syzkaller login: [ 21.846551][ T1171] sshd-session (1171) used greatest stack depth: 24376 bytes left
[ 30.344144][ T1196] cgroup: Unknown subsys name 'net'
[ 30.349608][ T1196] cgroup: Unknown subsys name 'net_prio'
[ 30.356048][ T1196] cgroup: Unknown subsys name 'devices'
[ 30.361766][ T1196] cgroup: Unknown subsys name 'blkio'
[ 30.476199][ T1196] cgroup: Unknown subsys name 'hugetlb'
[ 30.482051][ T1196] cgroup: Unknown subsys name 'rlimit'
[ 30.741004][ T1196] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 34.392600][ T1225] syz-executor (1225) used greatest stack depth: 23560 bytes left
Warning: Permanently added '10.128.1.236' (ED25519) to the list of known hosts.
2026/01/01 23:44:29 parsed 1 programs
[ 57.597821][ T2148] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2026/01/01 23:44:34 executed programs: 0
[ 64.956329][ T3065] loop3: detected capacity change from 0 to 32768
[ 65.004298][ T3065] =======================================================
[ 65.004298][ T3065] WARNING: The mand mount option has been deprecated and
[ 65.004298][ T3065] and is ignored by this kernel. Remove the mand
[ 65.004298][ T3065] option from the mount to silence this warning.
[ 65.004298][ T3065] =======================================================
[ 65.088493][ T3065] ocfs2: Slot 0 on device (7,3) was already allocated to this node!
[ 65.099357][ T3065] ocfs2: Mounting device (7,3) on (node local, slot 0) with ordered data mode.
[ 65.110879][ T3065] ==================================================================
[ 65.119551][ T3065] BUG: KASAN: use-after-free in ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 65.128984][ T3065] Read of size 4 at addr ffff888063e84000 by task syz.3.16/3065
[ 65.137214][ T3065]
[ 65.140744][ T3065] CPU: 0 PID: 3065 Comm: syz.3.16 Not tainted syzkaller #0
[ 65.148117][ T3065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 65.158635][ T3065] Call Trace:
[ 65.161994][ T3065]
[ 65.164908][ T3065] dump_stack_lvl+0x41/0x5e
[ 65.169398][ T3065] print_address_description.constprop.0.cold+0x6c/0x309
[ 65.176437][ T3065] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 65.182394][ T3065] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 65.188372][ T3065] kasan_report.cold+0x83/0xdf
[ 65.193196][ T3065] ? ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 65.199144][ T3065] ocfs2_claim_suballoc_bits+0x1386/0x1860
[ 65.205266][ T3065] ? jbd2_journal_dirty_metadata+0x4aa/0x8f0
[ 65.211369][ T3065] ? ocfs2_search_chain+0x1960/0x1960
[ 65.216893][ T3065] ? lock_downgrade+0x4f0/0x4f0
[ 65.221955][ T3065] ? __jbd2_journal_temp_unlink_buffer+0x27c/0x450
[ 65.228453][ T3065] __ocfs2_claim_clusters+0x203/0x900
[ 65.234278][ T3065] ? ocfs2_sync_local_to_main+0x681/0x7c0
[ 65.240151][ T3065] ? ocfs2_which_cluster_group+0x220/0x220
[ 65.246053][ T3065] ? ocfs2_journal_dirty+0x9f/0x410
[ 65.251242][ T3065] ocfs2_local_alloc_slide_window+0x800/0x1710
[ 65.258137][ T3065] ? ocfs2_sync_local_to_main+0x7c0/0x7c0
[ 65.264111][ T3065] ? do_raw_spin_lock+0x120/0x2b0
[ 65.269128][ T3065] ? rwlock_bug.part.0+0x90/0x90
[ 65.274045][ T3065] ? memweight+0x92/0x110
[ 65.278368][ T3065] ocfs2_reserve_local_alloc_bits+0x292/0x9a0
[ 65.284708][ T3065] ? ocfs2_complete_local_alloc_recovery+0x400/0x400
[ 65.291772][ T3065] ? do_raw_spin_unlock+0x171/0x230
[ 65.297342][ T3065] ? _raw_spin_unlock+0x1a/0x30
[ 65.302389][ T3065] ocfs2_reserve_clusters_with_limit+0x3db/0x9a0
[ 65.308777][ T3065] ? ocfs2_reserve_cluster_bitmap_bits+0x170/0x170
[ 65.316063][ T3065] ? ocfs2_add_links_count+0xe0/0xe0
[ 65.321518][ T3065] ? find_held_lock+0x2d/0x110
[ 65.326399][ T3065] ? ocfs2_inode_lock_full_nested+0x356/0x19b0
[ 65.332835][ T3065] ocfs2_mknod+0x932/0x1b80
[ 65.337828][ T3065] ? ocfs2_symlink+0x3170/0x3170
[ 65.343099][ T3065] ? ocfs2_inode_unlock+0x154/0x220
[ 65.348817][ T3065] ? do_raw_spin_lock+0x120/0x2b0
[ 65.354518][ T3065] ? lock_downgrade+0x4f0/0x4f0
[ 65.360373][ T3065] ? do_raw_spin_lock+0x120/0x2b0
[ 65.366227][ T3065] ? lock_acquire+0x11a/0x250
[ 65.371505][ T3065] ? _raw_spin_unlock+0x1a/0x30
[ 65.377080][ T3065] ? put_pid.part.0+0x79/0x100
[ 65.382380][ T3065] ? ocfs2_permission+0xb7/0x140
[ 65.387957][ T3065] ocfs2_mkdir+0xb6/0x2e0
[ 65.392273][ T3065] ? ocfs2_mknod+0x1b80/0x1b80
[ 65.397357][ T3065] vfs_mkdir+0x1c4/0x3e0
[ 65.402165][ T3065] ? security_path_mkdir+0xc0/0x130
[ 65.407530][ T3065] do_mkdirat+0x210/0x280
[ 65.412422][ T3065] ? __ia32_sys_mknod+0xa0/0xa0
[ 65.418169][ T3065] ? getname_flags.part.0+0x89/0x440
[ 65.424411][ T3065] __x64_sys_mkdirat+0xef/0x140
[ 65.429839][ T3065] do_syscall_64+0x33/0x80
[ 65.434347][ T3065] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 65.441452][ T3065] RIP: 0033:0x7ff4a3014169
[ 65.446118][ T3065] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 65.467843][ T3065] RSP: 002b:00007ff4a2a86038 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 65.476320][ T3065] RAX: ffffffffffffffda RBX: 00007ff4a322cfa0 RCX: 00007ff4a3014169
[ 65.484460][ T3065] RDX: 0000000000000000 RSI: 00002000000000c0 RDI: ffffffffffffff9c
[ 65.492589][ T3065] RBP: 00007ff4a30952a0 R08: 0000000000000000 R09: 0000000000000000
[ 65.500757][ T3065] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 65.509007][ T3065] R13: 0000000000000000 R14: 00007ff4a322cfa0 R15: 00007fffd157a7b8
[ 65.518006][ T3065]
[ 65.521373][ T3065]
[ 65.524152][ T3065] The buggy address belongs to the page:
[ 65.530987][ T3065] page:ffffea00018fa100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x63e84
[ 65.542047][ T3065] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 65.549936][ T3065] raw: 00fff00000000000 ffffea00018fa148 ffffea00018f9a88 0000000000000000
[ 65.560741][ T3065] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 65.570967][ T3065] page dumped because: kasan: bad access detected
[ 65.578137][ T3065] page_owner tracks the page as freed
[ 65.583495][ T3065] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3066, ts 65121960143, free_ts 65130122619
[ 65.600180][ T3065] get_page_from_freelist+0x1369/0x31f0
[ 65.606719][ T3065] __alloc_pages+0x1b2/0x440
[ 65.612782][ T3065] alloc_pages_vma+0xe0/0x650
[ 65.620140][ T3065] __handle_mm_fault+0x1d97/0x33a0
[ 65.628754][ T3065] handle_mm_fault+0x1c5/0x5b0
[ 65.634227][ T3065] do_user_addr_fault+0x298/0xc80
[ 65.641023][ T3065] exc_page_fault+0x5a/0xb0
[ 65.646393][ T3065] asm_exc_page_fault+0x22/0x30
[ 65.653030][ T3065] copy_user_enhanced_fast_string+0xe/0x40
[ 65.660279][ T3065] copy_page_to_iter+0x3d8/0xb60
[ 65.666573][ T3065] filemap_read+0x4e1/0xab0
[ 65.674005][ T3065] blkdev_read_iter+0xfb/0x180
[ 65.679521][ T3065] new_sync_read+0x35a/0x5f0
[ 65.684171][ T3065] vfs_read+0x209/0x470
[ 65.688472][ T3065] ksys_read+0xf4/0x1d0
[ 65.692857][ T3065] do_syscall_64+0x33/0x80
[ 65.697355][ T3065] page last free stack trace:
[ 65.702700][ T3065] free_pcp_prepare+0x379/0x850
[ 65.707903][ T3065] free_unref_page_list+0x16f/0xbd0
[ 65.713162][ T3065] release_pages+0xb3a/0x1480
[ 65.717810][ T3065] tlb_finish_mmu+0x127/0x790
[ 65.722454][ T3065] unmap_region+0x298/0x390
[ 65.727023][ T3065] __do_munmap+0x47e/0x10d0
[ 65.731718][ T3065] __vm_munmap+0xd2/0x1a0
[ 65.736133][ T3065] __x64_sys_munmap+0x5d/0x80
[ 65.741023][ T3065] do_syscall_64+0x33/0x80
[ 65.745990][ T3065] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 65.752375][ T3065]
[ 65.755805][ T3065] Memory state around the buggy address:
[ 65.763193][ T3065] ffff888063e83f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 65.774011][ T3065] ffff888063e83f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 65.783976][ T3065] >ffff888063e84000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 65.793872][ T3065]                    ^
[ 65.799192][ T3065] ffff888063e84080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 65.807928][ T3065] ffff888063e84100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 65.817104][ T3065] ==================================================================
[ 65.826213][ T3065] Disabling lock debugging due to kernel taint
[ 65.834136][ T3065] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 65.842189][ T3065] Kernel Offset: disabled
[ 65.846895][ T3065] Rebooting in 86400 seconds..