./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2509775066 <...> Warning: Permanently added '10.128.0.194' (ECDSA) to the list of known hosts. execve("./syz-executor2509775066", ["./syz-executor2509775066"], 0x7ffea4b0fc40 /* 10 vars */) = 0 brk(NULL) = 0x5555562ab000 brk(0x5555562abd40) = 0x5555562abd40 arch_prctl(ARCH_SET_FS, 0x5555562ab400) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555562ab6d0) = 3604 set_robust_list(0x5555562ab6e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f7393a70e30, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f7393a70380}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f7393a70ed0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f7393a70380}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2509775066", 4096) = 28 brk(0x5555562ccd40) = 0x5555562ccd40 brk(0x5555562cd000) = 0x5555562cd000 mprotect(0x7f7393b32000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f7393a6a360, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f7393a70380}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f7393a6a360, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f7393a70380}, NULL, 8) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555562ab6d0) = 3605 ./strace-static-x86_64: Process 3605 attached [pid 3605] set_robust_list(0x5555562ab6e0, 24) = 0 [pid 3605] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3605] setpgid(0, 0) = 0 [pid 3605] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3605] write(3, "1000", 4) = 4 [pid 3605] close(3) = 0 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7393a3f000 [pid 3605] mprotect(0x7f7393a40000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3605] clone(child_stack=0x7f7393a5f2f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3606], tls=0x7f7393a5f700, child_tidptr=0x7f7393a5f9d0) = 3606 [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3606 attached [pid 3606] set_robust_list(0x7f7393a5f9e0, 24) = 0 [pid 3606] openat(AT_FDCWD, NULL, O_RDONLY) = -1 EFAULT (Bad address) [pid 3606] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] dup(-1) = -1 EBADF (Bad file descriptor) [pid 3606] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] userfaultfd(UFFD_USER_MODE_ONLY|O_CLOEXEC) = 3 [pid 3606] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(3, UFFDIO_API, {api=0xaa, features=0 => features=UFFD_FEATURE_PAGEFAULT_FLAG_WP|UFFD_FEATURE_EVENT_FORK|UFFD_FEATURE_EVENT_REMAP|UFFD_FEATURE_EVENT_REMOVE|UFFD_FEATURE_MISSING_HUGETLBFS|UFFD_FEATURE_MISSING_SHMEM|UFFD_FEATURE_EVENT_UNMAP|UFFD_FEATURE_SIGBUS|UFFD_FEATURE_THREAD_ID|UFFD_FEATURE_MINOR_HUGETLBFS|UFFD_FEATURE_MINOR_SHMEM|0x800, ioctls=1<<_UFFDIO_REGISTER|1<<_UFFDIO_UNREGISTER|1<<_UFFDIO_API}) = 0 [pid 3606] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 3605] <... futex resumed>) = 0 [pid 3606] <... futex resumed>) = 1 [pid 3606] ioctl(3, UFFDIO_REGISTER, {range={start=0x200e2000, len=0xc00000}, mode=UFFDIO_REGISTER_MODE_MISSING [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... ioctl resumed>, ioctls=1<<_UFFDIO_WAKE|1<<_UFFDIO_COPY|1<<_UFFDIO_ZEROPAGE}) = 0 [pid 3606] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3606] futex(0x7f7393b383e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3605] <... futex resumed>) = 0 [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3606] <... futex resumed>) = 0 [pid 3606] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x10} --- [pid 3606] futex(0x7f7393b383ec, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3605] <... futex resumed>) = 0 [pid 3606] futex(0x7f7393b383e8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3605] futex(0x7f7393b383e8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3606] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3605] <... futex resumed>) = 0 [pid 3606] ioctl(3, UFFDIO_UNREGISTER, {start=0x202f8000, len=0x1000} [pid 3605] futex(0x7f7393b383ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) syzkaller login: [ 40.752862][ T3606] ================================================================== [ 40.760950][ T3606] BUG: KASAN: use-after-free in mas_next_nentry+0x9e4/0xab0 [ 40.768234][ T3606] Read of size 8 at addr ffff888076721a20 by task syz-executor250/3606 [ 40.776458][ T3606] [ 40.778815][ T3606] CPU: 0 PID: 3606 Comm: syz-executor250 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0 [ 40.788709][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 40.798747][ T3606] Call Trace: [ 40.802011][ T3606] [ 40.804936][ T3606] dump_stack_lvl+0xcd/0x134 [ 40.809521][ T3606] print_report.cold+0x2ba/0x719 [ 40.814448][ T3606] ? mas_next_nentry+0x9e4/0xab0 [ 40.819385][ T3606] kasan_report+0xb1/0x1e0 [ 40.823794][ T3606] ? mas_next_nentry+0x9e4/0xab0 [ 40.828744][ T3606] mas_next_nentry+0x9e4/0xab0 [ 40.833509][ T3606] mas_next+0x1fb/0xc90 [ 40.837661][ T3606] userfaultfd_ioctl+0x33c3/0x4200 [ 40.842770][ T3606] ? userfaultfd_release+0x680/0x680 [ 40.848052][ T3606] ? rcu_read_lock_sched_held+0xd/0x70 [ 40.853499][ T3606] ? lock_release+0x560/0x780 [ 40.858171][ T3606] ? name_to_dev_t+0x760/0x990 [ 40.862952][ T3606] ? bpf_lsm_file_ioctl+0x5/0x10 [ 40.867899][ T3606] ? userfaultfd_release+0x680/0x680 [ 40.873199][ T3606] __x64_sys_ioctl+0x193/0x200 [ 40.877988][ T3606] do_syscall_64+0x35/0xb0 [ 40.882434][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 40.888337][ T3606] RIP: 0033:0x7f7393aaf909 [ 40.892756][ T3606] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 40.912456][ T3606] RSP: 002b:00007f7393a5f208 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 40.920884][ T3606] RAX: ffffffffffffffda RBX: 00007f7393b383e8 RCX: 00007f7393aaf909 [ 40.928862][ T3606] RDX: 0000000020000240 RSI: 000000008010aa01 RDI: 0000000000000003 [ 40.936857][ T3606] RBP: 00007f7393b383e0 R08: 0000000000000000 R09: 0000000000000000 [ 40.944916][ T3606] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7393b383ec [ 40.952976][ T3606] R13: 00007fff099d5c8f R14: 00007f7393a5f300 R15: 0000000000022000 [ 40.960988][ T3606] [ 40.964012][ T3606] [ 40.966332][ T3606] Allocated by task 3604: [ 40.970653][ T3606] kasan_save_stack+0x1e/0x40 [ 40.975347][ T3606] __kasan_slab_alloc+0x90/0xc0 [ 40.980220][ T3606] kmem_cache_alloc_bulk+0x3f8/0x860 [ 40.985529][ T3606] mas_alloc_nodes+0x309/0x810 [ 40.990309][ T3606] mas_node_count_gfp+0x106/0x140 [ 40.995345][ T3606] mas_expected_entries+0x113/0x200 [ 41.000542][ T3606] dup_mmap+0x4ca/0x10b0 [ 41.004794][ T3606] dup_mm+0x91/0x370 [ 41.008696][ T3606] copy_process+0x3be1/0x7120 [ 41.013381][ T3606] kernel_clone+0xe7/0xab0 [ 41.017806][ T3606] __do_sys_clone+0xba/0x100 [ 41.022405][ T3606] do_syscall_64+0x35/0xb0 [ 41.026831][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.032734][ T3606] [ 41.035053][ T3606] Freed by task 3606: [ 41.039025][ T3606] kasan_save_stack+0x1e/0x40 [ 41.043712][ T3606] kasan_set_track+0x21/0x30 [ 41.048312][ T3606] kasan_set_free_info+0x20/0x30 [ 41.053254][ T3606] ____kasan_slab_free+0x166/0x1c0 [ 41.058375][ T3606] slab_free_freelist_hook+0x8b/0x1c0 [ 41.063756][ T3606] kmem_cache_free_bulk.part.0+0x205/0x780 [ 41.069657][ T3606] mas_destroy+0x394/0x5c0 [ 41.074089][ T3606] mas_store_prealloc+0xec/0x150 [ 41.079045][ T3606] __vma_adjust+0xc47/0x1a70 [ 41.083648][ T3606] __split_vma+0x4b0/0x5c0 [ 41.088082][ T3606] split_vma+0x9f/0xe0 [ 41.092167][ T3606] userfaultfd_ioctl+0x3855/0x4200 [ 41.097303][ T3606] __x64_sys_ioctl+0x193/0x200 [ 41.102078][ T3606] do_syscall_64+0x35/0xb0 [ 41.106509][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.112412][ T3606] [ 41.114728][ T3606] The buggy address belongs to the object at ffff888076721a00 [ 41.114728][ T3606] which belongs to the cache maple_node of size 256 [ 41.128714][ T3606] The buggy address is located 32 bytes inside of [ 41.128714][ T3606] 256-byte region [ffff888076721a00, ffff888076721b00) [ 41.141900][ T3606] [ 41.144220][ T3606] The buggy address belongs to the physical page: [ 41.150635][ T3606] page:ffffea0001d9c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76720 [ 41.160790][ T3606] head:ffffea0001d9c800 order:1 compound_mapcount:0 compound_pincount:0 [ 41.169113][ T3606] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 41.177101][ T3606] raw: 00fff00000010200 ffffea0001d9c880 dead000000000003 ffff88801184fdc0 [ 41.185774][ T3606] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 41.194354][ T3606] page dumped because: kasan: bad access detected [ 41.200761][ T3606] page_owner tracks the page as allocated [ 41.206553][ T3606] page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3308, tgid 3308 (dhcpcd-run-hook), ts 23803367813, free_ts 21911174041 [ 41.226092][ T3606] get_page_from_freelist+0x109b/0x2ce0 [ 41.231645][ T3606] __alloc_pages+0x1c7/0x510 [ 41.236234][ T3606] alloc_pages+0x1a6/0x270 [ 41.240662][ T3606] allocate_slab+0x228/0x370 [ 41.245260][ T3606] ___slab_alloc+0xad0/0x1440 [ 41.249946][ T3606] kmem_cache_alloc_bulk+0x291/0x860 [ 41.255240][ T3606] mas_alloc_nodes+0x309/0x810 [ 41.260016][ T3606] mas_node_count_gfp+0x106/0x140 [ 41.265049][ T3606] mas_expected_entries+0x113/0x200 [ 41.270251][ T3606] dup_mmap+0x4ca/0x10b0 [ 41.274504][ T3606] dup_mm+0x91/0x370 [ 41.278409][ T3606] copy_process+0x3be1/0x7120 [ 41.283114][ T3606] kernel_clone+0xe7/0xab0 [ 41.287538][ T3606] __do_sys_clone+0xba/0x100 [ 41.292134][ T3606] do_syscall_64+0x35/0xb0 [ 41.296555][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.302451][ T3606] page last free stack trace: [ 41.307114][ T3606] free_pcp_prepare+0x5e4/0xd20 [ 41.311976][ T3606] free_unref_page+0x19/0x4d0 [ 41.316666][ T3606] __unfreeze_partials+0x17c/0x1a0 [ 41.321784][ T3606] qlist_free_all+0x6a/0x170 [ 41.326372][ T3606] kasan_quarantine_reduce+0x180/0x200 [ 41.331833][ T3606] __kasan_slab_alloc+0xa2/0xc0 [ 41.336700][ T3606] kmem_cache_alloc+0x2b7/0x3d0 [ 41.341559][ T3606] getname_flags.part.0+0x50/0x4f0 [ 41.346669][ T3606] getname_flags+0x9a/0xe0 [ 41.351103][ T3606] user_path_at_empty+0x2b/0x60 [ 41.355954][ T3606] do_readlinkat+0xcd/0x2f0 [ 41.360460][ T3606] __x64_sys_readlink+0x74/0xb0 [ 41.365405][ T3606] do_syscall_64+0x35/0xb0 [ 41.369850][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.375750][ T3606] [ 41.378067][ T3606] Memory state around the buggy address: [ 41.383691][ T3606] ffff888076721900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.391765][ T3606] ffff888076721980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.399824][ T3606] >ffff888076721a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.407884][ T3606] ^ [ 41.412986][ T3606] ffff888076721a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.421046][ T3606] ffff888076721b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.429104][ T3606] ================================================================== [ 41.437546][ T3606] Kernel panic - not syncing: panic_on_warn set ... [ 41.444149][ T3606] CPU: 0 PID: 3606 Comm: syz-executor250 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0 [ 41.454055][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 41.464113][ T3606] Call Trace: [ 41.467392][ T3606] [ 41.470326][ T3606] dump_stack_lvl+0xcd/0x134 [ 41.474948][ T3606] panic+0x2c8/0x622 [ 41.478859][ T3606] ? panic_print_sys_info.part.0+0x110/0x110 [ 41.484861][ T3606] ? preempt_schedule_common+0x59/0xc0 [ 41.490333][ T3606] ? preempt_schedule_thunk+0x16/0x18 [ 41.495725][ T3606] ? mas_next_nentry+0x9e4/0xab0 [ 41.500699][ T3606] end_report.part.0+0x3f/0x7c [ 41.505472][ T3606] kasan_report.cold+0xa/0xf [ 41.510070][ T3606] ? mas_next_nentry+0x9e4/0xab0 [ 41.515023][ T3606] mas_next_nentry+0x9e4/0xab0 [ 41.519809][ T3606] mas_next+0x1fb/0xc90 [ 41.523990][ T3606] userfaultfd_ioctl+0x33c3/0x4200 [ 41.529139][ T3606] ? userfaultfd_release+0x680/0x680 [ 41.534450][ T3606] ? rcu_read_lock_sched_held+0xd/0x70 [ 41.539916][ T3606] ? lock_release+0x560/0x780 [ 41.544606][ T3606] ? name_to_dev_t+0x760/0x990 [ 41.549389][ T3606] ? bpf_lsm_file_ioctl+0x5/0x10 [ 41.554338][ T3606] ? userfaultfd_release+0x680/0x680 [ 41.559637][ T3606] __x64_sys_ioctl+0x193/0x200 [ 41.564412][ T3606] do_syscall_64+0x35/0xb0 [ 41.568840][ T3606] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.574739][ T3606] RIP: 0033:0x7f7393aaf909 [ 41.579162][ T3606] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 41.598778][ T3606] RSP: 002b:00007f7393a5f208 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 41.607200][ T3606] RAX: ffffffffffffffda RBX: 00007f7393b383e8 RCX: 00007f7393aaf909 [ 41.615189][ T3606] RDX: 0000000020000240 RSI: 000000008010aa01 RDI: 0000000000000003 [ 41.623162][ T3606] RBP: 00007f7393b383e0 R08: 0000000000000000 R09: 0000000000000000 [ 41.631137][ T3606] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7393b383ec [ 41.639111][ T3606] R13: 00007fff099d5c8f R14: 00007f7393a5f300 R15: 0000000000022000 [ 41.647093][ T3606] [ 41.650284][ T3606] Kernel Offset: disabled [ 41.654609][ T3606] Rebooting in 86400 seconds..