./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2253110317 <...> Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts. execve("./syz-executor2253110317", ["./syz-executor2253110317"], 0x7ffdd5cd8c90 /* 10 vars */) = 0 brk(NULL) = 0x55555715d000 brk(0x55555715dc40) = 0x55555715dc40 arch_prctl(ARCH_SET_FS, 0x55555715d300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555715d5d0) = 3605 set_robust_list(0x55555715d5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f2ff216a5b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f2ff216ac80}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f2ff216a650, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f2ff216ac80}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2253110317", 4096) = 28 brk(0x55555717ec40) = 0x55555717ec40 brk(0x55555717f000) = 0x55555717f000 mprotect(0x7f2ff222b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2ff2139000 mprotect(0x7f2ff213a000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7f2ff21593f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3606], tls=0x7f2ff2159700, child_tidptr=0x7f2ff21599d0) = 3606 futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3606 attached [pid 3606] set_robust_list(0x7f2ff21599e0, 24) = 0 [pid 3606] mmap(0x20000000, 16732160, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE|MAP_POPULATE|MAP_NONBLOCK|MAP_DENYWRITE|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] mprotect(0x20000000, 8388608, PROT_WRITE) = 0 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] userfaultfd(UFFD_USER_MODE_ONLY|O_NONBLOCK|O_CLOEXEC) = 3 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(3, UFFDIO_API, 0x20000040) = 0 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3606] futex(0x7f2ff2231428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3606] ioctl(3, UFFDIO_REGISTER, 0x20000080) = 0 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3606] <... futex resumed>) = 1 [pid 3606] futex(0x7f2ff2231428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3606] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] openat(AT_FDCWD, 0x20000280, O_RDONLY) = 4 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3606] <... futex resumed>) = 1 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3606] ioctl(4, KVM_CREATE_VM, 0 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... ioctl resumed>) = 5 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3606] <... futex resumed>) = 1 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] ioctl(5, KVM_CREATE_VCPU, 0) = 6 [pid 3606] futex(0x7f2ff223142c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f2ff2231428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f2ff223142c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=4096, userspace_addr=0x207a2000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=1, flags=0, guest_phys_addr=0x1000, memory_size=4096, userspace_addr=0x207a3000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=2, flags=0, guest_phys_addr=0x2000, memory_size=4096, userspace_addr=0x207a4000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=3, flags=0, guest_phys_addr=0x3000, memory_size=4096, userspace_addr=0x207a5000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=4, flags=0, guest_phys_addr=0x4000, memory_size=4096, userspace_addr=0x207a6000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=5, flags=0, guest_phys_addr=0x5000, memory_size=4096, userspace_addr=0x207a7000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=6, flags=0, guest_phys_addr=0x6000, memory_size=4096, userspace_addr=0x207a8000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=7, flags=0, guest_phys_addr=0x7000, memory_size=4096, userspace_addr=0x207a9000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=8, flags=0, guest_phys_addr=0x8000, memory_size=4096, userspace_addr=0x207aa000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=9, flags=0, guest_phys_addr=0x9000, memory_size=4096, userspace_addr=0x207ab000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=10, flags=0, guest_phys_addr=0xfec00000, memory_size=4096, userspace_addr=0x207ac000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=11, flags=0, guest_phys_addr=0xb000, memory_size=4096, userspace_addr=0x207ad000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=12, flags=0, guest_phys_addr=0xc000, memory_size=4096, userspace_addr=0x207ae000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=13, flags=0, guest_phys_addr=0xd000, memory_size=4096, userspace_addr=0x207af000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=14, flags=0, guest_phys_addr=0xe000, memory_size=4096, userspace_addr=0x207b0000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=15, flags=0, guest_phys_addr=0xf000, memory_size=4096, userspace_addr=0x207b1000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=16, flags=0, guest_phys_addr=0x10000, memory_size=4096, userspace_addr=0x207b2000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=17, flags=0, guest_phys_addr=0x11000, memory_size=4096, userspace_addr=0x207b3000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=18, flags=0, guest_phys_addr=0x12000, memory_size=4096, userspace_addr=0x207b4000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=19, flags=0, guest_phys_addr=0x13000, memory_size=4096, userspace_addr=0x207b5000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=20, flags=0, guest_phys_addr=0x14000, memory_size=4096, userspace_addr=0x207b6000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=21, flags=0, guest_phys_addr=0x15000, memory_size=4096, userspace_addr=0x207b7000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=22, flags=0, guest_phys_addr=0x16000, memory_size=4096, userspace_addr=0x207b8000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=23, flags=0, guest_phys_addr=0x17000, memory_size=4096, userspace_addr=0x207b9000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=65537, flags=0, guest_phys_addr=0x30000, memory_size=65536, userspace_addr=0x207a2000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(6, KVM_GET_SREGS, {cs={base=0xffff0000, limit=65535, selector=61440, type=11, present=1, dpl=0, db=0, s=1, l=0, g=0, avl=0}, ...}) = 0 [pid 3606] openat(AT_FDCWD, "/dev/kvm", O_RDWR) = 7 [pid 3606] ioctl(7, KVM_GET_SUPPORTED_CPUID, {nent=33, entries=[...]}) = 0 [pid 3606] ioctl(6, KVM_SET_CPUID2, {nent=33, entries=[...]}) = 0 [pid 3606] close(7) = 0 [ 44.037113][ T3606] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [pid 3605] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3605] futex(0x7f2ff223143c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2ff2118000 [pid 3605] mprotect(0x7f2ff2119000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3605] clone(child_stack=0x7f2ff21383f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3610], tls=0x7f2ff2138700, child_tidptr=0x7f2ff21389d0) = 3610 ./strace-static-x86_64: Process 3610 attached [pid 3605] futex(0x7f2ff2231438, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f2ff223143c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3610] set_robust_list(0x7f2ff21389e0, 24) = 0 [pid 3610] mmap(0x20000000, 16732160, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE|MAP_POPULATE|MAP_NONBLOCK|MAP_DENYWRITE|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3610] futex(0x7f2ff223143c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3610] <... futex resumed>) = 1 [ 44.252577][ T3606] ================================================================== [ 44.260689][ T3606] BUG: KASAN: use-after-free in __lock_acquire+0x3ee7/0x56d0 [ 44.268073][ T3606] Read of size 8 at addr ffff888017a60eb0 by task syz-executor225/3606 [ 44.276399][ T3606] [ 44.278718][ T3606] CPU: 0 PID: 3606 Comm: syz-executor225 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0 [ 44.289128][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 44.299185][ T3606] Call Trace: [ 44.302462][ T3606] [ 44.305391][ T3606] dump_stack_lvl+0xcd/0x134 [ 44.310021][ T3606] print_report.cold+0x2ba/0x719 [ 44.314971][ T3606] ? __lock_acquire+0x3ee7/0x56d0 [ 44.319999][ T3606] kasan_report+0xb1/0x1e0 [ 44.324422][ T3606] ? __lock_acquire+0x3ee7/0x56d0 [ 44.329554][ T3606] __lock_acquire+0x3ee7/0x56d0 [ 44.334412][ T3606] ? handle_userfault+0xfbe/0x1580 [ 44.339548][ T3606] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 44.345548][ T3606] ? do_raw_spin_lock+0x120/0x2a0 [ 44.350603][ T3606] ? rwlock_bug.part.0+0x90/0x90 [ 44.355573][ T3606] ? _raw_spin_unlock_irq+0x1f/0x40 [ 44.360809][ T3606] lock_acquire+0x1ab/0x570 [ 44.365328][ T3606] ? hugetlb_handle_userfault+0xf5/0x150 [ 44.370971][ T3606] ? lock_release+0x780/0x780 [ 44.375673][ T3606] down_read+0x98/0x450 [ 44.379859][ T3606] ? hugetlb_handle_userfault+0xf5/0x150 [ 44.385507][ T3606] ? rwsem_down_read_slowpath+0xb10/0xb10 [ 44.391234][ T3606] ? xas_load+0x66/0x140 [ 44.395483][ T3606] hugetlb_handle_userfault+0xf5/0x150 [ 44.400949][ T3606] ? hugetlb_fault_mutex_hash+0xd0/0xd0 [ 44.406497][ T3606] ? filemap_add_folio+0x1d0/0x1d0 [ 44.411614][ T3606] ? hugetlb_total_pages+0x140/0x140 [ 44.416910][ T3606] hugetlb_fault+0x14cd/0x1aa0 [ 44.421781][ T3606] ? hugetlb_wp+0x19d0/0x19d0 [ 44.426547][ T3606] ? count_memcg_event_mm.part.0+0x134/0x2d0 [ 44.432535][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 44.437393][ T3606] ? mark_held_locks+0x9f/0xe0 [ 44.442165][ T3606] handle_mm_fault+0x640/0x780 [ 44.446938][ T3606] do_user_addr_fault+0x475/0x1210 [ 44.452061][ T3606] exc_page_fault+0x94/0x170 [ 44.456701][ T3606] asm_exc_page_fault+0x22/0x30 [ 44.461578][ T3606] RIP: 0033:0x7f2ff2164c3b [ 44.466011][ T3606] Code: 00 48 89 94 24 ca 03 00 00 f3 0f 6f 9c 24 c0 03 00 00 f3 0f 6f a4 24 d0 03 00 00 48 89 84 24 e2 03 00 00 48 8d 86 00 20 7a 20 <0f> 11 9e 00 20 7a 20 0f 11 a6 10 20 7a 20 48 8b b4 24 e0 03 00 00 [ 44.485639][ T3606] RSP: 002b:00007f2ff2157820 EFLAGS: 00010246 [ 44.491726][ T3606] RAX: 00000000207a5e00 RBX: 0000000000000000 RCX: 00180f8000180f80 [ 44.499715][ T3606] RDX: 0002912000180f80 RSI: 0000000000003e00 RDI: 0000000000000008 [ 44.507709][ T3606] RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000 [ 44.515716][ T3606] R10: 0000000000000000 R11: 00007f2ff2157c80 R12: 00000000207a2000 [ 44.523791][ T3606] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f2ff2157d80 [ 44.531782][ T3606] [ 44.534804][ T3606] [ 44.537126][ T3606] Allocated by task 3606: [ 44.541469][ T3606] kasan_save_stack+0x1e/0x40 [ 44.546184][ T3606] __kasan_slab_alloc+0x90/0xc0 [ 44.551046][ T3606] kmem_cache_alloc_lru+0x255/0x720 [ 44.556248][ T3606] hugetlbfs_alloc_inode+0x88/0x1e0 [ 44.561450][ T3606] alloc_inode+0x61/0x230 [ 44.565785][ T3606] new_inode+0x27/0x270 [ 44.569959][ T3606] hugetlbfs_get_inode+0x353/0x5f0 [ 44.575097][ T3606] hugetlb_file_setup+0x13a/0x590 [ 44.580128][ T3606] ksys_mmap_pgoff+0x184/0x5a0 [ 44.584895][ T3606] do_syscall_64+0x35/0xb0 [ 44.589313][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.595207][ T3606] [ 44.597526][ T3606] Freed by task 0: [ 44.601236][ T3606] kasan_save_stack+0x1e/0x40 [ 44.606000][ T3606] kasan_set_track+0x21/0x30 [ 44.610807][ T3606] kasan_set_free_info+0x20/0x30 [ 44.615757][ T3606] ____kasan_slab_free+0x166/0x1c0 [ 44.620868][ T3606] slab_free_freelist_hook+0x8b/0x1c0 [ 44.626243][ T3606] kmem_cache_free+0xeb/0x5b0 [ 44.630922][ T3606] i_callback+0x3f/0x70 [ 44.635081][ T3606] rcu_core+0x7b5/0x1890 [ 44.639332][ T3606] __do_softirq+0x1d3/0x9c6 [ 44.643923][ T3606] [ 44.646243][ T3606] Last potentially related work creation: [ 44.651948][ T3606] kasan_save_stack+0x1e/0x40 [ 44.656626][ T3606] __kasan_record_aux_stack+0xbe/0xd0 [ 44.662005][ T3606] call_rcu+0x99/0x790 [ 44.666077][ T3606] destroy_inode+0x129/0x1b0 [ 44.670669][ T3606] iput.part.0+0x55d/0x810 [ 44.675090][ T3606] iput+0x58/0x70 [ 44.678746][ T3606] dentry_unlink_inode+0x2b1/0x460 [ 44.683877][ T3606] __dentry_kill+0x3c0/0x640 [ 44.688469][ T3606] dput+0x806/0xdb0 [ 44.692280][ T3606] __fput+0x39c/0x9d0 [ 44.696262][ T3606] task_work_run+0xdd/0x1a0 [ 44.700767][ T3606] ptrace_notify+0x114/0x140 [ 44.705357][ T3606] syscall_exit_to_user_mode_prepare+0x129/0x280 [ 44.711705][ T3606] syscall_exit_to_user_mode+0x9/0x50 [ 44.717084][ T3606] do_syscall_64+0x42/0xb0 [ 44.721501][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 44.727403][ T3606] [ 44.729718][ T3606] The buggy address belongs to the object at ffff888017a60ac0 [ 44.729718][ T3606] which belongs to the cache hugetlbfs_inode_cache of size 1248 [ 44.744724][ T3606] The buggy address is located 1008 bytes inside of [ 44.744724][ T3606] 1248-byte region [ffff888017a60ac0, ffff888017a60fa0) [ 44.758173][ T3606] [ 44.760498][ T3606] The buggy address belongs to the physical page: [ 44.766918][ T3606] page:ffffea00005e9800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17a60 [ 44.777069][ T3606] head:ffffea00005e9800 order:3 compound_mapcount:0 compound_pincount:0 [ 44.785394][ T3606] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 44.793383][ T3606] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888145a66640 [ 44.801972][ T3606] raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000 [ 44.810548][ T3606] page dumped because: kasan: bad access detected [ 44.816950][ T3606] page_owner tracks the page as allocated [ 44.822675][ T3606] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2981386393, free_ts 0 [ 44.842409][ T3606] get_page_from_freelist+0x109b/0x2ce0 [ 44.847970][ T3606] __alloc_pages+0x1c7/0x510 [ 44.852569][ T3606] alloc_page_interleave+0x1e/0x200 [ 44.857772][ T3606] alloc_pages+0x22f/0x270 [ 44.862191][ T3606] allocate_slab+0x27e/0x3d0 [ 44.866882][ T3606] ___slab_alloc+0x7f1/0xe10 [ 44.871473][ T3606] __slab_alloc.constprop.0+0x4d/0xa0 [ 44.876846][ T3606] kmem_cache_alloc_lru+0x528/0x720 [ 44.882065][ T3606] hugetlbfs_alloc_inode+0x88/0x1e0 [ 44.887289][ T3606] alloc_inode+0x61/0x230 [ 44.891621][ T3606] new_inode+0x27/0x270 [ 44.895783][ T3606] hugetlbfs_fill_super+0x589/0xad0 [ 44.900998][ T3606] get_tree_nodev+0xcd/0x1d0 [ 44.905594][ T3606] hugetlbfs_get_tree+0x1e3/0x2b0 [ 44.910658][ T3606] vfs_get_tree+0x89/0x2f0 [ 44.915091][ T3606] fc_mount+0x13/0xc0 [ 44.919073][ T3606] page_owner free stack trace missing [ 44.924523][ T3606] [ 44.926842][ T3606] Memory state around the buggy address: [ 44.932463][ T3606] ffff888017a60d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.940518][ T3606] ffff888017a60e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.948582][ T3606] >ffff888017a60e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.956634][ T3606] ^ [ 44.962344][ T3606] ffff888017a60f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.970422][ T3606] ffff888017a60f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 44.978484][ T3606] ================================================================== [ 44.986538][ T3606] Kernel panic - not syncing: panic_on_warn set ... [ 44.993122][ T3606] CPU: 0 PID: 3606 Comm: syz-executor225 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0 [ 45.003627][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 45.013681][ T3606] Call Trace: [ 45.016960][ T3606] [ 45.019890][ T3606] dump_stack_lvl+0xcd/0x134 [ 45.024493][ T3606] panic+0x2c8/0x627 [ 45.028482][ T3606] ? panic_print_sys_info.part.0+0x10b/0x10b [ 45.034586][ T3606] ? print_report.cold+0x4f6/0x719 [ 45.039718][ T3606] ? __lock_acquire+0x3ee7/0x56d0 [ 45.044762][ T3606] end_report.part.0+0x3f/0x7c [ 45.049622][ T3606] kasan_report.cold+0xa/0xf [ 45.054219][ T3606] ? __lock_acquire+0x3ee7/0x56d0 [ 45.059258][ T3606] __lock_acquire+0x3ee7/0x56d0 [ 45.064116][ T3606] ? handle_userfault+0xfbe/0x1580 [ 45.069242][ T3606] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 45.075234][ T3606] ? do_raw_spin_lock+0x120/0x2a0 [ 45.080261][ T3606] ? rwlock_bug.part.0+0x90/0x90 [ 45.085202][ T3606] ? _raw_spin_unlock_irq+0x1f/0x40 [ 45.090429][ T3606] lock_acquire+0x1ab/0x570 [ 45.094934][ T3606] ? hugetlb_handle_userfault+0xf5/0x150 [ 45.100572][ T3606] ? lock_release+0x780/0x780 [ 45.105259][ T3606] down_read+0x98/0x450 [ 45.109417][ T3606] ? hugetlb_handle_userfault+0xf5/0x150 [ 45.115074][ T3606] ? rwsem_down_read_slowpath+0xb10/0xb10 [ 45.120801][ T3606] ? xas_load+0x66/0x140 [ 45.125064][ T3606] hugetlb_handle_userfault+0xf5/0x150 [ 45.130537][ T3606] ? hugetlb_fault_mutex_hash+0xd0/0xd0 [ 45.136176][ T3606] ? filemap_add_folio+0x1d0/0x1d0 [ 45.141296][ T3606] ? hugetlb_total_pages+0x140/0x140 [ 45.146688][ T3606] hugetlb_fault+0x14cd/0x1aa0 [ 45.151465][ T3606] ? hugetlb_wp+0x19d0/0x19d0 [ 45.156146][ T3606] ? count_memcg_event_mm.part.0+0x134/0x2d0 [ 45.162134][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 45.167005][ T3606] ? mark_held_locks+0x9f/0xe0 [ 45.171777][ T3606] handle_mm_fault+0x640/0x780 [ 45.176545][ T3606] do_user_addr_fault+0x475/0x1210 [ 45.181672][ T3606] exc_page_fault+0x94/0x170 [ 45.186282][ T3606] asm_exc_page_fault+0x22/0x30 [ 45.191142][ T3606] RIP: 0033:0x7f2ff2164c3b [ 45.195561][ T3606] Code: 00 48 89 94 24 ca 03 00 00 f3 0f 6f 9c 24 c0 03 00 00 f3 0f 6f a4 24 d0 03 00 00 48 89 84 24 e2 03 00 00 48 8d 86 00 20 7a 20 <0f> 11 9e 00 20 7a 20 0f 11 a6 10 20 7a 20 48 8b b4 24 e0 03 00 00 [ 45.215170][ T3606] RSP: 002b:00007f2ff2157820 EFLAGS: 00010246 [ 45.221241][ T3606] RAX: 00000000207a5e00 RBX: 0000000000000000 RCX: 00180f8000180f80 [ 45.229305][ T3606] RDX: 0002912000180f80 RSI: 0000000000003e00 RDI: 0000000000000008 [ 45.237283][ T3606] RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000 [ 45.245252][ T3606] R10: 0000000000000000 R11: 00007f2ff2157c80 R12: 00000000207a2000 [ 45.253224][ T3606] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f2ff2157d80 [ 45.261202][ T3606] [ 45.264391][ T3606] Kernel Offset: disabled [ 45.268719][ T3606] Rebooting in 86400 seconds..