Extracting prog: 31m50.344423385s
Minimizing prog: 73.612µs
Simplifying prog options: 20m46.317774369s
Extracting C: 6m10.220262485s
Simplifying C: 0s
extracting reproducer from 24 programs
testing a last program of every proc
single: executing 4 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program did not crash
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_sctp
detailed listing:
executing program 0:
socket$inet_sctp(0x2, 0x7f9d5c50d5d0ee45, 0x84)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x2d, &(0x7f00000003c0)={{0x12, 0x1, 0x0, 0x5a, 0xe4, 0xc4, 0x10, 0x596, 0x1, 0x5f5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xd6, 0x0, 0x1, 0xb5, 0xe1, 0x45, 0x0, [], [{{0x9, 0x5, 0x83, 0x0, 0x3ff, 0x3, 0x7, 0x4}}]}}]}}]}}, 0x0)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x36, &(0x7f0000000500)=ANY=[@ANYBLOB="12010002a69bbc104f959941760f010203010902240001040000000904330202020c07"], 0x0)
program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 30s
testing program (duration=36s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
detailed listing:
executing program 1:
syz_usb_connect$cdc_ecm(0x1, 0x4d, &(0x7f0000000400)={{0x12, 0x1, 0x300, 0x2, 0x0, 0x0, 0x8, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3b, 0x1, 0x1, 0x2, 0xc73ebdfa468265f4, 0x7, [{{0x9, 0x4, 0x0, 0x7, 0x2, 0x2, 0x6, 0x0, 0x6, {{0x5}, {0x5, 0x24, 0x0, 0x8001}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x9, 0x5, 0x81}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x7ff, 0x6, 0x4, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x4, 0x3, 0xea}}}}}]}}]}}, &(0x7f0000000940)={0x0, 0x0, 0xf, &(0x7f0000000080)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x3, 0x0, 0x3}]}, 0x1, [{0x0, 0x0}]})
executing program 1:
syz_usb_connect(0x0, 0x24, &(0x7f00000005c0)={{0x12, 0x1, 0x250, 0x69, 0xd0, 0xae, 0x10, 0x5ac, 0x249, 0xdea6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x3, 0x3, 0x60, 0x8, [{{0x9, 0x4, 0xd8, 0x80, 0x0, 0x3, 0xef, 0x2, 0x9c}}]}}]}}, &(0x7f0000000e80)={0x0, 0x0, 0x0, 0x0})
executing program 1:
quotactl_fd$Q_GETFMT(0xffffffffffffffff, 0xffffffff80000400, 0x0, 0x0)
executing program 1:
syz_usb_connect(0x2, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="1201500285d5c2086004040031960154030109021b000100031003090458080119662194090586"], &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0})
executing program 2:
syz_usb_connect(0x0, 0x24, &(0x7f0000000240)=ANY=[@ANYBLOB="12010000f2d07c40501d89601dd0000010010902120001000000000904"], 0x0)
executing program 1:
syz_usb_connect(0x0, 0x24, &(0x7f0000000300)={{0x12, 0x1, 0x201, 0x14, 0x3d, 0xc0, 0x20, 0x84f, 0x1, 0x6c05, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x4, 0x7, 0x0, 0x6, [{{0x9, 0x4, 0x5b, 0x0, 0x0, 0x98, 0xc7, 0xa2, 0xff}}]}}]}}, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0})
executing program 0:
io_setup(0x0, &(0x7f00000000c0))
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0x7ffffffff000, 0x0, 0x8031, 0xffffffffffffffff, 0x0)
executing program 0:
clock_adjtime(0x0, &(0x7f0000000200)={0x7fffffff, 0x8000000000000001, 0x80000001, 0xd6, 0x9c7, 0x2, 0x100, 0xd5e3, 0x7, 0x8000, 0x3, 0x7, 0xf2e8, 0x8000000000000001, 0x6, 0x8, 0x9, 0x1fc00000000, 0x100, 0x6, 0x2, 0x4d8, 0x8, 0x200, 0x8001, 0x4})
executing program 0:
faccessat2(0xffffffffffffffff, 0x0, 0x98, 0x200)
executing program 0:
prctl$PR_GET_PDEATHSIG(0x2, &(0x7f0000000000))
executing program 0:
syz_usb_connect(0x3, 0x36, &(0x7f0000000500)=ANY=[@ANYBLOB="12010002a69bbc104f959941760f010203010902240001040000000904330202020c07"], 0x0)
executing program 2:
mremap(&(0x7f0000ff8000/0x3000)=nil, 0x7fffdf00a000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
executing program 3:
openat$6lowpan_enable(0xffffff9c, &(0x7f0000000040), 0x2, 0x0)
executing program 2:
keyctl$KEYCTL_MOVE(0x1e, 0x0, 0x0, 0x0, 0x0)
executing program 3:
prctl$PR_SCHED_CORE(0x4d, 0x0, 0x0, 0x0, 0x0)
executing program 2:
msgrcv(0x0, 0x0, 0x0, 0x1, 0x6000)
executing program 3:
syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0)
executing program 3:
set_tid_address(0x0)
executing program 3:
add_key(&(0x7f0000000000)='keyring\x00', &(0x7f0000001000), &(0x7f0000001000)='.', 0x1, 0x0)
executing program 2:
msgget(0x2, 0x200)
executing program 1:
syz_usb_connect(0x3, 0x2d, &(0x7f00000003c0)={{0x12, 0x1, 0x0, 0x5a, 0xe4, 0xc4, 0x10, 0x596, 0x1, 0x5f5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xd6, 0x0, 0x1, 0xb5, 0xe1, 0x45, 0x0, [], [{{0x9, 0x5, 0x83, 0x0, 0x3ff, 0x3, 0x7, 0x4}}]}}]}}]}}, 0x0)
executing program 3:
socket$inet_sctp(0x2, 0x7f9d5c50d5d0ee45, 0x84)
executing program 2:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program did not crash
replaying the whole log did not cause a kernel crash
single: executing 4 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_sctp
detailed listing:
executing program 0:
socket$inet_sctp(0x2, 0x7f9d5c50d5d0ee45, 0x84)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x2d, &(0x7f00000003c0)={{0x12, 0x1, 0x0, 0x5a, 0xe4, 0xc4, 0x10, 0x596, 0x1, 0x5f5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xd6, 0x0, 0x1, 0xb5, 0xe1, 0x45, 0x0, [], [{{0x9, 0x5, 0x83, 0x0, 0x3ff, 0x3, 0x7, 0x4}}]}}]}}]}}, 0x0)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x36, &(0x7f0000000500)=ANY=[@ANYBLOB="12010002a69bbc104f959941760f010203010902240001040000000904330202020c07"], 0x0)
program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 1m40s
testing program (duration=1m46s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
detailed listing:
executing program 1:
syz_usb_connect$cdc_ecm(0x1, 0x4d, &(0x7f0000000400)={{0x12, 0x1, 0x300, 0x2, 0x0, 0x0, 0x8, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x3b, 0x1, 0x1, 0x2, 0xc73ebdfa468265f4, 0x7, [{{0x9, 0x4, 0x0, 0x7, 0x2, 0x2, 0x6, 0x0, 0x6, {{0x5}, {0x5, 0x24, 0x0, 0x8001}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x9, 0x5, 0x81}}, {[], {{0x9, 0x5, 0x82, 0x2, 0x7ff, 0x6, 0x4, 0x3}}, {{0x9, 0x5, 0x3, 0x2, 0x200, 0x4, 0x3, 0xea}}}}}]}}]}}, &(0x7f0000000940)={0x0, 0x0, 0xf, &(0x7f0000000080)={0x5, 0xf, 0xf, 0x1, [@ss_cap={0xa, 0x10, 0x3, 0x2, 0x3, 0x3, 0x0, 0x3}]}, 0x1, [{0x0, 0x0}]})
executing program 1:
syz_usb_connect(0x0, 0x24, &(0x7f00000005c0)={{0x12, 0x1, 0x250, 0x69, 0xd0, 0xae, 0x10, 0x5ac, 0x249, 0xdea6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x3, 0x3, 0x60, 0x8, [{{0x9, 0x4, 0xd8, 0x80, 0x0, 0x3, 0xef, 0x2, 0x9c}}]}}]}}, &(0x7f0000000e80)={0x0, 0x0, 0x0, 0x0})
executing program 1:
quotactl_fd$Q_GETFMT(0xffffffffffffffff, 0xffffffff80000400, 0x0, 0x0)
executing program 1:
syz_usb_connect(0x2, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="1201500285d5c2086004040031960154030109021b000100031003090458080119662194090586"], &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0})
executing program 2:
syz_usb_connect(0x0, 0x24, &(0x7f0000000240)=ANY=[@ANYBLOB="12010000f2d07c40501d89601dd0000010010902120001000000000904"], 0x0)
executing program 1:
syz_usb_connect(0x0, 0x24, &(0x7f0000000300)={{0x12, 0x1, 0x201, 0x14, 0x3d, 0xc0, 0x20, 0x84f, 0x1, 0x6c05, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x4, 0x7, 0x0, 0x6, [{{0x9, 0x4, 0x5b, 0x0, 0x0, 0x98, 0xc7, 0xa2, 0xff}}]}}]}}, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0})
executing program 0:
io_setup(0x0, &(0x7f00000000c0))
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0x7ffffffff000, 0x0, 0x8031, 0xffffffffffffffff, 0x0)
executing program 0:
clock_adjtime(0x0, &(0x7f0000000200)={0x7fffffff, 0x8000000000000001, 0x80000001, 0xd6, 0x9c7, 0x2, 0x100, 0xd5e3, 0x7, 0x8000, 0x3, 0x7, 0xf2e8, 0x8000000000000001, 0x6, 0x8, 0x9, 0x1fc00000000, 0x100, 0x6, 0x2, 0x4d8, 0x8, 0x200, 0x8001, 0x4})
executing program 0:
faccessat2(0xffffffffffffffff, 0x0, 0x98, 0x200)
executing program 0:
prctl$PR_GET_PDEATHSIG(0x2, &(0x7f0000000000))
executing program 0:
syz_usb_connect(0x3, 0x36, &(0x7f0000000500)=ANY=[@ANYBLOB="12010002a69bbc104f959941760f010203010902240001040000000904330202020c07"], 0x0)
executing program 2:
mremap(&(0x7f0000ff8000/0x3000)=nil, 0x7fffdf00a000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
executing program 3:
openat$6lowpan_enable(0xffffff9c, &(0x7f0000000040), 0x2, 0x0)
executing program 2:
keyctl$KEYCTL_MOVE(0x1e, 0x0, 0x0, 0x0, 0x0)
executing program 3:
prctl$PR_SCHED_CORE(0x4d, 0x0, 0x0, 0x0, 0x0)
executing program 2:
msgrcv(0x0, 0x0, 0x0, 0x1, 0x6000)
executing program 3:
syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0)
executing program 3:
set_tid_address(0x0)
executing program 3:
add_key(&(0x7f0000000000)='keyring\x00', &(0x7f0000001000), &(0x7f0000001000)='.', 0x1, 0x0)
executing program 2:
msgget(0x2, 0x200)
executing program 1:
syz_usb_connect(0x3, 0x2d, &(0x7f00000003c0)={{0x12, 0x1, 0x0, 0x5a, 0xe4, 0xc4, 0x10, 0x596, 0x1, 0x5f5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xd6, 0x0, 0x1, 0xb5, 0xe1, 0x45, 0x0, [], [{{0x9, 0x5, 0x83, 0x0, 0x3ff, 0x3, 0x7, 0x4}}]}}]}}]}}, 0x0)
executing program 3:
socket$inet_sctp(0x2, 0x7f9d5c50d5d0ee45, 0x84)
executing program 2:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program did not crash
replaying the whole log did not cause a kernel crash
single: executing 4 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program crashed: KASAN: slab-use-after-free Write in flush_tlb_func
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program crashed: KASAN: slab-use-after-free Write in flush_tlb_func
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program did not crash
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program crashed: KASAN: slab-use-after-free Write in flush_tlb_func
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program crashed: KASAN: slab-use-after-free Write in flush_tlb_func
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone
detailed listing:
executing program 0:
syz_clone(0x2c9a4080, 0x0, 0x5f5, 0x0, 0x0, 0xfffffffffffffffc)
program crashed: KASAN: slab-use-after-free Write in flush_tlb_func
validation run: crashed=true
reproducing took 1h12m16.062509185s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: slab-use-after-free in cpumask_clear_cpu include/linux/cpumask.h:628 [inline]
BUG: KASAN: slab-use-after-free in flush_tlb_func+0x23d/0x6c0 arch/x86/mm/tlb.c:1132
Write of size 8 at addr ffff888062d50a00 by task syz-executor/14537
CPU: 1 UID: 0 PID: 14537 Comm: syz-executor Not tainted 6.16.0-rc4-next-20250630-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
instrument_atomic_write include/linux/instrumented.h:82 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
cpumask_clear_cpu include/linux/cpumask.h:628 [inline]
flush_tlb_func+0x23d/0x6c0 arch/x86/mm/tlb.c:1132
csd_do_func kernel/smp.c:134 [inline]
__flush_smp_call_function_queue+0x370/0xaa0 kernel/smp.c:540
__sysvec_call_function_single+0xa8/0x3d0 arch/x86/kernel/smp.c:271
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0x9e/0xc0 arch/x86/kernel/smp.c:266
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:console_flush_all+0x7f7/0xc40 kernel/printk/printk.c:3227
Code: 48 21 c3 0f 85 e9 01 00 00 e8 65 2d 1f 00 48 8b 5c 24 20 4d 85 f6 75 07 e8 56 2d 1f 00 eb 06 e8 4f 2d 1f 00 fb 48 8b 44 24 28 <42> 80 3c 20 00 74 08 48 89 df e8 3a 41 83 00 48 8b 1b 48 8b 44 24
RSP: 0018:ffffc90002f769a0 EFLAGS: 00000293
RAX: 1ffffffff1d78deb RBX: ffffffff8ebc6f58 RCX: ffff888028938000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002f76af0 R08: ffffffff8fc29737 R09: 1ffffffff1f852e6
R10: dffffc0000000000 R11: fffffbfff1f852e7 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000200 R15: ffffffff8ebc6f00
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
_printk+0xcf/0x120 kernel/printk/printk.c:2475
batadv_hardif_enable_interface+0x7b9/0xa30 net/batman-adv/hard-interface.c:758
batadv_meshif_slave_add+0x79/0x100 net/batman-adv/mesh-interface.c:845
do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2946
do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3148
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2534
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
__sys_sendto+0x3bd/0x520 net/socket.c:2228
__do_sys_sendto net/socket.c:2235 [inline]
__se_sys_sendto net/socket.c:2231 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2231
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa3e51907bc
Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
RSP: 002b:00007ffec13df020 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fa3e5ee4620 RCX: 00007fa3e51907bc
RDX: 0000000000000028 RSI: 00007fa3e5ee4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffec13df074 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fa3e5ee4670 R15: 0000000000000000
Allocated by task 12635:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
dup_mm kernel/fork.c:1466 [inline]
copy_mm+0xdb/0x4b0 kernel/fork.c:1528
copy_process+0x1706/0x3c00 kernel/fork.c:2168
kernel_clone+0x21e/0x870 kernel/fork.c:2598
__do_sys_clone kernel/fork.c:2741 [inline]
__se_sys_clone kernel/fork.c:2725 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2725
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 14812:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free mm/slub.c:4680 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4782
exit_mm+0x1da/0x2c0 kernel/exit.c:581
do_exit+0x648/0x2300 kernel/exit.c:947
do_group_exit+0x21c/0x2d0 kernel/exit.c:1100
__do_sys_exit_group kernel/exit.c:1111 [inline]
__se_sys_exit_group kernel/exit.c:1109 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1109
x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888062d50000
which belongs to the cache mm_struct of size 2584
The buggy address is located 2560 bytes inside of
freed 2584-byte region [ffff888062d50000, ffff888062d50a18)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62d50
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888032eda981
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a84bb40 ffffea0001ee6800 dead000000000003
raw: 0000000000000000 00000000800b000b 00000000f5000000 ffff888032eda981
head: 00fff00000000040 ffff88801a84bb40 ffffea0001ee6800 dead000000000003
head: 0000000000000000 00000000800b000b 00000000f5000000 ffff888032eda981
head: 00fff00000000003 ffffea00018b5401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5961, tgid 5961 (syz-executor), ts 204900620208, free_ts 204846446167
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1848
prep_new_page mm/page_alloc.c:1856 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3855
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5145
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4236
dup_mm kernel/fork.c:1466 [inline]
copy_mm+0xdb/0x4b0 kernel/fork.c:1528
copy_process+0x1706/0x3c00 kernel/fork.c:2168
kernel_clone+0x21e/0x870 kernel/fork.c:2598
__do_sys_clone kernel/fork.c:2741 [inline]
__se_sys_clone kernel/fork.c:2725 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2725
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5970 tgid 5970 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1392 [inline]
__free_frozen_pages+0xb80/0xd80 mm/page_alloc.c:2892
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x156/0x1a0 mm/slub.c:3218
put_cpu_partial+0x17c/0x250 mm/slub.c:3293
__slab_free+0x2d5/0x3c0 mm/slub.c:4550
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kvmalloc_node_noprof+0x2b0/0x5f0 mm/slub.c:5052
kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]
alloc_fdtable+0xe4/0x2a0 fs/file.c:204
dup_fd+0x86c/0xb60 fs/file.c:405
copy_files+0xc9/0x120 kernel/fork.c:1582
copy_process+0x15b2/0x3c00 kernel/fork.c:2156
kernel_clone+0x21e/0x870 kernel/fork.c:2598
__do_sys_clone kernel/fork.c:2741 [inline]
__se_sys_clone kernel/fork.c:2725 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2725
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888062d50900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888062d50980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888062d50a00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888062d50a80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff888062d50b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 48 21 c3 and %rax,%rbx
3: 0f 85 e9 01 00 00 jne 0x1f2
9: e8 65 2d 1f 00 call 0x1f2d73
e: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx
13: 4d 85 f6 test %r14,%r14
16: 75 07 jne 0x1f
18: e8 56 2d 1f 00 call 0x1f2d73
1d: eb 06 jmp 0x25
1f: e8 4f 2d 1f 00 call 0x1f2d73
24: fb sti
25: 48 8b 44 24 28 mov 0x28(%rsp),%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 3a 41 83 00 call 0x834173
39: 48 8b 1b mov (%rbx),%rbx
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 44 rex.R
3f: 24 .byte 0x24
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: slab-use-after-free in cpumask_clear_cpu include/linux/cpumask.h:628 [inline]
BUG: KASAN: slab-use-after-free in flush_tlb_func+0x23d/0x6c0 arch/x86/mm/tlb.c:1132
Write of size 8 at addr ffff888062d50a00 by task syz-executor/14537
CPU: 1 UID: 0 PID: 14537 Comm: syz-executor Not tainted 6.16.0-rc4-next-20250630-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
instrument_atomic_write include/linux/instrumented.h:82 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
cpumask_clear_cpu include/linux/cpumask.h:628 [inline]
flush_tlb_func+0x23d/0x6c0 arch/x86/mm/tlb.c:1132
csd_do_func kernel/smp.c:134 [inline]
__flush_smp_call_function_queue+0x370/0xaa0 kernel/smp.c:540
__sysvec_call_function_single+0xa8/0x3d0 arch/x86/kernel/smp.c:271
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0x9e/0xc0 arch/x86/kernel/smp.c:266
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:console_flush_all+0x7f7/0xc40 kernel/printk/printk.c:3227
Code: 48 21 c3 0f 85 e9 01 00 00 e8 65 2d 1f 00 48 8b 5c 24 20 4d 85 f6 75 07 e8 56 2d 1f 00 eb 06 e8 4f 2d 1f 00 fb 48 8b 44 24 28 <42> 80 3c 20 00 74 08 48 89 df e8 3a 41 83 00 48 8b 1b 48 8b 44 24
RSP: 0018:ffffc90002f769a0 EFLAGS: 00000293
RAX: 1ffffffff1d78deb RBX: ffffffff8ebc6f58 RCX: ffff888028938000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002f76af0 R08: ffffffff8fc29737 R09: 1ffffffff1f852e6
R10: dffffc0000000000 R11: fffffbfff1f852e7 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000200 R15: ffffffff8ebc6f00
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
_printk+0xcf/0x120 kernel/printk/printk.c:2475
batadv_hardif_enable_interface+0x7b9/0xa30 net/batman-adv/hard-interface.c:758
batadv_meshif_slave_add+0x79/0x100 net/batman-adv/mesh-interface.c:845
do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2946
do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3148
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2534
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
__sys_sendto+0x3bd/0x520 net/socket.c:2228
__do_sys_sendto net/socket.c:2235 [inline]
__se_sys_sendto net/socket.c:2231 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2231
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa3e51907bc
Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
RSP: 002b:00007ffec13df020 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fa3e5ee4620 RCX: 00007fa3e51907bc
RDX: 0000000000000028 RSI: 00007fa3e5ee4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffec13df074 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fa3e5ee4670 R15: 0000000000000000
Allocated by task 12635:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
dup_mm kernel/fork.c:1466 [inline]
copy_mm+0xdb/0x4b0 kernel/fork.c:1528
copy_process+0x1706/0x3c00 kernel/fork.c:2168
kernel_clone+0x21e/0x870 kernel/fork.c:2598
__do_sys_clone kernel/fork.c:2741 [inline]
__se_sys_clone kernel/fork.c:2725 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2725
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 14812:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free mm/slub.c:4680 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4782
exit_mm+0x1da/0x2c0 kernel/exit.c:581
do_exit+0x648/0x2300 kernel/exit.c:947
do_group_exit+0x21c/0x2d0 kernel/exit.c:1100
__do_sys_exit_group kernel/exit.c:1111 [inline]
__se_sys_exit_group kernel/exit.c:1109 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1109
x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888062d50000
which belongs to the cache mm_struct of size 2584
The buggy address is located 2560 bytes inside of
freed 2584-byte region [ffff888062d50000, ffff888062d50a18)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62d50
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888032eda981
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a84bb40 ffffea0001ee6800 dead000000000003
raw: 0000000000000000 00000000800b000b 00000000f5000000 ffff888032eda981
head: 00fff00000000040 ffff88801a84bb40 ffffea0001ee6800 dead000000000003
head: 0000000000000000 00000000800b000b 00000000f5000000 ffff888032eda981
head: 00fff00000000003 ffffea00018b5401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5961, tgid 5961 (syz-executor), ts 204900620208, free_ts 204846446167
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1848
prep_new_page mm/page_alloc.c:1856 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3855
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5145
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4236
dup_mm kernel/fork.c:1466 [inline]
copy_mm+0xdb/0x4b0 kernel/fork.c:1528
copy_process+0x1706/0x3c00 kernel/fork.c:2168
kernel_clone+0x21e/0x870 kernel/fork.c:2598
__do_sys_clone kernel/fork.c:2741 [inline]
__se_sys_clone kernel/fork.c:2725 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2725
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5970 tgid 5970 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1392 [inline]
__free_frozen_pages+0xb80/0xd80 mm/page_alloc.c:2892
discard_slab mm/slub.c:2753 [inline]
__put_partials+0x156/0x1a0 mm/slub.c:3218
put_cpu_partial+0x17c/0x250 mm/slub.c:3293
__slab_free+0x2d5/0x3c0 mm/slub.c:4550
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kvmalloc_node_noprof+0x2b0/0x5f0 mm/slub.c:5052
kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline]
alloc_fdtable+0xe4/0x2a0 fs/file.c:204
dup_fd+0x86c/0xb60 fs/file.c:405
copy_files+0xc9/0x120 kernel/fork.c:1582
copy_process+0x15b2/0x3c00 kernel/fork.c:2156
kernel_clone+0x21e/0x870 kernel/fork.c:2598
__do_sys_clone kernel/fork.c:2741 [inline]
__se_sys_clone kernel/fork.c:2725 [inline]
__x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2725
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888062d50900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888062d50980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888062d50a00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888062d50a80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff888062d50b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 48 21 c3 and %rax,%rbx
3: 0f 85 e9 01 00 00 jne 0x1f2
9: e8 65 2d 1f 00 call 0x1f2d73
e: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx
13: 4d 85 f6 test %r14,%r14
16: 75 07 jne 0x1f
18: e8 56 2d 1f 00 call 0x1f2d73
1d: eb 06 jmp 0x25
1f: e8 4f 2d 1f 00 call 0x1f2d73
24: fb sti
25: 48 8b 44 24 28 mov 0x28(%rsp),%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 3a 41 83 00 call 0x834173
39: 48 8b 1b mov (%rbx),%rbx
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 44 rex.R
3f: 24 .byte 0x24