executing program
syzkaller login: [ 51.768970][ T3587] ==================================================================
[ 51.777304][ T3587] BUG: KASAN: use-after-free in strcmp+0x9b/0xb0
[ 51.783730][ T3587] Read of size 1 at addr ffff8880231637c4 by task syz-executor159/3587
[ 51.791959][ T3587]
[ 51.794284][ T3587] CPU: 1 PID: 3587 Comm: syz-executor159 Not tainted 5.17.0-rc2-next-20220204-syzkaller #0
[ 51.804246][ T3587] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.814289][ T3587] Call Trace:
[ 51.817558][ T3587]
[ 51.820476][ T3587] dump_stack_lvl+0xcd/0x134
[ 51.825072][ T3587] print_address_description.constprop.0.cold+0xa5/0x3e0
[ 51.832091][ T3587] ? strcmp+0x9b/0xb0
[ 51.836069][ T3587] ? strcmp+0x9b/0xb0
[ 51.840062][ T3587] kasan_report.cold+0x83/0xdf
[ 51.844817][ T3587] ? strcmp+0x9b/0xb0
[ 51.848788][ T3587] strcmp+0x9b/0xb0
[ 51.852578][ T3587] madvise_update_vma+0x4e6/0x7f0
[ 51.857594][ T3587] madvise_vma_behavior+0x116/0x19d0
[ 51.862869][ T3587] ? madvise_vma_anon_name+0xc0/0xc0
[ 51.868153][ T3587] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 51.873892][ T3587] ? vmacache_find+0x62/0x330
[ 51.878597][ T3587] ? find_vma+0xbd/0x270
[ 51.882863][ T3587] madvise_walk_vmas+0x1d5/0x2d0
[ 51.887811][ T3587] ? madvise_vma_anon_name+0xc0/0xc0
[ 51.893091][ T3587] ? __remove_memory+0x40/0x40
[ 51.897961][ T3587] ? __down_timeout+0x10/0x10
[ 51.902644][ T3587] ? find_held_lock+0x2d/0x110
[ 51.907416][ T3587] do_madvise+0x249/0x3c0
[ 51.911746][ T3587] ? madvise_set_anon_name+0xe0/0xe0
[ 51.917040][ T3587] __x64_sys_madvise+0xa6/0x110
[ 51.921883][ T3587] ? syscall_enter_from_user_mode+0x21/0x70
[ 51.927785][ T3587] do_syscall_64+0x35/0xb0
[ 51.932202][ T3587] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.938095][ T3587] RIP: 0033:0x7f60caa93ff9
[ 51.942513][ T3587] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 51.962121][ T3587] RSP: 002b:00007fff7d85f3e8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 51.970554][ T3587] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60caa93ff9
[ 51.978662][ T3587] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 51.986640][ T3587] RBP: 00007f60caa57fe0 R08: 0000000000000000 R09: 0000000000000000
[ 51.994612][ T3587] R10: 0000000020000000 R11: 0000000000000246 R12: 00007f60caa58070
[ 52.002577][ T3587] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 52.010561][ T3587]
[ 52.013576][ T3587]
[ 52.015888][ T3587] Allocated by task 3587:
[ 52.020201][ T3587] kasan_save_stack+0x1e/0x40
[ 52.024883][ T3587] __kasan_kmalloc+0xa9/0xd0
[ 52.029471][ T3587] madvise_update_vma+0x546/0x7f0
[ 52.034591][ T3587] madvise_vma_anon_name+0x7c/0xc0
[ 52.039713][ T3587] madvise_walk_vmas+0x1d5/0x2d0
[ 52.044671][ T3587] madvise_set_anon_name+0xac/0xe0
[ 52.049794][ T3587] __do_sys_prctl+0xeb5/0x12d0
[ 52.054736][ T3587] do_syscall_64+0x35/0xb0
[ 52.059245][ T3587] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.065147][ T3587]
[ 52.067462][ T3587] Freed by task 3587:
[ 52.071429][ T3587] kasan_save_stack+0x1e/0x40
[ 52.076191][ T3587] kasan_set_track+0x21/0x30
[ 52.080780][ T3587] kasan_set_free_info+0x20/0x30
[ 52.085717][ T3587] ____kasan_slab_free+0x166/0x1a0
[ 52.090826][ T3587] slab_free_freelist_hook+0x8b/0x1c0
[ 52.096209][ T3587] kfree+0xce/0x2d0
[ 52.100012][ T3587] free_vma_anon_name+0xeb/0x110
[ 52.104976][ T3587] vm_area_free+0x11/0x30
[ 52.109296][ T3587] __vma_adjust+0x836/0x24a0
[ 52.113882][ T3587] vma_merge+0x860/0xeb0
[ 52.118139][ T3587] madvise_update_vma+0x1b6/0x7f0
[ 52.123161][ T3587] madvise_vma_behavior+0x116/0x19d0
[ 52.128438][ T3587] madvise_walk_vmas+0x1d5/0x2d0
[ 52.133380][ T3587] do_madvise+0x249/0x3c0
[ 52.137698][ T3587] __x64_sys_madvise+0xa6/0x110
[ 52.142539][ T3587] do_syscall_64+0x35/0xb0
[ 52.147043][ T3587] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.152933][ T3587]
[ 52.155250][ T3587] The buggy address belongs to the object at ffff8880231637c0
[ 52.155250][ T3587] which belongs to the cache kmalloc-32 of size 32
[ 52.169140][ T3587] The buggy address is located 4 bytes inside of
[ 52.169140][ T3587] 32-byte region [ffff8880231637c0, ffff8880231637e0)
[ 52.182245][ T3587] The buggy address belongs to the page:
[ 52.187865][ T3587] page:ffffea00008c58c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23163
[ 52.198011][ T3587] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 52.205568][ T3587] raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41500
[ 52.214150][ T3587] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 52.222732][ T3587] page dumped because: kasan: bad access detected
[ 52.229148][ T3587] page_owner tracks the page as allocated
[ 52.234866][ T3587] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 17707481459, free_ts 17668236203
[ 52.250717][ T3587] get_page_from_freelist+0x13ea/0x31d0
[ 52.256280][ T3587] __alloc_pages+0x1b2/0x500
[ 52.260878][ T3587] alloc_pages+0x1aa/0x310
[ 52.265296][ T3587] new_slab+0x295/0x400
[ 52.269454][ T3587] ___slab_alloc+0x7ed/0xe00
[ 52.274043][ T3587] __slab_alloc.constprop.0+0x4d/0xa0
[ 52.279420][ T3587] kmem_cache_alloc_trace+0x289/0x2c0
[ 52.284807][ T3587] proc_init_fs_context+0x47/0x420
[ 52.289919][ T3587] alloc_fs_context+0x582/0xa00
[ 52.294970][ T3587] vfs_kern_mount.part.0+0x24/0x170
[ 52.300186][ T3587] kern_mount+0x4f/0xc0
[ 52.304345][ T3587] process_sysctl_arg+0x38e/0x470
[ 52.309386][ T3587] parse_args+0x46e/0x8b0
[ 52.313728][ T3587] do_sysctl_args+0xc3/0x130
[ 52.318320][ T3587] kernel_init+0x6f/0x1d0
[ 52.322663][ T3587] ret_from_fork+0x1f/0x30
[ 52.327089][ T3587] page last free stack trace:
[ 52.331751][ T3587] free_pcp_prepare+0x549/0xd20
[ 52.336614][ T3587] free_unref_page+0x19/0x6c0
[ 52.341301][ T3587] kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 52.347047][ T3587] __apply_to_page_range+0x686/0x1030
[ 52.352435][ T3587] kasan_release_vmalloc+0xa7/0xc0
[ 52.357563][ T3587] __purge_vmap_area_lazy+0x8f9/0x1c50
[ 52.363026][ T3587] _vm_unmap_aliases.part.0+0x3f0/0x500
[ 52.368577][ T3587] vm_unmap_aliases+0x45/0x50
[ 52.373258][ T3587] change_page_attr_set_clr+0x241/0x500
[ 52.378816][ T3587] set_memory_nx+0xb2/0x110
[ 52.383320][ T3587] free_init_pages+0x73/0xc0
[ 52.387914][ T3587] kernel_init+0x2e/0x1d0
[ 52.392256][ T3587] ret_from_fork+0x1f/0x30
[ 52.396681][ T3587]
[ 52.399003][ T3587] Memory state around the buggy address:
[ 52.404630][ T3587] ffff888023163680: fb fb fb fb fc fc fc fc 00 00 03 fc fc fc fc fc
[ 52.412688][ T3587] ffff888023163700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 52.420753][ T3587] >ffff888023163780: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 52.428810][ T3587] ^
[ 52.434959][ T3587] ffff888023163800: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 52.443022][ T3587] ffff888023163880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 52.451083][ T3587] ==================================================================
[ 52.459137][ T3587] Disabling lock debugging due to kernel taint
[ 52.465810][ T3587] Kernel panic - not syncing: panic_on_warn set ...
[ 52.472397][ T3587] CPU: 1 PID: 3587 Comm: syz-executor159 Tainted: G B 5.17.0-rc2-next-20220204-syzkaller #0
[ 52.483776][ T3587] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.493819][ T3587] Call Trace:
[ 52.497085][ T3587]
[ 52.500001][ T3587] dump_stack_lvl+0xcd/0x134
[ 52.504584][ T3587] panic+0x2b0/0x605
[ 52.508468][ T3587] ? __warn_printk+0xf3/0xf3
[ 52.513046][ T3587] ? preempt_schedule_common+0x59/0xc0
[ 52.518494][ T3587] ? strcmp+0x9b/0xb0
[ 52.522460][ T3587] ? preempt_schedule_thunk+0x16/0x18
[ 52.527825][ T3587] ? trace_hardirqs_on+0x38/0x1c0
[ 52.532838][ T3587] ? trace_hardirqs_on+0x51/0x1c0
[ 52.537845][ T3587] ? strcmp+0x9b/0xb0
[ 52.541806][ T3587] ? strcmp+0x9b/0xb0
[ 52.545788][ T3587] end_report.cold+0x63/0x6f
[ 52.550364][ T3587] kasan_report.cold+0x71/0xdf
[ 52.555112][ T3587] ? strcmp+0x9b/0xb0
[ 52.559078][ T3587] strcmp+0x9b/0xb0
[ 52.562889][ T3587] madvise_update_vma+0x4e6/0x7f0
[ 52.567898][ T3587] madvise_vma_behavior+0x116/0x19d0
[ 52.573177][ T3587] ? madvise_vma_anon_name+0xc0/0xc0
[ 52.578503][ T3587] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 52.584216][ T3587] ? vmacache_find+0x62/0x330
[ 52.588898][ T3587] ? find_vma+0xbd/0x270
[ 52.593130][ T3587] madvise_walk_vmas+0x1d5/0x2d0
[ 52.598062][ T3587] ? madvise_vma_anon_name+0xc0/0xc0
[ 52.603333][ T3587] ? __remove_memory+0x40/0x40
[ 52.608086][ T3587] ? __down_timeout+0x10/0x10
[ 52.612754][ T3587] ? find_held_lock+0x2d/0x110
[ 52.617518][ T3587] do_madvise+0x249/0x3c0
[ 52.621840][ T3587] ? madvise_set_anon_name+0xe0/0xe0
[ 52.627121][ T3587] __x64_sys_madvise+0xa6/0x110
[ 52.631965][ T3587] ? syscall_enter_from_user_mode+0x21/0x70
[ 52.637882][ T3587] do_syscall_64+0x35/0xb0
[ 52.642298][ T3587] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.648197][ T3587] RIP: 0033:0x7f60caa93ff9
[ 52.652615][ T3587] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 52.672218][ T3587] RSP: 002b:00007fff7d85f3e8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 52.680625][ T3587] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60caa93ff9
[ 52.688588][ T3587] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 52.696556][ T3587] RBP: 00007f60caa57fe0 R08: 0000000000000000 R09: 0000000000000000
[ 52.704524][ T3587] R10: 0000000020000000 R11: 0000000000000246 R12: 00007f60caa58070
[ 52.712487][ T3587] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 52.720456][ T3587]
[ 52.723621][ T3587] Kernel Offset: disabled
[ 52.727983][ T3587] Rebooting in 86400 seconds..