./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3642588550 <...> DUID 00:04:ab:86:5b:51:31:5e:ac:a3:74:55:84:ab:cd:90:ff:3d forked to background, child pid 4870 [ 34.347116][ T4871] 8021q: adding VLAN 0 to HW filter on device bond0 [ 34.357704][ T4871] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts. execve("./syz-executor3642588550", ["./syz-executor3642588550"], 0x7ffea1fb0dd0 /* 10 vars */) = 0 brk(NULL) = 0x555555a2f000 brk(0x555555a2fc40) = 0x555555a2fc40 arch_prctl(ARCH_SET_FS, 0x555555a2f300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3642588550", 4096) = 28 brk(0x555555a50c40) = 0x555555a50c40 brk(0x555555a51000) = 0x555555a51000 mprotect(0x7f35fa56b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5297 attached , child_tidptr=0x555555a2f5d0) = 5297 [pid 5297] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5297] setsid() = 1 [pid 5297] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5297] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5297] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5297] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5297] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5297] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5297] unshare(CLONE_NEWNS) = 0 [pid 5297] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5297] unshare(CLONE_NEWIPC) = 0 [pid 5297] unshare(CLONE_NEWCGROUP) = 0 [pid 5297] unshare(CLONE_NEWUTS) = 0 [pid 5297] unshare(CLONE_SYSVSEM) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "16777216", 8) = 8 [pid 5297] close(3) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "536870912", 9) = 9 [pid 5297] close(3) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "1024", 4) = 4 [pid 5297] close(3) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "8192", 4) = 4 [pid 5297] close(3) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "1024", 4) = 4 [pid 5297] close(3) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "1024", 4) = 4 [pid 5297] close(3) = 0 [pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5297] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5297] close(3) = 0 [pid 5297] getpid() = 1 [pid 5297] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [ 54.808356][ T56] dump_stack_lvl+0xd1/0x138 [ 54.812955][ T56] print_report+0x15e/0x45d [ 54.817444][ T56] ? __phys_addr+0xc8/0x140 [ 54.822114][ T56] ? move_expired_inodes+0x765/0x7e0 [ 54.827411][ T56] kasan_report+0xbf/0x1f0 [ 54.831826][ T56] ? move_expired_inodes+0x765/0x7e0 [ 54.837102][ T56] move_expired_inodes+0x765/0x7e0 [ 54.842202][ T56] ? trace_event_raw_event_track_foreign_dirty+0x620/0x620 [ 54.849405][ T56] ? do_raw_spin_lock+0x124/0x2b0 [ 54.854423][ T56] queue_io+0x205/0x600 [ 54.858568][ T56] wb_writeback+0xa0b/0xd70 [ 54.863145][ T56] ? __writeback_inodes_wb+0x280/0x280 [ 54.868604][ T56] wb_workfn+0x2e0/0x12f0 [ 54.872927][ T56] ? inode_wait_for_writeback+0x40/0x40 [ 54.878466][ T56] ? lock_release+0x810/0x810 [ 54.883137][ T56] ? lock_downgrade+0x6e0/0x6e0 [ 54.887987][ T56] process_one_work+0x9bf/0x1710 [ 54.892915][ T56] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 54.898295][ T56] ? rwlock_bug.part.0+0x90/0x90 [ 54.903231][ T56] ? _raw_spin_lock_irq+0x45/0x50 [ 54.908259][ T56] worker_thread+0x669/0x1090 [ 54.912935][ T56] ? __kthread_parkme+0x163/0x220 [ 54.917954][ T56] ? process_one_work+0x1710/0x1710 [ 54.923146][ T56] kthread+0x2e8/0x3a0 [ 54.927203][ T56] ? kthread_complete_and_exit+0x40/0x40 [ 54.932930][ T56] ret_from_fork+0x1f/0x30 [ 54.937347][ T56] [ 54.940352][ T56] [ 54.942661][ T56] Allocated by task 5297: [ 54.946968][ T56] kasan_save_stack+0x22/0x40 [ 54.951660][ T56] kasan_set_track+0x25/0x30 [ 54.956250][ T56] __kasan_slab_alloc+0x82/0x90 [ 54.961096][ T56] kmem_cache_alloc_lru+0x26c/0x760 [ 54.966287][ T56] fat_alloc_inode+0x27/0x1f0 [ 54.970954][ T56] alloc_inode+0x61/0x230 [ 54.975269][ T56] new_inode+0x2b/0x280 [ 54.979418][ T56] fat_build_inode+0x14a/0x2e0 [ 54.984174][ T56] vfat_create+0x1cb/0x270 [ 54.988579][ T56] lookup_open.isra.0+0xee7/0x1270 [ 54.993678][ T56] path_openat+0x975/0x2a50 [ 54.998167][ T56] do_filp_open+0x1ba/0x410 [ 55.002657][ T56] do_sys_openat2+0x16d/0x4c0 [ 55.007327][ T56] __x64_sys_openat+0x143/0x1f0 [ 55.012165][ T56] do_syscall_64+0x39/0xb0 [ 55.016701][ T56] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 55.022605][ T56] [ 55.024926][ T56] Freed by task 0: [ 55.028637][ T56] kasan_save_stack+0x22/0x40 [ 55.033315][ T56] kasan_set_track+0x25/0x30 [ 55.037896][ T56] kasan_save_free_info+0x2e/0x40 [ 55.042904][ T56] ____kasan_slab_free+0x160/0x1c0 [ 55.048004][ T56] slab_free_freelist_hook+0x8b/0x1c0 [ 55.053370][ T56] kmem_cache_free+0xee/0x5c0 [ 55.058050][ T56] i_callback+0x43/0x70 [ 55.062190][ T56] rcu_core+0x81f/0x1980 [ 55.066419][ T56] __do_softirq+0x1fb/0xadc [ 55.070912][ T56] [ 55.073219][ T56] Last potentially related work creation: [ 55.078982][ T56] kasan_save_stack+0x22/0x40 [ 55.083650][ T56] __kasan_record_aux_stack+0xbc/0xd0 [ 55.089022][ T56] __call_rcu_common.constprop.0+0x99/0x820 [ 55.094907][ T56] destroy_inode+0x129/0x1b0 [ 55.099482][ T56] iput.part.0+0x59b/0x880 [ 55.103888][ T56] iput+0x5c/0x80 [ 55.107510][ T56] dentry_unlink_inode+0x2b1/0x460 [ 55.112621][ T56] __dentry_kill+0x3c0/0x640 [ 55.117202][ T56] dput+0x651/0xdb0 [ 55.121027][ T56] __fput+0x3cc/0xa90 [ 55.124998][ T56] task_work_run+0x16f/0x270 [ 55.129581][ T56] ptrace_notify+0x118/0x140 [ 55.134164][ T56] syscall_exit_to_user_mode_prepare+0x129/0x280 [ 55.140477][ T56] syscall_exit_to_user_mode+0xd/0x50 [ 55.145836][ T56] do_syscall_64+0x46/0xb0 [ 55.150251][ T56] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 55.156217][ T56] [ 55.158524][ T56] The buggy address belongs to the object at ffff8880735912f0 [ 55.158524][ T56] which belongs to the cache fat_inode_cache of size 1488 [ 55.172994][ T56] The buggy address is located 696 bytes inside of [ 55.172994][ T56] 1488-byte region [ffff8880735912f0, ffff8880735918c0) [ 55.186338][ T56] [ 55.188645][ T56] The buggy address belongs to the physical page: [ 55.195041][ T56] page:ffffea0001cd6400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73590 [ 55.205189][ T56] head:ffffea0001cd6400 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 [ 55.215242][ T56] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 55.223215][ T56] raw: 00fff00000010200 ffff888019022a00 dead000000000122 0000000000000000 [ 55.231784][ T56] raw: 0000000000000000 0000000080140014 00000001ffffffff 0000000000000000 [ 55.240357][ T56] page dumped because: kasan: bad access detected [ 55.246756][ T56] page_owner tracks the page as allocated [ 55.252456][ T56] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5297, tgid 5297 (syz-executor364), ts 54461406303, free_ts 14487442433 [ 55.275555][ T56] get_page_from_freelist+0x10b5/0x2d50 [ 55.281094][ T56] __alloc_pages+0x1cb/0x5b0 [ 55.285673][ T56] alloc_pages+0x1aa/0x270 [ 55.290093][ T56] allocate_slab+0x25e/0x350 [ 55.294675][ T56] ___slab_alloc+0xa91/0x1400 [ 55.299344][ T56] __slab_alloc.constprop.0+0x56/0xa0 [ 55.304714][ T56] kmem_cache_alloc_lru+0x4db/0x760 [ 55.309908][ T56] fat_alloc_inode+0x27/0x1f0 [ 55.314575][ T56] alloc_inode+0x61/0x230 [ 55.318894][ T56] new_inode+0x2b/0x280 [ 55.323035][ T56] fat_fill_super+0x1b64/0x3680 [ 55.327872][ T56] mount_bdev+0x351/0x410 [ 55.332188][ T56] legacy_get_tree+0x109/0x220 [ 55.336951][ T56] vfs_get_tree+0x8d/0x2f0 [ 55.341351][ T56] path_mount+0x132a/0x1e20 [ 55.345839][ T56] __x64_sys_mount+0x283/0x300 [ 55.350850][ T56] page last free stack trace: [ 55.355590][ T56] free_pcp_prepare+0x65c/0xc00 [ 55.360434][ T56] free_unref_page+0x1d/0x4d0 [ 55.365124][ T56] free_contig_range+0xb5/0x180 [ 55.369957][ T56] destroy_args+0xa8/0x64c [ 55.374366][ T56] debug_vm_pgtable+0x28de/0x296f [ 55.379380][ T56] do_one_initcall+0x141/0x790 [ 55.384132][ T56] kernel_init_freeable+0x6f9/0x782 [ 55.389318][ T56] kernel_init+0x1e/0x1d0 [ 55.393647][ T56] ret_from_fork+0x1f/0x30 [ 55.398051][ T56] [ 55.400362][ T56] Memory state around the buggy address: [ 55.405973][ T56] ffff888073591480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.414027][ T56] ffff888073591500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.422073][ T56] >ffff888073591580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.430121][ T56] ^ [ 55.435471][ T56] ffff888073591600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.443606][ T56] ffff888073591680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 55.451741][ T56] ================================================================== [ 55.459889][ T56] Kernel panic - not syncing: panic_on_warn set ... [ 55.466484][ T56] CPU: 0 PID: 56 Comm: kworker/u4:4 Not tainted 6.1.0-rc5-next-20221116-syzkaller #0 [ 55.477055][ T56] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 55.488479][ T56] Workqueue: writeback wb_workfn (flush-7:0) [ 55.494489][ T56] Call Trace: [ 55.497769][ T56] [ 55.500705][ T56] dump_stack_lvl+0xd1/0x138 [ 55.505338][ T56] panic+0x2cc/0x626 [ 55.509263][ T56] ? panic_print_sys_info.part.0+0x110/0x110 [ 55.515293][ T56] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 55.521478][ T56] end_report.part.0+0x3f/0x7c [ 55.526253][ T56] ? move_expired_inodes+0x765/0x7e0 [ 55.531559][ T56] kasan_report.cold+0xa/0xf [ 55.536162][ T56] ? move_expired_inodes+0x765/0x7e0 [ 55.541460][ T56] move_expired_inodes+0x765/0x7e0 [ 55.546589][ T56] ? trace_event_raw_event_track_foreign_dirty+0x620/0x620 [ 55.553798][ T56] ? do_raw_spin_lock+0x124/0x2b0 [ 55.558831][ T56] queue_io+0x205/0x600 [ 55.563014][ T56] wb_writeback+0xa0b/0xd70 [ 55.567532][ T56] ? __writeback_inodes_wb+0x280/0x280 [ 55.573033][ T56] wb_workfn+0x2e0/0x12f0 [ 55.577440][ T56] ? inode_wait_for_writeback+0x40/0x40 [ 55.583013][ T56] ? lock_release+0x810/0x810 [ 55.587715][ T56] ? lock_downgrade+0x6e0/0x6e0 [ 55.592602][ T56] process_one_work+0x9bf/0x1710 [ 55.597557][ T56] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 55.602945][ T56] ? rwlock_bug.part.0+0x90/0x90 [ 55.607982][ T56] ? _raw_spin_lock_irq+0x45/0x50 [ 55.613026][ T56] worker_thread+0x669/0x1090 [ 55.617719][ T56] ? __kthread_parkme+0x163/0x220 [ 55.622762][ T56] ? process_one_work+0x1710/0x1710 [ 55.627975][ T56] kthread+0x2e8/0x3a0 [ 55.632048][ T56] ? kthread_complete_and_exit+0x40/0x40 [ 55.637689][ T56] ret_from_fork+0x1f/0x30 [ 55.642128][ T56] [ 55.645347][ T56] Kernel Offset: disabled [ 55.649667][ T56] Rebooting in 86400 seconds..