./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3430499469 <...> DUID 00:04:03:2c:e5:fc:a2:19:b8:8b:c5:bf:62:63:19:3a:75:c6 forked to background, child pid 3184 [ 23.578862][ T3185] 8021q: adding VLAN 0 to HW filter on device bond0 [ 23.589319][ T3185] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts. execve("./syz-executor3430499469", ["./syz-executor3430499469"], 0x7fff8ec4b1e0 /* 10 vars */) = 0 brk(NULL) = 0x55555566f000 brk(0x55555566fc40) = 0x55555566fc40 arch_prctl(ARCH_SET_FS, 0x55555566f300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555566f5d0) = 3605 set_robust_list(0x55555566f5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f53ced955b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f53ced95c80}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f53ced95650, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f53ced95c80}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3430499469", 4096) = 28 brk(0x555555690c40) = 0x555555690c40 brk(0x555555691000) = 0x555555691000 mprotect(0x7f53cee56000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f53ced64000 mprotect(0x7f53ced65000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7f53ced843f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3606], tls=0x7f53ced84700, child_tidptr=0x7f53ced849d0) = 3606 futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3606 attached [pid 3606] set_robust_list(0x7f53ced849e0, 24) = 0 [pid 3606] mmap(0x20000000, 16732160, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE|MAP_POPULATE|MAP_NONBLOCK|MAP_DENYWRITE|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] mprotect(0x20000000, 8388608, PROT_WRITE) = 0 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] userfaultfd(UFFD_USER_MODE_ONLY|O_NONBLOCK|O_CLOEXEC) = 3 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(3, UFFDIO_API, 0x20000040) = 0 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(3, UFFDIO_REGISTER, 0x20000080) = 0 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] openat(AT_FDCWD, 0x20000280, O_RDONLY) = 4 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(4, KVM_CREATE_VM, 0) = 5 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(5, KVM_CREATE_VCPU, 0) = 6 [pid 3606] futex(0x7f53cee5c42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f53cee5c428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3606] <... futex resumed>) = 1 [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=4096, userspace_addr=0x207a2000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=1, flags=0, guest_phys_addr=0x1000, memory_size=4096, userspace_addr=0x207a3000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=2, flags=0, guest_phys_addr=0x2000, memory_size=4096, userspace_addr=0x207a4000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=3, flags=0, guest_phys_addr=0x3000, memory_size=4096, userspace_addr=0x207a5000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=4, flags=0, guest_phys_addr=0x4000, memory_size=4096, userspace_addr=0x207a6000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=5, flags=0, guest_phys_addr=0x5000, memory_size=4096, userspace_addr=0x207a7000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=6, flags=0, guest_phys_addr=0x6000, memory_size=4096, userspace_addr=0x207a8000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=7, flags=0, guest_phys_addr=0x7000, memory_size=4096, userspace_addr=0x207a9000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=8, flags=0, guest_phys_addr=0x8000, memory_size=4096, userspace_addr=0x207aa000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=9, flags=0, guest_phys_addr=0x9000, memory_size=4096, userspace_addr=0x207ab000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=10, flags=0, guest_phys_addr=0xfec00000, memory_size=4096, userspace_addr=0x207ac000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=11, flags=0, guest_phys_addr=0xb000, memory_size=4096, userspace_addr=0x207ad000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=12, flags=0, guest_phys_addr=0xc000, memory_size=4096, userspace_addr=0x207ae000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=13, flags=0, guest_phys_addr=0xd000, memory_size=4096, userspace_addr=0x207af000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=14, flags=0, guest_phys_addr=0xe000, memory_size=4096, userspace_addr=0x207b0000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=15, flags=0, guest_phys_addr=0xf000, memory_size=4096, userspace_addr=0x207b1000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=16, flags=0, guest_phys_addr=0x10000, memory_size=4096, userspace_addr=0x207b2000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=17, flags=0, guest_phys_addr=0x11000, memory_size=4096, userspace_addr=0x207b3000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=18, flags=0, guest_phys_addr=0x12000, memory_size=4096, userspace_addr=0x207b4000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=19, flags=0, guest_phys_addr=0x13000, memory_size=4096, userspace_addr=0x207b5000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=20, flags=0, guest_phys_addr=0x14000, memory_size=4096, userspace_addr=0x207b6000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=21, flags=0, guest_phys_addr=0x15000, memory_size=4096, userspace_addr=0x207b7000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=22, flags=0, guest_phys_addr=0x16000, memory_size=4096, userspace_addr=0x207b8000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=23, flags=0, guest_phys_addr=0x17000, memory_size=4096, userspace_addr=0x207b9000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=65537, flags=0, guest_phys_addr=0x30000, memory_size=65536, userspace_addr=0x207a2000}) = -1 EBADF (Bad file descriptor) [pid 3606] ioctl(6, KVM_GET_SREGS, {cs={base=0xffff0000, limit=65535, selector=61440, type=11, present=1, dpl=0, db=0, s=1, l=0, g=0, avl=0}, ...}) = 0 [pid 3606] openat(AT_FDCWD, "/dev/kvm", O_RDWR) = 7 [pid 3606] ioctl(7, KVM_GET_SUPPORTED_CPUID, {nent=33, entries=[...]}) = 0 [pid 3606] ioctl(6, KVM_SET_CPUID2, {nent=33, entries=[...]}) = 0 [pid 3606] close(7) = 0 syzkaller login: [ 39.491294][ T3606] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [pid 3605] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3605] futex(0x7f53cee5c42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3605] futex(0x7f53cee5c43c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f53ced43000 [pid 3605] mprotect(0x7f53ced44000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3605] clone(child_stack=0x7f53ced633f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3610 attached , parent_tid=[3610], tls=0x7f53ced63700, child_tidptr=0x7f53ced639d0) = 3610 [pid 3605] futex(0x7f53cee5c438, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f53cee5c43c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3610] set_robust_list(0x7f53ced639e0, 24) = 0 [pid 3610] mmap(0x20000000, 16732160, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE|MAP_POPULATE|MAP_NONBLOCK|MAP_DENYWRITE|MAP_HUGETLB, -1, 0) = 0x20000000 [pid 3610] futex(0x7f53cee5c43c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3610] <... futex resumed>) = 1 [pid 3610] futex(0x7f53cee5c438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3605] exit_group(0) = ? [pid 3610] <... futex resumed>) = ? [pid 3610] +++ exited with 0 +++ [ 39.684386][ T3606] ================================================================== [ 39.692492][ T3606] BUG: KASAN: use-after-free in hugetlb_handle_userfault+0x236/0x250 [ 39.700556][ T3606] Read of size 8 at addr ffff888026e0d530 by task syz-executor343/3606 [ 39.708776][ T3606] [ 39.711086][ T3606] CPU: 0 PID: 3606 Comm: syz-executor343 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0 [ 39.720972][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 39.731026][ T3606] Call Trace: [ 39.734307][ T3606] [ 39.737231][ T3606] dump_stack_lvl+0xcd/0x134 [ 39.741837][ T3606] print_report.cold+0x2ba/0x719 [ 39.746787][ T3606] ? hugetlb_handle_userfault+0x236/0x250 [ 39.752506][ T3606] kasan_report+0xb1/0x1e0 [ 39.756919][ T3606] ? hugetlb_handle_userfault+0x236/0x250 [ 39.762630][ T3606] hugetlb_handle_userfault+0x236/0x250 [ 39.768284][ T3606] ? hugetlb_fault_mutex_hash+0xd0/0xd0 [ 39.773818][ T3606] ? filemap_add_folio+0x1d0/0x1d0 [ 39.778918][ T3606] ? hugetlb_total_pages+0x140/0x140 [ 39.784191][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 39.789046][ T3606] hugetlb_fault+0x152d/0x1e00 [ 39.793802][ T3606] ? hugetlb_wp+0x1a30/0x1a30 [ 39.798466][ T3606] ? lock_release+0x780/0x780 [ 39.803138][ T3606] ? rcu_read_lock_sched_held+0xd/0x70 [ 39.808589][ T3606] ? lock_release+0x560/0x780 [ 39.813256][ T3606] ? count_memcg_event_mm.part.0+0x134/0x2d0 [ 39.819309][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 39.824160][ T3606] handle_mm_fault+0x640/0x780 [ 39.828913][ T3606] do_user_addr_fault+0x475/0x1210 [ 39.834021][ T3606] exc_page_fault+0x94/0x170 [ 39.838604][ T3606] asm_exc_page_fault+0x22/0x30 [ 39.843445][ T3606] RIP: 0033:0x7f53ced8fc3b [ 39.847845][ T3606] Code: 00 48 89 94 24 ca 03 00 00 f3 0f 6f 9c 24 c0 03 00 00 f3 0f 6f a4 24 d0 03 00 00 48 89 84 24 e2 03 00 00 48 8d 86 00 20 7a 20 <0f> 11 9e 00 20 7a 20 0f 11 a6 10 20 7a 20 48 8b b4 24 e0 03 00 00 [ 39.867439][ T3606] RSP: 002b:00007f53ced82820 EFLAGS: 00010246 [ 39.873623][ T3606] RAX: 00000000207a5e00 RBX: 0000000000000000 RCX: 00180f8000180f80 [ 39.881587][ T3606] RDX: 0002912000180f80 RSI: 0000000000003e00 RDI: 0000000000000008 [ 39.889560][ T3606] RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000 [ 39.897523][ T3606] R10: 0000000000000000 R11: 00007f53ced82c80 R12: 00000000207a2000 [ 39.905486][ T3606] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f53ced82d80 [ 39.913460][ T3606] [ 39.916480][ T3606] [ 39.918801][ T3606] Allocated by task 3606: [ 39.923120][ T3606] kasan_save_stack+0x1e/0x40 [ 39.927798][ T3606] __kasan_slab_alloc+0x90/0xc0 [ 39.932653][ T3606] kmem_cache_alloc+0x2b7/0x3d0 [ 39.937571][ T3606] vm_area_alloc+0x1c/0xf0 [ 39.941986][ T3606] mmap_region+0x448/0x1bf0 [ 39.946493][ T3606] do_mmap+0x825/0xf50 [ 39.950558][ T3606] vm_mmap_pgoff+0x1ab/0x270 [ 39.955161][ T3606] ksys_mmap_pgoff+0x1c3/0x5a0 [ 39.959918][ T3606] do_syscall_64+0x35/0xb0 [ 39.964330][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 39.970256][ T3606] [ 39.972577][ T3606] Freed by task 3610: [ 39.976555][ T3606] kasan_save_stack+0x1e/0x40 [ 39.981239][ T3606] kasan_set_track+0x21/0x30 [ 39.985831][ T3606] kasan_set_free_info+0x20/0x30 [ 39.990759][ T3606] ____kasan_slab_free+0x166/0x1c0 [ 39.995872][ T3606] slab_free_freelist_hook+0x8b/0x1c0 [ 40.001252][ T3606] kmem_cache_free+0xe7/0x5b0 [ 40.005916][ T3606] do_mas_align_munmap+0x983/0xee0 [ 40.011017][ T3606] do_mas_munmap+0x26a/0x2b0 [ 40.015594][ T3606] mmap_region+0x219/0x1bf0 [ 40.020105][ T3606] do_mmap+0x825/0xf50 [ 40.024162][ T3606] vm_mmap_pgoff+0x1ab/0x270 [ 40.028754][ T3606] ksys_mmap_pgoff+0x1c3/0x5a0 [ 40.033505][ T3606] do_syscall_64+0x35/0xb0 [ 40.037927][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 40.043811][ T3606] [ 40.046136][ T3606] The buggy address belongs to the object at ffff888026e0d510 [ 40.046136][ T3606] which belongs to the cache vm_area_struct of size 152 [ 40.060434][ T3606] The buggy address is located 32 bytes inside of [ 40.060434][ T3606] 152-byte region [ffff888026e0d510, ffff888026e0d5a8) [ 40.073619][ T3606] [ 40.075921][ T3606] The buggy address belongs to the physical page: [ 40.082310][ T3606] page:ffffea00009b8340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26e0d [ 40.092439][ T3606] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 40.099969][ T3606] raw: 00fff00000000200 ffffea0000984fc0 dead00000000000d ffff888140006b40 [ 40.108547][ T3606] raw: 0000000000000000 0000000000120012 00000001ffffffff 0000000000000000 [ 40.117117][ T3606] page dumped because: kasan: bad access detected [ 40.123524][ T3606] page_owner tracks the page as allocated [ 40.129227][ T3606] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3314, tgid 3314 (rm), ts 24325304308, free_ts 24317978337 [ 40.146664][ T3606] get_page_from_freelist+0x109b/0x2ce0 [ 40.152293][ T3606] __alloc_pages+0x1c7/0x510 [ 40.156865][ T3606] alloc_pages+0x1a6/0x270 [ 40.161272][ T3606] allocate_slab+0x228/0x370 [ 40.165858][ T3606] ___slab_alloc+0xad0/0x1440 [ 40.170519][ T3606] __slab_alloc.constprop.0+0x4d/0xa0 [ 40.175889][ T3606] kmem_cache_alloc+0x31c/0x3d0 [ 40.180724][ T3606] vm_area_alloc+0x1c/0xf0 [ 40.185136][ T3606] mmap_region+0x448/0x1bf0 [ 40.189636][ T3606] do_mmap+0x825/0xf50 [ 40.193692][ T3606] vm_mmap_pgoff+0x1ab/0x270 [ 40.198266][ T3606] ksys_mmap_pgoff+0x79/0x5a0 [ 40.202930][ T3606] do_syscall_64+0x35/0xb0 [ 40.207358][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 40.213310][ T3606] page last free stack trace: [ 40.217966][ T3606] free_pcp_prepare+0x5e4/0xd20 [ 40.222822][ T3606] free_unref_page_list+0x16f/0xb90 [ 40.228008][ T3606] release_pages+0xc6c/0x1590 [ 40.232688][ T3606] tlb_batch_pages_flush+0xa8/0x1a0 [ 40.237884][ T3606] tlb_finish_mmu+0x147/0x7e0 [ 40.242549][ T3606] exit_mmap+0x1fe/0x720 [ 40.246795][ T3606] __mmput+0x128/0x4c0 [ 40.250850][ T3606] mmput+0x5c/0x70 [ 40.254558][ T3606] begin_new_exec+0x100c/0x2ef0 [ 40.259412][ T3606] load_elf_binary+0x8e6/0x4e00 [ 40.264247][ T3606] bprm_execve+0x7ef/0x1960 [ 40.268822][ T3606] do_execveat_common+0x724/0x890 [ 40.273830][ T3606] __x64_sys_execve+0x8f/0xc0 [ 40.278496][ T3606] do_syscall_64+0x35/0xb0 [ 40.282896][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 40.288773][ T3606] [ 40.291076][ T3606] Memory state around the buggy address: [ 40.296693][ T3606] ffff888026e0d400: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb [ 40.304736][ T3606] ffff888026e0d480: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 40.312786][ T3606] >ffff888026e0d500: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb [ 40.320835][ T3606] ^ [ 40.326442][ T3606] ffff888026e0d580: fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 [ 40.334483][ T3606] ffff888026e0d600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 40.342530][ T3606] ================================================================== [ 40.351409][ T3606] Kernel panic - not syncing: panic_on_warn set ... [ 40.358012][ T3606] CPU: 0 PID: 3606 Comm: syz-executor343 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0 [ 40.367911][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 40.377959][ T3606] Call Trace: [ 40.381232][ T3606] [ 40.384154][ T3606] dump_stack_lvl+0xcd/0x134 [ 40.388747][ T3606] panic+0x2c8/0x622 [ 40.392648][ T3606] ? panic_print_sys_info.part.0+0x110/0x110 [ 40.398623][ T3606] ? preempt_schedule_common+0x59/0xc0 [ 40.404080][ T3606] ? preempt_schedule_thunk+0x16/0x18 [ 40.409523][ T3606] ? hugetlb_handle_userfault+0x236/0x250 [ 40.415247][ T3606] end_report.part.0+0x3f/0x7c [ 40.420007][ T3606] kasan_report.cold+0xa/0xf [ 40.424589][ T3606] ? hugetlb_handle_userfault+0x236/0x250 [ 40.430315][ T3606] hugetlb_handle_userfault+0x236/0x250 [ 40.435866][ T3606] ? hugetlb_fault_mutex_hash+0xd0/0xd0 [ 40.441418][ T3606] ? filemap_add_folio+0x1d0/0x1d0 [ 40.446556][ T3606] ? hugetlb_total_pages+0x140/0x140 [ 40.451836][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 40.456690][ T3606] hugetlb_fault+0x152d/0x1e00 [ 40.461457][ T3606] ? hugetlb_wp+0x1a30/0x1a30 [ 40.466123][ T3606] ? lock_release+0x780/0x780 [ 40.470799][ T3606] ? rcu_read_lock_sched_held+0xd/0x70 [ 40.476269][ T3606] ? lock_release+0x560/0x780 [ 40.480939][ T3606] ? count_memcg_event_mm.part.0+0x134/0x2d0 [ 40.486921][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 40.491769][ T3606] handle_mm_fault+0x640/0x780 [ 40.496536][ T3606] do_user_addr_fault+0x475/0x1210 [ 40.501662][ T3606] exc_page_fault+0x94/0x170 [ 40.506269][ T3606] asm_exc_page_fault+0x22/0x30 [ 40.511114][ T3606] RIP: 0033:0x7f53ced8fc3b [ 40.515516][ T3606] Code: 00 48 89 94 24 ca 03 00 00 f3 0f 6f 9c 24 c0 03 00 00 f3 0f 6f a4 24 d0 03 00 00 48 89 84 24 e2 03 00 00 48 8d 86 00 20 7a 20 <0f> 11 9e 00 20 7a 20 0f 11 a6 10 20 7a 20 48 8b b4 24 e0 03 00 00 [ 40.535107][ T3606] RSP: 002b:00007f53ced82820 EFLAGS: 00010246 [ 40.541169][ T3606] RAX: 00000000207a5e00 RBX: 0000000000000000 RCX: 00180f8000180f80 [ 40.549122][ T3606] RDX: 0002912000180f80 RSI: 0000000000003e00 RDI: 0000000000000008 [ 40.557077][ T3606] RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000 [ 40.565051][ T3606] R10: 0000000000000000 R11: 00007f53ced82c80 R12: 00000000207a2000 [ 40.573005][ T3606] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f53ced82d80 [ 40.580963][ T3606] [ 40.584137][ T3606] Kernel Offset: disabled [ 40.588452][ T3606] Rebooting in 86400 seconds..