./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1457802059 <...> Warning: Permanently added '10.128.1.174' (ED25519) to the list of known hosts. execve("./syz-executor1457802059", ["./syz-executor1457802059"], 0x7ffda0b81600 /* 10 vars */) = 0 brk(NULL) = 0x55558a299000 brk(0x55558a299d00) = 0x55558a299d00 arch_prctl(ARCH_SET_FS, 0x55558a299380) = 0 set_tid_address(0x55558a299650) = 5081 set_robust_list(0x55558a299660, 24) = 0 rseq(0x55558a299ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1457802059", 4096) = 28 getrandom("\x6c\xf0\x3e\x5c\xe5\x5b\x3f\xc6", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558a299d00 brk(0x55558a2bad00) = 0x55558a2bad00 brk(0x55558a2bb000) = 0x55558a2bb000 mprotect(0x7f31a7180000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5082 attached , child_tidptr=0x55558a299650) = 5082 [pid 5082] set_robust_list(0x55558a299660, 24) = 0 [pid 5082] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5082] setpgid(0, 0) = 0 [pid 5082] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5082] write(3, "1000", 4) = 4 [pid 5082] close(3) = 0 [pid 5082] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5082] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [pid 5082] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [pid 5082] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5082] exit_group(0) = ? [pid 5082] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5082, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5083 attached [pid 5083] set_robust_list(0x55558a299660, 24) = 0 [pid 5083] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5081] <... clone resumed>, child_tidptr=0x55558a299650) = 5083 [pid 5083] <... prctl resumed>) = 0 [pid 5083] setpgid(0, 0) = 0 [pid 5083] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5083] write(3, "1000", 4) = 4 [pid 5083] close(3) = 0 [pid 5083] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5083] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [pid 5083] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [pid 5083] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5083] exit_group(0) = ? [pid 5083] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5083, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5084 attached [pid 5084] set_robust_list(0x55558a299660, 24) = 0 [pid 5081] <... clone resumed>, child_tidptr=0x55558a299650) = 5084 [ 62.726777][ T12] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x800000000 pfn:0x22031 [ 62.736645][ T12] flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) [ 62.744870][ T12] raw: 00fff80000000000 0000000000000000 dead000000000122 0000000000000000 [ 62.754103][ T12] raw: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 [ 62.762992][ T12] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) [ 62.771947][ T12] page_owner tracks the page as freed [pid 5084] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5084] setpgid(0, 0) = 0 [pid 5084] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5084] write(3, "1000", 4) = 4 [ 62.778031][ T12] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x442dc0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_COMP|__GFP_ZERO), pid 5082, tgid -1762111097 (syz-executor145), ts 5082, free_ts 62726727379 [ 62.799532][ T12] post_alloc_hook+0x1f3/0x230 [ 62.804778][ T12] get_page_from_freelist+0x2e7e/0x2f40 [ 62.810650][ T12] __alloc_pages_noprof+0x256/0x6c0 [ 62.815943][ T12] alloc_pages_mpol_noprof+0x3e8/0x680 [ 62.821564][ T12] skb_page_frag_refill+0x158/0x2f0 [pid 5084] close(3) = 0 [pid 5084] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5084] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [pid 5084] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [ 62.826884][ T12] virtnet_rq_alloc+0x2f/0x860 [ 62.831856][ T12] try_fill_recv+0x5eb/0x1880 [ 62.837494][ T12] virtnet_poll+0xb58/0x1ad0 [ 62.842132][ T12] __napi_poll+0xcb/0x490 [ 62.846518][ T12] net_rx_action+0x7bb/0x10a0 [ 62.851226][ T12] __do_softirq+0x2c6/0x980 [ 62.856241][ T12] page last free pid 12 tgid 12 stack trace: [ 62.862260][ T12] free_unref_page+0xd3c/0xec0 [ 62.867597][ T12] __folio_put_large+0x168/0x1d0 [ 62.872631][ T12] __folio_put+0x299/0x390 [pid 5084] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5084] exit_group(0) = ? [pid 5084] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5084, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a299650) = 5085 ./strace-static-x86_64: Process 5085 attached [pid 5085] set_robust_list(0x55558a299660, 24) = 0 [pid 5085] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5085] setpgid(0, 0) = 0 [ 62.877109][ T12] __io_remove_buffers+0x298/0x8f0 [ 62.882465][ T12] io_destroy_buffers+0x14e/0x490 [ 62.887667][ T12] io_ring_ctx_free+0x818/0xe70 [ 62.893008][ T12] io_ring_exit_work+0x7c7/0x850 [ 62.898578][ T12] process_scheduled_works+0xa2c/0x1830 [ 62.904778][ T12] worker_thread+0x86d/0xd70 [ 62.909707][ T12] kthread+0x2f0/0x390 [ 62.913913][ T12] ret_from_fork+0x4b/0x80 [ 62.919322][ T12] ret_from_fork_asm+0x1a/0x30 [pid 5085] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5085] write(3, "1000", 4) = 4 [pid 5085] close(3) = 0 [ 62.925288][ T12] ------------[ cut here ]------------ [ 62.928545][ T29] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x800000000 pfn:0x21f11 [ 62.931283][ T12] kernel BUG at include/linux/mm.h:1135! [ 62.947357][ T29] flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) [ 62.947433][ T12] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 62.954488][ T29] raw: 00fff80000000000 0000000000000000 dead000000000122 0000000000000000 [ 62.961651][ T12] CPU: 0 PID: 12 Comm: kworker/u8:1 Not tainted 6.9.0-rc2-next-20240402-syzkaller #0 [ 62.961668][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 62.961679][ T12] Workqueue: events_unbound io_ring_exit_work [ 62.961704][ T12] RIP: 0010:__io_remove_buffers+0x8ee/0x8f0 [ 62.961728][ T12] Code: ff fb ff ff 48 c7 c7 3c 68 a9 8f e8 fc b6 56 fd e9 ee fb ff ff e8 12 dc f1 fc 48 89 ef 48 c7 c6 60 ff 1e 8c e8 13 20 3b fd 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa [ 63.024091][ T12] RSP: 0018:ffffc90000117830 EFLAGS: 00010246 [ 63.030157][ T12] RAX: 12798bbc5474ca00 RBX: 0000000000000000 RCX: 0000000000000001 [ 63.038118][ T12] RDX: dffffc0000000000 RSI: ffffffff8bcad5c0 RDI: 0000000000000001 [ 63.046362][ T12] RBP: ffffea0000880c40 R08: ffffffff92f3a5ef R09: 1ffffffff25e74bd [ 63.054332][ T12] R10: dffffc0000000000 R11: fffffbfff25e74be R12: 0000000000000008 [ 63.062303][ T12] R13: 0000000000000002 R14: ffff88802d20d280 R15: ffffea0000880c74 [ 63.070267][ T12] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 [ 63.079211][ T12] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 63.086408][ T12] CR2: 00000000200020c4 CR3: 000000007d97a000 CR4: 00000000003506f0 [ 63.094750][ T12] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 63.102820][ T12] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 63.111472][ T12] Call Trace: [ 63.114747][ T12] [ 63.117769][ T12] ? __die_body+0x88/0xe0 [ 63.122098][ T12] ? die+0xcf/0x110 [ 63.125927][ T12] ? do_trap+0x15a/0x3a0 [ 63.130162][ T12] ? __io_remove_buffers+0x8ee/0x8f0 [ 63.135562][ T12] ? do_error_trap+0x1dc/0x2c0 [ 63.140318][ T12] ? __io_remove_buffers+0x8ee/0x8f0 [ 63.145685][ T12] ? __pfx_do_error_trap+0x10/0x10 [ 63.150801][ T12] ? handle_invalid_op+0x34/0x40 [ 63.155756][ T12] ? __io_remove_buffers+0x8ee/0x8f0 [ 63.161036][ T12] ? exc_invalid_op+0x38/0x50 [ 63.165709][ T12] ? asm_exc_invalid_op+0x1a/0x20 [ 63.170732][ T12] ? __io_remove_buffers+0x8ee/0x8f0 [ 63.176114][ T12] io_destroy_buffers+0x14e/0x490 [ 63.181226][ T12] ? lockdep_hardirqs_on+0x99/0x150 [ 63.186424][ T12] ? __pfx_io_destroy_buffers+0x10/0x10 [ 63.191970][ T12] ? io_futex_cache_free+0x1e3/0x240 [ 63.197253][ T12] io_ring_ctx_free+0x818/0xe70 [ 63.202104][ T12] io_ring_exit_work+0x7c7/0x850 [ 63.207044][ T12] ? __pfx_io_ring_exit_work+0x10/0x10 [ 63.212499][ T12] ? __pfx_io_tctx_exit_cb+0x10/0x10 [ 63.217789][ T12] ? process_scheduled_works+0x945/0x1830 [ 63.223513][ T12] process_scheduled_works+0xa2c/0x1830 [ 63.229064][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 63.235042][ T12] ? assign_work+0x364/0x3d0 [ 63.239626][ T12] worker_thread+0x86d/0xd70 [ 63.244218][ T12] ? __kthread_parkme+0x169/0x1d0 [ 63.249248][ T12] ? __pfx_worker_thread+0x10/0x10 [ 63.254350][ T12] kthread+0x2f0/0x390 [ 63.258436][ T12] ? __pfx_worker_thread+0x10/0x10 [ 63.263637][ T12] ? __pfx_kthread+0x10/0x10 [ 63.268424][ T12] ret_from_fork+0x4b/0x80 [ 63.272839][ T12] ? __pfx_kthread+0x10/0x10 [pid 5085] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5085] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [ 63.277425][ T12] ret_from_fork_asm+0x1a/0x30 [ 63.282191][ T12] [ 63.285199][ T12] Modules linked in: [ 63.289219][ T29] raw: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 [ 63.289862][ T12] ---[ end trace 0000000000000000 ]--- [ 63.298738][ T29] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) [ 63.303974][ T12] RIP: 0010:__io_remove_buffers+0x8ee/0x8f0 [ 63.312767][ T51] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x800000000 pfn:0x7aee9 [pid 5085] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [ 63.318501][ T12] Code: ff fb ff ff 48 c7 c7 3c 68 a9 8f e8 fc b6 56 fd e9 ee fb ff ff e8 12 dc f1 fc 48 89 ef 48 c7 c6 60 ff 1e 8c e8 13 20 3b fd 90 <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa [ 63.328332][ T51] flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) [ 63.353018][ T12] RSP: 0018:ffffc90000117830 EFLAGS: 00010246 [ 63.356912][ T29] page_owner tracks the page as allocated [ 63.361582][ T12] RAX: 12798bbc5474ca00 RBX: 0000000000000000 RCX: 0000000000000001 [pid 5085] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5085] exit_group(0) = ? [ 63.374875][ T29] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40cc0(GFP_KERNEL|__GFP_COMP), pid 5085, tgid -1480492764 (syz-executor145), ts 5085, free_ts 62928514863 [ 63.375485][ T12] RDX: dffffc0000000000 RSI: ffffffff8bcad5c0 RDI: 0000000000000001 [ 63.392658][ T51] raw: 00fff80000000000 0000000000000000 dead000000000122 0000000000000000 [ 63.400944][ T12] RBP: ffffea0000880c40 R08: ffffffff92f3a5ef R09: 1ffffffff25e74bd [ 63.409082][ T29] post_alloc_hook+0x1f3/0x230 [ 63.418073][ T12] R10: dffffc0000000000 R11: fffffbfff25e74be R12: 0000000000000008 [pid 5085] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5085, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a299650) = 5086 ./strace-static-x86_64: Process 5086 attached [pid 5086] set_robust_list(0x55558a299660, 24) = 0 [pid 5086] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5086] setpgid(0, 0) = 0 [pid 5086] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5086] write(3, "1000", 4) = 4 [pid 5086] close(3) = 0 [pid 5086] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5086] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [pid 5086] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [pid 5086] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5086] exit_group(0) = ? [pid 5086] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5086, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a299650) = 5087 ./strace-static-x86_64: Process 5087 attached [pid 5087] set_robust_list(0x55558a299660, 24) = 0 [pid 5087] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5087] setpgid(0, 0) = 0 [pid 5087] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [ 63.422138][ T51] raw: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 [ 63.430859][ T12] R13: 0000000000000002 R14: ffff88802d20d280 R15: ffffea0000880c74 [ 63.440774][ T29] get_page_from_freelist+0x2e7e/0x2f40 [ 63.453545][ T29] __alloc_pages_noprof+0x256/0x6c0 [ 63.459619][ T51] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) [ 63.464384][ T12] FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 [pid 5087] write(3, "1000", 4) = 4 [pid 5087] close(3) = 0 [pid 5087] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5087] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [pid 5087] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [pid 5087] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5087] exit_group(0) = ? [pid 5087] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5087, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5088 attached , child_tidptr=0x55558a299650) = 5088 [pid 5088] set_robust_list(0x55558a299660, 24) = 0 [pid 5088] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5088] setpgid(0, 0) = 0 [pid 5088] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5088] write(3, "1000", 4) = 4 [pid 5088] close(3) = 0 [pid 5088] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5088] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [pid 5088] mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0x10000000) = 0x7f31a6dac000 [pid 5088] io_uring_register(3, IORING_REGISTER_PBUF_RING, {ring_addr=NULL, ring_entries=2048, bgid=0, pad=0x1}, 1) = 0 [pid 5088] exit_group(0) = ? [ 63.468541][ T29] __kmalloc_large_node+0x91/0x1f0 [ 63.482504][ T51] page_owner tracks the page as allocated [ 63.489467][ T51] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x442dc0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_COMP|__GFP_ZERO), pid 5085, tgid -1032242546 (syz-executor145), ts 5085, free_ts 63312746492 [ 63.505708][ T12] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 63.511278][ T29] __kmalloc_noprof+0x2a4/0x410 [ 63.516431][ T12] CR2: 00007f31a71870f0 CR3: 000000007930c000 CR4: 00000000003506f0 [pid 5088] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5088, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a299650) = 5089 ./strace-static-x86_64: Process 5089 attached [pid 5089] set_robust_list(0x55558a299660, 24) = 0 [pid 5089] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5089] setpgid(0, 0) = 0 [pid 5089] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "1000", 4) = 4 [pid 5089] close(3) = 0 [pid 5089] io_uring_setup(28910, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE|0x2000, sq_off={head=0, tail=4, ring_mask=16, ring_entries=24, flags=36, dropped=32, array=1048640}, cq_off={head=8, tail=12, ring_mask=20, ring_entries=28, overflow=44, cqes=64, flags=40}}) = 3 [pid 5089] mmap(NULL, 1179712, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE, 3, 0) = 0x7f31a6fac000 [ 63.521902][ T29] io_alloc_hash_table+0x3a/0xc0 [ 63.533525][ T12] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 63.535605][ T51] post_alloc_hook+0x1f3/0x230 [ 63.548336][ T29] io_ring_ctx_alloc+0x128/0x1840 [ 63.549497][ T12] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 63.553388][ T29] io_uring_create+0x2ce/0x12f0 [ 63.553413][ T29] __se_sys_io_uring_setup+0x2ba/0x330 [ 63.565427][ T12] Kernel panic - not syncing: Fatal exception [ 63.567123][ T12] Kernel Offset: disabled