./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2905694965

<...>
Warning: Permanently added '10.128.1.182' (ED25519) to the list of known hosts.
execve("./syz-executor2905694965", ["./syz-executor2905694965"], 0x7ffdc3b95f00 /* 10 vars */) = 0
brk(NULL)                               = 0x5555676db000
brk(0x5555676dbd00)                     = 0x5555676dbd00
arch_prctl(ARCH_SET_FS, 0x5555676db380) = 0
set_tid_address(0x5555676db650)         = 5829
set_robust_list(0x5555676db660, 24)     = 0
rseq(0x5555676dbca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2905694965", 4096) = 28
getrandom("\x51\xfd\x62\xfc\x11\xa5\xa7\x30", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x5555676dbd00
brk(0x5555676fcd00)                     = 0x5555676fcd00
brk(0x5555676fd000)                     = 0x5555676fd000
mprotect(0x7f9e43f83000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
[   62.179292][   T30] audit: type=1400 audit(1751771152.176:62): avc:  denied  { write } for  pid=5826 comm="strace-static-x" path="pipe:[4484]" dev="pipefs" ino=4484 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
write(1, "executing program\n", 18executing program
)     = 18
openat(AT_FDCWD, "/dev/comedi4", O_WRONLY|O_SYNC|O_CLOEXEC) = 3
epoll_create(3)                         = 4
epoll_ctl(4, EPOLL_CTL_ADD, 3, {events=EPOLLHUP|EPOLLET, data={u32=0, u64=0}}) = 0
[   62.219667][   T30] audit: type=1400 audit(1751771152.216:63): avc:  denied  { execmem } for  pid=5829 comm="syz-executor290" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   62.240408][   T30] audit: type=1400 audit(1751771152.246:64): avc:  denied  { write } for  pid=5829 comm="syz-executor290" name="comedi4" dev="devtmpfs" ino=1280 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
ioctl(3, COMEDI_DEVCONFIG, 0)           = 0
[   62.264168][   T30] audit: type=1400 audit(1751771152.246:65): avc:  denied  { open } for  pid=5829 comm="syz-executor290" path="/dev/comedi4" dev="devtmpfs" ino=1280 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   62.288563][   T30] audit: type=1400 audit(1751771152.266:66): avc:  denied  { ioctl } for  pid=5829 comm="syz-executor290" path="/dev/comedi4" dev="devtmpfs" ino=1280 ioctlcmd=0x6400 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
exit_group(0)                           = ?
[   62.317054][ T5829] ==================================================================
[   62.325140][ T5829] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3a/0x60
[   62.333343][ T5829] Read of size 1 at addr ffff888030692ab0 by task syz-executor290/5829
[   62.341563][ T5829] 
[   62.343879][ T5829] CPU: 0 UID: 0 PID: 5829 Comm: syz-executor290 Not tainted 6.16.0-rc4-syzkaller-00319-g05df91921da6 #0 PREEMPT(full) 
[   62.343894][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   62.343901][ T5829] Call Trace:
[   62.343905][ T5829]  <TASK>
[   62.343909][ T5829]  dump_stack_lvl+0x116/0x1f0
[   62.343929][ T5829]  print_report+0xcd/0x680
[   62.343946][ T5829]  ? __virt_addr_valid+0x81/0x610
[   62.343959][ T5829]  ? __phys_addr+0xe8/0x180
[   62.343972][ T5829]  ? _raw_spin_lock_irqsave+0x3a/0x60
[   62.343986][ T5829]  kasan_report+0xe0/0x110
[   62.344001][ T5829]  ? _raw_spin_lock_irqsave+0x3a/0x60
[   62.344016][ T5829]  ? _raw_spin_lock_irqsave+0x3a/0x60
[   62.344029][ T5829]  __kasan_check_byte+0x36/0x50
[   62.344045][ T5829]  lock_acquire+0xfc/0x350
[   62.344057][ T5829]  _raw_spin_lock_irqsave+0x3a/0x60
[   62.344070][ T5829]  ? remove_wait_queue+0x25/0x180
[   62.344085][ T5829]  remove_wait_queue+0x25/0x180
[   62.344100][ T5829]  ep_remove_wait_queue+0x85/0x1d0
[   62.344124][ T5829]  ep_clear_and_put+0x186/0x440
[   62.344138][ T5829]  ? __pfx_ep_eventpoll_release+0x10/0x10
[   62.344151][ T5829]  ep_eventpoll_release+0x3e/0x60
[   62.344165][ T5829]  __fput+0x3ff/0xb70
[   62.344175][ T5829]  ? _raw_spin_unlock_irq+0x23/0x50
[   62.344189][ T5829]  task_work_run+0x150/0x240
[   62.344202][ T5829]  ? __pfx_task_work_run+0x10/0x10
[   62.344213][ T5829]  ? do_raw_spin_unlock+0x172/0x230
[   62.344227][ T5829]  do_exit+0x86c/0x2bd0
[   62.344248][ T5829]  ? do_raw_spin_lock+0x12c/0x2b0
[   62.344264][ T5829]  ? __pfx_do_exit+0x10/0x10
[   62.344286][ T5829]  ? rcu_is_watching+0x12/0xc0
[   62.344306][ T5829]  do_group_exit+0xd3/0x2a0
[   62.344329][ T5829]  __x64_sys_exit_group+0x3e/0x50
[   62.344351][ T5829]  x64_sys_call+0x1530/0x1730
[   62.344368][ T5829]  do_syscall_64+0xcd/0x4c0
[   62.344393][ T5829]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   62.344410][ T5829] RIP: 0033:0x7f9e43f0ecb9
[   62.344423][ T5829] Code: Unable to access opcode bytes at 0x7f9e43f0ec8f.
[   62.344430][ T5829] RSP: 002b:00007fff517851d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   62.344444][ T5829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9e43f0ecb9
[   62.344460][ T5829] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   62.344468][ T5829] RBP: 00007f9e43f89290 R08: ffffffffffffffb8 R09: 00007fff517853f8
[   62.344477][ T5829] R10: 00007fff517853f8 R11: 0000000000000246 R12: 00007f9e43f89290
[   62.344486][ T5829] R13: 0000000000000000 R14: 00007f9e43f89ce0 R15: 00007f9e43ee0ab0
[   62.344499][ T5829]  </TASK>
[   62.344503][ T5829] 
[   62.588224][ T5829] Allocated by task 1:
[   62.592271][ T5829]  kasan_save_stack+0x33/0x60
[   62.596938][ T5829]  kasan_save_track+0x14/0x30
[   62.601599][ T5829]  __kasan_kmalloc+0xaa/0xb0
[   62.606175][ T5829]  comedi_device_postconfig+0x2cb/0xc80
[   62.611706][ T5829]  comedi_auto_config+0x1a3/0x440
[   62.616716][ T5829]  comedi_test_init+0xd0/0x160
[   62.621480][ T5829]  do_one_initcall+0x120/0x6e0
[   62.626226][ T5829]  kernel_init_freeable+0x5c2/0x900
[   62.631413][ T5829]  kernel_init+0x1c/0x2b0
[   62.635727][ T5829]  ret_from_fork+0x5d4/0x6f0
[   62.640320][ T5829]  ret_from_fork_asm+0x1a/0x30
[   62.645067][ T5829] 
[   62.647371][ T5829] Freed by task 5829:
[   62.651329][ T5829]  kasan_save_stack+0x33/0x60
[   62.655991][ T5829]  kasan_save_track+0x14/0x30
[   62.660652][ T5829]  kasan_save_free_info+0x3b/0x60
[   62.665658][ T5829]  __kasan_slab_free+0x51/0x70
[   62.670407][ T5829]  kfree+0x2b4/0x4d0
[   62.674284][ T5829]  comedi_device_detach+0x2a4/0x9e0
[   62.679471][ T5829]  do_devconfig_ioctl+0x46c/0x580
[   62.684488][ T5829]  comedi_unlocked_ioctl+0x15bb/0x2e90
[   62.689930][ T5829]  __x64_sys_ioctl+0x18e/0x210
[   62.694677][ T5829]  do_syscall_64+0xcd/0x4c0
[   62.699170][ T5829]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   62.705044][ T5829] 
[   62.707352][ T5829] The buggy address belongs to the object at ffff888030692a00
[   62.707352][ T5829]  which belongs to the cache kmalloc-256 of size 256
[   62.721384][ T5829] The buggy address is located 176 bytes inside of
[   62.721384][ T5829]  freed 256-byte region [ffff888030692a00, ffff888030692b00)
[   62.735160][ T5829] 
[   62.737475][ T5829] The buggy address belongs to the physical page:
[   62.743863][ T5829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888030692200 pfn:0x30692
[   62.753908][ T5829] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   62.762386][ T5829] flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
[   62.770867][ T5829] page_type: f5(slab)
[   62.774833][ T5829] raw: 00fff00000000240 ffff88801b841b40 ffffea0000c18d10 ffffea0000cd5510
[   62.783398][ T5829] raw: ffff888030692200 000000000010000e 00000000f5000000 0000000000000000
[   62.791964][ T5829] head: 00fff00000000240 ffff88801b841b40 ffffea0000c18d10 ffffea0000cd5510
[   62.800614][ T5829] head: ffff888030692200 000000000010000e 00000000f5000000 0000000000000000
[   62.809291][ T5829] head: 00fff00000000001 ffffea0000c1a481 00000000ffffffff 00000000ffffffff
[   62.817955][ T5829] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   62.826602][ T5829] page dumped because: kasan: bad access detected
[   62.833005][ T5829] page_owner tracks the page as allocated
[   62.838700][ T5829] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13048445995, free_ts 0
[   62.858418][ T5829]  post_alloc_hook+0x1c0/0x230
[   62.863172][ T5829]  get_page_from_freelist+0x1321/0x3890
[   62.868710][ T5829]  __alloc_frozen_pages_noprof+0x261/0x23f0
[   62.874589][ T5829]  alloc_pages_mpol+0x1fb/0x550
[   62.879427][ T5829]  new_slab+0x23b/0x330
[   62.883570][ T5829]  ___slab_alloc+0xd9c/0x1940
[   62.888257][ T5829]  __slab_alloc.constprop.0+0x56/0xb0
[   62.893613][ T5829]  __kmalloc_cache_noprof+0xfb/0x3e0
[   62.898882][ T5829]  bus_add_driver+0x92/0x690
[   62.903546][ T5829]  driver_register+0x15c/0x4b0
[   62.908305][ T5829]  usb_register_driver+0x216/0x4d0
[   62.913401][ T5829]  do_one_initcall+0x120/0x6e0
[   62.918148][ T5829]  kernel_init_freeable+0x5c2/0x900
[   62.923337][ T5829]  kernel_init+0x1c/0x2b0
[   62.927650][ T5829]  ret_from_fork+0x5d4/0x6f0
[   62.932231][ T5829]  ret_from_fork_asm+0x1a/0x30
[   62.936976][ T5829] page_owner free stack trace missing
[   62.942321][ T5829] 
[   62.944628][ T5829] Memory state around the buggy address:
[   62.950252][ T5829]  ffff888030692980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.958293][ T5829]  ffff888030692a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.966334][ T5829] >ffff888030692a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.974381][ T5829]                                      ^
[   62.979989][ T5829]  ffff888030692b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.988049][ T5829]  ffff888030692b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   62.996089][ T5829] ==================================================================
[   63.004142][ T5829] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   63.011336][ T5829] CPU: 0 UID: 0 PID: 5829 Comm: syz-executor290 Not tainted 6.16.0-rc4-syzkaller-00319-g05df91921da6 #0 PREEMPT(full) 
[   63.023738][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   63.033777][ T5829] Call Trace:
[   63.037040][ T5829]  <TASK>
[   63.039959][ T5829]  dump_stack_lvl+0x3d/0x1f0
[   63.044545][ T5829]  panic+0x71c/0x800
[   63.048437][ T5829]  ? __pfx_panic+0x10/0x10
[   63.052844][ T5829]  ? __pfx__printk+0x10/0x10
[   63.057417][ T5829]  ? end_report+0x4c/0x170
[   63.061822][ T5829]  ? check_panic_on_warn+0x1f/0xb0
[   63.066936][ T5829]  ? _raw_spin_lock_irqsave+0x3a/0x60
[   63.072308][ T5829]  check_panic_on_warn+0xab/0xb0
[   63.077239][ T5829]  end_report+0x107/0x170
[   63.081560][ T5829]  kasan_report+0xee/0x110
[   63.085968][ T5829]  ? _raw_spin_lock_irqsave+0x3a/0x60
[   63.091327][ T5829]  ? _raw_spin_lock_irqsave+0x3a/0x60
[   63.096686][ T5829]  __kasan_check_byte+0x36/0x50
[   63.101525][ T5829]  lock_acquire+0xfc/0x350
[   63.105927][ T5829]  _raw_spin_lock_irqsave+0x3a/0x60
[   63.111112][ T5829]  ? remove_wait_queue+0x25/0x180
[   63.116124][ T5829]  remove_wait_queue+0x25/0x180
[   63.120983][ T5829]  ep_remove_wait_queue+0x85/0x1d0
[   63.126084][ T5829]  ep_clear_and_put+0x186/0x440
[   63.130922][ T5829]  ? __pfx_ep_eventpoll_release+0x10/0x10
[   63.136628][ T5829]  ep_eventpoll_release+0x3e/0x60
[   63.141640][ T5829]  __fput+0x3ff/0xb70
[   63.145606][ T5829]  ? _raw_spin_unlock_irq+0x23/0x50
[   63.150791][ T5829]  task_work_run+0x150/0x240
[   63.155370][ T5829]  ? __pfx_task_work_run+0x10/0x10
[   63.160465][ T5829]  ? do_raw_spin_unlock+0x172/0x230
[   63.165651][ T5829]  do_exit+0x86c/0x2bd0
[   63.169799][ T5829]  ? do_raw_spin_lock+0x12c/0x2b0
[   63.174807][ T5829]  ? __pfx_do_exit+0x10/0x10
[   63.179388][ T5829]  ? rcu_is_watching+0x12/0xc0
[   63.184139][ T5829]  do_group_exit+0xd3/0x2a0
[   63.188632][ T5829]  __x64_sys_exit_group+0x3e/0x50
[   63.193645][ T5829]  x64_sys_call+0x1530/0x1730
[   63.198308][ T5829]  do_syscall_64+0xcd/0x4c0
[   63.202801][ T5829]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   63.208678][ T5829] RIP: 0033:0x7f9e43f0ecb9
[   63.213076][ T5829] Code: Unable to access opcode bytes at 0x7f9e43f0ec8f.
[   63.220082][ T5829] RSP: 002b:00007fff517851d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   63.228479][ T5829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9e43f0ecb9
[   63.236435][ T5829] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   63.244388][ T5829] RBP: 00007f9e43f89290 R08: ffffffffffffffb8 R09: 00007fff517853f8
[   63.252343][ T5829] R10: 00007fff517853f8 R11: 0000000000000246 R12: 00007f9e43f89290
[   63.260317][ T5829] R13: 0000000000000000 R14: 00007f9e43f89ce0 R15: 00007f9e43ee0ab0
[   63.268275][ T5829]  </TASK>
[   63.271481][ T5829] Kernel Offset: disabled
[   63.275783][ T5829] Rebooting in 86400 seconds..