EXT4-fs error (device loop6): ext4_fill_super:4954: inode #2: comm syz-executor.6: iget: root inode unallocated EXT4-fs (loop6): get root inode failed EXT4-fs (loop6): mount failed ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline] BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline] BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline] BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline] BUG: KASAN: use-after-free in get_task_struct include/linux/sched/task.h:104 [inline] BUG: KASAN: use-after-free in kthread_stop+0x76/0x610 kernel/kthread.c:616 Write of size 4 at addr ffff88804bfc4be0 by task syz-executor.6/17913 CPU: 0 PID: 17913 Comm: syz-executor.6 Not tainted 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x37/0x7c mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:186 [inline] check_memory_region+0xf9/0x1e0 mm/kasan/generic.c:192 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline] __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:104 [inline] kthread_stop+0x76/0x610 kernel/kthread.c:616 ext4_stop_mmpd+0x47/0xd0 fs/ext4/mmp.c:254 ext4_fill_super+0x8208/0xcf70 fs/ext4/super.c:5176 mount_bdev+0x331/0x3f0 fs/super.c:1419 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x8e/0x2f0 fs/super.c:1549 do_new_mount fs/namespace.c:2881 [inline] path_mount+0x139a/0x2080 fs/namespace.c:3211 do_mount fs/namespace.c:3224 [inline] __do_sys_mount fs/namespace.c:3432 [inline] __se_sys_mount fs/namespace.c:3409 [inline] __x64_sys_mount+0x27e/0x300 fs/namespace.c:3409 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467b2a Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2843922fa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467b2a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f2843923000 RBP: 00007f2843923040 R08: 00007f2843923040 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f2843923000 R15: 0000000020000040 Allocated by task 2: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:532 [inline] slab_alloc_node mm/slub.c:2889 [inline] kmem_cache_alloc_node+0x14b/0x370 mm/slub.c:2925 alloc_task_struct_node kernel/fork.c:170 [inline] dup_task_struct kernel/fork.c:860 [inline] copy_process+0x4380/0x6650 kernel/fork.c:1947 kernel_clone+0xe7/0xa20 kernel/fork.c:2465 kernel_thread+0xb5/0xf0 kernel/fork.c:2517 create_kthread kernel/kthread.c:315 [inline] kthreadd+0x4bb/0x710 kernel/kthread.c:658 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Freed by task 399: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x110/0x150 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1542 [inline] slab_free_freelist_hook+0x64/0x150 mm/slub.c:1575 slab_free mm/slub.c:3140 [inline] kmem_cache_free+0x97/0x2f0 mm/slub.c:3156 __put_task_struct+0x25a/0x3e0 kernel/fork.c:741 put_task_struct include/linux/sched/task.h:113 [inline] delayed_put_task_struct+0x1a4/0x2b0 kernel/exit.c:173 rcu_do_batch kernel/rcu/tree.c:2484 [inline] rcu_core+0x52d/0x1660 kernel/rcu/tree.c:2719 __do_softirq+0x1b8/0x867 kernel/softirq.c:298 Last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x9e/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0xa20 kernel/rcu/tree.c:3034 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:179 finish_task_switch+0x428/0x5d0 kernel/sched/core.c:3649 context_switch kernel/sched/core.c:3779 [inline] __schedule+0x850/0x1e80 kernel/sched/core.c:4525 schedule+0xcb/0x270 kernel/sched/core.c:4603 jbd2_log_wait_commit+0x2d4/0x430 fs/jbd2/journal.c:712 jbd2_complete_transaction+0x184/0x200 fs/jbd2/journal.c:846 ext4_fc_commit+0x6c6/0x2160 fs/ext4/fast_commit.c:1163 ext4_fsync_journal fs/ext4/fsync.c:115 [inline] ext4_sync_file+0x3d3/0xf30 fs/ext4/fsync.c:174 vfs_fsync_range+0x13d/0x230 fs/sync.c:200 generic_write_sync include/linux/fs.h:2739 [inline] iomap_dio_complete+0x5fb/0x780 fs/iomap/direct-io.c:127 iomap_dio_rw+0x63/0x90 fs/iomap/direct-io.c:608 ext4_dio_write_iter fs/ext4/file.c:569 [inline] ext4_file_write_iter+0xaaf/0x1890 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:1903 [inline] do_iter_readv_writev+0x476/0x750 fs/read_write.c:740 do_iter_write+0x18d/0x670 fs/read_write.c:866 vfs_iter_write+0x70/0xa0 fs/read_write.c:907 iter_file_splice_write+0x71d/0xbe0 fs/splice.c:686 do_splice_from fs/splice.c:764 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:933 splice_direct_to_actor+0x387/0x980 fs/splice.c:888 do_splice_direct+0x1c4/0x290 fs/splice.c:976 generic_copy_file_range fs/read_write.c:1386 [inline] do_copy_file_range fs/read_write.c:1409 [inline] vfs_copy_file_range+0x57b/0x10f0 fs/read_write.c:1516 __do_sys_copy_file_range+0x176/0x410 fs/read_write.c:1569 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Second to last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x9e/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0xa20 kernel/rcu/tree.c:3034 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:179 finish_task_switch+0x428/0x5d0 kernel/sched/core.c:3649 context_switch kernel/sched/core.c:3779 [inline] __schedule+0x850/0x1e80 kernel/sched/core.c:4525 schedule+0xcb/0x270 kernel/sched/core.c:4603 worker_thread+0x14f/0x1310 kernel/workqueue.c:2437 kthread+0x38f/0x470 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 The buggy address belongs to the object at ffff88804bfc4bc0 which belongs to the cache task_struct of size 6208 The buggy address is located 32 bytes inside of 6208-byte region [ffff88804bfc4bc0, ffff88804bfc6400) The buggy address belongs to the page: page:000000005ce7191c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804bfc6500 pfn:0x4bfc0 head:000000005ce7191c order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 ffffea00010f6208 ffffea0000334a08 ffff888007fdc140 raw: ffff88804bfc6500 0000000000050004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88804bfc4a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff88804bfc4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88804bfc4b80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ^ ffff88804bfc4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88804bfc4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 17913 at lib/refcount.c:25 refcount_warn_saturate+0x178/0x1f0 lib/refcount.c:25 Modules linked in: CPU: 0 PID: 17913 Comm: syz-executor.6 Tainted: G B 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x178/0x1f0 lib/refcount.c:25 Code: 03 31 ff 89 de e8 e8 25 51 ff 84 db 0f 85 2e ff ff ff e8 ab 2c 51 ff 48 c7 c7 c0 37 3b 84 c6 05 ee 66 54 03 01 e8 c7 1e c9 01 <0f> 0b e9 0f ff ff ff e8 8c 2c 51 ff 0f b6 1d d8 66 54 03 31 ff 89 RSP: 0018:ffff88805000fac0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff812930d3 RDI: ffffed100a001f4a RBP: ffff88804bfc4be0 R08: 0000000000000001 R09: ffff88806ce2facf R10: 0000000000000000 R11: 0000000000000001 R12: ffff88804bfc4be0 R13: 0000000000000000 R14: ffff8880441b2000 R15: ffff8880441b6000 FS: 00007f2843923700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffb11cd7e0 CR3: 0000000044afc000 CR4: 0000000000350ef0 Call Trace: __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:104 [inline] kthread_stop+0x583/0x610 kernel/kthread.c:616 ext4_stop_mmpd+0x47/0xd0 fs/ext4/mmp.c:254 ext4_fill_super+0x8208/0xcf70 fs/ext4/super.c:5176 mount_bdev+0x331/0x3f0 fs/super.c:1419 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x8e/0x2f0 fs/super.c:1549 do_new_mount fs/namespace.c:2881 [inline] path_mount+0x139a/0x2080 fs/namespace.c:3211 do_mount fs/namespace.c:3224 [inline] __do_sys_mount fs/namespace.c:3432 [inline] __se_sys_mount fs/namespace.c:3409 [inline] __x64_sys_mount+0x27e/0x300 fs/namespace.c:3409 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467b2a Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2843922fa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467b2a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f2843923000 RBP: 00007f2843923040 R08: 00007f2843923040 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f2843923000 R15: 0000000020000040 irq event stamp: 1656 hardirqs last enabled at (1655): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] hardirqs last enabled at (1655): [] _raw_spin_unlock_irqrestore+0x34/0x40 kernel/locking/spinlock.c:191 hardirqs last disabled at (1656): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (1656): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (1498): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (1437): [] asm_call_irq_on_stack+0x12/0x20 ---[ end trace f26731c9144fa6c8 ]--- ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 17913 at lib/refcount.c:28 refcount_warn_saturate+0x103/0x1f0 lib/refcount.c:28 Modules linked in: CPU: 0 PID: 17913 Comm: syz-executor.6 Tainted: G B W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x103/0x1f0 lib/refcount.c:28 Code: 1d 82 67 54 03 31 ff 89 de e8 59 26 51 ff 84 db 75 a3 e8 20 2d 51 ff 48 c7 c7 20 38 3b 84 c6 05 62 67 54 03 01 e8 3c 1f c9 01 <0f> 0b eb 87 e8 04 2d 51 ff 0f b6 1d 4b 67 54 03 31 ff 89 de e8 24 RSP: 0018:ffff88805000fac0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff812930d3 RDI: ffffed100a001f4a RBP: ffff88804bfc4be0 R08: 0000000000000001 R09: ffff88806ce2facf R10: 0000000000000000 R11: 0000000000000001 R12: ffff88804bfc4be0 R13: 0000000000000000 R14: ffff8880441b2000 R15: ffff8880441b6000 FS: 00007f2843923700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9f18e5afe8 CR3: 0000000044afc000 CR4: 0000000000350ef0 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_task_struct include/linux/sched/task.h:112 [inline] kthread_stop+0x56c/0x610 kernel/kthread.c:623 ext4_stop_mmpd+0x47/0xd0 fs/ext4/mmp.c:254 ext4_fill_super+0x8208/0xcf70 fs/ext4/super.c:5176 mount_bdev+0x331/0x3f0 fs/super.c:1419 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x8e/0x2f0 fs/super.c:1549 do_new_mount fs/namespace.c:2881 [inline] path_mount+0x139a/0x2080 fs/namespace.c:3211 do_mount fs/namespace.c:3224 [inline] __do_sys_mount fs/namespace.c:3432 [inline] __se_sys_mount fs/namespace.c:3409 [inline] __x64_sys_mount+0x27e/0x300 fs/namespace.c:3409 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467b2a Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2843922fa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467b2a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f2843923000 RBP: 00007f2843923040 R08: 00007f2843923040 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f2843923000 R15: 0000000020000040 irq event stamp: 1656 hardirqs last enabled at (1655): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] hardirqs last enabled at (1655): [] _raw_spin_unlock_irqrestore+0x34/0x40 kernel/locking/spinlock.c:191 hardirqs last disabled at (1656): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (1656): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (1498): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (1437): [] asm_call_irq_on_stack+0x12/0x20 ---[ end trace f26731c9144fa6c9 ]--- EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir565753641/syzkaller.FzdKmT/363/file0 supports timestamps until 2038 (0x7fffffff) EXT4-fs (loop6): Unrecognized mount option "./file0/file0" or missing value EXT4-fs (loop7): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir193600109/syzkaller.GJBCd4/380/file0 supports timestamps until 2038 (0x7fffffff) EXT4-fs (loop5): ext4_check_descriptors: Block bitmap for group 0 not in group (block 3541992194)! EXT4-fs (loop5): group descriptors corrupted! EXT4-fs (loop5): Unrecognized mount option "./file0/file0" or missing value EXT4-fs (loop7): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir193600109/syzkaller.GJBCd4/381/file0 supports timestamps until 2038 (0x7fffffff) ext4 filesystem being mounted at /syzkaller-testdir565753641/syzkaller.FzdKmT/364/file0 supports timestamps until 2038 (0x7fffffff) EXT4-fs (loop6): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir288316227/syzkaller.tmGyB1/380/file0 supports timestamps until 2038 (0x7fffffff) autofs4:pid:18033:autofs_fill_super: called with bogus options EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir562783326/syzkaller.AS4BEt/404/file0 supports timestamps until 2038 (0x7fffffff) general protection fault, probably for non-canonical address 0x62bddfe220000: 0000 [#1] SMP KASAN NOPTI CPU: 0 PID: 18037 Comm: syz-executor.5 Tainted: G B W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:compound_head include/linux/page-flags.h:185 [inline] RIP: 0010:virt_to_head_page include/linux/mm.h:860 [inline] RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:130 [inline] RIP: 0010:qlist_free_all+0x8d/0xd0 mm/kasan/quarantine.c:167 Code: df 48 85 db 75 cc 48 89 f0 4c 01 e8 72 56 4c 89 f2 48 2b 15 15 61 3a 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 f3 60 3a 03 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 93 49 RSP: 0018:ffff88804eb17458 EFLAGS: 00010207 RAX: 00062bddfe220000 RBX: 0000000000000000 RCX: ffffea000112b200 RDX: 0000777f80000000 RSI: 018fffff88800ecf RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000004 R09: ffffffff816abb01 R10: ffff88804bfc4bc2 R11: 0000000000000001 R12: ffff88804eb17490 R13: 0000000080000000 R14: ffffffff80000000 R15: 018fffff88800ecf FS: 00007f7673fa7700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000202a7000 CR3: 000000004fbdc000 CR4: 0000000000350ef0 Call Trace: quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:267 __kasan_kmalloc.constprop.0+0x9e/0xd0 mm/kasan/common.c:442 slab_post_alloc_hook mm/slab.h:532 [inline] slab_alloc_node mm/slub.c:2889 [inline] slab_alloc mm/slub.c:2897 [inline] kmem_cache_alloc+0x13b/0x350 mm/slub.c:2902 mb_cache_entry_create+0xbf/0x890 fs/mbcache.c:88 ext4_xattr_block_cache_insert fs/ext4/xattr.c:2978 [inline] ext4_xattr_block_set+0x2746/0x2f30 fs/ext4/xattr.c:2041 ext4_xattr_set_handle+0xd49/0x1310 fs/ext4/xattr.c:2394 ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2495 __vfs_setxattr+0x10f/0x170 fs/xattr.c:177 __vfs_setxattr_noperm+0x11a/0x4c0 fs/xattr.c:208 __vfs_setxattr_locked+0x1bf/0x250 fs/xattr.c:266 vfs_setxattr+0xe8/0x270 fs/xattr.c:283 setxattr+0x23d/0x330 fs/xattr.c:548 path_setxattr+0x170/0x190 fs/xattr.c:567 __do_sys_lsetxattr fs/xattr.c:589 [inline] __se_sys_lsetxattr fs/xattr.c:585 [inline] __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:585 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x466609 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7673fa7188 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 0000000000466609 RDX: 0000000020000480 RSI: 0000000020000080 RDI: 0000000020000040 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000e01 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd6991f0af R14: 00007f7673fa7300 R15: 0000000000022000 Modules linked in: ---[ end trace f26731c9144fa6ca ]--- RIP: 0010:compound_head include/linux/page-flags.h:185 [inline] RIP: 0010:virt_to_head_page include/linux/mm.h:860 [inline] RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:130 [inline] RIP: 0010:qlist_free_all+0x8d/0xd0 mm/kasan/quarantine.c:167 Code: df 48 85 db 75 cc 48 89 f0 4c 01 e8 72 56 4c 89 f2 48 2b 15 15 61 3a 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 f3 60 3a 03 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 93 49 RSP: 0018:ffff88804eb17458 EFLAGS: 00010207 RAX: 00062bddfe220000 RBX: 0000000000000000 RCX: ffffea000112b200 RDX: 0000777f80000000 RSI: 018fffff88800ecf RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000004 R09: ffffffff816abb01 R10: ffff88804bfc4bc2 R11: 0000000000000001 R12: ffff88804eb17490 R13: 0000000080000000 R14: ffffffff80000000 R15: 018fffff88800ecf FS: 00007f7673fa7700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000202a7000 CR3: 000000004fbdc000 CR4: 0000000000350ef0 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 18056 at arch/x86/include/asm/fpu/internal.h:324 copy_xregs_to_kernel arch/x86/include/asm/fpu/internal.h:324 [inline] WARNING: CPU: 0 PID: 18056 at arch/x86/include/asm/fpu/internal.h:324 copy_fpregs_to_fpstate+0x17a/0x1d0 arch/x86/kernel/fpu/core.c:98 Modules linked in: CPU: 0 PID: 18056 Comm: syz-executor.1 Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:copy_xregs_to_kernel arch/x86/include/asm/fpu/internal.h:324 [inline] RIP: 0010:copy_fpregs_to_fpstate+0x17a/0x1d0 arch/x86/kernel/fpu/core.c:98 Code: 01 00 00 00 5b 5d 41 5c 41 5d 41 5e c3 e8 fe 18 37 00 48 0f ae 43 40 eb e1 e8 f2 18 37 00 0f 0b e9 23 ff ff ff e8 e6 18 37 00 <0f> 0b e9 3c ff ff ff 48 c7 c7 f8 e3 44 85 e8 73 4a 62 00 e9 ec fe RSP: 0018:ffff88800ea67b10 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88804bfc6082 RCX: ffffffff81086ca5 RDX: ffff88804527cbc0 RSI: ffffffff81086d6a RDI: 0000000000000005 RBP: 00000000fffffffe R08: 0000000000000000 R09: ffff88804527cbc7 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000007 R13: 0000000000000000 R14: 0000000000000001 R15: ffff88804527e080 FS: 0000000002b8b400(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f12ec830718 CR3: 00000000444b4000 CR4: 0000000000350ef0 Call Trace: fpu__copy+0x39c/0x550 arch/x86/kernel/fpu/core.c:243 dup_task_struct kernel/fork.c:873 [inline] copy_process+0x6da/0x6650 kernel/fork.c:1947 kernel_clone+0xe7/0xa20 kernel/fork.c:2465 __do_sys_clone+0xc8/0x110 kernel/fork.c:2582 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467a31 Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00 RSP: 002b:00007ffd2274aa98 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 00007f12ec830700 RCX: 0000000000467a31 RDX: 00007f12ec8309d0 RSI: 00007f12ec8302f0 RDI: 00000000003d0f00 RBP: 00007ffd2274acd0 R08: 00007f12ec830700 R09: 00007f12ec830700 R10: 00007f12ec8309d0 R11: 0000000000000206 R12: 00007ffd2274ab4e R13: 00007ffd2274ab4f R14: 00007f12ec830300 R15: 0000000000022000 irq event stamp: 0 hardirqs last enabled at (0): [<0000000000000000>] 0x0 hardirqs last disabled at (0): [] copy_process+0x15bc/0x6650 kernel/fork.c:2049 softirqs last enabled at (0): [] copy_process+0x15fd/0x6650 kernel/fork.c:2053 softirqs last disabled at (0): [<0000000000000000>] 0x0 ---[ end trace f26731c9144fa6cb ]--- EXT4-fs (loop7): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir193600109/syzkaller.GJBCd4/382/file0 supports timestamps until 2038 (0x7fffffff) EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop6): mounted filesystem without journal. Opts: ,errors=continue ext4 filesystem being mounted at /syzkaller-testdir565753641/syzkaller.FzdKmT/365/file0 supports timestamps until 2038 (0x7fffffff) ext4 filesystem being mounted at /syzkaller-testdir288316227/syzkaller.tmGyB1/381/file0 supports timestamps until 2038 (0x7fffffff) ------------[ cut here ]------------ Bad FPU state detected at copy_kernel_to_xregs arch/x86/include/asm/fpu/internal.h:335 [inline], reinitializing FPU registers. Bad FPU state detected at __copy_kernel_to_fpregs arch/x86/include/asm/fpu/internal.h:410 [inline], reinitializing FPU registers. Bad FPU state detected at copy_kernel_to_fpregs+0x99/0xe0 arch/x86/include/asm/fpu/internal.h:434, reinitializing FPU registers. WARNING: CPU: 0 PID: 18072 at arch/x86/mm/extable.c:65 ex_handler_fprestore+0xf0/0x110 arch/x86/mm/extable.c:65 Modules linked in: CPU: 0 PID: 18072 Comm: syz-executor.1 Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:ex_handler_fprestore+0xf0/0x110 arch/x86/mm/extable.c:65 Code: e8 25 87 2e 00 b8 01 00 00 00 5b 5d 41 5c c3 e8 16 87 2e 00 48 89 de 48 c7 c7 40 dd 24 84 c6 05 a8 c0 31 04 01 e8 2f 79 a6 02 <0f> 0b eb 90 48 89 df e8 94 b8 59 00 e9 3d ff ff ff e8 1a b9 59 00 RSP: 0018:ffff88804bf2fce8 EFLAGS: 00010082 RAX: 0000000000000000 RBX: ffffffff81087a19 RCX: 0000000000000000 RDX: ffff88804bfc4bc2 RSI: ffffffff812930d3 RDI: ffffed10097e5f8f RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88806ce1ff9b R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff84ad3e10 R13: 000000000000000d R14: 0000000000000000 R15: 0000000000000000 FS: 00007f12ec830700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e4da2 CR3: 00000000444b4000 CR4: 0000000000350ef0 Call Trace: fixup_exception+0x9d/0xd0 arch/x86/mm/extable.c:183 __exc_general_protection arch/x86/kernel/traps.c:559 [inline] exc_general_protection+0xeb/0x2e0 arch/x86/kernel/traps.c:526 asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:565 RIP: 0010:copy_kernel_to_fpregs+0x99/0xe0 arch/x86/include/asm/fpu/internal.h:435 Code: 44 24 20 e8 59 0c 37 00 48 8b 6c 24 20 0f 1f 44 00 00 e8 4a 0c 37 00 e8 45 0c 37 00 b8 ff ff ff ff 48 89 ef 89 c2 48 0f c7 1f 32 0c 37 00 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 RSP: 0018:ffff88804bf2fe80 EFLAGS: 00010093 RAX: 00000000ffffffff RBX: 1ffff110097e5fd0 RCX: ffffffff810881a3 RDX: 00000000ffffffff RSI: ffffffff81087a0b RDI: ffff88804bfc60c2 RBP: ffff88804bfc60c2 R08: 0000000000000000 R09: ffff88804bfc4bc9 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88804bfc6082 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 __fpregs_load_activate arch/x86/include/asm/fpu/internal.h:505 [inline] switch_fpu_return+0x92/0x300 arch/x86/kernel/fpu/core.c:406 arch_exit_to_user_mode_prepare arch/x86/include/asm/entry-common.h:59 [inline] exit_to_user_mode_prepare+0x141/0x160 kernel/entry/common.c:193 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:289 RIP: 0033:0x467a31 Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00 RSP: 002b:00007f12ec8302f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: 0000000000000000 RBX: 00007f12ec830700 RCX: 0000000000467a31 RDX: 00007f12ec8309d0 RSI: 00007f12ec8302f0 RDI: 00000000003d0f00 RBP: 00007ffd2274acd0 R08: 00007f12ec830700 R09: 00007f12ec830700 R10: 00007f12ec8309d0 R11: 0000000000000206 R12: 00007ffd2274ab4e R13: 00007ffd2274ab4f R14: 00007f12ec830300 R15: 0000000000022000 irq event stamp: 0 hardirqs last enabled at (0): [<0000000000000000>] 0x0 hardirqs last disabled at (0): [] copy_process+0x15bc/0x6650 kernel/fork.c:2049 softirqs last enabled at (0): [] copy_process+0x15fd/0x6650 kernel/fork.c:2053 softirqs last disabled at (0): [<0000000000000000>] 0x0 ---[ end trace f26731c9144fa6cc ]--- general protection fault, probably for non-canonical address 0xf11004a336620001: 0000 [#2] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0x88804519b3100008-0x88804519b310000f] CPU: 0 PID: 18012 Comm: systemd-udevd Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__rb_insert lib/rbtree.c:115 [inline] RIP: 0010:rb_insert_color+0x6d/0x7a0 lib/rbtree.c:436 Code: 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 48 05 00 00 48 8b 2b 40 f6 c5 01 0f 85 81 01 00 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 01 05 00 00 4c 8b 75 08 49 39 de 0f 84 6d 01 RSP: 0018:ffff888044627460 EFLAGS: 00010012 RAX: 111008a336620001 RBX: ffff88804bfc4c50 RCX: 1ffff11009ef733c RDX: 1ffff11009ef733a RSI: ffff88806ce33270 RDI: 88804519b3100008 RBP: 88804519b3100000 R08: ffff88804f7b99d0 R09: ffff888018a681d0 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888044f88090 R13: dffffc0000000000 R14: ffff88804f7bb310 R15: 000000c33a914fdc FS: 00007f65f8d678c0(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e4da2 CR3: 000000004481e000 CR4: 0000000000350ef0 Call Trace: rb_insert_color_cached include/linux/rbtree.h:141 [inline] __enqueue_entity kernel/sched/fair.c:601 [inline] put_prev_entity+0x1d4/0x5d0 kernel/sched/fair.c:4540 pick_next_task_fair+0x5cc/0xb10 kernel/sched/fair.c:7120 pick_next_task kernel/sched/core.c:4342 [inline] __schedule+0x330/0x1e80 kernel/sched/core.c:4493 preempt_schedule_common kernel/sched/core.c:4684 [inline] _cond_resched+0x45/0x80 kernel/sched/core.c:6117 __mutex_lock_common kernel/locking/mutex.c:948 [inline] __mutex_lock+0xad/0x1230 kernel/locking/mutex.c:1114 kernfs_iop_lookup+0x4a/0x220 fs/kernfs/dir.c:1087 __lookup_slow+0x252/0x490 fs/namei.c:1544 lookup_slow fs/namei.c:1561 [inline] walk_component+0x41a/0x6a0 fs/namei.c:1856 link_path_walk.part.0+0x695/0xbe0 fs/namei.c:2179 link_path_walk fs/namei.c:2108 [inline] path_openat+0x255/0x26c0 fs/namei.c:3356 do_filp_open+0x17e/0x3c0 fs/namei.c:3387 do_sys_openat2+0x16d/0x420 fs/open.c:1180 do_sys_open fs/open.c:1196 [inline] __do_sys_openat fs/open.c:1212 [inline] __se_sys_openat fs/open.c:1207 [inline] __x64_sys_openat+0x13f/0x1f0 fs/open.c:1207 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f65f7bda7da Code: 75 3e 89 d0 45 31 d2 25 00 00 41 00 3d 00 00 41 00 74 2d 8b 05 37 2f 2c 00 85 c0 75 51 48 63 d2 48 63 ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 8a 00 00 00 48 83 c4 60 5b 5d 41 5c c3 90 RSP: 002b:00007fffb1155d40 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f65f7bda7da RDX: 0000000000080000 RSI: 00007f65f873631f RDI: 0000000000000010 RBP: 00007f65f873631f R08: 000000000000ffff R09: 0000000000000020 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000 R13: 00007fffb1157f18 R14: 0000000000000000 R15: 000000000000000f Modules linked in: ---[ end trace f26731c9144fa6cd ]--- RIP: 0010:compound_head include/linux/page-flags.h:185 [inline] RIP: 0010:virt_to_head_page include/linux/mm.h:860 [inline] RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:130 [inline] RIP: 0010:qlist_free_all+0x8d/0xd0 mm/kasan/quarantine.c:167 Code: df 48 85 db 75 cc 48 89 f0 4c 01 e8 72 56 4c 89 f2 48 2b 15 15 61 3a 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 f3 60 3a 03 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 93 49 RSP: 0018:ffff88804eb17458 EFLAGS: 00010207 RAX: 00062bddfe220000 RBX: 0000000000000000 RCX: ffffea000112b200 RDX: 0000777f80000000 RSI: 018fffff88800ecf RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000004 R09: ffffffff816abb01 R10: ffff88804bfc4bc2 R11: 0000000000000001 R12: ffff88804eb17490 R13: 0000000080000000 R14: ffffffff80000000 R15: 018fffff88800ecf FS: 00007f65f8d678c0(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e4da2 CR3: 000000004481e000 CR4: 0000000000350ef0 note: systemd-udevd[18012] exited with preempt_count 2 BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 18012, name: systemd-udevd INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<0000000000000000>] 0x0 hardirqs last disabled at (0): [] copy_process+0x15bc/0x6650 kernel/fork.c:2049 softirqs last enabled at (0): [] copy_process+0x15fd/0x6650 kernel/fork.c:2053 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 0 PID: 18012 Comm: systemd-udevd Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 ___might_sleep.cold+0x141/0x16f kernel/sched/core.c:7297 percpu_down_read include/linux/percpu-rwsem.h:49 [inline] cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:733 [inline] exit_signals+0x23/0x850 kernel/signal.c:2843 do_exit+0x30a/0x2770 kernel/exit.c:767 rewind_stack_do_exit+0x17/0x20 arch/x86/entry/entry_64.S:1483 RIP: 0033:0x7f65f7bda7da Code: 75 3e 89 d0 45 31 d2 25 00 00 41 00 3d 00 00 41 00 74 2d 8b 05 37 2f 2c 00 85 c0 75 51 48 63 d2 48 63 ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 8a 00 00 00 48 83 c4 60 5b 5d 41 5c c3 90 RSP: 002b:00007fffb1155d40 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f65f7bda7da RDX: 0000000000080000 RSI: 00007f65f873631f RDI: 0000000000000010 RBP: 00007f65f873631f R08: 000000000000ffff R09: 0000000000000020 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000 R13: 00007fffb1157f18 R14: 0000000000000000 R15: 000000000000000f