./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4102782264 <...> DUID 00:04:ab:86:5b:51:31:5e:ac:a3:74:55:84:ab:cd:90:ff:3d forked to background, child pid 4694 [ 48.868660][ T4695] 8021q: adding VLAN 0 to HW filter on device bond0 [ 48.886984][ T4695] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.39' (ECDSA) to the list of known hosts. execve("./syz-executor4102782264", ["./syz-executor4102782264"], 0x7ffc37acd3a0 /* 10 vars */) = 0 brk(NULL) = 0x5555571e0000 brk(0x5555571e0d00) = 0x5555571e0d00 arch_prctl(ARCH_SET_FS, 0x5555571e03c0) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor4102782264", 4096) = 28 brk(0x555557201d00) = 0x555557201d00 brk(0x555557202000) = 0x555557202000 mprotect(0x7f2e41cb7000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f2e41c0e380, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f2e41c0e3f0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f2e41c0e380, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f2e41c0e3f0}, NULL, 8) = 0 ioctl(-1, _IOC(_IOC_NONE, 0x89, 0xf3, 0), 0x20000180) = -1 EBADF (Bad file descriptor) userfaultfd(UFFD_USER_MODE_ONLY|O_NONBLOCK) = 3 ioctl(3, UFFDIO_API, {api=0xaa, features=0 => features=UFFD_FEATURE_PAGEFAULT_FLAG_WP|UFFD_FEATURE_EVENT_FORK|UFFD_FEATURE_EVENT_REMAP|UFFD_FEATURE_EVENT_REMOVE|UFFD_FEATURE_MISSING_HUGETLBFS|UFFD_FEATURE_MISSING_SHMEM|UFFD_FEATURE_EVENT_UNMAP|UFFD_FEATURE_SIGBUS|UFFD_FEATURE_THREAD_ID|UFFD_FEATURE_MINOR_HUGETLBFS|UFFD_FEATURE_MINOR_SHMEM|UFFD_FEATURE_EXACT_ADDRESS|0x4000, ioctls=1<<_UFFDIO_REGISTER|1<<_UFFDIO_UNREGISTER|1<<_UFFDIO_API}) = 0 openat(AT_FDCWD, "memory.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 write(4, "\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\x00\x00\x34\x00\x00\x00\x00\x00\x00\x90\x78\xac\x1e\x00\x01\xac\x1e\x00\x01\x44\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65228) = 65228 mmap(0x20000000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x20000000 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x20000040} --- --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x20000048} --- --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x20000050} --- --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x20000058} --- --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x20000060} --- syzkaller login: [ 77.602518][ T5031] ------------[ cut here ]------------ [ 77.608017][ T5031] kernel BUG at mm/userfaultfd.c:573! [ 77.613492][ T5031] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 77.619586][ T5031] CPU: 1 PID: 5031 Comm: syz-executor410 Not tainted 6.5.0-rc1-next-20230710-syzkaller #0 [ 77.629490][ T5031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 [ 77.639550][ T5031] RIP: 0010:mfill_atomic_copy+0x9ed/0x17e0 [ 77.645403][ T5031] Code: 8d 8c 24 a8 00 00 00 4c 89 e7 e8 be 54 d9 ff 4c 63 f0 e9 71 fc ff ff e8 51 eb a1 ff 0f 0b e8 4a eb a1 ff 0f 0b e8 43 eb a1 ff <0f> 0b e8 3c eb a1 ff 0f 0b 49 c7 c6 ef ff ff ff e9 54 fd ff ff e8 [ 77.665023][ T5031] RSP: 0018:ffffc9000395fb48 EFLAGS: 00010293 [ 77.671099][ T5031] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 [ 77.679076][ T5031] RDX: ffff88801f67bb80 RSI: ffffffff81e32bad RDI: 0000000000000006 [ 77.687053][ T5031] RBP: 0000000000000000 R08: 0000000000000006 R09: ffffffffffffffff [ 77.695029][ T5031] R10: 0000000005ffffff R11: 0000000000000001 R12: 0000200000000000 [ 77.703005][ T5031] R13: 00005ffffffff001 R14: ffffffffffffffff R15: 0000000005ffffff [ 77.710978][ T5031] FS: 00005555571e03c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 77.719918][ T5031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 77.726509][ T5031] CR2: 0000000020000060 CR3: 000000002ba7a000 CR4: 00000000003506e0 [ 77.734489][ T5031] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 77.742465][ T5031] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 77.750441][ T5031] Call Trace: [ 77.753723][ T5031] [ 77.756660][ T5031] ? die+0x32/0x90 [ 77.760400][ T5031] ? do_trap+0x1b2/0x3f0 [ 77.764682][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.769906][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.775124][ T5031] ? do_error_trap+0xb1/0x170 [ 77.779821][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.785042][ T5031] ? handle_invalid_op+0x2c/0x30 [ 77.790001][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.795225][ T5031] ? exc_invalid_op+0x2f/0x50 [ 77.799943][ T5031] ? asm_exc_invalid_op+0x1a/0x20 [ 77.804986][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.810222][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.815445][ T5031] ? mfill_atomic_copy+0x9ed/0x17e0 [ 77.820685][ T5031] ? __might_fault+0xe2/0x190 [ 77.825395][ T5031] ? mfill_atomic_install_pte+0xda0/0xda0 [ 77.831141][ T5031] userfaultfd_ioctl+0xe43/0x4c40 [ 77.836189][ T5031] ? __sanitizer_cov_trace_switch+0x54/0x90 [ 77.842115][ T5031] ? userfaultfd_release+0x7b0/0x7b0 [ 77.847421][ T5031] ? vfs_fileattr_set+0xc40/0xc40 [ 77.852477][ T5031] ? find_held_lock+0x2d/0x110 [ 77.857259][ T5031] ? do_one_initcall+0x440/0x630 [ 77.862220][ T5031] ? lock_downgrade+0x690/0x690 [ 77.867101][ T5031] ? bpf_lsm_file_ioctl+0x9/0x10 [ 77.872052][ T5031] ? userfaultfd_release+0x7b0/0x7b0 [ 77.877363][ T5031] __x64_sys_ioctl+0x19d/0x210 [ 77.882150][ T5031] do_syscall_64+0x39/0xb0 [ 77.886586][ T5031] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 77.892496][ T5031] RIP: 0033:0x7f2e41c4b4b9 [ 77.896918][ T5031] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 77.916536][ T5031] RSP: 002b:00007fff13a95188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 77.924961][ T5031] RAX: ffffffffffffffda RBX: 00007fff13a95198 RCX: 00007f2e41c4b4b9 [ 77.932949][ T5031] RDX: 0000000020000040 RSI: 00000000c028aa03 RDI: 0000000000000003 [ 77.940929][ T5031] RBP: 00007fff13a95190 R08: 00007fff13a95190 R09: 00007f2e41c0e380 [ 77.948905][ T5031] R10: 00007fff13a95190 R11: 0000000000000246 R12: 0000000000000000 [ 77.956975][ T5031] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 77.964963][ T5031] [ 77.967984][ T5031] Modules linked in: [ 77.972118][ T5031] ---[ end trace 0000000000000000 ]--- [ 77.977651][ T5031] RIP: 0010:mfill_atomic_copy+0x9ed/0x17e0 [ 77.983544][ T5031] Code: 8d 8c 24 a8 00 00 00 4c 89 e7 e8 be 54 d9 ff 4c 63 f0 e9 71 fc ff ff e8 51 eb a1 ff 0f 0b e8 4a eb a1 ff 0f 0b e8 43 eb a1 ff <0f> 0b e8 3c eb a1 ff 0f 0b 49 c7 c6 ef ff ff ff e9 54 fd ff ff e8 [ 78.003254][ T5031] RSP: 0018:ffffc9000395fb48 EFLAGS: 00010293 [ 78.009347][ T5031] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 [ 78.017364][ T5031] RDX: ffff88801f67bb80 RSI: ffffffff81e32bad RDI: 0000000000000006 [ 78.025399][ T5031] RBP: 0000000000000000 R08: 0000000000000006 R09: ffffffffffffffff [ 78.033413][ T5031] R10: 0000000005ffffff R11: 0000000000000001 R12: 0000200000000000 [ 78.041423][ T5031] R13: 00005ffffffff001 R14: ffffffffffffffff R15: 0000000005ffffff [ 78.049441][ T5031] FS: 00005555571e03c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 78.058428][ T5031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.065058][ T5031] CR2: 0000000020000060 CR3: 000000002ba7a000 CR4: 00000000003506e0 [ 78.073088][ T5031] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 78.081069][ T5031] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 78.089108][ T5031] Kernel panic - not syncing: Fatal exception [ 78.095392][ T5031] Kernel Offset: disabled [ 78.099726][ T5031] Rebooting in 86400 seconds..