./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor612626586 <...> Warning: Permanently added '10.128.0.128' (ED25519) to the list of known hosts. execve("./syz-executor612626586", ["./syz-executor612626586"], 0x7ffd3adfb4d0 /* 10 vars */) = 0 brk(NULL) = 0x55555624b000 brk(0x55555624bd40) = 0x55555624bd40 arch_prctl(ARCH_SET_FS, 0x55555624b3c0) = 0 set_tid_address(0x55555624b690) = 5069 set_robust_list(0x55555624b6a0, 24) = 0 rseq(0x55555624bce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor612626586", 4096) = 27 getrandom("\x5c\xf2\xa5\xcf\xd3\x83\xce\x56", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555624bd40 brk(0x55555626cd40) = 0x55555626cd40 brk(0x55555626d000) = 0x55555626d000 mprotect(0x7f9efa948000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f9efa94e30c, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f9efa8eaae0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f9efa8dc160}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9efa867000 mprotect(0x7f9efa868000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9efa887990, parent_tid=0x7f9efa887990, exit_signal=0, stack=0x7f9efa867000, stack_size=0x20300, tls=0x7f9efa8876c0}./strace-static-x86_64: Process 5070 attached => {parent_tid=[5070]}, 88) = 5070 [pid 5070] rseq(0x7f9efa887fe0, 0x20, 0, 0x53053053 [pid 5069] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5070] <... rseq resumed>) = 0 [pid 5069] futex(0x7f9efa94e308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5070] set_robust_list(0x7f9efa8879a0, 24 [pid 5069] <... futex resumed>) = 0 [pid 5070] <... set_robust_list resumed>) = 0 [pid 5069] futex(0x7f9efa94e30c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5070] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5070] openat(AT_FDCWD, "/dev/ptp0", O_RDONLY) = 3 [pid 5070] futex(0x7f9efa94e30c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] futex(0x7f9efa94e308, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5069] <... futex resumed>) = 0 [pid 5069] futex(0x7f9efa94e308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5070] <... futex resumed>) = 0 [pid 5069] <... futex resumed>) = 1 [pid 5069] futex(0x7f9efa94e30c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5070] read(3, [pid 5069] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5069] futex(0x7f9efa94e30c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5069] futex(0x7f9efa94e30c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5069] futex(0x7f9efa94e31c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5069] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9efa846000 [pid 5069] mprotect(0x7f9efa847000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5069] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5069] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9efa866990, parent_tid=0x7f9efa866990, exit_signal=0, stack=0x7f9efa846000, stack_size=0x20300, tls=0x7f9efa8666c0} => {parent_tid=[5071]}, 88) = 5071 ./strace-static-x86_64: Process 5071 attached [pid 5069] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5069] futex(0x7f9efa94e318, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5069] futex(0x7f9efa94e31c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5071] rseq(0x7f9efa866fe0, 0x20, 0, 0x53053053) = 0 [pid 5071] set_robust_list(0x7f9efa8669a0, 24) = 0 [pid 5071] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5071] read(3, 0x20000240, 10) = -1 EINVAL (Invalid argument) [pid 5071] futex(0x7f9efa94e31c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5069] <... futex resumed>) = 0 [pid 5071] <... futex resumed>) = 1 [pid 5071] futex(0x7f9efa94e318, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5069] exit_group(0) = ? [pid 5071] <... futex resumed>) = ? [pid 5071] +++ exited with 0 +++ [ 72.161853][ T5070] ================================================================== [ 72.169949][ T5070] BUG: KASAN: slab-use-after-free in ptp_read+0x7c4/0x830 [ 72.177063][ T5070] Read of size 4 at addr ffff88801eeb9004 by task syz-executor612/5070 [ 72.185294][ T5070] [ 72.187603][ T5070] CPU: 1 PID: 5070 Comm: syz-executor612 Not tainted 6.6.0-syzkaller-14263-gaea6bf908d73 #0 [ 72.197646][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 72.207687][ T5070] Call Trace: [ 72.210953][ T5070] [ 72.213870][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 72.218456][ T5070] print_report+0xc4/0x620 [ 72.222863][ T5070] ? __virt_addr_valid+0x5e/0x2d0 [ 72.227913][ T5070] ? __phys_addr+0xc6/0x140 [ 72.232414][ T5070] kasan_report+0xda/0x110 [ 72.236825][ T5070] ? ptp_read+0x7c4/0x830 [ 72.241141][ T5070] ? ptp_read+0x7c4/0x830 [ 72.245548][ T5070] ptp_read+0x7c4/0x830 [ 72.249689][ T5070] ? ptp_poll+0x1b0/0x1b0 [ 72.254002][ T5070] ? cpuusage_read+0x10/0x10 [ 72.258580][ T5070] ? fsnotify_perm.part.0+0x23c/0x5c0 [ 72.263941][ T5070] ? fsnotify_perm.part.0+0x247/0x5c0 [ 72.269304][ T5070] ? apparmor_file_permission+0x258/0x540 [ 72.275015][ T5070] ? ptp_poll+0x1b0/0x1b0 [ 72.279326][ T5070] posix_clock_read+0x138/0x1b0 [ 72.284169][ T5070] ? posix_clock_compat_ioctl+0x30/0x30 [ 72.289704][ T5070] vfs_read+0x1ce/0x8f0 [ 72.293857][ T5070] ? kernel_read+0x1b0/0x1b0 [ 72.298433][ T5070] ? ptrace_stop.part.0+0x61a/0x900 [ 72.303618][ T5070] ? __fget_files+0x1c6/0x340 [ 72.308282][ T5070] ? __fget_light+0xe6/0x260 [ 72.312865][ T5070] ksys_read+0x12f/0x250 [ 72.317098][ T5070] ? vfs_write+0xdf0/0xdf0 [ 72.321503][ T5070] ? lockdep_hardirqs_on+0x7d/0x100 [ 72.326708][ T5070] ? _raw_spin_unlock_irq+0x2e/0x50 [ 72.331898][ T5070] ? ptrace_notify+0xf4/0x130 [ 72.336563][ T5070] do_syscall_64+0x3f/0x110 [ 72.341055][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.346938][ T5070] RIP: 0033:0x7f9efa8c4c39 [ 72.351339][ T5070] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 72.370939][ T5070] RSP: 002b:00007f9efa887238 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 72.379426][ T5070] RAX: ffffffffffffffda RBX: 00007f9efa94e308 RCX: 00007f9efa8c4c39 [ 72.387385][ T5070] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 72.395343][ T5070] RBP: 00007f9efa94e300 R08: 00007f9efa8876c0 R09: 00007f9efa8876c0 [ 72.403471][ T5070] R10: 00007f9efa8876c0 R11: 0000000000000246 R12: 7074702f7665642f [ 72.411428][ T5070] R13: 0000000000000000 R14: 00007fff658be820 R15: 00007fff658be908 [ 72.419387][ T5070] [ 72.422389][ T5070] [ 72.424695][ T5070] Allocated by task 5070: [ 72.429000][ T5070] kasan_save_stack+0x33/0x50 [ 72.433846][ T5070] kasan_set_track+0x25/0x30 [ 72.438422][ T5070] __kasan_kmalloc+0xa2/0xb0 [ 72.442994][ T5070] ptp_open+0xe3/0x4f0 [ 72.447041][ T5070] posix_clock_open+0x17e/0x240 [ 72.451879][ T5070] chrdev_open+0x26d/0x6e0 [ 72.456300][ T5070] do_dentry_open+0x8d4/0x18d0 [ 72.461052][ T5070] path_openat+0x1d4e/0x2c40 [ 72.465622][ T5070] do_filp_open+0x1de/0x430 [ 72.470124][ T5070] do_sys_openat2+0x176/0x1e0 [ 72.474787][ T5070] __x64_sys_openat+0x175/0x210 [ 72.479621][ T5070] do_syscall_64+0x3f/0x110 [ 72.484113][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.489998][ T5070] [ 72.492302][ T5070] Freed by task 5071: [ 72.496261][ T5070] kasan_save_stack+0x33/0x50 [ 72.500924][ T5070] kasan_set_track+0x25/0x30 [ 72.505500][ T5070] kasan_save_free_info+0x2b/0x40 [ 72.510510][ T5070] ____kasan_slab_free+0x15b/0x1b0 [ 72.515604][ T5070] slab_free_freelist_hook+0x114/0x1e0 [ 72.521046][ T5070] __kmem_cache_free+0xc0/0x180 [ 72.525880][ T5070] ptp_release+0x204/0x2b0 [ 72.530276][ T5070] ptp_read+0xf6/0x830 [ 72.534329][ T5070] posix_clock_read+0x138/0x1b0 [ 72.539171][ T5070] vfs_read+0x1ce/0x8f0 [ 72.543321][ T5070] ksys_read+0x12f/0x250 [ 72.547551][ T5070] do_syscall_64+0x3f/0x110 [ 72.552040][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 72.557924][ T5070] [ 72.560229][ T5070] The buggy address belongs to the object at ffff88801eeb8000 [ 72.560229][ T5070] which belongs to the cache kmalloc-8k of size 8192 [ 72.574264][ T5070] The buggy address is located 4100 bytes inside of [ 72.574264][ T5070] freed 8192-byte region [ffff88801eeb8000, ffff88801eeba000) [ 72.588299][ T5070] [ 72.590607][ T5070] The buggy address belongs to the physical page: [ 72.597083][ T5070] page:ffffea00007bae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eeb8 [ 72.607229][ T5070] head:ffffea00007bae00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 72.616157][ T5070] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 72.624128][ T5070] page_type: 0xffffffff() [ 72.628451][ T5070] raw: 00fff00000000840 ffff888013042280 ffffea000060f400 dead000000000002 [ 72.637024][ T5070] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 72.645585][ T5070] page dumped because: kasan: bad access detected [ 72.651976][ T5070] page_owner tracks the page as allocated [ 72.657668][ T5070] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 48, tgid 48 (kworker/u4:3), ts 9294708955, free_ts 0 [ 72.679715][ T5070] post_alloc_hook+0x2cf/0x340 [ 72.684476][ T5070] get_page_from_freelist+0xa25/0x36c0 [ 72.689932][ T5070] __alloc_pages+0x1d0/0x4a0 [ 72.694516][ T5070] alloc_pages_mpol+0x258/0x5f0 [ 72.699356][ T5070] allocate_slab+0x251/0x380 [ 72.703939][ T5070] ___slab_alloc+0x8c7/0x1580 [ 72.708601][ T5070] __slab_alloc.constprop.0+0x56/0xa0 [ 72.713956][ T5070] __kmem_cache_alloc_node+0x131/0x310 [ 72.719398][ T5070] __kmalloc_node+0x52/0x110 [ 72.723973][ T5070] kvmalloc_node+0x6f/0x1a0 [ 72.728460][ T5070] sbitmap_init_node+0x1c8/0x680 [ 72.733385][ T5070] scsi_realloc_sdev_budget_map+0x4d4/0x620 [ 72.739261][ T5070] scsi_alloc_sdev+0x9a9/0xd10 [ 72.744041][ T5070] scsi_probe_and_add_lun+0x170d/0x27d0 [ 72.749662][ T5070] __scsi_scan_target+0x255/0xef0 [ 72.754675][ T5070] scsi_scan_channel+0x149/0x1e0 [ 72.759598][ T5070] page_owner free stack trace missing [ 72.764943][ T5070] [ 72.767272][ T5070] Memory state around the buggy address: [ 72.772880][ T5070] ffff88801eeb8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.780925][ T5070] ffff88801eeb8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.788962][ T5070] >ffff88801eeb9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.797017][ T5070] ^ [ 72.801068][ T5070] ffff88801eeb9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.809121][ T5070] ffff88801eeb9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.817166][ T5070] ================================================================== [ 72.825709][ T5070] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 72.833006][ T5070] CPU: 0 PID: 5070 Comm: syz-executor612 Not tainted 6.6.0-syzkaller-14263-gaea6bf908d73 #0 [ 72.843071][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 72.853118][ T5070] Call Trace: [ 72.856416][ T5070] [ 72.859347][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 72.863948][ T5070] panic+0x6dc/0x790 [ 72.867848][ T5070] ? panic_smp_self_stop+0xa0/0xa0 [ 72.872963][ T5070] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 72.879214][ T5070] ? preempt_schedule_thunk+0x1a/0x30 [ 72.884591][ T5070] ? preempt_schedule_common+0x45/0xc0 [ 72.890055][ T5070] ? check_panic_on_warn+0x1f/0xb0 [ 72.895168][ T5070] check_panic_on_warn+0xab/0xb0 [ 72.900108][ T5070] end_report+0x108/0x150 [ 72.904440][ T5070] kasan_report+0xea/0x110 [ 72.909022][ T5070] ? ptp_read+0x7c4/0x830 [ 72.913363][ T5070] ? ptp_read+0x7c4/0x830 [ 72.917700][ T5070] ptp_read+0x7c4/0x830 [ 72.921879][ T5070] ? ptp_poll+0x1b0/0x1b0 [ 72.926220][ T5070] ? cpuusage_read+0x10/0x10 [ 72.930824][ T5070] ? fsnotify_perm.part.0+0x23c/0x5c0 [ 72.936209][ T5070] ? fsnotify_perm.part.0+0x247/0x5c0 [ 72.941583][ T5070] ? apparmor_file_permission+0x258/0x540 [ 72.947309][ T5070] ? ptp_poll+0x1b0/0x1b0 [ 72.951631][ T5070] posix_clock_read+0x138/0x1b0 [ 72.956492][ T5070] ? posix_clock_compat_ioctl+0x30/0x30 [ 72.962222][ T5070] vfs_read+0x1ce/0x8f0 [ 72.966381][ T5070] ? kernel_read+0x1b0/0x1b0 [ 72.970973][ T5070] ? ptrace_stop.part.0+0x61a/0x900 [ 72.976171][ T5070] ? __fget_files+0x1c6/0x340 [ 72.980850][ T5070] ? __fget_light+0xe6/0x260 [ 72.985442][ T5070] ksys_read+0x12f/0x250 [ 72.989688][ T5070] ? vfs_write+0xdf0/0xdf0 [ 72.994104][ T5070] ? lockdep_hardirqs_on+0x7d/0x100 [ 72.999305][ T5070] ? _raw_spin_unlock_irq+0x2e/0x50 [ 73.004501][ T5070] ? ptrace_notify+0xf4/0x130 [ 73.009217][ T5070] do_syscall_64+0x3f/0x110 [ 73.013718][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 73.019614][ T5070] RIP: 0033:0x7f9efa8c4c39 [ 73.024022][ T5070] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 73.043624][ T5070] RSP: 002b:00007f9efa887238 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 73.052036][ T5070] RAX: ffffffffffffffda RBX: 00007f9efa94e308 RCX: 00007f9efa8c4c39 [ 73.060007][ T5070] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 73.067969][ T5070] RBP: 00007f9efa94e300 R08: 00007f9efa8876c0 R09: 00007f9efa8876c0 [ 73.076020][ T5070] R10: 00007f9efa8876c0 R11: 0000000000000246 R12: 7074702f7665642f [ 73.083988][ T5070] R13: 0000000000000000 R14: 00007fff658be820 R15: 00007fff658be908 [ 73.092045][ T5070] [ 73.095363][ T5070] Kernel Offset: disabled [ 73.099676][ T5070] Rebooting in 86400 seconds..