./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3049990077 <...> Warning: Permanently added '10.128.1.72' (ED25519) to the list of known hosts. execve("./syz-executor3049990077", ["./syz-executor3049990077"], 0x7ffe77dfb660 /* 10 vars */) = 0 brk(NULL) = 0x555555e60000 brk(0x555555e60d40) = 0x555555e60d40 arch_prctl(ARCH_SET_FS, 0x555555e603c0) = 0 set_tid_address(0x555555e60690) = 5056 set_robust_list(0x555555e606a0, 24) = 0 rseq(0x555555e60ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3049990077", 4096) = 28 getrandom("\xec\xa7\x1c\xa3\xe4\xd7\xde\x19", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555e60d40 brk(0x555555e81d40) = 0x555555e81d40 brk(0x555555e82000) = 0x555555e82000 mprotect(0x7f5438b9a000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f5438ba030c, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f5438b3cae0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f5438b2e160}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5438ab9000 mprotect(0x7f5438aba000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f5438ad9990, parent_tid=0x7f5438ad9990, exit_signal=0, stack=0x7f5438ab9000, stack_size=0x20300, tls=0x7f5438ad96c0}./strace-static-x86_64: Process 5057 attached [pid 5057] rseq(0x7f5438ad9fe0, 0x20, 0, 0x53053053 [pid 5056] <... clone3 resumed> => {parent_tid=[5057]}, 88) = 5057 [pid 5057] <... rseq resumed>) = 0 [pid 5056] rt_sigprocmask(SIG_SETMASK, [], [pid 5057] set_robust_list(0x7f5438ad99a0, 24 [pid 5056] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5057] <... set_robust_list resumed>) = 0 [pid 5056] futex(0x7f5438ba0308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5057] rt_sigprocmask(SIG_SETMASK, [], [pid 5056] <... futex resumed>) = 0 [pid 5057] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5056] futex(0x7f5438ba030c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5057] openat(AT_FDCWD, "/dev/ptp0", O_RDONLY) = 3 [pid 5057] futex(0x7f5438ba030c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5056] <... futex resumed>) = 0 [pid 5057] <... futex resumed>) = 1 [pid 5056] futex(0x7f5438ba0308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5057] read(3, [pid 5056] <... futex resumed>) = 0 [pid 5056] futex(0x7f5438ba030c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5056] futex(0x7f5438ba031c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5056] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5438a98000 [pid 5056] mprotect(0x7f5438a99000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5056] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5056] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f5438ab8990, parent_tid=0x7f5438ab8990, exit_signal=0, stack=0x7f5438a98000, stack_size=0x20300, tls=0x7f5438ab86c0}./strace-static-x86_64: Process 5058 attached => {parent_tid=[5058]}, 88) = 5058 [pid 5058] rseq(0x7f5438ab8fe0, 0x20, 0, 0x53053053 [pid 5056] rt_sigprocmask(SIG_SETMASK, [], [pid 5058] <... rseq resumed>) = 0 [pid 5056] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5058] set_robust_list(0x7f5438ab89a0, 24 [pid 5056] futex(0x7f5438ba0318, FUTEX_WAKE_PRIVATE, 1000000 [pid 5058] <... set_robust_list resumed>) = 0 [pid 5056] <... futex resumed>) = 0 [pid 5058] rt_sigprocmask(SIG_SETMASK, [], [pid 5056] futex(0x7f5438ba031c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5058] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5058] read(3, 0x20000000, 14) = -1 EINVAL (Invalid argument) [pid 5058] futex(0x7f5438ba031c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5056] <... futex resumed>) = 0 [pid 5058] <... futex resumed>) = 1 [pid 5058] futex(0x7f5438ba0318, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5056] exit_group(0) = ? [pid 5058] <... futex resumed>) = ? [ 55.673646][ T5057] ================================================================== [ 55.681766][ T5057] BUG: KASAN: slab-use-after-free in ptp_read+0x5e4/0x820 [ 55.688908][ T5057] Read of size 4 at addr ffff888078735004 by task syz-executor304/5057 [ 55.697134][ T5057] [ 55.699447][ T5057] CPU: 1 PID: 5057 Comm: syz-executor304 Not tainted 6.6.0-syzkaller-14651-gd2f51b3516da #0 [ 55.709498][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 55.719541][ T5057] Call Trace: [ 55.722810][ T5057] [ 55.725731][ T5057] dump_stack_lvl+0x1e7/0x2d0 [ 55.730420][ T5057] ? nf_tcp_handle_invalid+0x650/0x650 [ 55.735869][ T5057] ? panic+0x850/0x850 [ 55.739930][ T5057] ? _printk+0xd5/0x120 [ 55.744084][ T5057] print_report+0x163/0x540 [ 55.748666][ T5057] ? __virt_addr_valid+0x22f/0x2e0 [ 55.753768][ T5057] ? __phys_addr+0xba/0x170 [ 55.758259][ T5057] ? ptp_read+0x5e4/0x820 [ 55.763017][ T5057] kasan_report+0x142/0x170 [ 55.767513][ T5057] ? lockdep_hardirqs_on+0x98/0x140 [ 55.772704][ T5057] ? ptp_read+0x5e4/0x820 [ 55.777029][ T5057] ptp_read+0x5e4/0x820 [ 55.781179][ T5057] ? ptp_poll+0x160/0x160 [ 55.785513][ T5057] ? wake_bit_function+0x220/0x220 [ 55.790615][ T5057] ? __fsnotify_update_child_dentry_flags+0x2a0/0x2a0 [ 55.797369][ T5057] ? ptp_poll+0x160/0x160 [ 55.801692][ T5057] posix_clock_read+0x12f/0x190 [ 55.806546][ T5057] ? pc_clock_adjtime+0x220/0x220 [ 55.811576][ T5057] vfs_read+0x289/0xb00 [ 55.815727][ T5057] ? kernel_read+0x1f0/0x1f0 [ 55.820304][ T5057] ? __fget_files+0x29/0x480 [ 55.824888][ T5057] ? __fget_files+0x3fe/0x480 [ 55.829553][ T5057] ? __fget_files+0x29/0x480 [ 55.834138][ T5057] ? __fdget_pos+0x1df/0x340 [ 55.838719][ T5057] ? ksys_read+0x7b/0x2c0 [ 55.843039][ T5057] ksys_read+0x1a0/0x2c0 [ 55.847624][ T5057] ? vfs_write+0xb20/0xb20 [ 55.852033][ T5057] ? syscall_enter_from_user_mode+0x32/0x230 [ 55.858009][ T5057] ? syscall_enter_from_user_mode+0x8c/0x230 [ 55.863983][ T5057] do_syscall_64+0x44/0x110 [ 55.868476][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 55.874361][ T5057] RIP: 0033:0x7f5438b16c39 [ 55.878770][ T5057] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 55.898457][ T5057] RSP: 002b:00007f5438ad9238 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 55.906862][ T5057] RAX: ffffffffffffffda RBX: 00007f5438ba0308 RCX: 00007f5438b16c39 [ 55.914840][ T5057] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 55.922800][ T5057] RBP: 00007f5438ba0300 R08: 00007f5438ad96c0 R09: 00007f5438ad96c0 [ 55.930761][ T5057] R10: 00007f5438ad96c0 R11: 0000000000000246 R12: 7074702f7665642f [ 55.938721][ T5057] R13: 0000000000000000 R14: 00007fffeb9398a0 R15: 00007fffeb939988 [ 55.946688][ T5057] [ 55.949694][ T5057] [ 55.952021][ T5057] Allocated by task 5057: [ 55.956328][ T5057] kasan_set_track+0x4f/0x70 [ 55.960905][ T5057] __kasan_kmalloc+0x98/0xb0 [ 55.965483][ T5057] ptp_open+0xd9/0x430 [ 55.969542][ T5057] posix_clock_open+0x155/0x1f0 [ 55.974380][ T5057] chrdev_open+0x5ab/0x630 [ 55.978783][ T5057] do_dentry_open+0x8fd/0x1590 [ 55.983538][ T5057] path_openat+0x2845/0x3280 [ 55.988118][ T5057] do_filp_open+0x234/0x490 [ 55.992611][ T5057] do_sys_openat2+0x13e/0x1d0 [ 55.997273][ T5057] __x64_sys_openat+0x247/0x290 [ 56.002109][ T5057] do_syscall_64+0x44/0x110 [ 56.006598][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.012479][ T5057] [ 56.014788][ T5057] Freed by task 5058: [ 56.018751][ T5057] kasan_set_track+0x4f/0x70 [ 56.023332][ T5057] kasan_save_free_info+0x28/0x40 [ 56.028343][ T5057] ____kasan_slab_free+0xd6/0x120 [ 56.033354][ T5057] __kmem_cache_free+0x263/0x3a0 [ 56.038280][ T5057] ptp_release+0x1ce/0x1e0 [ 56.042687][ T5057] ptp_read+0x17f/0x820 [ 56.046833][ T5057] posix_clock_read+0x12f/0x190 [ 56.051678][ T5057] vfs_read+0x289/0xb00 [ 56.056167][ T5057] ksys_read+0x1a0/0x2c0 [ 56.060396][ T5057] do_syscall_64+0x44/0x110 [ 56.064888][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.070767][ T5057] [ 56.073075][ T5057] The buggy address belongs to the object at ffff888078734000 [ 56.073075][ T5057] which belongs to the cache kmalloc-8k of size 8192 [ 56.087112][ T5057] The buggy address is located 4100 bytes inside of [ 56.087112][ T5057] freed 8192-byte region [ffff888078734000, ffff888078736000) [ 56.101067][ T5057] [ 56.103375][ T5057] The buggy address belongs to the physical page: [ 56.109769][ T5057] page:ffffea0001e1cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78730 [ 56.119905][ T5057] head:ffffea0001e1cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 56.128830][ T5057] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 56.136805][ T5057] page_type: 0xffffffff() [ 56.141123][ T5057] raw: 00fff00000000840 ffff888012c42280 dead000000000122 0000000000000000 [ 56.149695][ T5057] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 56.158258][ T5057] page dumped because: kasan: bad access detected [ 56.164650][ T5057] page_owner tracks the page as allocated [ 56.170347][ T5057] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4964, tgid 4964 (sshd), ts 45894976160, free_ts 45769063688 [ 56.191953][ T5057] post_alloc_hook+0x1e6/0x210 [ 56.196710][ T5057] get_page_from_freelist+0x339a/0x3530 [ 56.202242][ T5057] __alloc_pages+0x255/0x670 [ 56.206818][ T5057] alloc_pages_mpol+0x3de/0x640 [ 56.211658][ T5057] alloc_slab_page+0x6a/0x160 [ 56.216329][ T5057] new_slab+0x84/0x2f0 [ 56.220387][ T5057] ___slab_alloc+0xc85/0x1310 [ 56.225581][ T5057] __kmem_cache_alloc_node+0x21d/0x300 [ 56.231031][ T5057] __kmalloc_node_track_caller+0xa5/0x230 [ 56.236741][ T5057] kmalloc_reserve+0xf3/0x260 [ 56.241410][ T5057] __alloc_skb+0x1b1/0x420 [ 56.245819][ T5057] netlink_dump+0x206/0xcd0 [ 56.250330][ T5057] netlink_recvmsg+0x6b9/0x11d0 [ 56.255183][ T5057] ____sys_recvmsg+0x2a4/0x580 [ 56.259952][ T5057] __sys_recvmsg+0x2f0/0x3d0 [ 56.264532][ T5057] do_syscall_64+0x44/0x110 [ 56.269022][ T5057] page last free stack trace: [ 56.273677][ T5057] free_unref_page_prepare+0x92a/0xa50 [ 56.279127][ T5057] free_unref_page+0x37/0x3f0 [ 56.283799][ T5057] skb_release_data+0x446/0x850 [ 56.288640][ T5057] napi_consume_skb+0x14d/0x200 [ 56.293495][ T5057] net_rx_action+0x554/0x1010 [ 56.298157][ T5057] __do_softirq+0x2bf/0x93a [ 56.302651][ T5057] [ 56.304961][ T5057] Memory state around the buggy address: [ 56.310578][ T5057] ffff888078734f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 5058] +++ exited with 0 +++ [ 56.318625][ T5057] ffff888078734f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.326669][ T5057] >ffff888078735000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.334712][ T5057] ^ [ 56.338780][ T5057] ffff888078735080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.346831][ T5057] ffff888078735100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.354878][ T5057] ================================================================== [ 56.364065][ T5057] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 56.371278][ T5057] CPU: 0 PID: 5057 Comm: syz-executor304 Not tainted 6.6.0-syzkaller-14651-gd2f51b3516da #0 [ 56.381344][ T5057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 56.391398][ T5057] Call Trace: [ 56.394664][ T5057] [ 56.397579][ T5057] dump_stack_lvl+0x1e7/0x2d0 [ 56.402248][ T5057] ? nf_tcp_handle_invalid+0x650/0x650 [ 56.407691][ T5057] ? panic+0x850/0x850 [ 56.411748][ T5057] ? vscnprintf+0x5d/0x80 [ 56.416059][ T5057] panic+0x349/0x850 [ 56.419938][ T5057] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 56.426076][ T5057] ? check_panic_on_warn+0x21/0xa0 [ 56.431169][ T5057] ? __memcpy_flushcache+0x2b0/0x2b0 [ 56.436441][ T5057] ? _raw_spin_unlock_irqrestore+0x12c/0x140 [ 56.442537][ T5057] ? _raw_spin_unlock+0x40/0x40 [ 56.447393][ T5057] ? print_report+0x4fb/0x540 [ 56.452060][ T5057] check_panic_on_warn+0x82/0xa0 [ 56.456982][ T5057] ? ptp_read+0x5e4/0x820 [ 56.461295][ T5057] end_report+0x6e/0x130 [ 56.465516][ T5057] kasan_report+0x153/0x170 [ 56.469995][ T5057] ? lockdep_hardirqs_on+0x98/0x140 [ 56.475175][ T5057] ? ptp_read+0x5e4/0x820 [ 56.479490][ T5057] ptp_read+0x5e4/0x820 [ 56.483626][ T5057] ? ptp_poll+0x160/0x160 [ 56.487936][ T5057] ? wake_bit_function+0x220/0x220 [ 56.493031][ T5057] ? __fsnotify_update_child_dentry_flags+0x2a0/0x2a0 [ 56.499788][ T5057] ? ptp_poll+0x160/0x160 [ 56.504099][ T5057] posix_clock_read+0x12f/0x190 [ 56.508933][ T5057] ? pc_clock_adjtime+0x220/0x220 [ 56.513941][ T5057] vfs_read+0x289/0xb00 [ 56.518081][ T5057] ? kernel_read+0x1f0/0x1f0 [ 56.522649][ T5057] ? __fget_files+0x29/0x480 [ 56.527217][ T5057] ? __fget_files+0x3fe/0x480 [ 56.531887][ T5057] ? __fget_files+0x29/0x480 [ 56.536456][ T5057] ? __fdget_pos+0x1df/0x340 [ 56.541027][ T5057] ? ksys_read+0x7b/0x2c0 [ 56.545335][ T5057] ksys_read+0x1a0/0x2c0 [ 56.549560][ T5057] ? vfs_write+0xb20/0xb20 [ 56.553959][ T5057] ? syscall_enter_from_user_mode+0x32/0x230 [ 56.559938][ T5057] ? syscall_enter_from_user_mode+0x8c/0x230 [ 56.565911][ T5057] do_syscall_64+0x44/0x110 [ 56.570396][ T5057] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.576270][ T5057] RIP: 0033:0x7f5438b16c39 [ 56.580668][ T5057] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 56.600275][ T5057] RSP: 002b:00007f5438ad9238 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 56.608682][ T5057] RAX: ffffffffffffffda RBX: 00007f5438ba0308 RCX: 00007f5438b16c39 [ 56.616634][ T5057] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 56.624585][ T5057] RBP: 00007f5438ba0300 R08: 00007f5438ad96c0 R09: 00007f5438ad96c0 [ 56.632537][ T5057] R10: 00007f5438ad96c0 R11: 0000000000000246 R12: 7074702f7665642f [ 56.640487][ T5057] R13: 0000000000000000 R14: 00007fffeb9398a0 R15: 00007fffeb939988 [ 56.648440][ T5057] [ 56.651685][ T5057] Kernel Offset: disabled [ 56.655993][ T5057] Rebooting in 86400 seconds..