./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor353371705 <...> Warning: Permanently added '10.128.0.208' (ED25519) to the list of known hosts. execve("./syz-executor353371705", ["./syz-executor353371705"], 0x7ffea71fb1e0 /* 10 vars */) = 0 brk(NULL) = 0x55556b9fa000 brk(0x55556b9fad00) = 0x55556b9fad00 arch_prctl(ARCH_SET_FS, 0x55556b9fa380) = 0 set_tid_address(0x55556b9fa650) = 5818 set_robust_list(0x55556b9fa660, 24) = 0 rseq(0x55556b9faca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor353371705", 4096) = 27 getrandom("\xc1\x30\x32\x98\x9d\xe8\x68\x95", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556b9fad00 brk(0x55556ba1bd00) = 0x55556ba1bd00 brk(0x55556ba1c000) = 0x55556ba1c000 mprotect(0x7f3d546aa000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5820 attached [pid 5820] set_robust_list(0x55556b9fa660, 24) = 0 [pid 5820] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5818] <... clone resumed>, child_tidptr=0x55556b9fa650) = 5820 [pid 5820] setpgid(0, 0) = 0 [pid 5820] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5820] write(3, "1000", 4) = 4 [pid 5820] close(3) = 0 [pid 5820] write(1, "executing program\n", 18executing program ) = 18 [pid 5820] memfd_create("syzkaller", 0) = 3 [pid 5820] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3d4c000000 [pid 5820] write(3, "\x02\x02\x02\x02\x02\x02\x02\x02\x74\x68\x69\x73\x20\x69\x73\x20\x61\x6e\x20\x6f\x63\x66\x73\x32\x20\x76\x6f\x6c\x75\x6d\x65\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"..., 16777216) = 16777216 [pid 5820] munmap(0x7f3d4c000000, 138412032) = 0 [pid 5820] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5820] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5820] close(3) = 0 [pid 5820] close(4) = 0 [pid 5820] mkdir("./file0", 0777) = 0 [ 64.592901][ T5820] loop0: detected capacity change from 0 to 32768 [ 64.645509][ T5820] (syz-executor353,5820,1):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC. [ 64.660774][ T5820] (syz-executor353,5820,1):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xb3775c19, computed 0x2dd1c265. Applying ECC. [pid 5820] mount("/dev/loop0", "./file0", "ocfs2", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME, "journal_async_commit,heartbeat=none,localflocks,inode64,journal_async_commit,noacl,noacl,errors=cont"...) = 0 [pid 5820] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5820] chdir("./file0") = 0 [pid 5820] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5820] mkdir(".", 0777) = -1 EEXIST (File exists) [pid 5820] mount(NULL, ".", 0x20000180, MS_RDONLY|MS_NOEXEC|MS_REMOUNT|MS_DIRSYNC|MS_MOVE|MS_REC|MS_UNBINDABLE|MS_SHARED, "journal_async_commit,heartbeat=none,localflocks,inode64,journal_async_commit,noacl,noacl,errors=cont"...) = 0 [pid 5820] openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY) = 4 [ 64.682886][ T5820] (syz-executor353,5820,1):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xcfdff595, computed 0xefed4a20. Applying ECC. [ 64.700681][ T5820] JBD2: Ignoring recovery information on journal [ 64.725411][ T5820] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode. [ 64.777022][ T5820] ================================================================== [ 64.785143][ T5820] BUG: KASAN: slab-use-after-free in ocfs2_lock_global_qf+0xb8/0x2b0 [ 64.793233][ T5820] Read of size 8 at addr ffff888035461028 by task syz-executor353/5820 [ 64.801543][ T5820] [ 64.803870][ T5820] CPU: 0 UID: 0 PID: 5820 Comm: syz-executor353 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0 [ 64.814971][ T5820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 64.825041][ T5820] Call Trace: [ 64.828323][ T5820] [ 64.831256][ T5820] dump_stack_lvl+0x241/0x360 [ 64.835922][ T5820] ? __pfx_dump_stack_lvl+0x10/0x10 [ 64.841122][ T5820] ? __pfx__printk+0x10/0x10 [ 64.845707][ T5820] ? _printk+0xd5/0x120 [ 64.849850][ T5820] ? __virt_addr_valid+0x183/0x530 [ 64.854968][ T5820] ? __virt_addr_valid+0x183/0x530 [ 64.860087][ T5820] print_report+0x169/0x550 [ 64.864590][ T5820] ? __virt_addr_valid+0x183/0x530 [ 64.869728][ T5820] ? __virt_addr_valid+0x183/0x530 [ 64.874833][ T5820] ? __virt_addr_valid+0x45f/0x530 [ 64.879938][ T5820] ? __phys_addr+0xba/0x170 [ 64.884426][ T5820] ? ocfs2_lock_global_qf+0xb8/0x2b0 [ 64.889695][ T5820] kasan_report+0x143/0x180 [ 64.894194][ T5820] ? ocfs2_lock_global_qf+0xb8/0x2b0 [ 64.899486][ T5820] ocfs2_lock_global_qf+0xb8/0x2b0 [ 64.904587][ T5820] ? __pfx_ocfs2_lock_global_qf+0x10/0x10 [ 64.910301][ T5820] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 64.916282][ T5820] ocfs2_get_next_id+0x22c/0x740 [ 64.921219][ T5820] ? __pfx_ocfs2_get_next_id+0x10/0x10 [ 64.926839][ T5820] ? from_kuid+0x1a7/0x730 [ 64.931239][ T5820] ? __pfx_from_kuid+0x10/0x10 [ 64.936014][ T5820] dquot_get_next_dqblk+0x73/0x3a0 [ 64.941128][ T5820] quota_getnextquota+0x2c5/0x6c0 [ 64.946141][ T5820] ? __pfx_quota_getnextquota+0x10/0x10 [ 64.951848][ T5820] ? safesetid_security_capable+0xb2/0x1d0 [ 64.957646][ T5820] ? bpf_lsm_capable+0x9/0x10 [ 64.962335][ T5820] ? security_capable+0x7e/0x2d0 [ 64.967257][ T5820] ? bpf_lsm_quotactl+0x9/0x10 [ 64.972002][ T5820] ? security_quotactl+0x7d/0x2c0 [ 64.977020][ T5820] ? do_quotactl+0x475/0x870 [ 64.981608][ T5820] __se_sys_quotactl+0x2c4/0xa30 [ 64.986722][ T5820] ? __pfx___se_sys_quotactl+0x10/0x10 [ 64.992180][ T5820] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 64.998609][ T5820] ? do_syscall_64+0x100/0x230 [ 65.003391][ T5820] do_syscall_64+0xf3/0x230 [ 65.007888][ T5820] ? clear_bhb_loop+0x35/0x90 [ 65.012568][ T5820] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 65.018581][ T5820] RIP: 0033:0x7f3d54632b99 [ 65.023149][ T5820] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 65.042773][ T5820] RSP: 002b:00007ffe711e58a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3 [ 65.051220][ T5820] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3d54632b99 [ 65.059185][ T5820] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: ffffffff80000900 [ 65.067146][ T5820] RBP: 00007f3d546aa5f0 R08: 0000000020000c40 R09: 000055556b9fb4c0 [ 65.075116][ T5820] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe711e58d0 [ 65.083108][ T5820] R13: 00007ffe711e5af8 R14: 431bde82d7b634db R15: 00007f3d5467b03b [ 65.091076][ T5820] [ 65.094102][ T5820] [ 65.096411][ T5820] Allocated by task 5820: [ 65.101156][ T5820] kasan_save_track+0x3f/0x80 [ 65.105825][ T5820] __kasan_kmalloc+0x98/0xb0 [ 65.110402][ T5820] __kmalloc_cache_noprof+0x243/0x390 [ 65.115792][ T5820] ocfs2_local_read_info+0x1ee/0x19f0 [ 65.121150][ T5820] dquot_load_quota_sb+0x762/0xbb0 [ 65.126253][ T5820] dquot_load_quota_inode+0x320/0x600 [ 65.131636][ T5820] ocfs2_enable_quotas+0x169/0x450 [ 65.136752][ T5820] ocfs2_fill_super+0x4ca1/0x5760 [ 65.141766][ T5820] mount_bdev+0x20a/0x2d0 [ 65.146092][ T5820] legacy_get_tree+0xee/0x190 [ 65.150755][ T5820] vfs_get_tree+0x90/0x2b0 [ 65.155155][ T5820] do_new_mount+0x2be/0xb40 [ 65.159665][ T5820] __se_sys_mount+0x2d6/0x3c0 [ 65.164335][ T5820] do_syscall_64+0xf3/0x230 [ 65.168845][ T5820] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 65.174722][ T5820] [ 65.177037][ T5820] Freed by task 5820: [ 65.181027][ T5820] kasan_save_track+0x3f/0x80 [ 65.185690][ T5820] kasan_save_free_info+0x40/0x50 [ 65.190704][ T5820] __kasan_slab_free+0x59/0x70 [ 65.195482][ T5820] kfree+0x196/0x430 [ 65.199370][ T5820] ocfs2_local_free_info+0x81f/0x9a0 [ 65.204643][ T5820] dquot_disable+0x1160/0x1cd0 [ 65.209394][ T5820] ocfs2_susp_quotas+0x16c/0x340 [ 65.214333][ T5820] ocfs2_remount+0x576/0xc30 [ 65.218935][ T5820] reconfigure_super+0x43a/0x870 [ 65.223860][ T5820] path_mount+0xc22/0xfa0 [ 65.228183][ T5820] __se_sys_mount+0x2d6/0x3c0 [ 65.232840][ T5820] do_syscall_64+0xf3/0x230 [ 65.237346][ T5820] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 65.243229][ T5820] [ 65.245534][ T5820] The buggy address belongs to the object at ffff888035461000 [ 65.245534][ T5820] which belongs to the cache kmalloc-1k of size 1024 [ 65.259590][ T5820] The buggy address is located 40 bytes inside of [ 65.259590][ T5820] freed 1024-byte region [ffff888035461000, ffff888035461400) [ 65.273378][ T5820] [ 65.275720][ T5820] The buggy address belongs to the physical page: [ 65.282208][ T5820] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x35460 [ 65.291052][ T5820] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 65.299553][ T5820] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 65.307091][ T5820] page_type: f5(slab) [ 65.311075][ T5820] raw: 00fff00000000040 ffff88801ac41dc0 ffffea000533c600 0000000000000002 [ 65.319664][ T5820] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 65.328320][ T5820] head: 00fff00000000040 ffff88801ac41dc0 ffffea000533c600 0000000000000002 [ 65.337001][ T5820] head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 65.345674][ T5820] head: 00fff00000000003 ffffea0000d51801 ffffffffffffffff 0000000000000000 [ 65.354384][ T5820] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 65.363053][ T5820] page dumped because: kasan: bad access detected [ 65.369461][ T5820] page_owner tracks the page as allocated [ 65.375188][ T5820] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5485, tgid 5485 (S41dhcpcd), ts 36970568324, free_ts 36970094811 [ 65.395506][ T5820] post_alloc_hook+0x1f3/0x230 [ 65.400353][ T5820] get_page_from_freelist+0x3651/0x37a0 [ 65.405977][ T5820] __alloc_pages_noprof+0x292/0x710 [ 65.411163][ T5820] alloc_pages_mpol_noprof+0x3e8/0x680 [ 65.416616][ T5820] alloc_slab_page+0x6a/0x110 [ 65.421288][ T5820] allocate_slab+0x5a/0x2b0 [ 65.425794][ T5820] ___slab_alloc+0xc27/0x14a0 [ 65.430458][ T5820] __slab_alloc+0x58/0xa0 [ 65.434782][ T5820] __kmalloc_noprof+0x2e6/0x4c0 [ 65.439648][ T5820] tomoyo_init_log+0x1b3d/0x2050 [ 65.444592][ T5820] tomoyo_supervisor+0x38a/0x11f0 [ 65.449605][ T5820] tomoyo_env_perm+0x178/0x210 [ 65.454368][ T5820] tomoyo_find_next_domain+0x146e/0x1d40 [ 65.459992][ T5820] tomoyo_bprm_check_security+0x117/0x180 [ 65.465706][ T5820] security_bprm_check+0x86/0x250 [ 65.470737][ T5820] bprm_execve+0xa53/0x17a0 [ 65.475231][ T5820] page last free pid 5485 tgid 5485 stack trace: [ 65.481539][ T5820] free_unref_page+0xd2c/0x1000 [ 65.486377][ T5820] __put_partials+0x160/0x1c0 [ 65.491047][ T5820] put_cpu_partial+0x17c/0x250 [ 65.495799][ T5820] __slab_free+0x290/0x380 [ 65.500204][ T5820] qlist_free_all+0x9a/0x140 [ 65.504783][ T5820] kasan_quarantine_reduce+0x14f/0x170 [ 65.510229][ T5820] __kasan_slab_alloc+0x23/0x80 [ 65.515069][ T5820] __kmalloc_noprof+0x236/0x4c0 [ 65.519923][ T5820] tomoyo_supervisor+0xe0d/0x11f0 [ 65.524938][ T5820] tomoyo_env_perm+0x178/0x210 [ 65.529709][ T5820] tomoyo_find_next_domain+0x146e/0x1d40 [ 65.535332][ T5820] tomoyo_bprm_check_security+0x117/0x180 [ 65.541047][ T5820] security_bprm_check+0x86/0x250 [ 65.546061][ T5820] bprm_execve+0xa53/0x17a0 [ 65.550569][ T5820] do_execveat_common+0x55f/0x6f0 [ 65.555577][ T5820] __x64_sys_execve+0x92/0xb0 [ 65.560260][ T5820] [ 65.562565][ T5820] Memory state around the buggy address: [ 65.568182][ T5820] ffff888035460f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 65.576225][ T5820] ffff888035460f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 65.584268][ T5820] >ffff888035461000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.593699][ T5820] ^ [ 65.599057][ T5820] ffff888035461080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.607115][ T5820] ffff888035461100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.615238][ T5820] ================================================================== [ 65.624236][ T5820] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 65.631436][ T5820] CPU: 0 UID: 0 PID: 5820 Comm: syz-executor353 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0 [ 65.642553][ T5820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 65.652629][ T5820] Call Trace: [ 65.655909][ T5820] [ 65.658835][ T5820] dump_stack_lvl+0x241/0x360 [ 65.663510][ T5820] ? __pfx_dump_stack_lvl+0x10/0x10 [ 65.668707][ T5820] ? __pfx__printk+0x10/0x10 [ 65.673292][ T5820] ? preempt_schedule+0xe1/0xf0 [ 65.678148][ T5820] ? vscnprintf+0x5d/0x90 [ 65.682469][ T5820] panic+0x349/0x880 [ 65.686353][ T5820] ? check_panic_on_warn+0x21/0xb0 [ 65.691457][ T5820] ? __pfx_panic+0x10/0x10 [ 65.695866][ T5820] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 65.701836][ T5820] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 65.708155][ T5820] ? print_report+0x502/0x550 [ 65.712839][ T5820] check_panic_on_warn+0x86/0xb0 [ 65.717766][ T5820] ? ocfs2_lock_global_qf+0xb8/0x2b0 [ 65.723044][ T5820] end_report+0x77/0x160 [ 65.727283][ T5820] kasan_report+0x154/0x180 [ 65.731779][ T5820] ? ocfs2_lock_global_qf+0xb8/0x2b0 [ 65.737058][ T5820] ocfs2_lock_global_qf+0xb8/0x2b0 [ 65.742163][ T5820] ? __pfx_ocfs2_lock_global_qf+0x10/0x10 [ 65.747872][ T5820] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 65.753854][ T5820] ocfs2_get_next_id+0x22c/0x740 [ 65.758784][ T5820] ? __pfx_ocfs2_get_next_id+0x10/0x10 [ 65.764234][ T5820] ? from_kuid+0x1a7/0x730 [ 65.768643][ T5820] ? __pfx_from_kuid+0x10/0x10 [ 65.773395][ T5820] dquot_get_next_dqblk+0x73/0x3a0 [ 65.778605][ T5820] quota_getnextquota+0x2c5/0x6c0 [ 65.783639][ T5820] ? __pfx_quota_getnextquota+0x10/0x10 [ 65.789187][ T5820] ? safesetid_security_capable+0xb2/0x1d0 [ 65.794999][ T5820] ? bpf_lsm_capable+0x9/0x10 [ 65.799691][ T5820] ? security_capable+0x7e/0x2d0 [ 65.804644][ T5820] ? bpf_lsm_quotactl+0x9/0x10 [ 65.809407][ T5820] ? security_quotactl+0x7d/0x2c0 [ 65.814435][ T5820] ? do_quotactl+0x475/0x870 [ 65.819024][ T5820] __se_sys_quotactl+0x2c4/0xa30 [ 65.823960][ T5820] ? __pfx___se_sys_quotactl+0x10/0x10 [ 65.829412][ T5820] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 65.835729][ T5820] ? do_syscall_64+0x100/0x230 [ 65.840514][ T5820] do_syscall_64+0xf3/0x230 [ 65.845013][ T5820] ? clear_bhb_loop+0x35/0x90 [ 65.849686][ T5820] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 65.855659][ T5820] RIP: 0033:0x7f3d54632b99 [ 65.860062][ T5820] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 65.879655][ T5820] RSP: 002b:00007ffe711e58a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3 [ 65.888318][ T5820] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3d54632b99 [ 65.896284][ T5820] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: ffffffff80000900 [ 65.904243][ T5820] RBP: 00007f3d546aa5f0 R08: 0000000020000c40 R09: 000055556b9fb4c0 [ 65.912205][ T5820] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe711e58d0 [ 65.920168][ T5820] R13: 00007ffe711e5af8 R14: 431bde82d7b634db R15: 00007f3d5467b03b [ 65.928148][ T5820] [ 65.931438][ T5820] Kernel Offset: disabled [ 65.935769][ T5820] Rebooting in 86400 seconds..