./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4200477070 <...> DUID 00:04:76:8b:f6:84:a4:3b:36:39:6c:68:e7:10:38:dd:b7:2c forked to background, child pid 4645 [ 31.953250][ T4646] 8021q: adding VLAN 0 to HW filter on device bond0 [ 31.968764][ T4646] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.99' (ECDSA) to the list of known hosts. execve("./syz-executor4200477070", ["./syz-executor4200477070"], 0x7ffeb52336d0 /* 10 vars */) = 0 brk(NULL) = 0x555556693000 brk(0x555556693c40) = 0x555556693c40 arch_prctl(ARCH_SET_FS, 0x555556693300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor4200477070", 4096) = 28 brk(0x5555566b4c40) = 0x5555566b4c40 brk(0x5555566b5000) = 0x5555566b5000 mprotect(0x7f4b7a9e1000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4b72527000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 munmap(0x7f4b72527000, 1048576) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file0", 0777) = 0 mount("/dev/loop0", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 creat("./file1", 000) = 4 syzkaller login: [ 51.554281][ T5067] loop0: detected capacity change from 0 to 2048 [ 51.585708][ T5067] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. [ 51.613574][ T5067] ================================================================== [ 51.621663][ T5067] BUG: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 [ 51.629041][ T5067] Read of size 4 at addr ffff888073644750 by task syz-executor420/5067 [ 51.637277][ T5067] [ 51.639614][ T5067] CPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0 [ 51.648279][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 51.658340][ T5067] Call Trace: [ 51.661619][ T5067] [ 51.664542][ T5067] dump_stack_lvl+0x1b1/0x290 [ 51.669674][ T5067] ? nf_tcp_handle_invalid+0x630/0x630 [ 51.675130][ T5067] ? __wake_up_klogd+0xcd/0x100 [ 51.679981][ T5067] ? panic+0x710/0x710 [ 51.684040][ T5067] ? _printk+0xc0/0x100 [ 51.688195][ T5067] ? _raw_spin_lock_irqsave+0x8e/0x100 [ 51.693653][ T5067] print_address_description+0x74/0x340 [ 51.699202][ T5067] print_report+0x107/0x1f0 [ 51.703703][ T5067] ? __virt_addr_valid+0x21b/0x2d0 [ 51.708809][ T5067] ? __phys_addr+0xb5/0x160 [ 51.713306][ T5067] ? ext4_find_extent+0x76e/0xd90 [ 51.718336][ T5067] kasan_report+0xcd/0x100 [ 51.722750][ T5067] ? ext4_find_extent+0x76e/0xd90 [ 51.727772][ T5067] ext4_find_extent+0x76e/0xd90 [ 51.732626][ T5067] ext4_clu_mapped+0x117/0x970 [ 51.737402][ T5067] ? ext4_es_lookup_extent+0x36c/0x720 [ 51.742878][ T5067] ? __down_read_common+0x156/0x2a0 [ 51.748080][ T5067] ext4_da_get_block_prep+0x9e8/0x13c0 [ 51.753548][ T5067] ? trace_ext4_da_release_space+0x2f0/0x2f0 [ 51.759534][ T5067] ? __lock_acquire+0x1f60/0x1f60 [ 51.764574][ T5067] ? folio_attach_private+0xd9/0x200 [ 51.769859][ T5067] ? do_raw_spin_unlock+0x134/0x8a0 [ 51.775054][ T5067] ? xas_load+0x135/0x150 [ 51.779377][ T5067] ext4_block_write_begin+0x6a8/0x2290 [ 51.784838][ T5067] ? trace_ext4_da_release_space+0x2f0/0x2f0 [ 51.790828][ T5067] ? trace_ext4_write_begin+0x300/0x300 [ 51.796366][ T5067] ? PageHeadHuge+0x8a/0x1d0 [ 51.800948][ T5067] ext4_da_write_begin+0x539/0x760 [ 51.806060][ T5067] ? ext4_dirty_folio+0x340/0x340 [ 51.811081][ T5067] ? fault_in_iov_iter_readable+0xe6/0x2a0 [ 51.816905][ T5067] generic_perform_write+0x2e4/0x5e0 [ 51.822191][ T5067] ? ext4_da_write_begin+0x760/0x760 [ 51.827555][ T5067] ? generic_file_direct_write+0x610/0x610 [ 51.833444][ T5067] ? down_read_killable+0x80/0x80 [ 51.838465][ T5067] ? ext4_write_checks+0x254/0x2c0 [ 51.843569][ T5067] ext4_buffered_write_iter+0x122/0x3a0 [ 51.849114][ T5067] ext4_file_write_iter+0x1d0/0x18f0 [ 51.854403][ T5067] ? read_lock_is_recursive+0x10/0x10 [ 51.859780][ T5067] ? ext4_file_read_iter+0x660/0x660 [ 51.865142][ T5067] ? apparmor_file_permission+0x2da/0x310 [ 51.870861][ T5067] vfs_write+0x7dc/0xc50 [ 51.875104][ T5067] ? file_end_write+0x230/0x230 [ 51.879949][ T5067] ? ptrace_stop+0x74d/0x970 [ 51.884537][ T5067] ? _raw_spin_unlock_irq+0x2a/0x40 [ 51.889821][ T5067] ? __fdget_pos+0x252/0x2e0 [ 51.894405][ T5067] ksys_write+0x177/0x2a0 [ 51.898820][ T5067] ? __ia32_sys_read+0x80/0x80 [ 51.903581][ T5067] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 51.909555][ T5067] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 51.915527][ T5067] do_syscall_64+0x3d/0xb0 [ 51.919941][ T5067] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.925862][ T5067] RIP: 0033:0x7f4b7a9737b9 [ 51.930267][ T5067] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 51.949870][ T5067] RSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 51.958380][ T5067] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9 [ 51.966342][ T5067] RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004 [ 51.974301][ T5067] RBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000 [ 51.982260][ T5067] R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0 [ 51.990220][ T5067] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 51.998189][ T5067] [ 52.001195][ T5067] [ 52.003506][ T5067] The buggy address belongs to the physical page: [ 52.009905][ T5067] page:ffffea0001cd9100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x73644 [ 52.020042][ T5067] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 52.027143][ T5067] raw: 00fff00000000000 ffffea0001cd9148 ffffea0001cd90c8 0000000000000000 [ 52.035713][ T5067] raw: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 [ 52.044286][ T5067] page dumped because: kasan: bad access detected [ 52.050683][ T5067] page_owner tracks the page as freed [ 52.056123][ T5067] page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 12379768059, free_ts 13547634018 [ 52.071041][ T5067] split_map_pages+0x25b/0x540 [ 52.075802][ T5067] isolate_freepages_range+0x4ac/0x510 [ 52.081253][ T5067] alloc_contig_range+0x6a9/0x980 [ 52.086273][ T5067] alloc_contig_pages+0x3c8/0x4e0 [ 52.091287][ T5067] debug_vm_pgtable_alloc_huge_page+0xcd/0x120 [ 52.097433][ T5067] init_args+0xa3a/0xdc0 [ 52.101688][ T5067] debug_vm_pgtable+0x9a/0x4a0 [ 52.106446][ T5067] do_one_initcall+0x1d1/0x410 [ 52.111201][ T5067] do_initcall_level+0x168/0x220 [ 52.116133][ T5067] do_initcalls+0x43/0x90 [ 52.120457][ T5067] kernel_init_freeable+0x428/0x5e0 [ 52.125644][ T5067] kernel_init+0x19/0x2b0 [ 52.129963][ T5067] ret_from_fork+0x1f/0x30 [ 52.134390][ T5067] page last free stack trace: [ 52.139058][ T5067] free_pcp_prepare+0x751/0x780 [ 52.143919][ T5067] free_unref_page+0x19/0x4c0 [ 52.148602][ T5067] free_contig_range+0xa3/0x160 [ 52.153463][ T5067] destroy_args+0xfe/0x940 [ 52.157981][ T5067] debug_vm_pgtable+0x43d/0x4a0 [ 52.162840][ T5067] do_one_initcall+0x1d1/0x410 [ 52.167605][ T5067] do_initcall_level+0x168/0x220 [ 52.172549][ T5067] do_initcalls+0x43/0x90 [ 52.176882][ T5067] kernel_init_freeable+0x428/0x5e0 [ 52.182080][ T5067] kernel_init+0x19/0x2b0 [ 52.186428][ T5067] ret_from_fork+0x1f/0x30 [ 52.190844][ T5067] [ 52.193160][ T5067] Memory state around the buggy address: [ 52.198778][ T5067] ffff888073644600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.206828][ T5067] ffff888073644680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.214965][ T5067] >ffff888073644700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.223008][ T5067] ^ [ 52.229666][ T5067] ffff888073644780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.237718][ T5067] ffff888073644800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.245850][ T5067] ================================================================== [ 52.259657][ T5067] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 52.266875][ T5067] CPU: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0 [ 52.275540][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 52.285587][ T5067] Call Trace: [ 52.288859][ T5067] [ 52.291779][ T5067] dump_stack_lvl+0x1b1/0x290 [ 52.296459][ T5067] ? nf_tcp_handle_invalid+0x630/0x630 [ 52.301915][ T5067] ? panic+0x710/0x710 [ 52.305974][ T5067] ? lock_release+0x81/0x820 [ 52.310563][ T5067] ? vscnprintf+0x59/0x80 [ 52.314893][ T5067] panic+0x2d6/0x710 [ 52.318778][ T5067] ? check_panic_on_warn+0x1d/0xa0 [ 52.323897][ T5067] ? memcpy_page_flushcache+0x100/0x100 [ 52.329446][ T5067] ? _raw_spin_unlock_irqrestore+0x110/0x120 [ 52.335431][ T5067] ? _raw_spin_unlock+0x40/0x40 [ 52.340286][ T5067] ? print_report+0x1b4/0x1f0 [ 52.344966][ T5067] check_panic_on_warn+0x80/0xa0 [ 52.349902][ T5067] ? ext4_find_extent+0x76e/0xd90 [ 52.354925][ T5067] end_report+0x47/0x90 [ 52.359077][ T5067] kasan_report+0xda/0x100 [ 52.363500][ T5067] ? ext4_find_extent+0x76e/0xd90 [ 52.368525][ T5067] ext4_find_extent+0x76e/0xd90 [ 52.373380][ T5067] ext4_clu_mapped+0x117/0x970 [ 52.378135][ T5067] ? ext4_es_lookup_extent+0x36c/0x720 [ 52.383590][ T5067] ? __down_read_common+0x156/0x2a0 [ 52.388894][ T5067] ext4_da_get_block_prep+0x9e8/0x13c0 [ 52.394355][ T5067] ? trace_ext4_da_release_space+0x2f0/0x2f0 [ 52.400332][ T5067] ? __lock_acquire+0x1f60/0x1f60 [ 52.405350][ T5067] ? folio_attach_private+0xd9/0x200 [ 52.410634][ T5067] ? do_raw_spin_unlock+0x134/0x8a0 [ 52.415856][ T5067] ? xas_load+0x135/0x150 [ 52.420180][ T5067] ext4_block_write_begin+0x6a8/0x2290 [ 52.425638][ T5067] ? trace_ext4_da_release_space+0x2f0/0x2f0 [ 52.432076][ T5067] ? trace_ext4_write_begin+0x300/0x300 [ 52.437615][ T5067] ? PageHeadHuge+0x8a/0x1d0 [ 52.442217][ T5067] ext4_da_write_begin+0x539/0x760 [ 52.447326][ T5067] ? ext4_dirty_folio+0x340/0x340 [ 52.452344][ T5067] ? fault_in_iov_iter_readable+0xe6/0x2a0 [ 52.458155][ T5067] generic_perform_write+0x2e4/0x5e0 [ 52.463439][ T5067] ? ext4_da_write_begin+0x760/0x760 [ 52.468724][ T5067] ? generic_file_direct_write+0x610/0x610 [ 52.474524][ T5067] ? down_read_killable+0x80/0x80 [ 52.479558][ T5067] ? ext4_write_checks+0x254/0x2c0 [ 52.484680][ T5067] ext4_buffered_write_iter+0x122/0x3a0 [ 52.490224][ T5067] ext4_file_write_iter+0x1d0/0x18f0 [ 52.496480][ T5067] ? read_lock_is_recursive+0x10/0x10 [ 52.501858][ T5067] ? ext4_file_read_iter+0x660/0x660 [ 52.507137][ T5067] ? apparmor_file_permission+0x2da/0x310 [ 52.512866][ T5067] vfs_write+0x7dc/0xc50 [ 52.517199][ T5067] ? file_end_write+0x230/0x230 [ 52.522134][ T5067] ? ptrace_stop+0x74d/0x970 [ 52.526731][ T5067] ? _raw_spin_unlock_irq+0x2a/0x40 [ 52.532097][ T5067] ? __fdget_pos+0x252/0x2e0 [ 52.536685][ T5067] ksys_write+0x177/0x2a0 [ 52.541019][ T5067] ? __ia32_sys_read+0x80/0x80 [ 52.545774][ T5067] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 52.551744][ T5067] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 52.557717][ T5067] do_syscall_64+0x3d/0xb0 [ 52.562130][ T5067] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.568014][ T5067] RIP: 0033:0x7f4b7a9737b9 [ 52.572417][ T5067] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 52.592025][ T5067] RSP: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 52.600464][ T5067] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9 [ 52.608434][ T5067] RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004 [ 52.616600][ T5067] RBP: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000 [ 52.624650][ T5067] R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0 [ 52.632609][ T5067] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 52.640577][ T5067] [ 52.643847][ T5067] Kernel Offset: disabled [ 52.648161][ T5067] Rebooting in 86400 seconds..