./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor672878993 <...> Warning: Permanently added '10.128.0.189' (ED25519) to the list of known hosts. execve("./syz-executor672878993", ["./syz-executor672878993"], 0x7ffcf0db49f0 /* 10 vars */) = 0 brk(NULL) = 0x55555a1a3000 brk(0x55555a1a3d00) = 0x55555a1a3d00 arch_prctl(ARCH_SET_FS, 0x55555a1a3380) = 0 set_tid_address(0x55555a1a3650) = 5841 set_robust_list(0x55555a1a3660, 24) = 0 rseq(0x55555a1a3ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor672878993", 4096) = 27 getrandom("\xe3\x7a\x16\x4d\x59\x55\xbc\xa4", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555a1a3d00 brk(0x55555a1c4d00) = 0x55555a1c4d00 brk(0x55555a1c5000) = 0x55555a1c5000 mprotect(0x7f7586d4f000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5842 attached [pid 5842] set_robust_list(0x55555a1a3660, 24 [pid 5841] <... clone resumed>, child_tidptr=0x55555a1a3650) = 5842 [pid 5842] <... set_robust_list resumed>) = 0 [pid 5842] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5842] setpgid(0, 0) = 0 [pid 5842] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5842] write(3, "1000", 4) = 4 [pid 5842] close(3) = 0 [pid 5842] write(1, "executing program\n", 18executing program ) = 18 [pid 5842] prlimit64(0, RLIMIT_RTPRIO, {rlim_cur=8, rlim_max=8589934731}, NULL) = 0 [pid 5842] sched_setscheduler(0, SCHED_FIFO, [7]) = 0 [pid 5842] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=8, max_entries=1, map_flags=BPF_F_RDONLY_PROG, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=0, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80) = 3 [pid 5842] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_RINGBUF, key_size=0, value_size=0, max_entries=262144, map_flags=0, inner_map_fd=0, map_name="", map_ifindex=0, btf_fd=0, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80) = 4 [ 89.106008][ T5842] ================================================================== [ 89.114150][ T5842] BUG: KASAN: slab-use-after-free in do_check+0xb388/0xe170 [ 89.121496][ T5842] Read of size 1 at addr ffff88801deeef79 by task syz-executor672/5842 [ 89.129736][ T5842] [ 89.132080][ T5842] CPU: 1 UID: 0 PID: 5842 Comm: syz-executor672 Not tainted 6.16.0-rc1-next-20250611-syzkaller #0 PREEMPT(full) [ 89.132117][ T5842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 89.132133][ T5842] Call Trace: [ 89.132140][ T5842] [ 89.132148][ T5842] dump_stack_lvl+0x189/0x250 [ 89.132165][ T5842] ? __virt_addr_valid+0x1c8/0x5c0 [ 89.132183][ T5842] ? rcu_is_watching+0x15/0xb0 [ 89.132207][ T5842] ? __kasan_check_byte+0x12/0x40 [ 89.132222][ T5842] ? __pfx_dump_stack_lvl+0x10/0x10 [ 89.132234][ T5842] ? rcu_is_watching+0x15/0xb0 [ 89.132247][ T5842] ? lock_release+0x4b/0x3e0 [ 89.132269][ T5842] ? __virt_addr_valid+0x1c8/0x5c0 [ 89.132301][ T5842] ? __virt_addr_valid+0x4a5/0x5c0 [ 89.132317][ T5842] print_report+0xd2/0x2b0 [ 89.132338][ T5842] ? do_check+0xb388/0xe170 [ 89.132357][ T5842] kasan_report+0x118/0x150 [ 89.132371][ T5842] ? kvrealloc_noprof+0x60/0xe0 [ 89.132398][ T5842] ? do_check+0xb388/0xe170 [ 89.132420][ T5842] do_check+0xb388/0xe170 [ 89.132456][ T5842] ? stack_depot_save_flags+0x429/0x900 [ 89.132518][ T5842] ? __pfx_do_check+0x10/0x10 [ 89.132536][ T5842] ? __asan_memset+0x22/0x50 [ 89.132556][ T5842] ? init_func_state+0x1ddf/0x2d20 [ 89.132579][ T5842] do_check_common+0x168d/0x20b0 [ 89.132605][ T5842] bpf_check+0x1381e/0x19e50 [ 89.132626][ T5842] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 89.132649][ T5842] ? __lock_acquire+0xab9/0xd20 [ 89.132672][ T5842] ? do_raw_spin_lock+0x121/0x290 [ 89.132692][ T5842] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 89.132714][ T5842] ? __free_frozen_pages+0x76a/0xe70 [ 89.132737][ T5842] ? __pfx_bpf_check+0x10/0x10 [ 89.132755][ T5842] ? __lock_acquire+0xab9/0xd20 [ 89.132780][ T5842] ? __pfx___mutex_trylock_common+0x10/0x10 [ 89.132796][ T5842] ? pcpu_block_update+0x437/0x8d0 [ 89.132817][ T5842] ? __lock_acquire+0xab9/0xd20 [ 89.132840][ T5842] ? ktime_get_with_offset+0x8c/0x2a0 [ 89.132859][ T5842] ? seqcount_lockdep_reader_access+0x123/0x1c0 [ 89.132875][ T5842] ? lockdep_hardirqs_on+0x9c/0x150 [ 89.132893][ T5842] ? ktime_get_with_offset+0x8c/0x2a0 [ 89.132907][ T5842] ? seqcount_lockdep_reader_access+0x175/0x1c0 [ 89.132928][ T5842] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10 [ 89.132949][ T5842] ? bpf_obj_name_cpy+0x194/0x1e0 [ 89.132963][ T5842] ? bpf_lsm_bpf_prog_load+0x9/0x20 [ 89.132976][ T5842] ? security_bpf_prog_load+0x7f/0x310 [ 89.132996][ T5842] bpf_prog_load+0x1318/0x1930 [ 89.133020][ T5842] ? __pfx_bpf_prog_load+0x10/0x10 [ 89.133048][ T5842] ? bpf_lsm_bpf+0x9/0x20 [ 89.133059][ T5842] ? security_bpf+0x7e/0x300 [ 89.133076][ T5842] __sys_bpf+0x5f1/0x860 [ 89.133096][ T5842] ? __pfx___sys_bpf+0x10/0x10 [ 89.133122][ T5842] ? rcu_is_watching+0x15/0xb0 [ 89.133136][ T5842] __x64_sys_bpf+0x7c/0x90 [ 89.133154][ T5842] do_syscall_64+0xfa/0x3b0 [ 89.133174][ T5842] ? lockdep_hardirqs_on+0x9c/0x150 [ 89.133211][ T5842] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.133226][ T5842] ? clear_bhb_loop+0x60/0xb0 [ 89.133250][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.133265][ T5842] RIP: 0033:0x7f7586cdbeb9 [ 89.133283][ T5842] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 89.133297][ T5842] RSP: 002b:00007ffc2e683128 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 89.133314][ T5842] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7586cdbeb9 [ 89.133325][ T5842] RDX: 0000000000000094 RSI: 0000200000000840 RDI: 0000000000000005 [ 89.133335][ T5842] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006 [ 89.133344][ T5842] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 89.133353][ T5842] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 [ 89.133369][ T5842] [ 89.133374][ T5842] [ 89.505537][ T5842] Allocated by task 5842: [ 89.509861][ T5842] kasan_save_track+0x3e/0x80 [ 89.514569][ T5842] __kasan_kmalloc+0x93/0xb0 [ 89.519164][ T5842] __kmalloc_cache_noprof+0x230/0x3d0 [ 89.524538][ T5842] do_check_common+0x13f/0x20b0 [ 89.529388][ T5842] bpf_check+0x1381e/0x19e50 [ 89.533979][ T5842] bpf_prog_load+0x1318/0x1930 [ 89.538751][ T5842] __sys_bpf+0x5f1/0x860 [ 89.543020][ T5842] __x64_sys_bpf+0x7c/0x90 [ 89.547438][ T5842] do_syscall_64+0xfa/0x3b0 [ 89.551953][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.557845][ T5842] [ 89.560185][ T5842] Freed by task 5842: [ 89.564178][ T5842] kasan_save_track+0x3e/0x80 [ 89.568865][ T5842] kasan_save_free_info+0x46/0x50 [ 89.573897][ T5842] __kasan_slab_free+0x62/0x70 [ 89.578656][ T5842] kfree+0x18e/0x440 [ 89.582559][ T5842] push_stack+0x247/0x3c0 [ 89.586926][ T5842] check_cond_jmp_op+0x1069/0x2340 [ 89.592070][ T5842] do_check+0x672c/0xe170 [ 89.596406][ T5842] do_check_common+0x168d/0x20b0 [ 89.601376][ T5842] bpf_check+0x1381e/0x19e50 [ 89.605966][ T5842] bpf_prog_load+0x1318/0x1930 [ 89.610735][ T5842] __sys_bpf+0x5f1/0x860 [ 89.614983][ T5842] __x64_sys_bpf+0x7c/0x90 [ 89.619426][ T5842] do_syscall_64+0xfa/0x3b0 [ 89.623936][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.629832][ T5842] [ 89.632166][ T5842] The buggy address belongs to the object at ffff88801deeef00 [ 89.632166][ T5842] which belongs to the cache kmalloc-192 of size 192 [ 89.646218][ T5842] The buggy address is located 121 bytes inside of [ 89.646218][ T5842] freed 192-byte region [ffff88801deeef00, ffff88801deeefc0) [ 89.660013][ T5842] [ 89.662340][ T5842] The buggy address belongs to the physical page: [ 89.668761][ T5842] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1deee [ 89.677524][ T5842] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 89.684641][ T5842] page_type: f5(slab) [ 89.688625][ T5842] raw: 00fff00000000000 ffff88801a4413c0 ffffea00006fca40 dead000000000004 [ 89.697213][ T5842] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 89.705791][ T5842] page dumped because: kasan: bad access detected [ 89.712206][ T5842] page_owner tracks the page as allocated [ 89.717920][ T5842] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 2954361175, free_ts 2954343552 [ 89.736240][ T5842] post_alloc_hook+0x240/0x2a0 [ 89.741030][ T5842] get_page_from_freelist+0x21e4/0x22c0 [ 89.746583][ T5842] __alloc_frozen_pages_noprof+0x181/0x370 [ 89.752393][ T5842] alloc_pages_mpol+0x232/0x4a0 [ 89.757248][ T5842] allocate_slab+0x8a/0x3b0 [ 89.761773][ T5842] ___slab_alloc+0xbfc/0x1480 [ 89.766454][ T5842] __kmalloc_node_noprof+0x2fd/0x4e0 [ 89.771737][ T5842] __vmalloc_node_range_noprof+0x5a9/0x12f0 [ 89.777631][ T5842] vmalloc_huge_node_noprof+0xb3/0xf0 [ 89.783006][ T5842] alloc_large_system_hash+0x2b8/0x5e0 [ 89.788493][ T5842] posixtimer_init+0x140/0x270 [ 89.793258][ T5842] do_one_initcall+0x233/0x820 [ 89.798022][ T5842] do_initcall_level+0x137/0x1f0 [ 89.802967][ T5842] do_initcalls+0x69/0xd0 [ 89.807304][ T5842] kernel_init_freeable+0x3d9/0x570 [ 89.812509][ T5842] kernel_init+0x1d/0x1d0 [ 89.816837][ T5842] page last free pid 1 tgid 1 stack trace: [ 89.822637][ T5842] __free_frozen_pages+0xc71/0xe70 [ 89.827762][ T5842] kasan_populate_vmalloc+0x18a/0x1a0 [ 89.833151][ T5842] alloc_vmap_area+0xd51/0x1490 [ 89.838001][ T5842] __get_vm_area_node+0x1f8/0x300 [ 89.843025][ T5842] __vmalloc_node_range_noprof+0x301/0x12f0 [ 89.848924][ T5842] vmalloc_huge_node_noprof+0xb3/0xf0 [ 89.854294][ T5842] alloc_large_system_hash+0x2b8/0x5e0 [ 89.859773][ T5842] posixtimer_init+0x140/0x270 [ 89.864541][ T5842] do_one_initcall+0x233/0x820 [ 89.869304][ T5842] do_initcall_level+0x137/0x1f0 [ 89.874245][ T5842] do_initcalls+0x69/0xd0 [ 89.878585][ T5842] kernel_init_freeable+0x3d9/0x570 [ 89.883783][ T5842] kernel_init+0x1d/0x1d0 [ 89.888119][ T5842] ret_from_fork+0x3f9/0x770 [ 89.892726][ T5842] ret_from_fork_asm+0x1a/0x30 [ 89.897488][ T5842] [ 89.899811][ T5842] Memory state around the buggy address: [ 89.905438][ T5842] ffff88801deeee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 89.913496][ T5842] ffff88801deeee80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 89.921550][ T5842] >ffff88801deeef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.929620][ T5842] ^ [ 89.937591][ T5842] ffff88801deeef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 89.945650][ T5842] ffff88801deef000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 89.953703][ T5842] ================================================================== [ 89.961847][ T5842] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 89.969056][ T5842] CPU: 1 UID: 0 PID: 5842 Comm: syz-executor672 Not tainted 6.16.0-rc1-next-20250611-syzkaller #0 PREEMPT(full) [ 89.980993][ T5842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 89.991068][ T5842] Call Trace: [ 89.994364][ T5842] [ 89.997328][ T5842] dump_stack_lvl+0x99/0x250 [ 90.001951][ T5842] ? __asan_memcpy+0x40/0x70 [ 90.006568][ T5842] ? __pfx_dump_stack_lvl+0x10/0x10 [ 90.011783][ T5842] ? __pfx__printk+0x10/0x10 [ 90.016403][ T5842] panic+0x2db/0x790 [ 90.020333][ T5842] ? __pfx_panic+0x10/0x10 [ 90.024789][ T5842] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 90.030717][ T5842] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 90.036640][ T5842] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 90.043016][ T5842] ? print_memory_metadata+0x314/0x400 [ 90.048508][ T5842] ? do_check+0xb388/0xe170 [ 90.053055][ T5842] check_panic_on_warn+0x89/0xb0 [ 90.058041][ T5842] ? do_check+0xb388/0xe170 [ 90.062598][ T5842] end_report+0x78/0x160 [ 90.066873][ T5842] kasan_report+0x129/0x150 [ 90.071407][ T5842] ? kvrealloc_noprof+0x60/0xe0 [ 90.076286][ T5842] ? do_check+0xb388/0xe170 [ 90.080825][ T5842] do_check+0xb388/0xe170 [ 90.085179][ T5842] ? stack_depot_save_flags+0x429/0x900 [ 90.090790][ T5842] ? __pfx_do_check+0x10/0x10 [ 90.095495][ T5842] ? __asan_memset+0x22/0x50 [ 90.100122][ T5842] ? init_func_state+0x1ddf/0x2d20 [ 90.105282][ T5842] do_check_common+0x168d/0x20b0 [ 90.110258][ T5842] bpf_check+0x1381e/0x19e50 [ 90.114881][ T5842] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 90.120798][ T5842] ? __lock_acquire+0xab9/0xd20 [ 90.125674][ T5842] ? do_raw_spin_lock+0x121/0x290 [ 90.130727][ T5842] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 90.136648][ T5842] ? __free_frozen_pages+0x76a/0xe70 [ 90.141990][ T5842] ? __pfx_bpf_check+0x10/0x10 [ 90.146785][ T5842] ? __lock_acquire+0xab9/0xd20 [ 90.151675][ T5842] ? __pfx___mutex_trylock_common+0x10/0x10 [ 90.157598][ T5842] ? pcpu_block_update+0x437/0x8d0 [ 90.162746][ T5842] ? __lock_acquire+0xab9/0xd20 [ 90.167629][ T5842] ? ktime_get_with_offset+0x8c/0x2a0 [ 90.173034][ T5842] ? seqcount_lockdep_reader_access+0x123/0x1c0 [ 90.179310][ T5842] ? lockdep_hardirqs_on+0x9c/0x150 [ 90.184552][ T5842] ? ktime_get_with_offset+0x8c/0x2a0 [ 90.189948][ T5842] ? seqcount_lockdep_reader_access+0x175/0x1c0 [ 90.196219][ T5842] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10 [ 90.202853][ T5842] ? bpf_obj_name_cpy+0x194/0x1e0 [ 90.207910][ T5842] ? bpf_lsm_bpf_prog_load+0x9/0x20 [ 90.213138][ T5842] ? security_bpf_prog_load+0x7f/0x310 [ 90.218642][ T5842] bpf_prog_load+0x1318/0x1930 [ 90.223444][ T5842] ? __pfx_bpf_prog_load+0x10/0x10 [ 90.228598][ T5842] ? bpf_lsm_bpf+0x9/0x20 [ 90.232944][ T5842] ? security_bpf+0x7e/0x300 [ 90.237569][ T5842] __sys_bpf+0x5f1/0x860 [ 90.241846][ T5842] ? __pfx___sys_bpf+0x10/0x10 [ 90.246648][ T5842] ? rcu_is_watching+0x15/0xb0 [ 90.251443][ T5842] __x64_sys_bpf+0x7c/0x90 [ 90.255887][ T5842] do_syscall_64+0xfa/0x3b0 [ 90.260407][ T5842] ? lockdep_hardirqs_on+0x9c/0x150 [ 90.265613][ T5842] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 90.271685][ T5842] ? clear_bhb_loop+0x60/0xb0 [ 90.276368][ T5842] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 90.282262][ T5842] RIP: 0033:0x7f7586cdbeb9 [ 90.286680][ T5842] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 90.306289][ T5842] RSP: 002b:00007ffc2e683128 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 90.314745][ T5842] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7586cdbeb9 [ 90.322719][ T5842] RDX: 0000000000000094 RSI: 0000200000000840 RDI: 0000000000000005 [ 90.330694][ T5842] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006 [ 90.338679][ T5842] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 90.346666][ T5842] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 [ 90.354645][ T5842] [ 90.357959][ T5842] Kernel Offset: disabled [ 90.362290][ T5842] Rebooting in 86400 seconds..