./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3144305891 <...> Warning: Permanently added '10.128.1.81' (ECDSA) to the list of known hosts. execve("./syz-executor3144305891", ["./syz-executor3144305891"], 0x7ffddf8adc90 /* 10 vars */) = 0 brk(NULL) = 0x555555e56000 brk(0x555555e56c40) = 0x555555e56c40 arch_prctl(ARCH_SET_FS, 0x555555e56300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555555e565d0) = 3607 set_robust_list(0x555555e565e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fc2d0ff8dd0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fc2d0ff94a0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fc2d0ff8e70, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fc2d0ff94a0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3144305891", 4096) = 28 brk(0x555555e77c40) = 0x555555e77c40 brk(0x555555e78000) = 0x555555e78000 mprotect(0x7fc2d10b9000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7fc2d10bf40c, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc2d0fc9000 mprotect(0x7fc2d0fca000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7fc2d0fe93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3608], tls=0x7fc2d0fe9700, child_tidptr=0x7fc2d0fe99d0) = 3608 futex(0x7fc2d10bf408, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3608 attached [pid 3608] set_robust_list(0x7fc2d0fe99e0, 24) = 0 [pid 3608] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 3 [pid 3608] futex(0x7fc2d10bf40c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3607] <... futex resumed>) = 0 [pid 3607] futex(0x7fc2d10bf408, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3608] <... futex resumed>) = 1 [pid 3608] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651 [pid 3607] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3607] futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3607] futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3607] futex(0x7fc2d10bf41c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc2d0fa8000 [pid 3607] mprotect(0x7fc2d0fa9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3607] clone(child_stack=0x7fc2d0fc83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3609], tls=0x7fc2d0fc8700, child_tidptr=0x7fc2d0fc89d0) = 3609 [pid 3607] futex(0x7fc2d10bf418, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] futex(0x7fc2d10bf41c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 3609 attached [pid 3609] set_robust_list(0x7fc2d0fc89e0, 24) = 0 [pid 3609] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 3, 0 [pid 3608] <... write resumed>) = 3461120 [pid 3608] futex(0x7fc2d10bf40c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3608] futex(0x7fc2d10bf408, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3609] <... mmap resumed>) = 0x20000000 [pid 3609] futex(0x7fc2d10bf41c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3607] <... futex resumed>) = 0 [pid 3609] <... futex resumed>) = 1 [pid 3607] futex(0x7fc2d10bf408, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3609] futex(0x7fc2d10bf418, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3607] futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3608] <... futex resumed>) = 0 [pid 3608] socket(AF_RDS, SOCK_SEQPACKET, 0) = 4 [pid 3608] futex(0x7fc2d10bf40c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3607] <... futex resumed>) = 0 [pid 3607] futex(0x7fc2d10bf408, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3608] <... futex resumed>) = 1 [pid 3608] bind(4, 0x20000040, 16) = 0 [pid 3608] futex(0x7fc2d10bf40c, FUTEX_WAKE_PRIVATE, 1000000 [pid 3607] <... futex resumed>) = 0 [pid 3607] futex(0x7fc2d10bf408, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3607] futex(0x7fc2d10bf40c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3608] <... futex resumed>) = 1 [ 50.661684][ T3608] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN [ 50.673422][ T3608] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 50.681840][ T3608] CPU: 0 PID: 3608 Comm: syz-executor314 Not tainted 6.0.0-rc1-next-20220817-syzkaller #0 [ 50.691716][ T3608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 50.701759][ T3608] RIP: 0010:sanity_check_pinned_pages+0x25e/0xec0 [ 50.708172][ T3608] Code: a2 06 00 00 e8 f3 8a c9 ff 4c 89 f0 48 c1 e8 03 80 3c 18 00 0f 85 8e 0a 00 00 4d 8b 26 49 8d 44 24 08 48 89 04 24 48 c1 e8 03 <80> 3c 18 00 0f 85 8b 0a 00 00 49 8b 6c 24 08 31 ff 49 89 ef 41 83 [ 50.727768][ T3608] RSP: 0018:ffffc900039df6d0 EFLAGS: 00010202 [ 50.733844][ T3608] RAX: 0000000000000001 RBX: dffffc0000000000 RCX: 0000000000000000 [ 50.741800][ T3608] RDX: ffff88802763bb00 RSI: ffffffff81b28a5d RDI: 0000000000000007 [ 50.749757][ T3608] RBP: 000000000000034e R08: 0000000000000007 R09: 0000000000000000 [ 50.757715][ T3608] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 [ 50.765761][ T3608] R13: 0000000000000001 R14: ffffc900039df7c8 R15: 0000000000000000 [ 50.773720][ T3608] FS: 00007fc2d0fe9700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 50.782659][ T3608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 50.789251][ T3608] CR2: 0000000020001600 CR3: 0000000076052000 CR4: 00000000003506f0 [ 50.797238][ T3608] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 50.805195][ T3608] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 50.813153][ T3608] Call Trace: [ 50.816427][ T3608] [ 50.819353][ T3608] unpin_user_pages_dirty_lock+0x4a/0x4c0 [ 50.825071][ T3608] ? lock_downgrade+0x6e0/0x6e0 [ 50.829911][ T3608] rds_rdma_free_op+0x28d/0x3c0 [ 50.834781][ T3608] ? rds_rdma_unuse+0x480/0x480 [ 50.839616][ T3608] ? lockdep_hardirqs_on+0x79/0x100 [ 50.844809][ T3608] ? _raw_spin_unlock_irqrestore+0x3d/0x70 [ 50.850629][ T3608] ? free_unref_page+0x2f3/0x4d0 [ 50.855559][ T3608] rds_cmsg_rdma_args+0x32c/0x1540 [ 50.860664][ T3608] rds_sendmsg+0x1c5c/0x3040 [ 50.865250][ T3608] ? rds_send_drop_to+0x13e0/0x13e0 [ 50.870461][ T3608] ? __might_fault+0xd1/0x170 [ 50.875131][ T3608] ? aa_af_perm+0x230/0x230 [ 50.879629][ T3608] ? rds_send_drop_to+0x13e0/0x13e0 [ 50.884821][ T3608] sock_sendmsg+0xcf/0x120 [ 50.889228][ T3608] ____sys_sendmsg+0x6eb/0x810 [ 50.893981][ T3608] ? kernel_sendmsg+0x50/0x50 [ 50.898651][ T3608] ___sys_sendmsg+0x110/0x1b0 [ 50.903320][ T3608] ? do_recvmmsg+0x6e0/0x6e0 [ 50.907903][ T3608] ? __fget_files+0x248/0x440 [ 50.912596][ T3608] ? lock_downgrade+0x6e0/0x6e0 [ 50.917436][ T3608] ? lock_release+0x780/0x780 [ 50.922102][ T3608] ? __fget_files+0x26a/0x440 [ 50.926768][ T3608] ? __fget_light+0xe5/0x270 [ 50.931368][ T3608] __sys_sendmsg+0xf3/0x1c0 [ 50.935882][ T3608] ? __sys_sendmsg_sock+0x30/0x30 [ 50.940905][ T3608] ? lock_downgrade+0x6e0/0x6e0 [ 50.945776][ T3608] ? lockdep_hardirqs_on+0x79/0x100 [ 50.950988][ T3608] ? _raw_spin_unlock_irq+0x2a/0x40 [ 50.956172][ T3608] ? ptrace_notify+0xfa/0x140 [ 50.960840][ T3608] do_syscall_64+0x35/0xb0 [ 50.965255][ T3608] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 50.971147][ T3608] RIP: 0033:0x7fc2d1036e39 [ 50.975552][ T3608] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 50.995172][ T3608] RSP: 002b:00007fc2d0fe9308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 51.003569][ T3608] RAX: ffffffffffffffda RBX: 00007fc2d10bf408 RCX: 00007fc2d1036e39 [pid 3608] sendmsg(4, 0x20001600, 0 [pid 3607] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 51.011528][ T3608] RDX: 0000000000000000 RSI: 0000000020001600 RDI: 0000000000000004 [ 51.019506][ T3608] RBP: 00007fc2d10bf400 R08: 0000000000000000 R09: 0000000000000000 [ 51.027466][ T3608] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc2d10bf40c [ 51.035425][ T3608] R13: 00007fc2d108d004 R14: 632e79726f6d656d R15: 0000000000022000 [ 51.043388][ T3608] [ 51.046392][ T3608] Modules linked in: [ 51.050537][ T3608] ---[ end trace 0000000000000000 ]--- [ 51.056026][ T3608] RIP: 0010:sanity_check_pinned_pages+0x25e/0xec0 [ 51.062497][ T3608] Code: a2 06 00 00 e8 f3 8a c9 ff 4c 89 f0 48 c1 e8 03 80 3c 18 00 0f 85 8e 0a 00 00 4d 8b 26 49 8d 44 24 08 48 89 04 24 48 c1 e8 03 <80> 3c 18 00 0f 85 8b 0a 00 00 49 8b 6c 24 08 31 ff 49 89 ef 41 83 [ 51.082152][ T3608] RSP: 0018:ffffc900039df6d0 EFLAGS: 00010202 [ 51.088277][ T3608] RAX: 0000000000000001 RBX: dffffc0000000000 RCX: 0000000000000000 [ 51.096256][ T3608] RDX: ffff88802763bb00 RSI: ffffffff81b28a5d RDI: 0000000000000007 [ 51.104256][ T3608] RBP: 000000000000034e R08: 0000000000000007 R09: 0000000000000000 [ 51.112339][ T3608] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 [ 51.120435][ T3608] R13: 0000000000000001 R14: ffffc900039df7c8 R15: 0000000000000000 [ 51.128442][ T3608] FS: 00007fc2d0fe9700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 [ 51.137432][ T3608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 51.144036][ T3608] CR2: 000000002034d000 CR3: 0000000076052000 CR4: 00000000003506e0 [ 51.152045][ T3608] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 51.160066][ T3608] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 51.168080][ T3608] Kernel panic - not syncing: Fatal exception [ 51.174205][ T3608] Kernel Offset: disabled [ 51.178525][ T3608] Rebooting in 86400 seconds..