./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2550669423

<...>
forked to background, child pid 3182
no interfa[   19.326958][ T3183] 8021q: adding VLAN 0 to HW filter on device bond0
ces have a carrier
[   19.351787][ T3183] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.234' (ECDSA) to the list of known hosts.
execve("./syz-executor2550669423", ["./syz-executor2550669423"], 0x7ffe0df451b0 /* 10 vars */) = 0
brk(NULL)                               = 0x555555adf000
brk(0x555555adfc40)                     = 0x555555adfc40
arch_prctl(ARCH_SET_FS, 0x555555adf300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2550669423", 4096) = 28
brk(0x555555b00c40)                     = 0x555555b00c40
brk(0x555555b01000)                     = 0x555555b01000
mprotect(0x7f7eb3341000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid()                                = 3603
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11)             = 11
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2)                       = 2
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3)                      = 3
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7)                  = 7
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "3603", 4)                     = 4
close(3)                                = 0
io_uring_setup(7190, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=8192, cq_entries=16384, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|0x1000, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=262464}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 3
mmap(0x20002000, 295232, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 3, 0) = 0x20002000
mmap(0x20004000, 524288, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 3, 0x10000000) = 0x20004000
io_uring_setup(16094, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=16384, cq_entries=32768, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|0x1000, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=524608}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4
mmap(0x20002000, 590144, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20002000
mmap(0x20ffd000, 1048576, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffd000
openat(AT_FDCWD, "/proc/thread-self/fdinfo/4", O_RDWR) = 5
syzkaller login: [   37.020917][ T3603] ==================================================================
[   37.029290][ T3603] BUG: KASAN: use-after-free in io_uring_show_fdinfo+0x625/0x1947
[   37.037280][ T3603] Read of size 8 at addr ffff88806fbfff20 by task syz-executor255/3603
[   37.045691][ T3603] 
[   37.048004][ T3603] CPU: 0 PID: 3603 Comm: syz-executor255 Not tainted 6.0.0-syzkaller-09039-ga6afa4199d3d #0
[   37.058064][ T3603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[   37.068148][ T3603] Call Trace:
[   37.071418][ T3603]  <TASK>
[   37.074346][ T3603]  dump_stack_lvl+0xcd/0x134
[   37.079014][ T3603]  print_report.cold+0x2ba/0x719
[   37.084128][ T3603]  ? io_uring_show_fdinfo+0x625/0x1947
[   37.089688][ T3603]  kasan_report+0xb1/0x1e0
[   37.094127][ T3603]  ? io_uring_show_fdinfo+0x625/0x1947
[   37.099673][ T3603]  io_uring_show_fdinfo+0x625/0x1947
[   37.104976][ T3603]  ? seq_file_path+0x30/0x30
[   37.109589][ T3603]  ? rcu_lock_acquire.constprop.0+0x27/0x27
[   37.115502][ T3603]  ? rwlock_bug.part.0+0x90/0x90
[   37.120436][ T3603]  ? rcu_lock_acquire.constprop.0+0x27/0x27
[   37.126357][ T3603]  seq_show+0x587/0x800
[   37.130597][ T3603]  seq_read_iter+0x4f5/0x1280
[   37.135278][ T3603]  seq_read+0x16d/0x210
[   37.139423][ T3603]  ? seq_read_iter+0x1280/0x1280
[   37.144372][ T3603]  ? trace_hardirqs_on+0x2d/0x120
[   37.149506][ T3603]  ? security_file_permission+0xab/0xd0
[   37.155485][ T3603]  vfs_read+0x257/0x930
[   37.159633][ T3603]  ? seq_read_iter+0x1280/0x1280
[   37.164731][ T3603]  ? kernel_read+0x1c0/0x1c0
[   37.169400][ T3603]  ? recalc_sigpending_tsk+0x18f/0x1d0
[   37.174857][ T3603]  ? ptrace_stop.part.0+0x746/0xa80
[   37.180046][ T3603]  ? rcu_read_lock_sched_held+0xd/0x70
[   37.185500][ T3603]  ? lock_release+0x560/0x780
[   37.190423][ T3603]  ? ptrace_notify+0xfa/0x140
[   37.195186][ T3603]  ? lock_downgrade+0x6e0/0x6e0
[   37.200035][ T3603]  __x64_sys_pread64+0x1f7/0x250
[   37.204981][ T3603]  ? ksys_pread64+0x1a0/0x1a0
[   37.209760][ T3603]  ? _raw_spin_unlock_irq+0x2a/0x40
[   37.214963][ T3603]  ? ptrace_notify+0xfa/0x140
[   37.219637][ T3603]  do_syscall_64+0x35/0xb0
[   37.224393][ T3603]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   37.230456][ T3603] RIP: 0033:0x7f7eb32dc369
[   37.234870][ T3603] Code: 28 c3 e8 1a 17 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   37.254488][ T3603] RSP: 002b:00007ffdd7256678 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[   37.262904][ T3603] RAX: ffffffffffffffda RBX: 00007ffdd7256780 RCX: 00007f7eb32dc369
[   37.270865][ T3603] RDX: 0000000000000011 RSI: 0000000020002140 RDI: 0000000000000005
[   37.279003][ T3603] RBP: 00007ffdd72566a0 R08: 00007ffdd7256510 R09: 0000000033303633
[   37.286982][ T3603] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdd7256780
[   37.294960][ T3603] R13: 00007ffdd72566a0 R14: 00007f7eb33180a1 R15: 0000000000000000
[   37.302939][ T3603]  </TASK>
[   37.305942][ T3603] 
[   37.308246][ T3603] The buggy address belongs to the physical page:
[   37.314660][ T3603] page:ffffea0001beffc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6fbff
[   37.324798][ T3603] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   37.331896][ T3603] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[   37.340493][ T3603] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   37.349081][ T3603] page dumped because: kasan: bad access detected
[   37.355475][ T3603] page_owner tracks the page as freed
[   37.360834][ T3603] page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 9881193944, free_ts 10384739419
[   37.375675][ T3603]  split_map_pages+0x1ef/0x520
[   37.380452][ T3603]  isolate_freepages_range+0x30f/0x350
[   37.385912][ T3603]  alloc_contig_range+0x2f6/0x490
[   37.391560][ T3603]  alloc_contig_pages+0x35a/0x4c0
[   37.396596][ T3603]  debug_vm_pgtable+0x88f/0x29d6
[   37.401527][ T3603]  do_one_initcall+0xfe/0x650
[   37.406201][ T3603]  kernel_init_freeable+0x6b1/0x73a
[   37.411394][ T3603]  kernel_init+0x1a/0x1d0
[   37.415712][ T3603]  ret_from_fork+0x1f/0x30
[   37.420118][ T3603] page last free stack trace:
[   37.424945][ T3603]  free_pcp_prepare+0x5e4/0xd20
[   37.429799][ T3603]  free_unref_page+0x19/0x4d0
[   37.434556][ T3603]  free_contig_range+0xb1/0x180
[   37.439405][ T3603]  destroy_args+0xa8/0x646
[   37.443831][ T3603]  debug_vm_pgtable+0x2945/0x29d6
[   37.448843][ T3603]  do_one_initcall+0xfe/0x650
[   37.453522][ T3603]  kernel_init_freeable+0x6b1/0x73a
[   37.458725][ T3603]  kernel_init+0x1a/0x1d0
[   37.463042][ T3603]  ret_from_fork+0x1f/0x30
[   37.467451][ T3603] 
[   37.469752][ T3603] Memory state around the buggy address:
[   37.475367][ T3603]  ffff88806fbffe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.483424][ T3603]  ffff88806fbffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.491473][ T3603] >ffff88806fbfff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.499527][ T3603]                                ^
[   37.504623][ T3603]  ffff88806fbfff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.512668][ T3603]  ffff88806fc00000: fa fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb
[   37.520708][ T3603] ==================================================================
[   37.529715][ T3603] Kernel panic - not syncing: panic_on_warn set ...
[   37.536320][ T3603] CPU: 0 PID: 3603 Comm: syz-executor255 Not tainted 6.0.0-syzkaller-09039-ga6afa4199d3d #0
[   37.546454][ T3603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[   37.556684][ T3603] Call Trace:
[   37.559965][ T3603]  <TASK>
[   37.562974][ T3603]  dump_stack_lvl+0xcd/0x134
[   37.567573][ T3603]  panic+0x2c8/0x622
[   37.571456][ T3603]  ? panic_print_sys_info.part.0+0x10b/0x10b
[   37.577519][ T3603]  ? preempt_schedule_common+0x59/0xc0
[   37.582989][ T3603]  ? preempt_schedule_thunk+0x16/0x18
[   37.588364][ T3603]  ? io_uring_show_fdinfo+0x625/0x1947
[   37.593814][ T3603]  end_report.part.0+0x3f/0x7c
[   37.598598][ T3603]  kasan_report.cold+0xa/0xf
[   37.603182][ T3603]  ? io_uring_show_fdinfo+0x625/0x1947
[   37.608634][ T3603]  io_uring_show_fdinfo+0x625/0x1947
[   37.613908][ T3603]  ? seq_file_path+0x30/0x30
[   37.618485][ T3603]  ? rcu_lock_acquire.constprop.0+0x27/0x27
[   37.624383][ T3603]  ? rwlock_bug.part.0+0x90/0x90
[   37.629311][ T3603]  ? rcu_lock_acquire.constprop.0+0x27/0x27
[   37.635209][ T3603]  seq_show+0x587/0x800
[   37.640488][ T3603]  seq_read_iter+0x4f5/0x1280
[   37.645181][ T3603]  seq_read+0x16d/0x210
[   37.649344][ T3603]  ? seq_read_iter+0x1280/0x1280
[   37.654336][ T3603]  ? trace_hardirqs_on+0x2d/0x120
[   37.659456][ T3603]  ? security_file_permission+0xab/0xd0
[   37.665010][ T3603]  vfs_read+0x257/0x930
[   37.669156][ T3603]  ? seq_read_iter+0x1280/0x1280
[   37.674080][ T3603]  ? kernel_read+0x1c0/0x1c0
[   37.678658][ T3603]  ? recalc_sigpending_tsk+0x18f/0x1d0
[   37.684125][ T3603]  ? ptrace_stop.part.0+0x746/0xa80
[   37.689312][ T3603]  ? rcu_read_lock_sched_held+0xd/0x70
[   37.694783][ T3603]  ? lock_release+0x560/0x780
[   37.699448][ T3603]  ? ptrace_notify+0xfa/0x140
[   37.704117][ T3603]  ? lock_downgrade+0x6e0/0x6e0
[   37.708978][ T3603]  __x64_sys_pread64+0x1f7/0x250
[   37.713917][ T3603]  ? ksys_pread64+0x1a0/0x1a0
[   37.718603][ T3603]  ? _raw_spin_unlock_irq+0x2a/0x40
[   37.723792][ T3603]  ? ptrace_notify+0xfa/0x140
[   37.728464][ T3603]  do_syscall_64+0x35/0xb0
[   37.732895][ T3603]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   37.739042][ T3603] RIP: 0033:0x7f7eb32dc369
[   37.743546][ T3603] Code: 28 c3 e8 1a 17 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   37.763238][ T3603] RSP: 002b:00007ffdd7256678 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[   37.771643][ T3603] RAX: ffffffffffffffda RBX: 00007ffdd7256780 RCX: 00007f7eb32dc369
[   37.779608][ T3603] RDX: 0000000000000011 RSI: 0000000020002140 RDI: 0000000000000005
[   37.787577][ T3603] RBP: 00007ffdd72566a0 R08: 00007ffdd7256510 R09: 0000000033303633
[   37.795543][ T3603] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdd7256780
[   37.803590][ T3603] R13: 00007ffdd72566a0 R14: 00007f7eb33180a1 R15: 0000000000000000
[   37.811551][ T3603]  </TASK>
[   37.814954][ T3603] Kernel Offset: disabled
[   37.819276][ T3603] Rebooting in 86400 seconds..