Warning: Permanently added '10.128.1.182' (ED25519) to the list of known hosts.
2025/07/29 19:54:07 ignoring optional flag "sandboxArg"="0"
2025/07/29 19:54:08 parsed 1 programs
[ 71.160376][ T2157] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/07/29 19:54:16 executed programs: 0
2025/07/29 19:54:22 executed programs: 2
[ 85.220806][ T3080] loop3: detected capacity change from 0 to 128
[ 85.228309][ T3080] VFS: Found a Xenix FS (block size = 1024) on device loop3
[ 85.237638][ T3080] syz.3.16: attempt to access beyond end of device
[ 85.237638][ T3080] loop3: rw=0, sector=6491536, nr_sectors = 2 limit=128
[ 85.252140][ T3080] Buffer I/O error on dev loop3, logical block 3245768, async page read
[ 85.260829][ T3080] ==================================================================
[ 85.268890][ T3080] BUG: KASAN: use-after-free in sysv_new_inode+0xf09/0x10a0
[ 85.276173][ T3080] Read of size 2 at addr ffff88806affe1ce by task syz.3.16/3080
[ 85.283787][ T3080]
[ 85.286100][ T3080] CPU: 0 PID: 3080 Comm: syz.3.16 Not tainted 6.1.147-syzkaller #0
[ 85.293963][ T3080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 85.304007][ T3080] Call Trace:
[ 85.307266][ T3080]
[ 85.310264][ T3080] dump_stack_lvl+0xdc/0x15b
[ 85.314921][ T3080] ? show_regs_print_info+0x5/0x5
[ 85.319912][ T3080] ? load_image+0x550/0x550
[ 85.324385][ T3080] ? _raw_spin_lock_irqsave+0xa2/0xe0
[ 85.329726][ T3080] ? __virt_addr_valid+0x139/0x270
[ 85.334910][ T3080] ? __virt_addr_valid+0x21a/0x270
[ 85.340002][ T3080] ? sysv_new_inode+0xf09/0x10a0
[ 85.344928][ T3080] print_report+0xa8/0x200
[ 85.349319][ T3080] kasan_report+0x10b/0x140
[ 85.353807][ T3080] ? sysv_new_inode+0xf09/0x10a0
[ 85.358717][ T3080] sysv_new_inode+0xf09/0x10a0
[ 85.363469][ T3080] ? __d_add+0x40c/0x760
[ 85.367712][ T3080] ? aa_get_newest_label+0x98/0x250
[ 85.373179][ T3080] ? sysv_free_inode+0x770/0x770
[ 85.378090][ T3080] ? generic_permission+0x1b5/0x3d0
[ 85.383263][ T3080] sysv_symlink+0x83/0x110
[ 85.387651][ T3080] vfs_symlink+0x202/0x3a0
[ 85.392039][ T3080] do_symlinkat+0x185/0x390
[ 85.396512][ T3080] ? vfs_symlink+0x3a0/0x3a0
[ 85.401071][ T3080] ? getname_flags+0x111/0x430
[ 85.405800][ T3080] __x64_sys_symlink+0x75/0x80
[ 85.410536][ T3080] do_syscall_64+0x4c/0xa0
[ 85.414920][ T3080] ? clear_bhb_loop+0x60/0xb0
[ 85.419567][ T3080] ? clear_bhb_loop+0x60/0xb0
[ 85.424227][ T3080] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 85.430200][ T3080] RIP: 0033:0x7fabebf8cda9
[ 85.434583][ T3080] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.454182][ T3080] RSP: 002b:00007fabecec7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
[ 85.462578][ T3080] RAX: ffffffffffffffda RBX: 00007fabec1a5fa0 RCX: 00007fabebf8cda9
[ 85.470526][ T3080] RDX: 0000000000000000 RSI: 000000002000acc0 RDI: 000000002000ad80
[ 85.478468][ T3080] RBP: 00007fabec00e2a0 R08: 0000000000000000 R09: 0000000000000000
[ 85.486419][ T3080] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.494450][ T3080] R13: 0000000000000000 R14: 00007fabec1a5fa0 R15: 00007fff08e1a018
[ 85.502399][ T3080]
[ 85.505391][ T3080]
[ 85.507687][ T3080] The buggy address belongs to the physical page:
[ 85.514073][ T3080] page:ffffea0001abff80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6affe
[ 85.524191][ T3080] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 85.531290][ T3080] raw: 00fff00000000000 ffffea00019018c8 ffffea0001900348 0000000000000000
[ 85.539846][ T3080] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 85.548409][ T3080] page dumped because: kasan: bad access detected
[ 85.554804][ T3080] page_owner tracks the page as freed
[ 85.560328][ T3080] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 2795, tgid 2795 (modprobe), ts 80998239561, free_ts 81007766551
[ 85.577654][ T3080] post_alloc_hook+0x257/0x280
[ 85.582391][ T3080] get_page_from_freelist+0x2ce1/0x2e20
[ 85.587915][ T3080] __alloc_pages+0x1df/0x420
[ 85.592491][ T3080] __folio_alloc+0xe/0x30
[ 85.596801][ T3080] vma_alloc_folio+0x482/0x9d0
[ 85.601534][ T3080] handle_mm_fault+0x18da/0x3470
[ 85.606444][ T3080] do_user_addr_fault+0x2ff/0x6e0
[ 85.611435][ T3080] exc_page_fault+0x4e/0xb0
[ 85.615915][ T3080] asm_exc_page_fault+0x22/0x30
[ 85.620738][ T3080] page last free stack trace:
[ 85.625379][ T3080] free_unref_page_prepare+0x821/0x8f0
[ 85.630808][ T3080] free_unref_page_list+0xb8/0x810
[ 85.635995][ T3080] release_pages+0x1447/0x15d0
[ 85.640733][ T3080] tlb_flush_mmu+0xe8/0x1d0
[ 85.645202][ T3080] tlb_finish_mmu+0xa4/0x180
[ 85.649759][ T3080] exit_mmap+0x2bf/0x650
[ 85.653970][ T3080] __mmput+0x9d/0x2d0
[ 85.657927][ T3080] exit_mm+0x12a/0x1b0
[ 85.661978][ T3080] do_exit+0x66b/0x1f50
[ 85.666192][ T3080] do_group_exit+0x1ac/0x270
[ 85.670751][ T3080] __x64_sys_exit_group+0x3b/0x40
[ 85.675782][ T3080] do_syscall_64+0x4c/0xa0
[ 85.680183][ T3080] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 85.686056][ T3080]
[ 85.688447][ T3080] Memory state around the buggy address:
[ 85.694078][ T3080] ffff88806affe080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.702206][ T3080] ffff88806affe100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.710239][ T3080] >ffff88806affe180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.718271][ T3080] ^
[ 85.724651][ T3080] ffff88806affe200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.732686][ T3080] ffff88806affe280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.740801][ T3080] ==================================================================
[ 85.749218][ T3080] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 85.756635][ T3080] Kernel Offset: disabled
[ 85.760944][ T3080] Rebooting in 86400 seconds..