./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4001925819
<...>
Warning: Permanently added '10.128.1.109' (ED25519) to the list of known hosts.
execve("./syz-executor4001925819", ["./syz-executor4001925819"], 0x7fff8f9c77d0 /* 10 vars */) = 0
brk(NULL) = 0x555555633000
brk(0x555555633e00) = 0x555555633e00
arch_prctl(ARCH_SET_FS, 0x555555633480) = 0
set_tid_address(0x555555633750) = 5075
set_robust_list(0x555555633760, 24) = 0
rseq(0x555555633da0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor4001925819", 4096) = 28
getrandom("\x31\x17\xf9\x67\x38\x6b\x6c\xc3", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555555633e00
brk(0x555555654e00) = 0x555555654e00
brk(0x555555655000) = 0x555555655000
mprotect(0x7f1669a6b000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7f16699c68e0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f16699ce2a0}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7f16699c68e0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f16699ce2a0}, NULL, 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555633750) = 5076
./strace-static-x86_64: Process 5076 attached
[pid 5076] set_robust_list(0x555555633760, 24) = 0
[pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5076] setpgid(0, 0) = 0
[pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5076] write(3, "1000", 4) = 4
[pid 5076] close(3) = 0
[pid 5076] socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
[pid 5076] pipe([5, 6]) = 0
[pid 5076] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb5", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[4]}, {cmsg_len=24, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3, 6]}], msg_controllen=48, msg_flags=MSG_DONTWAIT|MSG_NOSIGNAL|MSG_BATCH}, MSG_OOB|MSG_DONTROUTE|MSG_NOSIGNAL|MSG_FASTOPEN) = 1
[pid 5076] exit_group(0) = ?
[pid 5076] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5076, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555633750) = 5077
./strace-static-x86_64: Process 5077 attached
[pid 5077] set_robust_list(0x555555633760, 24) = 0
[pid 5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5077] setpgid(0, 0) = 0
[pid 5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5077] write(3, "1000", 4) = 4
[ 75.836565][ T59] ==================================================================
[ 75.844697][ T59] BUG: KASAN: slab-use-after-free in __unix_gc+0xe0f/0xf70
[ 75.851927][ T59] Read of size 8 at addr ffff8880237e3640 by task kworker/u4:4/59
[ 75.859731][ T59]
[ 75.862056][ T59] CPU: 0 PID: 59 Comm: kworker/u4:4 Not tainted 6.8.0-rc3-syzkaller-00766-ge7689879d14e #0
[ 75.872033][ T59] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 75.882090][ T59] Workqueue: events_unbound __unix_gc
[ 75.887483][ T59] Call Trace:
[ 75.893727][ T59]  <TASK>
[ 75.893727][ T59] dump_stack_lvl+0x1e7/0x2e0
[ 75.898442][ T59] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.904093][ T59] ? __pfx__printk+0x10/0x10
[ 75.908708][ T59] ? _printk+0xd5/0x120
[ 75.912867][ T59] ? __virt_addr_valid+0x183/0x520
[ 75.917991][ T59] ? __virt_addr_valid+0x183/0x520
[ 75.923115][ T59] print_report+0x167/0x540
[ 75.927635][ T59] ? __virt_addr_valid+0x183/0x520
[ 75.932755][ T59] ? __virt_addr_valid+0x183/0x520
[ 75.937889][ T59] ? __virt_addr_valid+0x44e/0x520
[ 75.943012][ T59] ? __phys_addr+0xba/0x170
[ 75.947548][ T59] ? __unix_gc+0xe0f/0xf70
[ 75.951978][ T59] kasan_report+0x142/0x180
[ 75.956487][ T59] ? __unix_gc+0xe0f/0xf70
[ 75.960918][ T59] __unix_gc+0xe0f/0xf70
[ 75.965479][ T59] ? __pfx___unix_gc+0x10/0x10
[ 75.970446][ T59] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 75.976798][ T59] ? process_scheduled_works+0x825/0x1420
[ 75.982569][ T59] process_scheduled_works+0x913/0x1420
[ 75.988143][ T59] ? __pfx_process_scheduled_works+0x10/0x10
[ 75.994141][ T59] ? assign_work+0x364/0x3d0
[ 75.998747][ T59] worker_thread+0xa5f/0x1000
[ 76.003444][ T59] ? __pfx_worker_thread+0x10/0x10
[ 76.008569][ T59] kthread+0x2ef/0x390
[ 76.012641][ T59] ? __pfx_worker_thread+0x10/0x10
[ 76.017764][ T59] ? __pfx_kthread+0x10/0x10
[ 76.022359][ T59] ret_from_fork+0x4b/0x80
[ 76.026785][ T59] ? __pfx_kthread+0x10/0x10
[ 76.031389][ T59] ret_from_fork_asm+0x1b/0x30
[ 76.036169][ T59]  </TASK>
[ 76.039192][ T59]
[ 76.041514][ T59] Allocated by task 5076:
[ 76.045837][ T59] kasan_save_track+0x3f/0x80
[ 76.050524][ T59] __kasan_slab_alloc+0x66/0x80
[ 76.055374][ T59] kmem_cache_alloc+0x16f/0x340
[ 76.060232][ T59] sk_prot_alloc+0x58/0x210
[ 76.064755][ T59] sk_alloc+0x38/0x370
[ 76.068925][ T59] unix_create1+0xb4/0x7f0
[ 76.073350][ T59] unix_create+0x14e/0x200
[ 76.077771][ T59] __sock_create+0x48f/0x920
[ 76.082366][ T59] __sys_socketpair+0x33d/0x720
[ 76.087323][ T59] __x64_sys_socketpair+0x9b/0xb0
[ 76.092895][ T59] do_syscall_64+0xf9/0x240
[ 76.097416][ T59] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 76.103319][ T59]
[ 76.105645][ T59] Freed by task 23:
[ 76.109447][ T59] kasan_save_track+0x3f/0x80
[ 76.114143][ T59] kasan_save_free_info+0x4e/0x60
[ 76.119173][ T59] poison_slab_object+0xa6/0xe0
[ 76.124037][ T59] __kasan_slab_free+0x34/0x70
[ 76.128816][ T59] kmem_cache_free+0x102/0x2a0
[ 76.133589][ T59] __sk_destruct+0x470/0x5f0
[ 76.138185][ T59] unix_release_sock+0x903/0xd20
[ 76.143128][ T59] unix_release+0x91/0xc0
[ 76.147462][ T59] sock_close+0xbc/0x240
[ 76.151710][ T59] __fput+0x429/0x8a0
[ 76.155700][ T59] delayed_fput+0x59/0x80
[ 76.160035][ T59] process_scheduled_works+0x913/0x1420
[ 76.165606][ T59] worker_thread+0xa5f/0x1000
[ 76.170294][ T59] kthread+0x2ef/0x390
[ 76.174363][ T59] ret_from_fork+0x4b/0x80
[ 76.178788][ T59] ret_from_fork_asm+0x1b/0x30
[ 76.183561][ T59]
[ 76.185886][ T59] The buggy address belongs to the object at ffff8880237e3000
[ 76.185886][ T59] which belongs to the cache UNIX-STREAM of size 1920
[ 76.200028][ T59] The buggy address is located 1600 bytes inside of
[ 76.200028][ T59] freed 1920-byte region [ffff8880237e3000, ffff8880237e3780)
[ 76.214006][ T59]
[ 76.216333][ T59] The buggy address belongs to the physical page:
[ 76.222742][ T59] page:ffffea00008df800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x237e0
[ 76.232893][ T59] head:ffffea00008df800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.241824][ T59] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 76.249801][ T59] page_type: 0xffffffff()
[ 76.254134][ T59] raw: 00fff00000000840 ffff8880183aa280 dead000000000122 0000000000000000
[ 76.262718][ T59] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 76.271306][ T59] page dumped because: kasan: bad access detected
[ 76.277715][ T59] page_owner tracks the page as allocated
[ 76.283428][ T59] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5069, tgid 5069 (sftp-server), ts 69550911589, free_ts 69532294849
[ 76.304883][ T59] post_alloc_hook+0x1ea/0x210
[ 76.309657][ T59] get_page_from_freelist+0x33ea/0x3580
[ 76.315386][ T59] __alloc_pages+0x255/0x680
[ 76.319983][ T59] alloc_slab_page+0x5f/0x160
[ 76.324667][ T59] new_slab+0x84/0x2f0
[ 76.328743][ T59] ___slab_alloc+0xd17/0x13e0
[ 76.333427][ T59] kmem_cache_alloc+0x24d/0x340
[ 76.338285][ T59] sk_prot_alloc+0x58/0x210
[ 76.342794][ T59] sk_alloc+0x38/0x370
[ 76.346872][ T59] unix_create1+0xb4/0x7f0
[ 76.351291][ T59] unix_stream_connect+0x348/0x1110
[ 76.356494][ T59] __sys_connect+0x2df/0x310
[ 76.361090][ T59] __x64_sys_connect+0x7a/0x90
[ 76.365859][ T59] do_syscall_64+0xf9/0x240
[ 76.370373][ T59] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 76.376268][ T59] page last free pid 5069 tgid 5069 stack trace:
[ 76.382592][ T59] free_unref_page_prepare+0x968/0xa90
[ 76.388056][ T59] free_unref_page+0x37/0x3f0
[ 76.392739][ T59] __put_partials+0xeb/0x130
[ 76.397340][ T59] put_cpu_partial+0x17b/0x250
[ 76.402103][ T59] __slab_free+0x302/0x410
[ 76.406519][ T59] qlist_free_all+0x6d/0xd0
[ 76.411032][ T59] kasan_quarantine_reduce+0x14f/0x170
[ 76.416502][ T59] __kasan_slab_alloc+0x23/0x80
[ 76.421361][ T59] kmem_cache_alloc+0x16f/0x340
[ 76.426222][ T59] vm_area_alloc+0x24/0x1d0
[ 76.430734][ T59] mmap_region+0xbd8/0x1fa0
[ 76.435248][ T59] do_mmap+0x7ae/0xe60
[ 76.439321][ T59] vm_mmap_pgoff+0x1e2/0x420
[ 76.443918][ T59] ksys_mmap_pgoff+0x503/0x6e0
[ 76.448691][ T59] do_syscall_64+0xf9/0x240
[ 76.453196][ T59] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 76.459093][ T59]
[ 76.461425][ T59] Memory state around the buggy address:
[ 76.467054][ T59] ffff8880237e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.475116][ T59] ffff8880237e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[pid 5077] close(3) = 0
[pid 5077] socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
[pid 5077] pipe([5, 6]) = 0
[pid 5077] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb5", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[4]}, {cmsg_len=24, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3, 6]}], msg_controllen=48, msg_flags=MSG_DONTWAIT|MSG_NOSIGNAL|MSG_BATCH}, MSG_OOB|MSG_DONTROUTE|MSG_NOSIGNAL|MSG_FASTOPEN) = 1
[pid 5077] exit_group(0) = ?
[pid 5077] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5077, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
[ 76.484052][ T59] >ffff8880237e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.492111][ T59] ^
[ 76.498259][ T59] ffff8880237e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.506318][ T59] ffff8880237e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.514378][ T59] ==================================================================
[ 76.523554][ T59] Kernel panic - not syncing: KASAN: panic_on_warn set ...
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555633750) = 5078
./strace-static-x86_64: Process 5078 attached
[pid 5078] set_robust_list(0x555555633760, 24) = 0
[pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5078] setpgid(0, 0) = 0
[pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5078] write(3, "1000", 4) = 4
[pid 5078] close(3) = 0
[pid 5078] socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
[pid 5078] pipe([5, 6]) = 0
[pid 5078] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb5", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[4]}, {cmsg_len=24, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3, 6]}], msg_controllen=48, msg_flags=MSG_DONTWAIT|MSG_NOSIGNAL|MSG_BATCH}, MSG_OOB|MSG_DONTROUTE|MSG_NOSIGNAL|MSG_FASTOPEN) = 1
[pid 5078] exit_group(0) = ?
[ 76.530781][ T59] CPU: 1 PID: 59 Comm: kworker/u4:4 Not tainted 6.8.0-rc3-syzkaller-00766-ge7689879d14e #0
[ 76.540789][ T59] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 76.550873][ T59] Workqueue: events_unbound __unix_gc
[ 76.556298][ T59] Call Trace:
[ 76.559608][ T59]  <TASK>
[ 76.562570][ T59] dump_stack_lvl+0x1e7/0x2e0
[ 76.567286][ T59] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.572516][ T59] ? __pfx__printk+0x10/0x10
[ 76.577128][ T59] ? vscnprintf+0x5d/0x90
[ 76.581465][ T59] panic+0x349/0x860
[ 76.585378][ T59] ? check_panic_on_warn+0x21/0xb0
[ 76.590506][ T59] ? __pfx_panic+0x10/0x10
[ 76.594941][ T59] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 76.600931][ T59] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.607272][ T59] ? print_report+0x4ff/0x540
[ 76.611955][ T59] check_panic_on_warn+0x86/0xb0
[ 76.616902][ T59] ? __unix_gc+0xe0f/0xf70
[ 76.621332][ T59] end_report+0x6e/0x140
[ 76.625577][ T59] kasan_report+0x153/0x180
[ 76.630082][ T59] ? __unix_gc+0xe0f/0xf70
[ 76.634516][ T59] __unix_gc+0xe0f/0xf70
[ 76.638778][ T59] ? __pfx___unix_gc+0x10/0x10
[ 76.643555][ T59] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 76.649897][ T59] ? process_scheduled_works+0x825/0x1420
[ 76.655629][ T59] process_scheduled_works+0x913/0x1420
[ 76.661241][ T59] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.667243][ T59] ? assign_work+0x364/0x3d0
[ 76.671851][ T59] worker_thread+0xa5f/0x1000
[ 76.676553][ T59] ? __pfx_worker_thread+0x10/0x10
[ 76.681706][ T59] kthread+0x2ef/0x390
[ 76.685784][ T59] ? __pfx_worker_thread+0x10/0x10
[ 76.690907][ T59] ? __pfx_kthread+0x10/0x10
[ 76.695507][ T59] ret_from_fork+0x4b/0x80
[ 76.699935][ T59] ? __pfx_kthread+0x10/0x10
[ 76.704527][ T59] ret_from_fork_asm+0x1b/0x30
[ 76.709396][ T59]  </TASK>
[ 76.712700][ T59] Kernel Offset: disabled
[ 76.717025][ T59] Rebooting in 86400 seconds..