./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3012879409

<...>
Warning: Permanently added '10.128.0.91' (ED25519) to the list of known hosts.
execve("./syz-executor3012879409", ["./syz-executor3012879409"], 0x7ffd1976b690 /* 10 vars */) = 0
brk(NULL)                               = 0x55556e7c3000
brk(0x55556e7c3d00)                     = 0x55556e7c3d00
arch_prctl(ARCH_SET_FS, 0x55556e7c3380) = 0
set_tid_address(0x55556e7c3650)         = 288
set_robust_list(0x55556e7c3660, 24)     = 0
rseq(0x55556e7c3ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor3012879409", 4096) = 28
getrandom("\x07\xc6\x58\x64\xea\xb2\x3b\x91", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55556e7c3d00
brk(0x55556e7e4d00)                     = 0x55556e7e4d00
brk(0x55556e7e5000)                     = 0x55556e7e5000
mprotect(0x7f0ec1b14000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 289 attached
, child_tidptr=0x55556e7c3650) = 289
[pid   289] set_robust_list(0x55556e7c3660, 24) = 0
[pid   289] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid   289] getppid()                   = 0
[pid   289] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid   289] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid   289] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid   289] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid   289] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid   289] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid   289] unshare(CLONE_NEWNS)        = 0
[pid   289] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid   289] unshare(CLONE_NEWIPC)       = -1 EINVAL (Invalid argument)
[pid   289] unshare(CLONE_NEWCGROUP)    = 0
[pid   289] unshare(CLONE_NEWUTS)       = 0
[pid   289] unshare(CLONE_SYSVSEM)      = 0
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   289] getpid()                    = 1
[pid   289] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid   289] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid   289] unshare(CLONE_NEWNET)       = 0
[pid   289] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid   289] write(3, "0 65535", 7)      = 7
[pid   289] close(3)                    = 0
[pid   289] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
[pid   289] write(3, "100000", 6)       = 6
[pid   289] close(3)                    = 0
[pid   289] mkdir("./syz-tmp", 0777)    = 0
[   30.594430][   T30] audit: type=1400 audit(1749565606.814:64): avc:  denied  { execmem } for  pid=288 comm="syz-executor301" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   30.620265][   T30] audit: type=1400 audit(1749565606.844:65): avc:  denied  { mounton } for  pid=289 comm="syz-executor301" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[pid   289] mount("", "./syz-tmp", "tmpfs", 0, NULL) = 0
[pid   289] mkdir("./syz-tmp/newroot", 0777) = 0
[pid   289] mkdir("./syz-tmp/newroot/dev", 0700) = 0
[pid   289] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid   289] mkdir("./syz-tmp/newroot/proc", 0700) = 0
[pid   289] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL) = 0
[pid   289] mkdir("./syz-tmp/newroot/selinux", 0700) = 0
[pid   289] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid   289] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid   289] mkdir("./syz-tmp/newroot/sys", 0700) = 0
[pid   289] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid   289] mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid   289] mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid   289] mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0
[pid   289] mkdir("./syz-tmp/newroot/syz-inputs", 0700) = 0
[pid   289] mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, NULL) = -1 ENOENT (No such file or directory)
[pid   289] mkdir("./syz-tmp/pivot", 0777) = 0
[pid   289] pivot_root("./syz-tmp", "./syz-tmp/pivot") = 0
[pid   289] chdir("/")                  = 0
[   30.663010][   T30] audit: type=1400 audit(1749565606.884:66): avc:  denied  { mounton } for  pid=289 comm="syz-executor301" path="/root/syz-tmp" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[pid   289] umount2("./pivot", MNT_DETACH) = 0
[pid   289] chroot("./newroot")         = 0
[pid   289] chdir("/")                  = 0
[pid   289] mkdir("/dev/gadgetfs", 0777) = 0
[pid   289] mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL) = -1 ENODEV (No such device)
[pid   289] mkdir("/dev/binderfs", 0777) = 0
[pid   289] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid   289] symlink("/dev/binderfs", "./binderfs") = 0
[pid   289] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid   289] write(1, "executing program\n", 18executing program
) = 18
[pid   289] memfd_create("syzkaller", 0) = 3
[pid   289] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0eb965c000
[   30.688124][   T30] audit: type=1400 audit(1749565606.884:67): avc:  denied  { mount } for  pid=289 comm="syz-executor301" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[   30.715219][   T30] audit: type=1400 audit(1749565606.904:68): avc:  denied  { mounton } for  pid=289 comm="syz-executor301" path="/root/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[   30.720568][  T289] request_module fs-gadgetfs succeeded, but still no fs?
[   30.742904][   T30] audit: type=1400 audit(1749565606.904:69): avc:  denied  { mount } for  pid=289 comm="syz-executor301" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[   30.776224][   T30] audit: type=1400 audit(1749565606.904:70): avc:  denied  { mounton } for  pid=289 comm="syz-executor301" path="/root/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[   30.804546][   T30] audit: type=1400 audit(1749565606.914:71): avc:  denied  { mounton } for  pid=289 comm="syz-executor301" path="/root/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=14946 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[   30.832384][   T30] audit: type=1400 audit(1749565606.914:72): avc:  denied  { unmount } for  pid=289 comm="syz-executor301" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[   30.855012][   T30] audit: type=1400 audit(1749565606.944:73): avc:  denied  { mounton } for  pid=289 comm="syz-executor301" path="/dev/gadgetfs" dev="devtmpfs" ino=556 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[pid   289] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 20699119) = 20699119
[pid   289] munmap(0x7f0eb965c000, 138412032) = 0
[pid   289] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid   289] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid   289] close(3)                    = 0
[   30.936339][  T289] loop0: detected capacity change from 0 to 40427
[pid   289] close(4)                    = 0
[pid   289] mkdir("./bus", 0777)        = 0
[   31.108008][  T289] F2FS-fs (loop0): Invalid log_blocksize (268), supports only 12
[   31.116933][  T289] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[   31.127687][  T289] F2FS-fs (loop0): invalid crc value
[   31.135006][  T289] F2FS-fs (loop0): Found nat_bits in checkpoint
[pid   289] mount("/dev/loop0", "./bus", "f2fs", 0, "") = 0
[pid   289] openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3
[pid   289] chdir("./bus")              = 0
[pid   289] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid   289] ioctl(4, LOOP_CLR_FD)       = 0
[pid   289] close(4)                    = 0
[pid   289] openat(AT_FDCWD, "./file0", O_RDONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_APPEND|O_SYNC|O_CLOEXEC, 000) = 4
[pid   289] ioctl(4, F2FS_IOC_START_ATOMIC_WRITE, 0) = 0
[pid   289] close(3)                    = 0
[pid   289] close(4)                    = 0
[pid   289] close(5)                    = -1 EBADF (Bad file descriptor)
[pid   289] close(6)                    = -1 EBADF (Bad file descriptor)
[pid   289] close(7)                    = -1 EBADF (Bad file descriptor)
[pid   289] close(8)                    = -1 EBADF (Bad file descriptor)
[pid   289] close(9)                    = -1 EBADF (Bad file descriptor)
[pid   289] close(10)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(11)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(12)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(13)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(14)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(15)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(16)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(17)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(18)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(19)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(20)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(21)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(22)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(23)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(24)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(25)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(26)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(27)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(28)                   = -1 EBADF (Bad file descriptor)
[pid   289] close(29)                   = -1 EBADF (Bad file descriptor)
[pid   289] exit_group(1)               = ?
[   31.164083][  T289] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
[   31.172459][  T289] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   31.205184][  T289] ------------[ cut here ]------------
[   31.210905][  T289] WARNING: CPU: 0 PID: 289 at fs/f2fs/inode.c:880 f2fs_evict_inode+0x12b0/0x1560
[   31.221293][  T289] Modules linked in:
[   31.225593][  T289] CPU: 0 PID: 289 Comm: syz-executor301 Not tainted 5.15.185-syzkaller-00339-ge678c93d43cc #0
[   31.237166][  T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   31.248313][  T289] RIP: 0010:f2fs_evict_inode+0x12b0/0x1560
[   31.255025][  T289] Code: e9 55 f2 ff ff e8 f0 3e 61 ff eb 05 e8 e9 3e 61 ff 4c 8b 74 24 28 48 8b 7c 24 18 e8 ba ef 02 00 e9 bc fc ff ff e8 d0 3e 61 ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 91 b2 9f ff f0 41 80 0e 04 e9 99
[   31.276373][  T289] RSP: 0018:ffffc90000997740 EFLAGS: 00010293
[   31.282747][  T289] RAX: ffffffff820767c0 RBX: 1ffff92000132efc RCX: ffff88811b6ee2c0
[   31.290764][  T289] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
[   31.300778][  T289] RBP: ffffc900009978b0 R08: dffffc0000000000 R09: ffffed102132a4ef
[   31.309680][  T289] R10: ffffed102132a4ef R11: 1ffff1102132a4ee R12: ffff888109952770
[   31.318736][  T289] R13: dffffc0000000000 R14: ffff888104dcc078 R15: 0000000000000002
[   31.327217][  T289] FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
[   31.336551][  T289] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.343225][  T289] CR2: 00007f6b1b109000 CR3: 000000010d9fa000 CR4: 00000000003506b0
[   31.351806][  T289] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   31.359942][  T289] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   31.368076][  T289] Call Trace:
[   31.371395][  T289]  <TASK>
[   31.374688][  T289]  ? inode_wait_for_writeback+0x1b0/0x200
[   31.380712][  T289]  ? f2fs_write_inode+0x850/0x850
[   31.386101][  T289]  ? bit_waitqueue+0x30/0x30
[   31.391759][  T289]  ? locks_free_lock_context+0x42/0x70
[   31.399213][  T289]  ? f2fs_write_inode+0x850/0x850
[   31.404505][  T289]  evict+0x485/0x870
[   31.408899][  T289]  ? proc_nr_inodes+0x310/0x310
[   31.413884][  T289]  ? _raw_spin_lock+0x8e/0xe0
[   31.419109][  T289]  ? _raw_spin_unlock+0x4d/0x70
[   31.424483][  T289]  evict_inodes+0x5de/0x650
[   31.429860][  T289]  ? clear_inode+0x150/0x150
[   31.434625][  T289]  generic_shutdown_super+0x96/0x330
[   31.440186][  T289]  kill_block_super+0x7f/0xf0
[   31.445219][  T289]  kill_f2fs_super+0x2e7/0x390
[   31.450447][  T289]  ? radix_tree_delete_item+0x2c8/0x410
[   31.456670][  T289]  ? f2fs_mount+0x40/0x40
[   31.461433][  T289]  ? unregister_shrinker+0x201/0x290
[   31.467036][  T289]  deactivate_locked_super+0xa0/0x100
[   31.472561][  T289]  deactivate_super+0xaf/0xe0
[   31.477720][  T289]  cleanup_mnt+0x446/0x500
[   31.482541][  T289]  __cleanup_mnt+0x19/0x20
[   31.487274][  T289]  task_work_run+0x127/0x190
[   31.492177][  T289]  do_exit+0xa76/0x27a0
[   31.496532][  T289]  ? ptrace_stop+0x6f4/0xa80
[   31.501438][  T289]  ? put_task_struct+0x90/0x90
[   31.506941][  T289]  ? ptrace_notify+0x1c4/0x250
[   31.512885][  T289]  ? do_notify_parent+0x800/0x800
[   31.518637][  T289]  do_group_exit+0x141/0x310
[   31.523382][  T289]  ? debug_smp_processor_id+0x17/0x20
[   31.529093][  T289]  __x64_sys_exit_group+0x3f/0x40
[   31.534507][  T289]  x64_sys_call+0x832/0x9a0
[   31.539052][  T289]  do_syscall_64+0x4c/0xa0
[   31.543789][  T289]  ? clear_bhb_loop+0x50/0xa0
[   31.548873][  T289]  ? clear_bhb_loop+0x50/0xa0
[   31.553889][  T289]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   31.560336][  T289] RIP: 0033:0x7f0ec1a98b49
[   31.564997][  T289] Code: Unable to access opcode bytes at RIP 0x7f0ec1a98b1f.
[   31.572964][  T289] RSP: 002b:00007ffd85369028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   31.581555][  T289] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f0ec1a98b49
[   31.590018][  T289] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   31.598390][  T289] RBP: 00007f0ec1b1a2d0 R08: ffffffffffffffb8 R09: 0000000000000006
[   31.606498][  T289] R10: 0000000000005580 R11: 0000000000000246 R12: 00007f0ec1b1a2d0
[   31.614839][  T289] R13: 0000000000000000 R14: 00007f0ec1b1b040 R15: 00007f0ec1a67070
[   31.623367][  T289]  </TASK>
[   31.626505][  T289] ---[ end trace 0a0203f4ba3f0405 ]---
[   31.657272][  T289] ==================================================================
[   31.665900][  T289] BUG: KASAN: use-after-free in _raw_spin_lock+0x81/0xe0
[   31.673310][  T289] Write of size 4 at addr ffff8881099524e8 by task syz-executor301/289
[   31.682086][  T289] 
[   31.684876][  T289] CPU: 1 PID: 289 Comm: syz-executor301 Tainted: G        W         5.15.185-syzkaller-00339-ge678c93d43cc #0
[   31.697736][  T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   31.710288][  T289] Call Trace:
[   31.714087][  T289]  <TASK>
[   31.717233][  T289]  __dump_stack+0x21/0x30
[   31.722494][  T289]  dump_stack_lvl+0xee/0x150
[   31.727912][  T289]  ? show_regs_print_info+0x20/0x20
[   31.737221][  T289]  ? load_image+0x3a0/0x3a0
[   31.743423][  T289]  print_address_description+0x7f/0x2c0
[   31.749655][  T289]  ? _raw_spin_lock+0x81/0xe0
[   31.754723][  T289]  kasan_report+0xf1/0x140
[   31.760161][  T289]  ? _raw_spin_lock_irqsave+0xb0/0x110
[   31.765822][  T289]  ? _raw_spin_lock+0x81/0xe0
[   31.770685][  T289]  kasan_check_range+0x280/0x290
[   31.775727][  T289]  __kasan_check_write+0x14/0x20
[   31.781305][  T289]  _raw_spin_lock+0x81/0xe0
[   31.786901][  T289]  ? _raw_spin_trylock_bh+0x130/0x130
[   31.793491][  T289]  ? __kasan_check_write+0x14/0x20
[   31.799824][  T289]  ? _raw_spin_lock+0x8e/0xe0
[   31.805855][  T289]  ? _raw_spin_trylock_bh+0x130/0x130
[   31.811408][  T289]  igrab+0x20/0xa0
[   31.816052][  T289]  f2fs_sync_inode_meta+0x153/0x2a0
[   31.821672][  T289]  f2fs_write_checkpoint+0xa7d/0x1f00
[   31.827248][  T289]  ? _raw_spin_unlock+0x4d/0x70
[   31.832245][  T289]  ? f2fs_get_sectors_written+0x4e0/0x4e0
[   31.838333][  T289]  ? rwsem_write_trylock+0x130/0x300
[   31.844195][  T289]  ? __kasan_check_read+0x11/0x20
[   31.849661][  T289]  ? wb_wait_for_completion+0x1d8/0x270
[   31.855699][  T289]  f2fs_issue_checkpoint+0x2e5/0x470
[   31.861158][  T289]  ? f2fs_destroy_checkpoint_caches+0x30/0x30
[   31.867352][  T289]  ? try_to_writeback_inodes_sb+0xc0/0xc0
[   31.873083][  T289]  f2fs_sync_fs+0x16f/0x2c0
[   31.877812][  T289]  sync_filesystem+0x1cb/0x240
[   31.883017][  T289]  f2fs_quota_off_umount+0x217/0x230
[   31.888502][  T289]  f2fs_put_super+0xb7/0xc00
[   31.893487][  T289]  ? fsnotify_destroy_marks+0x14f/0x400
[   31.900805][  T289]  ? fsnotify_sb_delete+0x471/0x4e0
[   31.907633][  T289]  ? f2fs_drop_inode+0x980/0x980
[   31.912970][  T289]  ? __fsnotify_vfsmount_delete+0x20/0x20
[   31.919787][  T289]  ? clear_inode+0x150/0x150
[   31.924517][  T289]  ? fscrypt_destroy_keyring+0x27f/0x290
[   31.930894][  T289]  ? f2fs_drop_inode+0x980/0x980
[   31.935937][  T289]  generic_shutdown_super+0x151/0x330
[   31.941519][  T289]  kill_block_super+0x7f/0xf0
[   31.946938][  T289]  kill_f2fs_super+0x2e7/0x390
[   31.952092][  T289]  ? radix_tree_delete_item+0x2c8/0x410
[   31.958347][  T289]  ? f2fs_mount+0x40/0x40
[   31.963247][  T289]  ? unregister_shrinker+0x201/0x290
[   31.969614][  T289]  deactivate_locked_super+0xa0/0x100
[   31.975457][  T289]  deactivate_super+0xaf/0xe0
[   31.980816][  T289]  cleanup_mnt+0x446/0x500
[   31.985555][  T289]  __cleanup_mnt+0x19/0x20
[   31.990184][  T289]  task_work_run+0x127/0x190
[   31.997145][  T289]  do_exit+0xa76/0x27a0
[   32.001686][  T289]  ? ptrace_stop+0x6f4/0xa80
[   32.006556][  T289]  ? put_task_struct+0x90/0x90
[   32.011648][  T289]  ? ptrace_notify+0x1c4/0x250
[   32.016575][  T289]  ? do_notify_parent+0x800/0x800
[   32.021971][  T289]  do_group_exit+0x141/0x310
[   32.026776][  T289]  ? debug_smp_processor_id+0x17/0x20
[   32.032457][  T289]  __x64_sys_exit_group+0x3f/0x40
[   32.037879][  T289]  x64_sys_call+0x832/0x9a0
[   32.042902][  T289]  do_syscall_64+0x4c/0xa0
[   32.047918][  T289]  ? clear_bhb_loop+0x50/0xa0
[   32.052999][  T289]  ? clear_bhb_loop+0x50/0xa0
[   32.058075][  T289]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   32.064511][  T289] RIP: 0033:0x7f0ec1a98b49
[   32.069284][  T289] Code: Unable to access opcode bytes at RIP 0x7f0ec1a98b1f.
[   32.077458][  T289] RSP: 002b:00007ffd85369028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   32.086631][  T289] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f0ec1a98b49
[   32.095626][  T289] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[   32.104581][  T289] RBP: 00007f0ec1b1a2d0 R08: ffffffffffffffb8 R09: 0000000000000006
[   32.113969][  T289] R10: 0000000000005580 R11: 0000000000000246 R12: 00007f0ec1b1a2d0
[   32.123025][  T289] R13: 0000000000000000 R14: 00007f0ec1b1b040 R15: 00007f0ec1a67070
[   32.132345][  T289]  </TASK>
[   32.135552][  T289] 
[   32.138242][  T289] Allocated by task 289:
[   32.145055][  T289]  __kasan_slab_alloc+0xbd/0xf0
[   32.150304][  T289]  slab_post_alloc_hook+0x4f/0x2b0
[   32.155964][  T289]  kmem_cache_alloc+0xf7/0x260
[   32.161409][  T289]  f2fs_alloc_inode+0x26/0x330
[   32.166876][  T289]  new_inode_pseudo+0x62/0x210
[   32.172199][  T289]  new_inode+0x28/0x1e0
[   32.177022][  T289]  f2fs_new_inode+0xd2/0x12b0
[   32.182595][  T289]  f2fs_create+0x178/0x15f0
[   32.187202][  T289]  path_openat+0x11ae/0x2f10
[   32.192469][  T289]  do_filp_open+0x1b3/0x3e0
[   32.198366][  T289]  do_sys_openat2+0x14c/0x7b0
[   32.204183][  T289]  __x64_sys_openat+0x136/0x160
[   32.209230][  T289]  x64_sys_call+0x219/0x9a0
[   32.214623][  T289]  do_syscall_64+0x4c/0xa0
[   32.219266][  T289]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   32.225508][  T289] 
[   32.228035][  T289] Freed by task 0:
[   32.232103][  T289]  kasan_set_track+0x4a/0x70
[   32.237179][  T289]  kasan_set_free_info+0x23/0x40
[   32.242467][  T289]  ____kasan_slab_free+0x125/0x160
[   32.247833][  T289]  __kasan_slab_free+0x11/0x20
[   32.252764][  T289]  slab_free_freelist_hook+0xc2/0x190
[   32.258704][  T289]  kmem_cache_free+0x100/0x320
[   32.263697][  T289]  f2fs_free_inode+0x24/0x30
[   32.268731][  T289]  i_callback+0x4c/0x70
[   32.273104][  T289]  rcu_do_batch+0x51d/0xba0
[   32.277940][  T289]  rcu_core+0x5e4/0xf80
[   32.282192][  T289]  rcu_core_si+0x9/0x10
[   32.286347][  T289]  handle_softirqs+0x250/0x560
[   32.291437][  T289]  __do_softirq+0xb/0xd
[   32.295948][  T289] 
[   32.298583][  T289] Last potentially related work creation:
[   32.304856][  T289]  kasan_save_stack+0x3a/0x60
[   32.310014][  T289]  __kasan_record_aux_stack+0xd2/0x100
[   32.316129][  T289]  kasan_record_aux_stack_noalloc+0xb/0x10
[   32.322468][  T289]  call_rcu+0xf6/0xf60
[   32.326540][  T289]  evict+0x7da/0x870
[   32.330773][  T289]  evict_inodes+0x5de/0x650
[   32.335595][  T289]  generic_shutdown_super+0x96/0x330
[   32.341125][  T289]  kill_block_super+0x7f/0xf0
[   32.346075][  T289]  kill_f2fs_super+0x2e7/0x390
[   32.351043][  T289]  deactivate_locked_super+0xa0/0x100
[   32.356553][  T289]  deactivate_super+0xaf/0xe0
[   32.362074][  T289]  cleanup_mnt+0x446/0x500
[   32.367018][  T289]  __cleanup_mnt+0x19/0x20
[   32.371547][  T289]  task_work_run+0x127/0x190
[   32.376353][  T289]  do_exit+0xa76/0x27a0
[   32.380697][  T289]  do_group_exit+0x141/0x310
[   32.385565][  T289]  __x64_sys_exit_group+0x3f/0x40
[   32.391073][  T289]  x64_sys_call+0x832/0x9a0
[   32.395753][  T289]  do_syscall_64+0x4c/0xa0
[   32.400599][  T289]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   32.407031][  T289] 
[   32.409462][  T289] The buggy address belongs to the object at ffff888109952460
[   32.409462][  T289]  which belongs to the cache f2fs_inode_cache of size 1424
[   32.424798][  T289] The buggy address is located 136 bytes inside of
[   32.424798][  T289]  1424-byte region [ffff888109952460, ffff8881099529f0)
[   32.439735][  T289] The buggy address belongs to the page:
[   32.445848][  T289] page:ffffea0004265400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109950
[   32.456364][  T289] head:ffffea0004265400 order:3 compound_mapcount:0 compound_pincount:0
[   32.464976][  T289] flags: 0x4000000000010200(slab|head|zone=1)
[   32.471143][  T289] raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881003ec480
[   32.480288][  T289] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   32.490250][  T289] page dumped because: kasan: bad access detected
[   32.496877][  T289] page_owner tracks the page as allocated
[   32.503210][  T289] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 289, ts 31127085819, free_ts 0
[   32.523497][  T289]  post_alloc_hook+0x192/0x1b0
[   32.528474][  T289]  prep_new_page+0x1c/0x110
[   32.533428][  T289]  get_page_from_freelist+0x2cc5/0x2d50
[   32.539420][  T289]  __alloc_pages+0x18f/0x440
[   32.544383][  T289]  new_slab+0xa1/0x4d0
[   32.548998][  T289]  ___slab_alloc+0x381/0x810
[   32.554218][  T289]  __slab_alloc+0x49/0x90
[   32.559381][  T289]  kmem_cache_alloc+0x138/0x260
[   32.564773][  T289]  f2fs_alloc_inode+0x26/0x330
[   32.570112][  T289]  iget_locked+0x16c/0x7e0
[   32.574970][  T289]  f2fs_iget+0x55/0x5130
[   32.579226][  T289]  f2fs_fill_super+0x3a20/0x6d10
[   32.584615][  T289]  mount_bdev+0x2ae/0x3e0
[   32.589139][  T289]  f2fs_mount+0x34/0x40
[   32.593329][  T289]  legacy_get_tree+0xed/0x190
[   32.598305][  T289]  vfs_get_tree+0x89/0x260
[   32.602994][  T289] page_owner free stack trace missing
[   32.609102][  T289] 
[   32.611531][  T289] Memory state around the buggy address:
[   32.617835][  T289]  ffff888109952380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.626252][  T289]  ffff888109952400: fc fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb
[   32.635781][  T289] >ffff888109952480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.644753][  T289]                                                           ^
[   32.652518][  T289]  ffff888109952500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.661022][  T289]  ffff888109952580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.669288][  T289] ==================================================================
[   32.677740][  T289] Disabling lock debugging due to kernel taint