./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1008497357 <...> Warning: Permanently added '10.128.0.43' (ED25519) to the list of known hosts. execve("./syz-executor1008497357", ["./syz-executor1008497357"], 0x7ffcb03d1f10 /* 10 vars */) = 0 brk(NULL) = 0x55558e308000 brk(0x55558e308d00) = 0x55558e308d00 arch_prctl(ARCH_SET_FS, 0x55558e308380) = 0 set_tid_address(0x55558e308650) = 5822 set_robust_list(0x55558e308660, 24) = 0 rseq(0x55558e308ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1008497357", 4096) = 28 getrandom("\x97\x39\xc3\x8d\xae\xe7\x7a\x81", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558e308d00 brk(0x55558e329d00) = 0x55558e329d00 brk(0x55558e32a000) = 0x55558e32a000 mprotect(0x7fbfb6c95000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5823 attached [pid 5823] set_robust_list(0x55558e308660, 24) = 0 [pid 5823] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5822] <... clone resumed>, child_tidptr=0x55558e308650) = 5823 [pid 5823] <... prctl resumed>) = 0 [pid 5823] setpgid(0, 0) = 0 [pid 5823] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5823] write(3, "1000", 4) = 4 [pid 5823] close(3executing program ) = 0 [pid 5823] write(1, "executing program\n", 18) = 18 [pid 5823] memfd_create("syzkaller", 0) = 3 [pid 5823] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbfae600000 [pid 5823] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5823] munmap(0x7fbfae600000, 138412032) = 0 [pid 5823] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5823] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5823] close(3) = 0 [pid 5823] close(4) = 0 [pid 5823] mkdir("./file0", 0777) = 0 [pid 5823] mount("/dev/loop0", "./file0", "jfs", 0, "iocharset=maccroatian,discard=0x0000000000000003,nodiscard,errors=continue,iocharset=maccyrillic,") = 0 [pid 5823] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5823] chdir("./file0") = 0 [pid 5823] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5823] chdir("./file0") = 0 [ 88.720614][ T5823] loop0: detected capacity change from 0 to 32768 [ 88.750943][ T5823] [ 88.750943][ T5823] ... Log Wrap ... Log Wrap ... Log Wrap ... [ 88.750943][ T5823] [pid 5823] creat("./bus", 000) = -1 EIO (Input/output error) [pid 5823] openat(AT_FDCWD, "cpu.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = -1 EIO (Input/output error) [ 88.801208][ T5823] read_mapping_page failed! [ 88.805917][ T5823] ERROR: (device loop0): txCommit: [ 88.805917][ T5823] [ 88.826135][ T5823] read_mapping_page failed! [ 88.832779][ T5823] ERROR: (device loop0): txCommit: [ 88.832779][ T5823] [pid 5823] openat(AT_FDCWD, "./file1", O_WRONLY|O_CREAT|O_SYNC|O_NOATIME|FASYNC, 000) = -1 EIO (Input/output error) [pid 5823] openat(AT_FDCWD, ".", O_RDONLY) = 4 [ 88.847310][ T5823] read_mapping_page failed! [ 88.851997][ T5823] ERROR: (device loop0): txCommit: [ 88.851997][ T5823] [ 88.869013][ T5823] ================================================================== [ 88.877119][ T5823] BUG: KASAN: slab-out-of-bounds in jfs_readdir+0x1a6a/0x3ac0 [ 88.884585][ T5823] Read of size 4 at addr ffff888078b636e4 by task syz-executor100/5823 [ 88.892817][ T5823] [ 88.895160][ T5823] CPU: 1 UID: 0 PID: 5823 Comm: syz-executor100 Not tainted 6.15.0-rc7-syzkaller #0 PREEMPT(full) [ 88.895177][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 88.895193][ T5823] Call Trace: [ 88.895201][ T5823] [ 88.895209][ T5823] dump_stack_lvl+0x189/0x250 [ 88.895230][ T5823] ? __virt_addr_valid+0x18c/0x540 [ 88.895248][ T5823] ? rcu_is_watching+0x15/0xb0 [ 88.895268][ T5823] ? __kasan_check_byte+0x12/0x40 [ 88.895290][ T5823] ? __pfx_dump_stack_lvl+0x10/0x10 [ 88.895308][ T5823] ? rcu_is_watching+0x15/0xb0 [ 88.895328][ T5823] ? lock_release+0x4b/0x3e0 [ 88.895349][ T5823] ? __virt_addr_valid+0x18c/0x540 [ 88.895366][ T5823] ? __virt_addr_valid+0x469/0x540 [ 88.895383][ T5823] print_report+0xb4/0x290 [ 88.895399][ T5823] ? jfs_readdir+0x1a6a/0x3ac0 [ 88.895417][ T5823] kasan_report+0x118/0x150 [ 88.895439][ T5823] ? jfs_readdir+0x1a6a/0x3ac0 [ 88.895460][ T5823] jfs_readdir+0x1a6a/0x3ac0 [ 88.895489][ T5823] ? __lock_acquire+0xaac/0xd20 [ 88.895506][ T5823] ? __pfx_jfs_readdir+0x10/0x10 [ 88.895533][ T5823] ? down_write+0x162/0x1f0 [ 88.895556][ T5823] ? __pfx_down_write+0x10/0x10 [ 88.895578][ T5823] ? __pfx_jfs_readdir+0x10/0x10 [ 88.895596][ T5823] wrap_directory_iterator+0x93/0xe0 [ 88.895617][ T5823] iterate_dir+0x5ac/0x770 [ 88.895636][ T5823] __se_sys_getdents64+0xe4/0x260 [ 88.895656][ T5823] ? __pfx___se_sys_getdents64+0x10/0x10 [ 88.895675][ T5823] ? __pfx_filldir64+0x10/0x10 [ 88.895699][ T5823] do_syscall_64+0xf6/0x210 [ 88.895718][ T5823] ? clear_bhb_loop+0x60/0xb0 [ 88.895734][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.895748][ T5823] RIP: 0033:0x7fbfb6c1bb99 [ 88.895765][ T5823] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 88.895777][ T5823] RSP: 002b:00007ffde83a0a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 88.895793][ T5823] RAX: ffffffffffffffda RBX: 0000200000000040 RCX: 00007fbfb6c1bb99 [ 88.895803][ T5823] RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004 [ 88.895812][ T5823] RBP: 00002000000000c0 R08: 000055558e3094c0 R09: 000055558e3094c0 [ 88.895822][ T5823] R10: 000055558e3094c0 R11: 0000000000000246 R12: 0030656c69662f2e [ 88.895832][ T5823] R13: 00007ffde83a0c98 R14: 431bde82d7b634db R15: 0000200000000000 [ 88.895848][ T5823] [ 88.895853][ T5823] [ 89.131586][ T5823] Allocated by task 5823: [ 89.135914][ T5823] kasan_save_track+0x3e/0x80 [ 89.140640][ T5823] __kasan_slab_alloc+0x6c/0x80 [ 89.145535][ T5823] kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 [ 89.151345][ T5823] jfs_alloc_inode+0x28/0x70 [ 89.155954][ T5823] alloc_inode+0x67/0x1b0 [ 89.160287][ T5823] iget_locked+0xf0/0x570 [ 89.164617][ T5823] jfs_iget+0x24/0x3e0 [ 89.168706][ T5823] jfs_lookup+0x1c5/0x380 [ 89.173041][ T5823] __lookup_slow+0x297/0x3d0 [ 89.177629][ T5823] lookup_slow+0x53/0x70 [ 89.181867][ T5823] walk_component+0x2d2/0x400 [ 89.186575][ T5823] path_lookupat+0x163/0x430 [ 89.191163][ T5823] filename_lookup+0x212/0x570 [ 89.195924][ T5823] user_path_at+0x3a/0x60 [ 89.200294][ T5823] __se_sys_chdir+0x91/0x280 [ 89.204881][ T5823] do_syscall_64+0xf6/0x210 [ 89.209384][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.215274][ T5823] [ 89.217609][ T5823] The buggy address belongs to the object at ffff888078b62e18 [ 89.217609][ T5823] which belongs to the cache jfs_ip of size 2232 [ 89.231426][ T5823] The buggy address is located 20 bytes to the right of [ 89.231426][ T5823] allocated 2232-byte region [ffff888078b62e18, ffff888078b636d0) [ 89.246111][ T5823] [ 89.248454][ T5823] The buggy address belongs to the physical page: [ 89.254870][ T5823] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78b60 [ 89.263639][ T5823] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 89.272157][ T5823] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 89.279726][ T5823] page_type: f5(slab) [ 89.283726][ T5823] raw: 00fff00000000040 ffff8881432d3000 dead000000000122 0000000000000000 [ 89.292427][ T5823] raw: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000 [ 89.301012][ T5823] head: 00fff00000000040 ffff8881432d3000 dead000000000122 0000000000000000 [ 89.309679][ T5823] head: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000 [ 89.318350][ T5823] head: 00fff00000000003 ffffea0001e2d801 00000000ffffffff 00000000ffffffff [ 89.327017][ T5823] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 89.335679][ T5823] page dumped because: kasan: bad access detected [ 89.342092][ T5823] page_owner tracks the page as allocated [ 89.347804][ T5823] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5823, tgid 5823 (syz-executor100), ts 88744631698, free_ts 29287886958 [ 89.370386][ T5823] post_alloc_hook+0x1d8/0x230 [ 89.375151][ T5823] get_page_from_freelist+0x21c7/0x22a0 [ 89.380702][ T5823] __alloc_frozen_pages_noprof+0x181/0x370 [ 89.386523][ T5823] alloc_pages_mpol+0x232/0x4a0 [ 89.391379][ T5823] allocate_slab+0x8a/0x3b0 [ 89.395878][ T5823] ___slab_alloc+0xbfc/0x1480 [ 89.400549][ T5823] kmem_cache_alloc_lru_noprof+0x288/0x3d0 [ 89.406360][ T5823] jfs_alloc_inode+0x28/0x70 [ 89.410973][ T5823] alloc_inode+0x67/0x1b0 [ 89.415319][ T5823] new_inode+0x22/0x170 [ 89.419521][ T5823] jfs_fill_super+0x569/0xd90 [ 89.424239][ T5823] get_tree_bdev_flags+0x40b/0x4d0 [ 89.429398][ T5823] vfs_get_tree+0x92/0x2b0 [ 89.433834][ T5823] do_new_mount+0x24a/0xa40 [ 89.438336][ T5823] __se_sys_mount+0x317/0x410 [ 89.443102][ T5823] do_syscall_64+0xf6/0x210 [ 89.447604][ T5823] page last free pid 1 tgid 1 stack trace: [ 89.453402][ T5823] __free_frozen_pages+0xb05/0xcd0 [ 89.458507][ T5823] free_contig_range+0x159/0x440 [ 89.463444][ T5823] destroy_args+0x86/0x460 [ 89.467861][ T5823] debug_vm_pgtable+0x3cf/0x410 [ 89.472712][ T5823] do_one_initcall+0x233/0x820 [ 89.477477][ T5823] do_initcall_level+0x137/0x1f0 [ 89.482413][ T5823] do_initcalls+0x69/0xd0 [ 89.486751][ T5823] kernel_init_freeable+0x3d9/0x570 [ 89.491946][ T5823] kernel_init+0x1d/0x1d0 [ 89.496325][ T5823] ret_from_fork+0x4b/0x80 [ 89.500743][ T5823] ret_from_fork_asm+0x1a/0x30 [ 89.505520][ T5823] [ 89.507834][ T5823] Memory state around the buggy address: [ 89.513459][ T5823] ffff888078b63580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 89.521644][ T5823] ffff888078b63600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 89.529713][ T5823] >ffff888078b63680: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 89.537763][ T5823] ^ [ 89.544953][ T5823] ffff888078b63700: fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb [ 89.553011][ T5823] ffff888078b63780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.561064][ T5823] ================================================================== [ 89.569375][ T5823] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 89.576675][ T5823] CPU: 1 UID: 0 PID: 5823 Comm: syz-executor100 Not tainted 6.15.0-rc7-syzkaller #0 PREEMPT(full) [ 89.587352][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 89.597412][ T5823] Call Trace: [ 89.600698][ T5823] [ 89.603631][ T5823] dump_stack_lvl+0x99/0x250 [ 89.608232][ T5823] ? __asan_memcpy+0x40/0x70 [ 89.612828][ T5823] ? __pfx_dump_stack_lvl+0x10/0x10 [ 89.618035][ T5823] ? __pfx__printk+0x10/0x10 [ 89.622643][ T5823] panic+0x2db/0x790 [ 89.626557][ T5823] ? __pfx_panic+0x10/0x10 [ 89.630983][ T5823] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 89.636880][ T5823] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 89.643210][ T5823] ? print_memory_metadata+0x314/0x400 [ 89.648673][ T5823] ? jfs_readdir+0x1a6a/0x3ac0 [ 89.653442][ T5823] check_panic_on_warn+0x89/0xb0 [ 89.658389][ T5823] ? jfs_readdir+0x1a6a/0x3ac0 [ 89.663159][ T5823] end_report+0x78/0x160 [ 89.667412][ T5823] kasan_report+0x129/0x150 [ 89.671927][ T5823] ? jfs_readdir+0x1a6a/0x3ac0 [ 89.676699][ T5823] jfs_readdir+0x1a6a/0x3ac0 [ 89.681305][ T5823] ? __lock_acquire+0xaac/0xd20 [ 89.686164][ T5823] ? __pfx_jfs_readdir+0x10/0x10 [ 89.691121][ T5823] ? down_write+0x162/0x1f0 [ 89.695631][ T5823] ? __pfx_down_write+0x10/0x10 [ 89.700499][ T5823] ? __pfx_jfs_readdir+0x10/0x10 [ 89.705445][ T5823] wrap_directory_iterator+0x93/0xe0 [ 89.710738][ T5823] iterate_dir+0x5ac/0x770 [ 89.715160][ T5823] __se_sys_getdents64+0xe4/0x260 [ 89.720197][ T5823] ? __pfx___se_sys_getdents64+0x10/0x10 [ 89.725845][ T5823] ? __pfx_filldir64+0x10/0x10 [ 89.730617][ T5823] do_syscall_64+0xf6/0x210 [ 89.735135][ T5823] ? clear_bhb_loop+0x60/0xb0 [ 89.739814][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.745707][ T5823] RIP: 0033:0x7fbfb6c1bb99 [ 89.750121][ T5823] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 89.769730][ T5823] RSP: 002b:00007ffde83a0a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 89.778147][ T5823] RAX: ffffffffffffffda RBX: 0000200000000040 RCX: 00007fbfb6c1bb99 [ 89.786123][ T5823] RDX: 0000000000001000 RSI: 0000200000000f80 RDI: 0000000000000004 [ 89.794111][ T5823] RBP: 00002000000000c0 R08: 000055558e3094c0 R09: 000055558e3094c0 [ 89.802085][ T5823] R10: 000055558e3094c0 R11: 0000000000000246 R12: 0030656c69662f2e [ 89.810077][ T5823] R13: 00007ffde83a0c98 R14: 431bde82d7b634db R15: 0000200000000000 [ 89.818062][ T5823] [ 89.821420][ T5823] Kernel Offset: disabled [ 89.825748][ T5823] Rebooting in 86400 seconds..