./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3065444404 <...> Warning: Permanently added '10.128.1.180' (ED25519) to the list of known hosts. execve("./syz-executor3065444404", ["./syz-executor3065444404"], 0x7ffecdd87cd0 /* 10 vars */) = 0 brk(NULL) = 0x55555c3df000 brk(0x55555c3dfd00) = 0x55555c3dfd00 arch_prctl(ARCH_SET_FS, 0x55555c3df380) = 0 set_tid_address(0x55555c3df650) = 5225 set_robust_list(0x55555c3df660, 24) = 0 rseq(0x55555c3dfca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3065444404", 4096) = 28 getrandom("\x85\xda\x5a\x7c\xe8\x76\x83\xc1", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555c3dfd00 brk(0x55555c400d00) = 0x55555c400d00 brk(0x55555c401000) = 0x55555c401000 mprotect(0x7f0b5e435000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5226 attached [pid 5226] set_robust_list(0x55555c3df660, 24 [pid 5225] <... clone resumed>, child_tidptr=0x55555c3df650) = 5226 [pid 5226] <... set_robust_list resumed>) = 0 [pid 5226] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5226] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5226] setsid() = 1 [pid 5226] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5226] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5226] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5226] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5226] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5226] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5226] unshare(CLONE_NEWNS) = 0 [pid 5226] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5226] unshare(CLONE_NEWIPC) = 0 [pid 5226] unshare(CLONE_NEWCGROUP) = 0 [pid 5226] unshare(CLONE_NEWUTS) = 0 [pid 5226] unshare(CLONE_SYSVSEM) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "16777216", 8) = 8 [pid 5226] close(3) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "536870912", 9) = 9 [pid 5226] close(3) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "1024", 4) = 4 [pid 5226] close(3) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "8192", 4) = 4 [pid 5226] close(3) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "1024", 4) = 4 [pid 5226] close(3) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "1024", 4) = 4 [pid 5226] close(3) = 0 [pid 5226] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5226] close(3) = 0 [pid 5226] getpid() = 1 [pid 5226] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5236] set_robust_list(0x55555c3df660, 24 [pid 5226] <... clone resumed>, child_tidptr=0x55555c3df650) = 2 [pid 5236] <... set_robust_list resumed>) = 0 [pid 5236] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5236] setpgid(0, 0) = 0 [pid 5236] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5236] write(3, "1000", 4) = 4 [pid 5236] close(3) = 0 [pid 5236] write(1, "executing program\n", 18executing program ) = 18 [pid 5236] socket(AF_CAN, SOCK_DGRAM, CAN_J1939) = 3 [pid 5236] ioctl(3, SIOCGIFINDEX, {ifr_name="batadv_slave_1", ifr_ifindex=42}) = 0 [pid 5236] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5236] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 5 [pid 5236] sendto(5, [{nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00"], 32, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 32 [pid 5236] recvfrom(5, [{nlmsg_len=996, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=2}, "\x01\x02\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00\x06\x00\x01\x00\x16\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x00\x00\x00\x00\x88\x03\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00"...], 4096, 0, NULL, NULL) = 996 [pid 5236] recvfrom(5, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=2}, {error=0, msg={nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5236] close(5) = 0 [pid 5236] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x16\x00\x01\x00\x00\x00\x02\x00\x00\x00\xe4\x80\x1a\xed\x00\x00\x20\x00\x01\x80\x08\x00\x01\x00\x2a\x00\x00\x00\x14\x00\x02\x00\x62\x61\x74\x61\x64\x76\x5f\x73\x6c\x61\x76\x65\x5f\x31\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 52 [ 68.853775][ T5236] [ 68.856129][ T5236] ================================================ [ 68.862599][ T5236] WARNING: lock held when returning to user space! [ 68.869103][ T5236] 6.11.0-rc4-syzkaller-00565-gf9db28bb09f4 #0 Not tainted [ 68.876185][ T5236] ------------------------------------------------ [ 68.882652][ T5236] syz-executor306/5236 is leaving the kernel with locks still held! [ 68.890601][ T5236] 1 lock held by syz-executor306/5236: [pid 5236] close(3) = 0 [pid 5236] close(4) = 0 [pid 5236] close(5) = -1 EBADF (Bad file descriptor) [pid 5236] close(6) = -1 EBADF (Bad file descriptor) [pid 5236] close(7) = -1 EBADF (Bad file descriptor) [pid 5236] close(8) = -1 EBADF (Bad file descriptor) [pid 5236] close(9) = -1 EBADF (Bad file descriptor) [pid 5236] close(10) = -1 EBADF (Bad file descriptor) [pid 5236] close(11) = -1 EBADF (Bad file descriptor) [pid 5236] close(12) = -1 EBADF (Bad file descriptor) [ 68.896032][ T5236] #0: ffffffff8fc84b88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_act_cable_test+0x187/0x3f0 [pid 5236] close(13) = -1 EBADF (Bad file descriptor) [pid 5236] close(14) = -1 EBADF (Bad file descriptor) [pid 5236] close(15) = -1 EBADF (Bad file descriptor) [pid 5236] close(16) = -1 EBADF (Bad file descriptor) [pid 5236] close(17) = -1 EBADF (Bad file descriptor) [pid 5236] close(18) = -1 EBADF (Bad file descriptor) [pid 5236] close(19) = -1 EBADF (Bad file descriptor) [pid 5236] close(20) = -1 EBADF (Bad file descriptor) [pid 5236] close(21) = -1 EBADF (Bad file descriptor) [pid 5236] close(22) = -1 EBADF (Bad file descriptor) [pid 5236] close(23) = -1 EBADF (Bad file descriptor) [pid 5236] close(24) = -1 EBADF (Bad file descriptor) [pid 5236] close(25) = -1 EBADF (Bad file descriptor) [pid 5236] close(26) = -1 EBADF (Bad file descriptor) [pid 5236] close(27) = -1 EBADF (Bad file descriptor) [pid 5236] close(28) = -1 EBADF (Bad file descriptor) [pid 5236] close(29) = -1 EBADF (Bad file descriptor) [pid 5236] exit_group(0) = ? [pid 5236] +++ exited with 0 +++ [pid 5226] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- [pid 5226] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 5226] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5237 attached , child_tidptr=0x55555c3df650) = 3 [pid 5237] set_robust_list(0x55555c3df660, 24) = 0 [pid 5237] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5237] setpgid(0, 0) = 0 [pid 5237] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5237] write(3, "1000", 4) = 4 [pid 5237] close(3) = 0 [pid 5237] write(1, "executing program\n", 18executing program ) = 18 [pid 5237] socket(AF_CAN, SOCK_DGRAM, CAN_J1939) = 3 [pid 5237] ioctl(3, SIOCGIFINDEX, {ifr_name="batadv_slave_1", ifr_ifindex=42}) = 0 [pid 5237] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5237] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 5 [pid 5237] sendto(5, [{nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00"], 32, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 32 [pid 5237] recvfrom(5, [{nlmsg_len=996, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=3}, "\x01\x02\x00\x00\x0c\x00\x02\x00\x65\x74\x68\x74\x6f\x6f\x6c\x00\x06\x00\x01\x00\x16\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x00\x00\x00\x00\x88\x03\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00"...], 4096, 0, NULL, NULL) = 996 [pid 5237] recvfrom(5, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=3}, {error=0, msg={nlmsg_len=32, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5237] close(5) = 0 [pid 5237] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x16\x00\x01\x00\x00\x00\x02\x00\x00\x00\xe4\x80\x1a\xed\x00\x00\x20\x00\x01\x80\x08\x00\x01\x00\x2a\x00\x00\x00\x14\x00\x02\x00\x62\x61\x74\x61\x64\x76\x5f\x73\x6c\x61\x76\x65\x5f\x31\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5226] kill(-3, SIGKILL) = 0 [pid 5226] kill(3, SIGKILL) = 0 [pid 5226] openat(AT_FDCWD, "/sys/fs/fuse/connections", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 5226] newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=0, ...}, AT_EMPTY_PATH) = 0 [pid 5226] getdents64(3, 0x55555c3e06f0 /* 2 entries */, 32768) = 48 [pid 5226] getdents64(3, 0x55555c3e06f0 /* 0 entries */, 32768) = 0 [pid 5226] close(3) = 0 [ 76.744342][ T940] ================================================================== [ 76.751351][ T1743] cfg80211: failed to load regulatory.db [ 76.752416][ T940] BUG: KASAN: slab-use-after-free in __mutex_lock+0xcf5/0xd70 [ 76.765461][ T940] Read of size 4 at addr ffff88807f06bc34 by task kworker/0:2/940 [ 76.773241][ T940] [ 76.775548][ T940] CPU: 0 UID: 0 PID: 940 Comm: kworker/0:2 Not tainted 6.11.0-rc4-syzkaller-00565-gf9db28bb09f4 #0 [ 76.786196][ T940] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 [ 76.796229][ T940] Workqueue: events_power_efficient reg_check_chans_work [ 76.803242][ T940] Call Trace: [ 76.806504][ T940] [ 76.809419][ T940] dump_stack_lvl+0x241/0x360 [ 76.814086][ T940] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.819269][ T940] ? __pfx__printk+0x10/0x10 [ 76.823846][ T940] ? _printk+0xd5/0x120 [ 76.827985][ T940] ? __virt_addr_valid+0x183/0x530 [ 76.833079][ T940] ? __virt_addr_valid+0x183/0x530 [ 76.838171][ T940] print_report+0x169/0x550 [ 76.842663][ T940] ? __virt_addr_valid+0x183/0x530 [ 76.847753][ T940] ? __virt_addr_valid+0x183/0x530 [ 76.852846][ T940] ? __virt_addr_valid+0x45f/0x530 [ 76.857938][ T940] ? __phys_addr+0xba/0x170 [ 76.862422][ T940] ? __mutex_lock+0xcf5/0xd70 [ 76.867083][ T940] kasan_report+0x143/0x180 [ 76.871575][ T940] ? __mutex_lock+0xcf5/0xd70 [ 76.876238][ T940] __mutex_lock+0xcf5/0xd70 [ 76.880730][ T940] ? do_raw_spin_lock+0x14f/0x370 [ 76.885739][ T940] ? reg_check_chans_work+0x99/0xfd0 [ 76.891014][ T940] ? __pfx_lock_release+0x10/0x10 [ 76.896024][ T940] ? __pfx___mutex_lock+0x10/0x10 [ 76.901034][ T940] ? do_raw_spin_unlock+0x13c/0x8b0 [ 76.906219][ T940] ? rcu_is_watching+0x15/0xb0 [ 76.910974][ T940] ? process_scheduled_works+0x945/0x1830 [ 76.916678][ T940] reg_check_chans_work+0x99/0xfd0 [ 76.921780][ T940] ? process_scheduled_works+0x945/0x1830 [ 76.927483][ T940] ? lock_acquire+0xe3/0x550 [ 76.932059][ T940] ? __pfx_lock_acquire+0x10/0x10 [ 76.937066][ T940] ? debug_object_deactivate+0x2d5/0x390 [ 76.942689][ T940] ? __pfx_lock_release+0x10/0x10 [ 76.947697][ T940] ? __pfx_reg_check_chans_work+0x10/0x10 [ 76.953402][ T940] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 76.959717][ T940] ? rcu_is_watching+0x15/0xb0 [ 76.964469][ T940] ? process_scheduled_works+0x945/0x1830 [ 76.970170][ T940] process_scheduled_works+0xa2c/0x1830 [ 76.975711][ T940] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.981676][ T940] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 76.987210][ T940] ? assign_work+0x364/0x3d0 [ 76.991783][ T940] worker_thread+0x86d/0xd40 [ 76.996362][ T940] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 77.002242][ T940] ? __kthread_parkme+0x169/0x1d0 [ 77.007255][ T940] ? __pfx_worker_thread+0x10/0x10 [ 77.012350][ T940] kthread+0x2f0/0x390 [ 77.016406][ T940] ? __pfx_worker_thread+0x10/0x10 [ 77.021506][ T940] ? __pfx_kthread+0x10/0x10 [ 77.026084][ T940] ret_from_fork+0x4b/0x80 [ 77.030506][ T940] ? __pfx_kthread+0x10/0x10 [ 77.035102][ T940] ret_from_fork_asm+0x1a/0x30 [ 77.039869][ T940] [ 77.042880][ T940] [ 77.045196][ T940] Allocated by task 5226: [ 77.049506][ T940] kasan_save_track+0x3f/0x80 [ 77.054177][ T940] __kasan_slab_alloc+0x66/0x80 [ 77.059016][ T940] kmem_cache_alloc_node_noprof+0x16b/0x320 [ 77.064897][ T940] dup_task_struct+0x57/0x8c0 [ 77.069562][ T940] copy_process+0x5d1/0x3e10 [ 77.074144][ T940] kernel_clone+0x226/0x8f0 [ 77.078635][ T940] __x64_sys_clone+0x258/0x2a0 [ 77.083386][ T940] do_syscall_64+0xf3/0x230 [ 77.087873][ T940] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.093749][ T940] [ 77.096055][ T940] Freed by task 24: [ 77.099839][ T940] kasan_save_track+0x3f/0x80 [ 77.104503][ T940] kasan_save_free_info+0x40/0x50 [ 77.109510][ T940] poison_slab_object+0xe0/0x150 [ 77.114436][ T940] __kasan_slab_free+0x37/0x60 [ 77.119184][ T940] kmem_cache_free+0x145/0x350 [ 77.123930][ T940] delayed_put_task_struct+0x125/0x300 [ 77.129378][ T940] rcu_core+0xafd/0x1830 [ 77.133603][ T940] handle_softirqs+0x2c4/0x970 [ 77.138349][ T940] run_ksoftirqd+0xca/0x130 [ 77.142835][ T940] smpboot_thread_fn+0x544/0xa30 [ 77.147755][ T940] kthread+0x2f0/0x390 [ 77.151812][ T940] ret_from_fork+0x4b/0x80 [ 77.156215][ T940] ret_from_fork_asm+0x1a/0x30 [ 77.160965][ T940] [ 77.163269][ T940] Last potentially related work creation: [ 77.168962][ T940] kasan_save_stack+0x3f/0x60 [ 77.173622][ T940] __kasan_record_aux_stack+0xac/0xc0 [ 77.178975][ T940] call_rcu+0x167/0xa70 [ 77.183116][ T940] release_task+0x16ec/0x1830 [ 77.187779][ T940] wait_consider_task+0x1a14/0x2e60 [ 77.192961][ T940] __do_wait+0x1b0/0x850 [ 77.197181][ T940] do_wait+0x1e9/0x560 [ 77.201228][ T940] kernel_wait4+0x2a7/0x3e0 [ 77.205711][ T940] __x64_sys_wait4+0x134/0x1e0 [ 77.210454][ T940] do_syscall_64+0xf3/0x230 [ 77.214941][ T940] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.220858][ T940] [ 77.223166][ T940] Second to last potentially related work creation: [ 77.229729][ T940] kasan_save_stack+0x3f/0x60 [ 77.234396][ T940] __kasan_record_aux_stack+0xac/0xc0 [ 77.239754][ T940] task_work_add+0xb8/0x450 [ 77.244246][ T940] sched_tick+0x322/0x610 [ 77.248556][ T940] update_process_times+0x202/0x230 [ 77.253740][ T940] tick_nohz_handler+0x37c/0x500 [ 77.258664][ T940] __hrtimer_run_queues+0x551/0xd50 [ 77.263847][ T940] hrtimer_interrupt+0x396/0x990 [ 77.268769][ T940] __sysvec_apic_timer_interrupt+0x110/0x3f0 [ 77.274737][ T940] sysvec_apic_timer_interrupt+0xa1/0xc0 [ 77.280356][ T940] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 77.286324][ T940] [ 77.288628][ T940] The buggy address belongs to the object at ffff88807f06bc00 [ 77.288628][ T940] which belongs to the cache task_struct of size 7424 [ 77.302748][ T940] The buggy address is located 52 bytes inside of [ 77.302748][ T940] freed 7424-byte region [ffff88807f06bc00, ffff88807f06d900) [ 77.316523][ T940] [ 77.318834][ T940] The buggy address belongs to the physical page: [ 77.325228][ T940] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f068 [ 77.333975][ T940] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 77.342450][ T940] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 77.349976][ T940] page_type: 0xfdffffff(slab) [ 77.354637][ T940] raw: 00fff00000000040 ffff8880166fd500 dead000000000122 0000000000000000 [ 77.363199][ T940] raw: 0000000000000000 0000000080040004 00000001fdffffff 0000000000000000 [ 77.371761][ T940] head: 00fff00000000040 ffff8880166fd500 dead000000000122 0000000000000000 [ 77.380410][ T940] head: 0000000000000000 0000000080040004 00000001fdffffff 0000000000000000 [ 77.389062][ T940] head: 00fff00000000003 ffffea0001fc1a01 ffffffffffffffff 0000000000000000 [ 77.397713][ T940] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 77.406362][ T940] page dumped because: kasan: bad access detected [ 77.412760][ T940] page_owner tracks the page as allocated [ 77.418452][ T940] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 63488075448, free_ts 63343560932 [ 77.438920][ T940] post_alloc_hook+0x1f3/0x230 [ 77.443673][ T940] get_page_from_freelist+0x2e4c/0x2f10 [ 77.449205][ T940] __alloc_pages_noprof+0x256/0x6c0 [ 77.454386][ T940] alloc_slab_page+0x5f/0x120 [ 77.459050][ T940] allocate_slab+0x5a/0x2f0 [ 77.463537][ T940] ___slab_alloc+0xcd1/0x14b0 [ 77.468196][ T940] __slab_alloc+0x58/0xa0 [ 77.472506][ T940] kmem_cache_alloc_node_noprof+0x1fe/0x320 [ 77.478378][ T940] dup_task_struct+0x57/0x8c0 [ 77.483037][ T940] copy_process+0x5d1/0x3e10 [ 77.487610][ T940] kernel_clone+0x226/0x8f0 [ 77.492095][ T940] kernel_thread+0x1bc/0x240 [ 77.496668][ T940] kthreadd+0x60d/0x810 [ 77.500815][ T940] ret_from_fork+0x4b/0x80 [ 77.505215][ T940] ret_from_fork_asm+0x1a/0x30 [ 77.509964][ T940] page last free pid 5226 tgid 5226 stack trace: [ 77.516267][ T940] register_dummy_stack+0x8a/0xe0 [ 77.521278][ T940] init_page_owner+0x3e/0x970 [ 77.525938][ T940] page_ext_init+0x731/0x790 [ 77.530509][ T940] mm_core_init+0x4c/0x60 [ 77.534825][ T940] [ 77.537129][ T940] Memory state around the buggy address: [ 77.542736][ T940] ffff88807f06bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 77.550776][ T940] ffff88807f06bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 77.558821][ T940] >ffff88807f06bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.566858][ T940] ^ [ 77.572463][ T940] ffff88807f06bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.580501][ T940] ffff88807f06bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.588536][ T940] ================================================================== [ 77.597441][ T940] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 77.604639][ T940] CPU: 0 UID: 0 PID: 940 Comm: kworker/0:2 Not tainted 6.11.0-rc4-syzkaller-00565-gf9db28bb09f4 #0 [ 77.615299][ T940] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 [ 77.625335][ T940] Workqueue: events_power_efficient reg_check_chans_work [ 77.632357][ T940] Call Trace: [ 77.635622][ T940] [ 77.638545][ T940] dump_stack_lvl+0x241/0x360 [ 77.643208][ T940] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.648392][ T940] ? __pfx__printk+0x10/0x10 [ 77.652965][ T940] ? rcu_is_watching+0x15/0xb0 [ 77.657722][ T940] ? vscnprintf+0x5d/0x90 [ 77.662042][ T940] panic+0x349/0x860 [ 77.665922][ T940] ? check_panic_on_warn+0x21/0xb0 [ 77.671015][ T940] ? __pfx_panic+0x10/0x10 [ 77.675412][ T940] ? trace_irq_enable+0x2c/0x120 [ 77.680341][ T940] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 77.686223][ T940] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 77.692100][ T940] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 77.698413][ T940] ? print_report+0x502/0x550 [ 77.703081][ T940] check_panic_on_warn+0x86/0xb0 [ 77.708000][ T940] ? __mutex_lock+0xcf5/0xd70 [ 77.712659][ T940] end_report+0x77/0x160 [ 77.716889][ T940] kasan_report+0x154/0x180 [ 77.721379][ T940] ? __mutex_lock+0xcf5/0xd70 [ 77.726042][ T940] __mutex_lock+0xcf5/0xd70 [ 77.730530][ T940] ? do_raw_spin_lock+0x14f/0x370 [ 77.735539][ T940] ? reg_check_chans_work+0x99/0xfd0 [ 77.740809][ T940] ? __pfx_lock_release+0x10/0x10 [ 77.745820][ T940] ? __pfx___mutex_lock+0x10/0x10 [ 77.750829][ T940] ? do_raw_spin_unlock+0x13c/0x8b0 [ 77.756011][ T940] ? rcu_is_watching+0x15/0xb0 [ 77.760762][ T940] ? process_scheduled_works+0x945/0x1830 [ 77.766471][ T940] reg_check_chans_work+0x99/0xfd0 [ 77.771569][ T940] ? process_scheduled_works+0x945/0x1830 [ 77.777271][ T940] ? lock_acquire+0xe3/0x550 [ 77.781850][ T940] ? __pfx_lock_acquire+0x10/0x10 [ 77.786857][ T940] ? debug_object_deactivate+0x2d5/0x390 [ 77.792472][ T940] ? __pfx_lock_release+0x10/0x10 [ 77.797481][ T940] ? __pfx_reg_check_chans_work+0x10/0x10 [ 77.803190][ T940] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 77.809504][ T940] ? rcu_is_watching+0x15/0xb0 [ 77.814258][ T940] ? process_scheduled_works+0x945/0x1830 [ 77.819963][ T940] process_scheduled_works+0xa2c/0x1830 [ 77.825503][ T940] ? __pfx_process_scheduled_works+0x10/0x10 [ 77.831470][ T940] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 77.837002][ T940] ? assign_work+0x364/0x3d0 [ 77.841578][ T940] worker_thread+0x86d/0xd40 [ 77.846158][ T940] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 77.852062][ T940] ? __kthread_parkme+0x169/0x1d0 [ 77.857075][ T940] ? __pfx_worker_thread+0x10/0x10 [ 77.862170][ T940] kthread+0x2f0/0x390 [ 77.866225][ T940] ? __pfx_worker_thread+0x10/0x10 [ 77.871319][ T940] ? __pfx_kthread+0x10/0x10 [ 77.875896][ T940] ret_from_fork+0x4b/0x80 [ 77.880297][ T940] ? __pfx_kthread+0x10/0x10 [ 77.884876][ T940] ret_from_fork_asm+0x1a/0x30 [ 77.889630][ T940] [ 77.892828][ T940] Kernel Offset: disabled [ 77.897133][ T940] Rebooting in 86400 seconds..