./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3994967786 <...> Warning: Permanently added '10.128.1.55' (ED25519) to the list of known hosts. execve("./syz-executor3994967786", ["./syz-executor3994967786"], 0x7fff4093bef0 /* 10 vars */) = 0 brk(NULL) = 0x55555cb1a000 brk(0x55555cb1ad00) = 0x55555cb1ad00 arch_prctl(ARCH_SET_FS, 0x55555cb1a380) = 0 set_tid_address(0x55555cb1a650) = 296 set_robust_list(0x55555cb1a660, 24) = 0 rseq(0x55555cb1aca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3994967786", 4096) = 28 getrandom("\x96\xbe\xdc\x8d\x65\xbd\x90\x6b", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555cb1ad00 brk(0x55555cb3bd00) = 0x55555cb3bd00 brk(0x55555cb3c000) = 0x55555cb3c000 mprotect(0x7fe9add6d000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.TnHLhE", 0700) = 0 chmod("./syzkaller.TnHLhE", 0777) = 0 chdir("./syzkaller.TnHLhE") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555cb1a650) = 298 executing program ./strace-static-x86_64: Process 298 attached [pid 298] set_robust_list(0x55555cb1a660, 24) = 0 [pid 298] chdir("./0") = 0 [pid 298] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 298] setpgid(0, 0) = 0 [pid 298] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 298] write(3, "1000", 4) = 4 [pid 298] close(3) = 0 [pid 298] symlink("/dev/binderfs", "./binderfs") = 0 [pid 298] write(1, "executing program\n", 18) = 18 [pid 298] memfd_create("syzkaller", 0) = 3 [pid 298] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe9a58aa000 [ 24.176168][ T28] audit: type=1400 audit(1745327318.242:66): avc: denied { execmem } for pid=296 comm="syz-executor399" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 24.195883][ T28] audit: type=1400 audit(1745327318.242:67): avc: denied { read write } for pid=296 comm="syz-executor399" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.220865][ T28] audit: type=1400 audit(1745327318.242:68): avc: denied { open } for pid=296 comm="syz-executor399" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.245745][ T28] audit: type=1400 audit(1745327318.242:69): avc: denied { ioctl } for pid=296 comm="syz-executor399" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 298] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 67108864) = 67108864 [pid 298] munmap(0x7fe9a58aa000, 138412032) = 0 [pid 298] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 298] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 298] close(3) = 0 [pid 298] close(4) = 0 [pid 298] mkdir("./file0", 0777) = 0 [ 24.546209][ T298] loop0: detected capacity change from 0 to 131072 [ 24.554943][ T28] audit: type=1400 audit(1745327318.632:70): avc: denied { mounton } for pid=298 comm="syz-executor399" path="/root/syzkaller.TnHLhE/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 24.581400][ T298] F2FS-fs (loop0): Wrong CP boundary, start(512) end(198144) blocks(1024) [ 24.589785][ T298] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock [ 24.598465][ T298] F2FS-fs (loop0): invalid crc value [ 24.605407][ T298] F2FS-fs (loop0): Found nat_bits in checkpoint [pid 298] mount("/dev/loop0", "./file0", "f2fs", 0, "") = 0 [pid 298] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 298] chdir("./file0") = 0 [pid 298] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 298] ioctl(4, LOOP_CLR_FD) = 0 [pid 298] close(4) = 0 [pid 298] lstat("./file2", NULL) = -1 EFAULT (Bad address) [pid 298] rename("./file0", "./bus") = 0 [pid 298] clone(child_stack=NULL, flags=CLONE_FILES) = 303 [pid 298] exit_group(0) = ? [pid 298] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=0, si_utime=8, si_stime=32} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55555cb1b6f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55555cb23730 /* 7 entries */, 32768) = 200 umount2("./0/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/file1", {st_mode=S_IFREG|0755, st_size=10, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file0/file1"./strace-static-x86_64: Process 303 attached [ 24.639447][ T298] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0 [ 24.646328][ T298] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 [ 24.653988][ T28] audit: type=1400 audit(1745327318.722:71): avc: denied { mount } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 24.674891][ T296] F2FS-fs (loop0): dec_valid_node_count: inconsistent i_blocks, ino:7, iblocks:0 ) = 0 [pid 296] umount2("./0/file0/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/file0/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 296] unlink("./0/file0/file2") = 0 [pid 296] umount2("./0/file0/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/file0/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.705426][ T296] ------------[ cut here ]------------ [ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540 [ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.742969][ T296] Modules linked in: [ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0 [ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540 [ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61 [ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293 [ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000 [ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 [ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d [ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000 [ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c [ 24.879648][ T296] FS: 000055555cb1a380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [pid 296] unlink("./0/file0/file3" [pid 303] exit(0) = ? [pid 303] +++ exited with 0 +++ [ 24.888406][ T296] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 24.894802][ T296] CR2: 000055f067cd1290 CR3: 000000012482a000 CR4: 00000000003506b0 [ 24.902645][ T296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 24.910436][ T296] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 24.918281][ T296] Call Trace: [ 24.921360][ T296] [ 24.924130][ T296] ? show_regs+0x58/0x60 [ 24.928359][ T296] ? __warn+0x160/0x3d0 [ 24.932344][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 24.937376][ T296] ? report_bug+0x4d5/0x7d0 [ 24.941751][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 24.946758][ T296] ? handle_bug+0x41/0x70 [ 24.950947][ T296] ? exc_invalid_op+0x1b/0x50 [ 24.955430][ T296] ? asm_exc_invalid_op+0x1b/0x20 [ 24.960329][ T296] ? f2fs_evict_inode+0xec8/0x1540 [ 24.965235][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 24.970302][ T296] ? f2fs_evict_inode+0x1262/0x1540 [ 24.975309][ T296] ? f2fs_write_inode+0x790/0x790 [ 24.980209][ T296] ? bit_waitqueue+0x30/0x30 [ 24.984590][ T296] ? _raw_spin_unlock+0x4c/0x70 [ 24.989309][ T296] ? inode_io_list_del+0x18b/0x1a0 [ 24.994227][ T296] ? f2fs_write_inode+0x790/0x790 [ 24.999115][ T296] evict+0x529/0x930 [ 25.002819][ T296] ? proc_nr_inodes+0x320/0x320 [ 25.007503][ T296] ? __kasan_check_read+0x11/0x20 [ 25.012398][ T296] ? f2fs_drop_inode+0x18c/0xa50 [ 25.017140][ T296] ? __kasan_check_write+0x14/0x20 [ 25.022118][ T296] ? _atomic_dec_and_lock+0xfc/0x140 [ 25.027209][ T296] iput+0x616/0x690 [ 25.030880][ T296] do_unlinkat+0x4e1/0x920 [ 25.035108][ T296] ? fsnotify_link_count+0x100/0x100 [ 25.040264][ T296] ? strncpy_from_user+0x169/0x2b0 [ 25.045178][ T296] ? getname_flags+0x1fd/0x520 [ 25.049803][ T296] __x64_sys_unlink+0x49/0x50 [ 25.054287][ T296] x64_sys_call+0x289/0x9a0 [ 25.058658][ T296] do_syscall_64+0x3b/0x80 [ 25.062884][ T296] ? clear_bhb_loop+0x55/0xb0 [ 25.067392][ T296] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 25.073155][ T296] RIP: 0033:0x7fe9adce8b97 [ 25.077374][ T296] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 25.096917][ T296] RSP: 002b:00007ffe5a583958 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 25.105097][ T296] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe9adce8b97 [ 25.112909][ T296] RDX: 00007ffe5a583980 RSI: 00007ffe5a583a10 RDI: 00007ffe5a583a10 [ 25.120700][ T296] RBP: 00007ffe5a583a10 R08: 0000000000000000 R09: 0000000000000000 [ 25.128527][ T296] R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe5a584b00 <... unlink resumed>) = 0 umount2("./0/file0/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 25.136306][ T296] R13: 000055555cb23700 R14: 0000000000000001 R15: 431bde82d7b634db [ 25.144155][ T296] [ 25.146981][ T296] ---[ end trace 0000000000000000 ]--- [ 25.153973][ T296] ------------[ cut here ]------------ [ 25.159281][ T296] WARNING: CPU: 1 PID: 296 at fs/inode.c:332 drop_nlink+0xc1/0x110 [ 25.166976][ T296] Modules linked in: [ 25.170747][ T296] CPU: 1 PID: 296 Comm: syz-executor399 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 [ 25.182186][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 25.192091][ T296] RIP: 0010:drop_nlink+0xc1/0x110 [ 25.196923][ T296] Code: 1e 48 8d bb b8 04 00 00 be 08 00 00 00 e8 27 fe ef ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 8f 4c a8 ff <0f> 0b eb 88 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 62 ff ff ff 4c [ 25.216396][ T296] RSP: 0018:ffffc90000db7a68 EFLAGS: 00010293 [ 25.222283][ T296] RAX: ffffffff81ccedc1 RBX: 0000000000000000 RCX: ffff888110948000 [ 25.230107][ T296] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 25.237891][ T296] RBP: ffffc90000db7a90 R08: ffffffff81cced44 R09: ffffc90000db7a20 [ 25.245729][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000 [ 25.253528][ T296] R13: 1ffff110200b08c1 R14: ffff8881005845c0 R15: ffff888100584608 [ 25.261345][ T296] FS: 000055555cb1a380(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 25.270125][ T296] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 25.276512][ T296] CR2: 00007fe9add22e90 CR3: 000000012482a000 CR4: 00000000003506a0 [ 25.284354][ T296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 25.292156][ T296] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 25.299969][ T296] Call Trace: [ 25.303071][ T296] [ 25.305846][ T296] ? show_regs+0x58/0x60 [ 25.309959][ T296] ? __warn+0x160/0x3d0 [ 25.313919][ T296] ? drop_nlink+0xc1/0x110 [ 25.318170][ T296] ? report_bug+0x4d5/0x7d0 [ 25.322513][ T296] ? drop_nlink+0xc1/0x110 [ 25.326767][ T296] ? handle_bug+0x41/0x70 [ 25.330960][ T296] ? exc_invalid_op+0x1b/0x50 [ 25.335445][ T296] ? asm_exc_invalid_op+0x1b/0x20 [ 25.340332][ T296] ? drop_nlink+0x44/0x110 [ 25.344559][ T296] ? drop_nlink+0xc1/0x110 [ 25.348843][ T296] ? drop_nlink+0xc1/0x110 [ 25.353072][ T296] ? drop_nlink+0xc1/0x110 [ 25.357316][ T296] f2fs_drop_nlink+0x13a/0x3d0 [ 25.361959][ T296] ? f2fs_mark_inode_dirty_sync+0x11b/0x190 [ 25.367659][ T296] f2fs_delete_entry+0xde2/0xf40 [ 25.372451][ T296] f2fs_unlink+0x48b/0x880 [ 25.376673][ T296] ? f2fs_link+0x910/0x910 [ 25.380962][ T296] ? HAS_UNMAPPED_ID+0x1e6/0x240 [ 25.385700][ T296] ? selinux_inode_unlink+0x22/0x30 [ 25.390764][ T296] ? security_inode_unlink+0xcd/0x110 [ 25.396000][ T296] vfs_unlink+0x38c/0x630 [ 25.400134][ T296] do_unlinkat+0x483/0x920 [ 25.404360][ T296] ? getname_flags+0xba/0x520 [ 25.408905][ T296] ? fsnotify_link_count+0x100/0x100 [ 25.413994][ T296] ? strncpy_from_user+0x169/0x2b0 [ 25.419009][ T296] ? getname_flags+0x1fd/0x520 [ 25.423558][ T296] __x64_sys_unlink+0x49/0x50 [ 25.428061][ T296] x64_sys_call+0x289/0x9a0 [ 25.432424][ T296] do_syscall_64+0x3b/0x80 [ 25.436654][ T296] ? clear_bhb_loop+0x55/0xb0 [ 25.441276][ T296] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 25.447062][ T296] RIP: 0033:0x7fe9adce8b97 [ 25.451474][ T296] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 25.471029][ T296] RSP: 002b:00007ffe5a583958 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 25.479271][ T296] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe9adce8b97 unlink("./0/file0/file.cold") = 0 umount2("./0/file0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/bus", {st_mode=S_IFDIR|0755, st_size=3488, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0/bus", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=3488, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55555cb2b770 /* 4 entries */, 32768) = 112 umount2("./0/file0/bus/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "./0/file0/bus/file0", 0x7ffe5a582890, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory) exit_group(1) = ? +++ exited with 1 +++ [ 25.487057][ T296] RDX: 00007ffe5a583980 RSI: 00007ffe5a583a10 RDI: 00007ffe5a583a10 [ 25.495010][ T296] RBP: 00007ffe5a583a10 R08: 0000000000000000 R09: 0000000000000000 [ 25.502799][ T296] R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe5a584b00 [ 25.510615][ T296] R13: 000055555cb23700 R14: 0000000000000001 R15: 431bde82d7b634db [ 25.518420][ T296] [ 25.521265][ T296] ---[ end trace 0000000000000000 ]--- [ 29.699160][ T8] ================================================================== [ 29.707198][ T8] BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 [ 29.714819][ T8] Read of size 8 at addr ffff8881005803b8 by task kworker/u4:0/8 [ 29.722373][ T8] [ 29.724555][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 [ 29.735571][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 29.745461][ T8] Workqueue: writeback wb_workfn (flush-7:0) [ 29.751274][ T8] Call Trace: [ 29.754398][ T8] [ 29.757177][ T8] dump_stack_lvl+0x151/0x1b7 [ 29.761689][ T8] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 29.766980][ T8] ? _printk+0xd1/0x111 [ 29.770975][ T8] ? __virt_addr_valid+0x242/0x2f0 [ 29.775922][ T8] print_report+0x158/0x4e0 [ 29.780276][ T8] ? __virt_addr_valid+0x242/0x2f0 [ 29.785210][ T8] ? kasan_complete_mode_report_info+0x90/0x1b0 [ 29.791284][ T8] ? __list_del_entry_valid+0xa6/0x130 [ 29.796581][ T8] kasan_report+0x13c/0x170 [ 29.800923][ T8] ? __list_del_entry_valid+0xa6/0x130 [ 29.806214][ T8] __asan_report_load8_noabort+0x14/0x20 [ 29.811683][ T8] __list_del_entry_valid+0xa6/0x130 [ 29.816803][ T8] f2fs_inode_synced+0x100/0x2e0 [ 29.821577][ T8] f2fs_update_inode+0x72/0x1c40 [ 29.826350][ T8] ? __get_node_page+0x44d/0xb50 [ 29.831124][ T8] f2fs_update_inode_page+0x135/0x170 [ 29.836329][ T8] ? f2fs_write_inode+0x40e/0x790 [ 29.841191][ T8] f2fs_write_inode+0x416/0x790 [ 29.845879][ T8] __writeback_single_inode+0x4cf/0xb80 [ 29.851260][ T8] writeback_sb_inodes+0xb32/0x1910 [ 29.856297][ T8] ? queue_io+0x520/0x520 [ 29.860460][ T8] ? down_read_trylock+0x319/0x7d0 [ 29.865409][ T8] ? __writeback_inodes_wb+0x3f0/0x3f0 [ 29.870702][ T8] __writeback_inodes_wb+0x118/0x3f0 [ 29.875819][ T8] ? queue_io+0x3d0/0x520 [ 29.879987][ T8] wb_writeback+0x3da/0xa00 [ 29.884328][ T8] ? inode_cgwb_move_to_attached+0x3c0/0x3c0 [ 29.890141][ T8] ? __kasan_check_write+0x14/0x20 [ 29.895091][ T8] wb_workfn+0xbba/0x1030 [ 29.899263][ T8] ? inode_wait_for_writeback+0x280/0x280 [ 29.904819][ T8] ? finish_task_switch+0x167/0x7b0 [ 29.909846][ T8] ? __kasan_check_read+0x11/0x20 [ 29.914705][ T8] ? read_word_at_a_time+0x12/0x20 [ 29.919654][ T8] ? strscpy+0x9c/0x260 [ 29.923647][ T8] process_one_work+0x73d/0xcb0 [ 29.928337][ T8] worker_thread+0xa60/0x1260 [ 29.932850][ T8] kthread+0x26d/0x300 [ 29.936751][ T8] ? worker_clr_flags+0x1a0/0x1a0 [ 29.941613][ T8] ? kthread_blkcg+0xd0/0xd0 [ 29.946038][ T8] ret_from_fork+0x1f/0x30 [ 29.950294][ T8] [ 29.953153][ T8] [ 29.955321][ T8] Allocated by task 298: [ 29.959413][ T8] kasan_set_track+0x4b/0x70 [ 29.963830][ T8] kasan_save_alloc_info+0x1f/0x30 [ 29.968775][ T8] __kasan_slab_alloc+0x6c/0x80 [ 29.973464][ T8] slab_post_alloc_hook+0x53/0x2c0 [ 29.978413][ T8] kmem_cache_alloc_lru+0x102/0x270 [ 29.983446][ T8] f2fs_alloc_inode+0x2d/0x350 [ 29.988044][ T8] iget_locked+0x18c/0x7e0 [ 29.992296][ T8] f2fs_iget+0x55/0x4ca0 [ 29.996374][ T8] f2fs_lookup+0x3c1/0xb50 [ 30.000629][ T8] __lookup_slow+0x2b9/0x3e0 [ 30.005055][ T8] lookup_slow+0x5a/0x80 [ 30.009134][ T8] walk_component+0x2e7/0x410 [ 30.013647][ T8] path_lookupat+0x16d/0x450 [ 30.018072][ T8] filename_lookup+0x251/0x600 [ 30.022674][ T8] vfs_statx+0x107/0x4b0 [ 30.026755][ T8] __se_sys_newlstat+0xda/0x7c0 [ 30.031440][ T8] __x64_sys_newlstat+0x5b/0x70 [ 30.036138][ T8] x64_sys_call+0x52/0x9a0 [ 30.040379][ T8] do_syscall_64+0x3b/0x80 [ 30.044634][ T8] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 30.050364][ T8] [ 30.052532][ T8] Freed by task 0: [ 30.056091][ T8] kasan_set_track+0x4b/0x70 [ 30.060518][ T8] kasan_save_free_info+0x2b/0x40 [ 30.065464][ T8] ____kasan_slab_free+0x131/0x180 [ 30.070411][ T8] __kasan_slab_free+0x11/0x20 [ 30.075011][ T8] kmem_cache_free+0x291/0x560 [ 30.079610][ T8] f2fs_free_inode+0x24/0x30 [ 30.084039][ T8] i_callback+0x4b/0x70 [ 30.088036][ T8] rcu_do_batch+0x552/0xbe0 [ 30.092371][ T8] rcu_core+0x502/0xf40 [ 30.096362][ T8] rcu_core_si+0x9/0x10 [ 30.100445][ T8] handle_softirqs+0x1db/0x650 [ 30.105042][ T8] __irq_exit_rcu+0x52/0xf0 [ 30.109381][ T8] irq_exit_rcu+0x9/0x10 [ 30.113461][ T8] sysvec_apic_timer_interrupt+0xa9/0xc0 [ 30.118929][ T8] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 30.124744][ T8] [ 30.126915][ T8] Last potentially related work creation: [ 30.132469][ T8] kasan_save_stack+0x3b/0x60 [ 30.136982][ T8] __kasan_record_aux_stack+0xb4/0xc0 [ 30.142188][ T8] kasan_record_aux_stack_noalloc+0xb/0x10 [ 30.147831][ T8] call_rcu+0xdc/0x10f0 [ 30.151878][ T8] evict+0x87d/0x930 [ 30.155556][ T8] iput+0x616/0x690 [ 30.159202][ T8] do_unlinkat+0x4e1/0x920 [ 30.163455][ T8] __x64_sys_unlink+0x49/0x50 [ 30.167966][ T8] x64_sys_call+0x289/0x9a0 [ 30.172305][ T8] do_syscall_64+0x3b/0x80 [ 30.176559][ T8] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 30.182407][ T8] [ 30.184565][ T8] The buggy address belongs to the object at ffff888100580000 [ 30.184565][ T8] which belongs to the cache f2fs_inode_cache of size 1360 [ 30.199085][ T8] The buggy address is located 952 bytes inside of [ 30.199085][ T8] 1360-byte region [ffff888100580000, ffff888100580550) [ 30.212285][ T8] [ 30.214474][ T8] The buggy address belongs to the physical page: [ 30.220712][ T8] page:ffffea0004016000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100580 [ 30.230763][ T8] head:ffffea0004016000 order:3 compound_mapcount:0 compound_pincount:0 [ 30.238920][ T8] flags: 0x4000000000010200(slab|head|zone=1) [ 30.244835][ T8] raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c2f00 [ 30.253252][ T8] raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000 [ 30.261665][ T8] page dumped because: kasan: bad access detected [ 30.267928][ T8] page_owner tracks the page as allocated [ 30.273465][ T8] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor399), ts 24637948684, free_ts 0 [ 30.295119][ T8] post_alloc_hook+0x213/0x220 [ 30.299714][ T8] prep_new_page+0x1b/0x110 [ 30.304052][ T8] get_page_from_freelist+0x3a98/0x3b10 [ 30.309436][ T8] __alloc_pages+0x234/0x610 [ 30.313861][ T8] alloc_slab_page+0x6c/0xf0 [ 30.318283][ T8] new_slab+0x90/0x3e0 [ 30.322187][ T8] ___slab_alloc+0x6f9/0xb80 [ 30.326615][ T8] __slab_alloc+0x5d/0xa0 [ 30.330782][ T8] kmem_cache_alloc_lru+0x149/0x270 [ 30.335816][ T8] f2fs_alloc_inode+0x2d/0x350 [ 30.340504][ T8] iget_locked+0x18c/0x7e0 [ 30.344759][ T8] f2fs_iget+0x55/0x4ca0 [ 30.348836][ T8] f2fs_fill_super+0x5360/0x6dc0 [ 30.353628][ T8] mount_bdev+0x282/0x3b0 [ 30.357775][ T8] f2fs_mount+0x34/0x40 [ 30.361768][ T8] legacy_get_tree+0xf1/0x190 [ 30.366283][ T8] page_owner free stack trace missing [ 30.371490][ T8] [ 30.373657][ T8] Memory state around the buggy address: [ 30.379130][ T8] ffff888100580280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.387028][ T8] ffff888100580300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.394928][ T8] >ffff888100580380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.402821][ T8] ^ [ 30.408562][ T8] ffff888100580400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.416464][ T8] ffff888100580480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.424431][ T8] ================================================================== [ 30.432425][ T8] Disabling lock debugging due to kernel taint