[BUG] After unloading the nfsd module, a use-after-free occurred due to Objects remaining on __kmem_cache_shutdown().

From: 김강민

Date: Sat Oct 11 2025 - 16:20:28 EST


Dear Linux kernel developers and maintainers,

Hello,
This bug was discovered through syzkaller.

Kernel driver involved: nfsd

Version detected by syzkaller:
- Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd

Details
If the test driver is forcibly unloaded, objects remain in memory,
which can later lead to issues such as use-after-free.
Additionally, this issue can be easily reproduced with the following command.
$ sudo rmmod -f nfsd
Note: Since the nfsd service is running internally with open ports and
mounted shares, it may affect this issue. Therefore, the boot log is
attached as a file.

Please let me know if any further information is required.

Best Regards,
GangMin Kim.
Object 0x00000000640d33cb @offset=384
Object 0x0000000050bdc312 @offset=576
Slab 0x00000000e04f3eb3 objects=21 used=4 fp=0x00000000f1d8fe07 flags=0x100000000000200(workingset|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40 mm/slub.c:1249
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40 mm/slub.c:1249
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda8 EFLAGS: 00010082
RAX: 0000000000011460 RBX: ffff88800469f980 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff888003b80000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880019013c0
R13: ffff88800469f980 R14: ffff888003b80fc0 R15: ffff88800469f980
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd313bee6f4 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
<TASK>
list_slab_objects mm/slub.c:7936 [inline]
free_partial mm/slub.c:7957 [inline]
__kmem_cache_shutdown+0x20f/0x300 mm/slub.c:7995
kmem_cache_destroy mm/slab_common.c:529 [inline]
kmem_cache_destroy+0x60/0x190 mm/slab_common.c:487
exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
</TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfsd_cacherep: Slab cache still has objects when called from exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy mm/slab_common.c:531 [inline]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy mm/slab_common.c:531 [inline]
RIP: 0010:kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe08 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880019013c0 RCX: ffffffff81394b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: ffffed100da047d9
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd313bee6f4 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
<TASK>
exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
</TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: slab-use-after-free in nfsd_inet6addr_event+0x39f/0x430 fs/nfsd/nfssvc.c:489 [nfsd]
Read of size 8 at addr ffff888004e3c180 by task kworker/u4:1/25

CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xd0/0x610 mm/kasan/report.c:482
kasan_report+0xce/0x100 mm/kasan/report.c:595
nfsd_inet6addr_event+0x39f/0x430 fs/nfsd/nfssvc.c:489 [nfsd]
notifier_call_chain+0x101/0x2f0 kernel/notifier.c:85
atomic_notifier_call_chain+0x32/0x50 kernel/notifier.c:223
addrconf_ifdown.isra.0+0xd44/0x1700 net/ipv6/addrconf.c:3978
addrconf_notify+0x362/0x1730 net/ipv6/addrconf.c:3776
notifier_call_chain+0x101/0x2f0 kernel/notifier.c:85
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:2229
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
netif_close_many+0x27f/0x4b0 net/core/dev.c:1784
unregister_netdevice_many_notify+0x59c/0x1e30 net/core/dev.c:12224
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x65a/0x810 net/core/net_namespace.c:248
cleanup_net+0x378/0x670 net/core/net_namespace.c:695
process_one_work+0x66c/0x10c0 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x91a/0x1230 kernel/workqueue.c:3427
kthread+0x365/0x700 kernel/kthread.c:463
ret_from_fork+0x17e/0x260 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Allocated by task 288 on cpu 0 at 23.285783s:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x17/0x60 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__do_kmalloc_node mm/slub.c:5603 [inline]
__kmalloc_noprof+0x1a8/0x5b0 mm/slub.c:5615
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ops_init+0x77/0x460 net/core/net_namespace.c:127
setup_net+0x100/0x310 net/core/net_namespace.c:445
copy_net_ns+0x31b/0x420 net/core/net_namespace.c:580
create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc7/0x170 kernel/nsproxy.c:218
ksys_unshare+0x3fb/0x980 kernel/fork.c:3129
__do_sys_unshare kernel/fork.c:3200 [inline]
__se_sys_unshare kernel/fork.c:3198 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3198
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 3875 on cpu 0 at 48.578264s:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x17/0x60 mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x43/0x70 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2514 [inline]
slab_free mm/slub.c:6566 [inline]
kfree+0x1a8/0x420 mm/slub.c:6773
ops_free_list net/core/net_namespace.c:215 [inline]
ops_undo_list+0x48f/0x810 net/core/net_namespace.c:256
ops_undo_single net/core/net_namespace.c:265 [inline]
__unregister_pernet_operations net/core/net_namespace.c:1339 [inline]
unregister_pernet_operations+0x1ca/0x3d0 net/core/net_namespace.c:1403
unregister_pernet_subsys+0x21/0x30 net/core/net_namespace.c:1450
exit_nfsd+0x53/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888004e3c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 384 bytes inside of
freed 8192-byte region [ffff888004e3c000, ffff888004e3e000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea0000138e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888004e3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888004e3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888004e3c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
=============================================================================
BUG nfs4_client (Tainted: G R B W ): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------

Object 0x00000000a598313c @offset=0
Slab 0x0000000077f165de objects=11 used=1 fp=0x00000000d4be4177 flags=0x100000000000240(workingset|head|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40 mm/slub.c:1249
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40 mm/slub.c:1249
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda0 EFLAGS: 00010082
RAX: 0000000000079ea8 RBX: ffff88800469f600 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff88801d1c4000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880046aca00
R13: ffff88800469f600 R14: ffff88801d1c7ee8 R15: ffff88800469f600
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
<TASK>
list_slab_objects mm/slub.c:7936 [inline]
free_partial mm/slub.c:7957 [inline]
__kmem_cache_shutdown+0x20f/0x300 mm/slub.c:7995
kmem_cache_destroy mm/slab_common.c:529 [inline]
kmem_cache_destroy+0x60/0x190 mm/slab_common.c:487
nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
exit_nfsd+0x62/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
</TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy mm/slab_common.c:531 [inline]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy mm/slab_common.c:531 [inline]
RIP: 0010:kmem_cache_destroy+0x135/0x190 mm/slab_common.c:487
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
<TASK>
nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
exit_nfsd+0x62/0xe10 fs/nfsd/trace.c:91 [nfsd]
__do_sys_delete_module+0x343/0x510 kernel/module/main.c:835
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0x280 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
</TASK>
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0 kernel/notifier.c:75
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
atomic_notifier_call_chain+0x32/0x50 kernel/notifier.c:223
addrconf_ifdown.isra.0+0xd44/0x1700 net/ipv6/addrconf.c:3978
addrconf_notify+0x362/0x1730 net/ipv6/addrconf.c:3776
notifier_call_chain+0x101/0x2f0 kernel/notifier.c:85
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:2229
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
netif_close_many+0x27f/0x4b0 net/core/dev.c:1784
unregister_netdevice_many_notify+0x59c/0x1e30 net/core/dev.c:12224
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x65a/0x810 net/core/net_namespace.c:248
cleanup_net+0x378/0x670 net/core/net_namespace.c:695
process_one_work+0x66c/0x10c0 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x91a/0x1230 kernel/workqueue.c:3427
kthread+0x365/0x700 kernel/kthread.c:463
ret_from_fork+0x17e/0x260 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0 kernel/notifier.c:75
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled
----------------
Code disassembly (best guess):
0: 00 e8 add %ch,%al
2: 90 nop
3: a6 cmpsb %es:(%rdi),%ds:(%rsi)
4: 2a 00 sub (%rax),%al
6: 31 ff xor %edi,%edi
8: 89 ee mov %ebp,%esi
a: e8 37 9f 2a 00 call 0x2a9f46
f: 85 ed test %ebp,%ebp
11: 0f 84 a2 00 00 00 je 0xb9
17: 4c 89 eb mov %r13,%rbx
1a: e8 77 a6 2a 00 call 0x2aa696
1f: 48 8d 7b 08 lea 0x8(%rbx),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
2f: 0f 85 df 01 00 00 jne 0x214
35: 48 89 d8 mov %rbx,%rax
38: 4c 8b 6b 08 mov 0x8(%rbx),%r13
3c: 48 c1 e8 03 shr $0x3,%rax
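
A triage sketch for reports like the one above, added here as an example and not part of the original mail or of any kernel tooling: it extracts the taint flags, the slab caches destroyed with live objects, and the KASAN access and free tasks, so that a forced unload (`[R]=FORCED_RMMOD`) followed by a later notifier call into freed per-net data is recognisable without reading every trace. The function names and finding labels are assumptions; the sample lines are copied from the log above and trimmed.

```python
import re

# Constructed sample: lines copied from the report above, trimmed to what the parser reads.
SAMPLE_LOG = """\
kmem_cache_destroy nfsd_cacherep: Slab cache still has objects when called from exit_nfsd+0x58/0xe10 fs/nfsd/trace.c:91 [nfsd]
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
BUG: KASAN: slab-use-after-free in nfsd_inet6addr_event+0x39f/0x430 fs/nfsd/nfssvc.c:489 [nfsd]
Read of size 8 at addr ffff888004e3c180 by task kworker/u4:1/25

Allocated by task 288 on cpu 0 at 23.285783s:
 ops_init+0x77/0x460 net/core/net_namespace.c:127
 setup_net+0x100/0x310 net/core/net_namespace.c:445

Freed by task 3875 on cpu 0 at 48.578264s:
 kfree+0x1a8/0x420 mm/slub.c:6773
 ops_free_list net/core/net_namespace.c:215 [inline]
 ops_undo_list+0x48f/0x810 net/core/net_namespace.c:256
 unregister_pernet_subsys+0x21/0x30 net/core/net_namespace.c:1450
 exit_nfsd+0x53/0xe10 fs/nfsd/trace.c:91 [nfsd]
 __do_sys_delete_module+0x343/0x510 kernel/module/main.c:835

kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 fs/nfsd/nfs4state.c:4808 [nfsd]
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
"""

OFF = r"\+0x[0-9a-f]+/0x[0-9a-f]+"          # symbol offset/size, e.g. +0x53/0xe10
LOC = r"(?: \S+:\d+)?(?: \[(\w+)\])?"       # optional file:line, optional [module]
TAINT_RE = re.compile(r"\[([A-Z])\]=([A-Z_]+)")
LEAK_RE = re.compile(r"^kmem_cache_destroy (\S+): Slab cache still has objects", re.M)
KASAN_RE = re.compile(r"^BUG: KASAN: (\S+) in ([\w.]+)" + OFF + LOC, re.M)
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", re.M)
STACK_HDR_RE = re.compile(r"^(Allocated|Freed) by task (\d+)")
FRAME_RE = re.compile(r"^\s*([\w.]+)" + OFF + LOC + r"\s*$")
UNLOADED_RE = re.compile(r"\[last unloaded: (\w+)")


def parse_report(text):
    """Extract the fields needed for triage from a KASAN/SLUB kernel log."""
    report = {
        "taint": dict(TAINT_RE.findall(text)),            # {'R': 'FORCED_RMMOD', ...}
        "leaked_caches": sorted(set(LEAK_RE.findall(text))),
        "kasan": None, "access": None, "stacks": {}, "last_unloaded": None,
    }
    m = KASAN_RE.search(text)
    if m:
        report["kasan"] = {"kind": m.group(1), "function": m.group(2), "module": m.group(3)}
    m = ACCESS_RE.search(text)
    if m:
        report["access"] = {"op": m.group(1), "size": int(m.group(2)),
                            "addr": m.group(3), "comm": m.group(4), "pid": int(m.group(5))}
    m = UNLOADED_RE.search(text)
    if m:
        report["last_unloaded"] = m.group(1)

    current = None                                        # stack being collected, if any
    for line in text.splitlines():
        hdr = STACK_HDR_RE.match(line)
        if hdr:
            current = {"pid": int(hdr.group(2)), "frames": []}
            # Keep the first alloc/free stack; repeated copies of the report are ignored.
            report["stacks"].setdefault(hdr.group(1).lower(), current)
        elif current is not None:
            if not line.strip():                          # a blank line ends the stack
                current = None
                continue
            frame = FRAME_RE.match(line)                  # "[inline]" lines carry no offset
            if frame:
                current["frames"].append((frame.group(1), frame.group(2)))
    return report


def triage(report):
    """Return finding labels (assumed names) in a fixed order."""
    findings = []
    if report["taint"].get("R") == "FORCED_RMMOD":
        findings.append("forced-unload")                  # refcount checks were bypassed
    if report["leaked_caches"]:
        findings.append("slab-objects-leaked")
    kasan, freed = report["kasan"], report["stacks"].get("freed")
    if kasan and freed:
        funcs = [name for name, _ in freed["frames"]]
        mods = {mod for _, mod in freed["frames"] if mod}
        # The object was released on the delete_module path of the module that later touches it.
        if "__do_sys_delete_module" in funcs and kasan["module"] in mods:
            findings.append("freed-by-module-exit")
        if report["access"] and report["access"]["pid"] != freed["pid"]:
            findings.append("use-after-free-from-other-task")
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LOG)
    print(parsed["kasan"], parsed["leaked_caches"], triage(parsed))
```
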

R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

==================================================================
BUG: KASAN: slab-use-after-free in nfsd_inet6addr_event+0x39f/0x430 [nfsd]
Read of size 8 at addr ffff888004e3c180 by task kworker/u4:1/25

CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_report+0xd0/0x610
kasan_report+0xce/0x100
nfsd_inet6addr_event+0x39f/0x430 [nfsd]
notifier_call_chain+0x101/0x2f0
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
</TASK>

Allocated by task 288 on cpu 0 at 23.285783s:
kasan_save_stack+0x33/0x60
kasan_save_track+0x17/0x60
__kasan_kmalloc+0x8f/0xa0
__kmalloc_noprof+0x1a8/0x5b0
ops_init+0x77/0x460
setup_net+0x100/0x310
copy_net_ns+0x31b/0x420
create_new_namespaces+0x3ea/0xa90
unshare_nsproxy_namespaces+0xc7/0x170
ksys_unshare+0x3fb/0x980
__x64_sys_unshare+0x31/0x40
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 3875 on cpu 0 at 48.578264s:
kasan_save_stack+0x33/0x60
kasan_save_track+0x17/0x60
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kfree+0x1a8/0x420
ops_undo_list+0x48f/0x810
unregister_pernet_operations+0x1ca/0x3d0
unregister_pernet_subsys+0x21/0x30
exit_nfsd+0x53/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888004e3c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 384 bytes inside of
freed 8192-byte region [ffff888004e3c000, ffff888004e3e000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000040 ffff888001042280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 0100000000000003 ffffea0000138e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888004e3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888004e3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888004e3c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888004e3c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
=============================================================================
BUG nfs4_client (Tainted: G R B W ): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------

Object 0x00000000a598313c @offset=0
Slab 0x0000000077f165de objects=11 used=1 fp=0x00000000d4be4177 flags=0x100000000000240(workingset|head|node=0|zone=1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3875 at mm/slub.c:1249 __slab_err+0x34/0x40
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__slab_err+0x34/0x40
Code: f9 48 89 fe 4c 8b 47 20 48 c7 c7 80 6b cb a3 81 e2 ff 7f 00 00 e8 3c 5f b3 ff be 01 00 00 00 bf 05 00 00 00 e8 ed d1 9b ff 90 <0f> 0b 90 e9 f4 a7 d9 02 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9001583fda0 EFLAGS: 00010082
RAX: 0000000000079ea8 RBX: ffff88800469f600 RCX: ffffffff819d8c23
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000007
RBP: ffff88801d1c4000 R08: 0000000000000001 R09: fffffbfff4b26c28
R10: 0000000000000000 R11: 3078302062616c53 R12: ffff8880046aca00
R13: ffff88800469f600 R14: ffff88801d1c7ee8 R15: ffff88800469f600
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
<TASK>
__kmem_cache_shutdown+0x20f/0x300
kmem_cache_destroy+0x60/0x190
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
</TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kmem_cache_destroy nfs4_client: Slab cache still has objects when called from nfsd4_free_slabs+0x15/0x60 [nfsd]
WARNING: CPU: 0 PID: 3875 at mm/slab_common.c:531 kmem_cache_destroy+0x135/0x190
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs nfsd(-) auth_rpcgss lockd grace sunrpc
CPU: 0 UID: 0 PID: 3875 Comm: syz.0.1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:kmem_cache_destroy+0x135/0x190
Code: e8 02 48 89 df e8 cb 3e 0f 00 eb 90 90 48 8b 53 68 48 8b 4c 24 08 48 c7 c6 a0 22 2e a3 48 c7 c7 78 45 cb a3 e8 5c 24 aa ff 90 <0f> 0b 90 90 48 8b 53 70 48 8b 43 78 48 c7 c7 20 02 09 a4 48 89 42
RSP: 0018:ffffc9001583fe00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880046aca00 RCX: ffffffff9fd94b84
RDX: 0000000000080000 RSI: ffffc90000e69000 RDI: 0000000000000001
RBP: 1ffff92002b07fc4 R08: 0000000000000001 R09: fffff52002b07f7a
R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffffffffc06419c0
R13: ffffffffc0641e48 R14: ffff88800a5caf00 R15: 0000000000000000
FS: 00007f953c1a76c0(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac32a1c510 CR3: 0000000003069000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
<TASK>
nfsd4_free_slabs+0x15/0x60 [nfsd]
exit_nfsd+0x62/0xe10 [nfsd]
__do_sys_delete_module+0x343/0x510
do_syscall_64+0xa4/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f953d754dad
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f953c1a7018 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007f953d9c5fa0 RCX: 00007f953d754dad
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000200000000040
RBP: 00007f953d7f8d40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f953d9c6038 R14: 00007f953d9c5fa0 R15: 00007ffd33e5e730
</TASK>
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: fffffbfff80c58d9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6dfcc067 P4D 6dfcc067 PUD 6dfc8067 PMD 42f8067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 25 Comm: kworker/u4:1 Tainted: G R B W 6.17.0-12340-gcd5a0afbdf80 #8 PREEMPT(voluntary)
Tainted: [R]=FORCED_RMMOD, [B]=BAD_PAGE, [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
atomic_notifier_call_chain+0x32/0x50
addrconf_ifdown.isra.0+0xd44/0x1700
addrconf_notify+0x362/0x1730
notifier_call_chain+0x101/0x2f0
call_netdevice_notifiers_info+0xb9/0x130
netif_close_many+0x27f/0x4b0
unregister_netdevice_many_notify+0x59c/0x1e30
ops_undo_list+0x65a/0x810
cleanup_net+0x378/0x670
process_one_work+0x66c/0x10c0
worker_thread+0x91a/0x1230
kthread+0x365/0x700
ret_from_fork+0x17e/0x260
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in: rpcsec_gss_krb5 nfsv4 nfs auth_rpcgss lockd grace sunrpc [last unloaded: nfsd]
CR2: fffffbfff80c58d9
---[ end trace 0000000000000000 ]---
RIP: 0010:notifier_call_chain+0xc4/0x2f0
Code: 00 e8 90 a6 2a 00 31 ff 89 ee e8 37 9f 2a 00 85 ed 0f 84 a2 00 00 00 4c 89 eb e8 77 a6 2a 00 48 8d 7b 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 df 01 00 00 48 89 d8 4c 8b 6b 08 48 c1 e8 03
RSP: 0018:ffffc9000019f710 EFLAGS: 00010212
RAX: 1ffffffff80c58d9 RBX: ffffffffc062c6c0 RCX: ffffffff9fe37b09
RDX: ffff888001365e00 RSI: 0000000000000000 RDI: ffffffffc062c6c8
RBP: 00000000ffffffff R08: 0000000000000000 R09: ffffed10013c1505
R10: 00000000ffffffff R11: 00000000363a3fc5 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88803902d800
FS: 0000000000000000(0000) GS:ffff8880c772e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80c58d9 CR3: 000000001086c000 CR4: 0000000000750ef0
PKRU: 55555554
note: kworker/u4:1[25] exited with irqs disabled

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  //  delete_module arguments: [
  //    name: ptr[in, buffer] {
  //      buffer: {6e 66 73 64 00} (length 0x5)
  //    }
  //    flags: delete_module_flags = 0x200 (8 bytes)
  //  ]
  memcpy((void*)0x200000000040, "nfsd\000", 5);
  syscall(__NR_delete_module, /*name=*/0x200000000040ul,
          /*flags=O_TRUNC*/ 0x200ul);
}

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  loop();
  return 0;
}

[ 0.000000] Linux version 6.17.0-12340-gcd5a0afbdf80 (allz@allz-VMware-Virtual-Platform) (gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #8 SMP PREEMPT_DYNAMIC Thu Oct 9 04:21:21 KST 2025
[ 0.000000] Command line: console=ttyS0 nokaslr root=/dev/sda net.ifnames=0 mitigations=off
[ 0.000000] x86 CPU feature dependency check failure: CPU0 has '18*32+31' enabled but '18*32+26' disabled. Kernel might be fine, but no guarantees.
[ 0.000000] BIOS-provided physical RAM map:
[ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[ 0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007ffdffff] usable
[ 0.000000] BIOS-e820: [mem 0x000000007ffe0000-0x000000007fffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x000000fd00000000-0x000000ffffffffff] reserved
[ 0.000000] NX (Execute Disable) protection: active
[ 0.000000] APIC: Static calls initialized
[ 0.000000] SMBIOS 3.0.0 present.
[ 0.000000] DMI: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 0.000000] DMI: Memory slots populated: 1/1
[ 0.000000] Hypervisor detected: KVM
[ 0.000000] last_pfn = 0x7ffe0 max_arch_pfn = 0x400000000
[ 0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
[ 0.000001] kvm-clock: using sched offset of 396439363 cycles
[ 0.000005] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[ 0.000011] tsc: Detected 4299.996 MHz processor
[ 0.003409] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
[ 0.003416] e820: remove [mem 0x000a0000-0x000fffff] usable
[ 0.003424] last_pfn = 0x7ffe0 max_arch_pfn = 0x400000000
[ 0.003523] MTRR map: 4 entries (3 fixed + 1 variable; max 19), built from 8 variable MTRRs
[ 0.003531] x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
[ 0.005679] found SMP MP-table at [mem 0x000f5480-0x000f548f]
[ 0.005700] Using GB pages for direct mapping
[ 0.006618] ACPI: Early table checksum verification disabled
[ 0.006624] ACPI: RSDP 0x00000000000F52A0 000014 (v00 BOCHS )
[ 0.006641] ACPI: RSDT 0x000000007FFE1CAD 000034 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.006653] ACPI: FACP 0x000000007FFE1B59 000074 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.006667] ACPI: DSDT 0x000000007FFE0040 001B19 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.006675] ACPI: FACS 0x000000007FFE0000 000040
[ 0.006681] ACPI: APIC 0x000000007FFE1BCD 000080 (v03 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.006689] ACPI: HPET 0x000000007FFE1C4D 000038 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.006696] ACPI: WAET 0x000000007FFE1C85 000028 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.006703] ACPI: Reserving FACP table memory at [mem 0x7ffe1b59-0x7ffe1bcc]
[ 0.006706] ACPI: Reserving DSDT table memory at [mem 0x7ffe0040-0x7ffe1b58]
[ 0.006709] ACPI: Reserving FACS table memory at [mem 0x7ffe0000-0x7ffe003f]
[ 0.006712] ACPI: Reserving APIC table memory at [mem 0x7ffe1bcd-0x7ffe1c4c]
[ 0.006715] ACPI: Reserving HPET table memory at [mem 0x7ffe1c4d-0x7ffe1c84]
[ 0.006717] ACPI: Reserving WAET table memory at [mem 0x7ffe1c85-0x7ffe1cac]
[ 0.007768] No NUMA configuration found
[ 0.007772] Faking a node at [mem 0x0000000000000000-0x000000007ffdffff]
[ 0.007782] NODE_DATA(0) allocated [mem 0x7ffdc900-0x7ffdffff]
[ 0.007817] Zone ranges:
[ 0.007818] DMA [mem 0x0000000000001000-0x0000000000ffffff]
[ 0.007823] DMA32 [mem 0x0000000001000000-0x000000007ffdffff]
[ 0.007826] Normal empty
[ 0.007828] Movable zone start for each node
[ 0.007830] Early memory node ranges
[ 0.007831] node 0: [mem 0x0000000000001000-0x000000000009efff]
[ 0.007834] node 0: [mem 0x0000000000100000-0x000000007ffdffff]
[ 0.007838] Initmem setup node 0 [mem 0x0000000000001000-0x000000007ffdffff]
[ 0.007945] On node 0, zone DMA: 1 pages in unavailable ranges
[ 0.008061] On node 0, zone DMA: 97 pages in unavailable ranges
[ 0.024301] On node 0, zone DMA32: 32 pages in unavailable ranges
[ 0.077918] KernelAddressSanitizer initialized (generic)
[ 0.078402] ACPI: PM-Timer IO Port: 0x608
[ 0.078433] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[ 0.078620] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[ 0.078627] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[ 0.078632] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[ 0.078636] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[ 0.078640] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.078644] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.078652] ACPI: Using ACPI (MADT) for SMP configuration information
[ 0.078655] ACPI: HPET id: 0x8086a201 base: 0xfed00000
[ 0.078662] TSC deadline timer available
[ 0.078668] CPU topo: Max. logical packages: 1
[ 0.078669] CPU topo: Max. logical dies: 1
[ 0.078671] CPU topo: Max. dies per package: 1
[ 0.078677] CPU topo: Max. threads per core: 1
[ 0.078679] CPU topo: Num. cores per package: 2
[ 0.078681] CPU topo: Num. threads per package: 2
[ 0.078682] CPU topo: Allowing 2 present CPUs plus 0 hotplug CPUs
[ 0.078711] kvm-guest: APIC: eoi() replaced with kvm_guest_apic_eoi_write()
[ 0.078747] kvm-guest: KVM setup pv remote TLB flush
[ 0.078757] kvm-guest: setup PV sched yield
[ 0.078780] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[ 0.078785] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x000fffff]
[ 0.078789] [mem 0x80000000-0xfeffbfff] available for PCI devices
[ 0.078792] Booting paravirtualized kernel on KVM
[ 0.078796] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1910969940391419 ns
[ 0.087244] setup_percpu: NR_CPUS:64 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:1
[ 0.087688] percpu: Embedded 64 pages/cpu s221336 r8192 d32616 u1048576
[ 0.087708] pcpu-alloc: s221336 r8192 d32616 u1048576 alloc=1*2097152
[ 0.087715] pcpu-alloc: [0] 0 1
[ 0.087800] Kernel command line: net.ifnames=0 console=ttyS0 nokaslr root=/dev/sda net.ifnames=0 mitigations=off
[ 0.087927] Unknown kernel command line parameters "nokaslr", will be passed to user space.
[ 0.088132] random: crng init done
[ 0.088134] printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes
[ 0.088536] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[ 0.088771] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[ 0.088944] Fallback order for Node 0: 0
[ 0.088950] Built 1 zonelists, mobility grouping on. Total pages: 524158
[ 0.088953] Policy zone: DMA32
[ 0.088956] mem auto-init: stack:all(zero), heap alloc:off, heap free:off
[ 0.088959] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.088965] stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear)
[ 0.092058] stackdepot: allocating space for 8192 stack pools via memblock
[ 0.106424] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.108174] Dynamic Preempt: voluntary
[ 0.108432] rcu: Preemptible hierarchical RCU implementation.
[ 0.108435] rcu: RCU event tracing is enabled.
[ 0.108436] rcu: RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=2.
[ 0.108441] Trampoline variant of Tasks RCU enabled.
[ 0.108443] Tracing variant of Tasks RCU enabled.
[ 0.108445] rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
[ 0.108448] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 0.108475] RCU Tasks: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
[ 0.108481] RCU Tasks Trace: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
[ 0.120145] NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
[ 0.120520] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[ 0.126697] Console: colour VGA+ 80x25
[ 0.126767] printk: legacy console [ttyS0] enabled
[ 0.288674] ACPI: Core revision 20250807
[ 0.289746] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
[ 0.291701] APIC: Switch to symmetric I/O mode setup
[ 0.293231] x2apic enabled
[ 0.294410] APIC: Switched APIC routing to: physical x2apic
[ 0.295568] kvm-guest: APIC: send_IPI_mask() replaced with kvm_send_ipi_mask()
[ 0.297101] kvm-guest: APIC: send_IPI_mask_allbutself() replaced with kvm_send_ipi_mask_allbutself()
[ 0.298983] kvm-guest: setup PV IPIs
[ 0.301774] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[ 0.303068] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x3dfb5f2bb8d, max_idle_ns: 440795206700 ns
[ 0.305392] Calibrating delay loop (skipped) preset value.. 8599.99 BogoMIPS (lpj=4299996)
[ 0.306691] x86/cpu: User Mode Instruction Prevention (UMIP) activated
[ 0.307625] Last level iTLB entries: 4KB 512, 2MB 255, 4MB 127
[ 0.308386] Last level dTLB entries: 4KB 512, 2MB 255, 4MB 127, 1GB 0
[ 0.309415] mitigations: Enabled attack vectors: SMT mitigations: off
[ 0.310385] Speculative Store Bypass: Vulnerable
[ 0.312388] Spectre V2 : Vulnerable
[ 0.313073] Speculative Return Stack Overflow: Vulnerable
[ 0.313383] Spectre V1 : Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
[ 0.314471] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 0.315383] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 0.316382] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[ 0.317382] x86/fpu: Supporting XSAVE feature 0x020: 'AVX-512 opmask'
[ 0.318383] x86/fpu: Supporting XSAVE feature 0x040: 'AVX-512 Hi256'
[ 0.319387] x86/fpu: Supporting XSAVE feature 0x080: 'AVX-512 ZMM_Hi256'
[ 0.320383] x86/fpu: Supporting XSAVE feature 0x200: 'Protection Keys User registers'
[ 0.321388] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
[ 0.322383] x86/fpu: xstate_offset[5]: 832, xstate_sizes[5]: 64
[ 0.323383] x86/fpu: xstate_offset[6]: 896, xstate_sizes[6]: 512
[ 0.324382] x86/fpu: xstate_offset[7]: 1408, xstate_sizes[7]: 1024
[ 0.325387] x86/fpu: xstate_offset[9]: 2432, xstate_sizes[9]: 8
[ 0.326383] x86/fpu: Enabled xstate features 0x2e7, context size is 2440 bytes, using 'compacted' format.
[ 0.375506] Freeing SMP alternatives memory: 48K
[ 0.376387] pid_max: default: 32768 minimum: 301
[ 0.377505] LSM: initializing lsm=capability,selinux
[ 0.378444] SELinux: Initializing.
[ 0.379381] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.380397] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.382624] smpboot: CPU0: AMD Ryzen 9 9950X3D 16-Core Processor (family: 0x1a, model: 0x44, stepping: 0x0)
[ 0.383824] Performance Events: AMD PMU driver.
[ 0.384395] ... version: 0
[ 0.385381] ... bit width: 48
[ 0.385388] ... generic counters: 4
[ 0.386387] ... generic bitmap: 000000000000000f
[ 0.387387] ... fixed-purpose counters: 0
[ 0.388381] ... fixed-purpose bitmap: 0000000000000000
[ 0.388387] ... value mask: 0000ffffffffffff
[ 0.389387] ... max period: 00007fffffffffff
[ 0.390387] ... global_ctrl mask: 000000000000000f
[ 0.391589] signal: max sigframe size: 3376
[ 0.392494] rcu: Hierarchical SRCU implementation.
[ 0.393389] rcu: Max phase no-delay instances is 400.
[ 0.394519] Timer migration: 1 hierarchy levels; 8 children per group; 1 crossnode level
[ 0.395919] smp: Bringing up secondary CPUs ...
[ 0.396678] smpboot: x86: Booting SMP configuration:
[ 0.397393] .... node #0, CPUs: #1
[ 0.398476] smp: Brought up 1 node, 2 CPUs
[ 0.400381] smpboot: Total of 2 processors activated (17199.98 BogoMIPS)
[ 0.400918] Memory: 1665712K/2096632K available (56796K kernel code, 9208K rwdata, 12128K rodata, 9948K init, 936K bss, 426400K reserved, 0K cma-reserved)
[ 0.401734] devtmpfs: initialized
[ 0.403652] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns
[ 0.405424] posixtimers hash table entries: 1024 (order: 2, 16384 bytes, linear)
[ 0.407407] futex hash table entries: 512 (32768 bytes on 1 NUMA nodes, total 32 KiB, linear).
[ 0.408683] PM: RTC time: 20:13:23, date: 2025-10-11
[ 0.410662] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.411765] audit: initializing netlink subsys (disabled)
[ 0.413468] audit: type=2000 audit(1760213604.084:1): state=initialized audit_enabled=0 res=1
[ 0.413748] thermal_sys: Registered thermal governor 'step_wise'
[ 0.414436] cpuidle: using governor menu
[ 0.416877] PCI: Using configuration type 1 for base access
[ 0.417390] PCI: Using configuration type 1 for extended access
[ 0.418533] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible.
[ 0.420528] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[ 0.421389] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
[ 0.424779] ACPI: Added _OSI(Module Device)
[ 0.425389] ACPI: Added _OSI(Processor Device)
[ 0.426388] ACPI: Added _OSI(Processor Aggregator Device)
[ 0.431381] ACPI: 1 ACPI AML tables successfully acquired and loaded
[ 0.433381] ACPI: Interpreter enabled
[ 0.433445] ACPI: PM: (supports S0 S3 S4 S5)
[ 0.434389] ACPI: Using IOAPIC for interrupt routing
[ 0.435467] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[ 0.436388] PCI: Using E820 reservations for host bridge windows
[ 0.437924] ACPI: Enabled 2 GPEs in block 00 to 0F
[ 0.447334] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[ 0.447403] acpi PNP0A03:00: _OSC: OS supports [ExtendedConfig ASPM ClockPM Segments MSI HPX-Type3]
[ 0.448734] PCI host bridge to bus 0000:00
[ 0.449421] pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7 window]
[ 0.450389] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window]
[ 0.451398] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[ 0.452393] pci_bus 0000:00: root bus resource [mem 0x80000000-0xfebfffff window]
[ 0.453389] pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window]
[ 0.454390] pci_bus 0000:00: root bus resource [bus 00-ff]
[ 0.455681] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000 conventional PCI endpoint
[ 0.457425] pci 0000:00:01.0: [8086:7000] type 00 class 0x060100 conventional PCI endpoint
[ 0.459381] pci 0000:00:01.1: [8086:7010] type 00 class 0x010180 conventional PCI endpoint
[ 0.460148] pci 0000:00:01.1: BAR 4 [io 0xc040-0xc04f]
[ 0.460451] pci 0000:00:01.1: BAR 0 [io 0x01f0-0x01f7]: legacy IDE quirk
[ 0.461388] pci 0000:00:01.1: BAR 1 [io 0x03f6]: legacy IDE quirk
[ 0.462388] pci 0000:00:01.1: BAR 2 [io 0x0170-0x0177]: legacy IDE quirk
[ 0.463388] pci 0000:00:01.1: BAR 3 [io 0x0376]: legacy IDE quirk
[ 0.465021] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint
[ 0.465974] pci 0000:00:01.3: quirk: [io 0x0600-0x063f] claimed by PIIX4 ACPI
[ 0.466401] pci 0000:00:01.3: quirk: [io 0x0700-0x070f] claimed by PIIX4 SMB
[ 0.468016] pci 0000:00:02.0: [1234:1111] type 00 class 0x030000 conventional PCI endpoint
[ 0.470106] pci 0000:00:02.0: BAR 0 [mem 0xfd000000-0xfdffffff pref]
[ 0.470415] pci 0000:00:02.0: BAR 2 [mem 0xfebb0000-0xfebb0fff]
[ 0.471436] pci 0000:00:02.0: ROM [mem 0xfeba0000-0xfebaffff pref]
[ 0.472752] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[ 0.474381] pci 0000:00:03.0: [8086:100e] type 00 class 0x020000 conventional PCI endpoint
[ 0.475381] pci 0000:00:03.0: BAR 0 [mem 0xfeb80000-0xfeb9ffff]
[ 0.475402] pci 0000:00:03.0: BAR 1 [io 0xc000-0xc03f]
[ 0.476446] pci 0000:00:03.0: ROM [mem 0xfeb00000-0xfeb7ffff pref]
[ 0.482296] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[ 0.482979] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[ 0.483896] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[ 0.484876] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[ 0.485614] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[ 0.487766] iommu: Default domain type: Translated
[ 0.488389] iommu: DMA domain TLB invalidation policy: lazy mode
[ 0.489773] SCSI subsystem initialized
[ 0.490654] libata version 3.00 loaded.
[ 0.490661] ACPI: bus type USB registered
[ 0.491530] usbcore: registered new interface driver usbfs
[ 0.492434] usbcore: registered new interface driver hub
[ 0.493426] usbcore: registered new device driver usb
[ 0.494877] pps_core: LinuxPPS API ver. 1 registered
[ 0.495392] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@xxxxxxxx>
[ 0.496421] PTP clock support registered
[ 0.497598] Advanced Linux Sound Architecture Driver Initialized.
[ 0.499501] NetLabel: Initializing
[ 0.500381] NetLabel: domain hash size = 128
[ 0.500388] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
[ 0.501490] NetLabel: unlabeled traffic allowed by default
[ 0.502565] PCI: Using ACPI for IRQ routing
[ 0.503394] PCI: pci_cache_line_size set to 64 bytes
[ 0.503564] e820: reserve RAM buffer [mem 0x0009fc00-0x0009ffff]
[ 0.503581] e820: reserve RAM buffer [mem 0x7ffe0000-0x7fffffff]
[ 0.503668] pci 0000:00:02.0: vgaarb: setting as boot VGA device
[ 0.504381] pci 0000:00:02.0: vgaarb: bridge control possible
[ 0.504381] pci 0000:00:02.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
[ 0.504394] vgaarb: loaded
[ 0.505381] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
[ 0.505388] hpet0: 3 comparators, 64-bit 100.000000 MHz counter
[ 0.508558] clocksource: Switched to clocksource kvm-clock
[ 0.510550] VFS: Disk quotas dquot_6.6.0
[ 0.511560] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 0.514005] pnp: PnP ACPI init
[ 0.515222] pnp 00:02: [dma 2]
[ 0.516560] pnp: PnP ACPI: found 6 devices
[ 0.529096] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[ 0.531351] NET: Registered PF_INET protocol family
[ 0.532665] IP idents hash table entries: 32768 (order: 6, 262144 bytes, linear)
[ 0.535223] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[ 0.537350] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.539300] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[ 0.541321] TCP bind hash table entries: 16384 (order: 7, 524288 bytes, linear)
[ 0.543314] TCP: Hash tables configured (established 16384 bind 16384)
[ 0.545035] UDP hash table entries: 1024 (order: 4, 65536 bytes, linear)
[ 0.546699] UDP-Lite hash table entries: 1024 (order: 4, 65536 bytes, linear)
[ 0.548608] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.550790] pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window]
[ 0.552283] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]
[ 0.553830] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[ 0.555504] pci_bus 0000:00: resource 7 [mem 0x80000000-0xfebfffff window]
[ 0.557178] pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window]
[ 0.559123] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[ 0.560394] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 0.561968] PCI: CLS 0 bytes, default 64
[ 0.563174] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x3dfb5f2bb8d, max_idle_ns: 440795206700 ns
[ 0.568135] Initialise system trusted keyrings
[ 0.569538] workingset: timestamp_bits=56 max_order=19 bucket_order=0
[ 0.572682] Key type cifs.idmap registered
[ 0.574571] 9p: Installing v9fs 9p2000 file system support
[ 0.584167] Key type asymmetric registered
[ 0.585223] Asymmetric key parser 'x509' registered
[ 0.586521] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 0.588453] io scheduler mq-deadline registered
[ 0.589480] io scheduler kyber registered
[ 0.591070] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 0.593113] ACPI: button: Power Button [PWRF]
[ 0.595326] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.597504] 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 0.602019] Non-volatile memory driver v1.3
[ 0.603115] Linux agpgart interface v0.103
[ 0.604445] ACPI: bus type drm_connector registered
[ 0.611138] loop: module loaded
[ 0.614717] scsi host0: ata_piix
[ 0.616034] scsi host1: ata_piix
[ 0.617055] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc040 irq 14 lpm-pol 0
[ 0.618968] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc048 irq 15 lpm-pol 0
[ 0.622201] e100: Intel(R) PRO/100 Network Driver
[ 0.623438] e100: Copyright(c) 1999-2006 Intel Corporation
[ 0.624797] e1000: Intel(R) PRO/1000 Network Driver
[ 0.625931] e1000: Copyright (c) 1999-2006 Intel Corporation.
[ 0.777617] ata2: found unknown device (class 0)
[ 0.779191] ata1: found unknown device (class 0)
[ 0.781261] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[ 0.784189] ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100
[ 0.785695] ata1.00: 41943040 sectors, multi 16: LBA48
[ 0.788036] scsi 0:0:0:0: Direct-Access ATA QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5
[ 0.790969] sd 0:0:0:0: Attached scsi generic sg0 type 0
[ 0.792423] sd 0:0:0:0: [sda] 41943040 512-byte logical blocks: (21.5 GB/20.0 GiB)
[ 0.794641] sd 0:0:0:0: [sda] Write Protect is off
[ 0.796052] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[ 0.796113] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 0.798173] scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 2.5+ PQ: 0 ANSI: 5
[ 0.798503] sd 0:0:0:0: [sda] Preferred minimum I/O size 512 bytes
[ 0.808909] sd 0:0:0:0: [sda] Attached SCSI disk
[ 0.823336] sr 1:0:0:0: [sr0] scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
[ 0.825005] cdrom: Uniform CD-ROM driver Revision: 3.20
[ 0.843302] sr 1:0:0:0: Attached scsi CD-ROM sr0
[ 0.843970] sr 1:0:0:0: Attached scsi generic sg1 type 5
[ 0.985204] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[ 1.323184] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56
[ 1.325091] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[ 1.327366] e1000e: Intel(R) PRO/1000 Network Driver
[ 1.328596] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[ 1.330294] sky2: driver version 1.30
[ 1.332146] usbcore: registered new interface driver usblp
[ 1.333761] usbcore: registered new interface driver usb-storage
[ 1.335438] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
[ 1.338773] serio: i8042 KBD port at 0x60,0x64 irq 1
[ 1.340160] serio: i8042 AUX port at 0x60,0x64 irq 12
[ 1.342432] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
[ 1.343334] rtc_cmos 00:05: RTC can wake from S4
[ 1.347709] rtc_cmos 00:05: registered as rtc0
[ 1.349187] rtc_cmos 00:05: alarms up to one day, y3k, 242 bytes nvram, hpet irqs
[ 1.352132] device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@xxxxxxxxxxxxxxx
[ 1.354647] amd_pstate: The CPPC feature is supported but currently disabled by the BIOS.
Please enable it if your BIOS has the CPPC option.
[ 1.358719] amd_pstate: the _CPC object is not present in SBIOS or ACPI disabled
[ 1.360840] hid: raw HID events driver (C) Jiri Kosina
[ 1.363886] usbcore: registered new interface driver usbhid
[ 1.365390] usbhid: USB HID core driver
[ 1.367310] Initializing XFRM netlink socket
[ 1.368805] NET: Registered PF_INET6 protocol family
[ 1.371187] Segment Routing with IPv6
[ 1.372173] In-situ OAM (IOAM) with IPv6
[ 1.373252] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 1.375189] NET: Registered PF_PACKET protocol family
[ 1.376514] 9pnet: Installing 9P2000 support
[ 1.377775] Key type dns_resolver registered
[ 1.379576] IPI shorthand broadcast: enabled
[ 1.392146] sched_clock: Marking stable (1214414698, 176848652)->(1508407377, -117144027)
[ 1.394735] registered taskstats version 1
[ 1.395792] Loading compiled-in X.509 certificates
[ 1.407406] Demotion targets for Node 0: null
[ 1.408762] PM: Magic number: 13:142:245
[ 1.409925] netconsole: network logging started
[ 1.411305] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 1.413955] kworker/u8:1 (63) used greatest stack depth: 29296 bytes left
[ 1.416372] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 1.418260] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 1.420176] ALSA device list:
[ 1.421050] faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
[ 1.423308] No soundcards found.
[ 1.424828] check access for rdinit=/init failed: -2, ignoring
[ 1.425895] cfg80211: failed to load regulatory.db
[ 1.779494] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3
[ 1.781486] md: Waiting for all devices to be available before autodetect
[ 1.782782] md: If you don't use raid, use raid=noautodetect
[ 1.783874] md: Autodetecting RAID arrays.
[ 1.784553] md: autorun ...
[ 1.785054] md: ... autorun DONE.
[ 1.790159] EXT4-fs (sda): INFO: recovery required on readonly filesystem
[ 1.791377] EXT4-fs (sda): write access will be enabled during recovery
[ 1.826422] EXT4-fs (sda): orphan cleanup on readonly fs
[ 1.827543] EXT4-fs (sda): 1 orphan inode deleted
[ 1.828478] EXT4-fs (sda): recovery complete
[ 1.833997] EXT4-fs (sda): mounted filesystem f2060cf2-f7fa-446d-8f32-d759106ed261 ro with ordered data mode. Quota mode: none.
[ 1.836186] VFS: Mounted root (ext4 filesystem) readonly on device 8:0.
[ 1.837895] devtmpfs: mounted
[ 1.841327] Freeing unused kernel image (initmem) memory: 9948K
[ 1.842524] Write protecting the kernel read-only data: 69632k
[ 1.844134] Freeing unused kernel image (text/rodata gap) memory: 544K
[ 1.845474] Freeing unused kernel image (rodata/data gap) memory: 160K
[ 1.880857] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 1.882099] Run /sbin/init as init process
[ 1.882829] with arguments:
[ 1.882831] /sbin/init
[ 1.882833] nokaslr
[ 1.882835] with environment:
[ 1.882837] HOME=/
[ 1.882838] TERM=linux
[ 2.045036] SELinux: Permission firmware_load in class system not defined in policy.
[ 2.046248] SELinux: Permission kexec_image_load in class system not defined in policy.
[ 2.047602] SELinux: Permission kexec_initramfs_load in class system not defined in policy.
[ 2.049041] SELinux: Permission policy_load in class system not defined in policy.
[ 2.050465] SELinux: Permission x509_certificate_load in class system not defined in policy.
[ 2.051958] SELinux: Permission watch_mountns in class file not defined in policy.
[ 2.053341] SELinux: Permission watch_mountns in class dir not defined in policy.
[ 2.054731] SELinux: Permission watch_mountns in class lnk_file not defined in policy.
[ 2.056210] SELinux: Permission watch_mountns in class chr_file not defined in policy.
[ 2.057711] SELinux: Permission watch_mountns in class blk_file not defined in policy.
[ 2.059139] SELinux: Permission watch_mountns in class sock_file not defined in policy.
[ 2.060586] SELinux: Permission watch_mountns in class fifo_file not defined in policy.
[ 2.062064] SELinux: Permission nlmsg in class netlink_route_socket not defined in policy.
[ 2.063511] SELinux: Permission nlmsg in class netlink_tcpdiag_socket not defined in policy.
[ 2.065000] SELinux: Permission nlmsg in class netlink_xfrm_socket not defined in policy.
[ 2.066503] SELinux: Permission nlmsg in class netlink_audit_socket not defined in policy.
[ 2.068054] SELinux: Class mctp_socket not defined in policy.
[ 2.069097] SELinux: Class anon_inode not defined in policy.
[ 2.070101] SELinux: Class io_uring not defined in policy.
[ 2.071104] SELinux: Class user_namespace not defined in policy.
[ 2.072110] SELinux: the above unknown classes and permissions will be allowed
[ 2.082493] SELinux: policy capability network_peer_controls=1
[ 2.083845] SELinux: policy capability open_perms=1
[ 2.084809] SELinux: policy capability extended_socket_class=1
[ 2.085957] SELinux: policy capability always_check_network=0
[ 2.086956] SELinux: policy capability cgroup_seclabel=1
[ 2.087917] SELinux: policy capability nnp_nosuid_transition=1
[ 2.088973] SELinux: policy capability genfs_seclabel_symlinks=0
[ 2.090066] SELinux: policy capability ioctl_skip_cloexec=0
[ 2.091020] SELinux: policy capability userspace_initial_context=0
[ 2.092179] SELinux: policy capability netlink_xperm=0
[ 2.093138] SELinux: policy capability netif_wildcard=0
[ 2.094145] SELinux: policy capability genfs_seclabel_wildcard=0
[ 2.095310] SELinux: policy capability functionfs_seclabel=0
[ 2.114630] audit: type=1403 audit(1760213605.784:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 2.116873] systemd[1]: Successfully loaded SELinux policy in 184.231ms.
[ 2.160520] systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 5.776ms.
[ 2.166600] systemd[1]: systemd 247.3-7+deb11u5 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified)
[ 2.170977] systemd[1]: Detected virtualization kvm.
[ 2.171964] systemd[1]: Detected architecture x86-64.
[ 2.176309] systemd[1]: Set hostname to <syzkaller>.
[ 2.211377] systemd-cryptse (71) used greatest stack depth: 25664 bytes left
[ 2.260613] grep (83) used greatest stack depth: 25296 bytes left
[ 2.263704] selinux-autorel (69) used greatest stack depth: 25200 bytes left
[ 2.267612] systemd-sysv-ge (80) used greatest stack depth: 24848 bytes left
[ 2.366788] systemd[1]: /etc/systemd/system/ksmbd.service:5: Unknown key name 'Type' in section 'Unit', ignoring.
[ 2.368511] systemd[1]: /etc/systemd/system/ksmbd.service:6: Unknown key name 'Restart' in section 'Unit', ignoring.
[ 2.370285] systemd[1]: /etc/systemd/system/ksmbd.service:7: Unknown key name 'RestartSec' in section 'Unit', ignoring.
[ 2.384393] systemd[1]: Queued start job for default target Graphical Interface.
[ 2.385798] systemd[1]: system-getty.slice: unit configures an IP firewall, but the local system does not support BPF/cgroup firewalling.
[ 2.387820] systemd[1]: (This warning is only shown for the first unit using IP firewalling.)
[ 2.396517] systemd[1]: Created slice system-getty.slice.
[ 2.399944] systemd[1]: Created slice system-modprobe.slice.
[ 2.402947] systemd[1]: Created slice system-serial\x2dgetty.slice.
[ 2.405926] systemd[1]: Created slice User and Session Slice.
[ 2.408630] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[ 2.412259] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 2.416556] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[ 2.420026] systemd[1]: Reached target Local Encrypted Volumes.
[ 2.422572] systemd[1]: Reached target Paths.
[ 2.424231] systemd[1]: Reached target Slices.
[ 2.425945] systemd[1]: Reached target Swap.
[ 2.431807] systemd[1]: Listening on RPCbind Server Activation Socket.
[ 2.435514] systemd[1]: Listening on Syslog Socket.
[ 2.438302] systemd[1]: Listening on fsck to fsckd communication Socket.
[ 2.441438] systemd[1]: Listening on initctl Compatibility Named Pipe.
[ 2.445083] systemd[1]: Listening on Journal Audit Socket.
[ 2.445109] audit: type=1400 audit(1760213606.114:3): avc: denied { audit_read } for pid=1 comm="systemd" capability=37 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ 2.451090] systemd[1]: Listening on Journal Socket (/dev/log).
[ 2.454389] systemd[1]: Listening on Journal Socket.
[ 2.457458] systemd[1]: Listening on udev Control Socket.
[ 2.460590] systemd[1]: Listening on udev Kernel Socket.
[ 2.476342] systemd[1]: Mounting Huge Pages File System...
[ 2.483215] systemd[1]: Mounting POSIX Message Queue File System...
[ 2.487893] systemd[1]: Mounting NFSD configuration filesystem...
[ 2.496079] systemd[1]: Mounting RPC Pipe File System...
[ 2.501168] systemd[1]: Mounting Kernel Debug File System...
[ 2.506310] systemd[1]: Mounting Kernel Trace File System...
[ 2.508626] systemd[1]: Condition check resulted in Kernel Module supporting RPCSEC_GSS being skipped.
[ 2.510098] systemd[1]: Condition check resulted in Create list of static device nodes for the current kernel being skipped.
[ 2.512447] audit: type=1400 audit(1760213606.177:4): avc: denied { module_load } for pid=88 comm="modprobe" path="/usr/lib/modules/6.17.0-12340-gcd5a0afbdf80/kernel/net/sunrpc/sunrpc.ko" dev="sda" ino=702328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=system permissive=1
[ 2.519984] systemd[1]: Starting Load Kernel Module configfs...
[ 2.527814] systemd[1]: Starting Load Kernel Module drm...
[ 2.531942] systemd[1]: Starting Load Kernel Module fuse...
[ 2.541638] systemd[1]: Condition check resulted in Set Up Additional Binary Formats being skipped.
[ 2.548770] systemd[1]: Starting File System Check on Root Device...
[ 2.554362] systemd[1]: Starting Journal Service...
[ 2.570414] systemd[1]: Starting Load Kernel Modules...
[ 2.598131] systemd[1]: Starting Coldplug All udev Devices...
[ 2.616097] systemd[1]: Mounted Huge Pages File System.
[ 2.626902] systemd[1]: Mounted POSIX Message Queue File System.
[ 2.634603] systemd[1]: Mounted Kernel Debug File System.
[ 2.644753] systemd[1]: Mounted Kernel Trace File System.
[ 2.653585] systemd[1]: modprobe@configfs.service: Succeeded.
[ 2.659028] systemd[1]: Finished Load Kernel Module configfs.
[ 2.668051] systemd[1]: modprobe@drm.service: Succeeded.
[ 2.671403] systemd[1]: Finished Load Kernel Module drm.
[ 2.674589] RPC: Registered named UNIX socket transport module.
[ 2.675737] RPC: Registered udp transport module.
[ 2.676403] systemd[1]: modprobe@fuse.service: Succeeded.
[ 2.676656] RPC: Registered tcp transport module.
[ 2.678616] RPC: Registered tcp-with-tls transport module.
[ 2.679645] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 2.680356] systemd[1]: Finished Load Kernel Module fuse.
[ 2.689173] systemd[1]: Finished File System Check on Root Device.
[ 2.697553] systemd[1]: Started Journal Service.
[ 2.822203] EXT4-fs (sda): re-mounted f2060cf2-f7fa-446d-8f32-d759106ed261 r/w.
[ 2.858399] systemd-journald[97]: Received client request to flush runtime journal.
[ 2.884175] systemd-journald[97]: File /var/log/journal/075c7e28cae94a4895bb78e420011ab5/system.journal corrupted or uncleanly shut down, renaming and replacing.
[ 2.938191] modprobe (88) used greatest stack depth: 24144 bytes left
[ 3.403414] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 4.507134] ksmbd: running
[ 5.579109] NFSD: Using UMH upcall client tracking operations.
[ 5.582432] NFSD: Using UMH upcall client tracking operations.
[ 5.583651] NFSD: starting 90-second grace period (net effffff9)
[ 6.182847] NFS: Registering the id_resolver key type
[ 6.183786] Key type id_resolver registered
[ 6.184555] Key type id_legacy registered
[ 6.222934] audit: type=1400 audit(1760213609.892:5): avc: denied { watch_reads } for pid=1 comm="systemd" path="/run/mount/utab.lock" dev="tmpfs" ino=436 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
[ 6.227602] mount.nfs (236) used greatest stack depth: 23488 bytes left
[ 6.300272] audit: type=1107 audit(1760213609.970:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/graphical.target" cmdline="" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[ 6.337789] audit: type=1400 audit(1760213610.007:7): avc: denied { checkpoint_restore } for pid=245 comm="agetty" capability=40 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ 19.259755] audit: type=1107 audit(1760213622.929:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/user@.service" cmdline="/lib/systemd/systemd-logind" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=service permissive=1
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[ 19.277984] audit: type=1107 audit(1760213622.947:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/session-1.scope" cmdline="/lib/systemd/systemd-logind" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[ 19.424864] audit: type=1107 audit(1760213623.094:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/session-1.scope" cmdline="/lib/systemd/systemd-logind" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Attachment: .config
Description: XML document