./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2854748785 <...> Warning: Permanently added '10.128.1.39' (ED25519) to the list of known hosts. execve("./syz-executor2854748785", ["./syz-executor2854748785"], 0x7ffe616c15e0 /* 10 vars */) = 0 brk(NULL) = 0x55558e182000 brk(0x55558e182d00) = 0x55558e182d00 arch_prctl(ARCH_SET_FS, 0x55558e182380) = 0 set_tid_address(0x55558e182650) = 5831 set_robust_list(0x55558e182660, 24) = 0 rseq(0x55558e182ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2854748785", 4096) = 28 getrandom("\x5a\xe9\x01\x54\x73\x2a\x8a\x2d", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558e182d00 brk(0x55558e1a3d00) = 0x55558e1a3d00 brk(0x55558e1a4000) = 0x55558e1a4000 mprotect(0x7f4de88e7000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.9bu9Pb", 0700) = 0 chmod("./syzkaller.9bu9Pb", 0777) = 0 chdir("./syzkaller.9bu9Pb") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5832 attached [pid 5832] set_robust_list(0x55558e182660, 24) = 0 [pid 5831] <... clone resumed>, child_tidptr=0x55558e182650) = 5832 [pid 5832] chdir("./0") = 0 [pid 5832] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5832] setpgid(0, 0) = 0 [pid 5832] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5832] write(3, "1000", 4) = 4 [pid 5832] close(3) = 0 [pid 5832] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5832] write(1, "executing program\n", 18executing program ) = 18 [pid 5832] memfd_create("syzkaller", 0) = 3 [pid 5832] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4de0400000 [pid 5832] write(3, "\x02\x02\x02\x02\x02\x02\x02\x02\x74\x68\x69\x73\x20\x69\x73\x20\x61\x6e\x20\x6f\x63\x66\x73\x32\x20\x76\x6f\x6c\x75\x6d\x65\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"..., 16777216) = 16777216 [pid 5832] munmap(0x7f4de0400000, 138412032) = 0 [pid 5832] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5832] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5832] close(3) = 0 [pid 5832] close(4) = 0 [pid 5832] mkdir("./file1", 0777) = 0 [ 61.269824][ T5832] loop0: detected capacity change from 0 to 32768 [pid 5832] mount("/dev/loop0", "./file1", "ocfs2", MS_NOSUID|MS_NOEXEC|MS_DIRSYNC|MS_NODIRATIME, "acl,nointr,atime_quantum=00000000000000000007,localflocks,localalloc=00000000000000000003,localflock"...) = 0 [pid 5832] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5832] chdir("./file1") = 0 [pid 5832] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 61.329910][ T5832] ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode. [ 61.354504][ T5832] ================================================================== [ 61.362591][ T5832] BUG: KASAN: use-after-free in ocfs2_search_dirblock+0x26b/0x820 [ 61.370427][ T5832] Read of size 1 at addr ffff888070df38cb by task syz-executor285/5832 [ 61.378672][ T5832] [ 61.381008][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: syz-executor285 Not tainted 6.12.0-next-20241128-syzkaller #0 [ 61.391228][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 61.401279][ T5832] Call Trace: [ 61.404546][ T5832] [ 61.407462][ T5832] dump_stack_lvl+0x241/0x360 [ 61.412126][ T5832] ? __pfx_dump_stack_lvl+0x10/0x10 [ 61.417401][ T5832] ? __pfx__printk+0x10/0x10 [ 61.422007][ T5832] ? _printk+0xd5/0x120 [ 61.426150][ T5832] ? __virt_addr_valid+0x183/0x530 [ 61.431244][ T5832] ? __virt_addr_valid+0x183/0x530 [ 61.436337][ T5832] print_report+0x169/0x550 [ 61.440849][ T5832] ? __virt_addr_valid+0x183/0x530 [ 61.445945][ T5832] ? __virt_addr_valid+0x183/0x530 [ 61.451040][ T5832] ? __virt_addr_valid+0x45f/0x530 [ 61.456137][ T5832] ? __phys_addr+0xba/0x170 [ 61.460635][ T5832] ? ocfs2_search_dirblock+0x26b/0x820 [ 61.466087][ T5832] kasan_report+0x143/0x180 [ 61.470584][ T5832] ? ocfs2_search_dirblock+0x26b/0x820 [ 61.476040][ T5832] ocfs2_search_dirblock+0x26b/0x820 [ 61.481315][ T5832] ? ocfs2_read_inode_block+0x14c/0x1e0 [ 61.486941][ T5832] ? __pfx_ocfs2_search_dirblock+0x10/0x10 [ 61.492738][ T5832] ? validate_chain+0x11e/0x5920 [ 61.497673][ T5832] ocfs2_find_entry+0x1169/0x2730 [ 61.502691][ T5832] ? mark_lock+0x9a/0x360 [ 61.507013][ T5832] ? __lock_acquire+0x1397/0x2100 [ 61.512027][ T5832] ? __pfx_ocfs2_find_entry+0x10/0x10 [ 61.517398][ T5832] ? __pfx_lock_acquire+0x10/0x10 [ 61.522432][ T5832] ? ocfs2_inode_lock_full_nested+0x17b/0x1be0 [ 61.528765][ T5832] ? __pfx_lock_release+0x10/0x10 [ 61.533792][ T5832] ? do_raw_spin_lock+0x14f/0x370 [ 61.538822][ T5832] ? do_raw_spin_unlock+0x13c/0x8b0 [ 61.544017][ T5832] ? _raw_spin_unlock+0x28/0x50 [ 61.548893][ T5832] ? ocfs2_inode_lock_full_nested+0xb29/0x1be0 [ 61.555040][ T5832] ? __pfx_ocfs2_inode_lock_full_nested+0x10/0x10 [ 61.561794][ T5832] ocfs2_find_files_on_disk+0xff/0x360 [ 61.567247][ T5832] ocfs2_lookup_ino_from_name+0xb1/0x1e0 [ 61.572874][ T5832] ? __pfx_ocfs2_lookup_ino_from_name+0x10/0x10 [ 61.579112][ T5832] ocfs2_lookup+0x292/0xa30 [ 61.583790][ T5832] ? __pfx_ocfs2_lookup+0x10/0x10 [ 61.588806][ T5832] ? from_kgid+0x1a7/0x730 [ 61.593216][ T5832] ? make_vfsgid+0x51/0xa0 [ 61.597625][ T5832] ? HAS_UNMAPPED_ID+0xf9/0x150 [ 61.602467][ T5832] ? inode_permission+0xff/0x460 [ 61.607409][ T5832] ? __pfx_ocfs2_permission+0x10/0x10 [ 61.612818][ T5832] ? bpf_lsm_inode_create+0x9/0x10 [ 61.617934][ T5832] ? security_inode_create+0xbe/0x340 [ 61.623313][ T5832] ? __pfx_ocfs2_lookup+0x10/0x10 [ 61.628343][ T5832] path_openat+0x11a7/0x3590 [ 61.632958][ T5832] ? __pfx_path_openat+0x10/0x10 [ 61.637899][ T5832] do_filp_open+0x27f/0x4e0 [ 61.642420][ T5832] ? __pfx_do_filp_open+0x10/0x10 [ 61.647434][ T5832] ? do_raw_spin_lock+0x14f/0x370 [ 61.652457][ T5832] do_sys_openat2+0x13e/0x1d0 [ 61.657121][ T5832] ? __pfx_do_sys_openat2+0x10/0x10 [ 61.662308][ T5832] ? lockdep_hardirqs_on+0x99/0x150 [ 61.667500][ T5832] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.672692][ T5832] ? ptrace_notify+0x279/0x380 [ 61.677450][ T5832] __x64_sys_open+0x225/0x270 [ 61.682114][ T5832] ? __pfx___x64_sys_open+0x10/0x10 [ 61.687300][ T5832] ? do_syscall_64+0x100/0x230 [ 61.692052][ T5832] do_syscall_64+0xf3/0x230 [ 61.696547][ T5832] ? clear_bhb_loop+0x35/0x90 [ 61.701258][ T5832] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 61.707153][ T5832] RIP: 0033:0x7f4de886f129 [ 61.711562][ T5832] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.731341][ T5832] RSP: 002b:00007ffc53e2f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 61.739749][ T5832] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4de886f129 [ 61.747713][ T5832] RDX: 0000000000000000 RSI: 0000000400141042 RDI: 0000000020000080 [ 61.755677][ T5832] RBP: 00000000ffffffff R08: 0000000000004435 R09: 000000000000088a [ 61.763724][ T5832] R10: 00007ffc53e2f150 R11: 0000000000000246 R12: 00007ffc53e2f110 [ 61.771683][ T5832] R13: 00007ffc53e2f150 R14: 0000000001000000 R15: 0000000000000003 [ 61.779648][ T5832] [ 61.782656][ T5832] [ 61.784970][ T5832] The buggy address belongs to the physical page: [ 61.791370][ T5832] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x70df3 [ 61.800125][ T5832] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 61.807234][ T5832] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 [ 61.815803][ T5832] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 61.824367][ T5832] page dumped because: kasan: bad access detected [ 61.830768][ T5832] page_owner tracks the page as freed [ 61.836118][ T5832] page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 14338497642, free_ts 15453088175 [ 61.851038][ T5832] post_alloc_hook+0x1f3/0x230 [ 61.855794][ T5832] alloc_contig_range_noprof+0x821/0xe00 [ 61.861416][ T5832] alloc_contig_pages_noprof+0x4b3/0x5c0 [ 61.867037][ T5832] debug_vm_pgtable_alloc_huge_page+0xaf/0x100 [ 61.873180][ T5832] init_args+0x83b/0xb20 [ 61.877411][ T5832] debug_vm_pgtable+0xe0/0x550 [ 61.882162][ T5832] do_one_initcall+0x248/0x870 [ 61.886914][ T5832] do_initcall_level+0x157/0x210 [ 61.891841][ T5832] do_initcalls+0x3f/0x80 [ 61.896156][ T5832] kernel_init_freeable+0x435/0x5d0 [ 61.901341][ T5832] kernel_init+0x1d/0x2b0 [ 61.905656][ T5832] ret_from_fork+0x4b/0x80 [ 61.910059][ T5832] ret_from_fork_asm+0x1a/0x30 [ 61.914823][ T5832] page last free pid 1 tgid 1 stack trace: [ 61.920619][ T5832] free_unref_page+0xdef/0x1130 [ 61.925468][ T5832] free_contig_range+0x152/0x550 [ 61.930405][ T5832] destroy_args+0x92/0x910 [ 61.934813][ T5832] debug_vm_pgtable+0x4be/0x550 [ 61.939669][ T5832] do_one_initcall+0x248/0x870 [ 61.944437][ T5832] do_initcall_level+0x157/0x210 [ 61.949375][ T5832] do_initcalls+0x3f/0x80 [ 61.953710][ T5832] kernel_init_freeable+0x435/0x5d0 [ 61.958903][ T5832] kernel_init+0x1d/0x2b0 [ 61.963225][ T5832] ret_from_fork+0x4b/0x80 [ 61.967628][ T5832] ret_from_fork_asm+0x1a/0x30 [ 61.972464][ T5832] [ 61.974774][ T5832] Memory state around the buggy address: [ 61.980385][ T5832] ffff888070df3780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.988431][ T5832] ffff888070df3800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.996483][ T5832] >ffff888070df3880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.004524][ T5832] ^ [ 62.010919][ T5832] ffff888070df3900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.018962][ T5832] ffff888070df3980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.027006][ T5832] ================================================================== [ 62.035379][ T5832] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 62.042595][ T5832] CPU: 1 UID: 0 PID: 5832 Comm: syz-executor285 Not tainted 6.12.0-next-20241128-syzkaller #0 [ 62.052831][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 62.062884][ T5832] Call Trace: [ 62.066157][ T5832] [ 62.069080][ T5832] dump_stack_lvl+0x241/0x360 [ 62.073756][ T5832] ? __pfx_dump_stack_lvl+0x10/0x10 [ 62.078947][ T5832] ? __pfx__printk+0x10/0x10 [ 62.083528][ T5832] ? preempt_schedule+0xe1/0xf0 [ 62.088377][ T5832] ? vscnprintf+0x5d/0x90 [ 62.092695][ T5832] panic+0x349/0x880 [ 62.096579][ T5832] ? check_panic_on_warn+0x21/0xb0 [ 62.101680][ T5832] ? __pfx_panic+0x10/0x10 [ 62.106087][ T5832] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 62.112060][ T5832] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 62.118380][ T5832] ? print_report+0x502/0x550 [ 62.123051][ T5832] check_panic_on_warn+0x86/0xb0 [ 62.127978][ T5832] ? ocfs2_search_dirblock+0x26b/0x820 [ 62.133429][ T5832] end_report+0x77/0x160 [ 62.137662][ T5832] kasan_report+0x154/0x180 [ 62.142157][ T5832] ? ocfs2_search_dirblock+0x26b/0x820 [ 62.147608][ T5832] ocfs2_search_dirblock+0x26b/0x820 [ 62.152886][ T5832] ? ocfs2_read_inode_block+0x14c/0x1e0 [ 62.158419][ T5832] ? __pfx_ocfs2_search_dirblock+0x10/0x10 [ 62.164218][ T5832] ? validate_chain+0x11e/0x5920 [ 62.169151][ T5832] ocfs2_find_entry+0x1169/0x2730 [ 62.174168][ T5832] ? mark_lock+0x9a/0x360 [ 62.178491][ T5832] ? __lock_acquire+0x1397/0x2100 [ 62.183506][ T5832] ? __pfx_ocfs2_find_entry+0x10/0x10 [ 62.188876][ T5832] ? __pfx_lock_acquire+0x10/0x10 [ 62.193887][ T5832] ? ocfs2_inode_lock_full_nested+0x17b/0x1be0 [ 62.200027][ T5832] ? __pfx_lock_release+0x10/0x10 [ 62.205040][ T5832] ? do_raw_spin_lock+0x14f/0x370 [ 62.210053][ T5832] ? do_raw_spin_unlock+0x13c/0x8b0 [ 62.215238][ T5832] ? _raw_spin_unlock+0x28/0x50 [ 62.220080][ T5832] ? ocfs2_inode_lock_full_nested+0xb29/0x1be0 [ 62.226227][ T5832] ? __pfx_ocfs2_inode_lock_full_nested+0x10/0x10 [ 62.232634][ T5832] ocfs2_find_files_on_disk+0xff/0x360 [ 62.238087][ T5832] ocfs2_lookup_ino_from_name+0xb1/0x1e0 [ 62.243711][ T5832] ? __pfx_ocfs2_lookup_ino_from_name+0x10/0x10 [ 62.249945][ T5832] ocfs2_lookup+0x292/0xa30 [ 62.254446][ T5832] ? __pfx_ocfs2_lookup+0x10/0x10 [ 62.259462][ T5832] ? from_kgid+0x1a7/0x730 [ 62.263867][ T5832] ? make_vfsgid+0x51/0xa0 [ 62.268273][ T5832] ? HAS_UNMAPPED_ID+0xf9/0x150 [ 62.273115][ T5832] ? inode_permission+0xff/0x460 [ 62.278040][ T5832] ? __pfx_ocfs2_permission+0x10/0x10 [ 62.283406][ T5832] ? bpf_lsm_inode_create+0x9/0x10 [ 62.288510][ T5832] ? security_inode_create+0xbe/0x340 [ 62.293877][ T5832] ? __pfx_ocfs2_lookup+0x10/0x10 [ 62.298897][ T5832] path_openat+0x11a7/0x3590 [ 62.303490][ T5832] ? __pfx_path_openat+0x10/0x10 [ 62.308429][ T5832] do_filp_open+0x27f/0x4e0 [ 62.312921][ T5832] ? __pfx_do_filp_open+0x10/0x10 [ 62.317936][ T5832] ? do_raw_spin_lock+0x14f/0x370 [ 62.322956][ T5832] do_sys_openat2+0x13e/0x1d0 [ 62.327627][ T5832] ? __pfx_do_sys_openat2+0x10/0x10 [ 62.332812][ T5832] ? lockdep_hardirqs_on+0x99/0x150 [ 62.338001][ T5832] ? _raw_spin_unlock_irq+0x2e/0x50 [ 62.343191][ T5832] ? ptrace_notify+0x279/0x380 [ 62.347948][ T5832] __x64_sys_open+0x225/0x270 [ 62.352612][ T5832] ? __pfx___x64_sys_open+0x10/0x10 [ 62.357798][ T5832] ? do_syscall_64+0x100/0x230 [ 62.362552][ T5832] do_syscall_64+0xf3/0x230 [ 62.367046][ T5832] ? clear_bhb_loop+0x35/0x90 [ 62.371711][ T5832] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 62.377594][ T5832] RIP: 0033:0x7f4de886f129 [ 62.381998][ T5832] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 62.401591][ T5832] RSP: 002b:00007ffc53e2f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 62.409995][ T5832] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4de886f129 [ 62.417956][ T5832] RDX: 0000000000000000 RSI: 0000000400141042 RDI: 0000000020000080 [ 62.425915][ T5832] RBP: 00000000ffffffff R08: 0000000000004435 R09: 000000000000088a [ 62.433874][ T5832] R10: 00007ffc53e2f150 R11: 0000000000000246 R12: 00007ffc53e2f110 [ 62.441835][ T5832] R13: 00007ffc53e2f150 R14: 0000000001000000 R15: 0000000000000003 [ 62.449801][ T5832] [ 62.453081][ T5832] Kernel Offset: disabled [ 62.457395][ T5832] Rebooting in 86400 seconds..