'Use-after-scope Read in tick_sched_handle' bug
From: Dongsong Yu
Date: Wed May 02 2018 - 07:07:38 EST
Hi,
I got the following bug report while fuzzing the Linux kernel (4.16.0) on
arm64 with syzkaller.
The kernel config file and the PoC generated from the C reproducer are attached.
Syzkaller hit 'KASAN: use-after-scope Read in tick_sched_handle' bug.
==================================================================
BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8
kernel/time/tick-sched.c:162
Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474
CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x350 arch/arm64/kernel/time.c:64
show_stack+0x20/0x30 arch/arm64/kernel/traps.c:151
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x11c/0x198 lib/dump_stack.c:53
print_address_description+0x60/0x270 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x248/0x348 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
__asan_load8+0x84/0xa8 mm/kasan/kasan.c:698
tick_sched_handle.isra.5+0x64/0xa8 kernel/time/tick-sched.c:162
tick_sched_timer+0x50/0xe0 kernel/time/tick-sched.c:1194
__run_hrtimer kernel/time/hrtimer.c:1349 [inline]
__hrtimer_run_queues+0x1dc/0x2c0 kernel/time/hrtimer.c:1411
hrtimer_interrupt+0x180/0x390 kernel/time/hrtimer.c:1469
timer_handler drivers/clocksource/arm_arch_timer.c:588 [inline]
arch_timer_handler_virt+0x44/0x70 drivers/clocksource/arm_arch_timer.c:599
handle_percpu_devid_irq+0xdc/0x1e8 kernel/irq/chip.c:896
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
generic_handle_irq+0x48/0x68 kernel/irq/irqdesc.c:606
__handle_domain_irq+0x8c/0x108 kernel/irq/irqdesc.c:643
handle_domain_irq include/linux/irqdesc.h:177 [inline]
gic_handle_irq+0x6c/0xd8 drivers/irqchip/irq-gic.c:367
el1_irq+0xb0/0x128 arch/arm64/kernel/entry.S:602
prep_new_page mm/page_alloc.c:1816 [inline]
get_page_from_freelist+0x628/0x1998 mm/page_alloc.c:3239
__alloc_pages_nodemask+0x244/0x1600 mm/page_alloc.c:4245
alloc_pages_current+0x128/0x1f0 mm/mempolicy.c:2055
alloc_pages include/linux/gfp.h:492 [inline]
pte_alloc_one arch/arm64/include/asm/pgalloc.h:104 [inline]
__pte_alloc+0x8c/0x200 mm/memory.c:654
do_anonymous_page+0x844/0x9b0 mm/memory.c:3141
handle_pte_fault mm/memory.c:3977 [inline]
__handle_mm_fault+0xb94/0x1528 mm/memory.c:4103
handle_mm_fault+0x288/0x3e0 mm/memory.c:4140
__do_page_fault arch/arm64/mm/fault.c:377 [inline]
do_page_fault+0x398/0x630 arch/arm64/mm/fault.c:459
do_translation_fault+0x90/0xb0 arch/arm64/mm/fault.c:561
do_mem_abort+0xbc/0x208 arch/arm64/mm/fault.c:698
el0_da+0x20/0x24
The buggy address belongs to the page:
page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x4fffc00000000000()
raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00
==================================================================
Syzkaller hit 'KASAN: use-after-scope Read in tick_sched_handle' bug.
==================================================================
BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8 kernel/time/tick-sched.c:162
Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474
CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x350 arch/arm64/kernel/time.c:64
show_stack+0x20/0x30 arch/arm64/kernel/traps.c:151
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x11c/0x198 lib/dump_stack.c:53
print_address_description+0x60/0x270 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x248/0x348 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
__asan_load8+0x84/0xa8 mm/kasan/kasan.c:698
tick_sched_handle.isra.5+0x64/0xa8 kernel/time/tick-sched.c:162
tick_sched_timer+0x50/0xe0 kernel/time/tick-sched.c:1194
__run_hrtimer kernel/time/hrtimer.c:1349 [inline]
__hrtimer_run_queues+0x1dc/0x2c0 kernel/time/hrtimer.c:1411
hrtimer_interrupt+0x180/0x390 kernel/time/hrtimer.c:1469
timer_handler drivers/clocksource/arm_arch_timer.c:588 [inline]
arch_timer_handler_virt+0x44/0x70 drivers/clocksource/arm_arch_timer.c:599
handle_percpu_devid_irq+0xdc/0x1e8 kernel/irq/chip.c:896
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
generic_handle_irq+0x48/0x68 kernel/irq/irqdesc.c:606
__handle_domain_irq+0x8c/0x108 kernel/irq/irqdesc.c:643
handle_domain_irq include/linux/irqdesc.h:177 [inline]
gic_handle_irq+0x6c/0xd8 drivers/irqchip/irq-gic.c:367
el1_irq+0xb0/0x128 arch/arm64/kernel/entry.S:602
prep_new_page mm/page_alloc.c:1816 [inline]
get_page_from_freelist+0x628/0x1998 mm/page_alloc.c:3239
__alloc_pages_nodemask+0x244/0x1600 mm/page_alloc.c:4245
alloc_pages_current+0x128/0x1f0 mm/mempolicy.c:2055
alloc_pages include/linux/gfp.h:492 [inline]
pte_alloc_one arch/arm64/include/asm/pgalloc.h:104 [inline]
__pte_alloc+0x8c/0x200 mm/memory.c:654
do_anonymous_page+0x844/0x9b0 mm/memory.c:3141
handle_pte_fault mm/memory.c:3977 [inline]
__handle_mm_fault+0xb94/0x1528 mm/memory.c:4103
handle_mm_fault+0x288/0x3e0 mm/memory.c:4140
__do_page_fault arch/arm64/mm/fault.c:377 [inline]
do_page_fault+0x398/0x630 arch/arm64/mm/fault.c:459
do_translation_fault+0x90/0xb0 arch/arm64/mm/fault.c:561
do_mem_abort+0xbc/0x208 arch/arm64/mm/fault.c:698
el0_da+0x20/0x24
The buggy address belongs to the page:
page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x4fffc00000000000()
raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00
==================================================================
Syzkaller reproducer:
# {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:false}
mmap(&(0x7f0000000000/0xff4000)=nil, 0xff4000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000ff3000)={0x4, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000755000-0x1)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffff, 0xffffffffffffffff, 0x0)
C reproducer:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
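// Bit-field store helpers emitted by syzkaller for the reproducer below.
//
// BITMASK_LEN(type, bf_len)             -> mask of the low bf_len bits, as `type`.
// BITMASK_LEN_OFF(type, bf_off, bf_len) -> the same mask shifted up by bf_off.
// Both shift a 64-bit 1, so bf_len must stay below 64.
#define BITMASK_LEN(type, bf_len) ((type)((1ull << (bf_len)) - 1))
#define BITMASK_LEN_OFF(type, bf_off, bf_len) ((type)(BITMASK_LEN(type, (bf_len)) << (bf_off)))

// STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)
//   Writes `val` into the bf_len-bit field at bit offset bf_off of the `type`
//   object at `addr`, leaving the other bits untouched. `val` is truncated to
//   bf_len bits first, so an oversized value keeps only its low bits.
//   bf_off == 0 && bf_len == 0 means "not a bit-field": the whole object is
//   overwritten with (type)val.
//
//   The body is wrapped in do { } while (0) so the macro expands to a single
//   statement; the bare if/else form broke any caller that wrote
//   `if (c) STORE_BY_BITMASK(...); else ...`.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
    do { \
        if ((bf_off) == 0 && (bf_len) == 0) { \
            *(type*)(addr) = (type)(val); \
        } else { \
            type new_val = *(type*)(addr); \
            new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
            new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
            *(type*)(addr) = new_val; \
        } \
    } while (0)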
static void test();

// Calls test() back to back without any exit condition, so this function
// never returns to its caller.
void loop()
{
    for (;;) {
        test();
    }
}
// Fallback syscall numbers, used only when <sys/syscall.h> did not already
// define them. NOTE(review): 241 and 222 presumably come from the arm64
// syscall table, matching the arm64 target named in the report; they are
// not portable to other architectures, so confirm before building elsewhere.
#if !defined(__NR_perf_event_open)
#define __NR_perf_event_open 241
#endif
#if !defined(__NR_mmap)
#define __NR_mmap 222
#endif
// One iteration of the syzkaller-generated reproducer: map a fixed region,
// fill in an attribute block at 0x20ff3000 with raw stores, then pass that
// block to perf_event_open(). It mirrors the two-call syzkaller program
// printed above the C source (mmap, then perf_event_open).
//
// Neither syscall's return value is checked, and the descriptor returned by
// perf_event_open is never closed.
//
// NOTE(review): the reproducing log on this page records the bisected program
// sets crashing under other titles ("use-after-scope Read in pud_huge",
// "use-after-scope Write in save_trace"), not only in tick_sched_handle. The
// reported frame may therefore be where the poisoned stack slot was noticed
// rather than the root cause; confirm before triaging against
// kernel/time/tick-sched.c alone.
// NOTE(review): the offsets below follow syzkaller's own layout of the
// attribute block; field names are not shown on the page, so the names given
// here are assumptions to check against the target kernel's perf_event.h.
void test()
{
// Map 0xff4000 bytes at the fixed address 0x20000000. prot 3 is
// PROT_READ|PROT_WRITE; flags 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on
// Linux; fd -1 and offset 0 as usual for an anonymous mapping. Because of
// MAP_FIXED, every call replaces the previous mapping with fresh zero pages.
syscall(__NR_mmap, 0x20000000, 0xff4000, 3, 0x32, -1, 0);
// First two 32-bit words of the block: 4 and 0x78 (120). Presumably
// perf_event_attr.type (4 would be PERF_TYPE_RAW) and .size - confirm.
*(uint32_t*)0x20ff3000 = 4;
*(uint32_t*)0x20ff3004 = 0x78;
// Offsets 0x08..0x27 are all written as zero.
*(uint8_t*)0x20ff3008 = 0;
*(uint8_t*)0x20ff3009 = 0;
*(uint8_t*)0x20ff300a = 0;
*(uint8_t*)0x20ff300b = 0;
*(uint32_t*)0x20ff300c = 0;
*(uint64_t*)0x20ff3010 = 0;
*(uint64_t*)0x20ff3018 = 0;
*(uint64_t*)0x20ff3020 = 0;
// 64-bit bit-field word at 0x20ff3028, written one field at a time. The
// stores cover bits 0..63 exactly once, and each value is truncated to the
// field width by STORE_BY_BITMASK, so the word ends up as 0x20:
//   - bit 5 receives value 5, which truncates to 1 (the only bit set);
//     presumably perf_event_attr.exclude_kernel - confirm.
//   - bits 18 and 19 receive 0x...fc and 0x...fe, whose low bit is 0.
//   - every other field is stored as 0.
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 5, 5, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0xfffffffffffffffc, 18, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0xfffffffffffffffe, 19, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 29, 35);
*(uint32_t*)0x20ff3030 = 0;
*(uint32_t*)0x20ff3034 = 0;
// The only non-zero value after the flag word: 0x20754fff, an address inside
// the region mapped above. It corresponds to the @perf_bp member in the
// syzkaller program (0x7f0000755000-0x1 there).
*(uint64_t*)0x20ff3038 = 0x20754fff;
// Remainder of the 0x78-byte block is zero.
*(uint64_t*)0x20ff3040 = 0;
*(uint64_t*)0x20ff3048 = 0;
*(uint64_t*)0x20ff3050 = 0;
*(uint64_t*)0x20ff3058 = 0;
*(uint32_t*)0x20ff3060 = 0;
*(uint64_t*)0x20ff3068 = 0;
*(uint32_t*)0x20ff3070 = 0;
*(uint16_t*)0x20ff3074 = 0;
*(uint16_t*)0x20ff3076 = 0;
// perf_event_open(attr, pid, cpu, group_fd, flags): attr is the block built
// above, pid 0 is the calling task, cpu 0xffffffff is -1 as an int (any CPU),
// group_fd -1 means no event group, flags 0. The result is discarded.
syscall(__NR_perf_event_open, 0x20ff3000, 0, 0xffffffff, -1, 0);
}
// Entry point: hands control to loop(). loop() has no exit path, so the
// surrounding loop only matters if loop() were ever to return.
int main()
{
    while (1) {
        loop();
    }
}
Reproducing stats:
Extracting prog: 2h1m22.924601726s
Minimizing prog: 1h48m16.849171795s
Simplifying prog options: 0s
Extracting C: 2m26.99357181s
Simplifying C: 22m38.534842559s
Reproducing log:
146 programs, 1 VMs
extracting reproducer from 146 programs
single: executing 1 programs separately with timeout 10s
testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): accept4$inet-mmap-socketpair-mmap-lremovexattr-mmap-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-mmap-syz_open_pts-mmap-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-mmap-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-mmap-mmap-perf_event_open
program did not crash
single: failed to extract reproducer
bisect: bisecting 146 programs with base timeout 10s
bisect: bisecting 146 programs
bisect: executing all 146 programs
testing program (duration=46s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: guilty chunks: [<146>]
bisect: guilty chunks split: [], <146>, []
bisect: chunk split: <146> => <73>, <73>
bisect: triggering crash without chunk #1
testing program (duration=28s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=28s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<73>, <73>]
bisect: guilty chunks split: [], <73>, [<73>]
bisect: chunk split: <73> => <36>, <37>
bisect: triggering crash without chunk #1
testing program (duration=37s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=37s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<36>, <37>, <73>]
bisect: guilty chunks split: [], <36>, [<37>, <73>]
bisect: chunk split: <36> => <18>, <18>
bisect: triggering crash without chunk #1
testing program (duration=42s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=42s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<18>, <37>, <73>]
bisect: guilty chunks split: [], <18>, [<37>, <73>]
bisect: chunk split: <18> => <9>, <9>
bisect: triggering crash without chunk #1
testing program (duration=39s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=39s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<9>, <9>, <37>, <73>]
bisect: guilty chunks split: [], <9>, [<9>, <37>, <73>]
bisect: chunk split: <9> => <4>, <5>
bisect: triggering crash without chunk #1
testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<4>, <5>, <9>, <37>, <73>]
bisect: guilty chunks split: [], <4>, [<5>, <9>, <37>, <73>]
bisect: chunk split: <4> => <2>, <2>
bisect: triggering crash without chunk #1
testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<2>, <5>, <9>, <37>, <73>]
bisect: guilty chunks split: [], <2>, [<5>, <9>, <37>, <73>]
bisect: chunk split: <2> => <1>, <1>
bisect: triggering crash without chunk #1
testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [5, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <5>, <9>, <37>, <73>]
bisect: guilty chunks split: [<1>], <5>, [<9>, <37>, <73>]
bisect: chunk split: <5> => <2>, <3>
bisect: triggering crash without chunk #1
testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <3>, <9>, <37>, <73>]
bisect: guilty chunks split: [<1>], <3>, [<9>, <37>, <73>]
bisect: chunk split: <3> => <1>, <2>
bisect: triggering crash without chunk #1
testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Write in save_trace
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <9>, <37>, <73>]
bisect: guilty chunks split: [<1>, <1>], <9>, [<37>, <73>]
bisect: chunk split: <9> => <4>, <5>
bisect: triggering crash without chunk #1
testing program (duration=39s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <5>, <37>, <73>]
bisect: guilty chunks split: [<1>, <1>], <5>, [<37>, <73>]
bisect: chunk split: <5> => <2>, <3>
bisect: triggering crash without chunk #1
testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 11, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Write in save_trace
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <2>, <37>, <73>]
bisect: guilty chunks split: [<1>, <1>], <2>, [<37>, <73>]
bisect: chunk split: <2> => <1>, <1>
bisect: triggering crash without chunk #1
testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 11, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <37>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>], <37>, [<73>]
bisect: chunk split: <37> => <18>, <19>
bisect: triggering crash without chunk #1
testing program (duration=33s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=33s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <18>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>], <18>, [<73>]
bisect: chunk split: <18> => <9>, <9>
bisect: triggering crash without chunk #1
testing program (duration=31s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 2, 11, 31, 5, 6, 5, 8, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=31s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Write in save_trace
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <9>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>], <9>, [<73>]
bisect: chunk split: <9> => <4>, <5>
bisect: triggering crash without chunk #1
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<1>, <1>, <1>, <4>, <5>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>], <4>, [<5>, <73>]
bisect: chunk split: <4> => <2>, <2>
bisect: triggering crash without chunk #1
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Write in __save_stack_trace
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <2>, <5>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>], <2>, [<5>, <73>]
bisect: chunk split: <2> => <1>, <1>
bisect: triggering crash without chunk #1
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 4, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <5>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>], <5>, [<73>]
bisect: chunk split: <5> => <2>, <3>
bisect: triggering crash without chunk #1
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <3>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>], <3>, [<73>]
bisect: chunk split: <3> => <1>, <2>
bisect: triggering crash without chunk #1
testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=29s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program crashed: KASAN: use-after-scope Read in __save_stack_trace
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <73>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <73>, []
bisect: chunk split: <73> => <36>, <37>
bisect: triggering crash without chunk #1
testing program (duration=20s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=20s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program crashed: KASAN: use-after-scope Read in __save_stack_trace
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <36>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <36>, []
bisect: chunk split: <36> => <18>, <18>
bisect: triggering crash without chunk #1
testing program (duration=16s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program crashed: KASAN: use-after-scope Read in __save_stack_trace
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <18>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <18>, []
bisect: chunk split: <18> => <9>, <9>
bisect: triggering crash without chunk #1
testing program (duration=13s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=13s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 4, 7, 15, 28, 21, 12, 6, 5]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <9>, <9>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <9>, [<9>]
bisect: chunk split: <9> => <4>, <5>
bisect: triggering crash without chunk #1
testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <5>, <9>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <5>, [<9>]
bisect: chunk split: <5> => <2>, <3>
bisect: triggering crash without chunk #1
testing program (duration=14s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program crashed: KASAN: use-after-scope Write in save_trace
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <3>, <9>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <3>, [<9>]
bisect: chunk split: <3> => <1>, <2>
bisect: triggering crash without chunk #1
testing program (duration=14s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=14s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 11, 4, 7, 10, 9, 18, 10, 34, 3]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <9>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>], <9>, []
bisect: chunk split: <9> => <4>, <5>
bisect: triggering crash without chunk #1
testing program (duration=13s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 9, 18, 10, 34, 3]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 11, 4, 7, 10]
program crashed: KASAN: use-after-scope Read in __save_stack_trace
bisect: crashed, chunk #2 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <4>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>], <4>, []
bisect: chunk split: <4> => <2>, <2>
bisect: triggering crash without chunk #1
testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 7, 10]
program did not crash
bisect: triggering crash without chunk #2
testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 11, 4]
program did not crash
bisect: not crashed, both chunks required
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <2>, <2>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>], <2>, [<2>]
bisect: chunk split: <2> => <1>, <1>
bisect: triggering crash without chunk #1
testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 4, 7, 10]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>, <2>]
bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>], <2>, []
bisect: chunk split: <2> => <1>, <1>
bisect: triggering crash without chunk #1
testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 4, 10]
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: crashed, chunk #1 evicted
bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>]
bisect: success, 9 programs left
bisect: 9 programs left:
executing program 0:
r0 = accept4$inet(0xffffffffffffff9c, 0x0, &(0x7f0000568000-0x4)=0x0, 0x80800)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
socketpair(0x15, 0x3, 0x0, &(0x7f0000001000-0x8)={<r1=>0x0, <r2=>0x0})
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
lremovexattr(&(0x7f0000001000-0x8)='./file0\x00', &(0x7f0000002000-0x11)=@random={'btrfs.\x00', '^trusted\\\x00'})
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_AUTO_ASCONF(r2, 0x84, 0x1e, &(0x7f0000001000-0x4)=0x0, &(0x7f000054f000-0x4)=0x4)
syncfs(r2)
mmap(&(0x7f0000000000/0xff2000)=nil, 0xff2000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r3 = syz_open_pts(r0, 0x100)
mmap(&(0x7f0000ff2000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$TIOCGSID(r3, 0x5429, &(0x7f0000ff3000-0x4)=0x0)
getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f000017e000)={<r4=>0x0, 0x400, 0x9, [0xffffffff, 0x6, 0x2, 0x8, 0x3, 0x40, 0x0, 0x8000, 0x80000000]}, &(0x7f0000954000-0x4)=0x1a)
mmap(&(0x7f0000ff3000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f0000ff3000)={r4, 0x6, 0x4}, &(0x7f00009d8000-0x4)=0x8)
mmap(&(0x7f0000ff3000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000ff3000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000ff3000)={0x4, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000755000-0x1)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffff, 0xffffffffffffffff, 0x0)
executing program 0:
mmap(&(0x7f0000000000/0xfe7000)=nil, 0xfe7000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
capset(&(0x7f00008d9000-0x8)={0x19980330, 0x0}, &(0x7f0000fda000+0x525)={0x0, 0x401, 0x0, 0x0, 0x0, 0x0})
r0 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x80000)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
recvmmsg(r0, &(0x7f0000fe8000-0x78)=[{{&(0x7f00001fb000-0x60)=@nfc_llcp={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/63, 0x0}, 0x60, &(0x7f0000fe7000)=[{&(0x7f0000c3d000-0x3)=""/3, 0x3}], 0x1, &(0x7f0000fe7000)=""/0, 0x0, 0x1}, 0xe4c7}, {{&(0x7f0000fe8000-0x6)=@hci={0x0, 0x0, 0x0}, 0x6, &(0x7f0000d25000)=[{&(0x7f0000fe7000)=""/9, 0x9}, {&(0x7f0000578000-0xaa)=""/170, 0xaa}, {&(0x7f0000fe8000-0x44)=""/68, 0x44}], 0x3, &(0x7f0000fe8000-0xb4)=""/180, 0xb4, 0x3f}, 0x1000}], 0x2, 0x40000040, &(0x7f0000fe7000)={0x0, 0x1c9c380})
executing program 0:
ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000c86000)=<r0=>0x0)
prctl$setptracer(0x59616d61, r0)
ioprio_get$uid(0x2000000000000000, 0x0)
executing program 0:
mmap(&(0x7f0000000000/0xd000)=nil, 0xd000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = memfd_create(&(0x7f0000000000)='ppp1em1\x00', 0x20000000000001)
ftruncate(r0, 0x457e)
fcntl$setstatus(r0, 0x4, 0x40000)
sendfile(r0, r0, &(0x7f0000004000-0x8)=0xfffffffffffffffe, 0x1)
executing program 0:
mmap(&(0x7f0000000000/0x6000)=nil, 0x6000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = getpid()
r1 = syz_open_procfs(r0, &(0x7f0000004000)='ns\x00')
read(r1, &(0x7f0000006000-0x1000)=""/4096, 0x1000)
executing program 0:
r0 = socket$unix(0x1, 0x5, 0x0)
r1 = getpgid(0x0)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r2 = syz_open_procfs(r1, &(0x7f0000000000)='net/fib_trie\x00')
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f0000000000)={0x7, 0x8000, 0x10001, 0x5, <r3=>0x0}, &(0x7f0000002000-0x4)=0x10)
setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f0000000000)={0x7fffffff, 0x1, 0x5, 0x1, r3}, 0x10)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
pwritev(r2, &(0x7f0000003000-0x40)=[{&(0x7f0000003000-0x5b)="cffaa6bbddd0811b2bedf6d5b0e9b81db7a90b5e7ef059c123400f2ef14e29fad5ec92bdbaf558162b57ea08d5dacbe30477c09db824b87c8cdf7712466a0813010c9cb426ece37980f83adfc4fbb529a29b868af00a14a2dc01a8", 0x5b}, {&(0x7f0000003000-0x3)="98336c15e2", 0x5}, {&(0x7f0000002000)="ab4777713bca5e38b38e423391b790daea073a4d93120853cbff8c75a45ad93a7d77b7efe3dd6501204eb96cc90d6357", 0x30}, {&(0x7f0000002000)="3f8a532a2c4396b4ecab010d0413ede01e2251ec9cd60802e1f74cf53912f911a16b9e8e789c833f856836860cdfd56ca8f23faa96e79d553631bcdef8fd4aef1515290390c6ec37c4c557f2f55c3112d5a868d63bcfd329f06deaf4d92bdc2e39c4610b60ce7da75ad98e18934cb8d436c714905e886bd0561421fd93f672d69169a16dbafcd7da9556c32602755762c2d84796a1d38d5951691396d08839259a571cd127a99d0412fff6c55e3f5b0a70cfef029cb5f7ddb5ee", 0xba}], 0x4, 0x0)
mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$inet6_MCAST_JOIN_GROUP(r2, 0x29, 0x2a, &(0x7f0000002000-0x88)={0x8, {{0xa, 0x2, 0x7fffffff, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x8}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0x88)
mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
getsockopt$inet6_opts(r2, 0x29, 0x37, &(0x7f0000001000)=""/31, &(0x7f0000002000)=0x1f)
bind$unix(r0, &(0x7f0000000000)=@file={0x0, './file0\x00'}, 0xa)
r4 = semget(0x1, 0x3, 0x4)
semctl$SETALL(r4, 0x0, 0x11, &(0x7f0000003000-0x8)=[0x1, 0x4, 0x1ff, 0x1ff])
executing program 0:
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x4000, 0x0)
mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f0000001000-0x20)={@generic="a1d96b096c872816a63308dfa274e68b", @ifru_addrs={0x2, 0x2, @rand_addr=0x6, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}})
mmap(&(0x7f0000000000/0x14000)=nil, 0x14000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000011000)='net/tcp\x00')
ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000013000-0x8)={0x0, 0x0})
mmap(&(0x7f0000014000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000004000)={0x8, &(0x7f0000014000)=[{0x7fff, 0x8, 0x9, 0x3ee8535e}, {0x9, 0xa0ba319, 0x7, 0x0}, {0x800000000, 0x1, 0x6, 0x6}, {0x81, 0x5, 0x4, 0x10001}, {0x40, 0x6, 0x8, 0x2}, {0x4, 0xe9, 0x9, 0x6b}, {0x80, 0x8001, 0x5, 0xfff}, {0x7fffffff, 0x7fffffff, 0xfffffffffffffffc, 0x0}]}, 0x10)
r2 = socket$netlink(0x10, 0x3, 0x0)
getsockopt$bt_hci(r0, 0x0, 0x0, &(0x7f0000010000-0x70)=""/112, &(0x7f000000f000)=0x70)
sendfile(r2, r1, &(0x7f0000013000)=0x2000000000000002, 0x0)
executing program 0:
mmap(&(0x7f0000000000/0x5000)=nil, 0x5000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = add_key(&(0x7f0000002000-0xb)='cifs.idmap\x00', &(0x7f0000001000)={0x73, 0x79, 0x7a, 0x0, 0x0}, &(0x7f0000005000)="", 0x0, 0xfffffffffffffffb)
add_key(&(0x7f0000001000)='dns_resolver\x00', &(0x7f0000000000)={0x73, 0x79, 0x7a, 0x3, 0x0}, 0x0, 0xd4, r0)
executing program 0:
mmap(&(0x7f0000000000/0xc000)=nil, 0xc000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
setrlimit(0x7, &(0x7f0000001000-0x10)={0x0, 0x0})
inotify_init1(0x0)
mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(0xffffffffffffffff, 0xc00c642d, &(0x7f000000c000)={0x0, 0x80000, <r0=>0xffffffffffffffff})
mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, &(0x7f000000d000-0x10)={0x0, <r1=>0x0, 0x4})
mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r2 = openat$autofs(0xffffffffffffff9c, &(0x7f000000d000-0xc)='/dev/autofs\x00', 0x0, 0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000006000)={r1, 0x80000, r2})
bisect: trying to concatenate
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): accept4$inet-mmap-socketpair-mmap-lremovexattr-mmap-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-mmap-syz_open_pts-mmap-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-mmap-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-mmap-mmap-perf_event_open-mmap-capset-dup3-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-mmap-memfd_create-ftruncate-fcntl$setstatus-sendfile-mmap-getpid-syz_open_procfs-read-socket$unix-getpgid-mmap-mmap-syz_open_procfs-mmap-mmap-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-mmap-mmap-mmap-mmap-mmap-pwritev-mmap-setsockopt$inet6_MCAST_JOIN_GROUP-mmap-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-mmap-openat$vcs-mmap-ioctl$sock_inet_SIOCSIFNETMASK-mmap-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-mmap-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-mmap-mmap-add_key-add_key-mmap-setrlimit-inotify_init1-mmap-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-mmap-ioctl$DRM_IOCTL_GEM_OPEN-mmap-openat$autofs-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD
program crashed: KASAN: use-after-scope Read in pud_huge
bisect: concatenation succeded
found reproducer with 90 syscalls
minimizing guilty program
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-ioctl$DRM_IOCTL_GEM_OPEN-openat$autofs-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD
program crashed: KASAN: use-after-scope Read in __sync_icache_dcache
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-ioctl$DRM_IOCTL_GEM_OPEN-openat$autofs
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-ioctl$DRM_IOCTL_GEM_OPEN
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key
program crashed: KASAN: use-after-scope Write in save_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX
program crashed: KASAN: use-after-scope Write in save_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget
program crashed: KASAN: use-after-scope Write in save_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE
program did not crash
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-perf_event_open
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-perf_event_open
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-perf_event_open
program crashed: KASAN: use-after-scope Write in save_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-perf_event_open
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-perf_event_open
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-perf_event_open
program crashed: KASAN: use-after-scope Read in pud_huge
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): perf_event_open
program did not crash
extracting C reproducer
testing compiled C program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Write in __save_stack_trace
simplifying C reproducer
testing compiled C program (duration=18s, {Threaded:true Collide:false Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program did not crash
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Write in tcp_ack
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Read in __save_stack_trace
testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:true}): mmap-perf_event_open
program crashed: KASAN: use-after-scope Read in tick_sched_handle
reproducing took 4h14m45.302271036s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8
Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474
CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x350
show_stack+0x20/0x30
dump_stack+0x11c/0x198
print_address_description+0x60/0x270
kasan_report+0x248/0x348
__asan_load8+0x84/0xa8
tick_sched_handle.isra.5+0x64/0xa8
tick_sched_timer+0x50/0xe0
__hrtimer_run_queues+0x1dc/0x2c0
hrtimer_interrupt+0x180/0x390
arch_timer_handler_virt+0x44/0x70
handle_percpu_devid_irq+0xdc/0x1e8
generic_handle_irq+0x48/0x68
__handle_domain_irq+0x8c/0x108
gic_handle_irq+0x6c/0xd8
el1_irq+0xb0/0x128
get_page_from_freelist+0x628/0x1998
__alloc_pages_nodemask+0x244/0x1600
alloc_pages_current+0x128/0x1f0
__pte_alloc+0x8c/0x200
do_anonymous_page+0x844/0x9b0
__handle_mm_fault+0xb94/0x1528
handle_mm_fault+0x288/0x3e0
do_page_fault+0x398/0x630
do_translation_fault+0x90/0xb0
do_mem_abort+0xbc/0x208
el0_da+0x20/0x24
The buggy address belongs to the page:
page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x4fffc00000000000()
raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                                                ^
ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00
==================================================================
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8
Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474
CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x350
show_stack+0x20/0x30
dump_stack+0x11c/0x198
print_address_description+0x60/0x270
kasan_report+0x248/0x348
__asan_load8+0x84/0xa8
tick_sched_handle.isra.5+0x64/0xa8
tick_sched_timer+0x50/0xe0
__hrtimer_run_queues+0x1dc/0x2c0
hrtimer_interrupt+0x180/0x390
arch_timer_handler_virt+0x44/0x70
handle_percpu_devid_irq+0xdc/0x1e8
generic_handle_irq+0x48/0x68
__handle_domain_irq+0x8c/0x108
gic_handle_irq+0x6c/0xd8
el1_irq+0xb0/0x128
get_page_from_freelist+0x628/0x1998
__alloc_pages_nodemask+0x244/0x1600
alloc_pages_current+0x128/0x1f0
__pte_alloc+0x8c/0x200
do_anonymous_page+0x844/0x9b0
__handle_mm_fault+0xb94/0x1528
handle_mm_fault+0x288/0x3e0
do_page_fault+0x398/0x630
do_translation_fault+0x90/0xb0
do_mem_abort+0xbc/0x208
el0_da+0x20/0x24
The buggy address belongs to the page:
page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x4fffc00000000000()
raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                                                ^
ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00
==================================================================
Attachment:
config
Description: Binary data
Attachment:
tick_sched_handle.c
Description: Binary data