DUID 00:04:98:96:05:40:f2:aa:0a:66:7a:29:c2:20:2e:76:e0:ec
forked to background, child pid 3174
[ 29.500552][ T3175] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.517956][ T3175] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.206' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.056889][ T3589] ==================================================================
[ 46.065072][ T3589] BUG: KASAN: use-after-free in strcmp+0x9b/0xb0
[ 46.071431][ T3589] Read of size 1 at addr ffff8880225a9ac4 by task syz-executor424/3589
[ 46.079654][ T3589]
[ 46.081967][ T3589] CPU: 0 PID: 3589 Comm: syz-executor424 Not tainted 5.17.0-rc3-syzkaller #0
[ 46.090716][ T3589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.100773][ T3589] Call Trace:
[ 46.104050][ T3589] <TASK>
[ 46.106974][ T3589] dump_stack_lvl+0xcd/0x134
[ 46.111576][ T3589] print_address_description.constprop.0.cold+0x8d/0x336
[ 46.118608][ T3589] ? strcmp+0x9b/0xb0
[ 46.122595][ T3589] ? strcmp+0x9b/0xb0
[ 46.126576][ T3589] kasan_report.cold+0x83/0xdf
[ 46.131346][ T3589] ? strcmp+0x9b/0xb0
[ 46.135325][ T3589] strcmp+0x9b/0xb0
[ 46.139142][ T3589] madvise_update_vma+0x4e6/0x7f0
[ 46.144177][ T3589] madvise_vma_behavior+0x116/0x1910
[ 46.149468][ T3589] ? madvise_vma_anon_name+0xc0/0xc0
[ 46.154759][ T3589] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 46.160480][ T3589] ? vmacache_find+0x62/0x330
[ 46.165164][ T3589] ? find_vma+0xbd/0x270
[ 46.169409][ T3589] madvise_walk_vmas+0x1d5/0x2d0
[ 46.174348][ T3589] ? madvise_vma_anon_name+0xc0/0xc0
[ 46.179641][ T3589] ? __remove_memory+0x40/0x40
[ 46.184415][ T3589] ? __down_timeout+0x10/0x10
[ 46.189094][ T3589] ? find_held_lock+0x2d/0x110
[ 46.193863][ T3589] do_madvise+0x249/0x3c0
[ 46.198193][ T3589] ? madvise_set_anon_name+0xe0/0xe0
[ 46.203491][ T3589] __x64_sys_madvise+0xa6/0x110
[ 46.208342][ T3589] ? syscall_enter_from_user_mode+0x21/0x70
[ 46.214243][ T3589] do_syscall_64+0x35/0xb0
[ 46.218656][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 46.224552][ T3589] RIP: 0033:0x7fca2a0d3ff9
[ 46.228962][ T3589] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 46.248567][ T3589] RSP: 002b:00007ffec08d46c8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 46.256985][ T3589] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fca2a0d3ff9
[ 46.264953][ T3589] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 46.272924][ T3589] RBP: 00007fca2a097fe0 R08: 0000000000000000 R09: 0000000000000000
[ 46.280890][ T3589] R10: 0000000020000000 R11: 0000000000000246 R12: 00007fca2a098070
[ 46.288858][ T3589] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 46.296845][ T3589] </TASK>
[ 46.299854][ T3589]
[ 46.302168][ T3589] Allocated by task 3589:
[ 46.306481][ T3589] kasan_save_stack+0x1e/0x40
[ 46.311155][ T3589] __kasan_kmalloc+0xa9/0xd0
[ 46.315736][ T3589] madvise_update_vma+0x546/0x7f0
[ 46.320754][ T3589] madvise_vma_anon_name+0x7c/0xc0
[ 46.325868][ T3589] madvise_walk_vmas+0x1d5/0x2d0
[ 46.330804][ T3589] madvise_set_anon_name+0xac/0xe0
[ 46.335909][ T3589] __do_sys_prctl+0xeb5/0x12d0
[ 46.340669][ T3589] do_syscall_64+0x35/0xb0
[ 46.345081][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 46.350977][ T3589]
[ 46.353291][ T3589] Freed by task 3589:
[ 46.357257][ T3589] kasan_save_stack+0x1e/0x40
[ 46.361934][ T3589] kasan_set_track+0x21/0x30
[ 46.366516][ T3589] kasan_set_free_info+0x20/0x30
[ 46.371444][ T3589] ____kasan_slab_free+0x130/0x160
[ 46.376544][ T3589] slab_free_freelist_hook+0x8b/0x1c0
[ 46.381914][ T3589] kfree+0xcb/0x280
[ 46.385715][ T3589] free_vma_anon_name+0xeb/0x110
[ 46.390647][ T3589] vm_area_free+0x11/0x30
[ 46.394972][ T3589] __vma_adjust+0x836/0x24a0
[ 46.399555][ T3589] vma_merge+0x860/0xeb0
[ 46.403797][ T3589] madvise_update_vma+0x1b6/0x7f0
[ 46.408815][ T3589] madvise_vma_behavior+0x116/0x1910
[ 46.414095][ T3589] madvise_walk_vmas+0x1d5/0x2d0
[ 46.419028][ T3589] do_madvise+0x249/0x3c0
[ 46.423352][ T3589] __x64_sys_madvise+0xa6/0x110
[ 46.428208][ T3589] do_syscall_64+0x35/0xb0
[ 46.432618][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 46.438511][ T3589]
[ 46.440825][ T3589] The buggy address belongs to the object at ffff8880225a9ac0
[ 46.440825][ T3589] which belongs to the cache kmalloc-32 of size 32
[ 46.454732][ T3589] The buggy address is located 4 bytes inside of
[ 46.454732][ T3589] 32-byte region [ffff8880225a9ac0, ffff8880225a9ae0)
[ 46.467737][ T3589] The buggy address belongs to the page:
[ 46.473353][ T3589] page:ffffea0000896a40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x225a9
[ 46.483496][ T3589] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 46.491039][ T3589] raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41500
[ 46.499614][ T3589] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 46.508182][ T3589] page dumped because: kasan: bad access detected
[ 46.514582][ T3589] page_owner tracks the page as allocated
[ 46.520280][ T3589] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 13570698147, free_ts 13555377644
[ 46.536073][ T3589] get_page_from_freelist+0xa72/0x2f50
[ 46.541529][ T3589] __alloc_pages+0x1b2/0x500
[ 46.546117][ T3589] alloc_page_interleave+0x1e/0x200
[ 46.551322][ T3589] alloc_pages+0x2b1/0x310
[ 46.555739][ T3589] new_slab+0x28a/0x3b0
[ 46.559892][ T3589] ___slab_alloc+0x87c/0xe90
[ 46.564481][ T3589] __slab_alloc.constprop.0+0x4d/0xa0
[ 46.569858][ T3589] kmem_cache_alloc_trace+0x289/0x2c0
[ 46.575248][ T3589] bpf_iter_reg_target+0x43/0x1e0
[ 46.580273][ T3589] task_iter_init+0x2d1/0x2e7
[ 46.584951][ T3589] do_one_initcall+0x103/0x650
[ 46.589711][ T3589] kernel_init_freeable+0x6b1/0x73a
[ 46.594907][ T3589] kernel_init+0x1a/0x1d0
[ 46.599246][ T3589] ret_from_fork+0x1f/0x30
[ 46.603657][ T3589] page last free stack trace:
[ 46.608315][ T3589] free_pcp_prepare+0x374/0x870
[ 46.613158][ T3589] free_unref_page+0x19/0x690
[ 46.617833][ T3589] __vunmap+0x798/0xc50
[ 46.621985][ T3589] free_work+0x58/0x70
[ 46.626052][ T3589] process_one_work+0x9ac/0x1650
[ 46.630983][ T3589] worker_thread+0x657/0x1110
[ 46.635650][ T3589] kthread+0x2e9/0x3a0
[ 46.639715][ T3589] ret_from_fork+0x1f/0x30
[ 46.644134][ T3589]
[ 46.646451][ T3589] Memory state around the buggy address:
[ 46.652082][ T3589] ffff8880225a9980: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 46.660148][ T3589] ffff8880225a9a00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 46.668209][ T3589] >ffff8880225a9a80: 00 00 01 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 46.676259][ T3589]                                            ^
[ 46.682405][ T3589] ffff8880225a9b00: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc
[ 46.690458][ T3589] ffff8880225a9b80: 00 00 00 04 fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.698509][ T3589] ==================================================================
[ 46.706553][ T3589] Disabling lock debugging due to kernel taint
[ 46.713029][ T3589] Kernel panic - not syncing: panic_on_warn set ...
[ 46.719615][ T3589] CPU: 1 PID: 3589 Comm: syz-executor424 Tainted: G B 5.17.0-rc3-syzkaller #0
[ 46.729766][ T3589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.739801][ T3589] Call Trace:
[ 46.743062][ T3589] <TASK>
[ 46.745978][ T3589] dump_stack_lvl+0xcd/0x134
[ 46.750559][ T3589] panic+0x2b0/0x6dd
[ 46.754439][ T3589] ? __warn_printk+0xf3/0xf3
[ 46.759012][ T3589] ? preempt_schedule_common+0x59/0xc0
[ 46.764457][ T3589] ? strcmp+0x9b/0xb0
[ 46.768422][ T3589] ? preempt_schedule_thunk+0x16/0x18
[ 46.773781][ T3589] ? trace_hardirqs_on+0x38/0x1c0
[ 46.778793][ T3589] ? trace_hardirqs_on+0x51/0x1c0
[ 46.783801][ T3589] ? strcmp+0x9b/0xb0
[ 46.787782][ T3589] ? strcmp+0x9b/0xb0
[ 46.791748][ T3589] end_report.cold+0x63/0x6f
[ 46.796343][ T3589] kasan_report.cold+0x71/0xdf
[ 46.801101][ T3589] ? strcmp+0x9b/0xb0
[ 46.805071][ T3589] strcmp+0x9b/0xb0
[ 46.808865][ T3589] madvise_update_vma+0x4e6/0x7f0
[ 46.813963][ T3589] madvise_vma_behavior+0x116/0x1910
[ 46.819234][ T3589] ? madvise_vma_anon_name+0xc0/0xc0
[ 46.824506][ T3589] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 46.830210][ T3589] ? vmacache_find+0x62/0x330
[ 46.834880][ T3589] ? find_vma+0xbd/0x270
[ 46.839134][ T3589] madvise_walk_vmas+0x1d5/0x2d0
[ 46.844067][ T3589] ? madvise_vma_anon_name+0xc0/0xc0
[ 46.849358][ T3589] ? __remove_memory+0x40/0x40
[ 46.854118][ T3589] ? __down_timeout+0x10/0x10
[ 46.858784][ T3589] ? find_held_lock+0x2d/0x110
[ 46.863555][ T3589] do_madvise+0x249/0x3c0
[ 46.867884][ T3589] ? madvise_set_anon_name+0xe0/0xe0
[ 46.873277][ T3589] __x64_sys_madvise+0xa6/0x110
[ 46.878150][ T3589] ? syscall_enter_from_user_mode+0x21/0x70
[ 46.884044][ T3589] do_syscall_64+0x35/0xb0
[ 46.888448][ T3589] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 46.894328][ T3589] RIP: 0033:0x7fca2a0d3ff9
[ 46.898739][ T3589] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 46.918336][ T3589] RSP: 002b:00007ffec08d46c8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 46.926739][ T3589] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fca2a0d3ff9
[ 46.934696][ T3589] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 46.942652][ T3589] RBP: 00007fca2a097fe0 R08: 0000000000000000 R09: 0000000000000000
[ 46.950619][ T3589] R10: 0000000020000000 R11: 0000000000000246 R12: 00007fca2a098070
[ 46.958590][ T3589] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 46.966551][ T3589] </TASK>
[ 46.969625][ T3589] Kernel Offset: disabled
[ 46.973947][ T3589] Rebooting in 86400 seconds..