./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor696630442 <...> DUID 00:04:e3:a1:4c:5b:a4:47:39:93:9a:5d:f6:69:14:97:a9:57 forked to background, child pid 3187 [ 23.413490][ T3188] 8021q: adding VLAN 0 to HW filter on device bond0 [ 23.425094][ T3188] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts. execve("./syz-executor696630442", ["./syz-executor696630442"], 0x7ffc6a3f1290 /* 10 vars */) = 0 brk(NULL) = 0x555556a32000 brk(0x555556a32c40) = 0x555556a32c40 arch_prctl(ARCH_SET_FS, 0x555556a32300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor696630442", 4096) = 27 brk(0x555556a53c40) = 0x555556a53c40 brk(0x555556a54000) = 0x555556a54000 mprotect(0x7f28c754b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556a325d0) = 3609 ./strace-static-x86_64: Process 3609 attached [pid 3609] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3609] setpgid(0, 0) = 0 [pid 3609] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3609] write(3, "1000", 4) = 4 [pid 3609] close(3) = 0 [pid 3609] openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [pid 3609] ioctl(3, KVM_CREATE_VM, 0) = 4 [pid 3609] openat(AT_FDCWD, "/dev/bus/usb/007/001", O_RDONLY) = 5 [pid 3609] mmap(0x2000d000, 8192, PROT_GROWSDOWN, MAP_PRIVATE|MAP_FIXED|MAP_EXECUTABLE, 5, 0) = 0x2000d000 [pid 3609] ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=536879104, userspace_addr=0x20000000}) = 0 [pid 3609] ioctl(4, KVM_CREATE_VCPU, 0) = 6 [pid 3609] ioctl(6, KVM_RUN, 0) = 0 [pid 3609] ioctl(6, KVM_RUN, 0) = -1 EFAULT (Bad address) [pid 3609] exit_group(0) = ? syzkaller login: [ 40.875189][ T3609] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 40.929440][ T3609] page:ffffea0001f14600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffea0001eda200 pfn:0x7c518 [ 40.941092][ T3609] head:ffffea0001f14600 order:3 compound_mapcount:0 compound_pincount:0 [ 40.949455][ T3609] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 40.957513][ T3609] raw: 00fff00000010200 ffff888011842280 dead000080020002 0000000000000000 [ 40.966136][ T3609] raw: ffffea0001eda200 0000000000000005 00000001ffffffff 0000000000000000 [ 40.974839][ T3609] page dumped because: VM_BUG_ON_FOLIO(folio_test_slab(folio)) [ 40.982365][ T3609] page_owner tracks the page as allocated [ 40.988120][ T3609] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3204, tgid 3204 (dhcpcd-run-hook), ts 22552412281, free_ts 22546949829 [ 41.009024][ T3609] get_page_from_freelist+0x1092/0x2d20 [ 41.014650][ T3609] __alloc_pages+0x1c7/0x5a0 [ 41.019249][ T3609] alloc_pages+0x1a6/0x270 [ 41.023801][ T3609] allocate_slab+0x213/0x300 [ 41.028407][ T3609] ___slab_alloc+0xac1/0x1430 [ 41.033137][ T3609] __slab_alloc.constprop.0+0x4d/0xa0 [ 41.038596][ T3609] __kmem_cache_alloc_node+0x18a/0x3d0 [ 41.044147][ T3609] kmalloc_trace+0x22/0x60 [ 41.048668][ T3609] tomoyo_init_log+0xc86/0x1ed0 [ 41.053521][ T3609] tomoyo_supervisor+0x350/0xf10 [ 41.058503][ T3609] tomoyo_env_perm+0x17f/0x1f0 [ 41.063380][ T3609] tomoyo_find_next_domain+0x13ce/0x1f80 [ 41.069084][ T3609] tomoyo_bprm_check_security+0x121/0x1a0 [ 41.074852][ T3609] security_bprm_check+0x45/0xa0 [ 41.079794][ T3609] bprm_execve+0x732/0x19f0 [ 41.084366][ T3609] do_execveat_common+0x724/0x890 [ 41.089410][ T3609] page last free stack trace: [ 41.094119][ T3609] free_pcp_prepare+0x65c/0xd90 [ 41.098989][ T3609] free_unref_page+0x19/0x4d0 [ 41.103819][ T3609] __unfreeze_partials+0x17c/0x1a0 [ 41.108953][ T3609] qlist_free_all+0x6a/0x170 [ 41.113550][ T3609] kasan_quarantine_reduce+0x180/0x200 [ 41.119043][ T3609] __kasan_slab_alloc+0x62/0x80 [ 41.123945][ T3609] __kmem_cache_alloc_node+0x2d2/0x3d0 [ 41.129397][ T3609] __kmalloc+0x44/0xc0 [ 41.133459][ T3609] tomoyo_supervisor+0xcf8/0xf10 [ 41.138457][ T3609] tomoyo_path_permission+0x270/0x3a0 [ 41.143888][ T3609] tomoyo_check_open_permission+0x30f/0x380 [ 41.149808][ T3609] tomoyo_file_open+0x9d/0xc0 [ 41.154520][ T3609] security_file_open+0x45/0xb0 [ 41.159483][ T3609] do_dentry_open+0x575/0x13f0 [ 41.164552][ T3609] path_openat+0x1c92/0x28f0 [ 41.169170][ T3609] do_filp_open+0x1b6/0x400 [ 41.173836][ T3609] ------------[ cut here ]------------ [ 41.179295][ T3609] kernel BUG at include/linux/memcontrol.h:455! [ 41.186038][ T3609] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 41.192116][ T3609] CPU: 0 PID: 3609 Comm: syz-executor696 Not tainted 6.0.0-rc6-next-20220923-syzkaller #0 [ 41.202024][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 41.212078][ T3609] RIP: 0010:workingset_activation+0x4c8/0x580 [ 41.218175][ T3609] Code: 48 89 ef e8 da 00 00 00 c6 05 56 4b 18 0c 01 0f 0b e9 0e fd ff ff e8 97 8f c9 ff 48 c7 c6 c0 78 f8 89 48 89 ef e8 b8 00 00 00 <0f> 0b e8 81 8f c9 ff 0f 0b e9 10 fc ff ff e8 75 8f c9 ff 48 c7 c6 [ 41.237783][ T3609] RSP: 0018:ffffc90003bef4a0 EFLAGS: 00010293 [ 41.243852][ T3609] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 41.251825][ T3609] RDX: ffff888024669d40 RSI: ffffffff81b30478 RDI: ffffffff8de06710 [ 41.259799][ T3609] RBP: ffffea0001f14600 R08: 0000000000000000 R09: ffffffff8de06717 [ 41.267772][ T3609] R10: 0000000000000000 R11: 706c69665f6f6420 R12: 0000000000000000 [ 41.275773][ T3609] R13: ffff8880b9a34d08 R14: dffffc0000000000 R15: 0000000000000003 [ 41.283746][ T3609] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 41.292680][ T3609] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 41.299268][ T3609] CR2: 00007f28c75521f0 CR3: 0000000071d0a000 CR4: 00000000003526f0 [ 41.307244][ T3609] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 41.315214][ T3609] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 41.323184][ T3609] Call Trace: [ 41.326706][ T3609] [ 41.329637][ T3609] folio_mark_accessed+0x595/0x820 [ 41.334761][ T3609] kvm_set_pfn_accessed+0x23b/0x2a0 [ 41.339984][ T3609] handle_changed_spte_acc_track+0x1bc/0x290 [ 41.345980][ T3609] __handle_changed_spte+0xd30/0x1930 [ 41.351374][ T3609] ? tdp_mmu_init_child_sp+0x620/0x620 [ 41.356847][ T3609] ? lock_release+0x5cb/0x810 [ 41.361547][ T3609] ? psi_task_change+0x1bb/0x2f0 [ 41.366505][ T3609] ? rcu_read_lock_sched_held+0xd/0x70 [ 41.371998][ T3609] __handle_changed_spte+0xd21/0x1930 [ 41.377405][ T3609] ? tdp_mmu_init_child_sp+0x620/0x620 [ 41.382876][ T3609] ? lock_release+0x5cb/0x810 [ 41.387563][ T3609] ? rcu_read_lock_held+0x5/0x40 [ 41.392519][ T3609] ? kvm_mmu_reset_all_pte_masks+0x370/0x370 [ 41.398511][ T3609] __tdp_mmu_set_spte+0x229/0x9d0 [ 41.403549][ T3609] ? zap_collapsible_spte_range+0xa30/0xa30 [ 41.409453][ T3609] ? spte_to_child_pt+0xa0/0xa0 [ 41.414324][ T3609] __tdp_mmu_zap_root+0x7e7/0x860 [ 41.419361][ T3609] ? clear_dirty_pt_masked+0x510/0x510 [ 41.424829][ T3609] ? lock_acquire+0x4fc/0x630 [ 41.429526][ T3609] ? lock_release+0x810/0x810 [ 41.434215][ T3609] ? tdp_mmu_zap_root_work+0x70/0x70 [ 41.439511][ T3609] ? lock_release+0x810/0x810 [ 41.444198][ T3609] ? lock_acquire+0x4fc/0x630 [ 41.448879][ T3609] tdp_mmu_zap_root+0x12e/0x330 [ 41.453746][ T3609] kvm_tdp_mmu_zap_all+0x154/0x1b0 [ 41.458879][ T3609] ? kvm_mmu_notifier_invalidate_range+0xd0/0xd0 [ 41.465240][ T3609] kvm_mmu_zap_all+0x27c/0x2c0 [ 41.470015][ T3609] ? kvm_mmu_slot_leaf_clear_dirty+0x3e0/0x3e0 [ 41.476176][ T3609] ? lock_release+0x810/0x810 [ 41.480865][ T3609] ? kvm_mmu_notifier_invalidate_range+0xd0/0xd0 [ 41.487214][ T3609] kvm_mmu_notifier_release+0x5c/0xb0 [ 41.492602][ T3609] ? kvm_mmu_notifier_invalidate_range+0xd0/0xd0 [ 41.498950][ T3609] __mmu_notifier_release+0x1a9/0x600 [ 41.504325][ T3609] ? lock_acquire+0x4fc/0x630 [ 41.509007][ T3609] ? mmu_interval_notifier_insert+0x170/0x170 [ 41.515078][ T3609] ? lock_release+0x810/0x810 [ 41.519757][ T3609] ? lock_acquire+0x4fc/0x630 [ 41.524436][ T3609] ? lock_release+0x810/0x810 [ 41.529116][ T3609] ? lock_release+0x810/0x810 [ 41.533796][ T3609] ? lock_downgrade+0x6e0/0x6e0 [ 41.538741][ T3609] ? rcu_read_lock_sched_held+0xd/0x70 [ 41.544216][ T3609] ? lock_release+0x5cb/0x810 [ 41.548901][ T3609] ? uprobe_clear_state+0xf8/0x410 [ 41.554025][ T3609] exit_mmap+0x669/0x7a0 [ 41.558273][ T3609] ? __mutex_lock+0x231/0x1350 [ 41.563046][ T3609] ? __ia32_sys_remap_file_pages+0x150/0x150 [ 41.569034][ T3609] ? ioctx_alloc+0x2180/0x2180 [ 41.573799][ T3609] ? rcu_read_lock_sched_held+0xd/0x70 [ 41.579380][ T3609] ? lock_acquire+0x4fc/0x630 [ 41.584072][ T3609] ? lock_release+0x5cb/0x810 [ 41.588789][ T3609] __mmput+0x128/0x4c0 [ 41.592953][ T3609] mmput+0x5c/0x70 [ 41.596691][ T3609] do_exit+0xa39/0x2a20 [ 41.600849][ T3609] ? lock_downgrade+0x6e0/0x6e0 [ 41.605709][ T3609] ? do_raw_spin_lock+0x120/0x2a0 [ 41.610740][ T3609] ? mm_update_next_owner+0x7b0/0x7b0 [ 41.616120][ T3609] ? rwlock_bug.part.0+0x90/0x90 [ 41.621066][ T3609] do_group_exit+0xd0/0x2a0 [ 41.625576][ T3609] __x64_sys_exit_group+0x3a/0x50 [ 41.630606][ T3609] do_syscall_64+0x35/0xb0 [ 41.635026][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.640945][ T3609] RIP: 0033:0x7f28c74dd0c9 [ 41.645359][ T3609] Code: Unable to access opcode bytes at 0x7f28c74dd09f. [ 41.652374][ T3609] RSP: 002b:00007ffcf55cc2f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 41.660788][ T3609] RAX: ffffffffffffffda RBX: 00007f28c7551350 RCX: 00007f28c74dd0c9 [ 41.668759][ T3609] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 41.676731][ T3609] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007ffcf55cc4e8 [ 41.684702][ T3609] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f28c7551350 [ 41.692674][ T3609] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 41.700651][ T3609] [ 41.703667][ T3609] Modules linked in: [ 41.707688][ T3609] ---[ end trace 0000000000000000 ]--- [ 41.713135][ T3609] RIP: 0010:workingset_activation+0x4c8/0x580 [ 41.719229][ T3609] Code: 48 89 ef e8 da 00 00 00 c6 05 56 4b 18 0c 01 0f 0b e9 0e fd ff ff e8 97 8f c9 ff 48 c7 c6 c0 78 f8 89 48 89 ef e8 b8 00 00 00 <0f> 0b e8 81 8f c9 ff 0f 0b e9 10 fc ff ff e8 75 8f c9 ff 48 c7 c6 [ 41.738894][ T3609] RSP: 0018:ffffc90003bef4a0 EFLAGS: 00010293 [ 41.745011][ T3609] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 41.752992][ T3609] RDX: ffff888024669d40 RSI: ffffffff81b30478 RDI: ffffffff8de06710 [ 41.760999][ T3609] RBP: ffffea0001f14600 R08: 0000000000000000 R09: ffffffff8de06717 [ 41.768991][ T3609] R10: 0000000000000000 R11: 706c69665f6f6420 R12: 0000000000000000 [ 41.776998][ T3609] R13: ffff8880b9a34d08 R14: dffffc0000000000 R15: 0000000000000003 [ 41.784995][ T3609] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 41.793986][ T3609] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 41.800570][ T3609] CR2: 00007f28c75521f0 CR3: 0000000071d0a000 CR4: 00000000003526f0 [ 41.808582][ T3609] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 41.816607][ T3609] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 41.824602][ T3609] Kernel panic - not syncing: Fatal exception [ 41.830839][ T3609] Kernel Offset: disabled [ 41.839588][ T3609] Rebooting in 86400 seconds..