./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2676429106 <...> Warning: Permanently added '10.128.0.240' (ED25519) to the list of known hosts. execve("./syz-executor2676429106", ["./syz-executor2676429106"], 0x7ffc3800e3e0 /* 10 vars */) = 0 brk(NULL) = 0x5555757ef000 brk(0x5555757efd00) = 0x5555757efd00 arch_prctl(ARCH_SET_FS, 0x5555757ef380) = 0 set_tid_address(0x5555757ef650) = 5833 set_robust_list(0x5555757ef660, 24) = 0 rseq(0x5555757efca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2676429106", 4096) = 28 getrandom("\xd1\xc6\x1d\x88\x04\xfa\x34\xa7", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555757efd00 brk(0x555575810d00) = 0x555575810d00 brk(0x555575811000) = 0x555575811000 mprotect(0x7fc985312000, 16384, PROT_READ) = 0 mmap(0x3ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ffffffff000 mmap(0x400000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000000000 mmap(0x400001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5834 attached [pid 5834] set_robust_list(0x5555757ef660, 24 [pid 5833] <... clone resumed>, child_tidptr=0x5555757ef650) = 5834 [pid 5834] <... set_robust_list resumed>) = 0 [pid 5834] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5834] setpgid(0, 0) = 0 [pid 5834] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5834] write(3, "1000", 4) = 4 [pid 5834] close(3) = 0 executing program [pid 5834] write(1, "executing program\n", 18) = 18 [ 69.309121][ T5834] ================================================================== [ 69.317229][ T5834] BUG: KASAN: slab-out-of-bounds in atomic_ptr_type_ok+0x3d7/0x550 [ 69.325303][ T5834] Read of size 4 at addr ffff88803486e690 by task syz-executor267/5834 [ 69.333715][ T5834] [ 69.336059][ T5834] CPU: 1 UID: 0 PID: 5834 Comm: syz-executor267 Not tainted 6.14.0-rc3-syzkaller-gf28214603dc6 #0 [ 69.336073][ T5834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 69.336086][ T5834] Call Trace: [ 69.336094][ T5834] [ 69.336099][ T5834] dump_stack_lvl+0x241/0x360 [ 69.336116][ T5834] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.336126][ T5834] ? __pfx__printk+0x10/0x10 [ 69.336135][ T5834] ? _printk+0xd5/0x120 [ 69.336143][ T5834] ? __virt_addr_valid+0x183/0x530 [ 69.336152][ T5834] ? __virt_addr_valid+0x183/0x530 [ 69.336161][ T5834] print_report+0x16e/0x5b0 [ 69.336174][ T5834] ? __virt_addr_valid+0x183/0x530 [ 69.336182][ T5834] ? __virt_addr_valid+0x183/0x530 [ 69.336190][ T5834] ? __virt_addr_valid+0x45f/0x530 [ 69.336197][ T5834] ? __phys_addr+0xba/0x170 [ 69.336212][ T5834] ? atomic_ptr_type_ok+0x3d7/0x550 [ 69.336222][ T5834] kasan_report+0x143/0x180 [ 69.336235][ T5834] ? atomic_ptr_type_ok+0x3d7/0x550 [ 69.336246][ T5834] atomic_ptr_type_ok+0x3d7/0x550 [ 69.336258][ T5834] do_check+0x89dd/0xedd0 [ 69.336274][ T5834] ? __kasan_kmalloc+0x98/0xb0 [ 69.336285][ T5834] ? bpf_prog_load+0x1664/0x20e0 [ 69.336298][ T5834] ? __sys_bpf+0x4ea/0x820 [ 69.336318][ T5834] ? __pfx_do_check+0x10/0x10 [ 69.336330][ T5834] ? __pfx_verbose+0x10/0x10 [ 69.336340][ T5834] ? __pfx_disasm_kfunc_name+0x10/0x10 [ 69.336352][ T5834] ? __asan_memset+0x23/0x50 [ 69.336362][ T5834] do_check_common+0x1678/0x2080 [ 69.336379][ T5834] bpf_check+0x165c8/0x1cca0 [ 69.336391][ T5834] ? post_alloc_hook+0x207/0x240 [ 69.336399][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 69.336410][ T5834] ? get_page_from_freelist+0x3a8c/0x3c20 [ 69.336426][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336436][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336445][ T5834] ? mark_lock+0x9a/0x360 [ 69.336456][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336466][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336475][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 69.336485][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336495][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336510][ T5834] ? validate_chain+0x11e/0x5920 [ 69.336522][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 69.336534][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 69.336545][ T5834] ? mark_lock+0x9a/0x360 [ 69.336553][ T5834] ? __pfx_bpf_check+0x10/0x10 [ 69.336563][ T5834] ? mark_lock+0x9a/0x360 [ 69.336573][ T5834] ? mark_lock+0x9a/0x360 [ 69.336582][ T5834] ? __lock_acquire+0x1397/0x2100 [ 69.336601][ T5834] ? __pfx_lock_acquire+0x10/0x10 [ 69.336614][ T5834] ? ktime_get_with_offset+0x8d/0x2a0 [ 69.336627][ T5834] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.336641][ T5834] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.336656][ T5834] ? ktime_get_with_offset+0x8d/0x2a0 [ 69.336666][ T5834] ? seqcount_lockdep_reader_access+0x157/0x220 [ 69.336678][ T5834] ? lockdep_hardirqs_on+0x99/0x150 [ 69.336696][ T5834] ? seqcount_lockdep_reader_access+0x1d7/0x220 [ 69.336707][ T5834] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10 [ 69.336721][ T5834] ? __check_object_size+0x8e/0x730 [ 69.336734][ T5834] ? __asan_memset+0x23/0x50 [ 69.336743][ T5834] ? bpf_obj_name_cpy+0x18a/0x1d0 [ 69.336753][ T5834] bpf_prog_load+0x1664/0x20e0 [ 69.336769][ T5834] ? __pfx_bpf_prog_load+0x10/0x10 [ 69.336782][ T5834] ? __pfx___might_resched+0x10/0x10 [ 69.336798][ T5834] ? __might_fault+0xaa/0x120 [ 69.336809][ T5834] __sys_bpf+0x4ea/0x820 [ 69.336822][ T5834] ? __pfx___sys_bpf+0x10/0x10 [ 69.336838][ T5834] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.336852][ T5834] ? exc_page_fault+0x590/0x8b0 [ 69.336864][ T5834] __x64_sys_bpf+0x7c/0x90 [ 69.336876][ T5834] do_syscall_64+0xf3/0x230 [ 69.336891][ T5834] ? clear_bhb_loop+0x35/0x90 [ 69.336906][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.336919][ T5834] RIP: 0033:0x7fc98529fab9 [ 69.336932][ T5834] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.336940][ T5834] RSP: 002b:00007ffed30e2e08 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 69.336951][ T5834] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc98529fab9 [ 69.336958][ T5834] RDX: 0000000000000094 RSI: 00004000000009c0 RDI: 0000000000000005 [ 69.336964][ T5834] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006 [ 69.336969][ T5834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 69.336974][ T5834] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 69.336983][ T5834] [ 69.336987][ T5834] [ 69.789268][ T5834] Allocated by task 5834: [ 69.793598][ T5834] kasan_save_track+0x3f/0x80 [ 69.798414][ T5834] __kasan_kmalloc+0x98/0xb0 [ 69.803095][ T5834] __kmalloc_cache_noprof+0x243/0x390 [ 69.809262][ T5834] do_check_common+0x1ec/0x2080 [ 69.814126][ T5834] bpf_check+0x165c8/0x1cca0 [ 69.818930][ T5834] bpf_prog_load+0x1664/0x20e0 [ 69.823794][ T5834] __sys_bpf+0x4ea/0x820 [ 69.828343][ T5834] __x64_sys_bpf+0x7c/0x90 [ 69.832979][ T5834] do_syscall_64+0xf3/0x230 [ 69.837483][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.843389][ T5834] [ 69.845710][ T5834] The buggy address belongs to the object at ffff88803486e000 [ 69.845710][ T5834] which belongs to the cache kmalloc-2k of size 2048 [ 69.859854][ T5834] The buggy address is located 312 bytes to the right of [ 69.859854][ T5834] allocated 1368-byte region [ffff88803486e000, ffff88803486e558) [ 69.874824][ T5834] [ 69.877138][ T5834] The buggy address belongs to the physical page: [ 69.883716][ T5834] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34868 [ 69.893114][ T5834] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 69.901873][ T5834] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 69.909573][ T5834] page_type: f5(slab) [ 69.913618][ T5834] raw: 00fff00000000040 ffff88801b042000 dead000000000122 0000000000000000 [ 69.922386][ T5834] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 69.930981][ T5834] head: 00fff00000000040 ffff88801b042000 dead000000000122 0000000000000000 [ 69.939649][ T5834] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 69.948329][ T5834] head: 00fff00000000003 ffffea0000d21a01 ffffffffffffffff 0000000000000000 [ 69.957003][ T5834] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 69.965672][ T5834] page dumped because: kasan: bad access detected [ 69.972184][ T5834] page_owner tracks the page as allocated [ 69.978074][ T5834] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5819, tgid 5819 (sshd), ts 58310440750, free_ts 58278111680 [ 69.998738][ T5834] post_alloc_hook+0x1f4/0x240 [ 70.003602][ T5834] get_page_from_freelist+0x3a8c/0x3c20 [ 70.009317][ T5834] __alloc_frozen_pages_noprof+0x264/0x580 [ 70.015120][ T5834] alloc_pages_mpol+0x311/0x660 [ 70.020157][ T5834] allocate_slab+0x8f/0x3a0 [ 70.024665][ T5834] ___slab_alloc+0xc27/0x14a0 [ 70.029338][ T5834] __slab_alloc+0x58/0xa0 [ 70.033668][ T5834] __kmalloc_noprof+0x2e6/0x4c0 [ 70.038625][ T5834] sk_prot_alloc+0xe0/0x210 [ 70.043349][ T5834] sk_alloc+0x38/0x370 [ 70.047458][ T5834] __netlink_create+0x65/0x260 [ 70.052227][ T5834] netlink_create+0x3ab/0x560 [ 70.057174][ T5834] __sock_create+0x4c0/0xa30 [ 70.062118][ T5834] __sys_socket+0x150/0x3c0 [ 70.066634][ T5834] __x64_sys_socket+0x7a/0x90 [ 70.071341][ T5834] do_syscall_64+0xf3/0x230 [ 70.075953][ T5834] page last free pid 5591 tgid 5591 stack trace: [ 70.082544][ T5834] __free_frozen_pages+0xd7f/0x1020 [ 70.087754][ T5834] __slab_free+0x2c2/0x380 [ 70.092177][ T5834] qlist_free_all+0x9a/0x140 [ 70.096849][ T5834] kasan_quarantine_reduce+0x14f/0x170 [ 70.102298][ T5834] __kasan_slab_alloc+0x23/0x80 [ 70.107244][ T5834] kmem_cache_alloc_lru_noprof+0x1dd/0x390 [ 70.113077][ T5834] sock_alloc_inode+0x28/0xc0 [ 70.117755][ T5834] alloc_inode+0x65/0x1a0 [ 70.122098][ T5834] do_accept+0x130/0x6d0 [ 70.126334][ T5834] __sys_accept4+0x11f/0x1d0 [ 70.130915][ T5834] __x64_sys_accept+0x7d/0x90 [ 70.135582][ T5834] do_syscall_64+0xf3/0x230 [ 70.140161][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.146207][ T5834] [ 70.148626][ T5834] Memory state around the buggy address: [ 70.154251][ T5834] ffff88803486e580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.162506][ T5834] ffff88803486e600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.170566][ T5834] >ffff88803486e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.178733][ T5834] ^ [ 70.183345][ T5834] ffff88803486e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.191412][ T5834] ffff88803486e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.199471][ T5834] ================================================================== [ 70.208452][ T5834] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 70.215708][ T5834] CPU: 0 UID: 0 PID: 5834 Comm: syz-executor267 Not tainted 6.14.0-rc3-syzkaller-gf28214603dc6 #0 [ 70.226294][ T5834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 70.236543][ T5834] Call Trace: [ 70.239924][ T5834] [ 70.242860][ T5834] dump_stack_lvl+0x241/0x360 [ 70.247553][ T5834] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.252752][ T5834] ? __pfx__printk+0x10/0x10 [ 70.257348][ T5834] ? preempt_schedule+0xe1/0xf0 [ 70.262314][ T5834] ? vscnprintf+0x5d/0x90 [ 70.266660][ T5834] panic+0x349/0x880 [ 70.270562][ T5834] ? check_panic_on_warn+0x21/0xb0 [ 70.275675][ T5834] ? __pfx_panic+0x10/0x10 [ 70.280070][ T5834] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 70.286122][ T5834] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 70.292519][ T5834] ? print_report+0x519/0x5b0 [ 70.297198][ T5834] check_panic_on_warn+0x86/0xb0 [ 70.302237][ T5834] ? atomic_ptr_type_ok+0x3d7/0x550 [ 70.307438][ T5834] end_report+0x77/0x160 [ 70.311687][ T5834] kasan_report+0x154/0x180 [ 70.316276][ T5834] ? atomic_ptr_type_ok+0x3d7/0x550 [ 70.321908][ T5834] atomic_ptr_type_ok+0x3d7/0x550 [ 70.327020][ T5834] do_check+0x89dd/0xedd0 [ 70.331346][ T5834] ? __kasan_kmalloc+0x98/0xb0 [ 70.336116][ T5834] ? bpf_prog_load+0x1664/0x20e0 [ 70.341125][ T5834] ? __sys_bpf+0x4ea/0x820 [ 70.345547][ T5834] ? __pfx_do_check+0x10/0x10 [ 70.350222][ T5834] ? __pfx_verbose+0x10/0x10 [ 70.354826][ T5834] ? __pfx_disasm_kfunc_name+0x10/0x10 [ 70.360297][ T5834] ? __asan_memset+0x23/0x50 [ 70.365064][ T5834] do_check_common+0x1678/0x2080 [ 70.370091][ T5834] bpf_check+0x165c8/0x1cca0 [ 70.374676][ T5834] ? post_alloc_hook+0x207/0x240 [ 70.379606][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 70.384813][ T5834] ? get_page_from_freelist+0x3a8c/0x3c20 [ 70.390546][ T5834] ? validate_chain+0x11e/0x5920 [ 70.395491][ T5834] ? validate_chain+0x11e/0x5920 [ 70.400419][ T5834] ? mark_lock+0x9a/0x360 [ 70.404828][ T5834] ? validate_chain+0x11e/0x5920 [ 70.409755][ T5834] ? validate_chain+0x11e/0x5920 [ 70.414689][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 70.419877][ T5834] ? validate_chain+0x11e/0x5920 [ 70.424811][ T5834] ? validate_chain+0x11e/0x5920 [ 70.429740][ T5834] ? validate_chain+0x11e/0x5920 [ 70.434756][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 70.439971][ T5834] ? __pfx_validate_chain+0x10/0x10 [ 70.445173][ T5834] ? mark_lock+0x9a/0x360 [ 70.449490][ T5834] ? __pfx_bpf_check+0x10/0x10 [ 70.454591][ T5834] ? mark_lock+0x9a/0x360 [ 70.458950][ T5834] ? mark_lock+0x9a/0x360 [ 70.463350][ T5834] ? __lock_acquire+0x1397/0x2100 [ 70.468404][ T5834] ? __pfx_lock_acquire+0x10/0x10 [ 70.473535][ T5834] ? ktime_get_with_offset+0x8d/0x2a0 [ 70.479000][ T5834] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 70.484979][ T5834] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.491299][ T5834] ? ktime_get_with_offset+0x8d/0x2a0 [ 70.497011][ T5834] ? seqcount_lockdep_reader_access+0x157/0x220 [ 70.503244][ T5834] ? lockdep_hardirqs_on+0x99/0x150 [ 70.508524][ T5834] ? seqcount_lockdep_reader_access+0x1d7/0x220 [ 70.514846][ T5834] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10 [ 70.521430][ T5834] ? __check_object_size+0x8e/0x730 [ 70.526619][ T5834] ? __asan_memset+0x23/0x50 [ 70.531212][ T5834] ? bpf_obj_name_cpy+0x18a/0x1d0 [ 70.536313][ T5834] bpf_prog_load+0x1664/0x20e0 [ 70.541091][ T5834] ? __pfx_bpf_prog_load+0x10/0x10 [ 70.546218][ T5834] ? __pfx___might_resched+0x10/0x10 [ 70.551506][ T5834] ? __might_fault+0xaa/0x120 [ 70.556179][ T5834] __sys_bpf+0x4ea/0x820 [ 70.560540][ T5834] ? __pfx___sys_bpf+0x10/0x10 [ 70.565332][ T5834] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.571752][ T5834] ? exc_page_fault+0x590/0x8b0 [ 70.576686][ T5834] __x64_sys_bpf+0x7c/0x90 [ 70.581295][ T5834] do_syscall_64+0xf3/0x230 [ 70.586357][ T5834] ? clear_bhb_loop+0x35/0x90 [ 70.591332][ T5834] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.597220][ T5834] RIP: 0033:0x7fc98529fab9 [ 70.601639][ T5834] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 70.621422][ T5834] RSP: 002b:00007ffed30e2e08 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 70.629904][ T5834] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc98529fab9 [ 70.638080][ T5834] RDX: 0000000000000094 RSI: 00004000000009c0 RDI: 0000000000000005 [ 70.646065][ T5834] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006 [ 70.654053][ T5834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 70.662048][ T5834] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 70.670205][ T5834] [ 70.673621][ T5834] Kernel Offset: disabled [ 70.677944][ T5834] Rebooting in 86400 seconds..