Warning: Permanently added '10.128.0.78' (ED25519) to the list of known hosts.
2025/08/14 23:04:01 ignoring optional flag "sandboxArg"="0"
2025/08/14 23:04:02 parsed 1 programs
[ 71.446608][ T1908] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2025/08/14 23:04:09 executed programs: 0
[ 78.727373][ T2432] Zero length message leads to an empty skb
2025/08/14 23:04:15 executed programs: 49
2025/08/14 23:04:20 executed programs: 77
2025/08/14 23:04:25 executed programs: 113
2025/08/14 23:04:30 executed programs: 145
2025/08/14 23:04:35 executed programs: 184
[ 107.137137][ T4777] ==================================================================
[ 107.145223][ T4777] BUG: KASAN: slab-use-after-free in __se_sys_mremap+0x838/0xda0
[ 107.153093][ T4777] Read of size 8 at addr ffff8881270b62d8 by task syz.2.227/4777
[ 107.160890][ T4777]
[ 107.163238][ T4777] CPU: 1 UID: 0 PID: 4777 Comm: syz.2.227 Not tainted 6.17.0-rc1-syzkaller #0 PREEMPT(none)
[ 107.163248][ T4777] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[ 107.163254][ T4777] Call Trace:
[ 107.163262][ T4777]
[ 107.163267][ T4777] dump_stack_lvl+0xf4/0x170
[ 107.163282][ T4777] ? __pfx_dump_stack_lvl+0x10/0x10
[ 107.163291][ T4777] ? rcu_is_watching+0x1f/0xa0
[ 107.163297][ T4777] ? __virt_addr_valid+0x176/0x2b0
[ 107.163306][ T4777] ? lock_release+0x42/0x2f0
[ 107.163313][ T4777] ? lock_acquire+0x69/0x210
[ 107.163320][ T4777] ? __virt_addr_valid+0x176/0x2b0
[ 107.163325][ T4777] ? __virt_addr_valid+0x262/0x2b0
[ 107.163332][ T4777] print_report+0xca/0x240
[ 107.163339][ T4777] ? __se_sys_mremap+0x838/0xda0
[ 107.163347][ T4777] kasan_report+0x118/0x150
[ 107.163356][ T4777] ? __se_sys_mremap+0x838/0xda0
[ 107.163364][ T4777] __se_sys_mremap+0x838/0xda0
[ 107.163376][ T4777] ? __pfx___se_sys_mremap+0x10/0x10
[ 107.163387][ T4777] ? switch_fpu_return+0xe6/0x180
[ 107.163396][ T4777] do_syscall_64+0x8f/0x250
[ 107.163405][ T4777] ? fpregs_assert_state_consistent+0x48/0x60
[ 107.163413][ T4777] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 107.163420][ T4777] RIP: 0033:0x7f3626e8ebe9
[ 107.163429][ T4777] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 107.163435][ T4777] RSP: 002b:00007f3626cff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
[ 107.163448][ T4777] RAX: ffffffffffffffda RBX: 00007f36270b5fa0 RCX: 00007f3626e8ebe9
[ 107.163454][ T4777] RDX: 0000000000002000 RSI: 0000000000002000 RDI: 0000200000041000
[ 107.163459][ T4777] RBP: 00007f3626f11e19 R08: 00002000004c3000 R09: 0000000000000000
[ 107.163463][ T4777] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 107.163468][ T4777] R13: 00007f36270b6038 R14: 00007f36270b5fa0 R15: 00007ffedd290738
[ 107.163475][ T4777]
[ 107.163479][ T4777]
[ 107.357870][ T4777] Allocated by task 1920:
[ 107.362175][ T4777] kasan_save_track+0x3e/0x80
[ 107.366839][ T4777] __kasan_slab_alloc+0x6c/0x80
[ 107.371670][ T4777] kmem_cache_alloc_noprof+0x1b1/0x400
[ 107.377116][ T4777] vm_area_dup+0x22/0x490
[ 107.381419][ T4777] dup_mmap+0x79a/0x15b0
[ 107.385804][ T4777] copy_mm+0x119/0x400
[ 107.389839][ T4777] copy_process+0xffa/0x3080
[ 107.394483][ T4777] kernel_clone+0x176/0x680
[ 107.398951][ T4777] __x64_sys_clone+0x186/0x1e0
[ 107.403773][ T4777] do_syscall_64+0x8f/0x250
[ 107.408331][ T4777] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 107.414381][ T4777]
[ 107.416684][ T4777] Freed by task 798:
[ 107.420560][ T4777] kasan_save_track+0x3e/0x80
[ 107.425207][ T4777] kasan_save_free_info+0x46/0x50
[ 107.430200][ T4777] __kasan_slab_free+0x5b/0x80
[ 107.434934][ T4777] slab_free_after_rcu_debug+0x131/0x290
[ 107.440537][ T4777] rcu_core+0xbdf/0x1570
[ 107.444777][ T4777] handle_softirqs+0x19d/0x500
[ 107.449601][ T4777] __irq_exit_rcu+0x48/0x140
[ 107.454270][ T4777] sysvec_apic_timer_interrupt+0x92/0xb0
[ 107.459876][ T4777] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 107.465855][ T4777]
[ 107.468248][ T4777] Last potentially related work creation:
[ 107.473959][ T4777] kasan_save_stack+0x3e/0x60
[ 107.478610][ T4777] kasan_record_aux_stack+0xbd/0xd0
[ 107.483865][ T4777] kmem_cache_free+0x2b5/0x460
[ 107.488607][ T4777] vms_complete_munmap_vmas+0x390/0x680
[ 107.494151][ T4777] do_vmi_align_munmap+0x307/0x350
[ 107.499235][ T4777] do_vmi_munmap+0x192/0x210
[ 107.503795][ T4777] do_munmap+0xdb/0x130
[ 107.507919][ T4777] mremap_to+0x2e7/0x7b0
[ 107.512138][ T4777] __se_sys_mremap+0x813/0xda0
[ 107.516896][ T4777] do_syscall_64+0x8f/0x250
[ 107.521564][ T4777] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 107.527513][ T4777]
[ 107.529823][ T4777] The buggy address belongs to the object at ffff8881270b6280
[ 107.529823][ T4777] which belongs to the cache vm_area_struct of size 256
[ 107.544190][ T4777] The buggy address is located 88 bytes inside of
[ 107.544190][ T4777] freed 256-byte region [ffff8881270b6280, ffff8881270b6380)
[ 107.557961][ T4777]
[ 107.560365][ T4777] The buggy address belongs to the physical page:
[ 107.566846][ T4777] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1270b6
[ 107.575760][ T4777] memcg:ffff8881272d3e81
[ 107.579981][ T4777] flags: 0x200000000000000(node=0|zone=2)
[ 107.585697][ T4777] page_type: f5(slab)
[ 107.589660][ T4777] raw: 0200000000000000 ffff888100ec3b40 ffffea000429f400 dead000000000002
[ 107.598216][ T4777] raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff8881272d3e81
[ 107.606870][ T4777] page dumped because: kasan: bad access detected
[ 107.613371][ T4777] page_owner tracks the page as allocated
[ 107.619088][ T4777] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3414, tgid 3414 (modprobe), ts 90326800439, free_ts 90279010524
[ 107.638077][ T4777] post_alloc_hook+0x168/0x1a0
[ 107.642819][ T4777] get_page_from_freelist+0x2889/0x2a40
[ 107.648344][ T4777] __alloc_frozen_pages_noprof+0x26b/0x460
[ 107.654208][ T4777] alloc_pages_mpol+0xcb/0x270
[ 107.658944][ T4777] allocate_slab+0x8a/0x320
[ 107.663440][ T4777] ___slab_alloc+0x9c6/0x10a0
[ 107.668089][ T4777] kmem_cache_alloc_noprof+0x26e/0x400
[ 107.673547][ T4777] vm_area_alloc+0x1f/0x130
[ 107.678022][ T4777] mmap_region+0xcf6/0x1b90
[ 107.682507][ T4777] do_mmap+0x930/0xc30
[ 107.686543][ T4777] vm_mmap_pgoff+0x1c0/0x370
[ 107.691101][ T4777] ksys_mmap_pgoff+0x2be/0x3f0
[ 107.695837][ T4777] do_syscall_64+0x8f/0x250
[ 107.700400][ T4777] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 107.706263][ T4777] page last free pid 23 tgid 23 stack trace:
[ 107.712294][ T4777] __free_frozen_pages+0x9fc/0xb60
[ 107.717904][ T4777] __tlb_remove_table+0x1c3/0x2a0
[ 107.722988][ T4777] tlb_remove_table_rcu+0x6e/0xd0
[ 107.727999][ T4777] rcu_core+0xbdf/0x1570
[ 107.732224][ T4777] handle_softirqs+0x19d/0x500
[ 107.736970][ T4777] run_ksoftirqd+0x28/0x40
[ 107.741450][ T4777] smpboot_thread_fn+0x3f7/0x7d0
[ 107.746361][ T4777] kthread+0x59b/0x690
[ 107.750402][ T4777] ret_from_fork+0x136/0x2d0
[ 107.754974][ T4777] ret_from_fork_asm+0x1a/0x30
[ 107.759722][ T4777]
[ 107.762022][ T4777] Memory state around the buggy address:
[ 107.767620][ T4777] ffff8881270b6180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 107.775652][ T4777] ffff8881270b6200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 107.783857][ T4777] >ffff8881270b6280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.791888][ T4777]                                                     ^
[ 107.798877][ T4777] ffff8881270b6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.807178][ T4777] ffff8881270b6380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 107.815262][ T4777] ==================================================================
[ 107.824121][ T4777] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 107.831551][ T4777] Kernel Offset: disabled
[ 107.835946][ T4777] Rebooting in 86400 seconds..
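What the report above establishes, plus an added triage helper that is not part of the log, of syzkaller, or of the kernel: the 8-byte read in __se_sys_mremap hits a vm_area_struct that was allocated by vm_area_dup() in dup_mmap() during a clone(), and whose free was deferred to an RCU callback (slab_free_after_rcu_debug under rcu_core in the "Freed by" stack) queued by kmem_cache_free() in vms_complete_munmap_vmas(), reached through mremap_to() -> do_munmap() inside the same mremap() call. The read lands 88 bytes (0x58) into the freed 256-byte object. Read with the x86-64 syscall convention (ORIG_RAX 0x19 = 25 = mremap; arguments in RDI, RSI, RDX, R10, R8), the register dump gives mremap(0x200000041000, 0x2000, 0x2000, MREMAP_MAYMOVE|MREMAP_FIXED, 0x2000004c3000). The C program below pulls those values out of the report text (the relevant lines are copied verbatim into REPORT) and decodes the KASAN shadow byte that covers the access; which vm_area_struct field sits at offset 88 depends on the build's config and is not stated in the log, so the program reports the offset only.

```c
/* Added triage helper for the report above (not from the log, syzkaller or the
 * kernel): decode the mremap(2) call from the register dump and locate the read
 * inside the freed vm_area_struct.  REPORT holds lines copied verbatim from the log. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char REPORT[] =
    "Read of size 8 at addr ffff8881270b62d8 by task syz.2.227/4777\n"
    "RSP: 002b:00007f3626cff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019\n"
    "RAX: ffffffffffffffda RBX: 00007f36270b5fa0 RCX: 00007f3626e8ebe9\n"
    "RDX: 0000000000002000 RSI: 0000000000002000 RDI: 0000200000041000\n"
    "RBP: 00007f3626f11e19 R08: 00002000004c3000 R09: 0000000000000000\n"
    "R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000\n"
    "The buggy address belongs to the object at ffff8881270b6280\n"
    ">ffff8881270b6280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n";

/* Hex number that follows `marker`, or 0 if the marker is absent. */
unsigned long long hex_after(const char *report, const char *marker)
{
    const char *p = strstr(report, marker);
    return p ? strtoull(p + strlen(marker), NULL, 16) : 0;
}

/* Register value from the "RAX: .. RBX: .." dump; the match must start a token
 * so that "RAX" does not hit inside "ORIG_RAX". */
unsigned long long reg_value(const char *report, const char *reg)
{
    char key[16];
    snprintf(key, sizeof key, "%s: ", reg);
    for (const char *p = strstr(report, key); p; p = strstr(p + 1, key))
        if (p == report || p[-1] == ' ' || p[-1] == '\n')
            return strtoull(p + strlen(key), NULL, 16);
    return 0;
}

/* x86-64 syscall ABI: number in ORIG_RAX, arguments in RDI, RSI, RDX, R10, R8
 * (the kernel prints the fifth argument register as "R08"). */
struct mremap_call { unsigned long long nr, old_addr, old_len, new_len, flags, new_addr; };
struct mremap_call decode_mremap(const char *r)
{
    return (struct mremap_call){ reg_value(r, "ORIG_RAX"), reg_value(r, "RDI"),
                                 reg_value(r, "RSI"), reg_value(r, "RDX"),
                                 reg_value(r, "R10"), reg_value(r, "R08") };
}

/* Spell out mremap flags (bit values from <uapi/linux/mman.h>); unnamed bits stay as hex. */
const char *mremap_flags_name(unsigned long long flags)
{
    static const char *names[] = { "MREMAP_MAYMOVE", "MREMAP_FIXED", "MREMAP_DONTUNMAP" };
    static char buf[80];
    size_t used = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 3; bit++) {
        if (!(flags & (1ULL << bit)))
            continue;
        used += snprintf(buf + used, sizeof buf - used, "%s%s", used ? "|" : "", names[bit]);
        flags &= ~(1ULL << bit);
    }
    if (flags)
        snprintf(buf + used, sizeof buf - used, "%s%#llx", used ? "|" : "", flags);
    return buf;
}

/* Byte offset of the faulting access inside the freed object. */
long uaf_offset(const char *report)
{
    return (long)(hex_after(report, "at addr ") - hex_after(report, "object at "));
}

/* Shadow byte covering `addr` in the ">addr: .." row (one shadow byte per 8 bytes), or -1. */
int shadow_byte_for(const char *report, unsigned long long addr)
{
    const char *row = strstr(report, ">ffff");
    unsigned long long off = row ? addr - strtoull(row + 1, NULL, 16) : ~0ULL;
    if (off >= 16 * 8)
        return -1;                          /* not inside the highlighted row */
    const char *p = strchr(row, ':') + 1;
    char *end;
    int v = -1;
    for (unsigned long long i = 0; i <= off / 8; i++, p = end) {
        v = (int)strtoul(p, &end, 16);
        if (end == p)
            return -1;
    }
    return v;
}

/* Meaning of a slab shadow byte (values from mm/kasan/kasan.h). */
const char *kasan_shadow_meaning(int v)
{
    if (v == 0xfa) return "freed object, free-track metadata at its start";
    if (v == 0xfb) return "freed object";
    if (v == 0xfc) return "slab redzone";
    if (v >= 0 && v < 8) return v ? "partially accessible" : "accessible";
    return "poisoned";
}

int main(void)
{
    struct mremap_call c = decode_mremap(REPORT);
    unsigned long long addr = hex_after(REPORT, "at addr ");
    int sb = shadow_byte_for(REPORT, addr);
    printf("syscall %llu: mremap(%#llx, %#llx, %#llx, %s, %#llx)\n", c.nr, c.old_addr,
           c.old_len, c.new_len, mremap_flags_name(c.flags), c.new_addr);
    printf("8-byte read at %#llx is +%ld into the freed vm_area_struct, shadow %02x (%s)\n",
           addr, uaf_offset(REPORT), sb, kasan_shadow_meaning(sb));
    return 0;
}
```

The shadow row confirms the geometry the text states: the object's first 8 bytes are 0xfa (freed, with KASAN's free-track metadata stored there), the rest of the 256 bytes are 0xfb, and the 0xfc bytes on either side are the slab redzones. To name the field at +88, run pahole -C vm_area_struct against the vmlinux of this exact build; the struct's layout changes between releases and with config options, so an offset from another tree is not a reliable match.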