Warning: Permanently added '10.128.1.187' (ED25519) to the list of known hosts.
2025/06/16 07:57:17 ignoring optional flag "sandboxArg"="0"
2025/06/16 07:57:18 parsed 1 programs
[ 76.459947][ T2483] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 77.639328][ T1611] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 77.646814][ T1611] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 77.654443][ T1611] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 77.662391][ T1611] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 77.670530][ T1611] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 78.165601][ T2551] chnl_net:caif_netlink_parms(): no params data found
[ 79.916876][ T2551] 8021q: adding VLAN 0 to HW filter on device bond0
[ 81.071836][ T2551] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 83.332517][ T12] bond0 (unregistering): Released all slaves
2025/06/16 07:57:26 executed programs: 0
[ 83.739140][ T1611] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 83.746558][ T1611] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 83.753952][ T1611] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 83.762903][ T1611] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 83.770425][ T1611] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 83.980779][ T2982] chnl_net:caif_netlink_parms(): no params data found
[ 85.734063][ T2982] 8021q: adding VLAN 0 to HW filter on device bond0
[ 85.849956][ T1611] Bluetooth: hci0: command tx timeout
[ 86.875840][ T2982] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 87.930049][ T1611] Bluetooth: hci0: command tx timeout
2025/06/16 07:57:31 executed programs: 2
[ 89.119113][ T3385] loop2: detected capacity change from 0 to 32768
[ 89.153175][ T3385] bcachefs (loop2): starting version 1.7: mi_btree_bitmap opts=metadata_checksum=none,data_checksum=none,compression=lz4,nojournal_transaction_names
[ 89.153189][ T3385] allowing incompatible features above 0.0: (unknown version)
[ 89.153193][ T3385] features: lz4,new_siphash,inline_data,new_extent_overwrite,btree_ptr_v2,new_varint,journal_no_flush,alloc_v2,extents_across_btree_nodes
[ 89.190795][ T3385] bcachefs (loop2): invalid bkey in superblock btree=extents level=0: u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 4e0410879b0c2f04 written 16 min_key POS_MIN durability: 1 ptr: 0:27:0 gen 0
[ 89.190804][ T3385] invalid key type for btree extents (btree_ptr_v2), deleting
[ 89.218050][ T3385] bcachefs (loop2): recovering from clean shutdown, journal seq 13
[ 89.226188][ T3385] bcachefs (loop2): Version upgrade required:
[ 89.226188][ T3385] Version upgrade from 0.19: freespace to 1.7: mi_btree_bitmap incomplete
[ 89.226188][ T3385] Doing incompatible version upgrade from 0.19: freespace to 1.28: inode_has_case_insensitive
[ 89.226188][ T3385] running recovery passes: check_allocations,check_alloc_info,check_lrus,check_btree_backpointers,check_backpointers_to_extents,check_extents_to_backpointers,check_alloc_to_lru_refs,bucket_gens_init,check_snapshot_trees,check_snapshots,check_subvols,check_subvol_children,delete_dead_snapshots,check_inodes,check_extents,check_indirect_extents,check_dirents,check_xattrs,check_root,check_unreachable_inodes,check_subvolume_structure,check_directory_structure,check_nlinks,check_rebalance_work,set_fs_needs_rebalance
[ 89.305021][ T3385] ==================================================================
[ 89.313439][ T3385] BUG: KASAN: use-after-free in poly1305_update+0xe5/0x150
[ 89.320623][ T3385] Read of size 8 at addr ffff88815fd57390 by task syz.2.16/3385
[ 89.328218][ T3385]
[ 89.330525][ T3385] CPU: 1 UID: 0 PID: 3385 Comm: syz.2.16 Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(undef)
[ 89.330530][ T3385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 89.330536][ T3385] Call Trace:
[ 89.330543][ T3385]
[ 89.330546][ T3385] dump_stack_lvl+0xf4/0x170
[ 89.330555][ T3385] ? __pfx_dump_stack_lvl+0x10/0x10
[ 89.330560][ T3385] ? rcu_is_watching+0x1f/0xa0
[ 89.330565][ T3385] ? __virt_addr_valid+0x176/0x2b0
[ 89.330570][ T3385] ? lock_release+0x42/0x2f0
[ 89.330575][ T3385] ? lock_acquire+0x69/0x210
[ 89.330578][ T3385] ? _raw_spin_lock_irqsave+0xa5/0xe0
[ 89.330584][ T3385] ? __virt_addr_valid+0x176/0x2b0
[ 89.330588][ T3385] ? __virt_addr_valid+0x262/0x2b0
[ 89.330592][ T3385] print_report+0xd2/0x2b0
[ 89.330598][ T3385] ? poly1305_update+0xe5/0x150
[ 89.330601][ T3385] kasan_report+0x118/0x150
[ 89.330608][ T3385] ? poly1305_update+0xe5/0x150
[ 89.330612][ T3385] kasan_check_range+0x2b0/0x2c0
[ 89.330616][ T3385] ? poly1305_update+0xe5/0x150
[ 89.330619][ T3385] __asan_memcpy+0x29/0x70
[ 89.330623][ T3385] poly1305_update+0xe5/0x150
[ 89.330628][ T3385] bch2_checksum+0x21a/0x410
[ 89.330634][ T3385] ? __pfx_bch2_checksum+0x10/0x10
[ 89.330638][ T3385] ? bch2_printbuf_exit+0x4e/0x90
[ 89.330643][ T3385] ? validate_bset_keys+0xfc6/0x1100
[ 89.330657][ T3385] bch2_btree_node_read_done+0xe52/0x48c0
[ 89.330667][ T3385] ? __pfx_bch2_btree_node_read_done+0x10/0x10
[ 89.330671][ T3385] ? __pfx_bch2_prt_printf+0x10/0x10
[ 89.330676][ T3385] ? bch2_extent_ptr_to_text+0x57/0x4c0
[ 89.330682][ T3385] ? bch2_extent_ptr_to_text+0x1ef/0x4c0
[ 89.330686][ T3385] ? bch2_extent_ptr_to_text+0x57/0x4c0
[ 89.330690][ T3385] ? bch2_bkey_ptrs_to_text+0x8d4/0xfa0
[ 89.330695][ T3385] ? enumerated_ref_put+0x74/0x200
[ 89.330699][ T3385] btree_node_read_work+0x39c/0xbd0
[ 89.330705][ T3385] ? __pfx_btree_node_read_work+0x10/0x10
[ 89.330709][ T3385] ? bch2_latency_acct+0x29c/0x310
[ 89.330714][ T3385] ? __pfx_bch2_latency_acct+0x10/0x10
[ 89.330717][ T3385] ? bio_associate_blkg+0x56/0x160
[ 89.330724][ T3385] ? bio_associate_blkg+0x56/0x160
[ 89.330728][ T3385] bch2_btree_node_read+0x7e6/0x2430
[ 89.330733][ T3385] ? __bch2_btree_node_hash_insert+0x218/0x1770
[ 89.330739][ T3385] ? bch2_btree_node_hash_insert+0x7e/0xe0
[ 89.330744][ T3385] ? __mutex_unlock_slowpath+0x19b/0x4d0
[ 89.330749][ T3385] ? __pfx_bch2_btree_node_read+0x10/0x10
[ 89.330754][ T3385] ? bch2_trans_unlock+0x68/0x2f0
[ 89.330760][ T3385] ? bch2_trans_unlock+0x6d/0x2f0
[ 89.330765][ T3385] bch2_btree_root_read+0x29b/0x790
[ 89.330770][ T3385] ? __pfx_bch2_btree_root_read+0x10/0x10
[ 89.330776][ T3385] ? bch2_current_has_btree_trans+0x136/0x170
[ 89.330781][ T3385] read_btree_roots+0x3b1/0x620
[ 89.330786][ T3385] ? __pfx_read_btree_roots+0x10/0x10
[ 89.330790][ T3385] ? bch2_fs_resize_on_mount+0x182/0x540
[ 89.330793][ T3385] ? journal_replay_entry_early+0x234/0x9f0
[ 89.330798][ T3385] bch2_fs_recovery+0x19d2/0x2e50
[ 89.330808][ T3385] ? __pfx_bch2_fs_recovery+0x10/0x10
[ 89.330815][ T3385] ? rcu_is_watching+0x1f/0xa0
[ 89.330819][ T3385] ? __mutex_lock+0x5b6/0x18d0
[ 89.330823][ T3385] ? rcuwait_wake_up+0x18/0xa0
[ 89.330829][ T3385] ? rcuwait_wake_up+0x84/0xa0
[ 89.330833][ T3385] ? bch2_fs_start+0x4cf/0xeb0
[ 89.330838][ T3385] ? bch2_fs_start+0x7f8/0xeb0
[ 89.330843][ T3385] ? bch2_fs_start+0x9b1/0xeb0
[ 89.330847][ T3385] bch2_fs_start+0xa51/0xeb0
[ 89.330851][ T3385] ? bch2_fs_start+0x5d6/0xeb0
[ 89.330855][ T3385] ? __pfx_bch2_fs_start+0x10/0x10
[ 89.330861][ T3385] ? sget+0x264/0x500
[ 89.330866][ T3385] bch2_fs_get_tree+0x4e4/0x1270
[ 89.330874][ T3385] ? __pfx_bch2_fs_get_tree+0x10/0x10
[ 89.330877][ T3385] ? smack_fs_context_parse_param+0x93/0x130
[ 89.330885][ T3385] ? vfs_parse_monolithic_sep+0x170/0x280
[ 89.330890][ T3385] ? __pfx_vfs_parse_comma_sep+0x10/0x10
[ 89.330894][ T3385] ? __pfx_vfs_parse_monolithic_sep+0x10/0x10
[ 89.330898][ T3385] ? cap_capable+0xa7/0x2d0
[ 89.330903][ T3385] ? bch2_init_fs_context+0x7e/0x100
[ 89.330907][ T3385] vfs_get_tree+0x87/0x1a0
[ 89.330912][ T3385] do_new_mount+0x1c7/0x850
[ 89.330918][ T3385] __se_sys_mount+0x218/0x2b0
[ 89.330924][ T3385] ? __pfx___se_sys_mount+0x10/0x10
[ 89.330929][ T3385] do_syscall_64+0x8f/0x250
[ 89.330935][ T3385] ? fpregs_assert_state_consistent+0x48/0x60
[ 89.330940][ T3385] ? clear_bhb_loop+0x40/0x90
[ 89.330945][ T3385] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.330949][ T3385] RIP: 0033:0x7f1d8398e58a
[ 89.330957][ T3385] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 89.330961][ T3385] RSP: 002b:00007f1d84887e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 89.330969][ T3385] RAX: ffffffffffffffda RBX: 00007f1d84887ef0 RCX: 00007f1d8398e58a
[ 89.330973][ T3385] RDX: 0000400000000000 RSI: 0000400000000200 RDI: 00007f1d84887eb0
[ 89.330975][ T3385] RBP: 0000400000000000 R08: 00007f1d84887ef0 R09: 0000000002a08414
[ 89.330977][ T3385] R10: 0000000002a08414 R11: 0000000000000246 R12: 0000400000000200
[ 89.330980][ T3385] R13: 00007f1d84887eb0 R14: 000000000000f63a R15: 0000400000000240
[ 89.330985][ T3385]
[ 89.330987][ T3385]
[ 89.833300][ T3385] The buggy address belongs to the physical page:
[ 89.839768][ T3385] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15fd57
[ 89.848588][ T3385] flags: 0x100000000000000(node=0|zone=2)
[ 89.854275][ T3385] raw: 0100000000000000 dead000000000100 dead000000000122 0000000000000000
[ 89.862822][ T3385] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 89.871376][ T3385] page dumped because: kasan: bad access detected
[ 89.877768][ T3385] page_owner tracks the page as freed
[ 89.883103][ T3385] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xcc0(GFP_KERNEL), pid 1, tgid 1 (swapper/0), ts 5335777500, free_ts 6305636376
[ 89.897906][ T3385] post_alloc_hook+0x168/0x1a0
[ 89.902814][ T3385] split_free_pages+0xd7/0x2f0
[ 89.907551][ T3385] alloc_contig_range_noprof+0x9c5/0xcd0
[ 89.913147][ T3385] alloc_contig_pages_noprof+0x443/0x570
[ 89.918748][ T3385] debug_vm_pgtable_alloc_huge_page+0x79/0xd0
[ 89.924783][ T3385] init_args+0x784/0xa60
[ 89.928995][ T3385] debug_vm_pgtable+0xbb/0x4a0
[ 89.933724][ T3385] do_one_initcall+0x197/0x4d0
[ 89.938455][ T3385] do_initcall_level+0x117/0x1d0
[ 89.943358][ T3385] do_initcalls+0x59/0xa0
[ 89.947653][ T3385] kernel_init_freeable+0x306/0x460
[ 89.953076][ T3385] kernel_init+0x17/0x130
[ 89.957370][ T3385] ret_from_fork+0x139/0x2d0
[ 89.961930][ T3385] ret_from_fork_asm+0x1a/0x30
[ 89.966658][ T3385] page last free pid 1 tgid 1 stack trace:
[ 89.972426][ T3385] __free_frozen_pages+0xc4b/0xe30
[ 89.977506][ T3385] free_contig_range+0x19b/0x420
[ 89.982414][ T3385] destroy_args+0x64/0x4a0
[ 89.986796][ T3385] debug_vm_pgtable+0x313/0x4a0
[ 89.991611][ T3385] do_one_initcall+0x197/0x4d0
[ 89.996341][ T3385] do_initcall_level+0x117/0x1d0
[ 90.001252][ T3385] do_initcalls+0x59/0xa0
[ 90.005547][ T3385] kernel_init_freeable+0x306/0x460
[ 90.010710][ T3385] kernel_init+0x17/0x130
[ 90.015008][ T3385] ret_from_fork+0x139/0x2d0
[ 90.019561][ T3385] ret_from_fork_asm+0x1a/0x30
[ 90.024290][ T3385]
[ 90.026585][ T3385] Memory state around the buggy address:
[ 90.032270][ T3385] ffff88815fd57280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 90.040296][ T3385] ffff88815fd57300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 90.048346][ T3385] >ffff88815fd57380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 90.056385][ T3385] ^
[ 90.060949][ T3385] ffff88815fd57400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 90.068978][ T3385] ffff88815fd57480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 90.077006][ T3385] ==================================================================
[ 90.085183][ T3385] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 90.092589][ T3385] Kernel Offset: disabled
[ 90.096892][ T3385] Rebooting in 86400 seconds..