./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2368514138 <...> Warning: Permanently added '10.128.1.85' (ED25519) to the list of known hosts. execve("./syz-executor2368514138", ["./syz-executor2368514138"], 0x7ffd63f8df70 /* 10 vars */) = 0 brk(NULL) = 0x55558ca07000 brk(0x55558ca07d40) = 0x55558ca07d40 arch_prctl(ARCH_SET_FS, 0x55558ca073c0) = 0 set_tid_address(0x55558ca07690) = 5829 set_robust_list(0x55558ca076a0, 24) = 0 rseq(0x55558ca07ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2368514138", 4096) = 28 getrandom("\xa1\xe4\xd6\x75\xc2\x6a\x68\xdb", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558ca07d40 brk(0x55558ca28d40) = 0x55558ca28d40 brk(0x55558ca29000) = 0x55558ca29000 mprotect(0x7fd043d56000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.G0TQ8z", 0700) = 0 chmod("./syzkaller.G0TQ8z", 0777) = 0 chdir("./syzkaller.G0TQ8z") = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558ca07690) = 5830 ./strace-static-x86_64: Process 5830 attached [pid 5830] set_robust_list(0x55558ca076a0, 24) = 0 [pid 5830] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 5830] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 5830] dup2(4, 202) = 202 [pid 5830] close(4) = 0 [pid 5830] write(202, "\xff\x00", 2) = 2 [pid 5830] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 5830] rt_sigaction(SIGRT_1, {sa_handler=0x7fd043cf8040, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fd043ce91f0}, NULL, 8) = 0 [pid 5830] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5830] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fd043480000 [pid 5830] mprotect(0x7fd043481000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 5830] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5830] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fd043c80990, parent_tid=0x7fd043c80990, exit_signal=0, stack=0x7fd043480000, stack_size=0x800300, tls=0x7fd043c806c0}./strace-static-x86_64: Process 5833 attached => {parent_tid=[2]}, 88) = 2 [pid 5830] rt_sigprocmask(SIG_SETMASK, [], [pid 5833] rseq(0x7fd043c80fe0, 0x20, 0, 0x53053053 [pid 5830] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5833] <... rseq resumed>) = 0 [pid 5830] ioctl(3, HCIDEVUP [pid 5833] set_robust_list(0x7fd043c809a0, 24) = 0 [pid 5833] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5833] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 5833] read(202, "\x01\x05\x10\x00", 1024) = 4 [ 90.380752][ T5831] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 90.390028][ T5831] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 90.399010][ T5831] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 5833] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5833] read(202, [pid 5830] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 5830] ioctl(3, HCISETSCAN [pid 5833] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 5833] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4 [pid 5830] <... ioctl resumed>, 0x7ffd379442f8) = 0 [pid 5833] <... writev resumed>) = 7 [pid 5830] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 [pid 5833] rt_sigprocmask(SIG_BLOCK, ~[RT_1], NULL, 8) = 0 [pid 5833] madvise(0x7fd043480000, 8372224, MADV_DONTNEED [pid 5830] <... writev resumed>) = 13 [pid 5833] <... madvise resumed>) = 0 [pid 5830] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3 [pid 5833] exit(0 [pid 5830] <... writev resumed>) = 14 [pid 5833] <... exit resumed>) = ? [pid 5830] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [pid 5830] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 5830] futex(0x7fd043c80990, FUTEX_WAIT_BITSET|FUTEX_CLOCK_REALTIME, 2, NULL, FUTEX_BITSET_MATCH_ANY) = 0 [pid 5830] close(3) = 0 [ 90.463164][ T5831] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 90.502998][ T5831] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [pid 5833] +++ exited with 0 +++ [pid 5830] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5830] getppid() = 0 [pid 5830] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5830] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5830] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5830] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5830] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5830] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5830] unshare(CLONE_NEWNS) = 0 [pid 5830] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5830] unshare(CLONE_NEWIPC) = 0 [pid 5830] unshare(CLONE_NEWCGROUP) = 0 [pid 5830] unshare(CLONE_NEWUTS) = 0 [pid 5830] unshare(CLONE_SYSVSEM) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "16777216", 8) = 8 [pid 5830] close(3) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "536870912", 9) = 9 [pid 5830] close(3) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "1024", 4) = 4 [pid 5830] close(3) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "8192", 4) = 4 [pid 5830] close(3) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "1024", 4) = 4 [pid 5830] close(3) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "1024", 4) = 4 [pid 5830] close(3) = 0 [pid 5830] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5830] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5830] close(3) = 0 [pid 5830] getpid() = 1 [pid 5830] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5856] set_robust_list(0x55558ca076a0, 24) = 0 [pid 5856] chdir("./0" [pid 5830] <... clone resumed>, child_tidptr=0x55558ca07690) = 3 [pid 5856] <... chdir resumed>) = 0 [pid 5856] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5856] setpgid(0, 0) = 0 [pid 5856] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5856] write(3, "1000", 4) = 4 [pid 5856] close(3) = 0 [pid 5856] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5856] write(1, "executing program\n", 18executing program ) = 18 [pid 5856] memfd_create("syzkaller", 0) = 3 [pid 5856] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd03b000000 [pid 5856] write(3, "\x02\x02\x02\x02\x02\x02\x02\x02\x74\x68\x69\x73\x20\x69\x73\x20\x61\x6e\x20\x6f\x63\x66\x73\x32\x20\x76\x6f\x6c\x75\x6d\x65\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"..., 16777216) = 16777216 [pid 5856] munmap(0x7fd03b000000, 138412032) = 0 [pid 5856] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5856] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5856] close(3) = 0 [pid 5856] close(4) = 0 [pid 5856] mkdir("./file1", 0777) = 0 [ 105.737984][ T5856] loop0: detected capacity change from 0 to 32768 [ 105.763869][ T5856] ======================================================= [ 105.763869][ T5856] WARNING: The mand mount option has been deprecated and [ 105.763869][ T5856] and is ignored by this kernel. Remove the mand [ 105.763869][ T5856] option from the mount to silence this warning. [ 105.763869][ T5856] ======================================================= [pid 5856] mount("/dev/loop0", "./file1", "ocfs2", MS_NOEXEC|MS_MANDLOCK|MS_DIRSYNC|MS_NODIRATIME|MS_POSIXACL, "acl,heartbeat=none,errors=remount-ro,coherency=full,coherency=full,localflocks,intr,noacl,") = 0 [pid 5856] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5856] chdir("./file1") = 0 [pid 5856] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 105.836914][ T5856] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode. [ 105.896853][ T5856] ================================================================== [ 105.904986][ T5856] BUG: KASAN: use-after-free in ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 105.913439][ T5856] Read of size 4 at addr ffff888075770004 by task syz-executor236/5856 [ 105.921676][ T5856] [ 105.924023][ T5856] CPU: 0 UID: 0 PID: 5856 Comm: syz-executor236 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(full) [ 105.924041][ T5856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 105.924053][ T5856] Call Trace: [ 105.924064][ T5856] [ 105.924071][ T5856] dump_stack_lvl+0x189/0x250 [ 105.924096][ T5856] ? __virt_addr_valid+0x1c8/0x5c0 [ 105.924110][ T5856] ? rcu_is_watching+0x15/0xb0 [ 105.924130][ T5856] ? __kasan_check_byte+0x12/0x40 [ 105.924148][ T5856] ? __pfx_dump_stack_lvl+0x10/0x10 [ 105.924168][ T5856] ? rcu_is_watching+0x15/0xb0 [ 105.924188][ T5856] ? lock_release+0x4b/0x3e0 [ 105.924209][ T5856] ? __virt_addr_valid+0x1c8/0x5c0 [ 105.924221][ T5856] ? __virt_addr_valid+0x4a5/0x5c0 [ 105.924235][ T5856] print_report+0xd2/0x2b0 [ 105.924253][ T5856] ? ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 105.924274][ T5856] kasan_report+0x118/0x150 [ 105.924292][ T5856] ? ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 105.924316][ T5856] ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 105.924342][ T5856] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 105.924368][ T5856] ? lockdep_hardirqs_on+0x9c/0x150 [ 105.924390][ T5856] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 105.924414][ T5856] ? __pfx_ocfs2_reserve_suballoc_bits+0x10/0x10 [ 105.924436][ T5856] ? stack_depot_save_flags+0x429/0x900 [ 105.924459][ T5856] ? kasan_save_track+0x4f/0x80 [ 105.924473][ T5856] ? kasan_save_track+0x3e/0x80 [ 105.924488][ T5856] ? __kasan_kmalloc+0x93/0xb0 [ 105.924503][ T5856] ? __kmalloc_cache_noprof+0x230/0x3d0 [ 105.924521][ T5856] ? ocfs2_reserve_new_metadata_blocks+0x113/0x940 [ 105.924542][ T5856] ? ocfs2_mknod+0xe08/0x2050 [ 105.924560][ T5856] ? ocfs2_create+0x1a5/0x440 [ 105.924577][ T5856] ? path_openat+0x14f4/0x3830 [ 105.924591][ T5856] ? do_filp_open+0x1fa/0x410 [ 105.924605][ T5856] ? do_sys_openat2+0x121/0x1c0 [ 105.924628][ T5856] ? __x64_sys_openat+0x138/0x170 [ 105.924649][ T5856] ? do_syscall_64+0xfa/0x3b0 [ 105.924661][ T5856] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.924693][ T5856] ? __kasan_kmalloc+0x93/0xb0 [ 105.924711][ T5856] ? ocfs2_reserve_new_metadata_blocks+0x113/0x940 [ 105.924734][ T5856] ocfs2_reserve_new_metadata_blocks+0x403/0x940 [ 105.924759][ T5856] ? __pfx_ocfs2_reserve_new_metadata_blocks+0x10/0x10 [ 105.924783][ T5856] ? __pfx_ocfs2_calc_xattr_init+0x10/0x10 [ 105.924808][ T5856] ? ocfs2_init_security_get+0x132/0x1a0 [ 105.924824][ T5856] ocfs2_mknod+0xe08/0x2050 [ 105.924849][ T5856] ? __pfx_ocfs2_mknod+0x10/0x10 [ 105.924873][ T5856] ? __pfx_ocfs2_find_entry+0x10/0x10 [ 105.924887][ T5856] ? __lock_acquire+0xab9/0xd20 [ 105.924914][ T5856] ? look_up_lock_class+0x74/0x170 [ 105.924937][ T5856] ? register_lock_class+0x51/0x320 [ 105.924957][ T5856] ? __lock_acquire+0xab9/0xd20 [ 105.924979][ T5856] ? __lock_acquire+0xab9/0xd20 [ 105.925001][ T5856] ? do_raw_spin_lock+0x121/0x290 [ 105.925020][ T5856] ? do_raw_spin_unlock+0x122/0x240 [ 105.925037][ T5856] ? rcu_is_watching+0x15/0xb0 [ 105.925058][ T5856] ? ocfs2_lookup+0x4a0/0x990 [ 105.925079][ T5856] ocfs2_create+0x1a5/0x440 [ 105.925097][ T5856] ? __pfx_ocfs2_lookup+0x10/0x10 [ 105.925117][ T5856] ? __pfx_ocfs2_create+0x10/0x10 [ 105.925134][ T5856] ? HAS_UNMAPPED_ID+0x11a/0x180 [ 105.925157][ T5856] ? bpf_lsm_inode_create+0x9/0x20 [ 105.925175][ T5856] ? __pfx_ocfs2_create+0x10/0x10 [ 105.925193][ T5856] path_openat+0x14f4/0x3830 [ 105.925207][ T5856] ? arch_stack_walk+0xfc/0x150 [ 105.925242][ T5856] ? __pfx_path_openat+0x10/0x10 [ 105.925255][ T5856] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.925278][ T5856] do_filp_open+0x1fa/0x410 [ 105.925291][ T5856] ? __lock_acquire+0xab9/0xd20 [ 105.925310][ T5856] ? __pfx_do_filp_open+0x10/0x10 [ 105.925333][ T5856] ? _raw_spin_unlock+0x28/0x50 [ 105.925352][ T5856] ? alloc_fd+0x64c/0x6c0 [ 105.925375][ T5856] do_sys_openat2+0x121/0x1c0 [ 105.925398][ T5856] ? __pfx_do_sys_openat2+0x10/0x10 [ 105.925423][ T5856] ? rcu_is_watching+0x15/0xb0 [ 105.925445][ T5856] __x64_sys_openat+0x138/0x170 [ 105.925470][ T5856] do_syscall_64+0xfa/0x3b0 [ 105.925483][ T5856] ? lockdep_hardirqs_on+0x9c/0x150 [ 105.925504][ T5856] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.925518][ T5856] ? clear_bhb_loop+0x60/0xb0 [ 105.925535][ T5856] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.925550][ T5856] RIP: 0033:0x7fd043ccff89 [ 105.925569][ T5856] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 105.925582][ T5856] RSP: 002b:00007ffd379440c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 105.925598][ T5856] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fd043ccff89 [ 105.925610][ T5856] RDX: 0000000000101042 RSI: 0000200000000040 RDI: 00000000ffffff9c [ 105.925620][ T5856] RBP: 00000000ffffffff R08: 0000000000004465 R09: 00007fd043d24149 [ 105.925630][ T5856] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000001000000 [ 105.925639][ T5856] R13: 00007ffd37944160 R14: 0000200000000040 R15: 0000000000000003 [ 105.925655][ T5856] [ 105.925660][ T5856] [ 106.411839][ T5856] The buggy address belongs to the physical page: [ 106.418268][ T5856] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fb71c79e pfn:0x75770 [ 106.427744][ T5856] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 106.434885][ T5856] raw: 00fff00000000000 ffffea0001de7c48 ffffea0001d5dc48 0000000000000000 [ 106.443483][ T5856] raw: 00000007fb71c79e 0000000000000000 00000000ffffffff 0000000000000000 [ 106.452069][ T5856] page dumped because: kasan: bad access detected [ 106.458500][ T5856] page_owner tracks the page as freed [ 106.463889][ T5856] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5854, tgid 5854 (udevd), ts 105780430290, free_ts 105790998262 [ 106.482135][ T5856] post_alloc_hook+0x240/0x2a0 [ 106.486915][ T5856] get_page_from_freelist+0x21d5/0x22b0 [ 106.492479][ T5856] __alloc_frozen_pages_noprof+0x181/0x370 [ 106.498306][ T5856] alloc_pages_mpol+0x232/0x4a0 [ 106.503172][ T5856] vma_alloc_folio_noprof+0xe4/0x200 [ 106.508470][ T5856] folio_prealloc+0x30/0x180 [ 106.513077][ T5856] __handle_mm_fault+0x2c88/0x5620 [ 106.518200][ T5856] handle_mm_fault+0x2d5/0x7f0 [ 106.522974][ T5856] do_user_addr_fault+0x764/0x1390 [ 106.528188][ T5856] exc_page_fault+0x76/0xf0 [ 106.532817][ T5856] asm_exc_page_fault+0x26/0x30 [ 106.537764][ T5856] page last free pid 5854 tgid 5854 stack trace: [ 106.544098][ T5856] free_unref_folios+0xcd2/0x1570 [ 106.549136][ T5856] folios_put_refs+0x559/0x640 [ 106.554098][ T5856] free_pages_and_swap_cache+0x4be/0x520 [ 106.559753][ T5856] tlb_flush_mmu+0x3a0/0x680 [ 106.564367][ T5856] tlb_finish_mmu+0xc3/0x1d0 [ 106.568970][ T5856] vms_clear_ptes+0x42c/0x540 [ 106.573854][ T5856] vms_complete_munmap_vmas+0x206/0x8a0 [ 106.579431][ T5856] do_vmi_align_munmap+0x358/0x420 [ 106.584576][ T5856] do_vmi_munmap+0x253/0x2e0 [ 106.589178][ T5856] __vm_munmap+0x23b/0x3d0 [ 106.593606][ T5856] __x64_sys_munmap+0x60/0x70 [ 106.598300][ T5856] do_syscall_64+0xfa/0x3b0 [ 106.602813][ T5856] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 106.608725][ T5856] [ 106.611078][ T5856] Memory state around the buggy address: [ 106.616802][ T5856] ffff88807576ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 106.625680][ T5856] ffff88807576ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 106.633753][ T5856] >ffff888075770000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 106.641822][ T5856] ^ [ 106.645904][ T5856] ffff888075770080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 106.653982][ T5856] ffff888075770100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 106.662049][ T5856] ================================================================== [ 106.677173][ T5856] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 106.684448][ T5856] CPU: 1 UID: 0 PID: 5856 Comm: syz-executor236 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(full) [ 106.695162][ T5856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 106.705256][ T5856] Call Trace: [ 106.708546][ T5856] [ 106.711485][ T5856] dump_stack_lvl+0x99/0x250 [ 106.716099][ T5856] ? __asan_memcpy+0x40/0x70 [ 106.720712][ T5856] ? __pfx_dump_stack_lvl+0x10/0x10 [ 106.726021][ T5856] ? __pfx__printk+0x10/0x10 [ 106.730665][ T5856] panic+0x2db/0x790 [ 106.734595][ T5856] ? __pfx_panic+0x10/0x10 [ 106.739055][ T5856] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 106.744977][ T5856] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 106.751513][ T5856] ? print_memory_metadata+0x314/0x400 [ 106.757349][ T5856] ? ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 106.763463][ T5856] check_panic_on_warn+0x89/0xb0 [ 106.768420][ T5856] ? ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 106.774539][ T5856] end_report+0x78/0x160 [ 106.778886][ T5856] kasan_report+0x129/0x150 [ 106.783430][ T5856] ? ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 106.789540][ T5856] ocfs2_reserve_suballoc_bits+0xdd0/0x4640 [ 106.795471][ T5856] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 106.801661][ T5856] ? lockdep_hardirqs_on+0x9c/0x150 [ 106.806881][ T5856] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 106.813320][ T5856] ? __pfx_ocfs2_reserve_suballoc_bits+0x10/0x10 [ 106.820100][ T5856] ? stack_depot_save_flags+0x429/0x900 [ 106.825752][ T5856] ? kasan_save_track+0x4f/0x80 [ 106.830962][ T5856] ? kasan_save_track+0x3e/0x80 [ 106.835825][ T5856] ? __kasan_kmalloc+0x93/0xb0 [ 106.840611][ T5856] ? __kmalloc_cache_noprof+0x230/0x3d0 [ 106.846257][ T5856] ? ocfs2_reserve_new_metadata_blocks+0x113/0x940 [ 106.852785][ T5856] ? ocfs2_mknod+0xe08/0x2050 [ 106.857492][ T5856] ? ocfs2_create+0x1a5/0x440 [ 106.862188][ T5856] ? path_openat+0x14f4/0x3830 [ 106.866957][ T5856] ? do_filp_open+0x1fa/0x410 [ 106.871643][ T5856] ? do_sys_openat2+0x121/0x1c0 [ 106.876513][ T5856] ? __x64_sys_openat+0x138/0x170 [ 106.881616][ T5856] ? do_syscall_64+0xfa/0x3b0 [ 106.886302][ T5856] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 106.892408][ T5856] ? __kasan_kmalloc+0x93/0xb0 [ 106.897205][ T5856] ? ocfs2_reserve_new_metadata_blocks+0x113/0x940 [ 106.903755][ T5856] ocfs2_reserve_new_metadata_blocks+0x403/0x940 [ 106.910117][ T5856] ? __pfx_ocfs2_reserve_new_metadata_blocks+0x10/0x10 [ 106.916985][ T5856] ? __pfx_ocfs2_calc_xattr_init+0x10/0x10 [ 106.922837][ T5856] ? ocfs2_init_security_get+0x132/0x1a0 [ 106.928477][ T5856] ocfs2_mknod+0xe08/0x2050 [ 106.933012][ T5856] ? __pfx_ocfs2_mknod+0x10/0x10 [ 106.937992][ T5856] ? __pfx_ocfs2_find_entry+0x10/0x10 [ 106.943371][ T5856] ? __lock_acquire+0xab9/0xd20 [ 106.948274][ T5856] ? look_up_lock_class+0x74/0x170 [ 106.953409][ T5856] ? register_lock_class+0x51/0x320 [ 106.958641][ T5856] ? __lock_acquire+0xab9/0xd20 [ 106.963520][ T5856] ? __lock_acquire+0xab9/0xd20 [ 106.968388][ T5856] ? do_raw_spin_lock+0x121/0x290 [ 106.973437][ T5856] ? do_raw_spin_unlock+0x122/0x240 [ 106.978898][ T5856] ? rcu_is_watching+0x15/0xb0 [ 106.983703][ T5856] ? ocfs2_lookup+0x4a0/0x990 [ 106.988407][ T5856] ocfs2_create+0x1a5/0x440 [ 106.992947][ T5856] ? __pfx_ocfs2_lookup+0x10/0x10 [ 106.998003][ T5856] ? __pfx_ocfs2_create+0x10/0x10 [ 107.003058][ T5856] ? HAS_UNMAPPED_ID+0x11a/0x180 [ 107.008034][ T5856] ? bpf_lsm_inode_create+0x9/0x20 [ 107.013169][ T5856] ? __pfx_ocfs2_create+0x10/0x10 [ 107.018203][ T5856] path_openat+0x14f4/0x3830 [ 107.022797][ T5856] ? arch_stack_walk+0xfc/0x150 [ 107.027682][ T5856] ? __pfx_path_openat+0x10/0x10 [ 107.032637][ T5856] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 107.038735][ T5856] do_filp_open+0x1fa/0x410 [ 107.043248][ T5856] ? __lock_acquire+0xab9/0xd20 [ 107.048113][ T5856] ? __pfx_do_filp_open+0x10/0x10 [ 107.053158][ T5856] ? _raw_spin_unlock+0x28/0x50 [ 107.058125][ T5856] ? alloc_fd+0x64c/0x6c0 [ 107.062470][ T5856] do_sys_openat2+0x121/0x1c0 [ 107.067251][ T5856] ? __pfx_do_sys_openat2+0x10/0x10 [ 107.072480][ T5856] ? rcu_is_watching+0x15/0xb0 [ 107.077277][ T5856] __x64_sys_openat+0x138/0x170 [ 107.082156][ T5856] do_syscall_64+0xfa/0x3b0 [ 107.086679][ T5856] ? lockdep_hardirqs_on+0x9c/0x150 [ 107.091890][ T5856] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 107.098144][ T5856] ? clear_bhb_loop+0x60/0xb0 [ 107.102833][ T5856] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 107.108737][ T5856] RIP: 0033:0x7fd043ccff89 [ 107.113436][ T5856] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 107.133184][ T5856] RSP: 002b:00007ffd379440c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 107.141631][ T5856] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fd043ccff89 [ 107.149611][ T5856] RDX: 0000000000101042 RSI: 0000200000000040 RDI: 00000000ffffff9c [ 107.157592][ T5856] RBP: 00000000ffffffff R08: 0000000000004465 R09: 00007fd043d24149 [ 107.165763][ T5856] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000001000000 [ 107.173763][ T5856] R13: 00007ffd37944160 R14: 0000200000000040 R15: 0000000000000003 [ 107.181761][ T5856] [ 107.185144][ T5856] Kernel Offset: disabled [ 107.189492][ T5856] Rebooting in 86400 seconds..