./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1444435671

<...>
DUID 00:04:e6:d8:3e:4c:c1:15:84:42:dc:00:60:8c:e3:5f:26:b4
forked to background, child pid 3186
[   19.463236][ T3187] 8021q: adding VLAN 0 to HW filter on device bond0
[   19.478630][ T3187] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.
execve("./syz-executor1444435671", ["./syz-executor1444435671"], 0x7ffe6ae56b30 /* 10 vars */) = 0
brk(NULL)                               = 0x555557156000
brk(0x555557156c40)                     = 0x555557156c40
arch_prctl(ARCH_SET_FS, 0x555557156300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1444435671", 4096) = 28
brk(0x555557177c40)                     = 0x555557177c40
brk(0x555557178000)                     = 0x555557178000
mprotect(0x7fa0f7d0c000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571565d0) = 3608
./strace-static-x86_64: Process 3608 attached
[pid  3608] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  3608] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  3608] setsid()                    = 1
[pid  3608] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  3608] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  3608] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  3608] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  3608] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  3608] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  3608] unshare(CLONE_NEWNS)        = 0
[pid  3608] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  3608] unshare(CLONE_NEWIPC)       = 0
[pid  3608] unshare(CLONE_NEWCGROUP)    = 0
[pid  3608] unshare(CLONE_NEWUTS)       = 0
[pid  3608] unshare(CLONE_SYSVSEM)      = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "16777216", 8)     = 8
[pid  3608] close(3)                    = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "536870912", 9)    = 9
[pid  3608] close(3)                    = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "1024", 4)         = 4
[pid  3608] close(3)                    = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "8192", 4)         = 4
[pid  3608] close(3)                    = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "1024", 4)         = 4
[pid  3608] close(3)                    = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "1024", 4)         = 4
[pid  3608] close(3)                    = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "1024 1048576 500 1024", 21) = 21
[pid  3608] close(3)                    = 0
[pid  3608] getpid()                    = 1
[pid  3608] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  3608] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  3608] unshare(CLONE_NEWNET)       = 0
[pid  3608] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  3608] write(3, "0 65535", 7)      = 7
[pid  3608] close(3)                    = 0
[pid  3608] mkdir("/dev/binderfs", 0777) = 0
[pid  3608] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  3608] symlink("/dev/binderfs", "./binderfs") = 0
[pid  3608] memfd_create("syzkaller", 0) = 3
[pid  3608] ftruncate(3, 32768)         = 0
[pid  3608] pwrite64(3, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23, 0) = 23
[pid  3608] pwrite64(3, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82"..., 450, 1534) = 450
[pid  3608] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  3608] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  3608] mkdir("./file0", 0777)      = 0
[pid  3608] mount("/dev/loop0", "./file0", "vfat", MS_POSIXACL|MS_LAZYTIME, "iocharset=cp852,nonumtail=0,shortname=mixed,shortname=lower,check=strict,shortname=win95,discard,ioc"...) = 0
[pid  3608] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5
[pid  3608] ioctl(4, LOOP_CLR_FD)       = 0
[pid  3608] close(4)                    = 0
[pid  3608] close(3)                    = 0
[pid  3608] chdir("./file0")            = 0
[pid  3608] openat(AT_FDCWD, "./file0", O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_APPEND|O_NONBLOCK|__O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_CLOEXEC|FASYNC|0x8d800030, 000) = 3
[pid  3608] unlink("./file0")           = 0
[pid  3608] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4
syzkaller login: [   35.388535][ T3608] loop0: detected capacity change from 0 to 64
[   35.405515][   T27] audit: type=1800 audit(1665457041.563:2): pid=3608 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz-executor144" name="file0" dev="loop0" ino=1048583 res=0 errno=0
[pid  3608] write(4, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x20\x00\x00\x00\x00\xc2\x01\x00\x00\x00\x00\x00\x00\xfe\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 989098014) = 458752
[pid  3608] pwritev(3, [{iov_base="J", iov_len=1}], 1, 0) = -1 ENOSPC (No space left on device)
[   35.437167][ T3608] syz-executor144: attempt to access beyond end of device
[   35.437167][ T3608] loop0: rw=2049, sector=135, nr_sectors = 768 limit=64
[pid  3608] close(3)                    = 0
[pid  3608] close(4)                    = 0
[pid  3608] close(5)                    = 0
[pid  3608] close(6)                    = -1 EBADF (Bad file descriptor)
[pid  3608] close(7)                    = -1 EBADF (Bad file descriptor)
[pid  3608] close(8)                    = -1 EBADF (Bad file descriptor)
[pid  3608] close(9)                    = -1 EBADF (Bad file descriptor)
[pid  3608] close(10)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(11)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(12)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(13)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(14)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(15)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(16)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(17)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(18)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(19)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(20)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(21)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(22)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(23)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(24)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(25)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(26)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(27)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(28)                   = -1 EBADF (Bad file descriptor)
[pid  3608] close(29)                   = -1 EBADF (Bad file descriptor)
[pid  3608] exit_group(1)               = ?
[   35.672657][   T12] ==================================================================
[   35.680748][   T12] BUG: KASAN: use-after-free in move_expired_inodes+0x186/0x8e0
[   35.688379][   T12] Read of size 8 at addr ffff8880720e15a8 by task kworker/u4:1/12
[   35.696172][   T12] 
[   35.698480][   T12] CPU: 1 PID: 12 Comm: kworker/u4:1 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
[   35.708088][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[   35.718127][   T12] Workqueue: writeback wb_workfn (flush-7:0)
[   35.724107][   T12] Call Trace:
[   35.727370][   T12]  <TASK>
[   35.730287][   T12]  dump_stack_lvl+0x1b1/0x28e
[   35.734950][   T12]  ? fortify_panic+0x13/0x13
[   35.739519][   T12]  ? __wake_up_klogd+0xcd/0x100
[   35.744352][   T12]  ? panic+0x710/0x710
[   35.748412][   T12]  ? _printk+0xc0/0x100
[   35.752549][   T12]  ? move_expired_inodes+0x3c3/0x8e0
[   35.757816][   T12]  print_address_description+0x65/0x4b0
[   35.763351][   T12]  print_report+0x108/0x1f0
[   35.767841][   T12]  ? __lock_acquire+0x1f60/0x1f60
[   35.772843][   T12]  ? do_raw_spin_lock+0x148/0x360
[   35.777851][   T12]  ? atime_needs_update+0x7a0/0x7a0
[   35.783042][   T12]  ? move_expired_inodes+0x186/0x8e0
[   35.788318][   T12]  kasan_report+0xc3/0xf0
[   35.792637][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   35.797825][   T12]  ? move_expired_inodes+0x186/0x8e0
[   35.803102][   T12]  move_expired_inodes+0x186/0x8e0
[   35.808211][   T12]  ? trace_writeback_wait+0x220/0x220
[   35.813573][   T12]  ? do_raw_spin_lock+0x148/0x360
[   35.818613][   T12]  ? __bpf_trace_rcu_stall_warning+0x10/0x10
[   35.824581][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   35.830202][   T12]  queue_io+0x250/0x400
[   35.834350][   T12]  wb_writeback+0x3d3/0x7b0
[   35.838862][   T12]  ? trace_writeback_exec+0x220/0x220
[   35.844233][   T12]  ? set_worker_desc+0x149/0x1b0
[   35.849156][   T12]  ? __lock_acquire+0x1f60/0x1f60
[   35.854172][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   35.859797][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   35.864985][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   35.870604][   T12]  ? kthread_data+0x4d/0xc0
[   35.875101][   T12]  wb_workfn+0x3cb/0xef0
[   35.879344][   T12]  ? inode_wait_for_writeback+0x2c0/0x2c0
[   35.885051][   T12]  ? lock_acquire+0xa4/0x3c0
[   35.889636][   T12]  ? process_one_work+0x831/0xdb0
[   35.894648][   T12]  ? read_lock_is_recursive+0x10/0x10
[   35.900011][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   35.905198][   T12]  ? __lock_acquire+0x1f60/0x1f60
[   35.910217][   T12]  ? _raw_spin_lock_irqsave+0xbf/0x100
[   35.915669][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   35.921293][   T12]  ? __bpf_trace_rcu_stall_warning+0x10/0x10
[   35.927259][   T12]  ? _raw_spin_unlock_irqrestore+0xc1/0x120
[   35.933141][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   35.938328][   T12]  ? read_word_at_a_time+0xe/0x20
[   35.943351][   T12]  process_one_work+0x877/0xdb0
[   35.948201][   T12]  ? worker_detach_from_pool+0x260/0x260
[   35.953820][   T12]  ? lockdep_hardirqs_on_prepare+0x428/0x790
[   35.959874][   T12]  ? _raw_spin_lock_irq+0xba/0xf0
[   35.964883][   T12]  ? _raw_spin_lock_irqsave+0x100/0x100
[   35.970417][   T12]  worker_thread+0xb14/0x1330
[   35.975091][   T12]  kthread+0x266/0x300
[   35.979145][   T12]  ? rcu_lock_release+0x20/0x20
[   35.983982][   T12]  ? kthread_blkcg+0xd0/0xd0
[   35.988563][   T12]  ret_from_fork+0x1f/0x30
[   35.992973][   T12]  </TASK>
[   35.995977][   T12] 
[   35.998282][   T12] Allocated by task 3608:
[   36.002594][   T12]  __kasan_slab_alloc+0xa3/0xd0
[   36.007429][   T12]  kmem_cache_alloc_lru+0x175/0x2d0
[   36.012617][   T12]  fat_alloc_inode+0x25/0xc0
[   36.017190][   T12]  new_inode_pseudo+0x61/0x1d0
[   36.021938][   T12]  new_inode+0x25/0x1d0
[   36.026075][   T12]  fat_build_inode+0x1e8/0x3e0
[   36.030823][   T12]  vfat_create+0x240/0x3a0
[   36.035223][   T12]  path_openat+0x12d0/0x2df0
[   36.039796][   T12]  do_filp_open+0x264/0x4f0
[   36.044283][   T12]  do_sys_openat2+0x124/0x4e0
[   36.048944][   T12]  __x64_sys_openat+0x243/0x290
[   36.053777][   T12]  do_syscall_64+0x3d/0xb0
[   36.058180][   T12]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   36.064060][   T12] 
[   36.066369][   T12] Freed by task 0:
[   36.070068][   T12]  kasan_set_track+0x3d/0x60
[   36.074643][   T12]  kasan_set_free_info+0x1f/0x40
[   36.079571][   T12]  ____kasan_slab_free+0xd8/0x120
[   36.084579][   T12]  slab_free_freelist_hook+0x12e/0x1a0
[   36.090026][   T12]  kmem_cache_free+0x95/0x1d0
[   36.094690][   T12]  rcu_core+0x981/0x1610
[   36.098918][   T12]  __do_softirq+0x277/0x738
[   36.103412][   T12] 
[   36.105717][   T12] Last potentially related work creation:
[   36.111412][   T12]  kasan_save_stack+0x2b/0x50
[   36.116073][   T12]  __kasan_record_aux_stack+0xaf/0xc0
[   36.121430][   T12]  call_rcu+0x163/0x970
[   36.125576][   T12]  __dentry_kill+0x3b1/0x5b0
[   36.130154][   T12]  dentry_kill+0xbb/0x290
[   36.134471][   T12]  dput+0x1f3/0x410
[   36.138265][   T12]  __fput+0x5e4/0x880
[   36.142227][   T12]  task_work_run+0x146/0x1c0
[   36.146803][   T12]  ptrace_notify+0x29a/0x340
[   36.151375][   T12]  syscall_exit_work+0x8c/0xe0
[   36.156126][   T12]  syscall_exit_to_user_mode_prepare+0x63/0xc0
[   36.162269][   T12]  syscall_exit_to_user_mode+0xa/0x60
[   36.167630][   T12]  do_syscall_64+0x49/0xb0
[   36.172035][   T12]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   36.177916][   T12] 
[   36.180225][   T12] The buggy address belongs to the object at ffff8880720e12f0
[   36.180225][   T12]  which belongs to the cache fat_inode_cache of size 1488
[   36.194693][   T12] The buggy address is located 696 bytes inside of
[   36.194693][   T12]  1488-byte region [ffff8880720e12f0, ffff8880720e18c0)
[   36.208038][   T12] 
[   36.210344][   T12] The buggy address belongs to the physical page:
[   36.216736][   T12] page:ffffea0001c83800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x720e0
[   36.226867][   T12] head:ffffea0001c83800 order:3 compound_mapcount:0 compound_pincount:0
[   36.235173][   T12] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   36.243136][   T12] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888146460140
[   36.251700][   T12] raw: 0000000000000000 0000000080140014 00000001ffffffff 0000000000000000
[   36.260277][   T12] page dumped because: kasan: bad access detected
[   36.266676][   T12] page_owner tracks the page as allocated
[   36.272388][   T12] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 3608, tgid 3608 (syz-executor144), ts 35396569179, free_ts 10664127500
[   36.294958][   T12]  get_page_from_freelist+0x742/0x7c0
[   36.300324][   T12]  __alloc_pages+0x259/0x560
[   36.304898][   T12]  alloc_slab_page+0x70/0xf0
[   36.309480][   T12]  allocate_slab+0x5e/0x520
[   36.313972][   T12]  ___slab_alloc+0x3ee/0xc40
[   36.318560][   T12]  kmem_cache_alloc_lru+0x225/0x2d0
[   36.323746][   T12]  fat_alloc_inode+0x25/0xc0
[   36.328319][   T12]  new_inode_pseudo+0x61/0x1d0
[   36.333080][   T12]  new_inode+0x25/0x1d0
[   36.337228][   T12]  fat_fill_super+0x3278/0x4b00
[   36.342072][   T12]  mount_bdev+0x26c/0x3a0
[   36.346410][   T12]  legacy_get_tree+0xea/0x180
[   36.351074][   T12]  vfs_get_tree+0x88/0x270
[   36.355485][   T12]  do_new_mount+0x289/0xad0
[   36.359995][   T12]  __se_sys_mount+0x2d3/0x3c0
[   36.364664][   T12]  do_syscall_64+0x3d/0xb0
[   36.369073][   T12] page last free stack trace:
[   36.373734][   T12]  free_pcp_prepare+0x812/0x900
[   36.378576][   T12]  free_unref_page+0x7d/0x5f0
[   36.383238][   T12]  free_contig_range+0xa3/0x160
[   36.388082][   T12]  destroy_args+0xfe/0x91d
[   36.392493][   T12]  debug_vm_pgtable+0x43e/0x497
[   36.397330][   T12]  do_one_initcall+0x1c9/0x400
[   36.402081][   T12]  do_initcall_level+0x168/0x218
[   36.407006][   T12]  do_initcalls+0x4b/0x8c
[   36.411324][   T12]  kernel_init_freeable+0x3f1/0x57b
[   36.416512][   T12]  kernel_init+0x19/0x2b0
[   36.420823][   T12]  ret_from_fork+0x1f/0x30
[   36.425224][   T12] 
[   36.427537][   T12] Memory state around the buggy address:
[   36.433149][   T12]  ffff8880720e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.441195][   T12]  ffff8880720e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.449351][   T12] >ffff8880720e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.457402][   T12]                                   ^
[   36.462777][   T12]  ffff8880720e1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.470828][   T12]  ffff8880720e1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.478870][   T12] ==================================================================
[   36.487071][   T12] Kernel panic - not syncing: panic_on_warn set ...
[   36.493652][   T12] CPU: 1 PID: 12 Comm: kworker/u4:1 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
[   36.503264][   T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[   36.513315][   T12] Workqueue: writeback wb_workfn (flush-7:0)
[   36.519293][   T12] Call Trace:
[   36.522560][   T12]  <TASK>
[   36.525479][   T12]  dump_stack_lvl+0x1b1/0x28e
[   36.530150][   T12]  ? fortify_panic+0x13/0x13
[   36.534733][   T12]  ? panic+0x710/0x710
[   36.538795][   T12]  ? vscnprintf+0x59/0x80
[   36.543118][   T12]  panic+0x2d6/0x710
[   36.547004][   T12]  ? fb_is_primary_device+0xcc/0xcc
[   36.552196][   T12]  ? _raw_spin_unlock_irqrestore+0xbc/0x120
[   36.558079][   T12]  ? _raw_spin_unlock_irqrestore+0xc1/0x120
[   36.563961][   T12]  ? print_report+0x1b4/0x1f0
[   36.568624][   T12]  ? move_expired_inodes+0x186/0x8e0
[   36.573901][   T12]  end_report+0x91/0xa0
[   36.578043][   T12]  kasan_report+0xd0/0xf0
[   36.582364][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   36.587552][   T12]  ? move_expired_inodes+0x186/0x8e0
[   36.592825][   T12]  move_expired_inodes+0x186/0x8e0
[   36.597935][   T12]  ? trace_writeback_wait+0x220/0x220
[   36.603297][   T12]  ? do_raw_spin_lock+0x148/0x360
[   36.608314][   T12]  ? __bpf_trace_rcu_stall_warning+0x10/0x10
[   36.614282][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   36.619903][   T12]  queue_io+0x250/0x400
[   36.624048][   T12]  wb_writeback+0x3d3/0x7b0
[   36.628545][   T12]  ? trace_writeback_exec+0x220/0x220
[   36.633907][   T12]  ? set_worker_desc+0x149/0x1b0
[   36.638836][   T12]  ? __lock_acquire+0x1f60/0x1f60
[   36.643852][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   36.649472][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   36.654658][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   36.660278][   T12]  ? kthread_data+0x4d/0xc0
[   36.664775][   T12]  wb_workfn+0x3cb/0xef0
[   36.669018][   T12]  ? inode_wait_for_writeback+0x2c0/0x2c0
[   36.674724][   T12]  ? lock_acquire+0xa4/0x3c0
[   36.679302][   T12]  ? process_one_work+0x831/0xdb0
[   36.684316][   T12]  ? read_lock_is_recursive+0x10/0x10
[   36.689679][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   36.694870][   T12]  ? __lock_acquire+0x1f60/0x1f60
[   36.699887][   T12]  ? _raw_spin_lock_irqsave+0xbf/0x100
[   36.705331][   T12]  ? rcu_read_lock_sched_held+0x5d/0x110
[   36.710950][   T12]  ? __bpf_trace_rcu_stall_warning+0x10/0x10
[   36.716914][   T12]  ? _raw_spin_unlock_irqrestore+0xc1/0x120
[   36.722793][   T12]  ? do_raw_spin_unlock+0x134/0x8a0
[   36.727979][   T12]  ? read_word_at_a_time+0xe/0x20
[   36.732995][   T12]  process_one_work+0x877/0xdb0
[   36.737838][   T12]  ? worker_detach_from_pool+0x260/0x260
[   36.743459][   T12]  ? lockdep_hardirqs_on_prepare+0x428/0x790
[   36.749430][   T12]  ? _raw_spin_lock_irq+0xba/0xf0
[   36.754438][   T12]  ? _raw_spin_lock_irqsave+0x100/0x100
[   36.759971][   T12]  worker_thread+0xb14/0x1330
[   36.764660][   T12]  kthread+0x266/0x300
[   36.768717][   T12]  ? rcu_lock_release+0x20/0x20
[   36.773557][   T12]  ? kthread_blkcg+0xd0/0xd0
[   36.778143][   T12]  ret_from_fork+0x1f/0x30
[   36.782556][   T12]  </TASK>
[   36.785719][   T12] Kernel Offset: disabled
[   36.790030][   T12] Rebooting in 86400 seconds..