Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 72.455876][ T6653] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
executing program
[ 72.520450][ T6675] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
executing program
executing program
[ 72.568042][ T6686] lo speed is unknown, defaulting to 1000
[ 72.574166][ T6693] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 72.590881][ T6706] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 72.606903][ T6713] rdma_rxe: rxe_register_device failed with error -23
executing program
[ 72.608794][ T6686] lo speed is unknown, defaulting to 1000
[ 72.628997][ T6705] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 72.641120][ T6713] rdma_rxe: failed to add lo
[ 72.646955][ T6693] rdma_rxe: rxe_register_device failed with error -23
[ 72.662757][ T6693] rdma_rxe: failed to add lo
[ 72.677597][ T6686] lo speed is unknown, defaulting to 1000
[ 72.683201][ T6733] rdma_rxe: rxe_register_device failed with error -23
[ 72.691945][ T6705] rdma_rxe: rxe_register_device failed with error -23
[ 72.705669][ T6726] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 72.719643][ T6705] rdma_rxe: failed to add lo
[ 72.752660][ T6733] rdma_rxe: failed to add lo
[ 72.760412][ T6726] rdma_rxe: rxe_register_device failed with error -23
[ 72.779915][ T6726] rdma_rxe: failed to add lo
[ 72.923442][ T1440] lo speed is unknown, defaulting to 1000
[ 72.929818][ T6686] infiniband syz1: set down
[ 72.954213][ T6686] infiniband syz1: added lo
[ 73.025960][ T6686] infiniband syz1: Couldn't open port 1
executing program
executing program
executing program
[ 73.115825][ T6877] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 73.187070][ T6686] RDS/IB: syz1: added
[ 73.196864][ T6882] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 73.212027][ T6686] smc: adding ib device syz1 with port count 1
[ 73.247080][ T6887] netlink: 12 bytes leftover after parsing attributes in process `syz-executor435'.
[ 73.258299][ T6686] smc: ib device syz1 port 1 has pnetid
[ 73.345120][ T5] lo speed is unknown, defaulting to 1000
[ 73.364560][ T6686] lo speed is unknown, defaulting to 1000
[ 73.429172][ T6686] lo speed is unknown, defaulting to 1000
[ 73.495168][ T6686] lo speed is unknown, defaulting to 1000
[ 73.560130][ T6686] lo speed is unknown, defaulting to 1000
[ 73.614402][ T6686] lo speed is unknown, defaulting to 1000
[ 73.668020][ T6686] lo speed is unknown, defaulting to 1000
[ 73.719966][ T6686] lo speed is unknown, defaulting to 1000
[ 73.771314][ T6686] lo speed is unknown, defaulting to 1000
[ 73.822510][ T6686] lo speed is unknown, defaulting to 1000
[ 73.872561][ T6686] lo speed is unknown, defaulting to 1000
[ 73.923286][ T6686] lo speed is unknown, defaulting to 1000
[ 73.973546][ T6686] lo speed is unknown, defaulting to 1000
[ 74.024420][ T6686] lo speed is unknown, defaulting to 1000
[ 74.074770][ T6686] lo speed is unknown, defaulting to 1000
[ 74.130015][ T6686] lo speed is unknown, defaulting to 1000
[ 74.190878][ T6877] rdma_rxe: rxe_register_device failed with error -23
[ 74.203844][ T6882] rdma_rxe: rxe_register_device failed with error -23
[ 74.210935][ T6887] rdma_rxe: rxe_register_device failed with error -23
[ 74.213047][ T10] ==================================================================
[ 74.225916][ T10] BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120
[ 74.226085][ T6686] syz-executor435 (6686) used greatest stack depth: 22128 bytes left
[ 74.233322][ T10] Read of size 4 at addr ffff8880781120c4 by task kworker/u4:1/10
[ 74.249178][ T10]
[ 74.251500][ T10] CPU: 1 PID: 10 Comm: kworker/u4:1 Not tainted 5.15.0-rc4-syzkaller #0
[ 74.259818][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.269891][ T10] Workqueue: gid-cache-wq netdevice_event_work_handler
[ 74.276776][ T10] Call Trace:
[ 74.280072][ T10] dump_stack_lvl+0xcd/0x134
[ 74.284694][ T10] print_address_description.constprop.0.cold+0x6c/0x309
[ 74.291746][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 74.296806][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 74.301861][ T10] kasan_report.cold+0x83/0xdf
[ 74.306657][ T10] ? rwlock_bug.part.0+0x30/0x90
[ 74.311631][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 74.316697][ T10] vlan_dev_real_dev+0xf9/0x120
[ 74.321587][ T10] is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
[ 74.328217][ T10] is_eth_port_of_netdev_filter+0x28/0x40
[ 74.333973][ T10] ib_enum_roce_netdev+0x177/0x2f0
[ 74.339120][ T10] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 74.345800][ T10] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 74.351497][ T10] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 74.357120][ T10] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 74.363786][ T10] ib_enum_all_roce_netdevs+0xbd/0x130
[ 74.369278][ T10] ? ib_enum_roce_netdev+0x2f0/0x2f0
[ 74.374553][ T10] ? lock_downgrade+0x6e0/0x6e0
[ 74.379395][ T10] ? do_raw_spin_lock+0x120/0x2b0
[ 74.384413][ T10] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 74.390054][ T10] netdevice_event_work_handler+0x9c/0x230
[ 74.395875][ T10] process_one_work+0x9bf/0x16b0
[ 74.400817][ T10] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 74.406186][ T10] ? rwlock_bug.part.0+0x90/0x90
[ 74.411117][ T10] ? _raw_spin_lock_irq+0x41/0x50
[ 74.416323][ T10] worker_thread+0x658/0x11f0
[ 74.421002][ T10] ? process_one_work+0x16b0/0x16b0
[ 74.426193][ T10] kthread+0x3e5/0x4d0
[ 74.430253][ T10] ? set_kthread_struct+0x130/0x130
[ 74.435442][ T10] ret_from_fork+0x1f/0x30
[ 74.439863][ T10]
[ 74.442171][ T10] Allocated by task 6877:
[ 74.446479][ T10] kasan_save_stack+0x1b/0x40
[ 74.451156][ T10] __kasan_kmalloc+0xa4/0xd0
[ 74.455737][ T10] kvmalloc_node+0x61/0x120
[ 74.460231][ T10] alloc_netdev_mqs+0x98/0xe80
[ 74.465157][ T10] rtnl_create_link+0x95a/0xb80
[ 74.469998][ T10] __rtnl_newlink+0xf73/0x1750
[ 74.474750][ T10] rtnl_newlink+0x64/0xa0
[ 74.479065][ T10] rtnetlink_rcv_msg+0x413/0xb80
[ 74.483989][ T10] netlink_rcv_skb+0x153/0x420
[ 74.488805][ T10] netlink_unicast+0x533/0x7d0
[ 74.493557][ T10] netlink_sendmsg+0x86d/0xdb0
[ 74.498316][ T10] sock_sendmsg+0xcf/0x120
[ 74.502727][ T10] ____sys_sendmsg+0x6e8/0x810
[ 74.507480][ T10] ___sys_sendmsg+0xf3/0x170
[ 74.512071][ T10] __sys_sendmsg+0xe5/0x1b0
[ 74.516564][ T10] do_syscall_64+0x35/0xb0
[ 74.520970][ T10] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.526887][ T10]
[ 74.529197][ T10] Freed by task 6874:
[ 74.533249][ T10] kasan_save_stack+0x1b/0x40
[ 74.537921][ T10] kasan_set_track+0x1c/0x30
[ 74.542679][ T10] kasan_set_free_info+0x20/0x30
[ 74.547607][ T10] __kasan_slab_free+0xff/0x130
[ 74.552455][ T10] slab_free_freelist_hook+0x81/0x190
[ 74.557823][ T10] kfree+0xe4/0x530
[ 74.561627][ T10] kvfree+0x42/0x50
[ 74.565424][ T10] device_release+0x9f/0x240
[ 74.570004][ T10] kobject_put+0x1c8/0x540
[ 74.574406][ T10] put_device+0x1b/0x30
[ 74.578562][ T10] free_netdev+0x3e0/0x5b0
[ 74.582969][ T10] ppp_destroy_interface+0x2ab/0x340
[ 74.588261][ T10] ppp_release+0x1bf/0x240
[ 74.592670][ T10] __fput+0x288/0x9f0
[ 74.596643][ T10] task_work_run+0xdd/0x1a0
[ 74.601134][ T10] exit_to_user_mode_prepare+0x27e/0x290
[ 74.606757][ T10] syscall_exit_to_user_mode+0x19/0x60
[ 74.612207][ T10] do_syscall_64+0x42/0xb0
[ 74.616618][ T10] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.622507][ T10]
[ 74.624819][ T10] The buggy address belongs to the object at ffff888078112000
[ 74.624819][ T10] which belongs to the cache kmalloc-cg-4k of size 4096
[ 74.639119][ T10] The buggy address is located 196 bytes inside of
[ 74.639119][ T10] 4096-byte region [ffff888078112000, ffff888078113000)
[ 74.652466][ T10] The buggy address belongs to the page:
[ 74.658256][ T10] page:ffffea0001e04400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78110
[ 74.668425][ T10] head:ffffea0001e04400 order:3 compound_mapcount:0 compound_pincount:0
[ 74.676735][ T10] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 74.684709][ T10] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c4c280
[ 74.693283][ T10] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 74.701850][ T10] page dumped because: kasan: bad access detected
[ 74.708248][ T10] page_owner tracks the page as allocated
[ 74.713946][ T10] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6880, ts 73160788272, free_ts 73155121785
[ 74.733035][ T10] get_page_from_freelist+0xa72/0x2f80
[ 74.738572][ T10] __alloc_pages+0x1b2/0x500
[ 74.743172][ T10] alloc_pages+0x1a7/0x300
[ 74.747669][ T10] new_slab+0x319/0x490
[ 74.751860][ T10] ___slab_alloc+0x921/0xfe0
[ 74.756442][ T10] __slab_alloc.constprop.0+0x4d/0xa0
[ 74.761804][ T10] __kmalloc_node+0x2d2/0x370
[ 74.766471][ T10] kvmalloc_node+0x61/0x120
[ 74.770973][ T10] seq_read_iter+0x7e7/0x1240
[ 74.775641][ T10] kernfs_fop_read_iter+0x44f/0x5f0
[ 74.780828][ T10] new_sync_read+0x421/0x6e0
[ 74.785402][ T10] vfs_read+0x35c/0x600
[ 74.789543][ T10] ksys_read+0x12d/0x250
[ 74.793906][ T10] do_syscall_64+0x35/0xb0
[ 74.798313][ T10] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.804200][ T10] page last free stack trace:
[ 74.808861][ T10] free_pcp_prepare+0x2c5/0x780
[ 74.813819][ T10] free_unref_page+0x19/0x690
[ 74.818488][ T10] __unfreeze_partials+0x340/0x360
[ 74.823599][ T10] qlist_free_all+0x5a/0xc0
[ 74.828091][ T10] kasan_quarantine_reduce+0x180/0x200
[ 74.833547][ T10] __kasan_slab_alloc+0x95/0xb0
[ 74.838394][ T10] kmem_cache_alloc+0x142/0x390
[ 74.843244][ T10] anon_vma_fork+0xed/0x630
[ 74.847805][ T10] dup_mm+0xa07/0x13e0
[ 74.851866][ T10] copy_process+0x6fcf/0x7580
[ 74.856539][ T10] kernel_clone+0xe7/0xac0
[ 74.860950][ T10] __do_sys_clone+0xc8/0x110
[ 74.865532][ T10] do_syscall_64+0x35/0xb0
[ 74.869960][ T10] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.875853][ T10]
[ 74.878161][ T10] Memory state around the buggy address:
[ 74.883789][ T10] ffff888078111f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.891837][ T10] ffff888078112000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.899883][ T10] >ffff888078112080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.907957][ T10] ^
[ 74.914092][ T10] ffff888078112100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.922137][ T10] ffff888078112180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.930183][ T10] ==================================================================
[ 74.938224][ T10] Disabling lock debugging due to kernel taint
[ 74.946372][ T10] Kernel panic - not syncing: panic_on_warn set ...
[ 74.953058][ T10] CPU: 1 PID: 10 Comm: kworker/u4:1 Tainted: G B 5.15.0-rc4-syzkaller #0
[ 74.962778][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.972919][ T10] Workqueue: gid-cache-wq netdevice_event_work_handler
[ 74.979778][ T10] Call Trace:
[ 74.983050][ T10] dump_stack_lvl+0xcd/0x134
[ 74.987641][ T10] panic+0x2b0/0x6dd
[ 74.991533][ T10] ? __warn_printk+0xf3/0xf3
[ 74.996126][ T10] ? preempt_schedule_common+0x59/0xc0
[ 75.001589][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 75.006616][ T10] ? preempt_schedule_thunk+0x16/0x18
[ 75.011989][ T10] ? trace_hardirqs_on+0x38/0x1c0
[ 75.017013][ T10] ? trace_hardirqs_on+0x51/0x1c0
[ 75.022038][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 75.027069][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 75.032095][ T10] end_report.cold+0x63/0x6f
[ 75.036705][ T10] kasan_report.cold+0x71/0xdf
[ 75.041638][ T10] ? rwlock_bug.part.0+0x30/0x90
[ 75.046578][ T10] ? vlan_dev_real_dev+0xf9/0x120
[ 75.051618][ T10] vlan_dev_real_dev+0xf9/0x120
[ 75.056474][ T10] is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
[ 75.062998][ T10] is_eth_port_of_netdev_filter+0x28/0x40
[ 75.068723][ T10] ib_enum_roce_netdev+0x177/0x2f0
[ 75.073838][ T10] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 75.080607][ T10] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 75.086247][ T10] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 75.091885][ T10] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 75.098740][ T10] ib_enum_all_roce_netdevs+0xbd/0x130
[ 75.104206][ T10] ? ib_enum_roce_netdev+0x2f0/0x2f0
[ 75.109511][ T10] ? lock_downgrade+0x6e0/0x6e0
[ 75.114366][ T10] ? do_raw_spin_lock+0x120/0x2b0
[ 75.119405][ T10] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 75.125053][ T10] netdevice_event_work_handler+0x9c/0x230
[ 75.130891][ T10] process_one_work+0x9bf/0x16b0
[ 75.135851][ T10] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 75.141236][ T10] ? rwlock_bug.part.0+0x90/0x90
[ 75.146172][ T10] ? _raw_spin_lock_irq+0x41/0x50
[ 75.151198][ T10] worker_thread+0x658/0x11f0
[ 75.155906][ T10] ? process_one_work+0x16b0/0x16b0
[ 75.161111][ T10] kthread+0x3e5/0x4d0
[ 75.165178][ T10] ? set_kthread_struct+0x130/0x130
[ 75.170380][ T10] ret_from_fork+0x1f/0x30
[ 75.175102][ T10] Kernel Offset: disabled
[ 75.179435][ T10] Rebooting in 86400 seconds..