./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1496698428
<...>
DUID 00:04:03:2c:e5:fc:a2:19:b8:8b:c5:bf:62:63:19:3a:75:c6
forked to background, child pid 4650
[ 35.287032][ T4651] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.310614][ T4651] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
execve("./syz-executor1496698428", ["./syz-executor1496698428"], 0x7ffcebf4bf70 /* 10 vars */) = 0
brk(NULL) = 0x5555557e3000
brk(0x5555557e3c40) = 0x5555557e3c40
arch_prctl(ARCH_SET_FS, 0x5555557e3300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1496698428", 4096) = 28
brk(0x555555804c40) = 0x555555804c40
brk(0x555555805000) = 0x555555805000
mprotect(0x7f4ef5b58000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP) = 3
setsockopt(3, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, "\x0a\x00\x4e\x23\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00", 28) = 0
io_uring_setup(1496, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=2048, cq_entries=4096, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=65856}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4
mmap(0x20ee8000, 74048, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20ee8000
mmap(0x20ffe000, 131072, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffe000
io_uring_enter(4, 17678, 0, 0, NULL, 0) = 1
sendto(3, "\xeb", 1, 0, {sa_family=AF_INET6, sin6_port=htons(20003), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 1
exit_group(0) = ?
syzkaller login: [ 56.454150][ T5083] ==================================================================
[ 56.462246][ T5083] BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650
[ 56.469622][ T5083] Read of size 8 at addr ffff88801dfc08f0 by task syz-executor149/5083
[ 56.477847][ T5083]
[ 56.480243][ T5083] CPU: 0 PID: 5083 Comm: syz-executor149 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 56.490297][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 56.500620][ T5083] Call Trace:
[ 56.503895][ T5083]
[ 56.506816][ T5083] dump_stack_lvl+0xd1/0x138
[ 56.511439][ T5083] print_report+0x15e/0x45d
[ 56.515941][ T5083] ? __phys_addr+0xc8/0x140
[ 56.520445][ T5083] ? __wake_up_common+0x637/0x650
[ 56.525457][ T5083] kasan_report+0xc0/0xf0
[ 56.529779][ T5083] ? __wake_up_common+0x637/0x650
[ 56.534795][ T5083] __wake_up_common+0x637/0x650
[ 56.539664][ T5083] __wake_up_common_lock+0xd4/0x140
[ 56.544867][ T5083] ? __wake_up_common+0x650/0x650
[ 56.549884][ T5083] ? sock_def_wakeup+0x4/0x2d0
[ 56.554661][ T5083] ? rcu_read_lock_sched_held+0x3e/0x70
[ 56.560210][ T5083] sock_def_wakeup+0xea/0x2d0
[ 56.564890][ T5083] sctp_do_sm+0x4080/0x5290
[ 56.569392][ T5083] ? sctp_do_8_2_transport_strike.constprop.0+0xb40/0xb40
[ 56.576498][ T5083] ? rcu_read_lock_sched_held+0x3e/0x70
[ 56.582033][ T5083] ? trace_kmem_cache_alloc+0xb1/0x110
[ 56.587486][ T5083] ? kmem_cache_alloc+0x1c5/0x320
[ 56.592515][ T5083] ? sctp_make_abort_user+0x240/0x4b0
[ 56.597891][ T5083] ? lockdep_hardirqs_on+0x7d/0x100
[ 56.603093][ T5083] ? sctp_make_op_error+0x310/0x310
[ 56.608287][ T5083] sctp_primitive_ABORT+0x9f/0xc0
[ 56.613302][ T5083] sctp_close+0x23f/0x940
[ 56.617638][ T5083] ? sctp_assoc_ulpevent_type_set+0x380/0x380
[ 56.623717][ T5083] ? __sock_release+0x86/0x280
[ 56.629074][ T5083] ? lock_acquire+0x32/0xc0
[ 56.633564][ T5083] ? __sock_release+0x86/0x280
[ 56.638317][ T5083] ? ip_mc_drop_socket+0x1a/0x290
[ 56.643330][ T5083] inet_release+0x132/0x270
[ 56.647831][ T5083] inet6_release+0x50/0x70
[ 56.652235][ T5083] __sock_release+0xcd/0x280
[ 56.656814][ T5083] sock_close+0x1c/0x20
[ 56.660960][ T5083] __fput+0x27c/0xa90
[ 56.664948][ T5083] ? __sock_release+0x280/0x280
[ 56.669787][ T5083] task_work_run+0x16f/0x270
[ 56.674370][ T5083] ? task_work_cancel+0x30/0x30
[ 56.679215][ T5083] ? do_raw_spin_unlock+0x175/0x230
[ 56.684404][ T5083] do_exit+0xb17/0x2a90
[ 56.688555][ T5083] ? lock_downgrade+0x6e0/0x6e0
[ 56.693391][ T5083] ? do_raw_spin_lock+0x124/0x2b0
[ 56.698403][ T5083] ? mm_update_next_owner+0x7b0/0x7b0
[ 56.703767][ T5083] ? rwlock_bug.part.0+0x90/0x90
[ 56.708692][ T5083] ? _raw_spin_unlock_irq+0x23/0x50
[ 56.713894][ T5083] do_group_exit+0xd4/0x2a0
[ 56.718392][ T5083] __x64_sys_exit_group+0x3e/0x50
[ 56.723400][ T5083] do_syscall_64+0x39/0xb0
[ 56.727804][ T5083] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.733692][ T5083] RIP: 0033:0x7f4ef5aea909
[ 56.738098][ T5083] Code: Unable to access opcode bytes at 0x7f4ef5aea8df.
[ 56.745099][ T5083] RSP: 002b:00007ffed9d0f1e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 56.753499][ T5083] RAX: ffffffffffffffda RBX: 00007f4ef5b5e290 RCX: 00007f4ef5aea909
[ 56.761457][ T5083] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 56.769419][ T5083] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 000000000000001c
[ 56.777377][ T5083] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4ef5b5e290
[ 56.785334][ T5083] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 56.793295][ T5083]
[ 56.796300][ T5083]
[ 56.798609][ T5083] Allocated by task 5083:
[ 56.802919][ T5083] kasan_save_stack+0x22/0x40
[ 56.807595][ T5083] kasan_set_track+0x25/0x30
[ 56.812194][ T5083] __kasan_slab_alloc+0x7f/0x90
[ 56.817034][ T5083] kmem_cache_alloc_bulk+0x3aa/0x730
[ 56.822304][ T5083] __io_alloc_req_refill+0xcc/0x40b
[ 56.827492][ T5083] io_submit_sqes.cold+0x7c/0xc2
[ 56.832419][ T5083] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 56.837953][ T5083] do_syscall_64+0x39/0xb0
[ 56.842355][ T5083] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.848242][ T5083]
[ 56.850547][ T5083] Freed by task 56:
[ 56.854331][ T5083] kasan_save_stack+0x22/0x40
[ 56.858993][ T5083] kasan_set_track+0x25/0x30
[ 56.863569][ T5083] kasan_save_free_info+0x2e/0x40
[ 56.868712][ T5083] ____kasan_slab_free+0x160/0x1c0
[ 56.873827][ T5083] slab_free_freelist_hook+0x8b/0x1c0
[ 56.879288][ T5083] kmem_cache_free+0xec/0x4e0
[ 56.883959][ T5083] io_req_caches_free+0x1a9/0x1e6
[ 56.889583][ T5083] io_ring_exit_work+0x2e7/0xc80
[ 56.894507][ T5083] process_one_work+0x9bf/0x1750
[ 56.899478][ T5083] worker_thread+0x669/0x1090
[ 56.904142][ T5083] kthread+0x2e8/0x3a0
[ 56.908197][ T5083] ret_from_fork+0x1f/0x30
[ 56.912602][ T5083]
[ 56.914910][ T5083] The buggy address belongs to the object at ffff88801dfc08c0
[ 56.914910][ T5083] which belongs to the cache io_kiocb of size 216
[ 56.928684][ T5083] The buggy address is located 48 bytes inside of
[ 56.928684][ T5083] 216-byte region [ffff88801dfc08c0, ffff88801dfc0998)
[ 56.941852][ T5083]
[ 56.944160][ T5083] The buggy address belongs to the physical page:
[ 56.950555][ T5083] page:ffffea000077f000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dfc0
[ 56.960774][ T5083] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 56.968306][ T5083] raw: 00fff00000000200 ffff88801866d500 dead000000000122 0000000000000000
[ 56.976875][ T5083] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 56.985437][ T5083] page dumped because: kasan: bad access detected
[ 56.992437][ T5083] page_owner tracks the page as allocated
[ 56.998240][ T5083] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5083, tgid 5083 (syz-executor149), ts 56446361486, free_ts 56418566842
[ 57.016820][ T5083] get_page_from_freelist+0x11bb/0x2d50
[ 57.022365][ T5083] __alloc_pages+0x1cb/0x5c0
[ 57.026944][ T5083] alloc_pages+0x1aa/0x270
[ 57.031349][ T5083] allocate_slab+0x25f/0x350
[ 57.035924][ T5083] ___slab_alloc+0xa91/0x1400
[ 57.040585][ T5083] kmem_cache_alloc_bulk+0x23d/0x730
[ 57.045862][ T5083] __io_alloc_req_refill+0xcc/0x40b
[ 57.051047][ T5083] io_submit_sqes.cold+0x7c/0xc2
[ 57.056003][ T5083] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 57.061540][ T5083] do_syscall_64+0x39/0xb0
[ 57.065943][ T5083] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.071828][ T5083] page last free stack trace:
[ 57.076485][ T5083] free_pcp_prepare+0x4d0/0x910
[ 57.081328][ T5083] free_unref_page_list+0x176/0xcd0
[ 57.086530][ T5083] release_pages+0xcb1/0x1330
[ 57.091194][ T5083] tlb_batch_pages_flush+0xa8/0x1a0
[ 57.096406][ T5083] tlb_finish_mmu+0x14b/0x7e0
[ 57.101071][ T5083] exit_mmap+0x202/0x7c0
[ 57.105301][ T5083] __mmput+0x128/0x4c0
[ 57.109359][ T5083] mmput+0x60/0x70
[ 57.113158][ T5083] do_exit+0x9ac/0x2a90
[ 57.117305][ T5083] do_group_exit+0xd4/0x2a0
[ 57.121801][ T5083] get_signal+0x225f/0x24f0
[ 57.126293][ T5083] arch_do_signal_or_restart+0x79/0x5c0
[ 57.131826][ T5083] exit_to_user_mode_prepare+0x11f/0x240
[ 57.137471][ T5083] irqentry_exit_to_user_mode+0x9/0x40
[ 57.142920][ T5083] exc_page_fault+0xc0/0x170
[ 57.147498][ T5083] asm_exc_page_fault+0x26/0x30
[ 57.152340][ T5083]
[ 57.154644][ T5083] Memory state around the buggy address:
[ 57.160256][ T5083] ffff88801dfc0780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.168297][ T5083] ffff88801dfc0800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 57.176340][ T5083] >ffff88801dfc0880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 57.184378][ T5083] ^
[ 57.192075][ T5083] ffff88801dfc0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.200117][ T5083] ffff88801dfc0980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.208168][ T5083] ==================================================================
[ 57.216216][ T5083] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 57.223410][ T5083] CPU: 0 PID: 5083 Comm: syz-executor149 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 57.233281][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 57.243320][ T5083] Call Trace:
[ 57.246583][ T5083]
[ 57.249499][ T5083] dump_stack_lvl+0xd1/0x138
[ 57.254077][ T5083] panic+0x2cc/0x626
[ 57.257968][ T5083] ? panic_print_sys_info.part.0+0x112/0x112
[ 57.263945][ T5083] ? lock_downgrade+0x6e0/0x6e0
[ 57.268781][ T5083] ? dump_page.cold+0x21d/0x255
[ 57.273627][ T5083] check_panic_on_warn.cold+0x19/0x35
[ 57.278997][ T5083] end_report.part.0+0x36/0x73
[ 57.283746][ T5083] ? __wake_up_common+0x637/0x650
[ 57.288778][ T5083] kasan_report.cold+0xa/0xf
[ 57.293354][ T5083] ? __wake_up_common+0x637/0x650
[ 57.298367][ T5083] __wake_up_common+0x637/0x650
[ 57.303205][ T5083] __wake_up_common_lock+0xd4/0x140
[ 57.308393][ T5083] ? __wake_up_common+0x650/0x650
[ 57.313402][ T5083] ? sock_def_wakeup+0x4/0x2d0
[ 57.318159][ T5083] ? rcu_read_lock_sched_held+0x3e/0x70
[ 57.323694][ T5083] sock_def_wakeup+0xea/0x2d0
[ 57.328364][ T5083] sctp_do_sm+0x4080/0x5290
[ 57.332877][ T5083] ? sctp_do_8_2_transport_strike.constprop.0+0xb40/0xb40
[ 57.339985][ T5083] ? rcu_read_lock_sched_held+0x3e/0x70
[ 57.345520][ T5083] ? trace_kmem_cache_alloc+0xb1/0x110
[ 57.350975][ T5083] ? kmem_cache_alloc+0x1c5/0x320
[ 57.355990][ T5083] ? sctp_make_abort_user+0x240/0x4b0
[ 57.361351][ T5083] ? lockdep_hardirqs_on+0x7d/0x100
[ 57.366540][ T5083] ? sctp_make_op_error+0x310/0x310
[ 57.371727][ T5083] sctp_primitive_ABORT+0x9f/0xc0
[ 57.376833][ T5083] sctp_close+0x23f/0x940
[ 57.381162][ T5083] ? sctp_assoc_ulpevent_type_set+0x380/0x380
[ 57.387222][ T5083] ? __sock_release+0x86/0x280
[ 57.391974][ T5083] ? lock_acquire+0x32/0xc0
[ 57.396526][ T5083] ? __sock_release+0x86/0x280
[ 57.401287][ T5083] ? ip_mc_drop_socket+0x1a/0x290
[ 57.406304][ T5083] inet_release+0x132/0x270
[ 57.410801][ T5083] inet6_release+0x50/0x70
[ 57.415235][ T5083] __sock_release+0xcd/0x280
[ 57.419837][ T5083] sock_close+0x1c/0x20
[ 57.424078][ T5083] __fput+0x27c/0xa90
[ 57.428061][ T5083] ? __sock_release+0x280/0x280
[ 57.432908][ T5083] task_work_run+0x16f/0x270
[ 57.437504][ T5083] ? task_work_cancel+0x30/0x30
[ 57.442435][ T5083] ? do_raw_spin_unlock+0x175/0x230
[ 57.447633][ T5083] do_exit+0xb17/0x2a90
[ 57.451820][ T5083] ? lock_downgrade+0x6e0/0x6e0
[ 57.456656][ T5083] ? do_raw_spin_lock+0x124/0x2b0
[ 57.461669][ T5083] ? mm_update_next_owner+0x7b0/0x7b0
[ 57.467034][ T5083] ? rwlock_bug.part.0+0x90/0x90
[ 57.471962][ T5083] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.477157][ T5083] do_group_exit+0xd4/0x2a0
[ 57.481655][ T5083] __x64_sys_exit_group+0x3e/0x50
[ 57.486661][ T5083] do_syscall_64+0x39/0xb0
[ 57.491066][ T5083] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.497228][ T5083] RIP: 0033:0x7f4ef5aea909
[ 57.501646][ T5083] Code: Unable to access opcode bytes at 0x7f4ef5aea8df.
[ 57.508732][ T5083] RSP: 002b:00007ffed9d0f1e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.517133][ T5083] RAX: ffffffffffffffda RBX: 00007f4ef5b5e290 RCX: 00007f4ef5aea909
[ 57.525089][ T5083] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 57.533047][ T5083] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 000000000000001c
[ 57.541004][ T5083] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4ef5b5e290
[ 57.548967][ T5083] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 57.556930][ T5083]
[ 57.560097][ T5083] Kernel Offset: disabled
[ 57.564420][ T5083] Rebooting in 86400 seconds..