./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2491329948
<...>
Warning: Permanently added '10.128.1.124' (ECDSA) to the list of known hosts.
execve("./syz-executor2491329948", ["./syz-executor2491329948"], 0x7ffed3a00960 /* 10 vars */) = 0
brk(NULL) = 0x555556ca6000
brk(0x555556ca6c40) = 0x555556ca6c40
arch_prctl(ARCH_SET_FS, 0x555556ca6300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2491329948", 4096) = 28
brk(0x555556cc7c40) = 0x555556cc7c40
brk(0x555556cc8000) = 0x555556cc8000
mprotect(0x7fe425a7e000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ca65d0) = 5077
./strace-static-x86_64: Process 5077 attached
[pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5077] setpgid(0, 0) = 0
[pid 5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5077] write(3, "1000", 4) = 4
[pid 5077] close(3) = 0
[pid 5077] openat(AT_FDCWD, "/dev/snd/midiC2D0", O_WRONLY|O_NOCTTY|O_SYNC|O_NOATIME) = 3
[pid 5077] dup(3) = 4
[pid 5077] io_uring_setup(27435, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 5
[pid 5077] mmap(0x20ee8000, 1179968, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 5, 0) = 0x20ee8000
[pid 5077] mmap(0x20ffd000, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 5, 0x10000000) = 0x20ffd000
[pid 5077] io_uring_enter(5, 17678, 0, 0, NULL, 0) = 1
[pid 5077] write(4, "\x30\x80\xee\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x6d\x69\x64\x69\x43\x23\x44\x23\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4294966572) = 4096
[pid 5077] exit_group(0) = ?
[ 57.313009][ T5077] ==================================================================
[ 57.321113][ T5077] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[ 57.328261][ T5077] Read of size 8 at addr ffff88801f65a948 by task syz-executor249/5077
[ 57.336658][ T5077]
[ 57.338982][ T5077] CPU: 0 PID: 5077 Comm: syz-executor249 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 57.348892][ T5077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 57.358962][ T5077] Call Trace:
[ 57.362346][ T5077] <TASK>
[ 57.365266][ T5077] dump_stack_lvl+0xd1/0x138
[ 57.369861][ T5077] print_report+0x15e/0x45d
[ 57.374356][ T5077] ? __phys_addr+0xc8/0x140
[ 57.378854][ T5077] ? io_fallback_tw+0x6d/0x119
[ 57.383618][ T5077] kasan_report+0xc0/0xf0
[ 57.387976][ T5077] ? io_fallback_tw+0x6d/0x119
[ 57.392753][ T5077] io_fallback_tw+0x6d/0x119
[ 57.397368][ T5077] tctx_task_work.cold+0xf/0x2c
[ 57.402238][ T5077] ? handle_tw_list+0x460/0x460
[ 57.407099][ T5077] ? lock_downgrade+0x6e0/0x6e0
[ 57.411960][ T5077] ? do_raw_spin_lock+0x124/0x2b0
[ 57.417007][ T5077] ? rwlock_bug.part.0+0x90/0x90
[ 57.421955][ T5077] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.427196][ T5077] task_work_run+0x16f/0x270
[ 57.431807][ T5077] ? task_work_cancel+0x30/0x30
[ 57.436681][ T5077] ? do_raw_spin_unlock+0x175/0x230
[ 57.441890][ T5077] do_exit+0xb17/0x2a90
[ 57.446066][ T5077] ? lock_downgrade+0x6e0/0x6e0
[ 57.450954][ T5077] ? do_raw_spin_lock+0x124/0x2b0
[ 57.455988][ T5077] ? mm_update_next_owner+0x7b0/0x7b0
[ 57.461381][ T5077] ? rwlock_bug.part.0+0x90/0x90
[ 57.466333][ T5077] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.471553][ T5077] do_group_exit+0xd4/0x2a0
[ 57.476076][ T5077] __x64_sys_exit_group+0x3e/0x50
[ 57.481103][ T5077] do_syscall_64+0x39/0xb0
[ 57.485530][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.491440][ T5077] RIP: 0033:0x7fe425a101c9
[ 57.495857][ T5077] Code: Unable to access opcode bytes at 0x7fe425a1019f.
[ 57.502964][ T5077] RSP: 002b:00007ffd5fb65db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.511381][ T5077] RAX: ffffffffffffffda RBX: 00007fe425a84350 RCX: 00007fe425a101c9
[ 57.519362][ T5077] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 57.527342][ T5077] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 57.535319][ T5077] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe425a84350
[ 57.543291][ T5077] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 57.551301][ T5077] </TASK>
[ 57.554316][ T5077]
[ 57.556633][ T5077] Allocated by task 5077:
[ 57.560954][ T5077] kasan_save_stack+0x22/0x40
[ 57.565642][ T5077] kasan_set_track+0x25/0x30
[ 57.570238][ T5077] __kasan_slab_alloc+0x7f/0x90
[ 57.575092][ T5077] kmem_cache_alloc_bulk+0x3aa/0x730
[ 57.580384][ T5077] __io_alloc_req_refill+0xcc/0x40b
[ 57.585592][ T5077] io_submit_sqes.cold+0x7c/0xc2
[ 57.590537][ T5077] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 57.596097][ T5077] do_syscall_64+0x39/0xb0
[ 57.600518][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.606425][ T5077]
[ 57.608745][ T5077] Freed by task 33:
[ 57.612543][ T5077] kasan_save_stack+0x22/0x40
[ 57.617227][ T5077] kasan_set_track+0x25/0x30
[ 57.621823][ T5077] kasan_save_free_info+0x2e/0x40
[ 57.626855][ T5077] ____kasan_slab_free+0x160/0x1c0
[ 57.631971][ T5077] slab_free_freelist_hook+0x8b/0x1c0
[ 57.637342][ T5077] kmem_cache_free+0xec/0x4e0
[ 57.642021][ T5077] io_req_caches_free+0x1a9/0x1e6
[ 57.647060][ T5077] io_ring_exit_work+0x2e7/0xc80
[ 57.652005][ T5077] process_one_work+0x9bf/0x1750
[ 57.656952][ T5077] worker_thread+0x669/0x1090
[ 57.661636][ T5077] kthread+0x2e8/0x3a0
[ 57.665707][ T5077] ret_from_fork+0x1f/0x30
[ 57.670141][ T5077]
[ 57.672469][ T5077] The buggy address belongs to the object at ffff88801f65a8c0
[ 57.672469][ T5077] which belongs to the cache io_kiocb of size 216
[ 57.686274][ T5077] The buggy address is located 136 bytes inside of
[ 57.686274][ T5077] 216-byte region [ffff88801f65a8c0, ffff88801f65a998)
[ 57.699905][ T5077]
[ 57.702225][ T5077] The buggy address belongs to the physical page:
[ 57.708626][ T5077] page:ffffea00007d9680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f65a
[ 57.718955][ T5077] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 57.726517][ T5077] raw: 00fff00000000200 ffff88801c1958c0 dead000000000122 0000000000000000
[ 57.735102][ T5077] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 57.743677][ T5077] page dumped because: kasan: bad access detected
[ 57.750082][ T5077] page_owner tracks the page as allocated
[ 57.755903][ T5077] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5077, tgid 5077 (syz-executor249), ts 57307254177, free_ts 52676347079
[ 57.774490][ T5077] get_page_from_freelist+0x11bb/0x2d50
[ 57.780053][ T5077] __alloc_pages+0x1cb/0x5c0
[ 57.784669][ T5077] alloc_pages+0x1aa/0x270
[ 57.789466][ T5077] allocate_slab+0x25f/0x350
[ 57.794057][ T5077] ___slab_alloc+0xa91/0x1400
[ 57.798761][ T5077] kmem_cache_alloc_bulk+0x23d/0x730
[ 57.804138][ T5077] __io_alloc_req_refill+0xcc/0x40b
[ 57.809342][ T5077] io_submit_sqes.cold+0x7c/0xc2
[ 57.814313][ T5077] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 57.819871][ T5077] do_syscall_64+0x39/0xb0
[ 57.824293][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.830208][ T5077] page last free stack trace:
[ 57.834870][ T5077] free_pcp_prepare+0x4d0/0x910
[ 57.839730][ T5077] free_unref_page+0x1d/0x490
[ 57.844421][ T5077] __vunmap+0x7fe/0xc00
[ 57.848579][ T5077] free_work+0x5c/0x80
[ 57.852655][ T5077] process_one_work+0x9bf/0x1750
[ 57.857598][ T5077] worker_thread+0x669/0x1090
[ 57.862283][ T5077] kthread+0x2e8/0x3a0
[ 57.866353][ T5077] ret_from_fork+0x1f/0x30
[ 57.870784][ T5077]
[ 57.873102][ T5077] Memory state around the buggy address:
[ 57.878817][ T5077] ffff88801f65a800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 57.886880][ T5077] ffff88801f65a880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 57.894938][ T5077] >ffff88801f65a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.902991][ T5077]                                               ^
[ 57.909398][ T5077] ffff88801f65a980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.917698][ T5077] ffff88801f65aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.926454][ T5077] ==================================================================
[ 57.938613][ T5077] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 57.945821][ T5077] CPU: 0 PID: 5077 Comm: syz-executor249 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 57.955725][ T5077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 57.965788][ T5077] Call Trace:
[ 57.969080][ T5077] <TASK>
[ 57.972001][ T5077] dump_stack_lvl+0xd1/0x138
[ 57.976583][ T5077] panic+0x2cc/0x626
[ 57.980565][ T5077] ? panic_print_sys_info.part.0+0x112/0x112
[ 57.986547][ T5077] ? preempt_schedule_thunk+0x1a/0x20
[ 57.991918][ T5077] ? preempt_schedule_common+0x59/0xc0
[ 57.997379][ T5077] check_panic_on_warn.cold+0x19/0x35
[ 58.002748][ T5077] end_report.part.0+0x36/0x73
[ 58.007511][ T5077] ? io_fallback_tw+0x6d/0x119
[ 58.012716][ T5077] kasan_report.cold+0xa/0xf
[ 58.017317][ T5077] ? io_fallback_tw+0x6d/0x119
[ 58.022095][ T5077] io_fallback_tw+0x6d/0x119
[ 58.026701][ T5077] tctx_task_work.cold+0xf/0x2c
[ 58.031561][ T5077] ? handle_tw_list+0x460/0x460
[ 58.036420][ T5077] ? lock_downgrade+0x6e0/0x6e0
[ 58.041277][ T5077] ? do_raw_spin_lock+0x124/0x2b0
[ 58.046337][ T5077] ? rwlock_bug.part.0+0x90/0x90
[ 58.051287][ T5077] ? _raw_spin_unlock_irq+0x23/0x50
[ 58.056518][ T5077] task_work_run+0x16f/0x270
[ 58.061128][ T5077] ? task_work_cancel+0x30/0x30
[ 58.065994][ T5077] ? do_raw_spin_unlock+0x175/0x230
[ 58.071203][ T5077] do_exit+0xb17/0x2a90
[ 58.075382][ T5077] ? lock_downgrade+0x6e0/0x6e0
[ 58.080241][ T5077] ? do_raw_spin_lock+0x124/0x2b0
[ 58.085283][ T5077] ? mm_update_next_owner+0x7b0/0x7b0
[ 58.090674][ T5077] ? rwlock_bug.part.0+0x90/0x90
[ 58.095626][ T5077] ? _raw_spin_unlock_irq+0x23/0x50
[ 58.100842][ T5077] do_group_exit+0xd4/0x2a0
[ 58.105370][ T5077] __x64_sys_exit_group+0x3e/0x50
[ 58.110399][ T5077] do_syscall_64+0x39/0xb0
[ 58.114824][ T5077] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.120736][ T5077] RIP: 0033:0x7fe425a101c9
[ 58.125184][ T5077] Code: Unable to access opcode bytes at 0x7fe425a1019f.
[ 58.132198][ T5077] RSP: 002b:00007ffd5fb65db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 58.140622][ T5077] RAX: ffffffffffffffda RBX: 00007fe425a84350 RCX: 00007fe425a101c9
[ 58.148593][ T5077] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 58.156564][ T5077] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 58.164537][ T5077] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe425a84350
[ 58.172518][ T5077] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 58.180518][ T5077] </TASK>
[ 58.183866][ T5077] Kernel Offset: disabled
[ 58.188186][ T5077] Rebooting in 86400 seconds..