syzkaller login: [ 86.830764][ T3067] ==================================================================
[ 86.838440][ T3067] BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8
[ 86.840612][ T3067] Read at addr f2ff0000039b4f70 by task sshd/3067
[ 86.841521][ T3067] Pointer tag: [f2], memory tag: [fe]
[ 86.842037][ T3067]
[ 86.842778][ T3067] CPU: 0 PID: 3067 Comm: sshd Not tainted 6.6.0-rc6-syzkaller #0
[ 86.843720][ T3067] Hardware name: linux,dummy-virt (DT)
[ 86.844483][ T3067] Call trace:
[ 86.845095][ T3067]  dump_backtrace+0x94/0xec
[ 86.845831][ T3067]  show_stack+0x18/0x24
[ 86.846391][ T3067]  dump_stack_lvl+0x48/0x60
[ 86.846926][ T3067]  print_report+0x108/0x618
[ 86.847632][ T3067]  kasan_report+0x88/0xac
[ 86.848161][ T3067]  __do_kernel_fault+0x17c/0x1e8
[ 86.848768][ T3067]  do_tag_check_fault+0x78/0x8c
[ 86.849398][ T3067]  do_mem_abort+0x44/0x94
[ 86.849911][ T3067]  el1_abort+0x40/0x60
[ 86.850431][ T3067]  el1h_64_sync_handler+0xd8/0xe4
[ 86.850983][ T3067]  el1h_64_sync+0x64/0x68
[ 86.851497][ T3067]  reweight_entity+0x248/0x2b8
[ 86.852036][ T3067]  update_cfs_group+0x80/0x98
[ 86.852595][ T3067]  dequeue_task_fair+0x114/0x2a8
[ 86.853283][ T3067]  __schedule+0x58c/0x8a8
[ 86.853849][ T3067]  schedule+0x5c/0xc4
[ 86.854360][ T3067]  do_wait+0x14c/0x274
[ 86.854879][ T3067]  kernel_wait4+0xa0/0x18c
[ 86.855439][ T3067]  __do_sys_wait4+0xb4/0x114
[ 86.855966][ T3067]  __arm64_sys_wait4+0x24/0x30
[ 86.856516][ T3067]  invoke_syscall+0x48/0x114
[ 86.857049][ T3067]  el0_svc_common.constprop.0+0x40/0xe0
[ 86.857622][ T3067]  do_el0_svc+0x1c/0x28
[ 86.858151][ T3067]  el0_svc+0x40/0x114
[ 86.858708][ T3067]  el0t_64_sync_handler+0x100/0x12c
[ 86.859338][ T3067]  el0t_64_sync+0x19c/0x1a0
[ 86.860066][ T3067]
[ 86.860577][ T3067] Allocated by task 3074:
[ 86.861215][ T3067]  kasan_save_stack+0x3c/0x64
[ 86.862043][ T3067]  save_stack_info+0x38/0x118
[ 86.862658][ T3067]  kasan_save_alloc_info+0x14/0x20
[ 86.863211][ T3067]  __kasan_slab_alloc+0x94/0xcc
[ 86.863786][ T3067]  kmem_cache_alloc_node+0x150/0x2b8
[ 86.864376][ T3067]  copy_process+0x1b4/0x147c
[ 86.864910][ T3067]  kernel_clone+0x64/0x360
[ 86.865491][ T3067]  __do_sys_clone+0x70/0xa8
[ 86.866008][ T3067]  __arm64_sys_clone+0x20/0x2c
[ 86.866533][ T3067]  invoke_syscall+0x48/0x114
[ 86.867043][ T3067]  el0_svc_common.constprop.0+0x40/0xe0
[ 86.867607][ T3067]  do_el0_svc+0x1c/0x28
[ 86.868112][ T3067]  el0_svc+0x40/0x114
[ 86.868694][ T3067]  el0t_64_sync_handler+0x100/0x12c
[ 86.869343][ T3067]  el0t_64_sync+0x19c/0x1a0
[ 86.869912][ T3067]
[ 86.870301][ T3067] Freed by task 3076:
[ 86.870772][ T3067]  kasan_save_stack+0x3c/0x64
[ 86.871312][ T3067]  save_stack_info+0x38/0x118
[ 86.871881][ T3067]  kasan_save_free_info+0x18/0x24
[ 86.872441][ T3067]  ____kasan_slab_free.constprop.0+0x180/0x1c8
[ 86.873019][ T3067]  __kasan_slab_free+0x10/0x1c
[ 86.873551][ T3067]  slab_free_freelist_hook+0xac/0x1c4
[ 86.874074][ T3067]  kmem_cache_free+0x18c/0x314
[ 86.874595][ T3067]  free_task+0x54/0x80
[ 86.875082][ T3067]  __put_task_struct+0x100/0x154
[ 86.875622][ T3067]  delayed_put_task_struct+0x7c/0xa8
[ 86.876152][ T3067]  rcu_core+0x250/0x638
[ 86.876720][ T3067]  rcu_core_si+0x10/0x1c
[ 86.877240][ T3067]  __do_softirq+0x10c/0x284
[ 86.877812][ T3067]
[ 86.878212][ T3067] The buggy address belongs to the object at ffff0000039b4ec0
[ 86.878212][ T3067]  which belongs to the cache task_struct of size 4032
[ 86.879491][ T3067] The buggy address is located 176 bytes inside of
[ 86.879491][ T3067]  4032-byte region [ffff0000039b4ec0, ffff0000039b5e80)
[ 86.880423][ T3067]
[ 86.880982][ T3067] The buggy address belongs to the physical page:
[ 86.881849][ T3067] page:00000000c9817e01 refcount:1 mapcount:0 mapping:0000000000000000 index:0xf2ff0000039b4ec0 pfn:0x439b0
[ 86.883216][ T3067] head:00000000c9817e01 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 86.884125][ T3067] flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[ 86.885386][ T3067] page_type: 0xffffffff()
[ 86.886548][ T3067] raw: 01ffc00000000840 f5ff000002c39300 fffffc00000db600 dead000000000004
[ 86.887271][ T3067] raw: f2ff0000039b4ec0 0000000080080007 00000001ffffffff 0000000000000000
[ 86.887974][ T3067] page dumped because: kasan: bad access detected
[ 86.888588][ T3067]
[ 86.889069][ T3067] Memory state around the buggy address:
[ 86.889842][ T3067]  ffff0000039b4d00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
[ 86.890602][ T3067]  ffff0000039b4e00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 fe fe fe fe
[ 86.891257][ T3067] >ffff0000039b4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 86.891901][ T3067]                                         ^
[ 86.892536][ T3067]  ffff0000039b5000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 86.893165][ T3067]  ffff0000039b5100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 86.893866][ T3067] ==================================================================
[ 86.894614][ T3067] Disabling lock debugging due to kernel taint
Warning: Permanently added '[localhost]:22282' (ED25519) to the list of known hosts.
1970/01/01 00:01:51 fuzzer started
1970/01/01 00:01:53 connecting to host at localhost:36639
1970/01/01 00:01:53 checking machine...
1970/01/01 00:01:53 checking revisions...
1970/01/01 00:01:55 testing simple program...
[ 115.453614][ T3102] cgroup: Unknown subsys name 'net'
[ 115.875559][ T3102] cgroup: Unknown subsys name 'rlimit'
[ 116.588150][ T3102] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[ 116.638489][ T3099] syz-fuzzer[3099]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
executing program
[ 119.493477][ T3107] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 119.514896][ T3107] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
executing program
[ 120.784847][ T3107] hsr_slave_0: entered promiscuous mode
[ 120.842986][ T3107] hsr_slave_1: entered promiscuous mode
[ 121.895095][ T3107] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 121.969954][ T3107] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 122.047392][ T3107] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 122.123578][ T3107] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 123.291485][ T3107] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
[ 126.978337][ T3107] veth0_vlan: entered promiscuous mode
[ 127.035431][ T3107] veth1_vlan: entered promiscuous mode
[ 127.178396][ T3107] veth0_macvtap: entered promiscuous mode
[ 127.212430][ T3107] veth1_macvtap: entered promiscuous mode
[ 127.385830][ T3107] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 127.386836][ T3107] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 127.387369][ T3107] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 127.388010][ T3107] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:02:07 building call list...
[ 128.614135][ T1939] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 128.842698][ T1939] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 129.154170][ T1939] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 129.371521][ T1939] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 131.436433][ T1939] hsr_slave_0: left promiscuous mode
[ 131.491669][ T1939] hsr_slave_1: left promiscuous mode
executing program
[ 131.691035][ T1939] veth1_macvtap: left promiscuous mode
[ 131.692083][ T1939] veth0_macvtap: left promiscuous mode
[ 131.693230][ T1939] veth1_vlan: left promiscuous mode
[ 131.694277][ T1939] veth0_vlan: left promiscuous mode
[ 132.970369][ T1939] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 133.064498][ T1939] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 133.411710][ T1939] bond0 (unregistering): Released all slaves
executing program
executing program
VM DIAGNOSIS:
06:37:23 Registers:
info registers vcpu 0
CPU#0
 PC=ffff8000802ba57c X00=00000000054a00eb X01=f7ff0000039b4ec0 X02=0000000000000000
X03=0000000000000000 X04=faff0000055354b8 X05=ffff800082b3ba64 X06=0000000000000003
X07=0000000081896ff4 X08=0000000000000012 X09=0000000000000000 X10=0000000000000000
X11=0000000000000000 X12=0000000000000000 X13=0000000000000000 X14=0000000000000000
X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=0000000000000000
X19=ffff8000826d8020 X20=f6ff00000307e080 X21=0000000000000000 X22=0000000000000000
X23=f5ff000002c3bf00 X24=0000000000000300 X25=0000000000000300 X26=f6ff000002c8e4b8
X27=0000000000000000 X28=f7ff0000039b4ec0 X29=ffff800082b3bbe0 X30=62968000802bbfe4
SP=ffff800082b3bbe0 PSTATE=61400009 -ZC- EL2h SVCR=00000000 -- BTYPE=0
FPCR=00000000 FPSR=00000000
P00=0000 P01=0000 P02=0000 P03=0000
P04=0000 P05=0000 P06=0000 P07=0000
P08=0000 P09=0000 P10=0000 P11=0000
P12=0000 P13=0000 P14=0000 P15=0000
FFR=0000
Z00=2525252525252525:2525252525252525
Z01=64657a696e676f63:65726e5500733030
Z02=f00ff00ff00ff00f:f00ff00ff00ff00f
Z03=0000000000000000:00000000f0000000
Z04=f00ff00ff00ff00f:f00ff00ff00ff00f
Z05=000000000000f000:000000000000f000
Z06=0000000000000000:0000000000000000
Z07=0000000000000000:0000000000000000
Z08=0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000
Z17=0000000000000000:0000000000000000
Z18=0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000
info registers vcpu 1
CPU#1
 PC=ffff800081897954 X00=0000000000005d74 X01=ffff00007f9d07c8 X02=ffff7ffffd5d5000
X03=ffff80008287bdd0 X04=ffff7ffffd5d5000 X05=4000000000000000 X06=00000001999975c3
X07=0000000000000004 X08=faff000002d72f08 X09=f6e19e78424b7de8 X10=18e164552a86304a
X11=0000000000000001 X12=ffff80008241fee8 X13=000000000000023b X14=000000000000023b
X15=0000ffff9a7f1000 X16=ffff800081cfb4b8 X17=0000000000000000 X18=ffff800082b2bc38
X19=0000000000000001 X20=ffff80008241fe58 X21=ffff80008241fee4 X22=faff000002d71f80
X23=0000000000000000 X24=0000000000000000 X25=faff000002d71f80 X26=0000000000000000
X27=0000000000000000 X28=0000000000000000 X29=ffff80008287bdf0 X30=ffff800081897968
SP=ffff80008287bdf0 PSTATE=614000c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0
FPCR=00000000 FPSR=00000000
P00=0000 P01=0000 P02=0000 P03=0000
P04=0000 P05=0000 P06=0000 P07=0000
P08=0000 P09=0000 P10=0000 P11=0000
P12=0000 P13=0000 P14=0000 P15=0000
FFR=0000
Z00=0000000000000000:0000000000000000
Z01=0000000000000000:0000000000000000
Z02=0000000000000000:0000000000000000
Z03=0000000000000000:0000000000000000
Z04=0000000000000000:0000000000000000
Z05=0000000000000000:0000000000000000
Z06=0000000000000000:0000000000000000
Z07=0000000000000000:0000000000000000
Z08=0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000
Z17=0000000000000000:0000000000000000
Z18=0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000
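The report above is a tag-based KASAN report: the faulting pointer carries tag 0xf2 while the 16-byte granules of the task_struct object it points into carry 0xfe, the object was freed from an RCU callback (delayed_put_task_struct under rcu_core, in softirq context), and the read happens in reweight_entity on the dequeue path of wait4. The following triage helper is an added example, not code from syzkaller or the kernel: it parses exactly this report format, strips the console prefix, and cross-checks the header against the rest of the report (the 176-byte offset from the object base, the granule tag in the "Memory state" dump, which caller outside the allocator allocated and freed the object, and whether the free ran under RCU). SAMPLE is an excerpt of the report above with intermediate frames dropped; the regexes, field names and ALLOCATOR prefix list are my own assumptions about the format.

```python
"""Triage helper for a tag-based KASAN report (arm64 SW_TAGS/MTE) like the one
above.  Added example, not syzkaller or kernel code; the names are my own.
SAMPLE is an excerpt of the report above with intermediate frames dropped."""
import re
from dataclasses import dataclass, field
from typing import Dict, List
SAMPLE = """\
[   86.838440][ T3067] BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8
[   86.840612][ T3067] Read at addr f2ff0000039b4f70 by task sshd/3067
[   86.841521][ T3067] Pointer tag: [f2], memory tag: [fe]
[   86.844483][ T3067] Call trace:
[   86.847632][ T3067]  kasan_report+0x88/0xac
[   86.851497][ T3067]  reweight_entity+0x248/0x2b8
[   86.860066][ T3067]
[   86.860577][ T3067] Allocated by task 3074:
[   86.863786][ T3067]  kmem_cache_alloc_node+0x150/0x2b8
[   86.864376][ T3067]  copy_process+0x1b4/0x147c
[   86.869912][ T3067]
[   86.870301][ T3067] Freed by task 3076:
[   86.874074][ T3067]  kmem_cache_free+0x18c/0x314
[   86.874595][ T3067]  free_task+0x54/0x80
[   86.875082][ T3067]  __put_task_struct+0x100/0x154
[   86.875622][ T3067]  delayed_put_task_struct+0x7c/0xa8
[   86.876152][ T3067]  rcu_core+0x250/0x638
[   86.877240][ T3067]  __do_softirq+0x10c/0x284
[   86.877812][ T3067]
[   86.878212][ T3067] The buggy address belongs to the object at ffff0000039b4ec0
[   86.878212][ T3067]  which belongs to the cache task_struct of size 4032
[   86.891257][ T3067] >ffff0000039b4f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[ time][ Tpid] " console prefix
FRAME = re.compile(r"^\s*(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
UNTAG = (1 << 56) - 1  # top byte of a pointer is its KASAN/MTE tag; mask it off for arithmetic
ALLOCATOR = ("kasan_", "__kasan", "____kasan", "save_stack", "slab_free", "kmem_cache_", "kfree", "__kmalloc")

@dataclass
class Report:
    bug: str = ""
    site: str = ""
    cache: str = ""
    addr: int = 0
    obj_base: int = 0
    ptr_tag: int = -1
    mem_tag: int = -1
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # "fault"/"alloc"/"free" -> frames
    state: Dict[int, List[int]] = field(default_factory=dict)   # untagged row address -> 16 granule tags

def parse(text: str) -> Report:
    r, section = Report(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if not line:  # a blank line closes the current stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.site = m[1], m[2]
        elif m := re.match(r"(?:Read|Write)(?: of size \d+)? at addr ([0-9a-f]+)", line):
            r.addr = int(m[1], 16)
        elif m := re.match(r"Pointer tag: \[([0-9a-f]{2})\], memory tag: \[([0-9a-f]{2})\]", line):
            r.ptr_tag, r.mem_tag = int(m[1], 16), int(m[2], 16)
        elif line == "Call trace:":
            section = "fault"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+)", line):
            r.cache = m[1]
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r.state[int(m[1], 16) & UNTAG] = [int(t, 16) for t in m[2].split()]
        elif section and (m := FRAME.match(line)):
            r.stacks.setdefault(section, []).append(m[1])
    return r

def offset_in_object(r: Report) -> int:
    return (r.addr & UNTAG) - (r.obj_base & UNTAG)  # the report's "N bytes inside of" figure

def tag_mismatch(r: Report) -> bool:
    return r.ptr_tag >= 0 and r.ptr_tag != r.mem_tag

def memory_state_tag(r: Report) -> int:
    """Tag of the 16-byte granule holding the fault address, taken from the 'Memory state' dump."""
    a = r.addr & UNTAG
    return r.state[a & ~0xFF][(a & 0xFF) >> 4]

def freed_in_rcu_callback(r: Report) -> bool:
    """True when the free ran under rcu_core, i.e. the object was released by an RCU callback."""
    return any(f.startswith("rcu_core") for f in r.stacks.get("free", []))

def origin(frames: List[str]) -> str:
    """First frame outside KASAN/slab internals: the code that actually allocated or freed the object."""
    return next((f for f in frames if not f.startswith(ALLOCATOR)), "")
```

Running parse(SAMPLE) and the helpers on this report gives an offset of 176, a pointer/memory tag mismatch, 0xfe for the granule at the fault address, an allocation origin of copy_process and a free origin of free_task, with the free confirmed to have run from an RCU callback. Tag-based KASAN reports no access size, so the Read/Write regex treats "of size N" as optional and the same parser also works on generic-mode reports; the two addresses are masked with UNTAG before subtracting because the faulting pointer (tag 0xf2) and the object address (tag 0xff) differ only in their top byte.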