./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor798791669 <...> Warning: Permanently added '10.128.1.60' (ED25519) to the list of known hosts. execve("./syz-executor798791669", ["./syz-executor798791669"], 0x7ffdf7a817a0 /* 10 vars */) = 0 brk(NULL) = 0x555557376000 brk(0x555557376e00) = 0x555557376e00 arch_prctl(ARCH_SET_FS, 0x555557376480) = 0 set_tid_address(0x555557376750) = 5034 set_robust_list(0x555557376760, 24) = 0 rseq(0x555557376da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor798791669", 4096) = 27 getrandom("\x06\x73\x27\xcf\xb0\xee\x4a\x4a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555557376e00 brk(0x555557397e00) = 0x555557397e00 brk(0x555557398000) = 0x555557398000 mprotect(0x7f8cfb794000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f8cfb6ec9c0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8cfb6f4220}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f8cfb6ec9c0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f8cfb6f4220}, NULL, 8) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557376750) = 5035 ./strace-static-x86_64: Process 5035 attached [pid 5034] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5035] set_robust_list(0x555557376760, 24) = 0 ./strace-static-x86_64: Process 5036 attached [pid 5035] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 5034] <... clone resumed>, child_tidptr=0x555557376750) = 5036 [pid 5036] set_robust_list(0x555557376760, 24 [pid 5034] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5036] <... set_robust_list resumed>) = 0 [pid 5036] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 5035] <... openat resumed>) = 3 [pid 5035] ioctl(3, LOOP_CLR_FD./strace-static-x86_64: Process 5037 attached [pid 5034] <... clone resumed>, child_tidptr=0x555557376750) = 5037 [pid 5034] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5037] set_robust_list(0x555557376760, 24 [pid 5035] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5037] <... set_robust_list resumed>) = 0 [pid 5035] close(3 [pid 5037] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 5036] <... openat resumed>) = 3 [pid 5035] <... close resumed>) = 0 [pid 5035] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557376750) = 5038 [pid 5036] ioctl(3, LOOP_CLR_FD./strace-static-x86_64: Process 5038 attached [pid 5038] set_robust_list(0x555557376760, 24) = 0 [pid 5038] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5037] <... openat resumed>) = 3 [pid 5036] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5034] <... clone resumed>, child_tidptr=0x555557376750) = 5039 [pid 5038] <... prctl resumed>) = 0 [pid 5037] ioctl(3, LOOP_CLR_FD [pid 5036] close(3./strace-static-x86_64: Process 5039 attached [pid 5038] setpgid(0, 0 [pid 5034] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5039] set_robust_list(0x555557376760, 24 [pid 5038] <... setpgid resumed>) = 0 [pid 5037] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5036] <... close resumed>) = 0 [pid 5039] <... set_robust_list resumed>) = 0 [pid 5038] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5036] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5039] openat(AT_FDCWD, "/dev/loop3", O_RDWR [pid 5038] <... openat resumed>) = 3 [pid 5037] close(3) = 0 [pid 5037] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5040 attached ./strace-static-x86_64: Process 5042 attached ./strace-static-x86_64: Process 5041 attached [pid 5040] set_robust_list(0x555557376760, 24 [pid 5042] set_robust_list(0x555557376760, 24 [pid 5041] set_robust_list(0x555557376760, 24 [pid 5040] <... set_robust_list resumed>) = 0 [pid 5039] <... openat resumed>) = 3 [pid 5042] <... set_robust_list resumed>) = 0 [pid 5034] <... clone resumed>, child_tidptr=0x555557376750) = 5040 [pid 5042] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5038] write(3, "1000", 4 [pid 5042] <... prctl resumed>) = 0 [pid 5038] <... write resumed>) = 4 [pid 5034] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5042] setpgid(0, 0 [pid 5038] close(3 [pid 5036] <... clone resumed>, child_tidptr=0x555557376750) = 5041 ./strace-static-x86_64: Process 5043 attached [pid 5042] <... setpgid resumed>) = 0 [pid 5041] <... set_robust_list resumed>) = 0 [pid 5040] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 5039] ioctl(3, LOOP_CLR_FD [pid 5038] <... close resumed>) = 0 [pid 5037] <... clone resumed>, child_tidptr=0x555557376750) = 5042 [pid 5041] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5038] mkdir("./file0", 0777 [pid 5041] <... prctl resumed>) = 0 [pid 5040] <... openat resumed>) = 3 [pid 5042] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5041] setpgid(0, 0 [pid 5040] ioctl(3, LOOP_CLR_FD [pid 5034] <... clone resumed>, child_tidptr=0x555557376750) = 5043 [pid 5043] set_robust_list(0x555557376760, 24 [pid 5042] <... openat resumed>) = 3 [pid 5041] <... setpgid resumed>) = 0 [pid 5039] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5038] <... mkdir resumed>) = 0 [pid 5043] <... set_robust_list resumed>) = 0 [pid 5042] write(3, "1000", 4 [pid 5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5040] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5039] close(3 [pid 5042] <... write resumed>) = 4 [pid 5041] <... openat resumed>) = 3 [pid 5040] close(3 [pid 5039] <... close resumed>) = 0 [pid 5042] close(3 [pid 5041] write(3, "1000", 4 [pid 5040] <... close resumed>) = 0 [pid 5039] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5038] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 5043] openat(AT_FDCWD, "/dev/loop5", O_RDWR [pid 5042] <... close resumed>) = 0 [pid 5041] <... write resumed>) = 4 [pid 5040] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5045 attached [pid 5041] close(3) = 0 [pid 5041] mkdir("./file0", 0777) = -1 EEXIST (File exists) [pid 5038] mount("/dev/nullb0", "./file0", "udf", 0, NULL [pid 5041] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 5041] mount("/dev/nullb0", "./file0", "udf", 0, NULL./strace-static-x86_64: Process 5046 attached [pid 5045] set_robust_list(0x555557376760, 24 [pid 5042] mkdir("./file0", 0777 [pid 5039] <... clone resumed>, child_tidptr=0x555557376750) = 5045 [pid 5043] <... openat resumed>) = 3 [pid 5040] <... clone resumed>, child_tidptr=0x555557376750) = 5046 [pid 5043] ioctl(3, LOOP_CLR_FD [pid 5042] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5043] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 5043] close(3 [pid 5042] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 5046] set_robust_list(0x555557376760, 24 [pid 5045] <... set_robust_list resumed>) = 0 [pid 5046] <... set_robust_list resumed>) = 0 [pid 5043] <... close resumed>) = 0 [pid 5042] mount("/dev/nullb0", "./file0", "udf", 0, NULL [pid 5046] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5043] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5046] <... prctl resumed>) = 0 [pid 5046] setpgid(0, 0) = 0 [pid 5046] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5046] write(3, "1000", 4) = 4 [pid 5045] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5043] <... clone resumed>, child_tidptr=0x555557376750) = 5048 [pid 5045] <... prctl resumed>) = 0 [pid 5046] close(3) = 0 [pid 5045] setpgid(0, 0 [pid 5046] mkdir("./file0", 0777 [pid 5045] <... setpgid resumed>) = 0 [pid 5046] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5045] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC./strace-static-x86_64: Process 5048 attached [pid 5046] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 5045] <... openat resumed>) = 3 [pid 5046] mount("/dev/nullb0", "./file0", "udf", 0, NULL [pid 5045] write(3, "1000", 4) = 4 [pid 5048] set_robust_list(0x555557376760, 24) = 0 [pid 5048] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5048] setpgid(0, 0 [pid 5045] close(3 [pid 5048] <... setpgid resumed>) = 0 [pid 5048] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5048] write(3, "1000", 4) = 4 [pid 5045] <... close resumed>) = 0 [pid 5048] close(3) = 0 [pid 5045] mkdir("./file0", 0777 [pid 5048] mkdir("./file0", 0777 [pid 5045] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5045] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [pid 5045] mount("/dev/nullb0", "./file0", "udf", 0, NULL [pid 5048] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5048] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [ 42.795671][ T5038] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.808260][ T5038] UDF-fs: Scanning with blocksize 512 failed [ 42.823529][ T5038] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.837441][ T5038] UDF-fs: Scanning with blocksize 1024 failed [pid 5048] mount("/dev/nullb0", "./file0", "udf", 0, NULL [pid 5038] <... mount resumed>) = -1 EINVAL (Invalid argument) [ 42.844539][ T5038] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.853198][ T5038] UDF-fs: Scanning with blocksize 2048 failed [ 42.861603][ T5038] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.869354][ T5038] UDF-fs: Scanning with blocksize 4096 failed [ 42.875760][ T5042] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.877230][ T5038] MTD: Attempt to mount non-MTD device "/dev/nullb0" [ 42.883637][ T5042] UDF-fs: Scanning with blocksize 512 failed [pid 5038] mount("/dev/nullb0", "./file0", "romfs", MS_RDONLY|MS_NODEV, NULL) = -1 EBUSY (Device or resource busy) [pid 5038] exit_group(0) = ? [pid 5038] +++ exited with 0 +++ [pid 5035] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5038, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- [pid 5035] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [pid 5035] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 5035] close(3) = 0 [pid 5035] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5050 attached , child_tidptr=0x555557376750) = 5050 [pid 5050] set_robust_list(0x555557376760, 24) = 0 [pid 5050] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5050] setpgid(0, 0) = 0 [pid 5050] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5050] write(3, "1000", 4) = 4 [pid 5050] close(3) = 0 [pid 5050] mkdir("./file0", 0777) = -1 EEXIST (File exists) [pid 5050] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- [ 42.890496][ T5038] /dev/nullb0: Can't open blockdev [ 42.901283][ T5042] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.909484][ T5042] UDF-fs: Scanning with blocksize 1024 failed [ 42.917660][ T5042] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.927205][ T5042] UDF-fs: Scanning with blocksize 2048 failed [ 42.933666][ T5042] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [pid 5050] mount("/dev/nullb0", "./file0", "udf", 0, NULL [pid 5042] <... mount resumed>) = -1 EINVAL (Invalid argument) [ 42.941266][ T5042] UDF-fs: Scanning with blocksize 4096 failed [ 42.947975][ T5048] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.955737][ T5048] UDF-fs: Scanning with blocksize 512 failed [ 42.962007][ T5042] MTD: Attempt to mount non-MTD device "/dev/nullb0" [ 42.969452][ T5048] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.976221][ T5042] ================================================================== [ 42.977138][ T5048] UDF-fs: Scanning with blocksize 1024 failed [ 42.984941][ T5042] BUG: KASAN: slab-use-after-free in test_bdev_super_fc+0x10a/0x110 [ 42.991420][ T5048] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 42.998938][ T5042] Read of size 8 at addr ffff88807887e058 by task syz-executor798/5042 [ 42.998957][ T5042] [ 42.998962][ T5042] CPU: 1 PID: 5042 Comm: syz-executor798 Not tainted 6.5.0-rc3-next-20230728-syzkaller #0 [ 42.998983][ T5042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 42.998995][ T5042] Call Trace: [ 43.006886][ T5048] UDF-fs: Scanning with blocksize 2048 failed [ 43.014631][ T5042] [ 43.017224][ T5048] UDF-fs: warning (device nullb0): udf_load_vrs: No VRS found [ 43.026800][ T5042] dump_stack_lvl+0xd9/0x1b0 [ 43.026831][ T5042] print_report+0xc4/0x620 [ 43.026858][ T5042] ? __virt_addr_valid+0x5e/0x2d0 [ 43.026881][ T5042] ? __phys_addr+0xc6/0x140 [ 43.038068][ T5048] UDF-fs: Scanning with blocksize 4096 failed [ 43.040203][ T5042] kasan_report+0xda/0x110 [ 43.085603][ T5042] ? test_bdev_super_fc+0x10a/0x110 [ 43.090791][ T5042] ? test_bdev_super_fc+0x10a/0x110 [ 43.095972][ T5042] ? set_bdev_super_fc+0xa0/0xa0 [ 43.100893][ T5042] test_bdev_super_fc+0x10a/0x110 [ 43.105902][ T5042] ? set_bdev_super_fc+0xa0/0xa0 [ 43.110869][ T5042] sget_fc+0x584/0x860 [ 43.114925][ T5042] ? set_bdev_super+0x80/0x80 [ 43.119593][ T5042] get_tree_bdev+0x13e/0x6a0 [ 43.124174][ T5042] ? romfs_get_tree+0x60/0x60 [ 43.128842][ T5042] ? mtd_set_super+0x1d0/0x1d0 [ 43.133596][ T5042] ? vfs_parse_fs_string+0xfb/0x150 [ 43.138804][ T5042] ? sget_fc+0x860/0x860 [ 43.143031][ T5042] ? bpf_lsm_capable+0x9/0x10 [ 43.147690][ T5042] romfs_get_tree+0x4e/0x60 [ 43.152176][ T5042] vfs_get_tree+0x88/0x350 [ 43.156579][ T5042] path_mount+0x1492/0x1ed0 [ 43.161075][ T5042] ? kmem_cache_free+0xf0/0x490 [ 43.165924][ T5042] ? finish_automount+0xa50/0xa50 [ 43.170940][ T5042] ? putname+0x101/0x140 [ 43.175183][ T5042] __x64_sys_mount+0x293/0x310 [ 43.179937][ T5042] ? copy_mnt_ns+0xb60/0xb60 [ 43.184514][ T5042] ? _raw_spin_unlock_irq+0x2e/0x50 [ 43.189790][ T5042] ? ptrace_notify+0xf4/0x130 [ 43.194449][ T5042] do_syscall_64+0x38/0xb0 [ 43.198854][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.204764][ T5042] RIP: 0033:0x7f8cfb721359 [ 43.209159][ T5042] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 43.228747][ T5042] RSP: 002b:00007fffc0205068 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 43.237226][ T5042] RAX: ffffffffffffffda RBX: 00007fffc02050b0 RCX: 00007f8cfb721359 [ 43.245179][ T5042] RDX: 0000000020000040 RSI: 0000000020000080 RDI: 00000000200000c0 [ 43.253131][ T5042] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000000f4240 [ 43.261084][ T5042] R10: 0000000000000005 R11: 0000000000000246 R12: 00000000000f4240 [ 43.269037][ T5042] R13: 00007fffc0205338 R14: 00007fffc020509c R15: 00007f8cfb76a06a [ 43.276992][ T5042] [ 43.279999][ T5042] [ 43.282307][ T5042] Allocated by task 5038: [ 43.286615][ T5042] kasan_save_stack+0x33/0x50 [ 43.291292][ T5042] kasan_set_track+0x25/0x30 [ 43.295867][ T5042] __kasan_kmalloc+0xa2/0xb0 [ 43.300458][ T5042] alloc_super+0x52/0xb40 [ 43.304769][ T5042] sget_fc+0x142/0x860 [ 43.308907][ T5042] get_tree_bdev+0x13e/0x6a0 [ 43.313480][ T5042] romfs_get_tree+0x4e/0x60 [ 43.317967][ T5042] vfs_get_tree+0x88/0x350 [ 43.322377][ T5042] path_mount+0x1492/0x1ed0 [ 43.326862][ T5042] __x64_sys_mount+0x293/0x310 [ 43.331605][ T5042] do_syscall_64+0x38/0xb0 [ 43.336007][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.341882][ T5042] [ 43.344185][ T5042] Freed by task 4776: [ 43.348140][ T5042] kasan_save_stack+0x33/0x50 [ 43.352800][ T5042] kasan_set_track+0x25/0x30 [ 43.357380][ T5042] kasan_save_free_info+0x2b/0x40 [ 43.362385][ T5042] ____kasan_slab_free+0x15e/0x1b0 [ 43.367479][ T5042] slab_free_freelist_hook+0x114/0x1e0 [ 43.372920][ T5042] __kmem_cache_free+0xb8/0x2f0 [ 43.377755][ T5042] process_one_work+0xaa2/0x16f0 [ 43.382674][ T5042] worker_thread+0x687/0x1110 [ 43.387338][ T5042] kthread+0x33a/0x430 [ 43.391390][ T5042] ret_from_fork+0x2c/0x70 [ 43.395789][ T5042] ret_from_fork_asm+0x11/0x20 [ 43.400536][ T5042] [ 43.402840][ T5042] Last potentially related work creation: [ 43.408542][ T5042] kasan_save_stack+0x33/0x50 [ 43.413203][ T5042] __kasan_record_aux_stack+0xbc/0xd0 [ 43.418555][ T5042] insert_work+0x4a/0x330 [ 43.422867][ T5042] __queue_work+0x5f5/0x1040 [ 43.427445][ T5042] queue_work_on+0xed/0x110 [ 43.431927][ T5042] rcu_core+0x7fb/0x1bb0 [ 43.436155][ T5042] __do_softirq+0x218/0x965 [ 43.440644][ T5042] [ 43.442948][ T5042] Second to last potentially related work creation: [ 43.449505][ T5042] kasan_save_stack+0x33/0x50 [ 43.454164][ T5042] __kasan_record_aux_stack+0xbc/0xd0 [ 43.459511][ T5042] __call_rcu_common.constprop.0+0x9a/0x790 [ 43.465387][ T5042] deactivate_locked_super+0x144/0x170 [ 43.470829][ T5042] get_tree_bdev+0x4c7/0x6a0 [ 43.475401][ T5042] romfs_get_tree+0x4e/0x60 [ 43.479886][ T5042] vfs_get_tree+0x88/0x350 [ 43.484303][ T5042] path_mount+0x1492/0x1ed0 [ 43.488793][ T5042] __x64_sys_mount+0x293/0x310 [ 43.493536][ T5042] do_syscall_64+0x38/0xb0 [ 43.498026][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.503904][ T5042] [ 43.506211][ T5042] The buggy address belongs to the object at ffff88807887e000 [ 43.506211][ T5042] which belongs to the cache kmalloc-4k of size 4096 [ 43.520253][ T5042] The buggy address is located 88 bytes inside of [ 43.520253][ T5042] freed 4096-byte region [ffff88807887e000, ffff88807887f000) [ 43.534025][ T5042] [ 43.536344][ T5042] The buggy address belongs to the physical page: [ 43.542734][ T5042] page:ffffea0001e21e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78878 [ 43.552947][ T5042] head:ffffea0001e21e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 43.561856][ T5042] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 43.569810][ T5042] page_type: 0xffffffff() [ 43.574119][ T5042] raw: 00fff00000010200 ffff888012842140 dead000000000122 0000000000000000 [ 43.582680][ T5042] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 [ 43.591236][ T5042] page dumped because: kasan: bad access detected [ 43.597625][ T5042] page_owner tracks the page as allocated [ 43.603313][ T5042] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5038, tgid 5038 (syz-executor798), ts 42876874060, free_ts 42820208731 [ 43.624125][ T5042] post_alloc_hook+0x2d2/0x350 [ 43.628886][ T5042] get_page_from_freelist+0x10d7/0x31b0 [ 43.634414][ T5042] __alloc_pages+0x1d0/0x4a0 [ 43.638987][ T5042] alloc_pages+0x1a9/0x270 [ 43.643386][ T5042] allocate_slab+0x24e/0x380 [ 43.647957][ T5042] ___slab_alloc+0x8bc/0x1570 [ 43.652616][ T5042] __slab_alloc.constprop.0+0x56/0xa0 [ 43.657973][ T5042] __kmem_cache_alloc_node+0x137/0x350 [ 43.663415][ T5042] __kmalloc+0x4f/0x100 [ 43.667563][ T5042] tomoyo_realpath_from_path+0xb9/0x710 [ 43.673097][ T5042] tomoyo_mount_acl+0x1af/0x880 [ 43.677926][ T5042] tomoyo_mount_permission+0x16d/0x410 [ 43.683363][ T5042] security_sb_mount+0x86/0xd0 [ 43.688106][ T5042] path_mount+0x129/0x1ed0 [ 43.692507][ T5042] __x64_sys_mount+0x293/0x310 [ 43.697253][ T5042] do_syscall_64+0x38/0xb0 [ 43.701739][ T5042] page last free stack trace: [ 43.706398][ T5042] free_unref_page_prepare+0x508/0xb90 [ 43.711864][ T5042] free_unref_page+0x33/0x3b0 [ 43.716530][ T5042] __unfreeze_partials+0x21d/0x240 [ 43.721633][ T5042] qlist_free_all+0x6a/0x170 [ 43.726204][ T5042] kasan_quarantine_reduce+0x18b/0x1d0 [ 43.731652][ T5042] __kasan_slab_alloc+0x65/0x90 [ 43.736494][ T5042] kmem_cache_alloc+0x172/0x3b0 [ 43.741352][ T5042] flock_lock_inode+0xb7f/0xfe0 [ 43.746201][ T5042] locks_lock_inode_wait+0x1c7/0x450 [ 43.751482][ T5042] __do_sys_flock+0x403/0x4c0 [ 43.756147][ T5042] do_syscall_64+0x38/0xb0 [ 43.760553][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 43.766435][ T5042] [ 43.768914][ T5042] Memory state around the buggy address: [ 43.774520][ T5042] ffff88807887df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.782577][ T5042] ffff88807887df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.790621][ T5042] >ffff88807887e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.798744][ T5042] ^ [ 43.805668][ T5042] ffff88807887e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.813726][ T5042] ffff88807887e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.821785][ T5042] ================================================================== [ 43.829983][ T5042] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 43.837159][ T5042] CPU: 1 PID: 5042 Comm: syz-executor798 Not tainted 6.5.0-rc3-next-20230728-syzkaller #0 [ 43.847039][ T5042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023 [ 43.857186][ T5042] Call Trace: [ 43.860556][ T5042] [ 43.863483][ T5042] dump_stack_lvl+0xd9/0x1b0 [ 43.868093][ T5042] panic+0x6a4/0x750 [ 43.871986][ T5042] ? panic_smp_self_stop+0xa0/0xa0 [ 43.877091][ T5042] ? trace_irq_enable.constprop.0+0xd0/0x100 [ 43.883064][ T5042] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 43.889207][ T5042] check_panic_on_warn+0xab/0xb0 [ 43.894131][ T5042] end_report+0x108/0x150 [ 43.898452][ T5042] kasan_report+0xea/0x110 [ 43.902868][ T5042] ? test_bdev_super_fc+0x10a/0x110 [ 43.908063][ T5042] ? test_bdev_super_fc+0x10a/0x110 [ 43.913249][ T5042] ? set_bdev_super_fc+0xa0/0xa0 [ 43.918177][ T5042] test_bdev_super_fc+0x10a/0x110 [ 43.923196][ T5042] ? set_bdev_super_fc+0xa0/0xa0 [ 43.928177][ T5042] sget_fc+0x584/0x860 [ 43.932271][ T5042] ? set_bdev_super+0x80/0x80 [ 43.936945][ T5042] get_tree_bdev+0x13e/0x6a0 [ 43.941525][ T5042] ? romfs_get_tree+0x60/0x60 [ 43.946285][ T5042] ? mtd_set_super+0x1d0/0x1d0 [ 43.951140][ T5042] ? vfs_parse_fs_string+0xfb/0x150 [ 43.956338][ T5042] ? sget_fc+0x860/0x860 [ 43.960578][ T5042] ? bpf_lsm_capable+0x9/0x10 [ 43.965250][ T5042] romfs_get_tree+0x4e/0x60 [ 43.969745][ T5042] vfs_get_tree+0x88/0x350 [ 43.974148][ T5042] path_mount+0x1492/0x1ed0 [ 43.978645][ T5042] ? kmem_cache_free+0xf0/0x490 [ 43.983490][ T5042] ? finish_automount+0xa50/0xa50 [ 43.988680][ T5042] ? putname+0x101/0x140 [ 43.992908][ T5042] __x64_sys_mount+0x293/0x310 [ 43.997674][ T5042] ? copy_mnt_ns+0xb60/0xb60 [ 44.002254][ T5042] ? _raw_spin_unlock_irq+0x2e/0x50 [ 44.007455][ T5042] ? ptrace_notify+0xf4/0x130 [ 44.012209][ T5042] do_syscall_64+0x38/0xb0 [ 44.017218][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.023093][ T5042] RIP: 0033:0x7f8cfb721359 [ 44.027587][ T5042] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 44.047193][ T5042] RSP: 002b:00007fffc0205068 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 44.055616][ T5042] RAX: ffffffffffffffda RBX: 00007fffc02050b0 RCX: 00007f8cfb721359 [ 44.063574][ T5042] RDX: 0000000020000040 RSI: 0000000020000080 RDI: 00000000200000c0 [ 44.071699][ T5042] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000000f4240 [ 44.079694][ T5042] R10: 0000000000000005 R11: 0000000000000246 R12: 00000000000f4240 [ 44.087650][ T5042] R13: 00007fffc0205338 R14: 00007fffc020509c R15: 00007f8cfb76a06a [ 44.095621][ T5042] [ 44.098815][ T5042] Kernel Offset: disabled [ 44.103121][ T5042] Rebooting in 86400 seconds..