Warning: Permanently added '10.128.1.59' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.082025][ T6527] FAULT_INJECTION: forcing a failure.
[ 73.082025][ T6527] name failslab, interval 1, probability 0, space 0, times 1
[ 73.094906][ T6527] CPU: 1 PID: 6527 Comm: syz-executor951 Not tainted 5.15.0-rc4-syzkaller #0
[ 73.103667][ T6527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.113908][ T6527] Call Trace:
[ 73.117186][ T6527] dump_stack_lvl+0xcd/0x134
[ 73.121779][ T6527] should_fail.cold+0x5/0xa
[ 73.126323][ T6527] ? sk_psock_skb_ingress_self+0x4e/0x370
[ 73.132126][ T6527] should_failslab+0x5/0x10
[ 73.136634][ T6527] kmem_cache_alloc_trace+0x55/0x2b0
[ 73.141931][ T6527] sk_psock_skb_ingress_self+0x4e/0x370
[ 73.147488][ T6527] ? force_compatible_cpus_allowed_ptr+0x360/0x360
[ 73.153997][ T6527] sk_psock_verdict_apply+0x34c/0x430
[ 73.159374][ T6527] sk_psock_verdict_recv+0x2b0/0x7e0
[ 73.165434][ T6527] unix_read_sock+0xd7/0x250
[ 73.170208][ T6527] ? sk_psock_strp_read+0x6e0/0x6e0
[ 73.175433][ T6527] ? unix_compat_ioctl+0x30/0x30
[ 73.180402][ T6527] ? find_held_lock+0x2d/0x110
[ 73.185186][ T6527] ? unix_compat_ioctl+0x30/0x30
[ 73.190125][ T6527] sk_psock_verdict_data_ready+0x11a/0x180
[ 73.197061][ T6527] ? sk_psock_strp_read_done+0x10/0x10
[ 73.202551][ T6527] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 73.208363][ T6527] ? do_raw_spin_unlock+0x171/0x230
[ 73.213559][ T6527] unix_dgram_sendmsg+0xfa7/0x1950
[ 73.218691][ T6527] ? unix_stream_sendpage+0xca0/0xca0
[ 73.224054][ T6527] ? aa_af_perm+0x230/0x230
[ 73.228655][ T6527] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.234900][ T6527] ? unix_stream_sendpage+0xca0/0xca0
[ 73.240283][ T6527] sock_sendmsg+0xcf/0x120
[ 73.244907][ T6527] ____sys_sendmsg+0x331/0x810
[ 73.249770][ T6527] ? kernel_sendmsg+0x50/0x50
[ 73.254445][ T6527] ? do_recvmmsg+0x6d0/0x6d0
[ 73.259072][ T6527] ___sys_sendmsg+0xf3/0x170
[ 73.263662][ T6527] ? sendmsg_copy_msghdr+0x160/0x160
[ 73.269210][ T6527] ? mark_lock+0xef/0x17b0
[ 73.273625][ T6527] ? mark_lock+0xef/0x17b0
[ 73.278033][ T6527] ? lock_chain_count+0x20/0x20
[ 73.282869][ T6527] ? lock_chain_count+0x20/0x20
[ 73.287729][ T6527] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.293717][ T6527] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.300066][ T6527] ? __fget_light+0x215/0x280
[ 73.304747][ T6527] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 73.311079][ T6527] __sys_sendmmsg+0x195/0x470
[ 73.315923][ T6527] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 73.321068][ T6527] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.327232][ T6527] ? find_held_lock+0x2d/0x110
[ 73.331997][ T6527] ? __context_tracking_exit+0xb8/0xe0
[ 73.337803][ T6527] ? lock_downgrade+0x6e0/0x6e0
[ 73.342644][ T6527] ? lock_downgrade+0x6e0/0x6e0
[ 73.347494][ T6527] __x64_sys_sendmmsg+0x99/0x100
[ 73.352533][ T6527] ? syscall_enter_from_user_mode+0x21/0x70
[ 73.358616][ T6527] do_syscall_64+0x35/0xb0
[ 73.363155][ T6527] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.369149][ T6527] RIP: 0033:0x7ff4f4804419
[ 73.373570][ T6527] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 73.394392][ T6527] RSP: 002b:00007fff4aef6bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 73.402820][ T6527] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff4f4804419
[ 73.410922][ T6527] RDX: 0000000000000600 RSI: 0000000020003200 RDI: 0000000000000006
[ 73.419009][ T6527] RBP: 00007fff4aef6bf0 R08: 0000000000000001 R09: 0000000000000001
[ 73.427174][ T6527] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 73.435144][ T6527] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 73.480553][ T6527] ==================================================================
[ 73.488746][ T6527] BUG: KASAN: use-after-free in consume_skb+0x2e/0x160
[ 73.495602][ T6527] Read of size 4 at addr ffff88806ff1849c by task syz-executor951/6527
[ 73.503837][ T6527]
[ 73.506166][ T6527] CPU: 1 PID: 6527 Comm: syz-executor951 Not tainted 5.15.0-rc4-syzkaller #0
[ 73.514999][ T6527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.525373][ T6527] Call Trace:
[ 73.528739][ T6527] dump_stack_lvl+0xcd/0x134
[ 73.533349][ T6527] print_address_description.constprop.0.cold+0x6c/0x309
[ 73.540552][ T6527] ? consume_skb+0x2e/0x160
[ 73.545196][ T6527] ? consume_skb+0x2e/0x160
[ 73.549688][ T6527] kasan_report.cold+0x83/0xdf
[ 73.554457][ T6527] ? consume_skb+0x2e/0x160
[ 73.559131][ T6527] kasan_check_range+0x13d/0x180
[ 73.564068][ T6527] consume_skb+0x2e/0x160
[ 73.568400][ T6527] __sk_msg_free+0x26d/0x360
[ 73.573015][ T6527] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 73.578819][ T6527] sk_psock_stop+0x415/0x620
[ 73.583419][ T6527] sock_map_close+0x34a/0x780
[ 73.588085][ T6527] ? espintcp_init_sk+0xaa0/0xaa0
[ 73.593103][ T6527] ? sock_map_lookup+0x400/0x400
[ 73.598039][ T6527] ? down_write+0xe0/0x150
[ 73.602441][ T6527] ? __down_timeout+0x10/0x10
[ 73.607101][ T6527] ? locks_remove_file+0x2f9/0x570
[ 73.612207][ T6527] unix_release+0x7a/0xe0
[ 73.616574][ T6527] __sock_release+0xcd/0x280
[ 73.621161][ T6527] sock_close+0x18/0x20
[ 73.625307][ T6527] __fput+0x288/0x9f0
[ 73.629379][ T6527] ? __sock_release+0x280/0x280
[ 73.634231][ T6527] task_work_run+0xdd/0x1a0
[ 73.638732][ T6527] do_exit+0xbae/0x2a30
[ 73.642967][ T6527] ? __context_tracking_exit+0xb8/0xe0
[ 73.648443][ T6527] ? lock_downgrade+0x6e0/0x6e0
[ 73.653292][ T6527] ? lock_downgrade+0x6e0/0x6e0
[ 73.658135][ T6527] ? mm_update_next_owner+0x7a0/0x7a0
[ 73.663505][ T6527] do_group_exit+0x125/0x310
[ 73.668091][ T6527] __x64_sys_exit_group+0x3a/0x50
[ 73.674410][ T6527] do_syscall_64+0x35/0xb0
[ 73.678828][ T6527] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.684709][ T6527] RIP: 0033:0x7ff4f48030a9
[ 73.689115][ T6527] Code: Unable to access opcode bytes at RIP 0x7ff4f480307f.
[ 73.696473][ T6527] RSP: 002b:00007fff4aef6b88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 73.704960][ T6527] RAX: ffffffffffffffda RBX: 00007ff4f4877410 RCX: 00007ff4f48030a9
[ 73.712937][ T6527] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 73.720923][ T6527] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 73.728900][ T6527] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff4f4877410
[ 73.736861][ T6527] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 73.744841][ T6527]
[ 73.747154][ T6527] Allocated by task 6527:
[ 73.751472][ T6527] kasan_save_stack+0x1b/0x40
[ 73.756143][ T6527] __kasan_slab_alloc+0x83/0xb0
[ 73.760981][ T6527] kmem_cache_alloc+0x209/0x390
[ 73.765861][ T6527] skb_clone+0x170/0x3c0
[ 73.770091][ T6527] sk_psock_verdict_recv+0x72/0x7e0
[ 73.775369][ T6527] unix_read_sock+0xd7/0x250
[ 73.779948][ T6527] sk_psock_verdict_data_ready+0x11a/0x180
[ 73.785741][ T6527] unix_dgram_sendmsg+0xfa7/0x1950
[ 73.790855][ T6527] sock_sendmsg+0xcf/0x120
[ 73.795279][ T6527] ____sys_sendmsg+0x331/0x810
[ 73.800038][ T6527] ___sys_sendmsg+0xf3/0x170
[ 73.804630][ T6527] __sys_sendmmsg+0x195/0x470
[ 73.809301][ T6527] __x64_sys_sendmmsg+0x99/0x100
[ 73.814245][ T6527] do_syscall_64+0x35/0xb0
[ 73.818652][ T6527] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.824536][ T6527]
[ 73.826858][ T6527] Freed by task 20:
[ 73.830644][ T6527] kasan_save_stack+0x1b/0x40
[ 73.835317][ T6527] kasan_set_track+0x1c/0x30
[ 73.839899][ T6527] kasan_set_free_info+0x20/0x30
[ 73.844922][ T6527] __kasan_slab_free+0xff/0x130
[ 73.849792][ T6527] slab_free_freelist_hook+0x81/0x190
[ 73.855307][ T6527] kmem_cache_free+0x8a/0x5b0
[ 73.859988][ T6527] kfree_skbmem+0xef/0x1b0
[ 73.864401][ T6527] kfree_skb+0x140/0x3f0
[ 73.868642][ T6527] sk_psock_backlog+0x93b/0xda0
[ 73.873487][ T6527] process_one_work+0x9bf/0x16b0
[ 73.878420][ T6527] worker_thread+0x658/0x11f0
[ 73.883099][ T6527] kthread+0x3e5/0x4d0
[ 73.887187][ T6527] ret_from_fork+0x1f/0x30
[ 73.891656][ T6527]
[ 73.894004][ T6527] The buggy address belongs to the object at ffff88806ff183c0
[ 73.894004][ T6527] which belongs to the cache skbuff_head_cache of size 232
[ 73.909023][ T6527] The buggy address is located 220 bytes inside of
[ 73.909023][ T6527] 232-byte region [ffff88806ff183c0, ffff88806ff184a8)
[ 73.922313][ T6527] The buggy address belongs to the page:
[ 73.928635][ T6527] page:ffffea0001bfc600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6ff18
[ 73.938777][ T6527] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 73.946596][ T6527] raw: 00fff00000000200 ffffea000055f980 0000000b00000002 ffff888015fd9000
[ 73.955363][ T6527] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 73.963942][ T6527] page dumped because: kasan: bad access detected
[ 73.970352][ T6527] page_owner tracks the page as allocated
[ 73.976158][ T6527] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4554, ts 63670365184, free_ts 63667414980
[ 73.992465][ T6527] get_page_from_freelist+0xa72/0x2f80
[ 73.997967][ T6527] __alloc_pages+0x1b2/0x500
[ 74.002548][ T6527] alloc_pages+0x1a7/0x300
[ 74.006952][ T6527] new_slab+0x319/0x490
[ 74.011102][ T6527] ___slab_alloc+0x921/0xfe0
[ 74.015680][ T6527] __slab_alloc.constprop.0+0x4d/0xa0
[ 74.021097][ T6527] kmem_cache_alloc_node+0x11f/0x3d0
[ 74.026375][ T6527] __alloc_skb+0x20b/0x340
[ 74.030779][ T6527] netlink_sendmsg+0x967/0xdb0
[ 74.035562][ T6527] sock_sendmsg+0xcf/0x120
[ 74.040010][ T6527] ____sys_sendmsg+0x6e8/0x810
[ 74.044760][ T6527] ___sys_sendmsg+0xf3/0x170
[ 74.049345][ T6527] __sys_sendmsg+0xe5/0x1b0
[ 74.053850][ T6527] do_syscall_64+0x35/0xb0
[ 74.058268][ T6527] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.064163][ T6527] page last free stack trace:
[ 74.068823][ T6527] free_pcp_prepare+0x2c5/0x780
[ 74.073671][ T6527] free_unref_page+0x19/0x690
[ 74.078358][ T6527] qlist_free_all+0x5a/0xc0
[ 74.082876][ T6527] kasan_quarantine_reduce+0x180/0x200
[ 74.088332][ T6527] __kasan_slab_alloc+0x95/0xb0
[ 74.093171][ T6527] __kmalloc+0x1e7/0x320
[ 74.097408][ T6527] tomoyo_realpath_from_path+0xc3/0x620
[ 74.102947][ T6527] tomoyo_path_number_perm+0x1d5/0x590
[ 74.108423][ T6527] security_path_chmod+0xe0/0x150
[ 74.113533][ T6527] chmod_common+0x156/0x440
[ 74.118044][ T6527] __x64_sys_fchmod+0x10e/0x190
[ 74.122900][ T6527] do_syscall_64+0x35/0xb0
[ 74.127308][ T6527] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.133195][ T6527]
[ 74.135520][ T6527] Memory state around the buggy address:
[ 74.141148][ T6527] ffff88806ff18380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 74.149199][ T6527] ffff88806ff18400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.157256][ T6527] >ffff88806ff18480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 74.165305][ T6527] ^
[ 74.170154][ T6527] ffff88806ff18500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.178199][ T6527] ffff88806ff18580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 74.186240][ T6527] ==================================================================
[ 74.194280][ T6527] Disabling lock debugging due to kernel taint
[ 74.200466][ T6527] Kernel panic - not syncing: panic_on_warn set ...
[ 74.207044][ T6527] CPU: 1 PID: 6527 Comm: syz-executor951 Tainted: G B 5.15.0-rc4-syzkaller #0
[ 74.217385][ T6527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.227441][ T6527] Call Trace:
[ 74.230724][ T6527] dump_stack_lvl+0xcd/0x134
[ 74.235328][ T6527] panic+0x2b0/0x6dd
[ 74.239317][ T6527] ? __warn_printk+0xf3/0xf3
[ 74.243934][ T6527] ? consume_skb+0x2e/0x160
[ 74.248428][ T6527] ? trace_hardirqs_on+0x38/0x1c0
[ 74.253496][ T6527] ? trace_hardirqs_on+0x51/0x1c0
[ 74.258505][ T6527] ? consume_skb+0x2e/0x160
[ 74.263006][ T6527] ? consume_skb+0x2e/0x160
[ 74.267515][ T6527] end_report.cold+0x63/0x6f
[ 74.272093][ T6527] kasan_report.cold+0x71/0xdf
[ 74.276843][ T6527] ? consume_skb+0x2e/0x160
[ 74.281354][ T6527] kasan_check_range+0x13d/0x180
[ 74.286279][ T6527] consume_skb+0x2e/0x160
[ 74.290605][ T6527] __sk_msg_free+0x26d/0x360
[ 74.295190][ T6527] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 74.301069][ T6527] sk_psock_stop+0x415/0x620
[ 74.305650][ T6527] sock_map_close+0x34a/0x780
[ 74.310336][ T6527] ? espintcp_init_sk+0xaa0/0xaa0
[ 74.315347][ T6527] ? sock_map_lookup+0x400/0x400
[ 74.320273][ T6527] ? down_write+0xe0/0x150
[ 74.324674][ T6527] ? __down_timeout+0x10/0x10
[ 74.329405][ T6527] ? locks_remove_file+0x2f9/0x570
[ 74.334561][ T6527] unix_release+0x7a/0xe0
[ 74.338888][ T6527] __sock_release+0xcd/0x280
[ 74.343518][ T6527] sock_close+0x18/0x20
[ 74.347658][ T6527] __fput+0x288/0x9f0
[ 74.351625][ T6527] ? __sock_release+0x280/0x280
[ 74.356491][ T6527] task_work_run+0xdd/0x1a0
[ 74.360994][ T6527] do_exit+0xbae/0x2a30
[ 74.365150][ T6527] ? __context_tracking_exit+0xb8/0xe0
[ 74.370691][ T6527] ? lock_downgrade+0x6e0/0x6e0
[ 74.375581][ T6527] ? lock_downgrade+0x6e0/0x6e0
[ 74.380429][ T6527] ? mm_update_next_owner+0x7a0/0x7a0
[ 74.385808][ T6527] do_group_exit+0x125/0x310
[ 74.390566][ T6527] __x64_sys_exit_group+0x3a/0x50
[ 74.395583][ T6527] do_syscall_64+0x35/0xb0
[ 74.399986][ T6527] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.405866][ T6527] RIP: 0033:0x7ff4f48030a9
[ 74.410260][ T6527] Code: Unable to access opcode bytes at RIP 0x7ff4f480307f.
[ 74.417615][ T6527] RSP: 002b:00007fff4aef6b88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 74.426006][ T6527] RAX: ffffffffffffffda RBX: 00007ff4f4877410 RCX: 00007ff4f48030a9
[ 74.433966][ T6527] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 74.441918][ T6527] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 74.449880][ T6527] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff4f4877410
[ 74.457854][ T6527] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 74.466254][ T6527] Kernel Offset: disabled
[ 74.470595][ T6527] Rebooting in 86400 seconds..