Warning: Permanently added '10.128.1.232' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 67.277937][ T6518] FAULT_INJECTION: forcing a failure.
[ 67.277937][ T6518] name failslab, interval 1, probability 0, space 0, times 1
[ 67.291091][ T6518] CPU: 1 PID: 6518 Comm: syz-executor027 Not tainted 5.15.0-rc5-syzkaller #0
[ 67.299842][ T6518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.310140][ T6518] Call Trace:
[ 67.313412][ T6518] dump_stack_lvl+0xcd/0x134
[ 67.318009][ T6518] should_fail.cold+0x5/0xa
[ 67.322502][ T6518] ? sk_psock_skb_ingress_self+0x4e/0x370
[ 67.328208][ T6518] should_failslab+0x5/0x10
[ 67.332694][ T6518] kmem_cache_alloc_trace+0x55/0x2b0
[ 67.337973][ T6518] sk_psock_skb_ingress_self+0x4e/0x370
[ 67.343503][ T6518] ? force_compatible_cpus_allowed_ptr+0x3d0/0x3d0
[ 67.349991][ T6518] sk_psock_verdict_apply+0x34c/0x430
[ 67.355350][ T6518] sk_psock_verdict_recv+0x2b0/0x7e0
[ 67.360622][ T6518] unix_read_sock+0xd7/0x250
[ 67.365201][ T6518] ? sk_psock_strp_read+0x6e0/0x6e0
[ 67.370385][ T6518] ? unix_compat_ioctl+0x30/0x30
[ 67.375397][ T6518] ? find_held_lock+0x2d/0x110
[ 67.380321][ T6518] ? unix_compat_ioctl+0x30/0x30
[ 67.385245][ T6518] sk_psock_verdict_data_ready+0x11a/0x180
[ 67.391042][ T6518] ? sk_psock_strp_read_done+0x10/0x10
[ 67.396551][ T6518] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 67.402342][ T6518] ? do_raw_spin_unlock+0x171/0x230
[ 67.407528][ T6518] unix_dgram_sendmsg+0xfa7/0x1950
[ 67.412632][ T6518] ? unix_stream_sendpage+0xca0/0xca0
[ 67.417991][ T6518] ? aa_af_perm+0x230/0x230
[ 67.422488][ T6518] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.428717][ T6518] ? unix_stream_sendpage+0xca0/0xca0
[ 67.434096][ T6518] sock_sendmsg+0xcf/0x120
[ 67.438517][ T6518] ____sys_sendmsg+0x331/0x810
[ 67.443287][ T6518] ? kernel_sendmsg+0x50/0x50
[ 67.447952][ T6518] ? do_recvmmsg+0x6d0/0x6d0
[ 67.452543][ T6518] ___sys_sendmsg+0xf3/0x170
[ 67.457128][ T6518] ? sendmsg_copy_msghdr+0x160/0x160
[ 67.462403][ T6518] ? mark_lock+0xef/0x17b0
[ 67.466804][ T6518] ? mark_lock+0xef/0x17b0
[ 67.471206][ T6518] ? lock_chain_count+0x20/0x20
[ 67.476041][ T6518] ? lock_chain_count+0x20/0x20
[ 67.480880][ T6518] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 67.486854][ T6518] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.493081][ T6518] ? __fget_light+0x215/0x280
[ 67.498263][ T6518] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 67.504491][ T6518] __sys_sendmmsg+0x195/0x470
[ 67.509162][ T6518] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 67.514172][ T6518] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 67.520142][ T6518] ? find_held_lock+0x2d/0x110
[ 67.524891][ T6518] ? __context_tracking_exit+0xb8/0xe0
[ 67.530344][ T6518] ? lock_downgrade+0x6e0/0x6e0
[ 67.535181][ T6518] ? lock_downgrade+0x6e0/0x6e0
[ 67.540025][ T6518] __x64_sys_sendmmsg+0x99/0x100
[ 67.544950][ T6518] ? syscall_enter_from_user_mode+0x21/0x70
[ 67.550829][ T6518] do_syscall_64+0x35/0xb0
[ 67.555227][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 67.561119][ T6518] RIP: 0033:0x7f4b858bda49
[ 67.565528][ T6518] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 67.585311][ T6518] RSP: 002b:00007ffea7b55cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 67.593715][ T6518] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4b858bda49
[ 67.601678][ T6518] RDX: 0307017fdb7a66cb RSI: 0000000020002dc0 RDI: 0000000000000006
[ 67.609639][ T6518] RBP: 00007ffea7b55cc0 R08: 0000000000000001 R09: 00007f4b85880035
[ 67.617599][ T6518] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 67.625559][ T6518] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 67.683497][ T6518] ==================================================================
[ 67.691655][ T6518] BUG: KASAN: use-after-free in consume_skb+0x2e/0x160
[ 67.698495][ T6518] Read of size 4 at addr ffff8880707eeadc by task syz-executor027/6518
[ 67.706771][ T6518]
[ 67.709079][ T6518] CPU: 1 PID: 6518 Comm: syz-executor027 Not tainted 5.15.0-rc5-syzkaller #0
[ 67.717818][ T6518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.727899][ T6518] Call Trace:
[ 67.731262][ T6518] dump_stack_lvl+0xcd/0x134
[ 67.735840][ T6518] print_address_description.constprop.0.cold+0x6c/0x309
[ 67.742861][ T6518] ? consume_skb+0x2e/0x160
[ 67.747356][ T6518] ? consume_skb+0x2e/0x160
[ 67.751847][ T6518] kasan_report.cold+0x83/0xdf
[ 67.756596][ T6518] ? consume_skb+0x2e/0x160
[ 67.761521][ T6518] kasan_check_range+0x13d/0x180
[ 67.766445][ T6518] consume_skb+0x2e/0x160
[ 67.770766][ T6518] __sk_msg_free+0x26d/0x360
[ 67.775360][ T6518] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 67.781156][ T6518] sk_psock_stop+0x415/0x620
[ 67.785907][ T6518] sock_map_close+0x34a/0x780
[ 67.790566][ T6518] ? espintcp_init_sk+0xaa0/0xaa0
[ 67.795577][ T6518] ? sock_map_lookup+0x400/0x400
[ 67.800498][ T6518] ? down_write+0xe0/0x150
[ 67.804901][ T6518] ? __down_timeout+0x10/0x10
[ 67.809561][ T6518] ? locks_remove_file+0x2f9/0x570
[ 67.814675][ T6518] unix_release+0x7a/0xe0
[ 67.818997][ T6518] __sock_release+0xcd/0x280
[ 67.823580][ T6518] sock_close+0x18/0x20
[ 67.827719][ T6518] __fput+0x288/0x9f0
[ 67.831688][ T6518] ? __sock_release+0x280/0x280
[ 67.836525][ T6518] task_work_run+0xdd/0x1a0
[ 67.841020][ T6518] do_exit+0xbae/0x2a30
[ 67.845170][ T6518] ? __context_tracking_exit+0xb8/0xe0
[ 67.850617][ T6518] ? lock_downgrade+0x6e0/0x6e0
[ 67.855452][ T6518] ? lock_downgrade+0x6e0/0x6e0
[ 67.860305][ T6518] ? mm_update_next_owner+0x7a0/0x7a0
[ 67.865672][ T6518] do_group_exit+0x125/0x310
[ 67.870250][ T6518] __x64_sys_exit_group+0x3a/0x50
[ 67.875260][ T6518] do_syscall_64+0x35/0xb0
[ 67.879662][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 67.885547][ T6518] RIP: 0033:0x7f4b858bc749
[ 67.889948][ T6518] Code: Unable to access opcode bytes at RIP 0x7f4b858bc71f.
[ 67.897295][ T6518] RSP: 002b:00007ffea7b55c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 67.905691][ T6518] RAX: ffffffffffffffda RBX: 00007f4b85930410 RCX: 00007f4b858bc749
[ 67.913646][ T6518] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 67.921603][ T6518] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f4b85880035
[ 67.929575][ T6518] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b85930410
[ 67.937534][ T6518] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 67.945505][ T6518]
[ 67.947811][ T6518] Allocated by task 6518:
[ 67.952119][ T6518] kasan_save_stack+0x1b/0x40
[ 67.956782][ T6518] __kasan_slab_alloc+0x83/0xb0
[ 67.961623][ T6518] kmem_cache_alloc+0x209/0x390
[ 67.966459][ T6518] skb_clone+0x170/0x3c0
[ 67.970686][ T6518] sk_psock_verdict_recv+0x72/0x7e0
[ 67.975868][ T6518] unix_read_sock+0xd7/0x250
[ 67.980544][ T6518] sk_psock_verdict_data_ready+0x11a/0x180
[ 67.986340][ T6518] unix_dgram_sendmsg+0xfa7/0x1950
[ 67.991435][ T6518] sock_sendmsg+0xcf/0x120
[ 67.995834][ T6518] ____sys_sendmsg+0x331/0x810
[ 68.000586][ T6518] ___sys_sendmsg+0xf3/0x170
[ 68.005163][ T6518] __sys_sendmmsg+0x195/0x470
[ 68.009824][ T6518] __x64_sys_sendmmsg+0x99/0x100
[ 68.014743][ T6518] do_syscall_64+0x35/0xb0
[ 68.019141][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.025019][ T6518]
[ 68.027325][ T6518] Freed by task 1265:
[ 68.031283][ T6518] kasan_save_stack+0x1b/0x40
[ 68.036028][ T6518] kasan_set_track+0x1c/0x30
[ 68.040600][ T6518] kasan_set_free_info+0x20/0x30
[ 68.045534][ T6518] __kasan_slab_free+0xff/0x130
[ 68.050385][ T6518] slab_free_freelist_hook+0x81/0x190
[ 68.055740][ T6518] kmem_cache_free+0x8a/0x5b0
[ 68.060398][ T6518] kfree_skbmem+0xef/0x1b0
[ 68.064796][ T6518] kfree_skb+0x140/0x3f0
[ 68.069020][ T6518] sk_psock_backlog+0x93b/0xda0
[ 68.073850][ T6518] process_one_work+0x9bf/0x16b0
[ 68.078770][ T6518] worker_thread+0x658/0x11f0
[ 68.083427][ T6518] kthread+0x3e5/0x4d0
[ 68.087479][ T6518] ret_from_fork+0x1f/0x30
[ 68.091889][ T6518]
[ 68.094195][ T6518] The buggy address belongs to the object at ffff8880707eea00
[ 68.094195][ T6518]  which belongs to the cache skbuff_head_cache of size 232
[ 68.108747][ T6518] The buggy address is located 220 bytes inside of
[ 68.108747][ T6518]  232-byte region [ffff8880707eea00, ffff8880707eeae8)
[ 68.121997][ T6518] The buggy address belongs to the page:
[ 68.127614][ T6518] page:ffffea0001c1fb80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x707ee
[ 68.137764][ T6518] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 68.145306][ T6518] raw: 00fff00000000200 ffffea0001c2a300 0000000d00000006 ffff888015de7640
[ 68.153885][ T6518] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 68.162444][ T6518] page dumped because: kasan: bad access detected
[ 68.168830][ T6518] page_owner tracks the page as allocated
[ 68.174517][ T6518] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4503, ts 59395130268, free_ts 59369058078
[ 68.190554][ T6518] get_page_from_freelist+0xa72/0x2f80
[ 68.196010][ T6518] __alloc_pages+0x1b2/0x500
[ 68.200591][ T6518] alloc_pages+0x1a7/0x300
[ 68.204987][ T6518] new_slab+0x319/0x490
[ 68.209124][ T6518] ___slab_alloc+0x921/0xfe0
[ 68.213693][ T6518] __slab_alloc.constprop.0+0x4d/0xa0
[ 68.219047][ T6518] kmem_cache_alloc_node+0x11f/0x3d0
[ 68.224315][ T6518] __alloc_skb+0x20b/0x340
[ 68.228727][ T6518] alloc_skb_with_frags+0x93/0x620
[ 68.233822][ T6518] sock_alloc_send_pskb+0x783/0x910
[ 68.239001][ T6518] unix_dgram_sendmsg+0x3ec/0x1950
[ 68.244096][ T6518] sock_sendmsg+0xcf/0x120
[ 68.248497][ T6518] sock_write_iter+0x289/0x3c0
[ 68.253241][ T6518] new_sync_write+0x429/0x660
[ 68.257915][ T6518] vfs_write+0x7cf/0xae0
[ 68.262145][ T6518] ksys_write+0x1ee/0x250
[ 68.266455][ T6518] page last free stack trace:
[ 68.271103][ T6518] free_pcp_prepare+0x2c5/0x780
[ 68.275936][ T6518] free_unref_page+0x19/0x690
[ 68.280593][ T6518] qlist_free_all+0x5a/0xc0
[ 68.285079][ T6518] kasan_quarantine_reduce+0x180/0x200
[ 68.290535][ T6518] __kasan_slab_alloc+0x95/0xb0
[ 68.295366][ T6518] __kmalloc+0x1e7/0x320
[ 68.299593][ T6518] tomoyo_realpath_from_path+0xc3/0x620
[ 68.305121][ T6518] tomoyo_path_perm+0x21b/0x400
[ 68.309951][ T6518] security_inode_getattr+0xcf/0x140
[ 68.315408][ T6518] vfs_statx+0x164/0x390
[ 68.319634][ T6518] __do_sys_newlstat+0x91/0x110
[ 68.324469][ T6518] do_syscall_64+0x35/0xb0
[ 68.328866][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.334743][ T6518]
[ 68.337047][ T6518] Memory state around the buggy address:
[ 68.342655][ T6518]  ffff8880707ee980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 68.350702][ T6518]  ffff8880707eea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.358742][ T6518] >ffff8880707eea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 68.366781][ T6518]                                                     ^
[ 68.373699][ T6518]  ffff8880707eeb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 68.381835][ T6518]  ffff8880707eeb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.390255][ T6518] ==================================================================
[ 68.398318][ T6518] Disabling lock debugging due to kernel taint
[ 68.404517][ T6518] Kernel panic - not syncing: panic_on_warn set ...
[ 68.411103][ T6518] CPU: 1 PID: 6518 Comm: syz-executor027 Tainted: G B 5.15.0-rc5-syzkaller #0
[ 68.421255][ T6518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.431305][ T6518] Call Trace:
[ 68.434586][ T6518] dump_stack_lvl+0xcd/0x134
[ 68.439185][ T6518] panic+0x2b0/0x6dd
[ 68.443091][ T6518] ? __warn_printk+0xf3/0xf3
[ 68.447682][ T6518] ? consume_skb+0x2e/0x160
[ 68.452273][ T6518] ? trace_hardirqs_on+0x38/0x1c0
[ 68.457293][ T6518] ? trace_hardirqs_on+0x51/0x1c0
[ 68.462305][ T6518] ? consume_skb+0x2e/0x160
[ 68.466833][ T6518] ? consume_skb+0x2e/0x160
[ 68.471361][ T6518] end_report.cold+0x63/0x6f
[ 68.476036][ T6518] kasan_report.cold+0x71/0xdf
[ 68.480819][ T6518] ? consume_skb+0x2e/0x160
[ 68.485392][ T6518] kasan_check_range+0x13d/0x180
[ 68.490312][ T6518] consume_skb+0x2e/0x160
[ 68.494623][ T6518] __sk_msg_free+0x26d/0x360
[ 68.499210][ T6518] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 68.505002][ T6518] sk_psock_stop+0x415/0x620
[ 68.509572][ T6518] sock_map_close+0x34a/0x780
[ 68.514285][ T6518] ? espintcp_init_sk+0xaa0/0xaa0
[ 68.519291][ T6518] ? sock_map_lookup+0x400/0x400
[ 68.524205][ T6518] ? down_write+0xe0/0x150
[ 68.528601][ T6518] ? __down_timeout+0x10/0x10
[ 68.533255][ T6518] ? locks_remove_file+0x2f9/0x570
[ 68.538350][ T6518] unix_release+0x7a/0xe0
[ 68.542680][ T6518] __sock_release+0xcd/0x280
[ 68.547250][ T6518] sock_close+0x18/0x20
[ 68.551470][ T6518] __fput+0x288/0x9f0
[ 68.555434][ T6518] ? __sock_release+0x280/0x280
[ 68.560282][ T6518] task_work_run+0xdd/0x1a0
[ 68.564766][ T6518] do_exit+0xbae/0x2a30
[ 68.568907][ T6518] ? __context_tracking_exit+0xb8/0xe0
[ 68.574352][ T6518] ? lock_downgrade+0x6e0/0x6e0
[ 68.579182][ T6518] ? lock_downgrade+0x6e0/0x6e0
[ 68.584012][ T6518] ? mm_update_next_owner+0x7a0/0x7a0
[ 68.589367][ T6518] do_group_exit+0x125/0x310
[ 68.593937][ T6518] __x64_sys_exit_group+0x3a/0x50
[ 68.598940][ T6518] do_syscall_64+0x35/0xb0
[ 68.603334][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 68.609296][ T6518] RIP: 0033:0x7f4b858bc749
[ 68.613700][ T6518] Code: Unable to access opcode bytes at RIP 0x7f4b858bc71f.
[ 68.621040][ T6518] RSP: 002b:00007ffea7b55c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 68.629426][ T6518] RAX: ffffffffffffffda RBX: 00007f4b85930410 RCX: 00007f4b858bc749
[ 68.638335][ T6518] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 68.646296][ T6518] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f4b85880035
[ 68.654246][ T6518] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b85930410
[ 68.662192][ T6518] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 68.670421][ T6518] Kernel Offset: disabled
[ 68.674850][ T6518] Rebooting in 86400 seconds..