./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1038965328
<...>
Warning: Permanently added '10.128.0.144' (ED25519) to the list of known hosts.
execve("./syz-executor1038965328", ["./syz-executor1038965328"], 0x7fff39ac1ff0 /* 10 vars */) = 0
brk(NULL) = 0x55555734b000
brk(0x55555734bd00) = 0x55555734bd00
arch_prctl(ARCH_SET_FS, 0x55555734b380) = 0
set_tid_address(0x55555734b650) = 5054
set_robust_list(0x55555734b660, 24) = 0
rseq(0x55555734bca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1038965328", 4096) = 28
getrandom("\xd2\x77\xeb\x83\x1c\xc7\xa5\x0b", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55555734bd00
brk(0x55555736cd00) = 0x55555736cd00
brk(0x55555736d000) = 0x55555736d000
mprotect(0x7f2834d58000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5056 attached
, child_tidptr=0x55555734b650) = 5056
[pid 5056] set_robust_list(0x55555734b660, 24) = 0
[pid 5056] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5056] setpgid(0, 0) = 0
[pid 5056] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5056] write(3, "1000", 4) = 4
[pid 5056] close(3) = 0
[pid 5056] memfd_create("syzkaller", 0) = 3
[pid 5056] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f282c800000
[pid 5056] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 32394836) = 32394836
[pid 5056] munmap(0x7f282c800000, 138412032) = 0
[pid 5056] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5056] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5056] close(3) = 0
[pid 5056] close(4) = 0
[pid 5056] mkdir("./bus", 0777) = 0
[ 52.589426][ T5056] loop0: detected capacity change from 0 to 63271
[ 52.624919][ T5056] F2FS-fs (loop0): Mismatch start address, segment0(512) cp_blkaddr(605)
[ 52.633398][ T5056] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 52.641969][ T5056] F2FS-fs (loop0): Unrecognized mount option "18446744073709551615184467440737095516150177777777777777777777718446744073709551615”�źû÷ǘ�$H¦Qs¾G™" or missing value
[ 52.658623][ T5056] ==================================================================
[ 52.666847][ T5056] BUG: KASAN: slab-use-after-free in destroy_device_list+0x195/0x200
[ 52.674917][ T5056] Read of size 4 at addr ffff88802370577c by task syz-executor103/5056
[ 52.683133][ T5056]
[ 52.685438][ T5056] CPU: 0 PID: 5056 Comm: syz-executor103 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0
[ 52.695476][ T5056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 52.705511][ T5056] Call Trace:
[ 52.708769][ T5056]
[ 52.711683][ T5056] dump_stack_lvl+0xd9/0x1b0
[ 52.716267][ T5056] print_report+0xc4/0x620
[ 52.720663][ T5056] ? __virt_addr_valid+0x5e/0x580
[ 52.725682][ T5056] ? __phys_addr+0xc6/0x140
[ 52.730189][ T5056] kasan_report+0xda/0x110
[ 52.734601][ T5056] ? destroy_device_list+0x195/0x200
[ 52.739885][ T5056] ? destroy_device_list+0x195/0x200
[ 52.745169][ T5056] destroy_device_list+0x195/0x200
[ 52.750272][ T5056] kill_f2fs_super+0x2c6/0x430
[ 52.755028][ T5056] ? trace_event_raw_event_f2fs_unlink_enter+0x450/0x450
[ 52.762045][ T5056] ? f2fs_record_error_work+0x20/0x20
[ 52.767407][ T5056] deactivate_locked_super+0xbc/0x1a0
[ 52.772780][ T5056] mount_bdev+0x277/0x2d0
[ 52.777121][ T5056] ? sget+0x640/0x640
[ 52.781104][ T5056] ? apparmor_capable+0x126/0x1e0
[ 52.786121][ T5056] ? destroy_device_list+0x200/0x200
[ 52.791401][ T5056] legacy_get_tree+0x109/0x220
[ 52.796330][ T5056] vfs_get_tree+0x8c/0x370
[ 52.800737][ T5056] path_mount+0x14e6/0x1f20
[ 52.805235][ T5056] ? kmem_cache_free+0x129/0x350
[ 52.810167][ T5056] ? finish_automount+0xa40/0xa40
[ 52.815185][ T5056] ? lock_release+0xa5/0x690
[ 52.819774][ T5056] ? putname+0x12e/0x170
[ 52.824008][ T5056] __x64_sys_mount+0x293/0x310
[ 52.828769][ T5056] ? copy_mnt_ns+0x9f0/0x9f0
[ 52.833354][ T5056] ? _raw_spin_unlock_irq+0x2e/0x50
[ 52.838542][ T5056] ? ptrace_notify+0xf4/0x130
[ 52.843208][ T5056] do_syscall_64+0xd3/0x250
[ 52.847702][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 52.853591][ T5056] RIP: 0033:0x7f2834cde0ea
[ 52.857989][ T5056] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 52.877597][ T5056] RSP: 002b:00007ffcca982818 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 52.885997][ T5056] RAX: ffffffffffffffda RBX: 00007ffcca982830 RCX: 00007f2834cde0ea
[ 52.893952][ T5056] RDX: 00000000200000c0 RSI: 0000000020010280 RDI: 00007ffcca982830
[ 52.901906][ T5056] RBP: 0000000000000010 R08: 00007ffcca982870 R09: 0000000000007e5e
[ 52.909892][ T5056] R10: 0000000000000010 R11: 0000000000000286 R12: 0000000000000004
[ 52.917849][ T5056] R13: 00007ffcca982870 R14: 0000000000000003 R15: 0000000001ee4e54
[ 52.925814][ T5056]
[ 52.928815][ T5056]
[ 52.931118][ T5056] Allocated by task 5056:
[ 52.935423][ T5056] kasan_save_stack+0x33/0x50
[ 52.940088][ T5056] kasan_save_track+0x14/0x30
[ 52.944748][ T5056] __kasan_kmalloc+0xa2/0xb0
[ 52.949319][ T5056] f2fs_fill_super+0xfe/0x8e50
[ 52.954071][ T5056] mount_bdev+0x1df/0x2d0
[ 52.958393][ T5056] legacy_get_tree+0x109/0x220
[ 52.963143][ T5056] vfs_get_tree+0x8c/0x370
[ 52.967569][ T5056] path_mount+0x14e6/0x1f20
[ 52.972063][ T5056] __x64_sys_mount+0x293/0x310
[ 52.976818][ T5056] do_syscall_64+0xd3/0x250
[ 52.981308][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 52.987197][ T5056]
[ 52.989507][ T5056] Freed by task 5056:
[ 52.993491][ T5056] kasan_save_stack+0x33/0x50
[ 52.998152][ T5056] kasan_save_track+0x14/0x30
[ 53.002813][ T5056] kasan_save_free_info+0x3f/0x60
[ 53.007825][ T5056] __kasan_slab_free+0x121/0x1b0
[ 53.012750][ T5056] kfree+0x124/0x360
[ 53.016634][ T5056] f2fs_fill_super+0x270c/0x8e50
[ 53.021561][ T5056] mount_bdev+0x1df/0x2d0
[ 53.025882][ T5056] legacy_get_tree+0x109/0x220
[ 53.030631][ T5056] vfs_get_tree+0x8c/0x370
[ 53.035030][ T5056] path_mount+0x14e6/0x1f20
[ 53.039526][ T5056] __x64_sys_mount+0x293/0x310
[ 53.044279][ T5056] do_syscall_64+0xd3/0x250
[ 53.048765][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 53.054647][ T5056]
[ 53.056955][ T5056] The buggy address belongs to the object at ffff888023704000
[ 53.056955][ T5056] which belongs to the cache kmalloc-8k of size 8192
[ 53.070988][ T5056] The buggy address is located 6012 bytes inside of
[ 53.070988][ T5056] freed 8192-byte region [ffff888023704000, ffff888023706000)
[ 53.084939][ T5056]
[ 53.087246][ T5056] The buggy address belongs to the physical page:
[ 53.093632][ T5056] page:ffffea00008dc000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23700
[ 53.103762][ T5056] head:ffffea00008dc000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 53.112696][ T5056] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 53.121091][ T5056] page_type: 0xffffffff()
[ 53.125401][ T5056] raw: 00fff00000000840 ffff888013042280 0000000000000000 0000000000000001
[ 53.133967][ T5056] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 53.142527][ T5056] page dumped because: kasan: bad access detected
[ 53.148919][ T5056] page_owner tracks the page as allocated
[ 53.154610][ T5056] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4720, tgid 4720 (S41dhcpcd), ts 24021448913, free_ts 23992557968
[ 53.174911][ T5056] post_alloc_hook+0x2d0/0x350
[ 53.179687][ T5056] get_page_from_freelist+0xa28/0x3780
[ 53.185137][ T5056] __alloc_pages+0x22f/0x2440
[ 53.189799][ T5056] new_slab+0xcc/0x3a0
[ 53.193852][ T5056] ___slab_alloc+0x4af/0x19a0
[ 53.198519][ T5056] __slab_alloc.constprop.0+0x56/0xa0
[ 53.203876][ T5056] kmalloc_trace+0x30b/0x340
[ 53.208456][ T5056] tomoyo_init_log+0xcdf/0x2110
[ 53.213290][ T5056] tomoyo_supervisor+0x30c/0xea0
[ 53.218301][ T5056] tomoyo_env_perm+0x18f/0x200
[ 53.223050][ T5056] tomoyo_find_next_domain+0xef6/0x2020
[ 53.228582][ T5056] tomoyo_bprm_check_security+0x12b/0x1d0
[ 53.234291][ T5056] security_bprm_check+0x6a/0xe0
[ 53.239214][ T5056] bprm_execve+0x73a/0x1a90
[ 53.243711][ T5056] do_execveat_common.isra.0+0x5d3/0x740
[ 53.249330][ T5056] __x64_sys_execve+0x8c/0xb0
[ 53.253992][ T5056] page last free pid 4718 tgid 4718 stack trace:
[ 53.260298][ T5056] free_unref_page_prepare+0x51f/0xb10
[ 53.265750][ T5056] free_unref_page+0x33/0x3c0
[ 53.270417][ T5056] __put_partials+0x14c/0x160
[ 53.275083][ T5056] qlist_free_all+0x58/0x150
[ 53.279665][ T5056] kasan_quarantine_reduce+0x18e/0x1d0
[ 53.285111][ T5056] __kasan_slab_alloc+0x65/0x90
[ 53.289944][ T5056] __kmalloc+0x1bd/0x440
[ 53.294438][ T5056] ext4_htree_store_dirent+0x92/0x690
[ 53.299802][ T5056] htree_dirblock_to_tree+0x585/0xd20
[ 53.305165][ T5056] ext4_htree_fill_tree+0x395/0xc80
[ 53.310347][ T5056] ext4_readdir+0x2010/0x3720
[ 53.315012][ T5056] iterate_dir+0x28c/0x9e0
[ 53.319417][ T5056] __x64_sys_getdents64+0x14f/0x2e0
[ 53.324601][ T5056] do_syscall_64+0xd3/0x250
[ 53.329090][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 53.334972][ T5056]
[ 53.337281][ T5056] Memory state around the buggy address:
[ 53.342890][ T5056] ffff888023705600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.350934][ T5056] ffff888023705680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.358985][ T5056] >ffff888023705700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.367027][ T5056] ^
[ 53.374984][ T5056] ffff888023705780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.383032][ T5056] ffff888023705800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.391075][ T5056] ==================================================================
[ 53.399317][ T5056] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 53.406510][ T5056] CPU: 0 PID: 5056 Comm: syz-executor103 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0
[ 53.416592][ T5056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 53.426646][ T5056] Call Trace:
[ 53.430007][ T5056]
[ 53.432982][ T5056] dump_stack_lvl+0xd9/0x1b0
[ 53.437571][ T5056] panic+0x6dc/0x790
[ 53.441476][ T5056] ? panic_smp_self_stop+0xa0/0xa0
[ 53.446582][ T5056] ? rcu_is_watching+0x12/0xb0
[ 53.451336][ T5056] ? trace_irq_enable.constprop.0+0xd0/0x100
[ 53.457313][ T5056] ? check_panic_on_warn+0x1f/0xb0
[ 53.462421][ T5056] check_panic_on_warn+0xab/0xb0
[ 53.467439][ T5056] end_report+0x108/0x150
[ 53.471759][ T5056] kasan_report+0xea/0x110
[ 53.476169][ T5056] ? destroy_device_list+0x195/0x200
[ 53.481445][ T5056] ? destroy_device_list+0x195/0x200
[ 53.486719][ T5056] destroy_device_list+0x195/0x200
[ 53.491822][ T5056] kill_f2fs_super+0x2c6/0x430
[ 53.496577][ T5056] ? trace_event_raw_event_f2fs_unlink_enter+0x450/0x450
[ 53.503589][ T5056] ? f2fs_record_error_work+0x20/0x20
[ 53.508950][ T5056] deactivate_locked_super+0xbc/0x1a0
[ 53.514371][ T5056] mount_bdev+0x277/0x2d0
[ 53.518698][ T5056] ? sget+0x640/0x640
[ 53.522675][ T5056] ? apparmor_capable+0x126/0x1e0
[ 53.527691][ T5056] ? destroy_device_list+0x200/0x200
[ 53.532963][ T5056] legacy_get_tree+0x109/0x220
[ 53.537756][ T5056] vfs_get_tree+0x8c/0x370
[ 53.542160][ T5056] path_mount+0x14e6/0x1f20
[ 53.546665][ T5056] ? kmem_cache_free+0x129/0x350
[ 53.551594][ T5056] ? finish_automount+0xa40/0xa40
[ 53.556610][ T5056] ? lock_release+0xa5/0x690
[ 53.561189][ T5056] ? putname+0x12e/0x170
[ 53.565424][ T5056] __x64_sys_mount+0x293/0x310
[ 53.570183][ T5056] ? copy_mnt_ns+0x9f0/0x9f0
[ 53.574771][ T5056] ? _raw_spin_unlock_irq+0x2e/0x50
[ 53.579965][ T5056] ? ptrace_notify+0xf4/0x130
[ 53.584634][ T5056] do_syscall_64+0xd3/0x250
[ 53.589128][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 53.595018][ T5056] RIP: 0033:0x7f2834cde0ea
[ 53.599418][ T5056] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 53.619011][ T5056] RSP: 002b:00007ffcca982818 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 53.627408][ T5056] RAX: ffffffffffffffda RBX: 00007ffcca982830 RCX: 00007f2834cde0ea
[ 53.635366][ T5056] RDX: 00000000200000c0 RSI: 0000000020010280 RDI: 00007ffcca982830
[ 53.643325][ T5056] RBP: 0000000000000010 R08: 00007ffcca982870 R09: 0000000000007e5e
[ 53.651286][ T5056] R10: 0000000000000010 R11: 0000000000000286 R12: 0000000000000004
[ 53.659337][ T5056] R13: 00007ffcca982870 R14: 0000000000000003 R15: 0000000001ee4e54
[ 53.667302][ T5056]
[ 53.670521][ T5056] Kernel Offset: disabled
[ 53.674823][ T5056] Rebooting in 86400 seconds..