Warning: Permanently added '10.128.0.233' (ED25519) to the list of known hosts.
2024/04/17 14:50:35 ignoring optional flag "sandboxArg"="0"
2024/04/17 14:50:35 parsed 1 programs
2024/04/17 14:50:35 executed programs: 0
[ 53.669956][ T2253] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2024/04/17 14:50:49 executed programs: 5
2024/04/17 14:50:54 executed programs: 239
[ 73.219012][ T4951] ==================================================================
[ 73.227133][ T4951] BUG: KASAN: slab-use-after-free in hugetlb_fault+0x1689/0x1fb0
[ 73.234866][ T4951] Read of size 8 at addr ffff8880783fa020 by task syz-executor.3/4951
[ 73.243101][ T4951]
[ 73.245424][ T4951] CPU: 0 PID: 4951 Comm: syz-executor.3 Not tainted 6.8.0-rc5-syzkaller #0
[ 73.254023][ T4951] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 73.264179][ T4951] Call Trace:
[ 73.267549][ T4951]
[ 73.270479][ T4951] dump_stack_lvl+0xf8/0x260
[ 73.275081][ T4951] ? __pfx_dump_stack_lvl+0x10/0x10
[ 73.280279][ T4951] ? __pfx__printk+0x10/0x10
[ 73.285164][ T4951] ? __virt_addr_valid+0x141/0x260
[ 73.290272][ T4951] ? __virt_addr_valid+0x219/0x260
[ 73.295381][ T4951] print_report+0x167/0x540
[ 73.299963][ T4951] ? __virt_addr_valid+0x141/0x260
[ 73.305245][ T4951] ? __virt_addr_valid+0x219/0x260
[ 73.310516][ T4951] ? hugetlb_fault+0x1689/0x1fb0
[ 73.315470][ T4951] kasan_report+0x142/0x180
[ 73.320064][ T4951] ? hugetlb_fault+0x1689/0x1fb0
[ 73.325013][ T4951] hugetlb_fault+0x1689/0x1fb0
[ 73.329792][ T4951] ? __lock_acquire+0x5cc/0xc10
[ 73.334615][ T4951] ? __pfx_hugetlb_fault+0x10/0x10
[ 73.339730][ T4951] ? __count_memcg_events+0x168/0x420
[ 73.345079][ T4951] ? __pfx_do_wp_page+0x10/0x10
[ 73.349905][ T4951] ? count_memcg_event_mm+0x8e/0x200
[ 73.355169][ T4951] ? debug_object_free+0x2e2/0x3a0
[ 73.360272][ T4951] handle_mm_fault+0x362e/0x5380
[ 73.365442][ T4951] ? __lock_acquire+0x5cc/0xc10
[ 73.370265][ T4951] ? reacquire_held_locks+0x3a3/0x5b0
[ 73.375607][ T4951] ? __lock_acquire+0x5cc/0xc10
[ 73.380431][ T4951] ? __pfx_handle_mm_fault+0x10/0x10
[ 73.385786][ T4951] ? __pfx_reacquire_held_locks+0x10/0x10
[ 73.391492][ T4951] ? lock_vma_under_rcu+0x17e/0x5b0
[ 73.396678][ T4951] ? __pfx_lock_release+0x10/0x10
[ 73.401672][ T4951] ? lock_vma_under_rcu+0x29f/0x5b0
[ 73.406872][ T4951] ? lock_vma_under_rcu+0x17e/0x5b0
[ 73.412044][ T4951] ? lock_vma_under_rcu+0x524/0x5b0
[ 73.417301][ T4951] ? lock_vma_under_rcu+0x17e/0x5b0
[ 73.422586][ T4951] ? __pfx_lock_vma_under_rcu+0x10/0x10
[ 73.428274][ T4951] ? __up_read+0x28a/0x370
[ 73.432666][ T4951] exc_page_fault+0x484/0x860
[ 73.437316][ T4951] asm_exc_page_fault+0x26/0x30
[ 73.442265][ T4951] RIP: 0033:0x7f79e3a2c621
[ 73.446678][ T4951] Code: 48 8b 54 24 08 48 85 d2 74 17 8b 44 24 18 0f c8 89 c0 48 89 44 24 18 48 83 fa 01 0f 85 b3 01 00 00 48 8b 44 24 10 8b 54 24 18 <89> 10 e9 15 fd ff ff 48 8b 44 24 10 8b 10 48 8b 44 24 08 48 85 c0
[ 73.466697][ T4951] RSP: 002b:00007ffdb86ef570 EFLAGS: 00010246
[ 73.472742][ T4951] RAX: 0000000020000004 RBX: 0000000000000004 RCX: 0000000000000000
[ 73.480688][ T4951] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055555593c360
[ 73.488631][ T4951] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 73.496601][ T4951] R10: 00007ffdb86ef6e0 R11: 0000000000000246 R12: 00007f79e3600128
[ 73.504543][ T4951] R13: fffffffffffffffe R14: 00007f79e3600000 R15: 00007f79e3600130
[ 73.512487][ T4951]
[ 73.515612][ T4951]
[ 73.517936][ T4951] Allocated by task 4953:
[ 73.522233][ T4951] kasan_save_track+0x3f/0x80
[ 73.526969][ T4951] __kasan_slab_alloc+0x66/0x80
[ 73.531802][ T4951] kmem_cache_alloc+0x15a/0x390
[ 73.536649][ T4951] vm_area_alloc+0x1f/0x1c0
[ 73.541208][ T4951] mmap_region+0xa35/0x1a20
[ 73.545691][ T4951] do_mmap+0x6f2/0xbd0
[ 73.549729][ T4951] vm_mmap_pgoff+0x21a/0x3a0
[ 73.554287][ T4951] ksys_mmap_pgoff+0x314/0x3c0
[ 73.559025][ T4951] do_syscall_64+0x94/0x170
[ 73.563497][ T4951] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 73.569364][ T4951]
[ 73.571664][ T4951] Freed by task 15:
[ 73.575440][ T4951] kasan_save_track+0x3f/0x80
[ 73.580095][ T4951] kasan_save_free_info+0x40/0x50
[ 73.585088][ T4951] poison_slab_object+0xee/0x1a0
[ 73.590001][ T4951] __kasan_slab_free+0x37/0x60
[ 73.594823][ T4951] kmem_cache_free+0x136/0x330
[ 73.599647][ T4951] rcu_core+0xc4b/0x1470
[ 73.603947][ T4951] __do_softirq+0x1be/0x586
[ 73.608420][ T4951]
[ 73.610719][ T4951] Last potentially related work creation:
[ 73.616597][ T4951] kasan_save_stack+0x3f/0x60
[ 73.621241][ T4951] __kasan_record_aux_stack+0xac/0xc0
[ 73.626671][ T4951] call_rcu+0x159/0x8e0
[ 73.630795][ T4951] do_vmi_align_munmap+0xe35/0x14b0
[ 73.635967][ T4951] do_vmi_munmap+0x1b5/0x210
[ 73.640579][ T4951] mmap_region+0x63a/0x1a20
[ 73.645054][ T4951] do_mmap+0x6f2/0xbd0
[ 73.649199][ T4951] vm_mmap_pgoff+0x21a/0x3a0
[ 73.653873][ T4951] ksys_mmap_pgoff+0x314/0x3c0
[ 73.658607][ T4951] do_syscall_64+0x94/0x170
[ 73.663081][ T4951] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 73.669206][ T4951]
[ 73.671505][ T4951] The buggy address belongs to the object at ffff8880783fa000
[ 73.671505][ T4951] which belongs to the cache vm_area_struct of size 176
[ 73.685834][ T4951] The buggy address is located 32 bytes inside of
[ 73.685834][ T4951] freed 176-byte region [ffff8880783fa000, ffff8880783fa0b0)
[ 73.699509][ T4951]
[ 73.701810][ T4951] The buggy address belongs to the physical page:
[ 73.708196][ T4951] page:ffffea0001e0fe80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x783fa
[ 73.718312][ T4951] memcg:ffff88801459a301
[ 73.722546][ T4951] anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 73.730501][ T4951] page_type: 0xffffffff()
[ 73.734907][ T4951] raw: 00fff00000000800 ffff88800a2e4b40 ffffea0001e08480 dead000000000003
[ 73.743993][ T4951] raw: 0000000000000000 0000000000110011 00000001ffffffff ffff88801459a301
[ 73.752639][ T4951] page dumped because: kasan: bad access detected
[ 73.759199][ T4951] page_owner tracks the page as allocated
[ 73.765511][ T4951] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1748, tgid 1748 (modprobe), ts 30274777986, free_ts 23443043961
[ 73.783470][ T4951] post_alloc_hook+0x10f/0x130
[ 73.788237][ T4951] get_page_from_freelist+0x345c/0x3600
[ 73.793841][ T4951] __alloc_pages+0x255/0x650
[ 73.798412][ T4951] alloc_slab_page+0x5f/0x160
[ 73.803178][ T4951] new_slab+0x70/0x270
[ 73.807229][ T4951] ___slab_alloc+0xa79/0x10b0
[ 73.811877][ T4951] kmem_cache_alloc+0x235/0x390
[ 73.816697][ T4951] vm_area_dup+0x21/0x160
[ 73.821170][ T4951] __split_vma+0xfe/0xb10
[ 73.825473][ T4951] do_vmi_align_munmap+0x3ba/0x14b0
[ 73.830639][ T4951] do_vmi_munmap+0x1b5/0x210
[ 73.835214][ T4951] mmap_region+0x63a/0x1a20
[ 73.839727][ T4951] do_mmap+0x6f2/0xbd0
[ 73.843787][ T4951] vm_mmap_pgoff+0x21a/0x3a0
[ 73.848611][ T4951] ksys_mmap_pgoff+0x2d9/0x3c0
[ 73.853434][ T4951] do_syscall_64+0x94/0x170
[ 73.857999][ T4951] page last free pid 1716 tgid 1716 stack trace:
[ 73.864553][ T4951] free_unref_page_prepare+0x7e5/0x900
[ 73.870263][ T4951] free_unref_page+0x37/0x3a0
[ 73.874935][ T4951] pipe_read+0x4fc/0xdd0
[ 73.879195][ T4951] vfs_read+0x84f/0xb10
[ 73.883319][ T4951] ksys_read+0x163/0x250
[ 73.887627][ T4951] do_syscall_64+0x94/0x170
[ 73.892186][ T4951] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 73.898048][ T4951]
[ 73.900452][ T4951] Memory state around the buggy address:
[ 73.906598][ T4951] ffff8880783f9f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.914641][ T4951] ffff8880783f9f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 73.923461][ T4951] >ffff8880783fa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.931576][ T4951]                                ^
[ 73.936743][ T4951] ffff8880783fa080: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[ 73.945075][ T4951] ffff8880783fa100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.953451][ T4951] ==================================================================
[ 73.973280][ T4951] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 73.980765][ T4951] Kernel Offset: disabled
[ 73.985119][ T4951] Rebooting in 86400 seconds..