[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.208' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 57.199984][ T6534] FAULT_INJECTION: forcing a failure.
[ 57.199984][ T6534] name failslab, interval 1, probability 0, space 0, times 1
[ 57.213196][ T6534] CPU: 1 PID: 6534 Comm: syz-executor679 Not tainted 5.15.0-rc4-syzkaller #0
[ 57.222166][ T6534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.232202][ T6534] Call Trace:
[ 57.235683][ T6534] dump_stack_lvl+0xcd/0x134
[ 57.240288][ T6534] should_fail.cold+0x5/0xa
[ 57.244778][ T6534] ? sk_psock_skb_ingress_self+0x4e/0x370
[ 57.250485][ T6534] should_failslab+0x5/0x10
[ 57.254974][ T6534] kmem_cache_alloc_trace+0x55/0x2b0
[ 57.260249][ T6534] sk_psock_skb_ingress_self+0x4e/0x370
[ 57.265782][ T6534] ? force_compatible_cpus_allowed_ptr+0x360/0x360
[ 57.272691][ T6534] sk_psock_verdict_apply+0x34c/0x430
[ 57.278086][ T6534] sk_psock_verdict_recv+0x2b0/0x7e0
[ 57.283371][ T6534] unix_read_sock+0xd7/0x250
[ 57.287954][ T6534] ? sk_psock_strp_read+0x6e0/0x6e0
[ 57.293150][ T6534] ? unix_compat_ioctl+0x30/0x30
[ 57.298421][ T6534] ? find_held_lock+0x2d/0x110
[ 57.303174][ T6534] ? unix_compat_ioctl+0x30/0x30
[ 57.308100][ T6534] sk_psock_verdict_data_ready+0x11a/0x180
[ 57.313897][ T6534] ? sk_psock_strp_read_done+0x10/0x10
[ 57.319344][ T6534] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 57.325156][ T6534] ? do_raw_spin_unlock+0x171/0x230
[ 57.330360][ T6534] unix_dgram_sendmsg+0xfa7/0x1950
[ 57.335473][ T6534] ? unix_stream_sendpage+0xca0/0xca0
[ 57.340950][ T6534] ? aa_af_perm+0x230/0x230
[ 57.345465][ T6534] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 57.351698][ T6534] ? unix_stream_sendpage+0xca0/0xca0
[ 57.357059][ T6534] sock_sendmsg+0xcf/0x120
[ 57.361469][ T6534] ____sys_sendmsg+0x331/0x810
[ 57.366222][ T6534] ? kernel_sendmsg+0x50/0x50
[ 57.370885][ T6534] ? do_recvmmsg+0x6d0/0x6d0
[ 57.375471][ T6534] ___sys_sendmsg+0xf3/0x170
[ 57.380051][ T6534] ? sendmsg_copy_msghdr+0x160/0x160
[ 57.385326][ T6534] ? mark_lock+0xef/0x17b0
[ 57.389733][ T6534] ? mark_lock+0xef/0x17b0
[ 57.394136][ T6534] ? lock_chain_count+0x20/0x20
[ 57.398973][ T6534] ? lock_chain_count+0x20/0x20
[ 57.403898][ T6534] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 57.409870][ T6534] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 57.416304][ T6534] ? __fget_light+0x215/0x280
[ 57.421515][ T6534] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 57.427769][ T6534] __sys_sendmmsg+0x195/0x470
[ 57.432443][ T6534] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 57.437456][ T6534] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 57.443454][ T6534] ? find_held_lock+0x2d/0x110
[ 57.448210][ T6534] ? __context_tracking_exit+0xb8/0xe0
[ 57.453744][ T6534] ? lock_downgrade+0x6e0/0x6e0
[ 57.458760][ T6534] ? lock_downgrade+0x6e0/0x6e0
[ 57.463629][ T6534] __x64_sys_sendmmsg+0x99/0x100
[ 57.468556][ T6534] ? syscall_enter_from_user_mode+0x21/0x70
[ 57.474461][ T6534] do_syscall_64+0x35/0xb0
[ 57.478956][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 57.484838][ T6534] RIP: 0033:0x7fcdd177a3b9
[ 57.489241][ T6534] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 57.508921][ T6534] RSP: 002b:00007ffd06871d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 57.517320][ T6534] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcdd177a3b9
[ 57.525453][ T6534] RDX: 0307017fdb7a66cb RSI: 0000000020002dc0 RDI: 0000000000000006
[ 57.533407][ T6534] RBP: 00007ffd06871d20 R08: 0000000000000001 R09: 0000000000000001
[ 57.541362][ T6534] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 57.549598][ T6534] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 57.586635][ T6534] ==================================================================
[ 57.594949][ T6534] BUG: KASAN: use-after-free in consume_skb+0x2e/0x160
[ 57.602582][ T6534] Read of size 4 at addr ffff88807e26cd5c by task syz-executor679/6534
[ 57.611718][ T6534]
[ 57.614029][ T6534] CPU: 1 PID: 6534 Comm: syz-executor679 Not tainted 5.15.0-rc4-syzkaller #0
[ 57.623412][ T6534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.633945][ T6534] Call Trace:
[ 57.637335][ T6534] dump_stack_lvl+0xcd/0x134
[ 57.641911][ T6534] print_address_description.constprop.0.cold+0x6c/0x309
[ 57.649866][ T6534] ? consume_skb+0x2e/0x160
[ 57.654799][ T6534] ? consume_skb+0x2e/0x160
[ 57.659287][ T6534] kasan_report.cold+0x83/0xdf
[ 57.664038][ T6534] ? consume_skb+0x2e/0x160
[ 57.668841][ T6534] kasan_check_range+0x13d/0x180
[ 57.674123][ T6534] consume_skb+0x2e/0x160
[ 57.678601][ T6534] __sk_msg_free+0x26d/0x360
[ 57.683180][ T6534] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 57.688981][ T6534] sk_psock_stop+0x415/0x620
[ 57.693583][ T6534] sock_map_close+0x34a/0x780
[ 57.698257][ T6534] ? espintcp_init_sk+0xaa0/0xaa0
[ 57.703285][ T6534] ? sock_map_lookup+0x400/0x400
[ 57.708225][ T6534] ? down_write+0xe0/0x150
[ 57.712633][ T6534] ? __down_timeout+0x10/0x10
[ 57.717297][ T6534] ? locks_remove_file+0x2f9/0x570
[ 57.722407][ T6534] unix_release+0x7a/0xe0
[ 57.726732][ T6534] __sock_release+0xcd/0x280
[ 57.731311][ T6534] sock_close+0x18/0x20
[ 57.735453][ T6534] __fput+0x288/0x9f0
[ 57.739426][ T6534] ? __sock_release+0x280/0x280
[ 57.744268][ T6534] task_work_run+0xdd/0x1a0
[ 57.748767][ T6534] do_exit+0xbae/0x2a30
[ 57.752913][ T6534] ? __context_tracking_exit+0xb8/0xe0
[ 57.758471][ T6534] ? lock_downgrade+0x6e0/0x6e0
[ 57.763313][ T6534] ? lock_downgrade+0x6e0/0x6e0
[ 57.768158][ T6534] ? mm_update_next_owner+0x7a0/0x7a0
[ 57.773531][ T6534] do_group_exit+0x125/0x310
[ 57.778116][ T6534] __x64_sys_exit_group+0x3a/0x50
[ 57.783132][ T6534] do_syscall_64+0x35/0xb0
[ 57.787542][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 57.793778][ T6534] RIP: 0033:0x7fcdd1779049
[ 57.798187][ T6534] Code: Unable to access opcode bytes at RIP 0x7fcdd177901f.
[ 57.805563][ T6534] RSP: 002b:00007ffd06871cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.813970][ T6534] RAX: ffffffffffffffda RBX: 00007fcdd17ed410 RCX: 00007fcdd1779049
[ 57.821935][ T6534] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 57.829899][ T6534] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 57.837861][ T6534] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcdd17ed410
[ 57.846024][ T6534] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 57.854002][ T6534]
[ 57.856313][ T6534] Allocated by task 6534:
[ 57.860617][ T6534] kasan_save_stack+0x1b/0x40
[ 57.865286][ T6534] __kasan_slab_alloc+0x83/0xb0
[ 57.870119][ T6534] kmem_cache_alloc+0x209/0x390
[ 57.874957][ T6534] skb_clone+0x170/0x3c0
[ 57.879194][ T6534] sk_psock_verdict_recv+0x72/0x7e0
[ 57.884381][ T6534] unix_read_sock+0xd7/0x250
[ 57.888967][ T6534] sk_psock_verdict_data_ready+0x11a/0x180
[ 57.894768][ T6534] unix_dgram_sendmsg+0xfa7/0x1950
[ 57.899868][ T6534] sock_sendmsg+0xcf/0x120
[ 57.904271][ T6534] ____sys_sendmsg+0x331/0x810
[ 57.909021][ T6534] ___sys_sendmsg+0xf3/0x170
[ 57.913599][ T6534] __sys_sendmmsg+0x195/0x470
[ 57.918268][ T6534] __x64_sys_sendmmsg+0x99/0x100
[ 57.923202][ T6534] do_syscall_64+0x35/0xb0
[ 57.927610][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 57.933494][ T6534]
[ 57.935802][ T6534] Freed by task 1053:
[ 57.939762][ T6534] kasan_save_stack+0x1b/0x40
[ 57.944432][ T6534] kasan_set_track+0x1c/0x30
[ 57.949357][ T6534] kasan_set_free_info+0x20/0x30
[ 57.954277][ T6534] __kasan_slab_free+0xff/0x130
[ 57.959115][ T6534] slab_free_freelist_hook+0x81/0x190
[ 57.964612][ T6534] kmem_cache_free+0x8a/0x5b0
[ 57.969560][ T6534] kfree_skbmem+0xef/0x1b0
[ 57.973991][ T6534] kfree_skb+0x140/0x3f0
[ 57.978235][ T6534] sk_psock_backlog+0x93b/0xda0
[ 57.983076][ T6534] process_one_work+0x9bf/0x16b0
[ 57.988007][ T6534] worker_thread+0x658/0x11f0
[ 57.992673][ T6534] kthread+0x3e5/0x4d0
[ 57.996734][ T6534] ret_from_fork+0x1f/0x30
[ 58.001136][ T6534]
[ 58.003442][ T6534] The buggy address belongs to the object at ffff88807e26cc80
[ 58.003442][ T6534] which belongs to the cache skbuff_head_cache of size 232
[ 58.018000][ T6534] The buggy address is located 220 bytes inside of
[ 58.018000][ T6534] 232-byte region [ffff88807e26cc80, ffff88807e26cd68)
[ 58.031349][ T6534] The buggy address belongs to the page:
[ 58.036982][ T6534] page:ffffea0001f89b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e26c
[ 58.047118][ T6534] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 58.054654][ T6534] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881445f7000
[ 58.063260][ T6534] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 58.071822][ T6534] page dumped because: kasan: bad access detected
[ 58.078300][ T6534] page_owner tracks the page as allocated
[ 58.083997][ T6534] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 6532, ts 57118420627, free_ts 57103748921
[ 58.100131][ T6534] register_dummy_stack+0x66/0xb0
[ 58.105151][ T6534] init_page_owner+0x44/0x890
[ 58.109815][ T6534] page_ext_init+0x4c6/0x4d9
[ 58.114415][ T6534] kernel_init_freeable+0x48b/0x73a
[ 58.119687][ T6534] page last free stack trace:
[ 58.124343][ T6534] free_pcp_prepare+0x2c5/0x780
[ 58.129178][ T6534] free_unref_page+0x19/0x690
[ 58.133838][ T6534] kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 58.139542][ T6534] __apply_to_page_range+0x694/0x1080
[ 58.144906][ T6534] kasan_release_vmalloc+0xa7/0xc0
[ 58.150005][ T6534] __purge_vmap_area_lazy+0x8f9/0x1c50
[ 58.155452][ T6534] _vm_unmap_aliases.part.0+0x3f0/0x500
[ 58.160988][ T6534] vm_unmap_aliases+0x47/0x50
[ 58.165652][ T6534] change_page_attr_set_clr+0x241/0x500
[ 58.171189][ T6534] set_memory_ro+0x78/0xa0
[ 58.175591][ T6534] bpf_int_jit_compile+0xe36/0x11e0
[ 58.180780][ T6534] bpf_prog_select_runtime+0x464/0x6a0
[ 58.186226][ T6534] bpf_migrate_filter+0x2dc/0x380
[ 58.191239][ T6534] bpf_prog_create_from_user+0x51b/0x660
[ 58.196855][ T6534] do_seccomp+0x388/0x2890
[ 58.201262][ T6534] prctl_set_seccomp+0x4a/0x70
[ 58.206014][ T6534]
[ 58.208317][ T6534] Memory state around the buggy address:
[ 58.213923][ T6534] ffff88807e26cc00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 58.221971][ T6534] ffff88807e26cc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.230023][ T6534] >ffff88807e26cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 58.238068][ T6534]                                                     ^
[ 58.245009][ T6534] ffff88807e26cd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 58.253076][ T6534] ffff88807e26ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.261204][ T6534] ==================================================================
[ 58.269242][ T6534] Disabling lock debugging due to kernel taint
[ 58.275417][ T6534] Kernel panic - not syncing: panic_on_warn set ...
[ 58.282271][ T6534] CPU: 1 PID: 6534 Comm: syz-executor679 Tainted: G B 5.15.0-rc4-syzkaller #0
[ 58.292423][ T6534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.302480][ T6534] Call Trace:
[ 58.305753][ T6534] dump_stack_lvl+0xcd/0x134
[ 58.310334][ T6534] panic+0x2b0/0x6dd
[ 58.314213][ T6534] ? __warn_printk+0xf3/0xf3
[ 58.318788][ T6534] ? consume_skb+0x2e/0x160
[ 58.323303][ T6534] ? trace_hardirqs_on+0x38/0x1c0
[ 58.328316][ T6534] ? trace_hardirqs_on+0x51/0x1c0
[ 58.333329][ T6534] ? consume_skb+0x2e/0x160
[ 58.337819][ T6534] ? consume_skb+0x2e/0x160
[ 58.342314][ T6534] end_report.cold+0x63/0x6f
[ 58.346891][ T6534] kasan_report.cold+0x71/0xdf
[ 58.351643][ T6534] ? consume_skb+0x2e/0x160
[ 58.356139][ T6534] kasan_check_range+0x13d/0x180
[ 58.361066][ T6534] consume_skb+0x2e/0x160
[ 58.365484][ T6534] __sk_msg_free+0x26d/0x360
[ 58.370079][ T6534] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 58.375878][ T6534] sk_psock_stop+0x415/0x620
[ 58.380462][ T6534] sock_map_close+0x34a/0x780
[ 58.385296][ T6534] ? espintcp_init_sk+0xaa0/0xaa0
[ 58.390330][ T6534] ? sock_map_lookup+0x400/0x400
[ 58.395354][ T6534] ? down_write+0xe0/0x150
[ 58.399753][ T6534] ? __down_timeout+0x10/0x10
[ 58.404409][ T6534] ? locks_remove_file+0x2f9/0x570
[ 58.409509][ T6534] unix_release+0x7a/0xe0
[ 58.413828][ T6534] __sock_release+0xcd/0x280
[ 58.418401][ T6534] sock_close+0x18/0x20
[ 58.422539][ T6534] __fput+0x288/0x9f0
[ 58.426511][ T6534] ? __sock_release+0x280/0x280
[ 58.431353][ T6534] task_work_run+0xdd/0x1a0
[ 58.435841][ T6534] do_exit+0xbae/0x2a30
[ 58.439982][ T6534] ? __context_tracking_exit+0xb8/0xe0
[ 58.445427][ T6534] ? lock_downgrade+0x6e0/0x6e0
[ 58.450261][ T6534] ? lock_downgrade+0x6e0/0x6e0
[ 58.455092][ T6534] ? mm_update_next_owner+0x7a0/0x7a0
[ 58.460468][ T6534] do_group_exit+0x125/0x310
[ 58.465043][ T6534] __x64_sys_exit_group+0x3a/0x50
[ 58.470136][ T6534] do_syscall_64+0x35/0xb0
[ 58.474539][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 58.480419][ T6534] RIP: 0033:0x7fcdd1779049
[ 58.484831][ T6534] Code: Unable to access opcode bytes at RIP 0x7fcdd177901f.
[ 58.492432][ T6534] RSP: 002b:00007ffd06871cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 58.500997][ T6534] RAX: ffffffffffffffda RBX: 00007fcdd17ed410 RCX: 00007fcdd1779049
[ 58.508949][ T6534] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 58.516904][ T6534] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 58.524855][ T6534] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcdd17ed410
[ 58.532812][ T6534] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 58.542312][ T6534] Kernel Offset: disabled
[ 58.546618][ T6534] Rebooting in 86400 seconds..