./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1690343375 <...> Warning: Permanently added '10.128.0.242' (ECDSA) to the list of known hosts. execve("./syz-executor1690343375", ["./syz-executor1690343375"], 0x7fffaf037a70 /* 10 vars */) = 0 brk(NULL) = 0x555556fcb000 brk(0x555556fcbc40) = 0x555556fcbc40 arch_prctl(ARCH_SET_FS, 0x555556fcb300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555556fcb5d0) = 304 set_robust_list(0x555556fcb5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fa821313380, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fa821313a50}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fa821313420, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa821313a50}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1690343375", 4096) = 28 brk(0x555556fecc40) = 0x555556fecc40 brk(0x555556fed000) = 0x555556fed000 mprotect(0x7fa8213d3000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556fcb5d0) = 305 ./strace-static-x86_64: Process 305 attached [pid 305] set_robust_list(0x555556fcb5e0, 24) = 0 [pid 305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 305] setpgid(0, 0) = 0 [pid 305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 305] write(3, "1000", 4) = 4 [pid 305] close(3) = 0 [pid 305] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212e3000 [pid 305] mprotect(0x7fa8212e4000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 305] clone(child_stack=0x7fa8213033f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 306 attached , parent_tid=[306], tls=0x7fa821303700, child_tidptr=0x7fa8213039d0) = 306 [pid 306] set_robust_list(0x7fa8213039e0, 24) = 0 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] <... futex resumed>) = 0 [pid 306] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] <... futex resumed>) = 0 [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = 0 [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 1 [pid 306] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 1 [pid 306] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 306] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=13}) = 0 [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = 1 [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 306] ioctl(3, TUNSETQUEUE, 0x20000340 [pid 305] <... futex resumed>) = 1 [ 21.508447][ T22] audit: type=1400 audit(1656877006.010:73): avc: denied { execmem } for pid=304 comm="syz-executor169" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... ioctl resumed>) = 0 [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 305] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 306] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 305] <... futex resumed>) = 1 [ 21.540574][ T22] audit: type=1400 audit(1656877006.040:74): avc: denied { create } for pid=305 comm="syz-executor169" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 21.560630][ T22] audit: type=1400 audit(1656877006.060:75): avc: denied { read } for pid=193 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 21.568987][ T306] netlink: 20 bytes leftover after parsing attributes in process `syz-executor169'. [pid 305] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 305] futex(0x7fa8213d943c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212c2000 [pid 305] mprotect(0x7fa8212c3000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 305] clone(child_stack=0x7fa8212e23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x7fa8212e29e0, 24 [pid 305] <... clone resumed>, parent_tid=[309], tls=0x7fa8212e2700, child_tidptr=0x7fa8212e29d0) = 309 [pid 309] <... set_robust_list resumed>) = 0 [pid 305] futex(0x7fa8213d9438, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] ioctl(3, TUNSETIFF, 0x20000200 [pid 305] <... futex resumed>) = 0 [pid 305] futex(0x7fa8213d943c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... sendmsg resumed>) = 52 [pid 306] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 21.581692][ T22] audit: type=1400 audit(1656877006.060:76): avc: denied { ioctl } for pid=305 comm="syz-executor169" path="socket:[10040]" dev="sockfs" ino=10040 ioctlcmd=0x8933 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [pid 306] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 309] <... ioctl resumed>) = 0 [pid 309] futex(0x7fa8213d943c, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... futex resumed>) = 0 [pid 305] exit_group(0 [pid 306] <... futex resumed>) = ? [pid 305] <... exit_group resumed>) = ? [pid 309] <... futex resumed>) = ? [pid 306] +++ exited with 0 +++ [pid 309] +++ exited with 0 +++ [ 21.656605][ T306] syz-executor169 (306) used greatest stack depth: 26448 bytes left [pid 305] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=305, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 310 attached , child_tidptr=0x555556fcb5d0) = 310 [pid 310] set_robust_list(0x555556fcb5e0, 24) = 0 [pid 310] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 310] setpgid(0, 0) = 0 [pid 310] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 310] write(3, "1000", 4) = 4 [pid 310] close(3) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212e3000 [pid 310] mprotect(0x7fa8212e4000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 310] clone(child_stack=0x7fa8213033f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 311 attached , parent_tid=[311], tls=0x7fa821303700, child_tidptr=0x7fa8213039d0) = 311 [pid 311] set_robust_list(0x7fa8213039e0, 24) = 0 [pid 311] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 311] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=15}) = 0 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] ioctl(3, TUNSETQUEUE, 0x20000340) = 0 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 52 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 311] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000 [pid 310] <... futex resumed>) = 0 [pid 310] exit_group(0) = ? [pid 311] <... futex resumed>) = ? [pid 311] +++ exited with 0 +++ [pid 310] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=310, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556fcb5d0) = 312 ./strace-static-x86_64: Process 312 attached [pid 312] set_robust_list(0x555556fcb5e0, 24) = 0 [pid 312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 312] setpgid(0, 0) = 0 [pid 312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 312] write(3, "1000", 4) = 4 [pid 312] close(3) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212e3000 [pid 312] mprotect(0x7fa8212e4000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 312] clone(child_stack=0x7fa8213033f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[313], tls=0x7fa821303700, child_tidptr=0x7fa8213039d0) = 313 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 313 attached [pid 313] set_robust_list(0x7fa8213039e0, 24) = 0 [pid 313] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 21.791377][ T311] netlink: 20 bytes leftover after parsing attributes in process `syz-executor169'. [pid 313] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=17}) = 0 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] ioctl(3, TUNSETQUEUE, 0x20000340) = 0 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 52 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 312] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 313] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] exit_group(0) = ? [ 21.859348][ T313] netlink: 20 bytes leftover after parsing attributes in process `syz-executor169'. [pid 313] +++ exited with 0 +++ [pid 312] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=312, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556fcb5d0) = 314 ./strace-static-x86_64: Process 314 attached [pid 314] set_robust_list(0x555556fcb5e0, 24) = 0 [pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 314] setpgid(0, 0) = 0 [pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 314] write(3, "1000", 4) = 4 [pid 314] close(3) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212e3000 [pid 314] mprotect(0x7fa8212e4000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 314] clone(child_stack=0x7fa8213033f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[315], tls=0x7fa821303700, child_tidptr=0x7fa8213039d0) = 315 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 315 attached [pid 315] set_robust_list(0x7fa8213039e0, 24) = 0 [pid 315] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=19}) = 0 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] ioctl(3, TUNSETQUEUE, 0x20000340) = 0 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 52 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 315] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] exit_group(0) = ? [pid 315] <... futex resumed>) = ? [ 21.968457][ T315] netlink: 20 bytes leftover after parsing attributes in process `syz-executor169'. [pid 315] +++ exited with 0 +++ [pid 314] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556fcb5d0) = 316 ./strace-static-x86_64: Process 316 attached [pid 316] set_robust_list(0x555556fcb5e0, 24) = 0 [pid 316] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 316] setpgid(0, 0) = 0 [pid 316] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 316] write(3, "1000", 4) = 4 [pid 316] close(3) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212e3000 [pid 316] mprotect(0x7fa8212e4000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 316] clone(child_stack=0x7fa8213033f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[317], tls=0x7fa821303700, child_tidptr=0x7fa8213039d0) = 317 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 317 attached [pid 317] set_robust_list(0x7fa8213039e0, 24) = 0 [pid 317] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 317] futex(0x7fa8213d9428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 317] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=21}) = 0 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] ioctl(3, TUNSETQUEUE, 0x20000340) = 0 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 52 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 316] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 317] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 317] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 316] <... futex resumed>) = 0 [pid 316] exit_group(0) = ? [ 22.079072][ T317] netlink: 20 bytes leftover after parsing attributes in process `syz-executor169'. [pid 317] +++ exited with 0 +++ [pid 316] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=316, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556fcb5d0) = 318 ./strace-static-x86_64: Process 318 attached [pid 318] set_robust_list(0x555556fcb5e0, 24) = 0 [pid 318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 318] setpgid(0, 0) = 0 [pid 318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 318] write(3, "1000", 4) = 4 [pid 318] close(3) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212e3000 [pid 318] mprotect(0x7fa8212e4000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 318] clone(child_stack=0x7fa8213033f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[319], tls=0x7fa821303700, child_tidptr=0x7fa8213039d0) = 319 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 319 attached [pid 319] set_robust_list(0x7fa8213039e0, 24) = 0 [pid 319] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 319] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 319] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] <... socket resumed>) = 4 [pid 319] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 319] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=23}) = 0 [pid 319] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] ioctl(3, TUNSETQUEUE, 0x20000340) = 0 [pid 319] futex(0x7fa8213d942c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 318] <... futex resumed>) = 0 [pid 318] futex(0x7fa8213d9428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] futex(0x7fa8213d942c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 319] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\xc7\x4e\x1b\xed\x42\xec\x45\xb2\xfc\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 318] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 318] futex(0x7fa8213d943c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa8212c2000 [pid 318] mprotect(0x7fa8212c3000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 318] clone(child_stack=0x7fa8212e23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[320], tls=0x7fa8212e2700, child_tidptr=0x7fa8212e29d0) = 320 ./strace-static-x86_64: Process 320 attached [pid 320] set_robust_list(0x7fa8212e29e0, 24 [pid 318] futex(0x7fa8213d9438, FUTEX_WAKE_PRIVATE, 1000000 [pid 320] <... set_robust_list resumed>) = 0 [pid 318] <... futex resumed>) = 0 [pid 320] ioctl(3, TUNSETIFF, 0x20000200 [pid 318] futex(0x7fa8213d943c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... ioctl resumed>) = 0 [pid 320] futex(0x7fa8213d943c, FUTEX_WAKE_PRIVATE, 1000000 [pid 318] <... futex resumed>) = 0 [pid 320] <... futex resumed>) = 1 [ 22.194256][ T319] netlink: 20 bytes leftover after parsing attributes in process `syz-executor169'. [ 22.272158][ T319] ================================================================== [ 22.280239][ T319] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x2c/0x7a0 [ 22.287660][ T319] Write of size 8 at addr ffff8881e2b17f10 by task syz-executor169/319 [ 22.295859][ T319] [ 22.298159][ T319] CPU: 1 PID: 319 Comm: syz-executor169 Not tainted 5.4.190-syzkaller-00060-g148e4ba7f4fc #0 [ 22.308271][ T319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 22.318291][ T319] Call Trace: [ 22.321553][ T319] dump_stack+0x18e/0x1d5 [ 22.325861][ T319] ? netif_napi_del+0x2c/0x7a0 [ 22.330599][ T319] print_address_description+0x8c/0x630 [ 22.336118][ T319] ? printk+0x76/0x96 [ 22.340082][ T319] ? netif_napi_del+0x2c/0x7a0 [ 22.344809][ T319] ? vprintk_emit+0x3aa/0x3f0 [ 22.349454][ T319] ? netif_napi_del+0x2c/0x7a0 [ 22.354184][ T319] __kasan_report+0xf6/0x130 [ 22.358749][ T319] ? netif_napi_del+0x2c/0x7a0 [ 22.363489][ T319] kasan_report+0x30/0x60 [ 22.367785][ T319] check_memory_region+0x298/0x2d0 [ 22.372871][ T319] netif_napi_del+0x2c/0x7a0 [ 22.377454][ T319] free_netdev+0x188/0x310 [ 22.381846][ T319] netdev_run_todo+0xa79/0xc80 [ 22.386592][ T319] ? mutex_lock+0x6c/0xc0 [ 22.390907][ T319] rtnetlink_rcv_msg+0xa49/0xb90 [ 22.395829][ T319] ? __kasan_kmalloc+0x1a5/0x1e0 [ 22.400736][ T319] ? __kasan_kmalloc+0x131/0x1e0 [ 22.405645][ T319] ? __kmalloc_track_caller+0xfb/0x280 [ 22.411090][ T319] ? __alloc_skb+0xb5/0x4d0 [ 22.415564][ T319] ? netlink_sendmsg+0x687/0xb90 [ 22.420484][ T319] ? ____sys_sendmsg+0x4ee/0x7c0 [ 22.425397][ T319] ? __sys_sendmsg+0x235/0x2f0 [ 22.430129][ T319] ? do_syscall_64+0xcb/0x1c0 [ 22.434790][ T319] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.440837][ T319] ? avc_has_perm_noaudit+0x2b0/0x370 [ 22.446175][ T319] ? avc_has_perm+0x7c/0x1c0 [ 22.450731][ T319] ? avc_has_perm+0xfd/0x1c0 [ 22.455288][ T319] netlink_rcv_skb+0x190/0x3a0 [ 22.460020][ T319] ? rtnetlink_bind+0x80/0x80 [ 22.464665][ T319] netlink_unicast+0x771/0x8d0 [ 22.469410][ T319] netlink_sendmsg+0x913/0xb90 [ 22.474145][ T319] ? netlink_getsockopt+0x840/0x840 [ 22.479312][ T319] ____sys_sendmsg+0x4ee/0x7c0 [ 22.484046][ T319] __sys_sendmsg+0x235/0x2f0 [ 22.488623][ T319] do_syscall_64+0xcb/0x1c0 [ 22.493105][ T319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.498965][ T319] RIP: 0033:0x7fa821351a69 [ 22.503350][ T319] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.522944][ T319] RSP: 002b:00007fa821303308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 22.531332][ T319] RAX: ffffffffffffffda RBX: 00007fa8213d9428 RCX: 00007fa821351a69 [ 22.539272][ T319] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004 [ 22.547222][ T319] RBP: 00007fa8213d9420 R08: 0000000000000000 R09: 0000000000000000 [ 22.555160][ T319] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa8213d942c [ 22.563100][ T319] R13: 00007fa8213a7064 R14: 74656e2f7665642f R15: 0000000000022000 [ 22.571048][ T319] [ 22.573351][ T319] Allocated by task 299: [ 22.577579][ T319] __kasan_kmalloc+0x131/0x1e0 [ 22.582312][ T319] __kmalloc_track_caller+0xfb/0x280 [ 22.587565][ T319] __alloc_skb+0xb5/0x4d0 [ 22.591863][ T319] sk_stream_alloc_skb+0x1ee/0xa80 [ 22.597393][ T319] tcp_sendmsg_locked+0xcc7/0x36d0 [ 22.602473][ T319] tcp_sendmsg+0x2c/0x40 [ 22.606682][ T319] sock_write_iter+0x284/0x380 [ 22.611415][ T319] __vfs_write+0x4f9/0x6a0 [ 22.615798][ T319] vfs_write+0x210/0x4f0 [ 22.620008][ T319] ksys_write+0x158/0x260 [ 22.624304][ T319] do_syscall_64+0xcb/0x1c0 [ 22.628771][ T319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.634625][ T319] [ 22.636920][ T319] Freed by task 299: [ 22.640783][ T319] __kasan_slab_free+0x178/0x240 [ 22.645685][ T319] slab_free_freelist_hook+0x80/0x150 [ 22.651020][ T319] kfree+0xc6/0x260 [ 22.654824][ T319] __kfree_skb+0x55/0x170 [ 22.659121][ T319] tcp_ack+0x2098/0x6140 [ 22.663330][ T319] tcp_rcv_established+0xba0/0x17e0 [ 22.668496][ T319] tcp_v4_do_rcv+0x39e/0x760 [ 22.673053][ T319] __release_sock+0x165/0x3f0 [ 22.677708][ T319] release_sock+0x5d/0x1a0 [ 22.682091][ T319] tcp_sendmsg+0x36/0x40 [ 22.686299][ T319] sock_write_iter+0x284/0x380 [ 22.691032][ T319] __vfs_write+0x4f9/0x6a0 [ 22.695426][ T319] vfs_write+0x210/0x4f0 [ 22.699635][ T319] ksys_write+0x158/0x260 [ 22.703938][ T319] do_syscall_64+0xcb/0x1c0 [ 22.708419][ T319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.714274][ T319] [ 22.716586][ T319] The buggy address belongs to the object at ffff8881e2b17800 [ 22.716586][ T319] which belongs to the cache kmalloc-1k of size 1024 [ 22.730619][ T319] The buggy address is located 784 bytes to the right of [ 22.730619][ T319] 1024-byte region [ffff8881e2b17800, ffff8881e2b17c00) [ 22.744464][ T319] The buggy address belongs to the page: [ 22.750069][ T319] page:ffffea00078ac400 refcount:1 mapcount:0 mapping:ffff8881f5c02280 index:0x0 compound_mapcount: 0 [ 22.760965][ T319] flags: 0x8000000000010200(slab|head) [ 22.766393][ T319] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5c02280 [ 22.774947][ T319] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 22.783496][ T319] page dumped because: kasan: bad access detected [ 22.789874][ T319] page_owner tracks the page as allocated [ 22.795563][ T319] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) [ 22.810559][ T319] prep_new_page+0x194/0x380 [ 22.815117][ T319] get_page_from_freelist+0x524/0x560 [ 22.820547][ T319] __alloc_pages_nodemask+0x2ab/0x6f0 [ 22.825883][ T319] alloc_slab_page+0x39/0x3e0 [ 22.830524][ T319] new_slab+0x97/0x450 [ 22.834558][ T319] ___slab_alloc+0x320/0x4b0 [ 22.839111][ T319] __slab_alloc+0x5a/0x90 [ 22.843404][ T319] __kmalloc_track_caller+0x168/0x280 [ 22.848741][ T319] __alloc_skb+0xb5/0x4d0 [ 22.853063][ T319] sk_stream_alloc_skb+0x1ee/0xa80 [ 22.858138][ T319] tcp_sendmsg_locked+0xcc7/0x36d0 [ 22.863212][ T319] tcp_sendmsg+0x2c/0x40 [ 22.867419][ T319] sock_write_iter+0x284/0x380 [ 22.872148][ T319] __vfs_write+0x4f9/0x6a0 [ 22.876531][ T319] vfs_write+0x210/0x4f0 [ 22.880745][ T319] ksys_write+0x158/0x260 [ 22.885044][ T319] page last free stack trace: [ 22.889689][ T319] __free_pages_ok+0x7ee/0x920 [ 22.894420][ T319] page_to_skb+0x62e/0x910 [ 22.898806][ T319] receive_mergeable+0x73e/0x2300 [ 22.903801][ T319] receive_buf+0x104/0x1940 [ 22.908285][ T319] virtnet_poll+0x554/0x10b0 [ 22.912935][ T319] napi_poll+0x195/0x670 [ 22.917141][ T319] net_rx_action+0x2dd/0x890 [ 22.921699][ T319] __do_softirq+0x23e/0x643 [ 22.926170][ T319] irq_exit+0x195/0x1c0 [ 22.930288][ T319] do_IRQ+0xc4/0x1b0 [ 22.934147][ T319] ret_from_intr+0x0/0x14 [ 22.938443][ T319] rcu_idle_exit+0x3c4/0x450 [ 22.943001][ T319] do_idle+0x45d/0x590 [ 22.947033][ T319] cpu_startup_entry+0x15/0x20 [ 22.951767][ T319] start_secondary+0x312/0x390 [ 22.956508][ T319] secondary_startup_64+0xa4/0xb0 [ 22.961491][ T319] [ 22.963785][ T319] Memory state around the buggy address: [ 22.969385][ T319] ffff8881e2b17e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.977414][ T319] ffff8881e2b17e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.985548][ T319] >ffff8881e2b17f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.993588][ T319] ^ [ 22.998153][ T319] ffff8881e2b17f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.006179][ T319] ffff8881e2b18000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.014201][ T319] ================================================================== [ 23.022227][ T319] Disabling lock debugging due to kernel taint [ 23.028548][ T319] kasan: CONFIG_KASAN_INLINE enabled [ 23.033835][ T319] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 23.041877][ T319] general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 23.048867][ T319] CPU: 1 PID: 319 Comm: syz-executor169 Tainted: G B 5.4.190-syzkaller-00060-g148e4ba7f4fc #0 [ 23.060365][ T319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 23.070396][ T319] RIP: 0010:netif_napi_del+0x28f/0x7a0 [pid 320] futex(0x7fa8213d9438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 318] exit_group(0) = ? [pid 320] <... futex resumed>) = ? [pid 320] +++ exited with 0 +++ [ 23.075898][ T319] Code: 00 74 08 4c 89 ff e8 10 3f 32 fe 49 8b 2f 49 39 ef 75 10 e8 43 d2 05 fe eb 35 90 e8 3b d2 05 fe 48 89 dd 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 e2 3e 32 fe 48 8b 5d 00 48 89 ef [ 23.095477][ T319] RSP: 0018:ffff8881dd147790 EFLAGS: 00010246 [ 23.101521][ T319] RAX: 0000000000000000 RBX: 1ffff1103c562fff RCX: ffffffff835a7b10 [ 23.109463][ T319] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881e2b17f38 [ 23.117403][ T319] RBP: 0000000000000000 R08: ffffffff835a78e3 R09: fffffbfff0d3170d [ 23.125346][ T319] R10: fffffbfff0d3170d R11: 1ffffffff0d3170c R12: ffff8881e2b17f00 [ 23.133297][ T319] R13: dffffc0000000000 R14: ffff8881e2b17f00 R15: ffff8881e2b17f38 [ 23.141240][ T319] FS: 00007fa821303700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 23.150133][ T319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 23.156681][ T319] CR2: 00007fa821392c10 CR3: 00000001dd008000 CR4: 00000000003406e0 [ 23.164635][ T319] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 23.172574][ T319] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 23.180511][ T319] Call Trace: [ 23.183784][ T319] free_netdev+0x188/0x310 [ 23.188175][ T319] netdev_run_todo+0xa79/0xc80 [ 23.192915][ T319] ? mutex_lock+0x6c/0xc0 [ 23.197226][ T319] rtnetlink_rcv_msg+0xa49/0xb90 [ 23.202137][ T319] ? __kasan_kmalloc+0x1a5/0x1e0 [ 23.207045][ T319] ? __kasan_kmalloc+0x131/0x1e0 [ 23.211952][ T319] ? __kmalloc_track_caller+0xfb/0x280 [ 23.217381][ T319] ? __alloc_skb+0xb5/0x4d0 [ 23.221849][ T319] ? netlink_sendmsg+0x687/0xb90 [ 23.226753][ T319] ? ____sys_sendmsg+0x4ee/0x7c0 [ 23.231673][ T319] ? __sys_sendmsg+0x235/0x2f0 [ 23.236402][ T319] ? do_syscall_64+0xcb/0x1c0 [ 23.241047][ T319] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 23.247079][ T319] ? avc_has_perm_noaudit+0x2b0/0x370 [ 23.252419][ T319] ? avc_has_perm+0x7c/0x1c0 [ 23.256987][ T319] ? avc_has_perm+0xfd/0x1c0 [ 23.261547][ T319] netlink_rcv_skb+0x190/0x3a0 [ 23.266280][ T319] ? rtnetlink_bind+0x80/0x80 [ 23.270923][ T319] netlink_unicast+0x771/0x8d0 [ 23.275655][ T319] netlink_sendmsg+0x913/0xb90 [ 23.280394][ T319] ? netlink_getsockopt+0x840/0x840 [ 23.285560][ T319] ____sys_sendmsg+0x4ee/0x7c0 [ 23.290293][ T319] __sys_sendmsg+0x235/0x2f0 [ 23.294857][ T319] do_syscall_64+0xcb/0x1c0 [ 23.299330][ T319] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 23.305188][ T319] RIP: 0033:0x7fa821351a69 [ 23.309572][ T319] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 23.329141][ T319] RSP: 002b:00007fa821303308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 23.337517][ T319] RAX: ffffffffffffffda RBX: 00007fa8213d9428 RCX: 00007fa821351a69 [ 23.345469][ T319] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004 [ 23.353406][ T319] RBP: 00007fa8213d9420 R08: 0000000000000000 R09: 0000000000000000 [ 23.361343][ T319] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa8213d942c [ 23.369280][ T319] R13: 00007fa8213a7064 R14: 74656e2f7665642f R15: 0000000000022000 [ 23.377230][ T319] Modules linked in: [ 23.381548][ T319] ---[ end trace dc9f4416afdd0f49 ]--- [ 23.387041][ T319] RIP: 0010:netif_napi_del+0x28f/0x7a0 [ 23.392496][ T319] Code: 00 74 08 4c 89 ff e8 10 3f 32 fe 49 8b 2f 49 39 ef 75 10 e8 43 d2 05 fe eb 35 90 e8 3b d2 05 fe 48 89 dd 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 e2 3e 32 fe 48 8b 5d 00 48 89 ef [ 23.412203][ T319] RSP: 0018:ffff8881dd147790 EFLAGS: 00010246 [ 23.418246][ T319] RAX: 0000000000000000 RBX: 1ffff1103c562fff RCX: ffffffff835a7b10 [ 23.426207][ T319] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881e2b17f38 [ 23.434170][ T319] RBP: 0000000000000000 R08: ffffffff835a78e3 R09: fffffbfff0d3170d [ 23.442132][ T319] R10: fffffbfff0d3170d R11: 1ffffffff0d3170c R12: ffff8881e2b17f00 [ 23.450083][ T319] R13: dffffc0000000000 R14: ffff8881e2b17f00 R15: ffff8881e2b17f38 [ 23.458053][ T319] FS: 00007fa821303700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 23.466998][ T319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 23.473596][ T319] CR2: 00007fa821392c10 CR3: 00000001dd008000 CR4: 00000000003406e0 [ 23.481549][ T319] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 23.489512][ T319] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 23.497474][ T319] Kernel panic - not syncing: Fatal exception [ 23.503670][ T319] Kernel Offset: disabled [ 23.507970][ T319] Rebooting in 86400 seconds..