./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3065005942 <...> no interfaces have a carrier forked to background, child pid 3183 [ 26.525679][ T3184] 8021q: adding VLAN 0 to HW filter on device bond0 [ 26.537180][ T3184] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.52' (ECDSA) to the list of known hosts. execve("./syz-executor3065005942", ["./syz-executor3065005942"], 0x7ffd76b32720 /* 10 vars */) = 0 brk(NULL) = 0x555555d75000 brk(0x555555d75c40) = 0x555555d75c40 arch_prctl(ARCH_SET_FS, 0x555555d75300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3065005942", 4096) = 28 brk(0x555555d96c40) = 0x555555d96c40 brk(0x555555d97000) = 0x555555d97000 mprotect(0x7fc367cff000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3613 attached , child_tidptr=0x555555d755d0) = 3613 [pid 3613] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3613] setpgid(0, 0) = 0 [pid 3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3613] write(3, "1000", 4) = 4 [pid 3613] close(3) = 0 [pid 3613] openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [pid 3613] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3613] write(4, "40", 2) = 2 [pid 3613] ioctl(3, KVM_CREATE_VM, 0) = 5 [pid 3613] exit_group(0) = ? syzkaller login: [ 49.310734][ T3613] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 49.328934][ T3613] debugfs: out of free dentries, can not create directory '3613-5' [pid 3613] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3613, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3617 attached , child_tidptr=0x555555d755d0) = 3617 [pid 3617] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3617] setpgid(0, 0) = 0 [pid 3617] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3617] write(3, "1000", 4) = 4 [pid 3617] close(3) = 0 [pid 3617] openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [pid 3617] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3617] write(4, "40", 2) = 2 [pid 3617] ioctl(3, KVM_CREATE_VM, 0) = -1 ENOMEM (Cannot allocate memory) [pid 3617] exit_group(0) = ? [pid 3617] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3617, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d755d0) = 3620 ./strace-static-x86_64: Process 3620 attached [pid 3620] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3620] setpgid(0, 0) = 0 [pid 3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3620] write(3, "1000", 4) = 4 [pid 3620] close(3) = 0 [pid 3620] openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [pid 3620] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3620] write(4, "40", 2) = 2 [ 49.492376][ T3620] ================================================================== [ 49.492386][ C1] BUG: unable to handle page fault for address: ffffc9000396a330 [ 49.492399][ C1] #PF: supervisor read access in kernel mode [ 49.500444][ T3620] BUG: KASAN: vmalloc-out-of-bounds in kvm_arch_hardware_enable+0x281/0x840 [ 49.508143][ C1] #PF: error_code(0x0000) - not-present page [ 49.514094][ T3620] Read of size 4 at addr ffffc9000396a330 by task syz-executor306/3620 [ 49.522741][ C1] PGD 11800067 P4D 11800067 [ 49.528689][ T3620] [ 49.528697][ T3620] CPU: 0 PID: 3620 Comm: syz-executor306 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 [ 49.536906][ C1] PUD 119c9067 [ 49.541475][ T3620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 49.543803][ C1] PMD 1cced067 PTE 0 [ 49.553929][ T3620] Call Trace: [ 49.553942][ T3620] [ 49.557380][ C1] [ 49.557389][ C1] Oops: 0000 [#1] PREEMPT SMP KASAN [ 49.567425][ T3620] dump_stack_lvl+0xcd/0x134 [ 49.571300][ C1] CPU: 1 PID: 3612 Comm: syz-executor306 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 [ 49.574573][ T3620] ? kvm_arch_hardware_enable+0x281/0x840 [ 49.577491][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 49.579797][ T3620] print_report.cold+0x59/0x719 [ 49.584971][ C1] RIP: 0010:kvm_arch_hardware_enable+0x2ab/0x840 [ 49.589544][ T3620] ? kvm_arch_hardware_enable+0x281/0x840 [ 49.599671][ C1] Code: 48 89 e8 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 0f b6 14 08 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ed 04 00 00 <41> 8b 95 30 13 00 00 4d 8d b5 40 12 00 00 b9 08 00 00 00 4c 89 fe [ 49.605366][ T3620] kasan_report+0xb1/0x1e0 [ 49.615396][ C1] RSP: 0018:ffffc900001e0ea0 EFLAGS: 00010082 [ 49.620229][ T3620] ? kvm_arch_hardware_enable+0x281/0x840 [ 49.626538][ C1] [ 49.626545][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81120fe0 [ 49.632249][ T3620] kasan_check_range+0x13d/0x180 [ 49.651833][ C1] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffc9000396a330 [ 49.656233][ T3620] kvm_arch_hardware_enable+0x281/0x840 [ 49.662269][ C1] RBP: ffffc9000396a330 R08: 0000000000000000 R09: 0000000000000003 [ 49.667972][ T3620] ? _flat_send_IPI_mask+0x53/0x60 [ 49.670285][ C1] R10: fffff5200072d466 R11: 0000000000000001 R12: 0000000000000000 [ 49.678235][ T3620] ? kvm_arch_vcpu_destroy+0x330/0x330 [ 49.683148][ C1] R13: ffffc90003969000 R14: 0023001000000000 R15: ffffc900001e0ef8 [ 49.691109][ T3620] ? send_call_function_single_ipi+0x1b5/0x320 [ 49.696637][ C1] FS: 0000555555d75300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 [ 49.704600][ T3620] ? sched_ttwu_pending+0x550/0x550 [ 49.709697][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.717641][ T3620] ? _raw_spin_unlock_irqrestore+0x50/0x70 [ 49.723075][ C1] CR2: ffffc9000396a330 CR3: 0000000071c38000 CR4: 00000000003526e0 [ 49.731026][ T3620] hardware_enable_nolock+0xa7/0x140 [ 49.737152][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 49.746057][ T3620] smp_call_function_many_cond+0x10e2/0x1430 [ 49.751223][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 49.757786][ T3620] ? vm_stat_fops_open+0x40/0x40 [ 49.763560][ C1] Call Trace: [ 49.763569][ C1] [ 49.771556][ T3620] ? smp_call_on_cpu+0x270/0x270 [ 49.776815][ C1] ? kvm_arch_vcpu_destroy+0x330/0x330 [ 49.784763][ T3620] ? lockdep_init_map_type+0x21a/0x7f0 [ 49.790716][ C1] ? sched_clock_cpu+0x69/0x2b0 [ 49.798668][ T3620] ? do_raw_spin_lock+0x120/0x2a0 [ 49.803576][ C1] ? cpuacct_all_seq_show+0x520/0x520 [ 49.806838][ T3620] ? rwlock_bug.part.0+0x90/0x90 [ 49.809666][ C1] hardware_enable_nolock+0xa7/0x140 [ 49.814574][ T3620] ? vm_stat_fops_open+0x40/0x40 [ 49.820006][ C1] __flush_smp_call_function_queue+0x205/0x9a0 [ 49.825437][ T3620] on_each_cpu_cond_mask+0x56/0xa0 [ 49.830262][ C1] ? vm_stat_fops_open+0x40/0x40 [ 49.835263][ T3620] kvm_dev_ioctl+0x131b/0x1ce0 [ 49.840602][ C1] __sysvec_call_function_single+0x95/0x3d0 [ 49.845519][ T3620] ? kvm_stat_data_open+0x380/0x380 [ 49.850767][ C1] sysvec_call_function_single+0x8e/0xc0 [ 49.855680][ T3620] ? _raw_spin_unlock_irq+0x1f/0x40 [ 49.861801][ C1] [ 49.866882][ T3620] ? bpf_lsm_file_ioctl+0x5/0x10 [ 49.871787][ C1] [ 49.871796][ C1] asm_sysvec_call_function_single+0x16/0x20 [ 49.876527][ T3620] ? kvm_stat_data_open+0x380/0x380 [ 49.882394][ C1] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 49.887566][ T3620] __x64_sys_ioctl+0x193/0x200 [ 49.893171][ C1] Code: 74 24 10 e8 8a 76 dd f7 48 89 ef e8 12 f8 dd f7 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 13 b9 d0 f7 65 8b 05 3c 72 80 76 85 c0 74 0a 5b 5d c3 e8 30 81 [ 49.898342][ T3620] do_syscall_64+0x35/0xb0 [ 49.901258][ C1] RSP: 0018:ffffc900038efc88 EFLAGS: 00000206 [ 49.906167][ T3620] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 49.909078][ C1] [ 49.909083][ C1] RAX: 0000000000000006 RBX: 0000000000000200 RCX: 1ffffffff211c6ce [ 49.915030][ T3620] RIP: 0033:0x7fc367c92049 [ 49.920197][ C1] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001 [ 49.926583][ T3620] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 49.931314][ C1] RBP: ffff88802755d340 R08: 0000000000000001 R09: ffffffff908db957 [ 49.950894][ T3620] RSP: 002b:00007ffff927cd18 EFLAGS: 00000246 [ 49.955281][ C1] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801f710000 [ 49.961319][ T3620] ORIG_RAX: 0000000000000010 [ 49.967181][ C1] R13: ffff88802755d340 R14: ffffc900038efd20 R15: 0000000000000246 [ 49.969486][ T3620] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fc367c92049 [ 49.977443][ C1] do_notify_parent_cldstop+0x569/0xa40 [ 49.981823][ T3620] RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003 [ 49.989772][ C1] ? force_sigsegv+0x150/0x150 [ 50.009352][ T3620] RBP: 00007ffff927cd30 R08: 0000000000000002 R09: 0000000000000001 [ 50.017300][ C1] ? lock_release+0x780/0x780 [ 50.023337][ T3620] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 50.031284][ C1] ? ptrace_stop.part.0+0x2f1/0xa80 [ 50.035935][ T3620] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 50.043882][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 50.051838][ T3620] [ 50.057349][ C1] ? _raw_spin_unlock_irq+0x1f/0x40 [ 50.065294][ T3620] [ 50.065303][ T3620] Memory state around the buggy address: [ 50.070032][ C1] ptrace_stop.part.0+0x834/0xa80 [ 50.077982][ T3620] ffffc9000396a200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.082627][ C1] ptrace_do_notify+0x215/0x2b0 [ 50.090576][ T3620] ffffc9000396a280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.095743][ C1] ? ptrace_stop.part.0+0xa80/0xa80 [ 50.103696][ T3620] >ffffc9000396a300: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.108512][ C1] ? _raw_spin_lock_irq+0x41/0x50 [ 50.111511][ T3620] ^ [ 50.116681][ C1] ptrace_notify+0xc4/0x140 [ 50.118988][ T3620] ffffc9000396a380: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.124588][ C1] syscall_exit_to_user_mode_prepare+0x129/0x280 [ 50.129590][ T3620] ffffc9000396a400: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 50.137621][ C1] syscall_exit_to_user_mode+0x9/0x50 [ 50.142443][ T3620] ================================================================== [ 50.150475][ C1] do_syscall_64+0x42/0xb0 [ 50.155644][ T3620] Kernel panic - not syncing: panic_on_warn set ... [ 50.163678][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 50.168694][ C1] RIP: 0033:0x7fc367c90a56 [ 50.174314][ C1] Code: 0f 1f 40 00 31 c9 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 49 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 90 48 83 ec 28 89 54 24 14 48 89 74 24 [ 50.178803][ C1] RSP: 002b:00007ffff927cd18 EFLAGS: 00000246 ORIG_RAX: 000000000000003d [ 50.193150][ C1] RAX: 0000000000000000 RBX: 000000000000c141 RCX: 00007fc367c90a56 [ 50.201192][ C1] RDX: 0000000040000001 RSI: 00007ffff927cd2c RDI: 00000000ffffffff [ 50.206547][ C1] RBP: 0000000000000e24 R08: 0000000000000031 R09: 00007ffff929e080 [ 50.214592][ C1] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffff927cd2c [ 50.218990][ C1] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 50.225562][ C1] [ 50.231428][ C1] Modules linked in: [ 50.255402][ C1] CR2: ffffc9000396a330 [ 50.271734][ C1] ---[ end trace 0000000000000000 ]--- [ 50.279688][ C1] RIP: 0010:kvm_arch_hardware_enable+0x2ab/0x840 [ 50.287660][ C1] Code: 48 89 e8 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 0f b6 14 08 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ed 04 00 00 <41> 8b 95 30 13 00 00 4d 8d b5 40 12 00 00 b9 08 00 00 00 4c 89 fe [ 50.295620][ C1] RSP: 0018:ffffc900001e0ea0 EFLAGS: 00010082 [ 50.306573][ C1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81120fe0 [ 50.310452][ C1] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffc9000396a330 [ 50.314589][ C1] RBP: ffffc9000396a330 R08: 0000000000000000 R09: 0000000000000003 [ 50.320030][ C1] R10: fffff5200072d466 R11: 0000000000000001 R12: 0000000000000000 [ 50.326340][ C1] R13: ffffc90003969000 R14: 0023001000000000 R15: ffffc900001e0ef8 [ 50.345931][ C1] FS: 0000555555d75300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 [ 50.351984][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 50.359943][ C1] CR2: ffffc9000396a330 CR3: 0000000071c38000 CR4: 00000000003526e0 [ 50.367906][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 50.375860][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 51.245071][ T3620] Shutting down cpus with NMI [ 51.298189][ T3620] Kernel Offset: disabled [ 51.302515][ T3620] Rebooting in 86400 seconds..