sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
------------[ cut here ]------------
kernfs_put: syz5/pids.events: released with incorrect active_ref 0
WARNING: CPU: 0 PID: 17066 at fs/kernfs/dir.c:531 kernfs_put.part.0+0x433/0x540
Modules linked in:
CPU: 0 PID: 17066 Comm: kworker/0:0 Not tainted 5.19.0-rc5-next-20220706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events kernfs_notify_workfn
RIP: 0010:kernfs_put.part.0+0x433/0x540
Code: 03 80 3c 18 00 0f 85 ea 00 00 00 4d 8b 7d 38 e8 53 fc a6 ff 48 8b 14 24 44 89 f1 4c 89 fe 48 c7 c7 e0 5b 72 84 e8 13 aa 6c 02 <0f> 0b e9 b9 fc ff ff 48 89 ef e8 0e b3 d9 ff e9 c1 fd ff ff e8 04
RSP: 0018:ffff888045c07bd8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffff888045ce5040 RSI: ffffffff812bd348 RDI: ffffed1008b80f6d
RBP: ffff88801b83f690 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801b83f658
R13: ffff888018994828 R14: 0000000000000000 R15: ffff888014b30f50
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5a914e69c8 CR3: 00000000230ba000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Call Trace:
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
process_one_work+0xa0f/0x1690
worker_thread+0x637/0x1250
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
irq event stamp: 182021
hardirqs last enabled at (182027): [] vprintk_emit+0x4fe/0x550
hardirqs last disabled at (182032): [] vprintk_emit+0x495/0x550
softirqs last enabled at (181782): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (181751): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in llist_del_first+0x89/0xa0
Read of size 8 at addr ffff88801b83f6d8 by task kworker/0:0/17066
CPU: 0 PID: 17066 Comm: kworker/0:0 Tainted: G W 5.19.0-rc5-next-20220706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events kernfs_notify_workfn
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5e1
kasan_report+0xb1/0x1b0
llist_del_first+0x89/0xa0
kernfs_notify_workfn+0x78/0x560
process_one_work+0xa0f/0x1690
worker_thread+0x637/0x1250
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
Allocated by task 3762:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc+0x1b1/0x490
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x19b/0x450
cgroup_apply_control_enable+0x3ae/0xa40
syz-executor.7: attempt to access beyond end of device
loop7: rw=2049, sector=40, nr_sectors = 4 limit=40
cgroup_mkdir+0x824/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 17066:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
------------[ cut here ]------------
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x108/0x190
kmem_cache_free+0xfb/0x600
WARNING: CPU: 1 PID: 23622 at fs/kernfs/dir.c:504 kernfs_get.part.0+0x69/0x80
kernfs_put.part.0+0x2c7/0x540
Modules linked in:
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
CPU: 1 PID: 23622 Comm: syz-executor.7 Tainted: G W 5.19.0-rc5-next-20220706 #1
process_one_work+0xa0f/0x1690
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
worker_thread+0x637/0x1250
RIP: 0010:kernfs_get.part.0+0x69/0x80
kthread+0x2ed/0x3a0
Code: 31 ff 89 ee e8 a8 fd a6 ff 85 ed 74 18 e8 cf 00 a7 ff be 04 00 00 00 48 89 df e8 d2 ba d9 ff f0 ff 03 5b 5d c3 e8 b7 00 a7 ff <0f> 0b eb df 48 89 df e8 7b b7 d9 ff eb c6 66 0f 1f 84 00 00 00 00
ret_from_fork+0x22/0x30
RSP: 0018:ffff88806cf09c80 EFLAGS: 00010046
The buggy address belongs to the object at ffff88801b83f658
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 128 bytes inside of
168-byte region [ffff88801b83f658, ffff88801b83f700)
RAX: 0000000000000000 RBX: ffff88801b83f658 RCX: 0000000000000100
The buggy address belongs to the physical page:
RDX: ffff888046fd3580 RSI: ffffffff819df849 RDI: 0000000000000005
page:00000000a91903ae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b83f
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
flags: 0x100000000000200(slab|node=0|zone=1)
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
raw: 0100000000000200 ffffea00010f3b00 dead000000000003 ffff8880080358c0
R13: 1ffffffff0a01e40 R14: ffff88801b83f658 R15: ffff88800d9d3130
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
FS: 00007fdb26635700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
page dumped because: kasan: bad access detected
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Memory state around the buggy address:
CR2: 00007f23ab7ed718 CR3: 000000004428e000 CR4: 0000000000350ee0
ffff88801b83f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
ffff88801b83f600: 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb fb
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
>ffff88801b83f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Call Trace:
^
ffff88801b83f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
kernfs_get+0x1b/0x30
ffff88801b83f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
kernfs_notify+0x180/0x350
==================================================================
cgroup_file_notify+0xf5/0x1a0
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
call_timer_fn+0x17d/0x5f0
__run_timers.part.0+0x65e/0xa50
run_timer_softirq+0xae/0x1a0
__do_softirq+0x1c8/0x8cc
__irq_exit_rcu+0x113/0x170
irq_exit_rcu+0x5/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
asm_sysvec_apic_timer_interrupt+0x1b/0x20
RIP: 0010:console_emit_next_record.constprop.0+0x4c8/0x800
Code: 83 e2 07 38 d0 7f 08 84 c0 0f 85 d5 02 00 00 88 5d 00 e8 db 3e 00 00 31 ff 4c 89 f6 e8 61 61 19 00 4d 85 f6 0f 85 76 01 00 00 63 64 19 00 48 b8 00 00 00 00 00 fc ff df 48 03 04 24 48 c7 00
RSP: 0018:ffff8880476269c0 EFLAGS: 00000202
RAX: 00000000000017a7 RBX: 0000000000000001 RCX: ffffffff8128d13f
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888047626b68 R08: 0000000000000001 R09: ffffffff86a6088f
R10: fffffbfff0d4c111 R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff86dacba0 R14: 0000000000000200 R15: ffffffff854a01b8
console_unlock+0x36c/0x590
vprintk_emit+0x1b9/0x550
vprintk+0x80/0x90
_printk+0xba/0xed
submit_bio_noacct.cold+0x98/0xc2
submit_bio+0x8b/0x250
submit_bh_wbc+0x4d0/0x650
__block_write_full_page+0x794/0x1190
block_write_full_page+0x14d/0x190
__mpage_writepage+0x413/0x1710
write_cache_pages+0x48c/0x1190
mpage_writepages+0xc2/0x170
do_writepages+0x1b0/0x690
filemap_fdatawrite_wbc+0x143/0x1b0
__filemap_fdatawrite_range+0xb6/0xf0
file_write_and_wait_range+0xb2/0x120
__generic_file_fsync+0x74/0x1f0
fat_file_fsync+0x73/0x200
vfs_fsync_range+0x13d/0x230
generic_file_write_iter+0x195/0x220
do_iter_readv_writev+0x367/0x5d0
do_iter_write+0x187/0x6f0
vfs_iter_write+0x70/0xa0
iter_file_splice_write+0x736/0xca0
direct_splice_actor+0x10f/0x170
splice_direct_to_actor+0x350/0x8e0
do_splice_direct+0x1b8/0x280
do_sendfile+0xad7/0x1230
__x64_sys_sendfile64+0x1cd/0x210
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fdb290bfb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdb26635188 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fdb291d2f60 RCX: 00007fdb290bfb19
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007fdb29119f6d R08: 0000000000000000 R09: 0000000000000000
R10: 00000000fffffdef R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffce70f475f R14: 00007fdb26635300 R15: 0000000000022000
irq event stamp: 6085
hardirqs last enabled at (6084): [] asm_sysvec_apic_timer_interrupt+0x1b/0x20
hardirqs last disabled at (6085): [] _raw_spin_lock_irqsave+0x4e/0x50
softirqs last enabled at (5912): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (6057): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
syz-executor.1: attempt to access beyond end of device
loop1: rw=2049, sector=40, nr_sectors = 4 limit=40
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
usercopy: Kernel memory overwrite attempt detected to SLUB object 'names_cache' (offset 1912, size 4064)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:101!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 112 Comm: systemd-journal Tainted: G B W 5.19.0-rc5-next-20220706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:usercopy_abort+0xb9/0xbb
Code: e8 49 a3 38 fd 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 20 86 6f 84 ff 74 24 08 41 57 48 8b 54 24 20 e8 2f 03 ff ff <0f> 0b e8 1d a3 38 fd 48 89 e5 e8 e5 4f 6b fd 48 89 e9 8b 54 24 0c
RSP: 0018:ffff8880186e7c50 EFLAGS: 00010286
RAX: 0000000000000069 RBX: ffffffff846fd660 RCX: 0000000000000000
RDX: ffff888016e50000 RSI: ffffffff812bd348 RDI: ffffed10030dcf7c
RBP: ffffffff846f8560 R08: 0000000000000069 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff84e88bda
R13: ffffffff846f84a0 R14: 0000000000000fe0 R15: ffffffff846f8460
FS: 00007fcec1bcd900(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcec1314000 CR3: 000000000ec72000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Call Trace:
__check_heap_object+0x8e/0xd0
__check_object_size+0x234/0x800
strncpy_from_user+0xad/0x3d0
getname_flags.part.0+0x95/0x4f0
getname+0x8e/0xd0
do_sys_openat2+0xf5/0x4c0
__x64_sys_openat+0x13f/0x1f0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fcec2486c64
Code: 84 00 00 00 00 00 44 89 54 24 0c e8 36 61 f9 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 68 61 f9 ff 8b 44
RSP: 002b:00007fffebe81890 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000562705bd5d60 RCX: 00007fcec2486c64
RDX: 0000000000080802 RSI: 0000562705bde460 RDI: 00000000ffffff9c
RBP: 0000562705bde460 R08: 0000000000000000 R09: ffffffffffffff01
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080802
R13: 00000000fffffffa R14: 0000562705c11870 R15: 0000000000000002
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:usercopy_abort+0xb9/0xbb
Code: e8 49 a3 38 fd 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 20 86 6f 84 ff 74 24 08 41 57 48 8b 54 24 20 e8 2f 03 ff ff <0f> 0b e8 1d a3 38 fd 48 89 e5 e8 e5 4f 6b fd 48 89 e9 8b 54 24 0c
RSP: 0018:ffff8880186e7c50 EFLAGS: 00010286
RAX: 0000000000000069 RBX: ffffffff846fd660 RCX: 0000000000000000
RDX: ffff888016e50000 RSI: ffffffff812bd348 RDI: ffffed10030dcf7c
RBP: ffffffff846f8560 R08: 0000000000000069 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff84e88bda
R13: ffffffff846f84a0 R14: 0000000000000fe0 R15: ffffffff846f8460
FS: 00007fcec1bcd900(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcec1314000 CR3: 000000000ec72000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 1.
loop1: detected capacity change from 0 to 40
loop7: detected capacity change from 0 to 40
systemd[1]: Stopping Flush Journal to Persistent Storage...
syz-executor.7: attempt to access beyond end of device
loop7: rw=2049, sector=40, nr_sectors = 4 limit=40
syz-executor.1: attempt to access beyond end of device
loop1: rw=2049, sector=40, nr_sectors = 4 limit=40
kmemleak: Cannot insert 0xffff888046e06600 into the object search tree (overlaps existing)
CPU: 0 PID: 23746 Comm: systemd-udevd Tainted: G B D W 5.19.0-rc5-next-20220706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
__create_object.isra.0.cold+0x44/0x6a
kmem_cache_alloc+0x247/0x490
getname_flags.part.0+0x50/0x4f0
getname+0x8e/0xd0
do_sys_openat2+0xf5/0x4c0
__x64_sys_openat+0x13f/0x1f0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6d2c837767
Code: 25 00 00 41 00 3d 00 00 41 00 74 47 64 8b 04 25 18 00 00 00 85 c0 75 6b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 95 00 00 00 48 8b 4c 24 28 64 48 2b 0c 25
RSP: 002b:00007fffacd734d0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f6d2c837767
RDX: 00000000002a0000 RSI: 00005560b555ead0 RDI: 00000000ffffff9c
RBP: 00005560b555ead0 R08: 00005560b555d750 R09: 00007f6d2c81dbe0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000002a0000
R13: 00000000ffffffff R14: 0000000000000000 R15: 00005560b5542f90
kmemleak: Kernel memory leak detector disabled
kmemleak: Object 0xffff888046e06d58 (size 4096):
kmemleak: comm "systemd-journal", pid 112, jiffies 4297146939
kmemleak: min_count = 1
kmemleak: count = 0
kmemleak: flags = 0x1
kmemleak: checksum = 0
kmemleak: backtrace:
getname_flags.part.0+0x50/0x4f0
getname+0x8e/0xd0
do_sys_openat2+0xf5/0x4c0
__x64_sys_openat+0x13f/0x1f0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
kmemleak: Automatic memory scanning thread ended
syz-executor.7: attempt to access beyond end of device
loop7: rw=2049, sector=40, nr_sectors = 4 limit=40
systemd[1]: systemd-journal-flush.service: Succeeded.
general protection fault, probably for non-canonical address 0x2abebdc22011dc8: 0000 [#2] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 15683 Comm: kworker/u4:11 Tainted: G B D W 5.19.0-rc5-next-20220706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:qlist_free_all+0xaf/0x190
Code: 80 4c 01 c2 0f 82 f0 00 00 00 48 c7 c0 00 00 00 80 48 2b 05 c3 76 7b 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 a1 76 7b 03 <48> 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48
RSP: 0018:ffff888045d4edf8 EFLAGS: 00010207
RAX: 02abebdc22011dc0 RBX: aaffff8880477d00 RCX: 1ffffffff0b1d66d
RDX: aaffff8900477d00 RSI: 0000000000000008 RDI: ffffffff81771eb1
RBP: 0000000000000000 R08: aaffff8880477d00 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff888045d4ee38 R14: 0000000000000000 R15: ffff8880460e8001
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5272e8f3b8 CR3: 000000000ef28000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Call Trace:
kasan_quarantine_reduce+0x180/0x200
__kasan_slab_alloc+0x78/0x80
__kmalloc+0x1be/0x440
ext4_find_extent+0xa39/0xd20
ext4_ext_map_blocks+0x1c3/0x5cc0
ext4_map_blocks+0x76e/0x19d0
ext4_writepages+0x1bc9/0x3690
do_writepages+0x1b0/0x690
__writeback_single_inode+0x105/0xf50
writeback_sb_inodes+0x542/0xec0
__writeback_inodes_wb+0xbe/0x270
wb_writeback+0x749/0xb50
wb_workfn+0x8f7/0x10b0
process_one_work+0xa0f/0x1690
worker_thread+0x637/0x1250
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:usercopy_abort+0xb9/0xbb
Code: e8 49 a3 38 fd 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 20 86 6f 84 ff 74 24 08 41 57 48 8b 54 24 20 e8 2f 03 ff ff <0f> 0b e8 1d a3 38 fd 48 89 e5 e8 e5 4f 6b fd 48 89 e9 8b 54 24 0c
RSP: 0018:ffff8880186e7c50 EFLAGS: 00010286
RAX: 0000000000000069 RBX: ffffffff846fd660 RCX: 0000000000000000
RDX: ffff888016e50000 RSI: ffffffff812bd348 RDI: ffffed10030dcf7c
RBP: ffffffff846f8560 R08: 0000000000000069 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff84e88bda
R13: ffffffff846f84a0 R14: 0000000000000fe0 R15: ffffffff846f8460
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5272e8f3b8 CR3: 000000000ef28000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
------------[ cut here ]------------
WARNING: CPU: 1 PID: 15683 at kernel/exit.c:741 do_exit+0x1cf8/0x27d0
Modules linked in:
CPU: 1 PID: 15683 Comm: kworker/u4:11 Tainted: G B D W 5.19.0-rc5-next-20220706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:do_exit+0x1cf8/0x27d0
Code: 89 f7 e8 cb 91 2d 00 e9 5a eb ff ff e8 51 aa 2e 00 48 8b 74 24 10 bf 05 06 00 00 e8 62 d6 02 00 e9 b3 e7 ff ff e8 38 aa 2e 00 <0f> 0b e9 9c e3 ff ff e8 2c aa 2e 00 48 8b 54 24 20 b8 ff ff 37 00
RSP: 0018:ffff888045d4fe48 EFLAGS: 00010293
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffff88804737b580 RSI: ffffffff81164ec8 RDI: ffff88804737c688
RBP: ffff88804737b580 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88804737b580 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5272e8f3b8 CR3: 000000000ef28000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Call Trace:
make_task_dead+0x102/0x120
rewind_stack_and_make_dead+0x17/0x17
RIP: 0000:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
irq event stamp: 1213898
hardirqs last enabled at (1213897): [] _raw_spin_unlock_irq+0x1f/0x40
hardirqs last disabled at (1213898): [] __schedule+0x11d9/0x24a0
softirqs last enabled at (1213606): [] ieee80211_ibss_work+0x2e8/0xdf0
softirqs last disabled at (1213604): [] ieee80211_ibss_work+0x138/0xdf0
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 83 e2 07 and $0x7,%edx
3: 38 d0 cmp %dl,%al
5: 7f 08 jg 0xf
7: 84 c0 test %al,%al
9: 0f 85 d5 02 00 00 jne 0x2e4
f: 88 5d 00 mov %bl,0x0(%rbp)
12: e8 db 3e 00 00 callq 0x3ef2
17: 31 ff xor %edi,%edi
19: 4c 89 f6 mov %r14,%rsi
1c: e8 61 61 19 00 callq 0x196182
21: 4d 85 f6 test %r14,%r14
24: 0f 85 76 01 00 00 jne 0x1a0
* 2a: e8 63 64 19 00 callq 0x196492 <-- trapping instruction
2f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
36: fc ff df
39: 48 03 04 24 add (%rsp),%rax
3d: 48 rex.W
3e: c7 .byte 0xc7