./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4017411979

<...>
Warning: Permanently added '10.128.1.106' (ECDSA) to the list of known hosts.
execve("./syz-executor4017411979", ["./syz-executor4017411979"], 0x7ffdc7c5b7a0 /* 10 vars */) = 0
brk(NULL)                               = 0x555555cbc000
brk(0x555555cbcc40)                     = 0x555555cbcc40
arch_prctl(ARCH_SET_FS, 0x555555cbc300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor4017411979", 4096) = 28
brk(0x555555cddc40)                     = 0x555555cddc40
brk(0x555555cde000)                     = 0x555555cde000
mprotect(0x7f95ae04a000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5073 attached
, child_tidptr=0x555555cbc5d0) = 5073
[pid  5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5073] setpgid(0, 0)               = 0
[pid  5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5073] write(3, "1000", 4)         = 4
[pid  5073] close(3)                    = 0
[pid  5073] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid  5073] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid  5073] exit_group(0)               = ?
[pid  5073] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5073, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5075 attached
, child_tidptr=0x555555cbc5d0) = 5075
[pid  5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5075] setpgid(0, 0)               = 0
[pid  5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5075] write(3, "1000", 4)         = 4
[pid  5075] close(3)                    = 0
[pid  5075] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid  5075] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid  5075] exit_group(0)               = ?
[pid  5075] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5075, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cbc5d0) = 5077
./strace-static-x86_64: Process 5077 attached
[pid  5077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5077] setpgid(0, 0)               = 0
[pid  5077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5077] write(3, "1000", 4)         = 4
[pid  5077] close(3)                    = 0
[pid  5077] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid  5077] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid  5077] exit_group(0)               = ?
[pid  5077] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5077, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555cbc5d0) = 5079
./strace-static-x86_64: Process 5079 attached
[pid  5079] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5079] setpgid(0, 0)               = 0
[pid  5079] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5079] write(3, "1000", 4)         = 4
[pid  5079] close(3)                    = 0
[pid  5079] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid  5079] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid  5079] exit_group(0)               = ?
[pid  5079] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5079, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5080 attached
, child_tidptr=0x555555cbc5d0) = 5080
[pid  5080] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5080] setpgid(0, 0)               = 0
[pid  5080] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5080] write(3, "1000", 4)         = 4
[pid  5080] close(3)                    = 0
[pid  5080] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid  5080] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid  5080] exit_group(0)               = ?
[pid  5080] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5080, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5081 attached
, child_tidptr=0x555555cbc5d0) = 5081
[pid  5081] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5081] setpgid(0, 0)               = 0
[pid  5081] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5081] write(3, "1000", 4)         = 4
[pid  5081] close(3)                    = 0
[pid  5081] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
syzkaller login: [   56.124161][ T5081] ==================================================================
[   56.132250][ T5081] BUG: KASAN: use-after-free in rxrpc_lookup_local+0xdcf/0xfb0
[   56.139802][ T5081] Read of size 2 at addr ffff8880755b521c by task syz-executor401/5081
[   56.148023][ T5081] 
[   56.150340][ T5081] CPU: 0 PID: 5081 Comm: syz-executor401 Not tainted 6.1.0-syzkaller-13139-gf9ff5644bcc0 #0
[   56.160420][ T5081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   56.170484][ T5081] Call Trace:
[   56.173765][ T5081]  <TASK>
[   56.176683][ T5081]  dump_stack_lvl+0xd1/0x138
[   56.181280][ T5081]  print_report+0x15e/0x45d
[   56.185776][ T5081]  ? __phys_addr+0xc8/0x140
[   56.190276][ T5081]  ? rxrpc_lookup_local+0xdcf/0xfb0
[   56.195474][ T5081]  kasan_report+0xbf/0x1f0
[   56.199883][ T5081]  ? rxrpc_lookup_local+0xdcf/0xfb0
[   56.205076][ T5081]  rxrpc_lookup_local+0xdcf/0xfb0
[   56.210095][ T5081]  rxrpc_bind+0x35e/0x5c0
[   56.214431][ T5081]  __sys_bind+0x1ed/0x260
[   56.218749][ T5081]  ? __ia32_sys_socketpair+0x100/0x100
[   56.224200][ T5081]  ? _raw_spin_unlock_irq+0x23/0x50
[   56.229390][ T5081]  ? lockdep_hardirqs_on+0x7d/0x100
[   56.234577][ T5081]  ? _raw_spin_unlock_irq+0x2e/0x50
[   56.239779][ T5081]  __x64_sys_bind+0x73/0xb0
[   56.244293][ T5081]  do_syscall_64+0x39/0xb0
[   56.248703][ T5081]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.254587][ T5081] RIP: 0033:0x7f95adfddd59
[   56.258990][ T5081] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   56.278585][ T5081] RSP: 002b:00007fffe4994e28 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[   56.286985][ T5081] RAX: ffffffffffffffda RBX: 000000000000daff RCX: 00007f95adfddd59
[   56.294946][ T5081] RDX: 0000000000000024 RSI: 0000000020000080 RDI: 0000000000000003
[   56.302903][ T5081] RBP: 0000000000000000 R08: 00007fffe4994fc8 R09: 00007fffe4994fc8
[   56.310871][ T5081] R10: 00007fffe49948a0 R11: 0000000000000246 R12: 00007fffe4994e3c
[   56.318851][ T5081] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   56.326814][ T5081]  </TASK>
[   56.329818][ T5081] 
[   56.332126][ T5081] Allocated by task 5077:
[   56.336431][ T5081]  kasan_save_stack+0x22/0x40
[   56.341095][ T5081]  kasan_set_track+0x25/0x30
[   56.345677][ T5081]  __kasan_kmalloc+0xa5/0xb0
[   56.350270][ T5081]  rxrpc_lookup_local+0x4d9/0xfb0
[   56.355286][ T5081]  rxrpc_bind+0x35e/0x5c0
[   56.359610][ T5081]  __sys_bind+0x1ed/0x260
[   56.363957][ T5081]  __x64_sys_bind+0x73/0xb0
[   56.368467][ T5081]  do_syscall_64+0x39/0xb0
[   56.372877][ T5081]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.378756][ T5081] 
[   56.381061][ T5081] Freed by task 0:
[   56.384771][ T5081]  kasan_save_stack+0x22/0x40
[   56.389453][ T5081]  kasan_set_track+0x25/0x30
[   56.394030][ T5081]  kasan_save_free_info+0x2e/0x40
[   56.399042][ T5081]  ____kasan_slab_free+0x160/0x1c0
[   56.404151][ T5081]  slab_free_freelist_hook+0x8b/0x1c0
[   56.409544][ T5081]  __kmem_cache_free+0xaf/0x3b0
[   56.414377][ T5081]  rcu_core+0x81f/0x1980
[   56.418624][ T5081]  __do_softirq+0x1fb/0xadc
[   56.423122][ T5081] 
[   56.425432][ T5081] Last potentially related work creation:
[   56.431127][ T5081]  kasan_save_stack+0x22/0x40
[   56.435790][ T5081]  __kasan_record_aux_stack+0xbc/0xd0
[   56.441150][ T5081]  __call_rcu_common.constprop.0+0x99/0x820
[   56.447044][ T5081]  rxrpc_put_local.part.0+0x128/0x170
[   56.452427][ T5081]  rxrpc_put_local+0x25/0x30
[   56.457014][ T5081]  rxrpc_release+0x237/0x550
[   56.461595][ T5081]  __sock_release+0xcd/0x280
[   56.466189][ T5081]  sock_close+0x1c/0x20
[   56.470377][ T5081]  __fput+0x27c/0xa90
[   56.474369][ T5081]  task_work_run+0x16f/0x270
[   56.479070][ T5081]  do_exit+0xaa8/0x2950
[   56.483229][ T5081]  do_group_exit+0xd4/0x2a0
[   56.487731][ T5081]  __x64_sys_exit_group+0x3e/0x50
[   56.492759][ T5081]  do_syscall_64+0x39/0xb0
[   56.497196][ T5081]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.503080][ T5081] 
[   56.505395][ T5081] The buggy address belongs to the object at ffff8880755b5000
[   56.505395][ T5081]  which belongs to the cache kmalloc-1k of size 1024
[   56.519448][ T5081] The buggy address is located 540 bytes inside of
[   56.519448][ T5081]  1024-byte region [ffff8880755b5000, ffff8880755b5400)
[   56.532795][ T5081] 
[   56.535103][ T5081] The buggy address belongs to the physical page:
[   56.541506][ T5081] page:ffffea0001d56c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x755b0
[   56.551668][ T5081] head:ffffea0001d56c00 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[   56.561714][ T5081] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   56.569702][ T5081] raw: 00fff00000010200 ffff888012041dc0 dead000000000122 0000000000000000
[   56.578330][ T5081] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   56.586899][ T5081] page dumped because: kasan: bad access detected
[   56.593304][ T5081] page_owner tracks the page as allocated
[   56.599027][ T5081] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5069, tgid 5069 (sh), ts 55995988174, free_ts 55983834036
[   56.618765][ T5081]  get_page_from_freelist+0x119c/0x2ce0
[   56.624340][ T5081]  __alloc_pages+0x1cb/0x5b0
[   56.628944][ T5081]  alloc_pages+0x1aa/0x270
[   56.633353][ T5081]  allocate_slab+0x25f/0x350
[   56.637943][ T5081]  ___slab_alloc+0xa91/0x1400
[   56.642617][ T5081]  __slab_alloc.constprop.0+0x56/0xa0
[   56.647999][ T5081]  __kmem_cache_alloc_node+0x1a4/0x430
[   56.653454][ T5081]  __kmalloc+0x4a/0xd0
[   56.657516][ T5081]  tomoyo_init_log+0x1282/0x1ec0
[   56.662468][ T5081]  tomoyo_supervisor+0x354/0xf10
[   56.667411][ T5081]  tomoyo_env_perm+0x183/0x200
[   56.672172][ T5081]  tomoyo_find_next_domain+0x13d2/0x1f80
[   56.677821][ T5081]  tomoyo_bprm_check_security+0x133/0x1c0
[   56.683534][ T5081]  security_bprm_check+0x49/0xb0
[   56.688461][ T5081]  bprm_execve+0x732/0x19f0
[   56.692960][ T5081]  do_execveat_common+0x724/0x890
[   56.697998][ T5081] page last free stack trace:
[   56.702668][ T5081]  free_pcp_prepare+0x65c/0xc00
[   56.707536][ T5081]  free_unref_page+0x1d/0x490
[   56.712230][ T5081]  __unfreeze_partials+0x17c/0x1a0
[   56.717363][ T5081]  qlist_free_all+0x6a/0x170
[   56.721946][ T5081]  kasan_quarantine_reduce+0x192/0x220
[   56.727419][ T5081]  __kasan_slab_alloc+0x66/0x90
[   56.732257][ T5081]  kmem_cache_alloc+0x1e4/0x430
[   56.737093][ T5081]  mas_alloc_nodes+0x429/0x810
[   56.741853][ T5081]  mas_preallocate+0x1bb/0x360
[   56.746629][ T5081]  vma_expand+0x1d0/0xb80
[   56.750945][ T5081]  mmap_region+0x14bf/0x1dd0
[   56.755531][ T5081]  do_mmap+0x831/0xf60
[   56.759609][ T5081]  vm_mmap_pgoff+0x1af/0x280
[   56.764196][ T5081]  ksys_mmap_pgoff+0x41f/0x5a0
[   56.768946][ T5081]  do_syscall_64+0x39/0xb0
[   56.773354][ T5081]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.779253][ T5081] 
[   56.781570][ T5081] Memory state around the buggy address:
[   56.787183][ T5081]  ffff8880755b5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.795228][ T5081]  ffff8880755b5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.803272][ T5081] >ffff8880755b5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.811323][ T5081]                             ^
[   56.816165][ T5081]  ffff8880755b5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.824207][ T5081]  ffff8880755b5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.832259][ T5081] ==================================================================
[   56.841551][ T5081] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   56.848767][ T5081] CPU: 1 PID: 5081 Comm: syz-executor401 Not tainted 6.1.0-syzkaller-13139-gf9ff5644bcc0 #0
[   56.858839][ T5081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   56.868875][ T5081] Call Trace:
[   56.872141][ T5081]  <TASK>
[   56.875056][ T5081]  dump_stack_lvl+0xd1/0x138
[   56.879640][ T5081]  panic+0x2cc/0x626
[   56.883521][ T5081]  ? panic_print_sys_info.part.0+0x110/0x110
[   56.889492][ T5081]  ? preempt_schedule_thunk+0x1a/0x20
[   56.894858][ T5081]  ? preempt_schedule_common+0x59/0xc0
[   56.900307][ T5081]  check_panic_on_warn.cold+0x19/0x35
[   56.905666][ T5081]  end_report.part.0+0x36/0x73
[   56.910416][ T5081]  ? rxrpc_lookup_local+0xdcf/0xfb0
[   56.915605][ T5081]  kasan_report.cold+0xa/0xf
[   56.920183][ T5081]  ? rxrpc_lookup_local+0xdcf/0xfb0
[   56.925374][ T5081]  rxrpc_lookup_local+0xdcf/0xfb0
[   56.930393][ T5081]  rxrpc_bind+0x35e/0x5c0
[   56.934709][ T5081]  __sys_bind+0x1ed/0x260
[   56.939028][ T5081]  ? __ia32_sys_socketpair+0x100/0x100
[   56.944476][ T5081]  ? _raw_spin_unlock_irq+0x23/0x50
[   56.949665][ T5081]  ? lockdep_hardirqs_on+0x7d/0x100
[   56.955374][ T5081]  ? _raw_spin_unlock_irq+0x2e/0x50
[   56.961322][ T5081]  __x64_sys_bind+0x73/0xb0
[   56.966787][ T5081]  do_syscall_64+0x39/0xb0
[   56.971195][ T5081]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.977074][ T5081] RIP: 0033:0x7f95adfddd59
[   56.981471][ T5081] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   57.001067][ T5081] RSP: 002b:00007fffe4994e28 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[   57.009486][ T5081] RAX: ffffffffffffffda RBX: 000000000000daff RCX: 00007f95adfddd59
[   57.017456][ T5081] RDX: 0000000000000024 RSI: 0000000020000080 RDI: 0000000000000003
[   57.025426][ T5081] RBP: 0000000000000000 R08: 00007fffe4994fc8 R09: 00007fffe4994fc8
[   57.033398][ T5081] R10: 00007fffe49948a0 R11: 0000000000000246 R12: 00007fffe4994e3c
[   57.041371][ T5081] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   57.049358][ T5081]  </TASK>
[   57.052422][ T5081] Kernel Offset: disabled
[   57.056738][ T5081] Rebooting in 86400 seconds..