./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1020970560 <...> Warning: Permanently added '10.128.1.63' (ED25519) to the list of known hosts. execve("./syz-executor1020970560", ["./syz-executor1020970560"], 0x7ffd46a16a50 /* 10 vars */) = 0 brk(NULL) = 0x55558623b000 brk(0x55558623bd00) = 0x55558623bd00 arch_prctl(ARCH_SET_FS, 0x55558623b380) = 0 set_tid_address(0x55558623b650) = 5226 set_robust_list(0x55558623b660, 24) = 0 rseq(0x55558623bca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1020970560", 4096) = 28 getrandom("\xf2\x7b\x4b\x99\xd2\xc8\x93\x8c", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558623bd00 brk(0x55558625cd00) = 0x55558625cd00 brk(0x55558625d000) = 0x55558625d000 mprotect(0x7fd4b68eb000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5227 attached [pid 5227] set_robust_list(0x55558623b660, 24 [pid 5226] <... clone resumed>, child_tidptr=0x55558623b650) = 5227 [pid 5227] <... set_robust_list resumed>) = 0 [pid 5227] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5227] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5227] setsid() = 1 [pid 5227] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5227] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5227] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5227] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5227] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5227] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5227] unshare(CLONE_NEWNS) = 0 [pid 5227] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5227] unshare(CLONE_NEWIPC) = 0 [pid 5227] unshare(CLONE_NEWCGROUP) = 0 [pid 5227] unshare(CLONE_NEWUTS) = 0 [pid 5227] unshare(CLONE_SYSVSEM) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "16777216", 8) = 8 [pid 5227] close(3) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "536870912", 9) = 9 [pid 5227] close(3) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "1024", 4) = 4 [pid 5227] close(3) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "8192", 4) = 4 [pid 5227] close(3) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "1024", 4) = 4 [pid 5227] close(3) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "1024", 4) = 4 [pid 5227] close(3) = 0 [pid 5227] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5227] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5227] close(3) = 0 [pid 5227] getpid() = 1 [pid 5227] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5237] set_robust_list(0x55558623b660, 24 [pid 5227] <... clone resumed>, child_tidptr=0x55558623b650) = 2 [pid 5237] <... set_robust_list resumed>) = 0 [pid 5237] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5237] setpgid(0, 0) = 0 [pid 5237] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5237] write(3, "1000", 4) = 4 [pid 5237] close(3) = 0 [pid 5237] write(1, "executing program\n", 18executing program ) = 18 [pid 5237] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 3 [pid 5237] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5237] sendto(4, [{nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00"], 32, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 32 [pid 5237] recvfrom(4, [{nlmsg_len=996, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=2}, "\x01\x02\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00\x06\x00\x01\x00\x16\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x00\x00\x00\x00\x88\x03\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00"...], 4096, 0, NULL, NULL) = 996 [pid 5237] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=2}, {error=0, msg={nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5237] close(4) = 0 [pid 5237] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5237] ioctl(4, SIOCGIFINDEX, {ifr_name="vcan0", ifr_ifindex=13}) = 0 [pid 5237] sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x20\x00\x00\x00\x16\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x0c\x00\x01\x80\x08\x00\x01\x00\x0d\x00\x00\x00", iov_len=32}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 32 [ 68.766056][ T5237] [ 68.768499][ T5237] ================================================ [ 68.774984][ T5237] WARNING: lock held when returning to user space! [ 68.781476][ T5237] 6.11.0-rc4-syzkaller-00565-gf9db28bb09f4 #0 Not tainted [ 68.788568][ T5237] ------------------------------------------------ [ 68.795044][ T5237] syz-executor102/5237 is leaving the kernel with locks still held! [ 68.803001][ T5237] 1 lock held by syz-executor102/5237: [pid 5237] close(3) = 0 [pid 5237] close(4) = 0 [pid 5237] close(5) = -1 EBADF (Bad file descriptor) [pid 5237] close(6) = -1 EBADF (Bad file descriptor) [pid 5237] close(7) = -1 EBADF (Bad file descriptor) [pid 5237] close(8) = -1 EBADF (Bad file descriptor) [pid 5237] close(9) = -1 EBADF (Bad file descriptor) [pid 5237] close(10) = -1 EBADF (Bad file descriptor) [pid 5237] close(11) = -1 EBADF (Bad file descriptor) [pid 5237] close(12) = -1 EBADF (Bad file descriptor) [pid 5237] close(13) = -1 EBADF (Bad file descriptor) [ 68.808439][ T5237] #0: ffffffff8fc84b88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_act_cable_test+0x187/0x3f0 [pid 5237] close(14) = -1 EBADF (Bad file descriptor) [pid 5237] close(15) = -1 EBADF (Bad file descriptor) [pid 5237] close(16) = -1 EBADF (Bad file descriptor) [pid 5237] close(17) = -1 EBADF (Bad file descriptor) [pid 5237] close(18) = -1 EBADF (Bad file descriptor) [pid 5237] close(19) = -1 EBADF (Bad file descriptor) [pid 5237] close(20) = -1 EBADF (Bad file descriptor) [pid 5237] close(21) = -1 EBADF (Bad file descriptor) [pid 5237] close(22) = -1 EBADF (Bad file descriptor) [pid 5237] close(23) = -1 EBADF (Bad file descriptor) [pid 5237] close(24) = -1 EBADF (Bad file descriptor) [pid 5237] close(25) = -1 EBADF (Bad file descriptor) [pid 5237] close(26) = -1 EBADF (Bad file descriptor) [pid 5237] close(27) = -1 EBADF (Bad file descriptor) [pid 5237] close(28) = -1 EBADF (Bad file descriptor) [pid 5237] close(29) = -1 EBADF (Bad file descriptor) [pid 5237] exit_group(0) = ? [pid 5237] +++ exited with 0 +++ [pid 5227] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5227] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 5227] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5238 attached , child_tidptr=0x55558623b650) = 3 [pid 5238] set_robust_list(0x55558623b660, 24) = 0 [pid 5238] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5238] setpgid(0, 0) = 0 [pid 5238] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5238] write(3, "1000", 4) = 4 [pid 5238] close(3) = 0 [pid 5238] write(1, "executing program\n", 18executing program ) = 18 [pid 5238] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 3 [pid 5238] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5238] sendto(4, [{nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00"], 32, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 32 [pid 5238] recvfrom(4, [{nlmsg_len=996, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=3}, "\x01\x02\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00\x06\x00\x01\x00\x16\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x00\x00\x00\x00\x88\x03\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00"...], 4096, 0, NULL, NULL) = 996 [pid 5238] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3}, {error=0, msg={nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5238] close(4) = 0 [pid 5238] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5238] ioctl(4, SIOCGIFINDEX, {ifr_name="vcan0", ifr_ifindex=13}) = 0 [ 69.004894][ T5238] ================================================================== [ 69.012985][ T5238] BUG: KASAN: slab-use-after-free in __mutex_lock+0xcf5/0xd70 [ 69.020432][ T5238] Read of size 4 at addr ffff888029963c34 by task syz-executor102/5238 [ 69.028649][ T5238] [ 69.030975][ T5238] CPU: 0 UID: 0 PID: 5238 Comm: syz-executor102 Not tainted 6.11.0-rc4-syzkaller-00565-gf9db28bb09f4 #0 [ 69.042103][ T5238] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 [ 69.052172][ T5238] Call Trace: [ 69.055436][ T5238] [ 69.058392][ T5238] dump_stack_lvl+0x241/0x360 [ 69.063057][ T5238] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.068256][ T5238] ? __pfx__printk+0x10/0x10 [ 69.072844][ T5238] ? _printk+0xd5/0x120 [ 69.076986][ T5238] ? __virt_addr_valid+0x183/0x530 [ 69.082104][ T5238] ? __virt_addr_valid+0x183/0x530 [ 69.087211][ T5238] print_report+0x169/0x550 [ 69.091864][ T5238] ? __virt_addr_valid+0x183/0x530 [ 69.096954][ T5238] ? __virt_addr_valid+0x183/0x530 [ 69.102047][ T5238] ? __virt_addr_valid+0x45f/0x530 [ 69.107161][ T5238] ? __phys_addr+0xba/0x170 [ 69.111662][ T5238] ? __mutex_lock+0xcf5/0xd70 [ 69.116332][ T5238] kasan_report+0x143/0x180 [ 69.120837][ T5238] ? __mutex_lock+0xcf5/0xd70 [ 69.125506][ T5238] __mutex_lock+0xcf5/0xd70 [ 69.129998][ T5238] ? netdev_get_by_index+0x7a/0xb0 [ 69.135100][ T5238] ? ethnl_parse_header_dev_get+0x690/0x990 [ 69.140977][ T5238] ? ethnl_act_cable_test+0x187/0x3f0 [ 69.146351][ T5238] ? __pfx___mutex_lock+0x10/0x10 [ 69.151405][ T5238] ethnl_act_cable_test+0x187/0x3f0 [ 69.156628][ T5238] ? __pfx_ethnl_act_cable_test+0x10/0x10 [ 69.162345][ T5238] ? genl_family_rcv_msg_attrs_parse+0x1d1/0x290 [ 69.168698][ T5238] genl_rcv_msg+0xb14/0xec0 [ 69.173206][ T5238] ? __pfx_genl_rcv_msg+0x10/0x10 [ 69.178245][ T5238] ? do_syscall_64+0xf3/0x230 [ 69.182920][ T5238] ? rcu_is_watching+0x15/0xb0 [ 69.187690][ T5238] ? __pfx_lock_acquire+0x10/0x10 [ 69.192715][ T5238] ? __pfx_ethnl_act_cable_test+0x10/0x10 [ 69.198886][ T5238] ? __pfx___might_resched+0x10/0x10 [ 69.204186][ T5238] netlink_rcv_skb+0x1e3/0x430 [ 69.208970][ T5238] ? __pfx_genl_rcv_msg+0x10/0x10 [ 69.213986][ T5238] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 69.219260][ T5238] ? lock_release+0xbf/0xa30 [ 69.223849][ T5238] ? __netlink_deliver_tap+0x77e/0x7c0 [ 69.229576][ T5238] genl_rcv+0x28/0x40 [ 69.233589][ T5238] netlink_unicast+0x7f6/0x990 [ 69.238461][ T5238] ? __pfx_netlink_unicast+0x10/0x10 [ 69.243755][ T5238] ? __virt_addr_valid+0x183/0x530 [ 69.248874][ T5238] ? __check_object_size+0x49c/0x900 [ 69.254151][ T5238] ? bpf_lsm_netlink_send+0x9/0x10 [ 69.259265][ T5238] netlink_sendmsg+0x8e4/0xcb0 [ 69.264055][ T5238] ? __pfx_netlink_sendmsg+0x10/0x10 [ 69.269343][ T5238] ? __import_iovec+0x536/0x820 [ 69.274200][ T5238] ? aa_sock_msg_perm+0x91/0x160 [ 69.279129][ T5238] ? bpf_lsm_socket_sendmsg+0x9/0x10 [ 69.284407][ T5238] ? security_socket_sendmsg+0x87/0xb0 [ 69.289862][ T5238] ? __pfx_netlink_sendmsg+0x10/0x10 [ 69.295157][ T5238] __sock_sendmsg+0x221/0x270 [ 69.299822][ T5238] ____sys_sendmsg+0x525/0x7d0 [ 69.304606][ T5238] ? __pfx_____sys_sendmsg+0x10/0x10 [ 69.309898][ T5238] ? do_raw_spin_lock+0x14f/0x370 [ 69.314919][ T5238] __sys_sendmsg+0x2b0/0x3a0 [ 69.319500][ T5238] ? __pfx___sys_sendmsg+0x10/0x10 [ 69.324621][ T5238] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.330950][ T5238] ? _raw_spin_unlock_irq+0x2e/0x50 [ 69.336147][ T5238] ? ptrace_notify+0x279/0x380 [ 69.340903][ T5238] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.347230][ T5238] ? rcu_is_watching+0x15/0xb0 [ 69.351991][ T5238] do_syscall_64+0xf3/0x230 [ 69.356505][ T5238] ? clear_bhb_loop+0x35/0x90 [ 69.361184][ T5238] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.367101][ T5238] RIP: 0033:0x7fd4b6872f89 [ 69.371524][ T5238] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.391122][ T5238] RSP: 002b:00007fff62b87d58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 69.399521][ T5238] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fd4b6872f89 [ 69.407593][ T5238] RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003 [ 69.415573][ T5238] RBP: 00000000000f4240 R08: 0000000000000001 R09: 0000000000000001 [ 69.423542][ T5238] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff62b87db0 [ 69.431495][ T5238] R13: 0000000000010c5f R14: 00007fff62b87d7c R15: 00007fff62b87d90 [ 69.439457][ T5238] [ 69.442455][ T5238] [ 69.444791][ T5238] Allocated by task 5227: [ 69.449100][ T5238] kasan_save_track+0x3f/0x80 [ 69.453760][ T5238] __kasan_slab_alloc+0x66/0x80 [ 69.458595][ T5238] kmem_cache_alloc_node_noprof+0x16b/0x320 [ 69.464477][ T5238] dup_task_struct+0x57/0x8c0 [ 69.469175][ T5238] copy_process+0x5d1/0x3e10 [ 69.473745][ T5238] kernel_clone+0x226/0x8f0 [ 69.478229][ T5238] __x64_sys_clone+0x258/0x2a0 [ 69.482972][ T5238] do_syscall_64+0xf3/0x230 [ 69.487454][ T5238] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.493342][ T5238] [ 69.495643][ T5238] Freed by task 16: [ 69.499435][ T5238] kasan_save_track+0x3f/0x80 [ 69.504092][ T5238] kasan_save_free_info+0x40/0x50 [ 69.509107][ T5238] poison_slab_object+0xe0/0x150 [ 69.514025][ T5238] __kasan_slab_free+0x37/0x60 [ 69.518768][ T5238] kmem_cache_free+0x145/0x350 [ 69.523509][ T5238] delayed_put_task_struct+0x125/0x300 [ 69.528972][ T5238] rcu_core+0xafd/0x1830 [ 69.533196][ T5238] handle_softirqs+0x2c4/0x970 [ 69.537953][ T5238] run_ksoftirqd+0xca/0x130 [ 69.542442][ T5238] smpboot_thread_fn+0x544/0xa30 [ 69.547377][ T5238] kthread+0x2f0/0x390 [ 69.551438][ T5238] ret_from_fork+0x4b/0x80 [ 69.555967][ T5238] ret_from_fork_asm+0x1a/0x30 [ 69.560723][ T5238] [ 69.563040][ T5238] Last potentially related work creation: [ 69.568777][ T5238] kasan_save_stack+0x3f/0x60 [ 69.573633][ T5238] __kasan_record_aux_stack+0xac/0xc0 [ 69.579044][ T5238] call_rcu+0x167/0xa70 [ 69.583216][ T5238] release_task+0x16ec/0x1830 [ 69.587887][ T5238] wait_consider_task+0x1a14/0x2e60 [ 69.593089][ T5238] __do_wait+0x1b0/0x850 [ 69.597318][ T5238] do_wait+0x1e9/0x560 [ 69.601395][ T5238] kernel_wait4+0x2a7/0x3e0 [ 69.605874][ T5238] __x64_sys_wait4+0x134/0x1e0 [ 69.610620][ T5238] do_syscall_64+0xf3/0x230 [ 69.615132][ T5238] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.621009][ T5238] [ 69.623340][ T5238] The buggy address belongs to the object at ffff888029963c00 [ 69.623340][ T5238] which belongs to the cache task_struct of size 7424 [ 69.637490][ T5238] The buggy address is located 52 bytes inside of [ 69.637490][ T5238] freed 7424-byte region [ffff888029963c00, ffff888029965900) [ 69.651923][ T5238] [ 69.654241][ T5238] The buggy address belongs to the physical page: [ 69.660642][ T5238] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29960 [ 69.669581][ T5238] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 69.678098][ T5238] ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 69.686004][ T5238] page_type: 0xfdffffff(slab) [ 69.690682][ T5238] raw: 00fff00000000040 ffff8880166fd500 ffffea0000a67c00 dead000000000003 [ 69.699277][ T5238] raw: 0000000000000000 0000000080040004 00000001fdffffff 0000000000000000 [ 69.707891][ T5238] head: 00fff00000000040 ffff8880166fd500 ffffea0000a67c00 dead000000000003 [ 69.716560][ T5238] head: 0000000000000000 0000000080040004 00000001fdffffff 0000000000000000 [ 69.725223][ T5238] head: 00fff00000000003 ffffea0000a65801 ffffffffffffffff 0000000000000000 [ 69.733881][ T5238] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 69.742566][ T5238] page dumped because: kasan: bad access detected [ 69.748998][ T5238] page_owner tracks the page as allocated [ 69.754694][ T5238] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 11371947020, free_ts 0 [ 69.774313][ T5238] post_alloc_hook+0x1f3/0x230 [ 69.779068][ T5238] get_page_from_freelist+0x2e4c/0x2f10 [ 69.784632][ T5238] __alloc_pages_noprof+0x256/0x6c0 [ 69.789835][ T5238] alloc_slab_page+0x5f/0x120 [ 69.794512][ T5238] allocate_slab+0x5a/0x2f0 [ 69.799027][ T5238] ___slab_alloc+0xcd1/0x14b0 [ 69.803725][ T5238] __slab_alloc+0x58/0xa0 [ 69.808044][ T5238] kmem_cache_alloc_node_noprof+0x1fe/0x320 [ 69.813935][ T5238] dup_task_struct+0x57/0x8c0 [ 69.818621][ T5238] copy_process+0x5d1/0x3e10 [ 69.823205][ T5238] kernel_clone+0x226/0x8f0 [ 69.827769][ T5238] kernel_thread+0x1bc/0x240 [ 69.832356][ T5238] kthreadd+0x60d/0x810 [ 69.836518][ T5238] ret_from_fork+0x4b/0x80 [ 69.840940][ T5238] ret_from_fork_asm+0x1a/0x30 [ 69.845693][ T5238] page_owner free stack trace missing [ 69.851126][ T5238] [ 69.853433][ T5238] Memory state around the buggy address: [ 69.859043][ T5238] ffff888029963b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 69.867115][ T5238] ffff888029963b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 69.875247][ T5238] >ffff888029963c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.883332][ T5238] ^ [ 69.888958][ T5238] ffff888029963c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.897010][ T5238] ffff888029963d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.905352][ T5238] ================================================================== [ 69.914409][ T5238] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 69.921649][ T5238] CPU: 0 UID: 0 PID: 5238 Comm: syz-executor102 Not tainted 6.11.0-rc4-syzkaller-00565-gf9db28bb09f4 #0 [ 69.932766][ T5238] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 [ 69.942854][ T5238] Call Trace: [ 69.946145][ T5238] [ 69.949083][ T5238] dump_stack_lvl+0x241/0x360 [ 69.953754][ T5238] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.958954][ T5238] ? __pfx__printk+0x10/0x10 [ 69.963530][ T5238] ? rcu_is_watching+0x15/0xb0 [ 69.968285][ T5238] ? vscnprintf+0x5d/0x90 [ 69.972602][ T5238] panic+0x349/0x860 [ 69.976483][ T5238] ? check_panic_on_warn+0x21/0xb0 [ 69.981588][ T5238] ? __pfx_panic+0x10/0x10 [ 69.985989][ T5238] ? trace_irq_enable+0x2c/0x120 [ 69.990917][ T5238] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 69.996802][ T5238] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 70.002690][ T5238] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 70.009008][ T5238] ? print_report+0x502/0x550 [ 70.013686][ T5238] check_panic_on_warn+0x86/0xb0 [ 70.018608][ T5238] ? __mutex_lock+0xcf5/0xd70 [ 70.023271][ T5238] end_report+0x77/0x160 [ 70.027502][ T5238] kasan_report+0x154/0x180 [ 70.031997][ T5238] ? __mutex_lock+0xcf5/0xd70 [ 70.036659][ T5238] __mutex_lock+0xcf5/0xd70 [ 70.041149][ T5238] ? netdev_get_by_index+0x7a/0xb0 [ 70.046251][ T5238] ? ethnl_parse_header_dev_get+0x690/0x990 [ 70.052129][ T5238] ? ethnl_act_cable_test+0x187/0x3f0 [ 70.057494][ T5238] ? __pfx___mutex_lock+0x10/0x10 [ 70.062509][ T5238] ethnl_act_cable_test+0x187/0x3f0 [ 70.067697][ T5238] ? __pfx_ethnl_act_cable_test+0x10/0x10 [ 70.073406][ T5238] ? genl_family_rcv_msg_attrs_parse+0x1d1/0x290 [ 70.079740][ T5238] genl_rcv_msg+0xb14/0xec0 [ 70.084257][ T5238] ? __pfx_genl_rcv_msg+0x10/0x10 [ 70.089283][ T5238] ? do_syscall_64+0xf3/0x230 [ 70.093959][ T5238] ? rcu_is_watching+0x15/0xb0 [ 70.098721][ T5238] ? __pfx_lock_acquire+0x10/0x10 [ 70.103734][ T5238] ? __pfx_ethnl_act_cable_test+0x10/0x10 [ 70.109447][ T5238] ? __pfx___might_resched+0x10/0x10 [ 70.114724][ T5238] netlink_rcv_skb+0x1e3/0x430 [ 70.119493][ T5238] ? __pfx_genl_rcv_msg+0x10/0x10 [ 70.124520][ T5238] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 70.129801][ T5238] ? lock_release+0xbf/0xa30 [ 70.134396][ T5238] ? __netlink_deliver_tap+0x77e/0x7c0 [ 70.139845][ T5238] genl_rcv+0x28/0x40 [ 70.143817][ T5238] netlink_unicast+0x7f6/0x990 [ 70.148578][ T5238] ? __pfx_netlink_unicast+0x10/0x10 [ 70.153853][ T5238] ? __virt_addr_valid+0x183/0x530 [ 70.158953][ T5238] ? __check_object_size+0x49c/0x900 [ 70.164225][ T5238] ? bpf_lsm_netlink_send+0x9/0x10 [ 70.169344][ T5238] netlink_sendmsg+0x8e4/0xcb0 [ 70.174127][ T5238] ? __pfx_netlink_sendmsg+0x10/0x10 [ 70.179418][ T5238] ? __import_iovec+0x536/0x820 [ 70.184271][ T5238] ? aa_sock_msg_perm+0x91/0x160 [ 70.189216][ T5238] ? bpf_lsm_socket_sendmsg+0x9/0x10 [ 70.194504][ T5238] ? security_socket_sendmsg+0x87/0xb0 [ 70.199967][ T5238] ? __pfx_netlink_sendmsg+0x10/0x10 [ 70.205242][ T5238] __sock_sendmsg+0x221/0x270 [ 70.209916][ T5238] ____sys_sendmsg+0x525/0x7d0 [ 70.214685][ T5238] ? __pfx_____sys_sendmsg+0x10/0x10 [ 70.219962][ T5238] ? do_raw_spin_lock+0x14f/0x370 [ 70.224975][ T5238] __sys_sendmsg+0x2b0/0x3a0 [ 70.229650][ T5238] ? __pfx___sys_sendmsg+0x10/0x10 [ 70.234752][ T5238] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.241080][ T5238] ? _raw_spin_unlock_irq+0x2e/0x50 [ 70.246274][ T5238] ? ptrace_notify+0x279/0x380 [ 70.251032][ T5238] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.257348][ T5238] ? rcu_is_watching+0x15/0xb0 [ 70.262153][ T5238] do_syscall_64+0xf3/0x230 [ 70.266712][ T5238] ? clear_bhb_loop+0x35/0x90 [ 70.271529][ T5238] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.277528][ T5238] RIP: 0033:0x7fd4b6872f89 [ 70.281942][ T5238] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 70.301591][ T5238] RSP: 002b:00007fff62b87d58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 70.310114][ T5238] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fd4b6872f89 [ 70.318084][ T5238] RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003 [ 70.326043][ T5238] RBP: 00000000000f4240 R08: 0000000000000001 R09: 0000000000000001 [ 70.334009][ T5238] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff62b87db0 [ 70.341967][ T5238] R13: 0000000000010c5f R14: 00007fff62b87d7c R15: 00007fff62b87d90 [ 70.349935][ T5238] [ 70.353352][ T5238] Kernel Offset: disabled [ 70.357681][ T5238] Rebooting in 86400 seconds..