./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2343400136 <...> DUID 00:04:e3:a1:4c:5b:a4:47:39:93:9a:5d:f6:69:14:97:a9:57 forked to background, child pid 4651 [ 34.382082][ T4652] 8021q: adding VLAN 0 to HW filter on device bond0 [ 34.399314][ T4652] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.55' (ECDSA) to the list of known hosts. execve("./syz-executor2343400136", ["./syz-executor2343400136"], 0x7ffeedde1ec0 /* 10 vars */) = 0 brk(NULL) = 0x5555556a8000 brk(0x5555556a8c40) = 0x5555556a8c40 arch_prctl(ARCH_SET_FS, 0x5555556a8300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2343400136", 4096) = 28 brk(0x5555556c9c40) = 0x5555556c9c40 brk(0x5555556ca000) = 0x5555556ca000 mprotect(0x7f86410c9000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5078 attached , child_tidptr=0x5555556a85d0) = 5078 [pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5078] setpgid(0, 0) = 0 [pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5078] write(3, "1000", 4) = 4 [pid 5078] close(3) = 0 [pid 5078] openat(AT_FDCWD, "/dev/audio", O_RDONLY) = 3 [pid 5078] io_uring_setup(15175, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=16384, cq_entries=32768, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=524608}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 5078] mmap(0x20ee9000, 590144, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20ee9000 [pid 5078] mmap(0x20ffc000, 1048576, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffc000 [pid 5078] io_uring_enter(4, 19228, 0, 0, NULL, 0) = 1 [pid 5078] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 5 [pid 5078] dup(5) = 6 [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, 0x200021c0, 8224) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) [pid 5078] read(6, [pid 5077] kill(-5078, SIGKILL) = 0 [pid 5078] <... read resumed> ) = ? [pid 5077] kill(5078, SIGKILL) = 0 syzkaller login: [ 63.900739][ T5078] ================================================================== [ 63.908863][ T5078] BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650 [ 63.916241][ T5078] Read of size 8 at addr ffff88801eb938f0 by task syz-executor234/5078 [ 63.924554][ T5078] [ 63.926862][ T5078] CPU: 0 PID: 5078 Comm: syz-executor234 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 63.936751][ T5078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 63.946867][ T5078] Call Trace: [ 63.950154][ T5078] [ 63.953083][ T5078] dump_stack_lvl+0xd1/0x138 [ 63.957677][ T5078] print_report+0x15e/0x45d [ 63.962175][ T5078] ? __phys_addr+0xc8/0x140 [ 63.966695][ T5078] ? __wake_up_common+0x637/0x650 [ 63.971711][ T5078] kasan_report+0xc0/0xf0 [ 63.976033][ T5078] ? __wake_up_common+0x637/0x650 [ 63.981050][ T5078] __wake_up_common+0x637/0x650 [ 63.985896][ T5078] __wake_up_common_lock+0xd4/0x140 [ 63.991196][ T5078] ? __wake_up_common+0x650/0x650 [ 63.996236][ T5078] ? _raw_spin_unlock_irqrestore+0x41/0x70 [ 64.002040][ T5078] ? snd_timer_notify+0x302/0x3d0 [ 64.007158][ T5078] snd_pcm_post_stop+0x91/0x1f0 [ 64.012023][ T5078] snd_pcm_action_single+0xf4/0x130 [ 64.017238][ T5078] snd_pcm_action+0x6e/0x90 [ 64.021741][ T5078] snd_pcm_drop+0x165/0x2b0 [ 64.026236][ T5078] snd_pcm_kernel_ioctl+0x243/0x2e0 [ 64.031439][ T5078] snd_pcm_oss_sync+0x230/0x810 [ 64.036310][ T5078] snd_pcm_oss_release+0x27a/0x300 [ 64.041426][ T5078] __fput+0x27c/0xa90 [ 64.045435][ T5078] ? snd_pcm_oss_sync+0x810/0x810 [pid 5077] openat(AT_FDCWD, "/sys/fs/fuse/connections", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 5077] fstat(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0 [pid 5077] getdents64(3, 0x5555556a9620 /* 2 entries */, 32768) = 48 [pid 5077] getdents64(3, 0x5555556a9620 /* 0 entries */, 32768) = 0 [pid 5077] close(3) = 0 [ 64.050482][ T5078] task_work_run+0x16f/0x270 [ 64.055175][ T5078] ? task_work_cancel+0x30/0x30 [ 64.060151][ T5078] ? do_raw_spin_unlock+0x175/0x230 [ 64.065347][ T5078] do_exit+0xb17/0x2a90 [ 64.069495][ T5078] ? find_held_lock+0x2d/0x110 [ 64.074253][ T5078] ? get_signal+0x8a0/0x24f0 [ 64.078830][ T5078] ? mm_update_next_owner+0x7b0/0x7b0 [ 64.084200][ T5078] do_group_exit+0xd4/0x2a0 [ 64.088697][ T5078] get_signal+0x225f/0x24f0 [ 64.093186][ T5078] ? __task_pid_nr_ns+0x16c/0x500 [ 64.098296][ T5078] ? exit_signals+0x910/0x910 [ 64.102975][ T5078] ? find_held_lock+0x2d/0x110 [ 64.107732][ T5078] arch_do_signal_or_restart+0x79/0x5c0 [ 64.113268][ T5078] ? get_sigframe_size+0x10/0x10 [ 64.118280][ T5078] ? lock_downgrade+0x6e0/0x6e0 [ 64.123130][ T5078] ? _raw_spin_unlock_irq+0x23/0x50 [ 64.128334][ T5078] exit_to_user_mode_prepare+0x11f/0x240 [ 64.133978][ T5078] syscall_exit_to_user_mode+0x1d/0x50 [ 64.139431][ T5078] do_syscall_64+0x46/0xb0 [ 64.143926][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 64.149810][ T5078] RIP: 0033:0x7f864105c209 [ 64.154209][ T5078] Code: Unable to access opcode bytes at 0x7f864105c1df. [ 64.161206][ T5078] RSP: 002b:00007fff6e56b898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 64.169603][ T5078] RAX: fffffffffffffe00 RBX: 0000000000000004 RCX: 00007f864105c209 [ 64.177559][ T5078] RDX: 0000000000002020 RSI: 00000000200021c0 RDI: 0000000000000006 [ 64.185518][ T5078] RBP: 0000000000000000 R08: 00007fff6e56ba38 R09: 00007fff6e56ba38 [ 64.193474][ T5078] R10: 000000000000000d R11: 0000000000000246 R12: 00007f864101f800 [ 64.201433][ T5078] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 64.209393][ T5078] [ 64.212395][ T5078] [ 64.214702][ T5078] Allocated by task 5078: [ 64.219011][ T5078] kasan_save_stack+0x22/0x40 [ 64.223680][ T5078] kasan_set_track+0x25/0x30 [ 64.228265][ T5078] __kasan_slab_alloc+0x7f/0x90 [ 64.233103][ T5078] kmem_cache_alloc_bulk+0x3aa/0x730 [ 64.238382][ T5078] __io_alloc_req_refill+0xcc/0x40b [ 64.243567][ T5078] io_submit_sqes.cold+0x7c/0xc2 [ 64.248491][ T5078] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 64.254028][ T5078] do_syscall_64+0x39/0xb0 [ 64.258428][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 64.264324][ T5078] [ 64.266644][ T5078] Freed by task 1002: [ 64.270610][ T5078] kasan_save_stack+0x22/0x40 [ 64.275281][ T5078] kasan_set_track+0x25/0x30 [ 64.279866][ T5078] kasan_save_free_info+0x2e/0x40 [ 64.284881][ T5078] ____kasan_slab_free+0x160/0x1c0 [ 64.289984][ T5078] slab_free_freelist_hook+0x8b/0x1c0 [ 64.295339][ T5078] kmem_cache_free+0xec/0x4e0 [ 64.300003][ T5078] io_req_caches_free+0x1a9/0x1e6 [ 64.305016][ T5078] io_ring_exit_work+0x2e7/0xc80 [ 64.309941][ T5078] process_one_work+0x9bf/0x1750 [ 64.314865][ T5078] worker_thread+0x669/0x1090 [ 64.319532][ T5078] kthread+0x2e8/0x3a0 [ 64.323594][ T5078] ret_from_fork+0x1f/0x30 [ 64.328001][ T5078] [ 64.330308][ T5078] The buggy address belongs to the object at ffff88801eb938c0 [ 64.330308][ T5078] which belongs to the cache io_kiocb of size 216 [ 64.344083][ T5078] The buggy address is located 48 bytes inside of [ 64.344083][ T5078] 216-byte region [ffff88801eb938c0, ffff88801eb93998) [ 64.357254][ T5078] [ 64.359559][ T5078] The buggy address belongs to the physical page: [ 64.365952][ T5078] page:ffffea00007ae4c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eb93 [ 64.376087][ T5078] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 64.383619][ T5078] raw: 00fff00000000200 ffff88801bc32dc0 dead000000000122 0000000000000000 [ 64.392189][ T5078] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 64.400753][ T5078] page dumped because: kasan: bad access detected [ 64.407143][ T5078] page_owner tracks the page as allocated [ 64.412837][ T5078] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5078, tgid 5078 (syz-executor234), ts 58909389529, free_ts 58908987546 [ 64.431493][ T5078] get_page_from_freelist+0x11bb/0x2d50 [ 64.437050][ T5078] __alloc_pages+0x1cb/0x5c0 [ 64.441626][ T5078] alloc_pages+0x1aa/0x270 [ 64.446028][ T5078] allocate_slab+0x25f/0x350 [ 64.450609][ T5078] ___slab_alloc+0xa91/0x1400 [ 64.455272][ T5078] kmem_cache_alloc_bulk+0x23d/0x730 [ 64.460542][ T5078] __io_alloc_req_refill+0xcc/0x40b [ 64.465749][ T5078] io_submit_sqes.cold+0x7c/0xc2 [ 64.470681][ T5078] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 64.476219][ T5078] do_syscall_64+0x39/0xb0 [ 64.480630][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 64.486620][ T5078] page last free stack trace: [ 64.491279][ T5078] free_pcp_prepare+0x4d0/0x910 [ 64.496122][ T5078] free_unref_page+0x1d/0x490 [ 64.500960][ T5078] skb_free_head+0x96/0x110 [ 64.505452][ T5078] skb_release_data+0x5f4/0x870 [ 64.510292][ T5078] __kfree_skb+0x4f/0x70 [ 64.514522][ T5078] tcp_rcv_established+0x15fd/0x2270 [ 64.519800][ T5078] tcp_v4_do_rcv+0x663/0x9d0 [ 64.524378][ T5078] tcp_v4_rcv+0x2eab/0x3280 [ 64.528870][ T5078] ip_protocol_deliver_rcu+0x9f/0x480 [ 64.534247][ T5078] ip_local_deliver_finish+0x2ec/0x4f0 [ 64.539695][ T5078] ip_local_deliver+0x1ae/0x200 [ 64.544539][ T5078] ip_sublist_rcv_finish+0x9a/0x2c0 [ 64.549726][ T5078] ip_list_rcv_finish.constprop.0+0x4f9/0x6c0 [ 64.555784][ T5078] ip_list_rcv+0x347/0x4a0 [ 64.560196][ T5078] __netif_receive_skb_list_core+0x548/0x8f0 [ 64.566165][ T5078] netif_receive_skb_list_internal+0x75f/0xdc0 [ 64.572305][ T5078] [ 64.574609][ T5078] Memory state around the buggy address: [ 64.580259][ T5078] ffff88801eb93780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.588301][ T5078] ffff88801eb93800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 64.596359][ T5078] >ffff88801eb93880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 64.604750][ T5078] ^ [ 64.612446][ T5078] ffff88801eb93900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.620494][ T5078] ffff88801eb93980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.628535][ T5078] ================================================================== [ 64.636574][ T5078] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 64.643752][ T5078] CPU: 0 PID: 5078 Comm: syz-executor234 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 64.653624][ T5078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 64.663661][ T5078] Call Trace: [ 64.666925][ T5078] [ 64.669843][ T5078] dump_stack_lvl+0xd1/0x138 [ 64.674421][ T5078] panic+0x2cc/0x626 [ 64.678309][ T5078] ? panic_print_sys_info.part.0+0x112/0x112 [ 64.684311][ T5078] ? lock_downgrade+0x6e0/0x6e0 [ 64.689148][ T5078] ? dump_page.cold+0x21d/0x255 [ 64.693990][ T5078] check_panic_on_warn.cold+0x19/0x35 [ 64.699360][ T5078] end_report.part.0+0x36/0x73 [ 64.704112][ T5078] ? __wake_up_common+0x637/0x650 [ 64.709126][ T5078] kasan_report.cold+0xa/0xf [ 64.713703][ T5078] ? __wake_up_common+0x637/0x650 [ 64.718716][ T5078] __wake_up_common+0x637/0x650 [ 64.723553][ T5078] __wake_up_common_lock+0xd4/0x140 [ 64.728739][ T5078] ? __wake_up_common+0x650/0x650 [ 64.733751][ T5078] ? _raw_spin_unlock_irqrestore+0x41/0x70 [ 64.739551][ T5078] ? snd_timer_notify+0x302/0x3d0 [ 64.744567][ T5078] snd_pcm_post_stop+0x91/0x1f0 [ 64.749403][ T5078] snd_pcm_action_single+0xf4/0x130 [ 64.754594][ T5078] snd_pcm_action+0x6e/0x90 [ 64.759084][ T5078] snd_pcm_drop+0x165/0x2b0 [ 64.763580][ T5078] snd_pcm_kernel_ioctl+0x243/0x2e0 [ 64.768777][ T5078] snd_pcm_oss_sync+0x230/0x810 [ 64.773649][ T5078] snd_pcm_oss_release+0x27a/0x300 [ 64.778757][ T5078] __fput+0x27c/0xa90 [ 64.782729][ T5078] ? snd_pcm_oss_sync+0x810/0x810 [ 64.787745][ T5078] task_work_run+0x16f/0x270 [ 64.792327][ T5078] ? task_work_cancel+0x30/0x30 [ 64.797170][ T5078] ? do_raw_spin_unlock+0x175/0x230 [ 64.802363][ T5078] do_exit+0xb17/0x2a90 [ 64.806512][ T5078] ? find_held_lock+0x2d/0x110 [ 64.811270][ T5078] ? get_signal+0x8a0/0x24f0 [ 64.815846][ T5078] ? mm_update_next_owner+0x7b0/0x7b0 [ 64.821217][ T5078] do_group_exit+0xd4/0x2a0 [ 64.825712][ T5078] get_signal+0x225f/0x24f0 [ 64.830204][ T5078] ? __task_pid_nr_ns+0x16c/0x500 [ 64.835221][ T5078] ? exit_signals+0x910/0x910 [ 64.839882][ T5078] ? find_held_lock+0x2d/0x110 [ 64.844638][ T5078] arch_do_signal_or_restart+0x79/0x5c0 [ 64.850175][ T5078] ? get_sigframe_size+0x10/0x10 [ 64.855104][ T5078] ? lock_downgrade+0x6e0/0x6e0 [ 64.859940][ T5078] ? _raw_spin_unlock_irq+0x23/0x50 [ 64.865134][ T5078] exit_to_user_mode_prepare+0x11f/0x240 [ 64.870755][ T5078] syscall_exit_to_user_mode+0x1d/0x50 [ 64.876207][ T5078] do_syscall_64+0x46/0xb0 [ 64.880612][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 64.886498][ T5078] RIP: 0033:0x7f864105c209 [ 64.890899][ T5078] Code: Unable to access opcode bytes at 0x7f864105c1df. [ 64.897896][ T5078] RSP: 002b:00007fff6e56b898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 64.906291][ T5078] RAX: fffffffffffffe00 RBX: 0000000000000004 RCX: 00007f864105c209 [ 64.914247][ T5078] RDX: 0000000000002020 RSI: 00000000200021c0 RDI: 0000000000000006 [ 64.922208][ T5078] RBP: 0000000000000000 R08: 00007fff6e56ba38 R09: 00007fff6e56ba38 [ 64.930161][ T5078] R10: 000000000000000d R11: 0000000000000246 R12: 00007f864101f800 [ 64.938125][ T5078] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 64.946083][ T5078] [ 64.949255][ T5078] Kernel Offset: disabled [ 64.953570][ T5078] Rebooting in 86400 seconds..