EXT4-fs (loop6): revision level too high, forcing read-only mode EXT4-fs (loop6): mounted filesystem without journal. Opts: ,errors=continue ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline] BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline] BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline] BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline] BUG: KASAN: use-after-free in get_task_struct include/linux/sched/task.h:104 [inline] BUG: KASAN: use-after-free in kthread_stop+0x76/0x610 kernel/kthread.c:616 Write of size 4 at addr ffff88800cf61960 by task syz-executor.6/415 CPU: 1 PID: 415 Comm: syz-executor.6 Not tainted 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x37/0x7c mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:186 [inline] check_memory_region+0xf9/0x1e0 mm/kasan/generic.c:192 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline] __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:104 [inline] kthread_stop+0x76/0x610 kernel/kthread.c:616 ext4_stop_mmpd+0x47/0xd0 fs/ext4/mmp.c:254 ext4_put_super+0x87c/0xf90 fs/ext4/super.c:1263 generic_shutdown_super+0x142/0x370 fs/super.c:464 kill_block_super+0x9d/0xf0 fs/super.c:1446 deactivate_locked_super+0x99/0x160 fs/super.c:335 deactivate_super+0xad/0xd0 fs/super.c:366 cleanup_mnt+0x396/0x500 fs/namespace.c:1118 task_work_run+0xe2/0x1a0 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:164 [inline] exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467a67 Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59c58c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 0000000000000036 RCX: 0000000000467a67 RDX: 00007ffc59c58d5a RSI: 0000000000000002 RDI: 00007ffc59c58d50 RBP: 00007ffc59c58d50 R08: 00000000ffffffff R09: 00007ffc59c58b20 R10: 0000000002722b43 R11: 0000000000000246 R12: 00000000004bee70 R13: 00007ffc59c59e20 R14: 0000000002722b00 R15: 00007ffc59c59e60 Allocated by task 2: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:532 [inline] slab_alloc_node mm/slub.c:2889 [inline] kmem_cache_alloc_node+0x14b/0x370 mm/slub.c:2925 alloc_task_struct_node kernel/fork.c:170 [inline] dup_task_struct kernel/fork.c:860 [inline] copy_process+0x4380/0x6650 kernel/fork.c:1947 kernel_clone+0xe7/0xa20 kernel/fork.c:2465 kernel_thread+0xb5/0xf0 kernel/fork.c:2517 create_kthread kernel/kthread.c:315 [inline] kthreadd+0x4bb/0x710 kernel/kthread.c:658 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Freed by task 4477: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x110/0x150 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1542 [inline] slab_free_freelist_hook+0x64/0x150 mm/slub.c:1575 slab_free mm/slub.c:3140 [inline] kmem_cache_free+0x97/0x2f0 mm/slub.c:3156 __put_task_struct+0x25a/0x3e0 kernel/fork.c:741 put_task_struct include/linux/sched/task.h:113 [inline] delayed_put_task_struct+0x1a4/0x2b0 kernel/exit.c:173 rcu_do_batch kernel/rcu/tree.c:2484 [inline] rcu_core+0x52d/0x1660 kernel/rcu/tree.c:2719 __do_softirq+0x1b8/0x867 kernel/softirq.c:298 Last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x9e/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0xa20 kernel/rcu/tree.c:3034 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:179 finish_task_switch+0x428/0x5d0 kernel/sched/core.c:3649 context_switch kernel/sched/core.c:3779 [inline] __schedule+0x850/0x1e80 kernel/sched/core.c:4525 schedule+0xcb/0x270 kernel/sched/core.c:4603 freezable_schedule include/linux/freezer.h:172 [inline] futex_wait_queue_me+0x2a7/0x570 kernel/futex.c:2607 futex_wait+0x1df/0x5d0 kernel/futex.c:2709 do_futex+0xf86/0x1a50 kernel/futex.c:3735 __do_sys_futex+0x2bb/0x480 kernel/futex.c:3798 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Second to last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x9e/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0xa20 kernel/rcu/tree.c:3034 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:179 finish_task_switch+0x428/0x5d0 kernel/sched/core.c:3649 context_switch kernel/sched/core.c:3779 [inline] __schedule+0x850/0x1e80 kernel/sched/core.c:4525 preempt_schedule_common kernel/sched/core.c:4684 [inline] _cond_resched+0x45/0x80 kernel/sched/core.c:6117 zap_pte_range mm/memory.c:1335 [inline] zap_pmd_range mm/memory.c:1380 [inline] zap_pud_range mm/memory.c:1409 [inline] zap_p4d_range mm/memory.c:1430 [inline] unmap_page_range+0xfe3/0x1e30 mm/memory.c:1451 unmap_single_vma+0x198/0x300 mm/memory.c:1496 unmap_vmas+0x16d/0x2f0 mm/memory.c:1528 exit_mmap+0x27f/0x4e0 mm/mmap.c:3220 __mmput kernel/fork.c:1088 [inline] mmput+0xca/0x340 kernel/fork.c:1109 exit_mm kernel/exit.c:487 [inline] do_exit+0xb42/0x2770 kernel/exit.c:798 do_group_exit+0x125/0x310 kernel/exit.c:908 __do_sys_exit_group kernel/exit.c:919 [inline] __se_sys_exit_group kernel/exit.c:917 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:917 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88800cf61940 which belongs to the cache task_struct of size 6208 The buggy address is located 32 bytes inside of 6208-byte region [ffff88800cf61940, ffff88800cf63180) The buggy address belongs to the page: page:000000007836df8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcf60 head:000000007836df8c order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 dead000000000100 dead000000000122 ffff888007fdc140 raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800cf61800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800cf61880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88800cf61900: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ^ ffff88800cf61980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800cf61a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 415 at lib/refcount.c:25 refcount_warn_saturate+0x178/0x1f0 lib/refcount.c:25 Modules linked in: CPU: 1 PID: 415 Comm: syz-executor.6 Tainted: G B 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x178/0x1f0 lib/refcount.c:25 Code: 03 31 ff 89 de e8 e8 25 51 ff 84 db 0f 85 2e ff ff ff e8 ab 2c 51 ff 48 c7 c7 c0 37 3b 84 c6 05 ee 66 54 03 01 e8 c7 1e c9 01 <0f> 0b e9 0f ff ff ff e8 8c 2c 51 ff 0f b6 1d d8 66 54 03 31 ff 89 RSP: 0018:ffff888043b47d38 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88800c9d4bc0 RSI: ffffffff812930d3 RDI: ffffed1008768f99 RBP: ffff88800cf61960 R08: 0000000000000001 R09: ffff88806cf1ff9b R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800cf61960 R13: ffff888044f00848 R14: 0000000000000000 R15: ffff888044f00438 FS: 0000000002721400(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f34ea716918 CR3: 0000000043bc0000 CR4: 0000000000350ee0 Call Trace: __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:104 [inline] kthread_stop+0x583/0x610 kernel/kthread.c:616 ext4_stop_mmpd+0x47/0xd0 fs/ext4/mmp.c:254 ext4_put_super+0x87c/0xf90 fs/ext4/super.c:1263 generic_shutdown_super+0x142/0x370 fs/super.c:464 kill_block_super+0x9d/0xf0 fs/super.c:1446 deactivate_locked_super+0x99/0x160 fs/super.c:335 deactivate_super+0xad/0xd0 fs/super.c:366 cleanup_mnt+0x396/0x500 fs/namespace.c:1118 task_work_run+0xe2/0x1a0 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:164 [inline] exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467a67 Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59c58c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 0000000000000036 RCX: 0000000000467a67 RDX: 00007ffc59c58d5a RSI: 0000000000000002 RDI: 00007ffc59c58d50 RBP: 00007ffc59c58d50 R08: 00000000ffffffff R09: 00007ffc59c58b20 R10: 0000000002722b43 R11: 0000000000000246 R12: 00000000004bee70 R13: 00007ffc59c59e20 R14: 0000000002722b00 R15: 00007ffc59c59e60 irq event stamp: 243282 hardirqs last enabled at (243281): [] quarantine_put+0x87/0x1a0 mm/kasan/quarantine.c:217 hardirqs last disabled at (243282): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (243282): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (243072): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (243063): [] asm_call_irq_on_stack+0x12/0x20 ---[ end trace 0ccb0d88d3d7043c ]--- ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 415 at lib/refcount.c:28 refcount_warn_saturate+0x103/0x1f0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 415 Comm: syz-executor.6 Tainted: G B W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x103/0x1f0 lib/refcount.c:28 Code: 1d 82 67 54 03 31 ff 89 de e8 59 26 51 ff 84 db 75 a3 e8 20 2d 51 ff 48 c7 c7 20 38 3b 84 c6 05 62 67 54 03 01 e8 3c 1f c9 01 <0f> 0b eb 87 e8 04 2d 51 ff 0f b6 1d 4b 67 54 03 31 ff 89 de e8 24 RSP: 0018:ffff888043b47d38 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88800c9d4bc0 RSI: ffffffff812930d3 RDI: ffffed1008768f99 RBP: ffff88800cf61960 R08: 0000000000000001 R09: ffff88806cf1ff9b R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800cf61960 R13: 0000000000000000 R14: 0000000000000000 R15: ffff888044f00438 FS: 0000000002721400(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f34ea716918 CR3: 0000000043bc0000 CR4: 0000000000350ee0 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_task_struct include/linux/sched/task.h:112 [inline] kthread_stop+0x56c/0x610 kernel/kthread.c:623 ext4_stop_mmpd+0x47/0xd0 fs/ext4/mmp.c:254 ext4_put_super+0x87c/0xf90 fs/ext4/super.c:1263 generic_shutdown_super+0x142/0x370 fs/super.c:464 kill_block_super+0x9d/0xf0 fs/super.c:1446 deactivate_locked_super+0x99/0x160 fs/super.c:335 deactivate_super+0xad/0xd0 fs/super.c:366 cleanup_mnt+0x396/0x500 fs/namespace.c:1118 task_work_run+0xe2/0x1a0 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:164 [inline] exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467a67 Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59c58c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 0000000000000036 RCX: 0000000000467a67 RDX: 00007ffc59c58d5a RSI: 0000000000000002 RDI: 00007ffc59c58d50 RBP: 00007ffc59c58d50 R08: 00000000ffffffff R09: 00007ffc59c58b20 R10: 0000000002722b43 R11: 0000000000000246 R12: 00000000004bee70 R13: 00007ffc59c59e20 R14: 0000000002722b00 R15: 00007ffc59c59e60 irq event stamp: 243282 hardirqs last enabled at (243281): [] quarantine_put+0x87/0x1a0 mm/kasan/quarantine.c:217 hardirqs last disabled at (243282): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (243282): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (243072): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (243063): [] asm_call_irq_on_stack+0x12/0x20 ---[ end trace 0ccb0d88d3d7043d ]--- EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue audit: type=1400 audit(1628569750.610:10): avc: denied { sys_admin } for pid=4514 comm="syz-executor.1" capability=21 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1 FAT-fs (loop7): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1) FAT-fs (loop7): error, fat_free_clusters: deleting FAT entry beyond EOF FAT-fs (loop7): Filesystem has been set read-only syz-executor.2 (4487) used greatest stack depth: 23856 bytes left EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue FAT-fs (loop7): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1) general protection fault, probably for non-canonical address 0x45e3ddfe220040: 0000 [#1] SMP KASAN NOPTI CPU: 1 PID: 110 Comm: systemd-udevd Tainted: G B W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:compound_head include/linux/page-flags.h:185 [inline] RIP: 0010:virt_to_head_page include/linux/mm.h:860 [inline] RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:130 [inline] RIP: 0010:qlist_free_all+0x8d/0xd0 mm/kasan/quarantine.c:167 Code: df 48 85 db 75 cc 48 89 f0 4c 01 e8 72 56 4c 89 f2 48 2b 15 15 61 3a 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 f3 60 3a 03 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 93 49 RSP: 0018:ffff8880164ffbb8 EFLAGS: 00010203 RAX: 0045e3ddfe220040 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000777f80000000 RSI: 117dffff88801566 RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000004 R09: ffffffff816abb01 FAT-fs (loop7): error, fat_free_clusters: deleting FAT entry beyond EOF R10: ffff88800cf61942 R11: 0000000000000001 R12: ffff8880164ffbf0 R13: 0000000080000000 R14: ffffffff80000000 R15: 117dffff88801566 FS: 00007f34ea78e8c0(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 FAT-fs (loop7): Filesystem has been set read-only CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2cc2b000 CR3: 000000000e7f8000 CR4: 0000000000350ee0 Call Trace: quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:267 __kasan_kmalloc.constprop.0+0x9e/0xd0 mm/kasan/common.c:442 slab_post_alloc_hook mm/slab.h:532 [inline] slab_alloc_node mm/slub.c:2889 [inline] slab_alloc mm/slub.c:2897 [inline] kmem_cache_alloc+0x13b/0x350 mm/slub.c:2902 getname_flags.part.0+0x50/0x4f0 fs/namei.c:138 getname_flags fs/namei.c:2642 [inline] user_path_at_empty+0xa1/0x100 fs/namei.c:2642 user_path_at include/linux/namei.h:59 [inline] vfs_statx+0x142/0x390 fs/stat.c:193 vfs_fstatat fs/stat.c:215 [inline] vfs_lstat include/linux/fs.h:3124 [inline] __do_sys_newlstat+0x91/0x110 fs/stat.c:370 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f34e9601335 Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89 RSP: 002b:00007fffcf2ba028 EFLAGS: 00000246 ORIG_RAX: 0000000000000006 RAX: ffffffffffffffda RBX: 000055f68c39f880 RCX: 00007f34e9601335 RDX: 00007fffcf2ba060 RSI: 00007fffcf2ba060 RDI: 000055f68c39e880 RBP: 00007fffcf2ba120 R08: 00007f34e98c0238 R09: 0000000000001010 R10: 00007f34e98bfb58 R11: 0000000000000246 R12: 000055f68c39e880 R13: 000055f68c39e8a7 R14: 000055f68c3aa9a1 R15: 000055f68c3aa9a7 Modules linked in: ---[ end trace 0ccb0d88d3d7043e ]--- RIP: 0010:compound_head include/linux/page-flags.h:185 [inline] RIP: 0010:virt_to_head_page include/linux/mm.h:860 [inline] RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:130 [inline] RIP: 0010:qlist_free_all+0x8d/0xd0 mm/kasan/quarantine.c:167 Code: df 48 85 db 75 cc 48 89 f0 4c 01 e8 72 56 4c 89 f2 48 2b 15 15 61 3a 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 f3 60 3a 03 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 93 49 RSP: 0018:ffff8880164ffbb8 EFLAGS: 00010203 RAX: 0045e3ddfe220040 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000777f80000000 RSI: 117dffff88801566 RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000004 R09: ffffffff816abb01 R10: ffff88800cf61942 R11: 0000000000000001 R12: ffff8880164ffbf0 R13: 0000000080000000 R14: ffffffff80000000 R15: 117dffff88801566 FS: 00007f34ea78e8c0(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2cc2b000 CR3: 000000000e7f8000 CR4: 0000000000350ee0 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4588 at arch/x86/include/asm/fpu/internal.h:324 copy_xregs_to_kernel arch/x86/include/asm/fpu/internal.h:324 [inline] WARNING: CPU: 1 PID: 4588 at arch/x86/include/asm/fpu/internal.h:324 copy_fpregs_to_fpstate+0x17a/0x1d0 arch/x86/kernel/fpu/core.c:98 Modules linked in: CPU: 1 PID: 4588 Comm: syz-executor.6 Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:copy_xregs_to_kernel arch/x86/include/asm/fpu/internal.h:324 [inline] RIP: 0010:copy_fpregs_to_fpstate+0x17a/0x1d0 arch/x86/kernel/fpu/core.c:98 Code: 01 00 00 00 5b 5d 41 5c 41 5d 41 5e c3 e8 fe 18 37 00 48 0f ae 43 40 eb e1 e8 f2 18 37 00 0f 0b e9 23 ff ff ff e8 e6 18 37 00 <0f> 0b e9 3c ff ff ff 48 c7 c7 f8 e3 44 85 e8 73 4a 62 00 e9 ec fe RSP: 0018:ffff8880435f7b10 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88800cf62e02 RCX: ffffffff81086ca5 RDX: ffff888015b8b280 RSI: ffffffff81086d6a RDI: 0000000000000005 RBP: 00000000fffffffe R08: 0000000000000000 R09: ffff888015b8b287 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000007 R13: 0000000000000000 R14: 0000000000000001 R15: ffff888015b8c740 FS: 0000000002721400(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f90e88718 CR3: 000000000eb78000 CR4: 0000000000350ee0 Call Trace: fpu__copy+0x39c/0x550 arch/x86/kernel/fpu/core.c:243 dup_task_struct kernel/fork.c:873 [inline] copy_process+0x6da/0x6650 kernel/fork.c:1947 kernel_clone+0xe7/0xa20 kernel/fork.c:2465 __do_sys_clone+0xc8/0x110 kernel/fork.c:2582 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x467a31 Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00 RSP: 002b:00007ffc59c59a88 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 00007f8f90e88700 RCX: 0000000000467a31 RDX: 00007f8f90e889d0 RSI: 00007f8f90e882f0 RDI: 00000000003d0f00 RBP: 00007ffc59c59cc0 R08: 00007f8f90e88700 R09: 00007f8f90e88700 R10: 00007f8f90e889d0 R11: 0000000000000206 R12: 00007ffc59c59b3e R13: 00007ffc59c59b3f R14: 00007f8f90e88300 R15: 0000000000022000 irq event stamp: 0 hardirqs last enabled at (0): [<0000000000000000>] 0x0 hardirqs last disabled at (0): [] copy_process+0x15bc/0x6650 kernel/fork.c:2049 softirqs last enabled at (0): [] copy_process+0x15fd/0x6650 kernel/fork.c:2053 softirqs last disabled at (0): [<0000000000000000>] 0x0 ---[ end trace 0ccb0d88d3d7043f ]--- ------------[ cut here ]------------ Bad FPU state detected at copy_kernel_to_xregs arch/x86/include/asm/fpu/internal.h:335 [inline], reinitializing FPU registers. Bad FPU state detected at __copy_kernel_to_fpregs arch/x86/include/asm/fpu/internal.h:410 [inline], reinitializing FPU registers. Bad FPU state detected at copy_kernel_to_fpregs+0x99/0xe0 arch/x86/include/asm/fpu/internal.h:434, reinitializing FPU registers. WARNING: CPU: 1 PID: 4609 at arch/x86/mm/extable.c:65 ex_handler_fprestore+0xf0/0x110 arch/x86/mm/extable.c:65 Modules linked in: CPU: 1 PID: 4609 Comm: syz-executor.6 Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:ex_handler_fprestore+0xf0/0x110 arch/x86/mm/extable.c:65 Code: e8 25 87 2e 00 b8 01 00 00 00 5b 5d 41 5c c3 e8 16 87 2e 00 48 89 de 48 c7 c7 40 dd 24 84 c6 05 a8 c0 31 04 01 e8 2f 79 a6 02 <0f> 0b eb 90 48 89 df e8 94 b8 59 00 e9 3d ff ff ff e8 1a b9 59 00 RSP: 0018:ffff888045ccfce8 EFLAGS: 00010082 RAX: 0000000000000000 RBX: ffffffff81087a19 RCX: 0000000000000000 RDX: ffff88800cf61942 RSI: ffffffff812930d3 RDI: ffffed1008b99f8f RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88806cf1ff9b R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff84ad3e10 R13: 000000000000000d R14: 0000000000000000 R15: 0000000000000000 FS: 00007f8f90e88700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f90e88718 CR3: 000000000eb78000 CR4: 0000000000350ee0 Call Trace: fixup_exception+0x9d/0xd0 arch/x86/mm/extable.c:183 __exc_general_protection arch/x86/kernel/traps.c:559 [inline] exc_general_protection+0xeb/0x2e0 arch/x86/kernel/traps.c:526 asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:565 RIP: 0010:copy_kernel_to_fpregs+0x99/0xe0 arch/x86/include/asm/fpu/internal.h:435 Code: 44 24 20 e8 59 0c 37 00 48 8b 6c 24 20 0f 1f 44 00 00 e8 4a 0c 37 00 e8 45 0c 37 00 b8 ff ff ff ff 48 89 ef 89 c2 48 0f c7 1f 32 0c 37 00 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 RSP: 0018:ffff888045ccfe80 EFLAGS: 00010093 RAX: 00000000ffffffff RBX: 1ffff11008b99fd0 RCX: ffffffff810881a3 RDX: 00000000ffffffff RSI: ffffffff81087a0b RDI: ffff88800cf62e42 RBP: ffff88800cf62e42 R08: 0000000000000000 R09: ffff88800cf61949 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800cf62e02 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 __fpregs_load_activate arch/x86/include/asm/fpu/internal.h:505 [inline] switch_fpu_return+0x92/0x300 arch/x86/kernel/fpu/core.c:406 arch_exit_to_user_mode_prepare arch/x86/include/asm/entry-common.h:59 [inline] exit_to_user_mode_prepare+0x141/0x160 kernel/entry/common.c:193 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:289 RIP: 0033:0x467a31 Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00 RSP: 002b:00007f8f90e882f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: 0000000000000000 RBX: 00007f8f90e88700 RCX: 0000000000467a31 RDX: 00007f8f90e889d0 RSI: 00007f8f90e882f0 RDI: 00000000003d0f00 RBP: 00007ffc59c59cc0 R08: 00007f8f90e88700 R09: 00007f8f90e88700 R10: 00007f8f90e889d0 R11: 0000000000000206 R12: 00007ffc59c59b3e R13: 00007ffc59c59b3f R14: 00007f8f90e88300 R15: 0000000000022000 irq event stamp: 0 hardirqs last enabled at (0): [<0000000000000000>] 0x0 hardirqs last disabled at (0): [] copy_process+0x15bc/0x6650 kernel/fork.c:2049 softirqs last enabled at (0): [] copy_process+0x15fd/0x6650 kernel/fork.c:2053 softirqs last disabled at (0): [<0000000000000000>] 0x0 ---[ end trace 0ccb0d88d3d70440 ]--- general protection fault, probably for non-canonical address 0xdffffc0000002007: 0000 [#2] SMP KASAN NOPTI KASAN: probably user-memory-access in range [0x0000000000010038-0x000000000001003f] CPU: 1 PID: 4588 Comm: syz-executor.6 Tainted: G B D W 5.10.56 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:pick_next_task_fair+0x3eb/0xb10 kernel/sched/fair.c:7062 Code: 85 0d 07 00 00 4c 29 e5 48 01 ab 50 0a 00 00 e9 1b ff ff ff 49 be 00 00 00 00 00 fc ff df 49 8d 7c 24 40 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 9c 05 00 00 49 8b 74 24 40 48 85 f6 74 27 48 RSP: 0018:ffff8880435f7c90 EFLAGS: 00010013 RAX: 0000000000002007 RBX: ffff88806cf33180 RCX: 0000000000000002 RDX: 1ffff1100d9e6653 RSI: ffff88800cf619c0 RDI: 000000000001003f RBP: ffff88800cf619c0 R08: 0000000000000000 R09: ffffffff8544fb4f R10: fffffbfff0a89f69 R11: 0000000000000001 R12: 000000000000ffff R13: ffff888015b8b280 R14: dffffc0000000000 R15: ffffffff84a51960 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2cb2d000 CR3: 000000000eb78000 CR4: 0000000000350ee0 Call Trace: pick_next_task kernel/sched/core.c:4342 [inline] __schedule+0x330/0x1e80 kernel/sched/core.c:4493 do_task_dead+0xc3/0xf0 kernel/sched/core.c:4542 do_exit+0x18a9/0x2770 kernel/exit.c:862 do_group_exit+0x125/0x310 kernel/exit.c:908 __do_sys_exit_group kernel/exit.c:919 [inline] __se_sys_exit_group kernel/exit.c:917 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:917 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x466609 Code: Unable to access opcode bytes at RIP 0x4665df. RSP: 002b:00007ffc59c59d68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 000000000000001e RCX: 0000000000466609 RDX: 00000000004193eb RSI: ffffffffffffffbc RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000001b2cb2c8a4 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffc59c59e60 Modules linked in: ---[ end trace 0ccb0d88d3d70441 ]--- RIP: 0010:compound_head include/linux/page-flags.h:185 [inline] RIP: 0010:virt_to_head_page include/linux/mm.h:860 [inline] RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:130 [inline] RIP: 0010:qlist_free_all+0x8d/0xd0 mm/kasan/quarantine.c:167 Code: df 48 85 db 75 cc 48 89 f0 4c 01 e8 72 56 4c 89 f2 48 2b 15 15 61 3a 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 f3 60 3a 03 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 93 49 RSP: 0018:ffff8880164ffbb8 EFLAGS: 00010203 RAX: 0045e3ddfe220040 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000777f80000000 RSI: 117dffff88801566 RDI: 0000000000000000 RBP: dffffc0000000000 R08: 0000000000000004 R09: ffffffff816abb01 R10: ffff88800cf61942 R11: 0000000000000001 R12: ffff8880164ffbf0 R13: 0000000080000000 R14: ffffffff80000000 R15: 117dffff88801566 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2cb2d000 CR3: 000000000eb78000 CR4: 0000000000350ee0 note: syz-executor.6[4588] exited with preempt_count 2 Fixing recursive fault but reboot is needed!