[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 71.631577][ T6537] FAULT_INJECTION: forcing a failure.
[ 71.631577][ T6537] name failslab, interval 1, probability 0, space 0, times 1
[ 71.644655][ T6537] CPU: 0 PID: 6537 Comm: syz-executor560 Not tainted 5.15.0-rc4-syzkaller #0
[ 71.653422][ T6537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.663504][ T6537] Call Trace:
[ 71.666775][ T6537] dump_stack_lvl+0xcd/0x134
[ 71.671369][ T6537] should_fail.cold+0x5/0xa
[ 71.675856][ T6537] ? sk_psock_skb_ingress_self+0x4e/0x370
[ 71.681564][ T6537] should_failslab+0x5/0x10
[ 71.686055][ T6537] kmem_cache_alloc_trace+0x55/0x2b0
[ 71.691332][ T6537] sk_psock_skb_ingress_self+0x4e/0x370
[ 71.696875][ T6537] ? force_compatible_cpus_allowed_ptr+0x360/0x360
[ 71.703379][ T6537] sk_psock_verdict_apply+0x34c/0x430
[ 71.708753][ T6537] sk_psock_verdict_recv+0x2b0/0x7e0
[ 71.714082][ T6537] unix_read_sock+0xd7/0x250
[ 71.718706][ T6537] ? sk_psock_strp_read+0x6e0/0x6e0
[ 71.723888][ T6537] ? unix_compat_ioctl+0x30/0x30
[ 71.728817][ T6537] ? find_held_lock+0x2d/0x110
[ 71.733568][ T6537] ? unix_compat_ioctl+0x30/0x30
[ 71.738491][ T6537] sk_psock_verdict_data_ready+0x11a/0x180
[ 71.744325][ T6537] ? sk_psock_strp_read_done+0x10/0x10
[ 71.749769][ T6537] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 71.755598][ T6537] ? do_raw_spin_unlock+0x171/0x230
[ 71.760783][ T6537] unix_dgram_sendmsg+0xfa7/0x1950
[ 71.765889][ T6537] ? unix_stream_sendpage+0xca0/0xca0
[ 71.771244][ T6537] ? aa_af_perm+0x230/0x230
[ 71.775748][ T6537] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.781974][ T6537] ? unix_stream_sendpage+0xca0/0xca0
[ 71.787332][ T6537] sock_sendmsg+0xcf/0x120
[ 71.791757][ T6537] ____sys_sendmsg+0x331/0x810
[ 71.796506][ T6537] ? kernel_sendmsg+0x50/0x50
[ 71.801180][ T6537] ? do_recvmmsg+0x6d0/0x6d0
[ 71.805766][ T6537] ___sys_sendmsg+0xf3/0x170
[ 71.810342][ T6537] ? sendmsg_copy_msghdr+0x160/0x160
[ 71.815612][ T6537] ? mark_lock+0xef/0x17b0
[ 71.820026][ T6537] ? mark_lock+0xef/0x17b0
[ 71.824439][ T6537] ? lock_chain_count+0x20/0x20
[ 71.829271][ T6537] ? lock_chain_count+0x20/0x20
[ 71.834111][ T6537] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 71.840093][ T6537] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.846336][ T6537] ? __fget_light+0x215/0x280
[ 71.851012][ T6537] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 71.857246][ T6537] __sys_sendmmsg+0x195/0x470
[ 71.861916][ T6537] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 71.866928][ T6537] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 71.872899][ T6537] ? find_held_lock+0x2d/0x110
[ 71.877650][ T6537] ? __context_tracking_exit+0xb8/0xe0
[ 71.883095][ T6537] ? lock_downgrade+0x6e0/0x6e0
[ 71.887926][ T6537] ? lock_downgrade+0x6e0/0x6e0
[ 71.892771][ T6537] __x64_sys_sendmmsg+0x99/0x100
[ 71.897693][ T6537] ? syscall_enter_from_user_mode+0x21/0x70
[ 71.903572][ T6537] do_syscall_64+0x35/0xb0
[ 71.907971][ T6537] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.913849][ T6537] RIP: 0033:0x7f1730dd0a49
[ 71.918261][ T6537] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 71.938037][ T6537] RSP: 002b:00007ffcc7f6abf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 71.946443][ T6537] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1730dd0a49
[ 71.954397][ T6537] RDX: 0307017fdb7a66cb RSI: 0000000020002dc0 RDI: 0000000000000006
[ 71.962797][ T6537] RBP: 00007ffcc7f6ac00 R08: 0000000000000001 R09: 00007f1730d90035
[ 71.970752][ T6537] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 71.978705][ T6537] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 72.024453][ T6537] ==================================================================
[ 72.032633][ T6537] BUG: KASAN: use-after-free in consume_skb+0x2e/0x160
[ 72.039493][ T6537] Read of size 4 at addr ffff88807137a99c by task syz-executor560/6537
[ 72.047736][ T6537]
[ 72.050053][ T6537] CPU: 1 PID: 6537 Comm: syz-executor560 Not tainted 5.15.0-rc4-syzkaller #0
[ 72.058794][ T6537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.068835][ T6537] Call Trace:
[ 72.072103][ T6537] dump_stack_lvl+0xcd/0x134
[ 72.076699][ T6537] print_address_description.constprop.0.cold+0x6c/0x309
[ 72.083711][ T6537] ? consume_skb+0x2e/0x160
[ 72.088204][ T6537] ? consume_skb+0x2e/0x160
[ 72.092694][ T6537] kasan_report.cold+0x83/0xdf
[ 72.097447][ T6537] ? consume_skb+0x2e/0x160
[ 72.101979][ T6537] kasan_check_range+0x13d/0x180
[ 72.106908][ T6537] consume_skb+0x2e/0x160
[ 72.111249][ T6537] __sk_msg_free+0x26d/0x360
[ 72.115865][ T6537] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 72.121683][ T6537] sk_psock_stop+0x415/0x620
[ 72.126284][ T6537] sock_map_close+0x34a/0x780
[ 72.130960][ T6537] ? espintcp_init_sk+0xaa0/0xaa0
[ 72.135993][ T6537] ? sock_map_lookup+0x400/0x400
[ 72.140931][ T6537] ? down_write+0xe0/0x150
[ 72.145352][ T6537] ? __down_timeout+0x10/0x10
[ 72.150030][ T6537] ? locks_remove_file+0x2f9/0x570
[ 72.155154][ T6537] unix_release+0x7a/0xe0
[ 72.159487][ T6537] __sock_release+0xcd/0x280
[ 72.164087][ T6537] sock_close+0x18/0x20
[ 72.168242][ T6537] __fput+0x288/0x9f0
[ 72.172227][ T6537] ? __sock_release+0x280/0x280
[ 72.177086][ T6537] task_work_run+0xdd/0x1a0
[ 72.181598][ T6537] do_exit+0xbae/0x2a30
[ 72.185756][ T6537] ? __context_tracking_exit+0xb8/0xe0
[ 72.191222][ T6537] ? lock_downgrade+0x6e0/0x6e0
[ 72.196093][ T6537] ? lock_downgrade+0x6e0/0x6e0
[ 72.200948][ T6537] ? mm_update_next_owner+0x7a0/0x7a0
[ 72.206338][ T6537] do_group_exit+0x125/0x310
[ 72.211038][ T6537] __x64_sys_exit_group+0x3a/0x50
[ 72.216065][ T6537] do_syscall_64+0x35/0xb0
[ 72.220484][ T6537] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.226473][ T6537] RIP: 0033:0x7f1730dcf749
[ 72.230890][ T6537] Code: Unable to access opcode bytes at RIP 0x7f1730dcf71f.
[ 72.238245][ T6537] RSP: 002b:00007ffcc7f6abd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 72.246658][ T6537] RAX: ffffffffffffffda RBX: 00007f1730e43410 RCX: 00007f1730dcf749
[ 72.254627][ T6537] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 72.262592][ T6537] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f1730d90035
[ 72.270561][ T6537] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1730e43410
[ 72.278530][ T6537] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 72.286524][ T6537]
[ 72.288839][ T6537] Allocated by task 6537:
[ 72.293153][ T6537] kasan_save_stack+0x1b/0x40
[ 72.297836][ T6537] __kasan_slab_alloc+0x83/0xb0
[ 72.302680][ T6537] kmem_cache_alloc+0x209/0x390
[ 72.307533][ T6537] skb_clone+0x170/0x3c0
[ 72.311778][ T6537] sk_psock_verdict_recv+0x72/0x7e0
[ 72.316977][ T6537] unix_read_sock+0xd7/0x250
[ 72.321565][ T6537] sk_psock_verdict_data_ready+0x11a/0x180
[ 72.327461][ T6537] unix_dgram_sendmsg+0xfa7/0x1950
[ 72.332595][ T6537] sock_sendmsg+0xcf/0x120
[ 72.337020][ T6537] ____sys_sendmsg+0x331/0x810
[ 72.341960][ T6537] ___sys_sendmsg+0xf3/0x170
[ 72.346560][ T6537] __sys_sendmmsg+0x195/0x470
[ 72.351244][ T6537] __x64_sys_sendmmsg+0x99/0x100
[ 72.356199][ T6537] do_syscall_64+0x35/0xb0
[ 72.360614][ T6537] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.366943][ T6537]
[ 72.369278][ T6537] Freed by task 2673:
[ 72.373249][ T6537] kasan_save_stack+0x1b/0x40
[ 72.377929][ T6537] kasan_set_track+0x1c/0x30
[ 72.382520][ T6537] kasan_set_free_info+0x20/0x30
[ 72.387459][ T6537] __kasan_slab_free+0xff/0x130
[ 72.392306][ T6537] slab_free_freelist_hook+0x81/0x190
[ 72.397679][ T6537] kmem_cache_free+0x8a/0x5b0
[ 72.402361][ T6537] kfree_skbmem+0xef/0x1b0
[ 72.406778][ T6537] kfree_skb+0x140/0x3f0
[ 72.411020][ T6537] sk_psock_backlog+0x932/0xda0
[ 72.415868][ T6537] process_one_work+0x9bf/0x16b0
[ 72.420805][ T6537] worker_thread+0x658/0x11f0
[ 72.425480][ T6537] kthread+0x3e5/0x4d0
[ 72.429555][ T6537] ret_from_fork+0x1f/0x30
[ 72.433971][ T6537]
[ 72.436294][ T6537] The buggy address belongs to the object at ffff88807137a8c0
[ 72.436294][ T6537]  which belongs to the cache skbuff_head_cache of size 232
[ 72.452545][ T6537] The buggy address is located 220 bytes inside of
[ 72.452545][ T6537]  232-byte region [ffff88807137a8c0, ffff88807137a9a8)
[ 72.465813][ T6537] The buggy address belongs to the page:
[ 72.471433][ T6537] page:ffffea0001c4de80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7137a
[ 72.481586][ T6537] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 72.489138][ T6537] raw: 00fff00000000200 ffffea0001c95ec0 0000000b0000000b ffff8881400e3640
[ 72.497731][ T6537] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 72.506310][ T6537] page dumped because: kasan: bad access detected
[ 72.512720][ T6537] page_owner tracks the page as allocated
[ 72.518438][ T6537] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4526, ts 54017639449, free_ts 54001355317
[ 72.534509][ T6537] get_page_from_freelist+0xa72/0x2f80
[ 72.539988][ T6537] __alloc_pages+0x1b2/0x500
[ 72.544576][ T6537] alloc_pages+0x1a7/0x300
[ 72.548990][ T6537] new_slab+0x319/0x490
[ 72.553158][ T6537] ___slab_alloc+0x921/0xfe0
[ 72.557746][ T6537] __slab_alloc.constprop.0+0x4d/0xa0
[ 72.563208][ T6537] kmem_cache_alloc_node+0x11f/0x3d0
[ 72.568503][ T6537] __alloc_skb+0x214/0x360
[ 72.572927][ T6537] netlink_sendmsg+0x967/0xda0
[ 72.577689][ T6537] sock_sendmsg+0xcf/0x120
[ 72.582103][ T6537] ____sys_sendmsg+0x6e8/0x810
[ 72.586874][ T6537] ___sys_sendmsg+0xf3/0x170
[ 72.591468][ T6537] __sys_sendmsg+0xe5/0x1b0
[ 72.595973][ T6537] do_syscall_64+0x35/0xb0
[ 72.600388][ T6537] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.606285][ T6537] page last free stack trace:
[ 72.610944][ T6537] free_pcp_prepare+0x2c5/0x780
[ 72.615794][ T6537] free_unref_page+0x19/0x690
[ 72.620470][ T6537] proc_pid_cmdline_read+0x595/0x8c0
[ 72.625754][ T6537] vfs_read+0x1b5/0x600
[ 72.629904][ T6537] ksys_read+0x12d/0x250
[ 72.634227][ T6537] do_syscall_64+0x35/0xb0
[ 72.638639][ T6537] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.644547][ T6537]
[ 72.646880][ T6537] Memory state around the buggy address:
[ 72.652515][ T6537] ffff88807137a880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 72.660578][ T6537] ffff88807137a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.668630][ T6537] >ffff88807137a980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 72.676690][ T6537]                                ^
[ 72.681552][ T6537] ffff88807137aa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.689625][ T6537] ffff88807137aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 72.697693][ T6537] ==================================================================
[ 72.705745][ T6537] Disabling lock debugging due to kernel taint
[ 72.711937][ T6537] Kernel panic - not syncing: panic_on_warn set ...
[ 72.711949][ T6537] CPU: 1 PID: 6537 Comm: syz-executor560 Tainted: G B 5.15.0-rc4-syzkaller #0
[ 72.711974][ T6537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.711987][ T6537] Call Trace:
[ 72.711998][ T6537] dump_stack_lvl+0xcd/0x134
[ 72.712028][ T6537] panic+0x2b0/0x6dd
[ 72.750432][ T6537] ? __warn_printk+0xf3/0xf3
[ 72.755049][ T6537] ? consume_skb+0x2e/0x160
[ 72.759555][ T6537] ? trace_hardirqs_on+0x38/0x1c0
[ 72.764583][ T6537] ? trace_hardirqs_on+0x51/0x1c0
[ 72.769609][ T6537] ? consume_skb+0x2e/0x160
[ 72.774109][ T6537] ? consume_skb+0x2e/0x160
[ 72.778610][ T6537] end_report.cold+0x63/0x6f
[ 72.783194][ T6537] kasan_report.cold+0x71/0xdf
[ 72.787950][ T6537] ? consume_skb+0x2e/0x160
[ 72.792451][ T6537] kasan_check_range+0x13d/0x180
[ 72.797382][ T6537] consume_skb+0x2e/0x160
[ 72.801711][ T6537] __sk_msg_free+0x26d/0x360
[ 72.806303][ T6537] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 72.812110][ T6537] sk_psock_stop+0x415/0x620
[ 72.816704][ T6537] sock_map_close+0x34a/0x780
[ 72.821385][ T6537] ? espintcp_init_sk+0xaa0/0xaa0
[ 72.826411][ T6537] ? sock_map_lookup+0x400/0x400
[ 72.831343][ T6537] ? down_write+0xe0/0x150
[ 72.835756][ T6537] ? __down_timeout+0x10/0x10
[ 72.840425][ T6537] ? locks_remove_file+0x2f9/0x570
[ 72.845970][ T6537] unix_release+0x7a/0xe0
[ 72.850295][ T6537] __sock_release+0xcd/0x280
[ 72.854891][ T6537] sock_close+0x18/0x20
[ 72.859040][ T6537] __fput+0x288/0x9f0
[ 72.863019][ T6537] ? __sock_release+0x280/0x280
[ 72.867865][ T6537] task_work_run+0xdd/0x1a0
[ 72.872368][ T6537] do_exit+0xbae/0x2a30
[ 72.876518][ T6537] ? __context_tracking_exit+0xb8/0xe0
[ 72.881973][ T6537] ? lock_downgrade+0x6e0/0x6e0
[ 72.886829][ T6537] ? lock_downgrade+0x6e0/0x6e0
[ 72.891676][ T6537] ? mm_update_next_owner+0x7a0/0x7a0
[ 72.897047][ T6537] do_group_exit+0x125/0x310
[ 72.901635][ T6537] __x64_sys_exit_group+0x3a/0x50
[ 72.906654][ T6537] do_syscall_64+0x35/0xb0
[ 72.911062][ T6537] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.916976][ T6537] RIP: 0033:0x7f1730dcf749
[ 72.921381][ T6537] Code: Unable to access opcode bytes at RIP 0x7f1730dcf71f.
[ 72.928730][ T6537] RSP: 002b:00007ffcc7f6abd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 72.937134][ T6537] RAX: ffffffffffffffda RBX: 00007f1730e43410 RCX: 00007f1730dcf749
[ 72.945181][ T6537] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 72.953143][ T6537] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f1730d90035
[ 72.961105][ T6537] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1730e43410
[ 72.969068][ T6537] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 72.977307][ T6537] Kernel Offset: disabled
[ 72.981667][ T6537] Rebooting in 86400 seconds..