./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2377892143

<...>
DUID 00:04:a1:84:1b:e0:48:24:35:f8:15:f9:55:b5:79:ea:e6:3e
forked to background, child pid 3177
[   25.147014][ T3178] 8021q: adding VLAN 0 to HW filter on device bond0
[   25.157271][ T3178] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.71' (ECDSA) to the list of known hosts.
execve("./syz-executor2377892143", ["./syz-executor2377892143"], 0x7ffef77c1de0 /* 10 vars */) = 0
brk(NULL)                               = 0x555556859000
brk(0x555556859c40)                     = 0x555556859c40
arch_prctl(ARCH_SET_FS, 0x555556859300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2377892143", 4096) = 28
brk(0x55555687ac40)                     = 0x55555687ac40
brk(0x55555687b000)                     = 0x55555687b000
mprotect(0x7f2d8b0b3000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3599 attached
, child_tidptr=0x5555568595d0) = 3599
[pid  3599] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3599] setpgid(0, 0)               = 0
[pid  3599] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  3599] write(3, "1000", 4)         = 4
[pid  3599] close(3)                    = 0
[pid  3599] creat("./bus", 000)         = 3
[pid  3599] io_setup(514, [0x7f2d8aff6000]) = 0
[pid  3599] ioctl(3, FS_IOC_SETFLAGS, [0]) = 0
[pid  3599] io_submit(0x7f2d8aff6000, 6227, [{aio_data=0x25, aio_key=933, aio_rw_flags=RWF_DSYNC, aio_lio_opcode=IOCB_CMD_PWRITE, aio_fildes=3, aio_buf="\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., aio_nbytes=90112, aio_offset=0, aio_resfd=0xffffffff}, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ...]) = 1
[pid  3599] open("./bus", O_RDWR|O_CREAT|O_NONBLOCK|O_DIRECT|O_NOFOLLOW|O_NOATIME, 000) = 4
syzkaller login: [   41.590825][   T27] audit: type=1800 audit(1652116801.475:2): pid=3599 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="syz-executor237" name="bus" dev="sda1" ino=1138 res=0 errno=0
[pid  3599] pwritev2(4, [{iov_base="\x85\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=3177984}], 1, 5120, RWF_HIPRI|RWF_DSYNC) = 3177984
[pid  3599] exit_group(0)               = ?
[pid  3599] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3599, si_uid=0, si_status=0, si_utime=0, si_stime=8} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3600 attached
, child_tidptr=0x5555568595d0) = 3600
[pid  3600] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3600] setpgid(0, 0)               = 0
[pid  3600] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  3600] write(3, "1000", 4)         = 4
[pid  3600] close(3)                    = 0
[pid  3600] creat("./bus", 000)         = 3
[pid  3600] io_setup(514, [0x7f2d8aff6000]) = 0
[pid  3600] ioctl(3, FS_IOC_SETFLAGS, [0]) = 0
[pid  3600] io_submit(0x7f2d8aff6000, 6227, [{aio_data=0x25, aio_key=933, aio_rw_flags=RWF_DSYNC, aio_lio_opcode=IOCB_CMD_PWRITE, aio_fildes=3, aio_buf="\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., aio_nbytes=90112, aio_offset=0, aio_resfd=0xffffffff}, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ...]) = 1
[pid  3600] open("./bus", O_RDWR|O_CREAT|O_NONBLOCK|O_DIRECT|O_NOFOLLOW|O_NOATIME, 000) = 4
[   41.785683][   T27] audit: type=1800 audit(1652116801.665:3): pid=3600 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="syz-executor237" name="bus" dev="sda1" ino=1138 res=0 errno=0
[   41.864975][ T3600] ==================================================================
[   41.873042][ T3600] BUG: KASAN: use-after-free in bio_poll+0x41/0x290
[   41.879649][ T3600] Read of size 8 at addr ffff88807f015508 by task syz-executor237/3600
[   41.887870][ T3600] 
[   41.890177][ T3600] CPU: 0 PID: 3600 Comm: syz-executor237 Not tainted 5.18.0-rc6-syzkaller #0
[   41.899261][ T3600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.909296][ T3600] Call Trace:
[   41.912649][ T3600]  <TASK>
[   41.915565][ T3600]  dump_stack_lvl+0x1e3/0x2cb
[   41.920233][ T3600]  ? bfq_pos_tree_add_move+0x436/0x436
[   41.925676][ T3600]  ? wake_up_klogd+0xb2/0xf0
[   41.930248][ T3600]  ? panic+0x76e/0x76e
[   41.934299][ T3600]  ? _printk+0xcf/0x10f
[   41.938440][ T3600]  print_address_description+0x65/0x4b0
[   41.943969][ T3600]  print_report+0xf4/0x210
[   41.948368][ T3600]  ? __blk_flush_plug+0x515/0x570
[   41.953377][ T3600]  ? bio_poll+0x41/0x290
[   41.957598][ T3600]  kasan_report+0xfb/0x130
[   41.961996][ T3600]  ? bio_poll+0x41/0x290
[   41.966219][ T3600]  bio_poll+0x41/0x290
[   41.970270][ T3600]  __iomap_dio_rw+0x1a95/0x1ea0
[   41.975114][ T3600]  ? iomap_dio_complete+0x630/0x630
[   41.980299][ T3600]  ? jbd2_journal_stop+0x898/0xba0
[   41.985400][ T3600]  ? jbd2_journal_start_reserved+0x2f0/0x2f0
[   41.991361][ T3600]  ? trace_ext4_fc_stats+0x260/0x260
[   41.996624][ T3600]  ? jbd2__journal_start+0x3a5/0x5b0
[   42.001892][ T3600]  iomap_dio_rw+0x38/0x80
[   42.006203][ T3600]  ext4_file_write_iter+0x14fc/0x1960
[   42.011560][ T3600]  ? ext4_file_write_iter+0xc51/0x1960
[   42.017005][ T3600]  ? ext4_file_read_iter+0x730/0x730
[   42.022278][ T3600]  do_iter_readv_writev+0x499/0x650
[   42.027464][ T3600]  ? generic_file_rw_checks+0x250/0x250
[   42.032994][ T3600]  ? bpf_lsm_file_permission+0x5/0x10
[   42.038348][ T3600]  ? security_file_permission+0xe0/0x5c0
[   42.043960][ T3600]  ? do_iter_write+0x147/0x7a0
[   42.048721][ T3600]  do_iter_write+0x1f1/0x7a0
[   42.053297][ T3600]  do_pwritev+0x219/0x360
[   42.057612][ T3600]  ? print_irqtrace_events+0x220/0x220
[   42.063050][ T3600]  ? do_preadv+0x350/0x350
[   42.067450][ T3600]  ? do_notify_parent+0xe60/0xe60
[   42.072454][ T3600]  ? lockdep_hardirqs_on_prepare+0x448/0x7b0
[   42.078414][ T3600]  ? vtime_user_exit+0x2b2/0x3e0
[   42.083333][ T3600]  ? syscall_enter_from_user_mode+0x2e/0x1a0
[   42.089294][ T3600]  ? __x64_sys_pwritev2+0xb9/0x100
[   42.094391][ T3600]  do_syscall_64+0x2b/0x70
[   42.098798][ T3600]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   42.104703][ T3600] RIP: 0033:0x7f2d8b046e69
[   42.109115][ T3600] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   42.128722][ T3600] RSP: 002b:00007ffe6399e988 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
[   42.137134][ T3600] RAX: ffffffffffffffda RBX: 000000000000a252 RCX: 00007f2d8b046e69
[   42.145095][ T3600] RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000004
[   42.153061][ T3600] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000003
[   42.161022][ T3600] R10: 0000000000001400 R11: 0000000000000246 R12: 00007ffe6399e9ac
[   42.168981][ T3600] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   42.176947][ T3600]  </TASK>
[   42.179947][ T3600] 
[   42.182252][ T3600] The buggy address belongs to the physical page:
[   42.188638][ T3600] page:ffffea0001fc0540 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f015
[   42.198767][ T3600] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   42.205859][ T3600] raw: 00fff00000000000 ffffea0001eccac8 ffff8880b9b40038 0000000000000000
[   42.214420][ T3600] raw: 0000000000000000 00000000000c0000 00000000ffffffff 0000000000000000
[   42.222975][ T3600] page dumped because: kasan: bad access detected
[   42.229364][ T3600] page_owner tracks the page as freed
[   42.234708][ T3600] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x92800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC), pid 2931, tgid 2931 (jbd2/sda1-8), ts 18049756371, free_ts 41846633810
[   42.254397][ T3600]  get_page_from_freelist+0x72e/0x7a0
[   42.259755][ T3600]  __alloc_pages+0x26c/0x5f0
[   42.264330][ T3600]  alloc_slab_page+0x70/0xf0
[   42.268900][ T3600]  allocate_slab+0x5e/0x560
[   42.273384][ T3600]  ___slab_alloc+0x41e/0xcd0
[   42.277954][ T3600]  kmem_cache_alloc+0x246/0x2f0
[   42.282782][ T3600]  mempool_alloc+0x17d/0x5c0
[   42.287357][ T3600]  bio_alloc_bioset+0x144/0xce0
[   42.292189][ T3600]  submit_bh_wbc+0x262/0x4e0
[   42.296760][ T3600]  submit_bh+0x1e/0x30
[   42.300806][ T3600]  jbd2_journal_commit_transaction+0x297d/0x5a80
[   42.307116][ T3600]  kjournald2+0x4c4/0x950
[   42.311428][ T3600]  kthread+0x266/0x300
[   42.315479][ T3600]  ret_from_fork+0x1f/0x30
[   42.319880][ T3600] page last free stack trace:
[   42.324533][ T3600]  free_pcp_prepare+0x812/0x900
[   42.329363][ T3600]  free_unref_page+0x7d/0x390
[   42.334021][ T3600]  rcu_core+0xa0c/0x16d0
[   42.338246][ T3600]  __do_softirq+0x382/0x793
[   42.342739][ T3600] 
[   42.345045][ T3600] Memory state around the buggy address:
[   42.350653][ T3600]  ffff88807f015400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.358704][ T3600]  ffff88807f015480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.366752][ T3600] >ffff88807f015500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.374794][ T3600]                       ^
[   42.379103][ T3600]  ffff88807f015580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.387143][ T3600]  ffff88807f015600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.395183][ T3600] ==================================================================
[   42.403423][ T3600] Kernel panic - not syncing: panic_on_warn set ...
[   42.410027][ T3600] CPU: 1 PID: 3600 Comm: syz-executor237 Not tainted 5.18.0-rc6-syzkaller #0
[   42.418774][ T3600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.428808][ T3600] Call Trace:
[   42.432073][ T3600]  <TASK>
[   42.434989][ T3600]  dump_stack_lvl+0x1e3/0x2cb
[   42.439656][ T3600]  ? bfq_pos_tree_add_move+0x436/0x436
[   42.445100][ T3600]  ? panic+0x76e/0x76e
[   42.449151][ T3600]  ? preempt_schedule_common+0xb7/0xe0
[   42.454591][ T3600]  ? preempt_schedule+0xd9/0xe0
[   42.459424][ T3600]  ? vscnprintf+0x59/0x80
[   42.463745][ T3600]  panic+0x312/0x76e
[   42.467626][ T3600]  ? fb_is_primary_device+0xcc/0xcc
[   42.472804][ T3600]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   42.478767][ T3600]  ? print_report+0x1d0/0x210
[   42.483439][ T3600]  ? __blk_flush_plug+0x515/0x570
[   42.488458][ T3600]  ? bio_poll+0x41/0x290
[   42.492682][ T3600]  end_report+0x91/0xa0
[   42.496816][ T3600]  kasan_report+0x108/0x130
[   42.501300][ T3600]  ? bio_poll+0x41/0x290
[   42.505529][ T3600]  bio_poll+0x41/0x290
[   42.509586][ T3600]  __iomap_dio_rw+0x1a95/0x1ea0
[   42.514427][ T3600]  ? iomap_dio_complete+0x630/0x630
[   42.519609][ T3600]  ? jbd2_journal_stop+0x898/0xba0
[   42.524704][ T3600]  ? jbd2_journal_start_reserved+0x2f0/0x2f0
[   42.530663][ T3600]  ? trace_ext4_fc_stats+0x260/0x260
[   42.535926][ T3600]  ? jbd2__journal_start+0x3a5/0x5b0
[   42.541197][ T3600]  iomap_dio_rw+0x38/0x80
[   42.545512][ T3600]  ext4_file_write_iter+0x14fc/0x1960
[   42.550865][ T3600]  ? ext4_file_write_iter+0xc51/0x1960
[   42.556311][ T3600]  ? ext4_file_read_iter+0x730/0x730
[   42.561583][ T3600]  do_iter_readv_writev+0x499/0x650
[   42.566799][ T3600]  ? generic_file_rw_checks+0x250/0x250
[   42.572327][ T3600]  ? bpf_lsm_file_permission+0x5/0x10
[   42.577680][ T3600]  ? security_file_permission+0xe0/0x5c0
[   42.583293][ T3600]  ? do_iter_write+0x147/0x7a0
[   42.588036][ T3600]  do_iter_write+0x1f1/0x7a0
[   42.592609][ T3600]  do_pwritev+0x219/0x360
[   42.596922][ T3600]  ? print_irqtrace_events+0x220/0x220
[   42.602363][ T3600]  ? do_preadv+0x350/0x350
[   42.606762][ T3600]  ? do_notify_parent+0xe60/0xe60
[   42.611791][ T3600]  ? lockdep_hardirqs_on_prepare+0x448/0x7b0
[   42.617786][ T3600]  ? vtime_user_exit+0x2b2/0x3e0
[   42.622722][ T3600]  ? syscall_enter_from_user_mode+0x2e/0x1a0
[   42.628703][ T3600]  ? __x64_sys_pwritev2+0xb9/0x100
[   42.633812][ T3600]  do_syscall_64+0x2b/0x70
[   42.638220][ T3600]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   42.644098][ T3600] RIP: 0033:0x7f2d8b046e69
[   42.648496][ T3600] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   42.668080][ T3600] RSP: 002b:00007ffe6399e988 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
[   42.676475][ T3600] RAX: ffffffffffffffda RBX: 000000000000a252 RCX: 00007f2d8b046e69
[   42.684430][ T3600] RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000004
[   42.692817][ T3600] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000003
[   42.700766][ T3600] R10: 0000000000001400 R11: 0000000000000246 R12: 00007ffe6399e9ac
[   42.708716][ T3600] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   42.716680][ T3600]  </TASK>
[   42.719940][ T3600] Kernel Offset: disabled
[   42.724251][ T3600] Rebooting in 86400 seconds..