./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3750511408 <...> DUID 00:04:2f:bc:f2:2f:e4:1d:55:f7:99:3b:0f:15:66:5c:e9:07 forked to background, child pid 3184 [ 26.027214][ T3185] 8021q: adding VLAN 0 to HW filter on device bond0 [ 26.037707][ T3185] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.50' (ECDSA) to the list of known hosts. execve("./syz-executor3750511408", ["./syz-executor3750511408"], 0x7fff86d8bf70 /* 10 vars */) = 0 brk(NULL) = 0x555557334000 brk(0x555557334c40) = 0x555557334c40 arch_prctl(ARCH_SET_FS, 0x555557334300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3750511408", 4096) = 28 brk(0x555557355c40) = 0x555557355c40 brk(0x555557356000) = 0x555557356000 mprotect(0x7eff5a216000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555573345d0) = 3607 ./strace-static-x86_64: Process 3607 attached [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3606] <... clone resumed>, child_tidptr=0x5555573345d0) = 3608 [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3609 attached [pid 3607] <... clone resumed>, child_tidptr=0x5555573345d0) = 3609 [pid 3606] <... clone resumed>, child_tidptr=0x5555573345d0) = 3610 [pid 3609] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3608 attached [pid 3609] <... prctl resumed>) = 0 ./strace-static-x86_64: Process 3610 attached [pid 3609] setpgid(0, 0) = 0 [pid 3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3609] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3606] <... clone resumed>, child_tidptr=0x5555573345d0) = 3611 [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3609] <... openat resumed>) = 3 [pid 3609] write(3, "1000", 4 [pid 3608] <... clone resumed>, child_tidptr=0x5555573345d0) = 3612 [pid 3610] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3606] <... clone resumed>, child_tidptr=0x5555573345d0) = 3613 [pid 3609] <... write resumed>) = 4 [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3609] close(3./strace-static-x86_64: Process 3611 attached [pid 3610] <... clone resumed>, child_tidptr=0x5555573345d0) = 3614 [pid 3609] <... close resumed>) = 0 [pid 3609] mkdir("./file0", 000 [pid 3606] <... clone resumed>, child_tidptr=0x5555573345d0) = 3615 ./strace-static-x86_64: Process 3614 attached [pid 3614] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3609] <... mkdir resumed>) = 0 [pid 3609] pipe2([3, 4], 0) = 0 [pid 3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3615 attached ./strace-static-x86_64: Process 3613 attached ./strace-static-x86_64: Process 3612 attached [pid 3609] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) [pid 3609] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3612] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3614] setpgid(0, 0) = 0 [pid 3614] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "1000", 4) = 4 [pid 3614] close(3 [pid 3612] <... prctl resumed>) = 0 [pid 3612] setpgid(0, 0) = 0 [pid 3612] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3614] <... close resumed>) = 0 [pid 3612] <... openat resumed>) = 3 [pid 3614] mkdir("./file0", 000 [pid 3613] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] write(3, "1000", 4) = 4 [pid 3612] close(3 [pid 3611] <... clone resumed>, child_tidptr=0x5555573345d0) = 3616 [pid 3612] <... close resumed>) = 0 [pid 3612] mkdir("./file0", 000 [pid 3614] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3612] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3612] pipe2( [pid 3614] pipe2([3, 4], 0) = 0 [pid 3614] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) [pid 3614] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3613] <... clone resumed>, child_tidptr=0x5555573345d0) = 3617 [pid 3612] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3615] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) ./strace-static-x86_64: Process 3617 attached ./strace-static-x86_64: Process 3616 attached [pid 3612] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3617] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3616] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3617] <... prctl resumed>) = 0 [pid 3615] <... clone resumed>, child_tidptr=0x5555573345d0) = 3619 [pid 3617] setpgid(0, 0 [pid 3616] <... prctl resumed>) = 0 [pid 3617] <... setpgid resumed>) = 0 [pid 3616] setpgid(0, 0./strace-static-x86_64: Process 3619 attached [pid 3617] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3616] <... setpgid resumed>) = 0 [pid 3617] <... openat resumed>) = 3 [pid 3616] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3617] write(3, "1000", 4 [pid 3616] <... openat resumed>) = 3 [pid 3619] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3617] <... write resumed>) = 4 [pid 3616] write(3, "1000", 4 [pid 3619] <... prctl resumed>) = 0 [pid 3617] close(3 [pid 3616] <... write resumed>) = 4 [pid 3619] setpgid(0, 0 [pid 3617] <... close resumed>) = 0 [pid 3616] close(3 [pid 3619] <... setpgid resumed>) = 0 [pid 3617] mkdir("./file0", 000 [pid 3616] <... close resumed>) = 0 [pid 3619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3617] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3616] mkdir("./file0", 000 [pid 3619] <... openat resumed>) = 3 [pid 3617] pipe2( [pid 3616] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3619] write(3, "1000", 4 [pid 3617] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3616] pipe2( [pid 3619] <... write resumed>) = 4 [pid 3617] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL [pid 3616] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3619] close(3 [pid 3617] <... getsockopt resumed>) = -1 EBADF (Bad file descriptor) [pid 3616] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL [pid 3619] <... close resumed>) = 0 [pid 3617] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3616] <... getsockopt resumed>) = -1 EBADF (Bad file descriptor) [pid 3619] mkdir("./file0", 000 [pid 3616] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3619] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3619] pipe2([3, 4], 0) = 0 [pid 3619] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) [pid 3619] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3609] <... mount resumed>) = -1 EFAULT (Bad address) [pid 3609] exit_group(0) = ? [pid 3609] +++ exited with 0 +++ [pid 3607] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3609, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- [pid 3607] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555573345d0) = 3622 ./strace-static-x86_64: Process 3622 attached [pid 3622] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3622] setpgid(0, 0) = 0 [pid 3622] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3622] write(3, "1000", 4) = 4 [pid 3622] close(3) = 0 [pid 3622] mkdir("./file0", 000) = -1 EEXIST (File exists) [pid 3622] pipe2([3, 4], 0) = 0 [pid 3622] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) [pid 3622] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3614] <... mount resumed>) = -1 EFAULT (Bad address) [pid 3614] exit_group(0) = ? [pid 3614] +++ exited with 0 +++ [pid 3610] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3614, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- [pid 3610] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555573345d0) = 3623 ./strace-static-x86_64: Process 3623 attached [pid 3623] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3623] setpgid(0, 0) = 0 [pid 3623] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3623] write(3, "1000", 4) = 4 [pid 3623] close(3) = 0 [pid 3623] mkdir("./file0", 000) = -1 EEXIST (File exists) [pid 3623] pipe2([3, 4], 0) = 0 [pid 3623] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) [pid 3623] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004" [pid 3612] <... mount resumed>) = -1 EFAULT (Bad address) [pid 3612] exit_group(0) = ? [pid 3612] +++ exited with 0 +++ [pid 3608] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3612, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- [pid 3608] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555573345d0) = 3624 ./strace-static-x86_64: Process 3624 attached [pid 3624] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3624] setpgid(0, 0) = 0 syzkaller login: [ 43.839065][ T3617] ================================================================== [ 43.847180][ T3617] BUG: KASAN: use-after-free in __kernfs_remove+0xf2d/0x1180 [ 43.854677][ T3617] Read of size 2 at addr ffff888145172f18 by task syz-executor375/3617 [ 43.862927][ T3617] [ 43.865254][ T3617] CPU: 1 PID: 3617 Comm: syz-executor375 Not tainted 6.0.0-rc6-syzkaller-00009-g60891ec99e14 #0 [ 43.875663][ T3617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 43.885821][ T3617] Call Trace: [pid 3624] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3624] write(3, "1000", 4) = 4 [pid 3624] close(3) = 0 [pid 3624] mkdir("./file0", 000) = -1 EEXIST (File exists) [pid 3624] pipe2([3, 4], 0) = 0 [pid 3624] getsockopt(-1, SOL_SOCKET, SO_PEERCRED, NULL, NULL) = -1 EBADF (Bad file descriptor) [ 43.889121][ T3617] [ 43.892057][ T3617] dump_stack_lvl+0x1e3/0x2cb [ 43.896761][ T3617] ? io_alloc_page_table+0x110/0x110 [ 43.902033][ T3617] ? _printk+0xcf/0x10f [ 43.906184][ T3617] ? __wake_up_klogd+0xd6/0x100 [ 43.911044][ T3617] ? __wake_up_klogd+0xcd/0x100 [ 43.915890][ T3617] ? panic+0x76b/0x76b [ 43.919965][ T3617] ? _printk+0xcf/0x10f [ 43.924149][ T3617] print_address_description+0x65/0x4b0 [ 43.929712][ T3617] print_report+0x108/0x220 [ 43.934229][ T3617] ? kernfs_put+0x340/0x490 [ 43.938744][ T3617] ? kmem_cache_free+0x95/0x1d0 [ 43.943614][ T3617] ? __kernfs_remove+0xf2d/0x1180 [ 43.948657][ T3617] kasan_report+0xfb/0x130 [ 43.953085][ T3617] ? __kernfs_remove+0xf2d/0x1180 [ 43.958284][ T3617] __kernfs_remove+0xf2d/0x1180 [ 43.963155][ T3617] ? kernfs_iop_rename+0x7d0/0x7d0 [ 43.968285][ T3617] ? kernfs_find_ns+0x4d6/0x550 [ 43.973190][ T3617] kernfs_remove_by_name_ns+0x96/0xe0 [ 43.978577][ T3617] sysfs_slab_add+0x54/0x270 [ 43.983170][ T3617] __kmem_cache_create+0x34/0x170 [ 43.988210][ T3617] kmem_cache_create_usercopy+0x1a6/0x340 [ 43.993939][ T3617] p9_client_create+0xbbe/0x1030 [ 43.998892][ T3617] ? do_trace_9p_fid_put+0x20/0x20 [ 44.004031][ T3617] ? lockdep_softirqs_off+0x420/0x420 [ 44.009428][ T3617] ? __raw_spin_lock_init+0x41/0x100 [ 44.014726][ T3617] v9fs_session_init+0x1e3/0x1990 [ 44.019775][ T3617] ? v9fs_show_options+0x600/0x600 [ 44.024907][ T3617] ? kmem_cache_alloc_trace+0x97/0x310 [ 44.030379][ T3617] ? v9fs_mount+0xae/0xcb0 [ 44.034809][ T3617] v9fs_mount+0xd2/0xcb0 [ 44.039059][ T3617] ? xfs_fs_commit_blocks+0x8d0/0x8d0 [ 44.044520][ T3617] ? legacy_init_fs_context+0x4d/0xb0 [ 44.049890][ T3617] ? smack_sb_eat_lsm_opts+0x3cd/0x990 [ 44.055351][ T3617] ? cap_capable+0x1b5/0x250 [ 44.059979][ T3617] legacy_get_tree+0xea/0x180 [ 44.064673][ T3617] ? xfs_fs_commit_blocks+0x8d0/0x8d0 [ 44.070079][ T3617] vfs_get_tree+0x88/0x270 [ 44.074495][ T3617] do_new_mount+0x289/0xad0 [ 44.079027][ T3617] ? do_move_mount_old+0x160/0x160 [ 44.084149][ T3617] ? user_path_at_empty+0x149/0x1a0 [ 44.089351][ T3617] __se_sys_mount+0x2e3/0x3d0 [ 44.094029][ T3617] ? __x64_sys_mount+0xc0/0xc0 [ 44.098809][ T3617] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 44.104806][ T3617] ? __x64_sys_mount+0x1c/0xc0 [ 44.109592][ T3617] do_syscall_64+0x2b/0x70 [ 44.114023][ T3617] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.120084][ T3617] RIP: 0033:0x7eff5a1a9139 [ 44.124504][ T3617] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 44.144217][ T3617] RSP: 002b:00007ffc56fb24a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 44.152654][ T3617] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007eff5a1a9139 [ 44.160641][ T3617] RDX: 0000000020000140 RSI: 0000000020000200 RDI: 0000000000000000 [ 44.168653][ T3617] RBP: 0000000000000000 R08: 0000000020000580 R09: 0000000000000001 [ 44.176663][ T3617] R10: 0000000000000000 R11: 0000000000000246 R12: 00007eff5a16c680 [ 44.184645][ T3617] R13: 0000000000000000 R14: 00007ffc56fb24d0 R15: 00007ffc56fb24c0 [ 44.192634][ T3617] [ 44.195660][ T3617] [ 44.197970][ T3617] Allocated by task 3612: [ 44.202287][ T3617] __kasan_slab_alloc+0xb2/0xe0 [ 44.207150][ T3617] kmem_cache_alloc+0x1a6/0x310 [ 44.212005][ T3617] __kernfs_new_node+0xdb/0x730 [ 44.216851][ T3617] kernfs_create_dir_ns+0x90/0x220 [ 44.221975][ T3617] sysfs_create_dir_ns+0x181/0x390 [ 44.227097][ T3617] kobject_add_internal+0x6dd/0xd10 [ 44.232310][ T3617] kobject_init_and_add+0x123/0x190 [ 44.237534][ T3617] sysfs_slab_add+0x140/0x270 [ 44.242211][ T3617] __kmem_cache_create+0x34/0x170 [ 44.247252][ T3617] kmem_cache_create_usercopy+0x1a6/0x340 [ 44.253085][ T3617] p9_client_create+0xbbe/0x1030 [ 44.258036][ T3617] v9fs_session_init+0x1e3/0x1990 [ 44.263071][ T3617] v9fs_mount+0xd2/0xcb0 [ 44.267384][ T3617] legacy_get_tree+0xea/0x180 [ 44.272069][ T3617] vfs_get_tree+0x88/0x270 [ 44.276505][ T3617] do_new_mount+0x289/0xad0 [ 44.280999][ T3617] __se_sys_mount+0x2e3/0x3d0 [ 44.285687][ T3617] do_syscall_64+0x2b/0x70 [ 44.290103][ T3617] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.295985][ T3617] [ 44.298310][ T3617] Freed by task 3617: [ 44.302288][ T3617] kasan_set_track+0x4c/0x70 [ 44.306879][ T3617] kasan_set_free_info+0x1f/0x40 [ 44.311810][ T3617] ____kasan_slab_free+0xd8/0x120 [ 44.316845][ T3617] slab_free_freelist_hook+0x12e/0x1a0 [ 44.322319][ T3617] kmem_cache_free+0x95/0x1d0 [ 44.327012][ T3617] kernfs_put+0x340/0x490 [ 44.331348][ T3617] __kernfs_remove+0xec0/0x1180 [ 44.336192][ T3617] kernfs_remove_by_name_ns+0x96/0xe0 [ 44.341582][ T3617] sysfs_slab_add+0x54/0x270 [ 44.346199][ T3617] __kmem_cache_create+0x34/0x170 [ 44.351412][ T3617] kmem_cache_create_usercopy+0x1a6/0x340 [ 44.357679][ T3617] p9_client_create+0xbbe/0x1030 [ 44.362633][ T3617] v9fs_session_init+0x1e3/0x1990 [ 44.367671][ T3617] v9fs_mount+0xd2/0xcb0 [ 44.371930][ T3617] legacy_get_tree+0xea/0x180 [ 44.376622][ T3617] vfs_get_tree+0x88/0x270 [ 44.381048][ T3617] do_new_mount+0x289/0xad0 [ 44.385559][ T3617] __se_sys_mount+0x2e3/0x3d0 [ 44.390225][ T3617] do_syscall_64+0x2b/0x70 [ 44.394648][ T3617] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.400560][ T3617] [ 44.402882][ T3617] The buggy address belongs to the object at ffff888145172e80 [ 44.402882][ T3617] which belongs to the cache kernfs_node_cache of size 168 [ 44.417457][ T3617] The buggy address is located 152 bytes inside of [ 44.417457][ T3617] 168-byte region [ffff888145172e80, ffff888145172f28) [ 44.430984][ T3617] [ 44.433308][ T3617] The buggy address belongs to the physical page: [ 44.439744][ T3617] page:ffffea0005145c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145172 [ 44.450014][ T3617] flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff) [ 44.457642][ T3617] raw: 057ff00000000200 ffffea0005145cc0 dead000000000004 ffff888140007c80 [ 44.466225][ T3617] raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000 [ 44.474817][ T3617] page dumped because: kasan: bad access detected [ 44.481236][ T3617] page_owner tracks the page as allocated [ 44.486971][ T3617] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 2119646026, free_ts 0 [ 44.503554][ T3617] get_page_from_freelist+0x72b/0x7a0 [ 44.508964][ T3617] __alloc_pages+0x259/0x560 [ 44.513575][ T3617] alloc_page_interleave+0x22/0x1c0 [ 44.518803][ T3617] alloc_slab_page+0x70/0xf0 [ 44.523402][ T3617] allocate_slab+0x5e/0x520 [ 44.527933][ T3617] ___slab_alloc+0x42e/0xce0 [ 44.532518][ T3617] kmem_cache_alloc+0x25d/0x310 [ 44.537638][ T3617] __kernfs_new_node+0xdb/0x730 [ 44.542590][ T3617] kernfs_new_node+0x95/0x160 [ 44.547275][ T3617] __kernfs_create_file+0x45/0x2e0 [ 44.552396][ T3617] sysfs_add_file_mode_ns+0x21d/0x330 [ 44.557779][ T3617] internal_create_group+0x55c/0xf50 [ 44.563093][ T3617] kernel_add_sysfs_param+0xe8/0x126 [ 44.568398][ T3617] param_sysfs_builtin+0x16a/0x1e2 [ 44.573870][ T3617] param_sysfs_init+0x68/0x6c [ 44.578557][ T3617] do_one_initcall+0xbd/0x2b0 [ 44.583248][ T3617] page_owner free stack trace missing [ 44.588615][ T3617] [ 44.590943][ T3617] Memory state around the buggy address: [ 44.596610][ T3617] ffff888145172e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 44.604681][ T3617] ffff888145172e80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.612751][ T3617] >ffff888145172f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 44.620815][ T3617] ^ [ 44.625670][ T3617] ffff888145172f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.633753][ T3617] ffff888145173000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.641820][ T3617] ================================================================== [ 44.656752][ T3617] Kernel panic - not syncing: panic_on_warn set ... [ 44.663375][ T3617] CPU: 1 PID: 3617 Comm: syz-executor375 Not tainted 6.0.0-rc6-syzkaller-00009-g60891ec99e14 #0 [ 44.673806][ T3617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 44.683876][ T3617] Call Trace: [ 44.687157][ T3617] [ 44.690085][ T3617] dump_stack_lvl+0x1e3/0x2cb [ 44.694780][ T3617] ? io_alloc_page_table+0x110/0x110 [ 44.700092][ T3617] ? panic+0x76b/0x76b [ 44.704175][ T3617] ? preempt_schedule_common+0xb7/0xe0 [ 44.709663][ T3617] ? preempt_schedule+0xd9/0xe0 [ 44.714705][ T3617] ? vscnprintf+0x59/0x80 [ 44.719036][ T3617] panic+0x316/0x76b [ 44.723036][ T3617] ? fb_is_primary_device+0xcc/0xcc [ 44.728249][ T3617] ? _raw_spin_unlock_irqrestore+0x128/0x130 [ 44.734336][ T3617] ? __kernfs_remove+0xf2d/0x1180 [ 44.739375][ T3617] end_report+0x91/0xa0 [ 44.743538][ T3617] kasan_report+0x108/0x130 [ 44.748039][ T3617] ? __kernfs_remove+0xf2d/0x1180 [ 44.753518][ T3617] __kernfs_remove+0xf2d/0x1180 [ 44.758389][ T3617] ? kernfs_iop_rename+0x7d0/0x7d0 [ 44.763528][ T3617] ? kernfs_find_ns+0x4d6/0x550 [ 44.768400][ T3617] kernfs_remove_by_name_ns+0x96/0xe0 [ 44.773790][ T3617] sysfs_slab_add+0x54/0x270 [ 44.778394][ T3617] __kmem_cache_create+0x34/0x170 [ 44.783435][ T3617] kmem_cache_create_usercopy+0x1a6/0x340 [ 44.789167][ T3617] p9_client_create+0xbbe/0x1030 [ 44.794121][ T3617] ? do_trace_9p_fid_put+0x20/0x20 [ 44.799241][ T3617] ? lockdep_softirqs_off+0x420/0x420 [ 44.804623][ T3617] ? __raw_spin_lock_init+0x41/0x100 [ 44.809906][ T3617] v9fs_session_init+0x1e3/0x1990 [ 44.814966][ T3617] ? v9fs_show_options+0x600/0x600 [ 44.820101][ T3617] ? kmem_cache_alloc_trace+0x97/0x310 [ 44.825574][ T3617] ? v9fs_mount+0xae/0xcb0 [ 44.830011][ T3617] v9fs_mount+0xd2/0xcb0 [ 44.834276][ T3617] ? xfs_fs_commit_blocks+0x8d0/0x8d0 [ 44.839679][ T3617] ? legacy_init_fs_context+0x4d/0xb0 [ 44.845081][ T3617] ? smack_sb_eat_lsm_opts+0x3cd/0x990 [ 44.850569][ T3617] ? cap_capable+0x1b5/0x250 [ 44.855173][ T3617] legacy_get_tree+0xea/0x180 [ 44.859867][ T3617] ? xfs_fs_commit_blocks+0x8d0/0x8d0 [ 44.865257][ T3617] vfs_get_tree+0x88/0x270 [ 44.869690][ T3617] do_new_mount+0x289/0xad0 [ 44.874210][ T3617] ? do_move_mount_old+0x160/0x160 [ 44.879337][ T3617] ? user_path_at_empty+0x149/0x1a0 [ 44.884548][ T3617] __se_sys_mount+0x2e3/0x3d0 [ 44.889243][ T3617] ? __x64_sys_mount+0xc0/0xc0 [ 44.894020][ T3617] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 44.900014][ T3617] ? __x64_sys_mount+0x1c/0xc0 [ 44.904791][ T3617] do_syscall_64+0x2b/0x70 [ 44.909218][ T3617] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.915134][ T3617] RIP: 0033:0x7eff5a1a9139 [ 44.919564][ T3617] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 44.939191][ T3617] RSP: 002b:00007ffc56fb24a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 44.947629][ T3617] RAX: ffffffffffffffda RBX: 00000000000f4240 RCX: 00007eff5a1a9139 [ 44.955615][ T3617] RDX: 0000000020000140 RSI: 0000000020000200 RDI: 0000000000000000 [ 44.963607][ T3617] RBP: 0000000000000000 R08: 0000000020000580 R09: 0000000000000001 [ 44.971599][ T3617] R10: 0000000000000000 R11: 0000000000000246 R12: 00007eff5a16c680 [ 44.979590][ T3617] R13: 0000000000000000 R14: 00007ffc56fb24d0 R15: 00007ffc56fb24c0 [ 44.987585][ T3617] [ 44.990783][ T3617] Kernel Offset: disabled [ 44.995102][ T3617] Rebooting in 86400 seconds..