Warning: Permanently added '10.128.0.227' (ED25519) to the list of known hosts.
2024/04/27 13:38:11 ignoring optional flag "sandboxArg"="0"
2024/04/27 13:38:11 parsed 1 programs
2024/04/27 13:38:12 executed programs: 0
[ 50.229624][ T2568] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 51.779483][ T2574] veth0_vlan: entered promiscuous mode
[ 54.499730][ T3431] ==================================================================
[ 54.507912][ T3431] BUG: KASAN: slab-use-after-free in __mutex_unlock_slowpath+0xef/0x5c0
[ 54.516225][ T3431] Read of size 8 at addr ffff888116331880 by task vhost-3430/3431
[ 54.524274][ T3431]
[ 54.526592][ T3431] CPU: 1 PID: 3431 Comm: vhost-3430 Not tainted 6.9.0-rc4-syzkaller #0
[ 54.534904][ T3431] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 54.545036][ T3431] Call Trace:
[ 54.548369][ T3431]
[ 54.551281][ T3431] dump_stack_lvl+0x108/0x280
[ 54.556026][ T3431] ? __pfx_dump_stack_lvl+0x10/0x10
[ 54.561282][ T3431] ? __pfx__printk+0x10/0x10
[ 54.565940][ T3431] ? _printk+0xce/0x120
[ 54.570066][ T3431] ? __virt_addr_valid+0x141/0x260
[ 54.575167][ T3431] ? __virt_addr_valid+0x219/0x260
[ 54.580253][ T3431] print_report+0x169/0x550
[ 54.584905][ T3431] ? __virt_addr_valid+0x141/0x260
[ 54.589990][ T3431] ? __virt_addr_valid+0x219/0x260
[ 54.595110][ T3431] ? __mutex_unlock_slowpath+0xef/0x5c0
[ 54.601261][ T3431] kasan_report+0x143/0x180
[ 54.605946][ T3431] ? __mutex_unlock_slowpath+0xef/0x5c0
[ 54.611978][ T3431] ? vhost_task_fn+0x2b1/0x2e0
[ 54.616986][ T3431] kasan_check_range+0x282/0x290
[ 54.622168][ T3431] ? vhost_task_fn+0x2b1/0x2e0
[ 54.626914][ T3431] __mutex_unlock_slowpath+0xef/0x5c0
[ 54.632441][ T3431] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 54.639003][ T3431] ? _raw_spin_unlock_irqrestore+0xca/0x130
[ 54.644955][ T3431] ? _raw_spin_unlock_irqrestore+0xcf/0x130
[ 54.650993][ T3431] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 54.657468][ T3431] ? complete+0xb4/0x1c0
[ 54.661686][ T3431] vhost_task_fn+0x2b1/0x2e0
[ 54.666259][ T3431] ? __pfx_vhost_task_fn+0x10/0x10
[ 54.671346][ T3431] ? do_raw_spin_unlock+0x13c/0x8b0
[ 54.676527][ T3431] ? __pfx_vhost_task_fn+0x10/0x10
[ 54.681698][ T3431] ret_from_fork+0x32/0x60
[ 54.686092][ T3431] ? __pfx_vhost_task_fn+0x10/0x10
[ 54.691349][ T3431] ret_from_fork_asm+0x1a/0x30
[ 54.696116][ T3431]
[ 54.699380][ T3431]
[ 54.701681][ T3431] Allocated by task 3430:
[ 54.706067][ T3431] kasan_save_track+0x3f/0x80
[ 54.710722][ T3431] __kasan_kmalloc+0x98/0xb0
[ 54.715368][ T3431] kmalloc_trace+0x1c9/0x3a0
[ 54.719929][ T3431] vhost_task_create+0x142/0x2e0
[ 54.724928][ T3431] vhost_worker_create+0x172/0x360
[ 54.730035][ T3431] vhost_dev_set_owner+0x3b3/0x8a0
[ 54.735293][ T3431] vhost_dev_ioctl+0xbd/0xba0
[ 54.740401][ T3431] vhost_vsock_dev_ioctl+0x6af/0xd10
[ 54.745759][ T3431] __se_sys_ioctl+0xab/0xf0
[ 54.750320][ T3431] do_syscall_64+0x8f/0x1a0
[ 54.754830][ T3431] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 54.760793][ T3431]
[ 54.763286][ T3431] Freed by task 3429:
[ 54.767413][ T3431] kasan_save_track+0x3f/0x80
[ 54.772150][ T3431] kasan_save_free_info+0x40/0x50
[ 54.777148][ T3431] poison_slab_object+0xee/0x1a0
[ 54.782839][ T3431] __kasan_slab_free+0x37/0x60
[ 54.787572][ T3431] kfree+0x139/0x350
[ 54.791436][ T3431] vhost_dev_cleanup+0x83d/0xa30
[ 54.796341][ T3431] vhost_vsock_dev_release+0x33b/0x3a0
[ 54.801955][ T3431] __fput+0x301/0x670
[ 54.805909][ T3431] __se_sys_close+0x11d/0x170
[ 54.810822][ T3431] do_syscall_64+0x8f/0x1a0
[ 54.816607][ T3431] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 54.822643][ T3431]
[ 54.824955][ T3431] The buggy address belongs to the object at ffff888116331800
[ 54.824955][ T3431] which belongs to the cache kmalloc-512 of size 512
[ 54.839238][ T3431] The buggy address is located 128 bytes inside of
[ 54.839238][ T3431] freed 512-byte region [ffff888116331800, ffff888116331a00)
[ 54.853696][ T3431]
[ 54.856100][ T3431] The buggy address belongs to the physical page:
[ 54.862597][ T3431] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116330
[ 54.871414][ T3431] head: order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 54.879096][ T3431] flags: 0x200000000000840(slab|head|node=0|zone=2)
[ 54.885743][ T3431] page_type: 0xffffffff()
[ 54.890048][ T3431] raw: 0200000000000840 ffff888100041c80 dead000000000100 dead000000000122
[ 54.898607][ T3431] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 54.907258][ T3431] head: 0200000000000840 ffff888100041c80 dead000000000100 dead000000000122
[ 54.915896][ T3431] head: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 54.925412][ T3431] head: 0200000000000002 ffffea000458cc01 dead000000000122 00000000ffffffff
[ 54.934348][ T3431] head: 0000000400000000 0000000000000000 00000000ffffffff 0000000000000000
[ 54.943175][ T3431] page dumped because: kasan: bad access detected
[ 54.949649][ T3431] page_owner tracks the page as allocated
[ 54.955421][ T3431] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1958, tgid 1958 (udevd), ts 7849636983, free_ts 5697807279
[ 54.976310][ T3431] post_alloc_hook+0x10f/0x130
[ 54.981227][ T3431] get_page_from_freelist+0x33de/0x3580
[ 54.986743][ T3431] __alloc_pages+0x256/0x670
[ 54.991307][ T3431] alloc_slab_page+0x5f/0x160
[ 54.995955][ T3431] new_slab+0x70/0x270
[ 55.000427][ T3431] ___slab_alloc+0xb0d/0x1040
[ 55.005160][ T3431] kmalloc_trace+0x254/0x3a0
[ 55.009807][ T3431] kernfs_fop_open+0x309/0xaf0
[ 55.014648][ T3431] do_dentry_open+0x74c/0x11c0
[ 55.019383][ T3431] path_openat+0x225a/0x27f0
[ 55.024028][ T3431] do_filp_open+0x22b/0x440
[ 55.028586][ T3431] do_sys_openat2+0xf6/0x180
[ 55.033147][ T3431] __x64_sys_openat+0x20d/0x260
[ 55.037968][ T3431] do_syscall_64+0x8f/0x1a0
[ 55.042452][ T3431] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 55.048315][ T3431] page last free pid 9 tgid 9 stack trace:
[ 55.054195][ T3431] free_unref_page_prepare+0x87f/0x9a0
[ 55.059732][ T3431] free_unref_page+0x37/0x3a0
[ 55.064394][ T3431] vfree+0x10e/0x210
[ 55.068262][ T3431] delayed_vfree_work+0x3c/0x70
[ 55.073083][ T3431] process_scheduled_works+0x8b6/0x12f0
[ 55.078602][ T3431] worker_thread+0x869/0xca0
[ 55.083350][ T3431] kthread+0x268/0x2c0
[ 55.087482][ T3431] ret_from_fork+0x32/0x60
[ 55.092043][ T3431] ret_from_fork_asm+0x1a/0x30
[ 55.096972][ T3431]
[ 55.099273][ T3431] Memory state around the buggy address:
[ 55.104964][ T3431] ffff888116331780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.113011][ T3431] ffff888116331800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.121161][ T3431] >ffff888116331880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.129193][ T3431]                    ^
[ 55.133228][ T3431] ffff888116331900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.141562][ T3431] ffff888116331980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.149968][ T3431] ==================================================================
[ 55.158817][ T3431] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 55.166613][ T3431] Kernel Offset: disabled
[ 55.171008][ T3431] Rebooting in 86400 seconds..