Re: Follow-up on Kernel Bug Report KASAN slab-use-after-free in __lock_acquire


Bai, Shuangpeng

May 13, 2024, 11:55:39 PMMay 13
to Ryusuke Konishi, Steven Rostedt, Bai, Shuangpeng, mi...@redhat.com, pet...@infradead.org, juri....@redhat.com, vincent...@linaro.org, dietmar....@arm.com, bse...@google.com, mgo...@suse.de, bri...@redhat.com, vsch...@redhat.com, syzk...@googlegroups.com
Hi kernel maintainers,

I triggered a similar UAF bug in Linux v6.8, where the freed object is a task. Here are the reproducer and the compilation config.

Please let me know of any updates. Thank you.

Best,
Shuangpeng





[ 248.467179][ C0] ==================================================================
[ 248.470293][ C0] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.474124][ C0] Write of size 4 at addr ffff888023b508d4 by task swapper/0/0
[ 248.474955][ C0]
[ 248.475226][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0 #6
[ 248.476039][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 248.477037][ C0] Call Trace:
[ 248.477418][ C0] <IRQ>
[ 248.477744][ C0] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 248.478275][ C0] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
[ 248.478787][ C0] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
[ 248.479303][ C0] ? _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.479916][ C0] kasan_report (mm/kasan/report.c:603)
[ 248.480422][ C0] ? _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.481343][ C0] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
[ 248.481874][ C0] _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.482296][ C0] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2164 ./include/linux/atomic/atomic-instrumented.h:1296 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.482716][ C0] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 248.483170][ C0] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 248.483626][ C0] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
[ 248.484035][ C0] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2164 ./include/linux/atomic/atomic-instrumented.h:1296 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 248.484413][ C0] ? run_posix_cpu_timers (kernel/time/posix-cpu-timers.c:1435)
[ 248.484826][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.485300][ C0] try_to_wake_up (kernel/sched/core.c:4253)
[ 248.485671][ C0] ? __pfx_try_to_wake_up (kernel/sched/core.c:4223)
[ 248.486077][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.486562][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.487032][ C0] call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
[ 248.487379][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.487847][ C0] __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)
[ 248.488240][ C0] ? __pfx___run_timers.part.0 (kernel/time/timer.c:2007)
[ 248.488665][ C0] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
[ 248.489065][ C0] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
[ 248.489458][ C0] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3))
[ 248.489802][ C0] ? sched_clock_cpu (kernel/sched/clock.c:394)
[ 248.490171][ C0] ? tick_program_event (kernel/time/tick-oneshot.c:45)
[ 248.490559][ C0] run_timer_softirq (kernel/time/timer.c:2053)
[ 248.490934][ C0] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
[ 248.491281][ C0] irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)
[ 248.491623][ C0] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
[ 248.492050][ C0] </IRQ>
[ 248.492278][ C0] <TASK>
[ 248.492504][ C0] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:649)
[ 248.492964][ C0] RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/kernel/process.c:743)
[ 248.493356][ C0] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d 19 18 45 00 0f 1f 44 00 00 fb f4 <fa> c30
All code
========
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: f3 0f 1e fa endbr64
10: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
15: eb 0c jmp 0x23
17: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1c: 0f 00 2d 19 18 45 00 verw 0x451819(%rip) # 0x45183c
23: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
28: fb sti
29: f4 hlt
2a:* fa cli <-- trapping instruction
2b: 30 .byte 0x30

Code starting with the faulting instruction
===========================================
0: fa cli
1: 30 .byte 0x30
[ 248.494787][ C0] RSP: 0018:ffffffff8c807e08 EFLAGS: 00000246
[ 248.495250][ C0] RAX: 0000000000041abc RBX: 0000000000000000 RCX: ffffffff8a213f3c
[ 248.495844][ C0] RDX: ffffed1017346c0e RSI: 0000000000000000 RDI: 0000000000000000
[ 248.496437][ C0] RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed1017346c0d
[ 248.497026][ C0] R10: ffff8880b9a3606b R11: ffffffff9188ec68 R12: 0000000000000000
[ 248.497618][ C0] R13: ffffffff8eaa2190 R14: 0000000000000000 R15: 0000000000000000
[ 248.498215][ C0] ? ct_kernel_exit (kernel/context_tracking.c:148 (discriminator 9))
[ 248.498594][ C0] default_idle_call (./include/linux/cpuidle.h:144 kernel/sched/idle.c:98)
[ 248.498971][ C0] do_idle (kernel/sched/idle.c:171 kernel/sched/idle.c:312)
[ 248.499300][ C0] ? __pfx_do_idle (kernel/sched/idle.c:238)
[ 248.499668][ C0] ? __pfx_kthreadd (kernel/kthread.c:737)
[ 248.500043][ C0] ? __radix_tree_lookup (lib/radix-tree.c:779)
[ 248.500458][ C0] cpu_startup_entry (kernel/sched/idle.c:409 (discriminator 1))
[ 248.500837][ C0] rest_init (init/main.c:703)
[ 248.501173][ C0] ? regulator_has_full_constraints (drivers/regulator/core.c:5915)
[ 248.501641][ C0] ? __pfx_x86_late_time_init (arch/x86/kernel/time.c:86)
[ 248.502084][ C0] arch_call_rest_init+0x13/0x40
[ 248.502477][ C0] start_kernel (init/main.c:971)
[ 248.502839][ C0] x86_64_start_reservations (arch/x86/kernel/head64.c:543)
[ 248.503276][ C0] x86_64_start_kernel (./arch/x86/include/asm/page_64.h:26 arch/x86/kernel/head64.c:326 arch/x86/kernel/head64.c:492)
[ 248.503728][ C0] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:461)
[ 248.504228][ C0] </TASK>
[ 248.504470][ C0]
[ 248.504656][ C0] Allocated by task 2:
[ 248.504972][ C0] kasan_save_stack (mm/kasan/common.c:48)
[ 248.505342][ C0] kasan_save_track (./arch/x86/include/asm/current.h:42 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 248.505710][ C0] __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
[ 248.506104][ C0] kmem_cache_alloc_node (mm/slub.c:3814 mm/slub.c:3860 mm/slub.c:3903)
[ 248.506524][ C0] copy_process (kernel/fork.c:1105 kernel/fork.c:2327)
[ 248.506885][ C0] kernel_clone (./include/linux/random.h:26 kernel/fork.c:2903)
[ 248.507241][ C0] kernel_thread (kernel/fork.c:2953)
[ 248.507597][ C0] kthreadd (kernel/kthread.c:413 kernel/kthread.c:764)
[ 248.507928][ C0] ret_from_fork (arch/x86/kernel/process.c:153)
[ 248.508290][ C0] ret_from_fork_asm (arch/x86/entry/entry_64.S:251)
[ 248.508666][ C0]
[ 248.508852][ C0] Freed by task 16:
[ 248.509148][ C0] kasan_save_stack (mm/kasan/common.c:48)
[ 248.509518][ C0] kasan_save_track (./arch/x86/include/asm/current.h:42 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 248.509899][ C0] kasan_save_free_info (mm/kasan/generic.c:592)
[ 248.510290][ C0] poison_slab_object (mm/kasan/common.c:240 mm/kasan/common.c:211)
[ 248.510682][ C0] __kasan_slab_free (mm/kasan/common.c:256)
[ 248.511059][ C0] kmem_cache_free (mm/slub.c:4299 mm/slub.c:4363)
[ 248.511431][ C0] delayed_put_task_struct (kernel/exit.c:230)
[ 248.511852][ C0] rcu_core (./arch/x86/include/asm/preempt.h:26 kernel/rcu/tree.c:2197 kernel/rcu/tree.c:2465)
[ 248.512182][ C0] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
[ 248.512587][ C0]
[ 248.512852][ C0] Last potentially related work creation:
[ 248.513396][ C0] kasan_save_stack (mm/kasan/common.c:48)
[ 248.513791][ C0] __kasan_record_aux_stack (mm/kasan/generic.c:551)
[ 248.514215][ C0] __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:103 kernel/rcu/tree.c:2716)
[ 248.514681][ C0] put_task_struct_rcu_user (kernel/exit.c:236)
[ 248.515097][ C0] __schedule (kernel/sched/core.c:6608)
[ 248.515452][ C0] schedule_idle (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/linux/thread_info.h:184 (discriminator 1) ./include/linux/sched.h:2102 (discriminator 1) kernel/sched/core.c:6844 (discriminator 1))
[ 248.515804][ C0] do_idle (kernel/sched/idle.c:238)
[ 248.516129][ C0] cpu_startup_entry (kernel/sched/idle.c:409 (discriminator 1))
[ 248.516508][ C0] rest_init (init/main.c:703)
[ 248.516848][ C0] arch_call_rest_init+0x13/0x40
[ 248.517246][ C0] start_kernel (init/main.c:971)
[ 248.517624][ C0] x86_64_start_reservations (arch/x86/kernel/head64.c:543)
[ 248.518154][ C0] x86_64_start_kernel (./arch/x86/include/asm/page_64.h:26 arch/x86/kernel/head64.c:326 arch/x86/kernel/head64.c:492)
[ 248.518551][ C0] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:461)
[ 248.519026][ C0]
[ 248.519213][ C0] The buggy address belongs to the object at ffff888023b50000
[ 248.519213][ C0] which belongs to the cache task_struct of size 4352
[ 248.520271][ C0] The buggy address is located 2260 bytes inside of
[ 248.520271][ C0] freed 4352-byte region [ffff888023b50000, ffff888023b51100)
[ 248.521601][ C0]
[ 248.521901][ C0] The buggy address belongs to the physical page:
[ 248.522395][ C0] page:ffffea00008ed400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23b50
[ 248.523166][ C0] head:ffffea00008ed400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 248.523842][ C0] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 248.524448][ C0] page_type: 0xffffffff()
[ 248.524787][ C0] raw: 00fff00000000840 ffff888012acf3c0 ffffea000053ba00 dead000000000002
[ 248.525487][ C0] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 248.526306][ C0] page dumped because: kasan: bad access detected
[ 248.526848][ C0] page_owner tracks the page as allocated
[ 248.527281][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOME7
[ 248.527300][ C0] post_alloc_hook (./include/linux/page_owner.h:31 mm/page_alloc.c:1533)
[ 248.527313][ C0] get_page_from_freelist (mm/page_alloc.c:1542 mm/page_alloc.c:3311)
[ 248.527325][ C0] __alloc_pages (mm/page_alloc.c:4570)
[ 248.527336][ C0] allocate_slab (mm/slub.c:2191 mm/slub.c:2354)
[ 248.527348][ C0] ___slab_alloc (mm/slub.c:3541)
[ 248.527361][ C0] __slab_alloc.constprop.0 (mm/slub.c:3625)
[ 248.534253][ C0] kmem_cache_alloc_node (mm/slub.c:3678 mm/slub.c:3850 mm/slub.c:3903)
[ 248.534670][ C0] copy_process (kernel/fork.c:1105 kernel/fork.c:2327)
[ 248.535031][ C0] kernel_clone (./include/linux/random.h:26 kernel/fork.c:2903)
[ 248.535382][ C0] user_mode_thread (kernel/fork.c:2971)
[ 248.535759][ C0] call_usermodehelper_exec_work (kernel/umh.c:174 kernel/umh.c:158)
[ 248.536223][ C0] process_one_work (kernel/workqueue.c:2638)
[ 248.536608][ C0] worker_thread (kernel/workqueue.c:2700 kernel/workqueue.c:2787)
[ 248.536971][ C0] kthread (kernel/kthread.c:388)
[ 248.537298][ C0] ret_from_fork (arch/x86/kernel/process.c:153)
[ 248.537652][ C0] ret_from_fork_asm (arch/x86/entry/entry_64.S:251)
[ 248.538055][ C0] page last free pid 6141 tgid 6141 stack trace:
[ 248.538539][ C0] free_unref_page_prepare (./include/linux/page_owner.h:24 mm/page_alloc.c:1140 mm/page_alloc.c:2346)
[ 248.538962][ C0] free_unref_page (mm/page_alloc.c:2486)
[ 248.539332][ C0] __put_partials (mm/slub.c:2917)
[ 248.539704][ C0] qlist_free_all (mm/kasan/quarantine.c:174)
[ 248.540071][ C0] kasan_quarantine_reduce (./include/linux/srcu.h:285 mm/kasan/quarantine.c:287)
[ 248.540497][ C0] __kasan_slab_alloc (mm/kasan/common.c:324)
[ 248.540881][ C0] __kmalloc_node (mm/slub.c:3814 mm/slub.c:3860 mm/slub.c:3980 mm/slub.c:3988)
[ 248.541254][ C0] kvmalloc_node (mm/util.c:623)
[ 248.541610][ C0] seq_read_iter (fs/seq_file.c:210)
[ 248.541994][ C0] kernfs_fop_read_iter (fs/kernfs/file.c:279)
[ 248.542398][ C0] vfs_read (fs/read_write.c:396 fs/read_write.c:476)
[ 248.542730][ C0] ksys_read (fs/read_write.c:620)
[ 248.543092][ C0] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 248.543451][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
[ 248.543949][ C0]
[ 248.544146][ C0] Memory state around the buggy address:
[ 248.544576][ C0] ffff888023b50780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 248.545186][ C0] ffff888023b50800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 248.545808][ C0] >ffff888023b50880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 248.546417][ C0] ^
[ 248.546925][ C0] ffff888023b50900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 248.547535][ C0] ffff888023b50980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 248.548145][ C0] ==================================================================
[ 248.548756][ C0] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 248.549301][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0 #6
[ 248.549902][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 248.550598][ C0] Call Trace:
[ 248.550860][ C0] <IRQ>
[ 248.551084][ C0] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 248.551447][ C0] panic (kernel/panic.c:344)
[ 248.551760][ C0] ? snprintf (lib/vsprintf.c:2954)
[ 248.552095][ C0] ? __pfx_panic (kernel/panic.c:278)
[ 248.552447][ C0] ? _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.552873][ C0] ? __pfx__printk (kernel/printk/printk.c:2323)
[ 248.553235][ C0] ? dump_page (./include/linux/page_owner.h:52 mm/debug.c:142)
[ 248.553595][ C0] ? check_panic_on_warn (kernel/panic.c:236)
[ 248.554003][ C0] ? _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.554432][ C0] check_panic_on_warn (kernel/panic.c:237)
[ 248.554822][ C0] end_report (mm/kasan/report.c:226)
[ 248.555153][ C0] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606)
[ 248.555499][ C0] ? _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.555928][ C0] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
[ 248.556307][ C0] _raw_spin_lock_irqsave (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1295 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.556719][ C0] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2164 ./include/linux/atomic/atomic-instrumented.h:1296 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 248.557147][ C0] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 248.557611][ C0] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 248.558074][ C0] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
[ 248.558489][ C0] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2164 ./include/linux/atomic/atomic-instrumented.h:1296 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 248.558868][ C0] ? run_posix_cpu_timers (kernel/time/posix-cpu-timers.c:1435)
[ 248.559281][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.559772][ C0] try_to_wake_up (kernel/sched/core.c:4253)
[ 248.560140][ C0] ? __pfx_try_to_wake_up (kernel/sched/core.c:4223)
[ 248.560547][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.561036][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.561522][ C0] call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
[ 248.561887][ C0] ? __pfx_nilfs_construction_timeout (fs/nilfs2/segment.c:2443)
[ 248.562374][ C0] __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)
[ 248.562779][ C0] ? __pfx___run_timers.part.0 (kernel/time/timer.c:2007)
[ 248.563219][ C0] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
[ 248.563634][ C0] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
[ 248.564042][ C0] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3))
[ 248.564390][ C0] ? sched_clock_cpu (kernel/sched/clock.c:394)
[ 248.564774][ C0] ? tick_program_event (kernel/time/tick-oneshot.c:45)
[ 248.565173][ C0] run_timer_softirq (kernel/time/timer.c:2053)
[ 248.565560][ C0] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
[ 248.565930][ C0] irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)
[ 248.566289][ C0] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
[ 248.566733][ C0] </IRQ>
[ 248.566964][ C0] <TASK>
[ 248.567195][ C0] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:649)
[ 248.567662][ C0] RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/kernel/process.c:743)
[ 248.568062][ C0] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d 19 18 45 00 0f 1f 44 00 00 fb f4 <fa> c30
All code
========
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: f3 0f 1e fa endbr64
10: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
15: eb 0c jmp 0x23
17: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1c: 0f 00 2d 19 18 45 00 verw 0x451819(%rip) # 0x45183c
23: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
28: fb sti
29: f4 hlt
2a:* fa cli <-- trapping instruction
2b: 30 .byte 0x30

Code starting with the faulting instruction
===========================================
0: fa cli
1: 30 .byte 0x30
[ 248.569522][ C0] RSP: 0018:ffffffff8c807e08 EFLAGS: 00000246
[ 248.569996][ C0] RAX: 0000000000041abc RBX: 0000000000000000 RCX: ffffffff8a213f3c
[ 248.570603][ C0] RDX: ffffed1017346c0e RSI: 0000000000000000 RDI: 0000000000000000
[ 248.571204][ C0] RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed1017346c0d
[ 248.571809][ C0] R10: ffff8880b9a3606b R11: ffffffff9188ec68 R12: 0000000000000000
[ 248.572412][ C0] R13: ffffffff8eaa2190 R14: 0000000000000000 R15: 0000000000000000
[ 248.573016][ C0] ? ct_kernel_exit (kernel/context_tracking.c:148 (discriminator 9))
[ 248.573397][ C0] default_idle_call (./include/linux/cpuidle.h:144 kernel/sched/idle.c:98)
[ 248.573781][ C0] do_idle (kernel/sched/idle.c:171 kernel/sched/idle.c:312)
[ 248.574110][ C0] ? __pfx_do_idle (kernel/sched/idle.c:238)
[ 248.574477][ C0] ? __pfx_kthreadd (kernel/kthread.c:737)
[ 248.574851][ C0] ? __radix_tree_lookup (lib/radix-tree.c:779)
[ 248.575267][ C0] cpu_startup_entry (kernel/sched/idle.c:409 (discriminator 1))
[ 248.575648][ C0] rest_init (init/main.c:703)
[ 248.575986][ C0] ? regulator_has_full_constraints (drivers/regulator/core.c:5915)
[ 248.576456][ C0] ? __pfx_x86_late_time_init (arch/x86/kernel/time.c:86)
[ 248.576887][ C0] arch_call_rest_init+0x13/0x40
[ 248.577279][ C0] start_kernel (init/main.c:971)
[ 248.577636][ C0] x86_64_start_reservations (arch/x86/kernel/head64.c:543)
[ 248.578068][ C0] x86_64_start_kernel (./arch/x86/include/asm/page_64.h:26 arch/x86/kernel/head64.c:326 arch/x86/kernel/head64.c:492)
[ 248.578461][ C0] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:461)
[ 248.578936][ C0] </TASK>
[ 248.579475][ C0] Kernel Offset: disabled
[ 248.579808][ C0] Rebooting in 86400 seconds..




> On Apr 1, 2024, at 12:52, Bai, Shuangpeng <sjb...@psu.edu> wrote:
>
> Here are the C reproducer and the kernel compile config. Please let me know if there is anything I can help with.
>
> Thanks for your attention!
>
> Best,
> Shuangpeng
>
>
>
> > On Apr 1, 2024, at 12:47, Ryusuke Konishi <konishi...@gmail.com> wrote:
> >
> > On Tue, Apr 2, 2024 at 12:08 AM Steven Rostedt wrote:
> >>
> >> On Sun, 31 Mar 2024 03:54:25 +0000
> >> "Bai, Shuangpeng" <sjb...@psu.edu> wrote:
> >>
> >>> Dear Maintainers,
> >>>
> >>> I hope you're well. I'm reaching out to inquire about any progress made regarding the kernel vulnerability report we submitted several months ago. Any updates you can provide would be greatly appreciated.
> >>>
> >>> Thank you for your attention to this matter.
> >>>
> >>> Best regards,
> >>> Shuangpeng Bai
> >>>
> >>>> On Nov 7, 2023, at 16:15, Bai, Shuangpeng <ba...@psu.edu> wrote:
> >>>>
> >>>>
> >>>> This previous report was already generated from the kernel with CONFIG_DEBUG_OBJECTS_TIMERS=y.
> >>>> I re-ran the reproducer and got a new report. I checked it and found that some stack traces changed,
> >>>> but did not find more debug output. I will provide the new report for you to check.
> >>>>
> >>>> Besides, this reproducer has to be compiled with the flag -lpthread and it needs several minutes
> >>>> to trigger this bug. Therefore, this bug may be a multi-thread issue.
> >>>>
> >>>> # starting with repeated NILFS messages
> >>>> [  352.714485][T18659] NILFS (loop2): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  352.718614][T18659] NILFS (loop2): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>
> >>
> >> This looks like an issue with NILFS, I added the maintainer to the Cc.
> >> It may possibly be freeing a timer while it is still queued.
> >> There's a new timer_shutdown() call that should be called on timers that
> >> are about to be freed.
> >>
> >> -- Steve
> >
> > This reproducer appears to be performing some kind of fuzzing or
> > stress testing on NILFS.
> >
> > Shuangpeng, could you send me the information about the reproducer?
> >
> > I'm fixing the issues reported by syzbot one by one, and I'm currently
> > digging into a thread cleanup issue when unmounting the file system.
> > This timer issue might be related to that.
> >
> > Regards,
> > Ryusuke Konishi
> >
> >>
> >>
> >>>> [  352.752798][T18661] loop1: detected capacity change from 0 to 4096
> >>>> [  352.768928][T18669] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  352.782515][T18661] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  352.812504][T18661] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  352.874996][T18675] NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  352.958343][T18668] loop0: detected capacity change from 0 to 4096
> >>>> [  352.975915][T18668] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  352.989207][T18668] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.045594][T18684] NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.077724][T18677] loop3: detected capacity change from 0 to 4096
> >>>> [  353.106242][T18677] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.122939][T18677] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.152833][T18680] loop2: detected capacity change from 0 to 4096
> >>>> [  353.163071][T18691] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.187294][T18680] NILFS (loop2): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.196134][T18680] NILFS (loop2): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.235813][T18693] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.342703][T18687] loop1: detected capacity change from 0 to 4096
> >>>> [  353.382688][T18696] loop0: detected capacity change from 0 to 4096
> >>>> [  353.412304][T18687] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.415704][T18696] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.422680][T18687] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.425542][T18696] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.448337][T18700] NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.460781][T18701] NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.661179][T18704] loop3: detected capacity change from 0 to 4096
> >>>> [  353.693584][T18704] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.714622][T18704] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.777468][T18719] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.861292][T18714] loop2: detected capacity change from 0 to 4096
> >>>> [  353.884017][T18714] NILFS (loop2): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.907060][T18714] NILFS (loop2): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.949163][T18727] NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  353.951656][T18718] loop0: detected capacity change from 0 to 4096
> >>>> [  353.964327][T18718] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  353.976041][T18718] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  353.986114][   T31] kauditd_printk_skb: 30 callbacks suppressed
> >>>> [  353.986130][   T31] audit: type=1800 audit(1699388315.168:1613): pid=18729 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  354.016406][T18720] loop1: detected capacity change from 0 to 4096
> >>>> [  354.023631][T18730] NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  354.045193][T18720] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  354.060154][T18720] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  354.067333][   T31] audit: type=1800 audit(1699388315.248:1614): pid=18731 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  354.122986][T18732] NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  354.144287][   T31] audit: type=1800 audit(1699388315.328:1615): pid=18735 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  354.146625][T18726] loop3: detected capacity change from 0 to 4096
> >>>> [  354.188121][T18726] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  354.196809][T18726] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  354.242828][T18740] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  354.304330][   T31] audit: type=1800 audit(1699388315.488:1616): pid=18742 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  359.086250][   T31] kauditd_printk_skb: 25 callbacks suppressed
> >>>> [  359.086267][   T31] audit: type=1800 audit(1699388320.268:1648): pid=18953 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  359.120347][T18943] loop3: detected capacity change from 0 to 4096
> >>>> [  359.178847][T18943] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  359.181823][T18949] loop1: detected capacity change from 0 to 4096
> >>>> [  359.189125][T18943] NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  359.207912][T18949] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  359.237458][T18949] NILFS (loop1): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  359.253873][T18958] NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  359.325356][T18959] NILFS (loop1): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
> >>>> [  359.362129][   T31] audit: type=1800 audit(1699388320.538:1649): pid=18960 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  359.436270][   T31] audit: type=1800 audit(1699388320.568:1650): pid=18961 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:uncon0
> >>>> [  359.460548][T18955] loop0: detected capacity change from 0 to 4096
> >>>> [  359.480389][T18955] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 1024)
> >>>> [  359.487106][T18955] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 4096)
> >>>> [  359.576524][    C0] ==================================================================
> >>>> [ 359.578242][ C0] BUG: KASAN: slab-use-after-free in __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [  359.580730][    C0] Read of size 8 at addr ffff888078a7aa88 by task systemd/1
> >>>> [  359.581927][    C0]
> >>>> [  359.582963][    C0] CPU: 0 PID: 1 Comm: systemd Not tainted 6.6.0-06824-g8bc9e6515183 #4
> >>>> [  359.584677][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> >>>> [  359.588858][    C0] Call Trace:
> >>>> [  359.589599][    C0]  <IRQ>
> >>>> [ 359.590378][ C0] dump_stack_lvl (lib/dump_stack.c:107)
> >>>> [ 359.591490][ C0] print_report (mm/kasan/report.c:365 mm/kasan/report.c:475)
> >>>> [ 359.592426][ C0] ? __virt_addr_valid (arch/x86/mm/physaddr.c:66)
> >>>> [ 359.593490][ C0] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
> >>>> [ 359.594431][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.595430][ C0] kasan_report (mm/kasan/report.c:590)
> >>>> [ 359.596320][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.597340][ C0] __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.598325][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.599591][ C0] ? lockdep_unlock (kernel/locking/lockdep.c:157)
> >>>> [ 359.600584][ C0] ? __lock_acquire (kernel/locking/lockdep.c:186 kernel/locking/lockdep.c:3872 kernel/locking/lockdep.c:5136)
> >>>> [ 359.601616][ C0] lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5755 kernel/locking/lockdep.c:5718)
> >>>> [ 359.602565][ C0] ? try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>> [ 359.603537][ C0] ? lock_sync (kernel/locking/lockdep.c:5721)
> >>>> [ 359.604449][ C0] ? __lock_acquire (./arch/x86/include/asm/bitops.h:228 ./arch/x86/include/asm/bitops.h:240 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228 kernel/locking/lockdep.c:3780 kernel/locking/lockdep.c:3836 kernel/locking/lockdep.c:5136)
> >>>> [ 359.605470][ C0] ? _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:108 kernel/locking/spinlock.c:162)
> >>>> [ 359.606546][ C0] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>> [ 359.607763][ C0] _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> >>>> [ 359.608827][ C0] ? try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>> [ 359.609818][ C0] try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>> [ 359.610788][ C0] ? sched_ttwu_pending (kernel/sched/core.c:4196)
> >>>> [ 359.611791][ C0] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:100 kernel/locking/spinlock_debug.c:140)
> >>>> [ 359.612769][ C0] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>> [ 359.613920][ C0] call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
> >>>> [ 359.614795][ C0] ? timer_shutdown_sync (kernel/time/timer.c:1677)
> >>>> [ 359.615699][ C0] ? lock_downgrade (kernel/locking/lockdep.c:5761)
> >>>> [ 359.616616][ C0] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
> >>>> [ 359.617526][ C0] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>> [ 359.618660][ C0] __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
> >>>> [ 359.619582][ C0] ? call_timer_fn (kernel/time/timer.c:1995)
> >>>> [ 359.620451][ C0] ? __wake_up_locked_sync_key (kernel/sched/clock.c:389)
> >>>> [ 359.621468][ C0] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
> >>>> [ 359.622388][ C0] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3))
> >>>> [ 359.623148][ C0] ? sched_clock_cpu (kernel/sched/clock.c:394)
> >>>> [ 359.624006][ C0] ? tick_program_event (kernel/time/tick-oneshot.c:45)
> >>>> [ 359.624927][ C0] run_timer_softirq (kernel/time/timer.c:2037)
> >>>> [ 359.625783][ C0] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
> >>>> [ 359.626648][ C0] irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)
> >>>> [ 359.627465][ C0] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
> >>>> [  359.628483][    C0]  </IRQ>
> >>>> [  359.629026][    C0]  <TASK>
> >>>> [ 359.629580][ C0] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
> >>>> [ 359.630661][ C0] RIP: 0010:__sanitizer_cov_trace_pc (kernel/kcov.c:225)
> >>>> [ 359.631756][ C0] Code: 82 e8 15 00 00 83 f8 02 75 20 48 8b 8a f0 15 00 00 8b 92 ec 15 00 00 48 8b 01 48 83 c0 01 48 39 c2 76 076
> >>>>
> >>>> Code starting with the faulting instruction
> >>>> ===========================================
> >>>>  0: 82                    (bad)
> >>>>  1: e8 15 00 00 83        call   0xffffffff8300001b
> >>>>  6: f8                    clc
> >>>>  7: 02 75 20              add    0x20(%rbp),%dh
> >>>>  a: 48 8b 8a f0 15 00 00  mov    0x15f0(%rdx),%rcx
> >>>> 11: 8b 92 ec 15 00 00     mov    0x15ec(%rdx),%edx
> >>>> 17: 48 8b 01              mov    (%rcx),%rax
> >>>> 1a: 48 83 c0 01           add    $0x1,%rax
> >>>> 1e: 48 39 c2              cmp    %rax,%rdx
> >>>> 21: 76 76                 jbe    0x99
> >>>> [  359.634714][    C0] RSP: 0018:ffffc900004975c0 EFLAGS: 00000293
> >>>> [  359.635262][    C0] RAX: 0000000000000000 RBX: ffffc90000497688 RCX: ffffffff8139d476
> >>>> [  359.635961][    C0] RDX: ffff888012eda080 RSI: ffffffff8139d4d5 RDI: 0000000000000005
> >>>> [  359.636641][    C0] RBP: ffffc900004979c8 R08: 0000000000000005 R09: 0000000000000000
> >>>> [  359.637333][    C0] R10: 0000000000000001 R11: 0000000000000001 R12: ffffc90000497690
> >>>> [  359.638032][    C0] R13: ffffc90000497698 R14: 0000000000000001 R15: ffffc90000498000
> >>>> [ 359.638713][ C0] ? stack_access_ok (./arch/x86/include/asm/stacktrace.h:60 arch/x86/kernel/unwind_orc.c:393)
> >>>> [ 359.639152][ C0] ? stack_access_ok (arch/x86/kernel/unwind_orc.c:398)
> >>>> [ 359.639586][ C0] stack_access_ok (arch/x86/kernel/unwind_orc.c:398)
> >>>> [ 359.640009][ C0] unwind_next_frame (arch/x86/kernel/unwind_orc.c:403 arch/x86/kernel/unwind_orc.c:585)
> >>>> [ 359.640458][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.640891][ C0] ? write_profile (kernel/stacktrace.c:83)
> >>>> [ 359.641314][ C0] arch_stack_walk (./arch/x86/include/asm/unwind.h:50 arch/x86/kernel/stacktrace.c:24)
> >>>> [ 359.641725][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.642155][ C0] stack_trace_save (kernel/stacktrace.c:123)
> >>>> [ 359.642572][ C0] ? filter_irq_stacks (kernel/stacktrace.c:114)
> >>>> [ 359.643012][ C0] ? __lock_acquire (./arch/x86/include/asm/bitops.h:228 ./arch/x86/include/asm/bitops.h:240 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228 kernel/locking/lockdep.c:3780 kernel/locking/lockdep.c:3836 kernel/locking/lockdep.c:5136)
> >>>> [ 359.643464][ C0] kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.643888][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.644319][ C0] ? kasan_save_stack (mm/kasan/common.c:47)
> >>>> [ 359.644746][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.645175][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.645703][ C0] ? alloc_empty_file (fs/file_table.c:217)
> >>>> [ 359.646149][ C0] ? path_openat (fs/namei.c:3766)
> >>>> [ 359.646561][ C0] ? do_filp_open (fs/namei.c:3810)
> >>>> [ 359.647031][ C0] ? do_sys_openat2 (fs/open.c:1441)
> >>>> [ 359.647464][ C0] ? __x64_sys_openat (fs/open.c:1466)
> >>>> [ 359.647907][ C0] ? do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
> >>>> [ 359.648328][ C0] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
> >>>> [ 359.648861][ C0] ? stack_access_ok (arch/x86/kernel/unwind_orc.c:398)
> >>>> [ 359.649294][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.649821][ C0] ? find_held_lock (kernel/locking/lockdep.c:5243)
> >>>> [ 359.650254][ C0] ? kmem_cache_alloc (./include/linux/sched/mm.h:306 mm/slab.h:709 mm/slab.c:3221 mm/slab.c:3246 mm/slab.c:3423 mm/slab.c:3432)
> >>>> [ 359.650693][ C0] kasan_set_track (mm/kasan/common.c:52)
> >>>> [ 359.651101][ C0] __kasan_slab_alloc (mm/kasan/common.c:328)
> >>>> [ 359.651532][ C0] kmem_cache_alloc (mm/slab.h:763 mm/slab.c:3237 mm/slab.c:3246 mm/slab.c:3423 mm/slab.c:3432)
> >>>> [ 359.651963][ C0] security_file_alloc (security/security.c:612 security/security.c:2603)
> >>>> [ 359.652415][ C0] ? kmem_cache_alloc (./include/trace/events/kmem.h:12 ./include/trace/events/kmem.h:12 mm/slab.c:3425 mm/slab.c:3432)
> >>>> [ 359.652858][ C0] init_file (fs/file_table.c:167)
> >>>> [ 359.653227][ C0] alloc_empty_file (fs/file_table.c:221)
> >>>> [ 359.653650][ C0] path_openat (fs/namei.c:3766)
> >>>> [ 359.654051][ C0] ? path_lookupat (fs/namei.c:3761)
> >>>> [ 359.654629][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.655148][ C0] do_filp_open (fs/namei.c:3810)
> >>>> [ 359.655543][ C0] ? may_open_dev (fs/namei.c:3803)
> >>>> [ 359.655935][ C0] ? find_held_lock (kernel/locking/lockdep.c:5243)
> >>>> [ 359.656348][ C0] ? alloc_fd (fs/file.c:555 (discriminator 10))
> >>>> [ 359.656724][ C0] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2164 ./include/linux/atomic/atomic-instrumented.h:1296 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:115)
> >>>> [ 359.657160][ C0] ? spin_bug (kernel/locking/spinlock_debug.c:113)
> >>>> [ 359.657539][ C0] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:104 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
> >>>> [ 359.657970][ C0] ? alloc_fd (fs/file.c:555 (discriminator 10))
> >>>> [ 359.658363][ C0] do_sys_openat2 (fs/open.c:1441)
> >>>> [ 359.658805][ C0] ? build_open_flags (fs/open.c:1426)
> >>>> [ 359.659262][ C0] ? __do_sys_lstat (fs/stat.c:441)
> >>>> [ 359.659695][ C0] __x64_sys_openat (fs/open.c:1466)
> >>>> [ 359.660126][ C0] ? __ia32_sys_open (fs/open.c:1466)
> >>>> [ 359.660567][ C0] ? syscall_enter_from_user_mode (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/entry/common.c:111)
> >>>> [ 359.661082][ C0] do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
> >>>> [ 359.661484][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
> >>>> [  359.661999][    C0] RIP: 0033:0x7f4db67214fc
> >>>> [ 359.662614][ C0] Code: 24 18 31 c0 41 83 e2 40 75 44 89 f0 25 00 00 41 00 3d 00 00 41 00 74 36 44 89 c2 4c 89 ce bf 9c ff ff ff0
> >>>>
> >>>> Code starting with the faulting instruction
> >>>> ===========================================
> >>>>  0: 24 18                 and    $0x18,%al
> >>>>  2: 31 c0                 xor    %eax,%eax
> >>>>  4: 41 83 e2 40           and    $0x40,%r10d
> >>>>  8: 75 44                 jne    0x4e
> >>>>  a: 89 f0                 mov    %esi,%eax
> >>>>  c: 25 00 00 41 00        and    $0x410000,%eax
> >>>> 11: 3d 00 00 41 00        cmp    $0x410000,%eax
> >>>> 16: 74 36                 je     0x4e
> >>>> 18: 44 89 c2              mov    %r8d,%edx
> >>>> 1b: 4c 89 ce              mov    %r9,%rsi
> >>>> 1e: bf 9c ff ff f0        mov    $0xf0ffff9c,%edi
> >>>> [  359.664272][    C0] RSP: 002b:00007fff2b4412a0 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
> >>>> [  359.664998][    C0] RAX: ffffffffffffffda RBX: 000000000000002f RCX: 00007f4db67214fc
> >>>> [  359.665681][    C0] RDX: 0000000000090800 RSI: 0000558cb4fdc950 RDI: 00000000ffffff9c
> >>>> [  359.666369][    C0] RBP: 00007fff2b441420 R08: 0000000000090800 R09: 0000558cb4fdc950
> >>>> [  359.667050][    C0] R10: 0000000000000000 R11: 0000000000000287 R12: 0000558cb4fdc950
> >>>> [  359.667729][    C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> >>>> [  359.668411][    C0]  </TASK>
> >>>> [  359.668685][    C0]
> >>>> [  359.668895][    C0] Allocated by task 1023:
> >>>> [ 359.669271][ C0] kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.669688][ C0] kasan_set_track (mm/kasan/common.c:52)
> >>>> [ 359.670104][ C0] __kasan_slab_alloc (mm/kasan/common.c:328)
> >>>> [ 359.670531][ C0] kmem_cache_alloc_node (mm/slab.h:763 mm/slab.c:3237 mm/slab.c:3509)
> >>>> [ 359.670990][ C0] copy_process (kernel/fork.c:1111 kernel/fork.c:2325)
> >>>> [ 359.671399][ C0] kernel_clone (./include/linux/random.h:26 kernel/fork.c:2908)
> >>>> [ 359.671789][ C0] user_mode_thread (kernel/fork.c:2976)
> >>>> [ 359.672204][ C0] call_usermodehelper_exec_work (kernel/umh.c:174 kernel/umh.c:158)
> >>>> [ 359.672719][ C0] process_one_work (kernel/workqueue.c:2635)
> >>>> [ 359.673157][ C0] worker_thread (kernel/workqueue.c:2697 kernel/workqueue.c:2784)
> >>>> [ 359.673570][ C0] kthread (kernel/kthread.c:388)
> >>>> [ 359.673933][ C0] ret_from_fork (arch/x86/kernel/process.c:153)
> >>>> [ 359.674336][ C0] ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
> >>>> [  359.674754][    C0]
> >>>> [  359.674964][    C0] Freed by task 15:
> >>>> [ 359.675299][ C0] kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.675714][ C0] kasan_set_track (mm/kasan/common.c:52)
> >>>> [ 359.676123][ C0] kasan_save_free_info (mm/kasan/generic.c:524)
> >>>> [ 359.676565][ C0] ____kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200)
> >>>> [ 359.677013][ C0] kmem_cache_free (mm/slab.c:3370 mm/slab.c:3557 mm/slab.c:3582 mm/slab.c:3575)
> >>>> [ 359.677433][ C0] delayed_put_task_struct (./include/linux/sched/task.h:137 ./include/linux/sched/task.h:123 kernel/exit.c:226)
> >>>> [ 359.677904][ C0] rcu_core (./include/linux/rcupdate.h:306 kernel/rcu/tree.c:2155 kernel/rcu/tree.c:2417)
> >>>> [ 359.678281][ C0] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
> >>>> [  359.678675][    C0]
> >>>> [  359.678879][    C0] Last potentially related work creation:
> >>>> [ 359.679358][ C0] kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.679773][ C0] __kasan_record_aux_stack (mm/kasan/generic.c:492)
> >>>> [ 359.680239][ C0] __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:103 kernel/rcu/tree.c:2668)
> >>>> [ 359.680754][ C0] put_task_struct_rcu_user (kernel/exit.c:233)
> >>>> [ 359.681226][ C0] schedule_tail (kernel/sched/core.c:5308)
> >>>> [ 359.681609][ C0] ret_from_fork (arch/x86/kernel/process.c:146)
> >>>> [ 359.682000][ C0] ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
> >>>> [  359.682425][    C0]
> >>>> [  359.682634][    C0] Second to last potentially related work creation:
> >>>> [ 359.683194][ C0] kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.683610][ C0] __kasan_record_aux_stack (mm/kasan/generic.c:492)
> >>>> [ 359.684081][ C0] __call_rcu_common.constprop.0 (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:103 kernel/rcu/tree.c:2668)
> >>>> [ 359.684599][ C0] put_task_struct_rcu_user (kernel/exit.c:233)
> >>>> [ 359.685068][ C0] __schedule (kernel/sched/core.c:6569)
> >>>> [ 359.685453][ C0] schedule (kernel/sched/core.c:6764 kernel/sched/core.c:6778)
> >>>> [ 359.685810][ C0] syslog_print (kernel/printk/printk.c:1579 (discriminator 9))
> >>>> [ 359.686206][ C0] do_syslog.part.0 (kernel/printk/printk.c:1732)
> >>>> [ 359.686629][ C0] do_syslog (kernel/printk/printk.c:1717)
> >>>> [ 359.686994][ C0] kmsg_read (fs/proc/kmsg.c:37)
> >>>> [ 359.687359][ C0] proc_reg_read (fs/proc/inode.c:316 fs/proc/inode.c:326)
> >>>> [ 359.687765][ C0] vfs_read (fs/read_write.c:468)
> >>>> [ 359.688135][ C0] ksys_read (fs/read_write.c:614)
> >>>> [ 359.688509][ C0] do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
> >>>> [ 359.688913][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
> >>>> [  359.690229][    C0]
> >>>> [  359.690448][    C0] The buggy address belongs to the object at ffff888078a7a080
> >>>> [  359.690448][    C0]  which belongs to the cache task_struct of size 7040
> >>>> [  359.691757][    C0] The buggy address is located 2568 bytes inside of
> >>>> [  359.691757][    C0]  freed 7040-byte region [ffff888078a7a080, ffff888078a7bc00)
> >>>> [  359.693085][    C0]
> >>>> [  359.693331][    C0] The buggy address belongs to the physical page:
> >>>> [  359.701955][    C0] page:ffffea0001e29e80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78a7a
> >>>> [  359.707962][    C0] head:ffffea0001e29e80 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> >>>> [  359.710802][    C0] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
> >>>> [  359.720623][    C0] page_type: 0x1()
> >>>> [  359.721378][    C0] raw: 00fff00000000840 ffff888140056400 ffffea0001de7190 ffffea0001cd4290
> >>>> [  359.729672][    C0] raw: 0000000000000000 ffff888078a7a080 0000000100000001 0000000000000000
> >>>> [  359.731430][    C0] page dumped because: kasan: bad access detected
> >>>> [  359.732917][    C0] page_owner tracks the page as allocated
> >>>> [  359.734150][    C0] page last allocated via order 1, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP5
> >>>> [ 359.737414][ C0] post_alloc_hook (./include/linux/page_owner.h:31 mm/page_alloc.c:1536)
> >>>> [ 359.738074][ C0] get_page_from_freelist (mm/page_alloc.c:1545 mm/page_alloc.c:3170)
> >>>> [ 359.738957][ C0] __alloc_pages (mm/page_alloc.c:4427)
> >>>> [ 359.739367][ C0] cache_grow_begin (mm/slab.c:1357 mm/slab.c:2550)
> >>>> [ 359.739875][ C0] cache_alloc_refill (mm/slab.c:394 mm/slab.c:2929)
> >>>> [ 359.740430][ C0] kmem_cache_alloc_node (mm/slab.c:2999 mm/slab.c:2982 mm/slab.c:3182 mm/slab.c:3230 mm/slab.c:3509)
> >>>> [ 359.742775][ C0] copy_process (kernel/fork.c:1111 kernel/fork.c:2325)
> >>>> [ 359.743887][ C0] kernel_clone (./include/linux/random.h:26 kernel/fork.c:2908)
> >>>> [ 359.744938][ C0] __do_sys_clone (kernel/fork.c:3039)
> >>>> [ 359.746261][ C0] do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
> >>>> [ 359.747657][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
> >>>> [  359.749060][    C0] page last free stack trace:
> >>>> [ 359.750458][ C0] free_unref_page_prepare (./include/linux/page_owner.h:24 mm/page_alloc.c:1136 mm/page_alloc.c:2312)
> >>>> [ 359.751911][ C0] free_unref_page (mm/page_alloc.c:2405)
> >>>> [ 359.753121][ C0] slabs_destroy (mm/slab.c:1614 mm/slab.c:1628)
> >>>> [ 359.754275][ C0] ___cache_free (mm/slab.c:3342 mm/slab.c:3404)
> >>>> [ 359.755480][ C0] qlist_free_all (mm/kasan/quarantine.c:169 mm/kasan/quarantine.c:185)
> >>>> [ 359.759274][ C0] kasan_quarantine_reduce (./include/linux/srcu.h:285 mm/kasan/quarantine.c:293)
> >>>> [ 359.760712][ C0] __kasan_slab_alloc (mm/kasan/common.c:307)
> >>>> [ 359.761958][ C0] __kmem_cache_alloc_node (mm/slab.h:763 mm/slab.c:3237 mm/slab.c:3521)
> >>>> [ 359.763375][ C0] __kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1007 mm/slab_common.c:1020)
> >>>> [ 359.764169][ C0] tomoyo_encode2.part.0 (security/tomoyo/realpath.c:46)
> >>>> [ 359.765230][ C0] tomoyo_encode (security/tomoyo/realpath.c:31 security/tomoyo/realpath.c:80)
> >>>> [ 359.766235][ C0] tomoyo_realpath_from_path (security/tomoyo/realpath.c:286)
> >>>> [ 359.767773][ C0] tomoyo_check_open_permission (security/tomoyo/file.c:152 security/tomoyo/file.c:771)
> >>>> [ 359.769066][ C0] tomoyo_file_open (security/tomoyo/tomoyo.c:332 security/tomoyo/tomoyo.c:327)
> >>>> [ 359.770169][ C0] security_file_open (security/security.c:2836 (discriminator 13))
> >>>> [ 359.771275][ C0] do_dentry_open (fs/open.c:936)
> >>>> [  359.772318][    C0]
> >>>> [  359.772754][    C0] Memory state around the buggy address:
> >>>> [  359.773907][    C0]  ffff888078a7a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >>>> [  359.776112][    C0]  ffff888078a7aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >>>> [  359.779415][    C0] >ffff888078a7aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >>>> [  359.781466][    C0]                       ^
> >>>> [  359.782523][    C0]  ffff888078a7ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >>>> [  359.784487][    C0]  ffff888078a7ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >>>> [  359.786457][    C0] ==================================================================
> >>>> [  359.789070][    C0] Kernel panic - not syncing: KASAN: panic_on_warn set ...
> >>>> [  359.790040][    C0] CPU: 0 PID: 1 Comm: systemd Not tainted 6.6.0-06824-g8bc9e6515183 #4
> >>>> [  359.790927][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> >>>> [  359.791829][    C0] Call Trace:
> >>>> [  359.799854][    C0]  <IRQ>
> >>>> [ 359.800719][ C0] dump_stack_lvl (lib/dump_stack.c:107)
> >>>> [ 359.802588][ C0] panic (kernel/panic.c:340)
> >>>> [ 359.804193][ C0] ? panic_smp_self_stop+0xa0/0xa0
> >>>> [ 359.805979][ C0] ? lock_downgrade (kernel/locking/lockdep.c:5761)
> >>>> [ 359.809995][ C0] ? dump_page (./include/linux/page_owner.h:52 mm/debug.c:142)
> >>>> [ 359.811057][ C0] ? check_panic_on_warn (kernel/panic.c:235)
> >>>> [ 359.812171][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.813293][ C0] check_panic_on_warn (kernel/panic.c:236)
> >>>> [ 359.814456][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.815524][ C0] end_report (mm/kasan/report.c:225)
> >>>> [ 359.816541][ C0] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:593)
> >>>> [ 359.818627][ C0] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.819869][ C0] __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>> [ 359.821075][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.822467][ C0] ? lockdep_unlock (kernel/locking/lockdep.c:157)
> >>>> [ 359.823567][ C0] ? __lock_acquire (kernel/locking/lockdep.c:186 kernel/locking/lockdep.c:3872 kernel/locking/lockdep.c:5136)
> >>>> [ 359.824760][ C0] lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5755 kernel/locking/lockdep.c:5718)
> >>>> [ 359.825842][ C0] ? try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>> [ 359.826934][ C0] ? lock_sync (kernel/locking/lockdep.c:5721)
> >>>> [ 359.829033][ C0] ? __lock_acquire (./arch/x86/include/asm/bitops.h:228 ./arch/x86/include/asm/bitops.h:240 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228 kernel/locking/lockdep.c:3780 kernel/locking/lockdep.c:3836 kernel/locking/lockdep.c:5136)
> >>>> [ 359.830197][ C0] ? _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:108 kernel/locking/spinlock.c:162)
> >>>> [ 359.831320][ C0] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>> [ 359.832592][ C0] _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> >>>> [ 359.833708][ C0] ? try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>> [ 359.834758][ C0] try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>> [ 359.835759][ C0] ? sched_ttwu_pending (kernel/sched/core.c:4196)
> >>>> [ 359.836879][ C0] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:100 kernel/locking/spinlock_debug.c:140)
> >>>> [ 359.838025][ C0] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>> [ 359.839365][ C0] call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
> >>>> [ 359.840371][ C0] ? timer_shutdown_sync (kernel/time/timer.c:1677)
> >>>> [ 359.841504][ C0] ? lock_downgrade (kernel/locking/lockdep.c:5761)
> >>>> [ 359.842631][ C0] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
> >>>> [ 359.844016][ C0] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>> [ 359.845419][ C0] __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
> >>>> [ 359.846681][ C0] ? call_timer_fn (kernel/time/timer.c:1995)
> >>>> [ 359.849000][ C0] ? __wake_up_locked_sync_key (kernel/sched/clock.c:389)
> >>>> [ 359.850377][ C0] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
> >>>> [ 359.851800][ C0] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3))
> >>>> [ 359.852888][ C0] ? sched_clock_cpu (kernel/sched/clock.c:394)
> >>>> [ 359.854113][ C0] ? tick_program_event (kernel/time/tick-oneshot.c:45)
> >>>> [ 359.855344][ C0] run_timer_softirq (kernel/time/timer.c:2037)
> >>>> [ 359.856372][ C0] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
> >>>> [ 359.857190][ C0] irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)
> >>>> [ 359.858530][ C0] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
> >>>> [  359.859733][    C0]  </IRQ>
> >>>> [  359.860313][    C0]  <TASK>
> >>>> [ 359.861008][ C0] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
> >>>> [ 359.862320][ C0] RIP: 0010:__sanitizer_cov_trace_pc (kernel/kcov.c:225)
> >>>> [ 359.863646][ C0] Code: 82 e8 15 00 00 83 f8 02 75 20 48 8b 8a f0 15 00 00 8b 92 ec 15 00 00 48 8b 01 48 83 c0 01 48 39 c2 76 076
> >>>>
> >>>> Code starting with the faulting instruction
> >>>> ===========================================
> >>>>  0: 82                    (bad)
> >>>>  1: e8 15 00 00 83        call   0xffffffff8300001b
> >>>>  6: f8                    clc
> >>>>  7: 02 75 20              add    0x20(%rbp),%dh
> >>>>  a: 48 8b 8a f0 15 00 00  mov    0x15f0(%rdx),%rcx
> >>>> 11: 8b 92 ec 15 00 00     mov    0x15ec(%rdx),%edx
> >>>> 17: 48 8b 01              mov    (%rcx),%rax
> >>>> 1a: 48 83 c0 01           add    $0x1,%rax
> >>>> 1e: 48 39 c2              cmp    %rax,%rdx
> >>>> 21: 76 76                 jbe    0x99
> >>>> [  359.868886][    C0] RSP: 0018:ffffc900004975c0 EFLAGS: 00000293
> >>>> [  359.870210][    C0] RAX: 0000000000000000 RBX: ffffc90000497688 RCX: ffffffff8139d476
> >>>> [  359.872065][    C0] RDX: ffff888012eda080 RSI: ffffffff8139d4d5 RDI: 0000000000000005
> >>>> [  359.873874][    C0] RBP: ffffc900004979c8 R08: 0000000000000005 R09: 0000000000000000
> >>>> [  359.875522][    C0] R10: 0000000000000001 R11: 0000000000000001 R12: ffffc90000497690
> >>>> [  359.877445][    C0] R13: ffffc90000497698 R14: 0000000000000001 R15: ffffc90000498000
> >>>> [ 359.879694][ C0] ? stack_access_ok (./arch/x86/include/asm/stacktrace.h:60 arch/x86/kernel/unwind_orc.c:393)
> >>>> [ 359.880993][ C0] ? stack_access_ok (arch/x86/kernel/unwind_orc.c:398)
> >>>> [ 359.882036][ C0] stack_access_ok (arch/x86/kernel/unwind_orc.c:398)
> >>>> [ 359.883140][ C0] unwind_next_frame (arch/x86/kernel/unwind_orc.c:403 arch/x86/kernel/unwind_orc.c:585)
> >>>> [ 359.884338][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.885511][ C0] ? write_profile (kernel/stacktrace.c:83)
> >>>> [ 359.886668][ C0] arch_stack_walk (./arch/x86/include/asm/unwind.h:50 arch/x86/kernel/stacktrace.c:24)
> >>>> [ 359.888967][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.890049][ C0] stack_trace_save (kernel/stacktrace.c:123)
> >>>> [ 359.891103][ C0] ? filter_irq_stacks (kernel/stacktrace.c:114)
> >>>> [ 359.892244][ C0] ? __lock_acquire (./arch/x86/include/asm/bitops.h:228 ./arch/x86/include/asm/bitops.h:240 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228 kernel/locking/lockdep.c:3780 kernel/locking/lockdep.c:3836 kernel/locking/lockdep.c:5136)
> >>>> [ 359.893357][ C0] kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.894390][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.895394][ C0] ? kasan_save_stack (mm/kasan/common.c:47)
> >>>> [ 359.896431][ C0] ? kasan_save_stack (mm/kasan/common.c:46)
> >>>> [ 359.899146][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.900387][ C0] ? alloc_empty_file (fs/file_table.c:217)
> >>>> [ 359.901480][ C0] ? path_openat (fs/namei.c:3766)
> >>>> [ 359.902757][ C0] ? do_filp_open (fs/namei.c:3810)
> >>>> [ 359.904231][ C0] ? do_sys_openat2 (fs/open.c:1441)
> >>>> [ 359.905359][ C0] ? __x64_sys_openat (fs/open.c:1466)
> >>>> [ 359.906477][ C0] ? do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
> >>>> [ 359.908824][ C0] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
> >>>> [ 359.910204][ C0] ? stack_access_ok (arch/x86/kernel/unwind_orc.c:398)
> >>>> [ 359.911166][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.912475][ C0] ? find_held_lock (kernel/locking/lockdep.c:5243)
> >>>> [ 359.913572][ C0] ? kmem_cache_alloc (./include/linux/sched/mm.h:306 mm/slab.h:709 mm/slab.c:3221 mm/slab.c:3246 mm/slab.c:3423 mm/slab.c:3432)
> >>>> [ 359.914724][ C0] kasan_set_track (mm/kasan/common.c:52)
> >>>> [ 359.915787][ C0] __kasan_slab_alloc (mm/kasan/common.c:328)
> >>>> [ 359.916878][ C0] kmem_cache_alloc (mm/slab.h:763 mm/slab.c:3237 mm/slab.c:3246 mm/slab.c:3423 mm/slab.c:3432)
> >>>> [ 359.918207][ C0] security_file_alloc (security/security.c:612 security/security.c:2603)
> >>>> [ 359.920666][ C0] ? kmem_cache_alloc (./include/trace/events/kmem.h:12 ./include/trace/events/kmem.h:12 mm/slab.c:3425 mm/slab.c:3432)
> >>>> [ 359.921692][ C0] init_file (fs/file_table.c:167)
> >>>> [ 359.922629][ C0] alloc_empty_file (fs/file_table.c:221)
> >>>> [ 359.923674][ C0] path_openat (fs/namei.c:3766)
> >>>> [ 359.924725][ C0] ? path_lookupat (fs/namei.c:3761)
> >>>> [ 359.925843][ C0] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>> [ 359.927172][ C0] do_filp_open (fs/namei.c:3810)
> >>>> [ 359.929414][ C0] ? may_open_dev (fs/namei.c:3803)
> >>>> [ 359.930468][ C0] ? find_held_lock (kernel/locking/lockdep.c:5243)
> >>>> [ 359.931463][ C0] ? alloc_fd (fs/file.c:555 (discriminator 10))
> >>>> [ 359.932390][ C0] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2164 ./include/linux/atomic/atomic-instrumented.h:1296 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:115)
> >>>> [ 359.933423][ C0] ? spin_bug (kernel/locking/spinlock_debug.c:113)
> >>>> [ 359.934372][ C0] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:104 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
> >>>> [ 359.935365][ C0] ? alloc_fd (fs/file.c:555 (discriminator 10))
> >>>> [ 359.936242][ C0] do_sys_openat2 (fs/open.c:1441)
> >>>> [ 359.937083][ C0] ? build_open_flags (fs/open.c:1426)
> >>>> [ 359.938184][ C0] ? __do_sys_lstat (fs/stat.c:441)
> >>>> [ 359.939205][ C0] __x64_sys_openat (fs/open.c:1466)
> >>>> [ 359.940247][ C0] ? __ia32_sys_open (fs/open.c:1466)
> >>>> [ 359.941299][ C0] ? syscall_enter_from_user_mode (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/entry/common.c:111)
> >>>> [ 359.942553][ C0] do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
> >>>> [ 359.943688][ C0] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
> >>>> [  359.945168][    C0] RIP: 0033:0x7f4db67214fc
> >>>> [ 359.946208][ C0] Code: 24 18 31 c0 41 83 e2 40 75 44 89 f0 25 00 00 41 00 3d 00 00 41 00 74 36 44 89 c2 4c 89 ce bf 9c ff ff ff0
> >>>>
> >>>> Code starting with the faulting instruction
> >>>> ===========================================
> >>>>  0: 24 18                 and    $0x18,%al
> >>>>  2: 31 c0                 xor    %eax,%eax
> >>>>  4: 41 83 e2 40           and    $0x40,%r10d
> >>>>  8: 75 44                 jne    0x4e
> >>>>  a: 89 f0                 mov    %esi,%eax
> >>>>  c: 25 00 00 41 00        and    $0x410000,%eax
> >>>> 11: 3d 00 00 41 00        cmp    $0x410000,%eax
> >>>> 16: 74 36                 je     0x4e
> >>>> 18: 44 89 c2              mov    %r8d,%edx
> >>>> 1b: 4c 89 ce              mov    %r9,%rsi
> >>>> 1e: bf 9c ff ff f0        mov    $0xf0ffff9c,%edi
> >>>> [  359.951731][    C0] RSP: 002b:00007fff2b4412a0 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
> >>>> [  359.953540][    C0] RAX: ffffffffffffffda RBX: 000000000000002f RCX: 00007f4db67214fc
> >>>> [  359.955346][    C0] RDX: 0000000000090800 RSI: 0000558cb4fdc950 RDI: 00000000ffffff9c
> >>>> [  359.957000][    C0] RBP: 00007fff2b441420 R08: 0000000000090800 R09: 0000558cb4fdc950
> >>>> [  359.960202][    C0] R10: 0000000000000000 R11: 0000000000000287 R12: 0000558cb4fdc950
> >>>> [  359.961798][    C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> >>>> [  359.968702][    C0]  </TASK>
> >>>> [  359.977817][    C0] Kernel Offset: disabled
> >>>> [  359.978803][    C0] Rebooting in 86400 seconds..
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> On Nov 7, 2023, at 12:11, Steven Rostedt <ros...@goodmis.org> wrote:
> >>>>>
> >>>>> On Tue, 7 Nov 2023 16:23:37 +0000
> >>>>> "Bai, Shuangpeng" <ba...@psu.edu> wrote:
> >>>>>
> >>>>>> Dear Kernel Maintainers,
> >>>>>>
> >>>>>> I hope this email finds you well. I am writing to follow up on a kernel bug report that we submitted last week, which has not received a response yet.
> >>>>>>
> >>>>>
> >>>>> Note, a lot of maintainers drop all emails that are HTML format (which this is).
> >>>>>
> >>>>
> >>>> Thank you for letting me know this! I will report bugs by plain-text emails in future.
> >>>>
> >>>>>> We understand that maintainers like yourself have numerous responsibilities and a substantial workload, and we appreciate your hard work in maintaining the kernel. We are aware that sometimes reports might be overlooked or delayed in the process.
> >>>>>>
> >>>>>> We would be most grateful for your guidance on the next steps or whether we should consider alternative channels such as secu...@kernel.org<mailto:secu...@kernel.org> or reaching out to vendors like RedHat.
> >>>>>>
> >>>>>> Your valuable insights and assistance in this matter would be highly appreciated.
> >>>>>>
> >>>>>
> >>>>>>
> >>>>>> [  314.465397][    C1] ==================================================================
> >>>>>> [ 314.467080][ C1] BUG: KASAN: slab-use-after-free in __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>>>> [  314.469666][    C1] Read of size 8 at addr ffff88801bd9ad08 by task systemd-udevd/8228
> >>>>>> [  314.471271][    C1]
> >>>>>> [  314.471719][    C1] CPU: 1 PID: 8228 Comm: systemd-udevd Not tainted 6.6.0-06824-g8bc9e6515183 #4
> >>>>>> [  314.473512][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> >>>>>> [  314.475321][    C1] Call Trace:
> >>>>>> [  314.475991][    C1]  <IRQ>
> >>>>>> [ 314.476576][ C1] dump_stack_lvl (lib/dump_stack.c:107)
> >>>>>> [ 314.478518][ C1] print_report (mm/kasan/report.c:365 mm/kasan/report.c:475)
> >>>>>> [ 314.479423][ C1] ? __virt_addr_valid (arch/x86/mm/physaddr.c:66)
> >>>>>> [ 314.480440][ C1] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
> >>>>>> [ 314.481348][ C1] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>>>> [ 314.482328][ C1] kasan_report (mm/kasan/report.c:590)
> >>>>>> [ 314.483164][ C1] ? __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>>>> [ 314.484185][ C1] __lock_acquire (kernel/locking/lockdep.c:5004)
> >>>>>> [ 314.485199][ C1] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4992)
> >>>>>> [ 314.486418][ C1] ? lockdep_unlock (kernel/locking/lockdep.c:157)
> >>>>>> [ 314.487390][ C1] ? __lock_acquire (kernel/locking/lockdep.c:186 kernel/locking/lockdep.c:3872 kernel/locking/lockdep.c:5136)
> >>>>>> [ 314.488411][ C1] lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5755 kernel/locking/lockdep.c:5718)
> >>>>>> [ 314.489329][ C1] ? try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>>>> [ 314.490296][ C1] ? lock_sync (kernel/locking/lockdep.c:5721)
> >>>>>> [ 314.491182][ C1] ? __lock_acquire (./arch/x86/include/asm/bitops.h:228 ./arch/x86/include/asm/bitops.h:240 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:228 kernel/locking/lockdep.c:3780 kernel/locking/lockdep.c:3836 kernel/locking/lockdep.c:5136)
> >>>>>> [ 314.492196][ C1] ? _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:108 kernel/locking/spinlock.c:162)
> >>>>>> [ 314.493263][ C1] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>>>> [ 314.494511][ C1] _raw_spin_lock_irqsave (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> >>>>>> [ 314.495579][ C1] ? try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>>>> [ 314.496572][ C1] try_to_wake_up (kernel/sched/core.c:4049 kernel/sched/core.c:4228)
> >>>>>> [ 314.497480][ C1] ? sched_ttwu_pending (kernel/sched/core.c:4196)
> >>>>>> [ 314.498493][ C1] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:100 kernel/locking/spinlock_debug.c:140)
> >>>>>> [ 314.499518][ C1] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>>>> [ 314.500737][ C1] call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
> >>>>>> [ 314.501704][ C1] ? timer_shutdown_sync (kernel/time/timer.c:1677)
> >>>>>> [ 314.502752][ C1] ? lock_downgrade (kernel/locking/lockdep.c:5761)
> >>>>>> [ 314.503765][ C1] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
> >>>>>> [ 314.504826][ C1] ? nilfs_segctor_zeropad_segsum (fs/nilfs2/segment.c:2441)
> >>>>>> [ 314.506064][ C1] __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
> >>>>>
> >>>>> This could be a bug where something was freed but still had something
> >>>>> queued on the timer list. That would cause a crash in the timer code.
> >>>>>
> >>>>> Can you run with CONFIG_DEBUG_OBJECTS_TIMERS enabled?
> >>>>>
> >>>>> That would help detect such cases.
> >>>>>
> >>>>> -- Steve
> >>>>>
> >>>>>
> >>>>>> [ 314.507087][ C1] ? call_timer_fn (kernel/time/timer.c:1995)
> >>>>>> [ 314.508045][ C1] ? __wake_up_locked_sync_key (kernel/sched/clock.c:389)
> >>>>>> [ 314.509164][ C1] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
> >>>>>> [ 314.510194][ C1] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3))
> >>>>>> [ 314.511081][ C1] ? sched_clock_cpu (kernel/sched/clock.c:394)
> >>>>>> [ 314.512056][ C1] ? tick_program_event (kernel/time/tick-oneshot.c:45)
> >>>>>> [ 314.513103][ C1] run_timer_softirq (kernel/time/timer.c:2037)
> >>>>>> [ 314.514094][ C1] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
> >>>>>> [ 314.514998][ C1] irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)
> >>>>>> [ 314.515887][ C1] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
> >>>>>> [  314.516936][    C1]  </IRQ>
> >>>>>> [  314.517514][    C1]  <TASK>
> >>>>>> [ 314.518086][ C1] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
> >>>>>> [ 314.519451][ C1] RIP: 0010:stack_access_ok (arch/x86/kernel/unwind_orc.c:389)
> >>>>>> [ 314.521252][ C1] Code: 6f ff ff ff 4c 89 e7 e8 26 8d a0 00 eb a4 4c 89 e7 e8 1c 8d a0 00 eb ce 66 2e 0f 1f 84 00 00 00 00 00 41 57 41 56 41 55 41 54 <55> 48 89 f5 53 48 89 f8
> >>>
> >>
>

ATT27679.config
repro.c
repro.c
k.config
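As an added illustration of the check Steve suggests above (this is not code from the thread or from the kernel): a userspace C model of what CONFIG_DEBUG_OBJECTS_TIMERS does at free time, scanning the registry of armed timers for one that lives inside the memory region about to be released, so a "freed while still queued on the timer list" bug is caught at the free rather than later in the timer softirq. All struct, function and task names here are constructed for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a kernel timer embedded in an object. */
struct timer {
    struct timer *next;             /* link in the pending list */
    void (*fn)(struct timer *);
};

/* Stand-in for the object that owns the timer (think task_struct). */
struct task {
    char name[16];
    struct timer wakeup_timer;      /* embedded timer, modelled on the wakeup timer */
};

/* Pending-timer list: stand-in for the kernel's timer wheel. */
static struct timer *pending;

static void add_timer(struct timer *t, void (*fn)(struct timer *))
{
    t->fn = fn;
    t->next = pending;
    pending = t;
}

/* Unlink a timer; returns 1 if it was pending, 0 otherwise. */
static int del_timer(struct timer *t)
{
    for (struct timer **pp = &pending; *pp; pp = &(*pp)->next) {
        if (*pp == t) { *pp = t->next; t->next = NULL; return 1; }
    }
    return 0;
}

/*
 * Model of the debugobjects free-time check: before a region is released,
 * look for any armed timer whose address falls inside it. Only addresses are
 * compared; nothing inside the region is dereferenced. Returns the count of
 * active timers found (the kernel would warn for each).
 */
static int debug_check_no_timer_freed(const void *addr, size_t size)
{
    uintptr_t lo = (uintptr_t)addr, hi = lo + size;
    int active = 0;
    for (struct timer *t = pending; t; t = t->next) {
        uintptr_t ta = (uintptr_t)t;
        if (ta >= lo && ta < hi) {
            fprintf(stderr, "ODEBUG(model): freeing active timer %p in [%p,%p)\n",
                    (void *)t, addr, (void *)hi);
            active++;
        }
    }
    return active;
}

static void wake_fn(struct timer *t) { (void)t; }

/* Free a task; returns how many armed timers the check found inside it. */
static int free_task(struct task *p, int shutdown_first)
{
    if (shutdown_first)
        del_timer(&p->wakeup_timer);        /* the fix: disarm before release */
    int leaked = debug_check_no_timer_freed(p, sizeof(*p));
    if (leaked)
        del_timer(&p->wakeup_timer);        /* keep the model's list free of dangling pointers */
    free(p);
    return leaked;
}

/* Arm a timer on a fresh task, then free it with or without disarming first. */
static int scenario(int shutdown_first)
{
    struct task *p = calloc(1, sizeof(*p));
    if (!p) return -1;
    strcpy(p->name, "udevd-model");         /* constructed name */
    add_timer(&p->wakeup_timer, wake_fn);
    return free_task(p, shutdown_first);
}

int main(void)
{
    printf("buggy free: %d active timer(s); fixed free: %d\n", scenario(0), scenario(1));
    return 0;
}
```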

Ryusuke Konishi

May 14, 2024, 1:07:54 AMMay 14
to Bai, Shuangpeng, Steven Rostedt, Bai, Shuangpeng, mi...@redhat.com, pet...@infradead.org, juri....@redhat.com, vincent...@linaro.org, dietmar....@arm.com, bse...@google.com, mgo...@suse.de, bri...@redhat.com, vsch...@redhat.com, syzk...@googlegroups.com
Hi Shuangpeng,

Sorry for not replying.

I have confirmed that it can be reproduced using the reproducer you
sent me earlier, so please be patient.

I plan to fix it, but there are multiple issues and I am currently
debugging and resolving them one by one.

I would like to confirm one thing in advance: When posting a patch
for this, is it okay to add a Reported-by tag with your email address?

Thanks,
Ryusuke Konishi

Bai, Shuangpeng

May 14, 2024, 1:17:27 AMMay 14
to Ryusuke Konishi, Steven Rostedt, Bai, Shuangpeng, mi...@redhat.com, pet...@infradead.org, juri....@redhat.com, vincent...@linaro.org, dietmar....@arm.com, bse...@google.com, mgo...@suse.de, bri...@redhat.com, vsch...@redhat.com, syzk...@googlegroups.com
Hi Ryusuke,

Thank you for your reply! I greatly appreciate your contribution to maintaining the kernel.

The new reproducer we found can trigger the bug in kernel v6.8 (newer than my first report), so I think it may be helpful in analyzing the root cause.

Please use sjb...@psu.edu for Reported-by tag and let me know anything I can help with.

Best,
Shuangpeng

Ryusuke Konishi

May 14, 2024, 1:49:57 AMMay 14
to Bai, Shuangpeng, Steven Rostedt, Bai, Shuangpeng, mi...@redhat.com, pet...@infradead.org, juri....@redhat.com, vincent...@linaro.org, dietmar....@arm.com, bse...@google.com, mgo...@suse.de, bri...@redhat.com, vsch...@redhat.com, syzk...@googlegroups.com
On Tue, May 14, 2024 at 2:17 PM Bai, Shuangpeng wrote:
>
> Hi Ryusuke,
>
> Thank you for your reply! I greatly appreciate your contribution to maintaining the kernel.
>
> The new reproducer we found can trigger the bug in kernel v6.8 (newer than my first report), so I think it may be helpful in analyzing the root cause.

Got it. I'll try this too.

>
> Please use sjb...@psu.edu for Reported-by tag and let me know anything I can help with.

OK, I'll do that then.

Also, if we exchange details regarding this issue in the future,
please narrow down the recipients (Cc:) to avoid noisy communication.
Unless other parts are involved (I suspect it's a nilfs-specific
issue), you can keep it private, or if you want to keep a public log,
please use linux...@vger.kernel.org.

Thanks,
Ryusuke Konishi