./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1843957192
<...>
Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
execve("./syz-executor1843957192", ["./syz-executor1843957192"], 0x7ffe3374bbd0 /* 10 vars */) = 0
brk(NULL) = 0x555556871000
brk(0x555556871c40) = 0x555556871c40
arch_prctl(ARCH_SET_FS, 0x555556871300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1843957192", 4096) = 28
brk(0x555556892c40) = 0x555556892c40
brk(0x555556893000) = 0x555556893000
mprotect(0x7fe5f9496000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5078 attached
, child_tidptr=0x5555568715d0) = 5078
[pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5078] setpgid(0, 0) = 0
[pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5078] write(3, "1000", 4) = 4
[pid 5078] close(3) = 0
[pid 5078] socket(AF_PACKET, SOCK_RAW, htons(0 /* ETH_P_??? */)) = 3
[pid 5078] pipe([4, 5]) = 0
[pid 5078] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 6
[pid 5078] close(6) = 0
[pid 5078] socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 6
[pid 5078] io_uring_setup(820, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=1024, cq_entries=2048, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=33088}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 7
[pid 5078] mmap(0x20002000, 37184, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 7, 0) = 0x20002000
[pid 5078] mmap(0x20ffd000, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 7, 0x10000000) = 0x20ffd000
[pid 5078] io_uring_enter(7, 767, 0, 0, NULL, 0) = 1
[pid 5078] write(5, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 28) = 28
[pid 5078] splice(4, NULL, 6, NULL, 196607, 0) = 28
[pid 5078] exit_group(0) = ?
[ 60.457249][ T5078] ==================================================================
[ 60.465390][ T5078] BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650
[ 60.472793][ T5078] Read of size 8 at addr ffff88807576d8f0 by task syz-executor184/5078
[ 60.481044][ T5078]
[ 60.483365][ T5078] CPU: 0 PID: 5078 Comm: syz-executor184 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 60.493265][ T5078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 60.503307][ T5078] Call Trace:
[ 60.506577][ T5078]
[ 60.509498][ T5078] dump_stack_lvl+0xd1/0x138
[ 60.514093][ T5078] print_report+0x15e/0x45d
[ 60.518599][ T5078] ? __phys_addr+0xc8/0x140
[ 60.523123][ T5078] ? __wake_up_common+0x637/0x650
[ 60.528162][ T5078] kasan_report+0xc0/0xf0
[ 60.532509][ T5078] ? __wake_up_common+0x637/0x650
[ 60.537546][ T5078] __wake_up_common+0x637/0x650
[ 60.542408][ T5078] __wake_up_common_lock+0xd4/0x140
[ 60.547618][ T5078] ? __wake_up_common+0x650/0x650
[ 60.552653][ T5078] ? debug_object_active_state+0x264/0x350
[ 60.558491][ T5078] ? fcntl_setlk+0xdc0/0xdc0
[ 60.563134][ T5078] pipe_release+0x18c/0x310
[ 60.567669][ T5078] __fput+0x27c/0xa90
[ 60.571675][ T5078] ? free_pipe_info+0x3b0/0x3b0
[ 60.576543][ T5078] task_work_run+0x16f/0x270
[ 60.581154][ T5078] ? task_work_cancel+0x30/0x30
[ 60.586023][ T5078] ? do_raw_spin_unlock+0x175/0x230
[ 60.591235][ T5078] do_exit+0xb17/0x2a90
[ 60.595412][ T5078] ? lock_downgrade+0x6e0/0x6e0
[ 60.600269][ T5078] ? do_raw_spin_lock+0x124/0x2b0
[ 60.605301][ T5078] ? mm_update_next_owner+0x7b0/0x7b0
[ 60.610705][ T5078] ? rwlock_bug.part.0+0x90/0x90
[ 60.615659][ T5078] ? _raw_spin_unlock_irq+0x23/0x50
[ 60.620883][ T5078] do_group_exit+0xd4/0x2a0
[ 60.625413][ T5078] __x64_sys_exit_group+0x3e/0x50
[ 60.630442][ T5078] do_syscall_64+0x39/0xb0
[ 60.634870][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 60.640782][ T5078] RIP: 0033:0x7fe5f9427c89
[ 60.645201][ T5078] Code: Unable to access opcode bytes at 0x7fe5f9427c5f.
[ 60.652302][ T5078] RSP: 002b:00007ffd91cccba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.660727][ T5078] RAX: ffffffffffffffda RBX: 00007fe5f949c370 RCX: 00007fe5f9427c89
[ 60.668707][ T5078] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 60.676685][ T5078] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 60.684665][ T5078] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5f949c370
[ 60.692642][ T5078] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 60.700622][ T5078]
[ 60.703639][ T5078]
[ 60.705956][ T5078] Allocated by task 5078:
[ 60.710278][ T5078] kasan_save_stack+0x22/0x40
[ 60.714964][ T5078] kasan_set_track+0x25/0x30
[ 60.719562][ T5078] __kasan_slab_alloc+0x7f/0x90
[ 60.724420][ T5078] kmem_cache_alloc_bulk+0x3aa/0x730
[ 60.729712][ T5078] __io_alloc_req_refill+0xcc/0x40b
[ 60.734922][ T5078] io_submit_sqes.cold+0x7c/0xc2
[ 60.739871][ T5078] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 60.745427][ T5078] do_syscall_64+0x39/0xb0
[ 60.749850][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 60.755761][ T5078]
[ 60.758080][ T5078] Freed by task 1006:
[ 60.762056][ T5078] kasan_save_stack+0x22/0x40
[ 60.766745][ T5078] kasan_set_track+0x25/0x30
[ 60.771341][ T5078] kasan_save_free_info+0x2e/0x40
[ 60.776377][ T5078] ____kasan_slab_free+0x160/0x1c0
[ 60.781498][ T5078] slab_free_freelist_hook+0x8b/0x1c0
[ 60.786875][ T5078] kmem_cache_free+0xec/0x4e0
[ 60.791564][ T5078] io_req_caches_free+0x1a9/0x1e6
[ 60.796600][ T5078] io_ring_exit_work+0x2e7/0xc80
[ 60.801551][ T5078] process_one_work+0x9bf/0x1750
[ 60.806503][ T5078] worker_thread+0x669/0x1090
[ 60.811192][ T5078] kthread+0x2e8/0x3a0
[ 60.815266][ T5078] ret_from_fork+0x1f/0x30
[ 60.819696][ T5078]
[ 60.822015][ T5078] The buggy address belongs to the object at ffff88807576d8c0
[ 60.822015][ T5078] which belongs to the cache io_kiocb of size 216
[ 60.835805][ T5078] The buggy address is located 48 bytes inside of
[ 60.835805][ T5078] 216-byte region [ffff88807576d8c0, ffff88807576d998)
[ 60.848995][ T5078]
[ 60.851314][ T5078] The buggy address belongs to the physical page:
[ 60.857725][ T5078] page:ffffea0001d5db40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7576d
[ 60.867882][ T5078] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 60.875439][ T5078] raw: 00fff00000000200 ffff88801c475500 dead000000000122 0000000000000000
[ 60.884028][ T5078] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 60.892610][ T5078] page dumped because: kasan: bad access detected
[ 60.899016][ T5078] page_owner tracks the page as allocated
[ 60.904737][ T5078] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5078, tgid 5078 (syz-executor184), ts 60451826215, free_ts 54820642682
[ 60.923327][ T5078] get_page_from_freelist+0x11bb/0x2d50
[ 60.928895][ T5078] __alloc_pages+0x1cb/0x5c0
[ 60.933495][ T5078] alloc_pages+0x1aa/0x270
[ 60.937921][ T5078] allocate_slab+0x25f/0x350
[ 60.942515][ T5078] ___slab_alloc+0xa91/0x1400
[ 60.947195][ T5078] kmem_cache_alloc_bulk+0x23d/0x730
[ 60.952487][ T5078] __io_alloc_req_refill+0xcc/0x40b
[ 60.957694][ T5078] io_submit_sqes.cold+0x7c/0xc2
[ 60.962641][ T5078] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 60.968202][ T5078] do_syscall_64+0x39/0xb0
[ 60.972627][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 60.978534][ T5078] page last free stack trace:
[ 60.983201][ T5078] free_pcp_prepare+0x4d0/0x910
[ 60.988073][ T5078] free_unref_page+0x1d/0x490
[ 60.992766][ T5078] __folio_put+0xc5/0x140
[ 60.997109][ T5078] anon_pipe_buf_release+0x3fb/0x4c0
[ 61.002406][ T5078] pipe_read+0x614/0x1110
[ 61.006749][ T5078] vfs_read+0x7fa/0x930
[ 61.010913][ T5078] ksys_read+0x1ec/0x250
[ 61.015163][ T5078] do_syscall_64+0x39/0xb0
[ 61.019587][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.025494][ T5078]
[ 61.027811][ T5078] Memory state around the buggy address:
[ 61.033436][ T5078] ffff88807576d780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.041497][ T5078] ffff88807576d800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 61.049556][ T5078] >ffff88807576d880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 61.057634][ T5078] ^
[ 61.065342][ T5078] ffff88807576d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.073399][ T5078] ffff88807576d980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.081453][ T5078] ==================================================================
[ 61.089507][ T5078] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 61.096695][ T5078] CPU: 0 PID: 5078 Comm: syz-executor184 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 61.106596][ T5078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 61.116652][ T5078] Call Trace:
[ 61.119930][ T5078]
[ 61.122862][ T5078] dump_stack_lvl+0xd1/0x138
[ 61.127464][ T5078] panic+0x2cc/0x626
[ 61.131375][ T5078] ? panic_print_sys_info.part.0+0x112/0x112
[ 61.137814][ T5078] ? lock_downgrade+0x6e0/0x6e0
[ 61.142674][ T5078] ? dump_page.cold+0x21d/0x255
[ 61.147546][ T5078] check_panic_on_warn.cold+0x19/0x35
[ 61.152941][ T5078] end_report.part.0+0x36/0x73
[ 61.157718][ T5078] ? __wake_up_common+0x637/0x650
[ 61.162756][ T5078] kasan_report.cold+0xa/0xf
[ 61.167355][ T5078] ? __wake_up_common+0x637/0x650
[ 61.172387][ T5078] __wake_up_common+0x637/0x650
[ 61.177246][ T5078] __wake_up_common_lock+0xd4/0x140
[ 61.182454][ T5078] ? __wake_up_common+0x650/0x650
[ 61.187489][ T5078] ? debug_object_active_state+0x264/0x350
[ 61.193327][ T5078] ? fcntl_setlk+0xdc0/0xdc0
[ 61.197941][ T5078] pipe_release+0x18c/0x310
[ 61.202458][ T5078] __fput+0x27c/0xa90
[ 61.206460][ T5078] ? free_pipe_info+0x3b0/0x3b0
[ 61.211503][ T5078] task_work_run+0x16f/0x270
[ 61.216114][ T5078] ? task_work_cancel+0x30/0x30
[ 61.220997][ T5078] ? do_raw_spin_unlock+0x175/0x230
[ 61.226212][ T5078] do_exit+0xb17/0x2a90
[ 61.230393][ T5078] ? lock_downgrade+0x6e0/0x6e0
[ 61.235263][ T5078] ? do_raw_spin_lock+0x124/0x2b0
[ 61.240297][ T5078] ? mm_update_next_owner+0x7b0/0x7b0
[ 61.245702][ T5078] ? rwlock_bug.part.0+0x90/0x90
[ 61.250669][ T5078] ? _raw_spin_unlock_irq+0x23/0x50
[ 61.255899][ T5078] do_group_exit+0xd4/0x2a0
[ 61.260425][ T5078] __x64_sys_exit_group+0x3e/0x50
[ 61.265459][ T5078] do_syscall_64+0x39/0xb0
[ 61.269887][ T5078] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.275803][ T5078] RIP: 0033:0x7fe5f9427c89
[ 61.280228][ T5078] Code: Unable to access opcode bytes at 0x7fe5f9427c5f.
[ 61.287242][ T5078] RSP: 002b:00007ffd91cccba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.295658][ T5078] RAX: ffffffffffffffda RBX: 00007fe5f949c370 RCX: 00007fe5f9427c89
[ 61.303636][ T5078] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 61.311616][ T5078] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 61.320637][ T5078] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5f949c370
[ 61.328613][ T5078] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 61.336597][ T5078]
[ 61.339821][ T5078] Kernel Offset: disabled
[ 61.344140][ T5078] Rebooting in 86400 seconds..