Extracting prog: 30.427392353s
Minimizing prog: 25m48.896485621s
Simplifying prog options: 0s
Extracting C: 1m1.295152331s
Simplifying C: 8m6.708588743s


extracting reproducer from 37 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-ioctl$TUNSETIFF-setns-ioctl$TUNGETVNETBE-ioctl$PAGEMAP_SCAN-process_madvise-syz_mount_image$udf
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r5 = syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
setns(r4, 0x80)
ioctl$TUNGETVNETBE(r6, 0x800454df, &(0x7f00000000c0))
ioctl$PAGEMAP_SCAN(r5, 0xc0606610, &(0x7f0000000000)={0x60, 0x0, &(0x7f000007c000/0x4000)=nil, &(0x7f0000154000/0x1000)=nil, 0x0, 0x0, 0x0, 0x2, 0xbb, 0x0, 0xc, 0x4})
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)
syz_mount_image$udf(&(0x7f0000000080), &(0x7f0000000580)='./file0\x00', 0x0, &(0x7f00000005c0), 0x1, 0x537, &(0x7f0000000600)="$eJzs281vFHUcx/HPd2e3na4Iy4MFDJIVY0TQhrZYGutBoDSSAEVK9WA8FLrFDX0gbTFAlNSb/4AHbySGBDHxYvTARf8AEyNeOKjxoMbEy+pFMFHMzM7TLlu6tQ9L6ftF6MzOfHf39zS/3286vwoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgHDu3f026NTgUAAFhOxwZO7Olk/AcAYFU5yf0/AADAamJy9LFMH3xbsqP+6zL3SHH8/IXB3r7ab2sxmVJy/Hjvv9ve0bn3ha593eH2/u9fbFvVP3Byf/7gxNi5ycLUVGE4PzhePD0xXKj7Exb6/mq7/ALIj509PzwyMpXvaOusOH0h92vzI625nn0D+XQYO9jb1zeQiEln/ve332O2GX6THP0g0+dPfmrHJKW08LKYo+0stRY/E7v8TAz29vkZGS0OjU97Jy0VRKUqy6QpLKNlqIsF2SR56bKmxblny8hRUaaXfypZvyQnLIfd/i+G5/6A1KIkY968dL4p6YpWQJ09wJrl6I5M13/O6bhXZmH9p6V/Gp04LLm0HN2QacJK9qrfH3jXk9dtHnktf3h8ZCIRa6ngilrp48NyesD7JleO+v0rvmQnGp0YLLsWOTol0+bzb/vzCvnz0nU93VvfaE7OMDbP8TlebJukd+sckzPB1MFS3r/FzxcAAAAAAAAAyTVHu2X68nXXf32l/IjRd/tupYYmFEvDHP0iU9tXJbOqdQlOYn1HZKU/+1na9Le4ByfOXZwsnnlruub5rLv/1NT05NDp2qfVonTwDC401zqGaqnyWoZ6ZczRjEzv916LH+XnzNt/tDr26jtxW9gZbMPXyXYz237NFQvzeD7mBt+bnkf+AMzOzNEBmUZubAnWfmT9C4xHcquD1/9/JNOff1+Lx51y/39PN3v1pbhduEFnHvXpfj+/tryeMXqGnN2e3F+M/t/73uYF5RhAyOv/SzLdubnFv67C/r/68vPijsv07L/bgrhUk9cZuMH5nP/THSmOFvZ4sU/L9OP2MFZ+7NogdmMc2+7FvifToY2VseuC2E1xbIcX+6JM61U79rE4ttOLPSzTZ8V8GJv1YncEsa1xbNvpidHhJSvgB1zWHH0t04ffvWJhXQZrQIP+34lik/P/maptZJa+f15jQi1zjBO5xLGZoL0Oeu26a4vfRv12nardrr+Qac3MtiCu3KbCRYLr/Z9xu/5dpssHK2PDG6UNcWx7vdlqNK/+P5Gpf/RWlOeg/oOiimsoWf+Ppyu3UStpUP2vTxzLBenKzrMsVqOpi5fODo2OFibZYYcddqKdRvdMWA7e+N8q0/UjjoXzmGD8X1N+Fc///rocj/89VdtIg8b/DYljPcGsJZOW3Omxc5nNkjt18dLzxbGhM4UzhfH27r2dXV3dHXv3ZZrCyV28V3fZPQy8+r8l0x+3b0b3Z5Xzv9rz/2zVNtKg+t+YzFPFvKbuoliVvPo/JNM3M7ei++j7zf/D3//tfKpyG11/Dar/TYljuSBduXmWBQAAAAAAAAAAAAAAAACsJFlztEOm7397zsK/japn/d9w1TbSoPVfrYljw8v0dw11FzIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArAApOXpCpmdUsrvegTXS0eQWD7X/AgAA//8QRU36")

program crashed: kernel BUG in __free_one_page
single: successfully extracted reproducer
found reproducer with 16 syscalls
minimizing guilty program
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-ioctl$TUNSETIFF-setns-ioctl$TUNGETVNETBE-ioctl$PAGEMAP_SCAN-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r5 = syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
setns(r4, 0x80)
ioctl$TUNGETVNETBE(r6, 0x800454df, &(0x7f00000000c0))
ioctl$PAGEMAP_SCAN(r5, 0xc0606610, &(0x7f0000000000)={0x60, 0x0, &(0x7f000007c000/0x4000)=nil, &(0x7f0000154000/0x1000)=nil, 0x0, 0x0, 0x0, 0x2, 0xbb, 0x0, 0xc, 0x4})
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-ioctl$TUNSETIFF-setns-ioctl$TUNGETVNETBE-ioctl$PAGEMAP_SCAN
detailed listing:
executing program 0:
r0 = getpid()
syz_pidfd_open(r0, 0x0)
r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r1, 0x40081271, &(0x7f0000000100)=0x10000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r3 = dup(r2)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r3, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r4 = syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
setns(r3, 0x80)
ioctl$TUNGETVNETBE(r5, 0x800454df, &(0x7f00000000c0))
ioctl$PAGEMAP_SCAN(r4, 0xc0606610, &(0x7f0000000000)={0x60, 0x0, &(0x7f000007c000/0x4000)=nil, &(0x7f0000154000/0x1000)=nil, 0x0, 0x0, 0x0, 0x2, 0xbb, 0x0, 0xc, 0x4})

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-ioctl$TUNSETIFF-setns-ioctl$TUNGETVNETBE-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
setns(r4, 0x80)
ioctl$TUNGETVNETBE(r5, 0x800454df, &(0x7f00000000c0))
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-ioctl$TUNSETIFF-setns-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
setns(r4, 0x80)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-ioctl$TUNSETIFF-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-openat$tun-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-syz_open_procfs$pagemap-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
syz_open_procfs$pagemap(0x0, &(0x7f0000000600))
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
dup(r3)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = dup(0xffffffffffffffff)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r3, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r3 = dup(r2)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r3, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
ioctl$BLKBSZSET(0xffffffffffffffff, 0x40081271, &(0x7f0000000100)=0x10000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r3 = dup(r2)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r3, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
getpid()
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r0, 0x40081271, &(0x7f0000000100)=0x10000)
r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r2 = dup(r1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r2, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(0xffffffffffffffff, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = syz_pidfd_open(0x0, 0x0)
r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r1, 0x40081271, &(0x7f0000000100)=0x10000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r3 = dup(r2)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r3, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r0, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, 0x0, 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, 0x0)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, 0x0, 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, 0x0, 0x0, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{0x0}], 0x1, 0x65, 0x0)

program did not crash
testing program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{}], 0x1, 0x65, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=41.49840174s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
simplifying C reproducer
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program did not crash
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing compiled C program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
program crashed: kernel BUG in __free_one_page
testing program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
validation run: crashed=true
testing program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
validation run: crashed=true
testing program (duration=41.49840174s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-syz_pidfd_open-openat$nullb-ioctl$BLKBSZSET-openat$nullb-dup-mmap-madvise-process_madvise
detailed listing:
executing program 0:
r0 = getpid()
r1 = syz_pidfd_open(r0, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x1e9802, 0x0)
ioctl$BLKBSZSET(r2, 0x40081271, &(0x7f0000000100)=0x10000)
r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r4 = dup(r3)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r4, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
process_madvise(r1, &(0x7f00000015c0)=[{&(0x7f0000000000)="96", 0x1}], 0x1, 0x65, 0x0)

program crashed: kernel BUG in __free_one_page
validation run: crashed=true
reproducing took 39m18.498473115s
repro crashed as (corrupted=false):
raw: 05ffc00000200000 fffffdffc362e008 ffff0001fea8cba0 0000000000000000
raw: 0000000000000000 0000000000000004 00000001f0000000 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_count(buddy) != 0)
------------[ cut here ]------------
kernel BUG at mm/internal.h:664!
Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6687 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : page_is_buddy mm/internal.h:664 [inline]
pc : find_buddy_page_pfn mm/internal.h:716 [inline]
pc : __free_one_page+0x8b8/0x988 mm/page_alloc.c:969
lr : page_is_buddy mm/internal.h:664 [inline]
lr : find_buddy_page_pfn mm/internal.h:716 [inline]
lr : __free_one_page+0x8b8/0x988 mm/page_alloc.c:969
sp : ffff8000a0ae71f0
x29: ffff8000a0ae7210 x28: fffffdffc3da8034 x27: fffffdffc3da8000
x26: 0000000000136a00 x25: 0000000000000000 x24: 0000000000000004
x23: 0000000000136a10 x22: dfff800000000000 x21: fffffdffc3da8400
x20: 0000000000000000 x19: ffff0001fea8c880 x18: 00000000ffffffff
x17: 3030303030303030 x16: ffff80008b0155d8 x15: 0000000000000001
x14: 1fffe000337976f2 x13: 0000000000000000 x12: 0000000000000000
x11: ffff6000337976f3 x10: 0000000000ff0100 x9 : e54470b289174000
x8 : e54470b289174000 x7 : ffff800080563530 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff8000807de30c
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 000000000000003b
Call trace:
 page_is_buddy mm/internal.h:664 [inline] (P)
 find_buddy_page_pfn mm/internal.h:716 [inline] (P)
 __free_one_page+0x8b8/0x988 mm/page_alloc.c:969 (P)
 split_large_buddy+0x108/0x1d0 mm/page_alloc.c:1512
 free_one_page+0x94/0x2e0 mm/page_alloc.c:1559
 free_unref_folios+0x6b0/0x1454 mm/page_alloc.c:2959
 folios_put_refs+0x608/0x718 mm/swap.c:997
 folios_put include/linux/mm.h:1419 [inline]
 __folio_batch_release+0x78/0xb0 mm/swap.c:1057
 folio_batch_release include/linux/pagevec.h:101 [inline]
 truncate_inode_pages_range+0x2f8/0xe18 mm/truncate.c:383
 truncate_inode_pages+0x2c/0x3c mm/truncate.c:460
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0xfc/0x254 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x478/0x654 block/bdev.c:1144
 blkdev_release+0x20/0x34 block/fops.c:699
 __fput+0x340/0x75c fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x524/0x1a14 kernel/exit.c:961
 do_group_exit+0x194/0x22c kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 pid_child_should_wake+0x0/0x1dc kernel/exit.c:1111
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 90052f41 913e0021 aa1b03e0 97d585d0 (d4210000) 
---[ end trace 0000000000000000 ]---

final repro crashed as (corrupted=false):
raw: 05ffc00000200000 fffffdffc362e008 ffff0001fea8cba0 0000000000000000
raw: 0000000000000000 0000000000000004 00000001f0000000 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_count(buddy) != 0)
------------[ cut here ]------------
kernel BUG at mm/internal.h:664!
Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6687 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : page_is_buddy mm/internal.h:664 [inline]
pc : find_buddy_page_pfn mm/internal.h:716 [inline]
pc : __free_one_page+0x8b8/0x988 mm/page_alloc.c:969
lr : page_is_buddy mm/internal.h:664 [inline]
lr : find_buddy_page_pfn mm/internal.h:716 [inline]
lr : __free_one_page+0x8b8/0x988 mm/page_alloc.c:969
sp : ffff8000a0ae71f0
x29: ffff8000a0ae7210 x28: fffffdffc3da8034 x27: fffffdffc3da8000
x26: 0000000000136a00 x25: 0000000000000000 x24: 0000000000000004
x23: 0000000000136a10 x22: dfff800000000000 x21: fffffdffc3da8400
x20: 0000000000000000 x19: ffff0001fea8c880 x18: 00000000ffffffff
x17: 3030303030303030 x16: ffff80008b0155d8 x15: 0000000000000001
x14: 1fffe000337976f2 x13: 0000000000000000 x12: 0000000000000000
x11: ffff6000337976f3 x10: 0000000000ff0100 x9 : e54470b289174000
x8 : e54470b289174000 x7 : ffff800080563530 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff8000807de30c
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 000000000000003b
Call trace:
 page_is_buddy mm/internal.h:664 [inline] (P)
 find_buddy_page_pfn mm/internal.h:716 [inline] (P)
 __free_one_page+0x8b8/0x988 mm/page_alloc.c:969 (P)
 split_large_buddy+0x108/0x1d0 mm/page_alloc.c:1512
 free_one_page+0x94/0x2e0 mm/page_alloc.c:1559
 free_unref_folios+0x6b0/0x1454 mm/page_alloc.c:2959
 folios_put_refs+0x608/0x718 mm/swap.c:997
 folios_put include/linux/mm.h:1419 [inline]
 __folio_batch_release+0x78/0xb0 mm/swap.c:1057
 folio_batch_release include/linux/pagevec.h:101 [inline]
 truncate_inode_pages_range+0x2f8/0xe18 mm/truncate.c:383
 truncate_inode_pages+0x2c/0x3c mm/truncate.c:460
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0xfc/0x254 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x478/0x654 block/bdev.c:1144
 blkdev_release+0x20/0x34 block/fops.c:699
 __fput+0x340/0x75c fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x524/0x1a14 kernel/exit.c:961
 do_group_exit+0x194/0x22c kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 pid_child_should_wake+0x0/0x1dc kernel/exit.c:1111
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 90052f41 913e0021 aa1b03e0 97d585d0 (d4210000) 
---[ end trace 0000000000000000 ]---