Warning: Permanently added '10.128.10.28' (ED25519) to the list of known hosts.
executing program
[ 35.565416][ T6099] loop0: detected capacity change from 0 to 32768
[ 35.570640][ T6099] BTRFS: device fsid ed167579-eb65-4e76-9a50-61ac97e9b59d devid 1 transid 8 /dev/loop0 scanned by syz-executor364 (6099)
[ 35.577789][ T6099] BTRFS info (device loop0): first mount of filesystem ed167579-eb65-4e76-9a50-61ac97e9b59d
[ 35.580419][ T6099] BTRFS info (device loop0): using sha256 (sha256-ce) checksum algorithm
[ 35.582251][ T6099] BTRFS info (device loop0): enabling auto defrag
[ 35.584087][ T6099] BTRFS info (device loop0): enabling disk space caching
[ 35.585856][ T6099] BTRFS info (device loop0): max_inline at 0
[ 35.587330][ T6099] BTRFS info (device loop0): force clearing of disk cache
[ 35.588893][ T6099] BTRFS info (device loop0): turning on sync discard
[ 35.590507][ T6099] BTRFS info (device loop0): disk space caching is enabled
[ 35.602162][ T6099] BTRFS info (device loop0): enabling ssd optimizations
[ 35.605206][ T6099] BTRFS info (device loop0): rebuilding free space tree
[ 35.616617][ T6099] BTRFS info (device loop0): disabling free space tree
[ 35.618321][ T6099] BTRFS info (device loop0): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)
[ 35.620862][ T6099] BTRFS info (device loop0): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)
[ 35.630033][ T6099] ==================================================================
[ 35.632004][ T6099] BUG: KASAN: slab-out-of-bounds in strlen+0x54/0x70
[ 35.633722][ T6099] Read of size 1 at addr ffff0000d3abea28 by task syz-executor364/6099
[ 35.635650][ T6099]
[ 35.636262][ T6099] CPU: 0 PID: 6099 Comm: syz-executor364 Not tainted 6.7.0-rc6-syzkaller-gaafe7ad77b91 #0
[ 35.638794][ T6099] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 35.641307][ T6099] Call trace:
[ 35.642063][ T6099]  dump_backtrace+0x1b8/0x1e4
[ 35.643104][ T6099]  show_stack+0x2c/0x3c
[ 35.644394][ T6099]  dump_stack_lvl+0xd0/0x124
[ 35.645425][ T6099]  print_report+0x174/0x514
[ 35.646717][ T6099]  kasan_report+0xd8/0x138
[ 35.647774][ T6099]  __asan_report_load1_noabort+0x20/0x2c
[ 35.649101][ T6099]  strlen+0x54/0x70
[ 35.650119][ T6099]  getname_kernel+0x2c/0x2d8
[ 35.651126][ T6099]  kern_path+0x2c/0x6c
[ 35.652287][ T6099]  bdev_open_by_path+0xcc/0x490
[ 35.653362][ T6099]  btrfs_dev_replace_by_ioctl+0x2e4/0x19d4
[ 35.654796][ T6099]  btrfs_ioctl_dev_replace+0x348/0x408
[ 35.656100][ T6099]  btrfs_ioctl+0xa28/0xb08
[ 35.657274][ T6099]  __arm64_sys_ioctl+0x14c/0x1c8
[ 35.658425][ T6099]  invoke_syscall+0x98/0x2b8
[ 35.659661][ T6099]  el0_svc_common+0x130/0x23c
[ 35.660979][ T6099]  do_el0_svc+0x48/0x58
[ 35.662231][ T6099]  el0_svc+0x54/0x158
[ 35.663397][ T6099]  el0t_64_sync_handler+0x84/0xfc
[ 35.664954][ T6099]  el0t_64_sync+0x190/0x194
[ 35.666035][ T6099]
[ 35.666599][ T6099] Allocated by task 6099:
[ 35.667680][ T6099]  kasan_set_track+0x4c/0x7c
[ 35.668782][ T6099]  kasan_save_alloc_info+0x24/0x30
[ 35.669984][ T6099]  __kasan_kmalloc+0xac/0xc4
[ 35.671280][ T6099]  __kmalloc_node_track_caller+0xd0/0x1c0
[ 35.672583][ T6099]  memdup_user+0x4c/0x1f8
[ 35.673668][ T6099]  btrfs_ioctl_dev_replace+0xa4/0x408
[ 35.674947][ T6099]  btrfs_ioctl+0xa28/0xb08
[ 35.676060][ T6099]  __arm64_sys_ioctl+0x14c/0x1c8
[ 35.677325][ T6099]  invoke_syscall+0x98/0x2b8
[ 35.678679][ T6099]  el0_svc_common+0x130/0x23c
[ 35.679961][ T6099]  do_el0_svc+0x48/0x58
[ 35.681053][ T6099]  el0_svc+0x54/0x158
[ 35.682001][ T6099]  el0t_64_sync_handler+0x84/0xfc
[ 35.683391][ T6099]  el0t_64_sync+0x190/0x194
[ 35.684680][ T6099]
[ 35.685349][ T6099] The buggy address belongs to the object at ffff0000d3abe000
[ 35.685349][ T6099]  which belongs to the cache kmalloc-4k of size 4096
[ 35.689274][ T6099] The buggy address is located 0 bytes to the right of
[ 35.689274][ T6099]  allocated 2600-byte region [ffff0000d3abe000, ffff0000d3abea28)
[ 35.693495][ T6099]
[ 35.694159][ T6099] The buggy address belongs to the physical page:
[ 35.695600][ T6099] page:00000000c3060e78 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113ab8
[ 35.697978][ T6099] head:00000000c3060e78 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 35.700075][ T6099] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 35.702548][ T6099] page_type: 0xffffffff()
[ 35.703589][ T6099] raw: 05ffc00000000840 ffff0000c0002140 dead000000000122 0000000000000000
[ 35.705897][ T6099] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 35.708105][ T6099] page dumped because: kasan: bad access detected
[ 35.709760][ T6099]
[ 35.710380][ T6099] Memory state around the buggy address:
[ 35.711968][ T6099]  ffff0000d3abe900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.714307][ T6099]  ffff0000d3abe980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.716521][ T6099] >ffff0000d3abea00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 35.718507][ T6099]                                   ^
[ 35.719933][ T6099]  ffff0000d3abea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.722015][ T6099]  ffff0000d3abeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.724009][ T6099] ==================================================================
[ 35.726773][ T6099] Disabling lock debugging due to kernel taint
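The report shows strlen() reading the first byte past a 2600-byte object that memdup_user() allocated in btrfs_ioctl_dev_replace(), reached from btrfs_dev_replace_by_ioctl() through bdev_open_by_path() and kern_path(): a device path string inside the copied ioctl argument block had no NUL before the end of the allocation, so the unbounded scan walked off the object. The program below is an added illustration of that bug class in userland C and is not btrfs code: the struct layout, field names and the validation policy are assumptions modelled on a dev-replace style argument block (the field sizes were chosen so the struct is 2600 bytes, matching the region in the report), and the strnlen()-bounded check is a generic hardening pattern, not the upstream fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (not the kernel's header): two fixed-width path fields
 * inside a larger argument block, followed by trailing spare words. */
#define DEVICE_PATH_NAME_MAX 1024

struct start_params {
	uint64_t srcdevid;
	uint64_t cont_reading_from_srcdev_mode;
	uint8_t  srcdev_name[DEVICE_PATH_NAME_MAX + 1];
	uint8_t  tgtdev_name[DEVICE_PATH_NAME_MAX + 1];
};

struct replace_args {
	uint64_t cmd;
	uint64_t result;
	struct start_params start;   /* stands in for the start/status union */
	uint64_t spare[64];
};

/* Stand-in for memdup_user(): copies exactly sizeof(*u) bytes and adds no
 * terminator of its own. */
static struct replace_args *memdup_from_user(const struct replace_args *u)
{
	struct replace_args *k = malloc(sizeof(*k));
	if (k)
		memcpy(k, u, sizeof(*k));
	return k;
}

/* Constructed "userspace" input. terminated == 0 fills the whole block with
 * non-NUL bytes, which is the shape of input a fuzzer hands the kernel. */
static void build_user_args(struct replace_args *u, const char *tgt, int terminated)
{
	if (!terminated) {
		memset(u, 'A', sizeof(*u));
		return;
	}
	memset(u, 0, sizeof(*u));
	u->start.srcdevid = 1;
	snprintf((char *)u->start.tgtdev_name, sizeof(u->start.tgtdev_name), "%s", tgt);
}

/* Buggy pattern, modelled without performing the bad read: is there any NUL
 * between tgtdev_name and the end of the object? If not, an unbounded
 * strlen(tgtdev_name) reads past the allocation and KASAN flags the first
 * byte after it, offset sizeof(*k), "0 bytes to the right" of the region. */
static int strlen_would_overrun(const struct replace_args *k)
{
	size_t off = offsetof(struct replace_args, start) +
		     offsetof(struct start_params, tgtdev_name);
	size_t avail = sizeof(*k) - off;

	return strnlen((const char *)k->start.tgtdev_name, avail) == avail;
}

/* Hardened pattern: bound every scan by its own field and reject input that
 * is not NUL-terminated inside the field before any path helper sees it. */
static int validate_dev_names(const struct replace_args *k)
{
	const struct start_params *s = &k->start;

	if (strnlen((const char *)s->srcdev_name, sizeof(s->srcdev_name)) == sizeof(s->srcdev_name))
		return -EINVAL;
	if (strnlen((const char *)s->tgtdev_name, sizeof(s->tgtdev_name)) == sizeof(s->tgtdev_name))
		return -EINVAL;
	if (s->tgtdev_name[0] == '\0')
		return -EINVAL;   /* example policy: a target device is required */
	return 0;
}

/* One scenario end to end: returns the hardened check's result and reports
 * whether the buggy strlen() would have overrun the object. */
static int run_scenario(int terminated, int *overrun)
{
	struct replace_args u, *k;
	int ret;

	build_user_args(&u, "/dev/loop1", terminated);
	k = memdup_from_user(&u);
	if (!k)
		return -ENOMEM;
	*overrun = strlen_would_overrun(k);
	ret = validate_dev_names(k);
	free(k);
	return ret;
}

int main(void)
{
	int ov;
	int ret;

	printf("sizeof(struct replace_args) = %zu\n", sizeof(struct replace_args));
	ret = run_scenario(1, &ov);
	printf("terminated:   overrun=%d validate=%d\n", ov, ret);
	ret = run_scenario(0, &ov);
	printf("unterminated: overrun=%d validate=%d (EINVAL is %d)\n", ov, ret, -EINVAL);
	return 0;
}
```

strlen_would_overrun() reproduces the condition KASAN flagged without doing the out-of-bounds read itself: with every byte of the block non-NUL, the scan reaches the end of the 2600-byte object, which is the `allocated 2600-byte region [ffff0000d3abe000, ffff0000d3abea28)` boundary in the report. The general rule it illustrates is that a fixed-width string field copied from userspace carries no termination guarantee, so the copy must be followed by a strnlen() bounded by the field size (or an explicit terminating store) before the pointer goes anywhere near strlen(), kern_path() or a similar unbounded consumer.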