./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1349612605 <...> DUID 00:04:e3:a1:4c:5b:a4:47:39:93:9a:5d:f6:69:14:97:a9:57 forked to background, child pid 4651 [ 34.923798][ T4652] 8021q: adding VLAN 0 to HW filter on device bond0 [ 34.934599][ T4652] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts. execve("./syz-executor1349612605", ["./syz-executor1349612605"], 0x7ffdf8540640 /* 10 vars */) = 0 brk(NULL) = 0x555556478000 brk(0x555556478c40) = 0x555556478c40 arch_prctl(ARCH_SET_FS, 0x555556478300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1349612605", 4096) = 28 brk(0x555556499c40) = 0x555556499c40 brk(0x55555649a000) = 0x55555649a000 mprotect(0x7f0a3139d000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5077 attached , child_tidptr=0x5555564785d0) = 5077 [pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5077] setpgid(0, 0) = 0 [pid 5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5077] write(3, "1000", 4) = 4 [pid 5077] close(3) = 0 [pid 5077] mkdirat(AT_FDCWD, "./file0", 000) = 0 [pid 5077] openat(AT_FDCWD, "/dev/fuse", O_RDWR|O_CREAT, 000) = 3 [pid 5077] mount(NULL, "./file0", "fuse", 0, "fd=0x0000000000000003,rootmode=00000000000000000040000,user_id=00000000000000000000,group_id=0000000"...) = 0 [pid 5077] read(3, "\x68\x00\x00\x00\x1a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x26\x00\x00\x00\x00\x00\x02\x00\xfb\xff\xff\x73\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8224) = 104 [pid 5077] write(3, "\x50\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 80) = 80 [pid 5077] io_uring_setup(25082, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 5077] mmap(0x20ee8000, 1179968, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20ee8000 [pid 5077] mmap(0x20ffd000, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffd000 [pid 5077] io_uring_enter(4, 17678, 0, 0, NULL, 0) = 1 [pid 5077] stat("./file0", [pid 5076] kill(-5077, SIGKILL) = 0 [pid 5077] <... stat resumed> ) = ? [pid 5076] kill(5077, SIGKILL [pid 5077] +++ killed by SIGKILL +++ <... kill resumed>) = 0 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5077, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=2 /* 0.02 s */} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5079 attached , child_tidptr=0x5555564785d0) = 5079 [pid 5079] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5079] setpgid(0, 0) = 0 [pid 5079] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5079] write(3, "1000", 4) = 4 [pid 5079] close(3) = 0 [pid 5079] mkdirat(AT_FDCWD, "./file0", 000) = -1 EEXIST (File exists) [pid 5079] openat(AT_FDCWD, "/dev/fuse", O_RDWR|O_CREAT, 000) = 3 [pid 5079] mount(NULL, "./file0", "fuse", 0, "fd=0x0000000000000003,rootmode=00000000000000000040000,user_id=00000000000000000000,group_id=0000000"...) = 0 [pid 5079] read(3, "\x68\x00\x00\x00\x1a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x26\x00\x00\x00\x00\x00\x02\x00\xfb\xff\xff\x73\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8224) = 104 [pid 5079] write(3, "\x50\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 80) = 80 [pid 5079] io_uring_setup(25082, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 5079] mmap(0x20ee8000, 1179968, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20ee8000 [pid 5079] mmap(0x20ffd000, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffd000 syzkaller login: [ 65.036211][ T4401] ================================================================== [ 65.044321][ T4401] BUG: KASAN: use-after-free in io_fallback_req_func+0xc7/0x204 [ 65.051957][ T4401] Read of size 8 at addr ffff8880793aa948 by task kworker/0:3/4401 [ 65.059832][ T4401] [ 65.062141][ T4401] CPU: 0 PID: 4401 Comm: kworker/0:3 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 65.071670][ T4401] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [pid 5079] io_uring_enter(4, 17678, 0, 0, NULL, 0) = 1 [ 65.081708][ T4401] Workqueue: events io_fallback_req_func [ 65.087333][ T4401] Call Trace: [ 65.090595][ T4401] [ 65.093511][ T4401] dump_stack_lvl+0xd1/0x138 [ 65.098121][ T4401] print_report+0x15e/0x45d [ 65.102639][ T4401] ? __phys_addr+0xc8/0x140 [ 65.107145][ T4401] ? io_fallback_req_func+0xc7/0x204 [ 65.112431][ T4401] kasan_report+0xc0/0xf0 [ 65.116783][ T4401] ? io_fallback_req_func+0xc7/0x204 [ 65.122063][ T4401] io_fallback_req_func+0xc7/0x204 [ 65.127180][ T4401] ? __io_commit_cqring_flush.cold+0x42/0x42 [ 65.133192][ T4401] process_one_work+0x9bf/0x1750 [ 65.138134][ T4401] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 65.143496][ T4401] ? rcu_read_lock_sched_held+0x3e/0x70 [ 65.149050][ T4401] ? rwlock_bug.part.0+0x90/0x90 [ 65.153985][ T4401] ? lock_acquire+0x32/0xc0 [ 65.158480][ T4401] ? worker_thread+0x16d/0x1090 [ 65.163338][ T4401] worker_thread+0x669/0x1090 [ 65.168015][ T4401] ? __kthread_parkme+0x163/0x220 [ 65.173039][ T4401] ? process_one_work+0x1750/0x1750 [ 65.178255][ T4401] kthread+0x2e8/0x3a0 [ 65.182316][ T4401] ? kthread_complete_and_exit+0x40/0x40 [ 65.187940][ T4401] ret_from_fork+0x1f/0x30 [ 65.192361][ T4401] [ 65.195369][ T4401] [ 65.197676][ T4401] Allocated by task 5077: [ 65.201982][ T4401] kasan_save_stack+0x22/0x40 [ 65.206659][ T4401] kasan_set_track+0x25/0x30 [ 65.211248][ T4401] __kasan_slab_alloc+0x7f/0x90 [ 65.216110][ T4401] kmem_cache_alloc_bulk+0x3aa/0x730 [ 65.221390][ T4401] __io_alloc_req_refill+0xcc/0x40b [ 65.226600][ T4401] io_submit_sqes.cold+0x7c/0xc2 [ 65.231539][ T4401] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 65.237111][ T4401] do_syscall_64+0x39/0xb0 [ 65.241551][ T4401] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.247479][ T4401] [ 65.249787][ T4401] Freed by task 31: [ 65.253578][ T4401] kasan_save_stack+0x22/0x40 [ 65.258247][ T4401] kasan_set_track+0x25/0x30 [ 65.262835][ T4401] kasan_save_free_info+0x2e/0x40 [ 65.267876][ T4401] ____kasan_slab_free+0x160/0x1c0 [ 65.272986][ T4401] slab_free_freelist_hook+0x8b/0x1c0 [ 65.278370][ T4401] kmem_cache_free+0xec/0x4e0 [ 65.283056][ T4401] io_req_caches_free+0x1a9/0x1e6 [ 65.288071][ T4401] io_ring_exit_work+0x2e7/0xc80 [ 65.292998][ T4401] process_one_work+0x9bf/0x1750 [ 65.297928][ T4401] worker_thread+0x669/0x1090 [ 65.302601][ T4401] kthread+0x2e8/0x3a0 [ 65.306678][ T4401] ret_from_fork+0x1f/0x30 [ 65.311085][ T4401] [ 65.313394][ T4401] The buggy address belongs to the object at ffff8880793aa8c0 [ 65.313394][ T4401] which belongs to the cache io_kiocb of size 216 [ 65.327189][ T4401] The buggy address is located 136 bytes inside of [ 65.327189][ T4401] 216-byte region [ffff8880793aa8c0, ffff8880793aa998) [ 65.340462][ T4401] [ 65.342776][ T4401] The buggy address belongs to the physical page: [ 65.349180][ T4401] page:ffffea0001e4ea80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x793aa [ 65.359323][ T4401] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 65.366872][ T4401] raw: 00fff00000000200 ffff88814610fc80 dead000000000122 0000000000000000 [ 65.375475][ T4401] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 65.384070][ T4401] page dumped because: kasan: bad access detected [ 65.390493][ T4401] page_owner tracks the page as allocated [ 65.396202][ T4401] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5077, tgid 5077 (syz-executor134), ts 60034717602, free_ts 59988620363 [ 65.414781][ T4401] get_page_from_freelist+0x11bb/0x2d50 [ 65.420328][ T4401] __alloc_pages+0x1cb/0x5c0 [ 65.424915][ T4401] alloc_pages+0x1aa/0x270 [ 65.429323][ T4401] allocate_slab+0x25f/0x350 [ 65.433902][ T4401] ___slab_alloc+0xa91/0x1400 [ 65.438575][ T4401] kmem_cache_alloc_bulk+0x23d/0x730 [ 65.443873][ T4401] __io_alloc_req_refill+0xcc/0x40b [ 65.449063][ T4401] io_submit_sqes.cold+0x7c/0xc2 [ 65.454001][ T4401] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 65.459562][ T4401] do_syscall_64+0x39/0xb0 [ 65.463969][ T4401] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.469891][ T4401] page last free stack trace: [ 65.474559][ T4401] free_pcp_prepare+0x4d0/0x910 [ 65.479404][ T4401] free_unref_page_list+0x176/0xcd0 [ 65.484595][ T4401] release_pages+0xcb1/0x1330 [ 65.489267][ T4401] tlb_batch_pages_flush+0xa8/0x1a0 [ 65.494482][ T4401] tlb_finish_mmu+0x14b/0x7e0 [ 65.499150][ T4401] exit_mmap+0x202/0x7c0 [ 65.503382][ T4401] __mmput+0x128/0x4c0 [ 65.507440][ T4401] mmput+0x60/0x70 [ 65.511155][ T4401] do_exit+0x9ac/0x2a90 [ 65.515334][ T4401] do_group_exit+0xd4/0x2a0 [ 65.519841][ T4401] get_signal+0x225f/0x24f0 [ 65.524364][ T4401] arch_do_signal_or_restart+0x79/0x5c0 [ 65.529933][ T4401] exit_to_user_mode_prepare+0x11f/0x240 [ 65.535581][ T4401] irqentry_exit_to_user_mode+0x9/0x40 [ 65.541039][ T4401] exc_page_fault+0xc0/0x170 [ 65.545626][ T4401] asm_exc_page_fault+0x26/0x30 [ 65.550489][ T4401] [ 65.552805][ T4401] Memory state around the buggy address: [ 65.558430][ T4401] ffff8880793aa800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 65.566476][ T4401] ffff8880793aa880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 65.574525][ T4401] >ffff8880793aa900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.582572][ T4401] ^ [ 65.588987][ T4401] ffff8880793aa980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 65.597052][ T4401] ffff8880793aaa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 65.605130][ T4401] ================================================================== [ 65.614990][ T4401] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 65.622225][ T4401] CPU: 0 PID: 4401 Comm: kworker/0:3 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 65.631775][ T4401] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 65.641820][ T4401] Workqueue: events io_fallback_req_func [ 65.647451][ T4401] Call Trace: [ 65.650729][ T4401] [ 65.653660][ T4401] dump_stack_lvl+0xd1/0x138 [ 65.658243][ T4401] panic+0x2cc/0x626 [ 65.662141][ T4401] ? panic_print_sys_info.part.0+0x112/0x112 [ 65.668121][ T4401] ? preempt_schedule_thunk+0x1a/0x20 [ 65.673490][ T4401] ? preempt_schedule_common+0x59/0xc0 [ 65.678955][ T4401] check_panic_on_warn.cold+0x19/0x35 [ 65.684359][ T4401] end_report.part.0+0x36/0x73 [ 65.689135][ T4401] ? io_fallback_req_func+0xc7/0x204 [ 65.694417][ T4401] kasan_report.cold+0xa/0xf [ 65.699018][ T4401] ? io_fallback_req_func+0xc7/0x204 [ 65.704303][ T4401] io_fallback_req_func+0xc7/0x204 [ 65.709429][ T4401] ? __io_commit_cqring_flush.cold+0x42/0x42 [ 65.715417][ T4401] process_one_work+0x9bf/0x1750 [ 65.720376][ T4401] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 65.725767][ T4401] ? rcu_read_lock_sched_held+0x3e/0x70 [ 65.731321][ T4401] ? rwlock_bug.part.0+0x90/0x90 [ 65.736268][ T4401] ? lock_acquire+0x32/0xc0 [ 65.740778][ T4401] ? worker_thread+0x16d/0x1090 [ 65.745640][ T4401] worker_thread+0x669/0x1090 [ 65.750329][ T4401] ? __kthread_parkme+0x163/0x220 [ 65.755355][ T4401] ? process_one_work+0x1750/0x1750 [ 65.760564][ T4401] kthread+0x2e8/0x3a0 [ 65.764637][ T4401] ? kthread_complete_and_exit+0x40/0x40 [ 65.770276][ T4401] ret_from_fork+0x1f/0x30 [ 65.774714][ T4401] [ 65.777863][ T4401] Kernel Offset: disabled [ 65.782179][ T4401] Rebooting in 86400 seconds..