Warning: Permanently added '10.128.0.84' (ED25519) to the list of known hosts.
2025/08/14 01:51:03 ignoring optional flag "sandboxArg"="0"
2025/08/14 01:51:04 parsed 1 programs
[ 68.623707][ T4137] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 71.614553][ T4169] veth0_vlan: entered promiscuous mode
[ 72.409862][ T11] veth0_vlan: left promiscuous mode
2025/08/14 01:51:09 executed programs: 0
[ 74.874218][ T4407] veth0_vlan: entered promiscuous mode
[ 75.421023][ T4597] syz.2.16[4597]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 75.432535][ T4597] loop2: detected capacity change from 0 to 128
[ 75.443196][ T4597] VFS: Found a Xenix FS (block size = 1024) on device loop2
[ 75.453893][ T4597] syz.2.16: attempt to access beyond end of device
[ 75.453893][ T4597] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.467930][ T4597] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.480587][ T4597] syz.2.16: attempt to access beyond end of device
[ 75.480587][ T4597] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.495371][ T4597] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.507100][ T4407] sysv_free_block: flc_count > flc_size
[ 75.512693][ T4407] sysv_free_block: flc_count > flc_size
[ 75.518848][ T4407] sysv_free_block: flc_count > flc_size
[ 75.524464][ T4407] sysv_free_block: flc_count > flc_size
[ 75.530035][ T4407] sysv_free_block: flc_count > flc_size
[ 75.535618][ T4407] sysv_free_block: flc_count > flc_size
[ 75.541157][ T4407] sysv_free_block: flc_count > flc_size
[ 75.546758][ T4407] sysv_free_block: flc_count > flc_size
[ 75.552312][ T4407] sysv_free_block: flc_count > flc_size
[ 75.557938][ T4407] sysv_free_block: flc_count > flc_size
[ 75.563980][ T4407] sysv_free_inode: inode 0,1,2 or nonexistent inode
[ 75.584599][ T4599] loop2: detected capacity change from 0 to 128
[ 75.593743][ T4599] VFS: Found a Xenix FS (block size = 1024) on device loop2
[ 75.602047][ T4599] syz.2.17: attempt to access beyond end of device
[ 75.602047][ T4599] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.616061][ T4599] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.628553][ T4599] syz.2.17: attempt to access beyond end of device
[ 75.628553][ T4599] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.641917][ T4599] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.653517][ T4407] sysv_free_block: flc_count > flc_size
[ 75.659083][ T4407] sysv_free_block: flc_count > flc_size
[ 75.665012][ T4407] sysv_free_block: flc_count > flc_size
[ 75.670569][ T4407] sysv_free_block: flc_count > flc_size
[ 75.676451][ T4407] sysv_free_block: flc_count > flc_size
[ 75.681993][ T4407] sysv_free_block: flc_count > flc_size
[ 75.687593][ T4407] sysv_free_block: flc_count > flc_size
[ 75.693240][ T4407] sysv_free_block: flc_count > flc_size
[ 75.698790][ T4407] sysv_free_block: flc_count > flc_size
[ 75.704382][ T4407] sysv_free_block: flc_count > flc_size
[ 75.710264][ T4407] sysv_free_inode: inode 0,1,2 or nonexistent inode
[ 75.729577][ T4601] loop2: detected capacity change from 0 to 128
[ 75.738135][ T4601] VFS: Found a Xenix FS (block size = 1024) on device loop2
[ 75.746408][ T4601] syz.2.18: attempt to access beyond end of device
[ 75.746408][ T4601] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.760312][ T4601] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.772734][ T4601] syz.2.18: attempt to access beyond end of device
[ 75.772734][ T4601] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.786851][ T4601] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.797892][ T4407] sysv_free_block: flc_count > flc_size
[ 75.803636][ T4407] sysv_free_block: flc_count > flc_size
[ 75.809192][ T4407] sysv_free_block: flc_count > flc_size
[ 75.814824][ T4407] sysv_free_block: flc_count > flc_size
[ 75.820370][ T4407] sysv_free_block: flc_count > flc_size
[ 75.826023][ T4407] sysv_free_block: flc_count > flc_size
[ 75.831570][ T4407] sysv_free_block: flc_count > flc_size
[ 75.837351][ T4407] sysv_free_block: flc_count > flc_size
[ 75.842913][ T4407] sysv_free_block: flc_count > flc_size
[ 75.848817][ T4407] sysv_free_block: flc_count > flc_size
[ 75.854824][ T4407] sysv_free_inode: inode 0,1,2 or nonexistent inode
[ 75.874824][ T4603] loop2: detected capacity change from 0 to 128
[ 75.881930][ T4603] VFS: Found a Xenix FS (block size = 1024) on device loop2
[ 75.891541][ T4603] syz.2.19: attempt to access beyond end of device
[ 75.891541][ T4603] loop2: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 75.905305][ T4603] Buffer I/O error on dev loop2, logical block 3245768, async page read
[ 75.914153][ T4603] ==================================================================
[ 75.922238][ T4603] BUG: KASAN: use-after-free in sysv_new_inode+0xf09/0x10c0
[ 75.929539][ T4603] Read of size 2 at addr ffff88806e56b1ce by task syz.2.19/4603
[ 75.937163][ T4603]
[ 75.939492][ T4603] CPU: 1 PID: 4603 Comm: syz.2.19 Not tainted 6.6.101-syzkaller #0
[ 75.947378][ T4603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[ 75.957532][ T4603] Call Trace:
[ 75.960810][ T4603]
[ 75.963742][ T4603] dump_stack_lvl+0xe0/0x160
[ 75.968329][ T4603] ? show_regs_print_info+0x10/0x10
[ 75.973517][ T4603] ? load_image+0x550/0x550
[ 75.978007][ T4603] ? __virt_addr_valid+0x21e/0x270
[ 75.983113][ T4603] print_report+0xac/0x220
[ 75.987529][ T4603] ? sysv_new_inode+0xf09/0x10c0
[ 75.992469][ T4603] kasan_report+0x117/0x150
[ 75.996968][ T4603] ? sysv_new_inode+0xf09/0x10c0
[ 76.001921][ T4603] sysv_new_inode+0xf09/0x10c0
[ 76.006675][ T4603] ? __d_add+0x40c/0x760
[ 76.010924][ T4603] ? __lock_acquire+0xba0/0xba0
[ 76.015758][ T4603] ? do_raw_spin_lock+0x121/0x2c0
[ 76.020763][ T4603] ? sysv_free_inode+0x770/0x770
[ 76.025682][ T4603] ? _raw_spin_unlock+0x28/0x40
[ 76.030541][ T4603] ? __d_add+0x40c/0x760
[ 76.034794][ T4603] sysv_mknod+0x29/0xa0
[ 76.038934][ T4603] path_openat+0xee0/0x2790
[ 76.043422][ T4603] ? do_filp_open+0x370/0x370
[ 76.048086][ T4603] ? __virt_addr_valid+0x13d/0x270
[ 76.053187][ T4603] do_filp_open+0x1b4/0x370
[ 76.057673][ T4603] ? vfs_tmpfile+0x3a0/0x3a0
[ 76.062258][ T4603] ? do_raw_spin_unlock+0x121/0x230
[ 76.067475][ T4603] ? _raw_spin_unlock+0x28/0x40
[ 76.072312][ T4603] ? alloc_fd+0x3f2/0x4a0
[ 76.076623][ T4603] do_sys_openat2+0xf9/0x180
[ 76.081194][ T4603] ? do_sys_open+0x80/0x80
[ 76.085596][ T4603] __x64_sys_openat+0xf4/0x120
[ 76.090361][ T4603] do_syscall_64+0x55/0xb0
[ 76.094776][ T4603] ? clear_bhb_loop+0x40/0x90
[ 76.099452][ T4603] ? clear_bhb_loop+0x40/0x90
[ 76.104481][ T4603] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 76.110357][ T4603] RIP: 0033:0x7f067838e929
[ 76.114763][ T4603] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 76.134394][ T4603] RSP: 002b:00007f067919c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 76.142803][ T4603] RAX: ffffffffffffffda RBX: 00007f06785b5fa0 RCX: 00007f067838e929
[ 76.150782][ T4603] RDX: 0000000000101042 RSI: 0000200000000180 RDI: ffffffffffffff9c
[ 76.158741][ T4603] RBP: 00007f0678410b39 R08: 0000000000000000 R09: 0000000000000000
[ 76.166704][ T4603] R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000000
[ 76.174666][ T4603] R13: 0000000000000000 R14: 00007f06785b5fa0 R15: 00007ffd2c0e1538
[ 76.182725][ T4603]
[ 76.185735][ T4603]
[ 76.188047][ T4603] The buggy address belongs to the physical page:
[ 76.194443][ T4603] page:ffffea0001b95ac0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6e56b
[ 76.204590][ T4603] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 76.211686][ T4603] page_type: 0xffffffff()
[ 76.216020][ T4603] raw: 00fff00000000000 ffffea0001b25f48 ffffea0001b2c208 0000000000000000
[ 76.224599][ T4603] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 76.233171][ T4603] page dumped because: kasan: bad access detected
[ 76.239576][ T4603] page_owner tracks the page as freed
[ 76.244928][ T4603] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4603, tgid 4602 (syz.2.19), ts 75872330577, free_ts 75874536734
[ 76.263233][ T4603] post_alloc_hook+0x26b/0x290
[ 76.267999][ T4603] get_page_from_freelist+0x2a35/0x2b70
[ 76.273538][ T4603] __alloc_pages+0x1e3/0x430
[ 76.278186][ T4603] __folio_alloc+0x10/0x20
[ 76.282594][ T4603] vma_alloc_folio+0x47d/0x9d0
[ 76.287431][ T4603] do_pte_missing+0xc22/0x2090
[ 76.292176][ T4603] handle_mm_fault+0xd97/0x1d90
[ 76.297015][ T4603] do_user_addr_fault+0x786/0xb70
[ 76.302027][ T4603] exc_page_fault+0x52/0xc0
[ 76.306608][ T4603] asm_exc_page_fault+0x26/0x30
[ 76.311442][ T4603] page last free stack trace:
[ 76.316095][ T4603] free_unref_page_prepare+0x7d5/0x8e0
[ 76.321618][ T4603] free_unref_page_list+0xbe/0x7c0
[ 76.326716][ T4603] release_pages+0x14d0/0x1650
[ 76.331465][ T4603] tlb_flush_mmu+0x288/0x3f0
[ 76.336037][ T4603] tlb_finish_mmu+0xaa/0x190
[ 76.340607][ T4603] unmap_region+0x2d4/0x320
[ 76.345091][ T4603] do_vmi_align_munmap+0xb91/0x1160
[ 76.350269][ T4603] do_vmi_munmap+0x190/0x200
[ 76.354851][ T4603] __vm_munmap+0x16d/0x310
[ 76.359342][ T4603] __x64_sys_munmap+0x5b/0x70
[ 76.364000][ T4603] do_syscall_64+0x55/0xb0
[ 76.368397][ T4603] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 76.374273][ T4603]
[ 76.376668][ T4603] Memory state around the buggy address:
[ 76.382296][ T4603] ffff88806e56b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 76.390511][ T4603] ffff88806e56b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 76.398566][ T4603] >ffff88806e56b180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 76.406623][ T4603] ^
[ 76.413026][ T4603] ffff88806e56b200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 76.421072][ T4603] ffff88806e56b280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 76.429135][ T4603] ==================================================================
[ 76.442340][ T4603] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 76.449862][ T4603] Kernel Offset: disabled
[ 76.454282][ T4603] Rebooting in 86400 seconds..