./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4181869629 <...> DUID 00:04:06:88:74:a7:04:75:62:cb:55:93:34:09:94:90:e1:fe forked to background, child pid 4652 [ 34.916272][ T4653] 8021q: adding VLAN 0 to HW filter on device bond0 [ 34.937730][ T4653] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts. execve("./syz-executor4181869629", ["./syz-executor4181869629"], 0x7ffe2ddb22c0 /* 10 vars */) = 0 brk(NULL) = 0x5555558f7000 brk(0x5555558f7c40) = 0x5555558f7c40 arch_prctl(ARCH_SET_FS, 0x5555558f7300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor4181869629", 4096) = 28 brk(0x555555918c40) = 0x555555918c40 brk(0x555555919000) = 0x555555919000 mprotect(0x7fc47bdc2000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5077 attached , child_tidptr=0x5555558f75d0) = 5077 [pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5077] setpgid(0, 0) = 0 [pid 5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1000", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] openat(AT_FDCWD, "/dev/snd/midiC2D0", O_WRONLY|O_NOCTTY|O_SYNC|O_NOATIME) = 3 [pid 5077] dup(3) = 4 [pid 5077] io_uring_setup(1496, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=2048, cq_entries=4096, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=65856}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 5 [pid 5077] mmap(0x20ee8000, 74048, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 5, 0) = 0x20ee8000 [pid 5077] mmap(0x20ffe000, 131072, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 5, 0x10000000) = 0x20ffe000 [pid 5077] io_uring_enter(5, 17678, 0, 0, NULL, 0) = 1 [pid 5077] write(4, "\x30\x80\xee\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x6d\x69\x64\x69\x43\x23\x44\x23\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966572) = 8192 [pid 5077] exit_group(0) = ? syzkaller login: [ 59.183306][ T5077] ================================================================== [ 59.191400][ T5077] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119 [ 59.198525][ T5077] Read of size 8 at addr ffff88801d25b948 by task syz-executor418/5077 [ 59.206754][ T5077] [ 59.209069][ T5077] CPU: 0 PID: 5077 Comm: syz-executor418 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 59.218954][ T5077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 59.229001][ T5077] Call Trace: [ 59.232270][ T5077] [ 59.235197][ T5077] dump_stack_lvl+0xd1/0x138 [ 59.239794][ T5077] print_report+0x15e/0x45d [ 59.244290][ T5077] ? __phys_addr+0xc8/0x140 [ 59.248797][ T5077] ? io_fallback_tw+0x6d/0x119 [ 59.253555][ T5077] kasan_report+0xc0/0xf0 [ 59.257880][ T5077] ? io_fallback_tw+0x6d/0x119 [ 59.262638][ T5077] io_fallback_tw+0x6d/0x119 [ 59.267218][ T5077] tctx_task_work.cold+0xf/0x2c [ 59.272083][ T5077] ? handle_tw_list+0x460/0x460 [ 59.276925][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 59.281764][ T5077] ? do_raw_spin_lock+0x124/0x2b0 [ 59.286776][ T5077] ? rwlock_bug.part.0+0x90/0x90 [ 59.291704][ T5077] ? _raw_spin_unlock_irq+0x23/0x50 [ 59.296900][ T5077] task_work_run+0x16f/0x270 [ 59.301485][ T5077] ? task_work_cancel+0x30/0x30 [ 59.306337][ T5077] ? do_raw_spin_unlock+0x175/0x230 [ 59.311532][ T5077] do_exit+0xb17/0x2a90 [ 59.315680][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 59.320538][ T5077] ? do_raw_spin_lock+0x124/0x2b0 [ 59.325562][ T5077] ? mm_update_next_owner+0x7b0/0x7b0 [ 59.330973][ T5077] ? rwlock_bug.part.0+0x90/0x90 [ 59.335917][ T5077] ? _raw_spin_unlock_irq+0x23/0x50 [ 59.341117][ T5077] do_group_exit+0xd4/0x2a0 [ 59.345619][ T5077] __x64_sys_exit_group+0x3e/0x50 [ 59.350633][ T5077] do_syscall_64+0x39/0xb0 [ 59.355039][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.360924][ T5077] RIP: 0033:0x7fc47bd541c9 [ 59.365323][ T5077] Code: Unable to access opcode bytes at 0x7fc47bd5419f. [ 59.372319][ T5077] RSP: 002b:00007fff5b17e7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 59.380715][ T5077] RAX: ffffffffffffffda RBX: 00007fc47bdc8350 RCX: 00007fc47bd541c9 [ 59.388672][ T5077] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 59.396625][ T5077] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000 [ 59.404579][ T5077] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc47bdc8350 [ 59.412553][ T5077] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 59.420511][ T5077] [ 59.423513][ T5077] [ 59.425820][ T5077] Allocated by task 5077: [ 59.430134][ T5077] kasan_save_stack+0x22/0x40 [ 59.434806][ T5077] kasan_set_track+0x25/0x30 [ 59.439384][ T5077] __kasan_slab_alloc+0x7f/0x90 [ 59.444246][ T5077] kmem_cache_alloc_bulk+0x3aa/0x730 [ 59.449527][ T5077] __io_alloc_req_refill+0xcc/0x40b [ 59.454723][ T5077] io_submit_sqes.cold+0x7c/0xc2 [ 59.459650][ T5077] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 59.465189][ T5077] do_syscall_64+0x39/0xb0 [ 59.469596][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.475479][ T5077] [ 59.477787][ T5077] Freed by task 1068: [ 59.481755][ T5077] kasan_save_stack+0x22/0x40 [ 59.486417][ T5077] kasan_set_track+0x25/0x30 [ 59.490997][ T5077] kasan_save_free_info+0x2e/0x40 [ 59.496019][ T5077] ____kasan_slab_free+0x160/0x1c0 [ 59.501121][ T5077] slab_free_freelist_hook+0x8b/0x1c0 [ 59.506479][ T5077] kmem_cache_free+0xec/0x4e0 [ 59.511143][ T5077] io_req_caches_free+0x1a9/0x1e6 [ 59.516159][ T5077] io_ring_exit_work+0x2e7/0xc80 [ 59.521085][ T5077] process_one_work+0x9bf/0x1750 [ 59.526015][ T5077] worker_thread+0x669/0x1090 [ 59.530680][ T5077] kthread+0x2e8/0x3a0 [ 59.534735][ T5077] ret_from_fork+0x1f/0x30 [ 59.539141][ T5077] [ 59.541451][ T5077] The buggy address belongs to the object at ffff88801d25b8c0 [ 59.541451][ T5077] which belongs to the cache io_kiocb of size 216 [ 59.555242][ T5077] The buggy address is located 136 bytes inside of [ 59.555242][ T5077] 216-byte region [ffff88801d25b8c0, ffff88801d25b998) [ 59.568500][ T5077] [ 59.570807][ T5077] The buggy address belongs to the physical page: [ 59.577198][ T5077] page:ffffea00007496c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d25b [ 59.587342][ T5077] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 59.594873][ T5077] raw: 00fff00000000200 ffff88801bfcd140 dead000000000122 0000000000000000 [ 59.603440][ T5077] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 59.612001][ T5077] page dumped because: kasan: bad access detected [ 59.618389][ T5077] page_owner tracks the page as allocated [ 59.624084][ T5077] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5077, tgid 5077 (syz-executor418), ts 59177829676, free_ts 53028811592 [ 59.642646][ T5077] get_page_from_freelist+0x11bb/0x2d50 [ 59.648188][ T5077] __alloc_pages+0x1cb/0x5c0 [ 59.652772][ T5077] alloc_pages+0x1aa/0x270 [ 59.657172][ T5077] allocate_slab+0x25f/0x350 [ 59.661751][ T5077] ___slab_alloc+0xa91/0x1400 [ 59.666411][ T5077] kmem_cache_alloc_bulk+0x23d/0x730 [ 59.671679][ T5077] __io_alloc_req_refill+0xcc/0x40b [ 59.676864][ T5077] io_submit_sqes.cold+0x7c/0xc2 [ 59.681787][ T5077] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 59.687319][ T5077] do_syscall_64+0x39/0xb0 [ 59.691722][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.697604][ T5077] page last free stack trace: [ 59.702254][ T5077] free_pcp_prepare+0x4d0/0x910 [ 59.707093][ T5077] free_unref_page+0x1d/0x490 [ 59.711755][ T5077] __folio_put+0xc5/0x140 [ 59.716072][ T5077] anon_pipe_buf_release+0x3fb/0x4c0 [ 59.721346][ T5077] pipe_read+0x614/0x1110 [ 59.725660][ T5077] vfs_read+0x7fa/0x930 [ 59.729802][ T5077] ksys_read+0x1ec/0x250 [ 59.734028][ T5077] do_syscall_64+0x39/0xb0 [ 59.738430][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.744316][ T5077] [ 59.746621][ T5077] Memory state around the buggy address: [ 59.752231][ T5077] ffff88801d25b800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 59.760272][ T5077] ffff88801d25b880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 59.768313][ T5077] >ffff88801d25b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.776356][ T5077] ^ [ 59.782745][ T5077] ffff88801d25b980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.790792][ T5077] ffff88801d25ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.798831][ T5077] ================================================================== [ 59.807792][ T5077] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.815014][ T5077] CPU: 1 PID: 5077 Comm: syz-executor418 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 59.824924][ T5077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 59.834993][ T5077] Call Trace: [ 59.838462][ T5077] [ 59.841381][ T5077] dump_stack_lvl+0xd1/0x138 [ 59.845964][ T5077] panic+0x2cc/0x626 [ 59.849859][ T5077] ? panic_print_sys_info.part.0+0x112/0x112 [ 59.855929][ T5077] ? preempt_schedule_thunk+0x1a/0x20 [ 59.861300][ T5077] ? preempt_schedule_common+0x59/0xc0 [ 59.866770][ T5077] check_panic_on_warn.cold+0x19/0x35 [ 59.872171][ T5077] end_report.part.0+0x36/0x73 [ 59.876930][ T5077] ? io_fallback_tw+0x6d/0x119 [ 59.881684][ T5077] kasan_report.cold+0xa/0xf [ 59.886267][ T5077] ? io_fallback_tw+0x6d/0x119 [ 59.891037][ T5077] io_fallback_tw+0x6d/0x119 [ 59.895629][ T5077] tctx_task_work.cold+0xf/0x2c [ 59.900475][ T5077] ? handle_tw_list+0x460/0x460 [ 59.905319][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 59.910161][ T5077] ? do_raw_spin_lock+0x124/0x2b0 [ 59.915187][ T5077] ? rwlock_bug.part.0+0x90/0x90 [ 59.920143][ T5077] ? _raw_spin_unlock_irq+0x23/0x50 [ 59.925365][ T5077] task_work_run+0x16f/0x270 [ 59.929977][ T5077] ? task_work_cancel+0x30/0x30 [ 59.934850][ T5077] ? do_raw_spin_unlock+0x175/0x230 [ 59.940082][ T5077] do_exit+0xb17/0x2a90 [ 59.944260][ T5077] ? lock_downgrade+0x6e0/0x6e0 [ 59.949117][ T5077] ? do_raw_spin_lock+0x124/0x2b0 [ 59.954147][ T5077] ? mm_update_next_owner+0x7b0/0x7b0 [ 59.959535][ T5077] ? rwlock_bug.part.0+0x90/0x90 [ 59.964480][ T5077] ? _raw_spin_unlock_irq+0x23/0x50 [ 59.969702][ T5077] do_group_exit+0xd4/0x2a0 [ 59.974225][ T5077] __x64_sys_exit_group+0x3e/0x50 [ 59.979252][ T5077] do_syscall_64+0x39/0xb0 [ 59.983677][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.989593][ T5077] RIP: 0033:0x7fc47bd541c9 [ 59.994006][ T5077] Code: Unable to access opcode bytes at 0x7fc47bd5419f. [ 60.001021][ T5077] RSP: 002b:00007fff5b17e7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 60.009441][ T5077] RAX: ffffffffffffffda RBX: 00007fc47bdc8350 RCX: 00007fc47bd541c9 [ 60.017414][ T5077] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 60.025384][ T5077] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000 [ 60.033357][ T5077] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc47bdc8350 [ 60.041327][ T5077] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 60.049304][ T5077] [ 60.052524][ T5077] Kernel Offset: disabled [ 60.056840][ T5077] Rebooting in 86400 seconds..