syzkaller
syzkaller login:
[ 11.088348][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 11.198389][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 11.548355][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 11.622425][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 11.622431][ T23] audit: type=1400 audit(1647096238.139:71): avc: denied { transition } for pid=290 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 11.627649][ T23] audit: type=1400 audit(1647096238.139:72): avc: denied { write } for pid=290 comm="sh" path="pipe:[241]" dev="pipefs" ino=241 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[ 11.769289][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 11.771400][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
[ 18.668278][ T23] audit: type=1400 audit(1647096245.179:73): avc: denied { execmem } for pid=365 comm="syz-executor270" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 18.671149][ T23] audit: type=1400 audit(1647096245.189:74): avc: denied { mounton } for pid=366 comm="syz-executor270" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 18.674538][ T23] audit: type=1400 audit(1647096245.189:75): avc: denied { mount } for pid=366 comm="syz-executor270" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1
[ 18.677808][ T23] audit: type=1400 audit(1647096245.189:76): avc: denied { mounton } for pid=366 comm="syz-executor270" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 18.680914][ T23] audit: type=1400 audit(1647096245.189:77): avc: denied { module_request } for pid=366 comm="syz-executor270" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 18.693959][ T366] bridge0: port 1(bridge_slave_0) entered blocking state
[ 18.700980][ T366] bridge0: port 1(bridge_slave_0) entered disabled state
[ 18.708183][ T366] device bridge_slave_0 entered promiscuous mode
[ 18.715009][ T366] bridge0: port 2(bridge_slave_1) entered blocking state
[ 18.722144][ T366] bridge0: port 2(bridge_slave_1) entered disabled state
[ 18.729439][ T366] device bridge_slave_1 entered promiscuous mode
[ 18.751344][ T23] audit: type=1400 audit(1647096245.269:78): avc: denied { create } for pid=366 comm="syz-executor270" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 18.755585][ T366] bridge0: port 2(bridge_slave_1) entered blocking state
[ 18.772097][ T23] audit: type=1400 audit(1647096245.269:79): avc: denied { write } for pid=366 comm="syz-executor270" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 18.779021][ T366] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 18.779086][ T366] bridge0: port 1(bridge_slave_0) entered blocking state
[ 18.799808][ T23] audit: type=1400 audit(1647096245.269:80): avc: denied { read } for pid=366 comm="syz-executor270" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 18.806677][ T366] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 18.849491][ T367] bridge0: port 1(bridge_slave_0) entered disabled state
[ 18.856677][ T367] bridge0: port 2(bridge_slave_1) entered disabled state
[ 18.864258][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 18.871946][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 18.889701][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 18.898016][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 18.906451][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 18.914538][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 18.921549][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 18.929509][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 18.937546][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 18.944584][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 18.951848][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 18.959728][ T367] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 18.974030][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 18.982286][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 18.990929][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
executing program
[ 19.003069][ T23] audit: type=1400 audit(1647096245.519:81): avc: denied { mounton } for pid=366 comm="syz-executor270" path="/dev/binderfs" dev="devtmpfs" ino=363 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 19.026099][ T23] audit: type=1400 audit(1647096245.519:82): avc: denied { mount } for pid=366 comm="syz-executor270" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 19.027358][ T372] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 19.091630][ T373] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
[ 19.111347][ T374] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
[ 19.131157][ T375] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 19.150831][ T376] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 19.192220][ T377] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
[ 19.221906][ T378] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 19.241684][ T379] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
[ 19.271285][ T380] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 19.311631][ T381] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 21.048522][ T420] ==================================================================
[ 21.056608][ T420] BUG: KASAN: slab-out-of-bounds in packet_recvmsg+0xb5b/0x1930
[ 21.064207][ T420] Read of size 241 at addr ffff88811e36c668 by task syz-executor270/420
[ 21.072509][ T420]
[ 21.074829][ T420] CPU: 1 PID: 420 Comm: syz-executor270 Not tainted 5.10.102-syzkaller-00171-ge1b86e7f5cbb #0
[ 21.085034][ T420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.095061][ T420] Call Trace:
[ 21.098328][ T420]  dump_stack_lvl+0x1e2/0x24b
[ 21.102979][ T420]  ? show_regs_print_info+0x18/0x18
[ 21.108148][ T420]  ? devkmsg_release+0x127/0x127
[ 21.113056][ T420]  print_address_description+0x8d/0x3d0
[ 21.118570][ T420]  __kasan_report+0x142/0x220
[ 21.123217][ T420]  ? packet_recvmsg+0xb5b/0x1930
[ 21.128128][ T420]  kasan_report+0x51/0x70
[ 21.132434][ T420]  kasan_check_range+0x2b6/0x2f0
[ 21.137357][ T420]  ? packet_recvmsg+0xb5b/0x1930
[ 21.142263][ T420]  memcpy+0x2d/0x70
[ 21.146038][ T420]  packet_recvmsg+0xb5b/0x1930
[ 21.150786][ T420]  ? packet_sendmsg+0x6810/0x6810
[ 21.155778][ T420]  ? avc_has_perm_noaudit+0x2ed/0x4d0
[ 21.161116][ T420]  ? security_socket_recvmsg+0xb2/0xd0
[ 21.166539][ T420]  ? packet_sendmsg+0x6810/0x6810
[ 21.171534][ T420]  ____sys_recvmsg+0x2b0/0x5e0
[ 21.176278][ T420]  ? _copy_from_user+0x93/0xd0
[ 21.181011][ T420]  ? __sys_recvmsg_sock+0x130/0x130
[ 21.186177][ T420]  ? import_iovec+0xe5/0x120
[ 21.190738][ T420]  __sys_recvmsg+0x310/0x850
[ 21.195297][ T420]  ? ____sys_recvmsg+0x5e0/0x5e0
[ 21.200205][ T420]  ? __sys_setsockopt+0x52c/0x870
[ 21.205198][ T420]  ? debug_smp_processor_id+0x1c/0x20
[ 21.210542][ T420]  ? fpregs_assert_state_consistent+0xb6/0xe0
[ 21.216593][ T420]  __x64_sys_recvmsg+0x7f/0x90
[ 21.221333][ T420]  do_syscall_64+0x31/0x70
[ 21.225719][ T420]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.231583][ T420] RIP: 0033:0x7f3df847ec29
[ 21.235970][ T420] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 21.255544][ T420] RSP: 002b:00007ffee9c7f798 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 21.263930][ T420] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3df847ec29
[ 21.271871][ T420] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
[ 21.279812][ T420] RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
[ 21.287838][ T420] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffee9c7f7b0
[ 21.295792][ T420] R13: 00000000000f4240 R14: 00000000000051a6 R15: 00007ffee9c7f7a4
[ 21.303732][ T420]
[ 21.306030][ T420] Allocated by task 108:
[ 21.310255][ T420]  __kasan_slab_alloc+0xb2/0xe0
[ 21.315075][ T420]  kmem_cache_alloc+0x1a2/0x380
[ 21.319895][ T420]  skb_clone+0x1cc/0x370
[ 21.324105][ T420]  dev_queue_xmit_nit+0x27a/0xa80
[ 21.329093][ T420]  xmit_one+0x88/0x480
[ 21.333128][ T420]  dev_hard_start_xmit+0xad/0x1c0
[ 21.338117][ T420]  sch_direct_xmit+0x28f/0x9b0
[ 21.342856][ T420]  __qdisc_run+0x245/0x3e0
[ 21.347246][ T420]  net_tx_action+0x6d2/0x9e0
[ 21.351805][ T420]  __do_softirq+0x27e/0x598
[ 21.356272][ T420]
[ 21.358576][ T420] The buggy address belongs to the object at ffff88811e36c640
[ 21.358576][ T420]  which belongs to the cache skbuff_head_cache of size 240
[ 21.373130][ T420] The buggy address is located 40 bytes inside of
[ 21.373130][ T420]  240-byte region [ffff88811e36c640, ffff88811e36c730)
[ 21.386297][ T420] The buggy address belongs to the page:
[ 21.391906][ T420] page:ffffea000478db00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e36c
[ 21.402109][ T420] flags: 0x8000000000000200(slab)
[ 21.407105][ T420] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888107fe8f00
[ 21.415655][ T420] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 21.424203][ T420] page dumped because: kasan: bad access detected
[ 21.430583][ T420] page_owner tracks the page as allocated
[ 21.436272][ T420] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 108, ts 21048417509, free_ts 20918564837
[ 21.452221][ T420]  get_page_from_freelist+0xa74/0xa90
[ 21.457575][ T420]  __alloc_pages_nodemask+0x3c8/0x820
[ 21.462914][ T420]  allocate_slab+0x6b/0x350
[ 21.467385][ T420]  ___slab_alloc+0x143/0x2f0
[ 21.471941][ T420]  kmem_cache_alloc+0x26f/0x380
[ 21.476757][ T420]  skb_clone+0x1cc/0x370
[ 21.481062][ T420]  dev_queue_xmit_nit+0x27a/0xa80
[ 21.486056][ T420]  xmit_one+0x88/0x480
[ 21.490095][ T420]  dev_hard_start_xmit+0xad/0x1c0
[ 21.495092][ T420]  sch_direct_xmit+0x28f/0x9b0
[ 21.499828][ T420]  __qdisc_run+0x245/0x3e0
[ 21.504213][ T420]  net_tx_action+0x6d2/0x9e0
[ 21.508770][ T420]  __do_softirq+0x27e/0x598
[ 21.513247][ T420]  asm_call_irq_on_stack+0xf/0x20
[ 21.518236][ T420]  do_softirq_own_stack+0x60/0x80
[ 21.523226][ T420]  __irq_exit_rcu+0x128/0x150
[ 21.527867][ T420] page last free stack trace:
[ 21.532515][ T420]  __free_pages_ok+0xbe7/0xc20
[ 21.537243][ T420]  __free_pages+0x2d6/0x4a0
[ 21.541726][ T420]  free_pages+0x7c/0x90
[ 21.545852][ T420]  packet_set_ring+0x18d1/0x2610
[ 21.550756][ T420]  packet_release+0x781/0xd00
[ 21.555401][ T420]  sock_close+0xdb/0x260
[ 21.559610][ T420]  __fput+0x348/0x7d0
[ 21.563567][ T420]  ____fput+0x15/0x20
[ 21.567516][ T420]  task_work_run+0x147/0x1b0
[ 21.572072][ T420]  exit_to_user_mode_prepare+0xc3/0xe0
[ 21.577499][ T420]  syscall_exit_to_user_mode+0x24/0x40
[ 21.582921][ T420]  do_syscall_64+0x3d/0x70
[ 21.587306][ T420]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.593161][ T420]
[ 21.595455][ T420] Memory state around the buggy address:
[ 21.601057][ T420]  ffff88811e36c600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 21.609092][ T420]  ffff88811e36c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.617119][ T420] >ffff88811e36c700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 21.625145][ T420]                                      ^
[ 21.630742][ T420]  ffff88811e36c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.638778][ T420]  ffff88811e36c800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
executing program
[ 21.646802][ T420] ==================================================================
[ 21.654841][ T420] Disabling lock debugging due to kernel taint
executing program
[ 24.091941][ T434] __nla_validate_parse: 52 callbacks suppressed
[ 24.091948][ T434] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.171668][ T435] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.251795][ T436] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.332164][ T437] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.411349][ T438] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.491716][ T439] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.571708][ T440] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.652161][ T441] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.731360][ T442] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 24.892088][ T443] netlink: 244 bytes leftover after parsing attributes in process `syz-executor270'.
executing program
[ 25.208500][ T444] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ____sys_recvmsg+0x5d4/0x5e0
[ 25.219693][ T444] CPU: 1 PID: 444 Comm: syz-executor270 Tainted: G B 5.10.102-syzkaller-00171-ge1b86e7f5cbb #0
[ 25.231287][ T444] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.241316][ T444] Call Trace:
[ 25.244598][ T444]  dump_stack_lvl+0x1e2/0x24b
[ 25.249254][ T444]  ? panic+0x203/0x7d9
[ 25.253319][ T444]  ? show_regs_print_info+0x18/0x18
[ 25.258489][ T444]  dump_stack+0x15/0x1d
[ 25.262614][ T444]  panic+0x2a1/0x7d9
[ 25.266479][ T444]  ? ____sys_recvmsg+0x5d4/0x5e0
[ 25.271398][ T444]  ? ____sys_recvmsg+0x42e/0x5e0
[ 25.276307][ T444]  ? nmi_panic+0x97/0x97
[ 25.280520][ T444]  ? avc_has_perm_noaudit+0x2ed/0x4d0
[ 25.285862][ T444]  __stack_chk_fail+0x16/0x20
[ 25.290506][ T444]  ____sys_recvmsg+0x5d4/0x5e0
[ 25.295235][ T444]  ? _copy_from_user+0x93/0xd0
[ 25.299968][ T444]  ? __sys_recvmsg_sock+0x130/0x130
[ 25.305136][ T444]  ? skb_orphan_partial+0x580/0x580
[ 25.310306][ T444]  __sys_recvmsg+0x310/0x850
[ 25.314865][ T444]  ? ____sys_recvmsg+0x5e0/0x5e0
[ 25.319774][ T444]  ? __sys_setsockopt+0x52c/0x870
[ 25.324769][ T444]  ? debug_smp_processor_id+0x1c/0x20
[ 25.330113][ T444]  ? fpregs_assert_state_consistent+0xb6/0xe0
[ 25.336146][ T444]  __x64_sys_recvmsg+0x7f/0x90
[ 25.340876][ T444]  do_syscall_64+0x31/0x70
[ 25.345258][ T444]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 25.351120][ T444] RIP: 0033:0x7f3df847ec29
[ 25.355504][ T444] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 25.375089][ T444] RSP: 002b:00007ffee9c7f798 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 25.383477][ T444] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3df847ec29
[ 25.391419][ T444] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
[ 25.399359][ T444] RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
[ 25.407299][ T444] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffee9c7f7b0
[ 25.415241][ T444] R13: 00000000000f4240 R14: 0000000000006128 R15: 00007ffee9c7f7a4
[ 25.423370][ T444] Kernel Offset: disabled
[ 25.427672][ T444] Rebooting in 86400 seconds..
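Triage note, added here and not part of the syzkaller console output above. The first report is a 241-byte memcpy() in packet_recvmsg() reading from an sk_buff: the object is a 240-byte skbuff_head_cache entry and the read starts 40 bytes into it, which on x86_64 is where skb->cb[] (48 bytes) begins. In the AF_PACKET receive path the control block holds the per-packet struct sockaddr_ll, and recvmsg copies sll_halen + offsetof(struct sockaddr_ll, sll_addr) bytes of it into the caller's msg_name. That offset is 12, so a 241-byte copy corresponds to an sll_halen of 229, far larger than any hardware address the stack supports (MAX_ADDR_LEN is 32). Reading 241 bytes from offset 40 runs 41 bytes past the end of the 240-byte object, which is the KASAN finding; the destination is the 128-byte struct sockaddr_storage that ____sys_recvmsg() keeps on its stack, so the same copy also writes 113 bytes past that buffer. That is why the second crash at 25.2 s is a stack-protector panic in ____sys_recvmsg() rather than another KASAN report: by default KASAN prints only its first report and taints the kernel (the T444 banner shows "Tainted: G B"), so the write side of the identical copy is what trips the canary. Filing the panic as a second bug would be a triage error. That cb[] carried a stale or uninitialised sll_halen is an inference from these numbers, not something the log states.

The user-space model below is an added example, not kernel code and not taken from the syzkaller report. It reproduces the arithmetic with the sizes printed in the report and puts the unchecked length computation beside a copy that refuses any length not explainable by a real hardware address or not fitting both the source control block and the destination buffer. The struct sockaddr_ll field layout is the one from <linux/if_packet.h>; the 0xe5 fill pattern and the Ethernet address are constructed inputs.

```c
/* Added example: user-space model of the sockaddr_ll copy in packet_recvmsg().
 * Not kernel code. Sizes are taken from the KASAN report above and from the
 * x86_64 struct sk_buff / struct sockaddr_storage layouts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_OBJ_LEN          240   /* "cache skbuff_head_cache of size 240" */
#define SKB_CB_OFF            40   /* "located 40 bytes inside": skb->cb[] starts here */
#define SKB_CB_LEN            48   /* sizeof(skb->cb) */
#define SOCKADDR_STORAGE_LEN 128   /* msg_name buffer on the ____sys_recvmsg() stack */
#define HW_ADDR_MAX           32   /* MAX_ADDR_LEN: longest hardware address allowed */

/* Same field layout as struct sockaddr_ll; offsetof(sll_addr) == 12. */
struct sockaddr_ll_model {
    uint16_t sll_family;
    uint16_t sll_protocol;
    int32_t  sll_ifindex;
    uint16_t sll_hatype;
    uint8_t  sll_pkttype;
    uint8_t  sll_halen;
    uint8_t  sll_addr[8];
};
#define SLL_HDR_LEN offsetof(struct sockaddr_ll_model, sll_addr)
_Static_assert(SLL_HDR_LEN == 12, "sockaddr_ll header must be 12 bytes");

/* Stand-in for the 240-byte sk_buff slab object: 40 bytes of pointers and
 * timestamps, the 48-byte control block the address is read from, the rest. */
struct skb_model {
    uint64_t head[SKB_CB_OFF / 8];
    uint8_t  cb[SKB_CB_LEN];
    uint8_t  rest[SKB_OBJ_LEN - SKB_CB_OFF - SKB_CB_LEN];
};
_Static_assert(sizeof(struct skb_model) == SKB_OBJ_LEN, "model must match the slab object");

/* Length the unchecked code derives from the control block: sll_halen + 12.
 * Nothing bounds sll_halen, so garbage in cb[] yields up to 255 + 12 bytes. */
size_t unchecked_copy_len(const struct skb_model *skb)
{
    struct sockaddr_ll_model sll;
    memcpy(&sll, skb->cb, sizeof sll);
    return (size_t)sll.sll_halen + SLL_HDR_LEN;
}

/* Bytes a memcpy of copy_len starting at cb[] reads past the slab object. */
size_t slab_overrun(size_t copy_len)
{
    size_t end = SKB_CB_OFF + copy_len;
    return end > SKB_OBJ_LEN ? end - SKB_OBJ_LEN : 0;
}

/* Bytes the same copy writes past the caller's sockaddr_storage on the stack. */
size_t stack_overrun(size_t copy_len)
{
    return copy_len > SOCKADDR_STORAGE_LEN ? copy_len - SOCKADDR_STORAGE_LEN : 0;
}

/* Hardened copy: the length must be explainable by a real hardware address and
 * must stay inside the source control block and the destination buffer.
 * Returns bytes copied, or -1 when the recorded length is impossible. */
int checked_copy_msg_name(uint8_t *dst, size_t dst_len, const struct skb_model *skb)
{
    struct sockaddr_ll_model sll;
    memcpy(&sll, skb->cb, sizeof sll);
    if (sll.sll_halen > HW_ADDR_MAX)
        return -1;                          /* garbage, not an address length */
    size_t len = SLL_HDR_LEN + sll.sll_halen;
    if (len > SKB_CB_LEN || len > dst_len)
        return -1;                          /* would leave cb[] or overflow dst */
    memcpy(dst, skb->cb, len);
    return (int)len;
}

/* Constructed input: a control block full of 0xe5 (229), the sll_halen value
 * that makes the unchecked length equal the report's 241. */
struct skb_model garbage_skb(void)
{
    struct skb_model skb;
    memset(&skb, 0xe5, sizeof skb);
    return skb;
}

/* Constructed input: a sane Ethernet address as packet_rcv() would record it. */
struct skb_model ethernet_skb(void)
{
    struct skb_model skb = {0};
    struct sockaddr_ll_model sll = { .sll_family = 17 /* AF_PACKET */,
                                     .sll_hatype = 1 /* ARPHRD_ETHER */,
                                     .sll_halen = 6,
                                     .sll_addr = {0x02, 0x00, 0x5e, 0x10, 0x00, 0x01} };
    memcpy(skb.cb, &sll, sizeof sll);
    return skb;
}

int main(void)
{
    uint8_t name[SOCKADDR_STORAGE_LEN];
    struct skb_model bad = garbage_skb(), good = ethernet_skb();
    size_t len = unchecked_copy_len(&bad);
    printf("unchecked copy_len=%zu: %zu bytes past the skb, %zu past sockaddr_storage\n",
           len, slab_overrun(len), stack_overrun(len));
    printf("checked copy, garbage cb[]: %d\n", checked_copy_msg_name(name, sizeof name, &bad));
    printf("checked copy, Ethernet cb[]: %d bytes\n", checked_copy_msg_name(name, sizeof name, &good));
    return 0;
}
```

Run on the 0xe5-filled control block the model reports a 241-byte copy, 41 bytes of slab over-read and 113 bytes of stack overwrite, the same three numbers that explain both crashes above; the checked variant rejects it and accepts the 18-byte Ethernet case. The practical lesson for reviewing receive paths is that a length stored in skb->cb[] by one code path is only as trustworthy as every other path that can queue an skb to the same socket, so the consumer must bound it against the destination rather than assume the producer did.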