program: sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)=ANY=[], 0x34}, 0x1, 0x0, 0x0, 0x404c095}, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x5, &(0x7f0000001cc0)=ANY=[@ANYBLOB="bf16000000000000b70700000100f0ff5070000000000000300000000000c00095000000000000002ba728041598d6fbd30cb599e83d24bd8137a3aa81e0ed139a85d36bb3019d13bd2321af3c2bd67ce68f15c0ec71d0e6adfefcf1d8f7faf75e0f226bd917060000007142fa9ea4318123f51c0a0e168c1886d0d4d35379bd223ec839bc16ee988e6e0dc8cedf3ceb9fbfbf9b0a49ef23d430f6296b32a83438810720a159cda90363db3d221e152dfca64057ff3c4744aeaccd3641110bec4e9027a0c8055bbfc3a96d2e8910c2c39e4babe802f5ab3e89cf6c662ed4048d3b3e3962dcddef6af1a11972a6b4975022278d00031e5388ee5c867ddd58211d6ece1ccb0cd2b6d3cffd962867a3a2f624f992daa94a0c556f3218ce740068725c37074e468ee207d2f73902ebcfcf49822775985bf31b715f5888b24efa190000000000000000000000000000ddffffff020000000000000000ddffffff0000b27cf3d1848a54d7132be1bfb0adf9deab3323aa9fdfb52faf9cb09c3bfd0971d379380bf63432872cfed453870000b219ef00bb7b3de8f67ffcad3f6c3c2b1f03550000000000001cf41ab11f12fb1e0a494034007de7c6592df1a6c64d3f153b3d34889f40159e800ea2474b540500a30b23bcee46762e2093bcc9eae5ee3e980026c96f80ee1a74e04bde740750fa4d9aaa705989b8e673e3296e52d3112874ec51d6fe048ba6866adebab53168770a71ad901ace383e7927de217d6bf74daf41d277b103923a9d961f7a2591dbe4a912ffaf6f658f3f9cd16286744f83a83f138f8f92efd92239eafce5c1b3f97a297c9e490f241999085afabdd529f62ca0c3300ef7b7fb5f09e0c8a868a353409e34d3e82279637f99f35ad3f7ffffff3cac394c7bbdcd0e0eb52162e0c410ade7a36b26a4e70f03cc4146a77af02c1d4cefd4a2b94c0aed8477dfa8ceefb467f05c6977c78cdbf37704ec737555392a0b06491cba71f897144910fe050038ec9e475e89298b7bf4d769ccc18eede0068ca1457870eb30d211e23ccc8e06dddeb6179d257ab5000013c86ba9affb12ec757c7234c270246c878d01160e6c07bf6cf8809c3a0d062357ba2515567230a6f8b2ad1e1f4933545fc3c741374211663f6b63b1dd044dd0117c9b737b9b59418006c1bc1aafa2768e82597251e5510a33dcda5e4e202bd622549c4cffffff501d3a5dd7143fbf221fff161c12ca389cbe0000000000000fff75067d2a214f8c9d9b2ecf631c6c5fd9c26a54d43fa050b88d1d43a8645bd9109b7e07869bba7131421c0f397073943330baafd243c0c6ffe673bab4113be7664e08bdd7115c61afcb718cf3c4680b2f6c7a8400e378a9b101000f49e298727340e87cdefb40e56e9cfad973347d0de7ba4754ff231a1b933d8f931b8c552b2c7c503f3d0e7ab0e958adb862822e40009995ae166deb9856291a43a6f7eb2e32cefbf444b032dad13007b82e6044f643fc8cd07a97e2bbe636a5dbe9864a117d27326850a7c3b570863f532c218b10af13d7be94987005088a83880ccab9c9920c2d2af8c5e13d52c83ac3fa7c3ae6c08384865b66d2b4dcb5dd9cba16b62040bf8702ae12c77e6e34991af603e3856a346cf708feeb708ab22b560cf8a4a6f31ba6d9b8cb0908000000000000001a342c010000000000e667a7592b33406f1f71c739b55db91d2309dc7ae401005f52053a39e7307c09ff3ac3e820b01c57dd74d4aafc4c383a17bc1de5347bb71ca16dcbbbaa2935f602325984386b21b96492ae662082b56cf666e63a757c0ef3ea7af6881513be94b362e15ffca8ec453b3a2a67be70c17b0f9c2eac765816c30c2e71338a40c7669522e8dff8bc570a93fbdb688c3aef810000007a6ea6b11163392a19d87995b51cb6febd5f24a34998d2010fd5facf68c4f84e2f66e27c81a149d7b331983d3b74444953fc1216dfec10b724be3733c26f12538376e177ffef6fd2603bfab96831957a08e4919a463d5332a2546032a3c06b94f168e8fc4bda0c294723fe306f26c477af4b926644672985fab7cc67bc5b5f5d38cdd8df95147ebe1cd88b0a4c6cde9951be42827dfddfefb238fac2303cc8982f1e55b005afcfea5eb037248fefad6bb02c162ce92ab17744c8ec3d2e80cf3205d36699fd381bc81231fb5e12e45f3059f361d08d6a6d01af43083c29512bcedd79ca9bf24e063d0c273ed70a2b70be521ea27dc8cf3c9bdf83b93405db07e82e2ddf4c4d26f1cdd8c3c9736cf5e5082de3b484f8673e0e97dd7e8a872148613c3a04f3d67f4375ba5c7f1b0033f8dfe0fd9bb2a70801f763524e1d79d812ced782646b5f79c8fc08bb5c11020108d702edd2ea9c96cfcb9066668627ebe92d48aa5fc0a7bf1b5108b34d22ad004de8274c22c8ba823d964969c9f02bb78c598fa8701b000884de710b54e5ab2e8ff0c7ae23e0b601ac95c4c2eef2e5eb1d019d52099fbd404e8ece970f67736ba7e960bd8b1e4105b65007c8ff1f00a8ce7e31f7c9c3e3fa61aab967b90087e91d703e98535b107b8f4653be4c46a3a1adb07d226952b8573b417018316fa96e942e35c4baa1904122c863709b08d4639a19a46ac90ac48a13ee9bcaa875fc700ba363ca3182105960bef3378a980000000000003b40dc5c745fe2491e8425e600000000000000000000000000000000000000000000000000000000000000250318a44ad31baac0520a913301e630ae540f3289aebde8633f6f450cfe6e39959735758248032cdf7320c6dc87b01e3f9a7811b200000000ae189de4b9b25f7c7a9c32e4f1f22af1c06315270de4a6605e4b4b58bef76fac54f11b84bd7bcd6b6a485edfb7684c770a39b38b08e18a51a4d4e66ca21c06a4b4198e1bc2ef990c9ba911efed626e5ee341a17bf8132b5b1dfa9fd31df213c88b404797056fd3baa8b2d6cb134437cba0193ba4360bdcc98aad2560aa58291c4eb9d4e08ad7a9c5f04be1ab59719a8200007bd8cca8f68154a0ed356e773a797ca6d66748857b4abbf8830abeea2a46342e6a7378173cb29d5cdcd698a0203f78116b710008000000000000007c2d86b94472807c10eb9a8e2fb8bd79fe3a8316deff3ee641c9a080a2173642e673a672279bae4e7e28055da9497d7edb53be6e80482bd4d9a74b7f76c78ba0b44ec0bdfa0d32d7030000003a073b12eb579032b856d892ad6af5124c9c3130485e9682ff1f3c54e475d5bb496aef4bb537d7e191dfdeba109fdcf7864763f87a6d711cf52e520a6ce30e134c55e02b7cd25385f3b9628471b4364987b0b2c82a8b0f976387ebb62ead0e1b761e6ec9b824fe006ea52c0c469e3bd8fed05a486bd5511144ebb63d56d61da5fcb58e196a8923edaf228b0cb96b856b15c90b154494fb0cff768b3417fcc89acb9b9b4f8581c82ff3121b5920f4e71508eea4341ec618f4d9110928ea8dd17e36f3beb0c07d911c00eb4054ad48cab563c5ad97d732c3653635df7600091973d44ff94ac6d670ecc085501bd91b586adf858b41d918fd58f8577adb541857dbbf33be97c4809c6595ebfff19b34cec7fd877e8f2aad6a1a6a4ec6dbb3de42bb2e75b4768d139d7b7ff5d51e6863b6704901b59fd92495608395fce98c267a3846b67e7a5b57d995e07dca8db555aea5a0f6f1cd85d791f22d06ff37fcbb22b2d9296b36faee22e513b276fc8494ce31699343278aa8f531ee549d2ba495059c80d5748d8a0cb19df27338aaafbf0849c31572d17a786383b3f619212651a076e5148fa6421f5405e65ee31e6fbd510d92c17fe12a7f203066848e2a9adef66ad7ae8edea20fb8c7233de3736949e15b88699c2f8576060cf95d2593828abde6e2eed2a717655782ae9e589f5de9792c810ec07a842bca96e594f13211eae7ee1919b7af1e33ff726792cbb1366fb8a3684370e35122b0ad40f55846ca7d39cf6f9a1cfa5460f537e89e1c5f3cd10a3d8ae3ecec0c7e4114aec30742d88f313d74447723808da0889e34b31c13a79b8bb105cdcb234d56246bbf003c0ad03ff20f573df9604720d652b0a0cc5d90a284b5c7824bfdc4e3f18eaf9820ffbd8c4f32c8de631c181ab76505dac753fec759b0414cb3c5dfa02b6a3b93ff79bcf8c613b4a9124923e7e6ce74266fd78564000000000ce0d3ac2350502cf4a410152ee893d57622bee2b52df83cd30b4ae17d507fba05e7055db7e6d4cfc085773b900ca50bee4d49529f24bab389fb87fbb481340e8ce1810727212dc5e96d99de07611cb588a5d8b5c510c1f5b3fb568971646821b50dc2542003eb60a4ee9398ae4b6681c29cd921fb35b12ca111f12c59ac39dde4bf4f7524362304610979f5199ef9d271af60a421e29c6483423157ed4c2721123ddf33313a97ec1a55115b6df23157ad17b5e544db26c46d31b2e7375c37ace025955c9482e1ef841554c202c356842233c57c258f8f2043b4b6de433e8a2fb9365b65496c5777c1a1a223763d51190a24fb4047ad7ff6258f1b000000000000000000000000e0ef07726228fb150d09f697ee3db6cc096676225780d422fe917a5c57bedabb42399727b386e979dde3b7243dad1f78e8592937866cfc017f3a8ad31c53115fb7f3452bd3318c4a17cc80bcab32d9ed35273c3c930719ddb5b757f9d85cc86ddd"], &(0x7f0000000140)='GPL\x00', 0x1}, 0x94) r0 = io_uring_setup(0x2c49, &(0x7f0000002240)={0x0, 0xfffffffd}) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r0, 0x18, &(0x7f0000000000), 0x1) io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(r0, 0x7, &(0x7f0000000040), 0x1) open(&(0x7f00000000c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../file0\x00', 0x101040, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040e05405a0c"], 0x8) r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r1, &(0x7f00000000c0)={0x26, 'aead\x00', 0x0, 0x0, 'aegis128\x00'}, 0x58) setsockopt$ALG_SET_AEAD_AUTHSIZE(r1, 0x117, 0x5, 0x0, 0x9) r2 = memfd_create(&(0x7f0000000480)='\xff\x00l\x1e\xa0 128), deleting [ 87.727916][ T5326] bcachefs (loop0): recovering from clean shutdown, journal seq 10 [ 87.731705][ T5326] bcachefs (loop0): Version upgrade required: [ 87.731705][ T5326] Version upgrade from 0.24: unwritten_extents to 1.7: mi_btree_bitmap incomplete [ 87.731705][ T5326] Doing incompatible version upgrade from 0.24: unwritten_extents to 1.28: inode_has_case_insensitive [ 87.731705][ T5326] running recovery passes: check_allocations,check_alloc_info,check_lrus,check_btree_backpointers,check_backpointers_to_extents,check_extents_to_backpointers,check_alloc_to_lru_refs,bucket_gens_init,check_snapshot_trees,check_snapshots,check_subvols,check_subvol_children,delete_dead_snapshots,check_inodes,check_extents,check_indirect_extents,check_dirents,check_xattrs,check_root,check_unreachable_inodes,check_subvolume_structure,check_directory_structure,check_nlinks,check_rebalance_work,set_fs_needs_rebalance [ 87.774682][ T5326] bcachefs (loop0): invalid bkey in btree_node btree=inodes level=0: u64s 18 type inode_v3 0:4100:U32_MAX len 0 ver 0: (unpack error) [ 87.774711][ T5326] invalid variable length fields, deleting [ 87.791789][ T5326] bcachefs (loop0): btree node read error at btree xattrs level 0/0 [ 87.791822][ T5326] u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 2285c34bed0abe32 written 16 min_key 327680:0:0 durability: 1 ptr: 0:31:0 gen 0 [ 87.791833][ T5326] loop0 node offset 0/16: incorrect min_key: got POS_MIN should be 327680:0:0 [ 87.791840][ T5326] flagging btree xattrs lost data [ 87.791846][ T5326] running recovery pass scan_for_btree_nodes (1), currently at recovery_pass_empty (0) [ 87.791855][ T5326] ret btree_node_read_validate_error [ 87.819017][ T5326] bcachefs (loop0): error reading btree root btree=xattrs level=0: btree_node_read_error, fixing [ 87.826077][ T5326] bcachefs (loop0): btree node read error at btree subvolumes level 0/0 [ 87.826092][ T5326] u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq c0bef60d07ceb940 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0 [ 87.826101][ T5326] loop0 node offset 0/16: incorrect min_key: got 0:2199023255552:0 should be POS_MIN [ 87.826109][ T5326] flagging btree subvolumes lost data [ 87.826115][ T5326] ret btree_node_read_validate_error [ 87.851128][ T5326] bcachefs (loop0): error reading btree root btree=subvolumes level=0: btree_node_read_error, fixing [ 87.860832][ T5326] bcachefs (loop0): check_topology... [ 87.861012][ T5326] bcachefs (loop0): btree root xattrs unreadable, must recover from scan [ 87.868191][ T5326] bcachefs (loop0): no nodes found for btree xattrs, continuing [ 87.871852][ T5326] bcachefs (loop0): btree root subvolumes unreadable, must recover from scan [ 87.875717][ T5326] bcachefs (loop0): no nodes found for btree subvolumes, continuing [ 87.883214][ T5326] done [ 87.885270][ T5326] bcachefs (loop0): accounting_read... done [ 87.889834][ T5326] bcachefs (loop0): alloc_read... done [ 87.893422][ T5326] bcachefs (loop0): snapshots_read... done [ 87.896604][ T5326] bcachefs (loop0): check_allocations... [ 87.903413][ T5326] bcachefs (loop0): bucket 0:26 data type btree ptr gen 0 missing in alloc btree [ 87.903445][ T5326] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq ac62141f8dc7e261 written 24 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0, fixing [ 87.923440][ T5326] bcachefs (loop0): bucket 0:38 data type btree ptr gen 0 missing in alloc btree [ 87.923456][ T5326] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 7589ab5e0c11cc7a written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing [ 87.935428][ T5326] bcachefs (loop0): bucket 0:41 data type btree ptr gen 0 missing in alloc btree [ 87.935449][ T5326] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 9aa2895aefce4bdf written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing [ 87.952422][ T5326] bcachefs (loop0): bucket 0:29 data type btree ptr gen 0 missing in alloc btree [ 87.952442][ T5326] while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq e81e1ed936acf3df written 32 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing [ 87.964234][ T5326] bcachefs (loop0): bucket 0:1 gen 0 has wrong data_type: got free, should be sb, fixing [ 87.968416][ T5326] bcachefs (loop0): bucket 0:1 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 87.973107][ T5326] bcachefs (loop0): bucket 0:2 gen 0 has wrong data_type: got free, should be sb, fixing [ 87.978169][ T5326] bcachefs (loop0): bucket 0:2 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 87.983001][ T5326] bcachefs (loop0): bucket 0:3 gen 0 has wrong data_type: got free, should be sb, fixing [ 87.987800][ T5326] bcachefs (loop0): bucket 0:3 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 87.993380][ T5326] bcachefs (loop0): bucket 0:4 gen 0 has wrong data_type: got free, should be sb, fixing [ 87.999637][ T5326] bcachefs (loop0): bucket 0:4 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 88.005066][ T5326] bcachefs (loop0): bucket 0:5 gen 0 has wrong data_type: got free, should be sb, fixing [ 88.012985][ T5326] bcachefs (loop0): bucket 0:5 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 88.020885][ T5326] bcachefs (loop0): bucket 0:6 gen 0 has wrong data_type: got free, should be sb, fixing [ 88.026263][ T5326] bcachefs (loop0): bucket 0:6 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 88.041477][ T5326] bcachefs (loop0): bucket 0:7 gen 0 has wrong data_type: got free, should be sb, fixing [ 88.052735][ T5326] bcachefs (loop0): bucket 0:7 gen 0 data type sb has wrong dirty_sectors: got 0, should be 256, fixing [ 88.067643][ T5326] bcachefs (loop0): bucket 0:8 gen 0 has wrong data_type: got free, should be sb, fixing [ 88.072394][ T5326] bcachefs (loop0): bucket 0:8 gen 0 data type sb has wrong dirty_sectors: got 0, should be 8, fixing [ 88.079933][ T5326] bcachefs (loop0): bucket 0:9 gen 0 has wrong data_type: got free, should be journal, fixing [ 88.102485][ T5326] bcachefs (loop0): bucket 0:9 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing [ 88.127857][ T5326] bcachefs (loop0): bucket 0:10 gen 0 has wrong data_type: got free, should be journal, fixing [ 88.134191][ T5326] bcachefs (loop0): bucket 0:10 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing [ 88.152641][ T5326] bcachefs (loop0): bucket 0:11 gen 0 has wrong data_type: got free, should be journal, fixing [ 88.152659][ T5326] Ratelimiting new instances of previous error [ 88.180860][ T5326] bcachefs (loop0): bucket 0:11 gen 0 data type journal has wrong dirty_sectors: got 0, should be 256, fixing [ 88.180881][ T5326] Ratelimiting new instances of previous error [ 88.220650][ T5326] done [ 88.240677][ T5326] bcachefs (loop0): going read-write [ 88.312495][ T12] bcachefs (loop0): u64s 12 type alloc_v4 0:37:0 len 0 ver 0: [ 88.312528][ T12] gen 0 oldest_gen 0 data_type btree [ 88.312535][ T12] journal_seq_nonempty 6 [ 88.312542][ T12] journal_seq_empty 0 [ 88.312548][ T12] need_discard 1 [ 88.312554][ T12] need_inc_gen 1 [ 88.312560][ T12] dirty_sectors 256 [ 88.312567][ T12] stripe_sectors 0 [ 88.312573][ T12] cached_sectors 0 [ 88.312579][ T12] stripe 0 [ 88.312585][ T12] stripe_redundancy 0 [ 88.312592][ T12] io_time[READ] 1 [ 88.312598][ T12] io_time[WRITE] 1024 [ 88.312604][ T12] fragmentation 0 [ 88.312610][ T12] bp_start 7 [ 88.312616][ T12] [ 88.312622][ T12] incorrectly set at freespace:0:37:0 (free 0, genbits 0 should be 0), fixing [ 88.342149][ T5326] bcachefs (loop0): journal_replay... [ 88.446541][ T12] bcachefs (loop0): u64s 13 type alloc_v4 0:42:0 len 0 ver 0: [ 88.446557][ T12] gen 0 oldest_gen 0 data_type need_discard [ 88.446563][ T12] journal_seq_nonempty 7 [ 88.446569][ T12] journal_seq_empty 0 [ 88.446575][ T12] need_discard 1 [ 88.446580][ T12] need_inc_gen 1 [ 88.446585][ T12] dirty_sectors 0 [ 88.446590][ T12] stripe_sectors 0 [ 88.446596][ T12] cached_sectors 0 [ 88.446602][ T12] stripe 0 [ 88.446607][ T12] stripe_redundancy 0 [ 88.446612][ T12] io_time[READ] 1 [ 88.446617][ T12] io_time[WRITE] 1280 [ 88.446623][ T12] fragmentation 0 [ 88.446628][ T12] bp_start 8 [ 88.446633][ T12] [ 88.446638][ T12] incorrectly set at freespace:0:42:0 (free 0, genbits 0 should be 0), fixing [ 88.517920][ T12] ================================================================== [ 88.521306][ T12] BUG: KASAN: slab-use-after-free in bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 88.524906][ T12] Read of size 8 at addr ffff88801a0bc520 by task kworker/u4:0/12 [ 88.528354][ T12] [ 88.529438][ T12] CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted 6.16.0-rc3-syzkaller-00121-gf02769e7f272 #0 PREEMPT(full) [ 88.529453][ T12] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 88.529462][ T12] Workqueue: btree_node_rewrite async_btree_node_rewrite_work [ 88.529486][ T12] Call Trace: [ 88.529494][ T12] [ 88.529499][ T12] dump_stack_lvl+0x189/0x250 [ 88.529517][ T12] ? __virt_addr_valid+0x1c8/0x5c0 [ 88.529527][ T12] ? rcu_is_watching+0x15/0xb0 [ 88.529543][ T12] ? __kasan_check_byte+0x12/0x40 [ 88.529553][ T12] ? __pfx_dump_stack_lvl+0x10/0x10 [ 88.529569][ T12] ? rcu_is_watching+0x15/0xb0 [ 88.529584][ T12] ? lock_release+0x4b/0x3e0 [ 88.529600][ T12] ? __virt_addr_valid+0x1c8/0x5c0 [ 88.529611][ T12] ? __virt_addr_valid+0x4a5/0x5c0 [ 88.529622][ T12] print_report+0xd2/0x2b0 [ 88.529636][ T12] ? bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 88.529650][ T12] kasan_report+0x118/0x150 [ 88.529661][ T12] ? bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 88.529677][ T12] bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 88.529695][ T12] ? bch2_bucket_alloc_trans+0xcb4/0x2410 [ 88.529712][ T12] ? __pfx_bch2_bucket_alloc_trans+0x10/0x10 [ 88.529727][ T12] ? bch2_bucket_alloc_trans+0xcb4/0x2410 [ 88.529741][ T12] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70 [ 88.529756][ T12] bch2_bucket_alloc_set_trans+0x5a6/0xe70 [ 88.529773][ T12] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70 [ 88.529788][ T12] ? __open_bucket_add_buckets+0x783/0x1e40 [ 88.529806][ T12] __open_bucket_add_buckets+0x1437/0x1e40 [ 88.529828][ T12] open_bucket_add_buckets+0x2ee/0x440 [ 88.529844][ T12] bch2_alloc_sectors_start_trans+0xd26/0x1e80 [ 88.529861][ T12] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 88.529937][ T12] bch2_btree_reserve_get+0x641/0x1810 [ 88.529955][ T12] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 88.529966][ T12] ? __pfx_bch2_btree_reserve_get+0x10/0x10 [ 88.529982][ T12] ? __pfx___bch2_disk_reservation_add+0x10/0x10 [ 88.529997][ T12] ? bch2_btree_update_start+0xadb/0x1dc0 [ 88.530013][ T12] bch2_btree_update_start+0x147e/0x1dc0 [ 88.530026][ T12] ? bch2_btree_path_traverse_one+0x91e/0x21d0 [ 88.530054][ T12] ? bch2_btree_node_rewrite+0x17e/0x1120 [ 88.530070][ T12] ? __pfx_bch2_btree_update_start+0x10/0x10 [ 88.530087][ T12] ? bch2_btree_path_traverse_one+0x91e/0x21d0 [ 88.530104][ T12] ? async_btree_node_rewrite_work+0x1e1/0x840 [ 88.530121][ T12] ? bch2_btree_iter_peek_node+0x566/0xbe0 [ 88.530132][ T12] ? bch2_btree_iter_verify+0x1d/0x360 [ 88.530142][ T12] bch2_btree_node_rewrite+0x17e/0x1120 [ 88.530161][ T12] async_btree_node_rewrite_work+0x370/0x840 [ 88.530180][ T12] ? __pfx_async_btree_node_rewrite_work+0x10/0x10 [ 88.530199][ T12] ? async_btree_node_rewrite_work+0x1d2/0x840 [ 88.530217][ T12] ? _raw_spin_unlock_irq+0x23/0x50 [ 88.530231][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 88.530247][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 88.530263][ T12] process_scheduled_works+0xae1/0x17b0 [ 88.530284][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 88.530301][ T12] worker_thread+0x8a0/0xda0 [ 88.530321][ T12] kthread+0x70e/0x8a0 [ 88.530332][ T12] ? __pfx_worker_thread+0x10/0x10 [ 88.530348][ T12] ? __pfx_kthread+0x10/0x10 [ 88.530359][ T12] ? _raw_spin_unlock_irq+0x23/0x50 [ 88.530371][ T12] ? lockdep_hardirqs_on+0x9c/0x150 [ 88.530384][ T12] ? __pfx_kthread+0x10/0x10 [ 88.530395][ T12] ret_from_fork+0x3fc/0x770 [ 88.530408][ T12] ? __pfx_ret_from_fork+0x10/0x10 [ 88.530422][ T12] ? __pfx_kthread+0x10/0x10 [ 88.530431][ T12] ret_from_fork_asm+0x1a/0x30 [ 88.530444][ T12] [ 88.530448][ T12] [ 88.838560][ T12] Allocated by task 12: [ 88.840228][ T12] kasan_save_track+0x3e/0x80 [ 88.842139][ T12] __kasan_kmalloc+0x93/0xb0 [ 88.844811][ T12] __kmalloc_node_track_caller_noprof+0x271/0x4e0 [ 88.850203][ T12] krealloc_noprof+0x124/0x340 [ 88.853455][ T12] __bch2_trans_kmalloc+0x26c/0xc80 [ 88.856813][ T12] bch2_alloc_sectors_start_trans+0x1d59/0x1e80 [ 88.859545][ T12] bch2_btree_reserve_get+0x641/0x1810 [ 88.861879][ T12] bch2_btree_update_start+0x147e/0x1dc0 [ 88.864205][ T12] bch2_btree_node_rewrite+0x17e/0x1120 [ 88.866503][ T12] async_btree_node_rewrite_work+0x370/0x840 [ 88.870727][ T12] process_scheduled_works+0xae1/0x17b0 [ 88.873794][ T12] worker_thread+0x8a0/0xda0 [ 88.875735][ T12] kthread+0x70e/0x8a0 [ 88.877714][ T12] ret_from_fork+0x3fc/0x770 [ 88.880867][ T12] ret_from_fork_asm+0x1a/0x30 [ 88.883105][ T12] [ 88.884805][ T12] Freed by task 12: [ 88.887719][ T12] kasan_save_track+0x3e/0x80 [ 88.890414][ T12] kasan_save_free_info+0x46/0x50 [ 88.893372][ T12] __kasan_slab_free+0x62/0x70 [ 88.895779][ T12] kfree+0x18e/0x440 [ 88.898225][ T12] krealloc_noprof+0x1cd/0x340 [ 88.900813][ T12] __bch2_trans_kmalloc+0x26c/0xc80 [ 88.903264][ T12] __bch2_trans_subbuf_alloc+0x2da/0x460 [ 88.905859][ T12] bch2_trans_log_str+0xd5/0x3c0 [ 88.909095][ T12] __bch2_fsck_err+0xc11/0xfb0 [ 88.911398][ T12] bch2_check_discard_freespace_key+0x71b/0xce0 [ 88.915237][ T12] bch2_bucket_alloc_trans+0x1333/0x2410 [ 88.917811][ T12] bch2_bucket_alloc_set_trans+0x5a6/0xe70 [ 88.920756][ T12] __open_bucket_add_buckets+0x1437/0x1e40 [ 88.923277][ T12] open_bucket_add_buckets+0x2ee/0x440 [ 88.925700][ T12] bch2_alloc_sectors_start_trans+0xd26/0x1e80 [ 88.928710][ T12] bch2_btree_reserve_get+0x641/0x1810 [ 88.930988][ T12] bch2_btree_update_start+0x147e/0x1dc0 [ 88.933570][ T12] bch2_btree_node_rewrite+0x17e/0x1120 [ 88.936756][ T12] async_btree_node_rewrite_work+0x370/0x840 [ 88.940065][ T12] process_scheduled_works+0xae1/0x17b0 [ 88.943775][ T12] worker_thread+0x8a0/0xda0 [ 88.947205][ T12] kthread+0x70e/0x8a0 [ 88.951082][ T12] ret_from_fork+0x3fc/0x770 [ 88.955615][ T12] ret_from_fork_asm+0x1a/0x30 [ 88.960728][ T12] [ 88.961844][ T12] The buggy address belongs to the object at ffff88801a0bc400 [ 88.961844][ T12] which belongs to the cache kmalloc-512 of size 512 [ 88.971157][ T12] The buggy address is located 288 bytes inside of [ 88.971157][ T12] freed 512-byte region [ffff88801a0bc400, ffff88801a0bc600) [ 88.976958][ T12] [ 88.978031][ T12] The buggy address belongs to the physical page: [ 88.980519][ T12] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a0bc [ 88.986787][ T12] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 88.991812][ T12] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 88.995827][ T12] page_type: f5(slab) [ 89.013393][ T12] raw: 00fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001 [ 89.031269][ T12] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 89.036813][ T12] head: 00fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001 [ 89.041407][ T12] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 89.057776][ T12] head: 00fff00000000001 ffffea0000682f01 00000000ffffffff 00000000ffffffff [ 89.061514][ T12] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 89.067966][ T12] page dumped because: kasan: bad access detected [ 89.075899][ T12] page_owner tracks the page as allocated [ 89.082108][ T12] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5018, tgid 5018 (dhcpcd), ts 52310762471, free_ts 32962241614 [ 89.110284][ T12] post_alloc_hook+0x240/0x2a0 [ 89.112385][ T12] get_page_from_freelist+0x21e4/0x22c0 [ 89.114786][ T12] __alloc_frozen_pages_noprof+0x181/0x370 [ 89.117235][ T12] alloc_pages_mpol+0x232/0x4a0 [ 89.119261][ T12] allocate_slab+0x8a/0x3b0 [ 89.122450][ T12] ___slab_alloc+0xbfc/0x1480 [ 89.126116][ T12] __kmalloc_noprof+0x305/0x4f0 [ 89.130940][ T12] tomoyo_init_log+0x1a6e/0x1f70 [ 89.137493][ T12] tomoyo_supervisor+0x340/0x1480 [ 89.140727][ T12] tomoyo_path_permission+0x25a/0x380 [ 89.145554][ T12] tomoyo_path_perm+0x392/0x4b0 [ 89.153346][ T12] security_inode_getattr+0x12f/0x330 [ 89.158909][ T12] __x64_sys_newfstat+0xfc/0x200 [ 89.164529][ T12] do_syscall_64+0xfa/0x3b0 [ 89.169599][ T12] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.174942][ T12] page last free pid 4734 tgid 4734 stack trace: [ 89.179737][ T12] __free_frozen_pages+0xc71/0xe70 [ 89.184084][ T12] __slab_free+0x326/0x400 [ 89.185940][ T12] qlist_free_all+0x97/0x140 [ 89.191157][ T12] kasan_quarantine_reduce+0x148/0x160 [ 89.194075][ T12] __kasan_slab_alloc+0x22/0x80 [ 89.196107][ T12] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 89.198353][ T12] getname_flags+0xb8/0x540 [ 89.200307][ T12] vfs_fstatat+0x43/0x170 [ 89.202203][ T12] __x64_sys_newfstatat+0x116/0x190 [ 89.207354][ T12] do_syscall_64+0xfa/0x3b0 [ 89.211181][ T12] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.215418][ T12] [ 89.217464][ T12] Memory state around the buggy address: [ 89.221088][ T12] ffff88801a0bc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.229177][ T12] ffff88801a0bc480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.233202][ T12] >ffff88801a0bc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.236954][ T12] ^ [ 89.239748][ T12] ffff88801a0bc580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.245086][ T12] ffff88801a0bc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 89.250177][ T12] ================================================================== [ 89.264934][ T4672] Bluetooth: hci0: command tx timeout [ 89.284426][ T12] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 89.289123][ T12] CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted 6.16.0-rc3-syzkaller-00121-gf02769e7f272 #0 PREEMPT(full) [ 89.295376][ T12] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 89.315468][ T12] Workqueue: btree_node_rewrite async_btree_node_rewrite_work [ 89.320059][ T12] Call Trace: [ 89.322876][ T12] [ 89.335774][ T12] dump_stack_lvl+0x99/0x250 [ 89.339660][ T12] ? __asan_memcpy+0x40/0x70 [ 89.341633][ T12] ? __pfx_dump_stack_lvl+0x10/0x10 [ 89.344031][ T12] ? __pfx__printk+0x10/0x10 [ 89.346192][ T12] panic+0x2db/0x790 [ 89.347840][ T12] ? __pfx_panic+0x10/0x10 [ 89.349682][ T12] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 89.352100][ T12] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 89.371010][ T12] ? print_memory_metadata+0x314/0x400 [ 89.392882][ T12] ? bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 89.395339][ T12] check_panic_on_warn+0x89/0xb0 [ 89.397566][ T12] ? bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 89.400260][ T12] end_report+0x78/0x160 [ 89.422364][ T12] kasan_report+0x129/0x150 [ 89.424434][ T12] ? bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 89.427214][ T12] bch2_bucket_alloc_trans+0x1aa0/0x2410 [ 89.429964][ T12] ? bch2_bucket_alloc_trans+0xcb4/0x2410 [ 89.450037][ T12] ? __pfx_bch2_bucket_alloc_trans+0x10/0x10 [ 89.452958][ T12] ? bch2_bucket_alloc_trans+0xcb4/0x2410 [ 89.457529][ T12] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70 [ 89.461865][ T12] bch2_bucket_alloc_set_trans+0x5a6/0xe70 [ 89.467057][ T12] ? bch2_bucket_alloc_set_trans+0x1eb/0xe70 [ 89.482998][ T12] ? __open_bucket_add_buckets+0x783/0x1e40 [ 89.492795][ T12] __open_bucket_add_buckets+0x1437/0x1e40 [ 89.496301][ T12] open_bucket_add_buckets+0x2ee/0x440 [ 89.504470][ T12] bch2_alloc_sectors_start_trans+0xd26/0x1e80 [ 89.506960][ T12] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 89.509338][ T12] bch2_btree_reserve_get+0x641/0x1810 [ 89.511698][ T12] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 89.514132][ T12] ? __pfx_bch2_btree_reserve_get+0x10/0x10 [ 89.516492][ T12] ? __pfx___bch2_disk_reservation_add+0x10/0x10 [ 89.522708][ T12] ? bch2_btree_update_start+0xadb/0x1dc0 [ 89.527435][ T12] bch2_btree_update_start+0x147e/0x1dc0 [ 89.529742][ T12] ? bch2_btree_path_traverse_one+0x91e/0x21d0 [ 89.532150][ T12] ? bch2_btree_node_rewrite+0x17e/0x1120 [ 89.536786][ T12] ? __pfx_bch2_btree_update_start+0x10/0x10 [ 89.541351][ T12] ? bch2_btree_path_traverse_one+0x91e/0x21d0 [ 89.546275][ T12] ? async_btree_node_rewrite_work+0x1e1/0x840 [ 89.549116][ T12] ? bch2_btree_iter_peek_node+0x566/0xbe0 [ 89.551931][ T12] ? bch2_btree_iter_verify+0x1d/0x360 [ 89.556723][ T12] bch2_btree_node_rewrite+0x17e/0x1120 [ 89.560617][ T12] async_btree_node_rewrite_work+0x370/0x840 [ 89.569373][ T12] ? __pfx_async_btree_node_rewrite_work+0x10/0x10 [ 89.572048][ T12] ? async_btree_node_rewrite_work+0x1d2/0x840 [ 89.574508][ T12] ? _raw_spin_unlock_irq+0x23/0x50 [ 89.576650][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 89.579107][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 89.581988][ T12] process_scheduled_works+0xae1/0x17b0 [ 89.584663][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 89.587571][ T12] worker_thread+0x8a0/0xda0 [ 89.591090][ T12] kthread+0x70e/0x8a0 [ 89.593466][ T12] ? __pfx_worker_thread+0x10/0x10 [ 89.596972][ T12] ? __pfx_kthread+0x10/0x10 [ 89.599931][ T12] ? _raw_spin_unlock_irq+0x23/0x50 [ 89.602944][ T12] ? lockdep_hardirqs_on+0x9c/0x150 [ 89.605765][ T12] ? __pfx_kthread+0x10/0x10 [ 89.609408][ T12] ret_from_fork+0x3fc/0x770 [ 89.612671][ T12] ? __pfx_ret_from_fork+0x10/0x10 [ 89.616252][ T12] ? __pfx_kthread+0x10/0x10 [ 89.620261][ T12] ret_from_fork_asm+0x1a/0x30 [ 89.622708][ T12] [ 89.624463][ T12] Kernel Offset: disabled [ 89.626232][ T12] Rebooting in 86400 seconds..