] Kernel panic - not syncing: Fatal exception [ 22.483607][ T301] RBP: ffffc90000f378c8 R08: 00000000fffff93b R09: fffffbfff0ee5efd [ 22.483621][ T301] R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000088c45666 [ 22.483633][ T301] R13: 00000000fffff93b R14: 00000000000006b4 R15: 0000000080bc3495 [ 22.483644][ T301] FS: 0000555556ebd380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 22.483660][ T301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.483672][ T301] CR2: ffffc90000f38000 CR3: 0000000109455000 CR4: 00000000003506b0 [ 22.483687][ T301] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.483697][ T301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.483708][ T301] Call Trace: [ 22.483713][ T301] [ 22.483721][ T301] ? __die_body+0x62/0xb0 [ 22.483741][ T301] ? __die+0x7e/0x90 [ 22.483757][ T301] ? page_fault_oops+0x7f9/0xa90 [ 22.483780][ T301] ? vprintk_emit+0x450/0x450 [ 22.483801][ T301] ? kernelmode_fixup_or_oops+0x270/0x270 [ 22.483825][ T301] ? __kasan_check_write+0x14/0x20 [ 22.483851][ T301] ? is_prefetch+0x47a/0x6d0 [ 22.483873][ T301] ? __wake_up_klogd+0xde/0x110 [ 22.483893][ T301] ? vprintk_emit+0x1c7/0x450 [ 22.483911][ T301] ? printk_sprint+0x430/0x430 [ 22.483929][ T301] ? printk_sprint+0x430/0x430 [ 22.483949][ T301] ? kernelmode_fixup_or_oops+0x21b/0x270 [ 22.483974][ T301] ? __bad_area_nosemaphore+0xcf/0x620 [ 22.483997][ T301] ? _printk+0xd1/0x111 [ 22.484019][ T301] ? irqentry_exit+0x30/0x40 [ 22.484039][ T301] ? bad_area_nosemaphore+0x2d/0x40 [ 22.484062][ T301] ? do_kern_addr_fault+0x69/0x80 [ 22.484085][ T301] ? exc_page_fault+0x513/0x700 [ 22.484102][ T301] ? __kasan_check_write+0x14/0x20 [ 22.484129][ T301] ? asm_exc_page_fault+0x27/0x30 [ 22.484157][ T301] ? hash+0x435/0xc20 [ 22.484181][ T301] ? hash+0x2d8/0xc20 [ 22.484205][ T301] ? hash+0x435/0xc20 [ 22.484229][ T301] bloom_map_peek_elem+0xac/0x1a0 [ 22.484257][ T301] bpf_prog_00798911c748094f+0x3a/0x3e [ 22.484274][ T301] bpf_trace_run8+0x1f8/0x330 [ 22.484291][ T301] ? bpf_trace_run7+0x370/0x370 [ 22.484306][ T301] ? ext4_reserve_inode_write+0x2b3/0x360 [ 22.484331][ T301] ? inode_doinit_with_dentry+0x10f/0x1070 [ 22.484356][ T301] __bpf_trace_jbd2_handle_stats+0x4a/0x60 [ 22.484383][ T301] jbd2_journal_stop+0xc11/0xc70 [ 22.484404][ T301] ? jbd2_journal_start_reserved+0x410/0x410 [ 22.484423][ T301] ? _raw_spin_unlock+0x4c/0x70 [ 22.484447][ T301] __ext4_journal_stop+0x111/0x1c0 [ 22.484479][ T301] ext4_symlink+0x98e/0xc10 [ 22.484499][ T301] ? ext4_unlink+0x3f0/0x3f0 [ 22.484518][ T301] ? security_inode_symlink+0xb8/0x100 [ 22.484544][ T301] vfs_symlink+0x24e/0x3e0 [ 22.484563][ T301] do_symlinkat+0x1ea/0x5a0 [ 22.484579][ T301] ? __check_object_size+0x48e/0x650 [ 22.484598][ T301] ? vfs_symlink+0x3e0/0x3e0 [ 22.484615][ T301] ? getname_flags+0x1fd/0x520 [ 22.484641][ T301] __x64_sys_symlink+0x7e/0x90 [ 22.484658][ T301] do_syscall_64+0x3d/0xb0 [ 22.484674][ T301] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 22.484699][ T301] RIP: 0033:0x7fa282756f57 [ 22.484713][ T301] Code: 7b 00 00 00 48 8d 35 70 c3 04 00 48 8d 3d 91 c3 04 00 e8 dc 19 fd ff e8 27 1e 00 00 0f 1f 80 00 00 00 00 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.484726][ T301] RSP: 002b:00007ffcc8cbbda8 EFLAGS: 00000206 ORIG_RAX: 0000000000000058 [ 22.484744][ T301] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa282756f57 [ 22.484756][ T301] RDX: 0000000000000004 RSI: 00007fa2827a002d RDI: 00007fa2827a0038 [ 22.484767][ T301] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 22.484778][ T301] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000001 [ 22.484787][ T301] R13: 00007ffcc8cbc148 R14: 00007ffcc8cbbde0 R15: 0000000000000000 [ 22.484803][ T301] [ 22.484808][ T301] Modules linked in: [ 22.484817][ T301] CR2: ffffc90000f38000 [ 22.492595][ T301] ---[ end trace 0000000000000000 ]--- [ 22.492604][ T301] RIP: 0010:hash+0x2d8/0xc20 [ 22.492661][ T301] Code: 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 2b 01 00 00 4a 8d 7c 36 07 48 89 f8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 43 01 00 00 <42> 03 5c 36 04 4a 8d 7c 36 08 48 89 f8 48 c1 e8 03 0f b6 04 10 84 [ 22.492705][ T301] RSP: 0018:ffffc90000f47888 EFLAGS: 00010282 [ 22.492747][ T301] RAX: 0000000000000000 RBX: 000000004cc65499 RCX: ffffffff8191c465 [ 22.492763][ T301] RDX: dffffc0000000000 RSI: ffffc90000f47948 RDI: ffffc90000f48003 [ 22.492776][ T301] RBP: ffffc90000f478c8 R08: 00000000fffff93b R09: 0000000000000000 [ 22.492787][ T301] R10: 0000000000000000 R11: dffffc0000000001 R12: 000000000440d7da [ 22.492798][ T301] R13: 00000000fffff93b R14: 00000000000006b4 R15: 00000000f3688ca6 [ 22.492810][ T301] FS: 0000555556ebd380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 22.492825][ T301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.492837][ T301] CR2: ffffc90000f38000 CR3: 0000000109455000 CR4: 00000000003506b0 [ 22.492853][ T301] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.492863][ T301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 23.678270][ T302] Shutting down cpus with NMI [ 24.180497][ T302] Kernel Offset: disabled [ 24.184628][ T302] Rebooting in 86400 seconds..