Warning: Permanently added '10.128.1.248' (ED25519) to the list of known hosts.
2024/10/20 08:34:49 ignoring optional flag "sandboxArg"="0"
2024/10/20 08:34:49 parsed 1 programs
[ 59.201150][ T2429] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 60.062448][ T2436] chnl_net:caif_netlink_parms(): no params data found
[ 61.160044][ T2436] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.888331][ T2436] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.326859][ T892] bond0 (unregistering): Released all slaves
[ 63.718709][ T1365] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 63.726900][ T1365] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 63.734803][ T1365] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 63.743023][ T1365] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 63.750435][ T1365] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 63.757798][ T1365] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
2024/10/20 08:34:54 executed programs: 0
[ 63.960812][ T1996] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 63.968135][ T1996] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 63.975927][ T1996] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 63.983534][ T1996] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 63.991232][ T1996] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 63.998666][ T1996] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 64.138167][ T2910] chnl_net:caif_netlink_parms(): no params data found
[ 65.234840][ T2910] 8021q: adding VLAN 0 to HW filter on device bond0
[ 65.965953][ T2910] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 66.064144][ T1365] Bluetooth: hci0: command 0x0409 tx timeout
[ 67.406011][ T3311] loop0: detected capacity change from 0 to 32768
[ 67.433961][ T3311] bcachefs (loop0): mounting version 1.7: (unknown version) opts=metadata_checksum=none,data_checksum=xxhash,str_hash=crc32c,nojournal_transaction_names,reconstruct_alloc,version_upgrade=none
[ 67.453005][ T3311] bcachefs (loop0): recovering from clean shutdown, journal seq 8
[ 67.461103][ T3311] bcachefs (loop0): Version downgrade required:
[ 67.461103][ T3311]
[ 67.470270][ T3311] ==================================================================
[ 67.478864][ T3311] BUG: KASAN: slab-use-after-free in bch2_fs_recovery+0xab5/0x4d80
[ 67.486756][ T3311] Read of size 8 at addr ffff888172f38f50 by task syz.0.15/3311
[ 67.494367][ T3311]
[ 67.496704][ T3311] CPU: 1 PID: 3311 Comm: syz.0.15 Not tainted 6.7.0-rc7-syzkaller #0
[ 67.504846][ T3311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 67.515164][ T3311] Call Trace:
[ 67.518759][ T3311]
[ 67.521864][ T3311] dump_stack_lvl+0xf8/0x260
[ 67.526557][ T3311] ? __pfx_dump_stack_lvl+0x10/0x10
[ 67.531821][ T3311] ? __pfx__printk+0x10/0x10
[ 67.536485][ T3311] ? _printk+0xce/0x120
[ 67.540623][ T3311] print_report+0x167/0x540
[ 67.545146][ T3311] ? bch2_fs_recovery+0xab5/0x4d80
[ 67.550251][ T3311] kasan_report+0x142/0x180
[ 67.554832][ T3311] ? bch2_fs_recovery+0xab5/0x4d80
[ 67.559937][ T3311] bch2_fs_recovery+0xab5/0x4d80
[ 67.564960][ T3311] ? __lock_acquire+0x5cc/0xc10
[ 67.569833][ T3311] ? __pfx_bch2_fs_recovery+0x10/0x10
[ 67.575303][ T3311] ? bch2_get_next_online_dev+0x2e/0x390
[ 67.580911][ T3311] ? bch2_recalc_capacity+0x4bc/0x8d0
[ 67.586766][ T3311] ? bch2_get_next_online_dev+0x2e/0x390
[ 67.592580][ T3311] ? bch2_get_next_online_dev+0x32a/0x390
[ 67.598401][ T3311] ? __closure_wake_up+0x22/0xa0
[ 67.603495][ T3311] ? bch2_recalc_capacity+0x7e5/0x8d0
[ 67.608869][ T3311] ? __pfx_lock_release+0x10/0x10
[ 67.613976][ T3311] ? bch2_recalc_capacity+0x4bc/0x8d0
[ 67.619378][ T3311] ? __pfx_bch2_recalc_capacity+0x10/0x10
[ 67.625340][ T3311] ? bch2_get_next_online_dev+0x32a/0x390
[ 67.631039][ T3311] bch2_fs_start+0x5f1/0x7c0
[ 67.635728][ T3311] ? __pfx_bch2_fs_start+0x10/0x10
[ 67.640835][ T3311] ? bch2_dev_attach_bdev+0x30c/0x450
[ 67.646212][ T3311] ? bch2_dev_attach_bdev+0x36b/0x450
[ 67.651589][ T3311] bch2_fs_open+0x1f18/0x2b10
[ 67.656263][ T3311] ? __pfx_bch2_fs_open+0x10/0x10
[ 67.661285][ T3311] ? _raw_spin_unlock_irqrestore+0xcf/0x130
[ 67.667268][ T3311] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 67.673570][ T3311] ? __stack_depot_save+0x358/0x440
[ 67.678760][ T3311] ? __pfx_bch2_test_super+0x10/0x10
[ 67.684020][ T3311] ? sget+0x1d4/0x3d0
[ 67.687978][ T3311] ? __pfx_bch2_noset_super+0x10/0x10
[ 67.693341][ T3311] bch2_mount+0x561/0x1080
[ 67.697736][ T3311] ? __pfx_bch2_mount+0x10/0x10
[ 67.702739][ T3311] ? __pfx_aa_get_newest_label+0x10/0x10
[ 67.708521][ T3311] ? kfree+0x2c/0x180
[ 67.712500][ T3311] ? vfs_parse_fs_string+0x17f/0x220
[ 67.717859][ T3311] legacy_get_tree+0xe9/0x180
[ 67.722603][ T3311] ? __pfx_bch2_mount+0x10/0x10
[ 67.727536][ T3311] vfs_get_tree+0x82/0x190
[ 67.732151][ T3311] do_new_mount+0x1e5/0x930
[ 67.737154][ T3311] ? __pfx_do_new_mount+0x10/0x10
[ 67.742217][ T3311] __se_sys_mount+0x242/0x2e0
[ 67.746968][ T3311] ? __pfx___se_sys_mount+0x10/0x10
[ 67.752199][ T3311] do_syscall_64+0x4d/0x120
[ 67.756723][ T3311] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 67.762728][ T3311] RIP: 0033:0x7f0109d7f79a
[ 67.767163][ T3311] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 67.786766][ T3311] RSP: 002b:00007f010ac4ce68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 67.795349][ T3311] RAX: ffffffffffffffda RBX: 00007f010ac4cef0 RCX: 00007f0109d7f79a
[ 67.803316][ T3311] RDX: 0000000020005b00 RSI: 0000000020005b40 RDI: 00007f010ac4ceb0
[ 67.811283][ T3311] RBP: 0000000020005b00 R08: 00007f010ac4cef0 R09: 0000000000000000
[ 67.819326][ T3311] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020005b40
[ 67.827275][ T3311] R13: 00007f010ac4ceb0 R14: 0000000000005b2d R15: 00000000200003c0
[ 67.835232][ T3311]
[ 67.838225][ T3311]
[ 67.840529][ T3311] Allocated by task 3311:
[ 67.844834][ T3311] kasan_set_track+0x4f/0x80
[ 67.849397][ T3311] __kasan_kmalloc+0x98/0xb0
[ 67.853960][ T3311] __kmalloc_node_track_caller+0xab/0x1d0
[ 67.859661][ T3311] krealloc+0x7d/0x120
[ 67.863897][ T3311] bch2_sb_realloc+0x1bd/0x370
[ 67.868718][ T3311] __copy_super+0x4fc/0xd20
[ 67.873210][ T3311] bch2_sb_to_fs+0x66/0xc0
[ 67.877617][ T3311] bch2_fs_open+0x12bd/0x2b10
[ 67.882282][ T3311] bch2_mount+0x561/0x1080
[ 67.886684][ T3311] legacy_get_tree+0xe9/0x180
[ 67.891344][ T3311] vfs_get_tree+0x82/0x190
[ 67.895729][ T3311] do_new_mount+0x1e5/0x930
[ 67.900318][ T3311] __se_sys_mount+0x242/0x2e0
[ 67.904982][ T3311] do_syscall_64+0x4d/0x120
[ 67.909454][ T3311] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 67.915316][ T3311]
[ 67.917611][ T3311] Freed by task 3311:
[ 67.921572][ T3311] kasan_set_track+0x4f/0x80
[ 67.926146][ T3311] kasan_save_free_info+0x28/0x40
[ 67.931150][ T3311] ____kasan_slab_free+0x122/0x1f0
[ 67.936233][ T3311] __kmem_cache_free+0x2bc/0x470
[ 67.941140][ T3311] krealloc+0xcf/0x120
[ 67.945186][ T3311] bch2_sb_realloc+0x1bd/0x370
[ 67.950032][ T3311] bch2_sb_field_resize_id+0x17e/0xbc0
[ 67.955499][ T3311] bch2_sb_counters_from_cpu+0x89/0x240
[ 67.961050][ T3311] bch2_write_super+0x824/0x2bf0
[ 67.965964][ T3311] bch2_fs_recovery+0xaa1/0x4d80
[ 67.970898][ T3311] bch2_fs_start+0x5f1/0x7c0
[ 67.975565][ T3311] bch2_fs_open+0x1f18/0x2b10
[ 67.980312][ T3311] bch2_mount+0x561/0x1080
[ 67.984721][ T3311] legacy_get_tree+0xe9/0x180
[ 67.989386][ T3311] vfs_get_tree+0x82/0x190
[ 67.993783][ T3311] do_new_mount+0x1e5/0x930
[ 67.998350][ T3311] __se_sys_mount+0x242/0x2e0
[ 68.003143][ T3311] do_syscall_64+0x4d/0x120
[ 68.007639][ T3311] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 68.013525][ T3311]
[ 68.015835][ T3311] The buggy address belongs to the object at ffff888172f38000
[ 68.015835][ T3311]  which belongs to the cache kmalloc-4k of size 4096
[ 68.029885][ T3311] The buggy address is located 3920 bytes inside of
[ 68.029885][ T3311]  freed 4096-byte region [ffff888172f38000, ffff888172f39000)
[ 68.043925][ T3311]
[ 68.046334][ T3311] The buggy address belongs to the physical page:
[ 68.052736][ T3311] page:ffffea0005cbce00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x172f38
[ 68.063313][ T3311] head:ffffea0005cbce00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 68.072317][ T3311] anon flags: 0x100000000000840(slab|head|node=0|zone=2)
[ 68.079348][ T3311] page_type: 0xffffffff()
[ 68.083671][ T3311] raw: 0100000000000840 ffff888100042140 0000000000000000 dead000000000001
[ 68.092574][ T3311] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 68.101139][ T3311] page dumped because: kasan: bad access detected
[ 68.107618][ T3311] page_owner tracks the page as allocated
[ 68.113397][ T3311] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 2455, tgid 2455 (kworker/u4:3), ts 60092508914, free_ts 60077080637
[ 68.135771][ T3311] post_alloc_hook+0x10f/0x130
[ 68.140518][ T3311] get_page_from_freelist+0x3e5f/0x4080
[ 68.146152][ T3311] __alloc_pages+0x255/0x650
[ 68.151156][ T3311] alloc_pages_mpol+0x27f/0x4d0
[ 68.156014][ T3311] alloc_slab_page+0x6a/0x170
[ 68.160706][ T3311] new_slab+0x70/0x270
[ 68.164753][ T3311] ___slab_alloc+0x94b/0xee0
[ 68.169755][ T3311] __kmem_cache_alloc_node+0x1fb/0x2c0
[ 68.175275][ T3311] kmalloc_trace+0x2a/0xc0
[ 68.179666][ T3311] tomoyo_find_next_domain+0xd20/0x1700
[ 68.185295][ T3311] tomoyo_bprm_check_security+0xfa/0x130
[ 68.190913][ T3311] security_bprm_check+0x2a/0x80
[ 68.195831][ T3311] bprm_execve+0x87f/0x13b0
[ 68.200305][ T3311] kernel_execve+0x543/0x620
[ 68.204884][ T3311] call_usermodehelper_exec_async+0x203/0x310
[ 68.211006][ T3311] ret_from_fork+0x32/0x60
[ 68.215404][ T3311] page last free stack trace:
[ 68.220177][ T3311] free_unref_page_prepare+0x7f8/0x910
[ 68.225650][ T3311] free_unref_page+0x37/0x3a0
[ 68.230507][ T3311] __unfreeze_partials+0x1b1/0x200
[ 68.235608][ T3311] put_cpu_partial+0x150/0x1b0
[ 68.240363][ T3311] __slab_free+0x26f/0x330
[ 68.244775][ T3311] qlist_free_all+0x75/0xe0
[ 68.249285][ T3311] kasan_quarantine_reduce+0x14f/0x170
[ 68.254907][ T3311] __kasan_slab_alloc+0x23/0x80
[ 68.259741][ T3311] slab_post_alloc_hook+0x67/0x3c0
[ 68.265041][ T3311] __kmem_cache_alloc_node+0x1b2/0x2c0
[ 68.270559][ T3311] __kmalloc+0x99/0x1d0
[ 68.274701][ T3311] load_elf_binary+0x22b/0x2150
[ 68.279567][ T3311] bprm_execve+0x93b/0x13b0
[ 68.284174][ T3311] kernel_execve+0x543/0x620
[ 68.288845][ T3311] call_usermodehelper_exec_async+0x203/0x310
[ 68.294910][ T3311] ret_from_fork+0x32/0x60
[ 68.299316][ T3311]
[ 68.301617][ T3311] Memory state around the buggy address:
[ 68.307226][ T3311]  ffff888172f38e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.315443][ T3311]  ffff888172f38e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.323480][ T3311] >ffff888172f38f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.331607][ T3311]                                                  ^
[ 68.338350][ T3311]  ffff888172f38f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.346406][ T3311]  ffff888172f39000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.354708][ T3311] ==================================================================
[ 68.362898][ T3311] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 68.370419][ T3311] Kernel Offset: disabled
[ 68.374845][ T3311] Rebooting in 86400 seconds..