./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1509844993 <...> Warning: Permanently added '10.128.1.15' (ED25519) to the list of known hosts. execve("./syz-executor1509844993", ["./syz-executor1509844993"], 0x7fff13dab640 /* 10 vars */) = 0 brk(NULL) = 0x5555890f2000 brk(0x5555890f2d00) = 0x5555890f2d00 arch_prctl(ARCH_SET_FS, 0x5555890f2380) = 0 set_tid_address(0x5555890f2650) = 5088 set_robust_list(0x5555890f2660, 24) = 0 rseq(0x5555890f2ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1509844993", 4096) = 28 getrandom("\x2a\xfc\x7b\x06\x6d\x26\xef\x32", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555890f2d00 brk(0x555589113d00) = 0x555589113d00 brk(0x555589114000) = 0x555589114000 mprotect(0x7fa32b645000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa323000000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 munmap(0x7fa323000000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 close(4) = 0 mkdir("./file1", 0777) = 0 [ 55.687628][ T5088] loop0: detected capacity change from 0 to 32768 [ 55.740320][ T5088] bcachefs (/dev/loop0): error reading default superblock: Not a bcachefs superblock (got magic c68573f6-4e1a-4502-8265-f57f48ba6d81) [ 55.784082][ T5088] bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=metadata_checksum=none,data_checksum=none,compression=lz4,nojournal_transaction_names [ 55.799491][ T5088] bcachefs (loop0): recovering from clean shutdown, journal seq 13 [ 55.817485][ T5088] bcachefs (loop0): alloc_read... done [ 55.823203][ T5088] bcachefs (loop0): stripes_read... done mount("/dev/loop0", "./file1", "bcachefs", 0, "017777777777777777777770x0000000000000000") = 0 openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 chdir("./file1") = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 creat("./bus", 000) = 4 [ 55.828905][ T5088] bcachefs (loop0): snapshots_read... done [ 55.836704][ T5088] bcachefs (loop0): journal_replay... done [ 55.842533][ T5088] bcachefs (loop0): resume_logged_ops... done [ 55.848799][ T5088] bcachefs (loop0): going read-write [ 55.857026][ T5088] bcachefs (loop0): done starting filesystem open("./bus", O_RDONLY) = 5 write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1088) = 1088 fcntl(5, F_SETFL, O_RDONLY|O_APPEND|O_NONBLOCK|O_DIRECT|O_NOATIME|FASYNC) = 0 io_setup(6, [0x7fa32b57e000]) = 0 open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 6 [ 55.909677][ T29] audit: type=1804 audit(1715449197.317:2): pid=5088 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=open_writers comm="syz-executor150" name="/root/file1/bus" dev="loop0" ino=1073741827 res=1 errno=0 [ 55.931574][ T29] audit: type=1804 audit(1715449197.317:3): pid=5088 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=ToMToU comm="syz-executor150" name="/root/file1/bus" dev="loop0" ino=1073741827 res=1 errno=0 mmap(0x20000000, 6291456, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSUP|0x7ffff0, MAP_SHARED|MAP_FIXED|MAP_LOCKED|1< [ 56.063284][ T12] dump_stack_lvl+0x241/0x360 [ 56.067952][ T12] ? __pfx_dump_stack_lvl+0x10/0x10 [ 56.073129][ T12] ? __pfx__printk+0x10/0x10 [ 56.077701][ T12] ? _printk+0xd5/0x120 [ 56.081842][ T12] print_report+0x169/0x550 [ 56.086325][ T12] ? __virt_addr_valid+0xbd/0x520 [ 56.091328][ T12] ? __bch2_encrypt_bio+0x84d/0xb10 [ 56.096502][ T12] kasan_report+0x143/0x180 [ 56.100985][ T12] ? __bch2_encrypt_bio+0x84d/0xb10 [ 56.106162][ T12] __bch2_encrypt_bio+0x84d/0xb10 [ 56.111162][ T12] ? __pfx_validate_chain+0x10/0x10 [ 56.116336][ T12] ? __lock_acquire+0x1346/0x1fd0 [ 56.121338][ T12] ? __pfx___bch2_encrypt_bio+0x10/0x10 [ 56.126866][ T12] ? __poly1305_init_avx+0x172/0x1f0 [ 56.132130][ T12] ? poly1305_blocks_avx2+0x273/0x790 [ 56.137488][ T12] ? kernel_fpu_end+0x51/0x80 [ 56.142141][ T12] ? poly1305_simd_blocks+0x115/0x520 [ 56.147502][ T12] ? ret_from_fork_asm+0x1a/0x30 [ 56.152418][ T12] ? ret_from_fork_asm+0x1a/0x30 [ 56.157336][ T12] ? __asan_memset+0x23/0x50 [ 56.161905][ T12] ? poly1305_final_arch+0x85/0x240 [ 56.167090][ T12] ? crypto_poly1305_final+0x4b/0x90 [ 56.172351][ T12] ? __bch2_checksum_bio+0xfb1/0x1160 [ 56.177702][ T12] ? __asan_memcpy+0x40/0x70 [ 56.182275][ T12] ? __bch2_checksum_bio+0xfb1/0x1160 [ 56.187625][ T12] ? __pfx___bch2_checksum_bio+0x10/0x10 [ 56.193237][ T12] ? lockdep_unlock+0x16a/0x300 [ 56.198064][ T12] ? __pfx_lockdep_unlock+0x10/0x10 [ 56.203238][ T12] ? add_lock_to_list+0x1de/0x2e0 [ 56.208269][ T12] ? __bio_advance+0x2ef/0x4e0 [ 56.213015][ T12] __bch2_read_endio+0x8ab/0x23c0 [ 56.218020][ T12] ? __pfx___bch2_read_endio+0x10/0x10 [ 56.223455][ T12] ? __pfx_lock_acquire+0x10/0x10 [ 56.228452][ T12] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 56.234415][ T12] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 56.240721][ T12] ? process_scheduled_works+0x945/0x1830 [ 56.246415][ T12] process_scheduled_works+0xa2c/0x1830 [ 56.251942][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 56.257904][ T12] ? assign_work+0x364/0x3d0 [ 56.262470][ T12] worker_thread+0x86d/0xd70 [ 56.267040][ T12] ? __kthread_parkme+0x169/0x1d0 [ 56.272041][ T12] ? __pfx_worker_thread+0x10/0x10 [ 56.277126][ T12] kthread+0x2f0/0x390 [ 56.281177][ T12] ? __pfx_worker_thread+0x10/0x10 [ 56.286284][ T12] ? __pfx_kthread+0x10/0x10 [ 56.290854][ T12] ret_from_fork+0x4b/0x80 [ 56.295251][ T12] ? __pfx_kthread+0x10/0x10 [ 56.299820][ T12] ret_from_fork_asm+0x1a/0x30 [ 56.304586][ T12] [ 56.307583][ T12] [ 56.309885][ T12] The buggy address belongs to stack of task kworker/u8:1/12 [ 56.317226][ T12] and is located at offset 1120 in frame: [ 56.322998][ T12] __bch2_encrypt_bio+0x0/0xb10 [ 56.327828][ T12] [ 56.330128][ T12] This frame has 5 objects: [ 56.334600][ T12] [32, 48) 'nonce.i115' [ 56.334607][ T12] [64, 528) '__req_desc.i116' [ 56.338817][ T12] [592, 608) 'nonce.i' [ 56.343553][ T12] [624, 1088) '__req_desc.i' [ 56.347680][ T12] [1152, 1664) 'sgl' [ 56.352325][ T12] [ 56.358573][ T12] The buggy address belongs to the virtual mapping at [ 56.358573][ T12] [ffffc90000110000, ffffc90000119000) created by: [ 56.358573][ T12] copy_process+0x5d1/0x3dc0 [ 56.376165][ T12] [ 56.378464][ T12] The buggy address belongs to the physical page: [ 56.384852][ T12] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17297 [ 56.393584][ T12] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 56.400670][ T12] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 56.409229][ T12] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 56.417781][ T12] page dumped because: kasan: bad access detected [ 56.424165][ T12] page_owner tracks the page as allocated [ 56.429851][ T12] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 2480284041, free_ts 0 [ 56.447182][ T12] post_alloc_hook+0x1f3/0x230 [ 56.451929][ T12] get_page_from_freelist+0x2ce2/0x2d90 [ 56.457451][ T12] __alloc_pages_noprof+0x256/0x6c0 [ 56.462626][ T12] alloc_pages_mpol_noprof+0x3e8/0x680 [ 56.468062][ T12] __vmalloc_node_range_noprof+0x9a4/0x1490 [ 56.473933][ T12] dup_task_struct+0x444/0x8c0 [ 56.478671][ T12] copy_process+0x5d1/0x3dc0 [ 56.483232][ T12] kernel_clone+0x226/0x8f0 [ 56.487709][ T12] kernel_thread+0x1bc/0x240 [ 56.492272][ T12] kthreadd+0x60d/0x810 [ 56.496402][ T12] ret_from_fork+0x4b/0x80 [ 56.500792][ T12] ret_from_fork_asm+0x1a/0x30 [ 56.505531][ T12] page_owner free stack trace missing [ 56.510869][ T12] [ 56.513168][ T12] Memory state around the buggy address: [ 56.518772][ T12] ffffc90000117580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.526805][ T12] ffffc90000117600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.534838][ T12] >ffffc90000117680: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 [ 56.542867][ T12] ^ [ 56.547946][ T12] ffffc90000117700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.555980][ T12] ffffc90000117780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.564013][ T12] ================================================================== [ 56.592394][ T12] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 56.599607][ T12] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.9.0-rc7-next-20240510-syzkaller #0 [ 56.609066][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 56.619126][ T12] Workqueue: events_unbound __bch2_read_endio [ 56.625214][ T12] Call Trace: [ 56.628495][ T12] [ 56.631428][ T12] dump_stack_lvl+0x241/0x360 [ 56.636124][ T12] ? __pfx_dump_stack_lvl+0x10/0x10 [ 56.641336][ T12] ? __pfx__printk+0x10/0x10 [ 56.645941][ T12] ? preempt_schedule+0xe1/0xf0 [ 56.650807][ T12] ? vscnprintf+0x5d/0x90 [ 56.655146][ T12] panic+0x349/0x860 [ 56.659054][ T12] ? check_panic_on_warn+0x21/0xb0 [ 56.664175][ T12] ? __pfx_panic+0x10/0x10 [ 56.668606][ T12] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 56.674599][ T12] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 56.680935][ T12] ? print_report+0x502/0x550 [ 56.685627][ T12] check_panic_on_warn+0x86/0xb0 [ 56.690580][ T12] ? __bch2_encrypt_bio+0x84d/0xb10 [ 56.695795][ T12] end_report+0x77/0x160 [ 56.700045][ T12] kasan_report+0x154/0x180 [ 56.704560][ T12] ? __bch2_encrypt_bio+0x84d/0xb10 [ 56.709773][ T12] __bch2_encrypt_bio+0x84d/0xb10 [ 56.714807][ T12] ? __pfx_validate_chain+0x10/0x10 [ 56.720013][ T12] ? __lock_acquire+0x1346/0x1fd0 [ 56.725046][ T12] ? __pfx___bch2_encrypt_bio+0x10/0x10 [ 56.730614][ T12] ? __poly1305_init_avx+0x172/0x1f0 [ 56.735918][ T12] ? poly1305_blocks_avx2+0x273/0x790 [ 56.741305][ T12] ? kernel_fpu_end+0x51/0x80 [ 56.745991][ T12] ? poly1305_simd_blocks+0x115/0x520 [ 56.751369][ T12] ? ret_from_fork_asm+0x1a/0x30 [ 56.756325][ T12] ? ret_from_fork_asm+0x1a/0x30 [ 56.761276][ T12] ? __asan_memset+0x23/0x50 [ 56.765880][ T12] ? poly1305_final_arch+0x85/0x240 [ 56.771084][ T12] ? crypto_poly1305_final+0x4b/0x90 [ 56.776377][ T12] ? __bch2_checksum_bio+0xfb1/0x1160 [ 56.781761][ T12] ? __asan_memcpy+0x40/0x70 [ 56.786364][ T12] ? __bch2_checksum_bio+0xfb1/0x1160 [ 56.791748][ T12] ? __pfx___bch2_checksum_bio+0x10/0x10 [ 56.797393][ T12] ? lockdep_unlock+0x16a/0x300 [ 56.802251][ T12] ? __pfx_lockdep_unlock+0x10/0x10 [ 56.807460][ T12] ? add_lock_to_list+0x1de/0x2e0 [ 56.812535][ T12] ? __bio_advance+0x2ef/0x4e0 [ 56.817316][ T12] __bch2_read_endio+0x8ab/0x23c0 [ 56.822358][ T12] ? __pfx___bch2_read_endio+0x10/0x10 [ 56.827837][ T12] ? __pfx_lock_acquire+0x10/0x10 [ 56.832874][ T12] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 56.838865][ T12] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 56.845207][ T12] ? process_scheduled_works+0x945/0x1830 [ 56.850934][ T12] process_scheduled_works+0xa2c/0x1830 [ 56.856504][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 56.862495][ T12] ? assign_work+0x364/0x3d0 [ 56.867094][ T12] worker_thread+0x86d/0xd70 [ 56.871701][ T12] ? __kthread_parkme+0x169/0x1d0 [ 56.876737][ T12] ? __pfx_worker_thread+0x10/0x10 [ 56.881862][ T12] kthread+0x2f0/0x390 [ 56.885946][ T12] ? __pfx_worker_thread+0x10/0x10 [ 56.891068][ T12] ? __pfx_kthread+0x10/0x10 [ 56.895679][ T12] ret_from_fork+0x4b/0x80 [ 56.900114][ T12] ? __pfx_kthread+0x10/0x10 [ 56.904728][ T12] ret_from_fork_asm+0x1a/0x30 [ 56.909515][ T12] [ 56.912613][ T12] Kernel Offset: disabled [ 56.916919][ T12] Rebooting in 86400 seconds..