./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor938526408 <...> Warning: Permanently added '10.128.0.124' (ED25519) to the list of known hosts. execve("./syz-executor938526408", ["./syz-executor938526408"], 0x7ffeb17bb150 /* 10 vars */) = 0 brk(NULL) = 0x555585452000 brk(0x555585452e00) = 0x555585452e00 arch_prctl(ARCH_SET_FS, 0x555585452480) = 0 set_tid_address(0x555585452750) = 5102 set_robust_list(0x555585452760, 24) = 0 rseq(0x555585452da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor938526408", 4096) = 27 getrandom("\x7a\x23\x70\xcc\x9e\x2c\x1a\x63", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555585452e00 brk(0x555585473e00) = 0x555585473e00 brk(0x555585474000) = 0x555585474000 mprotect(0x7f40d8f82000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 5102 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "5102", 4) = 4 close(3) = 0 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f40d8ec3140, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f40d8ecbb20}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f40d8ec3140, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f40d8ecbb20}, NULL, 8) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5103 attached , child_tidptr=0x555585452750) = 5103 [pid 5103] set_robust_list(0x555585452760, 24) = 0 [pid 5103] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5103] setpgid(0, 0) = 0 [pid 5103] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5103] write(3, "1000", 4) = 4 [pid 5103] close(3) = 0 executing program [pid 5103] write(1, "executing program\n", 18) = 18 [pid 5103] futex(0x7f40d8f8860c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] rt_sigaction(SIGRT_1, {sa_handler=0x7f40d8f21d90, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f40d8ecbb20}, NULL, 8) = 0 [pid 5103] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5103] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f40d8e91000 [pid 5103] mprotect(0x7f40d8e92000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5103] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5103] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f40d8eb1990, parent_tid=0x7f40d8eb1990, exit_signal=0, stack=0x7f40d8e91000, stack_size=0x20240, tls=0x7f40d8eb16c0}./strace-static-x86_64: Process 5104 attached [pid 5104] rseq(0x7f40d8eb1fe0, 0x20, 0, 0x53053053) = 0 [pid 5103] <... clone3 resumed> => {parent_tid=[5104]}, 88) = 5104 [pid 5104] set_robust_list(0x7f40d8eb19a0, 24 [pid 5103] rt_sigprocmask(SIG_SETMASK, [], [pid 5104] <... set_robust_list resumed>) = 0 [pid 5103] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5104] rt_sigprocmask(SIG_SETMASK, [], [pid 5103] futex(0x7f40d8f88608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5104] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5103] <... futex resumed>) = 0 [pid 5104] memfd_create("syzkaller", 0 [pid 5103] futex(0x7f40d8f8860c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5104] <... memfd_create resumed>) = 3 [pid 5104] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f40d0a00000 [pid 5104] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5104] munmap(0x7f40d0a00000, 138412032) = 0 [pid 5104] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5104] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5104] close(3) = 0 [pid 5104] close(4) = 0 [pid 5104] mkdir("./file1", 0777) = 0 [ 89.898066][ T5104] loop0: detected capacity change from 0 to 32768 [ 89.945813][ T5104] BTRFS: device fsid c9fe44da-de57-406a-8241-57ec7d4412cf devid 1 transid 8 /dev/loop0 (7:0) scanned by syz-executor938 (5104) [ 89.968285][ T5104] BTRFS info (device loop0): first mount of filesystem c9fe44da-de57-406a-8241-57ec7d4412cf [ 89.979517][ T5104] BTRFS info (device loop0): using crc32c (crc32c-intel) checksum algorithm [ 89.988828][ T5104] BTRFS info (device loop0): using free-space-tree [pid 5104] mount("/dev/loop0", "./file1", "btrfs", MS_SYNCHRONOUS|MS_NODIRATIME|MS_I_VERSION, "nossd_spread,nodatasum,compress-force,compress=lzo,flushoncommit,autodefrag,acl,nodiscard,") = 0 [pid 5104] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5104] chdir("./file1") = 0 [pid 5104] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5104] ioctl(4, LOOP_CLR_FD) = 0 [pid 5104] close(4) = 0 [pid 5104] futex(0x7f40d8f8860c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5104] futex(0x7f40d8f88608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5103] <... futex resumed>) = 0 [pid 5103] futex(0x7f40d8f88608, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5104] <... futex resumed>) = 0 [pid 5103] futex(0x7f40d8f8860c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5104] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_SYNC|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 5104] futex(0x7f40d8f8860c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5103] <... futex resumed>) = 0 [pid 5104] <... futex resumed>) = 1 [pid 5104] futex(0x7f40d8f88608, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5103] futex(0x7f40d8f88608, FUTEX_WAKE_PRIVATE, 1000000 [pid 5104] <... futex resumed>) = 0 [pid 5103] <... futex resumed>) = 1 [pid 5104] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_DIRECT|O_NOATIME, 000) = 5 [pid 5103] futex(0x7f40d8f8860c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5104] futex(0x7f40d8f8860c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5103] <... futex resumed>) = 0 [pid 5103] futex(0x7f40d8f88608, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5104] ftruncate(5, 33587195 [pid 5103] futex(0x7f40d8f8860c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5104] <... ftruncate resumed>) = 0 [pid 5104] futex(0x7f40d8f8860c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5103] <... futex resumed>) = 0 [pid 5103] futex(0x7f40d8f88608, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] futex(0x7f40d8f8860c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5104] mmap(0x20000000, 6291456, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSUP|0x7ffff0, MAP_SHARED|MAP_FIXED|MAP_LOCKED|1< [pid 5103] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5103] futex(0x7f40d8f8861c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f40d8e70000 [pid 5103] mprotect(0x7f40d8e71000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5103] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5103] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f40d8e90990, parent_tid=0x7f40d8e90990, exit_signal=0, stack=0x7f40d8e70000, stack_size=0x20240, tls=0x7f40d8e906c0} => {parent_tid=[5124]}, 88) = 5124 [pid 5103] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5103] futex(0x7f40d8f88618, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] futex(0x7f40d8f8861c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5124 attached [pid 5124] rseq(0x7f40d8e90fe0, 0x20, 0, 0x53053053) = 0 [pid 5124] set_robust_list(0x7f40d8e909a0, 24) = 0 [pid 5124] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5124] mmap(0x20000000, 11755520, PROT_READ|PROT_EXEC|PROT_SEM|PROT_GROWSUP, MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS|MAP_POPULATE|1< [pid 5103] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 90.211162][ T5104] ================================================================== [ 90.219286][ T5104] BUG: KASAN: slab-use-after-free in handle_mm_fault+0x14f0/0x19a0 [ 90.227221][ T5104] Read of size 8 at addr ffff888028fe2400 by task syz-executor938/5104 [ 90.235470][ T5104] [ 90.237815][ T5104] CPU: 1 UID: 0 PID: 5104 Comm: syz-executor938 Not tainted 6.10.0-rc7-next-20240712-syzkaller #0 [ 90.248445][ T5104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 90.258543][ T5104] Call Trace: [ 90.261834][ T5104] [ 90.264770][ T5104] dump_stack_lvl+0x241/0x360 [ 90.269539][ T5104] ? __pfx_dump_stack_lvl+0x10/0x10 [ 90.274730][ T5104] ? __pfx__printk+0x10/0x10 [ 90.279318][ T5104] ? _printk+0xd5/0x120 [ 90.283463][ T5104] ? __virt_addr_valid+0x183/0x530 [ 90.288558][ T5104] ? __virt_addr_valid+0x183/0x530 [ 90.293661][ T5104] print_report+0x169/0x550 [ 90.298167][ T5104] ? __virt_addr_valid+0x183/0x530 [ 90.303268][ T5104] ? __virt_addr_valid+0x183/0x530 [ 90.308464][ T5104] ? __virt_addr_valid+0x45f/0x530 [ 90.313568][ T5104] ? __phys_addr+0xba/0x170 [ 90.318085][ T5104] ? handle_mm_fault+0x14f0/0x19a0 [ 90.323196][ T5104] kasan_report+0x143/0x180 [ 90.327689][ T5104] ? handle_mm_fault+0x14f0/0x19a0 [ 90.332786][ T5104] handle_mm_fault+0x14f0/0x19a0 [ 90.337718][ T5104] ? __pfx_handle_mm_fault+0x10/0x10 [ 90.343012][ T5104] ? __pfx_find_vma+0x10/0x10 [ 90.347686][ T5104] ? vma_is_secretmem+0xd/0x50 [ 90.352451][ T5104] ? check_vma_flags+0x500/0x5a0 [ 90.357391][ T5104] __get_user_pages+0x6ec/0x16a0 [ 90.362331][ T5104] ? __pfx___get_user_pages+0x10/0x10 [ 90.367694][ T5104] ? mlock_drain_local+0x79/0x490 [ 90.372712][ T5104] ? mlock_drain_local+0x79/0x490 [ 90.377724][ T5104] populate_vma_page_range+0x264/0x330 [ 90.383166][ T5104] ? __pfx_populate_vma_page_range+0x10/0x10 [ 90.389128][ T5104] ? userfaultfd_unmap_complete+0x30c/0x360 [ 90.395007][ T5104] ? do_mmap+0x961/0x1010 [ 90.399328][ T5104] __mm_populate+0x27a/0x460 [ 90.403921][ T5104] ? __pfx___mm_populate+0x10/0x10 [ 90.409017][ T5104] ? __pfx_ima_file_mmap+0x10/0x10 [ 90.414135][ T5104] ? security_mmap_file+0x178/0x1a0 [ 90.419320][ T5104] vm_mmap_pgoff+0x2c3/0x3d0 [ 90.423897][ T5104] ? __pfx_vm_mmap_pgoff+0x10/0x10 [ 90.428988][ T5104] ? __fget_files+0x29/0x470 [ 90.433560][ T5104] ? __fget_files+0x3f6/0x470 [ 90.438220][ T5104] ksys_mmap_pgoff+0x4f1/0x720 [ 90.442969][ T5104] ? __x64_sys_mmap+0x7f/0x140 [ 90.447721][ T5104] do_syscall_64+0xf3/0x230 [ 90.452212][ T5104] ? clear_bhb_loop+0x35/0x90 [ 90.456873][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 90.462750][ T5104] RIP: 0033:0x7f40d8efc0c9 [ 90.467149][ T5104] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 90.486832][ T5104] RSP: 002b:00007f40d8eb1158 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 90.495233][ T5104] RAX: ffffffffffffffda RBX: 00007f40d8f88608 RCX: 00007f40d8efc0c9 [ 90.503187][ T5104] RDX: 00000000027fffff RSI: 0000000000600000 RDI: 0000000020000000 [ 90.511139][ T5104] RBP: 00007f40d8f88600 R08: 0000000000000004 R09: 0000000000000000 [ 90.519099][ T5104] R10: 0000000004002011 R11: 0000000000000246 R12: 00007f40d8f8860c [ 90.527071][ T5104] R13: 0000000000000006 R14: 00007ffedaef6a70 R15: 00007ffedaef6b58 [ 90.535031][ T5104] [ 90.538033][ T5104] [ 90.540340][ T5104] Allocated by task 5104: [ 90.544646][ T5104] kasan_save_track+0x3f/0x80 [ 90.549335][ T5104] __kasan_slab_alloc+0x66/0x80 [ 90.554173][ T5104] kmem_cache_alloc_noprof+0x135/0x2a0 [ 90.559615][ T5104] vm_area_alloc+0x24/0x1d0 [ 90.564102][ T5104] mmap_region+0xc3d/0x2090 [ 90.568594][ T5104] do_mmap+0x8f9/0x1010 [ 90.572732][ T5104] vm_mmap_pgoff+0x1dd/0x3d0 [ 90.577308][ T5104] ksys_mmap_pgoff+0x4f1/0x720 [ 90.582060][ T5104] do_syscall_64+0xf3/0x230 [ 90.586555][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 90.592430][ T5104] [ 90.594736][ T5104] Freed by task 5104: [ 90.598693][ T5104] kasan_save_track+0x3f/0x80 [ 90.603357][ T5104] kasan_save_free_info+0x40/0x50 [ 90.608364][ T5104] poison_slab_object+0xe0/0x150 [ 90.613280][ T5104] __kasan_slab_free+0x37/0x60 [ 90.618026][ T5104] kmem_cache_free+0x145/0x350 [ 90.622773][ T5104] rcu_core+0xafd/0x1830 [ 90.627001][ T5104] handle_softirqs+0x2c4/0x970 [ 90.631748][ T5104] __irq_exit_rcu+0xf4/0x1c0 [ 90.636325][ T5104] irq_exit_rcu+0x9/0x30 [ 90.640548][ T5104] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 90.646166][ T5104] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 90.652127][ T5104] [ 90.654433][ T5104] Last potentially related work creation: [ 90.660139][ T5104] kasan_save_stack+0x3f/0x60 [ 90.664804][ T5104] __kasan_record_aux_stack+0xac/0xc0 [ 90.670161][ T5104] call_rcu+0x167/0xa70 [ 90.674305][ T5104] do_vmi_align_munmap+0x155c/0x18c0 [ 90.679573][ T5104] do_vmi_munmap+0x261/0x2f0 [ 90.684143][ T5104] mmap_region+0x72f/0x2090 [ 90.688624][ T5104] do_mmap+0x8f9/0x1010 [ 90.692759][ T5104] vm_mmap_pgoff+0x1dd/0x3d0 [ 90.697333][ T5104] do_syscall_64+0xf3/0x230 [ 90.701822][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 90.707697][ T5104] [ 90.710000][ T5104] The buggy address belongs to the object at ffff888028fe23e0 [ 90.710000][ T5104] which belongs to the cache vm_area_struct of size 184 [ 90.724298][ T5104] The buggy address is located 32 bytes inside of [ 90.724298][ T5104] freed 184-byte region [ffff888028fe23e0, ffff888028fe2498) [ 90.737986][ T5104] [ 90.740295][ T5104] The buggy address belongs to the physical page: [ 90.746693][ T5104] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28fe2 [ 90.755447][ T5104] anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 90.762973][ T5104] page_type: 0xfdffffff(slab) [ 90.767643][ T5104] raw: 00fff00000000000 ffff888015eefb40 0000000000000000 dead000000000001 [ 90.776224][ T5104] raw: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000 [ 90.784785][ T5104] page dumped because: kasan: bad access detected [ 90.791192][ T5104] page_owner tracks the page as allocated [ 90.796892][ T5104] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4759, tgid 4759 (ifup), ts 29539767822, free_ts 29536901547 [ 90.815477][ T5104] post_alloc_hook+0x1f3/0x230 [ 90.820257][ T5104] get_page_from_freelist+0x2ccb/0x2d80 [ 90.825790][ T5104] __alloc_pages_noprof+0x256/0x6c0 [ 90.830972][ T5104] alloc_slab_page+0x5f/0x120 [ 90.835637][ T5104] allocate_slab+0x5a/0x2f0 [ 90.840128][ T5104] ___slab_alloc+0xcd1/0x14b0 [ 90.844791][ T5104] __slab_alloc+0x58/0xa0 [ 90.849106][ T5104] kmem_cache_alloc_noprof+0x1c1/0x2a0 [ 90.854548][ T5104] vm_area_dup+0x27/0x290 [ 90.858860][ T5104] __split_vma+0x1a9/0xc30 [ 90.863261][ T5104] do_vmi_align_munmap+0x433/0x18c0 [ 90.868450][ T5104] do_vmi_munmap+0x261/0x2f0 [ 90.873023][ T5104] mmap_region+0x72f/0x2090 [ 90.877507][ T5104] do_mmap+0x8f9/0x1010 [ 90.881643][ T5104] vm_mmap_pgoff+0x1dd/0x3d0 [ 90.886231][ T5104] ksys_mmap_pgoff+0x4f1/0x720 [ 90.890994][ T5104] page last free pid 4759 tgid 4759 stack trace: [ 90.897316][ T5104] free_unref_folios+0x103a/0x1b00 [ 90.902425][ T5104] folios_put_refs+0x76e/0x860 [ 90.907179][ T5104] free_pages_and_swap_cache+0x5c8/0x690 [ 90.912799][ T5104] tlb_flush_mmu+0x3a3/0x680 [ 90.917378][ T5104] tlb_finish_mmu+0xd4/0x200 [ 90.921954][ T5104] exit_mmap+0x44f/0xc80 [ 90.926181][ T5104] __mmput+0x115/0x390 [ 90.930233][ T5104] exec_mmap+0x680/0x710 [ 90.934463][ T5104] begin_new_exec+0x125f/0x1f50 [ 90.939384][ T5104] load_elf_binary+0x969/0x2680 [ 90.944225][ T5104] bprm_execve+0xaf8/0x1770 [ 90.948713][ T5104] do_execveat_common+0x553/0x700 [ 90.953716][ T5104] __x64_sys_execve+0x92/0xb0 [ 90.958384][ T5104] do_syscall_64+0xf3/0x230 [ 90.962873][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 90.968750][ T5104] [ 90.971059][ T5104] Memory state around the buggy address: [ 90.976667][ T5104] ffff888028fe2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 90.984708][ T5104] ffff888028fe2380: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb [ 90.992749][ T5104] >ffff888028fe2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 91.000789][ T5104] ^ [ 91.004833][ T5104] ffff888028fe2480: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb [ 91.012874][ T5104] ffff888028fe2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 91.020927][ T5104] ================================================================== [ 91.032912][ T5104] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 91.040140][ T5104] CPU: 1 UID: 0 PID: 5104 Comm: syz-executor938 Not tainted 6.10.0-rc7-next-20240712-syzkaller #0 [ 91.050734][ T5104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 91.060798][ T5104] Call Trace: [ 91.064094][ T5104] [ 91.067020][ T5104] dump_stack_lvl+0x241/0x360 [ 91.071701][ T5104] ? __pfx_dump_stack_lvl+0x10/0x10 [ 91.076887][ T5104] ? __pfx__printk+0x10/0x10 [ 91.081465][ T5104] ? rcu_is_watching+0x15/0xb0 [ 91.086217][ T5104] ? preempt_schedule+0xe1/0xf0 [ 91.091059][ T5104] ? vscnprintf+0x5d/0x90 [ 91.095374][ T5104] panic+0x349/0x870 [ 91.099258][ T5104] ? check_panic_on_warn+0x21/0xb0 [ 91.104356][ T5104] ? __pfx_panic+0x10/0x10 [ 91.108762][ T5104] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 91.114728][ T5104] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 91.121039][ T5104] ? print_report+0x502/0x550 [ 91.125791][ T5104] check_panic_on_warn+0x86/0xb0 [ 91.130716][ T5104] ? handle_mm_fault+0x14f0/0x19a0 [ 91.135811][ T5104] end_report+0x77/0x160 [ 91.140039][ T5104] kasan_report+0x154/0x180 [ 91.144528][ T5104] ? handle_mm_fault+0x14f0/0x19a0 [ 91.149625][ T5104] handle_mm_fault+0x14f0/0x19a0 [ 91.154561][ T5104] ? __pfx_handle_mm_fault+0x10/0x10 [ 91.159835][ T5104] ? __pfx_find_vma+0x10/0x10 [ 91.164506][ T5104] ? vma_is_secretmem+0xd/0x50 [ 91.169258][ T5104] ? check_vma_flags+0x500/0x5a0 [ 91.174183][ T5104] __get_user_pages+0x6ec/0x16a0 [ 91.179113][ T5104] ? __pfx___get_user_pages+0x10/0x10 [ 91.184476][ T5104] ? mlock_drain_local+0x79/0x490 [ 91.189574][ T5104] ? mlock_drain_local+0x79/0x490 [ 91.194586][ T5104] populate_vma_page_range+0x264/0x330 [ 91.200031][ T5104] ? __pfx_populate_vma_page_range+0x10/0x10 [ 91.205996][ T5104] ? userfaultfd_unmap_complete+0x30c/0x360 [ 91.211894][ T5104] ? do_mmap+0x961/0x1010 [ 91.216235][ T5104] __mm_populate+0x27a/0x460 [ 91.220834][ T5104] ? __pfx___mm_populate+0x10/0x10 [ 91.225938][ T5104] ? __pfx_ima_file_mmap+0x10/0x10 [ 91.231042][ T5104] ? security_mmap_file+0x178/0x1a0 [ 91.236233][ T5104] vm_mmap_pgoff+0x2c3/0x3d0 [ 91.240817][ T5104] ? __pfx_vm_mmap_pgoff+0x10/0x10 [ 91.245916][ T5104] ? __fget_files+0x29/0x470 [ 91.250526][ T5104] ? __fget_files+0x3f6/0x470 [ 91.255190][ T5104] ksys_mmap_pgoff+0x4f1/0x720 [ 91.259945][ T5104] ? __x64_sys_mmap+0x7f/0x140 [ 91.264711][ T5104] do_syscall_64+0xf3/0x230 [ 91.269206][ T5104] ? clear_bhb_loop+0x35/0x90 [ 91.273874][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 91.279752][ T5104] RIP: 0033:0x7f40d8efc0c9 [ 91.284413][ T5104] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 91.304005][ T5104] RSP: 002b:00007f40d8eb1158 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 91.312406][ T5104] RAX: ffffffffffffffda RBX: 00007f40d8f88608 RCX: 00007f40d8efc0c9 [ 91.320364][ T5104] RDX: 00000000027fffff RSI: 0000000000600000 RDI: 0000000020000000 [ 91.328319][ T5104] RBP: 00007f40d8f88600 R08: 0000000000000004 R09: 0000000000000000 [ 91.336275][ T5104] R10: 0000000004002011 R11: 0000000000000246 R12: 00007f40d8f8860c [ 91.344235][ T5104] R13: 0000000000000006 R14: 00007ffedaef6a70 R15: 00007ffedaef6b58 [ 91.352195][ T5104] [ 91.355480][ T5104] Kernel Offset: disabled [ 91.359792][ T5104] Rebooting in 86400 seconds..