./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1502811458 <...> forked to background, child pid 3183 no interfaces have a carri[ 22.113357][ T3184] 8021q: adding VLAN 0 to HW filter on device bond0 er [ 22.123180][ T3184] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.108' (ECDSA) to the list of known hosts. execve("./syz-executor1502811458", ["./syz-executor1502811458"], 0x7ffdbfca8830 /* 10 vars */) = 0 brk(NULL) = 0x5555568f5000 brk(0x5555568f5c40) = 0x5555568f5c40 arch_prctl(ARCH_SET_FS, 0x5555568f5300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1502811458", 4096) = 28 brk(0x555556916c40) = 0x555556916c40 brk(0x555556917000) = 0x555556917000 mprotect(0x7f6608ef6000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 3612 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "3612", 4) = 4 close(3) = 0 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=680, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=3612}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1c\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x25\x00\x00\x00\x48\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 680 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3612}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 access("/proc/net", R_OK) = 0 access("/proc/net/unix", R_OK) = 0 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3612}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3612}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3612}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3612}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3612}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 getpid() = 3612 mkdir("./syzkaller.Y0kk4j", 0700) = 0 chmod("./syzkaller.Y0kk4j", 0777) = 0 chdir("./syzkaller.Y0kk4j") = 0 memfd_create("syzkaller", 0) = 3 ftruncate(3, 286849) = 0 pwrite64(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x03\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02", 69, 0) = 69 pwrite64(3, "\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x40\x00\x01\x00\xa0\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x60\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x48\x00\x00\x00\x18\x00\x00\x00\x80\x18\x75\xc1\x34\x4f\xd8\x01\x80\x18\x75\xc1"..., 403, 16384) = 403 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\x00\x00\x00\x48\x00\x00\x00\x01\x00\x40\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x11\x01\x04\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x03\x00\x46\x49\x4c\x45"..., 373, 18336) = 373 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x40\x00\x01\x00\x60\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 373, 20448) = 373 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x01\x00\x40\x00\x01\x00\xe8\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 493, 22496) = 493 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x01\x00\x40\x00\x01\x00\xc8\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 475, 24544) = 475 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x01\x00\x40\x00\x03\x00\x08\x02\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x05\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 373, 26592) = 373 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x01\x00\x40\x00\x01\x00\x58\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x06\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 363, 28640) = 363 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x01\x00\x40\x00\x01\x00\x80\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 403, 32736) = 403 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x01\x00\x40\x00\x09\x00\x08\x03\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x09\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 797, 34784) = 797 pwrite64(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x46\x49\x4c\x45\x30\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x01\x00\x40\x00\x01\x00\xa0\x01\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x0a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"..., 363, 36832) = 363 pwrite64(3, "\x10", 1, 286848) = 1 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 mkdir("./file0", 0777) = 0 syzkaller login: [ 43.666732][ T3612] loop0: detected capacity change from 0 to 560 [ 43.679526][ T3612] ntfs3: loop0: Different NTFS' sector size (2048) and media sector size (512) [ 43.688649][ T3612] ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only [ 43.700731][ T3612] ================================================================== [ 43.708960][ T3612] BUG: KASAN: use-after-free in run_unpack+0x8b7/0x970 [ 43.715806][ T3612] Read of size 1 at addr ffff88807f395110 by task syz-executor150/3612 [ 43.724456][ T3612] [ 43.726759][ T3612] CPU: 1 PID: 3612 Comm: syz-executor150 Not tainted 6.0.0-syzkaller #0 [ 43.735149][ T3612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 [ 43.745449][ T3612] Call Trace: [ 43.748710][ T3612] [ 43.751857][ T3612] dump_stack_lvl+0xcd/0x134 [ 43.756448][ T3612] print_report.cold+0x2ba/0x719 [ 43.762135][ T3612] ? run_unpack+0x8b7/0x970 [ 43.766622][ T3612] kasan_report+0xb1/0x1e0 [ 43.771021][ T3612] ? run_unpack+0x8b7/0x970 [ 43.775504][ T3612] run_unpack+0x8b7/0x970 [ 43.779876][ T3612] ? run_pack+0x1100/0x1100 [ 43.784359][ T3612] ? ntfs_bread_run+0x310/0x310 [ 43.789192][ T3612] run_unpack_ex+0xb0/0x7c0 [ 43.793678][ T3612] ? mi_enum_attr+0x34f/0x630 [ 43.798507][ T3612] ? ni_enum_attr_ex+0x281/0x400 [ 43.803426][ T3612] ? run_unpack+0x970/0x970 [ 43.807907][ T3612] ? ni_fname_type.part.0+0x1e0/0x1e0 [ 43.813257][ T3612] ? mi_read+0x27f/0x5b0 [ 43.817479][ T3612] ntfs_iget5+0xc20/0x3280 [ 43.821873][ T3612] ? ntfs_write_end+0x800/0x800 [ 43.826698][ T3612] ? ntfs_sync_fs+0x400/0x400 [ 43.831369][ T3612] ? destroy_inode+0xc4/0x1b0 [ 43.836027][ T3612] ? iput.part.0+0x55d/0x810 [ 43.840600][ T3612] ntfs_fill_super+0x1ecc/0x37f0 [ 43.845626][ T3612] ? put_ntfs+0x330/0x330 [ 43.849955][ T3612] ? set_blocksize+0x2e5/0x370 [ 43.854701][ T3612] get_tree_bdev+0x440/0x760 [ 43.859278][ T3612] ? put_ntfs+0x330/0x330 [ 43.863589][ T3612] vfs_get_tree+0x89/0x2f0 [ 43.867989][ T3612] path_mount+0x1326/0x1e20 [ 43.872478][ T3612] ? kmem_cache_free+0xeb/0x5b0 [ 43.877329][ T3612] ? finish_automount+0x960/0x960 [ 43.882337][ T3612] ? putname+0xfe/0x140 [ 43.886495][ T3612] __x64_sys_mount+0x27f/0x300 [ 43.891245][ T3612] ? copy_mnt_ns+0xae0/0xae0 [ 43.895817][ T3612] ? lockdep_hardirqs_on+0x79/0x100 [ 43.900999][ T3612] ? _raw_spin_unlock_irq+0x2a/0x40 [ 43.906177][ T3612] ? ptrace_notify+0xfa/0x140 [ 43.911101][ T3612] do_syscall_64+0x35/0xb0 [ 43.915675][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.921551][ T3612] RIP: 0033:0x7f6608e8e89a [ 43.925971][ T3612] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 43.945819][ T3612] RSP: 002b:00007fff69b2dab8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 43.954214][ T3612] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6608e8e89a [ 43.962257][ T3612] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff69b2dad0 [ 43.970214][ T3612] RBP: 00007fff69b2dad0 R08: 00007fff69b2db10 R09: 00005555568f52c0 [ 43.978170][ T3612] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004 [ 43.986119][ T3612] R13: 00007fff69b2db10 R14: 000000000000000c R15: 0000000020000320 [ 43.994248][ T3612] [ 43.997247][ T3612] [ 43.999567][ T3612] Allocated by task 2971: [ 44.003970][ T3612] kasan_save_stack+0x1e/0x40 [ 44.008629][ T3612] __kasan_kmalloc+0xa9/0xd0 [ 44.013201][ T3612] sk_prot_alloc+0x143/0x290 [ 44.017784][ T3612] sk_alloc+0x36/0x770 [ 44.021833][ T3612] __netlink_create+0x63/0x380 [ 44.026595][ T3612] netlink_create+0x3ad/0x5e0 [ 44.031263][ T3612] __sock_create+0x355/0x790 [ 44.035833][ T3612] __sys_socket+0x12f/0x240 [ 44.040490][ T3612] __x64_sys_socket+0x6f/0xb0 [ 44.045144][ T3612] do_syscall_64+0x35/0xb0 [ 44.049545][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.055481][ T3612] [ 44.057805][ T3612] Freed by task 22: [ 44.061588][ T3612] kasan_save_stack+0x1e/0x40 [ 44.066247][ T3612] kasan_set_track+0x21/0x30 [ 44.070814][ T3612] kasan_set_free_info+0x20/0x30 [ 44.075732][ T3612] ____kasan_slab_free+0x166/0x1c0 [ 44.080822][ T3612] slab_free_freelist_hook+0x8b/0x1c0 [ 44.086172][ T3612] kfree+0xe2/0x580 [ 44.090041][ T3612] __sk_destruct+0x5e0/0x710 [ 44.094722][ T3612] __sk_free+0x175/0x460 [ 44.098943][ T3612] sk_free+0x78/0xa0 [ 44.102816][ T3612] deferred_put_nlk_sk+0x151/0x2f0 [ 44.107909][ T3612] rcu_core+0x7b5/0x1890 [ 44.112132][ T3612] __do_softirq+0x1d3/0x9c6 [ 44.116619][ T3612] [ 44.118922][ T3612] Last potentially related work creation: [ 44.124611][ T3612] kasan_save_stack+0x1e/0x40 [ 44.129442][ T3612] __kasan_record_aux_stack+0xbe/0xd0 [ 44.134794][ T3612] call_rcu+0x99/0x790 [ 44.138842][ T3612] netlink_release+0xeff/0x1db0 [ 44.143689][ T3612] __sock_release+0xcd/0x280 [ 44.148258][ T3612] sock_close+0x18/0x20 [ 44.152393][ T3612] __fput+0x277/0x9d0 [ 44.156439][ T3612] task_work_run+0xdd/0x1a0 [ 44.160923][ T3612] do_exit+0xad5/0x29b0 [ 44.165056][ T3612] do_group_exit+0xd2/0x2f0 [ 44.169852][ T3612] __x64_sys_exit_group+0x3a/0x50 [ 44.174856][ T3612] do_syscall_64+0x35/0xb0 [ 44.179250][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.185126][ T3612] [ 44.187444][ T3612] The buggy address belongs to the object at ffff88807f395000 [ 44.187444][ T3612] which belongs to the cache kmalloc-2k of size 2048 [ 44.202123][ T3612] The buggy address is located 272 bytes inside of [ 44.202123][ T3612] 2048-byte region [ffff88807f395000, ffff88807f395800) [ 44.215642][ T3612] [ 44.217948][ T3612] The buggy address belongs to the physical page: [ 44.224335][ T3612] page:ffffea0001fce400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f390 [ 44.234466][ T3612] head:ffffea0001fce400 order:3 compound_mapcount:0 compound_pincount:0 [ 44.242914][ T3612] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 44.250879][ T3612] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011842000 [ 44.259527][ T3612] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 44.268084][ T3612] page dumped because: kasan: bad access detected [ 44.274558][ T3612] page_owner tracks the page as allocated [ 44.280243][ T3612] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2956, tgid 2956 (acpid), ts 11123423947, free_ts 10139579660 [ 44.300972][ T3612] get_page_from_freelist+0x109b/0x2ce0 [ 44.306587][ T3612] __alloc_pages+0x1c7/0x510 [ 44.311209][ T3612] alloc_pages+0x1a6/0x270 [ 44.315662][ T3612] allocate_slab+0x27e/0x3d0 [ 44.320228][ T3612] ___slab_alloc+0x7f1/0xe10 [ 44.324795][ T3612] __slab_alloc.constprop.0+0x4d/0xa0 [ 44.330144][ T3612] __kmalloc_node+0x2e2/0x380 [ 44.334883][ T3612] kvmalloc_node+0x3f/0x1b0 [ 44.339453][ T3612] evdev_open+0x117/0x6a0 [ 44.343863][ T3612] chrdev_open+0x266/0x770 [ 44.348264][ T3612] do_dentry_open+0x4a4/0x13a0 [ 44.353014][ T3612] path_openat+0x1c92/0x28f0 [ 44.357587][ T3612] do_filp_open+0x1b6/0x400 [ 44.362071][ T3612] do_sys_openat2+0x16d/0x4c0 [ 44.366723][ T3612] __x64_sys_openat+0x13f/0x1f0 [ 44.371551][ T3612] do_syscall_64+0x35/0xb0 [ 44.375962][ T3612] page last free stack trace: [ 44.380619][ T3612] free_pcp_prepare+0x5e4/0xd20 [ 44.385628][ T3612] free_unref_page+0x19/0x4d0 [ 44.390380][ T3612] free_contig_range+0xb1/0x180 [ 44.395213][ T3612] destroy_args+0xa8/0x646 [ 44.399610][ T3612] debug_vm_pgtable+0x2945/0x29d6 [ 44.404614][ T3612] do_one_initcall+0xfe/0x650 [ 44.409272][ T3612] kernel_init_freeable+0x6b1/0x73a [ 44.414460][ T3612] kernel_init+0x1a/0x1d0 [ 44.418773][ T3612] ret_from_fork+0x1f/0x30 [ 44.423172][ T3612] [ 44.425470][ T3612] Memory state around the buggy address: [ 44.431073][ T3612] ffff88807f395000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.439110][ T3612] ffff88807f395080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.447144][ T3612] >ffff88807f395100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.455184][ T3612] ^ [ 44.459746][ T3612] ffff88807f395180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.467791][ T3612] ffff88807f395200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.475839][ T3612] ================================================================== [ 44.484130][ T3612] Kernel panic - not syncing: panic_on_warn set ... [ 44.490721][ T3612] CPU: 1 PID: 3612 Comm: syz-executor150 Not tainted 6.0.0-syzkaller #0 [ 44.499040][ T3612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 [ 44.509172][ T3612] Call Trace: [ 44.512440][ T3612] [ 44.515359][ T3612] dump_stack_lvl+0xcd/0x134 [ 44.519950][ T3612] panic+0x2c8/0x627 [ 44.523837][ T3612] ? panic_print_sys_info.part.0+0x10b/0x10b [ 44.529808][ T3612] ? preempt_schedule_common+0x59/0xc0 [ 44.535256][ T3612] ? preempt_schedule_thunk+0x16/0x18 [ 44.540621][ T3612] ? run_unpack+0x8b7/0x970 [ 44.545113][ T3612] end_report.part.0+0x3f/0x7c [ 44.549869][ T3612] kasan_report.cold+0xa/0xf [ 44.554451][ T3612] ? run_unpack+0x8b7/0x970 [ 44.558942][ T3612] run_unpack+0x8b7/0x970 [ 44.563260][ T3612] ? run_pack+0x1100/0x1100 [ 44.567752][ T3612] ? ntfs_bread_run+0x310/0x310 [ 44.572593][ T3612] run_unpack_ex+0xb0/0x7c0 [ 44.577085][ T3612] ? mi_enum_attr+0x34f/0x630 [ 44.581748][ T3612] ? ni_enum_attr_ex+0x281/0x400 [ 44.586675][ T3612] ? run_unpack+0x970/0x970 [ 44.591169][ T3612] ? ni_fname_type.part.0+0x1e0/0x1e0 [ 44.596533][ T3612] ? mi_read+0x27f/0x5b0 [ 44.600763][ T3612] ntfs_iget5+0xc20/0x3280 [ 44.605186][ T3612] ? ntfs_write_end+0x800/0x800 [ 44.610022][ T3612] ? ntfs_sync_fs+0x400/0x400 [ 44.614684][ T3612] ? destroy_inode+0xc4/0x1b0 [ 44.619350][ T3612] ? iput.part.0+0x55d/0x810 [ 44.623933][ T3612] ntfs_fill_super+0x1ecc/0x37f0 [ 44.628865][ T3612] ? put_ntfs+0x330/0x330 [ 44.633187][ T3612] ? set_blocksize+0x2e5/0x370 [ 44.637942][ T3612] get_tree_bdev+0x440/0x760 [ 44.642611][ T3612] ? put_ntfs+0x330/0x330 [ 44.646930][ T3612] vfs_get_tree+0x89/0x2f0 [ 44.651336][ T3612] path_mount+0x1326/0x1e20 [ 44.655832][ T3612] ? kmem_cache_free+0xeb/0x5b0 [ 44.660674][ T3612] ? finish_automount+0x960/0x960 [ 44.665689][ T3612] ? putname+0xfe/0x140 [ 44.669833][ T3612] __x64_sys_mount+0x27f/0x300 [ 44.674672][ T3612] ? copy_mnt_ns+0xae0/0xae0 [ 44.679250][ T3612] ? lockdep_hardirqs_on+0x79/0x100 [ 44.684459][ T3612] ? _raw_spin_unlock_irq+0x2a/0x40 [ 44.689741][ T3612] ? ptrace_notify+0xfa/0x140 [ 44.694500][ T3612] do_syscall_64+0x35/0xb0 [ 44.698998][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.704976][ T3612] RIP: 0033:0x7f6608e8e89a [ 44.709384][ T3612] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 44.729068][ T3612] RSP: 002b:00007fff69b2dab8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 44.737468][ T3612] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6608e8e89a [ 44.745424][ T3612] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff69b2dad0 [ 44.753381][ T3612] RBP: 00007fff69b2dad0 R08: 00007fff69b2db10 R09: 00005555568f52c0 [ 44.761342][ T3612] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004 [ 44.769300][ T3612] R13: 00007fff69b2db10 R14: 000000000000000c R15: 0000000020000320 [ 44.777264][ T3612] [ 44.780977][ T3612] Kernel Offset: disabled [ 44.785288][ T3612] Rebooting in 86400 seconds..