./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor374400501
<...>
DUID 00:04:e3:a1:4c:5b:a4:47:39:93:9a:5d:f6:69:14:97:a9:57
forked to background, child pid 3188
[ 23.181379][ T3189] 8021q: adding VLAN 0 to HW filter on device bond0
[ 23.190286][ T3189] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
execve("./syz-executor374400501", ["./syz-executor374400501"], 0x7ffcefe96d00 /* 10 vars */) = 0
brk(NULL) = 0x555555aad000
brk(0x555555aadc40) = 0x555555aadc40
arch_prctl(ARCH_SET_FS, 0x555555aad300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor374400501", 4096) = 27
brk(0x555555acec40) = 0x555555acec40
brk(0x555555acf000) = 0x555555acf000
mprotect(0x7f10ee645000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
io_uring_setup(25248, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|0x1000, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 3
mmap(0x20000000, 1179968, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 3, 0) = 0x20000000
mmap(0x20000000, 2097088, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 3, 0x10000000) = 0x20000000
syzkaller login: [ 39.876547][ T3609] ==================================================================
[ 39.884656][ T3609] BUG: KASAN: double-free in __kmem_cache_free+0xab/0x3b0
[ 39.891800][ T3609] Free of addr ffff88801e642000 by task syz-executor374/3609
[ 39.899160][ T3609]
[ 39.901476][ T3609] CPU: 0 PID: 3609 Comm: syz-executor374 Not tainted 6.0.0-rc6-next-20220923-syzkaller #0
[ 39.911377][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 39.921427][ T3609] Call Trace:
[ 39.924704][ T3609]
[ 39.927636][ T3609] dump_stack_lvl+0xcd/0x134
[ 39.932243][ T3609] print_report+0x15e/0x45d
[ 39.936754][ T3609] ? __phys_addr+0xc4/0x140
[ 39.941259][ T3609] ? __kmem_cache_free+0xab/0x3b0
[ 39.946298][ T3609] ? __kmem_cache_free+0xab/0x3b0
[ 39.951334][ T3609] kasan_report_invalid_free+0x97/0x1b0
[ 39.956897][ T3609] ? __kmem_cache_free+0xab/0x3b0
[ 39.961949][ T3609] ____kasan_slab_free+0x185/0x1c0
[ 39.967076][ T3609] slab_free_freelist_hook+0x8b/0x1c0
[ 39.972460][ T3609] ? io_clean_op+0x581/0xb10
[ 39.977059][ T3609] __kmem_cache_free+0xab/0x3b0
[ 39.981927][ T3609] ? io_recv+0x1100/0x1100
[ 39.986348][ T3609] io_clean_op+0x581/0xb10
[ 39.990786][ T3609] io_free_batch_list+0x46f/0x7e0
[ 39.995824][ T3609] __io_submit_flush_completions+0x22b/0x2e0
[ 40.001819][ T3609] ctx_flush_and_put+0xdf/0x1b0
[ 40.006686][ T3609] tctx_task_work+0x153/0x4a0
[ 40.011371][ T3609] ? handle_tw_list+0x420/0x420
[ 40.016236][ T3609] ? lock_downgrade+0x6e0/0x6e0
[ 40.021088][ T3609] ? do_raw_spin_lock+0x120/0x2a0
[ 40.026123][ T3609] ? rwlock_bug.part.0+0x90/0x90
[ 40.031065][ T3609] ? ptrace_stop.part.0+0x5f4/0x8c0
[ 40.036273][ T3609] task_work_run+0x16b/0x270
[ 40.040878][ T3609] ? task_work_cancel+0x30/0x30
[ 40.045747][ T3609] ptrace_notify+0x114/0x140
[ 40.050344][ T3609] syscall_exit_to_user_mode_prepare+0x129/0x280
[ 40.056682][ T3609] syscall_exit_to_user_mode+0x9/0x50
[ 40.062063][ T3609] do_syscall_64+0x42/0xb0
[ 40.066484][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 40.072392][ T3609] RIP: 0033:0x7f10ee5d8bb9
[ 40.076807][ T3609] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 40.096415][ T3609] RSP: 002b:00007fff7120f998 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 40.104834][ T3609] RAX: 00000000000040b2 RBX: 0000000000000003 RCX: 00007f10ee5d8bb9
[ 40.112809][ T3609] RDX: 0000000000000000 RSI: 00000000000040b2 RDI: 0000000000000003
[ 40.120780][ T3609] RBP: 00007f10ee59cd60 R08: 0000000020000000 R09: 0000000000000008
[ 40.128751][ T3609] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10ee59cdf0
[ 40.136723][ T3609] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 40.144702][ T3609]
[ 40.147715][ T3609]
[ 40.150029][ T3609] Allocated by task 3609:
[ 40.154347][ T3609] kasan_save_stack+0x1e/0x40
[ 40.159037][ T3609] kasan_set_track+0x21/0x30
[ 40.163641][ T3609] __kasan_kmalloc+0xa1/0xb0
[ 40.168241][ T3609] __kmalloc+0x54/0xc0
[ 40.172316][ T3609] io_alloc_async_data+0x9b/0x160
[ 40.177349][ T3609] io_sendmsg_prep_async+0x19b/0x3c0
[ 40.182634][ T3609] io_req_prep_async+0x1d9/0x300
[ 40.187581][ T3609] io_submit_sqes+0xfcd/0x1df0
[ 40.192355][ T3609] __do_sys_io_uring_enter+0xac6/0x2410
[ 40.197909][ T3609] do_syscall_64+0x35/0xb0
[ 40.202325][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 40.208232][ T3609]
[ 40.210547][ T3609] Freed by task 3609:
[ 40.214517][ T3609] kasan_save_stack+0x1e/0x40
[ 40.219246][ T3609] kasan_set_track+0x21/0x30
[ 40.223855][ T3609] kasan_save_free_info+0x2a/0x40
[ 40.228893][ T3609] ____kasan_slab_free+0x160/0x1c0
[ 40.234043][ T3609] slab_free_freelist_hook+0x8b/0x1c0
[ 40.239435][ T3609] __kmem_cache_free+0xab/0x3b0
[ 40.244299][ T3609] io_send_zc_cleanup+0x133/0x180
[ 40.249336][ T3609] io_clean_op+0xf4/0xb10
[ 40.253680][ T3609] io_free_batch_list+0x46f/0x7e0
[ 40.258718][ T3609] __io_submit_flush_completions+0x22b/0x2e0
[ 40.264711][ T3609] ctx_flush_and_put+0xdf/0x1b0
[ 40.269583][ T3609] tctx_task_work+0x153/0x4a0
[ 40.274270][ T3609] task_work_run+0x16b/0x270
[ 40.278875][ T3609] ptrace_notify+0x114/0x140
[ 40.283474][ T3609] syscall_exit_to_user_mode_prepare+0x129/0x280
[ 40.289831][ T3609] syscall_exit_to_user_mode+0x9/0x50
[ 40.295216][ T3609] do_syscall_64+0x42/0xb0
[ 40.299639][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 40.305554][ T3609]
[ 40.307882][ T3609] The buggy address belongs to the object at ffff88801e642000
[ 40.307882][ T3609] which belongs to the cache kmalloc-512 of size 512
[ 40.321931][ T3609] The buggy address is located 0 bytes inside of
[ 40.321931][ T3609] 512-byte region [ffff88801e642000, ffff88801e642200)
[ 40.335031][ T3609]
[ 40.337346][ T3609] The buggy address belongs to the physical page:
[ 40.343745][ T3609] page:ffffea0000799000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e640
[ 40.353907][ T3609] head:ffffea0000799000 order:2 compound_mapcount:0 compound_pincount:0
[ 40.362225][ T3609] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 40.370211][ T3609] raw: 00fff00000010200 ffff888011841c80 dead000000100010 0000000000000000
[ 40.378793][ T3609] raw: 0000000000000000 dead000000000001 00000001ffffffff 0000000000000000
[ 40.387380][ T3609] page dumped because: kasan: bad access detected
[ 40.393790][ T3609] page_owner tracks the page as allocated
[ 40.399495][ T3609] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 7630490778, free_ts 0
[ 40.417053][ T3609] get_page_from_freelist+0x1092/0x2d20
[ 40.422609][ T3609] __alloc_pages+0x1c7/0x5a0
[ 40.427204][ T3609] alloc_page_interleave+0x1e/0x200
[ 40.432414][ T3609] alloc_pages+0x22f/0x270
[ 40.436842][ T3609] allocate_slab+0x213/0x300
[ 40.441441][ T3609] ___slab_alloc+0xac1/0x1430
[ 40.446129][ T3609] __slab_alloc.constprop.0+0x4d/0xa0
[ 40.451509][ T3609] __kmem_cache_alloc_node+0x18a/0x3d0
[ 40.456979][ T3609] kmalloc_node_trace+0x1d/0x60
[ 40.461839][ T3609] iolatency_pd_alloc+0xc1/0x1c0
[ 40.467054][ T3609] blkcg_activate_policy+0x1e4/0xba0
[ 40.472356][ T3609] blk_iolatency_init+0x290/0x5e0
[ 40.477392][ T3609] blkcg_init_queue+0x17d/0x620
[ 40.482273][ T3609] __alloc_disk_node+0x29d/0x650
[ 40.487232][ T3609] __blk_alloc_disk+0x35/0x90
[ 40.491922][ T3609] brd_alloc.part.0+0x281/0x760
[ 40.496791][ T3609] page_owner free stack trace missing
[ 40.502158][ T3609]
[ 40.504485][ T3609] Memory state around the buggy address:
[ 40.510117][ T3609] ffff88801e641f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.518188][ T3609] ffff88801e641f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.526267][ T3609] >ffff88801e642000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.534324][ T3609] ^
[ 40.538387][ T3609] ffff88801e642080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.546459][ T3609] ffff88801e642100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.554515][ T3609] ==================================================================
[ 40.562712][ T3609] Kernel panic - not syncing: panic_on_warn set ...
[ 40.569309][ T3609] CPU: 1 PID: 3609 Comm: syz-executor374 Not tainted 6.0.0-rc6-next-20220923-syzkaller #0
[ 40.579199][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 40.589252][ T3609] Call Trace:
[ 40.592526][ T3609]
[ 40.595467][ T3609] dump_stack_lvl+0xcd/0x134
[ 40.600115][ T3609] panic+0x2c8/0x622
[ 40.604033][ T3609] ? panic_print_sys_info.part.0+0x110/0x110
[ 40.610038][ T3609] ? preempt_schedule_common+0x59/0xc0
[ 40.615513][ T3609] ? preempt_schedule_thunk+0x16/0x18
[ 40.620909][ T3609] ? __kmem_cache_free+0xab/0x3b0
[ 40.625949][ T3609] ? __kmem_cache_free+0xab/0x3b0
[ 40.630990][ T3609] end_report.part.0+0x3f/0x7c
[ 40.635766][ T3609] kasan_report_invalid_free.cold+0x8/0xd
[ 40.641494][ T3609] ? __kmem_cache_free+0xab/0x3b0
[ 40.646541][ T3609] ____kasan_slab_free+0x185/0x1c0
[ 40.651668][ T3609] slab_free_freelist_hook+0x8b/0x1c0
[ 40.657136][ T3609] ? io_clean_op+0x581/0xb10
[ 40.661734][ T3609] __kmem_cache_free+0xab/0x3b0
[ 40.666599][ T3609] ? io_recv+0x1100/0x1100
[ 40.671028][ T3609] io_clean_op+0x581/0xb10
[ 40.675454][ T3609] io_free_batch_list+0x46f/0x7e0
[ 40.680489][ T3609] __io_submit_flush_completions+0x22b/0x2e0
[ 40.686484][ T3609] ctx_flush_and_put+0xdf/0x1b0
[ 40.691347][ T3609] tctx_task_work+0x153/0x4a0
[ 40.696035][ T3609] ? handle_tw_list+0x420/0x420
[ 40.700895][ T3609] ? lock_downgrade+0x6e0/0x6e0
[ 40.705748][ T3609] ? do_raw_spin_lock+0x120/0x2a0
[ 40.710778][ T3609] ? rwlock_bug.part.0+0x90/0x90
[ 40.715721][ T3609] ? ptrace_stop.part.0+0x5f4/0x8c0
[ 40.720925][ T3609] task_work_run+0x16b/0x270
[ 40.725527][ T3609] ? task_work_cancel+0x30/0x30
[ 40.730396][ T3609] ptrace_notify+0x114/0x140
[ 40.734990][ T3609] syscall_exit_to_user_mode_prepare+0x129/0x280
[ 40.741327][ T3609] syscall_exit_to_user_mode+0x9/0x50
[ 40.746710][ T3609] do_syscall_64+0x42/0xb0
[ 40.751127][ T3609] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 40.757038][ T3609] RIP: 0033:0x7f10ee5d8bb9
[ 40.761452][ T3609] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 40.781059][ T3609] RSP: 002b:00007fff7120f998 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 40.789473][ T3609] RAX: 00000000000040b2 RBX: 0000000000000003 RCX: 00007f10ee5d8bb9
[ 40.797452][ T3609] RDX: 0000000000000000 RSI: 00000000000040b2 RDI: 0000000000000003
[ 40.805434][ T3609] RBP: 00007f10ee59cd60 R08: 0000000020000000 R09: 0000000000000008
[ 40.813422][ T3609] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10ee59cdf0
[ 40.821397][ T3609] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 40.829378][ T3609]
[ 40.832579][ T3609] Kernel Offset: disabled
[ 40.836911][ T3609] Rebooting in 86400 seconds..