./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor936983969 <...> Warning: Permanently added '10.128.1.165' (ED25519) to the list of known hosts. execve("./syz-executor936983969", ["./syz-executor936983969"], 0x7fff5b1f9230 /* 10 vars */) = 0 brk(NULL) = 0x555569c11000 brk(0x555569c11d00) = 0x555569c11d00 arch_prctl(ARCH_SET_FS, 0x555569c11380) = 0 set_tid_address(0x555569c11650) = 5817 set_robust_list(0x555569c11660, 24) = 0 rseq(0x555569c11ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor936983969", 4096) = 27 getrandom("\x76\xdc\x19\xc9\x78\x1e\x3f\xee", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555569c11d00 brk(0x555569c32d00) = 0x555569c32d00 brk(0x555569c33000) = 0x555569c33000 mprotect(0x7fe59a8dd000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5818 attached [pid 5818] set_robust_list(0x555569c11660, 24 [pid 5817] <... clone resumed>, child_tidptr=0x555569c11650) = 5818 [pid 5818] <... set_robust_list resumed>) = 0 [pid 5818] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5818] setpgid(0, 0) = 0 [pid 5818] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5818] write(3, "1000", 4) = 4 [pid 5818] close(3) = 0 executing program [pid 5818] write(1, "executing program\n", 18) = 18 [pid 5818] openat(AT_FDCWD, "/dev/ubi_ctrl", O_RDONLY) = 3 [ 59.673299][ T5818] ubi0: attaching mtd0 [ 59.678558][ T5818] ubi0: scanning is finished [ 59.683233][ T5818] ubi0: empty MTD device detected [ 59.716690][ T5818] ubi0: attached mtd0 (name "mtdram test device", size 0 MiB) [ 59.724308][ T5818] ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes [ 59.731528][ T5818] ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 [ 59.738524][ T5818] ubi0: VID header offset: 64 (aligned 64), data offset: 128 [ 59.745942][ T5818] ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 [ 59.752773][ T5818] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 [pid 5818] ioctl(3, UBI_IOCATT, {ubi_num=0, mtd_num=0, vid_hdr_offset=0, max_beb_per1024=0} => [0]) = 0 [pid 5818] openat(AT_FDCWD, "/dev/ubi_ctrl", O_RDONLY) = 4 [pid 5818] ioctl(4, UBI_IOCDET, [0]) = 0 [pid 5818] exit_group(0) = ? [pid 5818] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5818, si_uid=0, si_status=0, si_utime=0, si_stime=10 /* 0.10 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 [ 59.760768][ T5818] ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 90351234 [ 59.770655][ T5818] ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 [ 59.781269][ T5819] ubi0: background thread "ubi_bgt0d" started, PID 5819 [ 59.803209][ T5818] ubi0: detaching mtd0 [ 59.809823][ T5818] ubi0: mtd0 is detached clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5821 attached , child_tidptr=0x555569c11650) = 5821 [pid 5821] set_robust_list(0x555569c11660, 24) = 0 [pid 5821] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5821] setpgid(0, 0) = 0 [pid 5821] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5821] write(3, "1000", 4) = 4 [pid 5821] close(3) = 0 [pid 5821] write(1, "executing program\n", 18executing program ) = 18 [pid 5821] openat(AT_FDCWD, "/dev/ubi_ctrl", O_RDONLY) = 3 [ 59.904138][ T5821] ubi0: attaching mtd0 [ 59.908870][ T5821] ubi0: scanning is finished [ 59.913953][ T5821] ================================================================== [ 59.922003][ T5821] BUG: KASAN: slab-use-after-free in notifier_chain_register+0x141/0x3f0 [ 59.930426][ T5821] Read of size 4 at addr ffff888030b698d8 by task syz-executor936/5821 [ 59.938646][ T5821] [ 59.940967][ T5821] CPU: 1 UID: 0 PID: 5821 Comm: syz-executor936 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0 [ 59.952055][ T5821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 59.962105][ T5821] Call Trace: [ 59.965371][ T5821] [ 59.968287][ T5821] dump_stack_lvl+0x241/0x360 [ 59.972953][ T5821] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.978138][ T5821] ? __pfx__printk+0x10/0x10 [ 59.982712][ T5821] ? _printk+0xd5/0x120 [ 59.986853][ T5821] ? __virt_addr_valid+0x183/0x530 [ 59.991947][ T5821] ? __virt_addr_valid+0x183/0x530 [ 59.997040][ T5821] print_report+0x169/0x550 [ 60.001528][ T5821] ? __virt_addr_valid+0x183/0x530 [ 60.006624][ T5821] ? __virt_addr_valid+0x183/0x530 [ 60.011714][ T5821] ? __virt_addr_valid+0x45f/0x530 [ 60.016826][ T5821] ? __phys_addr+0xba/0x170 [ 60.021318][ T5821] ? notifier_chain_register+0x141/0x3f0 [ 60.026945][ T5821] kasan_report+0x143/0x180 [ 60.031443][ T5821] ? notifier_chain_register+0x141/0x3f0 [ 60.037069][ T5821] notifier_chain_register+0x141/0x3f0 [ 60.042518][ T5821] blocking_notifier_chain_register+0x61/0xc0 [ 60.048570][ T5821] ubi_wl_init+0x3396/0x3720 [ 60.053158][ T5821] ubi_attach+0x3e01/0x5b80 [ 60.057664][ T5821] ? __pfx_ubi_attach+0x10/0x10 [ 60.062503][ T5821] ? ubi_attach_mtd_dev+0x19fa/0x3540 [ 60.067864][ T5821] ubi_attach_mtd_dev+0x1a3a/0x3540 [ 60.073069][ T5821] ctrl_cdev_ioctl+0x346/0x570 [ 60.077833][ T5821] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 60.083110][ T5821] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 60.089445][ T5821] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 60.094723][ T5821] __se_sys_ioctl+0xf5/0x170 [ 60.099314][ T5821] do_syscall_64+0xf3/0x230 [ 60.103821][ T5821] ? clear_bhb_loop+0x35/0x90 [ 60.108488][ T5821] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 60.114367][ T5821] RIP: 0033:0x7fe59a86aa79 [ 60.118776][ T5821] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.138370][ T5821] RSP: 002b:00007ffdfa89fa18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 60.146766][ T5821] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe59a86aa79 [ 60.154722][ T5821] RDX: 0000000020000502 RSI: 0000000040186f40 RDI: 0000000000000003 [ 60.162683][ T5821] RBP: 000000000000e8cb R08: 0000000000000006 R09: 0000000000000006 [ 60.170660][ T5821] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdfa89fa2c [ 60.178616][ T5821] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 60.186575][ T5821] [ 60.189580][ T5821] [ 60.191907][ T5821] Allocated by task 5818: [ 60.196225][ T5821] kasan_save_track+0x3f/0x80 [ 60.200898][ T5821] __kasan_kmalloc+0x98/0xb0 [ 60.205485][ T5821] __kmalloc_cache_noprof+0x243/0x390 [ 60.210842][ T5821] ubi_attach_mtd_dev+0x552/0x3540 [ 60.215945][ T5821] ctrl_cdev_ioctl+0x346/0x570 [ 60.220701][ T5821] __se_sys_ioctl+0xf5/0x170 [ 60.225278][ T5821] do_syscall_64+0xf3/0x230 [ 60.229775][ T5821] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 60.235656][ T5821] [ 60.237958][ T5821] Freed by task 5818: [ 60.241913][ T5821] kasan_save_track+0x3f/0x80 [ 60.246576][ T5821] kasan_save_free_info+0x40/0x50 [ 60.251607][ T5821] __kasan_slab_free+0x59/0x70 [ 60.256358][ T5821] kfree+0x196/0x430 [ 60.260251][ T5821] device_release+0x99/0x1c0 [ 60.264845][ T5821] kobject_put+0x22f/0x480 [ 60.269246][ T5821] ubi_detach_mtd_dev+0x347/0x480 [ 60.274279][ T5821] ctrl_cdev_ioctl+0x231/0x570 [ 60.279032][ T5821] __se_sys_ioctl+0xf5/0x170 [ 60.283612][ T5821] do_syscall_64+0xf3/0x230 [ 60.288101][ T5821] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 60.293981][ T5821] [ 60.296290][ T5821] The buggy address belongs to the object at ffff888030b68000 [ 60.296290][ T5821] which belongs to the cache kmalloc-8k of size 8192 [ 60.310328][ T5821] The buggy address is located 6360 bytes inside of [ 60.310328][ T5821] freed 8192-byte region [ffff888030b68000, ffff888030b6a000) [ 60.324298][ T5821] [ 60.326610][ T5821] The buggy address belongs to the physical page: [ 60.333008][ T5821] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30b68 [ 60.341770][ T5821] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 60.350255][ T5821] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 60.358223][ T5821] page_type: f5(slab) [ 60.362187][ T5821] raw: 00fff00000000040 ffff88801ac42280 0000000000000000 dead000000000001 [ 60.370752][ T5821] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 60.379321][ T5821] head: 00fff00000000040 ffff88801ac42280 0000000000000000 dead000000000001 [ 60.387972][ T5821] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 60.396624][ T5821] head: 00fff00000000003 ffffea0000c2da01 ffffffffffffffff 0000000000000000 [ 60.405278][ T5821] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 60.413925][ T5821] page dumped because: kasan: bad access detected [ 60.420320][ T5821] page_owner tracks the page as allocated [ 60.426013][ T5821] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 11714942856, free_ts 0 [ 60.445719][ T5821] post_alloc_hook+0x1f3/0x230 [ 60.450467][ T5821] get_page_from_freelist+0x3651/0x37a0 [ 60.455996][ T5821] __alloc_pages_noprof+0x292/0x710 [ 60.461177][ T5821] alloc_pages_mpol_noprof+0x3e8/0x680 [ 60.466623][ T5821] alloc_slab_page+0x6a/0x110 [ 60.471279][ T5821] allocate_slab+0x5a/0x2b0 [ 60.475778][ T5821] ___slab_alloc+0xc27/0x14a0 [ 60.480462][ T5821] __slab_alloc+0x58/0xa0 [ 60.484802][ T5821] __kmalloc_cache_noprof+0x27b/0x390 [ 60.490170][ T5821] cryptomgr_notify+0x84/0xb10 [ 60.494922][ T5821] notifier_call_chain+0x1a5/0x3f0 [ 60.500030][ T5821] blocking_notifier_call_chain+0x69/0x90 [ 60.505753][ T5821] crypto_alg_mod_lookup+0x372/0x760 [ 60.511023][ T5821] crypto_alloc_tfm_node+0x130/0x360 [ 60.516291][ T5821] seg6_hmac_init+0x113/0x3c0 [ 60.520950][ T5821] seg6_init+0x8d/0xf0 [ 60.525012][ T5821] page_owner free stack trace missing [ 60.530357][ T5821] [ 60.532670][ T5821] Memory state around the buggy address: [ 60.538279][ T5821] ffff888030b69780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.546320][ T5821] ffff888030b69800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.554373][ T5821] >ffff888030b69880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.562418][ T5821] ^ [ 60.569329][ T5821] ffff888030b69900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.577369][ T5821] ffff888030b69980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.585407][ T5821] ================================================================== [ 60.594092][ T5821] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 60.601298][ T5821] CPU: 1 UID: 0 PID: 5821 Comm: syz-executor936 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0 [ 60.612405][ T5821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 60.622447][ T5821] Call Trace: [ 60.625706][ T5821] [ 60.628616][ T5821] dump_stack_lvl+0x241/0x360 [ 60.633282][ T5821] ? __pfx_dump_stack_lvl+0x10/0x10 [ 60.638461][ T5821] ? __pfx__printk+0x10/0x10 [ 60.643032][ T5821] ? preempt_schedule+0xe1/0xf0 [ 60.647869][ T5821] ? vscnprintf+0x5d/0x90 [ 60.652181][ T5821] panic+0x349/0x880 [ 60.656063][ T5821] ? check_panic_on_warn+0x21/0xb0 [ 60.661164][ T5821] ? __pfx_panic+0x10/0x10 [ 60.665567][ T5821] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 60.671534][ T5821] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 60.677845][ T5821] ? print_report+0x502/0x550 [ 60.682509][ T5821] check_panic_on_warn+0x86/0xb0 [ 60.687425][ T5821] ? notifier_chain_register+0x141/0x3f0 [ 60.693050][ T5821] end_report+0x77/0x160 [ 60.697284][ T5821] kasan_report+0x154/0x180 [ 60.701780][ T5821] ? notifier_chain_register+0x141/0x3f0 [ 60.707400][ T5821] notifier_chain_register+0x141/0x3f0 [ 60.712847][ T5821] blocking_notifier_chain_register+0x61/0xc0 [ 60.718894][ T5821] ubi_wl_init+0x3396/0x3720 [ 60.723471][ T5821] ubi_attach+0x3e01/0x5b80 [ 60.727960][ T5821] ? __pfx_ubi_attach+0x10/0x10 [ 60.732793][ T5821] ? ubi_attach_mtd_dev+0x19fa/0x3540 [ 60.738150][ T5821] ubi_attach_mtd_dev+0x1a3a/0x3540 [ 60.743339][ T5821] ctrl_cdev_ioctl+0x346/0x570 [ 60.748084][ T5821] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 60.753352][ T5821] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 60.759659][ T5821] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 60.764929][ T5821] __se_sys_ioctl+0xf5/0x170 [ 60.769501][ T5821] do_syscall_64+0xf3/0x230 [ 60.773996][ T5821] ? clear_bhb_loop+0x35/0x90 [ 60.778657][ T5821] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 60.784538][ T5821] RIP: 0033:0x7fe59a86aa79 [ 60.788936][ T5821] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.808523][ T5821] RSP: 002b:00007ffdfa89fa18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 60.816923][ T5821] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe59a86aa79 [ 60.824883][ T5821] RDX: 0000000020000502 RSI: 0000000040186f40 RDI: 0000000000000003 [ 60.832836][ T5821] RBP: 000000000000e8cb R08: 0000000000000006 R09: 0000000000000006 [ 60.840790][ T5821] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdfa89fa2c [ 60.848760][ T5821] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 60.856722][ T5821] [ 60.859863][ T5821] Kernel Offset: disabled [ 60.864175][ T5821] Rebooting in 86400 seconds..