audit: type=1804 audit(1678117819.626:15702): pid=9923 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir1012175310/syzkaller.J9p1tm/149/bus" dev="sda1" ino=15233 res=1
BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 1 PID: 9834 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 add_chain_cache kernel/locking/lockdep.c:2259 [inline]
 lookup_chain_cache_add kernel/locking/lockdep.c:2371 [inline]
 validate_chain kernel/locking/lockdep.c:2391 [inline]
 __lock_acquire.cold+0x420/0x57e kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 seqcount_lockdep_reader_access include/linux/seqlock.h:81 [inline]
 read_seqcount_begin include/linux/seqlock.h:164 [inline]
 ktime_get+0xd0/0x2f0 kernel/time/timekeeping.c:756
 hrtimer_expires_remaining include/linux/hrtimer.h:285 [inline]
 __hrtimer_get_remaining+0xd7/0x1d0 kernel/time/hrtimer.c:1260
 hrtimer_get_remaining include/linux/hrtimer.h:425 [inline]
 perf_swevent_cancel_hrtimer kernel/events/core.c:9297 [inline]
 perf_swevent_cancel_hrtimer kernel/events/core.c:9292 [inline]
 cpu_clock_event_stop kernel/events/core.c:9351 [inline]
 cpu_clock_event_del+0xa3/0x100 kernel/events/core.c:9366
 event_sched_out+0x34d/0xca0 kernel/events/core.c:2014
 group_sched_out.part.0+0x110/0x3f0 kernel/events/core.c:2047
 group_sched_out kernel/events/core.c:2042 [inline]
 ctx_sched_out+0x8eb/0xbf0 kernel/events/core.c:2964
 task_ctx_sched_out+0x5b/0x80 kernel/events/core.c:2421
 perf_event_context_sched_out kernel/events/core.c:3146 [inline]
 __perf_event_task_sched_out+0xa5b/0x1470 kernel/events/core.c:3237
 perf_event_task_sched_out include/linux/perf_event.h:1132 [inline]
 prepare_task_switch kernel/sched/core.c:2612 [inline]
 context_switch kernel/sched/core.c:2793 [inline]
 __schedule+0xd8a/0x2040 kernel/sched/core.c:3517
 preempt_schedule_irq+0xb0/0x140 kernel/sched/core.c:3744
 retint_kernel+0x1b/0x2d
RIP: 0010:current_gfp_context include/linux/sched/mm.h:188 [inline]
RIP: 0010:__need_fs_reclaim mm/page_alloc.c:3737 [inline]
RIP: 0010:fs_reclaim_release+0x0/0x110 mm/page_alloc.c:3776
Code: ba 00 00 00 00 00 16 00 00 48 01 d0 48 ba 00 00 00 00 80 88 ff ff 48 c1 f8 06 48 c1 e0 0c 48 01 d0 c3 31 c0 c3 0f 1f 44 00 00 <48> b8 00 00 00 00 00 fc ff df 55 65 48 8b 2c 25 c0 df 01 00 53 89
RSP: 0018:ffff88809d76f850 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: ffffffff817e80c5 RBX: 00000000006080c0 RCX: 0000000000005348
RDX: dffffc0000000000 RSI: 00000000a803929e RDI: 00000000006080c0
RBP: 00000000006080c0 R08: ffffffff8cd40f80 R09: 0000000000000001
R10: ffff888093dc4d30 R11: ffffffff8c66505b R12: 00000000006080c0
R13: ffff8880b0d140c0 R14: ffff888035613830 R15: dffffc0000000000
 slab_pre_alloc_hook mm/slab.h:420 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc+0x28/0x370 mm/slab.c:3557
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 ext4_init_io_end+0x23/0x110 fs/ext4/page-io.c:253
 ext4_writepages+0x11b5/0x37f0 fs/ext4/inode.c:2847
 do_writepages+0xe5/0x290 mm/page-writeback.c:2344
 __filemap_fdatawrite_range+0x27d/0x350 mm/filemap.c:446
 ext4_alloc_da_blocks+0x207/0x360 fs/ext4/inode.c:3273
 ext4_release_file+0x1ed/0x340 fs/ext4/file.c:89
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f79d043afab
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffc0dd3da00 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f79d043afab
RDX: 0000001b2e320000 RSI: 0000001b2e3290cc RDI: 0000000000000003
RBP: 00007f79d05aa980 R08: 0000000000000000 R09: 000000003253460c
R10: 000123233f79c4e5 R11: 0000000000000293 R12: 00000000000fe28c
R13: 00007ffc0dd3db00 R14: 00007ffc0dd3db20 R15: 0000000000000032
audit: type=1804 audit(1678117820.626:15703): pid=9967 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir1012175310/syzkaller.J9p1tm/150/bus" dev="sda1" ino=15233 res=1
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1804 audit(1678117823.176:15704): pid=10007 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir1012175310/syzkaller.J9p1tm/151/bus" dev="sda1" ino=14193 res=1
tmpfs: No value for mount option './bus'
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
audit: type=1804 audit(1678117824.317:15705): pid=10073 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/701/file0/bus" dev="loop3" ino=7 res=1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
audit: type=1804 audit(1678117824.357:15706): pid=10073 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/701/file0/bus" dev="loop3" ino=7 res=1
audit: type=1804 audit(1678117824.427:15707): pid=10139 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/701/file0/bus" dev="loop3" ino=7 res=1
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 663880669
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
audit: type=1804 audit(1678117824.467:15708): pid=10139 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/701/file0/bus" dev="loop3" ino=7 res=1
ubi0: background thread "ubi_bgt0d" started, PID 10113
ubi0: detaching mtd0
ubi0: mtd0 is detached
ubi0: attaching mtd0
ubi0: scanning is finished
audit: type=1804 audit(1678117824.987:15709): pid=10168 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/702/bus" dev="sda1" ino=14050 res=1
audit: type=1804 audit(1678117825.037:15710): pid=10167 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/702/bus" dev="sda1" ino=14050 res=1
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
audit: type=1804 audit(1678117825.067:15711): pid=10167 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/702/bus" dev="sda1" ino=14050 res=1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
audit: type=1804 audit(1678117825.067:15712): pid=10167 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/702/bus" dev="sda1" ino=14050 res=1
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 663880669
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 10172
ubi0: detaching mtd0
ubi0: mtd0 is detached
jfs: Unrecognized mount option "C=YH+Ӗ'y+-*+3HuѷcfRPlYI`ُ7ǓO\JOUj|7d0Ӡ;p_%beH" or missing value
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
audit: type=1804 audit(1678117826.257:15713): pid=10207 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir2985287953/syzkaller.ImFLCV/703/bus" dev="sda1" ino=14195 res=1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 663880669
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 10205
ubi0: detaching mtd0
ubi0: mtd0 is detached
jfs: Unrecognized mount option "C=YH+Ӗ'y+-*+3HuѷcfRPlYI`ُ7ǓO\JOUj|7d0Ӡ;p_%beH" or missing value
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
kauditd_printk_skb: 60 callbacks suppressed
audit: type=1800 audit(1678117828.577:15774): pid=10339 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14369 res=0
audit: type=1800 audit(1678117828.637:15775): pid=10350 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14370 res=0
audit: type=1800 audit(1678117828.747:15776): pid=10367 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14370 res=0
IPVS: ftp: loaded support on port[0] = 21
audit: type=1800 audit(1678117828.837:15777): pid=10387 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=13989 res=0
audit: type=1800 audit(1678117829.298:15778): pid=10425 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14529 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 'syz-executor.1': attribute type 1 has an invalid length.
audit: type=1800 audit(1678117829.318:15779): pid=10425 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14529 res=0
device bond5 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): bond5: link is not ready
audit: type=1800 audit(1678117829.318:15780): pid=10425 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14529 res=0
IPVS: ftp: loaded support on port[0] = 21
8021q: adding VLAN 0 to HW filter on device bond5
bond5: making interface bridge3 the new active one
device bridge3 entered promiscuous mode
bond5: Enslaving bridge3 as an active interface with an up link
audit: type=1800 audit(1678117829.318:15781): pid=10425 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14529 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
IPv6: ADDRCONF(NETDEV_CHANGE): bond5: link becomes ready
audit: type=1800 audit(1678117829.318:15782): pid=10425 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14529 res=0
netlink: 'syz-executor.1': attribute type 1 has an invalid length.
audit: type=1800 audit(1678117829.318:15783): pid=10425 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14529 res=0
device bond6 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): bond6: link is not ready
8021q: adding VLAN 0 to HW filter on device bond6
bond6: making interface bridge4 the new active one
device bridge4 entered promiscuous mode
bond6: Enslaving bridge4 as an active interface with an up link
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
IPv6: ADDRCONF(NETDEV_CHANGE): bond6: link becomes ready
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 'syz-executor.1': attribute type 1 has an invalid length.
device bond7 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): bond7: link is not ready
8021q: adding VLAN 0 to HW filter on device bond7
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
overlayfs: upper fs needs to support d_type.
overlayfs: upper fs does not support tmpfile.
overlayfs: upper fs does not support xattr, falling back to index=off and metacopy=off.
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
overlayfs: upper fs needs to support d_type.
overlayfs: upper fs does not support tmpfile.
overlayfs: upper fs does not support xattr, falling back to index=off and metacopy=off.
overlayfs: failed to resolve './file0': -2
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
overlayfs: upper fs needs to support d_type.
overlayfs: upper fs does not support tmpfile.
overlayfs: upper fs does not support xattr, falling back to index=off and metacopy=off.
overlayfs: failed to resolve './file0': -2
REISERFS warning (device loop3): super-6502 reiserfs_getopt: unknown mount option "017777777777777777777770x0000000000000000"
ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
REISERFS warning (device loop3): super-6502 reiserfs_getopt: unknown mount option "017777777777777777777770x0000000000000000"
IPVS: ftp: loaded support on port[0] = 21
REISERFS warning (device loop3): super-6502 reiserfs_getopt: unknown mount option "017777777777777777777770x0000000000000000"
vivid-003: kernel_thread() failed
nla_parse: 2 callbacks suppressed
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
----------------
Code disassembly (best guess):
   0:   ba 00 00 00 00          mov    $0x0,%edx
   5:   00 16                   add    %dl,(%rsi)
   7:   00 00                   add    %al,(%rax)
   9:   48 01 d0                add    %rdx,%rax
   c:   48 ba 00 00 00 00 80    movabs $0xffff888000000000,%rdx
  13:   88 ff ff
  16:   48 c1 f8 06             sar    $0x6,%rax
  1a:   48 c1 e0 0c             shl    $0xc,%rax
  1e:   48 01 d0                add    %rdx,%rax
  21:   c3                      retq
  22:   31 c0                   xor    %eax,%eax
  24:   c3                      retq
  25:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
* 2a:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax <-- trapping instruction
  31:   fc ff df
  34:   55                      push   %rbp
  35:   65 48 8b 2c 25 c0 df    mov    %gs:0x1dfc0,%rbp
  3c:   01 00
  3e:   53                      push   %rbx
  3f:   89                      .byte 0x89