Warning: Permanently added '10.128.0.184' (ED25519) to the list of known hosts. executing program [ 75.290250][ T5835] loop0: detected capacity change from 0 to 32768 [ 75.315630][ T5835] ================================================================== [ 75.323757][ T5835] BUG: KASAN: slab-use-after-free in diWrite+0xde3/0x19b0 [ 75.330959][ T5835] Write of size 32 at addr ffff8880336df0c0 by task syz-executor238/5835 [ 75.339452][ T5835] [ 75.341825][ T5835] CPU: 1 UID: 0 PID: 5835 Comm: syz-executor238 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0 [ 75.352615][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 75.362700][ T5835] Call Trace: [ 75.365986][ T5835] <TASK> [ 75.368931][ T5835] dump_stack_lvl+0x241/0x360 [ 75.373629][ T5835] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.378843][ T5835] ? __pfx__printk+0x10/0x10 [ 75.383498][ T5835] ? _printk+0xd5/0x120 [ 75.387672][ T5835] ? __virt_addr_valid+0x183/0x530 [ 75.392901][ T5835] ? __virt_addr_valid+0x183/0x530 [ 75.398047][ T5835] print_report+0x169/0x550 [ 75.402569][ T5835] ? __virt_addr_valid+0x183/0x530 [ 75.407689][ T5835] ? __virt_addr_valid+0x183/0x530 [ 75.412821][ T5835] ? __virt_addr_valid+0x45f/0x530 [ 75.417955][ T5835] ? __phys_addr+0xba/0x170 [ 75.422472][ T5835] ? diWrite+0xde3/0x19b0 [ 75.426801][ T5835] kasan_report+0x143/0x180 [ 75.431307][ T5835] ? diWrite+0xde3/0x19b0 [ 75.435721][ T5835] kasan_check_range+0x282/0x290 [ 75.440745][ T5835] ? diWrite+0xde3/0x19b0 [ 75.445074][ T5835] __asan_memcpy+0x40/0x70 [ 75.449519][ T5835] diWrite+0xde3/0x19b0 [ 75.453678][ T5835] txCommit+0xa1a/0x6b90 [ 75.457954][ T5835] ? txLock+0x2b8/0x1f40 [ 75.462197][ T5835] ? add_index+0x34c/0x1620 [ 75.466748][ T5835] ? __pfx_add_index+0x10/0x10 [ 75.471536][ T5835] ? __pfx_txCommit+0x10/0x10 [ 75.476225][ T5835] ? rcu_is_watching+0x15/0xb0 [ 75.481001][ T5835] ? __mark_inode_dirty+0x3db/0xe90 [ 75.486219][ T5835] add_missing_indices+0x8b3/0xbf0 [ 75.491341][ T5835] ? __pfx_add_missing_indices+0x10/0x10 [ 75.496999][ T5835] ? alloc_pages_noprof+0xef/0x170 [ 75.502130][ T5835] jfs_readdir+0x1fc5/0x3c50 [ 75.506745][ T5835] ? __pfx_jfs_readdir+0x10/0x10 [ 75.511691][ T5835] ? __pfx_lock_acquire+0x10/0x10 [ 75.516826][ T5835] ? down_write+0x18c/0x220 [ 75.521331][ T5835] ? __pfx_down_write+0x10/0x10 [ 75.526184][ T5835] ? __pfx_jfs_readdir+0x10/0x10 [ 75.531146][ T5835] wrap_directory_iterator+0x91/0xd0 [ 75.536444][ T5835] iterate_dir+0x571/0x800 [ 75.540870][ T5835] __se_sys_getdents64+0x1e2/0x4b0 [ 75.545988][ T5835] ? __pfx___se_sys_getdents64+0x10/0x10 [ 75.551625][ T5835] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 75.557606][ T5835] ? __pfx_filldir64+0x10/0x10 [ 75.562392][ T5835] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 75.568736][ T5835] ? exc_page_fault+0x590/0x8c0 [ 75.573885][ T5835] ? do_syscall_64+0xb6/0x230 [ 75.578580][ T5835] do_syscall_64+0xf3/0x230 [ 75.583091][ T5835] ? clear_bhb_loop+0x35/0x90 [ 75.587786][ T5835] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.593713][ T5835] RIP: 0033:0x7f211e65be99 [ 75.598150][ T5835] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 75.617859][ T5835] RSP: 002b:00007ffefb8cee98 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 75.626292][ T5835] RAX: ffffffffffffffda RBX: 00007f211e6a5179 RCX: 00007f211e65be99 [ 75.634302][ T5835] RDX: 0000000000001000 RSI: 00000000200038c0 RDI: 0000000000000005 [ 75.642284][ T5835] RBP: 00007f211e6a5157 R08: 00007f211e6b063c R09: 00007f211e6b063c [ 75.650279][ T5835] R10: 00007f211e6b063c R11: 0000000000000246 R12: 00007f211e6b063c [ 75.658285][ T5835] R13: 00007f211e6a50dc R14: 0000000000000001 R15: 0000000000000001 [ 75.666287][ T5835] </TASK> [ 75.669518][ T5835] [ 75.671842][ T5835] Allocated by task 5691: [ 75.676179][ T5835] kasan_save_track+0x3f/0x80 [ 75.680913][ T5835] __kasan_slab_alloc+0x66/0x80 [ 75.685794][ T5835] kmem_cache_alloc_noprof+0x135/0x2a0 [ 75.691271][ T5835] skb_clone+0x20c/0x390 [ 75.695534][ T5835] dev_queue_xmit_nit+0x249/0xca0 [ 75.701021][ T5835] dev_hard_start_xmit+0x15f/0x7e0 [ 75.706147][ T5835] sch_direct_xmit+0x29c/0x5d0 [ 75.710916][ T5835] __dev_queue_xmit+0x1a8f/0x3f50 [ 75.715946][ T5835] ip_finish_output2+0xd41/0x1390 [ 75.720976][ T5835] __ip_queue_xmit+0x12ca/0x1ef0 [ 75.725944][ T5835] __tcp_transmit_skb+0x2582/0x3ba0 [ 75.731157][ T5835] tcp_recvmsg_locked+0x330f/0x3c80 [ 75.736467][ T5835] tcp_recvmsg+0x25d/0x920 [ 75.741237][ T5835] inet_recvmsg+0x150/0x2d0 [ 75.745737][ T5835] sock_recvmsg+0x1ae/0x280 [ 75.750246][ T5835] sock_read_iter+0x2c4/0x3d0 [ 75.754934][ T5835] vfs_read+0x991/0xb70 [ 75.759097][ T5835] ksys_read+0x18f/0x2b0 [ 75.763340][ T5835] do_syscall_64+0xf3/0x230 [ 75.767842][ T5835] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.773739][ T5835] [ 75.776053][ T5835] Freed by task 5691: [ 75.780026][ T5835] kasan_save_track+0x3f/0x80 [ 75.784703][ T5835] kasan_save_free_info+0x40/0x50 [ 75.789751][ T5835] __kasan_slab_free+0x59/0x70 [ 75.794518][ T5835] kmem_cache_free+0x1a2/0x420 [ 75.799302][ T5835] packet_rcv+0x16f/0x14b0 [ 75.803714][ T5835] dev_queue_xmit_nit+0xb6e/0xca0 [ 75.808739][ T5835] dev_hard_start_xmit+0x15f/0x7e0 [ 75.813871][ T5835] sch_direct_xmit+0x29c/0x5d0 [ 75.818634][ T5835] __dev_queue_xmit+0x1a8f/0x3f50 [ 75.823658][ T5835] ip_finish_output2+0xd41/0x1390 [ 75.828684][ T5835] __ip_queue_xmit+0x12ca/0x1ef0 [ 75.833618][ T5835] __tcp_transmit_skb+0x2582/0x3ba0 [ 75.838815][ T5835] tcp_recvmsg_locked+0x330f/0x3c80 [ 75.844031][ T5835] tcp_recvmsg+0x25d/0x920 [ 75.848447][ T5835] inet_recvmsg+0x150/0x2d0 [ 75.852979][ T5835] sock_recvmsg+0x1ae/0x280 [ 75.857481][ T5835] sock_read_iter+0x2c4/0x3d0 [ 75.862162][ T5835] vfs_read+0x991/0xb70 [ 75.866338][ T5835] ksys_read+0x18f/0x2b0 [ 75.870592][ T5835] do_syscall_64+0xf3/0x230 [ 75.875091][ T5835] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.881071][ T5835] [ 75.883391][ T5835] The buggy address belongs to the object at ffff8880336df000 [ 75.883391][ T5835] which belongs to the cache skbuff_head_cache of size 240 [ 75.897964][ T5835] The buggy address is located 192 bytes inside of [ 75.897964][ T5835] freed 240-byte region [ffff8880336df000, ffff8880336df0f0) [ 75.911766][ T5835] [ 75.914089][ T5835] The buggy address belongs to the physical page: [ 75.920501][ T5835] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x336df [ 75.929271][ T5835] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 75.936380][ T5835] page_type: f5(slab) [ 75.940361][ T5835] raw: 00fff00000000000 ffff88801dec0780 dead000000000122 0000000000000000 [ 75.948943][ T5835] raw: 0000000000000000 00000000000c000c 00000001f5000000 0000000000000000 [ 75.957519][ T5835] page dumped because: kasan: bad access detected [ 75.963931][ T5835] page_owner tracks the page as allocated [ 75.969643][ T5835] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5691, tgid 5691 (sshd), ts 65488149768, free_ts 64301147302 [ 75.988221][ T5835] post_alloc_hook+0x1f3/0x230 [ 75.993015][ T5835] get_page_from_freelist+0x363e/0x3790 [ 75.998566][ T5835] __alloc_pages_noprof+0x292/0x710 [ 76.003767][ T5835] alloc_pages_mpol_noprof+0x3e8/0x680 [ 76.009226][ T5835] alloc_slab_page+0x6a/0x140 [ 76.013908][ T5835] allocate_slab+0x5a/0x2f0 [ 76.018436][ T5835] ___slab_alloc+0xcd1/0x14b0 [ 76.023114][ T5835] __slab_alloc+0x58/0xa0 [ 76.027465][ T5835] kmem_cache_alloc_noprof+0x1c1/0x2a0 [ 76.032942][ T5835] skb_clone+0x20c/0x390 [ 76.037209][ T5835] dev_queue_xmit_nit+0x249/0xca0 [ 76.042254][ T5835] dev_hard_start_xmit+0x15f/0x7e0 [ 76.047373][ T5835] sch_direct_xmit+0x29c/0x5d0 [ 76.052166][ T5835] __dev_queue_xmit+0x1a8f/0x3f50 [ 76.057204][ T5835] ip_finish_output2+0xd41/0x1390 [ 76.062241][ T5835] __ip_queue_xmit+0x12ca/0x1ef0 [ 76.067190][ T5835] page last free pid 5691 tgid 5691 stack trace: [ 76.073520][ T5835] free_unref_page+0xded/0x1130 [ 76.078374][ T5835] __put_partials+0xeb/0x130 [ 76.082966][ T5835] put_cpu_partial+0x17c/0x250 [ 76.087734][ T5835] __slab_free+0x2ea/0x3d0 [ 76.092174][ T5835] qlist_free_all+0x9a/0x140 [ 76.096766][ T5835] kasan_quarantine_reduce+0x14f/0x170 [ 76.102229][ T5835] __kasan_slab_alloc+0x23/0x80 [ 76.107090][ T5835] kmem_cache_alloc_noprof+0x135/0x2a0 [ 76.112557][ T5835] ptlock_alloc+0x20/0x70 [ 76.116909][ T5835] pte_alloc_one+0xd3/0x610 [ 76.121411][ T5835] __pte_alloc+0x79/0x3c0 [ 76.125746][ T5835] handle_pte_fault+0x510e/0x68a0 [ 76.130775][ T5835] handle_mm_fault+0x1053/0x1ad0 [ 76.135712][ T5835] exc_page_fault+0x459/0x8c0 [ 76.140397][ T5835] asm_exc_page_fault+0x26/0x30 [ 76.145246][ T5835] [ 76.147577][ T5835] Memory state around the buggy address: [ 76.153225][ T5835] ffff8880336def80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 76.161288][ T5835] ffff8880336df000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.169347][ T5835] >ffff8880336df080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 76.177401][ T5835] ^ [ 76.183545][ T5835] ffff8880336df100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 76.191602][ T5835] ffff8880336df180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.199656][ T5835] ================================================================== [ 76.208397][ T5835] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.215630][ T5835] CPU: 1 UID: 0 PID: 5835 Comm: syz-executor238 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0 [ 76.226402][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 76.236469][ T5835] Call Trace: [ 76.239756][ T5835] <TASK> [ 76.242694][ T5835] dump_stack_lvl+0x241/0x360 [ 76.247384][ T5835] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.252763][ T5835] ? __pfx__printk+0x10/0x10 [ 76.257369][ T5835] ? preempt_schedule+0xe1/0xf0 [ 76.262236][ T5835] ? vscnprintf+0x5d/0x90 [ 76.266575][ T5835] panic+0x349/0x880 [ 76.270486][ T5835] ? check_panic_on_warn+0x21/0xb0 [ 76.275608][ T5835] ? __pfx_panic+0x10/0x10 [ 76.280045][ T5835] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 76.286045][ T5835] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.292386][ T5835] ? print_report+0x502/0x550 [ 76.297106][ T5835] check_panic_on_warn+0x86/0xb0 [ 76.302068][ T5835] ? diWrite+0xde3/0x19b0 [ 76.306403][ T5835] end_report+0x77/0x160 [ 76.310653][ T5835] kasan_report+0x154/0x180 [ 76.315162][ T5835] ? diWrite+0xde3/0x19b0 [ 76.319500][ T5835] kasan_check_range+0x282/0x290 [ 76.324441][ T5835] ? diWrite+0xde3/0x19b0 [ 76.328779][ T5835] __asan_memcpy+0x40/0x70 [ 76.333208][ T5835] diWrite+0xde3/0x19b0 [ 76.337376][ T5835] txCommit+0xa1a/0x6b90 [ 76.341626][ T5835] ? txLock+0x2b8/0x1f40 [ 76.345876][ T5835] ? add_index+0x34c/0x1620 [ 76.350395][ T5835] ? __pfx_add_index+0x10/0x10 [ 76.355175][ T5835] ? __pfx_txCommit+0x10/0x10 [ 76.359861][ T5835] ? rcu_is_watching+0x15/0xb0 [ 76.364635][ T5835] ? __mark_inode_dirty+0x3db/0xe90 [ 76.369844][ T5835] add_missing_indices+0x8b3/0xbf0 [ 76.374971][ T5835] ? __pfx_add_missing_indices+0x10/0x10 [ 76.380619][ T5835] ? alloc_pages_noprof+0xef/0x170 [ 76.385736][ T5835] jfs_readdir+0x1fc5/0x3c50 [ 76.390353][ T5835] ? __pfx_jfs_readdir+0x10/0x10 [ 76.395318][ T5835] ? __pfx_lock_acquire+0x10/0x10 [ 76.400381][ T5835] ? down_write+0x18c/0x220 [ 76.404910][ T5835] ? __pfx_down_write+0x10/0x10 [ 76.409789][ T5835] ? __pfx_jfs_readdir+0x10/0x10 [ 76.414742][ T5835] wrap_directory_iterator+0x91/0xd0 [ 76.420050][ T5835] iterate_dir+0x571/0x800 [ 76.424483][ T5835] __se_sys_getdents64+0x1e2/0x4b0 [ 76.429614][ T5835] ? __pfx___se_sys_getdents64+0x10/0x10 [ 76.435258][ T5835] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 76.441245][ T5835] ? __pfx_filldir64+0x10/0x10 [ 76.446022][ T5835] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 76.452368][ T5835] ? exc_page_fault+0x590/0x8c0 [ 76.457289][ T5835] ? do_syscall_64+0xb6/0x230 [ 76.462012][ T5835] do_syscall_64+0xf3/0x230 [ 76.466538][ T5835] ? clear_bhb_loop+0x35/0x90 [ 76.471258][ T5835] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.477226][ T5835] RIP: 0033:0x7f211e65be99 [ 76.481659][ T5835] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 76.501292][ T5835] RSP: 002b:00007ffefb8cee98 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 76.509727][ T5835] RAX: ffffffffffffffda RBX: 00007f211e6a5179 RCX: 00007f211e65be99 [ 76.517705][ T5835] RDX: 0000000000001000 RSI: 00000000200038c0 RDI: 0000000000000005 [ 76.525686][ T5835] RBP: 00007f211e6a5157 R08: 00007f211e6b063c R09: 00007f211e6b063c [ 76.533687][ T5835] R10: 00007f211e6b063c R11: 0000000000000246 R12: 00007f211e6b063c [ 76.541667][ T5835] R13: 00007f211e6a50dc R14: 0000000000000001 R15: 0000000000000001 [ 76.549653][ T5835] </TASK> [ 76.552975][ T5835] Kernel Offset: disabled [ 76.557306][ T5835] Rebooting in 86400 seconds..