./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3642588550
<...>
DUID 00:04:ab:86:5b:51:31:5e:ac:a3:74:55:84:ab:cd:90:ff:3d
forked to background, child pid 4870
[ 34.347116][ T4871] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.357704][ T4871] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts.
execve("./syz-executor3642588550", ["./syz-executor3642588550"], 0x7ffea1fb0dd0 /* 10 vars */) = 0
brk(NULL) = 0x555555a2f000
brk(0x555555a2fc40) = 0x555555a2fc40
arch_prctl(ARCH_SET_FS, 0x555555a2f300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3642588550", 4096) = 28
brk(0x555555a50c40) = 0x555555a50c40
brk(0x555555a51000) = 0x555555a51000
mprotect(0x7f35fa56b000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5297 attached
, child_tidptr=0x555555a2f5d0) = 5297
[pid 5297] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid 5297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5297] setsid() = 1
[pid 5297] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid 5297] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid 5297] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid 5297] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid 5297] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid 5297] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid 5297] unshare(CLONE_NEWNS) = 0
[pid 5297] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid 5297] unshare(CLONE_NEWIPC) = 0
[pid 5297] unshare(CLONE_NEWCGROUP) = 0
[pid 5297] unshare(CLONE_NEWUTS) = 0
[pid 5297] unshare(CLONE_SYSVSEM) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "16777216", 8) = 8
[pid 5297] close(3) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "536870912", 9) = 9
[pid 5297] close(3) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "1024", 4) = 4
[pid 5297] close(3) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "8192", 4) = 4
[pid 5297] close(3) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "1024", 4) = 4
[pid 5297] close(3) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "1024", 4) = 4
[pid 5297] close(3) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "1024 1048576 500 1024", 21) = 21
[pid 5297] close(3) = 0
[pid 5297] getpid() = 1
[pid 5297] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid 5297] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid 5297] unshare(CLONE_NEWNET) = 0
[pid 5297] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid 5297] write(3, "0 65535", 7) = 7
[pid 5297] close(3) = 0
[pid 5297] mkdir("/dev/binderfs", 0777) = 0
[pid 5297] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid 5297] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5297] memfd_create("syzkaller", 0) = 3
[pid 5297] ftruncate(3, 32768) = 0
[pid 5297] pwrite64(3, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23, 0) = 23
[pid 5297] pwrite64(3, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82"..., 450, 1534) = 450
[pid 5297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5297] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5297] mkdir("./file0", 0777) = 0
[pid 5297] mount("/dev/loop0", "./file0", "vfat", MS_POSIXACL|MS_LAZYTIME, "iocharset=cp852,nonumtail=0,shortname=mixed,shortname=lower,check=strict,shortname=win95,discard,ioc"...) = 0
[pid 5297] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 5
[pid 5297] ioctl(4, LOOP_CLR_FD) = 0
[pid 5297] close(4) = 0
[pid 5297] close(3) = 0
[pid 5297] chdir("./file0") = 0
[pid 5297] openat(AT_FDCWD, "./file0", O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_APPEND|O_NONBLOCK|__O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_CLOEXEC|FASYNC|0x8d800030, 000) = 3
[pid 5297] unlink("./file0") = 0
[pid 5297] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4
syzkaller login: [ 54.450350][ T5297] loop0: detected capacity change from 0 to 64
[ 54.473280][ T26] audit: type=1800 audit(1668935888.910:2): pid=5297 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz-executor364" name="file0" dev="loop0" ino=1048583 res=0 errno=0
[pid 5297] write(4, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x20\x00\x00\x00\x00\xc2\x01\x00\x00\x00\x00\x00\x00\xfe\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 989098014) = 458752
[pid 5297] pwritev(3, [{iov_base="J", iov_len=1}], 1, 0) = -1 ENOSPC (No space left on device)
[ 54.500195][ T5297] syz-executor364: attempt to access beyond end of device
[ 54.500195][ T5297] loop0: rw=2049, sector=135, nr_sectors = 768 limit=64
[pid 5297] close(3) = 0
[pid 5297] close(4) = 0
[pid 5297] close(5) = 0
[pid 5297] close(6) = -1 EBADF (Bad file descriptor)
[pid 5297] close(7) = -1 EBADF (Bad file descriptor)
[pid 5297] close(8) = -1 EBADF (Bad file descriptor)
[pid 5297] close(9) = -1 EBADF (Bad file descriptor)
[pid 5297] close(10) = -1 EBADF (Bad file descriptor)
[pid 5297] close(11) = -1 EBADF (Bad file descriptor)
[pid 5297] close(12) = -1 EBADF (Bad file descriptor)
[pid 5297] close(13) = -1 EBADF (Bad file descriptor)
[pid 5297] close(14) = -1 EBADF (Bad file descriptor)
[pid 5297] close(15) = -1 EBADF (Bad file descriptor)
[pid 5297] close(16) = -1 EBADF (Bad file descriptor)
[pid 5297] close(17) = -1 EBADF (Bad file descriptor)
[pid 5297] close(18) = -1 EBADF (Bad file descriptor)
[pid 5297] close(19) = -1 EBADF (Bad file descriptor)
[pid 5297] close(20) = -1 EBADF (Bad file descriptor)
[pid 5297] close(21) = -1 EBADF (Bad file descriptor)
[pid 5297] close(22) = -1 EBADF (Bad file descriptor)
[pid 5297] close(23) = -1 EBADF (Bad file descriptor)
[pid 5297] close(24) = -1 EBADF (Bad file descriptor)
[pid 5297] close(25) = -1 EBADF (Bad file descriptor)
[pid 5297] close(26) = -1 EBADF (Bad file descriptor)
[pid 5297] close(27) = -1 EBADF (Bad file descriptor)
[pid 5297] close(28) = -1 EBADF (Bad file descriptor)
[pid 5297] close(29) = -1 EBADF (Bad file descriptor)
[pid 5297] exit_group(1) = ?
[ 54.750609][ T56] ==================================================================
[ 54.758727][ T56] BUG: KASAN: use-after-free in move_expired_inodes+0x765/0x7e0
[ 54.766405][ T56] Read of size 8 at addr ffff8880735915a8 by task kworker/u4:4/56
[ 54.774210][ T56]
[ 54.776526][ T56] CPU: 0 PID: 56 Comm: kworker/u4:4 Not tainted 6.1.0-rc5-next-20221116-syzkaller #0
[ 54.785966][ T56] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 54.796010][ T56] Workqueue: writeback wb_workfn (flush-7:0)
[ 54.801993][ T56] Call Trace:
[ 54.805436][ T56] <TASK>
[ 54.808356][ T56] dump_stack_lvl+0xd1/0x138
[ 54.812955][ T56] print_report+0x15e/0x45d
[ 54.817444][ T56] ? __phys_addr+0xc8/0x140
[ 54.822114][ T56] ? move_expired_inodes+0x765/0x7e0
[ 54.827411][ T56] kasan_report+0xbf/0x1f0
[ 54.831826][ T56] ? move_expired_inodes+0x765/0x7e0
[ 54.837102][ T56] move_expired_inodes+0x765/0x7e0
[ 54.842202][ T56] ? trace_event_raw_event_track_foreign_dirty+0x620/0x620
[ 54.849405][ T56] ? do_raw_spin_lock+0x124/0x2b0
[ 54.854423][ T56] queue_io+0x205/0x600
[ 54.858568][ T56] wb_writeback+0xa0b/0xd70
[ 54.863145][ T56] ? __writeback_inodes_wb+0x280/0x280
[ 54.868604][ T56] wb_workfn+0x2e0/0x12f0
[ 54.872927][ T56] ? inode_wait_for_writeback+0x40/0x40
[ 54.878466][ T56] ? lock_release+0x810/0x810
[ 54.883137][ T56] ? lock_downgrade+0x6e0/0x6e0
[ 54.887987][ T56] process_one_work+0x9bf/0x1710
[ 54.892915][ T56] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 54.898295][ T56] ? rwlock_bug.part.0+0x90/0x90
[ 54.903231][ T56] ? _raw_spin_lock_irq+0x45/0x50
[ 54.908259][ T56] worker_thread+0x669/0x1090
[ 54.912935][ T56] ? __kthread_parkme+0x163/0x220
[ 54.917954][ T56] ? process_one_work+0x1710/0x1710
[ 54.923146][ T56] kthread+0x2e8/0x3a0
[ 54.927203][ T56] ? kthread_complete_and_exit+0x40/0x40
[ 54.932930][ T56] ret_from_fork+0x1f/0x30
[ 54.937347][ T56] </TASK>
[ 54.940352][ T56]
[ 54.942661][ T56] Allocated by task 5297:
[ 54.946968][ T56] kasan_save_stack+0x22/0x40
[ 54.951660][ T56] kasan_set_track+0x25/0x30
[ 54.956250][ T56] __kasan_slab_alloc+0x82/0x90
[ 54.961096][ T56] kmem_cache_alloc_lru+0x26c/0x760
[ 54.966287][ T56] fat_alloc_inode+0x27/0x1f0
[ 54.970954][ T56] alloc_inode+0x61/0x230
[ 54.975269][ T56] new_inode+0x2b/0x280
[ 54.979418][ T56] fat_build_inode+0x14a/0x2e0
[ 54.984174][ T56] vfat_create+0x1cb/0x270
[ 54.988579][ T56] lookup_open.isra.0+0xee7/0x1270
[ 54.993678][ T56] path_openat+0x975/0x2a50
[ 54.998167][ T56] do_filp_open+0x1ba/0x410
[ 55.002657][ T56] do_sys_openat2+0x16d/0x4c0
[ 55.007327][ T56] __x64_sys_openat+0x143/0x1f0
[ 55.012165][ T56] do_syscall_64+0x39/0xb0
[ 55.016701][ T56] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.022605][ T56]
[ 55.024926][ T56] Freed by task 0:
[ 55.028637][ T56] kasan_save_stack+0x22/0x40
[ 55.033315][ T56] kasan_set_track+0x25/0x30
[ 55.037896][ T56] kasan_save_free_info+0x2e/0x40
[ 55.042904][ T56] ____kasan_slab_free+0x160/0x1c0
[ 55.048004][ T56] slab_free_freelist_hook+0x8b/0x1c0
[ 55.053370][ T56] kmem_cache_free+0xee/0x5c0
[ 55.058050][ T56] i_callback+0x43/0x70
[ 55.062190][ T56] rcu_core+0x81f/0x1980
[ 55.066419][ T56] __do_softirq+0x1fb/0xadc
[ 55.070912][ T56]
[ 55.073219][ T56] Last potentially related work creation:
[ 55.078982][ T56] kasan_save_stack+0x22/0x40
[ 55.083650][ T56] __kasan_record_aux_stack+0xbc/0xd0
[ 55.089022][ T56] __call_rcu_common.constprop.0+0x99/0x820
[ 55.094907][ T56] destroy_inode+0x129/0x1b0
[ 55.099482][ T56] iput.part.0+0x59b/0x880
[ 55.103888][ T56] iput+0x5c/0x80
[ 55.107510][ T56] dentry_unlink_inode+0x2b1/0x460
[ 55.112621][ T56] __dentry_kill+0x3c0/0x640
[ 55.117202][ T56] dput+0x651/0xdb0
[ 55.121027][ T56] __fput+0x3cc/0xa90
[ 55.124998][ T56] task_work_run+0x16f/0x270
[ 55.129581][ T56] ptrace_notify+0x118/0x140
[ 55.134164][ T56] syscall_exit_to_user_mode_prepare+0x129/0x280
[ 55.140477][ T56] syscall_exit_to_user_mode+0xd/0x50
[ 55.145836][ T56] do_syscall_64+0x46/0xb0
[ 55.150251][ T56] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.156217][ T56]
[ 55.158524][ T56] The buggy address belongs to the object at ffff8880735912f0
[ 55.158524][ T56] which belongs to the cache fat_inode_cache of size 1488
[ 55.172994][ T56] The buggy address is located 696 bytes inside of
[ 55.172994][ T56] 1488-byte region [ffff8880735912f0, ffff8880735918c0)
[ 55.186338][ T56]
[ 55.188645][ T56] The buggy address belongs to the physical page:
[ 55.195041][ T56] page:ffffea0001cd6400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73590
[ 55.205189][ T56] head:ffffea0001cd6400 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[ 55.215242][ T56] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 55.223215][ T56] raw: 00fff00000010200 ffff888019022a00 dead000000000122 0000000000000000
[ 55.231784][ T56] raw: 0000000000000000 0000000080140014 00000001ffffffff 0000000000000000
[ 55.240357][ T56] page dumped because: kasan: bad access detected
[ 55.246756][ T56] page_owner tracks the page as allocated
[ 55.252456][ T56] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5297, tgid 5297 (syz-executor364), ts 54461406303, free_ts 14487442433
[ 55.275555][ T56] get_page_from_freelist+0x10b5/0x2d50
[ 55.281094][ T56] __alloc_pages+0x1cb/0x5b0
[ 55.285673][ T56] alloc_pages+0x1aa/0x270
[ 55.290093][ T56] allocate_slab+0x25e/0x350
[ 55.294675][ T56] ___slab_alloc+0xa91/0x1400
[ 55.299344][ T56] __slab_alloc.constprop.0+0x56/0xa0
[ 55.304714][ T56] kmem_cache_alloc_lru+0x4db/0x760
[ 55.309908][ T56] fat_alloc_inode+0x27/0x1f0
[ 55.314575][ T56] alloc_inode+0x61/0x230
[ 55.318894][ T56] new_inode+0x2b/0x280
[ 55.323035][ T56] fat_fill_super+0x1b64/0x3680
[ 55.327872][ T56] mount_bdev+0x351/0x410
[ 55.332188][ T56] legacy_get_tree+0x109/0x220
[ 55.336951][ T56] vfs_get_tree+0x8d/0x2f0
[ 55.341351][ T56] path_mount+0x132a/0x1e20
[ 55.345839][ T56] __x64_sys_mount+0x283/0x300
[ 55.350850][ T56] page last free stack trace:
[ 55.355590][ T56] free_pcp_prepare+0x65c/0xc00
[ 55.360434][ T56] free_unref_page+0x1d/0x4d0
[ 55.365124][ T56] free_contig_range+0xb5/0x180
[ 55.369957][ T56] destroy_args+0xa8/0x64c
[ 55.374366][ T56] debug_vm_pgtable+0x28de/0x296f
[ 55.379380][ T56] do_one_initcall+0x141/0x790
[ 55.384132][ T56] kernel_init_freeable+0x6f9/0x782
[ 55.389318][ T56] kernel_init+0x1e/0x1d0
[ 55.393647][ T56] ret_from_fork+0x1f/0x30
[ 55.398051][ T56]
[ 55.400362][ T56] Memory state around the buggy address:
[ 55.405973][ T56] ffff888073591480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.414027][ T56] ffff888073591500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.422073][ T56] >ffff888073591580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.430121][ T56] ^
[ 55.435471][ T56] ffff888073591600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.443606][ T56] ffff888073591680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.451741][ T56] ==================================================================
[ 55.459889][ T56] Kernel panic - not syncing: panic_on_warn set ...
[ 55.466484][ T56] CPU: 0 PID: 56 Comm: kworker/u4:4 Not tainted 6.1.0-rc5-next-20221116-syzkaller #0
[ 55.477055][ T56] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 55.488479][ T56] Workqueue: writeback wb_workfn (flush-7:0)
[ 55.494489][ T56] Call Trace:
[ 55.497769][ T56] <TASK>
[ 55.500705][ T56] dump_stack_lvl+0xd1/0x138
[ 55.505338][ T56] panic+0x2cc/0x626
[ 55.509263][ T56] ? panic_print_sys_info.part.0+0x110/0x110
[ 55.515293][ T56] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 55.521478][ T56] end_report.part.0+0x3f/0x7c
[ 55.526253][ T56] ? move_expired_inodes+0x765/0x7e0
[ 55.531559][ T56] kasan_report.cold+0xa/0xf
[ 55.536162][ T56] ? move_expired_inodes+0x765/0x7e0
[ 55.541460][ T56] move_expired_inodes+0x765/0x7e0
[ 55.546589][ T56] ? trace_event_raw_event_track_foreign_dirty+0x620/0x620
[ 55.553798][ T56] ? do_raw_spin_lock+0x124/0x2b0
[ 55.558831][ T56] queue_io+0x205/0x600
[ 55.563014][ T56] wb_writeback+0xa0b/0xd70
[ 55.567532][ T56] ? __writeback_inodes_wb+0x280/0x280
[ 55.573033][ T56] wb_workfn+0x2e0/0x12f0
[ 55.577440][ T56] ? inode_wait_for_writeback+0x40/0x40
[ 55.583013][ T56] ? lock_release+0x810/0x810
[ 55.587715][ T56] ? lock_downgrade+0x6e0/0x6e0
[ 55.592602][ T56] process_one_work+0x9bf/0x1710
[ 55.597557][ T56] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 55.602945][ T56] ? rwlock_bug.part.0+0x90/0x90
[ 55.607982][ T56] ? _raw_spin_lock_irq+0x45/0x50
[ 55.613026][ T56] worker_thread+0x669/0x1090
[ 55.617719][ T56] ? __kthread_parkme+0x163/0x220
[ 55.622762][ T56] ? process_one_work+0x1710/0x1710
[ 55.627975][ T56] kthread+0x2e8/0x3a0
[ 55.632048][ T56] ? kthread_complete_and_exit+0x40/0x40
[ 55.637689][ T56] ret_from_fork+0x1f/0x30
[ 55.642128][ T56] </TASK>
[ 55.645347][ T56] Kernel Offset: disabled
[ 55.649667][ T56] Rebooting in 86400 seconds..