./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2924448783 <...> Warning: Permanently added '10.128.15.207' (ECDSA) to the list of known hosts. execve("./syz-executor2924448783", ["./syz-executor2924448783"], 0x7ffde0cc8c90 /* 10 vars */) = 0 brk(NULL) = 0x55555667a000 brk(0x55555667ac40) = 0x55555667ac40 arch_prctl(ARCH_SET_FS, 0x55555667a300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555667a5d0) = 3607 set_robust_list(0x55555667a5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f5be2ace140, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f5be2ace810}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f5be2ace1e0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f5be2ace810}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2924448783", 4096) = 28 brk(0x55555669bc40) = 0x55555669bc40 brk(0x55555669c000) = 0x55555669c000 mprotect(0x7f5be2b8e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555667a5d0) = 3608 ./strace-static-x86_64: Process 3608 attached [pid 3608] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3608] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3608] setpgid(0, 0) = 0 [pid 3608] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3608] write(3, "1000", 4) = 4 [pid 3608] close(3) = 0 [pid 3608] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3608] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3608] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3608] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3609 attached , parent_tid=[3609], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3609 [pid 3609] set_robust_list(0x7f5be2abe9e0, 24 [pid 3608] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3608] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3608] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 3609] <... set_robust_list resumed>) = 0 [pid 3608] <... mmap resumed>) = 0x7f5be2a7d000 [pid 3608] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE [pid 3609] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0 [pid 3608] <... mprotect resumed>) = 0 [pid 3608] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3610], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3610 ./strace-static-x86_64: Process 3610 attached [pid 3608] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3608] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3610] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3609] <... mmap resumed>) = 0x20000000 [pid 3609] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3609] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3610] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3610] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3608] <... futex resumed>) = 0 [pid 3610] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3608] exit_group(0) = ? [pid 3609] <... futex resumed>) = ? [pid 3610] <... futex resumed>) = ? [pid 3609] +++ exited with 0 +++ [pid 3610] +++ exited with 0 +++ [pid 3608] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3608, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3611 attached , child_tidptr=0x55555667a5d0) = 3611 [pid 3611] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3611] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3611] setpgid(0, 0) = 0 [pid 3611] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3611] write(3, "1000", 4) = 4 [pid 3611] close(3) = 0 [pid 3611] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3611] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3611] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3611] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3612 attached , parent_tid=[3612], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3612 [pid 3611] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3611] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3611] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3611] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3611] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3613 attached [pid 3612] set_robust_list(0x7f5be2abe9e0, 24 [pid 3611] <... clone resumed>, parent_tid=[3613], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3613 [pid 3611] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3611] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3612] <... set_robust_list resumed>) = 0 [pid 3612] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0 [pid 3613] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3613] madvise(0x20000000, 6291456, MADV_DONTNEED [pid 3612] <... mmap resumed>) = 0x20000000 [pid 3613] <... madvise resumed>) = 0 [pid 3612] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3612] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3613] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3611] <... futex resumed>) = 0 [pid 3611] exit_group(0 [pid 3612] <... futex resumed>) = ? [pid 3612] +++ exited with 0 +++ [pid 3611] <... exit_group resumed>) = ? [pid 3613] +++ exited with 0 +++ [pid 3611] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3611, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3614 attached [pid 3614] set_robust_list(0x55555667a5e0, 24 [pid 3607] <... clone resumed>, child_tidptr=0x55555667a5d0) = 3614 [pid 3614] <... set_robust_list resumed>) = 0 [pid 3614] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3614] setpgid(0, 0) = 0 [pid 3614] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3614] write(3, "1000", 4) = 4 [pid 3614] close(3) = 0 [pid 3614] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3614] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3614] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3614] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3615], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3615 [pid 3614] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3614] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3614] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3614] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3614] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3616], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3616 [pid 3614] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3614] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3616 attached [pid 3616] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3616] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3616] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3614] <... futex resumed>) = 0 [pid 3616] <... futex resumed>) = 1 [pid 3616] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 3615 attached [pid 3615] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3615] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3615] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3615] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3614] exit_group(0) = ? [pid 3616] <... futex resumed>) = ? [pid 3616] +++ exited with 0 +++ [pid 3615] <... futex resumed>) = ? [pid 3615] +++ exited with 0 +++ [pid 3614] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3614, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3617 attached , child_tidptr=0x55555667a5d0) = 3617 [pid 3617] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3617] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3617] setpgid(0, 0) = 0 [pid 3617] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3617] write(3, "1000", 4) = 4 [pid 3617] close(3) = 0 [pid 3617] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3617] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3617] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3617] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3618], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3618 [pid 3617] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3617] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3617] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3617] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3617] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3619], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3619 ./strace-static-x86_64: Process 3618 attached [pid 3617] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3617] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3619 attached [pid 3619] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3619] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3619] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3617] <... futex resumed>) = 0 [pid 3619] <... futex resumed>) = 1 [pid 3619] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3618] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3618] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3618] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3618] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3617] exit_group(0) = ? [pid 3619] <... futex resumed>) = ? [pid 3619] +++ exited with 0 +++ [pid 3618] <... futex resumed>) = ? [pid 3618] +++ exited with 0 +++ [pid 3617] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3617, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3620 attached , child_tidptr=0x55555667a5d0) = 3620 [pid 3620] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3620] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3620] setpgid(0, 0) = 0 [pid 3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3620] write(3, "1000", 4) = 4 [pid 3620] close(3) = 0 [pid 3620] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3620] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3620] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3620] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3621 attached [pid 3621] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3621] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3620] <... clone resumed>, parent_tid=[3621], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3621 [pid 3620] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3620] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3620] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3620] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3620] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3622], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3622 [pid 3620] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3620] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3622 attached [pid 3622] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3622] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3622] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3620] <... futex resumed>) = 0 [pid 3622] <... futex resumed>) = 1 [pid 3622] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3621] <... futex resumed>) = 0 [pid 3621] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3621] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 3620] exit_group(0) = ? [pid 3622] <... futex resumed>) = ? [pid 3621] <... futex resumed>) = ? [pid 3622] +++ exited with 0 +++ [pid 3621] +++ exited with 0 +++ [pid 3620] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3620, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3623 attached , child_tidptr=0x55555667a5d0) = 3623 [pid 3623] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3623] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3623] setpgid(0, 0) = 0 [pid 3623] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3623] write(3, "1000", 4) = 4 [pid 3623] close(3) = 0 [pid 3623] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3623] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3623] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3623] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3624], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3624 [pid 3623] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3623] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3623] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3623] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3623] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3625], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3625 [pid 3623] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3623] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3625 attached [pid 3625] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3625] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3625] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3623] <... futex resumed>) = 0 [pid 3625] <... futex resumed>) = 1 [pid 3625] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 3624 attached [pid 3624] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3624] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3624] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3624] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3623] exit_group(0) = ? [pid 3625] <... futex resumed>) = ? [pid 3625] +++ exited with 0 +++ [pid 3624] <... futex resumed>) = ? [pid 3624] +++ exited with 0 +++ [pid 3623] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3623, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3626 attached , child_tidptr=0x55555667a5d0) = 3626 [pid 3626] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3626] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3626] setpgid(0, 0) = 0 [pid 3626] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3626] write(3, "1000", 4) = 4 [pid 3626] close(3) = 0 [pid 3626] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3626] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3626] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3626] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3627], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3627 [pid 3626] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3626] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3626] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3626] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 ./strace-static-x86_64: Process 3627 attached [pid 3626] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3628], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3628 [pid 3626] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3626] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3628 attached [pid 3628] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3628] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3628] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3626] <... futex resumed>) = 0 [pid 3628] <... futex resumed>) = 1 [pid 3628] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3627] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3627] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3627] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3627] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3626] exit_group(0) = ? [pid 3628] <... futex resumed>) = ? [pid 3628] +++ exited with 0 +++ [pid 3627] <... futex resumed>) = ? [pid 3627] +++ exited with 0 +++ [pid 3626] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3626, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3629 attached , child_tidptr=0x55555667a5d0) = 3629 [pid 3629] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3629] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3629] setpgid(0, 0) = 0 [pid 3629] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3629] write(3, "1000", 4) = 4 [pid 3629] close(3) = 0 [pid 3629] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3629] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3629] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3629] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3630], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3630 [pid 3629] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3629] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3629] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3629] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3629] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3631], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3631 [pid 3629] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3629] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3631 attached [pid 3631] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3631] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3631] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3629] <... futex resumed>) = 0 [pid 3631] <... futex resumed>) = 1 [pid 3631] futex(0x7f5be2b943f8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 3630 attached [pid 3630] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3630] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3630] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3630] futex(0x7f5be2b943e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3629] exit_group(0 [pid 3631] <... futex resumed>) = ? [pid 3629] <... exit_group resumed>) = ? [pid 3631] +++ exited with 0 +++ [pid 3630] <... futex resumed>) = ? [pid 3630] +++ exited with 0 +++ [pid 3629] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3629, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555667a5d0) = 3632 ./strace-static-x86_64: Process 3632 attached [pid 3632] set_robust_list(0x55555667a5e0, 24) = 0 [pid 3632] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3632] setpgid(0, 0) = 0 [pid 3632] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3632] write(3, "1000", 4) = 4 [pid 3632] close(3) = 0 [pid 3632] futex(0x7f5be2b943ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3632] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a9e000 [pid 3632] mprotect(0x7f5be2a9f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3632] clone(child_stack=0x7f5be2abe3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3633 attached , parent_tid=[3633], tls=0x7f5be2abe700, child_tidptr=0x7f5be2abe9d0) = 3633 [pid 3632] futex(0x7f5be2b943e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3632] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3632] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5be2a7d000 [pid 3632] mprotect(0x7f5be2a7e000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3632] clone(child_stack=0x7f5be2a9d3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3634], tls=0x7f5be2a9d700, child_tidptr=0x7f5be2a9d9d0) = 3634 ./strace-static-x86_64: Process 3634 attached [pid 3632] futex(0x7f5be2b943f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3632] futex(0x7f5be2b943fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3633] set_robust_list(0x7f5be2abe9e0, 24) = 0 [pid 3633] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|MAP_DENYWRITE|MAP_STACK|MAP_HUGETLB, -1, 0 [pid 3634] set_robust_list(0x7f5be2a9d9e0, 24) = 0 [pid 3634] madvise(0x20000000, 6291456, MADV_DONTNEED) = 0 [pid 3634] futex(0x7f5be2b943fc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3632] <... futex resumed>) = 0 [pid 3634] <... futex resumed>) = 1 syzkaller login: [ 34.045313][ T3633] ================================================================== [ 34.053589][ T3633] BUG: KASAN: use-after-free in down_read+0x1d3/0x450 [ 34.060336][ T3633] Read of size 8 at addr ffff888012692b08 by task syz-executor292/3633 [ 34.068651][ T3633] [ 34.070981][ T3633] CPU: 1 PID: 3633 Comm: syz-executor292 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 [ 34.081376][ T3633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 34.091456][ T3633] Call Trace: [ 34.094721][ T3633] [ 34.097634][ T3633] dump_stack_lvl+0xcd/0x134 [ 34.102223][ T3633] print_report+0x15e/0x45d [ 34.106712][ T3633] ? __phys_addr+0xc4/0x140 [ 34.111199][ T3633] ? down_read+0x1d3/0x450 [ 34.115599][ T3633] kasan_report+0xbb/0x1f0 [ 34.120025][ T3633] ? down_read+0x1d3/0x450 [ 34.124451][ T3633] kasan_check_range+0x13d/0x180 [ 34.129377][ T3633] down_read+0x1d3/0x450 [ 34.133602][ T3633] ? make_huge_pte.isra.0+0xec/0x350 [ 34.138876][ T3633] ? rwsem_down_read_slowpath+0xb10/0xb10 [ 34.144582][ T3633] ? hugetlb_total_pages+0x140/0x140 [ 34.149876][ T3633] hugetlb_fault+0x40a/0x2060 [ 34.154550][ T3633] ? hugetlb_wp+0x1af0/0x1af0 [ 34.159219][ T3633] ? rcu_read_lock_sched_held+0xd/0x70 [ 34.164666][ T3633] ? lock_release+0x5cb/0x810 [ 34.169325][ T3633] ? follow_hugetlb_page+0x36e/0x1850 [ 34.174683][ T3633] ? lock_downgrade+0x6e0/0x6e0 [ 34.179517][ T3633] ? do_raw_spin_lock+0x120/0x2a0 [ 34.184526][ T3633] ? rwlock_bug.part.0+0x90/0x90 [ 34.189451][ T3633] ? mas_destroy+0x2e1/0x5c0 [ 34.194029][ T3633] follow_hugetlb_page+0x3f3/0x1850 [ 34.199217][ T3633] __get_user_pages+0x2cb/0xf10 [ 34.204064][ T3633] ? mas_next_node+0xa00/0xa00 [ 34.208813][ T3633] ? vma_set_page_prot+0xa6/0x110 [ 34.213828][ T3633] ? follow_page_mask+0x1530/0x1530 [ 34.219018][ T3633] ? find_vma_intersection+0x10a/0x1b0 [ 34.224471][ T3633] populate_vma_page_range+0x23d/0x320 [ 34.229915][ T3633] __mm_populate+0x101/0x3a0 [ 34.234487][ T3633] ? faultin_vma_page_range+0x300/0x300 [ 34.240014][ T3633] ? up_write+0x1ac/0x520 [ 34.244335][ T3633] vm_mmap_pgoff+0x1fd/0x270 [ 34.248912][ T3633] ? randomize_page+0xb0/0xb0 [ 34.253571][ T3633] ? hugetlbfs_get_inode+0x3c5/0x5f0 [ 34.258844][ T3633] ksys_mmap_pgoff+0x1c3/0x5a0 [ 34.263600][ T3633] do_syscall_64+0x35/0xb0 [ 34.268014][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.273897][ T3633] RIP: 0033:0x7f5be2b0c829 [ 34.278296][ T3633] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 34.297890][ T3633] RSP: 002b:00007f5be2abe308 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 34.306287][ T3633] RAX: ffffffffffffffda RBX: 00007f5be2b943e8 RCX: 00007f5be2b0c829 [ 34.314241][ T3633] RDX: 0000000000000003 RSI: 0000000000b36000 RDI: 0000000020000000 [ 34.322193][ T3633] RBP: 00007f5be2b943e0 R08: 00000000ffffffff R09: 0000000000000000 [ 34.330147][ T3633] R10: 0000000000068831 R11: 0000000000000246 R12: 00007f5be2b943ec [ 34.338102][ T3633] R13: 00007ffc1d3b25cf R14: 00007f5be2abe400 R15: 0000000000022000 [ 34.346062][ T3633] [ 34.349062][ T3633] [ 34.351379][ T3633] Allocated by task 3633: [ 34.355689][ T3633] kasan_save_stack+0x1e/0x40 [ 34.360359][ T3633] kasan_set_track+0x21/0x30 [ 34.364959][ T3633] __kasan_kmalloc+0xa1/0xb0 [ 34.369538][ T3633] hugetlb_vma_lock_alloc.part.0+0x3f/0x130 [ 34.375413][ T3633] hugetlb_reserve_pages+0xa3f/0xe80 [ 34.380932][ T3633] hugetlbfs_file_mmap+0x40c/0x5c0 [ 34.386052][ T3633] mmap_region+0x6bf/0x1c00 [ 34.390634][ T3633] do_mmap+0x825/0xf50 [ 34.394696][ T3633] vm_mmap_pgoff+0x1ab/0x270 [ 34.399269][ T3633] ksys_mmap_pgoff+0x1c3/0x5a0 [ 34.404019][ T3633] do_syscall_64+0x35/0xb0 [ 34.408424][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.414325][ T3633] [ 34.416630][ T3633] Freed by task 3634: [ 34.420590][ T3633] kasan_save_stack+0x1e/0x40 [ 34.425255][ T3633] kasan_set_track+0x21/0x30 [ 34.429831][ T3633] kasan_save_free_info+0x2a/0x40 [ 34.434922][ T3633] ____kasan_slab_free+0x160/0x1c0 [ 34.440022][ T3633] slab_free_freelist_hook+0x8b/0x1c0 [ 34.445381][ T3633] __kmem_cache_free+0xab/0x3b0 [ 34.450219][ T3633] __unmap_hugepage_range_final+0x2ad/0x340 [ 34.456101][ T3633] unmap_single_vma+0x23d/0x2a0 [ 34.460938][ T3633] zap_page_range+0x38a/0x520 [ 34.465597][ T3633] madvise_vma_behavior+0xee8/0x1cc0 [ 34.470867][ T3633] madvise_walk_vmas+0x1c7/0x2b0 [ 34.475787][ T3633] do_madvise.part.0+0x24a/0x340 [ 34.480706][ T3633] __x64_sys_madvise+0x113/0x150 [ 34.485714][ T3633] do_syscall_64+0x35/0xb0 [ 34.490121][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.496001][ T3633] [ 34.498305][ T3633] The buggy address belongs to the object at ffff888012692b00 [ 34.498305][ T3633] which belongs to the cache kmalloc-192 of size 192 [ 34.512337][ T3633] The buggy address is located 8 bytes inside of [ 34.512337][ T3633] 192-byte region [ffff888012692b00, ffff888012692bc0) [ 34.525444][ T3633] [ 34.527747][ T3633] The buggy address belongs to the physical page: [ 34.534134][ T3633] page:ffffea000049a480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12692 [ 34.544268][ T3633] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 34.551797][ T3633] raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888011841a00 [ 34.560365][ T3633] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 34.568924][ T3633] page dumped because: kasan: bad access detected [ 34.575314][ T3633] page_owner tracks the page as allocated [ 34.581026][ T3633] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 1336465718, free_ts 0 [ 34.597590][ T3633] get_page_from_freelist+0x10b5/0x2d50 [ 34.603121][ T3633] __alloc_pages+0x1c7/0x5a0 [ 34.607690][ T3633] alloc_page_interleave+0x1e/0x200 [ 34.612876][ T3633] alloc_pages+0x22f/0x270 [ 34.617279][ T3633] allocate_slab+0x213/0x300 [ 34.621852][ T3633] ___slab_alloc+0xa91/0x1400 [ 34.626512][ T3633] __slab_alloc.constprop.0+0x56/0xa0 [ 34.631871][ T3633] __kmem_cache_alloc_node+0x191/0x3e0 [ 34.637334][ T3633] kmalloc_trace+0x22/0x60 [ 34.641730][ T3633] call_usermodehelper_setup+0x97/0x340 [ 34.647257][ T3633] kobject_uevent_env+0xee6/0x1640 [ 34.652353][ T3633] device_add+0xb72/0x1e90 [ 34.656758][ T3633] add_memory_block+0x2de/0x610 [ 34.661591][ T3633] memory_dev_init+0x214/0x29b [ 34.666354][ T3633] driver_init+0x3e/0x48 [ 34.670604][ T3633] kernel_init_freeable+0x4e3/0x788 [ 34.675806][ T3633] page_owner free stack trace missing [ 34.681152][ T3633] [ 34.683456][ T3633] Memory state around the buggy address: [ 34.689072][ T3633] ffff888012692a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.697117][ T3633] ffff888012692a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.705162][ T3633] >ffff888012692b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.713203][ T3633] ^ [ 34.717508][ T3633] ffff888012692b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.725551][ T3633] ffff888012692c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 34.733593][ T3633] ================================================================== [ 34.746668][ T3633] Kernel panic - not syncing: panic_on_warn set ... [ 34.753266][ T3633] CPU: 0 PID: 3633 Comm: syz-executor292 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 [ 34.763662][ T3633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 34.773706][ T3633] Call Trace: [ 34.776972][ T3633] [ 34.779893][ T3633] dump_stack_lvl+0xcd/0x134 [ 34.784480][ T3633] panic+0x2c8/0x622 [ 34.788371][ T3633] ? panic_print_sys_info.part.0+0x110/0x110 [ 34.794345][ T3633] ? preempt_schedule_common+0x59/0xc0 [ 34.799798][ T3633] ? preempt_schedule_thunk+0x16/0x18 [ 34.805164][ T3633] end_report.part.0+0x3f/0x7c [ 34.809922][ T3633] ? down_read+0x1d3/0x450 [ 34.814501][ T3633] kasan_report.cold+0xa/0xf [ 34.819083][ T3633] ? down_read+0x1d3/0x450 [ 34.823485][ T3633] kasan_check_range+0x13d/0x180 [ 34.828424][ T3633] down_read+0x1d3/0x450 [ 34.832651][ T3633] ? make_huge_pte.isra.0+0xec/0x350 [ 34.837924][ T3633] ? rwsem_down_read_slowpath+0xb10/0xb10 [ 34.843629][ T3633] ? hugetlb_total_pages+0x140/0x140 [ 34.849079][ T3633] hugetlb_fault+0x40a/0x2060 [ 34.853748][ T3633] ? hugetlb_wp+0x1af0/0x1af0 [ 34.858416][ T3633] ? rcu_read_lock_sched_held+0xd/0x70 [ 34.863948][ T3633] ? lock_release+0x5cb/0x810 [ 34.868701][ T3633] ? follow_hugetlb_page+0x36e/0x1850 [ 34.874064][ T3633] ? lock_downgrade+0x6e0/0x6e0 [ 34.878898][ T3633] ? do_raw_spin_lock+0x120/0x2a0 [ 34.883910][ T3633] ? rwlock_bug.part.0+0x90/0x90 [ 34.888928][ T3633] ? mas_destroy+0x2e1/0x5c0 [ 34.893510][ T3633] follow_hugetlb_page+0x3f3/0x1850 [ 34.898706][ T3633] __get_user_pages+0x2cb/0xf10 [ 34.903550][ T3633] ? mas_next_node+0xa00/0xa00 [ 34.908391][ T3633] ? vma_set_page_prot+0xa6/0x110 [ 34.913411][ T3633] ? follow_page_mask+0x1530/0x1530 [ 34.918607][ T3633] ? find_vma_intersection+0x10a/0x1b0 [ 34.924059][ T3633] populate_vma_page_range+0x23d/0x320 [ 34.929505][ T3633] __mm_populate+0x101/0x3a0 [ 34.934085][ T3633] ? faultin_vma_page_range+0x300/0x300 [ 34.939621][ T3633] ? up_write+0x1ac/0x520 [ 34.943947][ T3633] vm_mmap_pgoff+0x1fd/0x270 [ 34.948529][ T3633] ? randomize_page+0xb0/0xb0 [ 34.953207][ T3633] ? hugetlbfs_get_inode+0x3c5/0x5f0 [ 34.958570][ T3633] ksys_mmap_pgoff+0x1c3/0x5a0 [ 34.963330][ T3633] do_syscall_64+0x35/0xb0 [ 34.967768][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 34.973654][ T3633] RIP: 0033:0x7f5be2b0c829 [ 34.978055][ T3633] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 34.997650][ T3633] RSP: 002b:00007f5be2abe308 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 35.006049][ T3633] RAX: ffffffffffffffda RBX: 00007f5be2b943e8 RCX: 00007f5be2b0c829 [ 35.014008][ T3633] RDX: 0000000000000003 RSI: 0000000000b36000 RDI: 0000000020000000 [ 35.021966][ T3633] RBP: 00007f5be2b943e0 R08: 00000000ffffffff R09: 0000000000000000 [ 35.029921][ T3633] R10: 0000000000068831 R11: 0000000000000246 R12: 00007f5be2b943ec [ 35.037881][ T3633] R13: 00007ffc1d3b25cf R14: 00007f5be2abe400 R15: 0000000000022000 [ 35.045840][ T3633] [ 35.049551][ T3633] Kernel Offset: disabled [ 35.053866][ T3633] Rebooting in 86400 seconds..