./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1096464629
<...>
DUID 00:04:d9:3a:76:1c:b4:63:be:bc:0b:c2:08:9c:83:36:98:31
forked to background, child pid 3187
[ 27.254998][ T3188] 8021q: adding VLAN 0 to HW filter on device bond0
[ 27.269320][ T3188] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.107' (ECDSA) to the list of known hosts.
execve("./syz-executor1096464629", ["./syz-executor1096464629"], 0x7fff5bff1c00 /* 10 vars */) = 0
brk(NULL) = 0x555555cff000
brk(0x555555cffd00) = 0x555555cffd00
arch_prctl(ARCH_SET_FS, 0x555555cff3c0) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1096464629", 4096) = 28
brk(0x555555d20d00) = 0x555555d20d00
brk(0x555555d21000) = 0x555555d21000
mprotect(0x7fb308ec6000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7fb308e17ae0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7fb308e17f80}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7fb308e17ae0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7fb308e17f80}, NULL, 8) = 0
memfd_create("syzkaller", 0) = 3
ftruncate(3, 0) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
mkdir("./file0", 0777) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
pipe2([5, 6], 0) = 0
write(6, "\x15\x00\x00\x00\x61\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 21) = 21
dup(6) = 7
mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000007,") = -1 EREMOTEIO (Remote I/O error)
write(7, "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 24) = 24
write(7, "\xb0\x00\x00\x00\x00\x00\x00\x6b\x2e\x7f\xb3\xf3\x73\x25\x10\x28\xe4\x79\x55\xa6\x04\xc6\x09\x00\x00\x00\xa7\xa3\x5e\x95\x0c\x87\x04\x66\x22\xf3\x47\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 176) = 176
write(7, "\x4c\x01\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 311) = 311
mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000006,") = 0
syzkaller login: [ 61.683095][ T26] ==================================================================
[ 61.691197][ T26] BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0xa46/0x1000
[ 61.698807][ T26] Write of size 22 at addr ffff88807c395f47 by task kworker/1:1/26
[ 61.706674][ T26]
[ 61.708978][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0
[ 61.718847][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 61.728988][ T26] Workqueue: events p9_read_work
[ 61.733917][ T26] Call Trace:
[ 61.737179][ T26] <TASK>
[ 61.740097][ T26] dump_stack_lvl+0x1e3/0x2cb
[ 61.744756][ T26] ? nf_tcp_handle_invalid+0x62e/0x62e
[ 61.750195][ T26] ? __wake_up_klogd+0xcd/0x100
[ 61.755043][ T26] ? panic+0x766/0x766
[ 61.759093][ T26] ? _printk+0xcf/0x10f
[ 61.763242][ T26] ? _raw_spin_lock_irqsave+0xac/0x120
[ 61.768684][ T26] print_address_description+0x74/0x340
[ 61.774212][ T26] print_report+0x107/0x220
[ 61.778698][ T26] ? __virt_addr_valid+0x21b/0x2d0
[ 61.783790][ T26] ? __phys_addr+0xb5/0x160
[ 61.788285][ T26] ? _copy_to_iter+0xa46/0x1000
[ 61.793118][ T26] kasan_report+0x139/0x170
[ 61.797605][ T26] ? _copy_to_iter+0xa46/0x1000
[ 61.802437][ T26] kasan_check_range+0x2a7/0x2e0
[ 61.807355][ T26] ? _copy_to_iter+0xa46/0x1000
[ 61.812194][ T26] memcpy+0x3c/0x60
[ 61.815989][ T26] _copy_to_iter+0xa46/0x1000
[ 61.821348][ T26] ? stack_trace_snprint+0xf0/0xf0
[ 61.826443][ T26] ? iov_iter_init+0x1a0/0x1a0
[ 61.831190][ T26] ? mutex_lock_io_nested+0x60/0x60
[ 61.836371][ T26] ? validate_chain+0x126/0x6470
[ 61.841291][ T26] ? page_copy_sane+0x46/0x3a0
[ 61.846038][ T26] copy_page_to_iter+0xd2/0x1b0
[ 61.850873][ T26] pipe_read+0x58a/0x12a0
[ 61.855195][ T26] ? pipe_wait_writable+0x5a0/0x5a0
[ 61.860379][ T26] ? mark_lock+0x9a/0x350
[ 61.864692][ T26] ? register_lock_class+0xfe/0x9b0
[ 61.869878][ T26] ? iov_iter_kvec+0x4a/0x1a0
[ 61.874546][ T26] __kernel_read+0x3c4/0x7e0
[ 61.879142][ T26] ? rw_verify_area+0x1a0/0x1a0
[ 61.883983][ T26] ? security_file_permission+0x45f/0x5c0
[ 61.889689][ T26] ? kernel_read+0xc1/0x1f0
[ 61.894175][ T26] p9_read_work+0x389/0xfa0
[ 61.898662][ T26] ? p9_conn_create+0x5b0/0x5b0
[ 61.903512][ T26] process_one_work+0x81c/0xd10
[ 61.908353][ T26] ? worker_detach_from_pool+0x260/0x260
[ 61.913968][ T26] ? _raw_spin_lock_irqsave+0x120/0x120
[ 61.919500][ T26] ? kthread_data+0x4d/0xc0
[ 61.923986][ T26] ? wq_worker_running+0x95/0x190
[ 61.928996][ T26] worker_thread+0xb14/0x1330
[ 61.933667][ T26] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 61.939547][ T26] kthread+0x266/0x300
[ 61.943595][ T26] ? rcu_lock_release+0x20/0x20
[ 61.948429][ T26] ? kthread_blkcg+0xd0/0xd0
[ 61.953007][ T26] ret_from_fork+0x1f/0x30
[ 61.957415][ T26] </TASK>
[ 61.960413][ T26]
[ 61.962715][ T26] Allocated by task 3608:
[ 61.967027][ T26] kasan_set_track+0x4c/0x70
[ 61.971597][ T26] __kasan_kmalloc+0x97/0xb0
[ 61.976165][ T26] __kmalloc+0xaf/0x1a0
[ 61.980302][ T26] p9_client_prepare_req+0x4f9/0xbb0
[ 61.985575][ T26] p9_client_rpc+0x1a2/0xad0
[ 61.990165][ T26] p9_client_walk+0x1d6/0x690
[ 61.994834][ T26] v9fs_vfs_lookup+0x1db/0x600
[ 61.999576][ T26] __lookup_hash+0x115/0x240
[ 62.004147][ T26] filename_create+0x27b/0x500
[ 62.008892][ T26] do_mkdirat+0xc5/0x560
[ 62.013114][ T26] __x64_sys_mkdir+0x6a/0x80
[ 62.017684][ T26] do_syscall_64+0x2b/0x70
[ 62.022086][ T26] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 62.027977][ T26]
[ 62.030295][ T26] The buggy address belongs to the object at ffff88807c395f40
[ 62.030295][ T26] which belongs to the cache kmalloc-32 of size 32
[ 62.044165][ T26] The buggy address is located 7 bytes inside of
[ 62.044165][ T26] 32-byte region [ffff88807c395f40, ffff88807c395f60)
[ 62.057941][ T26]
[ 62.060272][ T26] The buggy address belongs to the physical page:
[ 62.066687][ T26] page:ffffea0001f0e540 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807c395040 pfn:0x7c395
[ 62.078117][ T26] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 62.085648][ T26] raw: 00fff00000000200 ffffea000073eec0 dead000000000004 ffff888012041500
[ 62.094213][ T26] raw: ffff88807c395040 000000008040003e 00000001ffffffff 0000000000000000
[ 62.102799][ T26] page dumped because: kasan: bad access detected
[ 62.109193][ T26] page_owner tracks the page as allocated
[ 62.114890][ T26] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2983, tgid 2983 (udevd), ts 24711338305, free_ts 24673746347
[ 62.132586][ T26] get_page_from_freelist+0x72b/0x7a0
[ 62.137947][ T26] __alloc_pages+0x259/0x560
[ 62.142519][ T26] alloc_slab_page+0x70/0xf0
[ 62.147094][ T26] allocate_slab+0x5e/0x4b0
[ 62.151930][ T26] ___slab_alloc+0x7f4/0xeb0
[ 62.156501][ T26] __kmem_cache_alloc_node+0x252/0x310
[ 62.161939][ T26] __kmalloc+0x9e/0x1a0
[ 62.166076][ T26] shmem_initxattrs+0xd4/0x200
[ 62.170821][ T26] security_inode_init_security+0x3bf/0x3f0
[ 62.176696][ T26] shmem_symlink+0x144/0x740
[ 62.181273][ T26] vfs_symlink+0x246/0x3d0
[ 62.185669][ T26] do_symlinkat+0x209/0x610
[ 62.190155][ T26] __x64_sys_symlink+0x7a/0x90
[ 62.194908][ T26] do_syscall_64+0x2b/0x70
[ 62.199305][ T26] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 62.205190][ T26] page last free stack trace:
[ 62.209847][ T26] free_pcp_prepare+0x80c/0x8f0
[ 62.214681][ T26] free_unref_page+0x7d/0x630
[ 62.219341][ T26] qlist_free_all+0x2b/0x70
[ 62.223825][ T26] kasan_quarantine_reduce+0x169/0x180
[ 62.229268][ T26] __kasan_slab_alloc+0x1f/0x70
[ 62.234100][ T26] __kmem_cache_alloc_node+0x1d7/0x310
[ 62.239540][ T26] __kmalloc_node+0x9e/0x190
[ 62.244112][ T26] kvmalloc_node+0x6e/0x180
[ 62.248598][ T26] simple_xattr_alloc+0x3f/0xa0
[ 62.253431][ T26] shmem_initxattrs+0x8e/0x200
[ 62.258181][ T26] security_inode_init_security+0x3bf/0x3f0
[ 62.264064][ T26] shmem_mknod+0xb0/0x1b0
[ 62.268373][ T26] path_openat+0x12e2/0x2e00
[ 62.272952][ T26] do_filp_open+0x275/0x500
[ 62.277435][ T26] do_sys_openat2+0x13b/0x500
[ 62.282098][ T26] __x64_sys_openat+0x243/0x290
[ 62.286939][ T26]
[ 62.289245][ T26] Memory state around the buggy address:
[ 62.294850][ T26] ffff88807c395e00: fa fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 62.302887][ T26] ffff88807c395e80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 62.310929][ T26] >ffff88807c395f00: 00 00 00 fc fc fc fc fc 00 00 06 fc fc fc fc fc
[ 62.319052][ T26] ^
[ 62.325699][ T26] ffff88807c395f80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 62.333734][ T26] ffff88807c396000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.341769][ T26] ==================================================================
[ 62.350667][ T26] Kernel panic - not syncing: panic_on_warn set ...
[ 62.357265][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0
[ 62.367151][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 62.377208][ T26] Workqueue: events p9_read_work
[ 62.382130][ T26] Call Trace:
[ 62.385399][ T26] <TASK>
[ 62.388320][ T26] dump_stack_lvl+0x1e3/0x2cb
[ 62.392999][ T26] ? nf_tcp_handle_invalid+0x62e/0x62e
[ 62.398451][ T26] ? panic+0x766/0x766
[ 62.402508][ T26] ? preempt_schedule_common+0xb7/0xe0
[ 62.407954][ T26] ? preempt_schedule+0xd9/0xe0
[ 62.412790][ T26] ? vscnprintf+0x59/0x80
[ 62.417105][ T26] panic+0x316/0x766
[ 62.420984][ T26] ? memcpy_page_flushcache+0xfc/0xfc
[ 62.426346][ T26] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 62.432489][ T26] ? _copy_to_iter+0xa46/0x1000
[ 62.437326][ T26] end_report+0x91/0xa0
[ 62.441476][ T26] kasan_report+0x146/0x170
[ 62.445963][ T26] ? _copy_to_iter+0xa46/0x1000
[ 62.451147][ T26] kasan_check_range+0x2a7/0x2e0
[ 62.456069][ T26] ? _copy_to_iter+0xa46/0x1000
[ 62.460915][ T26] memcpy+0x3c/0x60
[ 62.464714][ T26] _copy_to_iter+0xa46/0x1000
[ 62.469392][ T26] ? stack_trace_snprint+0xf0/0xf0
[ 62.474499][ T26] ? iov_iter_init+0x1a0/0x1a0
[ 62.479260][ T26] ? mutex_lock_io_nested+0x60/0x60
[ 62.484457][ T26] ? validate_chain+0x126/0x6470
[ 62.489392][ T26] ? page_copy_sane+0x46/0x3a0
[ 62.494156][ T26] copy_page_to_iter+0xd2/0x1b0
[ 62.499007][ T26] pipe_read+0x58a/0x12a0
[ 62.503347][ T26] ? pipe_wait_writable+0x5a0/0x5a0
[ 62.508545][ T26] ? mark_lock+0x9a/0x350
[ 62.512873][ T26] ? register_lock_class+0xfe/0x9b0
[ 62.518063][ T26] ? iov_iter_kvec+0x4a/0x1a0
[ 62.522734][ T26] __kernel_read+0x3c4/0x7e0
[ 62.527323][ T26] ? rw_verify_area+0x1a0/0x1a0
[ 62.532172][ T26] ? security_file_permission+0x45f/0x5c0
[ 62.537885][ T26] ? kernel_read+0xc1/0x1f0
[ 62.542385][ T26] p9_read_work+0x389/0xfa0
[ 62.546884][ T26] ? p9_conn_create+0x5b0/0x5b0
[ 62.551730][ T26] process_one_work+0x81c/0xd10
[ 62.556581][ T26] ? worker_detach_from_pool+0x260/0x260
[ 62.562210][ T26] ? _raw_spin_lock_irqsave+0x120/0x120
[ 62.567746][ T26] ? kthread_data+0x4d/0xc0
[ 62.572244][ T26] ? wq_worker_running+0x95/0x190
[ 62.577262][ T26] worker_thread+0xb14/0x1330
[ 62.581938][ T26] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 62.587830][ T26] kthread+0x266/0x300
[ 62.591894][ T26] ? rcu_lock_release+0x20/0x20
[ 62.596746][ T26] ? kthread_blkcg+0xd0/0xd0
[ 62.601329][ T26] ret_from_fork+0x1f/0x30
[ 62.605743][ T26] </TASK>
[ 62.608900][ T26] Kernel Offset: disabled
[ 62.613215][ T26] Rebooting in 86400 seconds..