./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3258012269 <...> Warning: Permanently added '10.128.1.173' (ED25519) to the list of known hosts. execve("./syz-executor3258012269", ["./syz-executor3258012269"], 0x7ffea4096fd0 /* 10 vars */) = 0 brk(NULL) = 0x55556a0c6000 brk(0x55556a0c6d00) = 0x55556a0c6d00 arch_prctl(ARCH_SET_FS, 0x55556a0c6380) = 0 set_tid_address(0x55556a0c6650) = 5863 set_robust_list(0x55556a0c6660, 24) = 0 rseq(0x55556a0c6ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3258012269", 4096) = 28 getrandom("\x8a\x13\x35\xa2\x5c\xa0\xda\x1e", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556a0c6d00 brk(0x55556a0e7d00) = 0x55556a0e7d00 brk(0x55556a0e8000) = 0x55556a0e8000 mprotect(0x7fe523675000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.G4qMzw", 0700) = 0 chmod("./syzkaller.G4qMzw", 0777) = 0 chdir("./syzkaller.G4qMzw") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5864 attached [pid 5864] set_robust_list(0x55556a0c6660, 24 [pid 5863] <... clone resumed>, child_tidptr=0x55556a0c6650) = 5864 [pid 5864] <... set_robust_list resumed>) = 0 [pid 5864] chdir("./0") = 0 [pid 5864] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5864] setpgid(0, 0) = 0 [pid 5864] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5864] write(3, "1000", 4) = 4 [pid 5864] close(3) = 0 [pid 5864] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 5864] write(1, "executing program\n", 18) = 18 [pid 5864] memfd_create("syzkaller", 0) = 3 [pid 5864] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe51b000000 [pid 5864] write(3, "\x58\x46\x53\x42\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc4\x96\xe0\x5e\x54\x0d\x4c\x72\xb5\x91\x04\xd7\x9d\x8b\x4e\xeb\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x11\x40\x00\x00\x00\x00\x00\x00\x11\x41\x00\x00\x00\x00\x00\x00\x11\x42\x00\x00\x00\x01\x00\x00\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04\x3e"..., 16777216) = 16777216 [pid 5864] munmap(0x7fe51b000000, 138412032) = 0 [pid 5864] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5864] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5864] close(3) = 0 [pid 5864] close(4) = 0 [pid 5864] mkdir("./file1", 0777) = 0 [ 55.333416][ T5864] loop0: detected capacity change from 0 to 32768 [ 55.362959][ T5864] XFS: noikeep mount option is deprecated. [ 55.372524][ T5864] XFS (loop0): Mounting V5 Filesystem c496e05e-540d-4c72-b591-04d79d8b4eeb [pid 5864] mount("/dev/loop0", "./file1", "xfs", MS_NOSUID|MS_NODIRATIME|MS_I_VERSION|MS_SUBMOUNT, "noikeep,sunit=0x0000000000000000,,nouuid") = 0 [pid 5864] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5864] chdir("./file1") = 0 [pid 5864] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [pid 5864] setxattr("./file1", "trusted.overlay.upper", "\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x9c\xec\xdd\x09\xbc\xad\x63\xc1\xb8\xff\x75\x9c\x83\x63\x1e\x4a\x34\x21\x53\x1a\x8d\x19\x52\x32\x0f\x25\x99\x23\x73\xe6\x8c\x21\xa1\xcc\x43"..., 2101, XATTR_CREATE) = 0 [pid 5864] mount("/dev/loop0", "./file1", NULL, MS_BIND|MS_REC, NULL) = 0 [pid 5864] open("./file1", O_RDONLY|O_NOCTTY) = 4 [ 55.391556][ T5864] XFS (loop0): Torn write (CRC failure) detected at log block 0x30. Truncating head block from 0x51. [ 55.406945][ T5864] XFS (loop0): Starting recovery (logdev: internal) [ 55.417830][ T5864] XFS (loop0): Ending recovery (logdev: internal) [pid 5864] ioctl(4, LOOP_SET_STATUS64, {lo_offset=0, lo_number=0, lo_flags=0, lo_file_name="\xef\x35\x9f\x41\x3b\xb9\x38\x52\xf7\xd6\xa4\xae\x6d\xdd\xfb\xd1\xce\x5d\x29\xc2\xee\x5e\x5c\xa9", ...}) = 0 [pid 5864] openat(AT_FDCWD, "cpuacct.usage_percpu_user", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = -1 EUCLEAN (Structure needs cleaning) [pid 5864] exit_group(0) = ? [pid 5864] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5864, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=19 /* 0.19 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 [ 55.468969][ T5864] loop0: detected capacity change from 32768 to 64 [ 55.486505][ T5864] XFS (loop0): Metadata corruption detected at xfs_btree_lookup_get_block+0x3c5/0x500, xfs_bnobt block 0x8 [ 55.498010][ T5864] XFS (loop0): Unmount and run xfs_repair umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55556a0c76f0 /* 4 entries */, 32768) = 112 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0755, st_size=75, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=75, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55556a0cf730 /* 7 entries */, 32768) = 208 umount2("./0/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0", {st_mode=S_IFDIR|0755, st_size=32, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=32, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55556a0d7770 /* 4 entries */, 32768) = 112 umount2("./0/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file0/file0") = 0 umount2("./0/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=38, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file0/file1") = 0 getdents64(5, 0x55556a0d7770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./0/file1/file0") = 0 umount2("./0/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file1", {st_mode=S_IFREG|0755, st_size=10, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file1") = 0 umount2("./0/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file2") = 0 umount2("./0/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file3") = 0 umount2("./0/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file.cold") = 0 getdents64(4, 0x55556a0cf730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = -1 EBUSY (Device or resource busy) [ 55.577544][ T5863] syz-executor325: attempt to access beyond end of device [ 55.577544][ T5863] loop0: rw=432129, sector=96, nr_sectors = 16 limit=64 [ 55.592098][ T55] XFS (loop0): log I/O error -5 [ 55.592559][ T979] kworker/1:2: attempt to access beyond end of device [ 55.592559][ T979] loop0: rw=432129, sector=112, nr_sectors = 16 limit=64 [ 55.596969][ T55] XFS (loop0): Filesystem has been shut down due to log error (0x2). [ 55.610844][ T96] XFS (loop0): log I/O error -5 [ 55.618685][ T55] XFS (loop0): Please unmount the filesystem and rectify the problem(s). [ 55.618820][ T55] ================================================================== [ 55.639988][ T55] BUG: KASAN: slab-use-after-free in xlog_cil_committed+0x45e/0x1040 [ 55.648559][ T55] Write of size 8 at addr ffff888071103c10 by task kworker/0:1H/55 [ 55.656427][ T55] [ 55.658742][ T55] CPU: 0 UID: 0 PID: 55 Comm: kworker/0:1H Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full) [ 55.658759][ T55] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 55.658768][ T55] Workqueue: xfs-log/loop0 xlog_ioend_work [ 55.658787][ T55] Call Trace: [ 55.658794][ T55] [ 55.658800][ T55] dump_stack_lvl+0x189/0x250 [ 55.658817][ T55] ? rcu_is_watching+0x15/0xb0 [ 55.658830][ T55] ? __pfx_dump_stack_lvl+0x10/0x10 [ 55.658844][ T55] ? rcu_is_watching+0x15/0xb0 [ 55.658855][ T55] ? lock_release+0x4b/0x3e0 [ 55.658874][ T55] ? __virt_addr_valid+0x1c8/0x5c0 [ 55.658890][ T55] ? __virt_addr_valid+0x4a5/0x5c0 [ 55.658905][ T55] print_report+0xca/0x240 [ 55.658918][ T55] ? xlog_cil_committed+0x45e/0x1040 [ 55.658931][ T55] kasan_report+0x118/0x150 [ 55.658950][ T55] ? xlog_cil_committed+0x45e/0x1040 [ 55.658966][ T55] kasan_check_range+0x2b0/0x2c0 [ 55.658984][ T55] xlog_cil_committed+0x45e/0x1040 [ 55.658997][ T55] ? rcu_is_watching+0x15/0xb0 [ 55.659013][ T55] ? __pfx_xlog_cil_committed+0x10/0x10 [ 55.659026][ T55] ? __pfx_vprintk_emit+0x10/0x10 [ 55.659047][ T55] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 55.659068][ T55] ? rcu_is_watching+0x15/0xb0 [ 55.659081][ T55] xlog_cil_process_committed+0x15c/0x1b0 [ 55.659097][ T55] xlog_state_shutdown_callbacks+0x269/0x360 [ 55.659118][ T55] ? __pfx_xlog_state_shutdown_callbacks+0x10/0x10 [ 55.659144][ T55] xlog_force_shutdown+0x332/0x400 [ 55.659159][ T55] xlog_ioend_work+0xaf/0x100 [ 55.659171][ T55] ? process_scheduled_works+0x9ef/0x17b0 [ 55.659183][ T55] process_scheduled_works+0xae1/0x17b0 [ 55.659204][ T55] ? __pfx_process_scheduled_works+0x10/0x10 [ 55.659220][ T55] worker_thread+0x8a0/0xda0 [ 55.659234][ T55] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 55.659253][ T55] ? __kthread_parkme+0x7b/0x200 [ 55.659269][ T55] kthread+0x711/0x8a0 [ 55.659284][ T55] ? __pfx_worker_thread+0x10/0x10 [ 55.659296][ T55] ? __pfx_kthread+0x10/0x10 [ 55.659310][ T55] ? _raw_spin_unlock_irq+0x23/0x50 [ 55.659327][ T55] ? lockdep_hardirqs_on+0x9c/0x150 [ 55.659338][ T55] ? __pfx_kthread+0x10/0x10 [ 55.659353][ T55] ret_from_fork+0x3f9/0x770 [ 55.659366][ T55] ? __pfx_ret_from_fork+0x10/0x10 [ 55.659380][ T55] ? __switch_to_asm+0x39/0x70 [ 55.659395][ T55] ? __switch_to_asm+0x33/0x70 [ 55.659410][ T55] ? __pfx_kthread+0x10/0x10 [ 55.659424][ T55] ret_from_fork_asm+0x1a/0x30 [ 55.659444][ T55] [ 55.659449][ T55] [ 55.905234][ T55] Allocated by task 5864: [ 55.909629][ T55] kasan_save_track+0x3e/0x80 [ 55.914297][ T55] __kasan_slab_alloc+0x6c/0x80 [ 55.919134][ T55] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 55.924603][ T55] xfs_buf_item_init+0x66/0x670 [ 55.929446][ T55] _xfs_trans_bjoin+0x46/0x110 [ 55.934214][ T55] xfs_trans_read_buf_map+0x28f/0x8e0 [ 55.939576][ T55] xfs_btree_read_buf_block+0x290/0x470 [ 55.945125][ T55] xfs_btree_lookup_get_block+0x28d/0x500 [ 55.950853][ T55] xfs_btree_lookup+0x4e1/0x1410 [ 55.955790][ T55] xfs_alloc_fixup_trees+0x21b/0xd20 [ 55.961074][ T55] xfs_alloc_cur_finish+0xd3/0x4b0 [ 55.966189][ T55] xfs_alloc_ag_vextent_near+0xd1a/0x1230 [ 55.971899][ T55] xfs_alloc_vextent_iterate_ags+0x640/0x940 [ 55.977865][ T55] xfs_alloc_vextent_start_ag+0x388/0x850 [ 55.983587][ T55] xfs_bmapi_allocate+0x188e/0x2e00 [ 55.988771][ T55] xfs_bmapi_write+0x7df/0x1260 [ 55.993864][ T55] xfs_da_grow_inode_int+0x298/0x860 [ 55.999136][ T55] xfs_da_grow_inode+0x16d/0x390 [ 56.004054][ T55] xfs_attr_shortform_to_leaf+0x273/0x860 [ 56.009757][ T55] xfs_attr_set_iter+0xd30/0x4b70 [ 56.014781][ T55] xfs_attr_finish_item+0xed/0x320 [ 56.019902][ T55] xfs_defer_finish_one+0x5c8/0xcf0 [ 56.025087][ T55] xfs_defer_finish_noroll+0x910/0x12d0 [ 56.030618][ T55] xfs_trans_commit+0x10b/0x1c0 [ 56.035457][ T55] xfs_attr_set+0xdc6/0x1210 [ 56.040028][ T55] xfs_xattr_set+0x14d/0x250 [ 56.044604][ T55] __vfs_setxattr+0x43c/0x480 [ 56.049280][ T55] __vfs_setxattr_noperm+0x12d/0x660 [ 56.054575][ T55] vfs_setxattr+0x16b/0x2f0 [ 56.059072][ T55] filename_setxattr+0x274/0x600 [ 56.064004][ T55] path_setxattrat+0x364/0x3a0 [ 56.068774][ T55] __x64_sys_setxattr+0xbc/0xe0 [ 56.073620][ T55] do_syscall_64+0xfa/0x3b0 [ 56.078139][ T55] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 56.084020][ T55] [ 56.086327][ T55] Freed by task 979: [ 56.090200][ T55] kasan_save_track+0x3e/0x80 [ 56.094861][ T55] __kasan_save_free_info+0x46/0x50 [ 56.100040][ T55] __kasan_slab_free+0x5b/0x80 [ 56.104789][ T55] kmem_cache_free+0x18f/0x400 [ 56.109544][ T55] __xfs_buf_ioend+0x29c/0x6f0 [ 56.114290][ T55] xfs_buf_iowait+0x167/0x480 [ 56.118956][ T55] xfs_buf_read_map+0x335/0xa50 [ 56.123796][ T55] xfs_trans_read_buf_map+0x1d7/0x8e0 [ 56.129152][ T55] xfs_btree_read_buf_block+0x290/0x470 [ 56.134678][ T55] xfs_btree_lookup_get_block+0x28d/0x500 [ 56.140415][ T55] xfs_btree_lookup+0x4e1/0x1410 [ 56.145335][ T55] xfs_free_ag_extent+0x25d/0x1760 [ 56.150437][ T55] __xfs_free_extent+0x2f1/0x470 [ 56.155369][ T55] xfs_extent_free_finish_item+0x28b/0x670 [ 56.161157][ T55] xfs_defer_finish_one+0x5c8/0xcf0 [ 56.166351][ T55] xfs_defer_finish_noroll+0x910/0x12d0 [ 56.171898][ T55] xfs_defer_finish+0x1c/0x180 [ 56.176657][ T55] xfs_bunmapi_range+0xc4/0x140 [ 56.181500][ T55] xfs_itruncate_extents_flags+0x306/0x990 [ 56.187295][ T55] xfs_inactive_truncate+0x125/0x1b0 [ 56.192569][ T55] xfs_inactive+0x949/0xcd0 [ 56.197057][ T55] xfs_inodegc_worker+0x31b/0x7c0 [ 56.202145][ T55] process_scheduled_works+0xae1/0x17b0 [ 56.207696][ T55] worker_thread+0x8a0/0xda0 [ 56.212308][ T55] kthread+0x711/0x8a0 [ 56.216362][ T55] ret_from_fork+0x3f9/0x770 [ 56.220933][ T55] ret_from_fork_asm+0x1a/0x30 [ 56.225679][ T55] [ 56.227986][ T55] The buggy address belongs to the object at ffff888071103bd0 [ 56.227986][ T55] which belongs to the cache xfs_buf_item of size 272 [ 56.242128][ T55] The buggy address is located 64 bytes inside of [ 56.242128][ T55] freed 272-byte region [ffff888071103bd0, ffff888071103ce0) [ 56.255824][ T55] [ 56.258135][ T55] The buggy address belongs to the physical page: [ 56.264543][ T55] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71103 [ 56.273292][ T55] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 56.280384][ T55] page_type: f5(slab) [ 56.284358][ T55] raw: 00fff00000000000 ffff88801e77d780 dead000000000122 0000000000000000 [ 56.293115][ T55] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000 [ 56.301675][ T55] page dumped because: kasan: bad access detected [ 56.308071][ T55] page_owner tracks the page as allocated [ 56.313765][ T55] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5864, tgid 5864 (syz-executor325), ts 55415955865, free_ts 55178881457 [ 56.333373][ T55] post_alloc_hook+0x240/0x2a0 [ 56.338128][ T55] get_page_from_freelist+0x21e4/0x22c0 [ 56.343657][ T55] __alloc_frozen_pages_noprof+0x181/0x370 [ 56.349442][ T55] alloc_pages_mpol+0x232/0x4a0 [ 56.354280][ T55] allocate_slab+0x8a/0x370 [ 56.358763][ T55] ___slab_alloc+0xbeb/0x1410 [ 56.363424][ T55] kmem_cache_alloc_noprof+0x283/0x3c0 [ 56.368870][ T55] xfs_buf_item_init+0x66/0x670 [ 56.373715][ T55] xlog_recover_validate_buf_type+0xa2e/0xdb0 [ 56.379767][ T55] xlog_recover_buf_commit_pass2+0xe2b/0x1a10 [ 56.385828][ T55] xlog_recover_items_pass2+0xe6/0x130 [ 56.391273][ T55] xlog_recover_commit_trans+0x658/0x8a0 [ 56.396891][ T55] xlog_recovery_process_trans+0xab/0x1c0 [ 56.402596][ T55] xlog_recover_process_ophdr+0x2f5/0x380 [ 56.408304][ T55] xlog_recover_process_data+0x1a5/0x430 [ 56.413927][ T55] xlog_do_recovery_pass+0x9cd/0xc30 [ 56.419203][ T55] page last free pid 0 tgid 0 stack trace: [ 56.424984][ T55] __free_frozen_pages+0xbc4/0xd30 [ 56.430084][ T55] __tlb_remove_table+0x2d2/0x3b0 [ 56.435087][ T55] tlb_remove_table_rcu+0x85/0x100 [ 56.440178][ T55] rcu_core+0xca8/0x1770 [ 56.444407][ T55] handle_softirqs+0x286/0x870 [ 56.449156][ T55] __irq_exit_rcu+0xca/0x1f0 [ 56.453725][ T55] irq_exit_rcu+0x9/0x30 [ 56.457950][ T55] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 56.463569][ T55] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 56.469629][ T55] [ 56.471936][ T55] Memory state around the buggy address: [ 56.477544][ T55] ffff888071103b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.485762][ T55] ffff888071103b80: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb [ 56.493809][ T55] >ffff888071103c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.501847][ T55] ^ [ 56.506412][ T55] ffff888071103c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 56.514452][ T55] ffff888071103d00: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.522488][ T55] ================================================================== [ 56.530994][ T55] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 56.538192][ T55] CPU: 0 UID: 0 PID: 55 Comm: kworker/0:1H Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full) [ 56.549666][ T55] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 56.559712][ T55] Workqueue: xfs-log/loop0 xlog_ioend_work [ 56.565511][ T55] Call Trace: [ 56.568780][ T55] [ 56.571696][ T55] dump_stack_lvl+0x99/0x250 [ 56.576284][ T55] ? __asan_memcpy+0x40/0x70 [ 56.581038][ T55] ? __pfx_dump_stack_lvl+0x10/0x10 [ 56.586222][ T55] ? __pfx__printk+0x10/0x10 [ 56.590803][ T55] vpanic+0x281/0x750 [ 56.594776][ T55] ? preempt_schedule+0xae/0xc0 [ 56.599616][ T55] ? __pfx_vpanic+0x10/0x10 [ 56.604106][ T55] ? preempt_schedule_common+0x83/0xd0 [ 56.609553][ T55] ? preempt_schedule+0xae/0xc0 [ 56.614392][ T55] ? __pfx_preempt_schedule+0x10/0x10 [ 56.619928][ T55] panic+0xb9/0xc0 [ 56.623636][ T55] ? __pfx_panic+0x10/0x10 [ 56.628037][ T55] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 56.633922][ T55] ? xlog_cil_committed+0x45e/0x1040 [ 56.639193][ T55] check_panic_on_warn+0x89/0xb0 [ 56.644121][ T55] ? xlog_cil_committed+0x45e/0x1040 [ 56.649391][ T55] end_report+0x78/0x160 [ 56.653624][ T55] kasan_report+0x129/0x150 [ 56.658112][ T55] ? xlog_cil_committed+0x45e/0x1040 [ 56.663383][ T55] kasan_check_range+0x2b0/0x2c0 [ 56.668318][ T55] xlog_cil_committed+0x45e/0x1040 [ 56.673430][ T55] ? rcu_is_watching+0x15/0xb0 [ 56.678184][ T55] ? __pfx_xlog_cil_committed+0x10/0x10 [ 56.683888][ T55] ? __pfx_vprintk_emit+0x10/0x10 [ 56.688908][ T55] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 56.694800][ T55] ? rcu_is_watching+0x15/0xb0 [ 56.699551][ T55] xlog_cil_process_committed+0x15c/0x1b0 [ 56.705262][ T55] xlog_state_shutdown_callbacks+0x269/0x360 [ 56.711233][ T55] ? __pfx_xlog_state_shutdown_callbacks+0x10/0x10 [ 56.717831][ T55] xlog_force_shutdown+0x332/0x400 [ 56.722927][ T55] xlog_ioend_work+0xaf/0x100 [ 56.727682][ T55] ? process_scheduled_works+0x9ef/0x17b0 [ 56.733386][ T55] process_scheduled_works+0xae1/0x17b0 [ 56.738921][ T55] ? __pfx_process_scheduled_works+0x10/0x10 [ 56.744889][ T55] worker_thread+0x8a0/0xda0 [ 56.749462][ T55] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 56.755780][ T55] ? __kthread_parkme+0x7b/0x200 [ 56.760705][ T55] kthread+0x711/0x8a0 [ 56.764763][ T55] ? __pfx_worker_thread+0x10/0x10 [ 56.769871][ T55] ? __pfx_kthread+0x10/0x10 [ 56.774446][ T55] ? _raw_spin_unlock_irq+0x23/0x50 [ 56.779631][ T55] ? lockdep_hardirqs_on+0x9c/0x150 [ 56.784809][ T55] ? __pfx_kthread+0x10/0x10 [ 56.789386][ T55] ret_from_fork+0x3f9/0x770 [ 56.793960][ T55] ? __pfx_ret_from_fork+0x10/0x10 [ 56.799056][ T55] ? __switch_to_asm+0x39/0x70 [ 56.803807][ T55] ? __switch_to_asm+0x33/0x70 [ 56.808557][ T55] ? __pfx_kthread+0x10/0x10 [ 56.813134][ T55] ret_from_fork_asm+0x1a/0x30 [ 56.817887][ T55] [ 56.821140][ T55] Kernel Offset: disabled [ 56.825445][ T55] Rebooting in 86400 seconds..