./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1989321999
<...>
DUID 00:04:b0:cd:33:f9:4f:8a:55:45:4d:7b:3b:ee:3a:71:f0:8b
forked to background, child pid 3210
[ 30.337804][ T3211] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.348134][ T3211] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
execve("./syz-executor1989321999", ["./syz-executor1989321999"], 0x7ffc2d3ca2d0 /* 10 vars */) = 0
brk(NULL) = 0x555557227000
brk(0x555557227d00) = 0x555557227d00
arch_prctl(ARCH_SET_FS, 0x5555572273c0) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1989321999", 4096) = 28
brk(0x555557248d00) = 0x555557248d00
brk(0x555557249000) = 0x555557249000
mprotect(0x7f4da5b72000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7f4da5abf030, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f4da5ac0a40}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7f4da5abf030, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f4da5ac0a40}, NULL, 8) = 0
getpid() = 3631
mkdir("./syzkaller.LXpnLK", 0700) = 0
chmod("./syzkaller.LXpnLK", 0777) = 0
chdir("./syzkaller.LXpnLK") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557227690) = 3632
./strace-static-x86_64: Process 3632 attached
[pid 3632] chdir("./0") = 0
[pid 3632] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3632] setpgid(0, 0) = 0
[pid 3632] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3632] write(3, "1000", 4) = 4
[pid 3632] close(3) = 0
[pid 3632] symlink("/dev/binderfs", "./binderfs") = 0
[pid 3632] memfd_create("syzkaller", 0) = 3
[pid 3632] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4d9d600000
[pid 3632] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid 3632] munmap(0x7f4d9d600000, 4194304) = 0
[pid 3632] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 3632] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 3632] close(3) = 0
[pid 3632] mkdir("./file2", 0777) = 0
syzkaller login: [ 54.731399][ T3632] loop0: detected capacity change from 0 to 8192
[ 54.744294][ T3632] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 54.757659][ T3632] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 54.767528][ T3632] REISERFS (device loop0): using ordered data mode
[ 54.774329][ T3632] reiserfs: using flush barriers
[pid 3632] mount("/dev/loop0", "./file2", "reiserfs", MS_DIRSYNC|MS_REC|MS_I_VERSION, "") = 0
[pid 3632] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3
[pid 3632] chdir("./file2") = 0
[pid 3632] ioctl(4, LOOP_CLR_FD) = 0
[pid 3632] close(4) = 0
[pid 3632] mkdir("./file0", 000) = 0
[pid 3632] mkdir("./file1", 000) = 0
[ 54.780429][ T3632] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 54.797124][ T3632] REISERFS (device loop0): checking transaction log (loop0)
[ 54.806876][ T3632] REISERFS (device loop0): Using r5 hash to sort names
[ 54.814936][ T3632] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 54.848501][ T3632] ==================================================================
[ 54.856614][ T3632] BUG: KASAN: use-after-free in reiserfs_release_objectid+0x528/0x7c0
[ 54.864806][ T3632] Read of size 14568 at addr ffff8880737890d0 by task syz-executor198/3632
[ 54.873372][ T3632]
[ 54.875675][ T3632] CPU: 1 PID: 3632 Comm: syz-executor198 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
[ 54.886058][ T3632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 54.896092][ T3632] Call Trace:
[ 54.899352][ T3632]
[ 54.902270][ T3632] dump_stack_lvl+0x1b1/0x28e
[ 54.906957][ T3632] ? nf_tcp_handle_invalid+0x62e/0x62e
[ 54.912407][ T3632] ? __wake_up_klogd+0xcd/0x100
[ 54.917249][ T3632] ? panic+0x710/0x710
[ 54.921307][ T3632] ? _printk+0xc0/0x100
[ 54.925453][ T3632] ? _raw_spin_lock_irqsave+0x8e/0x100
[ 54.930907][ T3632] print_address_description+0x74/0x340
[ 54.936443][ T3632] print_report+0x107/0x1f0
[ 54.940938][ T3632] ? __virt_addr_valid+0x21b/0x2d0
[ 54.946045][ T3632] ? __phys_addr+0xb5/0x160
[ 54.950542][ T3632] ? reiserfs_release_objectid+0x528/0x7c0
[ 54.956345][ T3632] kasan_report+0xcd/0x100
[ 54.960755][ T3632] ? reiserfs_release_objectid+0x528/0x7c0
[ 54.966557][ T3632] kasan_check_range+0x2a7/0x2e0
[ 54.971483][ T3632] ? reiserfs_release_objectid+0x528/0x7c0
[ 54.977280][ T3632] memmove+0x25/0x60
[ 54.981167][ T3632] reiserfs_release_objectid+0x528/0x7c0
[ 54.986796][ T3632] remove_save_link+0x2f6/0x4a0
[ 54.991655][ T3632] ? add_save_link+0x780/0x780
[ 54.996416][ T3632] ? journal_end+0x21e/0x2d0
[ 55.000997][ T3632] reiserfs_evict_inode+0x35a/0x460
[ 55.006187][ T3632] ? entry_points_to_object+0x330/0x330
[ 55.011867][ T3632] ? do_raw_spin_unlock+0x134/0x8a0
[ 55.017094][ T3632] ? entry_points_to_object+0x330/0x330
[ 55.026999][ T3632] evict+0x2a4/0x620
[ 55.030905][ T3632] __dentry_kill+0x3b1/0x5b0
[ 55.035495][ T3632] dentry_kill+0xbb/0x290
[ 55.039824][ T3632] dput+0x1f3/0x410
[ 55.043631][ T3632] do_renameat2+0xb60/0x1370
[ 55.048226][ T3632] ? fsnotify_move+0x4e0/0x4e0
[ 55.053010][ T3632] ? check_heap_object+0x244/0x810
[ 55.058119][ T3632] ? __phys_addr_symbol+0x2b/0x70
[ 55.063138][ T3632] ? strncpy_from_user+0x1d6/0x330
[ 55.068243][ T3632] ? getname_flags+0x1ea/0x4e0
[ 55.073000][ T3632] __x64_sys_rename+0x82/0x90
[ 55.077699][ T3632] do_syscall_64+0x3d/0xb0
[ 55.082112][ T3632] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.088015][ T3632] RIP: 0033:0x7f4da5b02e99
[ 55.092432][ T3632] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.112041][ T3632] RSP: 002b:00007ffdba5119c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
[ 55.120451][ T3632] RAX: ffffffffffffffda RBX: 00007ffdba511ba8 RCX: 00007f4da5b02e99
[ 55.128412][ T3632] RDX: 00007f4da5b02e99 RSI: 0000000020000200 RDI: 0000000020000140
[ 55.136370][ T3632] RBP: 0000000000000000 R08: 00007ffdba511a30 R09: 00007ffdba511a30
[ 55.144417][ T3632] R10: 00007ffdba511a30 R11: 0000000000000246 R12: 0000000000000000
[ 55.152395][ T3632] R13: 00007ffdba511a30 R14: 00007ffdba511a10 R15: 0000000000000000
[ 55.160377][ T3632]
[ 55.163389][ T3632]
[ 55.165986][ T3632] The buggy address belongs to the physical page:
[ 55.172385][ T3632] page:ffffea0001cde240 refcount:2 mapcount:0 mapping:ffff888012c275f8 index:0x10 pfn:0x73789
[ 55.182626][ T3632] memcg:ffff888140150000
[ 55.186852][ T3632] aops:def_blk_aops ino:700000
[ 55.191609][ T3632] flags: 0xfff00000022036(referenced|uptodate|lru|active|private|mappedtodisk|node=0|zone=1|lastcpupid=0x7ff)
[ 55.203232][ T3632] raw: 00fff00000022036 ffffea0001ccdf88 ffffea0001cd8cc8 ffff888012c275f8
[ 55.211814][ T3632] raw: 0000000000000010 ffff888072933cb0 00000002ffffffff ffff888140150000
[ 55.220398][ T3632] page dumped because: kasan: bad access detected
[ 55.226804][ T3632] page_owner tracks the page as allocated
[ 55.232511][ T3632] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 3632, tgid 3632 (syz-executor198), ts 54744108099, free_ts 54728652923
[ 55.253510][ T3632] get_page_from_freelist+0x742/0x7c0
[ 55.259055][ T3632] __alloc_pages+0x259/0x560
[ 55.263723][ T3632] folio_alloc+0x1a/0x50
[ 55.267954][ T3632] filemap_alloc_folio+0x7e/0x1c0
[ 55.272966][ T3632] __filemap_get_folio+0x898/0x1260
[ 55.278150][ T3632] pagecache_get_page+0x28/0x260
[ 55.283074][ T3632] grow_dev_page+0xba/0x920
[ 55.287565][ T3632] __getblk_gfp+0x16c/0x290
[ 55.292070][ T3632] __bread_gfp+0x28/0x320
[ 55.296392][ T3632] read_super_block+0x93/0x820
[ 55.301239][ T3632] reiserfs_fill_super+0x7ff/0x24a0
[ 55.306426][ T3632] mount_bdev+0x26c/0x3a0
[ 55.310746][ T3632] legacy_get_tree+0xea/0x180
[ 55.315449][ T3632] vfs_get_tree+0x88/0x270
[ 55.319882][ T3632] do_new_mount+0x289/0xad0
[ 55.324392][ T3632] __se_sys_mount+0x2d3/0x3c0
[ 55.329146][ T3632] page last free stack trace:
[ 55.333812][ T3632] free_pcp_prepare+0x80c/0x8f0
[ 55.338657][ T3632] free_unref_page_list+0xb4/0x7b0
[ 55.343762][ T3632] release_pages+0x232a/0x25c0
[ 55.348516][ T3632] tlb_flush_mmu+0x850/0xa70
[ 55.353099][ T3632] tlb_finish_mmu+0xcb/0x200
[ 55.357681][ T3632] unmap_region+0x2af/0x300
[ 55.362173][ T3632] do_mas_align_munmap+0xd18/0x14e0
[ 55.367364][ T3632] do_mas_munmap+0x245/0x2b0
[ 55.371944][ T3632] __vm_munmap+0x23c/0x340
[ 55.376381][ T3632] __x64_sys_munmap+0x5c/0x70
[ 55.381048][ T3632] do_syscall_64+0x3d/0xb0
[ 55.385451][ T3632] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.391332][ T3632]
[ 55.393642][ T3632] Memory state around the buggy address:
[ 55.399278][ T3632] ffff88807378af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.407340][ T3632] ffff88807378af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.415394][ T3632] >ffff88807378b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.423465][ T3632] ^
[ 55.427520][ T3632] ffff88807378b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.435566][ T3632] ffff88807378b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 55.443611][ T3632] ==================================================================
[ 55.452337][ T3632] Kernel panic - not syncing: panic_on_warn set ...
[ 55.458945][ T3632] CPU: 0 PID: 3632 Comm: syz-executor198 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
[ 55.469363][ T3632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 55.479585][ T3632] Call Trace:
[ 55.482854][ T3632]
[ 55.485776][ T3632] dump_stack_lvl+0x1b1/0x28e
[ 55.490452][ T3632] ? nf_tcp_handle_invalid+0x62e/0x62e
[ 55.495986][ T3632] ? panic+0x710/0x710
[ 55.500044][ T3632] ? preempt_schedule_common+0xb7/0xe0
[ 55.505506][ T3632] ? vscnprintf+0x59/0x80
[ 55.509827][ T3632] panic+0x2d6/0x710
[ 55.513801][ T3632] ? memcpy_page_flushcache+0xfc/0xfc
[ 55.519172][ T3632] ? _raw_spin_unlock_irqrestore+0x110/0x120
[ 55.525145][ T3632] ? print_report+0x1b4/0x1f0
[ 55.529815][ T3632] ? reiserfs_release_objectid+0x528/0x7c0
[ 55.535616][ T3632] end_report+0x91/0xa0
[ 55.539765][ T3632] kasan_report+0xda/0x100
[ 55.544170][ T3632] ? reiserfs_release_objectid+0x528/0x7c0
[ 55.549978][ T3632] kasan_check_range+0x2a7/0x2e0
[ 55.554903][ T3632] ? reiserfs_release_objectid+0x528/0x7c0
[ 55.560703][ T3632] memmove+0x25/0x60
[ 55.564603][ T3632] reiserfs_release_objectid+0x528/0x7c0
[ 55.570319][ T3632] remove_save_link+0x2f6/0x4a0
[ 55.575170][ T3632] ? add_save_link+0x780/0x780
[ 55.580017][ T3632] ? journal_end+0x21e/0x2d0
[ 55.584597][ T3632] reiserfs_evict_inode+0x35a/0x460
[ 55.589785][ T3632] ? entry_points_to_object+0x330/0x330
[ 55.595336][ T3632] ? do_raw_spin_unlock+0x134/0x8a0
[ 55.600531][ T3632] ? entry_points_to_object+0x330/0x330
[ 55.606070][ T3632] evict+0x2a4/0x620
[ 55.609971][ T3632] __dentry_kill+0x3b1/0x5b0
[ 55.614560][ T3632] dentry_kill+0xbb/0x290
[ 55.618883][ T3632] dput+0x1f3/0x410
[ 55.622685][ T3632] do_renameat2+0xb60/0x1370
[ 55.627277][ T3632] ? fsnotify_move+0x4e0/0x4e0
[ 55.632031][ T3632] ? check_heap_object+0x244/0x810
[ 55.637137][ T3632] ? __phys_addr_symbol+0x2b/0x70
[ 55.642183][ T3632] ? strncpy_from_user+0x1d6/0x330
[ 55.647324][ T3632] ? getname_flags+0x1ea/0x4e0
[ 55.652100][ T3632] __x64_sys_rename+0x82/0x90
[ 55.656777][ T3632] do_syscall_64+0x3d/0xb0
[ 55.661218][ T3632] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.667131][ T3632] RIP: 0033:0x7f4da5b02e99
[ 55.671537][ T3632] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.691130][ T3632] RSP: 002b:00007ffdba5119c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
[ 55.699708][ T3632] RAX: ffffffffffffffda RBX: 00007ffdba511ba8 RCX: 00007f4da5b02e99
[ 55.707668][ T3632] RDX: 00007f4da5b02e99 RSI: 0000000020000200 RDI: 0000000020000140
[ 55.715635][ T3632] RBP: 0000000000000000 R08: 00007ffdba511a30 R09: 00007ffdba511a30
[ 55.723683][ T3632] R10: 00007ffdba511a30 R11: 0000000000000246 R12: 0000000000000000
[ 55.731655][ T3632] R13: 00007ffdba511a30 R14: 00007ffdba511a10 R15: 0000000000000000
[ 55.739626][ T3632]
[ 55.742890][ T3632] Kernel Offset: disabled
[ 55.747206][ T3632] Rebooting in 86400 seconds..