Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 71.669948][ T6550] FAULT_INJECTION: forcing a failure.
[ 71.669948][ T6550] name failslab, interval 1, probability 0, space 0, times 1
[ 71.682975][ T6550] CPU: 1 PID: 6550 Comm: syz-executor225 Not tainted 5.15.0-rc4-syzkaller #0
[ 71.691730][ T6550] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.701772][ T6550] Call Trace:
[ 71.705041][ T6550] dump_stack_lvl+0xcd/0x134
[ 71.709637][ T6550] should_fail.cold+0x5/0xa
[ 71.714133][ T6550] ? sk_psock_skb_ingress_self+0x4e/0x370
[ 71.719844][ T6550] should_failslab+0x5/0x10
[ 71.724335][ T6550] kmem_cache_alloc_trace+0x55/0x2b0
[ 71.729614][ T6550] sk_psock_skb_ingress_self+0x4e/0x370
[ 71.735323][ T6550] ? force_compatible_cpus_allowed_ptr+0x360/0x360
[ 71.741818][ T6550] sk_psock_verdict_apply+0x34c/0x430
[ 71.747238][ T6550] sk_psock_verdict_recv+0x2b0/0x7e0
[ 71.752524][ T6550] unix_read_sock+0xd7/0x250
[ 71.757104][ T6550] ? sk_psock_strp_read+0x6e0/0x6e0
[ 71.762327][ T6550] ? unix_compat_ioctl+0x30/0x30
[ 71.767271][ T6550] ? find_held_lock+0x2d/0x110
[ 71.772094][ T6550] ? unix_compat_ioctl+0x30/0x30
[ 71.777063][ T6550] sk_psock_verdict_data_ready+0x11a/0x180
[ 71.783032][ T6550] ? sk_psock_strp_read_done+0x10/0x10
[ 71.788487][ T6550] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 71.794284][ T6550] ? do_raw_spin_unlock+0x171/0x230
[ 71.799472][ T6550] unix_dgram_sendmsg+0xfa7/0x1950
[ 71.804579][ T6550] ? unix_stream_sendpage+0xca0/0xca0
[ 71.809937][ T6550] ? aa_af_perm+0x230/0x230
[ 71.814436][ T6550] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.820670][ T6550] ? unix_stream_sendpage+0xca0/0xca0
[ 71.826051][ T6550] sock_sendmsg+0xcf/0x120
[ 71.830461][ T6550] ____sys_sendmsg+0x331/0x810
[ 71.835229][ T6550] ? kernel_sendmsg+0x50/0x50
[ 71.839911][ T6550] ? do_recvmmsg+0x6d0/0x6d0
[ 71.844497][ T6550] ___sys_sendmsg+0xf3/0x170
[ 71.849081][ T6550] ? sendmsg_copy_msghdr+0x160/0x160
[ 71.854357][ T6550] ? mark_lock+0xef/0x17b0
[ 71.858791][ T6550] ? mark_lock+0xef/0x17b0
[ 71.863197][ T6550] ? lock_chain_count+0x20/0x20
[ 71.868474][ T6550] ? lock_chain_count+0x20/0x20
[ 71.873313][ T6550] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 71.879282][ T6550] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 71.885527][ T6550] ? __fget_light+0x215/0x280
[ 71.890188][ T6550] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 71.896417][ T6550] __sys_sendmmsg+0x195/0x470
[ 71.901082][ T6550] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 71.906090][ T6550] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 71.912063][ T6550] ? find_held_lock+0x2d/0x110
[ 71.916826][ T6550] ? __context_tracking_exit+0xb8/0xe0
[ 71.922270][ T6550] ? lock_downgrade+0x6e0/0x6e0
[ 71.927106][ T6550] ? lock_downgrade+0x6e0/0x6e0
[ 71.931949][ T6550] __x64_sys_sendmmsg+0x99/0x100
[ 71.936874][ T6550] ? syscall_enter_from_user_mode+0x21/0x70
[ 71.942765][ T6550] do_syscall_64+0x35/0xb0
[ 71.947169][ T6550] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.953046][ T6550] RIP: 0033:0x7f9df63e53b9
[ 71.957443][ T6550] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 71.977032][ T6550] RSP: 002b:00007ffc6aa65418 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 71.985449][ T6550] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f9df63e53b9
[ 71.993417][ T6550] RDX: 0307017fdb7a66cb RSI: 0000000020002dc0 RDI: 0000000000000006
[ 72.001375][ T6550] RBP: 00007ffc6aa65430 R08: 0000000000000001 R09: 0000000000000001
[ 72.009327][ T6550] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 72.017284][ T6550] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 72.063237][ T6550] ==================================================================
[ 72.071404][ T6550] BUG: KASAN: use-after-free in consume_skb+0x2e/0x160
[ 72.078262][ T6550] Read of size 4 at addr ffff88807136d21c by task syz-executor225/6550
[ 72.086491][ T6550]
[ 72.088808][ T6550] CPU: 1 PID: 6550 Comm: syz-executor225 Not tainted 5.15.0-rc4-syzkaller #0
[ 72.097548][ T6550] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.107592][ T6550] Call Trace:
[ 72.110868][ T6550] dump_stack_lvl+0xcd/0x134
[ 72.115463][ T6550] print_address_description.constprop.0.cold+0x6c/0x309
[ 72.122473][ T6550] ? consume_skb+0x2e/0x160
[ 72.126963][ T6550] ? consume_skb+0x2e/0x160
[ 72.131451][ T6550] kasan_report.cold+0x83/0xdf
[ 72.136204][ T6550] ? consume_skb+0x2e/0x160
[ 72.140697][ T6550] kasan_check_range+0x13d/0x180
[ 72.145623][ T6550] consume_skb+0x2e/0x160
[ 72.149953][ T6550] __sk_msg_free+0x26d/0x360
[ 72.154534][ T6550] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 72.160343][ T6550] sk_psock_stop+0x415/0x620
[ 72.164928][ T6550] sock_map_close+0x34a/0x780
[ 72.169590][ T6550] ? espintcp_init_sk+0xaa0/0xaa0
[ 72.174606][ T6550] ? sock_map_lookup+0x400/0x400
[ 72.179544][ T6550] ? down_write+0xe0/0x150
[ 72.183948][ T6550] ? __down_timeout+0x10/0x10
[ 72.188610][ T6550] ? locks_remove_file+0x2f9/0x570
[ 72.193721][ T6550] unix_release+0x7a/0xe0
[ 72.198044][ T6550] __sock_release+0xcd/0x280
[ 72.202639][ T6550] sock_close+0x18/0x20
[ 72.206781][ T6550] __fput+0x288/0x9f0
[ 72.210753][ T6550] ? __sock_release+0x280/0x280
[ 72.215616][ T6550] task_work_run+0xdd/0x1a0
[ 72.220107][ T6550] do_exit+0xbae/0x2a30
[ 72.224249][ T6550] ? __context_tracking_exit+0xb8/0xe0
[ 72.229698][ T6550] ? lock_downgrade+0x6e0/0x6e0
[ 72.234537][ T6550] ? lock_downgrade+0x6e0/0x6e0
[ 72.239375][ T6550] ? mm_update_next_owner+0x7a0/0x7a0
[ 72.244751][ T6550] do_group_exit+0x125/0x310
[ 72.249333][ T6550] __x64_sys_exit_group+0x3a/0x50
[ 72.254345][ T6550] do_syscall_64+0x35/0xb0
[ 72.258751][ T6550] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.264632][ T6550] RIP: 0033:0x7f9df63e4049
[ 72.269029][ T6550] Code: Unable to access opcode bytes at RIP 0x7f9df63e401f.
[ 72.276373][ T6550] RSP: 002b:00007ffc6aa653c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 72.284767][ T6550] RAX: ffffffffffffffda RBX: 00007f9df6458410 RCX: 00007f9df63e4049
[ 72.292725][ T6550] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 72.300678][ T6550] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 72.308632][ T6550] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9df6458410
[ 72.316587][ T6550] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 72.324569][ T6550]
[ 72.326876][ T6550] Allocated by task 6550:
[ 72.331184][ T6550] kasan_save_stack+0x1b/0x40
[ 72.335850][ T6550] __kasan_slab_alloc+0x83/0xb0
[ 72.340685][ T6550] kmem_cache_alloc+0x209/0x390
[ 72.345555][ T6550] skb_clone+0x170/0x3c0
[ 72.349790][ T6550] sk_psock_verdict_recv+0x72/0x7e0
[ 72.354979][ T6550] unix_read_sock+0xd7/0x250
[ 72.359553][ T6550] sk_psock_verdict_data_ready+0x11a/0x180
[ 72.365358][ T6550] unix_dgram_sendmsg+0xfa7/0x1950
[ 72.370453][ T6550] sock_sendmsg+0xcf/0x120
[ 72.374855][ T6550] ____sys_sendmsg+0x331/0x810
[ 72.379609][ T6550] ___sys_sendmsg+0xf3/0x170
[ 72.384195][ T6550] __sys_sendmmsg+0x195/0x470
[ 72.388869][ T6550] __x64_sys_sendmmsg+0x99/0x100
[ 72.393789][ T6550] do_syscall_64+0x35/0xb0
[ 72.398194][ T6550] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.404074][ T6550]
[ 72.406384][ T6550] Freed by task 5:
[ 72.410079][ T6550] kasan_save_stack+0x1b/0x40
[ 72.414780][ T6550] kasan_set_track+0x1c/0x30
[ 72.419354][ T6550] kasan_set_free_info+0x20/0x30
[ 72.424274][ T6550] __kasan_slab_free+0xff/0x130
[ 72.429104][ T6550] slab_free_freelist_hook+0x81/0x190
[ 72.434477][ T6550] kmem_cache_free+0x8a/0x5b0
[ 72.439138][ T6550] kfree_skbmem+0xef/0x1b0
[ 72.443558][ T6550] kfree_skb+0x140/0x3f0
[ 72.447793][ T6550] sk_psock_backlog+0x93b/0xda0
[ 72.452635][ T6550] process_one_work+0x9bf/0x16b0
[ 72.457568][ T6550] worker_thread+0x658/0x11f0
[ 72.462236][ T6550] kthread+0x3e5/0x4d0
[ 72.466298][ T6550] ret_from_fork+0x1f/0x30
[ 72.470727][ T6550]
[ 72.473039][ T6550] The buggy address belongs to the object at ffff88807136d140
[ 72.473039][ T6550]  which belongs to the cache skbuff_head_cache of size 232
[ 72.487609][ T6550] The buggy address is located 220 bytes inside of
[ 72.487609][ T6550]  232-byte region [ffff88807136d140, ffff88807136d228)
[ 72.500872][ T6550] The buggy address belongs to the page:
[ 72.506499][ T6550] page:ffffea0001c4db40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7136d
[ 72.516669][ T6550] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 72.524218][ T6550] raw: 00fff00000000200 dead000000000100 dead000000000122 ffff8881441d0140
[ 72.532794][ T6550] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 72.541360][ T6550] page dumped because: kasan: bad access detected
[ 72.547760][ T6550] page_owner tracks the page as allocated
[ 72.553468][ T6550] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4544, ts 41737809503, free_ts 41726907968
[ 72.569520][ T6550] get_page_from_freelist+0xa72/0x2f80
[ 72.574972][ T6550] __alloc_pages+0x1b2/0x500
[ 72.579544][ T6550] alloc_pages+0x1a7/0x300
[ 72.583940][ T6550] new_slab+0x319/0x490
[ 72.588080][ T6550] ___slab_alloc+0x921/0xfe0
[ 72.592653][ T6550] __slab_alloc.constprop.0+0x4d/0xa0
[ 72.598060][ T6550] kmem_cache_alloc_node+0x11f/0x3d0
[ 72.603332][ T6550] __alloc_skb+0x20b/0x340
[ 72.607754][ T6550] netlink_sendmsg+0x967/0xdb0
[ 72.612524][ T6550] sock_sendmsg+0xcf/0x120
[ 72.616937][ T6550] ____sys_sendmsg+0x6e8/0x810
[ 72.621687][ T6550] ___sys_sendmsg+0xf3/0x170
[ 72.626259][ T6550] __sys_sendmsg+0xe5/0x1b0
[ 72.630870][ T6550] do_syscall_64+0x35/0xb0
[ 72.635284][ T6550] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.641174][ T6550] page last free stack trace:
[ 72.645838][ T6550] free_pcp_prepare+0x2c5/0x780
[ 72.650677][ T6550] free_unref_page+0x19/0x690
[ 72.655340][ T6550] __mmdrop+0xcb/0x3f0
[ 72.659504][ T6550] __mmput+0x3f1/0x4b0
[ 72.663560][ T6550] mmput+0x58/0x60
[ 72.667266][ T6550] free_bprm+0x65/0x2e0
[ 72.671403][ T6550] kernel_execve+0x380/0x460
[ 72.675982][ T6550] call_usermodehelper_exec_async+0x2e3/0x580
[ 72.682040][ T6550] ret_from_fork+0x1f/0x30
[ 72.686448][ T6550]
[ 72.688755][ T6550] Memory state around the buggy address:
[ 72.694365][ T6550]  ffff88807136d100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 72.702509][ T6550]  ffff88807136d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.710568][ T6550] >ffff88807136d200: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 72.718604][ T6550]                             ^
[ 72.723481][ T6550]  ffff88807136d280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.731568][ T6550]  ffff88807136d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 72.739614][ T6550] ==================================================================
[ 72.747668][ T6550] Disabling lock debugging due to kernel taint
[ 72.753845][ T6550] Kernel panic - not syncing: panic_on_warn set ...
[ 72.760417][ T6550] CPU: 1 PID: 6550 Comm: syz-executor225 Tainted: G B 5.15.0-rc4-syzkaller #0
[ 72.770566][ T6550] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.780615][ T6550] Call Trace:
[ 72.783891][ T6550] dump_stack_lvl+0xcd/0x134
[ 72.788494][ T6550] panic+0x2b0/0x6dd
[ 72.792395][ T6550] ? __warn_printk+0xf3/0xf3
[ 72.796994][ T6550] ? consume_skb+0x2e/0x160
[ 72.801489][ T6550] ? trace_hardirqs_on+0x38/0x1c0
[ 72.806506][ T6550] ? trace_hardirqs_on+0x51/0x1c0
[ 72.811516][ T6550] ? consume_skb+0x2e/0x160
[ 72.816004][ T6550] ? consume_skb+0x2e/0x160
[ 72.820502][ T6550] end_report.cold+0x63/0x6f
[ 72.825085][ T6550] kasan_report.cold+0x71/0xdf
[ 72.829829][ T6550] ? consume_skb+0x2e/0x160
[ 72.834315][ T6550] kasan_check_range+0x13d/0x180
[ 72.839246][ T6550] consume_skb+0x2e/0x160
[ 72.843566][ T6550] __sk_msg_free+0x26d/0x360
[ 72.848140][ T6550] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 72.853931][ T6550] sk_psock_stop+0x415/0x620
[ 72.858506][ T6550] sock_map_close+0x34a/0x780
[ 72.863160][ T6550] ? espintcp_init_sk+0xaa0/0xaa0
[ 72.868255][ T6550] ? sock_map_lookup+0x400/0x400
[ 72.873262][ T6550] ? down_write+0xe0/0x150
[ 72.877658][ T6550] ? __down_timeout+0x10/0x10
[ 72.882315][ T6550] ? locks_remove_file+0x2f9/0x570
[ 72.887419][ T6550] unix_release+0x7a/0xe0
[ 72.891735][ T6550] __sock_release+0xcd/0x280
[ 72.896308][ T6550] sock_close+0x18/0x20
[ 72.900454][ T6550] __fput+0x288/0x9f0
[ 72.904417][ T6550] ? __sock_release+0x280/0x280
[ 72.909248][ T6550] task_work_run+0xdd/0x1a0
[ 72.913743][ T6550] do_exit+0xbae/0x2a30
[ 72.917879][ T6550] ? __context_tracking_exit+0xb8/0xe0
[ 72.923322][ T6550] ? lock_downgrade+0x6e0/0x6e0
[ 72.928152][ T6550] ? lock_downgrade+0x6e0/0x6e0
[ 72.932983][ T6550] ? mm_update_next_owner+0x7a0/0x7a0
[ 72.938340][ T6550] do_group_exit+0x125/0x310
[ 72.942914][ T6550] __x64_sys_exit_group+0x3a/0x50
[ 72.947919][ T6550] do_syscall_64+0x35/0xb0
[ 72.952332][ T6550] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.958319][ T6550] RIP: 0033:0x7f9df63e4049
[ 72.962722][ T6550] Code: Unable to access opcode bytes at RIP 0x7f9df63e401f.
[ 72.970059][ T6550] RSP: 002b:00007ffc6aa653c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 72.978449][ T6550] RAX: ffffffffffffffda RBX: 00007f9df6458410 RCX: 00007f9df63e4049
[ 72.986398][ T6550] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 72.994346][ T6550] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 73.002298][ T6550] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9df6458410
[ 73.010256][ T6550] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 73.018282][ T6550] Kernel Offset: disabled
[ 73.022643][ T6550] Rebooting in 86400 seconds..