Extracting prog: 2m21.694345934s
Minimizing prog: 42m44.856127757s
Simplifying prog options: 4m43.486214772s
Extracting C: 1m42.974957677s
Simplifying C: 0s
extracting reproducer from 37 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure-socket$inet6_tcp-bind$inet6-setsockopt$inet6_tcp_int-shutdown-getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE-setsockopt$sock_attach_bpf
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x2, 0x0, @loopback, 0x7}, 0x1c)
setsockopt$inet6_tcp_int(r2, 0x6, 0x2000000000000022, &(0x7f0000000200)=0x1, 0x4)
shutdown(r2, 0x1)
getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r2, 0x6, 0x23, &(0x7f00000000c0)={&(0x7f00004c4000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000100)=0x40)
setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x1, 0x7, &(0x7f0000000340), 0x4)
program crashed: KASAN: slab-use-after-free Read in mremap
program crashed: KASAN: slab-use-after-free Read in mremap
single: successfully extracted reproducer
found reproducer with 17 syscalls
minimizing guilty program
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure-socket$inet6_tcp-bind$inet6-setsockopt$inet6_tcp_int-shutdown-getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x2, 0x0, @loopback, 0x7}, 0x1c)
setsockopt$inet6_tcp_int(r2, 0x6, 0x2000000000000022, &(0x7f0000000200)=0x1, 0x4)
shutdown(r2, 0x1)
getsockopt$inet6_tcp_TCP_ZEROCOPY_RECEIVE(r2, 0x6, 0x23, &(0x7f00000000c0)={&(0x7f00004c4000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000100)=0x40)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure-socket$inet6_tcp-bind$inet6-setsockopt$inet6_tcp_int-shutdown
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x2, 0x0, @loopback, 0x7}, 0x1c)
setsockopt$inet6_tcp_int(r2, 0x6, 0x2000000000000022, &(0x7f0000000200)=0x1, 0x4)
shutdown(r2, 0x1)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure-socket$inet6_tcp-bind$inet6-setsockopt$inet6_tcp_int
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x2, 0x0, @loopback, 0x7}, 0x1c)
setsockopt$inet6_tcp_int(r2, 0x6, 0x2000000000000022, &(0x7f0000000200)=0x1, 0x4)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure-socket$inet6_tcp-bind$inet6
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x2, 0x0, @loopback, 0x7}, 0x1c)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure-socket$inet6_tcp
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
socket$inet6_tcp(0xa, 0x1, 0x0)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap-write$cgroup_pressure
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
write$cgroup_pressure(0xffffffffffffffff, &(0x7f0000000140)={'full'}, 0xfffffdef)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-ioperm
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
ioperm(0x7, 0x81, 0x2)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
read$msr(0xffffffffffffffff, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-sched_setaffinity-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-sched_setscheduler-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-prlimit64-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
socket$kcm(0x10, 0x2, 0x0)
r0 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{0x0}], 0x1}, 0x0)
r0 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r0, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, 0x0, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(0x0, 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, 0x0, 0x0)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
extracting C reproducer
testing compiled C program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
program did not crash
simplifying guilty program options
testing program (duration=51.244646989s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program did not crash
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
validation run: crashed=true
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
validation run: crashed=true
testing program (duration=51.244646989s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$kcm-sendmsg$kcm-syz_open_dev$MSR-read$msr-mremap
detailed listing:
executing program 0:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000040)={0x0, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
read$msr(r1, &(0x7f0000019680)=""/102392, 0x18ff8)
mremap(&(0x7f0000041000/0x2000)=nil, 0x2000, 0x2000, 0x3, &(0x7f00004c3000/0x2000)=nil)
program crashed: KASAN: slab-use-after-free Read in mremap
validation run: crashed=true
reproducing took 57m51.302259567s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in vma_multi_allowed mm/mremap.c:1623 [inline]
BUG: KASAN: slab-use-after-free in remap_move mm/mremap.c:1884 [inline]
BUG: KASAN: slab-use-after-free in do_mremap mm/mremap.c:1923 [inline]
BUG: KASAN: slab-use-after-free in __do_sys_mremap mm/mremap.c:1987 [inline]
BUG: KASAN: slab-use-after-free in __se_sys_mremap+0xb33/0x1150 mm/mremap.c:1955
Read of size 8 at addr ffff888075a117d8 by task syz.1.62/6251
CPU: 1 UID: 0 PID: 6251 Comm: syz.1.62 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
vma_multi_allowed mm/mremap.c:1623 [inline]
remap_move mm/mremap.c:1884 [inline]
do_mremap mm/mremap.c:1923 [inline]
__do_sys_mremap mm/mremap.c:1987 [inline]
__se_sys_mremap+0xb33/0x1150 mm/mremap.c:1955
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07b198ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f07b2775038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f07b1bb6090 RCX: 00007f07b198ebe9
RDX: 0000000000002000 RSI: 0000000000002000 RDI: 0000200000041000
RBP: 00007f07b1a11e19 R08: 00002000004c3000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f07b1bb6128 R14: 00007f07b1bb6090 R15: 00007ffea0f75c48
Allocated by task 5975:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
unpoison_slab_object mm/kasan/common.c:339 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:365
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
dup_mmap+0x90c/0x1ac0 mm/mmap.c:1780
dup_mm kernel/fork.c:1485 [inline]
copy_mm+0x13c/0x4b0 kernel/fork.c:1537
copy_process+0x1706/0x3c00 kernel/fork.c:2175
kernel_clone+0x21e/0x840 kernel/fork.c:2605
__do_sys_clone kernel/fork.c:2748 [inline]
__se_sys_clone kernel/fork.c:2732 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2732
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6243:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5b/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4730
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:56
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:559
slab_free_hook mm/slub.c:2378 [inline]
slab_free mm/slub.c:4680 [inline]
kmem_cache_free+0x2f6/0x400 mm/slub.c:4782
remove_vma mm/vma.c:468 [inline]
vms_complete_munmap_vmas+0x626/0x8a0 mm/vma.c:1293
do_vmi_align_munmap+0x358/0x420 mm/vma.c:1536
do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
do_munmap+0xe1/0x140 mm/mmap.c:1068
mremap_to+0x2df/0x7a0 mm/mremap.c:1372
remap_move mm/mremap.c:1879 [inline]
do_mremap mm/mremap.c:1923 [inline]
__do_sys_mremap mm/mremap.c:1987 [inline]
__se_sys_mremap+0xadf/0x1150 mm/mremap.c:1955
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888075a11780
which belongs to the cache vm_area_struct of size 256
The buggy address is located 88 bytes inside of
freed 256-byte region [ffff888075a11780, ffff888075a11880)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75a11
memcg:ffff888027da7c81
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801bad5b40 ffffea0000c27b00 dead000000000002
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff888027da7c81
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5528, tgid 5528 (dhcpcd), ts 33820876554, free_ts 33614927260
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4236
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
dup_mmap+0x90c/0x1ac0 mm/mmap.c:1780
dup_mm kernel/fork.c:1485 [inline]
copy_mm+0x13c/0x4b0 kernel/fork.c:1537
copy_process+0x1706/0x3c00 kernel/fork.c:2175
kernel_clone+0x21e/0x840 kernel/fork.c:2605
__do_sys_clone kernel/fork.c:2748 [inline]
__se_sys_clone kernel/fork.c:2732 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2732
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 0 tgid 0 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
pagetable_free include/linux/mm.h:2917 [inline]
pagetable_dtor_free include/linux/mm.h:3015 [inline]
__tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffff888075a11680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888075a11700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff888075a11780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888075a11800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888075a11880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in vma_multi_allowed mm/mremap.c:1623 [inline]
BUG: KASAN: slab-use-after-free in remap_move mm/mremap.c:1884 [inline]
BUG: KASAN: slab-use-after-free in do_mremap mm/mremap.c:1923 [inline]
BUG: KASAN: slab-use-after-free in __do_sys_mremap mm/mremap.c:1987 [inline]
BUG: KASAN: slab-use-after-free in __se_sys_mremap+0xb33/0x1150 mm/mremap.c:1955
Read of size 8 at addr ffff888075a117d8 by task syz.1.62/6251
CPU: 1 UID: 0 PID: 6251 Comm: syz.1.62 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
vma_multi_allowed mm/mremap.c:1623 [inline]
remap_move mm/mremap.c:1884 [inline]
do_mremap mm/mremap.c:1923 [inline]
__do_sys_mremap mm/mremap.c:1987 [inline]
__se_sys_mremap+0xb33/0x1150 mm/mremap.c:1955
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07b198ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f07b2775038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f07b1bb6090 RCX: 00007f07b198ebe9
RDX: 0000000000002000 RSI: 0000000000002000 RDI: 0000200000041000
RBP: 00007f07b1a11e19 R08: 00002000004c3000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f07b1bb6128 R14: 00007f07b1bb6090 R15: 00007ffea0f75c48
Allocated by task 5975:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
unpoison_slab_object mm/kasan/common.c:339 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:365
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
dup_mmap+0x90c/0x1ac0 mm/mmap.c:1780
dup_mm kernel/fork.c:1485 [inline]
copy_mm+0x13c/0x4b0 kernel/fork.c:1537
copy_process+0x1706/0x3c00 kernel/fork.c:2175
kernel_clone+0x21e/0x840 kernel/fork.c:2605
__do_sys_clone kernel/fork.c:2748 [inline]
__se_sys_clone kernel/fork.c:2732 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2732
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6243:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5b/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4730
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:56
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:559
slab_free_hook mm/slub.c:2378 [inline]
slab_free mm/slub.c:4680 [inline]
kmem_cache_free+0x2f6/0x400 mm/slub.c:4782
remove_vma mm/vma.c:468 [inline]
vms_complete_munmap_vmas+0x626/0x8a0 mm/vma.c:1293
do_vmi_align_munmap+0x358/0x420 mm/vma.c:1536
do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
do_munmap+0xe1/0x140 mm/mmap.c:1068
mremap_to+0x2df/0x7a0 mm/mremap.c:1372
remap_move mm/mremap.c:1879 [inline]
do_mremap mm/mremap.c:1923 [inline]
__do_sys_mremap mm/mremap.c:1987 [inline]
__se_sys_mremap+0xadf/0x1150 mm/mremap.c:1955
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888075a11780
which belongs to the cache vm_area_struct of size 256
The buggy address is located 88 bytes inside of
freed 256-byte region [ffff888075a11780, ffff888075a11880)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75a11
memcg:ffff888027da7c81
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801bad5b40 ffffea0000c27b00 dead000000000002
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff888027da7c81
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5528, tgid 5528 (dhcpcd), ts 33820876554, free_ts 33614927260
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4236
vm_area_dup+0x2b/0x680 mm/vma_init.c:122
dup_mmap+0x90c/0x1ac0 mm/mmap.c:1780
dup_mm kernel/fork.c:1485 [inline]
copy_mm+0x13c/0x4b0 kernel/fork.c:1537
copy_process+0x1706/0x3c00 kernel/fork.c:2175
kernel_clone+0x21e/0x840 kernel/fork.c:2605
__do_sys_clone kernel/fork.c:2748 [inline]
__se_sys_clone kernel/fork.c:2732 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2732
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 0 tgid 0 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
pagetable_free include/linux/mm.h:2917 [inline]
pagetable_dtor_free include/linux/mm.h:3015 [inline]
__tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffff888075a11680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888075a11700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff888075a11780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888075a11800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888075a11880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================