./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor538775728 <...> Warning: Permanently added '10.128.0.142' (ECDSA) to the list of known hosts. execve("./syz-executor538775728", ["./syz-executor538775728"], 0x7ffe7f362e30 /* 10 vars */) = 0 brk(NULL) = 0x555556212000 brk(0x555556212c40) = 0x555556212c40 arch_prctl(ARCH_SET_FS, 0x555556212300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555562125d0) = 3600 set_robust_list(0x5555562125e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f51f127cf30, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f51f127d600}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f51f127cfd0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f51f127d600}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor538775728", 4096) = 27 brk(0x555556233c40) = 0x555556233c40 brk(0x555556234000) = 0x555556234000 mprotect(0x7f51f133e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3601 attached , child_tidptr=0x5555562125d0) = 3601 [pid 3601] set_robust_list(0x5555562125e0, 24) = 0 [pid 3601] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 3601] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 3601] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 3601] dup2(4, 202) = 202 [pid 3601] close(4) = 0 [pid 3601] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 3601] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f51f0a6c000 [pid 3601] mprotect(0x7f51f0a6d000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 3601] clone(child_stack=0x7f51f126c3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2], tls=0x7f51f126c700, child_tidptr=0x7f51f126c9d0) = 2 [pid 3601] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 3605 attached [pid 3605] set_robust_list(0x7f51f126c9e0, 24) = 0 [pid 3605] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 3605] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 3605] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 syzkaller login: [ 51.610461][ T3603] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 51.619467][ T3603] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 51.628562][ T3603] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 51.638786][ T3603] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 51.647895][ T3603] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [pid 3605] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3605] read(202, [pid 3601] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 3601] ioctl(3, HCISETSCAN [pid 3605] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 3605] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 3605] madvise(0x7f51f0a6c000, 8372224, MADV_DONTNEED [pid 3601] <... ioctl resumed>, 0x7ffd255089f8) = 0 [pid 3601] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 [pid 3605] <... madvise resumed>) = 0 [pid 3605] exit(0) = ? [pid 3605] +++ exited with 0 +++ [pid 3601] <... writev resumed>) = 13 [pid 3601] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14 [pid 3601] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [pid 3601] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 3601] close(3) = 0 [pid 3601] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3601] setsid() = 1 [pid 3601] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 3601] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 3601] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 3601] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 3601] prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0 [pid 3601] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 3601] unshare(CLONE_NEWNS) = 0 [pid 3601] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 3601] unshare(CLONE_NEWIPC) = 0 [pid 3601] unshare(CLONE_NEWCGROUP) = 0 [pid 3601] unshare(CLONE_NEWUTS) = 0 [pid 3601] unshare(CLONE_SYSVSEM) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "16777216", 8) = 8 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "536870912", 9) = 9 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "1024", 4) = 4 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "8192", 4) = 4 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "1024", 4) = 4 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "1024", 4) = 4 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "1024 1048576 500 1024", 21) = 21 [pid 3601] close(3) = 0 [pid 3601] getpid() = 1 [pid 3601] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< 2 [pid 3601] unshare(CLONE_NEWNET) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "0 65535", 7) = 7 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK) = 3 [pid 3601] dup2(3, 200) = 200 [pid 3601] close(3) = 0 [pid 3601] ioctl(200, TUNSETIFF, 0x7ffd25508a30) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/accept_dad", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "0", 1) = 1 [pid 3601] close(3) = 0 [pid 3601] openat(AT_FDCWD, "/proc/sys/net/ipv6/conf/syz_tun/router_solicitations", O_WRONLY|O_CLOEXEC) = 3 [pid 3601] write(3, "0", 1) = 1 [pid 3601] close(3) = 0 [pid 3601] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 [pid 3601] access("/proc/net", R_OK) = 0 [pid 3601] access("/proc/net/unix", R_OK) = 0 [pid 3601] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 3601] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 3601] close(4) = 0 [pid 3601] sendto(3, [{nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x18\x00\x00\x0b\x00\x00\x00\x08\x00\x02\x00\xac\x14\x14\xaa\x08\x00\x01\x00\xac\x14\x14\xaa"], 40, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 40 [pid 3601] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=40, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 3601] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 3601] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 3601] close(4) = 0 [pid 3601] sendto(3, [{nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x78\x00\x00\x0b\x00\x00\x00\x14\x00\x02\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa"], 64, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 64 [pid 3601] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=64, nlmsg_type=0x14 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x500, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 3601] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 3601] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 3601] close(4) = 0 [pid 3601] sendto(3, [{nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x02\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x08\x00\x01\x00\xac\x14\x14\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 48, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 48 [pid 3601] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=48, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 3601] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 3601] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 3601] close(4) = 0 [pid 3601] sendto(3, [{nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}, "\x0a\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x14\x00\x01\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbb\x0a\x00\x02\x00\xbb\xaa\xaa\xaa\xaa\xaa\x00\x00"], 60, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 60 [pid 3601] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=60, nlmsg_type=0x1c /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|0x600, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 3601] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 [pid 3601] ioctl(4, SIOCGIFINDEX, {ifr_name="syz_tun", ifr_ifindex=11}) = 0 [pid 3601] close(4) = 0 [pid 3601] sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0a\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 [pid 3601] recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=1}, {error=0, msg={nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 3601] close(3) = 0 [pid 3601] mkdir("/dev/binderfs", 0777) = 0 [pid 3601] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0 [pid 3601] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3601] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 3 [pid 3601] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 16777216 [pid 3601] mmap(0x20000000, 11755520, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, 3, 0) = 0x20000000 [pid 3601] io_uring_setup(29124, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|0x1000, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 3601] io_uring_register(4, 0x16 /* IORING_REGISTER_??? */, 0x20000140, 1) = -1 EOPNOTSUPP (Operation not supported) [pid 3601] close(3) = 0 [pid 3601] close(4) = 0 [pid 3601] close(5) = -1 EBADF (Bad file descriptor) [pid 3601] close(6) = -1 EBADF (Bad file descriptor) [pid 3601] close(7) = -1 EBADF (Bad file descriptor) [pid 3601] close(8) = -1 EBADF (Bad file descriptor) [pid 3601] close(9) = -1 EBADF (Bad file descriptor) [pid 3601] close(10) = -1 EBADF (Bad file descriptor) [pid 3601] close(11) = -1 EBADF (Bad file descriptor) [pid 3601] close(12) = -1 EBADF (Bad file descriptor) [pid 3601] close(13) = -1 EBADF (Bad file descriptor) [pid 3601] close(14) = -1 EBADF (Bad file descriptor) [pid 3601] close(15) = -1 EBADF (Bad file descriptor) [pid 3601] close(16) = -1 EBADF (Bad file descriptor) [pid 3601] close(17) = -1 EBADF (Bad file descriptor) [pid 3601] close(18) = -1 EBADF (Bad file descriptor) [pid 3601] close(19) = -1 EBADF (Bad file descriptor) [pid 3601] close(20) = -1 EBADF (Bad file descriptor) [pid 3601] close(21) = -1 EBADF (Bad file descriptor) [pid 3601] close(22) = -1 EBADF (Bad file descriptor) [pid 3601] close(23) = -1 EBADF (Bad file descriptor) [pid 3601] close(24) = -1 EBADF (Bad file descriptor) [pid 3601] close(25) = -1 EBADF (Bad file descriptor) [pid 3601] close(26) = -1 EBADF (Bad file descriptor) [pid 3601] close(27) = -1 EBADF (Bad file descriptor) [pid 3601] close(28) = -1 EBADF (Bad file descriptor) [pid 3601] close(29) = -1 EBADF (Bad file descriptor) [pid 3601] exit_group(1) = ? [ 52.043970][ T8] ================================================================== [ 52.052073][ T8] BUG: KASAN: use-after-free in __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.060323][ T8] Read of size 2 at addr ffff8880269a8012 by task kworker/u4:0/8 [ 52.068026][ T8] [ 52.070336][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 [ 52.079779][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 52.089823][ T8] Workqueue: events_unbound io_ring_exit_work [ 52.095905][ T8] Call Trace: [ 52.099173][ T8] [ 52.102095][ T8] dump_stack_lvl+0xcd/0x134 [ 52.106690][ T8] print_report.cold+0x2ba/0x719 [ 52.111634][ T8] ? __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.117529][ T8] kasan_report+0xbe/0x1f0 [ 52.121953][ T8] ? __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.127844][ T8] __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.133561][ T8] ? __mutex_unlock_slowpath+0x157/0x5e0 [ 52.139191][ T8] io_destroy_buffers+0x9a/0x3b0 [ 52.144126][ T8] ? _raw_spin_unlock+0x24/0x40 [ 52.148975][ T8] ? io_buffer_select+0xba0/0xba0 [ 52.153998][ T8] io_ring_exit_work+0x784/0xc7c [ 52.158941][ T8] ? io_uring_try_cancel_requests+0x759/0x759 [ 52.165008][ T8] ? io_iopoll_try_reap_events+0x158/0x158 [ 52.170820][ T8] process_one_work+0x991/0x1610 [ 52.175768][ T8] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 52.181140][ T8] ? rwlock_bug.part.0+0x90/0x90 [ 52.186074][ T8] ? _raw_spin_lock_irq+0x41/0x50 [ 52.191116][ T8] worker_thread+0x665/0x1080 [ 52.195813][ T8] ? process_one_work+0x1610/0x1610 [ 52.201005][ T8] kthread+0x2e9/0x3a0 [ 52.205072][ T8] ? kthread_complete_and_exit+0x40/0x40 [ 52.210698][ T8] ret_from_fork+0x1f/0x30 [ 52.215118][ T8] [ 52.218127][ T8] [ 52.220441][ T8] Allocated by task 3601: [ 52.224754][ T8] kasan_save_stack+0x1e/0x40 [ 52.229424][ T8] __kasan_kmalloc+0xa9/0xd0 [ 52.234001][ T8] io_init_bl_list+0x4c/0x139 [ 52.238676][ T8] io_register_pbuf_ring.cold+0x11/0x84 [ 52.244224][ T8] __do_sys_io_uring_register+0x6b2/0x1030 [ 52.250028][ T8] do_syscall_64+0x35/0xb0 [ 52.254437][ T8] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.260321][ T8] [ 52.262643][ T8] Freed by task 3601: [ 52.266616][ T8] kasan_save_stack+0x1e/0x40 [ 52.271283][ T8] kasan_set_track+0x21/0x30 [ 52.275864][ T8] kasan_set_free_info+0x20/0x30 [ 52.280802][ T8] ____kasan_slab_free+0x166/0x1c0 [ 52.285901][ T8] slab_free_freelist_hook+0x8b/0x1c0 [ 52.291271][ T8] kfree+0xe2/0x4d0 [ 52.295077][ T8] io_register_pbuf_ring+0x4e9/0x5d0 [ 52.300365][ T8] __do_sys_io_uring_register+0x6b2/0x1030 [ 52.306181][ T8] do_syscall_64+0x35/0xb0 [ 52.310605][ T8] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.316504][ T8] [ 52.318817][ T8] Last potentially related work creation: [ 52.324527][ T8] kasan_save_stack+0x1e/0x40 [ 52.329207][ T8] __kasan_record_aux_stack+0xbe/0xd0 [ 52.334582][ T8] call_rcu+0x99/0x790 [ 52.338653][ T8] netlink_release+0xf08/0x1db0 [ 52.343508][ T8] __sock_release+0xcd/0x280 [ 52.348096][ T8] sock_close+0x18/0x20 [ 52.352246][ T8] __fput+0x277/0x9d0 [ 52.356222][ T8] task_work_run+0xdd/0x1a0 [ 52.360722][ T8] exit_to_user_mode_prepare+0x23c/0x250 [ 52.366368][ T8] syscall_exit_to_user_mode+0x19/0x50 [ 52.371824][ T8] do_syscall_64+0x42/0xb0 [ 52.376233][ T8] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.382116][ T8] [ 52.384424][ T8] The buggy address belongs to the object at ffff8880269a8000 [ 52.384424][ T8] which belongs to the cache kmalloc-2k of size 2048 [ 52.398464][ T8] The buggy address is located 18 bytes inside of [ 52.398464][ T8] 2048-byte region [ffff8880269a8000, ffff8880269a8800) [ 52.411730][ T8] [ 52.414041][ T8] The buggy address belongs to the physical page: [ 52.420434][ T8] page:ffffea00009a6a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x269a8 [ 52.430572][ T8] head:ffffea00009a6a00 order:3 compound_mapcount:0 compound_pincount:0 [ 52.438882][ T8] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 52.446855][ T8] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011842000 [ 52.455432][ T8] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 52.463998][ T8] page dumped because: kasan: bad access detected [ 52.470394][ T8] page_owner tracks the page as allocated [ 52.476092][ T8] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 10266954305, free_ts 0 [ 52.495791][ T8] get_page_from_freelist+0x210d/0x3a30 [ 52.501345][ T8] __alloc_pages+0x1c7/0x510 [ 52.505932][ T8] alloc_page_interleave+0x1e/0x200 [ 52.511124][ T8] alloc_pages+0x2b1/0x310 [ 52.515529][ T8] allocate_slab+0x27e/0x3d0 [ 52.520115][ T8] ___slab_alloc+0x89d/0xef0 [ 52.524701][ T8] __slab_alloc.constprop.0+0x4d/0xa0 [ 52.530076][ T8] __kmalloc_node_track_caller+0x360/0x480 [ 52.535883][ T8] __alloc_skb+0xd9/0x340 [ 52.540207][ T8] rtmsg_ifinfo_build_skb+0x72/0x1a0 [ 52.545485][ T8] rtmsg_ifinfo+0x83/0x120 [ 52.549894][ T8] register_netdevice+0x128d/0x15e0 [ 52.555083][ T8] register_netdev+0x2d/0x50 [ 52.559665][ T8] rose_proto_init+0x317/0x66a [ 52.564418][ T8] do_one_initcall+0xfe/0x650 [ 52.569090][ T8] kernel_init_freeable+0x6b1/0x73a [ 52.574283][ T8] page_owner free stack trace missing [ 52.579631][ T8] [ 52.581943][ T8] Memory state around the buggy address: [ 52.587557][ T8] ffff8880269a7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.596037][ T8] ffff8880269a7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.605645][ T8] >ffff8880269a8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.613698][ T8] ^ [ 52.618277][ T8] ffff8880269a8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.626336][ T8] ffff8880269a8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.634387][ T8] ================================================================== [ 52.650095][ T8] Kernel panic - not syncing: panic_on_warn set ... [ 52.656712][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 [ 52.666151][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 52.676195][ T8] Workqueue: events_unbound io_ring_exit_work [ 52.682262][ T8] Call Trace: [ 52.685526][ T8] [ 52.688443][ T8] dump_stack_lvl+0xcd/0x134 [ 52.693029][ T8] panic+0x2d7/0x636 [ 52.696932][ T8] ? panic_print_sys_info.part.0+0x10b/0x10b [ 52.702904][ T8] ? preempt_schedule_common+0x59/0xc0 [ 52.708354][ T8] ? preempt_schedule_thunk+0x16/0x18 [ 52.713739][ T8] ? __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.719631][ T8] end_report.part.0+0x3f/0x7c [ 52.724413][ T8] kasan_report.cold+0x8/0x12 [ 52.729129][ T8] ? __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.735018][ T8] __io_remove_buffers.part.0+0x3c6/0x4f0 [ 52.740739][ T8] ? __mutex_unlock_slowpath+0x157/0x5e0 [ 52.746366][ T8] io_destroy_buffers+0x9a/0x3b0 [ 52.751296][ T8] ? _raw_spin_unlock+0x24/0x40 [ 52.756140][ T8] ? io_buffer_select+0xba0/0xba0 [ 52.761151][ T8] io_ring_exit_work+0x784/0xc7c [ 52.766080][ T8] ? io_uring_try_cancel_requests+0x759/0x759 [ 52.772143][ T8] ? io_iopoll_try_reap_events+0x158/0x158 [ 52.777944][ T8] process_one_work+0x991/0x1610 [ 52.782870][ T8] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 52.788226][ T8] ? rwlock_bug.part.0+0x90/0x90 [ 52.793169][ T8] ? _raw_spin_lock_irq+0x41/0x50 [ 52.798183][ T8] worker_thread+0x665/0x1080 [ 52.802851][ T8] ? process_one_work+0x1610/0x1610 [ 52.808043][ T8] kthread+0x2e9/0x3a0 [ 52.812106][ T8] ? kthread_complete_and_exit+0x40/0x40 [ 52.817726][ T8] ret_from_fork+0x1f/0x30 [ 52.822135][ T8] [ 52.825388][ T8] Kernel Offset: disabled [ 52.829706][ T8] Rebooting in 86400 seconds..