./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor220224827 <...> forked to background, child pid 3184 no interfaces have a carri[ 22.791888][ T3185] 8021q: adding VLAN 0 to HW filter on device bond0 er [ 22.806180][ T3185] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts. execve("./syz-executor220224827", ["./syz-executor220224827"], 0x7ffc34a92110 /* 10 vars */) = 0 brk(NULL) = 0x5555556ce000 brk(0x5555556ced00) = 0x5555556ced00 arch_prctl(ARCH_SET_FS, 0x5555556ce3c0) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor220224827", 4096) = 27 brk(0x5555556efd00) = 0x5555556efd00 brk(0x5555556f0000) = 0x5555556f0000 mprotect(0x7f8e61184000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f8e610d50a0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8e610d5d20}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f8e610d50a0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8e610d5d20}, NULL, 8) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3606 attached , child_tidptr=0x5555556ce690) = 3606 [pid 3605] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3606] openat(AT_FDCWD, "/dev/loop0", O_RDWR./strace-static-x86_64: Process 3607 attached [pid 3605] <... clone resumed>, child_tidptr=0x5555556ce690) = 3607 [pid 3605] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3606] <... openat resumed>) = 3 ./strace-static-x86_64: Process 3608 attached [pid 3607] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 3606] ioctl(3, LOOP_CLR_FD [pid 3605] <... clone resumed>, child_tidptr=0x5555556ce690) = 3608 [pid 3608] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 3607] <... openat resumed>) = 3 [pid 3606] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 3607] ioctl(3, LOOP_CLR_FD [pid 3606] close(3 [pid 3607] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 3606] <... close resumed>) = 0 [pid 3607] close(3 [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3607] <... close resumed>) = 0 [pid 3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3606] <... clone resumed>, child_tidptr=0x5555556ce690) = 3609 [pid 3607] <... clone resumed>, child_tidptr=0x5555556ce690) = 3610 ./strace-static-x86_64: Process 3610 attached [pid 3610] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3610] setpgid(0, 0) = 0 [pid 3610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3610] write(3, "1000", 4) = 4 [pid 3610] close(3) = 0 [pid 3610] mkdir("./file0", 0777./strace-static-x86_64: Process 3609 attached [pid 3605] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3608] <... openat resumed>) = 3 [pid 3608] ioctl(3, LOOP_CLR_FD [pid 3605] <... clone resumed>, child_tidptr=0x5555556ce690) = 3611 [pid 3608] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 3605] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3609] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3608] close(3 [pid 3609] <... prctl resumed>) = 0 [pid 3608] <... close resumed>) = 0 [pid 3605] <... clone resumed>, child_tidptr=0x5555556ce690) = 3612 [pid 3609] setpgid(0, 0 [pid 3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3605] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3610] <... mkdir resumed>) = 0 [pid 3610] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3608] <... clone resumed>, child_tidptr=0x5555556ce690) = 3613 [pid 3609] <... setpgid resumed>) = 0 [pid 3605] <... clone resumed>, child_tidptr=0x5555556ce690) = 3614 [pid 3610] pipe2( [pid 3609] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3610] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3609] <... openat resumed>) = 3 ./strace-static-x86_64: Process 3612 attached [pid 3610] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,version=9p2000.u,privport,noextend," [pid 3609] write(3, "1000", 4./strace-static-x86_64: Process 3614 attached ./strace-static-x86_64: Process 3613 attached ./strace-static-x86_64: Process 3611 attached [pid 3612] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 3609] <... write resumed>) = 4 [pid 3614] openat(AT_FDCWD, "/dev/loop5", O_RDWR [pid 3613] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3612] <... openat resumed>) = 3 [pid 3611] openat(AT_FDCWD, "/dev/loop3", O_RDWR [pid 3609] close(3 [pid 3614] <... openat resumed>) = 3 [pid 3613] <... prctl resumed>) = 0 [pid 3612] ioctl(3, LOOP_CLR_FD [pid 3611] <... openat resumed>) = 3 [pid 3609] <... close resumed>) = 0 [pid 3614] ioctl(3, LOOP_CLR_FD [pid 3613] setpgid(0, 0 [pid 3612] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 3611] ioctl(3, LOOP_CLR_FD [pid 3609] mkdir("./file0", 0777 [pid 3614] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 3613] <... setpgid resumed>) = 0 [pid 3612] close(3 [pid 3611] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 3609] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3614] close(3 [pid 3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3612] <... close resumed>) = 0 [pid 3611] close(3 [pid 3609] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3614] <... close resumed>) = 0 [pid 3613] <... openat resumed>) = 3 [pid 3612] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3611] <... close resumed>) = 0 [pid 3609] pipe2( [pid 3614] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3613] write(3, "1000", 4 [pid 3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3609] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3613] <... write resumed>) = 4 [pid 3612] <... clone resumed>, child_tidptr=0x5555556ce690) = 3616 [pid 3614] <... clone resumed>, child_tidptr=0x5555556ce690) = 3618 [pid 3613] close(3 [pid 3609] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,version=9p2000.u,privport,noextend,"./strace-static-x86_64: Process 3616 attached [pid 3613] <... close resumed>) = 0 [pid 3611] <... clone resumed>, child_tidptr=0x5555556ce690) = 3619 [pid 3616] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3613] mkdir("./file0", 0777./strace-static-x86_64: Process 3619 attached ./strace-static-x86_64: Process 3618 attached [pid 3616] <... prctl resumed>) = 0 [pid 3613] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3619] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3618] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3616] setpgid(0, 0 [pid 3613] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3619] <... prctl resumed>) = 0 [pid 3618] <... prctl resumed>) = 0 [pid 3616] <... setpgid resumed>) = 0 [pid 3613] pipe2( [pid 3619] setpgid(0, 0 [pid 3618] setpgid(0, 0 [pid 3616] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3613] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3619] <... setpgid resumed>) = 0 [pid 3618] <... setpgid resumed>) = 0 [pid 3616] <... openat resumed>) = 3 [pid 3613] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,version=9p2000.u,privport,noextend," [pid 3619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3618] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3616] write(3, "1000", 4 [pid 3619] <... openat resumed>) = 3 [pid 3618] <... openat resumed>) = 3 [pid 3616] <... write resumed>) = 4 [pid 3619] write(3, "1000", 4 [pid 3618] write(3, "1000", 4 [pid 3616] close(3 [pid 3619] <... write resumed>) = 4 [pid 3618] <... write resumed>) = 4 [pid 3616] <... close resumed>) = 0 [pid 3619] close(3 [pid 3618] close(3 [pid 3616] mkdir("./file0", 0777 [pid 3619] <... close resumed>) = 0 [pid 3618] <... close resumed>) = 0 [pid 3616] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3619] mkdir("./file0", 0777 [pid 3618] mkdir("./file0", 0777 [pid 3616] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3619] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3618] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 3616] pipe2( [pid 3619] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3618] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3616] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3619] pipe2( [pid 3618] pipe2( [pid 3616] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,version=9p2000.u,privport,noextend," [pid 3619] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3618] <... pipe2 resumed>[3, 4], 0) = 0 [pid 3619] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,version=9p2000.u,privport,noextend," [pid 3618] mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,version=9p2000.u,privport,noextend," [pid 3610] <... mount resumed>) = -1 EFAULT (Bad address) [pid 3610] exit_group(0) = ? [pid 3610] +++ exited with 0 +++ [pid 3607] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3610, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- [pid 3607] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 3607] openat(AT_FDCWD, "/dev/loop1", O_RDWR) = 3 [pid 3607] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 3607] close(3) = 0 [pid 3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ce690) = 3620 ./strace-static-x86_64: Process 3620 attached [pid 3620] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3620] setpgid(0, 0) = 0 [pid 3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3620] write(3, "1000", 4) = 4 [pid 3620] close(3) = 0 [pid 3620] mkdir("./file0", 0777) = -1 EEXIST (File exists) [pid 3620] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 3620] pipe2([3, 4], 0) = 0 syzkaller login: [ 42.996017][ T3609] ================================================================== [ 43.004386][ T3609] BUG: KASAN: use-after-free in __kernfs_remove+0xa09/0xb50 [ 43.011710][ T3609] Read of size 2 at addr ffff888017469e30 by task syz-executor220/3609 [ 43.020053][ T3609] [ 43.022471][ T3609] CPU: 0 PID: 3609 Comm: syz-executor220 Not tainted 6.0.0-rc6-syzkaller-00210-gbf682942cd26 #0 [ 43.032876][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 43.043205][ T3609] Call Trace: [ 43.046498][ T3609] [ 43.049439][ T3609] dump_stack_lvl+0xcd/0x134 [ 43.054050][ T3609] print_report.cold+0x2ba/0x719 [ 43.059001][ T3609] ? __kernfs_remove+0xa09/0xb50 [ 43.063936][ T3609] kasan_report+0xb1/0x1e0 [ 43.068371][ T3609] ? __kernfs_remove+0xa09/0xb50 [ 43.073390][ T3609] __kernfs_remove+0xa09/0xb50 [ 43.078177][ T3609] ? kernfs_next_descendant_post+0x2f0/0x2f0 [ 43.084196][ T3609] ? kernfs_name_hash+0xf1/0x120 [ 43.089154][ T3609] kernfs_remove_by_name_ns+0xa8/0x110 [ 43.094712][ T3609] sysfs_slab_add+0x14b/0x200 [ 43.099397][ T3609] __kmem_cache_create+0x509/0x690 [ 43.104505][ T3609] kmem_cache_create_usercopy+0x1f9/0x300 [ 43.110217][ T3609] p9_client_create+0xca5/0x1070 [ 43.115153][ T3609] ? p9_client_rpc+0xce0/0xce0 [ 43.119910][ T3609] ? lockdep_init_map_type+0x21a/0x7f0 [ 43.125360][ T3609] ? rcu_read_lock_sched_held+0x3a/0x70 [ 43.130901][ T3609] ? __raw_spin_lock_init+0x36/0x110 [ 43.136192][ T3609] v9fs_session_init+0x1e2/0x1810 [ 43.141215][ T3609] ? find_held_lock+0x2d/0x110 [ 43.145971][ T3609] ? v9fs_show_options+0x780/0x780 [ 43.151165][ T3609] ? rcu_read_lock_sched_held+0x3a/0x70 [ 43.156705][ T3609] ? trace_kmalloc+0x32/0x100 [ 43.161379][ T3609] v9fs_mount+0xba/0xc90 [ 43.165618][ T3609] ? v9fs_statfs+0x4d0/0x4d0 [ 43.170287][ T3609] ? apparmor_capable+0x1d8/0x460 [ 43.175304][ T3609] ? v9fs_statfs+0x4d0/0x4d0 [ 43.179887][ T3609] legacy_get_tree+0x105/0x220 [ 43.184649][ T3609] vfs_get_tree+0x89/0x2f0 [ 43.189147][ T3609] path_mount+0x1326/0x1e20 [ 43.193652][ T3609] ? kmem_cache_free+0xeb/0x5b0 [ 43.198759][ T3609] ? finish_automount+0x960/0x960 [ 43.203783][ T3609] ? putname+0xfe/0x140 [ 43.208024][ T3609] __x64_sys_mount+0x27f/0x300 [ 43.212790][ T3609] ? copy_mnt_ns+0xae0/0xae0 [ 43.217461][ T3609] ? lockdep_hardirqs_on+0x79/0x100 [ 43.222658][ T3609] ? _raw_spin_unlock_irq+0x2a/0x40 [ 43.227850][ T3609] ? ptrace_notify+0xfa/0x140 [ 43.232520][ T3609] do_syscall_64+0x35/0xb0 [ 43.236929][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.242818][ T3609] RIP: 0033:0x7f8e611180c9 [ 43.247233][ T3609] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 43.266838][ T3609] RSP: 002b:00007ffe0f9321f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 43.275245][ T3609] RAX: ffffffffffffffda RBX: 00007ffe0f932230 RCX: 00007f8e611180c9 [ 43.283209][ T3609] RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000000000000 [ 43.291176][ T3609] RBP: 0000000000000000 R08: 00000000200003c0 R09: 0000000000000000 [ 43.299144][ T3609] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000f4240 [ 43.307109][ T3609] R13: 0000000000000000 R14: 00007ffe0f93221c R15: 00007ffe0f932220 [ 43.315081][ T3609] [ 43.318108][ T3609] [ 43.320423][ T3609] Allocated by task 3610: [ 43.325516][ T3609] kasan_save_stack+0x1e/0x40 [ 43.330189][ T3609] __kasan_slab_alloc+0x90/0xc0 [ 43.335037][ T3609] kmem_cache_alloc+0x267/0x3b0 [ 43.339877][ T3609] __kernfs_new_node+0xd4/0x8b0 [ 43.344718][ T3609] kernfs_create_dir_ns+0x9c/0x220 [ 43.349819][ T3609] sysfs_create_dir_ns+0x127/0x290 [ 43.354918][ T3609] kobject_add_internal+0x2c9/0x8f0 [ 43.360108][ T3609] kobject_init_and_add+0x101/0x160 [ 43.365294][ T3609] sysfs_slab_add+0x16e/0x200 [ 43.369960][ T3609] __kmem_cache_create+0x509/0x690 [ 43.375058][ T3609] kmem_cache_create_usercopy+0x1f9/0x300 [ 43.380768][ T3609] p9_client_create+0xca5/0x1070 [ 43.385696][ T3609] v9fs_session_init+0x1e2/0x1810 [ 43.390713][ T3609] v9fs_mount+0xba/0xc90 [ 43.394942][ T3609] legacy_get_tree+0x105/0x220 [ 43.399788][ T3609] vfs_get_tree+0x89/0x2f0 [ 43.404200][ T3609] path_mount+0x1326/0x1e20 [ 43.408693][ T3609] __x64_sys_mount+0x27f/0x300 [ 43.413453][ T3609] do_syscall_64+0x35/0xb0 [ 43.417861][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.423752][ T3609] [ 43.426061][ T3609] Freed by task 3609: [ 43.430023][ T3609] kasan_save_stack+0x1e/0x40 [ 43.434692][ T3609] kasan_set_track+0x21/0x30 [ 43.439271][ T3609] kasan_set_free_info+0x20/0x30 [ 43.444218][ T3609] ____kasan_slab_free+0x166/0x1c0 [ 43.449320][ T3609] slab_free_freelist_hook+0x8b/0x1c0 [ 43.454677][ T3609] kmem_cache_free+0xeb/0x5b0 [ 43.459338][ T3609] kernfs_put.part.0+0x2c4/0x540 [ 43.464266][ T3609] kernfs_put+0x42/0x50 [ 43.468410][ T3609] __kernfs_remove+0x7a6/0xb50 [ 43.473162][ T3609] kernfs_remove_by_name_ns+0xa8/0x110 [ 43.478616][ T3609] sysfs_slab_add+0x14b/0x200 [ 43.483280][ T3609] __kmem_cache_create+0x509/0x690 [ 43.488380][ T3609] kmem_cache_create_usercopy+0x1f9/0x300 [ 43.494089][ T3609] p9_client_create+0xca5/0x1070 [ 43.499017][ T3609] v9fs_session_init+0x1e2/0x1810 [ 43.504033][ T3609] v9fs_mount+0xba/0xc90 [ 43.508263][ T3609] legacy_get_tree+0x105/0x220 [ 43.513017][ T3609] vfs_get_tree+0x89/0x2f0 [ 43.517423][ T3609] path_mount+0x1326/0x1e20 [ 43.521918][ T3609] __x64_sys_mount+0x27f/0x300 [ 43.526759][ T3609] do_syscall_64+0x35/0xb0 [ 43.531164][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.537051][ T3609] [ 43.539362][ T3609] The buggy address belongs to the object at ffff888017469d98 [ 43.539362][ T3609] which belongs to the cache kernfs_node_cache of size 168 [ 43.553923][ T3609] The buggy address is located 152 bytes inside of [ 43.553923][ T3609] 168-byte region [ffff888017469d98, ffff888017469e40) [ 43.567186][ T3609] [ 43.569586][ T3609] The buggy address belongs to the physical page: [ 43.575981][ T3609] page:ffffea00005d1a40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17469 [ 43.586120][ T3609] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 43.593661][ T3609] raw: 00fff00000000200 ffffea00005d1ac0 dead000000000003 ffff8880119dbb40 [ 43.602234][ T3609] raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000 [ 43.610799][ T3609] page dumped because: kasan: bad access detected [ 43.617197][ T3609] page_owner tracks the page as allocated [ 43.622894][ T3609] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 1594349526, free_ts 0 [ 43.639553][ T3609] get_page_from_freelist+0x109b/0x2ce0 [ 43.645098][ T3609] __alloc_pages+0x1c7/0x510 [ 43.649689][ T3609] alloc_page_interleave+0x1e/0x200 [ 43.654879][ T3609] alloc_pages+0x22f/0x270 [ 43.659288][ T3609] allocate_slab+0x27e/0x3d0 [ 43.663870][ T3609] ___slab_alloc+0x7f1/0xe10 [ 43.668449][ T3609] __slab_alloc.constprop.0+0x4d/0xa0 [ 43.673809][ T3609] kmem_cache_alloc+0x38c/0x3b0 [ 43.678647][ T3609] __kernfs_new_node+0xd4/0x8b0 [ 43.683487][ T3609] kernfs_new_node+0x93/0x120 [ 43.688157][ T3609] __kernfs_create_file+0x51/0x350 [ 43.693263][ T3609] sysfs_add_file_mode_ns+0x20f/0x3f0 [ 43.698627][ T3609] sysfs_create_file_ns+0x127/0x1c0 [ 43.703826][ T3609] locate_module_kobject+0x112/0x164 [ 43.709106][ T3609] param_sysfs_init+0x28e/0x43b [ 43.713943][ T3609] do_one_initcall+0xfe/0x650 [ 43.718611][ T3609] page_owner free stack trace missing [ 43.723960][ T3609] [ 43.726267][ T3609] Memory state around the buggy address: [ 43.731893][ T3609] ffff888017469d00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc [ 43.739936][ T3609] ffff888017469d80: fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb [ 43.747986][ T3609] >ffff888017469e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.756030][ T3609] ^ [ 43.761643][ T3609] ffff888017469e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.769691][ T3609] ffff888017469f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 43.777737][ T3609] ================================================================== [ 43.799235][ T3609] Kernel panic - not syncing: panic_on_warn set ... [ 43.806365][ T3609] CPU: 0 PID: 3609 Comm: syz-executor220 Not tainted 6.0.0-rc6-syzkaller-00210-gbf682942cd26 #0 [ 43.816794][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 43.826950][ T3609] Call Trace: [ 43.830237][ T3609] [ 43.833184][ T3609] dump_stack_lvl+0xcd/0x134 [ 43.837839][ T3609] panic+0x2c8/0x627 [ 43.841760][ T3609] ? panic_print_sys_info.part.0+0x10b/0x10b [ 43.847758][ T3609] ? preempt_schedule_common+0x59/0xc0 [ 43.853409][ T3609] ? preempt_schedule_thunk+0x16/0x18 [ 43.858808][ T3609] ? __kernfs_remove+0xa09/0xb50 [ 43.863771][ T3609] end_report.part.0+0x3f/0x7c [ 43.868558][ T3609] kasan_report.cold+0xa/0xf [ 43.873198][ T3609] ? __kernfs_remove+0xa09/0xb50 [ 43.878182][ T3609] __kernfs_remove+0xa09/0xb50 [ 43.882996][ T3609] ? kernfs_next_descendant_post+0x2f0/0x2f0 [ 43.889014][ T3609] ? kernfs_name_hash+0xf1/0x120 [ 43.893998][ T3609] kernfs_remove_by_name_ns+0xa8/0x110 [ 43.899504][ T3609] sysfs_slab_add+0x14b/0x200 [ 43.904218][ T3609] __kmem_cache_create+0x509/0x690 [ 43.909363][ T3609] kmem_cache_create_usercopy+0x1f9/0x300 [ 43.915116][ T3609] p9_client_create+0xca5/0x1070 [ 43.920093][ T3609] ? p9_client_rpc+0xce0/0xce0 [ 43.924902][ T3609] ? lockdep_init_map_type+0x21a/0x7f0 [ 43.930401][ T3609] ? rcu_read_lock_sched_held+0x3a/0x70 [ 43.935980][ T3609] ? __raw_spin_lock_init+0x36/0x110 [ 43.941285][ T3609] v9fs_session_init+0x1e2/0x1810 [ 43.946353][ T3609] ? find_held_lock+0x2d/0x110 [ 43.951220][ T3609] ? v9fs_show_options+0x780/0x780 [ 43.956329][ T3609] ? rcu_read_lock_sched_held+0x3a/0x70 [ 43.961901][ T3609] ? trace_kmalloc+0x32/0x100 [ 43.966615][ T3609] v9fs_mount+0xba/0xc90 [ 43.970899][ T3609] ? v9fs_statfs+0x4d0/0x4d0 [ 43.975532][ T3609] ? apparmor_capable+0x1d8/0x460 [ 43.980598][ T3609] ? v9fs_statfs+0x4d0/0x4d0 [ 43.985215][ T3609] legacy_get_tree+0x105/0x220 [ 43.990010][ T3609] vfs_get_tree+0x89/0x2f0 [ 43.994456][ T3609] path_mount+0x1326/0x1e20 [ 43.998977][ T3609] ? kmem_cache_free+0xeb/0x5b0 [ 44.003843][ T3609] ? finish_automount+0x960/0x960 [ 44.008916][ T3609] ? putname+0xfe/0x140 [ 44.013200][ T3609] __x64_sys_mount+0x27f/0x300 [ 44.018006][ T3609] ? copy_mnt_ns+0xae0/0xae0 [ 44.022628][ T3609] ? lockdep_hardirqs_on+0x79/0x100 [ 44.027864][ T3609] ? _raw_spin_unlock_irq+0x2a/0x40 [ 44.033082][ T3609] ? ptrace_notify+0xfa/0x140 [ 44.037779][ T3609] do_syscall_64+0x35/0xb0 [ 44.042215][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.048146][ T3609] RIP: 0033:0x7f8e611180c9 [ 44.052574][ T3609] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 44.072188][ T3609] RSP: 002b:00007ffe0f9321f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 44.080720][ T3609] RAX: ffffffffffffffda RBX: 00007ffe0f932230 RCX: 00007f8e611180c9 [ 44.088713][ T3609] RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000000000000 [ 44.096695][ T3609] RBP: 0000000000000000 R08: 00000000200003c0 R09: 0000000000000000 [ 44.105307][ T3609] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000f4240 [ 44.113318][ T3609] R13: 0000000000000000 R14: 00007ffe0f93221c R15: 00007ffe0f932220 [ 44.121333][ T3609] [ 44.125151][ T3609] Kernel Offset: disabled [ 44.129498][ T3609] Rebooting in 86400 seconds..