DUID 00:04:66:e4:01:83:27:57:c7:2c:b4:77:89:67:fd:32:a2:9b
forked to background, child pid 4671
[ 36.610096][ T4672] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.621618][ T4672] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 62.900409][ T5771] ==================================================================
[ 62.908505][ T5771] BUG: KASAN: slab-use-after-free in iommufd_access_unpin_pages+0x363/0x370
[ 62.917192][ T5771] Read of size 8 at addr ffff888022286e20 by task syz-executor669/5771
[ 62.925418][ T5771]
[ 62.927744][ T5771] CPU: 0 PID: 5771 Comm: syz-executor669 Not tainted 6.4.0-rc5-syzkaller-00313-g4c605260bc60 #0
[ 62.938138][ T5771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 62.948178][ T5771] Call Trace:
[ 62.951452][ T5771]
[ 62.954374][ T5771] dump_stack_lvl+0xd9/0x150
[ 62.958967][ T5771] print_address_description.constprop.0+0x2c/0x3c0
[ 62.965570][ T5771] ? iommufd_access_unpin_pages+0x363/0x370
[ 62.971489][ T5771] kasan_report+0x11c/0x130
[ 62.975990][ T5771] ? iommufd_access_unpin_pages+0x363/0x370
[ 62.981879][ T5771] iommufd_access_unpin_pages+0x363/0x370
[ 62.987683][ T5771] ? iommufd_access_rw+0x490/0x490
[ 62.992789][ T5771] ? iommufd_access_notify_unmap+0x1e7/0x3a0
[ 62.998787][ T5771] iommufd_test_access_unmap+0x24b/0x390
[ 63.004420][ T5771] ? mock_domain_alloc+0x1e0/0x1e0
[ 63.009523][ T5771] iommufd_access_notify_unmap+0x24c/0x3a0
[ 63.015346][ T5771] ? iommufd_access_destroy_object+0x150/0x150
[ 63.021499][ T5771] iopt_unmap_iova_range+0x4c4/0x5f0
[ 63.026783][ T5771] iopt_unmap_all+0x27/0x50
[ 63.031281][ T5771] iommufd_ioas_unmap+0x3d0/0x490
[ 63.036468][ T5771] ? iommufd_ioas_copy+0x7e0/0x7e0
[ 63.041565][ T5771] iommufd_fops_ioctl+0x317/0x4b0
[ 63.046576][ T5771] ? iommufd_get_object.part.0+0x2b0/0x2b0
[ 63.052376][ T5771] ? __fget_files+0x26a/0x480
[ 63.057055][ T5771] ? bpf_lsm_file_ioctl+0x9/0x10
[ 63.061991][ T5771] ? iommufd_get_object.part.0+0x2b0/0x2b0
[ 63.067792][ T5771] __x64_sys_ioctl+0x197/0x210
[ 63.072552][ T5771] do_syscall_64+0x39/0xb0
[ 63.076966][ T5771] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.082855][ T5771] RIP: 0033:0x7fec1dae3b19
[ 63.087253][ T5771] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 63.106847][ T5771] RSP: 002b:00007fec1da74308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 63.115241][ T5771] RAX: ffffffffffffffda RBX: 00007fec1db6b438 RCX: 00007fec1dae3b19
[ 63.123197][ T5771] RDX: 0000000020000100 RSI: 0000000000003b86 RDI: 0000000000000003
[ 63.131152][ T5771] RBP: 00007fec1db6b430 R08: 00007fec1da74700 R09: 0000000000000000
[ 63.139106][ T5771] R10: 00007fec1da74700 R11: 0000000000000246 R12: 00007fec1db6b43c
[ 63.147063][ T5771] R13: 00007fec1db39074 R14: 6d6f692f7665642f R15: 0000000000022000
[ 63.155024][ T5771]
[ 63.158032][ T5771]
[ 63.160339][ T5771] Allocated by task 5770:
[ 63.164664][ T5771] kasan_save_stack+0x22/0x40
[ 63.169362][ T5771] kasan_set_track+0x25/0x30
[ 63.173957][ T5771] __kasan_kmalloc+0xa2/0xb0
[ 63.178550][ T5771] iopt_alloc_area_pages+0x94/0x560
[ 63.183744][ T5771] iopt_map_user_pages+0x205/0x4e0
[ 63.188847][ T5771] iommufd_ioas_map+0x329/0x5f0
[ 63.193680][ T5771] iommufd_fops_ioctl+0x317/0x4b0
[ 63.198778][ T5771] __x64_sys_ioctl+0x197/0x210
[ 63.203533][ T5771] do_syscall_64+0x39/0xb0
[ 63.207942][ T5771] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.213833][ T5771]
[ 63.216148][ T5771] Freed by task 5770:
[ 63.220110][ T5771] kasan_save_stack+0x22/0x40
[ 63.224776][ T5771] kasan_set_track+0x25/0x30
[ 63.229352][ T5771] kasan_save_free_info+0x2e/0x40
[ 63.234362][ T5771] ____kasan_slab_free+0x160/0x1c0
[ 63.239475][ T5771] slab_free_freelist_hook+0x8b/0x1c0
[ 63.244832][ T5771] __kmem_cache_free+0xaf/0x2d0
[ 63.249688][ T5771] iopt_unmap_iova_range+0x288/0x5f0
[ 63.254978][ T5771] iopt_unmap_all+0x27/0x50
[ 63.259668][ T5771] iommufd_ioas_unmap+0x3d0/0x490
[ 63.264963][ T5771] iommufd_fops_ioctl+0x317/0x4b0
[ 63.269994][ T5771] __x64_sys_ioctl+0x197/0x210
[ 63.274903][ T5771] do_syscall_64+0x39/0xb0
[ 63.279413][ T5771] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.285301][ T5771]
[ 63.287609][ T5771] The buggy address belongs to the object at ffff888022286e00
[ 63.287609][ T5771] which belongs to the cache kmalloc-cg-192 of size 192
[ 63.301900][ T5771] The buggy address is located 32 bytes inside of
[ 63.301900][ T5771] freed 192-byte region [ffff888022286e00, ffff888022286ec0)
[ 63.315600][ T5771]
[ 63.317904][ T5771] The buggy address belongs to the physical page:
[ 63.324292][ T5771] page:ffffea000088a180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22286
[ 63.334431][ T5771] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 63.342043][ T5771] page_type: 0xffffffff()
[ 63.346358][ T5771] raw: 00fff00000000200 ffff88801244ddc0 dead000000000122 0000000000000000
[ 63.355009][ T5771] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 63.363657][ T5771] page dumped because: kasan: bad access detected
[ 63.370057][ T5771] page_owner tracks the page as allocated
[ 63.375775][ T5771] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5725, tgid 5724 (syz-executor669), ts 62798621274, free_ts 62769254078
[ 63.394340][ T5771] post_alloc_hook+0x2db/0x350
[ 63.399100][ T5771] get_page_from_freelist+0xf41/0x2c00
[ 63.404555][ T5771] __alloc_pages+0x1cb/0x4a0
[ 63.409130][ T5771] alloc_pages+0x1aa/0x270
[ 63.413533][ T5771] allocate_slab+0x25f/0x390
[ 63.418109][ T5771] ___slab_alloc+0xa91/0x1400
[ 63.422770][ T5771] __slab_alloc.constprop.0+0x56/0xa0
[ 63.428128][ T5771] __kmem_cache_alloc_node+0x136/0x320
[ 63.433574][ T5771] kmalloc_trace+0x26/0xe0
[ 63.437981][ T5771] iopt_alloc_area_pages+0x94/0x560
[ 63.443256][ T5771] iopt_map_user_pages+0x205/0x4e0
[ 63.448358][ T5771] iommufd_ioas_map+0x329/0x5f0
[ 63.453187][ T5771] iommufd_fops_ioctl+0x317/0x4b0
[ 63.458196][ T5771] __x64_sys_ioctl+0x197/0x210
[ 63.463383][ T5771] do_syscall_64+0x39/0xb0
[ 63.467877][ T5771] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.473762][ T5771] page last free stack trace:
[ 63.478418][ T5771] free_unref_page_prepare+0x62e/0xcb0
[ 63.483863][ T5771] free_unref_page_list+0xe3/0xa70
[ 63.488963][ T5771] release_pages+0xcd8/0x1380
[ 63.493627][ T5771] tlb_batch_pages_flush+0xa8/0x1a0
[ 63.498813][ T5771] tlb_finish_mmu+0x14b/0x7e0
[ 63.503477][ T5771] exit_mmap+0x2b2/0x930
[ 63.507706][ T5771] __mmput+0x128/0x4c0
[ 63.511768][ T5771] mmput+0x60/0x70
[ 63.515474][ T5771] do_exit+0x9b0/0x29b0
[ 63.519609][ T5771] do_group_exit+0xd4/0x2a0
[ 63.524092][ T5771] __x64_sys_exit_group+0x3e/0x50
[ 63.529097][ T5771] do_syscall_64+0x39/0xb0
[ 63.533508][ T5771] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.539418][ T5771]
[ 63.541725][ T5771] Memory state around the buggy address:
[ 63.547332][ T5771] ffff888022286d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.556017][ T5771] ffff888022286d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 63.564956][ T5771] >ffff888022286e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.573182][ T5771] ^
[ 63.578374][ T5771] ffff888022286e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 63.586618][ T5771] ffff888022286f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.594666][ T5771] ==================================================================
[ 63.603603][ T5771] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 63.610813][ T5771] CPU: 0 PID: 5771 Comm: syz-executor669 Not tainted 6.4.0-rc5-syzkaller-00313-g4c605260bc60 #0
[ 63.621235][ T5771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 63.631276][ T5771] Call Trace:
[ 63.634539][ T5771]
[ 63.637456][ T5771] dump_stack_lvl+0xd9/0x150
[ 63.642035][ T5771] panic+0x686/0x730
[ 63.645924][ T5771] ? panic_smp_self_stop+0xa0/0xa0
[ 63.651027][ T5771] ? preempt_schedule_thunk+0x1a/0x20
[ 63.656393][ T5771] ? preempt_schedule_common+0x45/0xb0
[ 63.661943][ T5771] check_panic_on_warn+0xb1/0xc0
[ 63.666904][ T5771] end_report+0xe9/0x120
[ 63.671152][ T5771] ? iommufd_access_unpin_pages+0x363/0x370
[ 63.677064][ T5771] kasan_report+0xf9/0x130
[ 63.681494][ T5771] ? iommufd_access_unpin_pages+0x363/0x370
[ 63.687387][ T5771] iommufd_access_unpin_pages+0x363/0x370
[ 63.693124][ T5771] ? iommufd_access_rw+0x490/0x490
[ 63.698235][ T5771] ? iommufd_access_notify_unmap+0x1e7/0x3a0
[ 63.704215][ T5771] iommufd_test_access_unmap+0x24b/0x390
[ 63.709843][ T5771] ? mock_domain_alloc+0x1e0/0x1e0
[ 63.714940][ T5771] iommufd_access_notify_unmap+0x24c/0x3a0
[ 63.720739][ T5771] ? iommufd_access_destroy_object+0x150/0x150
[ 63.726888][ T5771] iopt_unmap_iova_range+0x4c4/0x5f0
[ 63.732167][ T5771] iopt_unmap_all+0x27/0x50
[ 63.736672][ T5771] iommufd_ioas_unmap+0x3d0/0x490
[ 63.741683][ T5771] ? iommufd_ioas_copy+0x7e0/0x7e0
[ 63.746781][ T5771] iommufd_fops_ioctl+0x317/0x4b0
[ 63.751795][ T5771] ? iommufd_get_object.part.0+0x2b0/0x2b0
[ 63.757610][ T5771] ? __fget_files+0x26a/0x480
[ 63.762289][ T5771] ? bpf_lsm_file_ioctl+0x9/0x10
[ 63.767246][ T5771] ? iommufd_get_object.part.0+0x2b0/0x2b0
[ 63.773116][ T5771] __x64_sys_ioctl+0x197/0x210
[ 63.777891][ T5771] do_syscall_64+0x39/0xb0
[ 63.782312][ T5771] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.788228][ T5771] RIP: 0033:0x7fec1dae3b19
[ 63.792633][ T5771] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 63.812226][ T5771] RSP: 002b:00007fec1da74308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 63.820624][ T5771] RAX: ffffffffffffffda RBX: 00007fec1db6b438 RCX: 00007fec1dae3b19
[ 63.828580][ T5771] RDX: 0000000020000100 RSI: 0000000000003b86 RDI: 0000000000000003
[ 63.836534][ T5771] RBP: 00007fec1db6b430 R08: 00007fec1da74700 R09: 0000000000000000
[ 63.844487][ T5771] R10: 00007fec1da74700 R11: 0000000000000246 R12: 00007fec1db6b43c
[ 63.852448][ T5771] R13: 00007fec1db39074 R14: 6d6f692f7665642f R15: 0000000000022000
[ 63.860433][ T5771]
[ 63.863705][ T5771] Kernel Offset: disabled
[ 63.868039][ T5771] Rebooting in 86400 seconds..