./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1709431593 <...> Warning: Permanently added '10.128.1.82' (ED25519) to the list of known hosts. execve("./syz-executor1709431593", ["./syz-executor1709431593"], 0x7ffe3c9a3ba0 /* 10 vars */) = 0 brk(NULL) = 0x5555793a3000 brk(0x5555793a3e00) = 0x5555793a3e00 arch_prctl(ARCH_SET_FS, 0x5555793a3480) = 0 set_tid_address(0x5555793a3750) = 5066 set_robust_list(0x5555793a3760, 24) = 0 rseq(0x5555793a3da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1709431593", 4096) = 28 getrandom("\x3e\xc0\x85\xbd\x71\x34\x9e\xb0", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555793a3e00 brk(0x5555793c4e00) = 0x5555793c4e00 brk(0x5555793c5000) = 0x5555793c5000 mprotect(0x7ff4d9d7e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7ff4d9cc4c20, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7ff4d9cc4c20, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, NULL, 8) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5067 attached , child_tidptr=0x5555793a3750) = 5067 [pid 5066] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5067] set_robust_list(0x5555793a3760, 24) = 0 ./strace-static-x86_64: Process 5068 attached [pid 5067] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5066] <... clone resumed>, child_tidptr=0x5555793a3750) = 5068 [pid 5068] set_robust_list(0x5555793a3760, 24./strace-static-x86_64: Process 5069 attached ) = 0 [pid 5066] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5069] set_robust_list(0x5555793a3760, 24 [pid 5068] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5067] <... clone resumed>, child_tidptr=0x5555793a3750) = 5069 [pid 5069] <... set_robust_list resumed>) = 0 [pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 ./strace-static-x86_64: Process 5071 attached ./strace-static-x86_64: Process 5070 attached [pid 5069] setpgid(0, 0) = 0 [pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5066] <... clone resumed>, child_tidptr=0x5555793a3750) = 5070 [pid 5071] set_robust_list(0x5555793a3760, 24 [pid 5070] set_robust_list(0x5555793a3760, 24 [pid 5069] <... openat resumed>) = 3 [pid 5068] <... clone resumed>, child_tidptr=0x5555793a3750) = 5071 [pid 5066] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5071] <... set_robust_list resumed>) = 0 [pid 5070] <... set_robust_list resumed>) = 0 [pid 5069] write(3, "1000", 4 [pid 5071] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5070] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5072 attached [pid 5071] <... prctl resumed>) = 0 [pid 5069] <... write resumed>) = 4 [pid 5066] <... clone resumed>, child_tidptr=0x5555793a3750) = 5072 [pid 5066] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5072] set_robust_list(0x5555793a3760, 24 [pid 5071] setpgid(0, 0 [pid 5069] close(3 [pid 5072] <... set_robust_list resumed>) = 0 [pid 5071] <... setpgid resumed>) = 0 [pid 5069] <... close resumed>) = 0 [pid 5072] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5069] futex(0x7ff4d9d8432c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5069] <... futex resumed>) = 0 ./strace-static-x86_64: Process 5074 attached ./strace-static-x86_64: Process 5073 attached ./strace-static-x86_64: Process 5075 attached [pid 5074] set_robust_list(0x5555793a3760, 24 [pid 5073] set_robust_list(0x5555793a3760, 24 [pid 5069] rt_sigaction(SIGRT_1, {sa_handler=0x7ff4d9d20a70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, [pid 5075] set_robust_list(0x5555793a3760, 24 [pid 5069] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5073] <... set_robust_list resumed>) = 0 [pid 5069] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5066] <... clone resumed>, child_tidptr=0x5555793a3750) = 5073 [pid 5075] <... set_robust_list resumed>) = 0 [pid 5074] <... set_robust_list resumed>) = 0 [pid 5073] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5072] <... clone resumed>, child_tidptr=0x5555793a3750) = 5075 [pid 5071] <... openat resumed>) = 3 [pid 5070] <... clone resumed>, child_tidptr=0x5555793a3750) = 5074 [pid 5069] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5074] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5071] write(3, "1000", 4 [pid 5069] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0./strace-static-x86_64: Process 5076 attached [pid 5075] <... prctl resumed>) = 0 [pid 5074] <... prctl resumed>) = 0 [pid 5071] <... write resumed>) = 4 [pid 5069] <... mmap resumed>) = 0x7ff4d9c94000 [pid 5076] set_robust_list(0x5555793a3760, 24 [pid 5075] setpgid(0, 0 [pid 5074] setpgid(0, 0 [pid 5073] <... clone resumed>, child_tidptr=0x5555793a3750) = 5076 [pid 5071] close(3 [pid 5069] mprotect(0x7ff4d9c95000, 131072, PROT_READ|PROT_WRITE [pid 5076] <... set_robust_list resumed>) = 0 [pid 5075] <... setpgid resumed>) = 0 [pid 5074] <... setpgid resumed>) = 0 [pid 5071] <... close resumed>) = 0 [pid 5069] <... mprotect resumed>) = 0 [pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5076] <... prctl resumed>) = 0 [pid 5075] <... openat resumed>) = 3 [pid 5074] <... openat resumed>) = 3 [pid 5071] futex(0x7ff4d9d8432c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5069] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5076] setpgid(0, 0 [pid 5075] write(3, "1000", 4 [pid 5071] <... futex resumed>) = 0 [pid 5075] <... write resumed>) = 4 [pid 5071] rt_sigaction(SIGRT_1, {sa_handler=0x7ff4d9d20a70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, [pid 5075] close(3 [pid 5071] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5075] <... close resumed>) = 0 [pid 5071] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5075] futex(0x7ff4d9d8432c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5075] <... futex resumed>) = 0 [pid 5071] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5075] rt_sigaction(SIGRT_1, {sa_handler=0x7ff4d9d20a70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, [pid 5074] write(3, "1000", 4 [pid 5075] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5071] <... mmap resumed>) = 0x7ff4d9c94000 [pid 5076] <... setpgid resumed>) = 0 [pid 5075] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5074] <... write resumed>) = 4 [pid 5071] mprotect(0x7ff4d9c95000, 131072, PROT_READ|PROT_WRITE [pid 5069] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5075] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5074] close(3 [pid 5071] <... mprotect resumed>) = 0 [pid 5069] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7ff4d9cb4990, parent_tid=0x7ff4d9cb4990, exit_signal=0, stack=0x7ff4d9c94000, stack_size=0x20240, tls=0x7ff4d9cb46c0} [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5074] <... close resumed>) = 0 [pid 5075] <... mmap resumed>) = 0x7ff4d9c94000 [pid 5074] futex(0x7ff4d9d8432c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] rt_sigprocmask(SIG_BLOCK, ~[], ./strace-static-x86_64: Process 5077 attached [pid 5076] <... openat resumed>) = 3 [pid 5075] mprotect(0x7ff4d9c95000, 131072, PROT_READ|PROT_WRITE [pid 5074] <... futex resumed>) = 0 [pid 5069] <... clone3 resumed> => {parent_tid=[5077]}, 88) = 5077 [pid 5077] rseq(0x7ff4d9cb4fe0, 0x20, 0, 0x53053053 [pid 5069] rt_sigprocmask(SIG_SETMASK, [], [pid 5077] <... rseq resumed>) = 0 [pid 5074] rt_sigaction(SIGRT_1, {sa_handler=0x7ff4d9d20a70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, [pid 5069] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5077] set_robust_list(0x7ff4d9cb49a0, 24 [pid 5076] write(3, "1000", 4 [pid 5069] futex(0x7ff4d9d84328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5077] <... set_robust_list resumed>) = 0 [pid 5074] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5069] <... futex resumed>) = 0 [pid 5077] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5075] <... mprotect resumed>) = 0 [pid 5074] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5071] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5069] futex(0x7ff4d9d8432c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=550000000} [pid 5077] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE, insn_cnt=5, insns=0x20000040, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [pid 5076] <... write resumed>) = 4 [pid 5075] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5074] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5071] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7ff4d9cb4990, parent_tid=0x7ff4d9cb4990, exit_signal=0, stack=0x7ff4d9c94000, stack_size=0x20240, tls=0x7ff4d9cb46c0} [pid 5076] close(3 [pid 5075] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0./strace-static-x86_64: Process 5078 attached [pid 5076] <... close resumed>) = 0 [pid 5075] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7ff4d9cb4990, parent_tid=0x7ff4d9cb4990, exit_signal=0, stack=0x7ff4d9c94000, stack_size=0x20240, tls=0x7ff4d9cb46c0} [pid 5074] <... mmap resumed>) = 0x7ff4d9c94000 [pid 5071] <... clone3 resumed> => {parent_tid=[5078]}, 88) = 5078 ./strace-static-x86_64: Process 5079 attached [pid 5071] rt_sigprocmask(SIG_SETMASK, [], [pid 5079] rseq(0x7ff4d9cb4fe0, 0x20, 0, 0x53053053 [pid 5078] rseq(0x7ff4d9cb4fe0, 0x20, 0, 0x53053053 [pid 5077] <... bpf resumed>) = 3 [pid 5076] futex(0x7ff4d9d8432c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] mprotect(0x7ff4d9c95000, 131072, PROT_READ|PROT_WRITE [pid 5071] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5079] <... rseq resumed>) = 0 [pid 5078] <... rseq resumed>) = 0 [pid 5077] futex(0x7ff4d9d8432c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... futex resumed>) = 0 [pid 5075] <... clone3 resumed> => {parent_tid=[5079]}, 88) = 5079 [pid 5074] <... mprotect resumed>) = 0 [pid 5071] futex(0x7ff4d9d84328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] set_robust_list(0x7ff4d9cb49a0, 24 [pid 5078] set_robust_list(0x7ff4d9cb49a0, 24 [pid 5077] <... futex resumed>) = 1 [pid 5076] rt_sigaction(SIGRT_1, {sa_handler=0x7ff4d9d20a70, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff4d9ccd5a0}, [pid 5075] rt_sigprocmask(SIG_SETMASK, [], [pid 5071] <... futex resumed>) = 0 [pid 5069] <... futex resumed>) = 0 [pid 5079] <... set_robust_list resumed>) = 0 [pid 5078] <... set_robust_list resumed>) = 0 [pid 5077] futex(0x7ff4d9d84328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5076] <... rt_sigaction resumed>NULL, 8) = 0 [pid 5075] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5074] rt_sigprocmask(SIG_BLOCK, ~[], [pid 5071] futex(0x7ff4d9d8432c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=550000000} [pid 5069] futex(0x7ff4d9d84328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] rt_sigprocmask(SIG_SETMASK, [], [pid 5078] rt_sigprocmask(SIG_SETMASK, [], [pid 5077] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5076] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], [pid 5075] futex(0x7ff4d9d84328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5078] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5077] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="mmap_lock_acquire_returned", prog_fd=3}}, 16 [pid 5076] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5075] <... futex resumed>) = 0 [pid 5074] <... rt_sigprocmask resumed>[], 8) = 0 [pid 5069] <... futex resumed>) = 0 [pid 5079] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE, insn_cnt=5, insns=0x20000040, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=8, func_info=NULL, func_info_cnt=0, line_info_rec_size=16, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL, ...}, 144 [ 71.360248][ T6854] ================================================================== [ 71.368367][ T6854] BUG: KASAN: slab-use-after-free in bpf_trace_run4+0x143/0x580 [ 71.376022][ T6854] Read of size 8 at addr ffff88807c144018 by task syz-executor170/6854 [ 71.384342][ T6854] [ 71.386708][ T6854] CPU: 0 PID: 6854 Comm: syz-executor170 Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 [ 71.396752][ T6854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 71.406891][ T6854] Call Trace: [ 71.410163][ T6854] [ 71.413089][ T6854] dump_stack_lvl+0x1e7/0x2e0 [ 71.417809][ T6854] ? __pfx_dump_stack_lvl+0x10/0x10 [ 71.422999][ T6854] ? __pfx__printk+0x10/0x10 [ 71.427574][ T6854] ? _printk+0xd5/0x120 [ 71.431715][ T6854] ? __virt_addr_valid+0x183/0x520 [ 71.436896][ T6854] ? __virt_addr_valid+0x183/0x520 [ 71.442025][ T6854] print_report+0x169/0x550 [ 71.446534][ T6854] ? __virt_addr_valid+0x183/0x520 [ 71.451659][ T6854] ? __virt_addr_valid+0x183/0x520 [ 71.456769][ T6854] ? __virt_addr_valid+0x44e/0x520 [ 71.461883][ T6854] ? __phys_addr+0xba/0x170 [ 71.466403][ T6854] ? bpf_trace_run4+0x143/0x580 [ 71.471255][ T6854] kasan_report+0x143/0x180 [ 71.475847][ T6854] ? bpf_trace_run4+0x143/0x580 [ 71.480719][ T6854] bpf_trace_run4+0x143/0x580 [ 71.485599][ T6854] ? __pfx_bpf_trace_run4+0x10/0x10 [ 71.491041][ T6854] ? __pfx___bpf_trace_mmap_lock_acquire_returned+0x10/0x10 [ 71.498342][ T6854] __traceiter_mmap_lock_acquire_returned+0x93/0xf0 [ 71.505030][ T6854] __mmap_lock_do_trace_acquire_returned+0x598/0x600 [ 71.511702][ T6854] ? __mmap_lock_do_trace_acquire_returned+0x8f/0x600 [ 71.518513][ T6854] lock_mm_and_find_vma+0x213/0x2f0 [ 71.523741][ T6854] exc_page_fault+0x1a9/0x890 [ 71.528520][ T6854] asm_exc_page_fault+0x26/0x30 [ 71.533370][ T6854] RIP: 0010:strncpy_from_user+0x110/0x2f0 [ 71.539087][ T6854] Code: 00 00 00 4c 89 e6 e8 df 30 b7 fc 49 83 fc 07 0f 86 9a 00 00 00 48 89 6c 24 08 48 c7 44 24 10 f8 ff ff ff 45 31 ed 4c 89 3c 24 <4f> 8b 3c 2f 48 b8 ff fe fe fe fe fe fe fe 49 8d 1c 07 4c 89 fd 48 [ 71.558769][ T6854] RSP: 0018:ffffc9000b317b10 EFLAGS: 00050246 [ 71.565096][ T6854] RAX: 0000000000000000 RBX: ffffc9000b317db0 RCX: ffff88802bb20000 [ 71.573249][ T6854] RDX: 0000000000000000 RSI: 000000000000007f RDI: 0000000000000007 [ 71.581314][ T6854] RBP: 000000000000007f R08: ffffffff84ddc451 R09: ffffffff8206b477 [ 71.589364][ T6854] R10: 0000000000000003 R11: ffff88802bb20000 R12: 000000000000007f [ 71.597352][ T6854] R13: 0000000000000000 R14: ffffc9000b317c50 R15: 0000000000000000 [ 71.605416][ T6854] ? __check_object_size+0x77/0xa00 [ 71.610703][ T6854] ? strncpy_from_user+0xf1/0x2f0 [ 71.615732][ T6854] bpf_prog_load+0xd65/0x20f0 [ 71.620531][ T6854] ? __pfx_bpf_prog_load+0x10/0x10 [ 71.625818][ T6854] ? __pfx___might_resched+0x10/0x10 [ 71.631221][ T6854] ? __might_fault+0xc6/0x120 [ 71.636787][ T6854] ? bpf_lsm_bpf+0x9/0x10 [ 71.642423][ T6854] ? security_bpf+0x87/0xb0 [ 71.647700][ T6854] __sys_bpf+0x4ee/0x810 [ 71.652026][ T6854] ? __pfx___sys_bpf+0x10/0x10 [ 71.657990][ T6854] ? xfd_validate_state+0x6e/0x150 [ 71.663645][ T6854] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.669896][ T6854] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.677022][ T6854] ? do_syscall_64+0x10a/0x240 [ 71.681822][ T6854] __x64_sys_bpf+0x7c/0x90 [ 71.686277][ T6854] do_syscall_64+0xfb/0x240 [ 71.690810][ T6854] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 71.696821][ T6854] RIP: 0033:0x7ff4d9cfadd9 [ 71.701524][ T6854] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 71.721230][ T6854] RSP: 002b:00007ff4d9cb4168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 71.729780][ T6854] RAX: ffffffffffffffda RBX: 00007ff4d9d84328 RCX: 00007ff4d9cfadd9 [ 71.737858][ T6854] RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000005 [ 71.745844][ T6854] RBP: 00007ff4d9d84320 R08: 00007ff4d9cb46c0 R09: 0000000000000000 [ 71.753894][ T6854] R10: 00007ff4d9cb46c0 R11: 0000000000000246 R12: 00007ff4d9d8432c [ 71.761862][ T6854] R13: 0000000000000000 R14: 00007ffe8b55d460 R15: 00007ffe8b55d548 [ 71.769846][ T6854] [ 71.772936][ T6854] [ 71.775256][ T6854] Allocated by task 6849: [ 71.779678][ T6854] kasan_save_track+0x3f/0x80 [ 71.784528][ T6854] __kasan_kmalloc+0x98/0xb0 [ 71.789418][ T6854] kmalloc_trace+0x1d9/0x360 [ 71.794004][ T6854] bpf_raw_tp_link_attach+0x2a0/0x6e0 [ 71.799370][ T6854] bpf_raw_tracepoint_open+0x1c2/0x240 [ 71.804857][ T6854] __sys_bpf+0x3c0/0x810 [ 71.809080][ T6854] __x64_sys_bpf+0x7c/0x90 [ 71.813477][ T6854] do_syscall_64+0xfb/0x240 [ 71.818081][ T6854] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 71.823977][ T6854] [ 71.826472][ T6854] Freed by task 6849: [ 71.830486][ T6854] kasan_save_track+0x3f/0x80 [ 71.835181][ T6854] kasan_save_free_info+0x40/0x50 [ 71.840205][ T6854] poison_slab_object+0xa6/0xe0 [ 71.845053][ T6854] __kasan_slab_free+0x37/0x60 [ 71.849918][ T6854] kfree+0x14a/0x380 [ 71.853806][ T6854] bpf_link_release+0x3b/0x50 [ 71.858473][ T6854] __fput+0x429/0x8a0 [ 71.862452][ T6854] task_work_run+0x24f/0x310 [ 71.867039][ T6854] do_exit+0xa1b/0x27e0 [ 71.871284][ T6854] do_group_exit+0x207/0x2c0 [ 71.875863][ T6854] get_signal+0x176e/0x1850 [ 71.880383][ T6854] arch_do_signal_or_restart+0x96/0x860 [ 71.885914][ T6854] syscall_exit_to_user_mode+0xc9/0x360 [ 71.891442][ T6854] do_syscall_64+0x10a/0x240 [ 71.896026][ T6854] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 71.901915][ T6854] [ 71.904238][ T6854] The buggy address belongs to the object at ffff88807c144000 [ 71.904238][ T6854] which belongs to the cache kmalloc-128 of size 128 [ 71.918545][ T6854] The buggy address is located 24 bytes inside of [ 71.918545][ T6854] freed 128-byte region [ffff88807c144000, ffff88807c144080) [ 71.932429][ T6854] [ 71.934741][ T6854] The buggy address belongs to the physical page: [ 71.941152][ T6854] page:ffffea0001f05100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c144 [ 71.951284][ T6854] flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) [ 71.958805][ T6854] page_type: 0xffffffff() [ 71.963118][ T6854] raw: 00fff00000000800 ffff888014c418c0 dead000000000122 0000000000000000 [ 71.971781][ T6854] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 71.980354][ T6854] page dumped because: kasan: bad access detected [ 71.986749][ T6854] page_owner tracks the page as allocated [ 71.992446][ T6854] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6849, tgid 6847 (syz-executor170), ts 71323815613, free_ts 71323499090 [ 72.011222][ T6854] post_alloc_hook+0x1ea/0x210 [ 72.015999][ T6854] get_page_from_freelist+0x33ea/0x3580 [ 72.021554][ T6854] __alloc_pages+0x256/0x680 [ 72.026238][ T6854] alloc_slab_page+0x5f/0x160 [ 72.030904][ T6854] new_slab+0x84/0x2f0 [ 72.034961][ T6854] ___slab_alloc+0xd1b/0x13e0 [ 72.039633][ T6854] kmalloc_trace+0x267/0x360 [ 72.044332][ T6854] bpf_raw_tp_link_attach+0x2a0/0x6e0 [ 72.049705][ T6854] bpf_raw_tracepoint_open+0x1c2/0x240 [ 72.055148][ T6854] __sys_bpf+0x3c0/0x810 [ 72.059384][ T6854] __x64_sys_bpf+0x7c/0x90 [ 72.063790][ T6854] do_syscall_64+0xfb/0x240 [ 72.068282][ T6854] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 72.075034][ T6854] page last free pid 6849 tgid 6847 stack trace: [ 72.081528][ T6854] free_unref_page_prepare+0x968/0xa90 [ 72.086989][ T6854] free_unref_page+0x37/0x3f0 [ 72.091662][ T6854] vfree+0x186/0x2e0 [ 72.095555][ T6854] bpf_check+0x8089/0x190c0 [ 72.100041][ T6854] bpf_prog_load+0x1667/0x20f0 [ 72.104801][ T6854] __sys_bpf+0x4ee/0x810 [ 72.110008][ T6854] __x64_sys_bpf+0x7c/0x90 [ 72.114422][ T6854] do_syscall_64+0xfb/0x240 [ 72.118921][ T6854] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 72.124903][ T6854] [ 72.127318][ T6854] Memory state around the buggy address: [ 72.132941][ T6854] ffff88807c143f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.140995][ T6854] ffff88807c143f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.149170][ T6854] >ffff88807c144000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 72.157354][ T6854] ^ [ 72.162243][ T6854] ffff88807c144080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 72.170305][ T6854] ffff88807c144100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 72.178362][ T6854] ================================================================== [ 72.188200][ T6854] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 72.195420][ T6854] CPU: 0 PID: 6854 Comm: syz-executor170 Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 [ 72.205508][ T6854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 72.215762][ T6854] Call Trace: [ 72.219063][ T6854] [ 72.222020][ T6854] dump_stack_lvl+0x1e7/0x2e0 [ 72.226735][ T6854] ? __pfx_dump_stack_lvl+0x10/0x10 [ 72.231973][ T6854] ? __pfx__printk+0x10/0x10 [ 72.236564][ T6854] ? lock_release+0xbf/0x9d0 [ 72.241146][ T6854] ? vscnprintf+0x5d/0x90 [ 72.245483][ T6854] panic+0x349/0x860 [ 72.249373][ T6854] ? check_panic_on_warn+0x21/0xb0 [ 72.254483][ T6854] ? __pfx_panic+0x10/0x10 [ 72.258892][ T6854] ? mark_lock+0x9a/0x350 [ 72.263210][ T6854] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 72.269189][ T6854] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 72.275070][ T6854] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 72.281386][ T6854] ? print_report+0x502/0x550 [ 72.286056][ T6854] check_panic_on_warn+0x86/0xb0 [ 72.291008][ T6854] ? bpf_trace_run4+0x143/0x580 [ 72.295864][ T6854] end_report+0x6e/0x140 [ 72.300201][ T6854] kasan_report+0x154/0x180 [ 72.304725][ T6854] ? bpf_trace_run4+0x143/0x580 [ 72.309575][ T6854] bpf_trace_run4+0x143/0x580 [ 72.314334][ T6854] ? __pfx_bpf_trace_run4+0x10/0x10 [ 72.319534][ T6854] ? __pfx___bpf_trace_mmap_lock_acquire_returned+0x10/0x10 [ 72.326810][ T6854] __traceiter_mmap_lock_acquire_returned+0x93/0xf0 [ 72.333567][ T6854] __mmap_lock_do_trace_acquire_returned+0x598/0x600 [ 72.340231][ T6854] ? __mmap_lock_do_trace_acquire_returned+0x8f/0x600 [ 72.346982][ T6854] lock_mm_and_find_vma+0x213/0x2f0 [ 72.352173][ T6854] exc_page_fault+0x1a9/0x890 [ 72.356841][ T6854] asm_exc_page_fault+0x26/0x30 [ 72.361705][ T6854] RIP: 0010:strncpy_from_user+0x110/0x2f0 [ 72.367420][ T6854] Code: 00 00 00 4c 89 e6 e8 df 30 b7 fc 49 83 fc 07 0f 86 9a 00 00 00 48 89 6c 24 08 48 c7 44 24 10 f8 ff ff ff 45 31 ed 4c 89 3c 24 <4f> 8b 3c 2f 48 b8 ff fe fe fe fe fe fe fe 49 8d 1c 07 4c 89 fd 48 [ 72.387124][ T6854] RSP: 0018:ffffc9000b317b10 EFLAGS: 00050246 [ 72.393267][ T6854] RAX: 0000000000000000 RBX: ffffc9000b317db0 RCX: ffff88802bb20000 [ 72.401380][ T6854] RDX: 0000000000000000 RSI: 000000000000007f RDI: 0000000000000007 [ 72.409522][ T6854] RBP: 000000000000007f R08: ffffffff84ddc451 R09: ffffffff8206b477 [ 72.417486][ T6854] R10: 0000000000000003 R11: ffff88802bb20000 R12: 000000000000007f [ 72.425447][ T6854] R13: 0000000000000000 R14: ffffc9000b317c50 R15: 0000000000000000 [ 72.433411][ T6854] ? __check_object_size+0x77/0xa00 [ 72.438628][ T6854] ? strncpy_from_user+0xf1/0x2f0 [ 72.443679][ T6854] bpf_prog_load+0xd65/0x20f0 [ 72.448359][ T6854] ? __pfx_bpf_prog_load+0x10/0x10 [ 72.453462][ T6854] ? __pfx___might_resched+0x10/0x10 [ 72.459439][ T6854] ? __might_fault+0xc6/0x120 [ 72.464713][ T6854] ? bpf_lsm_bpf+0x9/0x10 [ 72.469033][ T6854] ? security_bpf+0x87/0xb0 [ 72.473525][ T6854] __sys_bpf+0x4ee/0x810 [ 72.477758][ T6854] ? __pfx___sys_bpf+0x10/0x10 [ 72.482514][ T6854] ? xfd_validate_state+0x6e/0x150 [ 72.487630][ T6854] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.493609][ T6854] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.499948][ T6854] ? do_syscall_64+0x10a/0x240 [ 72.504729][ T6854] __x64_sys_bpf+0x7c/0x90 [ 72.509237][ T6854] do_syscall_64+0xfb/0x240 [ 72.513754][ T6854] entry_SYSCALL_64_after_hwframe+0x6d/0x75 [ 72.519666][ T6854] RIP: 0033:0x7ff4d9cfadd9 [ 72.524880][ T6854] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 72.545194][ T6854] RSP: 002b:00007ff4d9cb4168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 72.553978][ T6854] RAX: ffffffffffffffda RBX: 00007ff4d9d84328 RCX: 00007ff4d9cfadd9 [ 72.561945][ T6854] RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000005 [ 72.569915][ T6854] RBP: 00007ff4d9d84320 R08: 00007ff4d9cb46c0 R09: 0000000000000000 [ 72.577872][ T6854] R10: 00007ff4d9cb46c0 R11: 0000000000000246 R12: 00007ff4d9d8432c [ 72.585942][ T6854] R13: 0000000000000000 R14: 00007ffe8b55d460 R15: 00007ffe8b55d548 [ 72.594018][ T6854] [ 72.597392][ T6854] Kernel Offset: disabled [ 72.601730][ T6854] Rebooting in 86400 seconds..