Syzkaller hit 'KASAN: use-after-scope Read in tick_sched_handle' bug. ================================================================== BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8 kernel/time/tick-sched.c:162 Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474 CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x350 arch/arm64/kernel/time.c:64 show_stack+0x20/0x30 arch/arm64/kernel/traps.c:151 __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x11c/0x198 lib/dump_stack.c:53 print_address_description+0x60/0x270 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x248/0x348 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] __asan_load8+0x84/0xa8 mm/kasan/kasan.c:698 tick_sched_handle.isra.5+0x64/0xa8 kernel/time/tick-sched.c:162 tick_sched_timer+0x50/0xe0 kernel/time/tick-sched.c:1194 __run_hrtimer kernel/time/hrtimer.c:1349 [inline] __hrtimer_run_queues+0x1dc/0x2c0 kernel/time/hrtimer.c:1411 hrtimer_interrupt+0x180/0x390 kernel/time/hrtimer.c:1469 timer_handler drivers/clocksource/arm_arch_timer.c:588 [inline] arch_timer_handler_virt+0x44/0x70 drivers/clocksource/arm_arch_timer.c:599 handle_percpu_devid_irq+0xdc/0x1e8 kernel/irq/chip.c:896 generic_handle_irq_desc include/linux/irqdesc.h:159 [inline] generic_handle_irq+0x48/0x68 kernel/irq/irqdesc.c:606 __handle_domain_irq+0x8c/0x108 kernel/irq/irqdesc.c:643 handle_domain_irq include/linux/irqdesc.h:177 [inline] gic_handle_irq+0x6c/0xd8 drivers/irqchip/irq-gic.c:367 el1_irq+0xb0/0x128 arch/arm64/kernel/entry.S:602 prep_new_page mm/page_alloc.c:1816 [inline] get_page_from_freelist+0x628/0x1998 mm/page_alloc.c:3239 __alloc_pages_nodemask+0x244/0x1600 mm/page_alloc.c:4245 alloc_pages_current+0x128/0x1f0 mm/mempolicy.c:2055 alloc_pages include/linux/gfp.h:492 [inline] pte_alloc_one arch/arm64/include/asm/pgalloc.h:104 [inline] __pte_alloc+0x8c/0x200 mm/memory.c:654 do_anonymous_page+0x844/0x9b0 mm/memory.c:3141 handle_pte_fault mm/memory.c:3977 [inline] __handle_mm_fault+0xb94/0x1528 mm/memory.c:4103 handle_mm_fault+0x288/0x3e0 mm/memory.c:4140 __do_page_fault arch/arm64/mm/fault.c:377 [inline] do_page_fault+0x398/0x630 arch/arm64/mm/fault.c:459 do_translation_fault+0x90/0xb0 arch/arm64/mm/fault.c:561 do_mem_abort+0xbc/0x208 arch/arm64/mm/fault.c:698 el0_da+0x20/0x24 The buggy address belongs to the page: page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x4fffc00000000000() raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00 ================================================================== Syzkaller reproducer: # {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:false} mmap(&(0x7f0000000000/0xff4000)=nil, 0xff4000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000ff3000)={0x4, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000755000-0x1)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffff, 0xffffffffffffffff, 0x0) C reproducer: // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #define BITMASK_LEN(type,bf_len) (type)((1ull << (bf_len)) - 1) #define BITMASK_LEN_OFF(type,bf_off,bf_len) (type)(BITMASK_LEN(type, (bf_len)) << (bf_off)) #define STORE_BY_BITMASK(type,addr,val,bf_off,bf_len) if ((bf_off) == 0 && (bf_len) == 0) { *(type*)(addr) = (type)(val); } else { type new_val = *(type*)(addr); new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); *(type*)(addr) = new_val; } static void test(); void loop() { while (1) { test(); } } #ifndef __NR_perf_event_open #define __NR_perf_event_open 241 #endif #ifndef __NR_mmap #define __NR_mmap 222 #endif void test() { syscall(__NR_mmap, 0x20000000, 0xff4000, 3, 0x32, -1, 0); *(uint32_t*)0x20ff3000 = 4; *(uint32_t*)0x20ff3004 = 0x78; *(uint8_t*)0x20ff3008 = 0; *(uint8_t*)0x20ff3009 = 0; *(uint8_t*)0x20ff300a = 0; *(uint8_t*)0x20ff300b = 0; *(uint32_t*)0x20ff300c = 0; *(uint64_t*)0x20ff3010 = 0; *(uint64_t*)0x20ff3018 = 0; *(uint64_t*)0x20ff3020 = 0; STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 5, 5, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0xfffffffffffffffc, 18, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0xfffffffffffffffe, 19, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 24, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x20ff3028, 0, 29, 35); *(uint32_t*)0x20ff3030 = 0; *(uint32_t*)0x20ff3034 = 0; *(uint64_t*)0x20ff3038 = 0x20754fff; *(uint64_t*)0x20ff3040 = 0; *(uint64_t*)0x20ff3048 = 0; *(uint64_t*)0x20ff3050 = 0; *(uint64_t*)0x20ff3058 = 0; *(uint32_t*)0x20ff3060 = 0; *(uint64_t*)0x20ff3068 = 0; *(uint32_t*)0x20ff3070 = 0; *(uint16_t*)0x20ff3074 = 0; *(uint16_t*)0x20ff3076 = 0; syscall(__NR_perf_event_open, 0x20ff3000, 0, 0xffffffff, -1, 0); } int main() { for (;;) { loop(); } } Reproducing stats: Extracting prog: 2h1m22.924601726s Minimizing prog: 1h48m16.849171795s Simplifying prog options: 0s Extracting C: 2m26.99357181s Simplifying C: 22m38.534842559s Reproducing log: 146 programs, 1 VMs extracting reproducer from 146 programs single: executing 1 programs separately with timeout 10s testing program (duration=10s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): accept4$inet-mmap-socketpair-mmap-lremovexattr-mmap-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-mmap-syz_open_pts-mmap-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-mmap-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-mmap-mmap-perf_event_open program did not crash single: failed to extract reproducer bisect: bisecting 146 programs with base timeout 10s bisect: bisecting 146 programs bisect: executing all 146 programs testing program (duration=46s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: guilty chunks: [<146>] bisect: guilty chunks split: [], <146>, [] bisect: chunk split: <146> => <73>, <73> bisect: triggering crash without chunk #1 testing program (duration=28s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=28s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<73>, <73>] bisect: guilty chunks split: [], <73>, [<73>] bisect: chunk split: <73> => <36>, <37> bisect: triggering crash without chunk #1 testing program (duration=37s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=37s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<36>, <37>, <73>] bisect: guilty chunks split: [], <36>, [<37>, <73>] bisect: chunk split: <36> => <18>, <18> bisect: triggering crash without chunk #1 testing program (duration=42s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [16, 9, 8, 11, 7, 9, 5, 13, 10, 11, 4, 7, 7, 9, 10, 11, 4, 16, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=42s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<18>, <37>, <73>] bisect: guilty chunks split: [], <18>, [<37>, <73>] bisect: chunk split: <18> => <9>, <9> bisect: triggering crash without chunk #1 testing program (duration=39s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=39s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 4, 3, 12, 11, 15, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<9>, <9>, <37>, <73>] bisect: guilty chunks split: [], <9>, [<9>, <37>, <73>] bisect: chunk split: <9> => <4>, <5> bisect: triggering crash without chunk #1 testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 11, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<4>, <5>, <9>, <37>, <73>] bisect: guilty chunks split: [], <4>, [<5>, <9>, <37>, <73>] bisect: chunk split: <4> => <2>, <2> bisect: triggering crash without chunk #1 testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [4, 11, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 5, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<2>, <5>, <9>, <37>, <73>] bisect: guilty chunks split: [], <2>, [<5>, <9>, <37>, <73>] bisect: chunk split: <2> => <1>, <1> bisect: triggering crash without chunk #1 testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [5, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=41s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 4, 3, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <5>, <9>, <37>, <73>] bisect: guilty chunks split: [<1>], <5>, [<9>, <37>, <73>] bisect: chunk split: <5> => <2>, <3> bisect: triggering crash without chunk #1 testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <3>, <9>, <37>, <73>] bisect: guilty chunks split: [<1>], <3>, [<9>, <37>, <73>] bisect: chunk split: <3> => <1>, <2> bisect: triggering crash without chunk #1 testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 11, 15, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=40s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 14, 10, 4, 5, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Write in save_trace bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <9>, <37>, <73>] bisect: guilty chunks split: [<1>, <1>], <9>, [<37>, <73>] bisect: chunk split: <9> => <4>, <5> bisect: triggering crash without chunk #1 testing program (duration=39s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 11, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <5>, <37>, <73>] bisect: guilty chunks split: [<1>, <1>], <5>, [<37>, <73>] bisect: chunk split: <5> => <2>, <3> bisect: triggering crash without chunk #1 testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 9, 6, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 11, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Write in save_trace bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <2>, <37>, <73>] bisect: guilty chunks split: [<1>, <1>], <2>, [<37>, <73>] bisect: chunk split: <2> => <1>, <1> bisect: triggering crash without chunk #1 testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 11, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=38s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <37>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>], <37>, [<73>] bisect: chunk split: <37> => <18>, <19> bisect: triggering crash without chunk #1 testing program (duration=33s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 9, 9, 9, 2, 4, 4, 6, 3, 4, 32, 3, 3, 8, 10, 3, 7, 5, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=33s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 2, 11, 31, 5, 6, 5, 8, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <18>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>], <18>, [<73>] bisect: chunk split: <18> => <9>, <9> bisect: triggering crash without chunk #1 testing program (duration=31s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 2, 11, 31, 5, 6, 5, 8, 5, 5, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=31s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Write in save_trace bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <9>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>], <9>, [<73>] bisect: chunk split: <9> => <4>, <5> bisect: triggering crash without chunk #1 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 7, 10, 5, 4, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<1>, <1>, <1>, <4>, <5>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>], <4>, [<5>, <73>] bisect: chunk split: <4> => <2>, <2> bisect: triggering crash without chunk #1 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Write in __save_stack_trace bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <2>, <5>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>], <2>, [<5>, <73>] bisect: chunk split: <2> => <1>, <1> bisect: triggering crash without chunk #1 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 4, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 16, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <5>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>], <5>, [<73>] bisect: chunk split: <5> => <2>, <3> bisect: triggering crash without chunk #1 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <3>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>], <3>, [<73>] bisect: chunk split: <3> => <1>, <2> bisect: triggering crash without chunk #1 testing program (duration=30s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 11, 15, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=29s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program crashed: KASAN: use-after-scope Read in __save_stack_trace bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <73>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <73>, [] bisect: chunk split: <73> => <36>, <37> bisect: triggering crash without chunk #1 testing program (duration=20s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 9, 9, 7, 6, 12, 9, 7, 11, 7, 5, 13, 14, 6, 6, 6, 5, 4, 16, 7, 7, 7, 9, 10, 10, 6, 3, 10, 8, 4, 16, 10, 8, 4, 11, 6, 5, 9] program did not crash bisect: triggering crash without chunk #2 testing program (duration=20s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 8, 3, 7, 6, 6, 7, 7, 5, 5, 4, 15, 4, 5, 5, 9, 9, 8, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3] program crashed: KASAN: use-after-scope Read in __save_stack_trace bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <36>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <36>, [] bisect: chunk split: <36> => <18>, <18> bisect: triggering crash without chunk #1 testing program (duration=16s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 4, 7, 15, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3] program crashed: KASAN: use-after-scope Read in __save_stack_trace bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <18>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <18>, [] bisect: chunk split: <18> => <9>, <9> bisect: triggering crash without chunk #1 testing program (duration=13s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 11, 4, 7, 10, 9, 18, 10, 34, 3] program did not crash bisect: triggering crash without chunk #2 testing program (duration=13s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 10, 4, 7, 15, 28, 21, 12, 6, 5] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <9>, <9>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <9>, [<9>] bisect: chunk split: <9> => <4>, <5> bisect: triggering crash without chunk #1 testing program (duration=15s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 28, 21, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <5>, <9>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <5>, [<9>] bisect: chunk split: <5> => <2>, <3> bisect: triggering crash without chunk #1 testing program (duration=14s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3] program crashed: KASAN: use-after-scope Write in save_trace bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <3>, <9>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>], <3>, [<9>] bisect: chunk split: <3> => <1>, <2> bisect: triggering crash without chunk #1 testing program (duration=14s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 6, 5, 11, 4, 7, 10, 9, 18, 10, 34, 3] program did not crash bisect: triggering crash without chunk #2 testing program (duration=14s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 11, 4, 7, 10, 9, 18, 10, 34, 3] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <9>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>], <9>, [] bisect: chunk split: <9> => <4>, <5> bisect: triggering crash without chunk #1 testing program (duration=13s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 9, 18, 10, 34, 3] program did not crash bisect: triggering crash without chunk #2 testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 11, 4, 7, 10] program crashed: KASAN: use-after-scope Read in __save_stack_trace bisect: crashed, chunk #2 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <4>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>], <4>, [] bisect: chunk split: <4> => <2>, <2> bisect: triggering crash without chunk #1 testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 7, 10] program did not crash bisect: triggering crash without chunk #2 testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 11, 4] program did not crash bisect: not crashed, both chunks required bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <2>, <2>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>], <2>, [<2>] bisect: chunk split: <2> => <1>, <1> bisect: triggering crash without chunk #1 testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 4, 7, 10] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>, <2>] bisect: guilty chunks split: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>], <2>, [] bisect: chunk split: <2> => <1>, <1> bisect: triggering crash without chunk #1 testing program (duration=12s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): [18, 12, 3, 5, 4, 22, 12, 4, 10] program crashed: KASAN: use-after-scope Read in pud_huge bisect: crashed, chunk #1 evicted bisect: guilty chunks: [<1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>, <1>] bisect: success, 9 programs left bisect: 9 programs left: executing program 0: r0 = accept4$inet(0xffffffffffffff9c, 0x0, &(0x7f0000568000-0x4)=0x0, 0x80800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair(0x15, 0x3, 0x0, &(0x7f0000001000-0x8)={0x0, 0x0}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) lremovexattr(&(0x7f0000001000-0x8)='./file0\x00', &(0x7f0000002000-0x11)=@random={'btrfs.\x00', '^trusted\\\x00'}) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_AUTO_ASCONF(r2, 0x84, 0x1e, &(0x7f0000001000-0x4)=0x0, &(0x7f000054f000-0x4)=0x4) syncfs(r2) mmap(&(0x7f0000000000/0xff2000)=nil, 0xff2000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = syz_open_pts(r0, 0x100) mmap(&(0x7f0000ff2000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TIOCGSID(r3, 0x5429, &(0x7f0000ff3000-0x4)=0x0) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f000017e000)={0x0, 0x400, 0x9, [0xffffffff, 0x6, 0x2, 0x8, 0x3, 0x40, 0x0, 0x8000, 0x80000000]}, &(0x7f0000954000-0x4)=0x1a) mmap(&(0x7f0000ff3000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f0000ff3000)={r4, 0x6, 0x4}, &(0x7f00009d8000-0x4)=0x8) mmap(&(0x7f0000ff3000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff3000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f0000ff3000)={0x4, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000755000-0x1)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffff, 0xffffffffffffffff, 0x0) executing program 0: mmap(&(0x7f0000000000/0xfe7000)=nil, 0xfe7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) capset(&(0x7f00008d9000-0x8)={0x19980330, 0x0}, &(0x7f0000fda000+0x525)={0x0, 0x401, 0x0, 0x0, 0x0, 0x0}) r0 = dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x80000) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000fe7000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) recvmmsg(r0, &(0x7f0000fe8000-0x78)=[{{&(0x7f00001fb000-0x60)=@nfc_llcp={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/63, 0x0}, 0x60, &(0x7f0000fe7000)=[{&(0x7f0000c3d000-0x3)=""/3, 0x3}], 0x1, &(0x7f0000fe7000)=""/0, 0x0, 0x1}, 0xe4c7}, {{&(0x7f0000fe8000-0x6)=@hci={0x0, 0x0, 0x0}, 0x6, &(0x7f0000d25000)=[{&(0x7f0000fe7000)=""/9, 0x9}, {&(0x7f0000578000-0xaa)=""/170, 0xaa}, {&(0x7f0000fe8000-0x44)=""/68, 0x44}], 0x3, &(0x7f0000fe8000-0xb4)=""/180, 0xb4, 0x3f}, 0x1000}], 0x2, 0x40000040, &(0x7f0000fe7000)={0x0, 0x1c9c380}) executing program 0: ioctl$TIOCGPGRP(0xffffffffffffff9c, 0x540f, &(0x7f0000c86000)=0x0) prctl$setptracer(0x59616d61, r0) ioprio_get$uid(0x2000000000000000, 0x0) executing program 0: mmap(&(0x7f0000000000/0xd000)=nil, 0xd000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = memfd_create(&(0x7f0000000000)='ppp1em1\x00', 0x20000000000001) ftruncate(r0, 0x457e) fcntl$setstatus(r0, 0x4, 0x40000) sendfile(r0, r0, &(0x7f0000004000-0x8)=0xfffffffffffffffe, 0x1) executing program 0: mmap(&(0x7f0000000000/0x6000)=nil, 0x6000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = getpid() r1 = syz_open_procfs(r0, &(0x7f0000004000)='ns\x00') read(r1, &(0x7f0000006000-0x1000)=""/4096, 0x1000) executing program 0: r0 = socket$unix(0x1, 0x5, 0x0) r1 = getpgid(0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = syz_open_procfs(r1, &(0x7f0000000000)='net/fib_trie\x00') mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f0000000000)={0x7, 0x8000, 0x10001, 0x5, 0x0}, &(0x7f0000002000-0x4)=0x10) setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f0000000000)={0x7fffffff, 0x1, 0x5, 0x1, r3}, 0x10) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) pwritev(r2, &(0x7f0000003000-0x40)=[{&(0x7f0000003000-0x5b)="cffaa6bbddd0811b2bedf6d5b0e9b81db7a90b5e7ef059c123400f2ef14e29fad5ec92bdbaf558162b57ea08d5dacbe30477c09db824b87c8cdf7712466a0813010c9cb426ece37980f83adfc4fbb529a29b868af00a14a2dc01a8", 0x5b}, {&(0x7f0000003000-0x3)="98336c15e2", 0x5}, {&(0x7f0000002000)="ab4777713bca5e38b38e423391b790daea073a4d93120853cbff8c75a45ad93a7d77b7efe3dd6501204eb96cc90d6357", 0x30}, {&(0x7f0000002000)="3f8a532a2c4396b4ecab010d0413ede01e2251ec9cd60802e1f74cf53912f911a16b9e8e789c833f856836860cdfd56ca8f23faa96e79d553631bcdef8fd4aef1515290390c6ec37c4c557f2f55c3112d5a868d63bcfd329f06deaf4d92bdc2e39c4610b60ce7da75ad98e18934cb8d436c714905e886bd0561421fd93f672d69169a16dbafcd7da9556c32602755762c2d84796a1d38d5951691396d08839259a571cd127a99d0412fff6c55e3f5b0a70cfef029cb5f7ddb5ee", 0xba}], 0x4, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet6_MCAST_JOIN_GROUP(r2, 0x29, 0x2a, &(0x7f0000002000-0x88)={0x8, {{0xa, 0x2, 0x7fffffff, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x8}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, 0x88) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_opts(r2, 0x29, 0x37, &(0x7f0000001000)=""/31, &(0x7f0000002000)=0x1f) bind$unix(r0, &(0x7f0000000000)=@file={0x0, './file0\x00'}, 0xa) r4 = semget(0x1, 0x3, 0x4) semctl$SETALL(r4, 0x0, 0x11, &(0x7f0000003000-0x8)=[0x1, 0x4, 0x1ff, 0x1ff]) executing program 0: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x4000, 0x0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_inet_SIOCSIFNETMASK(r0, 0x891c, &(0x7f0000001000-0x20)={@generic="a1d96b096c872816a63308dfa274e68b", @ifru_addrs={0x2, 0x2, @rand_addr=0x6, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}) mmap(&(0x7f0000000000/0x14000)=nil, 0x14000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000011000)='net/tcp\x00') ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000013000-0x8)={0x0, 0x0}) mmap(&(0x7f0000014000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000004000)={0x8, &(0x7f0000014000)=[{0x7fff, 0x8, 0x9, 0x3ee8535e}, {0x9, 0xa0ba319, 0x7, 0x0}, {0x800000000, 0x1, 0x6, 0x6}, {0x81, 0x5, 0x4, 0x10001}, {0x40, 0x6, 0x8, 0x2}, {0x4, 0xe9, 0x9, 0x6b}, {0x80, 0x8001, 0x5, 0xfff}, {0x7fffffff, 0x7fffffff, 0xfffffffffffffffc, 0x0}]}, 0x10) r2 = socket$netlink(0x10, 0x3, 0x0) getsockopt$bt_hci(r0, 0x0, 0x0, &(0x7f0000010000-0x70)=""/112, &(0x7f000000f000)=0x70) sendfile(r2, r1, &(0x7f0000013000)=0x2000000000000002, 0x0) executing program 0: mmap(&(0x7f0000000000/0x5000)=nil, 0x5000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = add_key(&(0x7f0000002000-0xb)='cifs.idmap\x00', &(0x7f0000001000)={0x73, 0x79, 0x7a, 0x0, 0x0}, &(0x7f0000005000)="", 0x0, 0xfffffffffffffffb) add_key(&(0x7f0000001000)='dns_resolver\x00', &(0x7f0000000000)={0x73, 0x79, 0x7a, 0x3, 0x0}, 0x0, 0xd4, r0) executing program 0: mmap(&(0x7f0000000000/0xc000)=nil, 0xc000, 0x3, 0x32, 0xffffffffffffffff, 0x0) setrlimit(0x7, &(0x7f0000001000-0x10)={0x0, 0x0}) inotify_init1(0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(0xffffffffffffffff, 0xc00c642d, &(0x7f000000c000)={0x0, 0x80000, 0xffffffffffffffff}) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GEM_OPEN(0xffffffffffffffff, 0xc010640b, &(0x7f000000d000-0x10)={0x0, 0x0, 0x4}) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$autofs(0xffffffffffffff9c, &(0x7f000000d000-0xc)='/dev/autofs\x00', 0x0, 0x0) ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000006000)={r1, 0x80000, r2}) bisect: trying to concatenate testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): accept4$inet-mmap-socketpair-mmap-lremovexattr-mmap-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-mmap-syz_open_pts-mmap-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-mmap-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-mmap-mmap-perf_event_open-mmap-capset-dup3-mmap-mmap-mmap-mmap-mmap-mmap-mmap-mmap-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-mmap-memfd_create-ftruncate-fcntl$setstatus-sendfile-mmap-getpid-syz_open_procfs-read-socket$unix-getpgid-mmap-mmap-syz_open_procfs-mmap-mmap-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-mmap-mmap-mmap-mmap-mmap-pwritev-mmap-setsockopt$inet6_MCAST_JOIN_GROUP-mmap-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-mmap-openat$vcs-mmap-ioctl$sock_inet_SIOCSIFNETMASK-mmap-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-mmap-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-mmap-mmap-add_key-add_key-mmap-setrlimit-inotify_init1-mmap-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-mmap-ioctl$DRM_IOCTL_GEM_OPEN-mmap-openat$autofs-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD program crashed: KASAN: use-after-scope Read in pud_huge bisect: concatenation succeded found reproducer with 90 syscalls minimizing guilty program testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-ioctl$DRM_IOCTL_GEM_OPEN-openat$autofs-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD program crashed: KASAN: use-after-scope Read in __sync_icache_dcache testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-ioctl$DRM_IOCTL_GEM_OPEN-openat$autofs program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD-ioctl$DRM_IOCTL_GEM_OPEN program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1-ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit-inotify_init1 program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key-setrlimit program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key-add_key program crashed: KASAN: use-after-scope Write in save_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile-add_key program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci-sendfile program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink-getsockopt$bt_hci program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER-socket$netlink program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX-setsockopt$SO_ATTACH_FILTER program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs-ioctl$DRM_IOCTL_ADD_CTX program crashed: KASAN: use-after-scope Write in save_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK-syz_open_procfs program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs-ioctl$sock_inet_SIOCSIFNETMASK program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL-openat$vcs program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget-semctl$SETALL program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix-semget program crashed: KASAN: use-after-scope Write in save_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts-bind$unix program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP-getsockopt$inet6_opts program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev-setsockopt$inet6_MCAST_JOIN_GROUP program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-pwritev program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO-setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs-getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid-syz_open_procfs program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix-getpgid program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read-socket$unix program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs-read program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid-syz_open_procfs program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile-getpid program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus-sendfile program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate-fcntl$setstatus program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create-ftruncate program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid-memfd_create program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer-ioprio_get$uid program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP-prctl$setptracer program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg-ioctl$TIOCGPGRP program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3-recvmmsg program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset-dup3 program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open-capset program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE program did not crash testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-getsockopt$inet_sctp6_SCTP_RESET_STREAMS-perf_event_open program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-ioctl$TIOCGSID-perf_event_open program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-syz_open_pts-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-syncfs-perf_event_open program crashed: KASAN: use-after-scope Write in save_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-getsockopt$inet_sctp6_SCTP_AUTO_ASCONF-perf_event_open program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-lremovexattr-perf_event_open program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-socketpair-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-accept4$inet-perf_event_open program crashed: KASAN: use-after-scope Read in pud_huge testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): perf_event_open program did not crash extracting C reproducer testing compiled C program (duration=18s, {Threaded:true Collide:true Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Write in __save_stack_trace simplifying C reproducer testing compiled C program (duration=18s, {Threaded:true Collide:false Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:8 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program did not crash testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox:setuid Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Write in tcp_ack testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:true WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Write in __alloc_pages_nodemask testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:true Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Read in __save_stack_trace testing compiled C program (duration=18s, {Threaded:false Collide:false Repeat:true Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false HandleSegv:false WaitRepeat:false Debug:false Repro:true}): mmap-perf_event_open program crashed: KASAN: use-after-scope Read in tick_sched_handle reproducing took 4h14m45.302271036s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8 Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474 CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x350 show_stack+0x20/0x30 dump_stack+0x11c/0x198 print_address_description+0x60/0x270 kasan_report+0x248/0x348 __asan_load8+0x84/0xa8 tick_sched_handle.isra.5+0x64/0xa8 tick_sched_timer+0x50/0xe0 __hrtimer_run_queues+0x1dc/0x2c0 hrtimer_interrupt+0x180/0x390 arch_timer_handler_virt+0x44/0x70 handle_percpu_devid_irq+0xdc/0x1e8 generic_handle_irq+0x48/0x68 __handle_domain_irq+0x8c/0x108 gic_handle_irq+0x6c/0xd8 el1_irq+0xb0/0x128 get_page_from_freelist+0x628/0x1998 __alloc_pages_nodemask+0x244/0x1600 alloc_pages_current+0x128/0x1f0 __pte_alloc+0x8c/0x200 do_anonymous_page+0x844/0x9b0 __handle_mm_fault+0xb94/0x1528 handle_mm_fault+0x288/0x3e0 do_page_fault+0x398/0x630 do_translation_fault+0x90/0xb0 do_mem_abort+0xbc/0x208 el0_da+0x20/0x24 The buggy address belongs to the page: page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x4fffc00000000000() raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00 ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: use-after-scope in tick_sched_handle.isra.5+0x64/0xa8 Read of size 8 at addr ffff800073866578 by task syzkaller195252/1474 CPU: 0 PID: 1474 Comm: syzkaller195252 Not tainted 4.16.0 #2 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x350 show_stack+0x20/0x30 dump_stack+0x11c/0x198 print_address_description+0x60/0x270 kasan_report+0x248/0x348 __asan_load8+0x84/0xa8 tick_sched_handle.isra.5+0x64/0xa8 tick_sched_timer+0x50/0xe0 __hrtimer_run_queues+0x1dc/0x2c0 hrtimer_interrupt+0x180/0x390 arch_timer_handler_virt+0x44/0x70 handle_percpu_devid_irq+0xdc/0x1e8 generic_handle_irq+0x48/0x68 __handle_domain_irq+0x8c/0x108 gic_handle_irq+0x6c/0xd8 el1_irq+0xb0/0x128 get_page_from_freelist+0x628/0x1998 __alloc_pages_nodemask+0x244/0x1600 alloc_pages_current+0x128/0x1f0 __pte_alloc+0x8c/0x200 do_anonymous_page+0x844/0x9b0 __handle_mm_fault+0xb94/0x1528 handle_mm_fault+0x288/0x3e0 do_page_fault+0x398/0x630 do_translation_fault+0x90/0xb0 do_mem_abort+0xbc/0x208 el0_da+0x20/0x24 The buggy address belongs to the page: page:ffff7e0001ce1980 count:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x4fffc00000000000() raw: 4fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff raw: ffff7e0001ce19a0 ffff7e0001ce19a0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff800073866400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff800073866480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffff800073866500: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff800073866580: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff800073866600: f8 f8 f8 f8 f8 f8 00 00 00 00 00 00 00 00 00 00 ==================================================================