program syz-executor.7 is using a deprecated SCSI ioctl, please convert it to SG_IO
Oops: general protection fault, probably for non-canonical address 0xdffffc0020000031: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x0000000100000188-0x000000010000018f]
CPU: 0 UID: 0 PID: 66 Comm: kworker/u8:1 Tainted: G W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:perf_tp_event+0x175/0xe70
Code: ff df 48 89 85 a8 fd ff ff 48 c1 e8 03 4c 01 e0 48 89 85 c8 fd ff ff e8 c9 51 ea ff 48 8d bb f0 01 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e c5 0b 00 00 44 8b ab f0 01
RSP: 0018:ffff888009a572c0 EFLAGS: 00010013
RAX: 0000000020000031 RBX: 00000000ffffff9f RCX: 0000000000000002
RDX: ffff88800978b700 RSI: ffffffff818995b7 RDI: 000000010000018f
RBP: ffff888009a57530 R08: ffff88806ce31340 R09: ffffe8ffffc16860
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000014 R14: ffff88806ce31340 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880e55dd000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055fc0ce003e0 CR3: 000000001c39e000 CR4: 0000000000350ef0
Call Trace:
perf_trace_run_bpf_submit+0xef/0x180
perf_trace_preemptirq_template+0x259/0x430
trace_irq_enable.constprop.0+0xa6/0x100
trace_hardirqs_on+0x26/0x40
__call_rcu_common.constprop.0+0x4c1/0x960
neigh_parms_release+0x17c/0x1d0
inetdev_event+0xfef/0x1860
notifier_call_chain+0xc0/0x360
call_netdevice_notifiers_info+0xbe/0x140
unregister_netdevice_many_notify+0xad2/0x1e10
default_device_exit_batch+0x6e3/0x920
ops_undo_list+0x34c/0xa50
cleanup_net+0x38d/0x770
process_one_work+0x8e1/0x19c0
worker_thread+0x67e/0xe90
kthread+0x3c8/0x740
ret_from_fork+0x34b/0x430
ret_from_fork_asm+0x1a/0x30
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:perf_tp_event+0x175/0xe70
Code: ff df 48 89 85 a8 fd ff ff 48 c1 e8 03 4c 01 e0 48 89 85 c8 fd ff ff e8 c9 51 ea ff 48 8d bb f0 01 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e c5 0b 00 00 44 8b ab f0 01
RSP: 0018:ffff888009a572c0 EFLAGS: 00010013
RAX: 0000000020000031 RBX: 00000000ffffff9f RCX: 0000000000000002
RDX: ffff88800978b700 RSI: ffffffff818995b7 RDI: 000000010000018f
RBP: ffff888009a57530 R08: ffff88806ce31340 R09: ffffe8ffffc16860
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000014 R14: ffff88806ce31340 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880e55dd000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055fc0ce003e0 CR3: 000000001c39e000 CR4: 0000000000350ef0
note: kworker/u8:1[66] exited with irqs disabled
note: kworker/u8:1[66] exited with preempt_count 1
Bluetooth: hci4: Opcode 0x0c03 failed: -110
Bluetooth: hci4: hardware error 0x08
Bluetooth: hci3: Controller not accepting commands anymore: ncmd = 0
Bluetooth: hci3: Injecting HCI hardware error event
Bluetooth: hci3: hardware error 0x00
Bluetooth: hci4: Opcode 0x0c03 failed: -110
Bluetooth: hci3: Opcode 0x0c03 failed: -110
9pnet_fd: p9_fd_create_unix (4017): problem connecting socket: ./file0: -30
loop6: detected capacity change from 0 to 640
loop2: detected capacity change from 0 to 512
9pnet_fd: p9_fd_create_unix (4026): problem connecting socket: ./file0: -30
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current]
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 4 prio class 2
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 0, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 1 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 1, async page read
EXT4-fs (loop6): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
EXT4-fs (loop2): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
ext4 filesystem being mounted at /syzkaller-testdir563199222/syzkaller.aGS1tu/2/file0 supports timestamps until 2038-01-19 (0x7fffffff)
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 2 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 2, async page read
EXT4-fs error (device loop2): ext4_lookup:1789: inode #2: comm syz-executor.2: deleted inode referenced: 12
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 3 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 3, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 4 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 4, async page read
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock+0xc72/0x1020
Read of size 4 at addr ffff88800978b734 by task syz-executor.7/4037
CPU: 0 UID: 0 PID: 4037 Comm: syz-executor.7 Tainted: G D W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [D]=DIE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xca/0x120
print_report+0xcb/0x610
kasan_report+0xca/0x100
__mutex_lock+0xc72/0x1020
dev_ethtool+0x212/0x50f0
dev_ioctl+0x2b5/0x1050
sock_do_ioctl+0x15f/0x240
sock_ioctl+0x40d/0x630
__x64_sys_ioctl+0x18f/0x210
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f013c04db19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01395c3188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f013c160f60 RCX: 00007f013c04db19
RDX: 0000000020000240 RSI: 0000000000008946 RDI: 0000000000000004
RBP: 00007f013c0a7f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe955dbb0f R14: 00007f01395c3300 R15: 0000000000022000
Allocated by task 2:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x59/0x70
kmem_cache_alloc_node_noprof+0x21a/0x690
copy_process+0x461/0x73c0
kernel_clone+0xea/0x7f0
kernel_thread+0xd7/0x120
kthreadd+0x4ab/0x760
ret_from_fork+0x34b/0x430
ret_from_fork_asm+0x1a/0x30
Freed by task 14:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kmem_cache_free+0x2a1/0x540
rcu_core+0x7c8/0x1800
handle_softirqs+0x1b1/0x770
run_ksoftirqd+0x2e/0x60
smpboot_thread_fn+0x41d/0x9d0
kthread+0x3c8/0x740
ret_from_fork+0x34b/0x430
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x24/0x50
kasan_record_aux_stack+0x89/0xa0
__call_rcu_common.constprop.0+0x70/0x960
delayed_put_task_struct+0xde/0x260
rcu_core+0x7c8/0x1800
handle_softirqs+0x1b1/0x770
run_ksoftirqd+0x2e/0x60
smpboot_thread_fn+0x41d/0x9d0
kthread+0x3c8/0x740
ret_from_fork+0x34b/0x430
ret_from_fork_asm+0x1a/0x30
Second to last potentially related work creation:
kasan_save_stack+0x24/0x50
kasan_record_aux_stack+0x89/0xa0
__call_rcu_common.constprop.0+0x70/0x960
put_task_struct_rcu_user+0x75/0xc0
__schedule+0xe86/0x3590
__cond_resched+0x4c/0x80
__mutex_lock+0xb8/0x1020
kernfs_seq_start+0x4f/0x240
seq_read_iter+0x2cb/0x1320
kernfs_fop_read_iter+0x425/0x5b0
vfs_read+0x868/0xc70
ksys_read+0x121/0x240
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88800978b700
which belongs to the cache task_struct of size 6784
The buggy address is located 52 bytes inside of
freed 6784-byte region [ffff88800978b700, ffff88800978d180)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9788
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888008ff7640 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888008ff7640 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea000025e201 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800978b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800978b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800978b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
ffff88800978b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800978b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 5 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 5, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 6 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 6, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 7 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 7, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
Buffer I/O error on dev sr0, logical block 0, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
Buffer I/O error on dev sr0, logical block 1, async page read
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
9pnet_fd: p9_fd_create_unix (4046): problem connecting socket: ./file0: -30
EXT4-fs (loop6): unmounting filesystem 00000000-0000-0000-0000-000000000000.
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current]
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:  df 48 89                fisttps -0x77(%rax)
   3:  85 a8 fd ff ff 48       test   %ebp,0x48fffffd(%rax)
   9:  c1 e8 03                shr    $0x3,%eax
   c:  4c 01 e0                add    %r12,%rax
   f:  48 89 85 c8 fd ff ff    mov    %rax,-0x238(%rbp)
  16:  e8 c9 51 ea ff          callq  0xffea51e4
  1b:  48 8d bb f0 01 00 00    lea    0x1f0(%rbx),%rdi
  22:  48 89 f8                mov    %rdi,%rax
  25:  48 c1 e8 03             shr    $0x3,%rax
* 29:  42 0f b6 04 20          movzbl (%rax,%r12,1),%eax    <-- trapping instruction
  2e:  84 c0                   test   %al,%al
  30:  74 08                   je     0x3a
  32:  3c 03                   cmp    $0x3,%al
  34:  0f 8e c5 0b 00 00       jle    0xbff
  3a:  44                      rex.R
  3b:  8b                      .byte 0x8b
  3c:  ab                      stos   %eax,%es:(%rdi)
  3d:  f0                      lock
  3e:  01                      .byte 0x1