./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3908977255 <...> [ 98.048884][ T10] cfg80211: failed to load regulatory.db Warning: Permanently added '10.128.10.18' (ED25519) to the list of known hosts. execve("./syz-executor3908977255", ["./syz-executor3908977255"], 0x7ffdf4b093c0 /* 10 vars */) = 0 brk(NULL) = 0x55557c105000 brk(0x55557c105d00) = 0x55557c105d00 arch_prctl(ARCH_SET_FS, 0x55557c105380) = 0 set_tid_address(0x55557c105650) = 5845 set_robust_list(0x55557c105660, 24) = 0 rseq(0x55557c105ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3908977255", 4096) = 28 getrandom("\xfa\xf9\x4a\x78\xd4\x2b\x9d\x46", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557c105d00 brk(0x55557c126d00) = 0x55557c126d00 brk(0x55557c127000) = 0x55557c127000 mprotect(0x7feea511f000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 openat(AT_FDCWD, "/proc/self/make-it-fail", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_WRONLY) = 3 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5846 attached [pid 5846] set_robust_list(0x55557c105660, 24 [pid 5845] <... clone resumed>, child_tidptr=0x55557c105650) = 5846 [pid 5846] <... set_robust_list resumed>) = 0 [pid 5846] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5846] setpgid(0, 0) = 0 [pid 5846] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5846] write(3, "1000", 4) = 4 [pid 5846] close(3) = 0 executing program [pid 5846] write(1, "executing program\n", 18) = 18 [pid 5846] openat(AT_FDCWD, "/dev/iommu", O_RDONLY) = 3 [pid 5846] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5846] write(4, "23", 2) = 2 [ 99.275927][ T5846] FAULT_INJECTION: forcing a failure. [ 99.275927][ T5846] name failslab, interval 1, probability 0, space 0, times 1 [ 99.289473][ T5846] CPU: 0 UID: 0 PID: 5846 Comm: syz-executor390 Not tainted 6.14.0-syzkaller-12456-gacc4d5ff0b61 #0 PREEMPT(full) [ 99.289500][ T5846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 99.289512][ T5846] Call Trace: [ 99.289524][ T5846] [ 99.289533][ T5846] dump_stack_lvl+0x241/0x360 [ 99.289616][ T5846] ? __pfx_dump_stack_lvl+0x10/0x10 [ 99.289640][ T5846] ? __pfx__printk+0x10/0x10 [ 99.289668][ T5846] ? __pfx___might_resched+0x10/0x10 [ 99.289689][ T5846] ? lock_acquire+0x167/0x2f0 [ 99.289712][ T5846] should_fail_ex+0x424/0x570 [ 99.289752][ T5846] should_failslab+0xac/0x100 [ 99.289778][ T5846] kmem_cache_alloc_node_noprof+0x7d/0x3b0 [ 99.289809][ T5846] ? __alloc_skb+0x1c2/0x480 [ 99.289832][ T5846] ? __lock_acquire+0xad5/0xd80 [ 99.289845][ T5846] __alloc_skb+0x1c2/0x480 [ 99.289864][ T5846] ? __pfx___alloc_skb+0x10/0x10 [ 99.289882][ T5846] ? netlink_has_listeners+0x73/0x3a0 [ 99.289897][ T5846] alloc_uevent_skb+0x74/0x230 [ 99.289914][ T5846] kobject_uevent_net_broadcast+0x2fd/0x580 [ 99.289932][ T5846] kobject_uevent_env+0x57d/0x8e0 [ 99.289952][ T5846] swnode_register+0x4b3/0x540 [ 99.289969][ T5846] fwnode_create_software_node+0x199/0x1f0 [ 99.289988][ T5846] device_create_managed_software_node+0xd5/0x1f0 [ 99.290000][ T5846] ? iommufd_test+0x2efb/0x56a0 [ 99.290013][ T5846] iommufd_test+0x3335/0x56a0 [ 99.290037][ T5846] ? __pfx_iommufd_test+0x10/0x10 [ 99.290055][ T5846] ? __lock_acquire+0xad5/0xd80 [ 99.290094][ T5846] iommufd_fops_ioctl+0x4fc/0x610 [ 99.290111][ T5846] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 99.290138][ T5846] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 99.290154][ T5846] __se_sys_ioctl+0xf1/0x160 [ 99.290169][ T5846] do_syscall_64+0xf3/0x230 [ 99.290182][ T5846] ? clear_bhb_loop+0x45/0xa0 [ 99.290195][ T5846] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 99.290207][ T5846] RIP: 0033:0x7feea50b36e9 [ 99.290220][ T5846] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 99.290229][ T5846] RSP: 002b:00007ffcce8ad2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 99.290244][ T5846] RAX: ffffffffffffffda RBX: 00007ffcce8ad2e0 RCX: 00007feea50b36e9 [pid 5846] ioctl(3, _IOC(_IOC_NONE, 0x3b, 0xa0, 0), 0x200000000200) = -1 ENOENT (No such file or directory) [pid 5846] exit_group(0) = ? [pid 5846] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5846, si_uid=0, si_status=0, si_utime=0, si_stime=27 /* 0.27 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 [ 99.290252][ T5846] RDX: 0000200000000200 RSI: 0000000000003ba0 RDI: 0000000000000003 [ 99.290259][ T5846] RBP: 0000000000000002 R08: 00007ffcce8ad066 R09: 00000000000000a0 [ 99.290266][ T5846] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000001 [ 99.290273][ T5846] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 99.290290][ T5846] [ 99.291382][ T5846] iommufd_mock iommufd_mock0: Adding to iommu group 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5848 attached , child_tidptr=0x55557c105650) = 5848 [pid 5848] set_robust_list(0x55557c105660, 24) = 0 [pid 5848] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5848] setpgid(0, 0) = 0 [pid 5848] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5848] write(3, "1000", 4) = 4 [pid 5848] close(3) = 0 [pid 5848] write(1, "executing program\n", 18executing program ) = 18 [pid 5848] openat(AT_FDCWD, "/dev/iommu", O_RDONLY) = 3 [pid 5848] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5848] write(4, "23", 2) = 2 [ 99.682074][ T5848] FAULT_INJECTION: forcing a failure. [ 99.682074][ T5848] name failslab, interval 1, probability 0, space 0, times 0 [ 99.696170][ T5848] CPU: 0 UID: 0 PID: 5848 Comm: syz-executor390 Not tainted 6.14.0-syzkaller-12456-gacc4d5ff0b61 #0 PREEMPT(full) [ 99.696189][ T5848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 99.696196][ T5848] Call Trace: [ 99.696205][ T5848] [ 99.696211][ T5848] dump_stack_lvl+0x241/0x360 [ 99.696236][ T5848] ? __pfx_dump_stack_lvl+0x10/0x10 [ 99.696252][ T5848] ? __pfx__printk+0x10/0x10 [ 99.696270][ T5848] ? __pfx___might_resched+0x10/0x10 [ 99.696287][ T5848] should_fail_ex+0x424/0x570 [ 99.696308][ T5848] should_failslab+0xac/0x100 [ 99.696326][ T5848] kmem_cache_alloc_noprof+0x78/0x390 [ 99.696343][ T5848] ? __kernfs_new_node+0xdf/0x890 [ 99.696357][ T5848] __kernfs_new_node+0xdf/0x890 [ 99.696370][ T5848] ? __lock_acquire+0xad5/0xd80 [ 99.696385][ T5848] ? __pfx___kernfs_new_node+0x10/0x10 [ 99.696403][ T5848] ? kernfs_root+0x1c/0x230 [ 99.696415][ T5848] ? kernfs_root+0x1c/0x230 [ 99.696428][ T5848] kernfs_new_node+0x114/0x220 [ 99.696443][ T5848] kernfs_create_dir_ns+0x43/0x120 [ 99.696458][ T5848] sysfs_create_dir_ns+0x1a2/0x3f0 [ 99.696472][ T5848] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 99.696488][ T5848] kobject_add_internal+0x435/0x8d0 [ 99.696507][ T5848] kobject_add+0x15b/0x230 [ 99.696541][ T5848] ? kobject_put+0x43d/0x480 [ 99.696556][ T5848] ? __pfx_kobject_add+0x10/0x10 [ 99.696574][ T5848] ? bus_get_dev_root+0x127/0x160 [ 99.696593][ T5848] ? get_device_parent+0x405/0x410 [ 99.696610][ T5848] ? device_add+0x318/0xbf0 [ 99.696630][ T5848] device_add+0x4e5/0xbf0 [ 99.696650][ T5848] ? iommufd_test+0x2efb/0x56a0 [ 99.696670][ T5848] iommufd_test+0x3350/0x56a0 [ 99.696703][ T5848] ? __pfx_iommufd_test+0x10/0x10 [ 99.696732][ T5848] ? __lock_acquire+0xad5/0xd80 [ 99.696777][ T5848] iommufd_fops_ioctl+0x4fc/0x610 [ 99.696800][ T5848] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 99.696827][ T5848] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 99.696843][ T5848] __se_sys_ioctl+0xf1/0x160 [ 99.696858][ T5848] do_syscall_64+0xf3/0x230 [ 99.696871][ T5848] ? clear_bhb_loop+0x45/0xa0 [ 99.696884][ T5848] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 99.696896][ T5848] RIP: 0033:0x7feea50b36e9 [ 99.696909][ T5848] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 99.696918][ T5848] RSP: 002b:00007ffcce8ad2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 99.696932][ T5848] RAX: ffffffffffffffda RBX: 00007ffcce8ad2e0 RCX: 00007feea50b36e9 [ 99.696940][ T5848] RDX: 0000200000000200 RSI: 0000000000003ba0 RDI: 0000000000000003 [pid 5848] ioctl(3, _IOC(_IOC_NONE, 0x3b, 0xa0, 0), 0x200000000200) = -1 ENOMEM (Cannot allocate memory) [pid 5848] exit_group(0) = ? [pid 5848] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5848, si_uid=0, si_status=0, si_utime=0, si_stime=3 /* 0.03 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5849 attached , child_tidptr=0x55557c105650) = 5849 [pid 5849] set_robust_list(0x55557c105660, 24) = 0 [ 99.696947][ T5848] RBP: 0000000000000002 R08: 00007ffcce8ad066 R09: 00000000000000a0 [ 99.696954][ T5848] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffcce8ad2dc [ 99.696962][ T5848] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 99.696979][ T5848] [ 100.013608][ T5848] kobject: kobject_add_internal failed for iommufd_mock0 (error: -12 parent: devices) [pid 5849] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5849] setpgid(0, 0) = 0 [pid 5849] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5849] write(3, "1000", 4) = 4 [pid 5849] close(3) = 0 executing program [pid 5849] write(1, "executing program\n", 18) = 18 [pid 5849] openat(AT_FDCWD, "/dev/iommu", O_RDONLY) = 3 [pid 5849] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 5849] write(4, "23", 2) = 2 [ 100.121568][ T5849] FAULT_INJECTION: forcing a failure. [ 100.121568][ T5849] name failslab, interval 1, probability 0, space 0, times 0 [ 100.137491][ T5849] CPU: 0 UID: 0 PID: 5849 Comm: syz-executor390 Not tainted 6.14.0-syzkaller-12456-gacc4d5ff0b61 #0 PREEMPT(full) [ 100.137519][ T5849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 100.137530][ T5849] Call Trace: [ 100.137537][ T5849] [ 100.137543][ T5849] dump_stack_lvl+0x241/0x360 [ 100.137572][ T5849] ? __pfx_dump_stack_lvl+0x10/0x10 [ 100.137593][ T5849] ? __pfx__printk+0x10/0x10 [ 100.137617][ T5849] ? __pfx___might_resched+0x10/0x10 [ 100.137639][ T5849] should_fail_ex+0x424/0x570 [ 100.137666][ T5849] should_failslab+0xac/0x100 [ 100.137687][ T5849] kmem_cache_alloc_noprof+0x78/0x390 [ 100.137706][ T5849] ? __kernfs_new_node+0xdf/0x890 [ 100.137727][ T5849] __kernfs_new_node+0xdf/0x890 [ 100.137740][ T5849] ? __lock_acquire+0xad5/0xd80 [ 100.137764][ T5849] ? __pfx___kernfs_new_node+0x10/0x10 [ 100.137788][ T5849] ? kernfs_root+0x1c/0x230 [ 100.137803][ T5849] ? kernfs_root+0x1c/0x230 [ 100.137820][ T5849] kernfs_new_node+0x114/0x220 [ 100.137841][ T5849] kernfs_create_link+0xa5/0x1f0 [ 100.137864][ T5849] sysfs_do_create_link_sd+0x85/0x110 [ 100.137881][ T5849] software_node_notify+0xd9/0x1b0 [ 100.137899][ T5849] device_add+0x513/0xbf0 [ 100.137916][ T5849] ? iommufd_test+0x2efb/0x56a0 [ 100.137934][ T5849] iommufd_test+0x3350/0x56a0 [ 100.137958][ T5849] ? __pfx_iommufd_test+0x10/0x10 [ 100.137982][ T5849] ? __lock_acquire+0xad5/0xd80 [ 100.138024][ T5849] iommufd_fops_ioctl+0x4fc/0x610 [ 100.138056][ T5849] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 100.138091][ T5849] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 100.138111][ T5849] __se_sys_ioctl+0xf1/0x160 [ 100.138130][ T5849] do_syscall_64+0xf3/0x230 [ 100.138146][ T5849] ? clear_bhb_loop+0x45/0xa0 [ 100.138164][ T5849] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 100.138178][ T5849] RIP: 0033:0x7feea50b36e9 [ 100.138193][ T5849] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 100.138205][ T5849] RSP: 002b:00007ffcce8ad2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 100.138223][ T5849] RAX: ffffffffffffffda RBX: 00007ffcce8ad2e0 RCX: 00007feea50b36e9 [ 100.138234][ T5849] RDX: 0000200000000200 RSI: 0000000000003ba0 RDI: 0000000000000003 [ 100.138244][ T5849] RBP: 0000000000000002 R08: 00007ffcce8ad066 R09: 00000000000000a0 [ 100.138253][ T5849] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffcce8ad2dc [ 100.138262][ T5849] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 100.138285][ T5849] [ 100.139087][ T5849] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 100.422849][ T5849] ================================================================== [ 100.431435][ T5849] BUG: KASAN: slab-use-after-free in software_node_notify_remove+0x1bc/0x1c0 [ 100.440711][ T5849] Read of size 1 at addr ffff88807fe41108 by task syz-executor390/5849 [ 100.449497][ T5849] [ 100.452218][ T5849] CPU: 1 UID: 0 PID: 5849 Comm: syz-executor390 Not tainted 6.14.0-syzkaller-12456-gacc4d5ff0b61 #0 PREEMPT(full) [ 100.452246][ T5849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 100.452256][ T5849] Call Trace: [ 100.452268][ T5849] [ 100.452277][ T5849] dump_stack_lvl+0x241/0x360 [ 100.452300][ T5849] ? __pfx_dump_stack_lvl+0x10/0x10 [ 100.452315][ T5849] ? rcu_is_watching+0x15/0xb0 [ 100.452329][ T5849] ? __virt_addr_valid+0x183/0x530 [ 100.452345][ T5849] ? lock_release+0x4e/0x3e0 [ 100.452357][ T5849] ? __virt_addr_valid+0x183/0x530 [ 100.452371][ T5849] ? __virt_addr_valid+0x183/0x530 [ 100.452385][ T5849] print_report+0x16e/0x5b0 [ 100.452400][ T5849] ? __virt_addr_valid+0x183/0x530 [ 100.452413][ T5849] ? __virt_addr_valid+0x183/0x530 [ 100.452426][ T5849] ? __virt_addr_valid+0x45f/0x530 [ 100.452439][ T5849] ? __phys_addr+0xba/0x170 [ 100.452453][ T5849] ? software_node_notify_remove+0x1bc/0x1c0 [ 100.452465][ T5849] kasan_report+0x143/0x180 [ 100.452479][ T5849] ? software_node_notify_remove+0x1bc/0x1c0 [ 100.452491][ T5849] software_node_notify_remove+0x1bc/0x1c0 [ 100.452503][ T5849] device_del+0x594/0x9b0 [ 100.452515][ T5849] ? __pfx_iommufd_object_remove+0x10/0x10 [ 100.452531][ T5849] ? __pfx_device_del+0x10/0x10 [ 100.452545][ T5849] device_unregister+0x20/0xc0 [ 100.452557][ T5849] iommufd_test+0x3715/0x56a0 [ 100.452571][ T5849] ? __pfx_iommufd_test+0x10/0x10 [ 100.452584][ T5849] ? __lock_acquire+0xad5/0xd80 [ 100.452604][ T5849] iommufd_fops_ioctl+0x4fc/0x610 [ 100.452620][ T5849] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 100.452646][ T5849] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 100.452660][ T5849] __se_sys_ioctl+0xf1/0x160 [ 100.452674][ T5849] do_syscall_64+0xf3/0x230 [ 100.452687][ T5849] ? clear_bhb_loop+0x45/0xa0 [ 100.452699][ T5849] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 100.452710][ T5849] RIP: 0033:0x7feea50b36e9 [ 100.452724][ T5849] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 100.452734][ T5849] RSP: 002b:00007ffcce8ad2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 100.452748][ T5849] RAX: ffffffffffffffda RBX: 00007ffcce8ad2e0 RCX: 00007feea50b36e9 [ 100.452757][ T5849] RDX: 0000200000000200 RSI: 0000000000003ba0 RDI: 0000000000000003 [ 100.452764][ T5849] RBP: 0000000000000002 R08: 00007ffcce8ad066 R09: 00000000000000a0 [ 100.452772][ T5849] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffcce8ad2dc [ 100.452779][ T5849] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 100.452790][ T5849] [ 100.452794][ T5849] [ 100.739989][ T5849] Allocated by task 5849: [ 100.744478][ T5849] kasan_save_track+0x3f/0x80 [ 100.749484][ T5849] __kasan_kmalloc+0x9d/0xb0 [ 100.754142][ T5849] __kmalloc_cache_noprof+0x236/0x370 [ 100.759606][ T5849] swnode_register+0x5a/0x540 [ 100.764322][ T5849] fwnode_create_software_node+0x199/0x1f0 [ 100.770672][ T5849] device_create_managed_software_node+0xd5/0x1f0 [ 100.777559][ T5849] iommufd_test+0x3335/0x56a0 [ 100.782322][ T5849] iommufd_fops_ioctl+0x4fc/0x610 [ 100.787851][ T5849] __se_sys_ioctl+0xf1/0x160 [ 100.792782][ T5849] do_syscall_64+0xf3/0x230 [ 100.797731][ T5849] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 100.804016][ T5849] [ 100.806549][ T5849] Freed by task 5849: [ 100.811122][ T5849] kasan_save_track+0x3f/0x80 [ 100.816556][ T5849] kasan_save_free_info+0x40/0x50 [ 100.821845][ T5849] __kasan_slab_free+0x59/0x70 [ 100.827191][ T5849] kfree+0x198/0x430 [ 100.831487][ T5849] kobject_put+0x22f/0x480 [ 100.836276][ T5849] software_node_notify_remove+0x159/0x1c0 [ 100.842498][ T5849] device_del+0x594/0x9b0 [ 100.847669][ T5849] device_unregister+0x20/0xc0 [ 100.853577][ T5849] iommufd_test+0x3715/0x56a0 [ 100.858482][ T5849] iommufd_fops_ioctl+0x4fc/0x610 [ 100.864934][ T5849] __se_sys_ioctl+0xf1/0x160 [ 100.870261][ T5849] do_syscall_64+0xf3/0x230 [ 100.875228][ T5849] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 100.881847][ T5849] [ 100.884689][ T5849] The buggy address belongs to the object at ffff88807fe41000 [ 100.884689][ T5849] which belongs to the cache kmalloc-512 of size 512 [ 100.902268][ T5849] The buggy address is located 264 bytes inside of [ 100.902268][ T5849] freed 512-byte region [ffff88807fe41000, ffff88807fe41200) [ 100.917839][ T5849] [ 100.920464][ T5849] The buggy address belongs to the physical page: [ 100.928320][ T5849] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7fe40 [ 100.939172][ T5849] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 100.948942][ T5849] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 100.960280][ T5849] page_type: f5(slab) [ 100.964578][ T5849] raw: 00fff00000000040 ffff88801b041c80 0000000000000000 dead000000000001 [ 100.975619][ T5849] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 100.985555][ T5849] head: 00fff00000000040 ffff88801b041c80 0000000000000000 dead000000000001 [ 100.995586][ T5849] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 101.005759][ T5849] head: 00fff00000000002 ffffea0001ff9001 00000000ffffffff 00000000ffffffff [ 101.018420][ T5849] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 101.029034][ T5849] page dumped because: kasan: bad access detected [ 101.036804][ T5849] page_owner tracks the page as allocated [ 101.043607][ T5849] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5226, tgid 5226 (udevd), ts 58838564258, free_ts 55546510086 [ 101.068006][ T5849] post_alloc_hook+0x1f4/0x240 [ 101.074099][ T5849] get_page_from_freelist+0x352b/0x36c0 [ 101.079943][ T5849] __alloc_frozen_pages_noprof+0x211/0x5b0 [ 101.086059][ T5849] alloc_pages_mpol+0x339/0x690 [ 101.090979][ T5849] allocate_slab+0x8f/0x3a0 [ 101.095701][ T5849] ___slab_alloc+0xc3b/0x1500 [ 101.100656][ T5849] __slab_alloc+0x58/0xa0 [ 101.105393][ T5849] __kmalloc_cache_noprof+0x26a/0x370 [ 101.111319][ T5849] kernfs_fop_open+0x3a3/0xdf0 [ 101.116647][ T5849] do_dentry_open+0xdec/0x1960 [ 101.121740][ T5849] vfs_open+0x3b/0x370 [ 101.126138][ T5849] path_openat+0x2caf/0x35d0 [ 101.130941][ T5849] do_filp_open+0x284/0x4e0 [ 101.136118][ T5849] do_sys_openat2+0x12b/0x1d0 [ 101.141465][ T5849] __x64_sys_openat+0x249/0x2a0 [ 101.146448][ T5849] do_syscall_64+0xf3/0x230 [ 101.151204][ T5849] page last free pid 5223 tgid 5223 stack trace: [ 101.158029][ T5849] __free_frozen_pages+0xde8/0x10a0 [ 101.163700][ T5849] __mmdrop+0xb9/0x490 [ 101.168188][ T5849] finish_task_switch+0x304/0x870 [ 101.173536][ T5849] __schedule+0x1b90/0x5240 [ 101.178437][ T5849] schedule+0x163/0x360 [ 101.182826][ T5849] schedule_hrtimeout_range_clock+0x193/0x360 [ 101.189497][ T5849] do_epoll_wait+0xe2c/0x1100 [ 101.194976][ T5849] __x64_sys_epoll_wait+0x259/0x2b0 [ 101.200742][ T5849] do_syscall_64+0xf3/0x230 [ 101.205476][ T5849] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.211609][ T5849] [ 101.214058][ T5849] Memory state around the buggy address: [ 101.221018][ T5849] ffff88807fe41000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.229465][ T5849] ffff88807fe41080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.238079][ T5849] >ffff88807fe41100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.247053][ T5849] ^ [ 101.252201][ T5849] ffff88807fe41180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.261160][ T5849] ffff88807fe41200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 101.270608][ T5849] ================================================================== [ 101.282306][ T5849] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 101.291446][ T5849] CPU: 1 UID: 0 PID: 5849 Comm: syz-executor390 Not tainted 6.14.0-syzkaller-12456-gacc4d5ff0b61 #0 PREEMPT(full) [ 101.307563][ T5849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 101.318545][ T5849] Call Trace: [ 101.322147][ T5849] [ 101.325969][ T5849] dump_stack_lvl+0x241/0x360 [ 101.331514][ T5849] ? __pfx_dump_stack_lvl+0x10/0x10 [ 101.338442][ T5849] ? __pfx__printk+0x10/0x10 [ 101.343716][ T5849] ? vscnprintf+0x5d/0x90 [ 101.348389][ T5849] panic+0x349/0x880 [ 101.353126][ T5849] ? check_panic_on_warn+0x21/0xb0 [ 101.359759][ T5849] ? __pfx_panic+0x10/0x10 [ 101.365094][ T5849] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 101.372993][ T5849] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 101.380537][ T5849] ? print_report+0x519/0x5b0 [ 101.385654][ T5849] check_panic_on_warn+0x86/0xb0 [ 101.391573][ T5849] ? software_node_notify_remove+0x1bc/0x1c0 [ 101.400432][ T5849] end_report+0x77/0x160 [ 101.405570][ T5849] kasan_report+0x154/0x180 [ 101.410742][ T5849] ? software_node_notify_remove+0x1bc/0x1c0 [ 101.417331][ T5849] software_node_notify_remove+0x1bc/0x1c0 [ 101.423647][ T5849] device_del+0x594/0x9b0 [ 101.428256][ T5849] ? __pfx_iommufd_object_remove+0x10/0x10 [ 101.434163][ T5849] ? __pfx_device_del+0x10/0x10 [ 101.439055][ T5849] device_unregister+0x20/0xc0 [ 101.443843][ T5849] iommufd_test+0x3715/0x56a0 [ 101.448550][ T5849] ? __pfx_iommufd_test+0x10/0x10 [ 101.454102][ T5849] ? __lock_acquire+0xad5/0xd80 [ 101.459665][ T5849] iommufd_fops_ioctl+0x4fc/0x610 [ 101.464848][ T5849] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 101.470809][ T5849] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 101.476485][ T5849] __se_sys_ioctl+0xf1/0x160 [ 101.481484][ T5849] do_syscall_64+0xf3/0x230 [ 101.486293][ T5849] ? clear_bhb_loop+0x45/0xa0 [ 101.491551][ T5849] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.498080][ T5849] RIP: 0033:0x7feea50b36e9 [ 101.503347][ T5849] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 101.528794][ T5849] RSP: 002b:00007ffcce8ad2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 101.539100][ T5849] RAX: ffffffffffffffda RBX: 00007ffcce8ad2e0 RCX: 00007feea50b36e9 [ 101.547900][ T5849] RDX: 0000200000000200 RSI: 0000000000003ba0 RDI: 0000000000000003 [ 101.557186][ T5849] RBP: 0000000000000002 R08: 00007ffcce8ad066 R09: 00000000000000a0 [ 101.567314][ T5849] R10: 0000000000000002 R11: 0000000000000246 R12: 00007ffcce8ad2dc [ 101.577350][ T5849] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 101.586721][ T5849] [ 101.590981][ T5849] Kernel Offset: disabled [ 101.596174][ T5849] Rebooting in 86400 seconds..