Warning: Permanently added '10.128.1.40' (ECDSA) to the list of known hosts.
executing program
[ 49.136137][ T3589] ==================================================================
[ 49.144312][ T3589] BUG: KASAN: use-after-free in strcmp+0x66/0xa0
[ 49.150661][ T3589] Read of size 1 at addr ffff888018b592c4 by task syz-executor997/3589
[ 49.158998][ T3589]
[ 49.161376][ T3589] CPU: 1 PID: 3589 Comm: syz-executor997 Not tainted 5.17.0-rc3-syzkaller #0
[ 49.170130][ T3589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.180197][ T3589] Call Trace:
[ 49.183489][ T3589]
[ 49.186422][ T3589] dump_stack_lvl+0x1dc/0x2d8
[ 49.191113][ T3589] ? show_regs_print_info+0x12/0x12
[ 49.196415][ T3589] ? _printk+0xcf/0x118
[ 49.200584][ T3589] ? wake_up_klogd+0xb2/0xf0
[ 49.205202][ T3589] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 49.210936][ T3589] ? _raw_spin_lock_irqsave+0xdd/0x120
[ 49.216411][ T3589] print_address_description+0x65/0x3a0
[ 49.222046][ T3589] ? strcmp+0x66/0xa0
[ 49.226044][ T3589] kasan_report+0x19a/0x1f0
[ 49.230565][ T3589] ? strcmp+0x66/0xa0
[ 49.234572][ T3589] strcmp+0x66/0xa0
[ 49.238378][ T3589] madvise_update_vma+0x49d/0x7e0
[ 49.243419][ T3589] do_madvise+0xb6e/0x1200
[ 49.247863][ T3589] ? madvise_set_anon_name+0x520/0x520
[ 49.253325][ T3589] ? rcu_read_lock_sched_held+0x89/0x130
[ 49.258968][ T3589] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 49.264967][ T3589] ? rcu_read_lock_sched_held+0x89/0x130
[ 49.270654][ T3589] ? __context_tracking_exit+0x7a/0xd0
[ 49.276172][ T3589] ? __lock_acquire+0x2b00/0x2b00
[ 49.281209][ T3589] ? lockdep_hardirqs_on_prepare+0x412/0x780
[ 49.287197][ T3589] ? print_irqtrace_events+0x220/0x220
[ 49.292676][ T3589] ? vtime_user_exit+0x2b2/0x3e0
[ 49.297618][ T3589] ? syscall_enter_from_user_mode+0x2e/0x1b0
[ 49.303585][ T3589] __x64_sys_madvise+0xa2/0xb0
[ 49.308349][ T3589] do_syscall_64+0x44/0xd0
[ 49.312795][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.318710][ T3589] RIP: 0033:0x7fba2b6b7ff9
[ 49.323135][ T3589] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 49.342746][ T3589] RSP: 002b:00007ffdddc7a618 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 49.351167][ T3589] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fba2b6b7ff9
[ 49.359138][ T3589] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 49.367108][ T3589] RBP: 00007fba2b67bfe0 R08: 0000000000000000 R09: 0000000000000000
[ 49.375139][ T3589] R10: 0000000020000000 R11: 0000000000000246 R12: 00007fba2b67c070
[ 49.383108][ T3589] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 49.391105][ T3589]
[ 49.394127][ T3589]
[ 49.396438][ T3589] Allocated by task 3589:
[ 49.400874][ T3589] ____kasan_kmalloc+0xdc/0x110
[ 49.405734][ T3589] __kmalloc+0x253/0x380
[ 49.410003][ T3589] madvise_update_vma+0x584/0x7e0
[ 49.415028][ T3589] madvise_set_anon_name+0x367/0x520
[ 49.420461][ T3589] prctl_set_vma+0x19b/0x220
[ 49.425056][ T3589] __do_sys_prctl+0x183/0x1120
[ 49.429818][ T3589] do_syscall_64+0x44/0xd0
[ 49.434233][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.440114][ T3589]
[ 49.442423][ T3589] Freed by task 3589:
[ 49.446381][ T3589] kasan_set_track+0x4c/0x70
[ 49.450959][ T3589] kasan_set_free_info+0x1f/0x40
[ 49.455882][ T3589] ____kasan_slab_free+0x126/0x180
[ 49.460995][ T3589] slab_free_freelist_hook+0x12e/0x1a0
[ 49.466439][ T3589] kfree+0xb8/0x2e0
[ 49.470229][ T3589] vm_area_free+0x11/0x30
[ 49.474541][ T3589] __vma_adjust+0x315d/0x3910
[ 49.479200][ T3589] vma_merge+0xd15/0x1020
[ 49.483510][ T3589] madvise_update_vma+0x235/0x7e0
[ 49.488534][ T3589] do_madvise+0xb6e/0x1200
[ 49.492935][ T3589] __x64_sys_madvise+0xa2/0xb0
[ 49.497682][ T3589] do_syscall_64+0x44/0xd0
[ 49.502095][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.508128][ T3589]
[ 49.510467][ T3589] The buggy address belongs to the object at ffff888018b592c0
[ 49.510467][ T3589]  which belongs to the cache kmalloc-32 of size 32
[ 49.524348][ T3589] The buggy address is located 4 bytes inside of
[ 49.524348][ T3589]  32-byte region [ffff888018b592c0, ffff888018b592e0)
[ 49.537456][ T3589] The buggy address belongs to the page:
[ 49.543188][ T3589] page:ffffea000062d640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18b59
[ 49.553326][ T3589] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 49.560864][ T3589] raw: 00fff00000000200 ffffea000069d2c0 dead000000000003 ffff888011441500
[ 49.569443][ T3589] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 49.578004][ T3589] page dumped because: kasan: bad access detected
[ 49.584405][ T3589] page_owner tracks the page as allocated
[ 49.590104][ T3589] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 22, ts 6054220736, free_ts 6053740729
[ 49.605937][ T3589] get_page_from_freelist+0x729/0x9e0
[ 49.611526][ T3589] __alloc_pages+0x255/0x580
[ 49.616124][ T3589] allocate_slab+0xce/0x3f0
[ 49.620616][ T3589] ___slab_alloc+0x3fe/0xc30
[ 49.625189][ T3589] __kmalloc+0x2eb/0x380
[ 49.629416][ T3589] shmem_initxattrs+0xcd/0x1e0
[ 49.634188][ T3589] security_inode_init_security+0x2a2/0x3c0
[ 49.640070][ T3589] shmem_mknod+0xb0/0x1b0
[ 49.644403][ T3589] vfs_mknod+0x3f5/0x5a0
[ 49.648641][ T3589] devtmpfs_work_loop+0x921/0x1080
[ 49.653763][ T3589] devtmpfsd+0x44/0x50
[ 49.658101][ T3589] kthread+0x2a3/0x2d0
[ 49.662325][ T3589] ret_from_fork+0x1f/0x30
[ 49.666871][ T3589] page last free stack trace:
[ 49.671556][ T3589] free_pcp_prepare+0xd1c/0xe00
[ 49.676431][ T3589] free_unref_page+0x7d/0x580
[ 49.681107][ T3589] __vunmap+0x936/0xa80
[ 49.685274][ T3589] free_work+0x66/0x90
[ 49.689359][ T3589] process_one_work+0x850/0x1130
[ 49.694306][ T3589] worker_thread+0xab1/0x1300
[ 49.699000][ T3589] kthread+0x2a3/0x2d0
[ 49.703061][ T3589] ret_from_fork+0x1f/0x30
[ 49.707469][ T3589]
[ 49.709776][ T3589] Memory state around the buggy address:
[ 49.715409][ T3589] ffff888018b59180: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 49.723468][ T3589] ffff888018b59200: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc
[ 49.731628][ T3589] >ffff888018b59280: 00 00 01 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 49.739687][ T3589]                                            ^
[ 49.745840][ T3589] ffff888018b59300: 00 00 01 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 49.753904][ T3589] ffff888018b59380: 00 00 01 fc fc fc fc fc 00 00 01 fc fc fc fc fc
[ 49.761948][ T3589] ==================================================================
[ 49.770086][ T3589] Disabling lock debugging due to kernel taint
[ 49.776901][ T3589] Kernel panic - not syncing: panic_on_warn set ...
[ 49.783500][ T3589] CPU: 1 PID: 3589 Comm: syz-executor997 Tainted: G B 5.17.0-rc3-syzkaller #0
[ 49.793759][ T3589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.803822][ T3589] Call Trace:
[ 49.807198][ T3589]
[ 49.810126][ T3589] dump_stack_lvl+0x1dc/0x2d8
[ 49.814806][ T3589] ? show_regs_print_info+0x12/0x12
[ 49.820010][ T3589] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 49.825755][ T3589] ? preempt_schedule+0x16b/0x190
[ 49.830773][ T3589] ? schedule_preempt_disabled+0x20/0x20
[ 49.836398][ T3589] panic+0x2d6/0x810
[ 49.840278][ T3589] ? trace_hardirqs_on+0x30/0x80
[ 49.845196][ T3589] ? nmi_panic+0x90/0x90
[ 49.849441][ T3589] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 49.855405][ T3589] ? print_memory_metadata+0xe0/0x140
[ 49.860781][ T3589] ? strcmp+0x66/0xa0
[ 49.864767][ T3589] end_report+0x83/0x90
[ 49.868926][ T3589] kasan_report+0x1bf/0x1f0
[ 49.873429][ T3589] ? strcmp+0x66/0xa0
[ 49.877512][ T3589] strcmp+0x66/0xa0
[ 49.881315][ T3589] madvise_update_vma+0x49d/0x7e0
[ 49.886426][ T3589] do_madvise+0xb6e/0x1200
[ 49.890836][ T3589] ? madvise_set_anon_name+0x520/0x520
[ 49.896279][ T3589] ? rcu_read_lock_sched_held+0x89/0x130
[ 49.901912][ T3589] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 49.908107][ T3589] ? rcu_read_lock_sched_held+0x89/0x130
[ 49.913792][ T3589] ? __context_tracking_exit+0x7a/0xd0
[ 49.919254][ T3589] ? __lock_acquire+0x2b00/0x2b00
[ 49.924303][ T3589] ? lockdep_hardirqs_on_prepare+0x412/0x780
[ 49.930320][ T3589] ? print_irqtrace_events+0x220/0x220
[ 49.935764][ T3589] ? vtime_user_exit+0x2b2/0x3e0
[ 49.940684][ T3589] ? syscall_enter_from_user_mode+0x2e/0x1b0
[ 49.946656][ T3589] __x64_sys_madvise+0xa2/0xb0
[ 49.951423][ T3589] do_syscall_64+0x44/0xd0
[ 49.955831][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.961731][ T3589] RIP: 0033:0x7fba2b6b7ff9
[ 49.966148][ T3589] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 49.985849][ T3589] RSP: 002b:00007ffdddc7a618 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 49.994283][ T3589] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fba2b6b7ff9
[ 50.002357][ T3589] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 50.010339][ T3589] RBP: 00007fba2b67bfe0 R08: 0000000000000000 R09: 0000000000000000
[ 50.018379][ T3589] R10: 0000000020000000 R11: 0000000000000246 R12: 00007fba2b67c070
[ 50.026352][ T3589] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.034320][ T3589]
[ 50.037583][ T3589] Kernel Offset: disabled
[ 50.041919][ T3589] Rebooting in 86400 seconds..