./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2868144195

<...>
Warning: Permanently added '10.128.0.238' (ED25519) to the list of known hosts.
execve("./syz-executor2868144195", ["./syz-executor2868144195"], 0x7ffc677ff310 /* 10 vars */) = 0
brk(NULL)                               = 0x555555e41000
brk(0x555555e41d00)                     = 0x555555e41d00
arch_prctl(ARCH_SET_FS, 0x555555e41380) = 0
set_tid_address(0x555555e41650)         = 5062
set_robust_list(0x555555e41660, 24)     = 0
rseq(0x555555e41ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2868144195", 4096) = 28
getrandom("\x1d\x52\x9b\xfb\x4b\x88\xe1\x94", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x555555e41d00
brk(0x555555e62d00)                     = 0x555555e62d00
brk(0x555555e63000)                     = 0x555555e63000
mprotect(0x7f003cc97000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
mkdir("./syzkaller.OAuYbK", 0700)       = 0
chmod("./syzkaller.OAuYbK", 0777)       = 0
chdir("./syzkaller.OAuYbK")             = 0
mkdir("./0", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
[   77.769372][   T27] audit: type=1400 audit(1700835917.473:83): avc:  denied  { execmem } for  pid=5062 comm="syz-executor286" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
ioctl(3, LOOP_CLR_FD)                   = -1 ENXIO (No such device or address)
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e41650) = 5063
./strace-static-x86_64: Process 5063 attached
[pid  5063] set_robust_list(0x555555e41660, 24) = 0
[pid  5063] chdir("./0")                = 0
[pid  5063] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5063] setpgid(0, 0)               = 0
[pid  5063] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5063] write(3, "1000", 4)         = 4
[pid  5063] close(3)                    = 0
[pid  5063] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5063] memfd_create("syzkaller", 0) = 3
[pid  5063] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00347e3000
[   77.818325][   T27] audit: type=1400 audit(1700835917.523:84): avc:  denied  { read write } for  pid=5062 comm="syz-executor286" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[   77.846160][   T27] audit: type=1400 audit(1700835917.523:85): avc:  denied  { open } for  pid=5062 comm="syz-executor286" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[   77.871856][   T27] audit: type=1400 audit(1700835917.533:86): avc:  denied  { ioctl } for  pid=5062 comm="syz-executor286" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[pid  5063] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid  5063] munmap(0x7f00347e3000, 138412032) = 0
[pid  5063] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5063] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5063] close(3)                    = 0
[pid  5063] mkdir("./file0", 0777)      = 0
[   77.965053][ T5063] loop0: detected capacity change from 0 to 8192
[   77.991121][   T27] audit: type=1400 audit(1700835917.693:87): avc:  denied  { mounton } for  pid=5063 comm="syz-executor286" path="/root/syzkaller.OAuYbK/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[   78.002072][ T5063] REISERFS warning:  read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[   78.029077][ T5063] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   78.038822][ T5063] REISERFS (device loop0): using ordered data mode
[   78.045374][ T5063] reiserfs: using flush barriers
[   78.052657][ T5063] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   78.069389][ T5063] REISERFS (device loop0): checking transaction log (loop0)
[pid  5063] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid  5063] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid  5063] chdir("./file0")            = 0
[pid  5063] ioctl(4, LOOP_CLR_FD)       = 0
[pid  5063] close(4)                    = 0
[pid  5063] open(".", O_RDONLY)         = 4
[pid  5063] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid  5063] exit_group(0)               = ?
[pid  5063] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5063, si_uid=0, si_status=0, si_utime=0, si_stime=18 /* 0.18 s */} ---
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
[   78.136296][ T5063] REISERFS (device loop0): Using r5 hash to sort names
[   78.144802][   T27] audit: type=1400 audit(1700835917.843:88): avc:  denied  { mount } for  pid=5063 comm="syz-executor286" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t tclass=filesystem permissive=1
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555e426f0 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs")                  = 0
[   78.252314][   T27] audit: type=1400 audit(1700835917.953:89): avc:  denied  { unmount } for  pid=5062 comm="syz-executor286" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nfs_t tclass=filesystem permissive=1
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x555555e4a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x555555e4a730 /* 0 entries */, 32768) = 0
close(4)                                = 0
rmdir("./0/file0")                      = 0
getdents64(3, 0x555555e426f0 /* 0 entries */, 32768) = 0
close(3)                                = 0
rmdir("./0")                            = 0
mkdir("./1", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
ioctl(3, LOOP_CLR_FD)                   = -1 ENXIO (No such device or address)
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e41650) = 5066
./strace-static-x86_64: Process 5066 attached
[pid  5066] set_robust_list(0x555555e41660, 24) = 0
[pid  5066] chdir("./1")                = 0
[pid  5066] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5066] setpgid(0, 0)               = 0
[pid  5066] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5066] write(3, "1000", 4)         = 4
[pid  5066] close(3)                    = 0
[pid  5066] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5066] memfd_create("syzkaller", 0) = 3
[pid  5066] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00347e3000
[pid  5066] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid  5066] munmap(0x7f00347e3000, 138412032) = 0
[pid  5066] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5066] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5066] close(3)                    = 0
[pid  5066] mkdir("./file0", 0777)      = 0
[   78.590244][ T5066] loop0: detected capacity change from 0 to 8192
[   78.608184][   T27] audit: type=1400 audit(1700835918.313:90): avc:  denied  { append } for  pid=4494 comm="syslogd" name="messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   78.616953][ T5066] REISERFS warning:  read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[   78.631099][   T27] audit: type=1400 audit(1700835918.313:91): avc:  denied  { open } for  pid=4494 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   78.644062][ T5066] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   78.666963][   T27] audit: type=1400 audit(1700835918.313:92): avc:  denied  { getattr } for  pid=4494 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   78.675863][ T5066] REISERFS (device loop0): using ordered data mode
[   78.704488][ T5066] reiserfs: using flush barriers
[   78.710901][ T5066] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   78.727802][ T5066] REISERFS (device loop0): checking transaction log (loop0)
[pid  5066] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid  5066] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid  5066] chdir("./file0")            = 0
[pid  5066] ioctl(4, LOOP_CLR_FD)       = 0
[pid  5066] close(4)                    = 0
[pid  5066] open(".", O_RDONLY)         = 4
[pid  5066] getdents64(4, NULL /* 0 entries */, 0) = 0
[pid  5066] exit_group(0)               = ?
[   78.785030][ T5066] REISERFS (device loop0): Using r5 hash to sort names
[pid  5066] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5066, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=18 /* 0.18 s */} ---
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x555555e426f0 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs")                  = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(4, 0x555555e4a730 /* 2 entries */, 32768) = 48
getdents64(4, 0x555555e4a730 /* 0 entries */, 32768) = 0
close(4)                                = 0
rmdir("./1/file0")                      = 0
getdents64(3, 0x555555e426f0 /* 0 entries */, 32768) = 0
close(3)                                = 0
rmdir("./1")                            = 0
mkdir("./2", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
ioctl(3, LOOP_CLR_FD)                   = -1 ENXIO (No such device or address)
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e41650) = 5068
./strace-static-x86_64: Process 5068 attached
[pid  5068] set_robust_list(0x555555e41660, 24) = 0
[pid  5068] chdir("./2")                = 0
[pid  5068] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5068] setpgid(0, 0)               = 0
[pid  5068] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5068] write(3, "1000", 4)         = 4
[pid  5068] close(3)                    = 0
[pid  5068] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5068] memfd_create("syzkaller", 0) = 3
[pid  5068] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00347e3000
[pid  5068] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
[pid  5068] munmap(0x7f00347e3000, 138412032) = 0
[pid  5068] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5068] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5068] close(3)                    = 0
[pid  5068] mkdir("./file0", 0777)      = 0
[   79.183869][ T5068] loop0: detected capacity change from 0 to 8192
[   79.199683][ T5068] REISERFS warning:  read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[   79.212765][ T5068] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   79.222234][ T5068] REISERFS (device loop0): using ordered data mode
[   79.228890][ T5068] reiserfs: using flush barriers
[   79.235394][ T5068] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   79.252332][ T5068] REISERFS (device loop0): checking transaction log (loop0)
[pid  5068] mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_SILENT, "") = 0
[pid  5068] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid  5068] chdir("./file0")            = 0
[pid  5068] ioctl(4, LOOP_CLR_FD)       = 0
[pid  5068] close(4)                    = 0
[pid  5068] open(".", O_RDONLY)         = 4
[   79.312994][ T5068] REISERFS (device loop0): Using r5 hash to sort names
[   79.373232][ T5068] ==================================================================
[   79.381338][ T5068] BUG: KASAN: use-after-free in reiserfs_readdir_inode+0xce1/0x14b0
[   79.389353][ T5068] Read of size 8 at addr ffff8880752af000 by task syz-executor286/5068
[   79.397583][ T5068] 
[   79.399894][ T5068] CPU: 1 PID: 5068 Comm: syz-executor286 Not tainted 6.7.0-rc2-syzkaller-00095-gd3fa86b1a7b4 #0
[   79.410380][ T5068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[   79.421032][ T5068] Call Trace:
[   79.424301][ T5068]  <TASK>
[   79.427217][ T5068]  dump_stack_lvl+0xd9/0x1b0
[   79.431826][ T5068]  print_report+0xc4/0x620
[   79.436265][ T5068]  ? __virt_addr_valid+0x5e/0x2d0
[   79.441291][ T5068]  ? __phys_addr+0xc6/0x140
[   79.445790][ T5068]  kasan_report+0xda/0x110
[   79.450275][ T5068]  ? reiserfs_readdir_inode+0xce1/0x14b0
[   79.455952][ T5068]  ? reiserfs_readdir_inode+0xce1/0x14b0
[   79.461613][ T5068]  kasan_check_range+0xef/0x190
[   79.466461][ T5068]  reiserfs_readdir_inode+0xce1/0x14b0
[   79.471929][ T5068]  ? reiserfs_dir_fsync+0x140/0x140
[   79.477125][ T5068]  ? rwsem_read_trylock+0x12a/0x250
[   79.482332][ T5068]  ? down_read_killable+0xcc/0x380
[   79.487444][ T5068]  iterate_dir+0x1e5/0x5b0
[   79.491926][ T5068]  __x64_sys_getdents64+0x14f/0x2e0
[   79.497150][ T5068]  ? __ia32_sys_getdents+0x2d0/0x2d0
[   79.502442][ T5068]  ? fillonedir+0x400/0x400
[   79.506959][ T5068]  ? _raw_spin_unlock_irq+0x2e/0x50
[   79.512176][ T5068]  ? ptrace_notify+0xf4/0x130
[   79.516847][ T5068]  ? syscall_trace_enter.constprop.0+0xaf/0x1e0
[   79.523143][ T5068]  do_syscall_64+0x40/0x110
[   79.527675][ T5068]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   79.533577][ T5068] RIP: 0033:0x7f003cc220e9
[   79.538020][ T5068] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   79.557658][ T5068] RSP: 002b:00007ffdb83cfcc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[   79.566074][ T5068] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f003cc220e9
[   79.574060][ T5068] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   79.582052][ T5068] RBP: 0000000000000004 R08: 00007ffdb83cfcf0 R09: 00007ffdb83cfcf0
[   79.590040][ T5068] R10: 0000000000001131 R11: 0000000000000246 R12: 00007ffdb83cfd10
[   79.598013][ T5068] R13: 00007ffdb83cfd50 R14: 0000000000000003 R15: 0000000000400000
[   79.606002][ T5068]  </TASK>
[   79.609015][ T5068] 
[   79.611331][ T5068] The buggy address belongs to the physical page:
[   79.617737][ T5068] page:ffffea0001d4abc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x752af
[   79.627893][ T5068] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   79.634998][ T5068] page_type: 0xffffffff()
[   79.639322][ T5068] raw: 00fff00000000000 ffffea0001d05b08 ffffe8ffffc01770 0000000000000000
[   79.647904][ T5068] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   79.656506][ T5068] page dumped because: kasan: bad access detected
[   79.662908][ T5068] page_owner tracks the page as freed
[   79.668268][ T5068] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5064, tgid 5064 (udevd), ts 79382272913, free_ts 79384772944
[   79.684415][ T5068]  post_alloc_hook+0x2d0/0x350
[   79.689216][ T5068]  get_page_from_freelist+0xa25/0x36d0
[   79.694681][ T5068]  __alloc_pages+0x22e/0x2420
[   79.699359][ T5068]  alloc_pages_mpol+0x258/0x5f0
[   79.704213][ T5068]  shmem_alloc_folio+0x10d/0x140
[   79.709145][ T5068]  shmem_alloc_and_add_folio+0x147/0x7b0
[   79.714781][ T5068]  shmem_get_folio_gfp+0x623/0x1360
[   79.719993][ T5068]  shmem_write_begin+0x15a/0x360
[   79.724965][ T5068]  generic_perform_write+0x278/0x600
[   79.730253][ T5068]  shmem_file_write_iter+0x110/0x140
[   79.735537][ T5068]  vfs_write+0x64f/0xdf0
[   79.739841][ T5068]  ksys_write+0x12f/0x250
[   79.744177][ T5068]  do_syscall_64+0x40/0x110
[   79.748690][ T5068]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   79.754589][ T5068] page last free stack trace:
[   79.759249][ T5068]  free_unref_page_prepare+0x4fa/0xaa0
[   79.764702][ T5068]  free_unref_page_list+0xe6/0xb40
[   79.769809][ T5068]  release_pages+0x32a/0x14f0
[   79.774666][ T5068]  __folio_batch_release+0x77/0xe0
[   79.780292][ T5068]  shmem_undo_range+0x57a/0x1030
[   79.785226][ T5068]  shmem_evict_inode+0x39f/0xba0
[   79.790162][ T5068]  evict+0x2ed/0x6b0
[   79.794057][ T5068]  iput.part.0+0x560/0x7b0
[   79.798490][ T5068]  iput+0x5c/0x80
[   79.802142][ T5068]  dentry_unlink_inode+0x292/0x430
[   79.807270][ T5068]  __dentry_kill+0x3b8/0x640
[   79.811994][ T5068]  dput+0x6de/0xd90
[   79.815809][ T5068]  do_renameat2+0xc4c/0xdc0
[   79.820327][ T5068]  __x64_sys_rename+0x81/0xa0
[   79.825017][ T5068]  do_syscall_64+0x40/0x110
[   79.829511][ T5068]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   79.835407][ T5068] 
[   79.837714][ T5068] Memory state around the buggy address:
[   79.843333][ T5068]  ffff8880752aef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   79.851380][ T5068]  ffff8880752aef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   79.859425][ T5068] >ffff8880752af000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   79.867479][ T5068]                    ^
[   79.871539][ T5068]  ffff8880752af080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   79.879607][ T5068]  ffff8880752af100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   79.887676][ T5068] ==================================================================
[   79.896026][ T5068] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   79.903240][ T5068] CPU: 0 PID: 5068 Comm: syz-executor286 Not tainted 6.7.0-rc2-syzkaller-00095-gd3fa86b1a7b4 #0
[   79.913670][ T5068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[   79.923734][ T5068] Call Trace:
[   79.927028][ T5068]  <TASK>
[   79.929963][ T5068]  dump_stack_lvl+0xd9/0x1b0
[   79.934577][ T5068]  panic+0x6dc/0x790
[   79.938485][ T5068]  ? panic_smp_self_stop+0xa0/0xa0
[   79.943603][ T5068]  ? preempt_schedule_thunk+0x1a/0x30
[   79.949003][ T5068]  ? preempt_schedule_common+0x45/0xc0
[   79.954487][ T5068]  ? check_panic_on_warn+0x1f/0xb0
[   79.959622][ T5068]  check_panic_on_warn+0xab/0xb0
[   79.964572][ T5068]  end_report+0x108/0x150
[   79.968928][ T5068]  kasan_report+0xea/0x110
[   79.973364][ T5068]  ? reiserfs_readdir_inode+0xce1/0x14b0
[   79.979017][ T5068]  ? reiserfs_readdir_inode+0xce1/0x14b0
[   79.984656][ T5068]  kasan_check_range+0xef/0x190
[   79.989528][ T5068]  reiserfs_readdir_inode+0xce1/0x14b0
[   79.995014][ T5068]  ? reiserfs_dir_fsync+0x140/0x140
[   80.000235][ T5068]  ? rwsem_read_trylock+0x12a/0x250
[   80.005442][ T5068]  ? down_read_killable+0xcc/0x380
[   80.010570][ T5068]  iterate_dir+0x1e5/0x5b0
[   80.014992][ T5068]  __x64_sys_getdents64+0x14f/0x2e0
[   80.020194][ T5068]  ? __ia32_sys_getdents+0x2d0/0x2d0
[   80.026266][ T5068]  ? fillonedir+0x400/0x400
[   80.030775][ T5068]  ? _raw_spin_unlock_irq+0x2e/0x50
[   80.035985][ T5068]  ? ptrace_notify+0xf4/0x130
[   80.040665][ T5068]  ? syscall_trace_enter.constprop.0+0xaf/0x1e0
[   80.046931][ T5068]  do_syscall_64+0x40/0x110
[   80.051472][ T5068]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[   80.057394][ T5068] RIP: 0033:0x7f003cc220e9
[   80.061823][ T5068] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   80.081452][ T5068] RSP: 002b:00007ffdb83cfcc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[   80.089878][ T5068] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f003cc220e9
[   80.097850][ T5068] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[   80.105822][ T5068] RBP: 0000000000000004 R08: 00007ffdb83cfcf0 R09: 00007ffdb83cfcf0
[   80.113793][ T5068] R10: 0000000000001131 R11: 0000000000000246 R12: 00007ffdb83cfd10
[   80.121762][ T5068] R13: 00007ffdb83cfd50 R14: 0000000000000003 R15: 0000000000400000
[   80.129824][ T5068]  </TASK>
[   80.133090][ T5068] Kernel Offset: disabled
[   80.137402][ T5068] Rebooting in 86400 seconds..