./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor402571111 <...> Warning: Permanently added '10.128.0.250' (ED25519) to the list of known hosts. execve("./syz-executor402571111", ["./syz-executor402571111"], 0x7ffc3c6316e0 /* 10 vars */) = 0 brk(NULL) = 0x55555fc04000 brk(0x55555fc04d00) = 0x55555fc04d00 arch_prctl(ARCH_SET_FS, 0x55555fc04380) = 0 set_tid_address(0x55555fc04650) = 5096 set_robust_list(0x55555fc04660, 24) = 0 rseq(0x55555fc04ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor402571111", 4096) = 27 getrandom("\x99\x7f\x9d\xa4\x78\x21\x35\xbf", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555fc04d00 brk(0x55555fc25d00) = 0x55555fc25d00 brk(0x55555fc26000) = 0x55555fc26000 mprotect(0x7fc499076000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5097 attached , child_tidptr=0x55555fc04650) = 5097 [pid 5097] set_robust_list(0x55555fc04660, 24) = 0 [pid 5097] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5097] setpgid(0, 0) = 0 [pid 5097] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5097] write(3, "1000", 4) = 4 [pid 5097] close(3) = 0 [pid 5097] write(1, "executing program\n", 18executing program ) = 18 [ 76.181185][ T5097] ================================================================== [ 76.189404][ T5097] BUG: KASAN: slab-out-of-bounds in btf_datasec_check_meta+0x2c9/0x9a0 [ 76.197944][ T5097] Read of size 1 at addr ffff88801eab7637 by task syz-executor402/5097 [ 76.206203][ T5097] [ 76.208532][ T5097] CPU: 0 PID: 5097 Comm: syz-executor402 Not tainted 6.10.0-rc6-syzkaller-01414-g58f9416d413a #0 [ 76.219039][ T5097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 [ 76.229106][ T5097] Call Trace: [ 76.232382][ T5097] [ 76.235345][ T5097] dump_stack_lvl+0x241/0x360 [ 76.240142][ T5097] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.245518][ T5097] ? __pfx__printk+0x10/0x10 [ 76.250118][ T5097] ? _printk+0xd5/0x120 [ 76.254292][ T5097] ? __virt_addr_valid+0x183/0x520 [ 76.259634][ T5097] ? __virt_addr_valid+0x183/0x520 [ 76.264776][ T5097] print_report+0x169/0x550 [ 76.269298][ T5097] ? __virt_addr_valid+0x183/0x520 [ 76.274423][ T5097] ? __virt_addr_valid+0x183/0x520 [ 76.279546][ T5097] ? __virt_addr_valid+0x44e/0x520 [ 76.284667][ T5097] ? __phys_addr+0xba/0x170 [ 76.289185][ T5097] ? btf_datasec_check_meta+0x2c9/0x9a0 [ 76.294756][ T5097] kasan_report+0x143/0x180 [ 76.299360][ T5097] ? btf_datasec_check_meta+0x2c9/0x9a0 [ 76.304918][ T5097] btf_datasec_check_meta+0x2c9/0x9a0 [ 76.310309][ T5097] btf_parse_type_sec+0x4d5/0x2620 [ 76.315453][ T5097] ? __pfx___might_resched+0x10/0x10 [ 76.320942][ T5097] ? btf_check_sec_info+0x379/0x4f0 [ 76.326430][ T5097] ? __pfx_btf_parse_type_sec+0x10/0x10 [ 76.331993][ T5097] ? __asan_memcpy+0x40/0x70 [ 76.336596][ T5097] ? btf_parse_str_sec+0x21f/0x2b0 [ 76.341734][ T5097] btf_new_fd+0x43f/0xd30 [ 76.346089][ T5097] ? __pfx_btf_new_fd+0x10/0x10 [ 76.351234][ T5097] ? bpf_btf_load+0xcf/0x1a0 [ 76.355951][ T5097] __sys_bpf+0x6ef/0x810 [ 76.360215][ T5097] ? __pfx___sys_bpf+0x10/0x10 [ 76.365004][ T5097] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 76.371773][ T5097] ? exc_page_fault+0x590/0x8c0 [ 76.376631][ T5097] __x64_sys_bpf+0x7c/0x90 [ 76.381086][ T5097] do_syscall_64+0xf3/0x230 [ 76.385786][ T5097] ? clear_bhb_loop+0x35/0x90 [ 76.390484][ T5097] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.396428][ T5097] RIP: 0033:0x7fc499003af9 [ 76.400883][ T5097] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 76.420517][ T5097] RSP: 002b:00007fff8643f338 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 76.428960][ T5097] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc499003af9 [ 76.436961][ T5097] RDX: 0000000000000020 RSI: 0000000020000300 RDI: 0000000000000012 [ 76.445381][ T5097] RBP: 00007fc4990765f0 R08: 0000000000000000 R09: 0000000000000006 [ 76.453378][ T5097] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 76.461360][ T5097] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 76.469353][ T5097] [ 76.472810][ T5097] [ 76.475144][ T5097] Allocated by task 5097: [ 76.479468][ T5097] kasan_save_track+0x3f/0x80 [ 76.484175][ T5097] __kasan_kmalloc+0x98/0xb0 [ 76.488771][ T5097] __kmalloc_node_noprof+0x22a/0x440 [ 76.494059][ T5097] kvmalloc_node_noprof+0x72/0x190 [ 76.499174][ T5097] btf_new_fd+0x265/0xd30 [ 76.503503][ T5097] __sys_bpf+0x6ef/0x810 [ 76.507770][ T5097] __x64_sys_bpf+0x7c/0x90 [ 76.512221][ T5097] do_syscall_64+0xf3/0x230 [ 76.516756][ T5097] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.522662][ T5097] [ 76.525003][ T5097] The buggy address belongs to the object at ffff88801eab7600 [ 76.525003][ T5097] which belongs to the cache kmalloc-64 of size 64 [ 76.538975][ T5097] The buggy address is located 0 bytes to the right of [ 76.538975][ T5097] allocated 55-byte region [ffff88801eab7600, ffff88801eab7637) [ 76.553382][ T5097] [ 76.555707][ T5097] The buggy address belongs to the physical page: [ 76.562217][ T5097] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eab7 [ 76.570996][ T5097] anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 76.578541][ T5097] page_type: 0xffffefff(slab) [ 76.583219][ T5097] raw: 00fff00000000000 ffff8880150418c0 0000000000000000 dead000000000001 [ 76.591802][ T5097] raw: 0000000000000000 0000000080200020 00000001ffffefff 0000000000000000 [ 76.600379][ T5097] page dumped because: kasan: bad access detected [ 76.606793][ T5097] page_owner tracks the page as allocated [ 76.612503][ T5097] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2, tgid 2 (kthreadd), ts 9827187434, free_ts 8730827665 [ 76.630738][ T5097] post_alloc_hook+0x1f3/0x230 [ 76.635514][ T5097] get_page_from_freelist+0x2e4c/0x2f10 [ 76.641065][ T5097] __alloc_pages_noprof+0x256/0x6c0 [ 76.646272][ T5097] alloc_slab_page+0x5f/0x120 [ 76.650957][ T5097] allocate_slab+0x5a/0x2f0 [ 76.655464][ T5097] ___slab_alloc+0xcd1/0x14b0 [ 76.660148][ T5097] __slab_alloc+0x58/0xa0 [ 76.664477][ T5097] __kmalloc_noprof+0x257/0x400 [ 76.669414][ T5097] security_task_alloc+0x43/0x130 [ 76.674459][ T5097] copy_process+0x169e/0x3dc0 [ 76.679423][ T5097] kernel_clone+0x226/0x8f0 [ 76.683932][ T5097] kernel_thread+0x1bc/0x240 [ 76.688528][ T5097] kthreadd+0x60d/0x810 [ 76.692686][ T5097] ret_from_fork+0x4b/0x80 [ 76.697194][ T5097] ret_from_fork_asm+0x1a/0x30 [ 76.702061][ T5097] page last free pid 25 tgid 25 stack trace: [ 76.708123][ T5097] free_unref_page+0xd22/0xea0 [ 76.712896][ T5097] vfree+0x186/0x2e0 [ 76.716800][ T5097] delayed_vfree_work+0x56/0x80 [ 76.721653][ T5097] process_scheduled_works+0xa2c/0x1830 [ 76.727203][ T5097] worker_thread+0x86d/0xd50 [ 76.731803][ T5097] kthread+0x2f0/0x390 [ 76.735875][ T5097] ret_from_fork+0x4b/0x80 [ 76.740301][ T5097] ret_from_fork_asm+0x1a/0x30 [ 76.745096][ T5097] [ 76.747415][ T5097] Memory state around the buggy address: [ 76.753070][ T5097] ffff88801eab7500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 76.761652][ T5097] ffff88801eab7580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 76.769973][ T5097] >ffff88801eab7600: 00 00 00 00 00 00 07 fc fc fc fc fc fc fc fc fc [ 76.778031][ T5097] ^ [ 76.783660][ T5097] ffff88801eab7680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 76.791723][ T5097] ffff88801eab7700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 76.799780][ T5097] ================================================================== [ 76.808199][ T5097] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.815512][ T5097] CPU: 0 PID: 5097 Comm: syz-executor402 Not tainted 6.10.0-rc6-syzkaller-01414-g58f9416d413a #0 [ 76.826385][ T5097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 [ 76.836623][ T5097] Call Trace: [ 76.839910][ T5097] [ 76.842849][ T5097] dump_stack_lvl+0x241/0x360 [ 76.847590][ T5097] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.852801][ T5097] ? __pfx__printk+0x10/0x10 [ 76.857497][ T5097] ? preempt_schedule+0xe1/0xf0 [ 76.862359][ T5097] ? vscnprintf+0x5d/0x90 [ 76.866787][ T5097] panic+0x349/0x860 [ 76.871210][ T5097] ? check_panic_on_warn+0x21/0xb0 [ 76.876336][ T5097] ? __pfx_panic+0x10/0x10 [ 76.880758][ T5097] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 76.886835][ T5097] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.893175][ T5097] ? print_report+0x502/0x550 [ 76.897950][ T5097] check_panic_on_warn+0x86/0xb0 [ 76.902900][ T5097] ? btf_datasec_check_meta+0x2c9/0x9a0 [ 76.908464][ T5097] end_report+0x77/0x160 [ 76.912713][ T5097] kasan_report+0x154/0x180 [ 76.917248][ T5097] ? btf_datasec_check_meta+0x2c9/0x9a0 [ 76.922835][ T5097] btf_datasec_check_meta+0x2c9/0x9a0 [ 76.928244][ T5097] btf_parse_type_sec+0x4d5/0x2620 [ 76.933383][ T5097] ? __pfx___might_resched+0x10/0x10 [ 76.938695][ T5097] ? btf_check_sec_info+0x379/0x4f0 [ 76.943903][ T5097] ? __pfx_btf_parse_type_sec+0x10/0x10 [ 76.949452][ T5097] ? __asan_memcpy+0x40/0x70 [ 76.954056][ T5097] ? btf_parse_str_sec+0x21f/0x2b0 [ 76.959264][ T5097] btf_new_fd+0x43f/0xd30 [ 76.963603][ T5097] ? __pfx_btf_new_fd+0x10/0x10 [ 76.968468][ T5097] ? bpf_btf_load+0xcf/0x1a0 [ 76.973061][ T5097] __sys_bpf+0x6ef/0x810 [ 76.977338][ T5097] ? __pfx___sys_bpf+0x10/0x10 [ 76.982137][ T5097] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 76.988483][ T5097] ? exc_page_fault+0x590/0x8c0 [ 76.993354][ T5097] __x64_sys_bpf+0x7c/0x90 [ 76.997783][ T5097] do_syscall_64+0xf3/0x230 [ 77.002290][ T5097] ? clear_bhb_loop+0x35/0x90 [ 77.006977][ T5097] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.012917][ T5097] RIP: 0033:0x7fc499003af9 [ 77.017349][ T5097] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 77.037062][ T5097] RSP: 002b:00007fff8643f338 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 77.045489][ T5097] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc499003af9 [ 77.053466][ T5097] RDX: 0000000000000020 RSI: 0000000020000300 RDI: 0000000000000012 [ 77.061443][ T5097] RBP: 00007fc4990765f0 R08: 0000000000000000 R09: 0000000000000006 [ 77.069502][ T5097] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 77.077840][ T5097] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 77.085825][ T5097] [ 77.089136][ T5097] Kernel Offset: disabled [ 77.093463][ T5097] Rebooting in 86400 seconds..