./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3746677870
<...>
DUID 00:04:ac:03:58:10:d0:76:5c:28:30:a7:8a:8b:4a:a3:06:e2
forked to background, child pid 4651
[ 33.746538][ T4652] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.756638][ T4652] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.199' (ECDSA) to the list of known hosts.
execve("./syz-executor3746677870", ["./syz-executor3746677870"], 0x7ffd9f36ecc0 /* 10 vars */) = 0
brk(NULL) = 0x555557073000
brk(0x555557073c40) = 0x555557073c40
arch_prctl(ARCH_SET_FS, 0x555557073300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3746677870", 4096) = 28
brk(0x555557094c40) = 0x555557094c40
brk(0x555557095000) = 0x555557095000
mprotect(0x7f8c81c61000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_PACKET, SOCK_RAW, htons(0 /* ETH_P_??? */)) = 3
pipe([4, 5]) = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 6
close(6) = 0
socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 6
io_uring_setup(820, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=1024, cq_entries=2048, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=33088}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 7
mmap(0x20002000, 37184, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 7, 0) = 0x20002000
mmap(0x20ffd000, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 7, 0x10000000) = 0x20ffd000
io_uring_enter(7, 767, 0, 0, NULL, 0) = 1
write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 28) = 28
splice(4, NULL, 6, NULL, 196607, 0) = 28
exit_group(0) = ?
syzkaller login: [ 53.374502][ T5072] ==================================================================
[ 53.382596][ T5072] BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650
[ 53.389965][ T5072] Read of size 8 at addr ffff88807502d8f0 by task syz-executor374/5072
[ 53.398183][ T5072]
[ 53.400490][ T5072] CPU: 0 PID: 5072 Comm: syz-executor374 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 53.410362][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 53.420402][ T5072] Call Trace:
[ 53.423666][ T5072]
[ 53.426584][ T5072] dump_stack_lvl+0xd1/0x138
[ 53.431169][ T5072] print_report+0x15e/0x45d
[ 53.435660][ T5072] ? __phys_addr+0xc8/0x140
[ 53.440155][ T5072] ? __wake_up_common+0x637/0x650
[ 53.445170][ T5072] kasan_report+0xc0/0xf0
[ 53.449502][ T5072] ? __wake_up_common+0x637/0x650
[ 53.454516][ T5072] __wake_up_common+0x637/0x650
[ 53.459362][ T5072] __wake_up_common_lock+0xd4/0x140
[ 53.464551][ T5072] ? __wake_up_common+0x650/0x650
[ 53.469576][ T5072] ? debug_object_active_state+0x264/0x350
[ 53.475388][ T5072] ? fcntl_setlk+0xdc0/0xdc0
[ 53.479994][ T5072] pipe_release+0x18c/0x310
[ 53.484501][ T5072] __fput+0x27c/0xa90
[ 53.488480][ T5072] ? free_pipe_info+0x3b0/0x3b0
[ 53.493323][ T5072] task_work_run+0x16f/0x270
[ 53.497914][ T5072] ? task_work_cancel+0x30/0x30
[ 53.502756][ T5072] ? do_raw_spin_unlock+0x175/0x230
[ 53.507959][ T5072] do_exit+0xb17/0x2a90
[ 53.512130][ T5072] ? lock_downgrade+0x6e0/0x6e0
[ 53.516979][ T5072] ? do_raw_spin_lock+0x124/0x2b0
[ 53.522000][ T5072] ? mm_update_next_owner+0x7b0/0x7b0
[ 53.527373][ T5072] ? rwlock_bug.part.0+0x90/0x90
[ 53.532305][ T5072] ? _raw_spin_unlock_irq+0x23/0x50
[ 53.537513][ T5072] do_group_exit+0xd4/0x2a0
[ 53.542017][ T5072] __x64_sys_exit_group+0x3e/0x50
[ 53.547027][ T5072] do_syscall_64+0x39/0xb0
[ 53.551520][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.557420][ T5072] RIP: 0033:0x7f8c81bf3949
[ 53.561826][ T5072] Code: Unable to access opcode bytes at 0x7f8c81bf391f.
[ 53.568825][ T5072] RSP: 002b:00007ffc0eeb6698 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 53.577224][ T5072] RAX: ffffffffffffffda RBX: 00007f8c81c672b0 RCX: 00007f8c81bf3949
[ 53.585180][ T5072] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 53.593135][ T5072] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 53.601090][ T5072] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8c81c672b0
[ 53.609043][ T5072] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 53.617000][ T5072]
[ 53.620000][ T5072]
[ 53.622305][ T5072] Allocated by task 5072:
[ 53.626613][ T5072] kasan_save_stack+0x22/0x40
[ 53.631281][ T5072] kasan_set_track+0x25/0x30
[ 53.635861][ T5072] __kasan_slab_alloc+0x7f/0x90
[ 53.640699][ T5072] kmem_cache_alloc_bulk+0x3aa/0x730
[ 53.645969][ T5072] __io_alloc_req_refill+0xcc/0x40b
[ 53.651155][ T5072] io_submit_sqes.cold+0x7c/0xc2
[ 53.656080][ T5072] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 53.661616][ T5072] do_syscall_64+0x39/0xb0
[ 53.666020][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.671909][ T5072]
[ 53.674214][ T5072] Freed by task 33:
[ 53.677996][ T5072] kasan_save_stack+0x22/0x40
[ 53.682659][ T5072] kasan_set_track+0x25/0x30
[ 53.687233][ T5072] kasan_save_free_info+0x2e/0x40
[ 53.692246][ T5072] ____kasan_slab_free+0x160/0x1c0
[ 53.697344][ T5072] slab_free_freelist_hook+0x8b/0x1c0
[ 53.702699][ T5072] kmem_cache_free+0xec/0x4e0
[ 53.707360][ T5072] io_req_caches_free+0x1a9/0x1e6
[ 53.712370][ T5072] io_ring_exit_work+0x2e7/0xc80
[ 53.717294][ T5072] process_one_work+0x9bf/0x1750
[ 53.722224][ T5072] worker_thread+0x669/0x1090
[ 53.726888][ T5072] kthread+0x2e8/0x3a0
[ 53.730954][ T5072] ret_from_fork+0x1f/0x30
[ 53.735366][ T5072]
[ 53.737673][ T5072] The buggy address belongs to the object at ffff88807502d8c0
[ 53.737673][ T5072] which belongs to the cache io_kiocb of size 216
[ 53.751445][ T5072] The buggy address is located 48 bytes inside of
[ 53.751445][ T5072] 216-byte region [ffff88807502d8c0, ffff88807502d998)
[ 53.764611][ T5072]
[ 53.766915][ T5072] The buggy address belongs to the physical page:
[ 53.773305][ T5072] page:ffffea0001d40b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7502d
[ 53.783436][ T5072] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 53.790974][ T5072] raw: 00fff00000000200 ffff88801c49ab40 dead000000000122 0000000000000000
[ 53.799540][ T5072] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 53.808099][ T5072] page dumped because: kasan: bad access detected
[ 53.814486][ T5072] page_owner tracks the page as allocated
[ 53.820176][ T5072] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5072, tgid 5072 (syz-executor374), ts 53370524537, free_ts 53344232790
[ 53.838736][ T5072] get_page_from_freelist+0x11bb/0x2d50
[ 53.844276][ T5072] __alloc_pages+0x1cb/0x5c0
[ 53.848856][ T5072] alloc_pages+0x1aa/0x270
[ 53.853256][ T5072] allocate_slab+0x25f/0x350
[ 53.857845][ T5072] ___slab_alloc+0xa91/0x1400
[ 53.862515][ T5072] kmem_cache_alloc_bulk+0x23d/0x730
[ 53.867786][ T5072] __io_alloc_req_refill+0xcc/0x40b
[ 53.872969][ T5072] io_submit_sqes.cold+0x7c/0xc2
[ 53.877894][ T5072] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 53.883430][ T5072] do_syscall_64+0x39/0xb0
[ 53.887837][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.893718][ T5072] page last free stack trace:
[ 53.898367][ T5072] free_pcp_prepare+0x4d0/0x910
[ 53.903204][ T5072] free_unref_page_list+0x176/0xcd0
[ 53.908387][ T5072] release_pages+0xcb1/0x1330
[ 53.913050][ T5072] tlb_batch_pages_flush+0xa8/0x1a0
[ 53.918234][ T5072] tlb_finish_mmu+0x14b/0x7e0
[ 53.922898][ T5072] exit_mmap+0x202/0x7c0
[ 53.927124][ T5072] __mmput+0x128/0x4c0
[ 53.931176][ T5072] mmput+0x60/0x70
[ 53.934881][ T5072] do_exit+0x9ac/0x2a90
[ 53.939028][ T5072] do_group_exit+0xd4/0x2a0
[ 53.943520][ T5072] get_signal+0x225f/0x24f0
[ 53.948008][ T5072] arch_do_signal_or_restart+0x79/0x5c0
[ 53.953540][ T5072] exit_to_user_mode_prepare+0x11f/0x240
[ 53.959868][ T5072] irqentry_exit_to_user_mode+0x9/0x40
[ 53.965323][ T5072] exc_page_fault+0xc0/0x170
[ 53.969903][ T5072] asm_exc_page_fault+0x26/0x30
[ 53.974749][ T5072]
[ 53.977057][ T5072] Memory state around the buggy address:
[ 53.982669][ T5072] ffff88807502d780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.990716][ T5072] ffff88807502d800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 53.998761][ T5072] >ffff88807502d880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 54.006803][ T5072] ^
[ 54.014497][ T5072] ffff88807502d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.022539][ T5072] ffff88807502d980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.030585][ T5072] ==================================================================
[ 54.038629][ T5072] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 54.045802][ T5072] CPU: 0 PID: 5072 Comm: syz-executor374 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 54.055675][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 54.065712][ T5072] Call Trace:
[ 54.068975][ T5072]
[ 54.071893][ T5072] dump_stack_lvl+0xd1/0x138
[ 54.076475][ T5072] panic+0x2cc/0x626
[ 54.080367][ T5072] ? panic_print_sys_info.part.0+0x112/0x112
[ 54.086346][ T5072] ? lock_downgrade+0x6e0/0x6e0
[ 54.091181][ T5072] ? dump_page.cold+0x21d/0x255
[ 54.096024][ T5072] check_panic_on_warn.cold+0x19/0x35
[ 54.101394][ T5072] end_report.part.0+0x36/0x73
[ 54.106157][ T5072] ? __wake_up_common+0x637/0x650
[ 54.111182][ T5072] kasan_report.cold+0xa/0xf
[ 54.115778][ T5072] ? __wake_up_common+0x637/0x650
[ 54.120801][ T5072] __wake_up_common+0x637/0x650
[ 54.125640][ T5072] __wake_up_common_lock+0xd4/0x140
[ 54.130827][ T5072] ? __wake_up_common+0x650/0x650
[ 54.135840][ T5072] ? debug_object_active_state+0x264/0x350
[ 54.141643][ T5072] ? fcntl_setlk+0xdc0/0xdc0
[ 54.146227][ T5072] pipe_release+0x18c/0x310
[ 54.150722][ T5072] __fput+0x27c/0xa90
[ 54.154693][ T5072] ? free_pipe_info+0x3b0/0x3b0
[ 54.159531][ T5072] task_work_run+0x16f/0x270
[ 54.164112][ T5072] ? task_work_cancel+0x30/0x30
[ 54.168957][ T5072] ? do_raw_spin_unlock+0x175/0x230
[ 54.174142][ T5072] do_exit+0xb17/0x2a90
[ 54.178293][ T5072] ? lock_downgrade+0x6e0/0x6e0
[ 54.183131][ T5072] ? do_raw_spin_lock+0x124/0x2b0
[ 54.188141][ T5072] ? mm_update_next_owner+0x7b0/0x7b0
[ 54.193505][ T5072] ? rwlock_bug.part.0+0x90/0x90
[ 54.198429][ T5072] ? _raw_spin_unlock_irq+0x23/0x50
[ 54.203624][ T5072] do_group_exit+0xd4/0x2a0
[ 54.208120][ T5072] __x64_sys_exit_group+0x3e/0x50
[ 54.213128][ T5072] do_syscall_64+0x39/0xb0
[ 54.217533][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.223418][ T5072] RIP: 0033:0x7f8c81bf3949
[ 54.227815][ T5072] Code: Unable to access opcode bytes at 0x7f8c81bf391f.
[ 54.234817][ T5072] RSP: 002b:00007ffc0eeb6698 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 54.243216][ T5072] RAX: ffffffffffffffda RBX: 00007f8c81c672b0 RCX: 00007f8c81bf3949
[ 54.251172][ T5072] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 54.259128][ T5072] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 54.267081][ T5072] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8c81c672b0
[ 54.275040][ T5072] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 54.283001][ T5072]
[ 54.286075][ T5072] Kernel Offset: disabled
[ 54.290393][ T5072] Rebooting in 86400 seconds..