./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1051208061
<...>
DUID 00:04:64:fe:60:40:6b:21:45:e2:2b:76:87:02:d2:43:fb:60
forked to background, child pid 4672
[   33.030628][ T4673] 8021q: adding VLAN 0 to HW filter on device bond0
[   33.040324][ T4673] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
execve("./syz-executor1051208061", ["./syz-executor1051208061"], 0x7ffd4cba6450 /* 10 vars */) = 0
brk(NULL) = 0x5555556d6000
brk(0x5555556d6c40) = 0x5555556d6c40
arch_prctl(ARCH_SET_FS, 0x5555556d6300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor1051208061", 4096) = 28
brk(0x5555556f7c40) = 0x5555556f7c40
brk(0x5555556f8000) = 0x5555556f8000
mprotect(0x7f2944c63000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET, SOCK_RAW, IPPROTO_SCTP) = 3
syzkaller login: [   57.890254][ T5004] ==================================================================
[   57.898352][ T5004] BUG: KASAN: stack-out-of-bounds in ipmr_ioctl+0xb12/0xbd0
[   57.905647][ T5004] Read of size 4 at addr ffffc90003aefae4 by task syz-executor105/5004
[   57.913874][ T5004]
[   57.916186][ T5004] CPU: 0 PID: 5004 Comm: syz-executor105 Not tainted 6.4.0-rc6-syzkaller-01304-gc08afcdcf952 #0
[   57.926584][ T5004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[   57.936636][ T5004] Call Trace:
[   57.939907][ T5004]
[   57.942828][ T5004]  dump_stack_lvl+0xd9/0x150
[   57.947428][ T5004]  print_address_description.constprop.0+0x2c/0x3c0
[   57.954211][ T5004]  ? ipmr_ioctl+0xb12/0xbd0
[   57.958808][ T5004]  kasan_report+0x11c/0x130
[   57.963329][ T5004]  ? ipmr_ioctl+0xb12/0xbd0
[   57.967851][ T5004]  ipmr_ioctl+0xb12/0xbd0
[   57.972196][ T5004]  ? ip_mroute_getsockopt+0x530/0x530
[   57.977645][ T5004]  raw_ioctl+0x4e/0x1e0
[   57.981794][ T5004]  sk_ioctl+0x151/0x440
[   57.985944][ T5004]  ? sock_ioctl_inout+0x150/0x150
[   57.991058][ T5004]  ? mark_held_locks+0x9f/0xe0
[   57.995815][ T5004]  ? kasan_quarantine_put+0xf9/0x220
[   58.001183][ T5004]  ? find_held_lock+0x2d/0x110
[   58.005973][ T5004]  inet_ioctl+0x18c/0x380
[   58.010306][ T5004]  ? ipip_gro_complete+0x140/0x140
[   58.015421][ T5004]  ? lock_downgrade+0x690/0x690
[   58.020281][ T5004]  ? __kmem_cache_free+0xaf/0x2d0
[   58.025337][ T5004]  ? tomoyo_path_number_perm+0x166/0x570
[   58.030976][ T5004]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   58.036803][ T5004]  sock_do_ioctl+0xcc/0x230
[   58.041416][ T5004]  ? get_user_ifreq+0x250/0x250
[   58.046283][ T5004]  ? vfs_fileattr_set+0xc40/0xc40
[   58.051331][ T5004]  sock_ioctl+0x1f8/0x680
[   58.055667][ T5004]  ? br_ioctl_call+0xb0/0xb0
[   58.060264][ T5004]  ? lock_downgrade+0x690/0x690
[   58.065126][ T5004]  ? bpf_lsm_file_ioctl+0x9/0x10
[   58.070079][ T5004]  ? br_ioctl_call+0xb0/0xb0
[   58.074677][ T5004]  __x64_sys_ioctl+0x197/0x210
[   58.079478][ T5004]  do_syscall_64+0x39/0xb0
[   58.083935][ T5004]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   58.089866][ T5004] RIP: 0033:0x7f2944bf6ad9
[   58.094292][ T5004] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   58.113924][ T5004] RSP: 002b:00007ffd8897a028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   58.122350][ T5004] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2944bf6ad9
[   58.130427][ T5004] RDX: 0000000000000000 RSI: 00000000000089e1 RDI: 0000000000000003
[   58.138421][ T5004] RBP: 00007f2944bbac80 R08: 0000000000000000 R09: 0000000000000000
[   58.146403][ T5004] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2944bbad10
[   58.154408][ T5004] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   58.162404][ T5004]
[   58.170396][ T5004]
[   58.172713][ T5004] The buggy address belongs to stack of task syz-executor105/5004
[   58.180682][ T5004]  and is located at offset 36 in frame:
[   58.186302][ T5004]  sk_ioctl+0x0/0x440
[   58.190296][ T5004]
[   58.192612][ T5004] This frame has 2 objects:
[   58.197106][ T5004]  [32, 36) 'karg'
[   58.197120][ T5004]  [48, 88) 'buffer'
[   58.200843][ T5004]
[   58.207038][ T5004] The buggy address belongs to the virtual mapping at
[   58.207038][ T5004]  [ffffc90003ae8000, ffffc90003af1000) created by:
[   58.207038][ T5004]  kernel_clone+0xeb/0x890
[   58.224521][ T5004]
[   58.226861][ T5004] The buggy address belongs to the physical page:
[   58.233278][ T5004] page:ffffea0001dcaec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x772bb
[   58.243448][ T5004] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   58.250774][ T5004] page_type: 0xffffffff()
[   58.255153][ T5004] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[   58.263737][ T5004] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   58.272317][ T5004] page dumped because: kasan: bad access detected
[   58.278721][ T5004] page_owner tracks the page as allocated
[   58.284425][ T5004] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5001, tgid 5001 (strace-static-x), ts 57864656556, free_ts 57860072523
[   58.303969][ T5004]  post_alloc_hook+0x2db/0x350
[   58.308757][ T5004]  get_page_from_freelist+0xf41/0x2c00
[   58.314229][ T5004]  __alloc_pages+0x1cb/0x4a0
[   58.318832][ T5004]  alloc_pages+0x1aa/0x270
[   58.323260][ T5004]  __vmalloc_node_range+0xb1c/0x14a0
[   58.328556][ T5004]  copy_process+0x13bb/0x75c0
[   58.333248][ T5004]  kernel_clone+0xeb/0x890
[   58.337695][ T5004]  __do_sys_clone+0xba/0x100
[   58.342294][ T5004]  do_syscall_64+0x39/0xb0
[   58.346713][ T5004]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   58.352635][ T5004] page last free stack trace:
[   58.357322][ T5004]  free_unref_page_prepare+0x62e/0xcb0
[   58.362813][ T5004]  free_unref_page_list+0xe3/0xa70
[   58.367962][ T5004]  release_pages+0xcd8/0x1380
[   58.372743][ T5004]  tlb_batch_pages_flush+0xa8/0x1a0
[   58.377954][ T5004]  tlb_finish_mmu+0x14b/0x7e0
[   58.382748][ T5004]  exit_mmap+0x2b2/0x930
[   58.387023][ T5004]  __mmput+0x128/0x4c0
[   58.391140][ T5004]  mmput+0x60/0x70
[   58.394984][ T5004]  begin_new_exec+0xfe7/0x3060
[   58.400718][ T5004]  load_elf_binary+0x801/0x4f40
[   58.405597][ T5004]  bprm_execve+0x7fd/0x1980
[   58.410128][ T5004]  do_execveat_common+0x72c/0x8e0
[   58.415176][ T5004]  __x64_sys_execve+0x93/0xc0
[   58.419860][ T5004]  do_syscall_64+0x39/0xb0
[   58.424281][ T5004]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   58.430190][ T5004]
[   58.432600][ T5004] Memory state around the buggy address:
[   58.438494][ T5004]  ffffc90003aef980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[   58.446566][ T5004]  ffffc90003aefa00: f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00 00
[   58.454721][ T5004] >ffffc90003aefa80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 00
[   58.462774][ T5004]                                                        ^
[   58.469974][ T5004]  ffffc90003aefb00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[   58.478075][ T5004]  ffffc90003aefb80: 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 f2 f2
[   58.486128][ T5004] ==================================================================
[   58.496803][ T5004] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   58.504018][ T5004] CPU: 0 PID: 5004 Comm: syz-executor105 Not tainted 6.4.0-rc6-syzkaller-01304-gc08afcdcf952 #0
[   58.514435][ T5004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[   58.524922][ T5004] Call Trace:
[   58.528199][ T5004]
[   58.531127][ T5004]  dump_stack_lvl+0xd9/0x150
[   58.535735][ T5004]  panic+0x686/0x730
[   58.539657][ T5004]  ? panic_smp_self_stop+0xa0/0xa0
[   58.544780][ T5004]  ? preempt_schedule_thunk+0x1a/0x20
[   58.550164][ T5004]  ? preempt_schedule_common+0x45/0xb0
[   58.555635][ T5004]  check_panic_on_warn+0xb1/0xc0
[   58.560588][ T5004]  end_report+0xe9/0x120
[   58.564841][ T5004]  ? ipmr_ioctl+0xb12/0xbd0
[   58.569355][ T5004]  kasan_report+0xf9/0x130
[   58.573787][ T5004]  ? ipmr_ioctl+0xb12/0xbd0
[   58.578305][ T5004]  ipmr_ioctl+0xb12/0xbd0
[   58.582645][ T5004]  ? ip_mroute_getsockopt+0x530/0x530
[   58.588033][ T5004]  raw_ioctl+0x4e/0x1e0
[   58.592195][ T5004]  sk_ioctl+0x151/0x440
[   58.596359][ T5004]  ? sock_ioctl_inout+0x150/0x150
[   58.601395][ T5004]  ? mark_held_locks+0x9f/0xe0
[   58.606180][ T5004]  ? kasan_quarantine_put+0xf9/0x220
[   58.611486][ T5004]  ? find_held_lock+0x2d/0x110
[   58.616267][ T5004]  inet_ioctl+0x18c/0x380
[   58.620602][ T5004]  ? ipip_gro_complete+0x140/0x140
[   58.625714][ T5004]  ? lock_downgrade+0x690/0x690
[   58.630597][ T5004]  ? __kmem_cache_free+0xaf/0x2d0
[   58.635634][ T5004]  ? tomoyo_path_number_perm+0x166/0x570
[   58.641271][ T5004]  ? tomoyo_execute_permission+0x4a0/0x4a0
[   58.647099][ T5004]  sock_do_ioctl+0xcc/0x230
[   58.651607][ T5004]  ? get_user_ifreq+0x250/0x250
[   58.656464][ T5004]  ? vfs_fileattr_set+0xc40/0xc40
[   58.661506][ T5004]  sock_ioctl+0x1f8/0x680
[   58.665846][ T5004]  ? br_ioctl_call+0xb0/0xb0
[   58.670457][ T5004]  ? lock_downgrade+0x690/0x690
[   58.675349][ T5004]  ? bpf_lsm_file_ioctl+0x9/0x10
[   58.680308][ T5004]  ? br_ioctl_call+0xb0/0xb0
[   58.684903][ T5004]  __x64_sys_ioctl+0x197/0x210
[   58.689681][ T5004]  do_syscall_64+0x39/0xb0
[   58.694101][ T5004]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   58.700016][ T5004] RIP: 0033:0x7f2944bf6ad9
[   58.704430][ T5004] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   58.724037][ T5004] RSP: 002b:00007ffd8897a028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   58.732625][ T5004] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2944bf6ad9
[   58.740595][ T5004] RDX: 0000000000000000 RSI: 00000000000089e1 RDI: 0000000000000003
[   58.748831][ T5004] RBP: 00007f2944bbac80 R08: 0000000000000000 R09: 0000000000000000
[   58.756811][ T5004] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2944bbad10
[   58.764814][ T5004] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   58.772790][ T5004]
[   58.775962][ T5004] Kernel Offset: disabled
[   58.780372][ T5004] Rebooting in 86400 seconds..