./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1435476052 <...> Warning: Permanently added '10.128.1.82' (ED25519) to the list of known hosts. execve("./syz-executor1435476052", ["./syz-executor1435476052"], 0x7ffdaa8be3f0 /* 10 vars */) = 0 brk(NULL) = 0x55555693f000 brk(0x55555693fd00) = 0x55555693fd00 arch_prctl(ARCH_SET_FS, 0x55555693f380) = 0 set_tid_address(0x55555693f650) = 5061 set_robust_list(0x55555693f660, 24) = 0 rseq(0x55555693fca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1435476052", 4096) = 28 getrandom("\x70\x28\x38\x3b\xc8\xe9\x79\x73", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555693fd00 brk(0x555556960d00) = 0x555556960d00 brk(0x555556961000) = 0x555556961000 mprotect(0x7f0ed90a2000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5062 attached , child_tidptr=0x55555693f650) = 5062 [pid 5062] set_robust_list(0x55555693f660, 24) = 0 [pid 5062] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5062] setpgid(0, 0) = 0 [pid 5062] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5062] write(3, "1000", 4) = 4 [pid 5062] close(3) = 0 [pid 5062] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5062] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5062] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5062] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5062] exit_group(0) = ? [pid 5062] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5062, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5063 attached , child_tidptr=0x55555693f650) = 5063 [pid 5063] set_robust_list(0x55555693f660, 24) = 0 [pid 5063] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5063] setpgid(0, 0) = 0 [pid 5063] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5063] write(3, "1000", 4) = 4 [pid 5063] close(3) = 0 [pid 5063] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5063] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5063] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5063] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5063] exit_group(0) = ? [pid 5063] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5063, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5064 attached , child_tidptr=0x55555693f650) = 5064 [pid 5064] set_robust_list(0x55555693f660, 24) = 0 [pid 5064] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5064] setpgid(0, 0) = 0 [pid 5064] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5064] write(3, "1000", 4) = 4 [pid 5064] close(3) = 0 [pid 5064] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5064] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5064] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5064] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5064] exit_group(0) = ? [pid 5064] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5064, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5065 attached , child_tidptr=0x55555693f650) = 5065 [pid 5065] set_robust_list(0x55555693f660, 24) = 0 [pid 5065] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5065] setpgid(0, 0) = 0 [pid 5065] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5065] write(3, "1000", 4) = 4 [pid 5065] close(3) = 0 [pid 5065] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5065] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5065] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5065] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5065] exit_group(0) = ? [pid 5065] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5065, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5066 attached , child_tidptr=0x55555693f650) = 5066 [pid 5066] set_robust_list(0x55555693f660, 24) = 0 [pid 5066] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5066] setpgid(0, 0) = 0 [pid 5066] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5066] write(3, "1000", 4) = 4 [pid 5066] close(3) = 0 [pid 5066] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5066] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5066] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5066] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5066] exit_group(0) = ? [pid 5066] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5066, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5067 attached , child_tidptr=0x55555693f650) = 5067 [pid 5067] set_robust_list(0x55555693f660, 24) = 0 [pid 5067] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5067] setpgid(0, 0) = 0 [pid 5067] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5067] write(3, "1000", 4) = 4 [pid 5067] close(3) = 0 [pid 5067] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5067] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5067] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5067] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5067] exit_group(0) = ? [pid 5067] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5067, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5068 attached , child_tidptr=0x55555693f650) = 5068 [pid 5068] set_robust_list(0x55555693f660, 24) = 0 [pid 5068] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5068] setpgid(0, 0) = 0 [pid 5068] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5068] write(3, "1000", 4) = 4 [pid 5068] close(3) = 0 [pid 5068] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5068] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5068] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5068] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5068] exit_group(0) = ? [pid 5068] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5068, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5069 attached , child_tidptr=0x55555693f650) = 5069 [pid 5069] set_robust_list(0x55555693f660, 24) = 0 [pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5069] setpgid(0, 0) = 0 [pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5069] write(3, "1000", 4) = 4 [pid 5069] close(3) = 0 [pid 5069] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5069] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5069] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5069] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5069] exit_group(0) = ? [pid 5069] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5069, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5070 attached , child_tidptr=0x55555693f650) = 5070 [pid 5070] set_robust_list(0x55555693f660, 24) = 0 [pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5070] setpgid(0, 0) = 0 [pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5070] write(3, "1000", 4) = 4 [pid 5070] close(3) = 0 [pid 5070] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5070] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5070] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5070] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5070] exit_group(0) = ? [pid 5070] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5071 attached , child_tidptr=0x55555693f650) = 5071 [pid 5071] set_robust_list(0x55555693f660, 24) = 0 [pid 5071] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5071] setpgid(0, 0) = 0 [pid 5071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5071] write(3, "1000", 4) = 4 [pid 5071] close(3) = 0 [pid 5071] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5071] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5071] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5071] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5071] exit_group(0) = ? [pid 5071] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5071, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5072 attached , child_tidptr=0x55555693f650) = 5072 [pid 5072] set_robust_list(0x55555693f660, 24) = 0 [pid 5072] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5072] setpgid(0, 0) = 0 [pid 5072] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5072] write(3, "1000", 4) = 4 [pid 5072] close(3) = 0 [pid 5072] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5072] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5072] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5072] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5072] exit_group(0) = ? [pid 5072] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5072, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5073 attached , child_tidptr=0x55555693f650) = 5073 [pid 5073] set_robust_list(0x55555693f660, 24) = 0 [pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5073] setpgid(0, 0) = 0 [pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5073] write(3, "1000", 4) = 4 [pid 5073] close(3) = 0 [pid 5073] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5073] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5073] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5073] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5073] exit_group(0) = ? [pid 5073] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5073, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5074 attached [pid 5074] set_robust_list(0x55555693f660, 24 [pid 5061] <... clone resumed>, child_tidptr=0x55555693f650) = 5074 [pid 5074] <... set_robust_list resumed>) = 0 [pid 5074] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5074] setpgid(0, 0) = 0 [pid 5074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5074] write(3, "1000", 4) = 4 [pid 5074] close(3) = 0 [pid 5074] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5074] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5074] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5074] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5074] exit_group(0) = ? [pid 5074] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5074, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5075 attached , child_tidptr=0x55555693f650) = 5075 [pid 5075] set_robust_list(0x55555693f660, 24) = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5075] setpgid(0, 0) = 0 [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5075] write(3, "1000", 4) = 4 [pid 5075] close(3) = 0 [pid 5075] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5075] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5075] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5075] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5075] exit_group(0) = ? [pid 5075] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5075, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5076 attached , child_tidptr=0x55555693f650) = 5076 [pid 5076] set_robust_list(0x55555693f660, 24) = 0 [pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5076] setpgid(0, 0) = 0 [pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5076] write(3, "1000", 4) = 4 [pid 5076] close(3) = 0 [pid 5076] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5076] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5076] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5076] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5076] exit_group(0) = ? [pid 5076] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5076, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5077 attached , child_tidptr=0x55555693f650) = 5077 [pid 5077] set_robust_list(0x55555693f660, 24) = 0 [pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5077] setpgid(0, 0) = 0 [pid 5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1000", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5077] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5077] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5077] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5077] exit_group(0) = ? [pid 5077] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5077, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5078 attached , child_tidptr=0x55555693f650) = 5078 [pid 5078] set_robust_list(0x55555693f660, 24) = 0 [pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5078] setpgid(0, 0) = 0 [pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5078] write(3, "1000", 4) = 4 [pid 5078] close(3) = 0 [pid 5078] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5078] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5078] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [pid 5078] io_cancel(0x7f0ed8fba000, {aio_data=0, aio_lio_opcode=IOCB_CMD_PREAD, aio_fildes=-1}, NULL) = 0 [pid 5078] exit_group(0) = ? [pid 5078] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5078, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5079 attached , child_tidptr=0x55555693f650) = 5079 [pid 5079] set_robust_list(0x55555693f660, 24) = 0 [pid 5079] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5079] setpgid(0, 0) = 0 [pid 5079] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5079] write(3, "1000", 4) = 4 [pid 5079] close(3) = 0 [pid 5079] io_setup(3760, [0x7f0ed8fba000]) = 0 [pid 5079] socket(AF_XDP, SOCK_RAW, 0) = 3 [pid 5079] io_submit(0x7f0ed8fba000, 1, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}]) = 1 [ 77.560901][ T5079] ================================================================== [ 77.569015][ T5079] BUG: KASAN: slab-use-after-free in __se_sys_io_cancel+0x2c7/0x2d0 [ 77.577017][ T5079] Read of size 4 at addr ffff888077597ca0 by task syz-executor143/5079 [ 77.585263][ T5079] [ 77.587595][ T5079] CPU: 1 PID: 5079 Comm: syz-executor143 Not tainted 6.8.0-rc6-syzkaller-00238-g5ad3cb0ed525 #0 [ 77.597997][ T5079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 [ 77.608056][ T5079] Call Trace: [ 77.611335][ T5079] [ 77.614262][ T5079] dump_stack_lvl+0x1e7/0x2e0 [ 77.618952][ T5079] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.624159][ T5079] ? __pfx__printk+0x10/0x10 [ 77.628763][ T5079] ? _printk+0xd5/0x120 [ 77.632929][ T5079] ? __virt_addr_valid+0x183/0x520 [ 77.638051][ T5079] ? __virt_addr_valid+0x183/0x520 [ 77.643176][ T5079] print_report+0x167/0x540 [ 77.647688][ T5079] ? __virt_addr_valid+0x183/0x520 [ 77.652806][ T5079] ? __virt_addr_valid+0x183/0x520 [ 77.657923][ T5079] ? __virt_addr_valid+0x44e/0x520 [ 77.663040][ T5079] ? __phys_addr+0xba/0x170 [ 77.667556][ T5079] ? __se_sys_io_cancel+0x2c7/0x2d0 [ 77.672762][ T5079] kasan_report+0x142/0x180 [ 77.677274][ T5079] ? __se_sys_io_cancel+0x2c7/0x2d0 [ 77.682481][ T5079] __se_sys_io_cancel+0x2c7/0x2d0 [ 77.687517][ T5079] do_syscall_64+0xf9/0x240 [ 77.692038][ T5079] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 77.697953][ T5079] RIP: 0033:0x7f0ed902faf9 [ 77.702376][ T5079] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 77.723023][ T5079] RSP: 002b:00007ffd80216058 EFLAGS: 00000246 ORIG_RAX: 00000000000000d2 [ 77.731452][ T5079] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ed902faf9 [ 77.739436][ T5079] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 00007f0ed8fba000 [ 77.747411][ T5079] RBP: 0000000000012e22 R08: 0000000000000000 R09: 0000000000000006 [ 77.755399][ T5079] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd8021606c [ 77.763382][ T5079] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 77.771376][ T5079] [ 77.774404][ T5079] [ 77.776727][ T5079] Allocated by task 5079: [ 77.781048][ T5079] kasan_save_track+0x3f/0x80 [ 77.785732][ T5079] __kasan_slab_alloc+0x66/0x80 [ 77.790583][ T5079] kmem_cache_alloc+0x16f/0x340 [ 77.795441][ T5079] io_submit_one+0x154/0x18b0 [ 77.800124][ T5079] __se_sys_io_submit+0x17f/0x300 [ 77.805149][ T5079] do_syscall_64+0xf9/0x240 [ 77.809654][ T5079] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 77.815556][ T5079] [ 77.817874][ T5079] Freed by task 55: [ 77.821673][ T5079] kasan_save_track+0x3f/0x80 [ 77.826351][ T5079] kasan_save_free_info+0x40/0x50 [ 77.831389][ T5079] poison_slab_object+0xa6/0xe0 [ 77.836243][ T5079] __kasan_slab_free+0x37/0x60 [ 77.841032][ T5079] kmem_cache_free+0x102/0x2a0 [ 77.845800][ T5079] aio_poll_complete_work+0x467/0x670 [ 77.851183][ T5079] process_scheduled_works+0x913/0x1420 [ 77.856738][ T5079] worker_thread+0xa5f/0x1000 [ 77.861426][ T5079] kthread+0x2ef/0x390 [ 77.865496][ T5079] ret_from_fork+0x4b/0x80 [ 77.869922][ T5079] ret_from_fork_asm+0x1b/0x30 [ 77.874692][ T5079] [ 77.877013][ T5079] Last potentially related work creation: [ 77.882721][ T5079] kasan_save_stack+0x3f/0x60 [ 77.887406][ T5079] __kasan_record_aux_stack+0xac/0xc0 [ 77.892784][ T5079] insert_work+0x3e/0x330 [ 77.897116][ T5079] __queue_work+0xbf4/0x1000 [ 77.901707][ T5079] queue_work_on+0x14f/0x250 [ 77.906295][ T5079] aio_poll_cancel+0xbb/0x130 [ 77.910971][ T5079] __se_sys_io_cancel+0x126/0x2d0 [ 77.915999][ T5079] do_syscall_64+0xf9/0x240 [ 77.920502][ T5079] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 77.926418][ T5079] [ 77.928738][ T5079] The buggy address belongs to the object at ffff888077597c80 [ 77.928738][ T5079] which belongs to the cache aio_kiocb of size 216 [ 77.942613][ T5079] The buggy address is located 32 bytes inside of [ 77.942613][ T5079] freed 216-byte region [ffff888077597c80, ffff888077597d58) [ 77.956338][ T5079] [ 77.958667][ T5079] The buggy address belongs to the physical page: [ 77.965075][ T5079] page:ffffea0001dd65c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77597 [ 77.975224][ T5079] flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) [ 77.982771][ T5079] page_type: 0xffffffff() [ 77.987104][ T5079] raw: 00fff00000000800 ffff888018fce780 dead000000000122 0000000000000000 [ 77.995692][ T5079] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 78.004265][ T5079] page dumped because: kasan: bad access detected [ 78.010671][ T5079] page_owner tracks the page as allocated [ 78.016381][ T5079] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5063, tgid 5063 (syz-executor143), ts 75204492533, free_ts 68699733502 [ 78.034957][ T5079] post_alloc_hook+0x1ea/0x210 [ 78.039740][ T5079] get_page_from_freelist+0x33ea/0x3580 [ 78.045291][ T5079] __alloc_pages+0x255/0x680 [ 78.049890][ T5079] alloc_slab_page+0x5f/0x160 [ 78.054571][ T5079] new_slab+0x84/0x2f0 [ 78.058643][ T5079] ___slab_alloc+0xd17/0x13e0 [ 78.063316][ T5079] kmem_cache_alloc+0x24d/0x340 [ 78.068174][ T5079] io_submit_one+0x154/0x18b0 [ 78.072857][ T5079] __se_sys_io_submit+0x17f/0x300 [ 78.077884][ T5079] do_syscall_64+0xf9/0x240 [ 78.082383][ T5079] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 78.088285][ T5079] page last free pid 5055 tgid 5055 stack trace: [ 78.094603][ T5079] free_unref_page_prepare+0x95d/0xa80 [ 78.100069][ T5079] free_unref_page+0x37/0x3f0 [ 78.104749][ T5079] pipe_read+0x6f5/0x13f0 [ 78.109081][ T5079] vfs_read+0x978/0xb70 [ 78.113237][ T5079] ksys_read+0x1a0/0x2c0 [ 78.117483][ T5079] do_syscall_64+0xf9/0x240 [ 78.121988][ T5079] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 78.127898][ T5079] [ 78.130217][ T5079] Memory state around the buggy address: [ 78.135840][ T5079] ffff888077597b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.143899][ T5079] ffff888077597c00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 78.151955][ T5079] >ffff888077597c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 78.160011][ T5079] ^ [ 78.165124][ T5079] ffff888077597d00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 78.173183][ T5079] ffff888077597d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 78.181238][ T5079] ================================================================== [ 78.194443][ T5079] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 78.201669][ T5079] CPU: 1 PID: 5079 Comm: syz-executor143 Not tainted 6.8.0-rc6-syzkaller-00238-g5ad3cb0ed525 #0 [ 78.212086][ T5079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 [ 78.222139][ T5079] Call Trace: [ 78.225416][ T5079] [ 78.228347][ T5079] dump_stack_lvl+0x1e7/0x2e0 [ 78.233035][ T5079] ? __pfx_dump_stack_lvl+0x10/0x10 [ 78.238235][ T5079] ? __pfx__printk+0x10/0x10 [ 78.242837][ T5079] ? vscnprintf+0x5d/0x90 [ 78.247171][ T5079] panic+0x349/0x860 [ 78.251075][ T5079] ? check_panic_on_warn+0x21/0xb0 [ 78.256190][ T5079] ? __pfx_panic+0x10/0x10 [ 78.260619][ T5079] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 78.266605][ T5079] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 78.272966][ T5079] ? print_report+0x4ff/0x540 [ 78.277655][ T5079] check_panic_on_warn+0x86/0xb0 [ 78.282614][ T5079] ? __se_sys_io_cancel+0x2c7/0x2d0 [ 78.287816][ T5079] end_report+0x6e/0x140 [ 78.292078][ T5079] kasan_report+0x153/0x180 [ 78.296587][ T5079] ? __se_sys_io_cancel+0x2c7/0x2d0 [ 78.301795][ T5079] __se_sys_io_cancel+0x2c7/0x2d0 [ 78.306834][ T5079] do_syscall_64+0xf9/0x240 [ 78.311340][ T5079] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 78.317245][ T5079] RIP: 0033:0x7f0ed902faf9 [ 78.321661][ T5079] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 78.341267][ T5079] RSP: 002b:00007ffd80216058 EFLAGS: 00000246 ORIG_RAX: 00000000000000d2 [ 78.349685][ T5079] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ed902faf9 [ 78.357658][ T5079] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 00007f0ed8fba000 [ 78.365629][ T5079] RBP: 0000000000012e22 R08: 0000000000000000 R09: 0000000000000006 [ 78.373600][ T5079] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd8021606c [ 78.381569][ T5079] R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 [ 78.389548][ T5079] [ 78.392662][ T5079] Kernel Offset: disabled [ 78.396986][ T5079] Rebooting in 86400 seconds..