./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor974665040 <...> Warning: Permanently added '10.128.1.64' (ED25519) to the list of known hosts. execve("./syz-executor974665040", ["./syz-executor974665040"], 0x7ffde0eb5bd0 /* 10 vars */) = 0 brk(NULL) = 0x55556ee02000 brk(0x55556ee02d00) = 0x55556ee02d00 arch_prctl(ARCH_SET_FS, 0x55556ee02380) = 0 set_tid_address(0x55556ee02650) = 5093 set_robust_list(0x55556ee02660, 24) = 0 rseq(0x55556ee02ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor974665040", 4096) = 27 getrandom("\x8b\xa8\x23\xa4\x88\xaf\xe4\x08", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556ee02d00 brk(0x55556ee23d00) = 0x55556ee23d00 brk(0x55556ee24000) = 0x55556ee24000 mprotect(0x7fe88e52b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5094 attached [pid 5094] set_robust_list(0x55556ee02660, 24 [pid 5093] <... clone resumed>, child_tidptr=0x55556ee02650) = 5094 [pid 5094] <... set_robust_list resumed>) = 0 [pid 5094] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5093] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5095 attached [pid 5095] set_robust_list(0x55556ee02660, 24) = 0 [pid 5095] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5095] setpgid(0, 0) = 0 [pid 5095] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC./strace-static-x86_64: Process 5096 attached [pid 5094] <... clone resumed>, child_tidptr=0x55556ee02650) = 5095 [pid 5096] set_robust_list(0x55556ee02660, 24 [pid 5093] <... clone resumed>, child_tidptr=0x55556ee02650) = 5096 [pid 5095] <... openat resumed>) = 3 [pid 5095] write(3, "1000", 4 [pid 5096] <... set_robust_list resumed>) = 0 [pid 5095] <... write resumed>) = 4 [pid 5096] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDexecuting program [pid 5093] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5095] close(3./strace-static-x86_64: Process 5097 attached ) = 0 [pid 5097] set_robust_list(0x55556ee02660, 24 [pid 5096] <... clone resumed>, child_tidptr=0x55556ee02650) = 5097 [pid 5097] <... set_robust_list resumed>) = 0 [pid 5095] write(1, "executing program\n", 18) = 18 [pid 5097] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5095] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5097] <... prctl resumed>) = 0 [pid 5097] setpgid(0, 0 [pid 5095] <... socket resumed>) = 3 [pid 5097] <... setpgid resumed>) = 0 [pid 5095] socket(AF_PPPOX, SOCK_STREAM, 1./strace-static-x86_64: Process 5098 attached [pid 5097] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5095] <... socket resumed>) = 4 [pid 5098] set_robust_list(0x55556ee02660, 24 [pid 5095] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP [pid 5098] <... set_robust_list resumed>) = 0 [pid 5097] <... openat resumed>) = 3 [pid 5095] <... socket resumed>) = 5 [pid 5093] <... clone resumed>, child_tidptr=0x55556ee02650) = 5098 [pid 5098] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5097] write(3, "1000", 4 [pid 5093] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5095] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50./strace-static-x86_64: Process 5100 attached ./strace-static-x86_64: Process 5099 attached [pid 5097] <... write resumed>) = 4 [pid 5095] <... connect resumed>) = 0 [pid 5100] set_robust_list(0x55556ee02660, 24) = 0 [pid 5099] set_robust_list(0x55556ee02660, 24 [pid 5098] <... clone resumed>, child_tidptr=0x55556ee02650) = 5099 [pid 5097] close(3 [pid 5099] <... set_robust_list resumed>) = 0 [pid 5097] <... close resumed>) = 0 executing program [pid 5099] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5097] write(1, "executing program\n", 18 [pid 5095] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38 [pid 5100] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5099] <... prctl resumed>) = 0 [pid 5097] <... write resumed>) = 18 [pid 5095] <... connect resumed>) = 0 [pid 5097] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5099] setpgid(0, 0 [pid 5093] <... clone resumed>, child_tidptr=0x55556ee02650) = 5100 [pid 5099] <... setpgid resumed>) = 0 [pid 5097] <... socket resumed>) = 3 [pid 5095] exit_group(0 [pid 5093] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5101 attached ./strace-static-x86_64: Process 5102 attached [pid 5099] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5097] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5102] set_robust_list(0x55556ee02660, 24 [pid 5100] <... clone resumed>, child_tidptr=0x55556ee02650) = 5101 [pid 5097] <... socket resumed>) = 4 [pid 5095] <... exit_group resumed>) = ? [pid 5102] <... set_robust_list resumed>) = 0 [pid 5101] set_robust_list(0x55556ee02660, 24 [pid 5099] <... openat resumed>) = 3 [pid 5097] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP [pid 5093] <... clone resumed>, child_tidptr=0x55556ee02650) = 5102 [pid 5101] <... set_robust_list resumed>) = 0 [pid 5097] <... socket resumed>) = 5 [pid 5101] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5099] write(3, "1000", 4 [pid 5102] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5101] <... prctl resumed>) = 0 [pid 5099] <... write resumed>) = 4 [pid 5097] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50 [pid 5095] +++ exited with 0 +++ [pid 5101] setpgid(0, 0 [pid 5099] close(3) = 0 ./strace-static-x86_64: Process 5103 attached [pid 5101] <... setpgid resumed>) = 0 [pid 5099] write(1, "executing program\n", 18 [pid 5097] <... connect resumed>) = -1 ENODEV (No such device) [pid 5094] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5095, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5094] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5102] <... clone resumed>, child_tidptr=0x55556ee02650) = 5103 ./strace-static-x86_64: Process 5104 attached [pid 5104] set_robust_list(0x55556ee02660, 24) = 0 [pid 5104] prctl(PR_SET_PDEATHSIG, SIGKILLexecuting program ) = 0 [pid 5103] set_robust_list(0x55556ee02660, 24 [pid 5101] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5099] <... write resumed>) = 18 [pid 5097] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38 [pid 5094] <... clone resumed>, child_tidptr=0x55556ee02650) = 5104 [pid 5104] setpgid(0, 0 [pid 5103] <... set_robust_list resumed>) = 0 [pid 5099] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5104] <... setpgid resumed>) = 0 [pid 5097] <... connect resumed>) = -1 ENODEV (No such device) [pid 5104] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5103] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5101] <... openat resumed>) = 3 [pid 5099] <... socket resumed>) = 3 [pid 5103] <... prctl resumed>) = 0 [pid 5101] write(3, "1000", 4 [pid 5097] exit_group(0 [pid 5103] setpgid(0, 0) = 0 [pid 5101] <... write resumed>) = 4 [pid 5104] <... openat resumed>) = 3 [pid 5103] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5101] close(3 [pid 5099] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5097] <... exit_group resumed>) = ? [pid 5104] write(3, "1000", 4 [pid 5101] <... close resumed>) = 0 [pid 5099] <... socket resumed>) = 4 [pid 5097] +++ exited with 0 +++ [pid 5104] <... write resumed>) = 4 executing program [pid 5103] <... openat resumed>) = 3 [pid 5099] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP [pid 5104] close(3 [pid 5101] write(1, "executing program\n", 18 [pid 5104] <... close resumed>) = 0 [pid 5103] write(3, "1000", 4 [pid 5101] <... write resumed>) = 18 [pid 5099] <... socket resumed>) = 5 executing program [pid 5096] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5097, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5104] write(1, "executing program\n", 18 [pid 5103] <... write resumed>) = 4 [pid 5101] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5099] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50 [pid 5096] restart_syscall(<... resuming interrupted clone ...> [pid 5104] <... write resumed>) = 18 [pid 5103] close(3 [pid 5101] <... socket resumed>) = 3 [pid 5103] <... close resumed>) = 0 executing program [pid 5104] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5103] write(1, "executing program\n", 18 [pid 5099] <... connect resumed>) = -1 ENODEV (No such device) [pid 5104] <... socket resumed>) = 3 [pid 5103] <... write resumed>) = 18 [pid 5101] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5099] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38 [pid 5104] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5103] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5099] <... connect resumed>) = -1 ENODEV (No such device) [pid 5104] <... socket resumed>) = 4 [pid 5101] <... socket resumed>) = 4 [pid 5103] <... socket resumed>) = 3 [pid 5101] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP [pid 5104] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP [pid 5103] socket(AF_PPPOX, SOCK_STREAM, 1 [pid 5101] <... socket resumed>) = 5 [pid 5099] exit_group(0 [pid 5104] <... socket resumed>) = 5 [pid 5103] <... socket resumed>) = 4 [pid 5101] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50 [pid 5099] <... exit_group resumed>) = ? [pid 5096] <... restart_syscall resumed>) = 0 [pid 5104] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50 [pid 5103] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP [pid 5101] <... connect resumed>) = -1 ENODEV (No such device) [pid 5099] +++ exited with 0 +++ [pid 5104] <... connect resumed>) = -1 ENODEV (No such device) [pid 5103] <... socket resumed>) = 5 [pid 5101] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38 [pid 5098] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5099, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- [pid 5103] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50 [pid 5104] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38) = -1 ENODEV (No such device) [pid 5101] <... connect resumed>) = -1 ENODEV (No such device) [pid 5096] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5104] exit_group(0 [pid 5103] <... connect resumed>) = -1 ENODEV (No such device) [pid 5098] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5104] <... exit_group resumed>) = ? [pid 5104] +++ exited with 0 +++ [pid 5094] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5104, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 5094] restart_syscall(<... resuming interrupted clone ...> [pid 5098] <... clone resumed>, child_tidptr=0x55556ee02650) = 5105 ./strace-static-x86_64: Process 5106 attached ./strace-static-x86_64: Process 5105 attached [pid 5103] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38 [pid 5101] exit_group(0 [pid 5094] <... restart_syscall resumed>) = 0 [pid 5106] set_robust_list(0x55556ee02660, 24 [pid 5105] set_robust_list(0x55556ee02660, 24 [pid 5103] <... connect resumed>) = -1 ENODEV (No such device) [pid 5101] <... exit_group resumed>) = ? [pid 5096] <... clone resumed>, child_tidptr=0x55556ee02650) = 5106 [pid 5106] <... set_robust_list resumed>) = 0 [pid 5105] <... set_robust_list resumed>) = 0 [pid 5103] exit_group(0 [pid 5101] +++ exited with 0 +++ [ 57.257196][ T1093] ================================================================== [ 57.265298][ T1093] BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x28/0x9e0 [ 57.273313][ T1093] Write of size 8 at addr ffff88802d75e008 by task kworker/u8:5/1093 [ 57.281477][ T1093] [ 57.283818][ T1093] CPU: 1 UID: 0 PID: 1093 Comm: kworker/u8:5 Not tainted 6.10.0-rc4-next-20240621-syzkaller #0 [ 57.294132][ T1093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 57.304182][ T1093] Workqueue: l2tp l2tp_tunnel_del_work [ 57.309657][ T1093] Call Trace: [ 57.312926][ T1093] [ 57.315855][ T1093] dump_stack_lvl+0x241/0x360 [ 57.320544][ T1093] ? __pfx_dump_stack_lvl+0x10/0x10 [ 57.325742][ T1093] ? __pfx__printk+0x10/0x10 [ 57.330418][ T1093] ? _printk+0xd5/0x120 [ 57.334559][ T1093] ? __virt_addr_valid+0x183/0x520 [ 57.339747][ T1093] ? __virt_addr_valid+0x183/0x520 [ 57.344847][ T1093] print_report+0x169/0x550 [ 57.349345][ T1093] ? __virt_addr_valid+0x183/0x520 [ 57.354442][ T1093] ? __virt_addr_valid+0x183/0x520 [ 57.359561][ T1093] ? __virt_addr_valid+0x44e/0x520 [ 57.364664][ T1093] ? __phys_addr+0xba/0x170 [ 57.369153][ T1093] ? l2tp_session_delete+0x28/0x9e0 [ 57.374338][ T1093] kasan_report+0x143/0x180 [ 57.378828][ T1093] ? l2tp_session_delete+0x28/0x9e0 [ 57.384015][ T1093] kasan_check_range+0x282/0x290 [ 57.388947][ T1093] l2tp_session_delete+0x28/0x9e0 [ 57.393955][ T1093] ? l2tp_tunnel_del_work+0x1d3/0x330 [ 57.399320][ T1093] l2tp_tunnel_del_work+0x1cb/0x330 [ 57.404512][ T1093] ? process_scheduled_works+0x945/0x1830 [ 57.410303][ T1093] process_scheduled_works+0xa2c/0x1830 [ 57.415848][ T1093] ? __pfx_process_scheduled_works+0x10/0x10 [ 57.421822][ T1093] ? assign_work+0x364/0x3d0 [ 57.426397][ T1093] worker_thread+0x86d/0xd50 [ 57.430974][ T1093] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 57.436852][ T1093] ? __kthread_parkme+0x169/0x1d0 [ 57.441863][ T1093] ? __pfx_worker_thread+0x10/0x10 [ 57.446959][ T1093] kthread+0x2f0/0x390 [ 57.451016][ T1093] ? __pfx_worker_thread+0x10/0x10 [ 57.456118][ T1093] ? __pfx_kthread+0x10/0x10 [ 57.460783][ T1093] ret_from_fork+0x4b/0x80 [ 57.465185][ T1093] ? __pfx_kthread+0x10/0x10 [ 57.469760][ T1093] ret_from_fork_asm+0x1a/0x30 [ 57.474518][ T1093] [ 57.477524][ T1093] [ 57.479829][ T1093] Allocated by task 5095: [ 57.484143][ T1093] kasan_save_track+0x3f/0x80 [ 57.488804][ T1093] __kasan_kmalloc+0x98/0xb0 [ 57.493381][ T1093] __kmalloc_noprof+0x1f9/0x400 [ 57.498217][ T1093] l2tp_session_create+0x3b/0xc20 [ 57.503225][ T1093] pppol2tp_connect+0xca3/0x17a0 [ 57.508144][ T1093] __sys_connect+0x2df/0x310 [ 57.512718][ T1093] __x64_sys_connect+0x7a/0x90 [ 57.517472][ T1093] do_syscall_64+0xf3/0x230 [ 57.521986][ T1093] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.527864][ T1093] [ 57.530169][ T1093] Freed by task 5101: [ 57.534128][ T1093] kasan_save_track+0x3f/0x80 [ 57.538791][ T1093] kasan_save_free_info+0x40/0x50 [ 57.543801][ T1093] poison_slab_object+0xe0/0x150 [ 57.548719][ T1093] __kasan_slab_free+0x37/0x60 [ 57.553462][ T1093] kfree+0x149/0x360 [ 57.557340][ T1093] __sk_destruct+0x58/0x5f0 [ 57.561835][ T1093] rcu_core+0xaaa/0x17a0 [ 57.566062][ T1093] handle_softirqs+0x2c4/0x970 [ 57.570808][ T1093] do_softirq+0x11b/0x1e0 [ 57.575117][ T1093] __local_bh_enable_ip+0x1bb/0x200 [ 57.580297][ T1093] l2tp_tunnel_get+0x40d/0x500 [ 57.585044][ T1093] pppol2tp_connect+0x6b3/0x17a0 [ 57.589966][ T1093] __sys_connect+0x2df/0x310 [ 57.594541][ T1093] __x64_sys_connect+0x7a/0x90 [ 57.599293][ T1093] do_syscall_64+0xf3/0x230 [ 57.603797][ T1093] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.609673][ T1093] [ 57.611977][ T1093] Last potentially related work creation: [ 57.617667][ T1093] kasan_save_stack+0x3f/0x60 [ 57.622498][ T1093] __kasan_record_aux_stack+0xac/0xc0 [ 57.627855][ T1093] call_rcu+0x167/0xa70 [ 57.631998][ T1093] pppol2tp_release+0x24b/0x350 [ 57.636832][ T1093] sock_close+0xbc/0x240 [ 57.641057][ T1093] __fput+0x24a/0x8a0 [ 57.645026][ T1093] task_work_run+0x24f/0x310 [ 57.649601][ T1093] do_exit+0xa27/0x28e0 [ 57.653831][ T1093] do_group_exit+0x207/0x2c0 [ 57.658417][ T1093] __x64_sys_exit_group+0x3f/0x40 [ 57.663601][ T1093] do_syscall_64+0xf3/0x230 [ 57.668085][ T1093] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.673962][ T1093] [ 57.676271][ T1093] The buggy address belongs to the object at ffff88802d75e000 [ 57.676271][ T1093] which belongs to the cache kmalloc-1k of size 1024 [ 57.690496][ T1093] The buggy address is located 8 bytes inside of [ 57.690496][ T1093] freed 1024-byte region [ffff88802d75e000, ffff88802d75e400) [ 57.704472][ T1093] [ 57.706783][ T1093] The buggy address belongs to the physical page: [ 57.713201][ T1093] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d758 [ 57.721986][ T1093] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 57.730495][ T1093] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 57.738043][ T1093] page_type: 0xffffefff(slab) [ 57.742708][ T1093] raw: 00fff00000000040 ffff888015041dc0 dead000000000100 dead000000000122 [ 57.751383][ T1093] raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000 [ 57.759962][ T1093] head: 00fff00000000040 ffff888015041dc0 dead000000000100 dead000000000122 [ 57.768707][ T1093] head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000 [ 57.777380][ T1093] head: 00fff00000000003 ffffea0000b5d601 ffffffffffffffff 0000000000000000 [ 57.786039][ T1093] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 57.794690][ T1093] page dumped because: kasan: bad access detected [ 57.801114][ T1093] page_owner tracks the page as allocated [ 57.806814][ T1093] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4717, tgid 4717 (udevd), ts 27477638703, free_ts 27187740744 [ 57.827551][ T1093] post_alloc_hook+0x1f3/0x230 [ 57.832305][ T1093] get_page_from_freelist+0x2ccb/0x2d80 [ 57.837845][ T1093] __alloc_pages_noprof+0x256/0x6c0 [ 57.843154][ T1093] alloc_slab_page+0x5f/0x120 [ 57.847813][ T1093] allocate_slab+0x5a/0x2f0 [ 57.852385][ T1093] ___slab_alloc+0xcd1/0x14b0 [ 57.857049][ T1093] __slab_alloc+0x58/0xa0 [ 57.861359][ T1093] __kmalloc_noprof+0x257/0x400 [ 57.866202][ T1093] load_elf_binary+0x2f1/0x2690 [ 57.871048][ T1093] bprm_execve+0xaf8/0x1770 [ 57.875573][ T1093] do_execveat_common+0x553/0x700 [ 57.880748][ T1093] __x64_sys_execve+0x92/0xb0 [ 57.885429][ T1093] do_syscall_64+0xf3/0x230 [ 57.889919][ T1093] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.895804][ T1093] page last free pid 4709 tgid 4709 stack trace: [ 57.902141][ T1093] free_unref_page+0xd22/0xea0 [ 57.906889][ T1093] __put_partials+0xeb/0x130 [ 57.911550][ T1093] put_cpu_partial+0x17c/0x250 [ 57.916305][ T1093] __slab_free+0x2ea/0x3d0 [ 57.920700][ T1093] qlist_free_all+0x9e/0x140 [ 57.925269][ T1093] kasan_quarantine_reduce+0x14f/0x170 [ 57.930708][ T1093] __kasan_slab_alloc+0x23/0x80 [ 57.935545][ T1093] kmem_cache_alloc_noprof+0x135/0x2a0 [ 57.940987][ T1093] getname_flags+0xb7/0x540 [ 57.945483][ T1093] do_sys_openat2+0xd2/0x1d0 [ 57.950066][ T1093] __x64_sys_openat+0x247/0x2a0 [ 57.954992][ T1093] do_syscall_64+0xf3/0x230 [ 57.959479][ T1093] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 57.965362][ T1093] [ 57.967677][ T1093] Memory state around the buggy address: [ 57.973287][ T1093] ffff88802d75df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.981416][ T1093] ffff88802d75df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.989477][ T1093] >ffff88802d75e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.997615][ T1093] ^ [ 58.001927][ T1093] ffff88802d75e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 5106] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5105] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5103] <... exit_group resumed>) = ? [pid 5094] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556ee02650) = 5107 ./strace-static-x86_64: Process 5107 attached [pid 5106] <... prctl resumed>) = 0 [pid 5105] <... prctl resumed>) = 0 [pid 5107] set_robust_list(0x55556ee02660, 24) = 0 [pid 5107] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5107] setpgid(0, 0) = 0 [pid 5107] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5103] +++ exited with 0 +++ [pid 5100] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5101, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- [pid 5106] setpgid(0, 0 [pid 5105] setpgid(0, 0 [pid 5102] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5103, si_uid=0, si_status=0, si_utime=0, si_stime=74 /* 0.74 s */} --- [pid 5107] write(3, "1000", 4executing program ) = 4 [pid 5107] close(3) = 0 [pid 5107] write(1, "executing program\n", 18) = 18 [pid 5107] socket(AF_PPPOX, SOCK_STREAM, 1) = 3 [pid 5107] socket(AF_PPPOX, SOCK_STREAM, 1) = 4 [pid 5107] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 [ 58.009979][ T1093] ffff88802d75e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.018194][ T1093] ================================================================== [ 58.035258][ T1093] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 58.042653][ T1093] CPU: 0 UID: 0 PID: 1093 Comm: kworker/u8:5 Not tainted 6.10.0-rc4-next-20240621-syzkaller #0 [ 58.053084][ T1093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 58.063123][ T1093] Workqueue: l2tp l2tp_tunnel_del_work [ 58.068581][ T1093] Call Trace: [ 58.071880][ T1093] [ 58.074814][ T1093] dump_stack_lvl+0x241/0x360 [ 58.079489][ T1093] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.084682][ T1093] ? __pfx__printk+0x10/0x10 [ 58.089287][ T1093] ? preempt_schedule+0xe1/0xf0 [ 58.094127][ T1093] ? vscnprintf+0x5d/0x90 [ 58.098436][ T1093] panic+0x349/0x870 [ 58.102332][ T1093] ? check_panic_on_warn+0x21/0xb0 [ 58.107544][ T1093] ? __pfx_panic+0x10/0x10 [ 58.111952][ T1093] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 58.117927][ T1093] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 58.124327][ T1093] ? print_report+0x502/0x550 [ 58.128990][ T1093] check_panic_on_warn+0x86/0xb0 [ 58.133916][ T1093] ? l2tp_session_delete+0x28/0x9e0 [ 58.139108][ T1093] end_report+0x77/0x160 [ 58.143329][ T1093] kasan_report+0x154/0x180 [ 58.147828][ T1093] ? l2tp_session_delete+0x28/0x9e0 [ 58.153004][ T1093] kasan_check_range+0x282/0x290 [ 58.157936][ T1093] l2tp_session_delete+0x28/0x9e0 [ 58.162949][ T1093] ? l2tp_tunnel_del_work+0x1d3/0x330 [ 58.168300][ T1093] l2tp_tunnel_del_work+0x1cb/0x330 [ 58.173483][ T1093] ? process_scheduled_works+0x945/0x1830 [ 58.179195][ T1093] process_scheduled_works+0xa2c/0x1830 [ 58.184816][ T1093] ? __pfx_process_scheduled_works+0x10/0x10 [ 58.190777][ T1093] ? assign_work+0x364/0x3d0 [ 58.195346][ T1093] worker_thread+0x86d/0xd50 [ 58.199919][ T1093] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 58.205801][ T1093] ? __kthread_parkme+0x169/0x1d0 [ 58.210813][ T1093] ? __pfx_worker_thread+0x10/0x10 [ 58.215903][ T1093] kthread+0x2f0/0x390 [ 58.219954][ T1093] ? __pfx_worker_thread+0x10/0x10 [ 58.225042][ T1093] ? __pfx_kthread+0x10/0x10 [ 58.229618][ T1093] ret_from_fork+0x4b/0x80 [ 58.234019][ T1093] ? __pfx_kthread+0x10/0x10 [ 58.238592][ T1093] ret_from_fork_asm+0x1a/0x30 [ 58.243339][ T1093] [ 58.246579][ T1093] Kernel Offset: disabled [ 58.250892][ T1093] Rebooting in 86400 seconds..