Warning: Permanently added '10.128.0.140' (ED25519) to the list of known hosts.
2024/01/31 15:29:51 ignoring optional flag "sandboxArg"="0"
2024/01/31 15:29:52 parsed 1 programs
2024/01/31 15:29:52 executed programs: 0
[   47.383054][ T1405] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   51.154422][ T1866] ==================================================================
[   51.162696][ T1866] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x9dd/0xb80
[   51.170854][ T1866] Read of size 8 at addr ffff8881169d1770 by task syz-executor.0/1866
[   51.178993][ T1866]
[   51.181302][ T1866] CPU: 0 PID: 1866 Comm: syz-executor.0 Not tainted 6.8.0-rc1-syzkaller #0
[   51.189979][ T1866] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[   51.200629][ T1866] Call Trace:
[   51.203886][ T1866]
[   51.206813][ T1866]  dump_stack_lvl+0x3d/0x70
[   51.211303][ T1866]  print_report+0xc4/0x620
[   51.217180][ T1866]  ? __virt_addr_valid+0x1b1/0x2a0
[   51.222270][ T1866]  kasan_report+0xda/0x110
[   51.226756][ T1866]  ? v9fs_stat2inode_dotl+0x9dd/0xb80
[   51.232099][ T1866]  ? v9fs_stat2inode_dotl+0x9dd/0xb80
[   51.237445][ T1866]  v9fs_stat2inode_dotl+0x9dd/0xb80
[   51.242622][ T1866]  v9fs_fid_iget_dotl+0x184/0x200
[   51.247793][ T1866]  v9fs_mount+0x3ec/0x7d0
[   51.252112][ T1866]  ? __pfx_v9fs_mount+0x10/0x10
[   51.257015][ T1866]  ? kasan_save_track+0x14/0x30
[   51.261849][ T1866]  ? __pfx_v9fs_mount+0x10/0x10
[   51.267743][ T1866]  legacy_get_tree+0x102/0x200
[   51.272495][ T1866]  ? security_capable+0x6a/0xb0
[   51.277313][ T1866]  vfs_get_tree+0x85/0x230
[   51.281695][ T1866]  path_mount+0x8ec/0x1a70
[   51.286183][ T1866]  ? __kasan_slab_free+0x12c/0x1c0
[   51.291465][ T1866]  ? __pfx_path_mount+0x10/0x10
[   51.296312][ T1866]  ? kmem_cache_free+0x120/0x3d0
[   51.301339][ T1866]  ? user_path_at_empty+0x3f/0x50
[   51.306338][ T1866]  __x64_sys_mount+0x20c/0x280
[   51.311085][ T1866]  ? __pfx___x64_sys_mount+0x10/0x10
[   51.316372][ T1866]  ? fpregs_restore_userregs+0x121/0x230
[   51.321991][ T1866]  do_syscall_64+0x73/0x180
[   51.326482][ T1866]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   51.332521][ T1866] RIP: 0033:0x7f7c6ef02da9
[   51.336908][ T1866] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   51.356538][ T1866] RSP: 002b:00007f7c6ea850c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   51.365112][ T1866] RAX: ffffffffffffffda RBX: 00007f7c6f031f80 RCX: 00007f7c6ef02da9
[   51.373245][ T1866] RDX: 0000000020004500 RSI: 00000000200002c0 RDI: 0000000000000000
[   51.381279][ T1866] RBP: 00007f7c6ef4f47a R08: 0000000020000300 R09: 0000000000000000
[   51.389593][ T1866] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   51.397544][ T1866] R13: 0000000000000006 R14: 00007f7c6f031f80 R15: 00007ffc63ea09a8
[   51.405500][ T1866]
[   51.408498][ T1866]
[   51.410794][ T1866] Allocated by task 1866:
[   51.415089][ T1866]  kasan_save_stack+0x33/0x60
[   51.419737][ T1866]  kasan_save_track+0x14/0x30
[   51.424555][ T1866]  __kasan_kmalloc+0xaa/0xb0
[   51.429113][ T1866]  p9_client_getattr_dotl+0x49/0x260
[   51.434363][ T1866]  v9fs_fid_iget_dotl+0xc2/0x200
[   51.439289][ T1866]  v9fs_mount+0x3ec/0x7d0
[   51.443584][ T1866]  legacy_get_tree+0x102/0x200
[   51.448485][ T1866]  vfs_get_tree+0x85/0x230
[   51.452970][ T1866]  path_mount+0x8ec/0x1a70
[   51.457458][ T1866]  __x64_sys_mount+0x20c/0x280
[   51.462286][ T1866]  do_syscall_64+0x73/0x180
[   51.466781][ T1866]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   51.473087][ T1866]
[   51.475387][ T1866] Freed by task 1866:
[   51.479424][ T1866]  kasan_save_stack+0x33/0x60
[   51.484071][ T1866]  kasan_save_track+0x14/0x30
[   51.488720][ T1866]  kasan_save_free_info+0x3f/0x60
[   51.493971][ T1866]  __kasan_slab_free+0x121/0x1c0
[   51.498977][ T1866]  kfree+0x11b/0x340
[   51.502861][ T1866]  v9fs_fid_iget_dotl+0x156/0x200
[   51.508201][ T1866]  v9fs_mount+0x3ec/0x7d0
[   51.512584][ T1866]  legacy_get_tree+0x102/0x200
[   51.517495][ T1866]  vfs_get_tree+0x85/0x230
[   51.522253][ T1866]  path_mount+0x8ec/0x1a70
[   51.526804][ T1866]  __x64_sys_mount+0x20c/0x280
[   51.531726][ T1866]  do_syscall_64+0x73/0x180
[   51.536204][ T1866]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   51.542423][ T1866]
[   51.544735][ T1866] The buggy address belongs to the object at ffff8881169d1770
[   51.544735][ T1866]  which belongs to the cache kmalloc-192 of size 192
[   51.559284][ T1866] The buggy address is located 0 bytes inside of
[   51.559284][ T1866]  freed 192-byte region [ffff8881169d1770, ffff8881169d1830)
[   51.572895][ T1866]
[   51.575317][ T1866] The buggy address belongs to the physical page:
[   51.581714][ T1866] page:ffffea00045a7440 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1169d1
[   51.592016][ T1866] flags: 0x200000000000800(slab|node=0|zone=2)
[   51.598326][ T1866] page_type: 0xffffffff()
[   51.602712][ T1866] raw: 0200000000000800 ffff888100041a00 dead000000000122 0000000000000000
[   51.611883][ T1866] raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
[   51.620437][ T1866] page dumped because: kasan: bad access detected
[   51.626841][ T1866] page_owner tracks the page as allocated
[   51.632636][ T1866] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 1411, tgid 1411 (syz-executor.0), ts 51147176492, free_ts 51146933134
[   51.651755][ T1866]  post_alloc_hook+0x283/0x300
[   51.656523][ T1866]  get_page_from_freelist+0xeb8/0x3700
[   51.662314][ T1866]  __alloc_pages+0x346/0x5e0
[   51.666970][ T1866]  allocate_slab+0xa3/0x340
[   51.671443][ T1866]  ___slab_alloc+0x853/0x13e0
[   51.676138][ T1866]  __slab_alloc.constprop.0+0x4d/0x90
[   51.681596][ T1866]  __kmalloc_node+0x39e/0x4c0
[   51.686331][ T1866]  memcg_alloc_slab_cgroups+0xa9/0x180
[   51.691878][ T1866]  __memcg_slab_post_alloc_hook+0xa4/0x2b0
[   51.697749][ T1866]  kmem_cache_alloc+0x37d/0x390
[   51.702759][ T1866]  dup_fd+0x7b/0xab0
[   51.706742][ T1866]  copy_process+0x1ee5/0x93a0
[   51.711606][ T1866]  kernel_clone+0xcb/0x7e0
[   51.716051][ T1866]  __do_sys_clone+0xa1/0xe0
[   51.720638][ T1866]  do_syscall_64+0x73/0x180
[   51.725202][ T1866]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   51.731329][ T1866] page last free pid 1411 tgid 1411 stack trace:
[   51.737860][ T1866]  free_unref_page_prepare+0x543/0xb10
[   51.743302][ T1866]  free_unref_page+0x33/0x2a0
[   51.748057][ T1866]  vfree+0x27c/0x9c0
[   51.751944][ T1866]  do_ip6t_get_ctl+0x98a/0xd10
[   51.756769][ T1866]  nf_getsockopt+0x5e/0xc0
[   51.761227][ T1866]  ipv6_getsockopt+0x178/0x1d0
[   51.766406][ T1866]  do_sock_getsockopt+0x1fc/0x2f0
[   51.771864][ T1866]  __sys_getsockopt+0xf6/0x1b0
[   51.776604][ T1866]  __x64_sys_getsockopt+0xb8/0x150
[   51.781786][ T1866]  do_syscall_64+0x73/0x180
[   51.786401][ T1866]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   51.792381][ T1866]
[   51.794695][ T1866] Memory state around the buggy address:
[   51.800836][ T1866]  ffff8881169d1600: 00 fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
[   51.808960][ T1866]  ffff8881169d1680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.817159][ T1866] >ffff8881169d1700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fa fb
[   51.825211][ T1866]                                                              ^
[   51.832894][ T1866]  ffff8881169d1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.841119][ T1866]  ffff8881169d1800: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   51.849245][ T1866] ==================================================================
[   51.857481][ T1866] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   51.865387][ T1866] Kernel Offset: disabled
[   51.869971][ T1866] Rebooting in 86400 seconds..