./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3176081711
<...>
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
execve("./syz-executor3176081711", ["./syz-executor3176081711"], 0x7ffee4deae40 /* 10 vars */) = 0
brk(NULL) = 0x555556e60000
brk(0x555556e60d00) = 0x555556e60d00
arch_prctl(ARCH_SET_FS, 0x555556e603c0) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3176081711", 4096) = 28
brk(0x555556e81d00) = 0x555556e81d00
brk(0x555556e82000) = 0x555556e82000
mprotect(0x7f988c798000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 3611
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11) = 11
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2) = 2
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7) = 7
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "3611", 4) = 4
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7f988c6ee530, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f988c6ee800}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7f988c6ee530, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f988c6ee800}, NULL, 8) = 0
getpid() = 3611
mkdir("./syzkaller.wI68id", 0700) = 0
chmod("./syzkaller.wI68id", 0777) = 0
chdir("./syzkaller.wI68id") = 0
userfaultfd(UFFD_USER_MODE_ONLY|O_CLOEXEC) = 3
ioctl(3, UFFDIO_API, {api=0xaa, features=UFFD_FEATURE_EVENT_REMAP|UFFD_FEATURE_EVENT_REMOVE => features=UFFD_FEATURE_PAGEFAULT_FLAG_WP|UFFD_FEATURE_EVENT_FORK|UFFD_FEATURE_EVENT_REMAP|UFFD_FEATURE_EVENT_REMOVE|UFFD_FEATURE_MISSING_HUGETLBFS|UFFD_FEATURE_MISSING_SHMEM|UFFD_FEATURE_EVENT_UNMAP|UFFD_FEATURE_SIGBUS|UFFD_FEATURE_THREAD_ID|UFFD_FEATURE_MINOR_HUGETLBFS|UFFD_FEATURE_MINOR_SHMEM|0x800, ioctls=1<<_UFFDIO_REGISTER|1<<_UFFDIO_UNREGISTER|1<<_UFFDIO_API}) = 0
ioctl(3, UFFDIO_REGISTER, {range={start=0x200e2000, len=0xc00000}, mode=UFFDIO_REGISTER_MODE_MISSING, ioctls=1<<_UFFDIO_WAKE|1<<_UFFDIO_COPY|1<<_UFFDIO_ZEROPAGE}) = 0
openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
write(4, "14", 2) = 2
mremap(0x205de000, 16384, 53248, MREMAP_MAYMOVE|MREMAP_FIXED, 0x20440000) = -1 ENOMEM (Cannot allocate memory)
exit_group(0) = ?
[ 43.589336][ T3611] ==================================================================
[ 43.598629][ T3611] BUG: KASAN: use-after-free in anon_vma_interval_tree_remove+0xc7d/0xf30
[ 43.607128][ T3611] Read of size 8 at addr ffff88801bafb800 by task syz-executor317/3611
[ 43.615436][ T3611]
[ 43.617746][ T3611] CPU: 0 PID: 3611 Comm: syz-executor317 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0
[ 43.627630][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 43.637686][ T3611] Call Trace:
[ 43.640954][ T3611]
[ 43.643909][ T3611] dump_stack_lvl+0xcd/0x134
[ 43.648490][ T3611] print_report.cold+0x2ba/0x719
[ 43.653414][ T3611] ? anon_vma_interval_tree_remove+0xc7d/0xf30
[ 43.659571][ T3611] kasan_report+0xb1/0x1e0
[ 43.663995][ T3611] ? anon_vma_interval_tree_remove+0xc7d/0xf30
[ 43.670172][ T3611] anon_vma_interval_tree_remove+0xc7d/0xf30
[ 43.676153][ T3611] ? mas_find+0x20d/0xce0
[ 43.680493][ T3611] unlink_anon_vmas+0x218/0x840
[ 43.685515][ T3611] free_pgtables+0x24d/0x420
[ 43.690182][ T3611] ? free_pgd_range+0xbf0/0xbf0
[ 43.695029][ T3611] exit_mmap+0x1ec/0x720
[ 43.699269][ T3611] ? __ia32_sys_remap_file_pages+0x150/0x150
[ 43.705261][ T3611] __mmput+0x128/0x4c0
[ 43.709319][ T3611] mmput+0x5c/0x70
[ 43.713027][ T3611] do_exit+0xb4c/0x2b60
[ 43.717166][ T3611] ? lock_release+0x560/0x780
[ 43.721830][ T3611] ? lock_downgrade+0x6e0/0x6e0
[ 43.726664][ T3611] ? do_raw_spin_lock+0x120/0x2a0
[ 43.731688][ T3611] ? mm_update_next_owner+0x7b0/0x7b0
[ 43.737044][ T3611] ? rwlock_bug.part.0+0x90/0x90
[ 43.741972][ T3611] do_group_exit+0xd0/0x2a0
[ 43.746462][ T3611] __x64_sys_exit_group+0x3a/0x50
[ 43.751481][ T3611] do_syscall_64+0x35/0xb0
[ 43.755897][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.761781][ T3611] RIP: 0033:0x7f988c7325c9
[ 43.766184][ T3611] Code: Unable to access opcode bytes at RIP 0x7f988c73259f.
[ 43.773538][ T3611] RSP: 002b:00007ffcd7e47d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 43.781947][ T3611] RAX: ffffffffffffffda RBX: 00007f988c79e3d0 RCX: 00007f988c7325c9
[ 43.789903][ T3611] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 43.798044][ T3611] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007ffcd7003431
[ 43.806010][ T3611] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f988c79e3d0
[ 43.813976][ T3611] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 43.821938][ T3611]
[ 43.824953][ T3611]
[ 43.827283][ T3611] Allocated by task 3611:
[ 43.831611][ T3611] kasan_save_stack+0x1e/0x40
[ 43.836302][ T3611] __kasan_slab_alloc+0x90/0xc0
[ 43.841158][ T3611] kmem_cache_alloc+0x2b7/0x3d0
[ 43.846019][ T3611] vm_area_dup+0x81/0x380
[ 43.850342][ T3611] copy_vma+0x376/0x880
[ 43.854490][ T3611] move_vma+0x449/0xf60
[ 43.858628][ T3611] __do_sys_mremap+0x487/0x16b0
[ 43.863466][ T3611] do_syscall_64+0x35/0xb0
[ 43.867881][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.873765][ T3611]
[ 43.876073][ T3611] Freed by task 3611:
[ 43.880130][ T3611] kasan_save_stack+0x1e/0x40
[ 43.884797][ T3611] kasan_set_track+0x21/0x30
[ 43.889375][ T3611] kasan_set_free_info+0x20/0x30
[ 43.894294][ T3611] ____kasan_slab_free+0x166/0x1c0
[ 43.899395][ T3611] slab_free_freelist_hook+0x8b/0x1c0
[ 43.904766][ T3611] kmem_cache_free+0xe7/0x5b0
[ 43.909428][ T3611] copy_vma+0x6bc/0x880
[ 43.913578][ T3611] move_vma+0x449/0xf60
[ 43.917726][ T3611] __do_sys_mremap+0x487/0x16b0
[ 43.922644][ T3611] do_syscall_64+0x35/0xb0
[ 43.927056][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.932932][ T3611]
[ 43.935236][ T3611] The buggy address belongs to the object at ffff88801bafb798
[ 43.935236][ T3611] which belongs to the cache vm_area_struct of size 152
[ 43.949534][ T3611] The buggy address is located 104 bytes inside of
[ 43.949534][ T3611] 152-byte region [ffff88801bafb798, ffff88801bafb830)
[ 43.962789][ T3611]
[ 43.965096][ T3611] The buggy address belongs to the physical page:
[ 43.971487][ T3611] page:ffffea00006ebec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bafb
[ 43.981619][ T3611] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 43.989148][ T3611] raw: 00fff00000000200 ffffea000070ec80 dead000000000006 ffff888140006b40
[ 43.997735][ T3611] raw: 0000000000000000 0000000080120012 00000001ffffffff 0000000000000000
[ 44.006296][ T3611] page dumped because: kasan: bad access detected
[ 44.012686][ T3611] page_owner tracks the page as allocated
[ 44.018382][ T3611] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3320, tgid 3320 (rm), ts 23678290379, free_ts 23003543409
[ 44.035900][ T3611] get_page_from_freelist+0x109b/0x2ce0
[ 44.041431][ T3611] __alloc_pages+0x1c7/0x510
[ 44.046001][ T3611] alloc_pages+0x1a6/0x270
[ 44.050403][ T3611] allocate_slab+0x228/0x370
[ 44.054977][ T3611] ___slab_alloc+0xad0/0x1440
[ 44.059644][ T3611] __slab_alloc.constprop.0+0x4d/0xa0
[ 44.065002][ T3611] kmem_cache_alloc+0x31c/0x3d0
[ 44.069846][ T3611] vm_area_dup+0x81/0x380
[ 44.074169][ T3611] __split_vma+0x9f/0x5c0
[ 44.078508][ T3611] do_mas_align_munmap+0x27e/0xee0
[ 44.083637][ T3611] do_mas_munmap+0x26a/0x2b0
[ 44.088214][ T3611] mmap_region+0x219/0x1bf0
[ 44.092782][ T3611] do_mmap+0x825/0xf50
[ 44.096853][ T3611] vm_mmap_pgoff+0x1ab/0x270
[ 44.101436][ T3611] ksys_mmap_pgoff+0x41b/0x5a0
[ 44.106195][ T3611] do_syscall_64+0x35/0xb0
[ 44.110609][ T3611] page last free stack trace:
[ 44.115269][ T3611] free_pcp_prepare+0x5e4/0xd20
[ 44.120119][ T3611] free_unref_page_list+0x16f/0xb90
[ 44.125303][ T3611] release_pages+0xc6c/0x1590
[ 44.129967][ T3611] tlb_batch_pages_flush+0xa8/0x1a0
[ 44.135250][ T3611] tlb_finish_mmu+0x147/0x7e0
[ 44.139918][ T3611] exit_mmap+0x1fe/0x720
[ 44.144152][ T3611] __mmput+0x128/0x4c0
[ 44.148207][ T3611] mmput+0x5c/0x70
[ 44.152450][ T3611] do_exit+0xb4c/0x2b60
[ 44.156591][ T3611] do_group_exit+0xd0/0x2a0
[ 44.161078][ T3611] __x64_sys_exit_group+0x3a/0x50
[ 44.166086][ T3611] do_syscall_64+0x35/0xb0
[ 44.170487][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 44.176366][ T3611]
[ 44.178671][ T3611] Memory state around the buggy address:
[ 44.184294][ T3611] ffff88801bafb700: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 44.192338][ T3611] ffff88801bafb780: fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.200380][ T3611] >ffff88801bafb800: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[ 44.208417][ T3611] ^
[ 44.212462][ T3611] ffff88801bafb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.220503][ T3611] ffff88801bafb900: fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[ 44.228632][ T3611] ==================================================================
[ 44.237585][ T3611] Kernel panic - not syncing: panic_on_warn set ...
[ 44.244193][ T3611] CPU: 1 PID: 3611 Comm: syz-executor317 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0
[ 44.254429][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 44.264494][ T3611] Call Trace:
[ 44.267767][ T3611]
[ 44.270707][ T3611] dump_stack_lvl+0xcd/0x134
[ 44.275306][ T3611] panic+0x2c8/0x622
[ 44.279216][ T3611] ? panic_print_sys_info.part.0+0x110/0x110
[ 44.285221][ T3611] ? preempt_schedule_common+0x59/0xc0
[ 44.290688][ T3611] ? preempt_schedule_thunk+0x16/0x18
[ 44.296092][ T3611] ? anon_vma_interval_tree_remove+0xc7d/0xf30
[ 44.302254][ T3611] end_report.part.0+0x3f/0x7c
[ 44.307018][ T3611] kasan_report.cold+0xa/0xf
[ 44.311607][ T3611] ? anon_vma_interval_tree_remove+0xc7d/0xf30
[ 44.317773][ T3611] anon_vma_interval_tree_remove+0xc7d/0xf30
[ 44.323777][ T3611] ? mas_find+0x20d/0xce0
[ 44.328120][ T3611] unlink_anon_vmas+0x218/0x840
[ 44.332992][ T3611] free_pgtables+0x24d/0x420
[ 44.337588][ T3611] ? free_pgd_range+0xbf0/0xbf0
[ 44.342459][ T3611] exit_mmap+0x1ec/0x720
[ 44.346734][ T3611] ? __ia32_sys_remap_file_pages+0x150/0x150
[ 44.352744][ T3611] __mmput+0x128/0x4c0
[ 44.356831][ T3611] mmput+0x5c/0x70
[ 44.360567][ T3611] do_exit+0xb4c/0x2b60
[ 44.364786][ T3611] ? lock_release+0x560/0x780
[ 44.369472][ T3611] ? lock_downgrade+0x6e0/0x6e0
[ 44.374328][ T3611] ? do_raw_spin_lock+0x120/0x2a0
[ 44.379358][ T3611] ? mm_update_next_owner+0x7b0/0x7b0
[ 44.384731][ T3611] ? rwlock_bug.part.0+0x90/0x90
[ 44.389681][ T3611] do_group_exit+0xd0/0x2a0
[ 44.394188][ T3611] __x64_sys_exit_group+0x3a/0x50
[ 44.399219][ T3611] do_syscall_64+0x35/0xb0
[ 44.403649][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 44.409546][ T3611] RIP: 0033:0x7f988c7325c9
[ 44.413969][ T3611] Code: Unable to access opcode bytes at RIP 0x7f988c73259f.
[ 44.421325][ T3611] RSP: 002b:00007ffcd7e47d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.429741][ T3611] RAX: ffffffffffffffda RBX: 00007f988c79e3d0 RCX: 00007f988c7325c9
[ 44.437712][ T3611] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 44.445677][ T3611] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007ffcd7003431
[ 44.453653][ T3611] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f988c79e3d0
[ 44.461634][ T3611] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 44.469640][ T3611]
[ 44.472877][ T3611] Kernel Offset: disabled
[ 44.477204][ T3611] Rebooting in 86400 seconds..