./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3181741566 <...> DUID 00:04:f8:32:f0:25:6b:f7:7b:d6:d2:5e:34:7f:1d:07:e3:4e forked to background, child pid 4750 [ 33.890701][ T4751] 8021q: adding VLAN 0 to HW filter on device bond0 [ 33.900862][ T4751] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.160' (ED25519) to the list of known hosts. execve("./syz-executor3181741566", ["./syz-executor3181741566"], 0x7fffe20d2f50 /* 10 vars */) = 0 brk(NULL) = 0x55556c287000 brk(0x55556c287d40) = 0x55556c287d40 arch_prctl(ARCH_SET_FS, 0x55556c2873c0) = 0 set_tid_address(0x55556c287690) = 5081 set_robust_list(0x55556c2876a0, 24) = 0 rseq(0x55556c287ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3181741566", 4096) = 28 getrandom("\x4e\x90\xfa\x0f\xdf\x0b\x4d\xcc", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556c287d40 brk(0x55556c2a8d40) = 0x55556c2a8d40 brk(0x55556c2a9000) = 0x55556c2a9000 mprotect(0x7fcbf1a19000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556c287690) = 5082 ./strace-static-x86_64: Process 5082 attached [pid 5081] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5082] set_robust_list(0x55556c2876a0, 24) = 0 ./strace-static-x86_64: Process 5083 attached [pid 5081] <... clone resumed>, child_tidptr=0x55556c287690) = 5083 [pid 5082] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5081] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5083] set_robust_list(0x55556c2876a0, 24) = 0 [pid 5082] <... openat resumed>) = 3 ./strace-static-x86_64: Process 5084 attached [pid 5083] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 5082] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5081] <... clone resumed>, child_tidptr=0x55556c287690) = 5084 [pid 5084] set_robust_list(0x55556c2876a0, 24 [pid 5083] <... openat resumed>) = 3 [pid 5081] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5082] close(3 [pid 5084] <... set_robust_list resumed>) = 0 [pid 5083] ioctl(3, LOOP_CLR_FD [pid 5081] <... clone resumed>, child_tidptr=0x55556c287690) = 5085 [pid 5084] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 5082] <... close resumed>) = 0 ./strace-static-x86_64: Process 5085 attached [pid 5081] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5083] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5084] <... openat resumed>) = 3 [pid 5083] close(3) = 0 [pid 5083] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5085] set_robust_list(0x55556c2876a0, 24) = 0 [pid 5084] ioctl(3, LOOP_CLR_FD [pid 5082] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5088 attached ./strace-static-x86_64: Process 5087 attached [pid 5084] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5087] set_robust_list(0x55556c2876a0, 24./strace-static-x86_64: Process 5089 attached [pid 5081] <... clone resumed>, child_tidptr=0x55556c287690) = 5087 [pid 5088] set_robust_list(0x55556c2876a0, 24 [pid 5085] openat(AT_FDCWD, "/dev/loop3", O_RDWR [pid 5084] close(3 [pid 5083] <... clone resumed>, child_tidptr=0x55556c287690) = 5088 [pid 5089] set_robust_list(0x55556c2876a0, 24 [pid 5088] <... set_robust_list resumed>) = 0 [pid 5087] <... set_robust_list resumed>) = 0 [pid 5085] <... openat resumed>) = 3 [pid 5084] <... close resumed>) = 0 [pid 5082] <... clone resumed>, child_tidptr=0x55556c287690) = 5089 [pid 5088] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5087] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 5085] ioctl(3, LOOP_CLR_FD [pid 5084] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5089] <... set_robust_list resumed>) = 0 [pid 5088] <... prctl resumed>) = 0 [pid 5085] <... ioctl resumed>) = -1 ENXIO (No such device or address) ./strace-static-x86_64: Process 5090 attached [pid 5089] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5088] setpgid(0, 0 [pid 5087] <... openat resumed>) = 3 [pid 5085] close(3 [pid 5084] <... clone resumed>, child_tidptr=0x55556c287690) = 5090 [pid 5090] set_robust_list(0x55556c2876a0, 24 [pid 5089] <... prctl resumed>) = 0 [pid 5088] <... setpgid resumed>) = 0 [pid 5085] <... close resumed>) = 0 [pid 5090] <... set_robust_list resumed>) = 0 [pid 5089] setpgid(0, 0 [pid 5088] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5085] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5090] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5089] <... setpgid resumed>) = 0 [pid 5088] <... openat resumed>) = 3 [pid 5089] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXECexecuting program [pid 5090] <... prctl resumed>) = 0 [pid 5089] <... openat resumed>) = 3 [pid 5088] write(3, "1000", 4 [pid 5087] ioctl(3, LOOP_CLR_FD [pid 5090] setpgid(0, 0 [pid 5089] write(3, "1000", 4 [pid 5088] <... write resumed>) = 4 [pid 5087] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5090] <... setpgid resumed>) = 0 [pid 5089] <... write resumed>) = 4 [pid 5088] close(3 [pid 5090] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5089] close(3 [pid 5088] <... close resumed>) = 0 [pid 5087] close(3 [pid 5089] <... close resumed>) = 0 [pid 5088] write(1, "executing program\n", 18 [pid 5087] <... close resumed>) = 0 executing program [pid 5089] write(1, "executing program\n", 18 [pid 5088] <... write resumed>) = 18 ./strace-static-x86_64: Process 5091 attached [pid 5090] <... openat resumed>) = 3 [pid 5089] <... write resumed>) = 18 [pid 5088] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5087] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5089] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] set_robust_list(0x55556c2876a0, 24) = 0 [pid 5090] write(3, "1000", 4 [pid 5089] <... futex resumed>) = 0 [pid 5088] <... futex resumed>) = 0 [pid 5091] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5090] <... write resumed>) = 4 [pid 5089] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5088] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5085] <... clone resumed>, child_tidptr=0x55556c287690) = 5091 [pid 5090] close(3 [pid 5089] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5088] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5091] <... prctl resumed>) = 0 [pid 5091] setpgid(0, 0 [pid 5090] <... close resumed>) = 0 [pid 5089] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5088] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], ./strace-static-x86_64: Process 5092 attached executing program [pid 5091] <... setpgid resumed>) = 0 [pid 5090] write(1, "executing program\n", 18 [pid 5089] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5088] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5087] <... clone resumed>, child_tidptr=0x55556c287690) = 5092 [pid 5090] <... write resumed>) = 18 [pid 5089] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5088] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5091] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5090] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5089] <... mmap resumed>) = 0x7fcbf1929000 [pid 5088] <... mmap resumed>) = 0x7fcbf1929000 [pid 5092] set_robust_list(0x55556c2876a0, 24 [pid 5090] <... futex resumed>) = 0 [pid 5089] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE [pid 5088] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE [pid 5092] <... set_robust_list resumed>) = 0 [pid 5091] <... openat resumed>) = 3 [pid 5090] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5089] <... mprotect resumed>) = 0 [pid 5088] <... mprotect resumed>) = 0 [pid 5092] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5091] write(3, "1000", 4 [pid 5090] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5089] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5088] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5090] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5092] <... prctl resumed>) = 0 [pid 5091] <... write resumed>) = 4 [pid 5090] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5092] setpgid(0, 0 [pid 5091] close(3) = 0 [pid 5090] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0executing program [pid 5089] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5088] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5092] <... setpgid resumed>) = 0 [pid 5090] <... mmap resumed>) = 0x7fcbf1929000 [pid 5089] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} [pid 5088] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} [pid 5092] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5090] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE [pid 5091] write(1, "executing program\n", 18./strace-static-x86_64: Process 5094 attached ./strace-static-x86_64: Process 5093 attached [pid 5092] <... openat resumed>) = 3 [pid 5091] <... write resumed>) = 18 [pid 5090] <... mprotect resumed>) = 0 [pid 5089] <... clone3 resumed> => {parent_tid=[5093]}, 88) = 5093 [pid 5094] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053 [pid 5093] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053 [pid 5091] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5090] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5089] rt_sigprocmask(SIG_SETMASK, [], [pid 5088] <... clone3 resumed> => {parent_tid=[5094]}, 88) = 5094 [pid 5094] <... rseq resumed>) = 0 [pid 5093] <... rseq resumed>) = 0 [pid 5092] write(3, "1000", 4 [pid 5091] <... futex resumed>) = 0 [pid 5089] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5094] set_robust_list(0x7fcbf19499a0, 24 [pid 5093] set_robust_list(0x7fcbf19499a0, 24 [pid 5092] <... write resumed>) = 4 [pid 5091] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5090] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5089] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5088] rt_sigprocmask(SIG_SETMASK, [], [pid 5094] <... set_robust_list resumed>) = 0 [pid 5093] <... set_robust_list resumed>) = 0 [pid 5092] close(3 [pid 5091] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5090] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} [pid 5089] <... futex resumed>) = 0 [pid 5088] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5094] rt_sigprocmask(SIG_SETMASK, [], [pid 5093] rt_sigprocmask(SIG_SETMASK, [], [pid 5092] <... close resumed>) = 0 [pid 5091] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5089] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5088] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5095 attached [pid 5094] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5093] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5092] write(1, "executing program\n", 18 [pid 5091] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5088] <... futex resumed>) = 0 executing program [pid 5095] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053 [pid 5094] memfd_create("syzkaller", 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5095] <... rseq resumed>) = 0 [pid 5094] <... memfd_create resumed>) = 3 [pid 5093] memfd_create("syzkaller", 0 [pid 5092] <... write resumed>) = 18 [pid 5091] <... mmap resumed>) = 0x7fcbf1929000 [pid 5090] <... clone3 resumed> => {parent_tid=[5095]}, 88) = 5095 [pid 5088] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5095] set_robust_list(0x7fcbf19499a0, 24 [pid 5091] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE [pid 5095] <... set_robust_list resumed>) = 0 [pid 5094] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5093] <... memfd_create resumed>) = 3 [pid 5092] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] <... mprotect resumed>) = 0 [pid 5090] rt_sigprocmask(SIG_SETMASK, [], [pid 5095] rt_sigprocmask(SIG_SETMASK, [], [pid 5094] <... mmap resumed>) = 0x7fcbe9400000 [pid 5093] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5092] <... futex resumed>) = 0 [pid 5091] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5090] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5095] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5092] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5091] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5090] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5095] memfd_create("syzkaller", 0 [pid 5091] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0}./strace-static-x86_64: Process 5096 attached [pid 5095] <... memfd_create resumed>) = 3 [pid 5096] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053) = 0 [pid 5096] set_robust_list(0x7fcbf19499a0, 24 [pid 5095] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5091] <... clone3 resumed> => {parent_tid=[5096]}, 88) = 5096 [pid 5096] <... set_robust_list resumed>) = 0 [pid 5095] <... mmap resumed>) = 0x7fcbe9400000 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], [pid 5096] rt_sigprocmask(SIG_SETMASK, [], [pid 5091] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5096] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5091] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5096] memfd_create("syzkaller", 0 [pid 5091] <... futex resumed>) = 0 [pid 5096] <... memfd_create resumed>) = 3 [pid 5092] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5091] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5096] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5093] <... mmap resumed>) = 0x7fcbe9400000 [pid 5092] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5090] <... futex resumed>) = 0 [pid 5096] <... mmap resumed>) = 0x7fcbe9400000 [pid 5092] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5090] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5092] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fcbf1929000 [pid 5092] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5092] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5092] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} => {parent_tid=[5097]}, 88) = 5097 [pid 5092] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5097 attached NULL, 8) = 0 [pid 5092] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5097] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053 [pid 5092] <... futex resumed>) = 0 [pid 5097] <... rseq resumed>) = 0 [pid 5092] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5097] set_robust_list(0x7fcbf19499a0, 24) = 0 [pid 5097] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5097] memfd_create("syzkaller", 0) = 3 [pid 5097] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcbe9400000 [pid 5094] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216 [pid 5093] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216 [pid 5097] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216 [pid 5096] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216 [pid 5095] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216 [pid 5097] <... write resumed>) = 16777216 [pid 5095] <... write resumed>) = 16777216 [pid 5094] <... write resumed>) = 16777216 [pid 5097] munmap(0x7fcbe9400000, 138412032 [pid 5095] munmap(0x7fcbe9400000, 138412032 [pid 5094] munmap(0x7fcbe9400000, 138412032 [pid 5096] <... write resumed>) = 16777216 [pid 5096] munmap(0x7fcbe9400000, 138412032 [pid 5097] <... munmap resumed>) = 0 [pid 5097] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 5095] <... munmap resumed>) = 0 [pid 5097] <... openat resumed>) = 4 [pid 5095] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 5097] ioctl(4, LOOP_SET_FD, 3 [pid 5095] <... openat resumed>) = 4 [pid 5097] <... ioctl resumed>) = 0 [pid 5095] ioctl(4, LOOP_SET_FD, 3 [pid 5096] <... munmap resumed>) = 0 [pid 5095] <... ioctl resumed>) = 0 [pid 5094] <... munmap resumed>) = 0 [pid 5097] close(3 [pid 5096] openat(AT_FDCWD, "/dev/loop3", O_RDWR [pid 5095] close(3 [pid 5097] <... close resumed>) = 0 [pid 5095] <... close resumed>) = 0 [pid 5096] <... openat resumed>) = 4 [pid 5097] close(4 [pid 5095] close(4 [pid 5096] ioctl(4, LOOP_SET_FD, 3 [pid 5094] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 5097] <... close resumed>) = 0 [pid 5096] <... ioctl resumed>) = 0 [pid 5095] <... close resumed>) = 0 [pid 5093] <... write resumed>) = 16777216 [pid 5096] close(3 [pid 5095] mkdir("./file0", 0777 [pid 5094] <... openat resumed>) = 4 [pid 5097] mkdir("./file0", 0777 [pid 5096] <... close resumed>) = 0 [pid 5095] <... mkdir resumed>) = 0 [pid 5093] munmap(0x7fcbe9400000, 138412032 [pid 5096] close(4 [pid 5097] <... mkdir resumed>) = -1 EEXIST (File exists) syzkaller login: [ 60.397227][ T5097] loop4: detected capacity change from 0 to 32768 [ 60.404944][ T5095] loop2: detected capacity change from 0 to 32768 [ 60.420602][ T5096] loop3: detected capacity change from 0 to 32768 [pid 5096] <... close resumed>) = 0 [pid 5097] mount("/dev/loop4", "./file0", "btrfs", 0, "" [pid 5095] mount("/dev/loop2", "./file0", "btrfs", 0, "" [pid 5094] ioctl(4, LOOP_SET_FD, 3 [pid 5093] <... munmap resumed>) = 0 [pid 5096] mkdir("./file0", 0777) = -1 EEXIST (File exists) [pid 5096] mount("/dev/loop3", "./file0", "btrfs", 0, "" [pid 5093] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5094] <... ioctl resumed>) = 0 [pid 5094] close(3) = 0 [pid 5094] close(4) = 0 [pid 5094] mkdir("./file0", 0777 [pid 5093] <... openat resumed>) = 4 [pid 5094] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5094] mount("/dev/loop1", "./file0", "btrfs", 0, "" [ 60.451522][ T5094] loop1: detected capacity change from 0 to 32768 [ 60.466513][ T5095] BTRFS: device fsid 395ef67a-297e-477c-816d-cd80a5b93e5d devid 1 transid 8 /dev/loop2 (7:2) scanned by syz-executor318 (5095) [pid 5093] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5093] close(3) = 0 [pid 5093] close(4) = 0 [pid 5093] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 60.497185][ T5093] loop0: detected capacity change from 0 to 32768 [ 60.520624][ T5096] BTRFS: device /dev/loop3 (7:3) using temp-fsid a953a001-e44e-4419-9c94-c3f484a5220c [ 60.531347][ T5095] BTRFS info (device loop2): first mount of filesystem 395ef67a-297e-477c-816d-cd80a5b93e5d [ 60.531541][ T5096] BTRFS: device fsid 395ef67a-297e-477c-816d-cd80a5b93e5d devid 1 transid 8 /dev/loop3 (7:3) scanned by syz-executor318 (5096) [ 60.557710][ T5095] BTRFS info (device loop2): using sha256 (sha256-avx2) checksum algorithm [ 60.570799][ T5097] BTRFS: device /dev/loop4 (7:4) using temp-fsid af9dcf9f-dc57-4742-9f8f-e182ce0d7d6e [ 60.581318][ T5096] BTRFS info (device loop3): first mount of filesystem 395ef67a-297e-477c-816d-cd80a5b93e5d [ 60.591983][ T5095] BTRFS info (device loop2): using free-space-tree [ 60.601637][ T5097] BTRFS: device fsid 395ef67a-297e-477c-816d-cd80a5b93e5d devid 1 transid 8 /dev/loop4 (7:4) scanned by syz-executor318 (5097) [ 60.615207][ T5096] BTRFS info (device loop3): using sha256 (sha256-avx2) checksum algorithm [ 60.627306][ T5096] BTRFS info (device loop3): using free-space-tree [ 60.657169][ T5094] BTRFS: device /dev/loop1 (7:1) using temp-fsid 08f1ae38-7668-4a62-be33-bcd68aa072e5 [ 60.669939][ T5097] BTRFS info (device loop4): first mount of filesystem 395ef67a-297e-477c-816d-cd80a5b93e5d [ 60.689119][ T5094] BTRFS: device fsid 395ef67a-297e-477c-816d-cd80a5b93e5d devid 1 transid 8 /dev/loop1 (7:1) scanned by syz-executor318 (5094) [ 60.702839][ T5097] BTRFS info (device loop4): using sha256 (sha256-avx2) checksum algorithm [ 60.716566][ T5093] BTRFS: device /dev/loop0 (7:0) using temp-fsid cd19272b-20b9-49ad-8deb-b8d8a8cc81a0 [ 60.726304][ T5097] BTRFS info (device loop4): using free-space-tree [ 60.728125][ T5094] BTRFS info (device loop1): first mount of filesystem 395ef67a-297e-477c-816d-cd80a5b93e5d [ 60.737120][ T5093] BTRFS: device fsid 395ef67a-297e-477c-816d-cd80a5b93e5d devid 1 transid 8 /dev/loop0 (7:0) scanned by syz-executor318 (5093) [ 60.783270][ T5094] BTRFS info (device loop1): using sha256 (sha256-avx2) checksum algorithm [ 60.786490][ T5093] BTRFS info (device loop0): first mount of filesystem 395ef67a-297e-477c-816d-cd80a5b93e5d [ 60.847144][ T5094] BTRFS info (device loop1): using free-space-tree [pid 5093] mount("/dev/loop0", "./file0", "btrfs", 0, "" [pid 5096] <... mount resumed>) = 0 [pid 5096] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5096] openat(AT_FDCWD, "/dev/loop3", O_RDWR) = 4 [pid 5096] ioctl(4, LOOP_CLR_FD) = 0 [pid 5096] close(4) = 0 [pid 5096] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [pid 5096] futex(0x7fcbf1a1f608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5096] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5091] <... futex resumed>) = 0 [ 60.908374][ T5093] BTRFS info (device loop0): using sha256 (sha256-avx2) checksum algorithm [pid 5096] ioctl(3, BTRFS_IOC_QUOTA_CTL, {cmd=0x4 /* BTRFS_QUOTA_CTL_??? */} [pid 5091] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5095] <... mount resumed>) = 0 [pid 5095] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5097] <... mount resumed>) = 0 [pid 5095] <... openat resumed>) = 3 [pid 5097] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 5095] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 5097] <... openat resumed>) = 3 [pid 5095] <... openat resumed>) = 4 [pid 5095] ioctl(4, LOOP_CLR_FD) = 0 [pid 5097] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 5095] close(4 [pid 5097] <... openat resumed>) = 4 [pid 5095] <... close resumed>) = 0 [pid 5095] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5095] futex(0x7fcbf1a1f608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5097] ioctl(4, LOOP_CLR_FD [pid 5090] <... futex resumed>) = 0 [pid 5097] <... ioctl resumed>) = 0 [ 60.958131][ T5093] BTRFS info (device loop0): using free-space-tree [pid 5090] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5097] close(4 [pid 5095] <... futex resumed>) = 0 [pid 5090] <... futex resumed>) = 1 [pid 5095] ioctl(3, BTRFS_IOC_QUOTA_CTL, {cmd=0x4 /* BTRFS_QUOTA_CTL_??? */} [pid 5097] <... close resumed>) = 0 [pid 5090] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5097] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5092] <... futex resumed>) = 0 [pid 5092] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5097] ioctl(3, BTRFS_IOC_QUOTA_CTL, {cmd=0x4 /* BTRFS_QUOTA_CTL_??? */} [pid 5092] <... futex resumed>) = 0 [pid 5092] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5091] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5091] futex(0x7fcbf1a1f61c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fcbf1908000 [pid 5091] mprotect(0x7fcbf1909000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5091] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1928990, parent_tid=0x7fcbf1928990, exit_signal=0, stack=0x7fcbf1908000, stack_size=0x20300, tls=0x7fcbf19286c0} => {parent_tid=[5171]}, 88) = 5171 [pid 5091] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5090] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5090] futex(0x7fcbf1a1f61c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] futex(0x7fcbf1a1f618, FUTEX_WAKE_PRIVATE, 1000000 [pid 5090] <... futex resumed>) = 0 [pid 5090] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fcbf1908000 [pid 5090] mprotect(0x7fcbf1909000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] <... futex resumed>) = 0 [pid 5090] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5090] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1928990, parent_tid=0x7fcbf1928990, exit_signal=0, stack=0x7fcbf1908000, stack_size=0x20300, tls=0x7fcbf19286c0} => {parent_tid=[5173]}, 88) = 5173 [pid 5090] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5090] futex(0x7fcbf1a1f618, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] futex(0x7fcbf1a1f61c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5091] futex(0x7fcbf1a1f61c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5171 attached ./strace-static-x86_64: Process 5173 attached [pid 5173] rseq(0x7fcbf1928fe0, 0x20, 0, 0x53053053) = 0 [pid 5173] set_robust_list(0x7fcbf19289a0, 24 [pid 5171] rseq(0x7fcbf1928fe0, 0x20, 0, 0x53053053 [pid 5173] <... set_robust_list resumed>) = 0 [pid 5171] <... rseq resumed>) = 0 [pid 5092] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 61.047005][ T5095] BTRFS info (device loop2): setting incompat feature flag for SIMPLE_QUOTA (0x10000) [pid 5173] rt_sigprocmask(SIG_SETMASK, [], [pid 5171] set_robust_list(0x7fcbf19289a0, 24 [pid 5092] futex(0x7fcbf1a1f61c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5173] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5171] <... set_robust_list resumed>) = 0 [pid 5092] <... futex resumed>) = 0 [pid 5173] ioctl(3, BTRFS_IOC_SNAP_CREATE_V2, {fd=3, flags=BTRFS_SUBVOL_QGROUP_INHERIT, size=80, qgroup_inherit={flags=BTRFS_QGROUP_INHERIT_SET_LIMITS, num_qgroups=1, num_ref_copies=432345564227567621, num_excl_copies=0, lim={flags=BTRFS_QGROUP_LIMIT_RSV_RFER|BTRFS_QGROUP_LIMIT_RSV_EXCL|BTRFS_QGROUP_LIMIT_RFER_CMPR|BTRFS_QGROUP_LIMIT_EXCL_CMPR, max_rfer=142, max_excl=1823, rsv_rfer=9, rsv_excl=32}, ...}, name="\x38\x97\x6d\x6a\x9a\x57\x5f\xec\x59\xff\xf1\x12\x3b\xe4\x26\x67\x85\x65\x4f\x3e\xde\x97\x5c\xd0\x2e\x18\x04\x5d\x66\xba\xf6\x62\x78\x6f\xbb\xb4\x7e\x08\x47\xb2\xa2\x4e\xe1\xe4\xcb\x2b\x5d\x9d\xf3\x4d\xe9\xab\xcf\x6f\xab\x0f\x41\x52\x9c\xd9\x80\xac\x44\x83\xee\xfb\xcb\x52\x41\x2d\x95\xef\xcd\x06\x32\x70\x76\x89\x82\xbd\x9b\xae\x6a\xb0\x0d\x80\x14\x6f\xdb\x46\x93\x70\x81\xe5\x3c\x60\x92\xc8\x05\x23\xca\xe1\xf6\xda\x45\x12\x8e\xf8\x68\xb0\x73\xc2\xd5\x92\xb5\xd6\x3d\xe3\xd0\x61\x25\x47\x79\x1f\x92\x98\x91\x3c\xd2\x90\x89\x12\xd8\xdc\xcd\x24\x70\x62\x65\x78\x47\xe9\x5d\x53\x84\xdd\x93\xca\x55\x7c\x51\xb7\x67\x9c\x79\x69\xa0\x6a\x9e\x10\x3b\xde\xdc\x64\x5c\xc8\x3f\x77\x7a\x6b\x96\x2e\x24\x05\x03\xd7\xb9\x9e\xce\xac\x2a\xd0\x40\x29\x51\xeb\x82\x50\xe9\xdc\x57\xb5\x2d\x28\x4f\xae\xe4"} [pid 5171] rt_sigprocmask(SIG_SETMASK, [], [pid 5092] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5094] <... mount resumed>) = 0 [pid 5094] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5094] openat(AT_FDCWD, "/dev/loop1", O_RDWR) = 4 [pid 5094] ioctl(4, LOOP_CLR_FD) = 0 [pid 5094] close(4) = 0 [pid 5094] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5094] futex(0x7fcbf1a1f608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5088] <... futex resumed>) = 0 [pid 5088] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5094] <... futex resumed>) = 0 [pid 5088] <... futex resumed>) = 1 [pid 5094] ioctl(3, BTRFS_IOC_QUOTA_CTL, {cmd=0x4 /* BTRFS_QUOTA_CTL_??? */} [pid 5173] <... ioctl resumed>) = -1 EINVAL (Invalid argument) [pid 5171] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5092] <... mmap resumed>) = 0x7fcbf1908000 [pid 5171] ioctl(3, BTRFS_IOC_SNAP_CREATE_V2, {fd=3, flags=BTRFS_SUBVOL_QGROUP_INHERIT, size=80, qgroup_inherit={flags=BTRFS_QGROUP_INHERIT_SET_LIMITS, num_qgroups=1, num_ref_copies=432345564227567621, num_excl_copies=0, lim={flags=BTRFS_QGROUP_LIMIT_RSV_RFER|BTRFS_QGROUP_LIMIT_RSV_EXCL|BTRFS_QGROUP_LIMIT_RFER_CMPR|BTRFS_QGROUP_LIMIT_EXCL_CMPR, max_rfer=142, max_excl=1823, rsv_rfer=9, rsv_excl=32}, ...}, name="\x38\x97\x6d\x6a\x9a\x57\x5f\xec\x59\xff\xf1\x12\x3b\xe4\x26\x67\x85\x65\x4f\x3e\xde\x97\x5c\xd0\x2e\x18\x04\x5d\x66\xba\xf6\x62\x78\x6f\xbb\xb4\x7e\x08\x47\xb2\xa2\x4e\xe1\xe4\xcb\x2b\x5d\x9d\xf3\x4d\xe9\xab\xcf\x6f\xab\x0f\x41\x52\x9c\xd9\x80\xac\x44\x83\xee\xfb\xcb\x52\x41\x2d\x95\xef\xcd\x06\x32\x70\x76\x89\x82\xbd\x9b\xae\x6a\xb0\x0d\x80\x14\x6f\xdb\x46\x93\x70\x81\xe5\x3c\x60\x92\xc8\x05\x23\xca\xe1\xf6\xda\x45\x12\x8e\xf8\x68\xb0\x73\xc2\xd5\x92\xb5\xd6\x3d\xe3\xd0\x61\x25\x47\x79\x1f\x92\x98\x91\x3c\xd2\x90\x89\x12\xd8\xdc\xcd\x24\x70\x62\x65\x78\x47\xe9\x5d\x53\x84\xdd\x93\xca\x55\x7c\x51\xb7\x67\x9c\x79\x69\xa0\x6a\x9e\x10\x3b\xde\xdc\x64\x5c\xc8\x3f\x77\x7a\x6b\x96\x2e\x24\x05\x03\xd7\xb9\x9e\xce\xac\x2a\xd0\x40\x29\x51\xeb\x82\x50\xe9\xdc\x57\xb5\x2d\x28\x4f\xae\xe4"} [pid 5173] futex(0x7fcbf1a1f61c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5092] mprotect(0x7fcbf1909000, 131072, PROT_READ|PROT_WRITE [pid 5088] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5173] <... futex resumed>) = 1 [pid 5092] <... mprotect resumed>) = 0 [pid 5173] futex(0x7fcbf1a1f618, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5092] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5090] <... futex resumed>) = 0 [pid 5092] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5092] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1928990, parent_tid=0x7fcbf1928990, exit_signal=0, stack=0x7fcbf1908000, stack_size=0x20300, tls=0x7fcbf19286c0}./strace-static-x86_64: Process 5180 attached => {parent_tid=[5180]}, 88) = 5180 [pid 5091] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5180] rseq(0x7fcbf1928fe0, 0x20, 0, 0x53053053) = 0 [pid 5180] set_robust_list(0x7fcbf19289a0, 24) = 0 [pid 5180] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5180] futex(0x7fcbf1a1f618, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5092] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5092] futex(0x7fcbf1a1f618, FUTEX_WAKE_PRIVATE, 1000000 [pid 5180] <... futex resumed>) = 0 [pid 5092] <... futex resumed>) = 1 [pid 5180] ioctl(3, BTRFS_IOC_SNAP_CREATE_V2, {fd=3, flags=BTRFS_SUBVOL_QGROUP_INHERIT, size=80, qgroup_inherit={flags=BTRFS_QGROUP_INHERIT_SET_LIMITS, num_qgroups=1, num_ref_copies=432345564227567621, num_excl_copies=0, lim={flags=BTRFS_QGROUP_LIMIT_RSV_RFER|BTRFS_QGROUP_LIMIT_RSV_EXCL|BTRFS_QGROUP_LIMIT_RFER_CMPR|BTRFS_QGROUP_LIMIT_EXCL_CMPR, max_rfer=142, max_excl=1823, rsv_rfer=9, rsv_excl=32}, ...}, name="\x38\x97\x6d\x6a\x9a\x57\x5f\xec\x59\xff\xf1\x12\x3b\xe4\x26\x67\x85\x65\x4f\x3e\xde\x97\x5c\xd0\x2e\x18\x04\x5d\x66\xba\xf6\x62\x78\x6f\xbb\xb4\x7e\x08\x47\xb2\xa2\x4e\xe1\xe4\xcb\x2b\x5d\x9d\xf3\x4d\xe9\xab\xcf\x6f\xab\x0f\x41\x52\x9c\xd9\x80\xac\x44\x83\xee\xfb\xcb\x52\x41\x2d\x95\xef\xcd\x06\x32\x70\x76\x89\x82\xbd\x9b\xae\x6a\xb0\x0d\x80\x14\x6f\xdb\x46\x93\x70\x81\xe5\x3c\x60\x92\xc8\x05\x23\xca\xe1\xf6\xda\x45\x12\x8e\xf8\x68\xb0\x73\xc2\xd5\x92\xb5\xd6\x3d\xe3\xd0\x61\x25\x47\x79\x1f\x92\x98\x91\x3c\xd2\x90\x89\x12\xd8\xdc\xcd\x24\x70\x62\x65\x78\x47\xe9\x5d\x53\x84\xdd\x93\xca\x55\x7c\x51\xb7\x67\x9c\x79\x69\xa0\x6a\x9e\x10\x3b\xde\xdc\x64\x5c\xc8\x3f\x77\x7a\x6b\x96\x2e\x24\x05\x03\xd7\xb9\x9e\xce\xac\x2a\xd0\x40\x29\x51\xeb\x82\x50\xe9\xdc\x57\xb5\x2d\x28\x4f\xae\xe4"} [pid 5092] futex(0x7fcbf1a1f61c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5180] <... ioctl resumed>) = -1 EINVAL (Invalid argument) [pid 5180] futex(0x7fcbf1a1f61c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5092] <... futex resumed>) = 0 [pid 5180] futex(0x7fcbf1a1f618, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5095] <... ioctl resumed>) = 0 [pid 5094] <... ioctl resumed>) = 0 [pid 5095] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5094] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5090] exit_group(0 [pid 5173] <... futex resumed>) = ? [pid 5095] <... futex resumed>) = ? [pid 5094] <... futex resumed>) = 1 [pid 5090] <... exit_group resumed>) = ? [pid 5088] <... futex resumed>) = 0 [pid 5173] +++ exited with 0 +++ [pid 5095] +++ exited with 0 +++ [pid 5094] ioctl(3, BTRFS_IOC_SNAP_CREATE_V2, {fd=3, flags=BTRFS_SUBVOL_QGROUP_INHERIT, size=80, qgroup_inherit={flags=BTRFS_QGROUP_INHERIT_SET_LIMITS, num_qgroups=1, num_ref_copies=432345564227567621, num_excl_copies=0, lim={flags=BTRFS_QGROUP_LIMIT_RSV_RFER|BTRFS_QGROUP_LIMIT_RSV_EXCL|BTRFS_QGROUP_LIMIT_RFER_CMPR|BTRFS_QGROUP_LIMIT_EXCL_CMPR, max_rfer=142, max_excl=1823, rsv_rfer=9, rsv_excl=32}, ...}, name="\x38\x97\x6d\x6a\x9a\x57\x5f\xec\x59\xff\xf1\x12\x3b\xe4\x26\x67\x85\x65\x4f\x3e\xde\x97\x5c\xd0\x2e\x18\x04\x5d\x66\xba\xf6\x62\x78\x6f\xbb\xb4\x7e\x08\x47\xb2\xa2\x4e\xe1\xe4\xcb\x2b\x5d\x9d\xf3\x4d\xe9\xab\xcf\x6f\xab\x0f\x41\x52\x9c\xd9\x80\xac\x44\x83\xee\xfb\xcb\x52\x41\x2d\x95\xef\xcd\x06\x32\x70\x76\x89\x82\xbd\x9b\xae\x6a\xb0\x0d\x80\x14\x6f\xdb\x46\x93\x70\x81\xe5\x3c\x60\x92\xc8\x05\x23\xca\xe1\xf6\xda\x45\x12\x8e\xf8\x68\xb0\x73\xc2\xd5\x92\xb5\xd6\x3d\xe3\xd0\x61\x25\x47\x79\x1f\x92\x98\x91\x3c\xd2\x90\x89\x12\xd8\xdc\xcd\x24\x70\x62\x65\x78\x47\xe9\x5d\x53\x84\xdd\x93\xca\x55\x7c\x51\xb7\x67\x9c\x79\x69\xa0\x6a\x9e\x10\x3b\xde\xdc\x64\x5c\xc8\x3f\x77\x7a\x6b\x96\x2e\x24\x05\x03\xd7\xb9\x9e\xce\xac\x2a\xd0\x40\x29\x51\xeb\x82\x50\xe9\xdc\x57\xb5\x2d\x28\x4f\xae\xe4"} [pid 5090] +++ exited with 0 +++ [pid 5088] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5094] <... ioctl resumed>) = -1 EINVAL (Invalid argument) [pid 5088] <... futex resumed>) = 0 [pid 5084] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5090, si_uid=0, si_status=0, si_utime=10 /* 0.10 s */, si_stime=32 /* 0.32 s */} --- [ 61.120871][ T5096] BTRFS info (device loop3): setting incompat feature flag for SIMPLE_QUOTA (0x10000) [ 61.141438][ T5097] BTRFS info (device loop4): setting incompat feature flag for SIMPLE_QUOTA (0x10000) [ 61.141822][ T5094] BTRFS info (device loop1): setting incompat feature flag for SIMPLE_QUOTA (0x10000) [pid 5094] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5088] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5094] <... futex resumed>) = 0 [pid 5094] futex(0x7fcbf1a1f608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5096] <... ioctl resumed>) = 0 [pid 5088] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5084] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 5088] exit_group(0 [pid 5094] <... futex resumed>) = ? [pid 5088] <... exit_group resumed>) = ? [pid 5084] <... openat resumed>) = 3 [pid 5094] +++ exited with 0 +++ [pid 5084] ioctl(3, LOOP_CLR_FD) = 0 [pid 5084] close(3) = 0 [pid 5084] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5096] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5186 attached [pid 5096] futex(0x7fcbf1a1f608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5084] <... clone resumed>, child_tidptr=0x55556c287690) = 5186 [pid 5186] set_robust_list(0x55556c2876a0, 24) = 0 [pid 5097] <... ioctl resumed>) = 0 [pid 5186] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5097] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5186] <... prctl resumed>) = 0 [pid 5097] <... futex resumed>) = 0 [pid 5088] +++ exited with 0 +++ [pid 5186] setpgid(0, 0 [pid 5097] futex(0x7fcbf1a1f608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5092] exit_group(0 [pid 5186] <... setpgid resumed>) = 0 [pid 5180] <... futex resumed>) = ? [pid 5097] <... futex resumed>) = ? [pid 5092] <... exit_group resumed>) = ? [pid 5083] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5088, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=34 /* 0.34 s */} --- [pid 5186] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5180] +++ exited with 0 +++ [pid 5097] +++ exited with 0 +++ [pid 5092] +++ exited with 0 +++ [pid 5083] restart_syscall(<... resuming interrupted clone ...> [pid 5087] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5092, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=26 /* 0.26 s */} --- [pid 5083] <... restart_syscall resumed>) = 0 [pid 5186] <... openat resumed>) = 3 [pid 5186] write(3, "1000", 4) = 4 [pid 5083] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 5186] close(3 [pid 5083] <... openat resumed>) = 3 [pid 5083] ioctl(3, LOOP_CLR_FD) = 0 [pid 5083] close(3) = 0 [pid 5083] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556c287690) = 5187 [ 61.235854][ T5171] ================================================================== [ 61.243965][ T5171] BUG: KASAN: slab-out-of-bounds in btrfs_qgroup_inherit+0x42e/0x2e20 [ 61.252164][ T5171] Read of size 8 at addr ffff88814628ca50 by task syz-executor318/5171 [ 61.260418][ T5171] [ 61.262758][ T5171] CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0 [ 61.273277][ T5171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 61.283354][ T5171] Call Trace: [ 61.286655][ T5171] [ 61.289600][ T5171] dump_stack_lvl+0x241/0x360 [ 61.294304][ T5171] ? __pfx_dump_stack_lvl+0x10/0x10 [ 61.299524][ T5171] ? __pfx__printk+0x10/0x10 [ 61.304129][ T5171] ? _printk+0xd5/0x120 [ 61.308309][ T5171] ? __virt_addr_valid+0x183/0x520 [ 61.313439][ T5171] ? __virt_addr_valid+0x183/0x520 [ 61.318578][ T5171] print_report+0x169/0x550 [ 61.323092][ T5171] ? __virt_addr_valid+0x183/0x520 [ 61.328222][ T5171] ? __virt_addr_valid+0x183/0x520 executing program [pid 5186] <... close resumed>) = 0 [pid 5186] write(1, "executing program\n", 18) = 18 [pid 5087] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 5186] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5087] <... openat resumed>) = 3 [pid 5186] <... futex resumed>) = 0 [pid 5087] ioctl(3, LOOP_CLR_FD [pid 5186] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5087] <... ioctl resumed>) = 0 [pid 5186] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5087] close(3 [pid 5186] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5087] <... close resumed>) = 0 [pid 5186] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5087] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5186] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fcbf1929000 [pid 5087] <... clone resumed>, child_tidptr=0x55556c287690) = 5188 [pid 5186] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5186] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5186] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} => {parent_tid=[5189]}, 88) = 5189 [pid 5186] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5186] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 61.333437][ T5171] ? __virt_addr_valid+0x44e/0x520 [ 61.338562][ T5171] ? __phys_addr+0xba/0x170 [ 61.343147][ T5171] ? btrfs_qgroup_inherit+0x42e/0x2e20 [ 61.348627][ T5171] kasan_report+0x143/0x180 [ 61.353147][ T5171] ? btrfs_qgroup_inherit+0x42e/0x2e20 [ 61.358635][ T5171] btrfs_qgroup_inherit+0x42e/0x2e20 [ 61.363946][ T5171] ? btrfs_insert_fs_root+0x3e5/0x5e0 [ 61.369341][ T5171] ? __pfx_btrfs_insert_fs_root+0x10/0x10 [ 61.375076][ T5171] ? __pfx_btrfs_qgroup_inherit+0x10/0x10 [ 61.380826][ T5171] ? btrfs_get_root_ref+0xa24/0xc30 [pid 5186] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [ 61.386043][ T5171] ? btrfs_reloc_post_snapshot+0x27a/0x1700 [ 61.391950][ T5171] ? __pfx_btrfs_get_root_ref+0x10/0x10 [ 61.397511][ T5171] ? __pfx_btrfs_reloc_post_snapshot+0x10/0x10 [ 61.403695][ T5171] create_pending_snapshot+0x1359/0x29b0 [ 61.409358][ T5171] ? __pfx_create_pending_snapshot+0x10/0x10 [ 61.415353][ T5171] ? __mutex_trylock_common+0x2f/0x2e0 [ 61.420836][ T5171] ? rcu_is_watching+0x15/0xb0 [ 61.425647][ T5171] ? trace_contention_end+0x3c/0x120 [ 61.430944][ T5171] ? __mutex_lock+0x2ef/0xd70 [ 61.435637][ T5171] ? btrfs_commit_transaction+0x17f/0x3740 [ 61.441469][ T5171] ? __pfx___mutex_lock+0x10/0x10 [ 61.446520][ T5171] create_pending_snapshots+0x195/0x1d0 [ 61.452088][ T5171] ? btrfs_commit_transaction+0x17f/0x3740 [ 61.457914][ T5171] btrfs_commit_transaction+0xf20/0x3740 [ 61.463612][ T5171] ? btrfs_commit_transaction+0x17f/0x3740 [ 61.469442][ T5171] ? __pfx_btrfs_commit_transaction+0x10/0x10 [ 61.475525][ T5171] ? do_raw_spin_lock+0x14f/0x370 [ 61.480578][ T5171] ? do_raw_spin_unlock+0x13c/0x8b0 [ 61.485807][ T5171] ? _raw_spin_unlock+0x28/0x50 [ 61.490692][ T5171] ? btrfs_qgroup_convert_reserved_meta+0x708/0xdc0 [ 61.497296][ T5171] ? btrfs_record_root_in_trans+0x16e/0x190 [ 61.503234][ T5171] ? __pfx_btrfs_qgroup_convert_reserved_meta+0x10/0x10 [ 61.510191][ T5171] ? btrfs_record_root_in_trans+0x12d/0x190 [ 61.516112][ T5171] create_snapshot+0x6a1/0x9e0 [ 61.520898][ T5171] btrfs_mksubvol+0x58f/0x710 [ 61.525600][ T5171] ? __pfx_btrfs_mksubvol+0x10/0x10 [ 61.530821][ T5171] ? __fget_files+0x29/0x470 [ 61.535423][ T5171] ? __fget_files+0x3f6/0x470 [ 61.540117][ T5171] ? __fget_files+0x29/0x470 [ 61.544725][ T5171] btrfs_mksnapshot+0xb5/0xf0 [ 61.549416][ T5171] __btrfs_ioctl_snap_create+0x387/0x4b0 [ 61.555067][ T5171] btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 [ 61.560815][ T5171] btrfs_ioctl+0x99e/0xc60 [ 61.565250][ T5171] ? __pfx_btrfs_ioctl+0x10/0x10 [ 61.570197][ T5171] __se_sys_ioctl+0xfc/0x170 [ 61.574795][ T5171] do_syscall_64+0xf3/0x230 [ 61.579317][ T5171] ? clear_bhb_loop+0x35/0x90 [ 61.584017][ T5171] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 61.589935][ T5171] RIP: 0033:0x7fcbf1992509 [ 61.594363][ T5171] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 61.613988][ T5171] RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 61.622421][ T5171] RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509 [ 61.630403][ T5171] RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003 [ 61.638387][ T5171] RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000 [ 61.646371][ T5171] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660 [ 61.654357][ T5171] R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e [ 61.662369][ T5171] [ 61.665405][ T5171] [ 61.667730][ T5171] Allocated by task 5171: [ 61.672053][ T5171] kasan_save_track+0x3f/0x80 [ 61.676740][ T5171] __kasan_kmalloc+0x98/0xb0 [ 61.681350][ T5171] kmalloc_node_track_caller_noprof+0x225/0x440 [ 61.687606][ T5171] memdup_user+0x2b/0xc0 [ 61.691858][ T5171] btrfs_ioctl_snap_create_v2+0x2fd/0x3a0 [ 61.697585][ T5171] btrfs_ioctl+0x99e/0xc60 [ 61.702014][ T5171] __se_sys_ioctl+0xfc/0x170 [ 61.706615][ T5171] do_syscall_64+0xf3/0x230 [ 61.711127][ T5171] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 61.717029][ T5171] [ 61.719354][ T5171] The buggy address belongs to the object at ffff88814628ca00 [ 61.719354][ T5171] which belongs to the cache kmalloc-96 of size 96 [ 61.733250][ T5171] The buggy address is located 0 bytes to the right of [ 61.733250][ T5171] allocated 80-byte region [ffff88814628ca00, ffff88814628ca50) [ 61.747669][ T5171] [ 61.750004][ T5171] The buggy address belongs to the physical page: [ 61.756444][ T5171] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14628c [ 61.765325][ T5171] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) [ 61.772561][ T5171] page_type: 0xffffefff(slab) [ 61.777351][ T5171] raw: 057ff00000000000 ffff888015041280 dead000000000100 dead000000000122 [ 61.785944][ T5171] raw: 0000000000000000 0000000080200020 00000001ffffefff 0000000000000000 [ 61.794533][ T5171] page dumped because: kasan: bad access detected [ 61.800963][ T5171] page_owner tracks the page as allocated [ 61.806679][ T5171] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 7530129564, free_ts 7138110092 [ 61.825278][ T5171] post_alloc_hook+0x1f3/0x230 [ 61.830063][ T5171] get_page_from_freelist+0x2e2d/0x2ee0 [ 61.835622][ T5171] __alloc_pages_noprof+0x256/0x6c0 [ 61.840827][ T5171] alloc_slab_page+0x5f/0x120 [ 61.845529][ T5171] allocate_slab+0x5a/0x2e0 [ 61.850049][ T5171] ___slab_alloc+0xcd1/0x14b0 [ 61.854760][ T5171] __slab_alloc+0x58/0xa0 [ 61.859123][ T5171] kmalloc_node_trace_noprof+0x20c/0x300 [ 61.864771][ T5171] alloc_workqueue+0x847/0x2060 [ 61.869635][ T5171] nvmet_init+0x8d/0x150 [ 61.873898][ T5171] do_one_initcall+0x248/0x880 [ 61.878678][ T5171] do_initcall_level+0x157/0x210 [ 61.883637][ T5171] do_initcalls+0x3f/0x80 [ 61.887990][ T5171] kernel_init_freeable+0x435/0x5d0 [ 61.893212][ T5171] kernel_init+0x1d/0x2b0 [ 61.897564][ T5171] ret_from_fork+0x4b/0x80 [ 61.902003][ T5171] page last free pid 1 tgid 1 stack trace: [ 61.907812][ T5171] free_unref_page+0xd19/0xea0 [ 61.912589][ T5171] vfree+0x186/0x2e0 [ 61.916492][ T5171] bdev_disk_changed+0x80e/0x13d0 [ 61.921547][ T5171] blkdev_get_whole+0x315/0x470 [ 61.926411][ T5171] bdev_open+0x2e9/0xc60 [ 61.930664][ T5171] bdev_file_open_by_dev+0x1b0/0x230 [ 61.935961][ T5171] disk_scan_partitions+0x1be/0x2b0 [ 61.941177][ T5171] device_add_disk+0xca0/0xf90 [ 61.945967][ T5171] brd_alloc+0x503/0x770 [ 61.950228][ T5171] brd_init+0xfd/0x1d0 [ 61.954315][ T5171] do_one_initcall+0x248/0x880 [ 61.959096][ T5171] do_initcall_level+0x157/0x210 [ 61.964051][ T5171] do_initcalls+0x3f/0x80 [ 61.968394][ T5171] kernel_init_freeable+0x435/0x5d0 [ 61.973602][ T5171] kernel_init+0x1d/0x2b0 [ 61.978143][ T5171] ret_from_fork+0x4b/0x80 [ 61.982585][ T5171] [ 61.984915][ T5171] Memory state around the buggy address: [ 61.990565][ T5171] ffff88814628c900: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 61.998646][ T5171] ffff88814628c980: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 62.006723][ T5171] >ffff88814628ca00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 62.014788][ T5171] ^ [ 62.021467][ T5171] ffff88814628ca80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 62.029539][ T5171] ffff88814628cb00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc executing program executing program [pid 5091] exit_group(0 [pid 5096] <... futex resumed>) = ? [pid 5091] <... exit_group resumed>) = ? [pid 5096] +++ exited with 0 +++ ./strace-static-x86_64: Process 5189 attached ./strace-static-x86_64: Process 5188 attached ./strace-static-x86_64: Process 5187 attached [pid 5189] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053 [pid 5188] set_robust_list(0x55556c2876a0, 24 [pid 5187] set_robust_list(0x55556c2876a0, 24 [pid 5189] <... rseq resumed>) = 0 [pid 5188] <... set_robust_list resumed>) = 0 [pid 5187] <... set_robust_list resumed>) = 0 [pid 5189] set_robust_list(0x7fcbf19499a0, 24 [pid 5188] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5187] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5189] <... set_robust_list resumed>) = 0 [pid 5189] rt_sigprocmask(SIG_SETMASK, [], [pid 5188] <... prctl resumed>) = 0 [pid 5187] <... prctl resumed>) = 0 [pid 5189] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5188] setpgid(0, 0 [pid 5187] setpgid(0, 0 [pid 5189] memfd_create("syzkaller", 0 [pid 5188] <... setpgid resumed>) = 0 [pid 5187] <... setpgid resumed>) = 0 [pid 5188] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5187] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5189] <... memfd_create resumed>) = 3 [pid 5188] <... openat resumed>) = 3 [pid 5187] <... openat resumed>) = 3 [pid 5189] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 5187] write(3, "1000", 4 [pid 5189] <... mmap resumed>) = 0x7fcbe9400000 [pid 5188] write(3, "1000", 4 [pid 5187] <... write resumed>) = 4 [pid 5187] close(3 [pid 5188] <... write resumed>) = 4 [pid 5188] close(3 [pid 5187] <... close resumed>) = 0 [pid 5187] write(1, "executing program\n", 18) = 18 [pid 5188] <... close resumed>) = 0 [pid 5187] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] write(1, "executing program\n", 18) = 18 [pid 5187] <... futex resumed>) = 0 [pid 5188] futex(0x7fcbf1a1f60c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5187] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5188] <... futex resumed>) = 0 [pid 5187] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5188] rt_sigaction(SIGRT_1, {sa_handler=0x7fcbf19b83f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fcbf19a9aa0}, [pid 5187] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5188] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5187] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5188] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5187] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5188] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5187] <... mmap resumed>) = 0x7fcbf1929000 [pid 5188] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5187] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE [pid 5188] <... mmap resumed>) = 0x7fcbf1929000 [pid 5187] <... mprotect resumed>) = 0 [pid 5188] mprotect(0x7fcbf192a000, 131072, PROT_READ|PROT_WRITE [pid 5187] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5188] <... mprotect resumed>) = 0 [pid 5188] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5187] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5188] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5187] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} [pid 5188] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fcbf1949990, parent_tid=0x7fcbf1949990, exit_signal=0, stack=0x7fcbf1929000, stack_size=0x20300, tls=0x7fcbf19496c0} [pid 5187] <... clone3 resumed> => {parent_tid=[5190]}, 88) = 5190 [pid 5188] <... clone3 resumed> => {parent_tid=[5191]}, 88) = 5191 [pid 5188] rt_sigprocmask(SIG_SETMASK, [], [pid 5187] rt_sigprocmask(SIG_SETMASK, [], [pid 5188] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5187] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5188] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5187] futex(0x7fcbf1a1f608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] <... futex resumed>) = 0 [pid 5187] <... futex resumed>) = 0 [pid 5188] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5187] futex(0x7fcbf1a1f60c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5189] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216./strace-static-x86_64: Process 5190 attached [pid 5190] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053) = 0 [pid 5190] set_robust_list(0x7fcbf19499a0, 24) = 0 [pid 5190] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5190] memfd_create("syzkaller", 0) = 3 [pid 5190] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcbe9400000 ./strace-static-x86_64: Process 5191 attached [ 62.037630][ T5171] ================================================================== [ 62.063923][ T5171] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 62.071166][ T5171] CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0 [ 62.081732][ T5171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 62.091797][ T5171] Call Trace: [ 62.095083][ T5171] [ 62.098022][ T5171] dump_stack_lvl+0x241/0x360 [ 62.102717][ T5171] ? __pfx_dump_stack_lvl+0x10/0x10 [ 62.107932][ T5171] ? __pfx__printk+0x10/0x10 [ 62.112535][ T5171] ? preempt_schedule+0xe1/0xf0 [ 62.117401][ T5171] ? vscnprintf+0x5d/0x90 [ 62.121752][ T5171] panic+0x349/0x860 [ 62.125661][ T5171] ? check_panic_on_warn+0x21/0xb0 [ 62.130791][ T5171] ? __pfx_panic+0x10/0x10 [ 62.135223][ T5171] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 62.141213][ T5171] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 62.147573][ T5171] ? print_report+0x502/0x550 [ 62.152258][ T5171] check_panic_on_warn+0x86/0xb0 [ 62.157240][ T5171] ? btrfs_qgroup_inherit+0x42e/0x2e20 [ 62.162722][ T5171] end_report+0x77/0x160 [ 62.167060][ T5171] kasan_report+0x154/0x180 [ 62.171575][ T5171] ? btrfs_qgroup_inherit+0x42e/0x2e20 [ 62.177054][ T5171] btrfs_qgroup_inherit+0x42e/0x2e20 [ 62.182366][ T5171] ? btrfs_insert_fs_root+0x3e5/0x5e0 [ 62.187765][ T5171] ? __pfx_btrfs_insert_fs_root+0x10/0x10 [ 62.193521][ T5171] ? __pfx_btrfs_qgroup_inherit+0x10/0x10 [ 62.199278][ T5171] ? btrfs_get_root_ref+0xa24/0xc30 [ 62.204497][ T5171] ? btrfs_reloc_post_snapshot+0x27a/0x1700 [ 62.210413][ T5171] ? __pfx_btrfs_get_root_ref+0x10/0x10 [ 62.216059][ T5171] ? __pfx_btrfs_reloc_post_snapshot+0x10/0x10 [ 62.222252][ T5171] create_pending_snapshot+0x1359/0x29b0 [ 62.227927][ T5171] ? __pfx_create_pending_snapshot+0x10/0x10 [ 62.233931][ T5171] ? __mutex_trylock_common+0x2f/0x2e0 [ 62.239412][ T5171] ? rcu_is_watching+0x15/0xb0 [ 62.244198][ T5171] ? trace_contention_end+0x3c/0x120 [ 62.249517][ T5171] ? __mutex_lock+0x2ef/0xd70 [ 62.254214][ T5171] ? btrfs_commit_transaction+0x17f/0x3740 [ 62.260041][ T5171] ? __pfx___mutex_lock+0x10/0x10 [ 62.265089][ T5171] create_pending_snapshots+0x195/0x1d0 [ 62.270654][ T5171] ? btrfs_commit_transaction+0x17f/0x3740 [ 62.276491][ T5171] btrfs_commit_transaction+0xf20/0x3740 [ 62.282148][ T5171] ? btrfs_commit_transaction+0x17f/0x3740 [ 62.287975][ T5171] ? __pfx_btrfs_commit_transaction+0x10/0x10 [ 62.294068][ T5171] ? do_raw_spin_lock+0x14f/0x370 [ 62.299120][ T5171] ? do_raw_spin_unlock+0x13c/0x8b0 [ 62.304336][ T5171] ? _raw_spin_unlock+0x28/0x50 [ 62.309201][ T5171] ? btrfs_qgroup_convert_reserved_meta+0x708/0xdc0 [ 62.315805][ T5171] ? btrfs_record_root_in_trans+0x16e/0x190 [ 62.321734][ T5171] ? __pfx_btrfs_qgroup_convert_reserved_meta+0x10/0x10 [ 62.328703][ T5171] ? btrfs_record_root_in_trans+0x12d/0x190 [ 62.334617][ T5171] create_snapshot+0x6a1/0x9e0 [ 62.339398][ T5171] btrfs_mksubvol+0x58f/0x710 [ 62.344087][ T5171] ? __pfx_btrfs_mksubvol+0x10/0x10 [ 62.349293][ T5171] ? __fget_files+0x29/0x470 [ 62.353959][ T5171] ? __fget_files+0x3f6/0x470 [ 62.358727][ T5171] ? __fget_files+0x29/0x470 [ 62.363332][ T5171] btrfs_mksnapshot+0xb5/0xf0 [ 62.368030][ T5171] __btrfs_ioctl_snap_create+0x387/0x4b0 [ 62.373680][ T5171] btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 [ 62.379419][ T5171] btrfs_ioctl+0x99e/0xc60 [ 62.383865][ T5171] ? __pfx_btrfs_ioctl+0x10/0x10 [pid 5191] rseq(0x7fcbf1949fe0, 0x20, 0, 0x53053053 [ 62.388916][ T5171] __se_sys_ioctl+0xfc/0x170 [ 62.393528][ T5171] do_syscall_64+0xf3/0x230 [ 62.398047][ T5171] ? clear_bhb_loop+0x35/0x90 [ 62.402743][ T5171] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 62.408657][ T5171] RIP: 0033:0x7fcbf1992509 [ 62.413078][ T5171] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 62.432698][ T5171] RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [pid 5190] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216 [pid 5189] <... write resumed>) = 16777216 [ 62.441136][ T5171] RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509 [ 62.449123][ T5171] RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003 [ 62.457106][ T5171] RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000 [ 62.465089][ T5171] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660 [ 62.473076][ T5171] R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e [ 62.481073][ T5171] [ 62.484466][ T5171] Kernel Offset: disabled [ 62.488797][ T5171] Rebooting in 86400 seconds..