./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1959344224
<...>
Warning: Permanently added '10.128.1.120' (ED25519) to the list of known hosts.
[ 97.238567][ T54] cfg80211: failed to load regulatory.db
execve("./syz-executor1959344224", ["./syz-executor1959344224"], 0x7ffcda65f820 /* 10 vars */) = 0
brk(NULL) = 0x55555607a000
brk(0x55555607ad00) = 0x55555607ad00
arch_prctl(ARCH_SET_FS, 0x55555607a380) = 0
set_tid_address(0x55555607a650) = 5072
set_robust_list(0x55555607a660, 24) = 0
rseq(0x55555607aca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1959344224", 4096) = 28
getrandom("\xf2\xb7\x13\x5c\x56\xa2\x5b\x1e", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55555607ad00
brk(0x55555609bd00) = 0x55555609bd00
brk(0x55555609c000) = 0x55555609c000
mprotect(0x7fe7856fd000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
mkdir("./syzkaller.g1nVIA", 0700) = 0
chmod("./syzkaller.g1nVIA", 0777) = 0
chdir("./syzkaller.g1nVIA") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555607a650) = 5073
./strace-static-x86_64: Process 5073 attached
[pid 5073] set_robust_list(0x55555607a660, 24) = 0
[pid 5073] chdir("./0") = 0
[pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5073] setpgid(0, 0) = 0
[pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5073] write(3, "1000", 4) = 4
[pid 5073] close(3) = 0
[pid 5073] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5073] memfd_create("syzkaller", 0) = 3
[pid 5073] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe77d249000
[pid 5073] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 5073] munmap(0x7fe77d249000, 138412032) = 0
[pid 5073] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5073] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5073] close(3) = 0
[pid 5073] mkdir("./file0", 0777) = 0
[ 97.869521][ T5073] loop0: detected capacity change from 0 to 8192
[ 97.896748][ T5073] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 97.910003][ T5073] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[pid 5073] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid 5073] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5073] ioctl(4, LOOP_CLR_FD) = 0
[pid 5073] close(4) = 0
[ 97.919740][ T5073] REISERFS (device loop0): using ordered data mode
[ 97.926342][ T5073] reiserfs: using flush barriers
[ 97.933742][ T5073] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 97.950990][ T5073] REISERFS (device loop0): checking transaction log (loop0)
[ 97.961877][ T5073] REISERFS (device loop0): Using r5 hash to sort names
[pid 5073] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_NOATIME|FASYNC, 000) = 4
[pid 5073] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND, NULL) = 0
[pid 5073] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5
[pid 5073] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 4194304
[pid 5073] exit_group(0) = ?
[pid 5073] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5073, si_uid=0, si_status=0, si_utime=0, si_stime=27 /* 0.27 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x55555607b6f0 /* 5 entries */, 32768) = 136
umount2("./0/bus", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/bus", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/bus") = 0
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
[ 98.331111][ T5072] ==================================================================
[ 98.339223][ T5072] BUG: KASAN: vmalloc-out-of-bounds in cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.348105][ T5072] Read of size 8 at addr ffffc90000af6008 by task syz-executor195/5072
[ 98.356346][ T5072]
[ 98.358666][ T5072] CPU: 1 PID: 5072 Comm: syz-executor195 Not tainted 6.6.0-next-20231101-syzkaller #0
[ 98.368235][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 98.378297][ T5072] Call Trace:
[ 98.381583][ T5072]  <TASK>
[ 98.384512][ T5072] dump_stack_lvl+0xd9/0x1b0
[ 98.389144][ T5072] print_report+0xc3/0x620
[ 98.393572][ T5072] ? __virt_addr_valid+0x5e/0x580
[ 98.398613][ T5072] kasan_report+0xd9/0x110
[ 98.403047][ T5072] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.408949][ T5072] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.414853][ T5072] cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.420585][ T5072] free_journal_ram+0x15e/0x5c0
[ 98.425455][ T5072] ? do_raw_spin_unlock+0x172/0x230
[ 98.430680][ T5072] ? _raw_spin_unlock+0x28/0x40
[ 98.435922][ T5072] journal_release+0x2a3/0x650
[ 98.440735][ T5072] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0
[ 98.447450][ T5072] reiserfs_put_super+0xe9/0x5c0
[ 98.452420][ T5072] ? reiserfs_quota_read+0x4e0/0x4e0
[ 98.457741][ T5072] ? fscrypt_destroy_keyring+0x1e/0x3d0
[ 98.463487][ T5072] ? reiserfs_quota_read+0x4e0/0x4e0
[ 98.468823][ T5072] generic_shutdown_super+0x161/0x3c0
[ 98.474242][ T5072] kill_block_super+0x3b/0x90
[ 98.478949][ T5072] deactivate_locked_super+0xbc/0x1a0
[ 98.484352][ T5072] deactivate_super+0xde/0x100
[ 98.489168][ T5072] cleanup_mnt+0x222/0x450
[ 98.493641][ T5072] task_work_run+0x14c/0x240
[ 98.498269][ T5072] ? task_work_cancel+0x30/0x30
[ 98.503159][ T5072] ptrace_notify+0x109/0x130
[ 98.507782][ T5072] syscall_exit_to_user_mode_prepare+0x11c/0x230
[ 98.514131][ T5072] syscall_exit_to_user_mode+0xd/0x60
[ 98.519548][ T5072] do_syscall_64+0x4b/0x110
[ 98.524083][ T5072] entry_SYSCALL_64_after_hwframe+0x62/0x6a
[ 98.530012][ T5072] RIP: 0033:0x7fe7856893c7
[ 98.534436][ T5072] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
[ 98.554077][ T5072] RSP: 002b:00007ffecb579f78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 98.562511][ T5072] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe7856893c7
[ 98.570505][ T5072] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffecb57a030
[ 98.578503][ T5072] RBP: 00007ffecb57a030 R08: 0000000000000000 R09: 0000000000000000
[ 98.586497][ T5072] R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffecb57b090
[ 98.594493][ T5072] R13: 000055555607b6c0 R14: 0000000000000001 R15: 431bde82d7b634db
[ 98.602512][ T5072]  </TASK>
[ 98.605548][ T5072]
[ 98.607886][ T5072] The buggy address belongs to the virtual mapping at
[ 98.607886][ T5072] [ffffc90000af6000, ffffc90000af8000) created by:
[ 98.607886][ T5072] reiserfs_allocate_list_bitmaps+0x58/0x1c0
[ 98.626935][ T5072]
[ 98.629283][ T5072] The buggy address belongs to the physical page:
[ 98.635706][ T5072] page:ffffea0001dc4040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77101
[ 98.645875][ T5072] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 98.652996][ T5072] page_type: 0xffffffff()
[ 98.657340][ T5072] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 98.665943][ T5072] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 98.674532][ T5072] page dumped because: kasan: bad access detected
[ 98.680946][ T5072] page_owner tracks the page as allocated
[ 98.686671][ T5072] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5073, tgid 5073 (syz-executor195), ts 97932422982, free_ts 88306308344
[ 98.706132][ T5072] post_alloc_hook+0x2cf/0x340
[ 98.710918][ T5072] get_page_from_freelist+0xa16/0x3680
[ 98.716407][ T5072] __alloc_pages+0x1cf/0x4c0
[ 98.721017][ T5072] __alloc_pages_bulk+0x77a/0x1110
[ 98.726146][ T5072] alloc_pages_bulk_array_mempolicy+0x21d/0x400
[ 98.732398][ T5072] __vmalloc_node_range+0x10b5/0x1be0
[ 98.737777][ T5072] vzalloc+0x6b/0x80
[ 98.741679][ T5072] reiserfs_allocate_list_bitmaps+0x58/0x1c0
[ 98.747669][ T5072] journal_init+0x3e2/0x6990
[ 98.752272][ T5072] reiserfs_fill_super+0xcc6/0x3150
[ 98.757499][ T5072] mount_bdev+0x1df/0x2d0
[ 98.761852][ T5072] legacy_get_tree+0x109/0x220
[ 98.766632][ T5072] vfs_get_tree+0x8c/0x370
[ 98.771059][ T5072] path_mount+0x148e/0x1ed0
[ 98.775581][ T5072] __x64_sys_mount+0x293/0x310
[ 98.780358][ T5072] do_syscall_64+0x3f/0x110
[ 98.784891][ T5072] page last free stack trace:
[ 98.789563][ T5072] free_unref_page_prepare+0x4f8/0xa90
[ 98.795039][ T5072] free_unref_page+0x33/0x3b0
[ 98.799798][ T5072] __folio_put+0xc3/0x110
[ 98.804158][ T5072] anon_pipe_buf_release+0x3fa/0x4b0
[ 98.809479][ T5072] pipe_read+0x645/0x1400
[ 98.813834][ T5072] vfs_read+0x7c2/0x8f0
[ 98.818023][ T5072] ksys_read+0x1f0/0x250
[ 98.822297][ T5072] do_syscall_64+0x3f/0x110
[ 98.826827][ T5072] entry_SYSCALL_64_after_hwframe+0x62/0x6a
[ 98.832739][ T5072]
[ 98.835060][ T5072] Memory state around the buggy address:
[ 98.840698][ T5072] ffffc90000af5f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 98.848786][ T5072] ffffc90000af5f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 98.856862][ T5072] >ffffc90000af6000: 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 98.864949][ T5072]                       ^
[ 98.869283][ T5072] ffffc90000af6080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 98.877354][ T5072] ffffc90000af6100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 98.885418][ T5072] ==================================================================
[ 98.893671][ T5072] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 98.900882][ T5072] CPU: 1 PID: 5072 Comm: syz-executor195 Not tainted 6.6.0-next-20231101-syzkaller #0
[ 98.910460][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 98.920524][ T5072] Call Trace:
[ 98.923810][ T5072]  <TASK>
[ 98.926782][ T5072] dump_stack_lvl+0xd9/0x1b0
[ 98.931420][ T5072] panic+0x6dc/0x790
[ 98.935351][ T5072] ? panic_smp_self_stop+0xa0/0xa0
[ 98.940488][ T5072] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 98.946669][ T5072] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 98.952851][ T5072] ? check_panic_on_warn+0x1f/0xb0
[ 98.957993][ T5072] check_panic_on_warn+0xab/0xb0
[ 98.962958][ T5072] end_report+0x117/0x160
[ 98.967311][ T5072] kasan_report+0xe9/0x110
[ 98.971748][ T5072] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.977678][ T5072] ? cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.985343][ T5072] cleanup_bitmap_list.part.0+0x4dd/0x5c0
[ 98.991108][ T5072] free_journal_ram+0x15e/0x5c0
[ 98.995995][ T5072] ? do_raw_spin_unlock+0x172/0x230
[ 99.001224][ T5072] ? _raw_spin_unlock+0x28/0x40
[ 99.006129][ T5072] journal_release+0x2a3/0x650
[ 99.010925][ T5072] ? reiserfs_end_persistent_transaction+0x1b0/0x1b0
[ 99.017633][ T5072] reiserfs_put_super+0xe9/0x5c0
[ 99.022599][ T5072] ? reiserfs_quota_read+0x4e0/0x4e0
[ 99.027917][ T5072] ? fscrypt_destroy_keyring+0x1e/0x3d0
[ 99.033498][ T5072] ? reiserfs_quota_read+0x4e0/0x4e0
[ 99.038812][ T5072] generic_shutdown_super+0x161/0x3c0
[ 99.044201][ T5072] kill_block_super+0x3b/0x90
[ 99.048894][ T5072] deactivate_locked_super+0xbc/0x1a0
[ 99.054286][ T5072] deactivate_super+0xde/0x100
[ 99.059070][ T5072] cleanup_mnt+0x222/0x450
[ 99.063533][ T5072] task_work_run+0x14c/0x240
[ 99.068158][ T5072] ? task_work_cancel+0x30/0x30
[ 99.073397][ T5072] ptrace_notify+0x109/0x130
[ 99.078015][ T5072] syscall_exit_to_user_mode_prepare+0x11c/0x230
[ 99.084366][ T5072] syscall_exit_to_user_mode+0xd/0x60
[ 99.089751][ T5072] do_syscall_64+0x4b/0x110
[ 99.094540][ T5072] entry_SYSCALL_64_after_hwframe+0x62/0x6a
[ 99.100456][ T5072] RIP: 0033:0x7fe7856893c7
[ 99.104880][ T5072] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
[ 99.124518][ T5072] RSP: 002b:00007ffecb579f78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 99.133331][ T5072] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe7856893c7
[ 99.141316][ T5072] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffecb57a030
[ 99.149301][ T5072] RBP: 00007ffecb57a030 R08: 0000000000000000 R09: 0000000000000000
[ 99.157285][ T5072] R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffecb57b090
[ 99.165269][ T5072] R13: 000055555607b6c0 R14: 0000000000000001 R15: 431bde82d7b634db
[ 99.173282][ T5072]  </TASK>
[ 99.176618][ T5072] Kernel Offset: disabled
[ 99.180950][ T5072] Rebooting in 86400 seconds..