[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
syzkaller login: [ 75.259627][ T6522] chnl_net:caif_netlink_parms(): no params data found
[ 75.341248][ T6522] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.350081][ T6522] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.360285][ T6522] device bridge_slave_0 entered promiscuous mode
[ 75.371070][ T6522] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.379637][ T6522] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.388680][ T6522] device bridge_slave_1 entered promiscuous mode
[ 75.423213][ T6522] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 75.434595][ T6522] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 75.470408][ T6522] team0: Port device team_slave_0 added
[ 75.478236][ T6522] team0: Port device team_slave_1 added
[ 75.510778][ T6522] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 75.517844][ T6522] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 75.544806][ T6522] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 75.558000][ T6522] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 75.565692][ T6522] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 75.592116][ T6522] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 75.629056][ T6522] device hsr_slave_0 entered promiscuous mode
[ 75.635972][ T6522] device hsr_slave_1 entered promiscuous mode
[ 75.759498][ T6522] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 75.771585][ T6522] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 75.783196][ T6522] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 75.796012][ T6522] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 75.824978][ T6522] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.832465][ T6522] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.840292][ T6522] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.847572][ T6522] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.897252][ T6522] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.910781][ T1050] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.923358][ T1050] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.934657][ T1050] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.944122][ T1050] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 75.958211][ T6522] 8021q: adding VLAN 0 to HW filter on device team0
[ 75.969816][ T6840] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 75.979234][ T6840] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.986564][ T6840] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.999266][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 76.008161][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.015516][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 76.035662][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 76.046026][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 76.064153][ T6840] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 76.072773][ T6840] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 76.086707][ T6840] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 76.099102][ T6522] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 76.118884][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 76.127754][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 76.147862][ T6522] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 76.178644][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 76.205387][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 76.215433][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 76.225491][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 76.237359][ T6522] device veth0_vlan entered promiscuous mode
[ 76.255388][ T6522] device veth1_vlan entered promiscuous mode
[ 76.280107][ T1050] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 76.289983][ T1050] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 76.302658][ T6522] device veth0_macvtap entered promiscuous mode
[ 76.316395][ T6522] device veth1_macvtap entered promiscuous mode
[ 76.345719][ T6522] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 76.353444][ T1273] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 76.361530][ T1273] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 76.370818][ T1273] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 76.379808][ T1273] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 76.394455][ T6522] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 76.402454][ T1273] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 76.411044][ T1273] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 76.424186][ T6522] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 76.433658][ T6522] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 76.443323][ T6522] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 76.452639][ T6522] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 76.493577][ T6522] ------------[ cut here ]------------
[ 76.499068][ T6522] ODEBUG: free active (active state 0) object type: hrtimer hint: advance_sched+0x0/0x9a0
[ 76.512221][ T6522] WARNING: CPU: 1 PID: 6522 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250
[ 76.522922][ T6522] Modules linked in:
[ 76.526837][ T6522] CPU: 0 PID: 6522 Comm: syz-executor645 Not tainted 5.15.0-rc2-syzkaller #0
[ 76.536712][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.547827][ T6522] RIP: 0010:debug_print_object+0x16e/0x250
[ 76.547900][ T6522] Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 38 e4 89 4c 89 ee 48 c7 c7 00 2c e4 89 e8 da b2 14 05 <0f> 0b 83 05 55 0c 91 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
[ 76.547924][ T6522] RSP: 0018:ffffc90002def348 EFLAGS: 00010286
[ 76.579988][ T6522] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 76.588369][ T6522] RDX: ffff888026023900 RSI: ffffffff815dbd98 RDI: fffff520005bde5b
[ 76.596488][ T6522] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 76.604563][ T6522] R10: ffffffff815d5b3e R11: 0000000000000000 R12: ffffffff898df0a0
[ 76.612918][ T6522] R13: ffffffff89e43240 R14: ffffffff816581c0 R15: dffffc0000000000
[ 76.621197][ T6522] FS: 0000555556878300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 76.630750][ T6522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 76.637942][ T6522] CR2: 00007faee697d028 CR3: 0000000070fe7000 CR4: 00000000001506e0
[ 76.646075][ T6522] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 76.654463][ T6522] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 76.662640][ T6522] Call Trace:
[ 76.666115][ T6522] ? lockdep_hardirqs_on+0x79/0x100
[ 76.671693][ T6522] debug_check_no_obj_freed+0x301/0x420
[ 76.677550][ T6522] slab_free_freelist_hook+0xde/0x190
[ 76.683289][ T6522] kfree+0xe4/0x530
[ 76.687124][ T6522] ? qdisc_create+0xbcf/0x1320
[ 76.691965][ T6522] ? taprio_destroy+0x3ce/0x4d0
[ 76.696843][ T6522] qdisc_create+0xbcf/0x1320
[ 76.701455][ T6522] ? tc_get_qdisc+0xb50/0xb50
[ 76.706459][ T6522] ? __nla_parse+0x3d/0x50
[ 76.710918][ T6522] tc_modify_qdisc+0x4c8/0x1a60
[ 76.715938][ T6522] ? qdisc_create+0x1320/0x1320
[ 76.720953][ T6522] ? qdisc_create+0x1320/0x1320
[ 76.725890][ T6522] rtnetlink_rcv_msg+0x413/0xb80
[ 76.730937][ T6522] ? rtnl_newlink+0xa0/0xa0
[ 76.735640][ T6522] ? netdev_core_pick_tx+0x2e0/0x2e0
[ 76.741121][ T6522] netlink_rcv_skb+0x153/0x420
[ 76.746035][ T6522] ? rtnl_newlink+0xa0/0xa0
[ 76.750565][ T6522] ? netlink_ack+0xa60/0xa60
[ 76.755593][ T6522] ? netlink_deliver_tap+0x1a2/0xc30
[ 76.760910][ T6522] ? netlink_deliver_tap+0x1b1/0xc30
[ 76.766317][ T6522] netlink_unicast+0x533/0x7d0
[ 76.771187][ T6522] ? netlink_attachskb+0x890/0x890
[ 76.776581][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 76.783495][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 76.789764][ T6522] ? __phys_addr_symbol+0x2c/0x70
[ 76.794880][ T6522] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 76.800713][ T6522] ? __check_object_size+0x16e/0x3f0
[ 76.806526][ T6522] netlink_sendmsg+0x86d/0xdb0
[ 76.811321][ T6522] ? netlink_unicast+0x7d0/0x7d0
[ 76.816356][ T6522] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 76.823254][ T6522] ? netlink_unicast+0x7d0/0x7d0
[ 76.828216][ T6522] sock_sendmsg+0xcf/0x120
[ 76.833022][ T6522] ____sys_sendmsg+0x6e8/0x810
[ 76.837957][ T6522] ? kernel_sendmsg+0x50/0x50
[ 76.842750][ T6522] ? do_recvmmsg+0x6d0/0x6d0
[ 76.847355][ T6522] ? lock_chain_count+0x20/0x20
[ 76.852540][ T6522] ___sys_sendmsg+0xf3/0x170
[ 76.857530][ T6522] ? sendmsg_copy_msghdr+0x160/0x160
[ 76.863613][ T6522] ? __lock_acquire+0x162f/0x54a0
[ 76.868872][ T6522] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 76.874973][ T6522] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 76.881068][ T6522] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 76.887480][ T6522] ? __fget_light+0x215/0x280
[ 76.888238][ C0] ==================================================================
[ 76.892393][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 76.900564][ C0] BUG: KASAN: use-after-free in advance_sched+0x967/0x9a0
[ 76.906852][ T6522] __sys_sendmsg+0xe5/0x1b0
[ 76.913888][ C0] Read of size 8 at addr ffff888019575510 by task systemd-journal/2965
[ 76.913910][ C0]
[ 76.913919][ C0] CPU: 0 PID: 2965 Comm: systemd-journal Not tainted 5.15.0-rc2-syzkaller #0
[ 76.918499][ T6522] ? __sys_sendmsg_sock+0x30/0x30
[ 76.927169][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.927186][ C0] Call Trace:
[ 76.927195][ C0]
[ 76.927205][ C0] dump_stack_lvl+0xcd/0x134
[ 76.929657][ T6522] ? syscall_enter_from_user_mode+0x21/0x70
[ 76.938380][ C0] print_address_description.constprop.0.cold+0x6c/0x309
[ 76.938425][ C0] ? advance_sched+0x967/0x9a0
[ 76.943567][ T6522] do_syscall_64+0x35/0xb0
[ 76.953574][ C0] ? advance_sched+0x967/0x9a0
[ 76.953604][ C0] kasan_report.cold+0x83/0xdf
[ 76.956978][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.959815][ C0] ? advance_sched+0x967/0x9a0
[ 76.964598][ T6522] RIP: 0033:0x7f9bdf070b89
[ 76.970491][ C0] advance_sched+0x967/0x9a0
[ 76.977533][ T6522] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 76.982342][ C0] ? taprio_dequeue_soft+0xa70/0xa70
[ 76.986756][ T6522] RSP: 002b:00007ffc7b9d88c8 EFLAGS: 00000246
[ 76.991590][ C0] __hrtimer_run_queues+0x609/0xe50
[ 76.991632][ C0] ? hrtimer_sleeper_start_expires+0x80/0x80
[ 76.996362][ T6522] ORIG_RAX: 000000000000002e
[ 77.002323][ C0] ? ktime_get_update_offsets_now+0x3eb/0x5c0
[ 77.002370][ C0] hrtimer_interrupt+0x31c/0x790
[ 77.007100][ T6522] RAX: ffffffffffffffda RBX: 00007ffc7b9d88d8 RCX: 00007f9bdf070b89
[ 77.011515][ C0] __sysvec_apic_timer_interrupt+0x146/0x530
[ 77.016118][ T6522] RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004
[ 77.036200][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 77.036232][ C0]
[ 77.041629][ T6522] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 77.047651][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 77.053081][ T6522] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc7b9d88e0
[ 77.059106][ C0] RIP: 0010:unwind_next_frame+0x2e2/0x1ce0
[ 77.063822][ T6522] R13: 00007ffc7b9d8900 R14: 0000000000000000 R15: 0000000000000000
[ 77.069836][ C0] Code: 44 89 5c 24 20 e8 ee b8 89 00 48 8b 54 24 38 48 8b 74 24 30 8b 4c 24 28 44 8b 5c 24 20 8b 14 95 60 02 85 8e 89 c8 48 8d 3c 40 <4c> 8d 8c 3f 34 5c e3 8d 83 c2 01 49 81 f9 5e 02 85 8e 0f 83 f3 10
[ 77.075066][ T6522] Kernel panic - not syncing: panic_on_warn set ...
[ 77.082970][ C0] RSP: 0018:ffffc900014df988 EFLAGS: 00000246
[ 77.173902][ C0] RAX: 000000000000d29e RBX: 1ffff9200029bf39 RCX: 000000000000d29e
[ 77.181877][ C0] RDX: 000000000000d29e RSI: 00000000000033bb RDI: 00000000000277da
[ 77.190382][ C0] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffc900014dfab0
[ 77.198387][ C0] R10: fffff5200029bf61 R11: 0000000000086089 R12: ffffc900014dfaf8
[ 77.206373][ C0] R13: ffffc900014dfae5 R14: ffffc900014dfab0 R15: ffffffff8133bbd5
[ 77.214379][ C0] ? __unwind_start+0x595/0x800
[ 77.219283][ C0] ? unwind_next_frame+0x120/0x1ce0
[ 77.224485][ C0] ? __unwind_start+0x596/0x800
[ 77.229481][ C0] ? deref_stack_reg+0x150/0x150
[ 77.234507][ C0] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.240598][ C0] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 77.246456][ C0] ? get_stack_info_noinstr+0x14/0x120
[ 77.251956][ C0] __unwind_start+0x51b/0x800
[ 77.257097][ C0] ? lock_chain_count+0x20/0x20
[ 77.262056][ C0] ? create_prof_cpu_mask+0x20/0x20
[ 77.267372][ C0] arch_stack_walk+0x5c/0xe0
[ 77.272098][ C0] ? __unwind_start+0x596/0x800
[ 77.276956][ C0] stack_trace_save+0x8c/0xc0
[ 77.281932][ C0] ? stack_trace_consume_entry+0x160/0x160
[ 77.287764][ C0] kasan_save_stack+0x1b/0x40
[ 77.292625][ C0] ? prepare_creds+0x3f/0x7b0
[ 77.297314][ C0] ? do_faccessat+0x3f4/0x850
[ 77.302099][ C0] ? do_syscall_64+0x35/0xb0
[ 77.306694][ C0] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 77.312782][ C0] ? find_held_lock+0x2d/0x110
[ 77.317766][ C0] ? __kmalloc+0x5f/0x320
[ 77.322552][ C0] ? rcu_read_lock_sched_held+0x3a/0x70
[ 77.328102][ C0] __kasan_kmalloc+0xa4/0xd0
[ 77.332714][ C0] security_prepare_creds+0x10e/0x190
[ 77.338094][ C0] prepare_creds+0x56e/0x7b0
[ 77.342691][ C0] do_faccessat+0x3f4/0x850
[ 77.347383][ C0] ? stream_open+0x60/0x60
[ 77.351954][ C0] ? __secure_computing+0x104/0x360
[ 77.357269][ C0] do_syscall_64+0x35/0xb0
[ 77.361694][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.367597][ C0] RIP: 0033:0x7faee88659c7
[ 77.372028][ C0] Code: 83 c4 08 48 3d 01 f0 ff ff 73 01 c3 48 8b 0d c8 d4 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 15 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 d4 2b 00 f7 d8 64 89 01 48
[ 77.392043][ C0] RSP: 002b:00007ffe9d476d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
[ 77.400467][ C0] RAX: ffffffffffffffda RBX: 00007ffe9d479c30 RCX: 00007faee88659c7
[ 77.408717][ C0] RDX: 00007faee92d6a00 RSI: 0000000000000000 RDI: 0000555a993f49a3
[ 77.416868][ C0] RBP: 00007ffe9d476d50 R08: 0000000000000000 R09: 0000000000000000
[ 77.425015][ C0] R10: 0000000000000069 R11: 0000000000000246 R12: 0000000000000000
[ 77.433082][ C0] R13: 0000000000000000 R14: 00007ffe9d479c30 R15: 00007ffe9d477240
[ 77.441250][ C0]
[ 77.441253][ T6522] CPU: 1 PID: 6522 Comm: syz-executor645 Not tainted 5.15.0-rc2-syzkaller #0
[ 77.443693][ C0] Allocated by task 6522:
[ 77.452625][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.457023][ C0] kasan_save_stack+0x1b/0x40
[ 77.467063][ T6522] Call Trace:
[ 77.467078][ T6522] dump_stack_lvl+0xcd/0x134
[ 77.471828][ C0] __kasan_kmalloc+0xa4/0xd0
[ 77.475109][ T6522] panic+0x2b0/0x6dd
[ 77.479676][ C0] taprio_change+0x5fb/0x4160
[ 77.484858][ T6522] ? __warn_printk+0xf3/0xf3
[ 77.488748][ C0] taprio_init+0x52e/0x670
[ 77.494204][ T6522] ? __warn.cold+0x1a/0x44
[ 77.498937][ C0] qdisc_create+0x475/0x1320
[ 77.503426][ T6522] ? debug_print_object+0x16e/0x250
[ 77.507904][ C0] tc_modify_qdisc+0x4c8/0x1a60
[ 77.512565][ T6522] __warn.cold+0x35/0x44
[ 77.517741][ C0] rtnetlink_rcv_msg+0x413/0xb80
[ 77.522575][ T6522] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 77.526798][ C0] netlink_rcv_skb+0x153/0x420
[ 77.531715][ T6522] ? debug_print_object+0x16e/0x250
[ 77.537945][ C0] netlink_unicast+0x533/0x7d0
[ 77.542800][ T6522] report_bug+0x1bd/0x210
[ 77.547991][ C0] netlink_sendmsg+0x86d/0xdb0
[ 77.552756][ T6522] handle_bug+0x3c/0x60
[ 77.557148][ C0] sock_sendmsg+0xcf/0x120
[ 77.561984][ T6522] exc_invalid_op+0x14/0x40
[ 77.566122][ C0] ____sys_sendmsg+0x6e8/0x810
[ 77.570540][ T6522] asm_exc_invalid_op+0x12/0x20
[ 77.575026][ C0] ___sys_sendmsg+0xf3/0x170
[ 77.579786][ T6522] RIP: 0010:debug_print_object+0x16e/0x250
[ 77.584633][ C0] __sys_sendmsg+0xe5/0x1b0
[ 77.589208][ T6522] Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 38 e4 89 4c 89 ee 48 c7 c7 00 2c e4 89 e8 da b2 14 05 <0f> 0b 83 05 55 0c 91 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
[ 77.595081][ C0] do_syscall_64+0x35/0xb0
[ 77.599566][ T6522] RSP: 0018:ffffc90002def348 EFLAGS: 00010286
[ 77.619647][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.624144][ T6522]
[ 77.624151][ T6522] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 77.630193][ C0]
[ 77.630202][ C0] Freed by task 13:
[ 77.636075][ T6522] RDX: ffff888026023900 RSI: ffffffff815dbd98 RDI: fffff520005bde5b
[ 77.638389][ C0] kasan_save_stack+0x1b/0x40
[ 77.646345][ T6522] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 77.648660][ C0] kasan_set_track+0x1c/0x30
[ 77.652448][ T6522] R10: ffffffff815d5b3e R11: 0000000000000000 R12: ffffffff898df0a0
[ 77.660403][ C0] kasan_set_free_info+0x20/0x30
[ 77.665059][ T6522] R13: ffffffff89e43240 R14: ffffffff816581c0 R15: dffffc0000000000
[ 77.673014][ C0] __kasan_slab_free+0xff/0x130
[ 77.677675][ T6522] ? ktime_add_safe+0x70/0x70
[ 77.685635][ C0] slab_free_freelist_hook+0x81/0x190
[ 77.690562][ T6522] ? wake_up_klogd.part.0+0x8e/0xd0
[ 77.698622][ C0] kfree+0xe4/0x530
[ 77.703682][ T6522] ? vprintk+0x88/0x90
[ 77.713991][ C0] rcu_core+0x7ab/0x1470
[ 77.719363][ T6522] ? debug_print_object+0x16e/0x250
[ 77.724636][ C0] __do_softirq+0x29b/0x9c2
[ 77.728444][ T6522] ? lockdep_hardirqs_on+0x79/0x100
[ 77.732495][ C0]
[ 77.736924][ T6522] debug_check_no_obj_freed+0x301/0x420
[ 77.742102][ C0] Last potentially related work creation:
[ 77.746748][ T6522] slab_free_freelist_hook+0xde/0x190
[ 77.751951][ C0] kasan_save_stack+0x1b/0x40
[ 77.754289][ T6522] kfree+0xe4/0x530
[ 77.759814][ C0] kasan_record_aux_stack+0xe9/0x110
[ 77.765517][ T6522] ? qdisc_create+0xbcf/0x1320
[ 77.770893][ C0] call_rcu+0xb1/0x750
[ 77.775575][ T6522] ? taprio_destroy+0x3ce/0x4d0
[ 77.779362][ C0] taprio_destroy+0x3ce/0x4d0
[ 77.784728][ T6522] qdisc_create+0xbcf/0x1320
[ 77.789466][ C0] qdisc_create+0xb7a/0x1320
[ 77.793525][ T6522] ? tc_get_qdisc+0xb50/0xb50
[ 77.798348][ C0] tc_modify_qdisc+0x4c8/0x1a60
[ 77.803034][ T6522] ? __nla_parse+0x3d/0x50
[ 77.807603][ C0] rtnetlink_rcv_msg+0x413/0xb80
[ 77.812178][ T6522] tc_modify_qdisc+0x4c8/0x1a60
[ 77.816833][ C0] netlink_rcv_skb+0x153/0x420
[ 77.821696][ T6522] ? qdisc_create+0x1320/0x1320
[ 77.826105][ C0] netlink_unicast+0x533/0x7d0
[ 77.831146][ T6522] ? qdisc_create+0x1320/0x1320
[ 77.835979][ C0] netlink_sendmsg+0x86d/0xdb0
[ 77.840845][ T6522] rtnetlink_rcv_msg+0x413/0xb80
[ 77.845675][ C0] sock_sendmsg+0xcf/0x120
[ 77.850430][ T6522] ? rtnl_newlink+0xa0/0xa0
[ 77.855257][ C0] ____sys_sendmsg+0x6e8/0x810
[ 77.860096][ T6522] ? netdev_core_pick_tx+0x2e0/0x2e0
[ 77.865213][ C0] ___sys_sendmsg+0xf3/0x170
[ 77.869622][ T6522] netlink_rcv_skb+0x153/0x420
[ 77.874187][ C0] __sys_sendmsg+0xe5/0x1b0
[ 77.879024][ T6522] ? rtnl_newlink+0xa0/0xa0
[ 77.884303][ C0] do_syscall_64+0x35/0xb0
[ 77.888885][ T6522] ? netlink_ack+0xa60/0xa60
[ 77.893632][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.898133][ T6522] ? netlink_deliver_tap+0x1a2/0xc30
[ 77.902707][ C0]
[ 77.902716][ C0] The buggy address belongs to the object at ffff888019575500
[ 77.902716][ C0] which belongs to the cache kmalloc-96 of size 96
[ 77.907121][ T6522] ? netlink_deliver_tap+0x1b1/0xc30
[ 77.911792][ C0] The buggy address is located 16 bytes inside of
[ 77.911792][ C0] 96-byte region [ffff888019575500, ffff888019575560)
[ 77.917770][ T6522] netlink_unicast+0x533/0x7d0
[ 77.923119][ C0] The buggy address belongs to the page:
[ 77.923132][ C0] page:ffffea0000655d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19575
[ 77.925530][ T6522] ? netlink_attachskb+0x890/0x890
[ 77.939933][ C0] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 77.945207][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 77.958301][ C0] raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41780
[ 77.963214][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 77.968839][ C0] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[ 77.978953][ T6522] ? __phys_addr_symbol+0x2c/0x70
[ 77.984049][ C0] page dumped because: kasan: bad access detected
[ 77.991572][ T6522] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 77.997811][ C0] page_owner tracks the page as allocated
[ 78.006373][ T6522] ? __check_object_size+0x16e/0x3f0
[ 78.012684][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 20196218339, free_ts 20185381966
[ 78.021738][ T6522] netlink_sendmsg+0x86d/0xdb0
[ 78.026782][ C0] get_page_from_freelist+0xa72/0x2f80
[ 78.033206][ T6522] ? netlink_unicast+0x7d0/0x7d0
[ 78.038895][ C0] __alloc_pages+0x1b2/0x500
[ 78.044619][ T6522] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.050235][ C0] alloc_pages+0x1a7/0x300
[ 78.065850][ T6522] ? netlink_unicast+0x7d0/0x7d0
[ 78.070592][ C0] new_slab+0x319/0x490
[ 78.076130][ T6522] sock_sendmsg+0xcf/0x120
[ 78.081044][ C0] ___slab_alloc+0x921/0xfe0
[ 78.085621][ T6522] ____sys_sendmsg+0x6e8/0x810
[ 78.091849][ C0] __slab_alloc.constprop.0+0x4d/0xa0
[ 78.096270][ T6522] ? kernel_sendmsg+0x50/0x50
[ 78.101176][ C0] __kmalloc+0x305/0x320
[ 78.105312][ T6522] ? do_recvmmsg+0x6d0/0x6d0
[ 78.110161][ C0] tomoyo_encode2.part.0+0xe9/0x3a0
[ 78.115094][ T6522] ? lock_chain_count+0x20/0x20
[ 78.119919][ C0] tomoyo_encode+0x28/0x50
[ 78.125285][ T6522] ___sys_sendmsg+0xf3/0x170
[ 78.130111][ C0] tomoyo_realpath_from_path+0x186/0x620
[ 78.134777][ T6522] ? sendmsg_copy_msghdr+0x160/0x160
[ 78.139343][ C0] tomoyo_path_perm+0x21b/0x400
[ 78.144611][ T6522] ? __lock_acquire+0x162f/0x54a0
[ 78.149438][ C0] security_inode_getattr+0xcf/0x140
[ 78.153942][ T6522] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 78.158512][ C0] vfs_fstat+0x43/0xb0
[ 78.164218][ T6522] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 78.169492][ C0] __do_sys_newfstat+0x81/0x100
[ 78.174419][ T6522] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.179425][ C0] do_syscall_64+0x35/0xb0
[ 78.184700][ T6522] ? __fget_light+0x215/0x280
[ 78.190852][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.195360][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 78.201410][ C0] page last free stack trace:
[ 78.206248][ T6522] __sys_sendmsg+0xe5/0x1b0
[ 78.212554][ C0] free_pcp_prepare+0x2c5/0x780
[ 78.216979][ T6522] ? __sys_sendmsg_sock+0x30/0x30
[ 78.221645][ C0] free_unref_page+0x19/0x690
[ 78.227624][ T6522] ? syscall_enter_from_user_mode+0x21/0x70
[ 78.234015][ C0] __vunmap+0x783/0xb70
[ 78.238681][ T6522] do_syscall_64+0x35/0xb0
[ 78.243156][ C0] __vfree+0x3c/0xd0
[ 78.248075][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.253163][ C0] vfree+0x5a/0x90
[ 78.258090][ T6522] RIP: 0033:0x7f9bdf070b89
[ 78.263963][ C0] n_tty_close+0xcf/0x1e0
[ 78.268119][ T6522] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 78.272935][ C0] tty_ldisc_close+0x110/0x190
[ 78.276810][ T6522] RSP: 002b:00007ffc7b9d88c8 EFLAGS: 00000246
[ 78.282692][ C0] tty_ldisc_kill+0x94/0x150
[ 78.286489][ T6522] ORIG_RAX: 000000000000002e
[ 78.290906][ C0] tty_ldisc_release+0x154/0x2a0
[ 78.295311][ T6522] RAX: ffffffffffffffda RBX: 00007ffc7b9d88d8 RCX: 00007f9bdf070b89
[ 78.315247][ C0] tty_release_struct+0x20/0xe0
[ 78.320081][ T6522] RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004
[ 78.326237][ C0] tty_release+0xc70/0x1200
[ 78.330836][ T6522] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 78.335506][ C0] __fput+0x288/0x9f0
[ 78.340420][ T6522] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc7b9d88e0
[ 78.348373][ C0] task_work_run+0xdd/0x1a0
[ 78.353214][ T6522] R13: 00007ffc7b9d8900 R14: 0000000000000000 R15: 0000000000000000
[ 78.361355][ C0] exit_to_user_mode_prepare+0x27e/0x290
[ 78.404848][ C0] syscall_exit_to_user_mode+0x19/0x60
[ 78.410426][ C0] do_syscall_64+0x42/0xb0
[ 78.414860][ C0]
[ 78.417186][ C0] Memory state around the buggy address:
[ 78.422804][ C0] ffff888019575400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 78.430861][ C0] ffff888019575480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 78.438915][ C0] >ffff888019575500: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 78.447058][ C0] ^
[ 78.451648][ C0] ffff888019575580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 78.459931][ C0] ffff888019575600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 78.468241][ C0] ==================================================================
[ 78.476380][ C0] Disabling lock debugging due to kernel taint
[ 79.468226][ T6522] Shutting down cpus with NMI
[ 79.473331][ T6522] Kernel Offset: disabled
[ 79.477651][ T6522] Rebooting in 86400 seconds..