./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3419586764 <...> Warning: Permanently added '10.128.0.127' (ED25519) to the list of known hosts. execve("./syz-executor3419586764", ["./syz-executor3419586764"], 0x7ffd62db7c00 /* 10 vars */) = 0 brk(NULL) = 0x5555568d3000 brk(0x5555568d3d40) = 0x5555568d3d40 arch_prctl(ARCH_SET_FS, 0x5555568d33c0) = 0 set_tid_address(0x5555568d3690) = 5059 set_robust_list(0x5555568d36a0, 24) = 0 rseq(0x5555568d3ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3419586764", 4096) = 28 getrandom("\x45\x45\x60\x54\x36\x3e\xfb\xba", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555568d3d40 brk(0x5555568f4d40) = 0x5555568f4d40 brk(0x5555568f5000) = 0x5555568f5000 mprotect(0x7f79c59bc000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 futex(0x7f79c59c230c, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f79c595eae0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f79c5950160}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f79c58db000 mprotect(0x7f79c58dc000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f79c58fb990, parent_tid=0x7f79c58fb990, exit_signal=0, stack=0x7f79c58db000, stack_size=0x20300, tls=0x7f79c58fb6c0}./strace-static-x86_64: Process 5060 attached [pid 5060] rseq(0x7f79c58fbfe0, 0x20, 0, 0x53053053) = 0 [pid 5059] <... clone3 resumed> => {parent_tid=[5060]}, 88) = 5060 [pid 5060] set_robust_list(0x7f79c58fb9a0, 24 [pid 5059] rt_sigprocmask(SIG_SETMASK, [], [pid 5060] <... set_robust_list resumed>) = 0 [pid 5059] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5060] rt_sigprocmask(SIG_SETMASK, [], [pid 5059] futex(0x7f79c59c2308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5060] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5059] <... futex resumed>) = 0 [pid 5060] openat(AT_FDCWD, "/dev/ptp0", O_RDONLY [pid 5059] futex(0x7f79c59c230c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5060] <... openat resumed>) = 3 [pid 5060] futex(0x7f79c59c230c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5060] futex(0x7f79c59c2308, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5059] <... futex resumed>) = 0 [pid 5059] futex(0x7f79c59c2308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5060] <... futex resumed>) = 0 [pid 5059] <... futex resumed>) = 1 [pid 5060] read(3, [pid 5059] futex(0x7f79c59c230c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5059] futex(0x7f79c59c231c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5059] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f79c58ba000 [pid 5059] mprotect(0x7f79c58bb000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5059] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5059] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f79c58da990, parent_tid=0x7f79c58da990, exit_signal=0, stack=0x7f79c58ba000, stack_size=0x20300, tls=0x7f79c58da6c0}./strace-static-x86_64: Process 5061 attached [pid 5061] rseq(0x7f79c58dafe0, 0x20, 0, 0x53053053) = 0 [pid 5059] <... clone3 resumed> => {parent_tid=[5061]}, 88) = 5061 [pid 5061] set_robust_list(0x7f79c58da9a0, 24) = 0 [pid 5061] rt_sigprocmask(SIG_SETMASK, [], [pid 5059] rt_sigprocmask(SIG_SETMASK, [], [pid 5061] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5059] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5061] futex(0x7f79c59c2318, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5059] futex(0x7f79c59c2318, FUTEX_WAKE_PRIVATE, 1000000 [pid 5061] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5059] <... futex resumed>) = 0 [pid 5061] read(3, [pid 5059] futex(0x7f79c59c231c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5061] <... read resumed>0x20000040, 138) = -1 EINVAL (Invalid argument) [pid 5061] futex(0x7f79c59c231c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5059] <... futex resumed>) = 0 [pid 5061] <... futex resumed>) = 1 [ 97.420417][ T781] cfg80211: failed to load regulatory.db [pid 5061] futex(0x7f79c59c2318, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5059] exit_group(0) = ? [pid 5061] <... futex resumed>) = ? [pid 5061] +++ exited with 0 +++ [ 97.601322][ T5060] ================================================================== [ 97.609455][ T5060] BUG: KASAN: slab-use-after-free in ptp_read+0x7c4/0x830 [ 97.617912][ T5060] Read of size 4 at addr ffff88801af1d004 by task syz-executor341/5060 [ 97.626160][ T5060] [ 97.628486][ T5060] CPU: 0 PID: 5060 Comm: syz-executor341 Not tainted 6.6.0-rc6-next-20231018-syzkaller #0 [ 97.638412][ T5060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 [ 97.648499][ T5060] Call Trace: [ 97.651785][ T5060] [ 97.654735][ T5060] dump_stack_lvl+0xd9/0x1b0 [ 97.659414][ T5060] print_report+0xc4/0x620 [ 97.663945][ T5060] ? __virt_addr_valid+0x5e/0x580 [ 97.668987][ T5060] ? __phys_addr+0xc6/0x140 [ 97.673507][ T5060] kasan_report+0xda/0x110 [ 97.677937][ T5060] ? ptp_read+0x7c4/0x830 [ 97.682277][ T5060] ? ptp_read+0x7c4/0x830 [ 97.686617][ T5060] ptp_read+0x7c4/0x830 [ 97.690788][ T5060] ? ptp_poll+0x1b0/0x1b0 [ 97.695473][ T5060] ? cpuusage_read+0x10/0x10 [ 97.700098][ T5060] ? fsnotify_perm.part.0+0x23c/0x5c0 [ 97.705484][ T5060] ? fsnotify_perm.part.0+0x247/0x5c0 [ 97.710892][ T5060] ? apparmor_file_permission+0x21f/0x4f0 [ 97.716624][ T5060] ? ptp_poll+0x1b0/0x1b0 [ 97.720965][ T5060] posix_clock_read+0x138/0x1b0 [ 97.725841][ T5060] ? posix_clock_compat_ioctl+0x30/0x30 [ 97.731408][ T5060] vfs_read+0x1ce/0x8f0 [ 97.735582][ T5060] ? kernel_read+0x1b0/0x1b0 [ 97.740204][ T5060] ? ptrace_stop.part.0+0x61a/0x900 [ 97.745422][ T5060] ? __fget_files+0x1c6/0x340 [ 97.750118][ T5060] ? __fget_light+0xe6/0x260 [ 97.754737][ T5060] ksys_read+0x12f/0x250 [ 97.759106][ T5060] ? vfs_write+0xdf0/0xdf0 [ 97.763641][ T5060] ? lockdep_hardirqs_on+0x7d/0x100 [ 97.768972][ T5060] ? _raw_spin_unlock_irq+0x2e/0x50 [ 97.774187][ T5060] ? ptrace_notify+0xf4/0x130 [ 97.778890][ T5060] do_syscall_64+0x3f/0x110 [ 97.783419][ T5060] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 97.789382][ T5060] RIP: 0033:0x7f79c5938c39 [ 97.793802][ T5060] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 97.813432][ T5060] RSP: 002b:00007f79c58fb238 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 97.821892][ T5060] RAX: ffffffffffffffda RBX: 00007f79c59c2308 RCX: 00007f79c5938c39 [ 97.829888][ T5060] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 97.837959][ T5060] RBP: 00007f79c59c2300 R08: 00007f79c58fb6c0 R09: 00007f79c58fb6c0 [ 97.845935][ T5060] R10: 00007f79c58fb6c0 R11: 0000000000000246 R12: 7074702f7665642f [ 97.854466][ T5060] R13: 0000000000000000 R14: 00007ffca835e430 R15: 00007ffca835e518 [ 97.862484][ T5060] [ 97.865510][ T5060] [ 97.867849][ T5060] Allocated by task 5060: [ 97.872186][ T5060] kasan_save_stack+0x33/0x50 [ 97.876889][ T5060] kasan_set_track+0x25/0x30 [ 97.881503][ T5060] __kasan_kmalloc+0xa2/0xb0 [ 97.886116][ T5060] ptp_open+0xe3/0x4f0 [ 97.890250][ T5060] posix_clock_open+0x17e/0x240 [ 97.895256][ T5060] chrdev_open+0x26d/0x6e0 [ 97.899708][ T5060] do_dentry_open+0x8d4/0x18d0 [ 97.904503][ T5060] path_openat+0x1d3b/0x2ce0 [ 97.909132][ T5060] do_filp_open+0x1de/0x430 [ 97.913656][ T5060] do_sys_openat2+0x176/0x1e0 [ 97.918391][ T5060] __x64_sys_openat+0x175/0x210 [ 97.923413][ T5060] do_syscall_64+0x3f/0x110 [ 97.927952][ T5060] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 97.934020][ T5060] [ 97.936353][ T5060] Freed by task 5061: [ 97.940421][ T5060] kasan_save_stack+0x33/0x50 [ 97.945561][ T5060] kasan_set_track+0x25/0x30 [ 97.950256][ T5060] kasan_save_free_info+0x2b/0x40 [ 97.955476][ T5060] ____kasan_slab_free+0x15b/0x1b0 [ 97.960620][ T5060] slab_free_freelist_hook+0x114/0x1e0 [ 97.966141][ T5060] __kmem_cache_free+0xc0/0x180 [ 97.971021][ T5060] ptp_release+0x204/0x2b0 [ 97.975471][ T5060] ptp_read+0xf6/0x830 [ 97.979576][ T5060] posix_clock_read+0x138/0x1b0 [ 97.984468][ T5060] vfs_read+0x1ce/0x8f0 [ 97.988639][ T5060] ksys_read+0x12f/0x250 [ 97.992914][ T5060] do_syscall_64+0x3f/0x110 [ 97.997479][ T5060] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 98.003430][ T5060] [ 98.005769][ T5060] The buggy address belongs to the object at ffff88801af1c000 [ 98.005769][ T5060] which belongs to the cache kmalloc-8k of size 8192 [ 98.019841][ T5060] The buggy address is located 4100 bytes inside of [ 98.019841][ T5060] freed 8192-byte region [ffff88801af1c000, ffff88801af1e000) [ 98.033828][ T5060] [ 98.036154][ T5060] The buggy address belongs to the physical page: [ 98.045007][ T5060] page:ffffea00006bc600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1af18 [ 98.055340][ T5060] head:ffffea00006bc600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 98.064280][ T5060] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 98.072276][ T5060] page_type: 0xffffffff() [ 98.076616][ T5060] raw: 00fff00000000840 ffff888012c42280 ffffea000067c800 0000000000000002 [ 98.085249][ T5060] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 [ 98.093846][ T5060] page dumped because: kasan: bad access detected [ 98.100266][ T5060] page_owner tracks the page as allocated [ 98.105989][ T5060] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4710, tgid 4710 (rcS), ts 62110954256, free_ts 62079685567 [ 98.125824][ T5060] post_alloc_hook+0x2cf/0x340 [ 98.131043][ T5060] get_page_from_freelist+0xa16/0x3680 [ 98.136509][ T5060] __alloc_pages+0x1d0/0x4c0 [ 98.141111][ T5060] alloc_pages_mpol+0x258/0x5f0 [ 98.145991][ T5060] allocate_slab+0x251/0x380 [ 98.150584][ T5060] ___slab_alloc+0x8c7/0x1580 [ 98.155267][ T5060] __slab_alloc.constprop.0+0x56/0xa0 [ 98.160745][ T5060] __kmem_cache_alloc_node+0x131/0x310 [ 98.166241][ T5060] kmalloc_trace+0x27/0xf0 [ 98.170773][ T5060] tomoyo_init_log+0xcdf/0x2110 [ 98.175655][ T5060] tomoyo_supervisor+0x30c/0xea0 [ 98.180620][ T5060] tomoyo_env_perm+0x18f/0x200 [ 98.185407][ T5060] tomoyo_find_next_domain+0xef6/0x2020 [ 98.190981][ T5060] tomoyo_bprm_check_security+0x12b/0x1d0 [ 98.196754][ T5060] security_bprm_check+0x6a/0xe0 [ 98.201718][ T5060] bprm_execve+0x738/0x1a90 [ 98.206244][ T5060] page last free stack trace: [ 98.210931][ T5060] free_unref_page_prepare+0x476/0xa40 [ 98.216401][ T5060] free_unref_page+0x33/0x3b0 [ 98.221611][ T5060] __unfreeze_partials+0x21d/0x240 [ 98.226833][ T5060] qlist_free_all+0x6a/0x170 [ 98.231455][ T5060] kasan_quarantine_reduce+0x18e/0x1d0 [ 98.236949][ T5060] __kasan_slab_alloc+0x65/0x90 [ 98.241814][ T5060] __kmem_cache_alloc_node+0x195/0x310 [ 98.247372][ T5060] kmalloc_trace+0x27/0xf0 [ 98.251796][ T5060] tomoyo_init_log+0x1a0/0x2110 [ 98.256656][ T5060] tomoyo_supervisor+0x30c/0xea0 [ 98.262556][ T5060] tomoyo_path_permission+0x270/0x3b0 [ 98.268147][ T5060] tomoyo_check_open_permission+0x371/0x3b0 [ 98.274067][ T5060] tomoyo_file_open+0xa8/0xd0 [ 98.278779][ T5060] security_file_open+0x6a/0xe0 [ 98.284180][ T5060] do_dentry_open+0x583/0x18d0 [ 98.288965][ T5060] path_openat+0x1d3b/0x2ce0 [ 98.293577][ T5060] [ 98.295899][ T5060] Memory state around the buggy address: [ 98.301534][ T5060] ffff88801af1cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 98.309615][ T5060] ffff88801af1cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 98.319160][ T5060] >ffff88801af1d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 98.327239][ T5060] ^ [ 98.331370][ T5060] ffff88801af1d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 98.339458][ T5060] ffff88801af1d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 98.347516][ T5060] ================================================================== [ 98.356638][ T5060] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 98.363871][ T5060] CPU: 0 PID: 5060 Comm: syz-executor341 Not tainted 6.6.0-rc6-next-20231018-syzkaller #0 [ 98.373802][ T5060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 [ 98.383882][ T5060] Call Trace: [ 98.387162][ T5060] [ 98.390094][ T5060] dump_stack_lvl+0xd9/0x1b0 [ 98.394711][ T5060] panic+0x6dc/0x790 [ 98.398620][ T5060] ? panic_smp_self_stop+0xa0/0xa0 [ 98.403768][ T5060] ? preempt_schedule_thunk+0x1a/0x30 [ 98.409180][ T5060] ? preempt_schedule_common+0x45/0xc0 [ 98.414668][ T5060] ? check_panic_on_warn+0x1f/0xb0 [ 98.419810][ T5060] check_panic_on_warn+0xab/0xb0 [ 98.424777][ T5060] end_report+0x118/0x160 [ 98.429164][ T5060] kasan_report+0xea/0x110 [ 98.433686][ T5060] ? ptp_read+0x7c4/0x830 [ 98.438030][ T5060] ? ptp_read+0x7c4/0x830 [ 98.442389][ T5060] ptp_read+0x7c4/0x830 [ 98.446558][ T5060] ? ptp_poll+0x1b0/0x1b0 [ 98.450898][ T5060] ? cpuusage_read+0x10/0x10 [ 98.455516][ T5060] ? fsnotify_perm.part.0+0x23c/0x5c0 [ 98.460919][ T5060] ? fsnotify_perm.part.0+0x247/0x5c0 [ 98.466397][ T5060] ? apparmor_file_permission+0x21f/0x4f0 [ 98.472133][ T5060] ? ptp_poll+0x1b0/0x1b0 [ 98.476484][ T5060] posix_clock_read+0x138/0x1b0 [ 98.481361][ T5060] ? posix_clock_compat_ioctl+0x30/0x30 [ 98.486925][ T5060] vfs_read+0x1ce/0x8f0 [ 98.491108][ T5060] ? kernel_read+0x1b0/0x1b0 [ 98.495715][ T5060] ? ptrace_stop.part.0+0x61a/0x900 [ 98.500925][ T5060] ? __fget_files+0x1c6/0x340 [ 98.505619][ T5060] ? __fget_light+0xe6/0x260 [ 98.510228][ T5060] ksys_read+0x12f/0x250 [ 98.514491][ T5060] ? vfs_write+0xdf0/0xdf0 [ 98.518940][ T5060] ? lockdep_hardirqs_on+0x7d/0x100 [ 98.524178][ T5060] ? _raw_spin_unlock_irq+0x2e/0x50 [ 98.529386][ T5060] ? ptrace_notify+0xf4/0x130 [ 98.534090][ T5060] do_syscall_64+0x3f/0x110 [ 98.538615][ T5060] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 98.544525][ T5060] RIP: 0033:0x7f79c5938c39 [ 98.548946][ T5060] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 98.568834][ T5060] RSP: 002b:00007f79c58fb238 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 98.577269][ T5060] RAX: ffffffffffffffda RBX: 00007f79c59c2308 RCX: 00007f79c5938c39 [ 98.585577][ T5060] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 98.594977][ T5060] RBP: 00007f79c59c2300 R08: 00007f79c58fb6c0 R09: 00007f79c58fb6c0 [ 98.603092][ T5060] R10: 00007f79c58fb6c0 R11: 0000000000000246 R12: 7074702f7665642f [ 98.611079][ T5060] R13: 0000000000000000 R14: 00007ffca835e430 R15: 00007ffca835e518 [ 98.619070][ T5060] [ 98.622350][ T5060] Kernel Offset: disabled [ 98.626691][ T5060] Rebooting in 86400 seconds..