./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2840864035 <...> DUID 00:04:5e:0c:a2:1f:75:5d:71:31:20:b7:6a:78:b2:8c:4a:f5 forked to background, child pid 192 Starting sshd: OK syzkaller syzkaller login: [ 12.981035][ T22] kauditd_printk_skb: 60 callbacks suppressed [ 12.981044][ T22] audit: type=1400 audit(1655514312.499:71): avc: denied { transition } for pid=264 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 12.985384][ T22] audit: type=1400 audit(1655514312.499:72): avc: denied { write } for pid=264 comm="sh" path="pipe:[593]" dev="pipefs" ino=593 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.1.73' (ECDSA) to the list of known hosts. execve("./syz-executor2840864035", ["./syz-executor2840864035"], 0x7fff13f86cc0 /* 10 vars */) = 0 brk(NULL) = 0x555556ea8000 brk(0x555556ea8c40) = 0x555556ea8c40 arch_prctl(ARCH_SET_FS, 0x555556ea8300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555556ea85d0) = 304 set_robust_list(0x555556ea85e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fb027009380, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fb027009a50}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fb027009420, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fb027009a50}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2840864035", 4096) = 28 brk(0x555556ec9c40) = 0x555556ec9c40 brk(0x555556eca000) = 0x555556eca000 mprotect(0x7fb0270c9000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ea85d0) = 305 ./strace-static-x86_64: Process 305 attached [pid 305] set_robust_list(0x555556ea85e0, 24) = 0 [pid 305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 305] setpgid(0, 0) = 0 [pid 305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 305] write(3, "1000", 4) = 4 [pid 305] close(3) = 0 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb026fd9000 [pid 305] mprotect(0x7fb026fda000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 305] clone(child_stack=0x7fb026ff93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[306], tls=0x7fb026ff9700, child_tidptr=0x7fb026ff99d0) = 306 ./strace-static-x86_64: Process 306 attached [pid 306] set_robust_list(0x7fb026ff99e0, 24) = 0 [pid 306] futex(0x7fb0270cf428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... futex resumed>) = 0 [pid 306] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 306] futex(0x7fb0270cf428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] <... futex resumed>) = 0 [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 1 [pid 306] ioctl(3, TUNSETQUEUE, 0x20000000 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... ioctl resumed>) = 0 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] <... futex resumed>) = 0 [pid 306] futex(0x7fb0270cf428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0" [pid 305] <... futex resumed>) = 0 [pid 306] <... ioctl resumed>, ifr_ifindex=13}) = 0 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 21.076171][ T22] audit: type=1400 audit(1655514320.599:73): avc: denied { execmem } for pid=304 comm="syz-executor284" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.092085][ T22] audit: type=1400 audit(1655514320.609:74): avc: denied { create } for pid=305 comm="syz-executor284" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 21.098207][ T22] audit: type=1400 audit(1655514320.609:75): avc: denied { read } for pid=193 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 306] futex(0x7fb0270cf428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 306] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\x07\xde\x1c\x8b\x3e\xec\x45\xb2\xfc\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 305] <... futex resumed>) = 1 [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... sendmsg resumed>) = 52 [pid 305] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000 [pid 306] <... futex resumed>) = 0 [pid 305] <... futex resumed>) = 0 [pid 306] ioctl(3, TUNSETIFF, 0x20000200 [ 21.121261][ T22] audit: type=1400 audit(1655514320.639:76): avc: denied { ioctl } for pid=305 comm="syz-executor284" path="socket:[10833]" dev="sockfs" ino=10833 ioctlcmd=0x8933 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 21.136597][ T306] netlink: 20 bytes leftover after parsing attributes in process `syz-executor284'. [pid 305] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 306] <... ioctl resumed>) = 0 [pid 306] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 305] <... futex resumed>) = 0 [pid 306] futex(0x7fb0270cf428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 305] exit_group(0 [pid 306] <... futex resumed>) = ? [pid 305] <... exit_group resumed>) = ? [pid 306] +++ exited with 0 +++ [pid 305] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=305, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556ea85d0) = 310 ./strace-static-x86_64: Process 310 attached [pid 310] set_robust_list(0x555556ea85e0, 24) = 0 [pid 310] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 310] setpgid(0, 0) = 0 [pid 310] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 310] write(3, "1000", 4) = 4 [pid 310] close(3) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb026fd9000 [pid 310] mprotect(0x7fb026fda000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 310] clone(child_stack=0x7fb026ff93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[311], tls=0x7fb026ff9700, child_tidptr=0x7fb026ff99d0) = 311 ./strace-static-x86_64: Process 311 attached [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] set_robust_list(0x7fb026ff99e0, 24) = 0 [pid 311] openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 [pid 311] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 311] futex(0x7fb0270cf428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 311] ioctl(3, TUNSETIFF, 0x20000200) = 0 [pid 311] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 4 [pid 311] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) = 5 [pid 311] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] ioctl(3, TUNSETQUEUE, 0x20000000) = 0 [pid 311] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] ioctl(5, SIOCGIFINDEX, {ifr_name="rose0", ifr_ifindex=15}) = 0 [pid 311] futex(0x7fb0270cf42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 310] <... futex resumed>) = 0 [pid 310] futex(0x7fb0270cf428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fb0270cf42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 311] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x34\x00\x00\x00\x11\x00\x01\xe9\x0d\x7d\x1f\x07\xde\x1c\x8b\x3e\xec\x45\xb2\xfc\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=52}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 310] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 310] futex(0x7fb0270cf43c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb026fb8000 [pid 310] mprotect(0x7fb026fb9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 310] clone(child_stack=0x7fb026fd83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 312 attached [pid 312] set_robust_list(0x7fb026fd89e0, 24) = 0 [pid 312] futex(0x7fb0270cf438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 310] <... clone resumed>, parent_tid=[312], tls=0x7fb026fd8700, child_tidptr=0x7fb026fd89d0) = 312 [pid 310] futex(0x7fb0270cf438, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 312] <... futex resumed>) = 0 [pid 312] ioctl(3, TUNSETIFF, 0x20000200 [pid 310] futex(0x7fb0270cf43c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 312] <... ioctl resumed>) = 0 [pid 312] futex(0x7fb0270cf43c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [ 21.278934][ T311] netlink: 20 bytes leftover after parsing attributes in process `syz-executor284'. [ 21.337054][ T311] ================================================================== [ 21.345130][ T311] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x2c/0x7a0 [ 21.352557][ T311] Write of size 8 at addr ffff8881dd9dbf10 by task syz-executor284/311 [ 21.360757][ T311] [ 21.363077][ T311] CPU: 0 PID: 311 Comm: syz-executor284 Not tainted 5.4.190-syzkaller-00044-g77dc925ddffb #0 [ 21.373183][ T311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 21.383205][ T311] Call Trace: [ 21.386473][ T311] dump_stack+0x18e/0x1d5 [ 21.390788][ T311] ? netif_napi_del+0x2c/0x7a0 [ 21.395518][ T311] print_address_description+0x8c/0x630 [ 21.401073][ T311] ? printk+0x76/0x96 [ 21.405022][ T311] ? netif_napi_del+0x2c/0x7a0 [ 21.409784][ T311] ? vprintk_emit+0x3aa/0x3f0 [ 21.414425][ T311] ? netif_napi_del+0x2c/0x7a0 [ 21.419155][ T311] __kasan_report+0xf6/0x130 [ 21.423720][ T311] ? netif_napi_del+0x2c/0x7a0 [ 21.428447][ T311] kasan_report+0x30/0x60 [ 21.432744][ T311] check_memory_region+0x298/0x2d0 [ 21.437820][ T311] netif_napi_del+0x2c/0x7a0 [ 21.442375][ T311] free_netdev+0x188/0x310 [ 21.446759][ T311] netdev_run_todo+0xa79/0xc80 [ 21.451499][ T311] ? mutex_lock+0x6c/0xc0 [ 21.455798][ T311] rtnetlink_rcv_msg+0xa49/0xb90 [ 21.460704][ T311] ? __kasan_kmalloc+0x1a5/0x1e0 [ 21.465606][ T311] ? __kasan_kmalloc+0x131/0x1e0 [ 21.470515][ T311] ? __kmalloc_track_caller+0xfb/0x280 [ 21.475940][ T311] ? __alloc_skb+0xb5/0x4d0 [ 21.480413][ T311] ? netlink_sendmsg+0x687/0xb90 [ 21.485320][ T311] ? ____sys_sendmsg+0x4ee/0x7c0 [ 21.490247][ T311] ? __sys_sendmsg+0x235/0x2f0 [ 21.494977][ T311] ? do_syscall_64+0xcb/0x1c0 [ 21.499619][ T311] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 21.505652][ T311] ? avc_has_perm_noaudit+0x2b0/0x370 [ 21.510988][ T311] ? avc_has_perm+0x7c/0x1c0 [ 21.515542][ T311] ? avc_has_perm+0xfd/0x1c0 [ 21.520097][ T311] netlink_rcv_skb+0x190/0x3a0 [ 21.524828][ T311] ? rtnetlink_bind+0x80/0x80 [ 21.529483][ T311] netlink_unicast+0x771/0x8d0 [ 21.534233][ T311] netlink_sendmsg+0x913/0xb90 [ 21.538962][ T311] ? netlink_getsockopt+0x840/0x840 [ 21.544123][ T311] ____sys_sendmsg+0x4ee/0x7c0 [ 21.548855][ T311] __sys_sendmsg+0x235/0x2f0 [ 21.553415][ T311] do_syscall_64+0xcb/0x1c0 [ 21.557895][ T311] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 21.563754][ T311] RIP: 0033:0x7fb027047a69 [ 21.568135][ T311] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 21.587704][ T311] RSP: 002b:00007fb026ff9308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 21.596080][ T311] RAX: ffffffffffffffda RBX: 00007fb0270cf428 RCX: 00007fb027047a69 [ 21.604016][ T311] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004 [ 21.611956][ T311] RBP: 00007fb0270cf420 R08: 0000000000000000 R09: 0000000000000000 [ 21.619893][ T311] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb0270cf42c [ 21.627832][ T311] R13: 00007fb02709d064 R14: 74656e2f7665642f R15: 0000000000022000 [ 21.635770][ T311] [ 21.638071][ T311] Allocated by task 0: [ 21.642111][ T311] (stack is not available) [ 21.646490][ T311] [ 21.648784][ T311] Freed by task 0: [ 21.652486][ T311] (stack is not available) [ 21.656861][ T311] [ 21.659169][ T311] The buggy address belongs to the object at ffff8881dd9dbe00 [ 21.659169][ T311] which belongs to the cache kmalloc-256 of size 256 [ 21.673187][ T311] The buggy address is located 16 bytes to the right of [ 21.673187][ T311] 256-byte region [ffff8881dd9dbe00, ffff8881dd9dbf00) [ 21.686851][ T311] The buggy address belongs to the page: [ 21.692450][ T311] page:ffffea0007767680 refcount:1 mapcount:0 mapping:ffff8881f5c02780 index:0x0 compound_mapcount: 0 [ 21.703339][ T311] flags: 0x8000000000010200(slab|head) [ 21.708769][ T311] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5c02780 [ 21.717318][ T311] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 21.725861][ T311] page dumped because: kasan: bad access detected [ 21.732246][ T311] page_owner tracks the page as allocated [ 21.737930][ T311] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) [ 21.752905][ T311] prep_new_page+0x194/0x380 [ 21.757485][ T311] get_page_from_freelist+0x524/0x560 [ 21.762823][ T311] __alloc_pages_nodemask+0x2ab/0x6f0 [ 21.768160][ T311] alloc_slab_page+0x39/0x3e0 [ 21.772801][ T311] new_slab+0x97/0x450 [ 21.776839][ T311] ___slab_alloc+0x320/0x4b0 [ 21.781390][ T311] __slab_alloc+0x5a/0x90 [ 21.785684][ T311] __kmalloc+0x197/0x2b0 [ 21.789890][ T311] __register_sysctl_table+0x957/0x11c0 [ 21.795398][ T311] neigh_sysctl_register+0x42c/0x4d0 [ 21.800647][ T311] addrconf_sysctl_register+0xac/0x180 [ 21.806068][ T311] ipv6_add_dev+0xc0a/0x1050 [ 21.810621][ T311] addrconf_notify+0x591/0xe60 [ 21.815350][ T311] raw_notifier_call_chain+0x9d/0x110 [ 21.820694][ T311] register_netdevice+0xd9e/0x1140 [ 21.825769][ T311] tun_set_iff+0xa73/0x1050 [ 21.830244][ T311] page_owner free stack trace missing [ 21.835577][ T311] [ 21.837871][ T311] Memory state around the buggy address: [ 21.843469][ T311] ffff8881dd9dbe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.851496][ T311] ffff8881dd9dbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.859533][ T311] >ffff8881dd9dbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.867564][ T311] ^ [ 21.872119][ T311] ffff8881dd9dbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.880154][ T311] ffff8881dd9dc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [pid 312] futex(0x7fb0270cf438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 310] <... futex resumed>) = 0 [ 21.888178][ T311] ================================================================== [ 21.896212][ T311] Disabling lock debugging due to kernel taint [ 21.902421][ T311] kasan: CONFIG_KASAN_INLINE enabled [ 21.908013][ T311] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 21.916092][ T311] general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 21.923014][ T311] CPU: 0 PID: 311 Comm: syz-executor284 Tainted: G B 5.4.190-syzkaller-00044-g77dc925ddffb #0 [ 21.934511][ T311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 21.944541][ T311] RIP: 0010:netif_napi_del+0x28f/0x7a0 [ 21.949975][ T311] Code: 00 74 08 4c 89 ff e8 d0 39 32 fe 49 8b 2f 49 39 ef 75 10 e8 03 cd 05 fe eb 35 90 e8 fb cc 05 fe 48 89 dd 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 a2 39 32 fe 48 8b 5d 00 48 89 ef [ 21.969551][ T311] RSP: 0018:ffff8881dd89f790 EFLAGS: 00010246 [ 21.975586][ T311] RAX: 0000000000000000 RBX: 1ffff1103bb3b7ff RCX: ffffffff835a6db0 [pid 310] exit_group(0) = ? [pid 312] <... futex resumed>) = ? [pid 312] +++ exited with 0 +++ [ 21.983532][ T311] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881dd9dbf38 [ 21.991484][ T311] RBP: 0000000000000000 R08: ffffffff835a6b83 R09: fffffbfff0d3170d [ 21.999430][ T311] R10: fffffbfff0d3170d R11: 1ffffffff0d3170c R12: ffff8881dd9dbf00 [ 22.007552][ T311] R13: dffffc0000000000 R14: ffff8881dd9dbf00 R15: ffff8881dd9dbf38 [ 22.015498][ T311] FS: 00007fb026ff9700(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 22.024394][ T311] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.030962][ T311] CR2: 00000000200002c0 CR3: 00000001dde54000 CR4: 00000000003406f0 [ 22.038919][ T311] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.046858][ T311] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.054794][ T311] Call Trace: [ 22.058066][ T311] free_netdev+0x188/0x310 [ 22.062456][ T311] netdev_run_todo+0xa79/0xc80 [ 22.067189][ T311] ? mutex_lock+0x6c/0xc0 [ 22.071496][ T311] rtnetlink_rcv_msg+0xa49/0xb90 [ 22.076407][ T311] ? __kasan_kmalloc+0x1a5/0x1e0 [ 22.081311][ T311] ? __kasan_kmalloc+0x131/0x1e0 [ 22.086213][ T311] ? __kmalloc_track_caller+0xfb/0x280 [ 22.091639][ T311] ? __alloc_skb+0xb5/0x4d0 [ 22.096115][ T311] ? netlink_sendmsg+0x687/0xb90 [ 22.101031][ T311] ? ____sys_sendmsg+0x4ee/0x7c0 [ 22.105933][ T311] ? __sys_sendmsg+0x235/0x2f0 [ 22.110662][ T311] ? do_syscall_64+0xcb/0x1c0 [ 22.115308][ T311] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.121343][ T311] ? avc_has_perm_noaudit+0x2b0/0x370 [ 22.126679][ T311] ? avc_has_perm+0x7c/0x1c0 [ 22.131234][ T311] ? avc_has_perm+0xfd/0x1c0 [ 22.135793][ T311] netlink_rcv_skb+0x190/0x3a0 [ 22.140531][ T311] ? rtnetlink_bind+0x80/0x80 [ 22.145174][ T311] netlink_unicast+0x771/0x8d0 [ 22.149906][ T311] netlink_sendmsg+0x913/0xb90 [ 22.154725][ T311] ? netlink_getsockopt+0x840/0x840 [ 22.159887][ T311] ____sys_sendmsg+0x4ee/0x7c0 [ 22.164619][ T311] __sys_sendmsg+0x235/0x2f0 [ 22.169178][ T311] do_syscall_64+0xcb/0x1c0 [ 22.173662][ T311] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.179525][ T311] RIP: 0033:0x7fb027047a69 [ 22.183919][ T311] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.203490][ T311] RSP: 002b:00007fb026ff9308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 22.211870][ T311] RAX: ffffffffffffffda RBX: 00007fb0270cf428 RCX: 00007fb027047a69 [ 22.219819][ T311] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004 [ 22.227756][ T311] RBP: 00007fb0270cf420 R08: 0000000000000000 R09: 0000000000000000 [ 22.235708][ T311] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb0270cf42c [ 22.243646][ T311] R13: 00007fb02709d064 R14: 74656e2f7665642f R15: 0000000000022000 [ 22.251585][ T311] Modules linked in: [ 22.255573][ T311] ---[ end trace 990390a057ecafcf ]--- [ 22.261054][ T311] RIP: 0010:netif_napi_del+0x28f/0x7a0 [ 22.266535][ T311] Code: 00 74 08 4c 89 ff e8 d0 39 32 fe 49 8b 2f 49 39 ef 75 10 e8 03 cd 05 fe eb 35 90 e8 fb cc 05 fe 48 89 dd 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 a2 39 32 fe 48 8b 5d 00 48 89 ef [ 22.286130][ T311] RSP: 0018:ffff8881dd89f790 EFLAGS: 00010246 [ 22.292189][ T311] RAX: 0000000000000000 RBX: 1ffff1103bb3b7ff RCX: ffffffff835a6db0 [ 22.300160][ T311] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881dd9dbf38 [ 22.308121][ T311] RBP: 0000000000000000 R08: ffffffff835a6b83 R09: fffffbfff0d3170d [ 22.316083][ T311] R10: fffffbfff0d3170d R11: 1ffffffff0d3170c R12: ffff8881dd9dbf00 [ 22.324044][ T311] R13: dffffc0000000000 R14: ffff8881dd9dbf00 R15: ffff8881dd9dbf38 [ 22.332007][ T311] FS: 00007fb026ff9700(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 22.340921][ T311] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.347498][ T311] CR2: 00000000200002c0 CR3: 00000001dde54000 CR4: 00000000003406f0 [ 22.355448][ T311] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.363583][ T311] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.371541][ T311] Kernel panic - not syncing: Fatal exception [ 22.377742][ T311] Kernel Offset: disabled [ 22.382057][ T311] Rebooting in 86400 seconds..