./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1868598263 <...> [ 98.270445][ T979] cfg80211: failed to load regulatory.db Warning: Permanently added '10.128.0.205' (ED25519) to the list of known hosts. execve("./syz-executor1868598263", ["./syz-executor1868598263"], 0x7ffca6ce1750 /* 10 vars */) = 0 brk(NULL) = 0x555575241000 brk(0x555575241d00) = 0x555575241d00 arch_prctl(ARCH_SET_FS, 0x555575241380) = 0 set_tid_address(0x555575241650) = 5873 set_robust_list(0x555575241660, 24) = 0 rseq(0x555575241ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1868598263", 4096) = 28 getrandom("\xc2\xab\xc0\x56\xab\x6c\xf7\xd6", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555575241d00 brk(0x555575262d00) = 0x555575262d00 brk(0x555575263000) = 0x555575263000 mprotect(0x7ff9af72b000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5875 attached , child_tidptr=0x555575241650) = 5875 [pid 5875] set_robust_list(0x555575241660, 24) = 0 [pid 5873] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5875] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5876 attached [pid 5873] <... clone resumed>, child_tidptr=0x555575241650) = 5876 [pid 5873] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5877 attached [pid 5876] set_robust_list(0x555575241660, 24 [pid 5877] set_robust_list(0x555575241660, 24 [pid 5876] <... set_robust_list resumed>) = 0 [pid 5877] <... set_robust_list resumed>) = 0 [pid 5875] <... clone resumed>, child_tidptr=0x555575241650) = 5877 [pid 5877] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5876] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5878 attached [pid 5878] set_robust_list(0x555575241660, 24 [pid 5873] <... clone resumed>, child_tidptr=0x555575241650) = 5878 [pid 5878] <... set_robust_list resumed>) = 0 [pid 5873] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5878] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5877] <... prctl resumed>) = 0 [pid 5873] <... clone resumed>, child_tidptr=0x555575241650) = 5879 ./strace-static-x86_64: Process 5881 attached ./strace-static-x86_64: Process 5880 attached ./strace-static-x86_64: Process 5879 attached [pid 5873] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5877] setpgid(0, 0 [pid 5876] <... clone resumed>, child_tidptr=0x555575241650) = 5880 [pid 5881] set_robust_list(0x555575241660, 24 [pid 5880] set_robust_list(0x555575241660, 24 [pid 5879] set_robust_list(0x555575241660, 24 [pid 5878] <... clone resumed>, child_tidptr=0x555575241650) = 5881 [pid 5877] <... setpgid resumed>) = 0 ./strace-static-x86_64: Process 5882 attached [pid 5881] <... set_robust_list resumed>) = 0 [pid 5880] <... set_robust_list resumed>) = 0 [pid 5879] <... set_robust_list resumed>) = 0 [pid 5877] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5873] <... clone resumed>, child_tidptr=0x555575241650) = 5882 [pid 5882] set_robust_list(0x555575241660, 24 [pid 5881] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5880] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5879] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5882] <... set_robust_list resumed>) = 0 [pid 5880] <... prctl resumed>) = 0 [pid 5882] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5877] <... openat resumed>) = 3 [pid 5880] setpgid(0, 0./strace-static-x86_64: Process 5883 attached ./strace-static-x86_64: Process 5884 attached [pid 5881] <... prctl resumed>) = 0 [pid 5880] <... setpgid resumed>) = 0 [pid 5877] write(3, "1000", 4 [pid 5884] set_robust_list(0x555575241660, 24 [pid 5883] set_robust_list(0x555575241660, 24 [pid 5882] <... clone resumed>, child_tidptr=0x555575241650) = 5883 [pid 5881] setpgid(0, 0 [pid 5880] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5879] <... clone resumed>, child_tidptr=0x555575241650) = 5884 [pid 5884] <... set_robust_list resumed>) = 0 [pid 5883] <... set_robust_list resumed>) = 0 [pid 5881] <... setpgid resumed>) = 0 [pid 5880] <... openat resumed>) = 3 [pid 5877] <... write resumed>) = 4 [pid 5884] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5883] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5881] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5877] close(3 [pid 5883] <... prctl resumed>) = 0 [pid 5884] <... prctl resumed>) = 0 [pid 5883] setpgid(0, 0 [pid 5880] write(3, "1000", 4 [pid 5877] <... close resumed>) = 0 [pid 5883] <... setpgid resumed>) = 0 [pid 5884] setpgid(0, 0 [pid 5881] <... openat resumed>) = 3 [pid 5880] <... write resumed>) = 4 [pid 5877] write(1, "executing program\n", 18 [pid 5884] <... setpgid resumed>) = 0 executing program [pid 5880] close(3 [pid 5877] <... write resumed>) = 18 [pid 5880] <... close resumed>) = 0 [pid 5877] perf_event_open(executing program [pid 5884] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5883] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5881] write(3, "1000", 4 [pid 5880] write(1, "executing program\n", 18 [pid 5883] <... openat resumed>) = 3 [pid 5880] <... write resumed>) = 18 [pid 5884] <... openat resumed>) = 3 [pid 5881] <... write resumed>) = 4 [pid 5884] write(3, "1000", 4 [pid 5883] write(3, "1000", 4 [pid 5881] close(3 [pid 5880] perf_event_open(executing program [pid 5884] <... write resumed>) = 4 [pid 5881] <... close resumed>) = 0 [pid 5877] <... perf_event_open resumed>{type=PERF_TYPE_TRACEPOINT, size=PERF_ATTR_SIZE_VER7, config=330, sample_period=4, sample_type=PERF_SAMPLE_TIME|PERF_SAMPLE_CALLCHAIN|PERF_SAMPLE_STREAM_ID, read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_CLOEXEC) = 3 [pid 5884] close(3 [pid 5883] <... write resumed>) = 4 [pid 5881] write(1, "executing program\n", 18 [pid 5883] close(3 [pid 5880] <... perf_event_open resumed>{type=PERF_TYPE_TRACEPOINT, size=PERF_ATTR_SIZE_VER7, config=330, sample_period=4, sample_type=PERF_SAMPLE_TIME|PERF_SAMPLE_CALLCHAIN|PERF_SAMPLE_STREAM_ID, read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_CLOEXEC) = 3 [pid 5884] <... close resumed>) = 0 [pid 5883] <... close resumed>) = 0 [pid 5880] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_STACK_TRACE, key_size=4, value_size=128, max_entries=4, map_flags=BPF_F_RDONLY|BPF_F_STACK_BUILD_ID, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80 [pid 5884] write(1, "executing program\n", 18executing program executing program [pid 5883] write(1, "executing program\n", 18 [pid 5881] <... write resumed>) = 18 [pid 5877] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_STACK_TRACE, key_size=4, value_size=128, max_entries=4, map_flags=BPF_F_RDONLY|BPF_F_STACK_BUILD_ID, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80 [pid 5884] <... write resumed>) = 18 [pid 5883] <... write resumed>) = 18 [pid 5881] perf_event_open( [pid 5880] <... bpf resumed>) = 4 [pid 5880] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=8, insns=0x200000000080, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 16, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=0x2d /* BPF_??? */, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 148 [pid 5884] perf_event_open( [pid 5883] perf_event_open( [pid 5881] <... perf_event_open resumed>{type=PERF_TYPE_TRACEPOINT, size=PERF_ATTR_SIZE_VER7, config=330, sample_period=4, sample_type=PERF_SAMPLE_TIME|PERF_SAMPLE_CALLCHAIN|PERF_SAMPLE_STREAM_ID, read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_CLOEXEC) = 3 [pid 5884] <... perf_event_open resumed>{type=PERF_TYPE_TRACEPOINT, size=PERF_ATTR_SIZE_VER7, config=330, sample_period=4, sample_type=PERF_SAMPLE_TIME|PERF_SAMPLE_CALLCHAIN|PERF_SAMPLE_STREAM_ID, read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_CLOEXEC) = 3 [pid 5883] <... perf_event_open resumed>{type=PERF_TYPE_TRACEPOINT, size=PERF_ATTR_SIZE_VER7, config=330, sample_period=4, sample_type=PERF_SAMPLE_TIME|PERF_SAMPLE_CALLCHAIN|PERF_SAMPLE_STREAM_ID, read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_CLOEXEC) = 3 [pid 5881] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_STACK_TRACE, key_size=4, value_size=128, max_entries=4, map_flags=BPF_F_RDONLY|BPF_F_STACK_BUILD_ID, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80 [pid 5880] <... bpf resumed>) = 5 [pid 5877] <... bpf resumed>) = 4 [pid 5884] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_STACK_TRACE, key_size=4, value_size=128, max_entries=4, map_flags=BPF_F_RDONLY|BPF_F_STACK_BUILD_ID, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80 [pid 5883] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_STACK_TRACE, key_size=4, value_size=128, max_entries=4, map_flags=BPF_F_RDONLY|BPF_F_STACK_BUILD_ID, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 80 [pid 5881] <... bpf resumed>) = 4 [pid 5877] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=8, insns=0x200000000080, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 16, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=0x2d /* BPF_??? */, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 148 [pid 5881] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=8, insns=0x200000000080, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 16, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=0x2d /* BPF_??? */, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 148 [pid 5880] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="kfree", prog_fd=5}}, 24) = 6 [pid 5884] <... bpf resumed>) = 4 [pid 5883] <... bpf resumed>) = 4 [pid 5881] <... bpf resumed>) = 5 [pid 5877] <... bpf resumed>) = 5 [pid 5881] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="kfree", prog_fd=5}}, 24 [pid 5880] perf_event_open( [pid 5884] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=8, insns=0x200000000080, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 16, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=0x2d /* BPF_??? */, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 148 [pid 5883] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_RAW_TRACEPOINT, insn_cnt=8, insns=0x200000000080, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(4, 16, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=0x2d /* BPF_??? */, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 148 [pid 5881] <... bpf resumed>) = 6 [pid 5877] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="kfree", prog_fd=5}}, 24 [pid 5881] perf_event_open( [pid 5880] <... perf_event_open resumed>{type=PERF_TYPE_SOFTWARE, size=PERF_ATTR_SIZE_VER7, config=PERF_COUNT_SW_CPU_CLOCK, sample_period=19761, sample_type=0, read_format=PERF_FORMAT_TOTAL_TIME_ENABLED, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_NO_GROUP|PERF_FLAG_FD_OUTPUT) = 7 [pid 5884] <... bpf resumed>) = 5 [pid 5883] <... bpf resumed>) = 5 [pid 5877] <... bpf resumed>) = 6 [pid 5881] <... perf_event_open resumed>{type=PERF_TYPE_SOFTWARE, size=PERF_ATTR_SIZE_VER7, config=PERF_COUNT_SW_CPU_CLOCK, sample_period=19761, sample_type=0, read_format=PERF_FORMAT_TOTAL_TIME_ENABLED, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_NO_GROUP|PERF_FLAG_FD_OUTPUT) = 7 [pid 5880] bpf(BPF_PROG_LOAD, NULL, 0 [pid 5877] perf_event_open( [pid 5883] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="kfree", prog_fd=5}}, 24) = 6 [pid 5883] perf_event_open( [pid 5880] <... bpf resumed>) = -1 E2BIG (Argument list too long) [pid 5883] <... perf_event_open resumed>{type=PERF_TYPE_SOFTWARE, size=PERF_ATTR_SIZE_VER7, config=PERF_COUNT_SW_CPU_CLOCK, sample_period=19761, sample_type=0, read_format=PERF_FORMAT_TOTAL_TIME_ENABLED, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_NO_GROUP|PERF_FLAG_FD_OUTPUT) = 7 [pid 5883] bpf(BPF_PROG_LOAD, NULL, 0) = -1 E2BIG (Argument list too long) [pid 5880] exit_group(0) = ? [pid 5883] exit_group(0) = ? [pid 5880] +++ exited with 0 +++ [pid 5883] +++ exited with 0 +++ [pid 5882] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5883, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- [pid 5882] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 5882] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5886 attached [pid 5884] bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name="kfree", prog_fd=5}}, 24 [pid 5877] <... perf_event_open resumed>{type=PERF_TYPE_SOFTWARE, size=PERF_ATTR_SIZE_VER7, config=PERF_COUNT_SW_CPU_CLOCK, sample_period=19761, sample_type=0, read_format=PERF_FORMAT_TOTAL_TIME_ENABLED, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_NO_GROUP|PERF_FLAG_FD_OUTPUT) = 7 [pid 5876] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5880, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5886] set_robust_list(0x555575241660, 24 [pid 5884] <... bpf resumed>) = 6 [pid 5882] <... clone resumed>, child_tidptr=0x555575241650) = 5886 [pid 5886] <... set_robust_list resumed>) = 0 [pid 5877] bpf(BPF_PROG_LOAD, NULL, 0 [pid 5886] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5884] perf_event_open( [pid 5886] <... prctl resumed>) = 0 [pid 5884] <... perf_event_open resumed>{type=PERF_TYPE_SOFTWARE, size=PERF_ATTR_SIZE_VER7, config=PERF_COUNT_SW_CPU_CLOCK, sample_period=19761, sample_type=0, read_format=PERF_FORMAT_TOTAL_TIME_ENABLED, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_NO_GROUP|PERF_FLAG_FD_OUTPUT) = 7 [pid 5886] setpgid(0, 0) = 0 [pid 5877] <... bpf resumed>) = -1 E2BIG (Argument list too long) [pid 5886] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5884] bpf(BPF_PROG_LOAD, NULL, 0 [pid 5876] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5887 attached [pid 5886] <... openat resumed>) = 3 [pid 5884] <... bpf resumed>) = -1 E2BIG (Argument list too long) [pid 5884] exit_group(0 [pid 5876] <... clone resumed>, child_tidptr=0x555575241650) = 5887 [ 101.960350][ C1] hrtimer: interrupt took 53439 ns [ 101.981810][ C1] ================================================================== [ 101.990716][ C1] BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 [ 101.999410][ C1] Write of size 8 at addr ffff88802769ba58 by task syz-executor186/5881 [ 102.008030][ C1] [ 102.010505][ C1] CPU: 1 UID: 0 PID: 5881 Comm: syz-executor186 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT(full) [ 102.010526][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 102.010536][ C1] Call Trace: [ 102.010547][ C1] [ 102.010556][ C1] dump_stack_lvl+0x189/0x250 [ 102.010582][ C1] ? __virt_addr_valid+0x1c8/0x5c0 [ 102.010601][ C1] ? rcu_is_watching+0x15/0xb0 [ 102.010616][ C1] ? __kasan_check_byte+0x12/0x40 [ 102.010637][ C1] ? __pfx_dump_stack_lvl+0x10/0x10 [ 102.010653][ C1] ? rcu_is_watching+0x15/0xb0 [ 102.010666][ C1] ? lock_release+0x4b/0x3e0 [ 102.010688][ C1] ? __virt_addr_valid+0x1c8/0x5c0 [ 102.010706][ C1] ? __virt_addr_valid+0x4a5/0x5c0 [ 102.010724][ C1] print_report+0xca/0x240 [ 102.010738][ C1] ? __bpf_get_stackid+0x677/0xcf0 [ 102.010761][ C1] kasan_report+0x118/0x150 [ 102.010781][ C1] ? __bpf_get_stackid+0x677/0xcf0 [ 102.010802][ C1] ? sysvec_apic_timer_interrupt+0xe/0xc0 [ 102.010839][ C1] __bpf_get_stackid+0x677/0xcf0 [ 102.010864][ C1] ? bpf_prog_b724608cae728045+0x27/0x2f [ 102.010878][ C1] bpf_get_stackid_raw_tp+0x196/0x210 [ 102.010898][ C1] bpf_prog_b724608cae728045+0x27/0x2f [ 102.010910][ C1] bpf_trace_run2+0x284/0x4b0 [ 102.010928][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 102.010946][ C1] ? bpf_trace_run2+0x186/0x4b0 [ 102.010963][ C1] ? __pfx_bpf_trace_run2+0x10/0x10 [ 102.010992][ C1] ? slab_free_after_rcu_debug+0x60/0x2a0 [ 102.011012][ C1] ? rcu_core+0xc37/0x1770 [ 102.011031][ C1] ? slab_free_after_rcu_debug+0x60/0x2a0 [ 102.011047][ C1] __traceiter_kfree+0x2b/0x50 [ 102.011062][ C1] ? slab_free_after_rcu_debug+0x60/0x2a0 [ 102.011077][ C1] kfree+0x3a0/0x440 [ 102.011096][ C1] ? rcu_core+0xc37/0x1770 [ 102.011115][ C1] slab_free_after_rcu_debug+0x60/0x2a0 [ 102.011131][ C1] ? __pfx_slab_free_after_rcu_debug+0x10/0x10 [ 102.011146][ C1] ? rcu_core+0xc37/0x1770 [ 102.011165][ C1] rcu_core+0xca8/0x1770 [ 102.011192][ C1] ? __pfx_rcu_core+0x10/0x10 [ 102.011212][ C1] ? __irq_exit_rcu+0xd8/0x1f0 [ 102.011227][ C1] ? __pfx___irq_exit_rcu+0x10/0x10 [ 102.011243][ C1] ? irqentry_exit+0x74/0x90 [ 102.011264][ C1] ? __pfx_rcu_core_si+0x10/0x10 [ 102.011285][ C1] handle_softirqs+0x283/0x870 [ 102.011301][ C1] ? __irq_exit_rcu+0xca/0x1f0 [ 102.011316][ C1] ? __pfx_handle_softirqs+0x10/0x10 [ 102.011332][ C1] ? irqtime_account_irq+0xb6/0x1c0 [ 102.011351][ C1] __irq_exit_rcu+0xca/0x1f0 [ 102.011365][ C1] ? __pfx___irq_exit_rcu+0x10/0x10 [ 102.011382][ C1] irq_exit_rcu+0x9/0x30 [ 102.011394][ C1] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 102.011413][ C1] [ 102.011418][ C1] [ 102.011424][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 102.011441][ C1] RIP: 0010:_raw_spin_unlock_irq+0x29/0x50 [ 102.011461][ C1] Code: 90 f3 0f 1e fa 53 48 89 fb 48 83 c7 18 48 8b 74 24 08 e8 aa 9c 21 f6 48 89 df e8 02 34 22 f6 e8 ed 85 4b f6 fb bf 01 00 00 00 52 2d 14 f6 65 8b 05 cb 70 24 07 85 c0 74 07 5b c3 cc cc cc cc [ 102.011474][ C1] RSP: 0018:ffffc9000428fd20 EFLAGS: 00000282 [ 102.011490][ C1] RAX: 2f79cc1df6f7d000 RBX: ffffffff8e1713c0 RCX: 2f79cc1df6f7d000 [ 102.011501][ C1] RDX: 0000000000000000 RSI: ffffffff8d9b6d6c RDI: 0000000000000001 [ 102.011511][ C1] RBP: 1ffff1100f654b46 R08: ffffffff8fa37e37 R09: 1ffffffff1f46fc6 [ 102.011521][ C1] R10: dffffc0000000000 R11: fffffbfff1f46fc7 R12: ffff88807b2a6ca8 [ 102.011532][ C1] R13: ffff88807b2a6328 R14: 00000000000102f9 R15: 1ffff1100f654c65 [ 102.011549][ C1] ptrace_stop+0x57f/0x940 [ 102.011574][ C1] ptrace_notify+0x20f/0x2c0 [ 102.011589][ C1] ? __pfx_ptrace_notify+0x10/0x10 [ 102.011603][ C1] ? __pfx_perf_trace_preemptirq_template+0x10/0x10 [ 102.011624][ C1] ? rcu_is_watching+0x15/0xb0 [ 102.011640][ C1] syscall_exit_work+0xc6/0x1d0 [ 102.011662][ C1] do_syscall_64+0x2ad/0x3b0 [ 102.011682][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 102.011700][ C1] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.011714][ C1] ? clear_bhb_loop+0x60/0xb0 [ 102.011730][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.011744][ C1] RIP: 0033:0x7ff9af6b7f29 [ 102.011757][ C1] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 102.011769][ C1] RSP: 002b:00007ffeb7f5ad78 EFLAGS: 00000246 ORIG_RAX: 000000000000012a [ 102.011783][ C1] RAX: 0000000000000007 RBX: 0000000000000000 RCX: 00007ff9af6b7f29 [ 102.011793][ C1] RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 00002000000003c0 [ 102.011802][ C1] RBP: 0000000000000000 R08: 0000000000000003 R09: 00000000000000a0 [ 102.011811][ C1] R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 [ 102.011820][ C1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 102.011835][ C1] [ 102.011840][ C1] [ 102.536888][ C1] Allocated by task 5877: [ 102.541272][ C1] kasan_save_track+0x3e/0x80 [ 102.546232][ C1] __kasan_kmalloc+0x93/0xb0 [ 102.551103][ C1] __kmalloc_node_noprof+0x276/0x4e0 [ 102.556582][ C1] bpf_map_area_alloc+0x64/0x180 [ 102.561819][ C1] prealloc_elems_and_freelist+0x86/0x1d0 [ 102.567818][ C1] stack_map_alloc+0x33f/0x4c0 [ 102.572928][ C1] map_create+0xaa0/0x14d0 [ 102.577462][ C1] __sys_bpf+0x60f/0x870 [ 102.582064][ C1] __x64_sys_bpf+0x7c/0x90 [ 102.586483][ C1] do_syscall_64+0xfa/0x3b0 [ 102.591542][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.597867][ C1] [ 102.600491][ C1] The buggy address belongs to the object at ffff88802769b800 [ 102.600491][ C1] which belongs to the cache kmalloc-1k of size 1024 [ 102.614739][ C1] The buggy address is located 24 bytes to the right of [ 102.614739][ C1] allocated 576-byte region [ffff88802769b800, ffff88802769ba40) [ 102.629786][ C1] [ 102.632267][ C1] The buggy address belongs to the physical page: [ 102.639279][ C1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27698 [ 102.648627][ C1] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 102.657759][ C1] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 102.665690][ C1] page_type: f5(slab) [ 102.669791][ C1] raw: 00fff00000000040 ffff88801a441dc0 ffffea00009b3c00 dead000000000002 [ 102.678645][ C1] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 102.688057][ C1] head: 00fff00000000040 ffff88801a441dc0 ffffea00009b3c00 dead000000000002 [ 102.697801][ C1] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 102.706814][ C1] head: 00fff00000000003 ffffea00009da601 00000000ffffffff 00000000ffffffff [ 102.717027][ C1] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 102.726424][ C1] page dumped because: kasan: bad access detected [ 102.733370][ C1] page_owner tracks the page as allocated [ 102.739584][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 13, tgid 13 (kworker/u8:1), ts 13014806172, free_ts 0 [ 102.758611][ C1] post_alloc_hook+0x240/0x2a0 [ 102.763588][ C1] get_page_from_freelist+0x21e4/0x22c0 [ 102.769516][ C1] __alloc_frozen_pages_noprof+0x181/0x370 [ 102.775512][ C1] allocate_slab+0x65/0x370 [ 102.780230][ C1] ___slab_alloc+0xbeb/0x1410 [ 102.784944][ C1] __kmalloc_cache_node_noprof+0x29a/0x3d0 [ 102.791034][ C1] blk_mq_alloc_and_init_hctx+0x181/0xd60 [ 102.796760][ C1] __blk_mq_realloc_hw_ctxs+0x169/0x400 [ 102.802514][ C1] blk_mq_init_allocated_queue+0x400/0x1490 [ 102.808506][ C1] blk_mq_alloc_queue+0x191/0x280 [ 102.813579][ C1] scsi_alloc_sdev+0x767/0xb40 [ 102.818621][ C1] scsi_probe_and_add_lun+0x1c5/0x4580 [ 102.824181][ C1] __scsi_scan_target+0x1dd/0xd10 [ 102.829298][ C1] scsi_scan_host_selected+0x372/0x690 [ 102.834769][ C1] do_scan_async+0x124/0x760 [ 102.839362][ C1] async_run_entry_fn+0xa8/0x3f0 [ 102.844318][ C1] page_owner free stack trace missing [ 102.849770][ C1] [ 102.852118][ C1] Memory state around the buggy address: [ 102.857867][ C1] ffff88802769b900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 executing program [pid 5886] write(3, "1000", 4 [pid 5887] set_robust_list(0x555575241660, 24 [pid 5886] <... write resumed>) = 4 [pid 5884] <... exit_group resumed>) = ? [pid 5887] <... set_robust_list resumed>) = 0 [pid 5886] close(3 [pid 5884] +++ exited with 0 +++ [pid 5887] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5886] <... close resumed>) = 0 [pid 5879] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5884, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- [pid 5879] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5886] write(1, "executing program\n", 18./strace-static-x86_64: Process 5888 attached [pid 5887] <... prctl resumed>) = 0 [pid 5886] <... write resumed>) = 18 [pid 5877] exit_group(0 [pid 5887] setpgid(0, 0) = 0 [pid 5886] perf_event_open( [pid 5887] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5886] <... perf_event_open resumed>{type=PERF_TYPE_TRACEPOINT, size=PERF_ATTR_SIZE_VER7, config=330, sample_period=4, sample_type=PERF_SAMPLE_TIME|PERF_SAMPLE_CALLCHAIN|PERF_SAMPLE_STREAM_ID, read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_ID|PERF_FORMAT_GROUP, precise_ip=0 /* arbitrary skid */, ...}, 0, -1, -1, PERF_FLAG_FD_OUTPUT|PERF_FLAG_FD_CLOEXEC) = 3 [pid 5888] set_robust_list(0x555575241660, 24 [pid 5887] <... openat resumed>) = 3 [pid 5888] <... set_robust_list resumed>) = 0 [pid 5877] <... exit_group resumed>) = ? [pid 5888] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5879] <... clone resumed>, child_tidptr=0x555575241650) = 5888 [ 102.866122][ C1] ffff88802769b980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 102.874367][ C1] >ffff88802769ba00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 102.882426][ C1] ^ [ 102.889361][ C1] ffff88802769ba80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.897512][ C1] ffff88802769bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.905755][ C1] ================================================================== [ 102.914058][ C1] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 102.921519][ C1] CPU: 1 UID: 0 PID: 5881 Comm: syz-executor186 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT(full) [ 102.936991][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 102.947058][ C1] Call Trace: [ 102.950355][ C1] [ 102.953213][ C1] dump_stack_lvl+0x99/0x250 [ 102.957813][ C1] ? __asan_memcpy+0x40/0x70 [ 102.962407][ C1] ? __pfx_dump_stack_lvl+0x10/0x10 [ 102.967745][ C1] ? __pfx__printk+0x10/0x10 [ 102.972367][ C1] vpanic+0x281/0x750 [ 102.976540][ C1] ? __pfx___irq_exit_rcu+0x10/0x10 [ 102.981738][ C1] ? __pfx_vpanic+0x10/0x10 [ 102.986331][ C1] ? irqentry_exit+0x74/0x90 [ 102.991023][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 102.996255][ C1] panic+0xb9/0xc0 [ 102.999992][ C1] ? __pfx_panic+0x10/0x10 [ 103.004414][ C1] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 103.010402][ C1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 103.016738][ C1] ? __bpf_get_stackid+0x677/0xcf0 [ 103.021862][ C1] check_panic_on_warn+0x89/0xb0 [ 103.026810][ C1] ? __bpf_get_stackid+0x677/0xcf0 [ 103.031927][ C1] end_report+0x78/0x160 [ 103.036172][ C1] kasan_report+0x129/0x150 [ 103.040684][ C1] ? __bpf_get_stackid+0x677/0xcf0 [ 103.045813][ C1] ? sysvec_apic_timer_interrupt+0xe/0xc0 [ 103.051546][ C1] __bpf_get_stackid+0x677/0xcf0 [ 103.056493][ C1] ? bpf_prog_b724608cae728045+0x27/0x2f [ 103.062138][ C1] bpf_get_stackid_raw_tp+0x196/0x210 [ 103.067629][ C1] bpf_prog_b724608cae728045+0x27/0x2f [ 103.073095][ C1] bpf_trace_run2+0x284/0x4b0 [ 103.077780][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 103.082983][ C1] ? bpf_trace_run2+0x186/0x4b0 [ 103.087931][ C1] ? __pfx_bpf_trace_run2+0x10/0x10 [ 103.093140][ C1] ? slab_free_after_rcu_debug+0x60/0x2a0 [ 103.098877][ C1] ? rcu_core+0xc37/0x1770 [ 103.103307][ C1] ? slab_free_after_rcu_debug+0x60/0x2a0 [ 103.109026][ C1] __traceiter_kfree+0x2b/0x50 [ 103.113792][ C1] ? slab_free_after_rcu_debug+0x60/0x2a0 [ 103.119602][ C1] kfree+0x3a0/0x440 [ 103.123528][ C1] ? rcu_core+0xc37/0x1770 [ 103.128007][ C1] slab_free_after_rcu_debug+0x60/0x2a0 [ 103.133622][ C1] ? __pfx_slab_free_after_rcu_debug+0x10/0x10 [ 103.140053][ C1] ? rcu_core+0xc37/0x1770 [ 103.144479][ C1] rcu_core+0xca8/0x1770 [ 103.148735][ C1] ? __pfx_rcu_core+0x10/0x10 [ 103.153421][ C1] ? __irq_exit_rcu+0xd8/0x1f0 [ 103.158189][ C1] ? __pfx___irq_exit_rcu+0x10/0x10 [ 103.163398][ C1] ? irqentry_exit+0x74/0x90 [ 103.168003][ C1] ? __pfx_rcu_core_si+0x10/0x10 [ 103.172959][ C1] handle_softirqs+0x283/0x870 [ 103.177754][ C1] ? __irq_exit_rcu+0xca/0x1f0 [ 103.182547][ C1] ? __pfx_handle_softirqs+0x10/0x10 [ 103.188322][ C1] ? irqtime_account_irq+0xb6/0x1c0 [ 103.193561][ C1] __irq_exit_rcu+0xca/0x1f0 [ 103.198163][ C1] ? __pfx___irq_exit_rcu+0x10/0x10 [ 103.203366][ C1] irq_exit_rcu+0x9/0x30 [ 103.207693][ C1] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 103.213366][ C1] [ 103.216297][ C1] [ 103.219246][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 103.225253][ C1] RIP: 0010:_raw_spin_unlock_irq+0x29/0x50 [ 103.231094][ C1] Code: 90 f3 0f 1e fa 53 48 89 fb 48 83 c7 18 48 8b 74 24 08 e8 aa 9c 21 f6 48 89 df e8 02 34 22 f6 e8 ed 85 4b f6 fb bf 01 00 00 00 52 2d 14 f6 65 8b 05 cb 70 24 07 85 c0 74 07 5b c3 cc cc cc cc [ 103.250791][ C1] RSP: 0018:ffffc9000428fd20 EFLAGS: 00000282 [ 103.256915][ C1] RAX: 2f79cc1df6f7d000 RBX: ffffffff8e1713c0 RCX: 2f79cc1df6f7d000 [ 103.264907][ C1] RDX: 0000000000000000 RSI: ffffffff8d9b6d6c RDI: 0000000000000001 [ 103.272880][ C1] RBP: 1ffff1100f654b46 R08: ffffffff8fa37e37 R09: 1ffffffff1f46fc6 [ 103.280852][ C1] R10: dffffc0000000000 R11: fffffbfff1f46fc7 R12: ffff88807b2a6ca8 [ 103.288916][ C1] R13: ffff88807b2a6328 R14: 00000000000102f9 R15: 1ffff1100f654c65 [ 103.297091][ C1] ptrace_stop+0x57f/0x940 [ 103.301548][ C1] ptrace_notify+0x20f/0x2c0 [ 103.306242][ C1] ? __pfx_ptrace_notify+0x10/0x10 [ 103.311381][ C1] ? __pfx_perf_trace_preemptirq_template+0x10/0x10 [ 103.318018][ C1] ? rcu_is_watching+0x15/0xb0 [ 103.323113][ C1] syscall_exit_work+0xc6/0x1d0 [ 103.328077][ C1] do_syscall_64+0x2ad/0x3b0 [ 103.332678][ C1] ? lockdep_hardirqs_on+0x9c/0x150 [ 103.338159][ C1] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.344419][ C1] ? clear_bhb_loop+0x60/0xb0 [ 103.349101][ C1] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.354996][ C1] RIP: 0033:0x7ff9af6b7f29 [ 103.359443][ C1] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 103.379145][ C1] RSP: 002b:00007ffeb7f5ad78 EFLAGS: 00000246 ORIG_RAX: 000000000000012a [ 103.387752][ C1] RAX: 0000000000000007 RBX: 0000000000000000 RCX: 00007ff9af6b7f29 [ 103.395765][ C1] RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 00002000000003c0 [ 103.403923][ C1] RBP: 0000000000000000 R08: 0000000000000003 R09: 00000000000000a0 [ 103.412381][ C1] R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 [ 103.420467][ C1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 103.428657][ C1] [ 103.432098][ C1] Kernel Offset: disabled [ 103.436465][ C1] Rebooting in 86400 seconds..