./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3308057160 <...> Warning: Permanently added '10.128.0.45' (ED25519) to the list of known hosts. execve("./syz-executor3308057160", ["./syz-executor3308057160"], 0x7ffea6812f10 /* 10 vars */) = 0 brk(NULL) = 0x5555897da000 brk(0x5555897dad00) = 0x5555897dad00 arch_prctl(ARCH_SET_FS, 0x5555897da380) = 0 set_tid_address(0x5555897da650) = 296 set_robust_list(0x5555897da660, 24) = 0 rseq(0x5555897daca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3308057160", 4096) = 28 getrandom("\x6f\x84\x45\x1f\x25\x86\x0f\xe0", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555897dad00 brk(0x5555897fbd00) = 0x5555897fbd00 brk(0x5555897fc000) = 0x5555897fc000 mprotect(0x7fd1513e5000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.Vzuak4", 0700) = 0 chmod("./syzkaller.Vzuak4", 0777) = 0 chdir("./syzkaller.Vzuak4") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555897da650) = 298 ./strace-static-x86_64: Process 298 attached [pid 298] set_robust_list(0x5555897da660, 24) = 0 [pid 298] chdir("./0") = 0 [pid 298] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 298] setpgid(0, 0) = 0 [pid 298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 298] write(3, "1000", 4) = 4 [pid 298] close(3) = 0 [pid 298] symlink("/dev/binderfs", "./binderfs") = 0 [pid 298] write(1, "executing program\n", 18executing program ) = 18 [pid 298] memfd_create("syzkaller", 0) = 3 [pid 298] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd148f22000 [ 25.958639][ T28] audit: type=1400 audit(1745332679.937:66): avc: denied { execmem } for pid=296 comm="syz-executor330" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 25.978267][ T28] audit: type=1400 audit(1745332679.937:67): avc: denied { read write } for pid=296 comm="syz-executor330" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 26.003030][ T28] audit: type=1400 audit(1745332679.937:68): avc: denied { open } for pid=296 comm="syz-executor330" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 26.027892][ T28] audit: type=1400 audit(1745332679.937:69): avc: denied { ioctl } for pid=296 comm="syz-executor330" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 298] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 67108864) = 67108864 [pid 298] munmap(0x7fd148f22000, 138412032) = 0 [pid 298] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 298] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 298] close(3) = 0 [pid 298] close(4) = 0 [pid 298] mkdir("./file0", 0777) = 0 [ 26.395126][ T298] loop0: detected capacity change from 0 to 131072 [ 26.403593][ T28] audit: type=1400 audit(1745332680.387:70): avc: denied { mounton } for pid=298 comm="syz-executor330" path="/root/syzkaller.Vzuak4/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 26.429031][ T298] F2FS-fs (loop0): Wrong CP boundary, start(512) end(198144) blocks(1024) [ 26.437600][ T298] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock [ 26.446448][ T298] F2FS-fs (loop0): invalid crc value [ 26.454525][ T298] F2FS-fs (loop0): Found nat_bits in checkpoint [pid 298] mount("/dev/loop0", "./file0", "f2fs", 0, "") = 0 [pid 298] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 298] chdir("./file0") = 0 [pid 298] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 298] ioctl(4, LOOP_CLR_FD) = 0 [pid 298] close(4) = 0 [pid 298] lstat("./file2", NULL) = -1 EFAULT (Bad address) [pid 298] rename("./file0", "./bus") = 0 [pid 298] clone(child_stack=NULL, flags=CLONE_FILES) = 305 [pid 298] exit_group(0) = ? [pid 298] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=0, si_utime=16, si_stime=32} --- ./strace-static-x86_64: Process 305 attached [pid 296] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 296] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 296] getdents64(3, 0x5555897db6f0 /* 4 entries */, 32768) = 112 [pid 296] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 296] unlink("./0/binderfs") = 0 [pid 296] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 296] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 296] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 296] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 296] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 296] getdents64(4, 0x5555897e3730 /* 7 entries */, 32768) = 200 [pid 296] umount2("./0/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/file0/file1", {st_mode=S_IFREG|0755, st_size=10, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 26.491378][ T298] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0 [ 26.498450][ T298] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 [ 26.506114][ T28] audit: type=1400 audit(1745332680.487:71): avc: denied { mount } for pid=298 comm="syz-executor330" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [pid 296] unlink("./0/file0/file1") = 0 [pid 296] umount2("./0/file0/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/file0/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 296] unlink("./0/file0/file2") = 0 [pid 296] umount2("./0/file0/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/file0/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 26.528292][ T28] audit: type=1400 audit(1745332680.487:72): avc: denied { write } for pid=298 comm="syz-executor330" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 26.541674][ T296] F2FS-fs (loop0): dec_valid_node_count: inconsistent i_blocks, ino:7, iblocks:0 [ 26.550444][ T28] audit: type=1400 audit(1745332680.487:73): avc: denied { remove_name } for pid=298 comm="syz-executor330" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 26.563754][ T296] ------------[ cut here ]------------ [ 26.581639][ T28] audit: type=1400 audit(1745332680.487:74): avc: denied { rename } for pid=298 comm="syz-executor330" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 26.586984][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540 [ 26.608834][ T28] audit: type=1400 audit(1745332680.487:75): avc: denied { add_name } for pid=298 comm="syz-executor330" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 26.617922][ T296] Modules linked in: [ 26.617948][ T296] CPU: 0 PID: 296 Comm: syz-executor330 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0 [ 26.652096][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 26.661999][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540 [ 26.667609][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61 [pid 296] unlink("./0/file0/file3" [pid 305] exit(0) = ? [pid 305] +++ exited with 0 +++ [ 26.687098][ T296] RSP: 0018:ffffc90000f17a40 EFLAGS: 00010293 [ 26.692967][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888111419440 [ 26.700763][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 [ 26.708617][ T296] RBP: ffffc90000f17bb0 R08: ffffffff822ac6a8 R09: ffffed10200acf9f [ 26.716410][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100567a10 [ 26.724221][ T296] R13: dffffc0000000000 R14: ffff88810fda0078 R15: 1ffff920001e2f5c [ 26.732036][ T296] FS: 00005555897da380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 26.740860][ T296] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.747234][ T296] CR2: 00007fff1106fd68 CR3: 00000001255be000 CR4: 00000000003506b0 [ 26.755033][ T296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.762846][ T296] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.770629][ T296] Call Trace: [ 26.773788][ T296] [ 26.776531][ T296] ? show_regs+0x58/0x60 [ 26.780610][ T296] ? __warn+0x160/0x3d0 [ 26.784632][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 26.789641][ T296] ? report_bug+0x4d5/0x7d0 [ 26.794010][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 26.799014][ T296] ? handle_bug+0x41/0x70 [ 26.803207][ T296] ? exc_invalid_op+0x1b/0x50 [ 26.807689][ T296] ? asm_exc_invalid_op+0x1b/0x20 [ 26.812577][ T296] ? f2fs_evict_inode+0xec8/0x1540 [ 26.817496][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 26.822566][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 26.827568][ T296] ? f2fs_write_inode+0x790/0x790 [ 26.832453][ T296] ? bit_waitqueue+0x30/0x30 [ 26.836851][ T296] ? _raw_spin_unlock+0x4c/0x70 [ 26.841577][ T296] ? inode_io_list_del+0x18b/0x1a0 [ 26.846487][ T296] ? f2fs_write_inode+0x790/0x790 [ 26.851343][ T296] evict+0x529/0x930 [ 26.855111][ T296] ? proc_nr_inodes+0x320/0x320 [ 26.859764][ T296] ? __kasan_check_read+0x11/0x20 [ 26.864658][ T296] ? f2fs_drop_inode+0x18c/0xa50 [ 26.869399][ T296] ? __kasan_check_write+0x14/0x20 [ 26.874376][ T296] ? _atomic_dec_and_lock+0xfc/0x140 [ 26.879466][ T296] iput+0x616/0x690 [ 26.883161][ T296] do_unlinkat+0x4e1/0x920 [ 26.887366][ T296] ? fsnotify_link_count+0x100/0x100 [ 26.892516][ T296] ? strncpy_from_user+0x169/0x2b0 [ 26.897434][ T296] ? getname_flags+0x1fd/0x520 [ 26.902059][ T296] __x64_sys_unlink+0x49/0x50 [ 26.906543][ T296] x64_sys_call+0x289/0x9a0 [ 26.910886][ T296] do_syscall_64+0x3b/0x80 [ 26.915182][ T296] ? clear_bhb_loop+0x55/0xb0 [ 26.919655][ T296] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 26.925409][ T296] RIP: 0033:0x7fd151360b97 [ 26.929637][ T296] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 26.949116][ T296] RSP: 002b:00007fff11070518 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 26.957340][ T296] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd151360b97 [ 26.965155][ T296] RDX: 00007fff11070540 RSI: 00007fff110705d0 RDI: 00007fff110705d0 [ 26.972976][ T296] RBP: 00007fff110705d0 R08: 0000000000000000 R09: 0000000000000000 [ 26.980750][ T296] R10: 0000000000000100 R11: 0000000000000206 R12: 00007fff110716c0 <... unlink resumed>) = 0 umount2("./0/file0/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 26.988641][ T296] R13: 00005555897e3700 R14: 0000000000000001 R15: 431bde82d7b634db [ 26.996417][ T296] [ 26.999236][ T296] ---[ end trace 0000000000000000 ]--- [ 27.006388][ T296] ------------[ cut here ]------------ [ 27.011742][ T296] WARNING: CPU: 0 PID: 296 at fs/inode.c:332 drop_nlink+0xc1/0x110 [ 27.019423][ T296] Modules linked in: [ 27.023196][ T296] CPU: 0 PID: 296 Comm: syz-executor330 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 [ 27.034647][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 27.044676][ T296] RIP: 0010:drop_nlink+0xc1/0x110 [ 27.049489][ T296] Code: 1e 48 8d bb b8 04 00 00 be 08 00 00 00 e8 27 fe ef ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 8f 4c a8 ff <0f> 0b eb 88 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 62 ff ff ff 4c [ 27.069007][ T296] RSP: 0018:ffffc90000f17a68 EFLAGS: 00010293 [ 27.074848][ T296] RAX: ffffffff81ccedc1 RBX: 0000000000000000 RCX: ffff888111419440 [ 27.082663][ T296] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 27.090453][ T296] RBP: ffffc90000f17a90 R08: ffffffff81cced44 R09: ffffc90000f17a20 [ 27.098430][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000 [ 27.106215][ T296] R13: 1ffff110200ac8c1 R14: ffff8881005645c0 R15: ffff888100564608 [ 27.114033][ T296] FS: 00005555897da380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 27.122791][ T296] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.129193][ T296] CR2: 00007fff1106fd68 CR3: 00000001255be000 CR4: 00000000003506b0 [ 27.137045][ T296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 27.144842][ T296] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 27.152660][ T296] Call Trace: [ 27.155755][ T296] [ 27.158543][ T296] ? show_regs+0x58/0x60 [ 27.162641][ T296] ? __warn+0x160/0x3d0 [ 27.166604][ T296] ? drop_nlink+0xc1/0x110 [ 27.170855][ T296] ? report_bug+0x4d5/0x7d0 [ 27.175233][ T296] ? drop_nlink+0xc1/0x110 [ 27.179454][ T296] ? handle_bug+0x41/0x70 [ 27.183639][ T296] ? exc_invalid_op+0x1b/0x50 [ 27.188132][ T296] ? asm_exc_invalid_op+0x1b/0x20 [ 27.193019][ T296] ? drop_nlink+0x44/0x110 [ 27.197240][ T296] ? drop_nlink+0xc1/0x110 [ 27.201529][ T296] ? drop_nlink+0xc1/0x110 [ 27.205749][ T296] ? drop_nlink+0xc1/0x110 [ 27.210000][ T296] f2fs_drop_nlink+0x13a/0x3d0 [ 27.214657][ T296] ? f2fs_mark_inode_dirty_sync+0x11b/0x190 [ 27.220336][ T296] f2fs_delete_entry+0xde2/0xf40 [ 27.225137][ T296] f2fs_unlink+0x48b/0x880 [ 27.229388][ T296] ? f2fs_link+0x910/0x910 [ 27.233634][ T296] ? HAS_UNMAPPED_ID+0x1e6/0x240 [ 27.238383][ T296] ? selinux_inode_unlink+0x22/0x30 [ 27.243448][ T296] ? security_inode_unlink+0xcd/0x110 [ 27.248623][ T296] vfs_unlink+0x38c/0x630 [ 27.252851][ T296] do_unlinkat+0x483/0x920 [ 27.257043][ T296] ? fsnotify_link_count+0x100/0x100 [ 27.262197][ T296] ? strncpy_from_user+0x169/0x2b0 [ 27.267116][ T296] ? getname_flags+0x1fd/0x520 [ 27.271777][ T296] __x64_sys_unlink+0x49/0x50 [ 27.276221][ T296] x64_sys_call+0x289/0x9a0 [ 27.280558][ T296] do_syscall_64+0x3b/0x80 [ 27.284850][ T296] ? clear_bhb_loop+0x55/0xb0 [ 27.289328][ T296] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 27.295084][ T296] RIP: 0033:0x7fd151360b97 [ 27.299310][ T296] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 27.318791][ T296] RSP: 002b:00007fff11070518 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 27.327018][ T296] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd151360b97 [ 27.334838][ T296] RDX: 00007fff11070540 RSI: 00007fff110705d0 RDI: 00007fff110705d0 unlink("./0/file0/file.cold") = 0 umount2("./0/file0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/bus", {st_mode=S_IFDIR|0755, st_size=3488, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0/bus", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=3488, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x5555897eb770 /* 4 entries */, 32768) = 112 umount2("./0/file0/bus/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "./0/file0/bus/file0", 0x7fff1106f450, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory) exit_group(1) = ? +++ exited with 1 +++ [ 27.342628][ T296] RBP: 00007fff110705d0 R08: 0000000000000000 R09: 0000000000000000 [ 27.350427][ T296] R10: 0000000000000100 R11: 0000000000000206 R12: 00007fff110716c0 [ 27.358270][ T296] R13: 00005555897e3700 R14: 0000000000000001 R15: 431bde82d7b634db [ 27.366073][ T296] [ 27.368912][ T296] ---[ end trace 0000000000000000 ]--- [ 31.544396][ T8] ================================================================== [ 31.552412][ T8] BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 [ 31.560038][ T8] Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8 [ 31.567592][ T8] [ 31.569766][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 [ 31.580790][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 31.590679][ T8] Workqueue: writeback wb_workfn (flush-7:0) [ 31.596492][ T8] Call Trace: [ 31.599617][ T8] [ 31.602400][ T8] dump_stack_lvl+0x151/0x1b7 [ 31.606909][ T8] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 31.612225][ T8] ? _printk+0xd1/0x111 [ 31.616195][ T8] ? __virt_addr_valid+0x242/0x2f0 [ 31.621142][ T8] print_report+0x158/0x4e0 [ 31.625486][ T8] ? __virt_addr_valid+0x242/0x2f0 [ 31.630427][ T8] ? kasan_complete_mode_report_info+0x90/0x1b0 [ 31.636504][ T8] ? __list_del_entry_valid+0xa6/0x130 [ 31.641808][ T8] kasan_report+0x13c/0x170 [ 31.646140][ T8] ? __list_del_entry_valid+0xa6/0x130 [ 31.651489][ T8] __asan_report_load8_noabort+0x14/0x20 [ 31.657026][ T8] __list_del_entry_valid+0xa6/0x130 [ 31.662155][ T8] f2fs_inode_synced+0x100/0x2e0 [ 31.666914][ T8] f2fs_update_inode+0x72/0x1c40 [ 31.671688][ T8] ? __get_node_page+0x44d/0xb50 [ 31.676465][ T8] f2fs_update_inode_page+0x135/0x170 [ 31.681668][ T8] ? f2fs_write_inode+0x40e/0x790 [ 31.686532][ T8] f2fs_write_inode+0x416/0x790 [ 31.691216][ T8] __writeback_single_inode+0x4cf/0xb80 [ 31.696601][ T8] writeback_sb_inodes+0xb32/0x1910 [ 31.701739][ T8] ? queue_io+0x520/0x520 [ 31.705912][ T8] ? down_read_trylock+0x319/0x7d0 [ 31.710862][ T8] ? __writeback_inodes_wb+0x3f0/0x3f0 [ 31.716146][ T8] __writeback_inodes_wb+0x118/0x3f0 [ 31.721264][ T8] ? queue_io+0x3d0/0x520 [ 31.725433][ T8] wb_writeback+0x3da/0xa00 [ 31.729772][ T8] ? inode_cgwb_move_to_attached+0x3c0/0x3c0 [ 31.735589][ T8] ? __kasan_check_write+0x14/0x20 [ 31.740586][ T8] wb_workfn+0xbba/0x1030 [ 31.744705][ T8] ? inode_wait_for_writeback+0x280/0x280 [ 31.750254][ T8] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 31.755898][ T8] ? cpu_curr_snapshot+0x200/0x200 [ 31.760843][ T8] ? __kasan_check_read+0x11/0x20 [ 31.765703][ T8] ? read_word_at_a_time+0x12/0x20 [ 31.770647][ T8] ? strscpy+0x9c/0x260 [ 31.774640][ T8] process_one_work+0x73d/0xcb0 [ 31.779328][ T8] worker_thread+0xa60/0x1260 [ 31.783844][ T8] kthread+0x26d/0x300 [ 31.787744][ T8] ? worker_clr_flags+0x1a0/0x1a0 [ 31.792607][ T8] ? kthread_blkcg+0xd0/0xd0 [ 31.797033][ T8] ret_from_fork+0x1f/0x30 [ 31.801288][ T8] [ 31.804156][ T8] [ 31.806319][ T8] Allocated by task 298: [ 31.810403][ T8] kasan_set_track+0x4b/0x70 [ 31.814824][ T8] kasan_save_alloc_info+0x1f/0x30 [ 31.819773][ T8] __kasan_slab_alloc+0x6c/0x80 [ 31.824457][ T8] slab_post_alloc_hook+0x53/0x2c0 [ 31.829404][ T8] kmem_cache_alloc_lru+0x102/0x270 [ 31.834439][ T8] f2fs_alloc_inode+0x2d/0x350 [ 31.839037][ T8] iget_locked+0x18c/0x7e0 [ 31.843293][ T8] f2fs_iget+0x55/0x4ca0 [ 31.847374][ T8] f2fs_lookup+0x3c1/0xb50 [ 31.851624][ T8] __lookup_slow+0x2b9/0x3e0 [ 31.856050][ T8] lookup_slow+0x5a/0x80 [ 31.860138][ T8] walk_component+0x2e7/0x410 [ 31.864646][ T8] path_lookupat+0x16d/0x450 [ 31.869068][ T8] filename_lookup+0x251/0x600 [ 31.873669][ T8] vfs_statx+0x107/0x4b0 [ 31.877748][ T8] __se_sys_newlstat+0xda/0x7c0 [ 31.882434][ T8] __x64_sys_newlstat+0x5b/0x70 [ 31.887121][ T8] x64_sys_call+0x52/0x9a0 [ 31.891375][ T8] do_syscall_64+0x3b/0x80 [ 31.895625][ T8] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 31.901358][ T8] [ 31.903525][ T8] Freed by task 0: [ 31.907084][ T8] kasan_set_track+0x4b/0x70 [ 31.911516][ T8] kasan_save_free_info+0x2b/0x40 [ 31.916371][ T8] ____kasan_slab_free+0x131/0x180 [ 31.921315][ T8] __kasan_slab_free+0x11/0x20 [ 31.925917][ T8] kmem_cache_free+0x291/0x560 [ 31.930522][ T8] f2fs_free_inode+0x24/0x30 [ 31.934943][ T8] i_callback+0x4b/0x70 [ 31.938935][ T8] rcu_do_batch+0x552/0xbe0 [ 31.943274][ T8] rcu_core+0x502/0xf40 [ 31.947269][ T8] rcu_core_si+0x9/0x10 [ 31.951259][ T8] handle_softirqs+0x1db/0x650 [ 31.955859][ T8] __irq_exit_rcu+0x52/0xf0 [ 31.960198][ T8] irq_exit_rcu+0x9/0x10 [ 31.964279][ T8] sysvec_apic_timer_interrupt+0xa9/0xc0 [ 31.969746][ T8] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 31.975563][ T8] [ 31.977732][ T8] Last potentially related work creation: [ 31.983289][ T8] kasan_save_stack+0x3b/0x60 [ 31.987803][ T8] __kasan_record_aux_stack+0xb4/0xc0 [ 31.993005][ T8] kasan_record_aux_stack_noalloc+0xb/0x10 [ 31.998649][ T8] call_rcu+0xdc/0x10f0 [ 32.002640][ T8] evict+0x87d/0x930 [ 32.006371][ T8] iput+0x616/0x690 [ 32.010016][ T8] do_unlinkat+0x4e1/0x920 [ 32.014270][ T8] __x64_sys_unlink+0x49/0x50 [ 32.018783][ T8] x64_sys_call+0x289/0x9a0 [ 32.023125][ T8] do_syscall_64+0x3b/0x80 [ 32.027376][ T8] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 32.033105][ T8] [ 32.035377][ T8] The buggy address belongs to the object at ffff888100567a10 [ 32.035377][ T8] which belongs to the cache f2fs_inode_cache of size 1360 [ 32.049770][ T8] The buggy address is located 952 bytes inside of [ 32.049770][ T8] 1360-byte region [ffff888100567a10, ffff888100567f60) [ 32.062963][ T8] [ 32.065128][ T8] The buggy address belongs to the physical page: [ 32.071386][ T8] page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560 [ 32.081448][ T8] head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0 [ 32.089605][ T8] flags: 0x4000000000010200(slab|head|zone=1) [ 32.095519][ T8] raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80 [ 32.103937][ T8] raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000 [ 32.112353][ T8] page dumped because: kasan: bad access detected [ 32.118609][ T8] page_owner tracks the page as allocated [ 32.124152][ T8] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0 [ 32.145505][ T8] post_alloc_hook+0x213/0x220 [ 32.150359][ T8] prep_new_page+0x1b/0x110 [ 32.154697][ T8] get_page_from_freelist+0x3a98/0x3b10 [ 32.160080][ T8] __alloc_pages+0x234/0x610 [ 32.164506][ T8] alloc_slab_page+0x6c/0xf0 [ 32.168931][ T8] new_slab+0x90/0x3e0 [ 32.172837][ T8] ___slab_alloc+0x6f9/0xb80 [ 32.177264][ T8] __slab_alloc+0x5d/0xa0 [ 32.181435][ T8] kmem_cache_alloc_lru+0x149/0x270 [ 32.186467][ T8] f2fs_alloc_inode+0x2d/0x350 [ 32.191063][ T8] iget_locked+0x18c/0x7e0 [ 32.195320][ T8] f2fs_iget+0x55/0x4ca0 [ 32.199397][ T8] f2fs_fill_super+0x5360/0x6dc0 [ 32.204172][ T8] mount_bdev+0x282/0x3b0 [ 32.208339][ T8] f2fs_mount+0x34/0x40 [ 32.212333][ T8] legacy_get_tree+0xf1/0x190 [ 32.216842][ T8] page_owner free stack trace missing [ 32.222050][ T8] [ 32.224218][ T8] Memory state around the buggy address: [ 32.229690][ T8] ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.237590][ T8] ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.245487][ T8] >ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.253392][ T8] ^ [ 32.259641][ T8] ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.267537][ T8] ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.275428][ T8] ================================================================== [ 32.283444][ T8] Disabling lock debugging due to kernel taint