./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor378087964 <...> Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts. execve("./syz-executor378087964", ["./syz-executor378087964"], 0x7ffd1a80c600 /* 10 vars */) = 0 brk(NULL) = 0x555556aeb000 brk(0x555556aebc40) = 0x555556aebc40 arch_prctl(ARCH_SET_FS, 0x555556aeb300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555556aeb5d0) = 5076 set_robust_list(0x555556aeb5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7facd1cc9660, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7facd1cc9d30}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7facd1cc9700, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7facd1cc9d30}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor378087964", 4096) = 27 brk(0x555556b0cc40) = 0x555556b0cc40 brk(0x555556b0d000) = 0x555556b0d000 mprotect(0x7facd1d8b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5077 attached , child_tidptr=0x555556aeb5d0) = 5077 [pid 5077] set_robust_list(0x555556aeb5e0, 24) = 0 [pid 5077] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5077] setsid() = 1 [pid 5077] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5077] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5077] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5077] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5077] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5077] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5077] unshare(CLONE_NEWNS) = 0 [pid 5077] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5077] unshare(CLONE_NEWIPC) = 0 [pid 5077] unshare(CLONE_NEWCGROUP) = 0 [pid 5077] unshare(CLONE_NEWUTS) = 0 [pid 5077] unshare(CLONE_SYSVSEM) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "16777216", 8) = 8 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "536870912", 9) = 9 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1024", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "8192", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1024", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1024", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5077] close(3) = 0 [pid 5077] getpid() = 1 [pid 5077] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5079] futex(0x7facd1d91428, FUTEX_WAKE_PRIVATE, 1000000 [pid 5080] <... set_robust_list resumed>) = 0 [pid 5080] signalfd4(-1, [], 8, 0) = 3 [pid 5080] futex(0x7facd1d9142c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5080] futex(0x7facd1d91428, FUTEX_WAIT_PRIVATE, 0, NULL) = 0 [pid 5079] <... futex resumed>) = 1 [pid 5080] futex(0x7facd1d91428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] futex(0x7facd1d9142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 5079] futex(0x7facd1d91428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5080] <... futex resumed>) = 0 [pid 5080] io_uring_setup(135, {flags=0, sq_thread_cpu=0, sq_thread_idle=0 [pid 5079] futex(0x7facd1d9142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5080] <... io_uring_setup resumed>, sq_entries=256, cq_entries=512, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=8512}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 5080] mmap(0x20ffc000, 9536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20ffc000 [pid 5080] mmap(0x206d4000, 16384, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x206d4000 [pid 5080] futex(0x7facd1d9142c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5079] futex(0x7facd1d91428, FUTEX_WAKE_PRIVATE, 1000000 [pid 5080] pipe( [pid 5079] <... futex resumed>) = 0 [pid 5080] <... pipe resumed>[5, 6]) = 0 [pid 5079] futex(0x7facd1d9142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5080] futex(0x7facd1d9142c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5080] futex(0x7facd1d91428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] futex(0x7facd1d91428, FUTEX_WAKE_PRIVATE, 1000000 [pid 5080] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5079] <... futex resumed>) = 0 [pid 5080] write(6, "\x00\xc0\xff\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x6d\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966988 [pid 5079] futex(0x7facd1d9142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5079] futex(0x7facd1d9143c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7facd1c78000 [pid 5079] mprotect(0x7facd1c79000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5079] clone(child_stack=0x7facd1c983f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5081 attached , parent_tid=[4], tls=0x7facd1c98700, child_tidptr=0x7facd1c989d0) = 4 [pid 5079] futex(0x7facd1d91438, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7facd1d9143c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5081] set_robust_list(0x7facd1c989e0, 24) = 0 [pid 5081] futex(0x7facd1d9143c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5081] io_uring_enter(4, 17676, 0, 0, NULL, 0 [pid 5079] futex(0x7facd1d91438, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7facd1d9143c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5081] <... io_uring_enter resumed>) = 1 [pid 5081] futex(0x7facd1d9143c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5081] futex(0x7facd1d91438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] close(3) = 0 [pid 5079] close(4) = 0 [pid 5079] close(5 [pid 5080] <... write resumed>) = 65536 [pid 5079] <... close resumed>) = 0 [pid 5081] <... futex resumed>) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5080] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2, si_uid=0} --- [pid 5080] +++ killed by SIGPIPE +++ [pid 5081] +++ killed by SIGPIPE +++ [pid 5079] +++ killed by SIGPIPE +++ [pid 5077] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=2, si_uid=0, si_status=SIGPIPE, si_utime=0, si_stime=1 /* 0.01 s */} --- syzkaller login: [ 61.343185][ T5077] ================================================================== [ 61.351306][ T5077] BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650 [ 61.358684][ T5077] Read of size 8 at addr ffff88801d1508f0 by task syz-executor378/5077 [ 61.366906][ T5077] [ 61.369217][ T5077] CPU: 0 PID: 5077 Comm: syz-executor378 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 61.379088][ T5077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.389137][ T5077] Call Trace: [ 61.392406][ T5077] [ 61.395338][ T5077] dump_stack_lvl+0xd1/0x138 [ 61.395847][ T4740] general protection fault, probably for non-canonical address 0xe09e7c2e40000007: 0000 [#1] PREEMPT SMP KASAN [ 61.399941][ T5077] print_report+0x15e/0x45d [ 61.411631][ T4740] KASAN: maybe wild-memory-access in range [0x04f4017200000038-0x04f401720000003f] [ 61.416122][ T5077] ? __phys_addr+0xc8/0x140 [ 61.425375][ T4740] CPU: 1 PID: 4740 Comm: kworker/1:3 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 61.429854][ T5077] ? __wake_up_common+0x637/0x650 [ 61.439366][ T4740] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.444365][ T5077] kasan_report+0xc0/0xf0 [ 61.454396][ T4740] Workqueue: events io_fallback_req_func [ 61.458699][ T5077] ? __wake_up_common+0x637/0x650 [ 61.458732][ T5077] __wake_up_common+0x637/0x650 [ 61.464331][ T4740] [ 61.464338][ T4740] RIP: 0010:__lock_acquire+0xd83/0x5660 [ 61.469334][ T5077] __wake_up_common_lock+0xd4/0x140 [ 61.474151][ T4740] Code: 3d 0f 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 53 f6 3d 0f e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 e6 30 00 00 49 81 3e 60 b6 f8 8f 0f 84 4c f3 ff [ 61.476468][ T5077] ? __wake_up_common+0x650/0x650 [ 61.481993][ T4740] RSP: 0018:ffffc900036ef8f8 EFLAGS: 00010002 [ 61.487167][ T5077] ? release_task+0xbf2/0x1870 [ 61.506746][ T4740] [ 61.506752][ T4740] RAX: dffffc0000000000 RBX: 1ffff920006ddf4d RCX: 0000000000000000 [ 61.511744][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 61.517780][ T4740] RDX: 009e802e40000007 RSI: 0000000000000000 RDI: 0000000000000001 [ 61.522514][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 61.524821][ T4740] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 [ 61.532771][ T5077] __wake_up_pollfree+0x1d/0x60 [ 61.537595][ T4740] R10: fffffbfff1ce78da R11: 1ffffffff2148d1a R12: 0000000000000000 [ 61.545542][ T5077] signalfd_cleanup+0x46/0x60 [ 61.550361][ T4740] R13: ffff8880211f8000 R14: 04f4017200000039 R15: 0000000000000000 [ 61.558310][ T5077] __cleanup_sighand+0x76/0xb0 [ 61.563131][ T4740] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 61.571080][ T5077] release_task+0xbfa/0x1870 [ 61.575732][ T4740] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 61.583681][ T5077] ? put_task_struct_rcu_user+0xc0/0xc0 [ 61.588419][ T4740] CR2: 00007facd1d49020 CR3: 0000000029419000 CR4: 00000000003506e0 [ 61.597319][ T5077] ? trace_lock_acquire+0x1f1/0x290 [ 61.601885][ T4740] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 61.608447][ T5077] ? _raw_spin_unlock_irq+0x23/0x50 [ 61.613960][ T4740] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 61.621912][ T5077] wait_consider_task+0x306d/0x3ce0 [ 61.627081][ T4740] Call Trace: [ 61.627089][ T4740] [ 61.635035][ T5077] ? rcu_read_lock_sched_held+0x3e/0x70 [ 61.640296][ T4740] ? ret_from_fork+0x1f/0x30 [ 61.648236][ T5077] ? release_task+0x1870/0x1870 [ 61.653408][ T4740] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 61.656672][ T5077] ? do_wait+0x2b7/0xd90 [ 61.659584][ T4740] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 61.665101][ T5077] ? lock_acquire+0x32/0xc0 [ 61.669663][ T4740] ? stack_trace_save+0x90/0xc0 [ 61.674488][ T5077] ? do_wait+0x2b7/0xd90 [ 61.680445][ T4740] lock_acquire.part.0+0x11a/0x350 [ 61.684666][ T5077] do_wait+0x7cd/0xd90 [ 61.690616][ T4740] ? io_poll_remove_entries.part.0+0x15e/0x810 [ 61.695097][ T5077] kernel_wait4+0x150/0x260 [ 61.699916][ T4740] ? lock_release+0x810/0x810 [ 61.704129][ T5077] ? __ia32_sys_waitid+0x150/0x150 [ 61.709212][ T4740] ? io_poll_remove_entries.part.0+0x15e/0x810 [ 61.713255][ T5077] ? rcu_read_lock_sched_held+0x3e/0x70 [ 61.719380][ T4740] ? rcu_read_lock_sched_held+0x3e/0x70 [ 61.723859][ T5077] ? kill_orphaned_pgrp+0x320/0x320 [ 61.728505][ T4740] ? trace_lock_acquire+0x1f1/0x290 [ 61.733602][ T5077] ? ptrace_stop.part.0+0x4e3/0x8e0 [ 61.739737][ T4740] ? io_poll_remove_entries.part.0+0x15e/0x810 [ 61.745271][ T5077] __do_sys_wait4+0x13f/0x150 [ 61.750798][ T4740] ? lock_acquire+0x32/0xc0 [ 61.755976][ T5077] ? kernel_wait4+0x260/0x260 [ 61.761150][ T4740] ? io_poll_remove_entries.part.0+0x15e/0x810 [ 61.766342][ T5077] ? ptrace_notify+0xfe/0x140 [ 61.772473][ T4740] _raw_spin_lock_irq+0x36/0x50 [ 61.777122][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 61.781600][ T4740] ? io_poll_remove_entries.part.0+0x15e/0x810 [ 61.786256][ T5077] ? _raw_spin_unlock_irq+0x23/0x50 [ 61.792380][ T4740] io_poll_remove_entries.part.0+0x15e/0x810 [ 61.797042][ T5077] ? lockdep_hardirqs_on+0x7d/0x100 [ 61.801873][ T4740] io_poll_task_func+0x56c/0x1220 [ 61.806692][ T5077] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.812821][ T4740] ? io_poll_remove_entries.part.0+0x810/0x810 [ 61.817986][ T5077] ? ptrace_notify+0xfe/0x140 [ 61.823942][ T4740] ? lock_acquire+0x32/0xc0 [ 61.829117][ T5077] do_syscall_64+0x39/0xb0 [ 61.834120][ T4740] io_fallback_req_func+0xfd/0x204 [ 61.839292][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.845419][ T4740] ? __io_commit_cqring_flush.cold+0x42/0x42 [ 61.850069][ T5077] RIP: 0033:0x7facd1d06656 [ 61.854569][ T4740] process_one_work+0x9bf/0x1750 [ 61.858952][ T5077] Code: 0f 1f 40 00 31 c9 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 49 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 90 48 83 ec 28 89 54 24 14 48 89 74 24 [ 61.864037][ T4740] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 61.869896][ T5077] RSP: 002b:00007ffc250fbf98 EFLAGS: 00000246 [ 61.876110][ T4740] ? rcu_read_lock_sched_held+0x3e/0x70 [ 61.880499][ T5077] ORIG_RAX: 000000000000003d [ 61.885411][ T4740] ? rwlock_bug.part.0+0x90/0x90 [ 61.904991][ T5077] RAX: ffffffffffffffda RBX: 00007ffc250fc050 RCX: 00007facd1d06656 [ 61.910338][ T4740] ? lock_acquire+0x32/0xc0 [ 61.916377][ T5077] RDX: 0000000040000001 RSI: 00007ffc250fbfcc RDI: 00000000ffffffff [ 61.921895][ T4740] ? worker_thread+0x16d/0x1090 [ 61.926546][ T5077] RBP: 00007ffc250fbfcc R08: 000000000000003d R09: 00007ffc251bb080 [ 61.931461][ T4740] worker_thread+0x669/0x1090 [ 61.939405][ T5077] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000f4240 [ 61.943897][ T4740] ? __kthread_parkme+0x163/0x220 [ 61.952109][ T5077] R13: 0000000000000002 R14: 00007ffc250fc020 R15: 00007ffc250fc010 [ 61.956932][ T4740] ? process_one_work+0x1750/0x1750 [ 61.964972][ T5077] [ 61.969614][ T4740] kthread+0x2e8/0x3a0 [ 61.977562][ T5077] [ 61.977567][ T5077] Allocated by task 5081: [ 61.982558][ T4740] ? kthread_complete_and_exit+0x40/0x40 [ 61.990505][ T5077] kasan_save_stack+0x22/0x40 [ 61.995679][ T4740] ret_from_fork+0x1f/0x30 [ 61.998680][ T5077] kasan_set_track+0x25/0x30 [ 62.002729][ T4740] [ 62.005031][ T5077] __kasan_slab_alloc+0x7f/0x90 [ 62.009337][ T4740] Modules linked in: [ 62.014937][ T5077] kmem_cache_alloc_bulk+0x3aa/0x730 [ 62.019589][ T4740] ---[ end trace 0000000000000000 ]--- [ 62.023972][ T5077] __io_alloc_req_refill+0xcc/0x40b [ 62.028533][ T4740] RIP: 0010:__lock_acquire+0xd83/0x5660 [ 62.031550][ T5077] io_submit_sqes.cold+0x7c/0xc2 [ 62.036375][ T4740] Code: 3d 0f 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 53 f6 3d 0f e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 e6 30 00 00 49 81 3e 60 b6 f8 8f 0f 84 4c f3 ff [ 62.040242][ T5077] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 62.045499][ T4740] RSP: 0018:ffffc900036ef8f8 EFLAGS: 00010002 [ 62.050936][ T5077] do_syscall_64+0x39/0xb0 [ 62.056118][ T4740] [ 62.056126][ T4740] RAX: dffffc0000000000 RBX: 1ffff920006ddf4d RCX: 0000000000000000 [ 62.061641][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.066557][ T4740] RDX: 009e802e40000007 RSI: 0000000000000000 RDI: 0000000000000001 [ 62.086138][ T5077] [ 62.086143][ T5077] Freed by task 33: [ 62.091664][ T4740] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 [ 62.097703][ T5077] kasan_save_stack+0x22/0x40 [ 62.102090][ T4740] R10: fffffbfff1ce78da R11: 1ffffffff2148d1a R12: 0000000000000000 [ 62.104395][ T5077] kasan_set_track+0x25/0x30 [ 62.112342][ T4740] R13: ffff8880211f8000 R14: 04f4017200000039 R15: 0000000000000000 [ 62.118293][ T5077] kasan_save_free_info+0x2e/0x40 [ 62.126245][ T4740] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 62.128551][ T5077] ____kasan_slab_free+0x160/0x1c0 [ 62.132332][ T4740] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 62.140280][ T5077] slab_free_freelist_hook+0x8b/0x1c0 [ 62.144940][ T4740] CR2: 00007facd1d49020 CR3: 0000000029419000 CR4: 00000000003506e0 [ 62.152887][ T5077] kmem_cache_free+0xec/0x4e0 [ 62.157453][ T4740] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 62.165398][ T5077] io_req_caches_free+0x1a9/0x1e6 [ 62.170393][ T4740] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 62.179297][ T5077] io_ring_exit_work+0x2e7/0xc80 [ 62.184386][ T4740] Kernel panic - not syncing: Fatal exception [ 62.190942][ T5077] process_one_work+0x9bf/0x1750 [ 62.196313][ T5077] worker_thread+0x669/0x1090 [ 62.204285][ T5077] kthread+0x2e8/0x3a0 [ 62.208957][ T5077] ret_from_fork+0x1f/0x30 [ 62.216937][ T5077] [ 62.221935][ T5077] The buggy address belongs to the object at ffff88801d1508c0 [ 62.221935][ T5077] which belongs to the cache io_kiocb of size 216 [ 62.229899][ T5077] The buggy address is located 48 bytes inside of [ 62.229899][ T5077] 216-byte region [ffff88801d1508c0, ffff88801d150998) [ 62.234830][ T5077] [ 62.240873][ T5077] The buggy address belongs to the physical page: [ 62.245789][ T5077] page:ffffea0000745400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d150 [ 62.250465][ T5077] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 62.254535][ T5077] raw: 00fff00000000200 ffff88801beb7780 dead000000000122 0000000000000000 [ 62.258942][ T5077] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 62.261257][ T5077] page dumped because: kasan: bad access detected [ 62.275030][ T5077] page_owner tracks the page as allocated [ 62.288213][ T5077] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5081, tgid 5079 (syz-executor378), ts 61182579448, free_ts 52418879084 [ 62.290561][ T5077] get_page_from_freelist+0x11bb/0x2d50 [ 62.296981][ T5077] __alloc_pages+0x1cb/0x5c0 [ 62.307130][ T5077] alloc_pages+0x1aa/0x270 [ 62.314664][ T5077] allocate_slab+0x25f/0x350 [ 62.323246][ T5077] ___slab_alloc+0xa91/0x1400 [ 62.331823][ T5077] kmem_cache_alloc_bulk+0x23d/0x730 [ 62.338237][ T5077] __io_alloc_req_refill+0xcc/0x40b [ 62.343953][ T5077] io_submit_sqes.cold+0x7c/0xc2 [ 62.362523][ T5077] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 62.368073][ T5077] do_syscall_64+0x39/0xb0 [ 62.372658][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.377089][ T5077] page last free stack trace: [ 62.381655][ T5077] free_pcp_prepare+0x4d0/0x910 [ 62.386330][ T5077] free_unref_page+0x1d/0x490 [ 62.391612][ T5077] __folio_put+0xc5/0x140 [ 62.396807][ T5077] anon_pipe_buf_release+0x3fb/0x4c0 [ 62.401751][ T5077] pipe_read+0x614/0x1110 [ 62.407294][ T5077] vfs_read+0x7fa/0x930 [ 62.411706][ T5077] ksys_read+0x1ec/0x250 [ 62.417593][ T5077] do_syscall_64+0x39/0xb0 [ 62.422268][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.427121][ T5077] [ 62.431774][ T5077] Memory state around the buggy address: [ 62.436086][ T5077] ffff88801d150780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.441358][ T5077] ffff88801d150800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 62.445680][ T5077] >ffff88801d150880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 62.449818][ T5077] ^ [ 62.454059][ T5077] ffff88801d150900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.458462][ T5077] ffff88801d150980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 62.464335][ T5077] ================================================================== [ 62.466806][ T4740] Kernel Offset: disabled [ 62.533631][ T4740] Rebooting in 86400 seconds..