Warning: Permanently added '10.128.0.51' (ED25519) to the list of known hosts.
2024/07/12 00:31:36 ignoring optional flag "sandboxArg"="0"
2024/07/12 00:31:36 parsed 1 programs
2024/07/12 00:31:38 executed programs: 0
[ 59.297025][ T2578] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 60.868610][ T2584] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 60.879100][ T2584] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 60.890690][ T2584] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 60.902462][ T2584] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 67.208861][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 67.217371][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 67.233671][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 67.242026][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 67.332542][ T3305] loop0: detected capacity change from 0 to 2048
2024/07/12 00:31:46 executed programs: 1
[ 67.416803][ T3305] jffs2: notice: (3305) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 67.461644][ T3309] loop0: detected capacity change from 0 to 2048
[ 67.490916][ T3307] ==================================================================
[ 67.499107][ T3307] BUG: KASAN: slab-use-after-free in __mutex_lock+0x11b/0x1990
[ 67.506753][ T3307] Read of size 8 at addr ffff88811fdac130 by task jffs2_gcd_mtd0/3307
[ 67.514899][ T3307]
[ 67.517221][ T3307] CPU: 0 PID: 3307 Comm: jffs2_gcd_mtd0 Not tainted 6.10.0-rc7-syzkaller #0
[ 67.525884][ T3307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 67.536115][ T3307] Call Trace:
[ 67.539381][ T3307]
[ 67.542486][ T3307] dump_stack_lvl+0x231/0x330
[ 67.547251][ T3307] ? __pfx_dump_stack_lvl+0x10/0x10
[ 67.552438][ T3307] ? __pfx__printk+0x10/0x10
[ 67.557546][ T3307] ? lock_acquire+0xc2/0x3a0
[ 67.562138][ T3307] ? __pfx_lock_acquire+0x10/0x10
[ 67.567242][ T3307] ? _printk+0xd5/0x120
[ 67.571382][ T3307] ? __virt_addr_valid+0x169/0x380
[ 67.576516][ T3307] print_report+0x169/0x550
[ 67.581026][ T3307] ? __virt_addr_valid+0x169/0x380
[ 67.586172][ T3307] ? __virt_addr_valid+0x2c1/0x380
[ 67.591387][ T3307] ? __phys_addr+0x90/0x130
[ 67.595899][ T3307] ? __mutex_lock+0x11b/0x1990
[ 67.600795][ T3307] kasan_report+0x143/0x180
[ 67.605430][ T3307] ? __mutex_lock+0x11b/0x1990
[ 67.610553][ T3307] ? jffs2_garbage_collect_pass+0xae/0x2080
[ 67.616621][ T3307] __mutex_lock+0x11b/0x1990
[ 67.621282][ T3307] ? __lock_acquire+0x5cd/0xc10
[ 67.626212][ T3307] ? __pfx___mutex_lock+0x10/0x10
[ 67.631335][ T3307] ? __lock_acquire+0x5cd/0xc10
[ 67.636205][ T3307] ? __set_current_blocked+0x310/0x380
[ 67.641841][ T3307] jffs2_garbage_collect_pass+0xae/0x2080
[ 67.647640][ T3307] ? _raw_spin_unlock_irq+0x29/0x50
[ 67.653004][ T3307] ? __set_current_blocked+0x310/0x380
[ 67.658470][ T3307] ? __pfx___set_current_blocked+0x10/0x10
[ 67.664722][ T3307] ? __pfx_jffs2_garbage_collect_pass+0x10/0x10
[ 67.671498][ T3307] ? schedule_timeout+0x21a/0x2e0
[ 67.676592][ T3307] ? sigprocmask+0x228/0x280
[ 67.681166][ T3307] ? __pfx_sigprocmask+0x10/0x10
[ 67.686097][ T3307] ? do_raw_spin_unlock+0x13c/0x8b0
[ 67.691287][ T3307] jffs2_garbage_collect_thread+0x5c0/0x650
[ 67.697192][ T3307] ? __pfx_jffs2_garbage_collect_thread+0x10/0x10
[ 67.703718][ T3307] ? _raw_spin_unlock_irqrestore+0xcf/0x130
[ 67.709709][ T3307] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 67.716088][ T3307] ? _raw_spin_unlock_irqrestore+0xcf/0x130
[ 67.722170][ T3307] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 67.728755][ T3307] ? __kthread_parkme+0x126/0x170
[ 67.733949][ T3307] ? __pfx_jffs2_garbage_collect_thread+0x10/0x10
[ 67.740352][ T3307] kthread+0x290/0x300
[ 67.744431][ T3307] ? __pfx_jffs2_garbage_collect_thread+0x10/0x10
[ 67.750844][ T3307] ? __pfx_kthread+0x10/0x10
[ 67.755427][ T3307] ret_from_fork+0x4b/0x80
[ 67.759831][ T3307] ? __pfx_kthread+0x10/0x10
[ 67.764413][ T3307] ret_from_fork_asm+0x1a/0x30
[ 67.769166][ T3307]
[ 67.772193][ T3307]
[ 67.774515][ T3307] Allocated by task 3305:
[ 67.778832][ T3307] kasan_save_track+0x3f/0x80
[ 67.783523][ T3307] __kasan_kmalloc+0x98/0xb0
[ 67.788200][ T3307] kmalloc_trace_noprof+0x19e/0x360
[ 67.793579][ T3307] jffs2_init_fs_context+0x4f/0xc0
[ 67.798796][ T3307] alloc_fs_context+0x685/0x800
[ 67.803737][ T3307] do_new_mount+0x160/0xb40
[ 67.808239][ T3307] __se_sys_mount+0x2c8/0x3b0
[ 67.812916][ T3307] do_syscall_64+0x8d/0x1a0
[ 67.817432][ T3307] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 67.823336][ T3307]
[ 67.825692][ T3307] Freed by task 2584:
[ 67.829666][ T3307] kasan_save_track+0x3f/0x80
[ 67.834437][ T3307] kasan_save_free_info+0x40/0x50
[ 67.839565][ T3307] poison_slab_object+0xe0/0x150
[ 67.844688][ T3307] __kasan_slab_free+0x37/0x60
[ 67.849448][ T3307] kfree+0x12f/0x310
[ 67.853425][ T3307] deactivate_locked_super+0xca/0x450
[ 67.859022][ T3307] cleanup_mnt+0x352/0x3e0
[ 67.863427][ T3307] task_work_run+0x24f/0x300
[ 67.868182][ T3307] syscall_exit_to_user_mode+0xc5/0x1f0
[ 67.873811][ T3307] do_syscall_64+0x9a/0x1a0
[ 67.878482][ T3307] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 67.884979][ T3307]
[ 67.887289][ T3307] The buggy address belongs to the object at ffff88811fdac000
[ 67.887289][ T3307] which belongs to the cache kmalloc-4k of size 4096
[ 67.901334][ T3307] The buggy address is located 304 bytes inside of
[ 67.901334][ T3307] freed 4096-byte region [ffff88811fdac000, ffff88811fdad000)
[ 67.915463][ T3307]
[ 67.917773][ T3307] The buggy address belongs to the physical page:
[ 67.924360][ T3307] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fda8
[ 67.933292][ T3307] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 67.942144][ T3307] flags: 0x200000000000040(head|node=0|zone=2)
[ 67.948309][ T3307] page_type: 0xffffefff(slab)
[ 67.952972][ T3307] raw: 0200000000000040 ffff888100042140 dead000000000122 0000000000000000
[ 67.961545][ T3307] raw: 0000000000000000 0000000000040004 00000001ffffefff 0000000000000000
[ 67.970832][ T3307] head: 0200000000000040 ffff888100042140 dead000000000122 0000000000000000
[ 67.979735][ T3307] head: 0000000000000000 0000000000040004 00000001ffffefff 0000000000000000
[ 67.988595][ T3307] head: 0200000000000003 ffffea00047f6a01 ffffffffffffffff 0000000000000000
[ 67.997518][ T3307] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 68.006170][ T3307] page dumped because: kasan: bad access detected
[ 68.012667][ T3307] page_owner tracks the page as allocated
[ 68.018539][ T3307] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 3305, tgid 3304 (syz-executor.0), ts 67411342457, free_ts 67356206746
[ 68.041632][ T3307] post_alloc_hook+0x10f/0x130
[ 68.046412][ T3307] get_page_from_freelist+0x37f4/0x3920
[ 68.052464][ T3307] __alloc_pages_noprof+0x256/0x670
[ 68.057795][ T3307] alloc_slab_page+0x5f/0x120
[ 68.062561][ T3307] allocate_slab+0x5d/0x290
[ 68.067177][ T3307] ___slab_alloc+0xa7f/0x11d0
[ 68.071850][ T3307] kmalloc_trace_noprof+0x1fc/0x360
[ 68.077303][ T3307] kobject_uevent_env+0x275/0x870
[ 68.082367][ T3307] disk_force_media_change+0x112/0x1c0
[ 68.087912][ T3307] __loop_clr_fd+0x49f/0x810
[ 68.092502][ T3307] lo_ioctl+0x174a/0x21a0
[ 68.096823][ T3307] blkdev_ioctl+0x51e/0x630
[ 68.101405][ T3307] __se_sys_ioctl+0xfc/0x170
[ 68.106379][ T3307] do_syscall_64+0x8d/0x1a0
[ 68.110974][ T3307] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.117138][ T3307] page last free pid 3299 tgid 3299 stack trace:
[ 68.123545][ T3307] free_unref_page+0xbae/0xcf0
[ 68.128324][ T3307] __put_partials+0x18e/0x1d0
[ 68.133355][ T3307] put_cpu_partial+0x151/0x1b0
[ 68.138218][ T3307] __slab_free+0x2b8/0x3a0
[ 68.142819][ T3307] qlist_free_all+0x9e/0x140
[ 68.147405][ T3307] kasan_quarantine_reduce+0x14f/0x170
[ 68.153059][ T3307] __kasan_slab_alloc+0x23/0x80
[ 68.158421][ T3307] kmem_cache_alloc_noprof+0x12b/0x350
[ 68.164046][ T3307] getname_flags+0xbd/0x4f0
[ 68.168639][ T3307] __x64_sys_mkdir+0x5f/0x80
[ 68.173498][ T3307] do_syscall_64+0x8d/0x1a0
[ 68.178002][ T3307] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.184245][ T3307]
[ 68.186593][ T3307] Memory state around the buggy address:
[ 68.192206][ T3307] ffff88811fdac000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.200518][ T3307] ffff88811fdac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.208828][ T3307] >ffff88811fdac100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.216870][ T3307] ^
[ 68.222859][ T3307] ffff88811fdac180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.230919][ T3307] ffff88811fdac200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.238984][ T3307] ==================================================================
[ 68.247305][ T3307] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 68.255189][ T3307] Kernel Offset: disabled
[ 68.259521][ T3307] Rebooting in 86400 seconds..