Warning: Permanently added '10.128.10.0' (ED25519) to the list of known hosts.
2024/06/10 14:24:11 ignoring optional flag "sandboxArg"="0"
2024/06/10 14:24:11 parsed 1 programs
[ 51.433345][ T2672] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
2024/06/10 14:24:15 executed programs: 0
[ 68.889986][ T5180] mmap: syz-executor.0 (5180) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
2024/06/10 14:24:29 executed programs: 5
[ 70.045978][ T5327] ==================================================================
[ 70.054246][ T5327] BUG: KASAN: slab-use-after-free in finish_fault+0x8b9/0xe90
[ 70.061733][ T5327] Read of size 8 at addr ffff88807d3e6000 by task syz-executor.4/5327
[ 70.069874][ T5327]
[ 70.072202][ T5327] CPU: 1 PID: 5327 Comm: syz-executor.4 Not tainted 6.10.0-rc1-syzkaller #0
[ 70.080868][ T5327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 70.090934][ T5327] Call Trace:
[ 70.094446][ T5327]
[ 70.097386][ T5327]  dump_stack_lvl+0x108/0x280
[ 70.102135][ T5327]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.107571][ T5327]  ? __pfx__printk+0x10/0x10
[ 70.112219][ T5327]  ? __virt_addr_valid+0x141/0x260
[ 70.117423][ T5327]  ? __virt_addr_valid+0x219/0x260
[ 70.122645][ T5327]  print_report+0x169/0x550
[ 70.127269][ T5327]  ? __virt_addr_valid+0x141/0x260
[ 70.132411][ T5327]  ? __virt_addr_valid+0x219/0x260
[ 70.137523][ T5327]  ? finish_fault+0x8b9/0xe90
[ 70.142294][ T5327]  kasan_report+0x143/0x180
[ 70.146801][ T5327]  ? finish_fault+0x8b9/0xe90
[ 70.151645][ T5327]  finish_fault+0x8b9/0xe90
[ 70.156155][ T5327]  ? __pfx_finish_fault+0x10/0x10
[ 70.161157][ T5327]  ? __pfx_lock_release+0x10/0x10
[ 70.166301][ T5327]  ? __do_fault+0x1a7/0x310
[ 70.170870][ T5327]  __handle_mm_fault+0x142c/0x5b30
[ 70.175992][ T5327]  ? __pfx___handle_mm_fault+0x10/0x10
[ 70.181527][ T5327]  ? __pfx_lock_release+0x10/0x10
[ 70.186560][ T5327]  ? do_raw_spin_unlock+0x13c/0x8b0
[ 70.191870][ T5327]  ? folio_mark_accessed+0xa2/0x8b0
[ 70.197149][ T5327]  ? follow_page_pte+0x1f8/0x12b0
[ 70.202329][ T5327]  ? __pfx_follow_page_pte+0x10/0x10
[ 70.207789][ T5327]  ? __count_memcg_events+0x172/0x420
[ 70.213149][ T5327]  ? follow_page_mask+0xd8a/0x2090
[ 70.218255][ T5327]  ? __pfx_follow_page_mask+0x10/0x10
[ 70.223713][ T5327]  ? find_vma+0xca/0x130
[ 70.227944][ T5327]  handle_mm_fault+0x122/0x470
[ 70.232708][ T5327]  __get_user_pages+0x74f/0x1180
[ 70.237737][ T5327]  ? __pfx___get_user_pages+0x10/0x10
[ 70.243266][ T5327]  ? __pfx_mt_find+0x10/0x10
[ 70.247843][ T5327]  populate_vma_page_range+0x1bc/0x260
[ 70.253413][ T5327]  ? __pfx_populate_vma_page_range+0x10/0x10
[ 70.259655][ T5327]  ? do_mmap+0x6b6/0xc20
[ 70.263874][ T5327]  __mm_populate+0x21c/0x380
[ 70.268467][ T5327]  ? __pfx___mm_populate+0x10/0x10
[ 70.273564][ T5327]  __se_sys_remap_file_pages+0x681/0x850
[ 70.279446][ T5327]  ? __pfx___se_sys_remap_file_pages+0x10/0x10
[ 70.285587][ T5327]  ? __pfx___se_sys_rt_sigprocmask+0x10/0x10
[ 70.291565][ T5327]  do_syscall_64+0x8d/0x170
[ 70.296507][ T5327]  ? clear_bhb_loop+0x55/0xb0
[ 70.301270][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.307251][ T5327] RIP: 0033:0x7f7fdb67cf69
[ 70.311646][ T5327] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 70.331580][ T5327] RSP: 002b:00007f7fdc4790c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d8
[ 70.340311][ T5327] RAX: ffffffffffffffda RBX: 00007f7fdb7b4050 RCX: 00007f7fdb67cf69
[ 70.348317][ T5327] RDX: 0000000000000000 RSI: 0000000000200000 RDI: 00000000202ec000
[ 70.356295][ T5327] RBP: 00007f7fdb6da6fe R08: 0000000000000000 R09: 0000000000000000
[ 70.364250][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.372329][ T5327] R13: 0000000000000006 R14: 00007f7fdb7b4050 R15: 00007ffdd5234cb8
[ 70.380293][ T5327]
[ 70.383314][ T5327]
[ 70.385612][ T5327] Allocated by task 4924:
[ 70.389934][ T5327]  kasan_save_track+0x3f/0x80
[ 70.394595][ T5327]  __kasan_slab_alloc+0x66/0x80
[ 70.399474][ T5327]  kmem_cache_alloc_noprof+0x12b/0x350
[ 70.405024][ T5327]  vm_area_dup+0x5b/0x160
[ 70.409358][ T5327]  __split_vma+0xfe/0xa30
[ 70.413671][ T5327]  do_vmi_align_munmap+0x32a/0x13c0
[ 70.419016][ T5327]  do_vmi_munmap+0x1c4/0x230
[ 70.423601][ T5327]  mmap_region+0x607/0x19a0
[ 70.428084][ T5327]  do_mmap+0x6b6/0xc20
[ 70.432124][ T5327]  vm_mmap_pgoff+0x1aa/0x320
[ 70.436682][ T5327]  ksys_mmap_pgoff+0x2d2/0x3f0
[ 70.441453][ T5327]  do_syscall_64+0x8d/0x170
[ 70.445927][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.451792][ T5327]
[ 70.454091][ T5327] Freed by task 4924:
[ 70.458038][ T5327]  kasan_save_track+0x3f/0x80
[ 70.462693][ T5327]  kasan_save_free_info+0x40/0x50
[ 70.467775][ T5327]  poison_slab_object+0xe0/0x150
[ 70.472703][ T5327]  __kasan_slab_free+0x37/0x60
[ 70.477453][ T5327]  kmem_cache_free+0x12c/0x3b0
[ 70.482198][ T5327]  __vm_area_free+0x66/0x80
[ 70.486675][ T5327]  exit_mmap+0x51d/0x950
[ 70.490987][ T5327]  __mmput+0x9b/0x2d0
[ 70.495047][ T5327]  exit_mm+0x114/0x1b0
[ 70.499156][ T5327]  do_exit+0x7d5/0x2550
[ 70.503293][ T5327]  do_group_exit+0x1ba/0x280
[ 70.508146][ T5327]  __x64_sys_exit_group+0x3f/0x40
[ 70.513149][ T5327]  do_syscall_64+0x8d/0x170
[ 70.517744][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.523650][ T5327]
[ 70.526051][ T5327] The buggy address belongs to the object at ffff88807d3e6000
[ 70.526051][ T5327]  which belongs to the cache vma_lock of size 152
[ 70.540180][ T5327] The buggy address is located 0 bytes inside of
[ 70.540180][ T5327]  freed 152-byte region [ffff88807d3e6000, ffff88807d3e6098)
[ 70.553905][ T5327]
[ 70.556236][ T5327] The buggy address belongs to the physical page:
[ 70.562631][ T5327] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807d3e6798 pfn:0x7d3e6
[ 70.572841][ T5327] memcg:ffff8880158d5801
[ 70.577343][ T5327] flags: 0xfff00000000200(workingset|node=0|zone=1|lastcpupid=0x7ff)
[ 70.585509][ T5327] page_type: 0xfdffffff(slab)
[ 70.590168][ T5327] raw: 00fff00000000200 ffff88800a2dbc80 ffffea00005c8d50 ffffea0001f3e210
[ 70.598719][ T5327] raw: ffff88807d3e6798 0000000000120005 00000001fdffffff ffff8880158d5801
[ 70.607278][ T5327] page dumped because: kasan: bad access detected
[ 70.613765][ T5327] page_owner tracks the page as allocated
[ 70.619463][ T5327] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1968, tgid 1968 (modprobe), ts 27069492018, free_ts 27069464461
[ 70.638364][ T5327]  post_alloc_hook+0x10f/0x130
[ 70.643371][ T5327]  get_page_from_freelist+0x2c3f/0x2cf0
[ 70.648890][ T5327]  __alloc_pages_noprof+0x256/0x670
[ 70.654153][ T5327]  alloc_slab_page+0x5f/0x120
[ 70.658810][ T5327]  allocate_slab+0x5d/0x290
[ 70.663375][ T5327]  ___slab_alloc+0xa7f/0x11d0
[ 70.668130][ T5327]  kmem_cache_alloc_noprof+0x1eb/0x350
[ 70.673567][ T5327]  vm_area_alloc+0x109/0x1c0
[ 70.678128][ T5327]  mmap_region+0xa36/0x19a0
[ 70.682637][ T5327]  do_mmap+0x6b6/0xc20
[ 70.686712][ T5327]  vm_mmap_pgoff+0x1aa/0x320
[ 70.691301][ T5327]  elf_load+0x11d/0x520
[ 70.695546][ T5327]  load_elf_binary+0xd99/0x2390
[ 70.700372][ T5327]  bprm_execve+0x891/0x12f0
[ 70.704866][ T5327]  kernel_execve+0x532/0x610
[ 70.709430][ T5327]  call_usermodehelper_exec_async+0x204/0x320
[ 70.715828][ T5327] page last free pid 1968 tgid 1968 stack trace:
[ 70.722125][ T5327]  free_unref_folios+0xd99/0x16d0
[ 70.727144][ T5327]  folios_put_refs+0x4cc/0x5b0
[ 70.732077][ T5327]  free_pages_and_swap_cache+0x415/0x4e0
[ 70.737688][ T5327]  tlb_flush_mmu+0x2ad/0x4e0
[ 70.742279][ T5327]  tlb_finish_mmu+0xb6/0x1c0
[ 70.746935][ T5327]  setup_arg_pages+0xb44/0xda0
[ 70.751683][ T5327]  load_elf_binary+0xa59/0x2390
[ 70.756508][ T5327]  bprm_execve+0x891/0x12f0
[ 70.761004][ T5327]  kernel_execve+0x532/0x610
[ 70.765658][ T5327]  call_usermodehelper_exec_async+0x204/0x320
[ 70.772004][ T5327]  ret_from_fork+0x32/0x60
[ 70.776456][ T5327]  ret_from_fork_asm+0x1a/0x30
[ 70.781207][ T5327]
[ 70.783541][ T5327] Memory state around the buggy address:
[ 70.789252][ T5327]  ffff88807d3e5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.797490][ T5327]  ffff88807d3e5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.805789][ T5327] >ffff88807d3e6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.814194][ T5327]                    ^
[ 70.818330][ T5327]  ffff88807d3e6080: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb
[ 70.826392][ T5327]  ffff88807d3e6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 70.834454][ T5327] ==================================================================
[ 70.842944][ T5327] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.850440][ T5327] Kernel Offset: disabled
[ 70.854749][ T5327] Rebooting in 86400 seconds..
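Triage pass over the report above, as an added example (not syzkaller's own tooling and not part of the original log). It pulls out what a first look at a KASAN report needs: the bug class and faulting function, the access kind and size, the slab cache the object came from, and the first non-instrumentation frame of the allocation and free stacks. It also decodes the register dump into the syscall that was executing, on the stated assumption that this is an x86_64 kernel (the entry_SYSCALL_64 frame suggests it): the number is in ORIG_RAX and the arguments in RDI, RSI, RDX, R10, R8, R9, with only a handful of syscall numbers tabled. The sample input is a constructed subset of the lines from the report above; nothing about the bug beyond what the log states is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report on this page, trimmed to the
# parts a triage pass needs (most "?" frames and the page-owner section dropped).
SAMPLE_REPORT = """\
[ 70.054246][ T5327] BUG: KASAN: slab-use-after-free in finish_fault+0x8b9/0xe90
[ 70.061733][ T5327] Read of size 8 at addr ffff88807d3e6000 by task syz-executor.4/5327
[ 70.090934][ T5327] Call Trace:
[ 70.137523][ T5327] ? finish_fault+0x8b9/0xe90
[ 70.142294][ T5327] kasan_report+0x143/0x180
[ 70.151645][ T5327] finish_fault+0x8b9/0xe90
[ 70.227944][ T5327] handle_mm_fault+0x122/0x470
[ 70.263874][ T5327] __mm_populate+0x21c/0x380
[ 70.273564][ T5327] __se_sys_remap_file_pages+0x681/0x850
[ 70.331580][ T5327] RSP: 002b:00007f7fdc4790c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d8
[ 70.348317][ T5327] RDX: 0000000000000000 RSI: 0000000000200000 RDI: 00000000202ec000
[ 70.356295][ T5327] RBP: 00007f7fdb6da6fe R08: 0000000000000000 R09: 0000000000000000
[ 70.364250][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.385612][ T5327] Allocated by task 4924:
[ 70.389934][ T5327] kasan_save_track+0x3f/0x80
[ 70.394595][ T5327] __kasan_slab_alloc+0x66/0x80
[ 70.399474][ T5327] kmem_cache_alloc_noprof+0x12b/0x350
[ 70.405024][ T5327] vm_area_dup+0x5b/0x160
[ 70.454091][ T5327] Freed by task 4924:
[ 70.458038][ T5327] kasan_save_track+0x3f/0x80
[ 70.467775][ T5327] poison_slab_object+0xe0/0x150
[ 70.472703][ T5327] __kasan_slab_free+0x37/0x60
[ 70.477453][ T5327] kmem_cache_free+0x12c/0x3b0
[ 70.482198][ T5327] __vm_area_free+0x66/0x80
[ 70.526051][ T5327] which belongs to the cache vma_lock of size 152
[ 70.540180][ T5327] The buggy address is located 0 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")  # dmesg "[ secs][ Tpid] " prefix
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG = re.compile(r"\b(ORIG_RAX|R[A-Z]{2}|R\d{1,2}):\s*([0-9a-f]{16})\b")
# Instrumentation and allocator frames that never name the real alloc/free site.
NOISE = re.compile(r"^(__)?(kasan_|kmem_cache_|poison_slab_object|k[mz]alloc|kfree)")
# x86_64 syscall ABI (assumption: x86_64 kernel): number in ORIG_RAX, args in RDI..R9.
ARG_REGS = ("RDI", "RSI", "RDX", "R10", "R08", "R09")
SYSCALLS = {9: "mmap", 11: "munmap", 216: "remap_file_pages", 231: "exit_group"}  # partial
ARG_NAMES = {"remap_file_pages": ("start", "size", "prot", "pgoff", "flags")}


@dataclass
class Triage:
    bug: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    object_size: int = 0
    offset: int = -1
    stacks: dict = field(default_factory=dict)  # section name -> reliable frames
    regs: dict = field(default_factory=dict)

    def first_real_frame(self, section):
        """First frame of a stack that is not KASAN/allocator plumbing."""
        return next((f for f in self.stacks.get(section, []) if not NOISE.match(f)), None)

    def syscall(self):
        """(name, {arg: value}) of the syscall that was executing at the crash."""
        nr = self.regs.get("ORIG_RAX")
        if nr is None:
            return None
        name = SYSCALLS.get(nr, f"syscall_{nr}")
        names = ARG_NAMES.get(name, tuple(f"arg{i}" for i in range(6)))
        return name, {n: self.regs[r] for n, r in zip(names, ARG_REGS) if r in self.regs}


def parse_kasan_report(text):
    t, section = Triage(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            t.bug, t.site = m.group(1), m.group(2).split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            t.access, t.size = m.group(1), int(m.group(2))
            t.addr, t.task = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"(Call Trace|Allocated by task \d+|Freed by task \d+):$", line):
            section = m.group(1)
            t.stacks[section] = []
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            t.cache, t.object_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            t.offset = int(m.group(1))
        elif section and (m := FRAME.match(line)):
            if not m.group(1):  # "? " frames are stale stack slots, not the call path
                t.stacks[section].append(m.group(2))
        else:
            for reg, val in REG.findall(line):
                t.regs[reg] = int(val, 16)
    return t


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(r.bug, "in", r.site, "|", r.cache, "| alloc", r.first_real_frame("Allocated by task 4924"),
          "| free", r.first_real_frame("Freed by task 4924"), "|", r.syscall())
```

Run against the report above this yields: a slab-use-after-free read of 8 bytes in finish_fault on a vma_lock object, allocated by vm_area_dup and freed by __vm_area_free in task 4924, hit by task 5327 inside remap_file_pages(start=0x202ec000, size=0x200000, prot=0, pgoff=0, flags=0); ORIG_RAX 0xd8 is 216, which is remap_file_pages on x86_64 and matches the deprecation warning earlier in the log. Two caveats when reading such reports: frames prefixed with "?" are guesses from stale stack slots and are dropped here for that reason, and the "Kernel panic" at the end is a consequence of panic_on_warn being set on the fuzzing kernel, not a statement about the bug's own impact.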