./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3371023576 <...> Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts. execve("./syz-executor3371023576", ["./syz-executor3371023576"], 0x7fff48815800 /* 10 vars */) = 0 brk(NULL) = 0x5555565e4000 brk(0x5555565e4c40) = 0x5555565e4c40 arch_prctl(ARCH_SET_FS, 0x5555565e4300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3371023576", 4096) = 28 brk(0x555556605c40) = 0x555556605c40 brk(0x555556606000) = 0x555556606000 mprotect(0x7f8aa4735000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 chmod("/dev/raw-gadget", 0666) = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3602 attached , child_tidptr=0x5555565e45d0) = 3602 [pid 3602] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 3602] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3602] setsid() = 1 [pid 3602] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 3602] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 3602] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 3602] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 3602] prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0 [pid 3602] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 3602] unshare(CLONE_NEWNS) = 0 [pid 3602] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 3602] unshare(CLONE_NEWIPC) = 0 [pid 3602] unshare(CLONE_NEWCGROUP) = 0 [pid 3602] unshare(CLONE_NEWUTS) = 0 [pid 3602] unshare(CLONE_SYSVSEM) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "16777216", 8) = 8 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "536870912", 9) = 9 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "1024", 4) = 4 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "8192", 4) = 4 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "1024", 4) = 4 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "1024", 4) = 4 [pid 3602] close(3) = 0 [pid 3602] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 3602] write(3, "1024 1048576 500 1024", 21) = 21 [pid 3602] close(3) = 0 [pid 3602] getpid() = 1 [pid 3602] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< features=UFFD_FEATURE_PAGEFAULT_FLAG_WP|UFFD_FEATURE_EVENT_FORK|UFFD_FEATURE_EVENT_REMAP|UFFD_FEATURE_EVENT_REMOVE|UFFD_FEATURE_MISSING_HUGETLBFS|UFFD_FEATURE_MISSING_SHMEM|UFFD_FEATURE_EVENT_UNMAP|UFFD_FEATURE_SIGBUS|UFFD_FEATURE_THREAD_ID|UFFD_FEATURE_MINOR_HUGETLBFS|UFFD_FEATURE_MINOR_SHMEM|0x800, ioctls=1<<_UFFDIO_REGISTER|1<<_UFFDIO_UNREGISTER|1<<_UFFDIO_API}) = 0 [pid 3602] ioctl(3, UFFDIO_REGISTER, {range={start=0x200e2000, len=0xc00000}, mode=UFFDIO_REGISTER_MODE_MISSING, ioctls=1<<_UFFDIO_WAKE|1<<_UFFDIO_COPY|1<<_UFFDIO_ZEROPAGE}) = 0 [pid 3602] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3602] write(4, "14", 2) = 2 [pid 3602] mremap(0x205de000, 16384, 53248, MREMAP_MAYMOVE|MREMAP_FIXED, 0x20440000) = -1 ENOMEM (Cannot allocate memory) [pid 3602] exit_group(1) = ? [ 51.860165][ T3602] ================================================================== [ 51.868257][ T3602] BUG: KASAN: use-after-free in anon_vma_interval_tree_remove+0xc7d/0xf30 [ 51.876750][ T3602] Read of size 8 at addr ffff888075a68ec0 by task syz-executor337/3602 [ 51.884978][ T3602] [ 51.887289][ T3602] CPU: 1 PID: 3602 Comm: syz-executor337 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 [ 51.897256][ T3602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 51.907302][ T3602] Call Trace: [ 51.910573][ T3602] [ 51.913496][ T3602] dump_stack_lvl+0xcd/0x134 [ 51.918096][ T3602] print_report.cold+0x2ba/0x719 [ 51.923054][ T3602] ? anon_vma_interval_tree_remove+0xc7d/0xf30 [ 51.929195][ T3602] kasan_report+0xbe/0x1f0 [ 51.933599][ T3602] ? anon_vma_interval_tree_remove+0xc7d/0xf30 [ 51.939736][ T3602] anon_vma_interval_tree_remove+0xc7d/0xf30 [ 51.945702][ T3602] ? mas_find+0x20d/0xce0 [ 51.950017][ T3602] unlink_anon_vmas+0x218/0x840 [ 51.954959][ T3602] free_pgtables+0x24d/0x420 [ 51.959558][ T3602] ? free_pgd_range+0xbf0/0xbf0 [ 51.964412][ T3602] exit_mmap+0x1ec/0x720 [ 51.968653][ T3602] ? __ia32_sys_remap_file_pages+0x150/0x150 [ 51.974640][ T3602] __mmput+0x128/0x4c0 [ 51.978706][ T3602] mmput+0x5c/0x70 [ 51.982421][ T3602] do_exit+0xa09/0x29f0 [ 51.986575][ T3602] ? lock_downgrade+0x6e0/0x6e0 [ 51.991418][ T3602] ? mm_update_next_owner+0x7b0/0x7b0 [ 51.996780][ T3602] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.002065][ T3602] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.007266][ T3602] do_group_exit+0xd2/0x2f0 [ 52.011764][ T3602] __x64_sys_exit_group+0x3a/0x50 [ 52.016781][ T3602] do_syscall_64+0x35/0xb0 [ 52.021192][ T3602] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.027078][ T3602] RIP: 0033:0x7f8aa46c68d9 [ 52.031483][ T3602] Code: Unable to access opcode bytes at RIP 0x7f8aa46c68af. [ 52.038833][ T3602] RSP: 002b:00007ffd8b5da748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.047238][ T3602] RAX: ffffffffffffffda RBX: 00007f8aa473b3f0 RCX: 00007f8aa46c68d9 [ 52.055201][ T3602] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 52.063163][ T3602] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007ffd8b5da938 [ 52.071127][ T3602] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f8aa473b3f0 [ 52.079175][ T3602] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 52.087142][ T3602] [ 52.090152][ T3602] [ 52.092463][ T3602] Allocated by task 3602: [ 52.096775][ T3602] kasan_save_stack+0x1e/0x40 [ 52.101447][ T3602] __kasan_slab_alloc+0x90/0xc0 [ 52.106293][ T3602] kmem_cache_alloc+0x2d6/0x4c0 [ 52.111135][ T3602] vm_area_dup+0x81/0x380 [ 52.115461][ T3602] copy_vma+0x36f/0x890 [ 52.119610][ T3602] move_vma+0x449/0xf60 [ 52.123760][ T3602] __do_sys_mremap+0x480/0x16a0 [ 52.128609][ T3602] do_syscall_64+0x35/0xb0 [ 52.133020][ T3602] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.138904][ T3602] [ 52.141216][ T3602] Freed by task 3602: [ 52.145179][ T3602] kasan_save_stack+0x1e/0x40 [ 52.149849][ T3602] kasan_set_track+0x21/0x30 [ 52.154432][ T3602] kasan_set_free_info+0x20/0x30 [ 52.159367][ T3602] ____kasan_slab_free+0x166/0x1c0 [ 52.164470][ T3602] slab_free_freelist_hook+0x8b/0x1c0 [ 52.169840][ T3602] kmem_cache_free+0xeb/0x5b0 [ 52.174507][ T3602] copy_vma+0x6ac/0x890 [ 52.178655][ T3602] move_vma+0x449/0xf60 [ 52.182803][ T3602] __do_sys_mremap+0x480/0x16a0 [ 52.187649][ T3602] do_syscall_64+0x35/0xb0 [ 52.192058][ T3602] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.197942][ T3602] [ 52.200258][ T3602] The buggy address belongs to the object at ffff888075a68e58 [ 52.200258][ T3602] which belongs to the cache vm_area_struct of size 152 [ 52.214559][ T3602] The buggy address is located 104 bytes inside of [ 52.214559][ T3602] 152-byte region [ffff888075a68e58, ffff888075a68ef0) [ 52.227820][ T3602] [ 52.230132][ T3602] The buggy address belongs to the physical page: [ 52.236525][ T3602] page:ffffea0001d69a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75a68 [ 52.246749][ T3602] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 52.254299][ T3602] raw: 00fff00000000200 ffffea00005a00c0 dead000000000005 ffff888140006b40 [ 52.262871][ T3602] raw: 0000000000000000 0000000080120012 00000001ffffffff 0000000000000000 [ 52.271436][ T3602] page dumped because: kasan: bad access detected [ 52.277832][ T3602] page_owner tracks the page as allocated [ 52.283532][ T3602] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3308, tgid 3308 (rm), ts 28834810115, free_ts 28822620948 [ 52.301059][ T3602] get_page_from_freelist+0x210d/0x3a30 [ 52.306603][ T3602] __alloc_pages+0x1c7/0x510 [ 52.311185][ T3602] alloc_pages+0x1aa/0x310 [ 52.315593][ T3602] allocate_slab+0x27e/0x3d0 [ 52.320180][ T3602] ___slab_alloc+0x89d/0xef0 [ 52.324770][ T3602] __slab_alloc.constprop.0+0x4d/0xa0 [ 52.330140][ T3602] kmem_cache_alloc+0x3fb/0x4c0 [ 52.334979][ T3602] vm_area_dup+0x81/0x380 [ 52.339300][ T3602] __split_vma+0x9f/0x530 [ 52.343709][ T3602] split_vma+0x9f/0xe0 [ 52.347770][ T3602] mprotect_fixup+0x746/0x960 [ 52.352439][ T3602] do_mprotect_pkey+0x70f/0xa80 [ 52.357285][ T3602] __x64_sys_mprotect+0x74/0xb0 [ 52.362129][ T3602] do_syscall_64+0x35/0xb0 [ 52.366540][ T3602] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.372422][ T3602] page last free stack trace: [ 52.377077][ T3602] free_pcp_prepare+0x5e4/0xd20 [ 52.381921][ T3602] free_unref_page_list+0x16f/0xb90 [ 52.387116][ T3602] release_pages+0xbe8/0x1810 [ 52.391786][ T3602] tlb_batch_pages_flush+0xa8/0x1a0 [ 52.396981][ T3602] tlb_finish_mmu+0x147/0x7e0 [ 52.401655][ T3602] exit_mmap+0x1fe/0x720 [ 52.405888][ T3602] __mmput+0x128/0x4c0 [ 52.409953][ T3602] mmput+0x5c/0x70 [ 52.413666][ T3602] begin_new_exec+0x1021/0x2ed0 [ 52.418506][ T3602] load_elf_binary+0x15a3/0x4eb0 [ 52.423439][ T3602] bprm_execve+0x7ef/0x1960 [ 52.427935][ T3602] do_execveat_common+0x724/0x890 [ 52.432958][ T3602] __x64_sys_execve+0x8f/0xc0 [ 52.437626][ T3602] do_syscall_64+0x35/0xb0 [ 52.442039][ T3602] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.447927][ T3602] [ 52.450237][ T3602] Memory state around the buggy address: [ 52.455850][ T3602] ffff888075a68d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.463898][ T3602] ffff888075a68e00: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb [ 52.471949][ T3602] >ffff888075a68e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc [ 52.479996][ T3602] ^ [ 52.486144][ T3602] ffff888075a68f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.494192][ T3602] ffff888075a68f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.502236][ T3602] ================================================================== [ 52.510486][ T3602] Kernel panic - not syncing: panic_on_warn set ... [ 52.517090][ T3602] CPU: 0 PID: 3602 Comm: syz-executor337 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 [ 52.527074][ T3602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 52.537144][ T3602] Call Trace: [ 52.540416][ T3602] [ 52.543343][ T3602] dump_stack_lvl+0xcd/0x134 [ 52.547938][ T3602] panic+0x2d7/0x636 [ 52.551831][ T3602] ? panic_print_sys_info.part.0+0x10b/0x10b [ 52.557828][ T3602] ? preempt_schedule_common+0x59/0xc0 [ 52.563289][ T3602] ? preempt_schedule_thunk+0x16/0x18 [ 52.568669][ T3602] ? anon_vma_interval_tree_remove+0xc7d/0xf30 [ 52.574817][ T3602] end_report.part.0+0x3f/0x7c [ 52.579577][ T3602] kasan_report.cold+0x8/0x12 [ 52.584257][ T3602] ? anon_vma_interval_tree_remove+0xc7d/0xf30 [ 52.590403][ T3602] anon_vma_interval_tree_remove+0xc7d/0xf30 [ 52.596389][ T3602] ? mas_find+0x20d/0xce0 [ 52.600725][ T3602] unlink_anon_vmas+0x218/0x840 [ 52.605583][ T3602] free_pgtables+0x24d/0x420 [ 52.610173][ T3602] ? free_pgd_range+0xbf0/0xbf0 [ 52.615024][ T3602] exit_mmap+0x1ec/0x720 [ 52.619261][ T3602] ? __ia32_sys_remap_file_pages+0x150/0x150 [ 52.625249][ T3602] __mmput+0x128/0x4c0 [ 52.629313][ T3602] mmput+0x5c/0x70 [ 52.633029][ T3602] do_exit+0xa09/0x29f0 [ 52.637177][ T3602] ? lock_downgrade+0x6e0/0x6e0 [ 52.642031][ T3602] ? mm_update_next_owner+0x7b0/0x7b0 [ 52.647395][ T3602] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.652598][ T3602] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.657798][ T3602] do_group_exit+0xd2/0x2f0 [ 52.662307][ T3602] __x64_sys_exit_group+0x3a/0x50 [ 52.667333][ T3602] do_syscall_64+0x35/0xb0 [ 52.671750][ T3602] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 52.677643][ T3602] RIP: 0033:0x7f8aa46c68d9 [ 52.682059][ T3602] Code: Unable to access opcode bytes at RIP 0x7f8aa46c68af. [ 52.689412][ T3602] RSP: 002b:00007ffd8b5da748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.697832][ T3602] RAX: ffffffffffffffda RBX: 00007f8aa473b3f0 RCX: 00007f8aa46c68d9 [ 52.705791][ T3602] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 52.713762][ T3602] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007ffd8b5da938 [ 52.721734][ T3602] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f8aa473b3f0 [ 52.729700][ T3602] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 52.737671][ T3602] [ 52.740837][ T3602] Kernel Offset: disabled [ 52.745156][ T3602] Rebooting in 86400 seconds..