./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1039977924
<...>
Warning: Permanently added '10.128.0.199' (ED25519) to the list of known hosts.
execve("./syz-executor1039977924", ["./syz-executor1039977924"], 0x7ffe09320880 /* 10 vars */) = 0
brk(NULL) = 0x5555572a0000
brk(0x5555572a0d00) = 0x5555572a0d00
arch_prctl(ARCH_SET_FS, 0x5555572a0380) = 0
set_tid_address(0x5555572a0650) = 5026
set_robust_list(0x5555572a0660, 24) = 0
rseq(0x5555572a0ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1039977924", 4096) = 28
getrandom("\x4a\x13\x0e\x6c\x7b\x5b\x17\x95", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x5555572a0d00
brk(0x5555572c1d00) = 0x5555572c1d00
brk(0x5555572c2000) = 0x5555572c2000
mprotect(0x7fc21a649000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
mkdir("./syzkaller.1jl1o2", 0700) = 0
chmod("./syzkaller.1jl1o2", 0777) = 0
chdir("./syzkaller.1jl1o2") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555572a0650) = 5027
./strace-static-x86_64: Process 5027 attached
[pid 5027] set_robust_list(0x5555572a0660, 24) = 0
[pid 5027] chdir("./0") = 0
[pid 5027] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5027] setpgid(0, 0) = 0
[pid 5027] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5027] write(3, "1000", 4) = 4
[pid 5027] close(3) = 0
[pid 5027] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5027] memfd_create("syzkaller", 0) = 3
[pid 5027] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc212184000
syzkaller login: [ 54.522191][ T5027] syz-executor103[5027]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[pid 5027] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5027] munmap(0x7fc212184000, 138412032) = 0
[pid 5027] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5027] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5027] close(3) = 0
[pid 5027] mkdir("./file0", 0777) = 0
[ 54.764177][ T5027] loop0: detected capacity change from 0 to 32768
[ 54.779480][ T5027] gfs2: fsid=��%b�i�~N-SS���: Trying to join cluster "lock_nolock", "��%b�i�~N-SS���"
[ 54.789274][ T5027] gfs2: fsid=��%b�i�~N-SS���: Now mounting FS (format 1801)...
[ 54.803341][ T5027] gfs2: fsid=��%b�i�~N-SS���.0: journal 0 mapped with 18 extents in 0ms
[ 54.813806][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0, already locked for use
[ 54.821517][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0: Looking at journal...
[pid 5027] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0
[pid 5027] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5027] ioctl(4, LOOP_CLR_FD) = 0
[pid 5027] close(4) = 0
[pid 5027] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, NULL) = -1 EFAULT (Bad address)
[pid 5027] exit_group(0) = ?
[pid 5027] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5027, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=26 /* 0.26 s */} ---
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555572a16f0 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
[ 54.861458][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0: Journal head lookup took 39ms
[ 54.870268][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0: Done
[ 54.876253][ T5027] gfs2: fsid=��%b�i�~N-SS���.0: first mount done, others may mount
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x5555572a9730 /* 2 entries */, 32768) = 48
getdents64(4, 0x5555572a9730 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./0/file0") = 0
getdents64(3, 0x5555572a16f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555572a0650) = 5030
./strace-static-x86_64: Process 5030 attached
[pid 5030] set_robust_list(0x5555572a0660, 24) = 0
[pid 5030] chdir("./1") = 0
[pid 5030] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5030] setpgid(0, 0) = 0
[pid 5030] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5030] write(3, "1000", 4) = 4
[pid 5030] close(3) = 0
[pid 5030] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5030] memfd_create("syzkaller", 0) = 3
[pid 5030] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc212184000
[pid 5030] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5030] munmap(0x7fc212184000, 138412032) = 0
[pid 5030] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5030] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5030] close(3) = 0
[pid 5030] mkdir("./file0", 0777) = 0
[ 55.270898][ T5030] loop0: detected capacity change from 0 to 32768
[ 55.282634][ T5030] gfs2: fsid=��%b�i�~N-SS���: Trying to join cluster "lock_nolock", "��%b�i�~N-SS���"
[ 55.292243][ T5030] gfs2: fsid=��%b�i�~N-SS���: Now mounting FS (format 1801)...
[ 55.303563][ T5030] gfs2: fsid=��%b�i�~N-SS���.0: journal 0 mapped with 18 extents in 0ms
[ 55.313013][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0, already locked for use
[ 55.320580][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0: Looking at journal...
[ 55.361039][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0: Journal head lookup took 40ms
[pid 5030] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_NODEV|MS_SYNCHRONOUS|MS_NODIRATIME, "\x64\x61\x74\x61\x3d\x77\x72\x69\x74\x65\x62\x61\x63\x6b\x2c\x61\x63\x6c\x2c\x71\x75\x6f\x74\x61\x3d\x6f\x6e\x2c\x6c\x6f\x63\x61\x6c\x63\x61\x63\x68\x69\x6e\x67\x2c\x6c\x6f\x63\x6b\x74\x61\x62\x6c\x65\x3d\x84\xbd\x25\x62\xad\x69\x92\x7e\x4e\x2d\x53\x53\xc2\x13\x93\x2c\x71\x75\x6f\x74\x61\x2c") = 0
[pid 5030] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5030] ioctl(4, LOOP_CLR_FD) = 0
[pid 5030] close(4) = 0
[pid 5030] quotactl(QCMD(Q_GETQUOTA, GRPQUOTA), "/dev/loop0", 0, NULL) = -1 EFAULT (Bad address)
[pid 5030] exit_group(0) = ?
[pid 5030] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5030, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=23 /* 0.23 s */} ---
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555572a16f0 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs") = 0
[ 55.369353][ T8] gfs2: fsid=��%b�i�~N-SS���.0: jid=0: Done
[ 55.375651][ T5030] gfs2: fsid=��%b�i�~N-SS���.0: first mount done, others may mount
[ 55.447138][ C1] ==================================================================
[ 55.455237][ C1] BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x83/0xf0
[ 55.462794][ C1] Write of size 4 at addr ffff888020f1ca78 by task syz-executor103/5026
[ 55.471100][ C1]
[ 55.473405][ C1] CPU: 1 PID: 5026 Comm: syz-executor103 Not tainted 6.6.0-rc6-syzkaller-00285-g9c5d00cb7b6b #0
[ 55.483791][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 55.493825][ C1] Call Trace:
[ 55.497087][ C1] <IRQ>
[ 55.499915][ C1] dump_stack_lvl+0x1e7/0x2d0
[ 55.504580][ C1] ? nf_tcp_handle_invalid+0x650/0x650
[ 55.510025][ C1] ? panic+0x770/0x770
[ 55.514075][ C1] ? _printk+0xd5/0x120
[ 55.518212][ C1] print_report+0x163/0x540
[ 55.522702][ C1] ? print_irqtrace_events+0x220/0x220
[ 55.528139][ C1] ? __virt_addr_valid+0x22f/0x2e0
[ 55.533230][ C1] ? __phys_addr+0xba/0x170
[ 55.537711][ C1] ? gfs2_qd_dealloc+0x83/0xf0
[ 55.542456][ C1] kasan_report+0x175/0x1b0
[ 55.546942][ C1] ? gfs2_qd_dealloc+0x83/0xf0
[ 55.551689][ C1] kasan_check_range+0x27e/0x290
[ 55.556607][ C1] gfs2_qd_dealloc+0x83/0xf0
[ 55.561183][ C1] ? gfs2_qd_dispose+0x5b0/0x5b0
[ 55.566103][ C1] ? rcu_core+0xa61/0x1790
[ 55.570498][ C1] rcu_core+0xacf/0x1790
[ 55.574724][ C1] ? rcu_cpu_kthread_park+0x90/0x90
[ 55.579902][ C1] ? rebalance_domains+0x949/0xac0
[ 55.584992][ C1] ? mark_lock+0x9a/0x340
[ 55.589306][ C1] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0
[ 55.595266][ C1] ? print_irqtrace_events+0x220/0x220
[ 55.600703][ C1] ? do_raw_spin_unlock+0x13b/0x8b0
[ 55.605883][ C1] __do_softirq+0x2ab/0x908
[ 55.610373][ C1] ? __irq_exit_rcu+0xf1/0x1b0
[ 55.615121][ C1] ? __lock_text_end+0xc/0xc
[ 55.619696][ C1] ? irqtime_account_irq+0xd4/0x1e0
[ 55.624873][ C1] __irq_exit_rcu+0xf1/0x1b0
[ 55.629446][ C1] ? irq_exit_rcu+0x20/0x20
[ 55.633932][ C1] irq_exit_rcu+0x9/0x20
[ 55.638158][ C1] sysvec_apic_timer_interrupt+0x95/0xb0
[ 55.643771][ C1] </IRQ>
[ 55.646679][ C1] <TASK>
[ 55.649591][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 55.655551][ C1] RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x60
[ 55.661602][ C1] Code: 00 00 f3 0f 1e fa 53 48 89 fb e8 13 00 00 00 48 8b 3d 34 9d 0b 0d 48 89 de 5b e9 53 a3 59 00 0f 1f 00 f3 0f 1e fa 48 8b 04 24 <65> 48 8b 0d 80 ab 75 7e 65 8b 15 81 ab 75 7e f7 c2 00 01 ff 00 74
[ 55.681202][ C1] RSP: 0018:ffffc900038972b0 EFLAGS: 00000293
[ 55.687255][ C1] RAX: ffffffff813dd529 RBX: ffffc90003897f20 RCX: ffff888024590000
[ 55.695213][ C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffc90003897f20
[ 55.703166][ C1] RBP: ffffc90003897f20 R08: ffffffff813dcbdb R09: ffffffff813db790
[ 55.711125][ C1] R10: 0000000000000003 R11: ffff888024590000 R12: 1ffff92000712e81
[ 55.719079][ C1] R13: 1ffff92000712e82 R14: 1ffff92000712e80 R15: ffffc90003898000
[ 55.727058][ C1] ? unwind_next_frame+0x1970/0x29e0
[ 55.732339][ C1] ? deref_stack_reg+0xab/0x250
[ 55.737173][ C1] ? __read_once_word_nocheck+0x9/0x10
[ 55.742617][ C1] __read_once_word_nocheck+0x9/0x10
[ 55.747886][ C1] deref_stack_reg+0x1c7/0x250
[ 55.752634][ C1] unwind_next_frame+0x1ab9/0x29e0
[ 55.757736][ C1] ? syscall_exit_to_user_mode+0x15c/0x280
[ 55.763522][ C1] ? syscall_exit_to_user_mode+0x15c/0x280
[ 55.769309][ C1] ? stack_trace_save+0x1c0/0x1c0
[ 55.774400][ C1] arch_stack_walk+0x146/0x1a0
[ 55.779145][ C1] ? do_syscall_64+0x4d/0xc0
[ 55.783719][ C1] stack_trace_save+0x117/0x1c0
[ 55.788549][ C1] ? stack_trace_snprint+0xf0/0xf0
[ 55.793641][ C1] save_stack+0xfa/0x1e0
[ 55.797864][ C1] ? __reset_page_owner+0x190/0x190
[ 55.803042][ C1] ? free_unref_page_prepare+0x8c3/0x9f0
[ 55.808657][ C1] ? free_unref_page_list+0x596/0x830
[ 55.814010][ C1] ? release_pages+0x2113/0x23f0
[ 55.818946][ C1] ? __folio_batch_release+0x84/0x100
[ 55.824296][ C1] ? truncate_inode_pages_range+0x45d/0x11a0
[ 55.830259][ C1] ? blkdev_flush_mapping+0x15a/0x2b0
[ 55.835608][ C1] ? blkdev_put+0x4a9/0x770
[ 55.840088][ C1] ? deactivate_locked_super+0xa4/0x110
[ 55.845610][ C1] ? cleanup_mnt+0x426/0x4c0
[ 55.850178][ C1] ? task_work_run+0x24a/0x300
[ 55.854921][ C1] ? ptrace_notify+0x2cd/0x380
[ 55.859666][ C1] ? syscall_exit_to_user_mode+0x15c/0x280
[ 55.865456][ C1] ? page_ext_get+0x20/0x2a0
[ 55.870050][ C1] __reset_page_owner+0x4f/0x190
[ 55.874976][ C1] free_unref_page_prepare+0x8c3/0x9f0
[ 55.880417][ C1] free_unref_page_list+0x596/0x830
[ 55.885594][ C1] ? __mod_zone_page_state+0xda/0x140
[ 55.890946][ C1] release_pages+0x2113/0x23f0
[ 55.895687][ C1] ? filemap_free_folio+0x1fc/0x3c0
[ 55.900868][ C1] ? lru_cache_disable+0x30/0x30
[ 55.905781][ C1] ? filemap_remove_folio+0x2e0/0x2e0
[ 55.911136][ C1] ? workingset_activation+0x880/0x880
[ 55.916575][ C1] __folio_batch_release+0x84/0x100
[ 55.921753][ C1] truncate_inode_pages_range+0x45d/0x11a0
[ 55.927543][ C1] ? smp_call_function_many_cond+0x162a/0x2890
[ 55.933674][ C1] ? lockdep_hardirqs_on+0x98/0x140
[ 55.938854][ C1] ? mapping_evict_folio+0x530/0x530
[ 55.944122][ C1] ? mutex_unlock+0x10/0x10
[ 55.948606][ C1] ? invalidate_bh_lrus+0x30/0x30
[ 55.953610][ C1] ? __bread_gfp+0x380/0x380
[ 55.958215][ C1] ? invalidate_bh_lrus+0x30/0x30
[ 55.963226][ C1] blkdev_flush_mapping+0x15a/0x2b0
[ 55.968410][ C1] blkdev_put+0x4a9/0x770
[ 55.972723][ C1] deactivate_locked_super+0xa4/0x110
[ 55.978077][ C1] cleanup_mnt+0x426/0x4c0
[ 55.982473][ C1] ? _raw_spin_unlock_irq+0x23/0x50
[ 55.987670][ C1] task_work_run+0x24a/0x300
[ 55.992250][ C1] ? task_work_cancel+0x2b0/0x2b0
[ 55.997262][ C1] ? lockdep_hardirqs_on+0x98/0x140
[ 56.002442][ C1] ? __x64_sys_umount+0x126/0x170
[ 56.007450][ C1] ptrace_notify+0x2cd/0x380
[ 56.012027][ C1] ? do_notify_parent+0x1100/0x1100
[ 56.017211][ C1] ? __x64_sys_umount+0x126/0x170
[ 56.022218][ C1] ? path_umount+0xf40/0xf40
[ 56.026795][ C1] ? syscall_enter_from_user_mode+0x32/0x230
[ 56.032768][ C1] syscall_exit_to_user_mode+0x15c/0x280
[ 56.038382][ C1] do_syscall_64+0x4d/0xc0
[ 56.042781][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.048656][ C1] RIP: 0033:0x7fc21a5c4407
[ 56.053052][ C1] Code: 08 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
[ 56.072640][ C1] RSP: 002b:00007ffe49e5ebe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 56.081036][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc21a5c4407
[ 56.088986][ C1] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffe49e5eca0
[ 56.096937][ C1] RBP: 00007ffe49e5eca0 R08: 0000000000000000 R09: 0000000000000000
[ 56.104889][ C1] R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffe49e5fd00
[ 56.112839][ C1] R13: 00005555572a16c0 R14: 0000000000000002 R15: 431bde82d7b634db
[ 56.120796][ C1] </TASK>
[ 56.123795][ C1]
[ 56.126095][ C1] Allocated by task 5030:
[ 56.130396][ C1] kasan_set_track+0x4f/0x70
[ 56.134967][ C1] __kasan_kmalloc+0x98/0xb0
[ 56.139536][ C1] gfs2_fill_super+0x136/0x26c0
[ 56.144363][ C1] get_tree_bdev+0x416/0x5b0
[ 56.148933][ C1] gfs2_get_tree+0x54/0x210
[ 56.153416][ C1] vfs_get_tree+0x8c/0x280
[ 56.157811][ C1] do_new_mount+0x28f/0xae0
[ 56.162291][ C1] __se_sys_mount+0x2d9/0x3c0
[ 56.166949][ C1] do_syscall_64+0x41/0xc0
[ 56.171345][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.177219][ C1]
[ 56.179524][ C1] Freed by task 5026:
[ 56.183475][ C1] kasan_set_track+0x4f/0x70
[ 56.188043][ C1] kasan_save_free_info+0x28/0x40
[ 56.193047][ C1] ____kasan_slab_free+0xd6/0x120
[ 56.198049][ C1] __kmem_cache_free+0x25f/0x3b0
[ 56.202964][ C1] generic_shutdown_super+0x13a/0x2c0
[ 56.208316][ C1] kill_block_super+0x41/0x70
[ 56.212972][ C1] deactivate_locked_super+0xa4/0x110
[ 56.218323][ C1] cleanup_mnt+0x426/0x4c0
[ 56.222718][ C1] task_work_run+0x24a/0x300
[ 56.227289][ C1] ptrace_notify+0x2cd/0x380
[ 56.231861][ C1] syscall_exit_to_user_mode+0x15c/0x280
[ 56.237471][ C1] do_syscall_64+0x4d/0xc0
[ 56.241867][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.247741][ C1]
[ 56.250041][ C1] The buggy address belongs to the object at ffff888020f1c000
[ 56.250041][ C1] which belongs to the cache kmalloc-8k of size 8192
[ 56.264071][ C1] The buggy address is located 2680 bytes inside of
[ 56.264071][ C1] freed 8192-byte region [ffff888020f1c000, ffff888020f1e000)
[ 56.278017][ C1]
[ 56.280320][ C1] The buggy address belongs to the physical page:
[ 56.286706][ C1] page:ffffea000083c600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20f18
[ 56.296863][ C1] head:ffffea000083c600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 56.305770][ C1] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 56.314173][ C1] page_type: 0xffffffff()
[ 56.318483][ C1] raw: 00fff00000000840 ffff888012842280 ffffea0000844200 0000000000000005
[ 56.327043][ C1] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 56.335604][ C1] page dumped because: kasan: bad access detected
[ 56.341992][ C1] page_owner tracks the page as allocated
[ 56.347681][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4691, tgid 4691 (rcS), ts 31365276121, free_ts 31364458381
[ 56.367538][ C1] post_alloc_hook+0x1e6/0x210
[ 56.372286][ C1] get_page_from_freelist+0x31db/0x3360
[ 56.377810][ C1] __alloc_pages+0x255/0x670
[ 56.382380][ C1] alloc_slab_page+0x6a/0x160
[ 56.387035][ C1] new_slab+0x84/0x2f0
[ 56.391080][ C1] ___slab_alloc+0xc85/0x1310
[ 56.395732][ C1] __kmem_cache_alloc_node+0x1af/0x270
[ 56.401166][ C1] kmalloc_trace+0x2a/0xe0
[ 56.405558][ C1] tomoyo_init_log+0x11cd/0x2040
[ 56.410472][ C1] tomoyo_supervisor+0x386/0x11f0
[ 56.415492][ C1] tomoyo_env_perm+0x178/0x210
[ 56.420249][ C1] tomoyo_find_next_domain+0x1383/0x1cf0
[ 56.425871][ C1] tomoyo_bprm_check_security+0x114/0x170
[ 56.431577][ C1] security_bprm_check+0x63/0xa0
[ 56.436497][ C1] bprm_execve+0x8c7/0x17c0
[ 56.440988][ C1] do_execveat_common+0x580/0x720
[ 56.445992][ C1] page last free stack trace:
[ 56.450640][ C1] free_unref_page_prepare+0x8c3/0x9f0
[ 56.456084][ C1] free_unref_page+0x37/0x3f0
[ 56.460747][ C1] __unfreeze_partials+0x1dc/0x220
[ 56.465862][ C1] put_cpu_partial+0x17b/0x250
[ 56.470604][ C1] __slab_free+0x2b6/0x390
[ 56.474998][ C1] qlist_free_all+0x75/0xe0
[ 56.479478][ C1] kasan_quarantine_reduce+0x14b/0x160
[ 56.484912][ C1] __kasan_slab_alloc+0x23/0x70
[ 56.489742][ C1] slab_post_alloc_hook+0x67/0x3d0
[ 56.494832][ C1] __kmem_cache_alloc_node+0x141/0x270
[ 56.500286][ C1] __kmalloc+0xa8/0x230
[ 56.504421][ C1] tomoyo_supervisor+0xe06/0x11f0
[ 56.509427][ C1] tomoyo_env_perm+0x178/0x210
[ 56.514172][ C1] tomoyo_find_next_domain+0x1383/0x1cf0
[ 56.519781][ C1] tomoyo_bprm_check_security+0x114/0x170
[ 56.525480][ C1] security_bprm_check+0x63/0xa0
[ 56.530396][ C1]
[ 56.532697][ C1] Memory state around the buggy address:
[ 56.538304][ C1] ffff888020f1c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.546341][ C1] ffff888020f1c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.554376][ C1] >ffff888020f1ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.562418][ C1] ^
[ 56.570375][ C1] ffff888020f1ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.578414][ C1] ffff888020f1cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.586464][ C1] ==================================================================
[ 56.594612][ C1] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 56.601801][ C1] CPU: 1 PID: 5026 Comm: syz-executor103 Not tainted 6.6.0-rc6-syzkaller-00285-g9c5d00cb7b6b #0
[ 56.612229][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 56.622287][ C1] Call Trace:
[ 56.625577][ C1] <IRQ>
[ 56.628403][ C1] dump_stack_lvl+0x1e7/0x2d0
[ 56.633069][ C1] ? nf_tcp_handle_invalid+0x650/0x650
[ 56.638510][ C1] ? panic+0x770/0x770
[ 56.642561][ C1] ? vscnprintf+0x5d/0x80
[ 56.646880][ C1] panic+0x30f/0x770
[ 56.650773][ C1] ? check_panic_on_warn+0x21/0xa0
[ 56.655863][ C1] ? __memcpy_flushcache+0x2b0/0x2b0
[ 56.661144][ C1] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 56.667019][ C1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 56.672907][ C1] ? _raw_spin_unlock+0x40/0x40
[ 56.677738][ C1] ? print_report+0x4fb/0x540
[ 56.682399][ C1] check_panic_on_warn+0x82/0xa0
[ 56.687316][ C1] ? gfs2_qd_dealloc+0x83/0xf0
[ 56.692064][ C1] end_report+0x6e/0x130
[ 56.696287][ C1] kasan_report+0x186/0x1b0
[ 56.700772][ C1] ? gfs2_qd_dealloc+0x83/0xf0
[ 56.705520][ C1] kasan_check_range+0x27e/0x290
[ 56.710439][ C1] gfs2_qd_dealloc+0x83/0xf0
[ 56.715010][ C1] ? gfs2_qd_dispose+0x5b0/0x5b0
[ 56.719929][ C1] ? rcu_core+0xa61/0x1790
[ 56.724321][ C1] rcu_core+0xacf/0x1790
[ 56.728546][ C1] ? rcu_cpu_kthread_park+0x90/0x90
[ 56.733724][ C1] ? rebalance_domains+0x949/0xac0
[ 56.738822][ C1] ? mark_lock+0x9a/0x340
[ 56.743136][ C1] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0
[ 56.749095][ C1] ? print_irqtrace_events+0x220/0x220
[ 56.754531][ C1] ? do_raw_spin_unlock+0x13b/0x8b0
[ 56.759712][ C1] __do_softirq+0x2ab/0x908
[ 56.764199][ C1] ? __irq_exit_rcu+0xf1/0x1b0
[ 56.768947][ C1] ? __lock_text_end+0xc/0xc
[ 56.773519][ C1] ? irqtime_account_irq+0xd4/0x1e0
[ 56.778699][ C1] __irq_exit_rcu+0xf1/0x1b0
[ 56.783274][ C1] ? irq_exit_rcu+0x20/0x20
[ 56.787758][ C1] irq_exit_rcu+0x9/0x20
[ 56.791984][ C1] sysvec_apic_timer_interrupt+0x95/0xb0
[ 56.797623][ C1] </IRQ>
[ 56.800535][ C1] <TASK>
[ 56.803446][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 56.809407][ C1] RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x60
[ 56.815455][ C1] Code: 00 00 f3 0f 1e fa 53 48 89 fb e8 13 00 00 00 48 8b 3d 34 9d 0b 0d 48 89 de 5b e9 53 a3 59 00 0f 1f 00 f3 0f 1e fa 48 8b 04 24 <65> 48 8b 0d 80 ab 75 7e 65 8b 15 81 ab 75 7e f7 c2 00 01 ff 00 74
[ 56.835073][ C1] RSP: 0018:ffffc900038972b0 EFLAGS: 00000293
[ 56.841121][ C1] RAX: ffffffff813dd529 RBX: ffffc90003897f20 RCX: ffff888024590000
[ 56.849076][ C1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffc90003897f20
[ 56.857030][ C1] RBP: ffffc90003897f20 R08: ffffffff813dcbdb R09: ffffffff813db790
[ 56.864985][ C1] R10: 0000000000000003 R11: ffff888024590000 R12: 1ffff92000712e81
[ 56.872936][ C1] R13: 1ffff92000712e82 R14: 1ffff92000712e80 R15: ffffc90003898000
[ 56.880890][ C1] ? unwind_next_frame+0x1970/0x29e0
[ 56.886160][ C1] ? deref_stack_reg+0xab/0x250
[ 56.891011][ C1] ? __read_once_word_nocheck+0x9/0x10
[ 56.896462][ C1] __read_once_word_nocheck+0x9/0x10
[ 56.901730][ C1] deref_stack_reg+0x1c7/0x250
[ 56.906500][ C1] unwind_next_frame+0x1ab9/0x29e0
[ 56.911596][ C1] ? syscall_exit_to_user_mode+0x15c/0x280
[ 56.917385][ C1] ? syscall_exit_to_user_mode+0x15c/0x280
[ 56.923170][ C1] ? stack_trace_save+0x1c0/0x1c0
[ 56.928176][ C1] arch_stack_walk+0x146/0x1a0
[ 56.932920][ C1] ? do_syscall_64+0x4d/0xc0
[ 56.937494][ C1] stack_trace_save+0x117/0x1c0
[ 56.942324][ C1] ? stack_trace_snprint+0xf0/0xf0
[ 56.947418][ C1] save_stack+0xfa/0x1e0
[ 56.951643][ C1] ? __reset_page_owner+0x190/0x190
[ 56.956829][ C1] ? free_unref_page_prepare+0x8c3/0x9f0
[ 56.962445][ C1] ? free_unref_page_list+0x596/0x830
[ 56.967799][ C1] ? release_pages+0x2113/0x23f0
[ 56.972713][ C1] ? __folio_batch_release+0x84/0x100
[ 56.978063][ C1] ? truncate_inode_pages_range+0x45d/0x11a0
[ 56.984020][ C1] ? blkdev_flush_mapping+0x15a/0x2b0
[ 56.989377][ C1] ? blkdev_put+0x4a9/0x770
[ 56.993858][ C1] ? deactivate_locked_super+0xa4/0x110
[ 56.999384][ C1] ? cleanup_mnt+0x426/0x4c0
[ 57.003959][ C1] ? task_work_run+0x24a/0x300
[ 57.008723][ C1] ? ptrace_notify+0x2cd/0x380
[ 57.013491][ C1] ? syscall_exit_to_user_mode+0x15c/0x280
[ 57.019281][ C1] ? page_ext_get+0x20/0x2a0
[ 57.023870][ C1] __reset_page_owner+0x4f/0x190
[ 57.028790][ C1] free_unref_page_prepare+0x8c3/0x9f0
[ 57.034235][ C1] free_unref_page_list+0x596/0x830
[ 57.039413][ C1] ? __mod_zone_page_state+0xda/0x140
[ 57.044765][ C1] release_pages+0x2113/0x23f0
[ 57.049508][ C1] ? filemap_free_folio+0x1fc/0x3c0
[ 57.054696][ C1] ? lru_cache_disable+0x30/0x30
[ 57.059613][ C1] ? filemap_remove_folio+0x2e0/0x2e0
[ 57.064967][ C1] ? workingset_activation+0x880/0x880
[ 57.070406][ C1] __folio_batch_release+0x84/0x100
[ 57.075583][ C1] truncate_inode_pages_range+0x45d/0x11a0
[ 57.081367][ C1] ? smp_call_function_many_cond+0x162a/0x2890
[ 57.087500][ C1] ? lockdep_hardirqs_on+0x98/0x140
[ 57.092682][ C1] ? mapping_evict_folio+0x530/0x530
[ 57.097955][ C1] ? mutex_unlock+0x10/0x10
[ 57.102438][ C1] ? invalidate_bh_lrus+0x30/0x30
[ 57.107440][ C1] ? __bread_gfp+0x380/0x380
[ 57.112007][ C1] ? invalidate_bh_lrus+0x30/0x30
[ 57.117020][ C1] blkdev_flush_mapping+0x15a/0x2b0
[ 57.122203][ C1] blkdev_put+0x4a9/0x770
[ 57.126514][ C1] deactivate_locked_super+0xa4/0x110
[ 57.131867][ C1] cleanup_mnt+0x426/0x4c0
[ 57.136265][ C1] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.141445][ C1] task_work_run+0x24a/0x300
[ 57.146024][ C1] ? task_work_cancel+0x2b0/0x2b0
[ 57.151032][ C1] ? lockdep_hardirqs_on+0x98/0x140
[ 57.156213][ C1] ? __x64_sys_umount+0x126/0x170
[ 57.161236][ C1] ptrace_notify+0x2cd/0x380
[ 57.165811][ C1] ? do_notify_parent+0x1100/0x1100
[ 57.170992][ C1] ? __x64_sys_umount+0x126/0x170
[ 57.176000][ C1] ? path_umount+0xf40/0xf40
[ 57.180572][ C1] ? syscall_enter_from_user_mode+0x32/0x230
[ 57.186549][ C1] syscall_exit_to_user_mode+0x15c/0x280
[ 57.192162][ C1] do_syscall_64+0x4d/0xc0
[ 57.196560][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.202438][ C1] RIP: 0033:0x7fc21a5c4407
[ 57.206836][ C1] Code: 08 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
[ 57.226420][ C1] RSP: 002b:00007ffe49e5ebe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[ 57.234811][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc21a5c4407
[ 57.242764][ C1] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffe49e5eca0
[ 57.250719][ C1] RBP: 00007ffe49e5eca0 R08: 0000000000000000 R09: 0000000000000000
[ 57.258675][ C1] R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffe49e5fd00
[ 57.266626][ C1] R13: 00005555572a16c0 R14: 0000000000000002 R15: 431bde82d7b634db
[ 57.274582][ C1] </TASK>
[ 57.277792][ C1] Kernel Offset: disabled
[ 57.282116][ C1] Rebooting in 86400 seconds..