./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1076888478
<...>
Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts.
execve("./syz-executor1076888478", ["./syz-executor1076888478"], 0x7ffdc3d1e0d0 /* 10 vars */) = 0
brk(NULL) = 0x555557454000
brk(0x555557454c40) = 0x555557454c40
arch_prctl(ARCH_SET_FS, 0x555557454300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1076888478", 4096) = 28
brk(0x555557475c40) = 0x555557475c40
brk(0x555557476000) = 0x555557476000
mprotect(0x7fb254e1a000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 3608
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11) = 11
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2) = 2
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7) = 7
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "3608", 4) = 4
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
pkey_mprotect(0x20ff9000, 16384, PROT_NONE, -1) = 0
pkey_mprotect(0x20fff000, 4096, PROT_NONE, -1) = 0
openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 3
write(3, "3", 1) = 1
[ 50.513863][ T3608] ==================================================================
[ 50.521938][ T3608] BUG: KASAN: use-after-free in mprotect_fixup+0x8fc/0x960
[ 50.529123][ T3608] Read of size 8 at addr ffff88801f89ed80 by task syz-executor107/3608
[ 50.537340][ T3608]
[ 50.539646][ T3608] CPU: 0 PID: 3608 Comm: syz-executor107 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
[ 50.549621][ T3608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 50.559656][ T3608] Call Trace:
[ 50.562919][ T3608]
[ 50.565835][ T3608] dump_stack_lvl+0xcd/0x134
[ 50.570435][ T3608] print_report.cold+0x2ba/0x719
[ 50.575372][ T3608] ? mprotect_fixup+0x8fc/0x960
[ 50.580213][ T3608] kasan_report+0xbe/0x1f0
[ 50.584622][ T3608] ? mprotect_fixup+0x8fc/0x960
[ 50.589469][ T3608] mprotect_fixup+0x8fc/0x960
[ 50.594135][ T3608] ? change_protection+0x3a50/0x3a50
[ 50.599410][ T3608] do_mprotect_pkey+0x70f/0xa80
[ 50.604254][ T3608] ? mprotect_fixup+0x960/0x960
[ 50.609093][ T3608] ? _raw_spin_unlock_irq+0x1f/0x40
[ 50.614282][ T3608] ? _raw_spin_unlock_irq+0x1f/0x40
[ 50.619468][ T3608] ? lockdep_hardirqs_on+0x79/0x100
[ 50.624654][ T3608] __x64_sys_pkey_mprotect+0x93/0xf0
[ 50.629925][ T3608] do_syscall_64+0x35/0xb0
[ 50.634324][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 50.640201][ T3608] RIP: 0033:0x7fb254db5389
[ 50.644600][ T3608] Code: 28 c3 e8 1a 17 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 50.664202][ T3608] RSP: 002b:00007ffcd8258c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000149
[ 50.672634][ T3608] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb254db5389
[ 50.680589][ T3608] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffd000
[ 50.688541][ T3608] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000038303633
[ 50.696497][ T3608] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffcd8258da0
[ 50.704452][ T3608] R13: 00007ffcd8258cc0 R14: 00007fb254df10a1 R15: 0000000000000000
[ 50.712431][ T3608]
[ 50.715441][ T3608]
[ 50.717745][ T3608] Allocated by task 3608:
[ 50.722049][ T3608] kasan_save_stack+0x1e/0x40
[ 50.726713][ T3608] __kasan_slab_alloc+0x90/0xc0
[ 50.731546][ T3608] kmem_cache_alloc+0x2d6/0x4c0
[ 50.736388][ T3608] vm_area_dup+0x81/0x380
[ 50.740705][ T3608] __split_vma+0x9f/0x530
[ 50.745016][ T3608] split_vma+0x9f/0xe0
[ 50.749070][ T3608] mprotect_fixup+0x6c7/0x960
[ 50.753729][ T3608] do_mprotect_pkey+0x70f/0xa80
[ 50.758585][ T3608] __x64_sys_pkey_mprotect+0x93/0xf0
[ 50.763853][ T3608] do_syscall_64+0x35/0xb0
[ 50.768252][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 50.774126][ T3608]
[ 50.776440][ T3608] Freed by task 3608:
[ 50.780403][ T3608] kasan_save_stack+0x1e/0x40
[ 50.785067][ T3608] kasan_set_track+0x21/0x30
[ 50.789636][ T3608] kasan_set_free_info+0x20/0x30
[ 50.794559][ T3608] ____kasan_slab_free+0x166/0x1c0
[ 50.799652][ T3608] slab_free_freelist_hook+0x8b/0x1c0
[ 50.805012][ T3608] kmem_cache_free+0xeb/0x5b0
[ 50.809670][ T3608] __vma_adjust+0x9ab/0x1900
[ 50.814241][ T3608] vma_merge+0x590/0x870
[ 50.818466][ T3608] mprotect_fixup+0x338/0x960
[ 50.823124][ T3608] do_mprotect_pkey+0x70f/0xa80
[ 50.827959][ T3608] __x64_sys_pkey_mprotect+0x93/0xf0
[ 50.833241][ T3608] do_syscall_64+0x35/0xb0
[ 50.837642][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 50.843518][ T3608]
[ 50.845822][ T3608] The buggy address belongs to the object at ffff88801f89ed80
[ 50.845822][ T3608] which belongs to the cache vm_area_struct of size 152
[ 50.860287][ T3608] The buggy address is located 0 bytes inside of
[ 50.860287][ T3608] 152-byte region [ffff88801f89ed80, ffff88801f89ee18)
[ 50.873365][ T3608]
[ 50.875684][ T3608] The buggy address belongs to the physical page:
[ 50.882071][ T3608] page:ffffea00007e2780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f89e
[ 50.892397][ T3608] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 50.899944][ T3608] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888140006b40
[ 50.908509][ T3608] raw: 0000000000000000 0000000080120012 00000001ffffffff 0000000000000000
[ 50.917071][ T3608] page dumped because: kasan: bad access detected
[ 50.923458][ T3608] page_owner tracks the page as allocated
[ 50.929147][ T3608] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3603, tgid 3603 (sshd), ts 50397360264, free_ts 45063905366
[ 50.946751][ T3608] get_page_from_freelist+0x210d/0x3a30
[ 50.952288][ T3608] __alloc_pages+0x1c7/0x510
[ 50.956863][ T3608] alloc_pages+0x1aa/0x310
[ 50.961265][ T3608] allocate_slab+0x27e/0x3d0
[ 50.965841][ T3608] ___slab_alloc+0x89d/0xef0
[ 50.970424][ T3608] __slab_alloc.constprop.0+0x4d/0xa0
[ 50.975800][ T3608] kmem_cache_alloc+0x3fb/0x4c0
[ 50.980642][ T3608] vm_area_dup+0x81/0x380
[ 50.984953][ T3608] dup_mmap+0x642/0x1070
[ 50.989178][ T3608] dup_mm+0x91/0x370
[ 50.993053][ T3608] copy_process+0x3ca8/0x7080
[ 50.997713][ T3608] kernel_clone+0xe7/0xab0
[ 51.002111][ T3608] __do_sys_clone+0xba/0x100
[ 51.006683][ T3608] do_syscall_64+0x35/0xb0
[ 51.011081][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 51.016958][ T3608] page last free stack trace:
[ 51.021609][ T3608] free_pcp_prepare+0x5e4/0xd20
[ 51.026441][ T3608] free_unref_page_list+0x16f/0xb90
[ 51.031622][ T3608] release_pages+0xbe8/0x1810
[ 51.036281][ T3608] tlb_batch_pages_flush+0xa8/0x1a0
[ 51.041464][ T3608] tlb_finish_mmu+0x147/0x7e0
[ 51.046123][ T3608] exit_mmap+0x1fe/0x720
[ 51.050357][ T3608] __mmput+0x128/0x4c0
[ 51.054408][ T3608] mmput+0x5c/0x70
[ 51.058117][ T3608] do_exit+0xa09/0x29f0
[ 51.062252][ T3608] do_group_exit+0xd2/0x2f0
[ 51.066734][ T3608] __x64_sys_exit_group+0x3a/0x50
[ 51.071739][ T3608] do_syscall_64+0x35/0xb0
[ 51.076138][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 51.082013][ T3608]
[ 51.084333][ T3608] Memory state around the buggy address:
[ 51.089942][ T3608] ffff88801f89ec80: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
[ 51.097982][ T3608] ffff88801f89ed00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 51.106020][ T3608] >ffff88801f89ed80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.114057][ T3608] ^
[ 51.118101][ T3608] ffff88801f89ee00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.126141][ T3608] ffff88801f89ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.134178][ T3608] ==================================================================
[ 51.142400][ T3608] Kernel panic - not syncing: panic_on_warn set ...
[ 51.148987][ T3608] CPU: 1 PID: 3608 Comm: syz-executor107 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
[ 51.158956][ T3608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 51.168999][ T3608] Call Trace:
[ 51.172266][ T3608]
[ 51.175188][ T3608] dump_stack_lvl+0xcd/0x134
[ 51.179785][ T3608] panic+0x2d7/0x636
[ 51.183680][ T3608] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 51.189661][ T3608] ? preempt_schedule_common+0x59/0xc0
[ 51.195117][ T3608] ? preempt_schedule_thunk+0x16/0x18
[ 51.200490][ T3608] ? mprotect_fixup+0x8fc/0x960
[ 51.205339][ T3608] end_report.part.0+0x3f/0x7c
[ 51.210105][ T3608] kasan_report.cold+0x8/0x12
[ 51.214783][ T3608] ? mprotect_fixup+0x8fc/0x960
[ 51.219644][ T3608] mprotect_fixup+0x8fc/0x960
[ 51.224335][ T3608] ? change_protection+0x3a50/0x3a50
[ 51.229633][ T3608] do_mprotect_pkey+0x70f/0xa80
[ 51.234489][ T3608] ? mprotect_fixup+0x960/0x960
[ 51.239348][ T3608] ? _raw_spin_unlock_irq+0x1f/0x40
[ 51.244548][ T3608] ? _raw_spin_unlock_irq+0x1f/0x40
[ 51.249748][ T3608] ? lockdep_hardirqs_on+0x79/0x100
[ 51.254946][ T3608] __x64_sys_pkey_mprotect+0x93/0xf0
[ 51.260231][ T3608] do_syscall_64+0x35/0xb0
[ 51.264644][ T3608] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 51.270531][ T3608] RIP: 0033:0x7fb254db5389
[ 51.274938][ T3608] Code: 28 c3 e8 1a 17 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 51.294536][ T3608] RSP: 002b:00007ffcd8258c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000149
[ 51.302941][ T3608] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb254db5389
[ 51.310900][ T3608] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffd000
[ 51.318859][ T3608] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000038303633
[ 51.326817][ T3608] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffcd8258da0
[ 51.334777][ T3608] R13: 00007ffcd8258cc0 R14: 00007fb254df10a1 R15: 0000000000000000
[ 51.342747][ T3608]
[ 51.345917][ T3608] Kernel Offset: disabled
[ 51.350234][ T3608] Rebooting in 86400 seconds..