DUID 00:04:6d:8d:bc:0e:4f:6f:26:62:62:35:cf:10:b8:8b:0d:d5
forked to background, child pid 3173
[ 28.337855][ T3174] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.355243][ T3174] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.100' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.745747][ T3592] ==================================================================
[ 49.753990][ T3592] BUG: KASAN: slab-out-of-bounds in bpf_prog_test_run_xdp+0x10ac/0x1150
[ 49.762442][ T3592] Write of size 8 at addr ffff88801dc53000 by task syz-executor098/3592
[ 49.770788][ T3592]
[ 49.773119][ T3592] CPU: 1 PID: 3592 Comm: syz-executor098 Not tainted 5.16.0-syzkaller-11587-gdd5152ab338c #0
[ 49.783262][ T3592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.793316][ T3592] Call Trace:
[ 49.796594][ T3592]
[ 49.799525][ T3592] dump_stack_lvl+0xcd/0x134
[ 49.804138][ T3592] print_address_description.constprop.0.cold+0x8d/0x336
[ 49.811197][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 49.816880][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 49.823498][ T3592] kasan_report.cold+0x83/0xdf
[ 49.828393][ T3592] ? __sanitizer_cov_trace_const_cmp4+0x41/0x70
[ 49.834671][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 49.840368][ T3592] bpf_prog_test_run_xdp+0x10ac/0x1150
[ 49.845886][ T3592] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 49.851585][ T3592] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 49.857874][ T3592] ? __fget_light+0x215/0x280
[ 49.862573][ T3592] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 49.868831][ T3592] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 49.874482][ T3592] __sys_bpf+0x1858/0x59a0
[ 49.878919][ T3592] ? bpf_link_get_from_fd+0x110/0x110
[ 49.884311][ T3592] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 49.890316][ T3592] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 49.896325][ T3592] ? find_held_lock+0x2d/0x110
[ 49.901130][ T3592] ? trace_hardirqs_on+0x38/0x1c0
[ 49.906174][ T3592] __x64_sys_bpf+0x75/0xb0
[ 49.910691][ T3592] ? syscall_enter_from_user_mode+0x21/0x70
[ 49.916606][ T3592] do_syscall_64+0x35/0xb0
[ 49.921045][ T3592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.926961][ T3592] RIP: 0033:0x7fada7c9e229
[ 49.931387][ T3592] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 49.951092][ T3592] RSP: 002b:00007fff58406588 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 49.959524][ T3592] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fada7c9e229
[ 49.967600][ T3592] RDX: 0000000000000048 RSI: 0000000020000000 RDI: 000000000000000a
[ 49.975797][ T3592] RBP: 00007fada7c62210 R08: 0000000000000000 R09: 0000000000000000
[ 49.983884][ T3592] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fada7c622a0
[ 49.992370][ T3592] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.000476][ T3592]
[ 50.003594][ T3592]
[ 50.005926][ T3592] Allocated by task 3592:
[ 50.010251][ T3592] kasan_save_stack+0x1e/0x50
[ 50.014955][ T3592] __kasan_kmalloc+0xa9/0xd0
[ 50.020729][ T3592] bpf_test_init.isra.0+0x9f/0x150
[ 50.025961][ T3592] bpf_prog_test_run_xdp+0x2f8/0x1150
[ 50.031348][ T3592] __sys_bpf+0x1858/0x59a0
[ 50.035860][ T3592] __x64_sys_bpf+0x75/0xb0
[ 50.040288][ T3592] do_syscall_64+0x35/0xb0
[ 50.044711][ T3592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.050624][ T3592]
[ 50.052956][ T3592] The buggy address belongs to the object at ffff88801dc52000
[ 50.052956][ T3592]  which belongs to the cache kmalloc-4k of size 4096
[ 50.067384][ T3592] The buggy address is located 0 bytes to the right of
[ 50.067384][ T3592]  4096-byte region [ffff88801dc52000, ffff88801dc53000)
[ 50.081284][ T3592] The buggy address belongs to the page:
[ 50.087438][ T3592] page:ffffea0000771400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dc50
[ 50.097789][ T3592] head:ffffea0000771400 order:3 compound_mapcount:0 compound_pincount:0
[ 50.106558][ T3592] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 50.114648][ T3592] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42140
[ 50.123679][ T3592] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 50.132869][ T3592] page dumped because: kasan: bad access detected
[ 50.140338][ T3592] page_owner tracks the page as allocated
[ 50.146071][ T3592] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3592, ts 49734537716, free_ts 49716400399
[ 50.165271][ T3592] get_page_from_freelist+0xa72/0x2f50
[ 50.170744][ T3592] __alloc_pages+0x1b2/0x500
[ 50.175438][ T3592] alloc_pages+0x1aa/0x310
[ 50.179865][ T3592] new_slab+0x28a/0x3b0
[ 50.184033][ T3592] ___slab_alloc+0x87c/0xe90
[ 50.188640][ T3592] __slab_alloc.constprop.0+0x4d/0xa0
[ 50.194033][ T3592] kmem_cache_alloc_trace+0x289/0x2c0
[ 50.199423][ T3592] ima_calc_file_hash_tfm+0x282/0x3b0
[ 50.204810][ T3592] ima_calc_file_hash+0x19d/0x4b0
[ 50.209847][ T3592] ima_collect_measurement+0x4c9/0x570
[ 50.215404][ T3592] process_measurement+0xd37/0x1920
[ 50.220615][ T3592] ima_bprm_check+0xd0/0x220
[ 50.225211][ T3592] security_bprm_check+0x7d/0xa0
[ 50.230162][ T3592] bprm_execve+0x732/0x19b0
[ 50.234714][ T3592] do_execveat_common+0x5e3/0x780
[ 50.239759][ T3592] __x64_sys_execve+0x8f/0xc0
[ 50.244449][ T3592] page last free stack trace:
[ 50.249209][ T3592] free_pcp_prepare+0x374/0x870
[ 50.254190][ T3592] free_unref_page+0x19/0x690
[ 50.258877][ T3592] __unfreeze_partials+0x320/0x340
[ 50.264090][ T3592] qlist_free_all+0x6d/0x160
[ 50.268687][ T3592] kasan_quarantine_reduce+0x180/0x200
[ 50.274168][ T3592] __kasan_slab_alloc+0xa2/0xc0
[ 50.279028][ T3592] kmem_cache_alloc+0x202/0x3a0
[ 50.283891][ T3592] getname_flags.part.0+0x50/0x4f0
[ 50.289126][ T3592] getname_flags+0x9a/0xe0
[ 50.293550][ T3592] user_path_at_empty+0x2b/0x60
[ 50.298412][ T3592] vfs_statx+0x142/0x390
[ 50.302710][ T3592] __do_sys_newfstatat+0x96/0x120
[ 50.307744][ T3592] do_syscall_64+0x35/0xb0
[ 50.312169][ T3592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.318173][ T3592]
[ 50.320579][ T3592] Memory state around the buggy address:
[ 50.326910][ T3592]  ffff88801dc52f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.334985][ T3592]  ffff88801dc52f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.343051][ T3592] >ffff88801dc53000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.351115][ T3592]                    ^
[ 50.355201][ T3592]  ffff88801dc53080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.363271][ T3592]  ffff88801dc53100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.371331][ T3592] ==================================================================
[ 50.379394][ T3592] Disabling lock debugging due to kernel taint
[ 50.385829][ T3592] Kernel panic - not syncing: panic_on_warn set ...
[ 50.392606][ T3592] CPU: 0 PID: 3592 Comm: syz-executor098 Tainted: G B 5.16.0-syzkaller-11587-gdd5152ab338c #0
[ 50.404141][ T3592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.414208][ T3592] Call Trace:
[ 50.417501][ T3592]
[ 50.420616][ T3592] dump_stack_lvl+0xcd/0x134
[ 50.425244][ T3592] panic+0x2b0/0x6dd
[ 50.431172][ T3592] ? __warn_printk+0xf3/0xf3
[ 50.436032][ T3592] ? preempt_schedule_common+0x59/0xc0
[ 50.441599][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 50.447405][ T3592] ? preempt_schedule_thunk+0x16/0x18
[ 50.452841][ T3592] ? trace_hardirqs_on+0x38/0x1c0
[ 50.457901][ T3592] ? trace_hardirqs_on+0x51/0x1c0
[ 50.462960][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 50.468597][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 50.474679][ T3592] end_report.cold+0x63/0x6f
[ 50.479276][ T3592] kasan_report.cold+0x71/0xdf
[ 50.484236][ T3592] ? __sanitizer_cov_trace_const_cmp4+0x41/0x70
[ 50.490493][ T3592] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 50.496406][ T3592] bpf_prog_test_run_xdp+0x10ac/0x1150
[ 50.502067][ T3592] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 50.507857][ T3592] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 50.514136][ T3592] ? __fget_light+0x215/0x280
[ 50.518821][ T3592] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 50.525258][ T3592] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 50.530979][ T3592] __sys_bpf+0x1858/0x59a0
[ 50.535401][ T3592] ? bpf_link_get_from_fd+0x110/0x110
[ 50.540854][ T3592] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 50.546832][ T3592] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 50.552823][ T3592] ? find_held_lock+0x2d/0x110
[ 50.557592][ T3592] ? trace_hardirqs_on+0x38/0x1c0
[ 50.562636][ T3592] __x64_sys_bpf+0x75/0xb0
[ 50.567153][ T3592] ? syscall_enter_from_user_mode+0x21/0x70
[ 50.573049][ T3592] do_syscall_64+0x35/0xb0
[ 50.577692][ T3592] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.583707][ T3592] RIP: 0033:0x7fada7c9e229
[ 50.588133][ T3592] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 50.607749][ T3592] RSP: 002b:00007fff58406588 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 50.616158][ T3592] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fada7c9e229
[ 50.624822][ T3592] RDX: 0000000000000048 RSI: 0000000020000000 RDI: 000000000000000a
[ 50.632813][ T3592] RBP: 00007fada7c62210 R08: 0000000000000000 R09: 0000000000000000
[ 50.640972][ T3592] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fada7c622a0
[ 50.649109][ T3592] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.657086][ T3592]
[ 50.660781][ T3592] Kernel Offset: disabled
[ 50.665126][ T3592] Rebooting in 86400 seconds..