./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1225542904 <...> Warning: Permanently added '10.128.0.106' (ECDSA) to the list of known hosts. execve("./syz-executor1225542904", ["./syz-executor1225542904"], 0x7ffc685313b0 /* 10 vars */) = 0 brk(NULL) = 0x55555649a000 brk(0x55555649ac40) = 0x55555649ac40 arch_prctl(ARCH_SET_FS, 0x55555649a300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1225542904", 4096) = 28 brk(0x5555564bbc40) = 0x5555564bbc40 brk(0x5555564bc000) = 0x5555564bc000 mprotect(0x7f2e8023e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555649a5d0) = 3605 ./strace-static-x86_64: Process 3605 attached [pid 3605] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3605] setpgid(0, 0) = 0 [pid 3605] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3605] write(3, "1000", 4) = 4 [pid 3605] close(3) = 0 [pid 3605] memfd_create("syzkaller", 0) = 3 [pid 3605] ftruncate(3, 32768) = 0 [pid 3605] pwrite64(3, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23, 0) = 23 [pid 3605] pwrite64(3, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82"..., 450, 256) = 450 [pid 3605] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3605] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3605] mkdir("./file0", 0777) = 0 [pid 3605] mount("/dev/loop0", "./file0", "vfat", MS_POSIXACL|MS_LAZYTIME, "iocharset=cp852,nonumtail=0,flush,shortname=lower,debug,utf8=1,discard,shortname=lower,nonumtail=0,u"...) = 0 [pid 3605] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5 [pid 3605] ioctl(4, LOOP_CLR_FD) = 0 [pid 3605] close(4) = 0 [pid 3605] close(3) = 0 [pid 3605] chdir("./file0") = 0 [pid 3605] creat("./bus", 000) = 3 [pid 3605] unlink("./bus") = 0 [pid 3605] write(3, "\x31\x30\x30\x30\x30\x30\x30\x00", 8) = -1 ENOSPC (No space left on device) [pid 3605] exit_group(0) = ? [ 37.411948][ T3605] loop0: detected capacity change from 0 to 64 [ 37.417167][ T3606] I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2 [pid 3605] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3605, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555649a5d0) = 3607 ./strace-static-x86_64: Process 3607 attached [pid 3607] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3607] setpgid(0, 0) = 0 [pid 3607] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3607] write(3, "1000", 4) = 4 [pid 3607] close(3) = 0 [pid 3607] memfd_create("syzkaller", 0) = 3 [pid 3607] ftruncate(3, 32768) = 0 [pid 3607] pwrite64(3, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23, 0) = 23 [pid 3607] pwrite64(3, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82"..., 450, 256) = 450 [pid 3607] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3607] ioctl(4, LOOP_SET_FD, 3) = -1 EBUSY (Device or resource busy) [pid 3607] ioctl(4, LOOP_CLR_FD) = 0 [pid 3607] ioctl(4, LOOP_SET_FD, 3) = -1 EBUSY (Device or resource busy) [pid 3607] close(4) = 0 [pid 3607] close(3) = 0 [pid 3607] chdir("./file0") = 0 [pid 3607] creat("./bus", 000) = 3 [pid 3607] unlink("./bus") = 0 [pid 3607] write(3, "\x31\x30\x30\x30\x30\x30\x30\x00", 8) = -1 ENOSPC (No space left on device) [pid 3607] exit_group(0) = ? [ 37.680218][ T3607] ================================================================== [ 37.688299][ T3607] BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 [ 37.696089][ T3607] Read of size 8 at addr ffff888073d495d0 by task syz-executor122/3607 [ 37.704301][ T3607] [ 37.706613][ T3607] CPU: 0 PID: 3607 Comm: syz-executor122 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 [ 37.716997][ T3607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 37.727029][ T3607] Call Trace: [ 37.730287][ T3607] [ 37.733198][ T3607] dump_stack_lvl+0x1b1/0x28e [ 37.737859][ T3607] ? nf_tcp_handle_invalid+0x62e/0x62e [ 37.743296][ T3607] ? __wake_up_klogd+0xcd/0x100 [ 37.748140][ T3607] ? panic+0x710/0x710 [ 37.752190][ T3607] ? _printk+0xc0/0x100 [ 37.756327][ T3607] print_address_description+0x74/0x340 [ 37.761853][ T3607] print_report+0x107/0x1f0 [ 37.766334][ T3607] ? _raw_spin_lock+0x40/0x40 [ 37.770991][ T3607] ? __virt_addr_valid+0x21b/0x2d0 [ 37.776080][ T3607] ? __phys_addr+0xb5/0x160 [ 37.780562][ T3607] ? __list_del_entry_valid+0xa6/0x130 [ 37.786008][ T3607] kasan_report+0xcd/0x100 [ 37.790412][ T3607] ? __list_del_entry_valid+0xa6/0x130 [ 37.795857][ T3607] __list_del_entry_valid+0xa6/0x130 [ 37.801128][ T3607] inode_io_list_del+0x6e/0x180 [ 37.805966][ T3607] ? evict+0x102/0x620 [ 37.810025][ T3607] evict+0x10a/0x620 [ 37.813905][ T3607] ? iput+0x516/0x760 [ 37.817872][ T3607] __dentry_kill+0x3b1/0x5b0 [ 37.822448][ T3607] dentry_kill+0xbb/0x290 [ 37.826760][ T3607] dput+0x1f3/0x410 [ 37.830553][ T3607] __fput+0x5e4/0x880 [ 37.834544][ T3607] task_work_run+0x243/0x300 [ 37.839136][ T3607] ? task_work_cancel+0x290/0x290 [ 37.844154][ T3607] ? switch_task_namespaces+0xaf/0xe0 [ 37.849531][ T3607] do_exit+0x664/0x2070 [ 37.853682][ T3607] ? __lock_acquire+0x1f60/0x1f60 [ 37.858699][ T3607] ? ptrace_notify+0x245/0x340 [ 37.863451][ T3607] ? mm_update_next_owner+0x6d0/0x6d0 [ 37.868810][ T3607] ? print_irqtrace_events+0x220/0x220 [ 37.874261][ T3607] do_group_exit+0x1fd/0x2b0 [ 37.878837][ T3607] __x64_sys_exit_group+0x3b/0x40 [ 37.883851][ T3607] do_syscall_64+0x3d/0xb0 [ 37.888256][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 37.894136][ T3607] RIP: 0033:0x7f2e801d03e9 [ 37.898535][ T3607] Code: Unable to access opcode bytes at 0x7f2e801d03bf. [ 37.905551][ T3607] RSP: 002b:00007ffd16778008 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 37.913950][ T3607] RAX: ffffffffffffffda RBX: 00007f2e80244330 RCX: 00007f2e801d03e9 [ 37.921905][ T3607] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 37.929859][ T3607] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f2e8023eec0 [ 37.937813][ T3607] R10: 00007f2e8023eec0 R11: 0000000000000246 R12: 00007f2e80244330 [ 37.945767][ T3607] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 37.953724][ T3607] [ 37.956729][ T3607] [ 37.959035][ T3607] Allocated by task 3605: [ 37.963341][ T3607] kasan_set_track+0x3d/0x60 [ 37.967916][ T3607] __kasan_slab_alloc+0x65/0x70 [ 37.972750][ T3607] kmem_cache_alloc_lru+0x180/0x2e0 [ 37.977933][ T3607] fat_alloc_inode+0x25/0xc0 [ 37.982509][ T3607] new_inode_pseudo+0x61/0x1d0 [ 37.987255][ T3607] new_inode+0x25/0x1d0 [ 37.991393][ T3607] fat_build_inode+0x1e8/0x3e0 [ 37.996141][ T3607] vfat_create+0x1ef/0x2e0 [ 38.000547][ T3607] path_openat+0x12d0/0x2df0 [ 38.005122][ T3607] do_filp_open+0x264/0x4f0 [ 38.009608][ T3607] do_sys_openat2+0x124/0x4e0 [ 38.014268][ T3607] __x64_sys_creat+0x11f/0x160 [ 38.019018][ T3607] do_syscall_64+0x3d/0xb0 [ 38.023420][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 38.029313][ T3607] [ 38.031632][ T3607] Freed by task 0: [ 38.035336][ T3607] kasan_set_track+0x3d/0x60 [ 38.039933][ T3607] kasan_save_free_info+0x27/0x40 [ 38.044952][ T3607] ____kasan_slab_free+0xd6/0x120 [ 38.049964][ T3607] slab_free_freelist_hook+0x12e/0x1a0 [ 38.055410][ T3607] kmem_cache_free+0x94/0x1d0 [ 38.060080][ T3607] rcu_core+0x9c1/0x1690 [ 38.064314][ T3607] __do_softirq+0x277/0x738 [ 38.068812][ T3607] [ 38.071128][ T3607] Last potentially related work creation: [ 38.076824][ T3607] kasan_save_stack+0x2b/0x50 [ 38.081484][ T3607] __kasan_record_aux_stack+0xb0/0xc0 [ 38.086840][ T3607] call_rcu+0x163/0x9c0 [ 38.090976][ T3607] __dentry_kill+0x3b1/0x5b0 [ 38.095553][ T3607] dentry_kill+0xbb/0x290 [ 38.099862][ T3607] dput+0x1f3/0x410 [ 38.103652][ T3607] __fput+0x5e4/0x880 [ 38.107617][ T3607] task_work_run+0x243/0x300 [ 38.112190][ T3607] do_exit+0x664/0x2070 [ 38.116326][ T3607] do_group_exit+0x1fd/0x2b0 [ 38.120897][ T3607] __x64_sys_exit_group+0x3b/0x40 [ 38.125904][ T3607] do_syscall_64+0x3d/0xb0 [ 38.130303][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 38.136181][ T3607] [ 38.138488][ T3607] The buggy address belongs to the object at ffff888073d492f0 [ 38.138488][ T3607] which belongs to the cache fat_inode_cache of size 1488 [ 38.152954][ T3607] The buggy address is located 736 bytes inside of [ 38.152954][ T3607] 1488-byte region [ffff888073d492f0, ffff888073d498c0) [ 38.166294][ T3607] [ 38.168601][ T3607] The buggy address belongs to the physical page: [ 38.174994][ T3607] page:ffffea0001cf5200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73d48 [ 38.185124][ T3607] head:ffffea0001cf5200 order:3 compound_mapcount:0 compound_pincount:0 [ 38.193427][ T3607] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 38.201392][ T3607] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880193fd140 [ 38.209956][ T3607] raw: 0000000000000000 0000000080140014 00000001ffffffff 0000000000000000 [ 38.218518][ T3607] page dumped because: kasan: bad access detected [ 38.224907][ T3607] page_owner tracks the page as allocated [ 38.230599][ T3607] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 3605, tgid 3605 (syz-executor122), ts 37428549742, free_ts 11058035801 [ 38.253151][ T3607] get_page_from_freelist+0x742/0x7c0 [ 38.258513][ T3607] __alloc_pages+0x259/0x560 [ 38.263086][ T3607] alloc_slab_page+0x70/0xf0 [ 38.267663][ T3607] allocate_slab+0x5e/0x4b0 [ 38.272159][ T3607] ___slab_alloc+0x782/0xe20 [ 38.276735][ T3607] kmem_cache_alloc_lru+0x233/0x2e0 [ 38.281918][ T3607] fat_alloc_inode+0x25/0xc0 [ 38.286492][ T3607] new_inode_pseudo+0x61/0x1d0 [ 38.291239][ T3607] new_inode+0x25/0x1d0 [ 38.295380][ T3607] fat_fill_super+0x3278/0x4b00 [ 38.300214][ T3607] mount_bdev+0x26c/0x3a0 [ 38.304528][ T3607] legacy_get_tree+0xea/0x180 [ 38.309191][ T3607] vfs_get_tree+0x88/0x270 [ 38.313595][ T3607] do_new_mount+0x289/0xad0 [ 38.318087][ T3607] __se_sys_mount+0x2d3/0x3c0 [ 38.322751][ T3607] do_syscall_64+0x3d/0xb0 [ 38.327153][ T3607] page last free stack trace: [ 38.331805][ T3607] free_pcp_prepare+0x80c/0x8f0 [ 38.336640][ T3607] free_unref_page+0x7d/0x5f0 [ 38.341296][ T3607] free_contig_range+0xa3/0x160 [ 38.346130][ T3607] destroy_args+0xfe/0x935 [ 38.350535][ T3607] debug_vm_pgtable+0x44d/0x4a6 [ 38.355372][ T3607] do_one_initcall+0x1c9/0x400 [ 38.360123][ T3607] do_initcall_level+0x168/0x218 [ 38.365044][ T3607] do_initcalls+0x4b/0x8c [ 38.369357][ T3607] kernel_init_freeable+0x428/0x5d5 [ 38.374542][ T3607] kernel_init+0x19/0x2b0 [ 38.378854][ T3607] ret_from_fork+0x1f/0x30 [ 38.383256][ T3607] [ 38.385563][ T3607] Memory state around the buggy address: [ 38.391172][ T3607] ffff888073d49480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.399215][ T3607] ffff888073d49500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.407255][ T3607] >ffff888073d49580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.415292][ T3607] ^ [ 38.421943][ T3607] ffff888073d49600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.429982][ T3607] ffff888073d49680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.438021][ T3607] ================================================================== [ 38.446190][ T3607] Kernel panic - not syncing: panic_on_warn set ... [ 38.452770][ T3607] CPU: 0 PID: 3607 Comm: syz-executor122 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 [ 38.463164][ T3607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 38.473200][ T3607] Call Trace: [ 38.476464][ T3607] [ 38.479383][ T3607] dump_stack_lvl+0x1b1/0x28e [ 38.484050][ T3607] ? nf_tcp_handle_invalid+0x62e/0x62e [ 38.489498][ T3607] ? panic+0x710/0x710 [ 38.493557][ T3607] ? vscnprintf+0x59/0x80 [ 38.497871][ T3607] panic+0x2d6/0x710 [ 38.501756][ T3607] ? memcpy_page_flushcache+0xfc/0xfc [ 38.507114][ T3607] ? _raw_spin_unlock_irqrestore+0xbc/0x120 [ 38.512993][ T3607] ? _raw_spin_unlock_irqrestore+0xc1/0x120 [ 38.518869][ T3607] ? print_report+0x1b4/0x1f0 [ 38.523538][ T3607] ? __list_del_entry_valid+0xa6/0x130 [ 38.528981][ T3607] end_report+0x91/0xa0 [ 38.533121][ T3607] kasan_report+0xda/0x100 [ 38.537524][ T3607] ? __list_del_entry_valid+0xa6/0x130 [ 38.542974][ T3607] __list_del_entry_valid+0xa6/0x130 [ 38.548332][ T3607] inode_io_list_del+0x6e/0x180 [ 38.553171][ T3607] ? evict+0x102/0x620 [ 38.557226][ T3607] evict+0x10a/0x620 [ 38.561106][ T3607] ? iput+0x516/0x760 [ 38.565079][ T3607] __dentry_kill+0x3b1/0x5b0 [ 38.569659][ T3607] dentry_kill+0xbb/0x290 [ 38.573972][ T3607] dput+0x1f3/0x410 [ 38.577765][ T3607] __fput+0x5e4/0x880 [ 38.581740][ T3607] task_work_run+0x243/0x300 [ 38.586314][ T3607] ? task_work_cancel+0x290/0x290 [ 38.591323][ T3607] ? switch_task_namespaces+0xaf/0xe0 [ 38.596685][ T3607] do_exit+0x664/0x2070 [ 38.600828][ T3607] ? __lock_acquire+0x1f60/0x1f60 [ 38.605840][ T3607] ? ptrace_notify+0x245/0x340 [ 38.610591][ T3607] ? mm_update_next_owner+0x6d0/0x6d0 [ 38.615944][ T3607] ? print_irqtrace_events+0x220/0x220 [ 38.621392][ T3607] do_group_exit+0x1fd/0x2b0 [ 38.625969][ T3607] __x64_sys_exit_group+0x3b/0x40 [ 38.630975][ T3607] do_syscall_64+0x3d/0xb0 [ 38.635378][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 38.641260][ T3607] RIP: 0033:0x7f2e801d03e9 [ 38.645658][ T3607] Code: Unable to access opcode bytes at 0x7f2e801d03bf. [ 38.652655][ T3607] RSP: 002b:00007ffd16778008 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 38.661052][ T3607] RAX: ffffffffffffffda RBX: 00007f2e80244330 RCX: 00007f2e801d03e9 [ 38.669013][ T3607] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 38.676967][ T3607] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f2e8023eec0 [ 38.684921][ T3607] R10: 00007f2e8023eec0 R11: 0000000000000246 R12: 00007f2e80244330 [ 38.692873][ T3607] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 38.701431][ T3607] [ 38.704591][ T3607] Kernel Offset: disabled [ 38.708904][ T3607] Rebooting in 86400 seconds..