DUID 00:04:15:32:48:1d:3b:73:54:4f:46:a6:7d:b2:d0:ec:1f:b1
forked to background, child pid 3172
[ 33.132738][ T3173] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.143276][ T3173] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.85' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.813996][ T3588] ==================================================================
[ 49.822255][ T3588] BUG: KASAN: use-after-free in strcmp+0x9b/0xb0
[ 49.828592][ T3588] Read of size 1 at addr ffff88807f0711c4 by task syz-executor286/3588
[ 49.837080][ T3588]
[ 49.839400][ T3588] CPU: 1 PID: 3588 Comm: syz-executor286 Not tainted 5.17.0-rc3-syzkaller #0
[ 49.848145][ T3588] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.858184][ T3588] Call Trace:
[ 49.861447][ T3588]
[ 49.864361][ T3588] dump_stack_lvl+0xcd/0x134
[ 49.868954][ T3588] print_address_description.constprop.0.cold+0x8d/0x336
[ 49.875978][ T3588] ? strcmp+0x9b/0xb0
[ 49.879945][ T3588] ? strcmp+0x9b/0xb0
[ 49.883920][ T3588] kasan_report.cold+0x83/0xdf
[ 49.888670][ T3588] ? strcmp+0x9b/0xb0
[ 49.892639][ T3588] strcmp+0x9b/0xb0
[ 49.896431][ T3588] madvise_update_vma+0x4e6/0x7f0
[ 49.901447][ T3588] madvise_vma_behavior+0x116/0x1910
[ 49.906719][ T3588] ? madvise_vma_anon_name+0xc0/0xc0
[ 49.911994][ T3588] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 49.917739][ T3588] ? vmacache_find+0x62/0x330
[ 49.922402][ T3588] ? find_vma+0xbd/0x270
[ 49.926635][ T3588] madvise_walk_vmas+0x1d5/0x2d0
[ 49.931560][ T3588] ? madvise_vma_anon_name+0xc0/0xc0
[ 49.936843][ T3588] ? __remove_memory+0x40/0x40
[ 49.941589][ T3588] ? __down_timeout+0x10/0x10
[ 49.946256][ T3588] ? find_held_lock+0x2d/0x110
[ 49.951038][ T3588] do_madvise+0x249/0x3c0
[ 49.955378][ T3588] ? madvise_set_anon_name+0xe0/0xe0
[ 49.960686][ T3588] __x64_sys_madvise+0xa6/0x110
[ 49.965535][ T3588] ? syscall_enter_from_user_mode+0x21/0x70
[ 49.971415][ T3588] do_syscall_64+0x35/0xb0
[ 49.975815][ T3588] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.981695][ T3588] RIP: 0033:0x7f28f5af2ff9
[ 49.986097][ T3588] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 50.005697][ T3588] RSP: 002b:00007ffd839620d8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 50.014217][ T3588] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f28f5af2ff9
[ 50.022191][ T3588] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 50.030158][ T3588] RBP: 00007f28f5ab6fe0 R08: 0000000000000000 R09: 0000000000000000
[ 50.038135][ T3588] R10: 0000000020000000 R11: 0000000000000246 R12: 00007f28f5ab7070
[ 50.046090][ T3588] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.054063][ T3588]
[ 50.057079][ T3588]
[ 50.059408][ T3588] Allocated by task 3588:
[ 50.063894][ T3588] kasan_save_stack+0x1e/0x40
[ 50.068562][ T3588] __kasan_kmalloc+0xa9/0xd0
[ 50.073137][ T3588] madvise_update_vma+0x546/0x7f0
[ 50.078146][ T3588] madvise_vma_anon_name+0x7c/0xc0
[ 50.083243][ T3588] madvise_walk_vmas+0x1d5/0x2d0
[ 50.088172][ T3588] madvise_set_anon_name+0xac/0xe0
[ 50.093266][ T3588] __do_sys_prctl+0xeb5/0x12d0
[ 50.099322][ T3588] do_syscall_64+0x35/0xb0
[ 50.103723][ T3588] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.109599][ T3588]
[ 50.111904][ T3588] Freed by task 3588:
[ 50.115861][ T3588] kasan_save_stack+0x1e/0x40
[ 50.120515][ T3588] kasan_set_track+0x21/0x30
[ 50.125082][ T3588] kasan_set_free_info+0x20/0x30
[ 50.130000][ T3588] ____kasan_slab_free+0x130/0x160
[ 50.135092][ T3588] slab_free_freelist_hook+0x8b/0x1c0
[ 50.140447][ T3588] kfree+0xcb/0x280
[ 50.144247][ T3588] free_vma_anon_name+0xeb/0x110
[ 50.149167][ T3588] vm_area_free+0x11/0x30
[ 50.153480][ T3588] __vma_adjust+0x836/0x24a0
[ 50.158053][ T3588] vma_merge+0x860/0xeb0
[ 50.162275][ T3588] madvise_update_vma+0x1b6/0x7f0
[ 50.167280][ T3588] madvise_vma_behavior+0x116/0x1910
[ 50.172563][ T3588] madvise_walk_vmas+0x1d5/0x2d0
[ 50.177499][ T3588] do_madvise+0x249/0x3c0
[ 50.181819][ T3588] __x64_sys_madvise+0xa6/0x110
[ 50.186661][ T3588] do_syscall_64+0x35/0xb0
[ 50.191098][ T3588] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.196978][ T3588]
[ 50.199294][ T3588] The buggy address belongs to the object at ffff88807f0711c0
[ 50.199294][ T3588] which belongs to the cache kmalloc-32 of size 32
[ 50.213150][ T3588] The buggy address is located 4 bytes inside of
[ 50.213150][ T3588] 32-byte region [ffff88807f0711c0, ffff88807f0711e0)
[ 50.226160][ T3588] The buggy address belongs to the page:
[ 50.231768][ T3588] page:ffffea0001fc1c40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f071
[ 50.241894][ T3588] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 50.249426][ T3588] raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888010c41500
[ 50.257990][ T3588] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 50.266548][ T3588] page dumped because: kasan: bad access detected
[ 50.272948][ T3588] page_owner tracks the page as allocated
[ 50.278637][ T3588] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 2962, ts 21704624424, free_ts 19381656493
[ 50.294504][ T3588] get_page_from_freelist+0xa72/0x2f50
[ 50.299956][ T3588] __alloc_pages+0x1b2/0x500
[ 50.304526][ T3588] alloc_pages+0x1aa/0x310
[ 50.308923][ T3588] new_slab+0x28a/0x3b0
[ 50.313061][ T3588] ___slab_alloc+0x87c/0xe90
[ 50.317632][ T3588] __slab_alloc.constprop.0+0x4d/0xa0
[ 50.322986][ T3588] __kmalloc+0x2fb/0x340
[ 50.327212][ T3588] tomoyo_encode2.part.0+0xe9/0x3a0
[ 50.332394][ T3588] tomoyo_encode+0x28/0x50
[ 50.336791][ T3588] tomoyo_realpath_from_path+0x186/0x620
[ 50.342409][ T3588] tomoyo_check_open_permission+0x272/0x380
[ 50.348283][ T3588] tomoyo_file_open+0xa3/0xd0
[ 50.352962][ T3588] security_file_open+0x45/0xb0
[ 50.357797][ T3588] do_dentry_open+0x358/0x1240
[ 50.362559][ T3588] path_openat+0x1c9e/0x2940
[ 50.367128][ T3588] do_filp_open+0x1aa/0x400
[ 50.371611][ T3588] page last free stack trace:
[ 50.376259][ T3588] free_pcp_prepare+0x374/0x870
[ 50.381090][ T3588] free_unref_page+0x19/0x690
[ 50.385747][ T3588] __vunmap+0x798/0xc50
[ 50.389886][ T3588] free_work+0x58/0x70
[ 50.393936][ T3588] process_one_work+0x9ac/0x1650
[ 50.399120][ T3588] worker_thread+0x657/0x1110
[ 50.403779][ T3588] kthread+0x2e9/0x3a0
[ 50.407831][ T3588] ret_from_fork+0x1f/0x30
[ 50.412228][ T3588]
[ 50.414530][ T3588] Memory state around the buggy address:
[ 50.420138][ T3588]  ffff88807f071080: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.428180][ T3588]  ffff88807f071100: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.436221][ T3588] >ffff88807f071180: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 50.444257][ T3588]                                            ^
[ 50.450389][ T3588]  ffff88807f071200: fb fb fb fb fc fc fc fc 00 00 06 fc fc fc fc fc
[ 50.458432][ T3588]  ffff88807f071280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 50.466474][ T3588] ==================================================================
[ 50.474507][ T3588] Disabling lock debugging due to kernel taint
[ 50.480863][ T3588] Kernel panic - not syncing: panic_on_warn set ...
[ 50.487453][ T3588] CPU: 0 PID: 3588 Comm: syz-executor286 Tainted: G B 5.17.0-rc3-syzkaller #0
[ 50.497601][ T3588] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.507636][ T3588] Call Trace:
[ 50.510895][ T3588]
[ 50.513813][ T3588] dump_stack_lvl+0xcd/0x134
[ 50.518388][ T3588] panic+0x2b0/0x6dd
[ 50.522267][ T3588] ? __warn_printk+0xf3/0xf3
[ 50.526840][ T3588] ? preempt_schedule_common+0x59/0xc0
[ 50.532279][ T3588] ? strcmp+0x9b/0xb0
[ 50.536240][ T3588] ? preempt_schedule_thunk+0x16/0x18
[ 50.541603][ T3588] ? trace_hardirqs_on+0x38/0x1c0
[ 50.546607][ T3588] ? trace_hardirqs_on+0x51/0x1c0
[ 50.551615][ T3588] ? strcmp+0x9b/0xb0
[ 50.555574][ T3588] ? strcmp+0x9b/0xb0
[ 50.559534][ T3588] end_report.cold+0x63/0x6f
[ 50.564112][ T3588] kasan_report.cold+0x71/0xdf
[ 50.568865][ T3588] ? strcmp+0x9b/0xb0
[ 50.572847][ T3588] strcmp+0x9b/0xb0
[ 50.576636][ T3588] madvise_update_vma+0x4e6/0x7f0
[ 50.581657][ T3588] madvise_vma_behavior+0x116/0x1910
[ 50.586923][ T3588] ? madvise_vma_anon_name+0xc0/0xc0
[ 50.592194][ T3588] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 50.597987][ T3588] ? vmacache_find+0x62/0x330
[ 50.602663][ T3588] ? find_vma+0xbd/0x270
[ 50.606884][ T3588] madvise_walk_vmas+0x1d5/0x2d0
[ 50.611803][ T3588] ? madvise_vma_anon_name+0xc0/0xc0
[ 50.617068][ T3588] ? __remove_memory+0x40/0x40
[ 50.621812][ T3588] ? __down_timeout+0x10/0x10
[ 50.626475][ T3588] ? find_held_lock+0x2d/0x110
[ 50.631232][ T3588] do_madvise+0x249/0x3c0
[ 50.635553][ T3588] ? madvise_set_anon_name+0xe0/0xe0
[ 50.640821][ T3588] __x64_sys_madvise+0xa6/0x110
[ 50.645653][ T3588] ? syscall_enter_from_user_mode+0x21/0x70
[ 50.651527][ T3588] do_syscall_64+0x35/0xb0
[ 50.655934][ T3588] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.661815][ T3588] RIP: 0033:0x7f28f5af2ff9
[ 50.666209][ T3588] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 50.685795][ T3588] RSP: 002b:00007ffd839620d8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 50.694184][ T3588] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f28f5af2ff9
[ 50.702139][ T3588] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 50.710089][ T3588] RBP: 00007f28f5ab6fe0 R08: 0000000000000000 R09: 0000000000000000
[ 50.718036][ T3588] R10: 0000000020000000 R11: 0000000000000246 R12: 00007f28f5ab7070
[ 50.725983][ T3588] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.733955][ T3588]
[ 50.737198][ T3588] Kernel Offset: disabled
[ 50.741504][ T3588] Rebooting in 86400 seconds..
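A triage helper for reports in this format, added here as an example; it is not part of the syzkaller log above nor of syzbot's own tooling. It parses the report (the sample inside the script is an excerpt of the lines above), decodes the syscall number from ORIG_RAX (0x1c = 28 is madvise on x86-64) and the advice from RDX (0xb is MADV_DOFORK), computes how far into the kmalloc-32 object the access landed, decodes the shadow byte at the faulting address, and strips the KASAN/allocator plumbing off the allocation and free stacks so the real sites are visible. The syscall and madvise tables are deliberately partial and x86-64 only; that is an assumption of the example, as is the 5.17 naming of the shadow values.

```python
import re

# Sample input: lines excerpted verbatim from the report above (a subset;
# the parser handles the full log as well).
SAMPLE = """\
[ 49.822255][ T3588] BUG: KASAN: use-after-free in strcmp+0x9b/0xb0
[ 49.828592][ T3588] Read of size 1 at addr ffff88807f0711c4 by task syz-executor286/3588
[ 49.858184][ T3588] Call Trace:
[ 49.861447][ T3588]
[ 49.864361][ T3588] dump_stack_lvl+0xcd/0x134
[ 49.888670][ T3588] ? strcmp+0x9b/0xb0
[ 49.892639][ T3588] strcmp+0x9b/0xb0
[ 49.896431][ T3588] madvise_update_vma+0x4e6/0x7f0
[ 49.981695][ T3588] RIP: 0033:0x7f28f5af2ff9
[ 50.005697][ T3588] RSP: 002b:00007ffd839620d8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 50.022191][ T3588] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 50.059408][ T3588] Allocated by task 3588:
[ 50.063894][ T3588] kasan_save_stack+0x1e/0x40
[ 50.068562][ T3588] __kasan_kmalloc+0xa9/0xd0
[ 50.073137][ T3588] madvise_update_vma+0x546/0x7f0
[ 50.078146][ T3588] madvise_vma_anon_name+0x7c/0xc0
[ 50.109599][ T3588]
[ 50.111904][ T3588] Freed by task 3588:
[ 50.135092][ T3588] ____kasan_slab_free+0x130/0x160
[ 50.140447][ T3588] kfree+0xcb/0x280
[ 50.144247][ T3588] free_vma_anon_name+0xeb/0x110
[ 50.158053][ T3588] vma_merge+0x860/0xeb0
[ 50.196978][ T3588]
[ 50.199294][ T3588] The buggy address belongs to the object at ffff88807f0711c0
[ 50.199294][ T3588] which belongs to the cache kmalloc-32 of size 32
[ 50.436221][ T3588] >ffff88807f071180: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
# Partial, x86-64-only decode tables: just what this report needs (an
# assumption of the example; extend them for other reports or architectures).
SYSCALLS = {9: "mmap", 28: "madvise", 157: "prctl"}
MADV = {4: "MADV_DONTNEED", 8: "MADV_FREE", 10: "MADV_DONTFORK", 11: "MADV_DOFORK",
        14: "MADV_HUGEPAGE", 15: "MADV_NOHUGEPAGE"}
# Generic-KASAN shadow values as named in mm/kasan/kasan.h for 5.17;
# 0 = fully addressable granule, 1..7 = that many leading bytes addressable.
SHADOW = {0xfa: "freed slab object (free-track metadata)", 0xfb: "freed slab object",
          0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
PLUMBING = ("kasan_", "__kasan_", "____kasan_", "slab_free", "kfree")


def strip_prefix(line):
    """Drop the '[ time][ Tpid] ' printk prefix and surrounding whitespace."""
    return PREFIX.sub("", line).strip()


def collect_frames(lines, start):
    """Function names after lines[start]. '? ' frames are unreliable and skipped;
    'RIP:' ends a call trace; a blank line ends the stack once a frame has been
    seen (the first blank after 'Call Trace:' is the stripped <TASK> marker)."""
    frames = []
    for raw in lines[start + 1:]:
        text = strip_prefix(raw)
        if text.startswith("RIP:") or (not text and frames):
            break
        if text and not text.startswith("? "):
            frames.append(text.split("+")[0])
    return frames


def real_site(frames):
    """First frame that is not KASAN/allocator plumbing: the true alloc/free site."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)


def parse_report(text):
    lines, t, regs = text.splitlines(), {}, {}
    for i, raw in enumerate(lines):
        s = strip_prefix(raw)
        if (m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s)):
            t["bug"], t["site"] = m[1], m[2].split("+")[0]
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", s)):
            t["access"], t["addr"] = f"{m[1]} of {m[2]} byte(s)", int(m[3], 16)
        elif s == "Call Trace:" and "trace" not in t:   # keep the report's trace, not the panic's
            t["trace"] = collect_frames(lines, i)
        elif s.startswith("Allocated by task"):
            t["allocated_in"] = real_site(collect_frames(lines, i))
        elif s.startswith("Freed by task"):
            t["freed_in"] = real_site(collect_frames(lines, i))
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s)):
            t["offset"] = t["addr"] - int(m[1], 16)
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s)):
            t["cache"], t["obj_size"] = m[1], int(m[2])
        elif (m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", s)):
            row = [int(b, 16) for b in m[2].split()]
            b = row[(t["addr"] - int(m[1], 16)) // 8]   # one shadow byte per 8-byte granule
            t["shadow"] = SHADOW.get(b, "addressable" if b == 0 else f"partial/unknown 0x{b:02x}")
        else:
            regs.update((k, int(v, 16)) for k, v in re.findall(r"(ORIG_RAX|RDI|RSI|RDX): ([0-9a-f]{16})", s))
    t["caller"] = t["trace"][t["trace"].index(t["site"]) + 1]
    nr = regs.get("ORIG_RAX")
    t["syscall"] = SYSCALLS.get(nr, f"syscall {nr}")
    if t["syscall"] == "madvise":
        t["args"] = {"addr": regs["RDI"], "len": regs["RSI"], "advice": MADV.get(regs["RDX"], regs["RDX"])}
    return t


if __name__ == "__main__":
    for k, v in parse_report(SAMPLE).items():
        print(f"{k:13} {v}")
```

Read against the full report, the three stacks line up as follows: the 32-byte object is the VMA's anonymous name, kmalloc'd in madvise_update_vma on the prctl path (__do_sys_prctl → madvise_set_anon_name → madvise_vma_anon_name); the later madvise(0x20ffc000, 0x1000, MADV_DOFORK) call re-enters madvise_update_vma, whose vma_merge() → __vma_adjust → vm_area_free → free_vma_anon_name kfree()s it, and the strcmp at madvise_update_vma+0x4e6 then reads the name through the stale pointer. The access is 4 bytes into the object and the shadow byte there is 0xfa, the first granule of a freed slab object; in 5.17 struct anon_vma_name is a kref followed by the flexible char name[], so offset 4 is the first byte of the string itself. The script adds nothing the log does not contain; it only puts those facts side by side.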