./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3232873114 <...> Warning: Permanently added '10.128.1.188' (ED25519) to the list of known hosts. execve("./syz-executor3232873114", ["./syz-executor3232873114"], 0x7ffc5c004140 /* 10 vars */) = 0 brk(NULL) = 0x55556a090000 brk(0x55556a090d00) = 0x55556a090d00 arch_prctl(ARCH_SET_FS, 0x55556a090380) = 0 set_tid_address(0x55556a090650) = 5099 set_robust_list(0x55556a090660, 24) = 0 rseq(0x55556a090ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3232873114", 4096) = 28 getrandom("\x5c\xd0\x12\xdd\x30\xd0\x99\x70", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556a090d00 brk(0x55556a0b1d00) = 0x55556a0b1d00 brk(0x55556a0b2000) = 0x55556a0b2000 mprotect(0x7f7791d2a000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5100 attached , child_tidptr=0x55556a090650) = 5100 [pid 5100] set_robust_list(0x55556a090660, 24) = 0 [pid 5100] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5100] setpgid(0, 0) = 0 [pid 5100] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5100] write(3, "1000", 4) = 4 [pid 5100] close(3) = 0 [pid 5100] write(1, "executing program\n", 18executing program ) = 18 [pid 5100] socket(AF_PPPOX, SOCK_STREAM, 1) = 3 [pid 5100] socket(AF_PPPOX, SOCK_STREAM, 1) = 4 [pid 5100] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 [pid 5100] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50) = 0 [pid 5100] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\xac\x14\x14\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38) = 0 [pid 5100] exit_group(0) = ? [pid 5100] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5100, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5101 attached [pid 5101] set_robust_list(0x55556a090660, 24 [pid 5099] <... clone resumed>, child_tidptr=0x55556a090650) = 5101 [pid 5101] <... set_robust_list resumed>) = 0 [pid 5101] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5101] setpgid(0, 0) = 0 [pid 5101] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5101] write(3, "1000", 4) = 4 [pid 5101] close(3) = 0 [pid 5101] write(1, "executing program\n", 18executing program ) = 18 [pid 5101] socket(AF_PPPOX, SOCK_STREAM, 1) = 3 [pid 5101] socket(AF_PPPOX, SOCK_STREAM, 1) = 4 [pid 5101] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 [pid 5101] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50) = 0 [pid 5101] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\xac\x14\x14\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38) = 0 [pid 5101] exit_group(0) = ? [pid 5101] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5101, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5102 attached , child_tidptr=0x55556a090650) = 5102 [pid 5102] set_robust_list(0x55556a090660, 24) = 0 [pid 5102] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5102] setpgid(0, 0) = 0 [pid 5102] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5102] write(3, "1000", 4) = 4 [pid 5102] close(3) = 0 [pid 5102] write(1, "executing program\n", 18executing program ) = 18 [pid 5102] socket(AF_PPPOX, SOCK_STREAM, 1) = 3 [pid 5102] socket(AF_PPPOX, SOCK_STREAM, 1) = 4 [pid 5102] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 [pid 5102] connect(4, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00"}, 50) = 0 [pid 5102] connect(3, {sa_family=AF_PPPOX, sa_data="\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02\x00\x00\x00\xac\x14\x14\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x03\x00\x00\x00\x00\x00"}, 38) = 0 [pid 5102] exit_group(0) = ? [pid 5102] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5102, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- restart_syscall(<... resuming interrupted clone ...>) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5103 attached , child_tidptr=0x55556a090650) = 5103 [pid 5103] set_robust_list(0x55556a090660, 24) = 0 [pid 5103] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5103] setpgid(0, 0) = 0 [pid 5103] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [ 117.545002][ T12] ================================================================== [ 117.558206][ T12] BUG: KASAN: slab-use-after-free in l2tp_tunnel_del_work+0xe5/0x330 [ 117.573579][ T12] Read of size 8 at addr ffff88802361a0b8 by task kworker/u8:1/12 [ 117.586074][ T12] [ 117.591374][ T12] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc5-syzkaller-01137-g1c5fc27bc48a #0 [ 117.610691][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 117.632650][ T12] Workqueue: l2tp l2tp_tunnel_del_work [ 117.640339][ T12] Call Trace: [ 117.643858][ T12] [ 117.651438][ T12] dump_stack_lvl+0x241/0x360 [ 117.658105][ T12] ? __pfx_dump_stack_lvl+0x10/0x10 [ 117.669007][ T12] ? __pfx__printk+0x10/0x10 [ 117.674934][ T12] ? _printk+0xd5/0x120 [ 117.690740][ T12] ? __virt_addr_valid+0x183/0x520 [ 117.705199][ T12] ? __virt_addr_valid+0x183/0x520 [ 117.712745][ T12] print_report+0x169/0x550 [ 117.730675][ T12] ? __virt_addr_valid+0x183/0x520 [ 117.737706][ T12] ? __virt_addr_valid+0x183/0x520 [ 117.752747][ T12] ? __virt_addr_valid+0x44e/0x520 [ 117.759456][ T12] ? __phys_addr+0xba/0x170 [ 117.768334][ T12] ? l2tp_tunnel_del_work+0xe5/0x330 [ 117.775098][ T12] kasan_report+0x143/0x180 [ 117.781381][ T12] ? l2tp_tunnel_del_work+0xe5/0x330 [ 117.793976][ T12] l2tp_tunnel_del_work+0xe5/0x330 [ 117.810410][ T12] ? process_scheduled_works+0x945/0x1830 [ 117.816697][ T12] process_scheduled_works+0xa2c/0x1830 [ 117.826912][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 117.837685][ T12] ? assign_work+0x364/0x3d0 [ 117.850579][ T12] worker_thread+0x86d/0xd50 [ 117.856943][ T12] ? __kthread_parkme+0x169/0x1d0 [ 117.863226][ T12] ? __pfx_worker_thread+0x10/0x10 [ 117.873109][ T12] kthread+0x2f0/0x390 [ 117.878865][ T12] ? __pfx_worker_thread+0x10/0x10 [ 117.889645][ T12] ? __pfx_kthread+0x10/0x10 [ 117.896928][ T12] ret_from_fork+0x4b/0x80 [ 117.905557][ T12] ? __pfx_kthread+0x10/0x10 [ 117.917415][ T12] ret_from_fork_asm+0x1a/0x30 [ 117.927615][ T12] [ 117.932845][ T12] [ 117.935633][ T12] Allocated by task 5102: [ 117.941434][ T12] kasan_save_track+0x3f/0x80 [ 117.949714][ T12] __kasan_kmalloc+0x98/0xb0 [ 117.955910][ T12] __kmalloc_noprof+0x1f9/0x400 [ 117.965042][ T12] l2tp_session_create+0x3b/0xc20 [ 117.974339][ T12] pppol2tp_connect+0xca3/0x17a0 [ 117.982129][ T12] __sys_connect+0x2df/0x310 [ 117.991166][ T12] __x64_sys_connect+0x7a/0x90 [ 117.998996][ T12] do_syscall_64+0xf3/0x230 [ 118.007062][ T12] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.017248][ T12] [ 118.020537][ T12] Freed by task 0: [ 118.025008][ T12] kasan_save_track+0x3f/0x80 [ 118.032587][ T12] kasan_save_free_info+0x40/0x50 [ 118.040171][ T12] poison_slab_object+0xe0/0x150 [ 118.047239][ T12] __kasan_slab_free+0x37/0x60 [ 118.053700][ T12] kfree+0x149/0x360 [ 118.058250][ T12] __sk_destruct+0x58/0x5f0 [ 118.067118][ T12] rcu_core+0xafd/0x1830 [ 118.071750][ T12] handle_softirqs+0x2c4/0x970 [ 118.082548][ T12] __irq_exit_rcu+0xf4/0x1c0 [ 118.087927][ T12] irq_exit_rcu+0x9/0x30 [ 118.093946][ T12] sysvec_apic_timer_interrupt+0xa6/0xc0 [ 118.103477][ T12] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 118.117587][ T12] [ 118.120032][ T12] Last potentially related work creation: [ 118.127165][ T12] kasan_save_stack+0x3f/0x60 [ 118.135532][ T12] __kasan_record_aux_stack+0xac/0xc0 [ 118.143641][ T12] call_rcu+0x167/0xa70 [ 118.152183][ T12] pppol2tp_release+0x24b/0x350 [ 118.160010][ T12] sock_close+0xbc/0x240 [ 118.164676][ T12] __fput+0x406/0x8b0 [ 118.170790][ T12] task_work_run+0x24f/0x310 [ 118.179667][ T12] do_exit+0xa27/0x27e0 [ 118.189888][ T12] do_group_exit+0x207/0x2c0 [ 118.196842][ T12] __x64_sys_exit_group+0x3f/0x40 [ 118.203841][ T12] do_syscall_64+0xf3/0x230 [ 118.213080][ T12] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.219606][ T12] [ 118.222072][ T12] The buggy address belongs to the object at ffff88802361a000 [ 118.222072][ T12] which belongs to the cache kmalloc-1k of size 1024 [ 118.254939][ T12] The buggy address is located 184 bytes inside of [ 118.254939][ T12] freed 1024-byte region [ffff88802361a000, ffff88802361a400) [ 118.287109][ T12] [ 118.290329][ T12] The buggy address belongs to the physical page: [ 118.304007][ T12] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23618 [ 118.317020][ T12] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 118.336731][ T12] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 118.356196][ T12] page_type: 0xffffefff(slab) [ 118.363704][ T12] raw: 00fff00000000040 ffff888015041dc0 ffffea00008d3400 0000000000000002 [ 118.378864][ T12] raw: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000 [ 118.393144][ T12] head: 00fff00000000040 ffff888015041dc0 ffffea00008d3400 0000000000000002 [ 118.402981][ T12] head: 0000000000000000 0000000080100010 00000001ffffefff 0000000000000000 [ 118.418702][ T12] head: 00fff00000000003 ffffea00008d8601 ffffffffffffffff 0000000000000000 [ 118.432702][ T12] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 118.443905][ T12] page dumped because: kasan: bad access detected [ 118.451666][ T12] page_owner tracks the page as allocated [ 118.458671][ T12] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4757, tgid 4757 (S41dhcpcd), ts 76204097888, free_ts 76202473642 [ 118.485755][ T12] post_alloc_hook+0x1f3/0x230 [ 118.496305][ T12] get_page_from_freelist+0x2e4c/0x2f10 [ 118.508883][ T12] __alloc_pages_noprof+0x256/0x6c0 [ 118.517850][ T12] alloc_slab_page+0x5f/0x120 [ 118.524062][ T12] allocate_slab+0x5a/0x2f0 [ 118.531511][ T12] ___slab_alloc+0xcd1/0x14b0 [ 118.536393][ T12] __slab_alloc+0x58/0xa0 [ 118.543253][ T12] __kmalloc_noprof+0x257/0x400 [ 118.552671][ T12] tomoyo_init_log+0x1b3e/0x2050 [ 118.561009][ T12] tomoyo_supervisor+0x38a/0x11f0 [ 118.570310][ T12] tomoyo_env_perm+0x178/0x210 [ 118.586742][ T12] tomoyo_find_next_domain+0x1384/0x1cf0 [ 118.594259][ T12] tomoyo_bprm_check_security+0x115/0x180 [ 118.602018][ T12] security_bprm_check+0x65/0x90 [ 118.608380][ T12] bprm_execve+0xa56/0x17c0 [ 118.616587][ T12] do_execveat_common+0x553/0x700 [ 118.629730][ T12] page last free pid 4757 tgid 4757 stack trace: [ 118.639462][ T12] free_unref_page+0xd22/0xea0 [ 118.644969][ T12] __slab_free+0x31b/0x3d0 [ 118.653282][ T12] qlist_free_all+0x9e/0x140 [ 118.663194][ T12] kasan_quarantine_reduce+0x14f/0x170 [ 118.669750][ T12] __kasan_slab_alloc+0x23/0x80 [ 118.679450][ T12] __kmalloc_noprof+0x1a3/0x400 [ 118.694084][ T12] tomoyo_supervisor+0xe0d/0x11f0 [ 118.705033][ T12] tomoyo_env_perm+0x178/0x210 [ 118.714383][ T12] tomoyo_find_next_domain+0x1384/0x1cf0 [ 118.724048][ T12] tomoyo_bprm_check_security+0x115/0x180 [ 118.731559][ T12] security_bprm_check+0x65/0x90 [ 118.739305][ T12] bprm_execve+0xa56/0x17c0 [ 118.744013][ T12] do_execveat_common+0x553/0x700 [ 118.753404][ T12] __x64_sys_execve+0x92/0xb0 [ 118.761125][ T12] do_syscall_64+0xf3/0x230 [ 118.772770][ T12] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.781262][ T12] [ 118.792851][ T12] Memory state around the buggy address: [ 118.802154][ T12] ffff888023619f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 118.818215][ T12] ffff88802361a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.834183][ T12] >ffff88802361a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.846200][ T12] ^ [ 118.854024][ T12] ffff88802361a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.868066][ T12] ffff88802361a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.880140][ T12] ================================================================== [ 118.892387][ T12] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 118.903012][ T12] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc5-syzkaller-01137-g1c5fc27bc48a #0 [ 118.918322][ T12] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 118.935653][ T12] Workqueue: l2tp l2tp_tunnel_del_work [ 118.946504][ T12] Call Trace: [ 118.951280][ T12] [ 118.959425][ T12] dump_stack_lvl+0x241/0x360 [ 118.965211][ T12] ? __pfx_dump_stack_lvl+0x10/0x10 [ 118.971632][ T12] ? __pfx__printk+0x10/0x10 [ 118.980054][ T12] ? vscnprintf+0x5d/0x90 [ 118.985190][ T12] panic+0x349/0x860 [ 118.992790][ T12] ? check_panic_on_warn+0x21/0xb0 [ 119.002550][ T12] ? __pfx_panic+0x10/0x10 [ 119.008951][ T12] ? mark_lock+0x9a/0x350 [ 119.018812][ T12] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 119.025276][ T12] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 119.032883][ T12] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 119.050229][ T12] ? print_report+0x502/0x550 [ 119.056267][ T12] check_panic_on_warn+0x86/0xb0 [ 119.066565][ T12] ? l2tp_tunnel_del_work+0xe5/0x330 [ 119.078850][ T12] end_report+0x77/0x160 [ 119.093283][ T12] kasan_report+0x154/0x180 [ 119.105239][ T12] ? l2tp_tunnel_del_work+0xe5/0x330 [ 119.115271][ T12] l2tp_tunnel_del_work+0xe5/0x330 [ 119.123313][ T12] ? process_scheduled_works+0x945/0x1830 [ 119.133789][ T12] process_scheduled_works+0xa2c/0x1830 [ 119.145326][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 119.155203][ T12] ? assign_work+0x364/0x3d0 [ 119.163800][ T12] worker_thread+0x86d/0xd50 [ 119.170856][ T12] ? __kthread_parkme+0x169/0x1d0 [ 119.179652][ T12] ? __pfx_worker_thread+0x10/0x10 [ 119.194135][ T12] kthread+0x2f0/0x390 [ 119.200966][ T12] ? __pfx_worker_thread+0x10/0x10 [ 119.206896][ T12] ? __pfx_kthread+0x10/0x10 [ 119.213267][ T12] ret_from_fork+0x4b/0x80 [ 119.221847][ T12] ? __pfx_kthread+0x10/0x10 [ 119.233077][ T12] ret_from_fork_asm+0x1a/0x30 [ 119.242589][ T12] [ 119.247148][ T12] Kernel Offset: disabled [ 119.257092][ T12] Rebooting in 86400 seconds..