./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3811477932 <...> DUID 00:04:b0:7e:30:9f:4d:11:81:da:bf:2d:3d:77:4c:17:c1:ba forked to background, child pid 4878 [ 35.487019][ T4879] 8021q: adding VLAN 0 to HW filter on device bond0 [ 35.505472][ T4879] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts. execve("./syz-executor3811477932", ["./syz-executor3811477932"], 0x7fff0642ba50 /* 10 vars */) = 0 brk(NULL) = 0x55555600c000 brk(0x55555600cc40) = 0x55555600cc40 arch_prctl(ARCH_SET_FS, 0x55555600c300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor3811477932", 4096) = 28 brk(0x55555602dc40) = 0x55555602dc40 brk(0x55555602e000) = 0x55555602e000 mprotect(0x7f8dcb846000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5305 ./strace-static-x86_64: Process 5305 attached [pid 5305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5305] setpgid(0, 0) = 0 [pid 5305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5305] write(3, "1000", 4) = 4 [pid 5305] close(3) = 0 [pid 5305] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5305] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5305] exit_group(0) = ? [pid 5305] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5305, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5307 ./strace-static-x86_64: Process 5307 attached [pid 5307] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5307] setpgid(0, 0) = 0 [pid 5307] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5307] write(3, "1000", 4) = 4 [pid 5307] close(3) = 0 [pid 5307] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5307] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5307] exit_group(0) = ? [pid 5307] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5307, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5309 ./strace-static-x86_64: Process 5309 attached [pid 5309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5309] setpgid(0, 0) = 0 [pid 5309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5309] write(3, "1000", 4) = 4 [pid 5309] close(3) = 0 [pid 5309] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5309] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5309] exit_group(0) = ? [pid 5309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5309, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5311 ./strace-static-x86_64: Process 5311 attached [pid 5311] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5311] setpgid(0, 0) = 0 [pid 5311] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5311] write(3, "1000", 4) = 4 [pid 5311] close(3) = 0 [pid 5311] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5311] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5311] exit_group(0) = ? [pid 5311] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5311, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5313 ./strace-static-x86_64: Process 5313 attached [pid 5313] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5313] setpgid(0, 0) = 0 [pid 5313] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5313] write(3, "1000", 4) = 4 [pid 5313] close(3) = 0 [pid 5313] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5313] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5313] exit_group(0) = ? [pid 5313] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5313, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5315 ./strace-static-x86_64: Process 5315 attached [pid 5315] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5315] setpgid(0, 0) = 0 [pid 5315] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5315] write(3, "1000", 4) = 4 [pid 5315] close(3) = 0 [pid 5315] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5315] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5315] exit_group(0) = ? [pid 5315] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5315, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5317 attached , child_tidptr=0x55555600c5d0) = 5317 [pid 5317] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5317] setpgid(0, 0) = 0 [pid 5317] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5317] write(3, "1000", 4) = 4 [pid 5317] close(3) = 0 [pid 5317] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5317] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5317] exit_group(0) = ? [pid 5317] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5317, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5319 attached , child_tidptr=0x55555600c5d0) = 5319 [pid 5319] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5319] setpgid(0, 0) = 0 [pid 5319] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5319] write(3, "1000", 4) = 4 [pid 5319] close(3) = 0 [pid 5319] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5319] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0 [pid 5319] exit_group(0) = ? [pid 5319] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5319, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5321 attached [pid 5321] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5321] setpgid(0, 0) = 0 [pid 5321] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5304] <... clone resumed>, child_tidptr=0x55555600c5d0) = 5321 [pid 5321] <... openat resumed>) = 3 [pid 5321] write(3, "1000", 4) = 4 [pid 5321] close(3) = 0 [pid 5321] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5321] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use) [pid 5321] exit_group(0) = ? [pid 5321] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5321, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5322 ./strace-static-x86_64: Process 5322 attached [pid 5322] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5322] setpgid(0, 0) = 0 [pid 5322] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5322] write(3, "1000", 4) = 4 [pid 5322] close(3) = 0 [pid 5322] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5322] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use) [pid 5322] exit_group(0) = ? [pid 5322] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5322, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5323 ./strace-static-x86_64: Process 5323 attached [pid 5323] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5323] setpgid(0, 0) = 0 [pid 5323] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5323] write(3, "1000", 4) = 4 [pid 5323] close(3) = 0 [pid 5323] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5323] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use) [pid 5323] exit_group(0) = ? [pid 5323] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5323, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5324 ./strace-static-x86_64: Process 5324 attached [pid 5324] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5324] setpgid(0, 0) = 0 [pid 5324] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5324] write(3, "1000", 4) = 4 [pid 5324] close(3) = 0 [pid 5324] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5324] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use) [pid 5324] exit_group(0) = ? [pid 5324] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5324, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5325 ./strace-static-x86_64: Process 5325 attached [pid 5325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5325] setpgid(0, 0) = 0 [pid 5325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5325] write(3, "1000", 4) = 4 [pid 5325] close(3) = 0 [pid 5325] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5325] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use) [pid 5325] exit_group(0) = ? [pid 5325] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5325, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5326 attached [pid 5326] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5326] setpgid(0, 0) = 0 [pid 5326] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5326] write(3, "1000", 4) = 4 [pid 5326] close(3) = 0 [pid 5326] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 [pid 5326] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use) [pid 5326] exit_group(0) = ? [pid 5304] <... clone resumed>, child_tidptr=0x55555600c5d0) = 5326 [pid 5326] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5326, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5327 attached , child_tidptr=0x55555600c5d0) = 5327 [pid 5327] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5327] setpgid(0, 0) = 0 [pid 5327] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5327] write(3, "1000", 4) = 4 [pid 5327] close(3) = 0 [pid 5327] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3 syzkaller login: [ 61.080164][ T5327] ================================================================== [ 61.088267][ T5327] BUG: KASAN: use-after-free in rxrpc_lookup_local+0xdcf/0xfb0 [ 61.095836][ T5327] Read of size 2 at addr ffff88807e64ca1c by task syz-executor381/5327 [ 61.104601][ T5327] [ 61.106927][ T5327] CPU: 0 PID: 5327 Comm: syz-executor381 Not tainted 6.1.0-syzkaller-07447-gaba5b397cad7 #0 [ 61.117000][ T5327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.127072][ T5327] Call Trace: [ 61.130483][ T5327] [ 61.134459][ T5327] dump_stack_lvl+0xd1/0x138 [ 61.139077][ T5327] print_report+0x15e/0x45d [ 61.143609][ T5327] ? __phys_addr+0xc8/0x140 [ 61.148131][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0 [ 61.153351][ T5327] kasan_report+0xbf/0x1f0 [ 61.157798][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0 [ 61.163552][ T5327] rxrpc_lookup_local+0xdcf/0xfb0 [ 61.168772][ T5327] rxrpc_bind+0x35e/0x5c0 [ 61.173115][ T5327] __sys_bind+0x1ed/0x260 [ 61.177449][ T5327] ? __ia32_sys_socketpair+0x100/0x100 [ 61.182989][ T5327] ? _raw_spin_unlock_irq+0x23/0x50 [ 61.188216][ T5327] ? lockdep_hardirqs_on+0x7d/0x100 [ 61.193437][ T5327] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.198640][ T5327] __x64_sys_bind+0x73/0xb0 [ 61.203232][ T5327] do_syscall_64+0x39/0xb0 [ 61.207647][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.213561][ T5327] RIP: 0033:0x7f8dcb7d9d59 [ 61.217976][ T5327] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 61.237605][ T5327] RSP: 002b:00007ffe3812f4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031 [ 61.246585][ T5327] RAX: ffffffffffffffda RBX: 000000000000ee5b RCX: 00007f8dcb7d9d59 [ 61.254704][ T5327] RDX: 0000000000000024 RSI: 0000000020000080 RDI: 0000000000000003 [ 61.262769][ T5327] RBP: 0000000000000000 R08: 00007ffe3812f688 R09: 00007ffe3812f688 [ 61.270929][ T5327] R10: 00007ffe3812ef60 R11: 0000000000000246 R12: 00007ffe3812f4fc [ 61.278926][ T5327] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 61.286911][ T5327] [ 61.289942][ T5327] [ 61.292262][ T5327] Allocated by task 5319: [ 61.296575][ T5327] kasan_save_stack+0x22/0x40 [ 61.301279][ T5327] kasan_set_track+0x25/0x30 [ 61.305930][ T5327] __kasan_kmalloc+0xa5/0xb0 [ 61.310633][ T5327] rxrpc_lookup_local+0x4d9/0xfb0 [ 61.315772][ T5327] rxrpc_bind+0x35e/0x5c0 [ 61.320147][ T5327] __sys_bind+0x1ed/0x260 [ 61.325037][ T5327] __x64_sys_bind+0x73/0xb0 [ 61.329581][ T5327] do_syscall_64+0x39/0xb0 [ 61.334030][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.340001][ T5327] [ 61.342330][ T5327] Freed by task 0: [ 61.346236][ T5327] kasan_save_stack+0x22/0x40 [ 61.350941][ T5327] kasan_set_track+0x25/0x30 [ 61.355540][ T5327] kasan_save_free_info+0x2e/0x40 [ 61.360569][ T5327] ____kasan_slab_free+0x160/0x1c0 [ 61.365694][ T5327] slab_free_freelist_hook+0x8b/0x1c0 [ 61.371067][ T5327] __kmem_cache_free+0xaf/0x3b0 [ 61.375929][ T5327] rcu_core+0x81f/0x1980 [ 61.380183][ T5327] __do_softirq+0x1fb/0xadc [ 61.384684][ T5327] [ 61.387011][ T5327] Last potentially related work creation: [ 61.392748][ T5327] kasan_save_stack+0x22/0x40 [ 61.397775][ T5327] __kasan_record_aux_stack+0xbc/0xd0 [ 61.403170][ T5327] __call_rcu_common.constprop.0+0x99/0x820 [ 61.409076][ T5327] rxrpc_put_local.part.0+0x128/0x170 [ 61.414472][ T5327] rxrpc_put_local+0x25/0x30 [ 61.419176][ T5327] rxrpc_release+0x237/0x550 [ 61.424315][ T5327] __sock_release+0xcd/0x280 [ 61.428924][ T5327] sock_close+0x1c/0x20 [ 61.433086][ T5327] __fput+0x27c/0xa90 [ 61.437082][ T5327] task_work_run+0x16f/0x270 [ 61.441709][ T5327] do_exit+0xb3d/0x2a30 [ 61.445874][ T5327] do_group_exit+0xd4/0x2a0 [ 61.450742][ T5327] __x64_sys_exit_group+0x3e/0x50 [ 61.455790][ T5327] do_syscall_64+0x39/0xb0 [ 61.460252][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.466201][ T5327] [ 61.468551][ T5327] The buggy address belongs to the object at ffff88807e64c800 [ 61.468551][ T5327] which belongs to the cache kmalloc-1k of size 1024 [ 61.482607][ T5327] The buggy address is located 540 bytes inside of [ 61.482607][ T5327] 1024-byte region [ffff88807e64c800, ffff88807e64cc00) [ 61.496078][ T5327] [ 61.498404][ T5327] The buggy address belongs to the physical page: [ 61.504912][ T5327] page:ffffea0001f99200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e648 [ 61.515149][ T5327] head:ffffea0001f99200 order:3 compound_mapcount:0 compound_pincount:0 [ 61.523479][ T5327] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 61.531462][ T5327] raw: 00fff00000010200 ffff888012441dc0 dead000000000122 0000000000000000 [ 61.540040][ T5327] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 61.549042][ T5327] page dumped because: kasan: bad access detected [ 61.555453][ T5327] page_owner tracks the page as allocated [ 61.561157][ T5327] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5299, tgid 5299 (sshd), ts 60992979100, free_ts 55300183714 [ 61.582429][ T5327] get_page_from_freelist+0x10b5/0x2d50 [ 61.587987][ T5327] __alloc_pages+0x1cb/0x5b0 [ 61.592606][ T5327] alloc_pages+0x1aa/0x270 [ 61.597038][ T5327] allocate_slab+0x25f/0x350 [ 61.601636][ T5327] ___slab_alloc+0xa91/0x1400 [ 61.606405][ T5327] __slab_alloc.constprop.0+0x56/0xa0 [ 61.611794][ T5327] __kmem_cache_alloc_node+0x1a4/0x430 [ 61.617431][ T5327] __kmalloc_node_track_caller+0x4b/0xc0 [ 61.623340][ T5327] __alloc_skb+0xe9/0x310 [ 61.627716][ T5327] tcp_stream_alloc_skb+0x3c/0x580 [ 61.632849][ T5327] tcp_sendmsg_locked+0xc4c/0x2960 [ 61.638077][ T5327] tcp_sendmsg+0x2f/0x50 [ 61.642415][ T5327] inet_sendmsg+0x9d/0xe0 [ 61.646777][ T5327] sock_sendmsg+0xd3/0x120 [ 61.651184][ T5327] sock_write_iter+0x295/0x3d0 [ 61.656117][ T5327] vfs_write+0x9ed/0xdd0 [ 61.660522][ T5327] page last free stack trace: [ 61.665201][ T5327] free_pcp_prepare+0x65c/0xd90 [ 61.671024][ T5327] free_unref_page+0x1d/0x4d0 [ 61.675815][ T5327] __folio_put+0x109/0x140 [ 61.680310][ T5327] skb_release_data+0x522/0x870 [ 61.685159][ T5327] napi_consume_skb+0x14e/0x290 [ 61.690213][ T5327] net_rx_action+0x346/0xde0 [ 61.694904][ T5327] __do_softirq+0x1fb/0xadc [ 61.699417][ T5327] [ 61.701822][ T5327] Memory state around the buggy address: [ 61.707624][ T5327] ffff88807e64c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.716284][ T5327] ffff88807e64c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.724504][ T5327] >ffff88807e64ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.732652][ T5327] ^ [ 61.737603][ T5327] ffff88807e64ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.745756][ T5327] ffff88807e64cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.754612][ T5327] ================================================================== [ 61.764617][ T5327] Kernel panic - not syncing: panic_on_warn set ... [ 61.771606][ T5327] CPU: 1 PID: 5327 Comm: syz-executor381 Not tainted 6.1.0-syzkaller-07447-gaba5b397cad7 #0 [ 61.782663][ T5327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.793194][ T5327] Call Trace: [ 61.796727][ T5327] [ 61.799665][ T5327] dump_stack_lvl+0xd1/0x138 [ 61.805316][ T5327] panic+0x2cc/0x626 [ 61.809205][ T5327] ? panic_print_sys_info.part.0+0x110/0x110 [ 61.815266][ T5327] ? preempt_schedule_common+0x59/0xc0 [ 61.820760][ T5327] ? preempt_schedule_thunk+0x1a/0x1c [ 61.826132][ T5327] end_report.part.0+0x3f/0x7c [ 61.830888][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0 [ 61.836965][ T5327] kasan_report.cold+0xa/0xf [ 61.841567][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0 [ 61.846850][ T5327] rxrpc_lookup_local+0xdcf/0xfb0 [ 61.851871][ T5327] rxrpc_bind+0x35e/0x5c0 [ 61.856442][ T5327] __sys_bind+0x1ed/0x260 [ 61.860763][ T5327] ? __ia32_sys_socketpair+0x100/0x100 [ 61.866330][ T5327] ? _raw_spin_unlock_irq+0x23/0x50 [ 61.871800][ T5327] ? lockdep_hardirqs_on+0x7d/0x100 [ 61.877022][ T5327] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.882310][ T5327] __x64_sys_bind+0x73/0xb0 [ 61.886832][ T5327] do_syscall_64+0x39/0xb0 [ 61.891337][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.897515][ T5327] RIP: 0033:0x7f8dcb7d9d59 [ 61.902036][ T5327] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 61.921995][ T5327] RSP: 002b:00007ffe3812f4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031 [ 61.930412][ T5327] RAX: ffffffffffffffda RBX: 000000000000ee5b RCX: 00007f8dcb7d9d59 [ 61.938553][ T5327] RDX: 0000000000000024 RSI: 0000000020000080 RDI: 0000000000000003 [ 61.946697][ T5327] RBP: 0000000000000000 R08: 00007ffe3812f688 R09: 00007ffe3812f688 [ 61.955099][ T5327] R10: 00007ffe3812ef60 R11: 0000000000000246 R12: 00007ffe3812f4fc [ 61.963090][ T5327] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 61.971065][ T5327] [ 61.974239][ T5327] Kernel Offset: disabled [ 61.978862][ T5327] Rebooting in 86400 seconds..