./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2344543851 <...> Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts. execve("./syz-executor2344543851", ["./syz-executor2344543851"], 0x7ffe4150a630 /* 10 vars */) = 0 brk(NULL) = 0x5555562a1000 brk(0x5555562a1c40) = 0x5555562a1c40 arch_prctl(ARCH_SET_FS, 0x5555562a1300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2344543851", 4096) = 28 brk(0x5555562c2c40) = 0x5555562c2c40 brk(0x5555562c3000) = 0x5555562c3000 mprotect(0x7f00dc24b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x3c\x00\x00\x00\x10\x00\x01\x04\x00\xee\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x01\x00\x00\x00\x1c\x00\x12\x00\x0c\x00\x01\x00\x62\x72\x69\x64\x67\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=60}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 60 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 4 [ 57.672820][ T5072] netlink: 12 bytes leftover after parsing attributes in process `syz-executor234'. [ 57.712164][ C1] ================================================================== [ 57.720263][ C1] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x5f79/0x6d80 [ 57.728202][ C1] Read of size 4 at addr ffffc900001e0ad0 by task udevd/4433 [ 57.735589][ C1] [ 57.737923][ C1] CPU: 1 PID: 4433 Comm: udevd Not tainted 6.2.0-rc1-syzkaller-00095-ge4cf7c25bae5 #0 [ 57.747489][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 57.757562][ C1] Call Trace: [ 57.760855][ C1] [ 57.763721][ C1] dump_stack_lvl+0xd1/0x138 [ 57.768341][ C1] print_report+0x15e/0x45d [ 57.772878][ C1] ? xfrm_state_find+0x5f79/0x6d80 [ 57.778025][ C1] kasan_report+0xbf/0x1f0 [ 57.782475][ C1] ? xfrm_state_find+0x5f79/0x6d80 [ 57.787623][ C1] xfrm_state_find+0x5f79/0x6d80 [ 57.792599][ C1] ? xfrm_state_add+0xe30/0xe30 [ 57.797480][ C1] ? find_held_lock+0x2d/0x110 [ 57.802278][ C1] ? xfrm_tmpl_resolve+0x653/0xd40 [ 57.807413][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 57.812293][ C1] xfrm_tmpl_resolve+0x2f3/0xd40 [ 57.817263][ C1] ? __xfrm_dst_lookup+0x130/0x130 [ 57.822399][ C1] ? xfrm_policy_find_inexact_candidates+0x13f/0x1d0 [ 57.829104][ C1] ? find_held_lock+0x2d/0x110 [ 57.833902][ C1] xfrm_resolve_and_create_bundle+0x123/0x2580 [ 57.840089][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 57.844969][ C1] ? xfrm_tmpl_resolve+0xd40/0xd40 [ 57.850105][ C1] ? xfrm_policy_match+0x2e0/0x2e0 [ 57.855248][ C1] ? xfrm_expand_policies+0x25b/0x680 [ 57.860649][ C1] xfrm_lookup_with_ifid+0x449/0x20f0 [ 57.866047][ C1] ? xfrm_expand_policies+0x680/0x680 [ 57.871446][ C1] ? ip_route_output_key_hash+0x1c9/0x300 [ 57.877193][ C1] ? ip_route_output_key_hash_rcu+0x2bc0/0x2bc0 [ 57.883469][ C1] xfrm_lookup_route+0x3a/0x1e0 [ 57.888347][ C1] ip_route_output_flow+0x118/0x150 [ 57.893575][ C1] igmpv3_newpack+0x29d/0x1110 [ 57.898367][ C1] ? ip_mc_join_group+0x30/0x30 [ 57.903248][ C1] ? lock_chain_count+0x20/0x20 [ 57.908122][ C1] add_grhead+0x266/0x300 [ 57.912479][ C1] add_grec+0xea5/0x1100 [ 57.916757][ C1] ? add_grhead+0x300/0x300 [ 57.921294][ C1] ? rwlock_bug.part.0+0x90/0x90 [ 57.926256][ C1] igmp_ifc_timer_expire+0x636/0xf70 [ 57.931575][ C1] call_timer_fn+0x1da/0x7c0 [ 57.936192][ C1] ? add_grec+0x1100/0x1100 [ 57.940723][ C1] ? timer_fixup_activate+0x3e0/0x3e0 [ 57.946120][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 57.950997][ C1] ? add_grec+0x1100/0x1100 [ 57.955531][ C1] ? _raw_spin_unlock_irq+0x23/0x50 [ 57.960754][ C1] ? add_grec+0x1100/0x1100 [ 57.965281][ C1] ? add_grec+0x1100/0x1100 [ 57.969811][ C1] expire_timers+0x2c6/0x5c0 [ 57.974435][ C1] run_timer_softirq+0x326/0x910 [ 57.979404][ C1] ? expire_timers+0x5c0/0x5c0 [ 57.984195][ C1] ? kvm_sched_clock_read+0x18/0x40 [ 57.989415][ C1] __do_softirq+0x1fb/0xadc [ 57.993950][ C1] __irq_exit_rcu+0x123/0x180 [ 57.998653][ C1] irq_exit_rcu+0x9/0x20 [ 58.002920][ C1] sysvec_apic_timer_interrupt+0x97/0xc0 [ 58.008574][ C1] [ 58.011515][ C1] [ 58.014460][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 58.020469][ C1] RIP: 0010:unwind_get_return_address+0x46/0xa0 [ 58.026757][ C1] Code: 04 02 84 c0 74 04 3c 03 7e 51 8b 03 85 c0 75 05 5b 31 c0 5d c3 48 8d 6b 48 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 32 48 8b 7b 48 e8 1b 23 1b 00 85 c0 74 d3 48 b8 00 [ 58.046392][ C1] RSP: 0018:ffffc9000318f970 EFLAGS: 00000a06 [ 58.052482][ C1] RAX: dffffc0000000000 RBX: ffffc9000318f988 RCX: 0000000000000000 [ 58.060470][ C1] RDX: 1ffff92000631f3a RSI: ffffc9000318fd20 RDI: ffffc9000318f988 [ 58.068458][ C1] RBP: ffffc9000318f9d0 R08: ffffffff8f02dd6a R09: ffffc9000318f9bc [ 58.076447][ C1] R10: fffff52000631f3c R11: ffffc9000318fd48 R12: ffffc9000318fa40 [ 58.084433][ C1] R13: 0000000000000000 R14: ffff88807dbb3a80 R15: 0000000000001000 [ 58.092437][ C1] ? write_profile+0x410/0x410 [ 58.097240][ C1] arch_stack_walk+0x97/0xf0 [ 58.101860][ C1] ? getname_flags.part.0+0x50/0x4f0 [ 58.107183][ C1] stack_trace_save+0x90/0xc0 [ 58.111902][ C1] ? filter_irq_stacks+0x90/0x90 [ 58.116892][ C1] ? __lock_acquire+0x166e/0x56d0 [ 58.121951][ C1] kasan_save_stack+0x22/0x40 [ 58.126653][ C1] ? kasan_save_stack+0x22/0x40 [ 58.131529][ C1] ? kasan_set_track+0x25/0x30 [ 58.136317][ C1] ? __kasan_slab_alloc+0x82/0x90 [ 58.141364][ C1] ? kmem_cache_alloc+0x1e4/0x430 [ 58.146413][ C1] ? do_wp_page+0x12a3/0x3370 [ 58.151121][ C1] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 58.157223][ C1] ? find_held_lock+0x2d/0x110 [ 58.162021][ C1] ? kmem_cache_alloc+0x47/0x430 [ 58.166987][ C1] kasan_set_track+0x25/0x30 [ 58.171600][ C1] __kasan_slab_alloc+0x82/0x90 [ 58.176468][ C1] kmem_cache_alloc+0x1e4/0x430 [ 58.181345][ C1] getname_flags.part.0+0x50/0x4f0 [ 58.186491][ C1] getname+0x92/0xd0 [ 58.190415][ C1] do_sys_openat2+0xf5/0x4c0 [ 58.195027][ C1] ? build_open_flags+0x6f0/0x6f0 [ 58.200074][ C1] ? up_write+0x520/0x520 [ 58.204435][ C1] __x64_sys_openat+0x143/0x1f0 [ 58.209304][ C1] ? __ia32_sys_open+0x1c0/0x1c0 [ 58.214273][ C1] ? syscall_enter_from_user_mode+0x26/0xb0 [ 58.220199][ C1] do_syscall_64+0x39/0xb0 [ 58.224649][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.230565][ C1] RIP: 0033:0x7efc31325697 [ 58.234998][ C1] Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f [ 58.254632][ C1] RSP: 002b:00007fff1e502270 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 58.263069][ C1] RAX: ffffffffffffffda RBX: 000055f281ea3040 RCX: 00007efc31325697 [ 58.271060][ C1] RDX: 0000000000080141 RSI: 000055f281e860d8 RDI: 00000000ffffff9c [ 58.279055][ C1] RBP: 000055f281e860d8 R08: 00000000ffffffff R09: 0000000000000000 [ 58.287046][ C1] R10: 00000000000001a4 R11: 0000000000000246 R12: 0000000000080141 [ 58.295038][ C1] R13: ffffffffffffffff R14: 00000000ffffffff R15: 00000000ffffffff [ 58.303035][ C1] [ 58.306070][ C1] [ 58.308408][ C1] The buggy address belongs to the virtual mapping at [ 58.308408][ C1] [ffffc900001d9000, ffffc900001e2000) created by: [ 58.308408][ C1] irq_init_percpu_irqstack+0x1d0/0x320 [ 58.327019][ C1] [ 58.329347][ C1] The buggy address belongs to the physical page: [ 58.335765][ C1] page:ffffea0002e64240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb9909 [ 58.345933][ C1] flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff) [ 58.353940][ C1] raw: 00fff00000001000 ffffea0002e64248 ffffea0002e64248 0000000000000000 [ 58.362544][ C1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 58.371135][ C1] page dumped because: kasan: bad access detected [ 58.377554][ C1] page_owner info is not present (never set?) [ 58.383621][ C1] [ 58.385955][ C1] Memory state around the buggy address: [ 58.391589][ C1] ffffc900001e0980: 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 58.399668][ C1] ffffc900001e0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 [ 58.407747][ C1] >ffffc900001e0a80: f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 [ 58.415818][ C1] ^ [ 58.422505][ C1] ffffc900001e0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 58.430577][ C1] ffffc900001e0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 [ 58.438644][ C1] ================================================================== [ 58.446809][ C1] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 58.454010][ C1] CPU: 1 PID: 4433 Comm: udevd Not tainted 6.2.0-rc1-syzkaller-00095-ge4cf7c25bae5 #0 [ 58.463561][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 58.473623][ C1] Call Trace: [ 58.476916][ C1] [ 58.479773][ C1] dump_stack_lvl+0xd1/0x138 [ 58.484393][ C1] panic+0x2cc/0x626 [ 58.488316][ C1] ? panic_print_sys_info.part.0+0x110/0x110 [ 58.494334][ C1] ? asm_common_interrupt+0x26/0x40 [ 58.499566][ C1] check_panic_on_warn.cold+0x19/0x35 [ 58.504967][ C1] end_report.part.0+0x36/0x73 [ 58.509765][ C1] ? xfrm_state_find+0x5f79/0x6d80 [ 58.514989][ C1] kasan_report.cold+0xa/0xf [ 58.519614][ C1] ? xfrm_state_find+0x5f79/0x6d80 [ 58.524761][ C1] xfrm_state_find+0x5f79/0x6d80 [ 58.529739][ C1] ? xfrm_state_add+0xe30/0xe30 [ 58.534914][ C1] ? find_held_lock+0x2d/0x110 [ 58.540098][ C1] ? xfrm_tmpl_resolve+0x653/0xd40 [ 58.545233][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 58.550103][ C1] xfrm_tmpl_resolve+0x2f3/0xd40 [ 58.555033][ C1] ? __xfrm_dst_lookup+0x130/0x130 [ 58.560132][ C1] ? xfrm_policy_find_inexact_candidates+0x13f/0x1d0 [ 58.566794][ C1] ? find_held_lock+0x2d/0x110 [ 58.571549][ C1] xfrm_resolve_and_create_bundle+0x123/0x2580 [ 58.577703][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 58.582540][ C1] ? xfrm_tmpl_resolve+0xd40/0xd40 [ 58.587641][ C1] ? xfrm_policy_match+0x2e0/0x2e0 [ 58.592745][ C1] ? xfrm_expand_policies+0x25b/0x680 [ 58.598104][ C1] xfrm_lookup_with_ifid+0x449/0x20f0 [ 58.603465][ C1] ? xfrm_expand_policies+0x680/0x680 [ 58.608826][ C1] ? ip_route_output_key_hash+0x1c9/0x300 [ 58.614538][ C1] ? ip_route_output_key_hash_rcu+0x2bc0/0x2bc0 [ 58.620767][ C1] xfrm_lookup_route+0x3a/0x1e0 [ 58.625607][ C1] ip_route_output_flow+0x118/0x150 [ 58.630788][ C1] igmpv3_newpack+0x29d/0x1110 [ 58.635541][ C1] ? ip_mc_join_group+0x30/0x30 [ 58.640382][ C1] ? lock_chain_count+0x20/0x20 [ 58.645220][ C1] add_grhead+0x266/0x300 [ 58.649539][ C1] add_grec+0xea5/0x1100 [ 58.653773][ C1] ? add_grhead+0x300/0x300 [ 58.658263][ C1] ? rwlock_bug.part.0+0x90/0x90 [ 58.663186][ C1] igmp_ifc_timer_expire+0x636/0xf70 [ 58.668463][ C1] call_timer_fn+0x1da/0x7c0 [ 58.673057][ C1] ? add_grec+0x1100/0x1100 [ 58.677546][ C1] ? timer_fixup_activate+0x3e0/0x3e0 [ 58.682915][ C1] ? lock_downgrade+0x6e0/0x6e0 [ 58.687757][ C1] ? add_grec+0x1100/0x1100 [ 58.692250][ C1] ? _raw_spin_unlock_irq+0x23/0x50 [ 58.697439][ C1] ? add_grec+0x1100/0x1100 [ 58.701937][ C1] ? add_grec+0x1100/0x1100 [ 58.706431][ C1] expire_timers+0x2c6/0x5c0 [ 58.711016][ C1] run_timer_softirq+0x326/0x910 [ 58.715951][ C1] ? expire_timers+0x5c0/0x5c0 [ 58.720707][ C1] ? kvm_sched_clock_read+0x18/0x40 [ 58.725893][ C1] __do_softirq+0x1fb/0xadc [ 58.730387][ C1] __irq_exit_rcu+0x123/0x180 [ 58.735050][ C1] irq_exit_rcu+0x9/0x20 [ 58.739278][ C1] sysvec_apic_timer_interrupt+0x97/0xc0 [ 58.744894][ C1] [ 58.747809][ C1] [ 58.750725][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 58.756700][ C1] RIP: 0010:unwind_get_return_address+0x46/0xa0 [ 58.762928][ C1] Code: 04 02 84 c0 74 04 3c 03 7e 51 8b 03 85 c0 75 05 5b 31 c0 5d c3 48 8d 6b 48 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 75 32 48 8b 7b 48 e8 1b 23 1b 00 85 c0 74 d3 48 b8 00 [ 58.782520][ C1] RSP: 0018:ffffc9000318f970 EFLAGS: 00000a06 [ 58.788569][ C1] RAX: dffffc0000000000 RBX: ffffc9000318f988 RCX: 0000000000000000 [ 58.796532][ C1] RDX: 1ffff92000631f3a RSI: ffffc9000318fd20 RDI: ffffc9000318f988 [ 58.804492][ C1] RBP: ffffc9000318f9d0 R08: ffffffff8f02dd6a R09: ffffc9000318f9bc [ 58.812447][ C1] R10: fffff52000631f3c R11: ffffc9000318fd48 R12: ffffc9000318fa40 [ 58.820408][ C1] R13: 0000000000000000 R14: ffff88807dbb3a80 R15: 0000000000001000 [ 58.828377][ C1] ? write_profile+0x410/0x410 [ 58.833142][ C1] arch_stack_walk+0x97/0xf0 [ 58.837727][ C1] ? getname_flags.part.0+0x50/0x4f0 [ 58.843007][ C1] stack_trace_save+0x90/0xc0 [ 58.847679][ C1] ? filter_irq_stacks+0x90/0x90 [ 58.852615][ C1] ? __lock_acquire+0x166e/0x56d0 [ 58.857625][ C1] kasan_save_stack+0x22/0x40 [ 58.862287][ C1] ? kasan_save_stack+0x22/0x40 [ 58.867121][ C1] ? kasan_set_track+0x25/0x30 [ 58.871867][ C1] ? __kasan_slab_alloc+0x82/0x90 [ 58.876894][ C1] ? kmem_cache_alloc+0x1e4/0x430 [ 58.881904][ C1] ? do_wp_page+0x12a3/0x3370 [ 58.886568][ C1] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 58.892541][ C1] ? find_held_lock+0x2d/0x110 [ 58.897310][ C1] ? kmem_cache_alloc+0x47/0x430 [ 58.902233][ C1] kasan_set_track+0x25/0x30 [ 58.906807][ C1] __kasan_slab_alloc+0x82/0x90 [ 58.911654][ C1] kmem_cache_alloc+0x1e4/0x430 [ 58.916488][ C1] getname_flags.part.0+0x50/0x4f0 [ 58.921601][ C1] getname+0x92/0xd0 [ 58.925492][ C1] do_sys_openat2+0xf5/0x4c0 [ 58.930066][ C1] ? build_open_flags+0x6f0/0x6f0 [ 58.935073][ C1] ? up_write+0x520/0x520 [ 58.939392][ C1] __x64_sys_openat+0x143/0x1f0 [ 58.944227][ C1] ? __ia32_sys_open+0x1c0/0x1c0 [ 58.949232][ C1] ? syscall_enter_from_user_mode+0x26/0xb0 [ 58.955112][ C1] do_syscall_64+0x39/0xb0 [ 58.959519][ C1] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.965401][ C1] RIP: 0033:0x7efc31325697 [ 58.969800][ C1] Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f [ 58.989389][ C1] RSP: 002b:00007fff1e502270 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 58.997801][ C1] RAX: ffffffffffffffda RBX: 000055f281ea3040 RCX: 00007efc31325697 [ 59.005754][ C1] RDX: 0000000000080141 RSI: 000055f281e860d8 RDI: 00000000ffffff9c [ 59.013707][ C1] RBP: 000055f281e860d8 R08: 00000000ffffffff R09: 0000000000000000 [ 59.021663][ C1] R10: 00000000000001a4 R11: 0000000000000246 R12: 0000000000080141 [ 59.029614][ C1] R13: ffffffffffffffff R14: 00000000ffffffff R15: 00000000ffffffff [ 59.037571][ C1] [ 59.040728][ C1] Kernel Offset: disabled [ 59.045045][ C1] Rebooting in 86400 seconds..