Warning: Permanently added '10.128.0.209' (ED25519) to the list of known hosts.
2025/07/16 23:16:16 ignoring optional flag "sandboxArg"="0"
2025/07/16 23:16:17 parsed 1 programs
[ 62.436861][ T2148] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/07/16 23:16:21 executed programs: 0
[ 70.100833][ T3069] loop3: detected capacity change from 0 to 32768
[ 70.144901][ T3069] =======================================================
[ 70.144901][ T3069] WARNING: The mand mount option has been deprecated and
[ 70.144901][ T3069] and is ignored by this kernel. Remove the mand
[ 70.144901][ T3069] option from the mount to silence this warning.
[ 70.144901][ T3069] =======================================================
[ 70.219257][ T3069] ocfs2: Slot 0 on device (7,3) was already allocated to this node!
[ 70.230757][ T3069] ocfs2: Mounting device (7,3) on (node local, slot 0) with ordered data mode.
[ 70.242049][ T3069] ==================================================================
[ 70.250195][ T3069] BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.258543][ T3069] Read of size 4 at addr ffff88806aac0000 by task syz.3.16/3069
[ 70.266266][ T3069]
[ 70.268611][ T3069] CPU: 1 PID: 3069 Comm: syz.3.16 Not tainted 5.15.188-syzkaller #0
[ 70.276610][ T3069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 70.287094][ T3069] Call Trace:
[ 70.290362][ T3069]
[ 70.293305][ T3069] dump_stack_lvl+0x41/0x5e
[ 70.297793][ T3069] print_address_description.constprop.0.cold+0x6c/0x309
[ 70.304893][ T3069] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.310861][ T3069] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.316861][ T3069] kasan_report.cold+0x83/0xdf
[ 70.321620][ T3069] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.327594][ T3069] ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.333383][ T3069] ? jbd2_journal_dirty_metadata+0x4aa/0x8f0
[ 70.339347][ T3069] ? ocfs2_search_chain+0x1960/0x1960
[ 70.344698][ T3069] ? lock_downgrade+0x4f0/0x4f0
[ 70.349531][ T3069] ? __jbd2_journal_temp_unlink_buffer+0x27c/0x450
[ 70.356109][ T3069] __ocfs2_claim_clusters+0x203/0x900
[ 70.361464][ T3069] ? ocfs2_sync_local_to_main+0x681/0x7c0
[ 70.367161][ T3069] ? ocfs2_which_cluster_group+0x220/0x220
[ 70.372981][ T3069] ? ocfs2_journal_dirty+0x9f/0x410
[ 70.378318][ T3069] ocfs2_local_alloc_slide_window+0x800/0x1710
[ 70.384463][ T3069] ? ocfs2_sync_local_to_main+0x7c0/0x7c0
[ 70.390171][ T3069] ? do_raw_spin_lock+0x120/0x2b0
[ 70.395172][ T3069] ? rwlock_bug.part.0+0x90/0x90
[ 70.400437][ T3069] ? memweight+0x92/0x110
[ 70.404763][ T3069] ocfs2_reserve_local_alloc_bits+0x292/0x9a0
[ 70.410927][ T3069] ? ocfs2_complete_local_alloc_recovery+0x400/0x400
[ 70.417585][ T3069] ? do_raw_spin_unlock+0x171/0x230
[ 70.422763][ T3069] ? _raw_spin_unlock+0x1a/0x30
[ 70.427593][ T3069] ocfs2_reserve_clusters_with_limit+0x3db/0x9a0
[ 70.433930][ T3069] ? ocfs2_reserve_cluster_bitmap_bits+0x170/0x170
[ 70.440558][ T3069] ? ocfs2_add_links_count+0xe0/0xe0
[ 70.445935][ T3069] ? find_held_lock+0x2d/0x110
[ 70.450784][ T3069] ? ocfs2_inode_lock_full_nested+0x356/0x19b0
[ 70.456933][ T3069] ocfs2_mknod+0x932/0x1b80
[ 70.461428][ T3069] ? ocfs2_symlink+0x3170/0x3170
[ 70.466343][ T3069] ? ocfs2_inode_unlock+0x154/0x220
[ 70.471517][ T3069] ? do_raw_spin_lock+0x120/0x2b0
[ 70.476523][ T3069] ? lock_downgrade+0x4f0/0x4f0
[ 70.481389][ T3069] ? do_raw_spin_lock+0x120/0x2b0
[ 70.486419][ T3069] ? lock_acquire+0x11a/0x250
[ 70.491078][ T3069] ? _raw_spin_unlock+0x1a/0x30
[ 70.495911][ T3069] ? put_pid.part.0+0x79/0x100
[ 70.500657][ T3069] ? ocfs2_permission+0xb7/0x140
[ 70.505576][ T3069] ocfs2_mkdir+0xb6/0x2e0
[ 70.509888][ T3069] ? ocfs2_mknod+0x1b80/0x1b80
[ 70.514636][ T3069] vfs_mkdir+0x1c4/0x3e0
[ 70.518867][ T3069] ? security_path_mkdir+0xc0/0x130
[ 70.524131][ T3069] do_mkdirat+0x210/0x280
[ 70.528442][ T3069] ? __ia32_sys_mknod+0xa0/0xa0
[ 70.533274][ T3069] ? getname_flags.part.0+0x89/0x440
[ 70.538549][ T3069] __x64_sys_mkdirat+0xef/0x140
[ 70.543381][ T3069] do_syscall_64+0x33/0x80
[ 70.547811][ T3069] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 70.553695][ T3069] RIP: 0033:0x7f754d820169
[ 70.558123][ T3069] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.577710][ T3069] RSP: 002b:00007f754d292038 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 70.586102][ T3069] RAX: ffffffffffffffda RBX: 00007f754da38fa0 RCX: 00007f754d820169
[ 70.594054][ T3069] RDX: 0000000000000000 RSI: 00002000000000c0 RDI: ffffffffffffff9c
[ 70.602007][ T3069] RBP: 00007f754d8a12a0 R08: 0000000000000000 R09: 0000000000000000
[ 70.609958][ T3069] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.617908][ T3069] R13: 0000000000000000 R14: 00007f754da38fa0 R15: 00007fffef5c1b68
[ 70.625858][ T3069]
[ 70.628859][ T3069]
[ 70.631168][ T3069] The buggy address belongs to the page:
[ 70.636788][ T3069] page:ffffea0001aab000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6aac0
[ 70.646925][ T3069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 70.654016][ T3069] raw: 00fff00000000000 ffffea00018f6a08 ffffea0001a9dfc8 0000000000000000
[ 70.662594][ T3069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 70.671160][ T3069] page dumped because: kasan: bad access detected
[ 70.677555][ T3069] page_owner tracks the page as freed
[ 70.682909][ T3069] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3070, ts 70219168932, free_ts 70234041774
[ 70.698427][ T3069] get_page_from_freelist+0x1369/0x31f0
[ 70.703962][ T3069] __alloc_pages+0x1b2/0x440
[ 70.708625][ T3069] alloc_pages_vma+0xe0/0x650
[ 70.713312][ T3069] __handle_mm_fault+0x1d97/0x33a0
[ 70.718402][ T3069] handle_mm_fault+0x1c5/0x5b0
[ 70.723147][ T3069] do_user_addr_fault+0x298/0xc80
[ 70.728150][ T3069] exc_page_fault+0x5a/0xb0
[ 70.732634][ T3069] asm_exc_page_fault+0x22/0x30
[ 70.737468][ T3069] copy_user_enhanced_fast_string+0xe/0x40
[ 70.743258][ T3069] copy_page_to_iter+0x3d8/0xb60
[ 70.748176][ T3069] filemap_read+0x4e1/0xab0
[ 70.752664][ T3069] blkdev_read_iter+0xfb/0x180
[ 70.757408][ T3069] new_sync_read+0x35a/0x5f0
[ 70.761983][ T3069] vfs_read+0x209/0x470
[ 70.766115][ T3069] ksys_read+0xf4/0x1d0
[ 70.770489][ T3069] do_syscall_64+0x33/0x80
[ 70.774885][ T3069] page last free stack trace:
[ 70.779548][ T3069] free_pcp_prepare+0x379/0x850
[ 70.784395][ T3069] free_unref_page_list+0x16f/0xbd0
[ 70.789572][ T3069] release_pages+0xb3a/0x1480
[ 70.794242][ T3069] tlb_finish_mmu+0x127/0x790
[ 70.798923][ T3069] unmap_region+0x298/0x390
[ 70.803459][ T3069] __do_munmap+0x47e/0x10d0
[ 70.807939][ T3069] __vm_munmap+0xd2/0x1a0
[ 70.812281][ T3069] __x64_sys_munmap+0x5d/0x80
[ 70.816946][ T3069] do_syscall_64+0x33/0x80
[ 70.821356][ T3069] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 70.827244][ T3069]
[ 70.829591][ T3069] Memory state around the buggy address:
[ 70.835208][ T3069] ffff88806aabff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.843250][ T3069] ffff88806aabff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.851296][ T3069] >ffff88806aac0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.859476][ T3069] ^
[ 70.863533][ T3069] ffff88806aac0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.871572][ T3069] ffff88806aac0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 70.879610][ T3069] ==================================================================
[ 70.887655][ T3069] Disabling lock debugging due to kernel taint
[ 70.894028][ T3069] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.901451][ T3069] Kernel Offset: disabled
[ 70.905771][ T3069] Rebooting in 86400 seconds..
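The report above ends at the panic with no triage attached. What a practitioner wants from a KASAN report before reading any source is a handful of fields: the bug class, the first frame that is not part of KASAN's own reporting path, the access kind and size, the task, the syscall that entered the kernel (decoded from ORIG_RAX, 0x102 = 258 = mkdirat on x86-64, matching __x64_sys_mkdirat in the trace), the page-owner allocate/free context (here an anonymous user page allocated under pid 3070 and freed by munmap), and what the shadow byte at the fault address means (0xff is a freed page in generic KASAN). The Python below is an added triage helper, not part of the syzkaller log or of any kernel tooling, that extracts exactly those fields. Its syscall and shadow-byte tables are small subsets typed in from the kernel's syscall_64.tbl and mm/kasan/kasan.h, and its sample input is constructed from a subset of the report's lines with the timestamp prefixes kept so the parser has to strip them itself.

```python
"""Triage helper for the KASAN report above (added example, not part of the
syzkaller log or of the kernel). It pulls out what a triager records first:
bug class, culprit frame, access kind/size/address, reporting task, the
syscall that entered the kernel (decoded from ORIG_RAX), page-owner
allocate/free context, and the meaning of the shadow byte at the fault address.
"""
import re

# Constructed sample: a subset of the report's lines, prefixes kept on purpose.
SAMPLE = """\
[ 70.250195][ T3069] BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.258543][ T3069] Read of size 4 at addr ffff88806aac0000 by task syz.3.16/3069
[ 70.287094][ T3069] Call Trace:
[ 70.293305][ T3069] dump_stack_lvl+0x41/0x5e
[ 70.297793][ T3069] print_address_description.constprop.0.cold+0x6c/0x309
[ 70.304893][ T3069] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.316861][ T3069] kasan_report.cold+0x83/0xdf
[ 70.327594][ T3069] ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 70.333383][ T3069] ? jbd2_journal_dirty_metadata+0x4aa/0x8f0
[ 70.356109][ T3069] __ocfs2_claim_clusters+0x203/0x900
[ 70.378318][ T3069] ocfs2_local_alloc_slide_window+0x800/0x1710
[ 70.456933][ T3069] ocfs2_mknod+0x932/0x1b80
[ 70.505576][ T3069] ocfs2_mkdir+0xb6/0x2e0
[ 70.538549][ T3069] __x64_sys_mkdirat+0xef/0x140
[ 70.547811][ T3069] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 70.553695][ T3069] RIP: 0033:0x7f754d820169
[ 70.577710][ T3069] RSP: 002b:00007f754d292038 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 70.677555][ T3069] page_owner tracks the page as freed
[ 70.682909][ T3069] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3070, ts 70219168932, free_ts 70234041774
[ 70.708625][ T3069] alloc_pages_vma+0xe0/0x650
[ 70.774885][ T3069] page last free stack trace:
[ 70.812281][ T3069] __x64_sys_munmap+0x5d/0x80
[ 70.829591][ T3069] Memory state around the buggy address:
[ 70.851296][ T3069] >ffff88806aac0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")          # "[ 70.25][ T3069] "
FRAME = re.compile(r"(\?)?\s*(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? func+0xoff/0xlen"
# Frames pushed by KASAN's own reporting path; the culprit is the first frame after them.
KASAN_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__asan_")
# x86-64 syscall numbers (arch/x86/entry/syscalls/syscall_64.tbl), subset.
SYSCALL_X86_64 = {0: "read", 11: "munmap", 133: "mknod", 258: "mkdirat", 259: "mknodat"}
# Generic KASAN shadow-byte values (mm/kasan/kasan.h), subset.
SHADOW = {0x00: "accessible", 0xfb: "freed slab object", 0xfc: "slab redzone", 0xff: "freed page"}


def triage(report):
    out = {"stacks": {}}
    section = None
    for raw in report.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            out["bug"], out["frame"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            out["access"], out["size"] = m[1].lower(), int(m[2])
            out["addr"], out["task"], out["pid"] = int(m[3], 16), m[4], int(m[5])
        elif m := re.search(r"ORIG_RAX: ([0-9a-f]{16})", line):
            nr = int(m[1], 16)
            out["syscall"] = SYSCALL_X86_64.get(nr, f"nr {nr}")
        elif line == "Call Trace:":
            section = "call"
        elif m := re.match(r"page last allocated .*gfp_mask 0x[0-9a-f]+\(([^)]+)\), pid (\d+)", line):
            section = "alloc"
            out["alloc_gfp"], out["alloc_pid"] = m[1], int(m[2])
        elif line == "page last free stack trace:":
            section = "free"
        elif line.startswith("Memory state"):
            section = None
        elif m := re.match(r">([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", line):
            # One shadow byte describes 8 bytes of memory; pick the one covering addr.
            base = int(m[1], 16)
            shadow = [int(b, 16) for b in m[2].split()]
            sb = shadow[(out.get("addr", base) - base) // 8]
            out["shadow"] = SHADOW.get(sb, f"0x{sb:02x}")
        elif section and (m := FRAME.match(line)) and not m[1]:
            # "? frame" entries are stale stack slots, not real callers; keep only real frames.
            out["stacks"].setdefault(section, []).append(m[2])
    calls = out["stacks"].get("call", [])
    out["culprit"] = next((f for f in calls if not f.startswith(KASAN_FRAMES)), None)
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on the sample yields bug use-after-free, culprit ocfs2_claim_suballoc_bits, a 4-byte read by syz.3.16/3069 entered via mkdirat, a page allocated by pid 3070 with GFP_HIGHUSER_MOVABLE|__GFP_ZERO and freed via munmap, and shadow "freed page". Those fields are enough to file or deduplicate the report; the question the log cannot answer, which ocfs2 buffer still pointed at a user page after it was unmapped, needs the source and a reproducer.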