Warning: Permanently added '[localhost]:13720' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 569.356690][ C3] ==================================================================
[ 569.361733][ C3] BUG: KASAN: use-after-free in sock_def_write_space+0x613/0x640
[ 569.361733][ C3] Read of size 8 at addr ffff88801d3705c0 by task ksoftirqd/3/27
[ 569.361733][ C3]
[ 569.361733][ C3] CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.7.0-syzkaller #0
[ 569.361733][ C3] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 569.361733][ C3] Call Trace:
[ 569.361733][ C3]  dump_stack+0x188/0x20d
[ 569.361733][ C3]  ? sock_def_write_space+0x613/0x640
[ 569.361733][ C3]  ? sock_def_write_space+0x613/0x640
[ 569.361733][ C3]  print_address_description.constprop.0.cold+0xd3/0x413
[ 569.361733][ C3]  ? vprintk_func+0x97/0x1a6
[ 569.361733][ C3]  ? sock_def_write_space+0x613/0x640
[ 569.361733][ C3]  kasan_report.cold+0x1f/0x37
[ 569.361733][ C3]  ? sock_def_write_space+0x613/0x640
[ 569.361733][ C3]  sock_def_write_space+0x613/0x640
[ 569.361733][ C3]  sock_wfree+0x1cc/0x240
[ 569.361733][ C3]  ? sk_common_release+0x370/0x370
[ 569.361733][ C3]  skb_release_head_state+0xe2/0x250
[ 569.361733][ C3]  skb_release_all+0x11/0x60
[ 569.361733][ C3]  consume_skb+0xf3/0x400
[ 569.361733][ C3]  __dev_kfree_skb_any+0x9c/0xc0
[ 569.361733][ C3]  e1000_unmap_and_free_tx_resource.isra.0+0x214/0x3a0
[ 569.361733][ C3]  e1000_clean+0x442/0x1b10
[ 569.361733][ C3]  ? finish_task_switch+0x147/0x750
[ 569.361733][ C3]  ? e1000_clean_rx_irq+0x1370/0x1370
[ 569.361733][ C3]  ? net_rx_action+0x25f/0x1070
[ 569.361733][ C3]  ? lockdep_hardirqs_on_prepare+0x1bc/0x590
[ 569.361733][ C3]  net_rx_action+0x4c2/0x1070
[ 569.361733][ C3]  ? debug_smp_processor_id+0x2f/0x185
[ 569.361733][ C3]  ? napi_busy_loop+0x9e0/0x9e0
[ 569.361733][ C3]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 569.361733][ C3]  __do_softirq+0x26c/0x9f7
[ 569.361733][ C3]  ? takeover_tasklets+0x810/0x810
[ 569.361733][ C3]  run_ksoftirqd+0x89/0x100
[ 569.361733][ C3]  smpboot_thread_fn+0x653/0x9e0
[ 569.361733][ C3]  ? __smpboot_create_thread.part.0+0x340/0x340
[ 569.361733][ C3]  ? __kthread_parkme+0x13f/0x1e0
[ 569.361733][ C3]  ? __smpboot_create_thread.part.0+0x340/0x340
[ 569.361733][ C3]  kthread+0x388/0x470
[ 569.361733][ C3]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 569.361733][ C3]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 569.361733][ C3]  ret_from_fork+0x24/0x30
[ 569.361733][ C3]
[ 569.361733][ C3] Allocated by task 8386:
[ 569.361733][ C3]  save_stack+0x1b/0x40
[ 569.361733][ C3]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 569.361733][ C3]  kmem_cache_alloc+0x11b/0x740
[ 569.361733][ C3]  sock_alloc_inode+0x18/0x1c0
[ 569.361733][ C3]  alloc_inode+0x61/0x1e0
[ 569.361733][ C3]  new_inode_pseudo+0x14/0xe0
[ 569.361733][ C3]  sock_alloc+0x3c/0x260
[ 569.361733][ C3]  __sock_create+0xba/0x730
[ 569.361733][ C3]  __sys_socket+0xef/0x200
[ 569.361733][ C3]  __ia32_sys_socket+0x6f/0xb0
[ 569.361733][ C3]  do_fast_syscall_32+0x270/0xe90
[ 569.361733][ C3]  entry_SYSENTER_compat+0x70/0x7f
[ 569.361733][ C3]
[ 569.361733][ C3] Freed by task 0:
[ 569.361733][ C3]  save_stack+0x1b/0x40
[ 569.361733][ C3]  __kasan_slab_free+0xf7/0x140
[ 569.361733][ C3]  kmem_cache_free+0x7f/0x320
[ 569.361733][ C3]  i_callback+0x3f/0x70
[ 569.361733][ C3]  rcu_core+0x59f/0x1370
[ 569.361733][ C3]  __do_softirq+0x26c/0x9f7
[ 569.361733][ C3]
[ 569.361733][ C3] The buggy address belongs to the object at ffff88801d370540
[ 569.361733][ C3]  which belongs to the cache sock_inode_cache of size 1216
[ 569.361733][ C3] The buggy address is located 128 bytes inside of
[ 569.361733][ C3]  1216-byte region [ffff88801d370540, ffff88801d370a00)
[ 569.361733][ C3] The buggy address belongs to the page:
[ 569.361733][ C3] page:ffffea000074dc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801d370ffd
[ 569.361733][ C3] flags: 0xfffe0000000200(slab)
[ 569.361733][ C3] raw: 00fffe0000000200 ffffea000074e9c8 ffffea000074e188 ffff88802bdbda80
[ 569.361733][ C3] raw: ffff88801d370ffd ffff88801d370000 0000000100000003 0000000000000000
[ 569.361733][ C3] page dumped because: kasan: bad access detected
[ 569.361733][ C3]
[ 569.361733][ C3] Memory state around the buggy address:
[ 569.361733][ C3]  ffff88801d370480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 569.361733][ C3]  ffff88801d370500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 569.361733][ C3] >ffff88801d370580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 569.361733][ C3]                                ^
[ 569.361733][ C3]  ffff88801d370600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 569.361733][ C3]  ffff88801d370680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 569.361733][ C3] ==================================================================
[ 569.361733][ C3] Disabling lock debugging due to kernel taint
[ 570.734287][ C3] Kernel panic - not syncing: panic_on_warn set ...
[ 570.743712][ C3] CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G B 5.7.0-syzkaller #0
[ 570.743712][ C3] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 570.743712][ C3] Call Trace:
[ 570.743712][ C3]  dump_stack+0x188/0x20d
[ 570.743712][ C3]  ? sock_def_write_space+0x530/0x640
[ 570.743712][ C3]  panic+0x2e3/0x75c
[ 570.743712][ C3]  ? add_taint.cold+0x16/0x16
[ 570.743712][ C3]  ? retint_kernel+0x2b/0x2b
[ 570.743712][ C3]  ? trace_hardirqs_on+0x55/0x230
[ 570.743712][ C3]  ? sock_def_write_space+0x613/0x640
[ 570.743712][ C3]  ? sock_def_write_space+0x613/0x640
[ 570.743712][ C3]  end_report+0x4d/0x53
[ 570.743712][ C3]  kasan_report.cold+0xd/0x37
[ 570.743712][ C3]  ? sock_def_write_space+0x613/0x640
[ 570.743712][ C3]  sock_def_write_space+0x613/0x640
[ 570.743712][ C3]  sock_wfree+0x1cc/0x240
[ 570.743712][ C3]  ? sk_common_release+0x370/0x370
[ 570.743712][ C3]  skb_release_head_state+0xe2/0x250
[ 570.743712][ C3]  skb_release_all+0x11/0x60
[ 570.743712][ C3]  consume_skb+0xf3/0x400
[ 570.743712][ C3]  __dev_kfree_skb_any+0x9c/0xc0
[ 570.743712][ C3]  e1000_unmap_and_free_tx_resource.isra.0+0x214/0x3a0
[ 570.743712][ C3]  e1000_clean+0x442/0x1b10
[ 570.743712][ C3]  ? finish_task_switch+0x147/0x750
[ 570.743712][ C3]  ? e1000_clean_rx_irq+0x1370/0x1370
[ 570.743712][ C3]  ? net_rx_action+0x25f/0x1070
[ 570.743712][ C3]  ? lockdep_hardirqs_on_prepare+0x1bc/0x590
[ 570.743712][ C3]  net_rx_action+0x4c2/0x1070
[ 570.743712][ C3]  ? debug_smp_processor_id+0x2f/0x185
[ 570.743712][ C3]  ? napi_busy_loop+0x9e0/0x9e0
[ 570.743712][ C3]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 570.743712][ C3]  __do_softirq+0x26c/0x9f7
[ 570.743712][ C3]  ? takeover_tasklets+0x810/0x810
[ 570.743712][ C3]  run_ksoftirqd+0x89/0x100
[ 570.743712][ C3]  smpboot_thread_fn+0x653/0x9e0
[ 570.743712][ C3]  ? __smpboot_create_thread.part.0+0x340/0x340
[ 570.743712][ C3]  ? __kthread_parkme+0x13f/0x1e0
[ 570.743712][ C3]  ? __smpboot_create_thread.part.0+0x340/0x340
[ 570.743712][ C3]  kthread+0x388/0x470
[ 570.743712][ C3]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 570.743712][ C3]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 570.743712][ C3]  ret_from_fork+0x24/0x30
[ 570.743712][ C3] Kernel Offset: disabled
[ 570.743712][ C3] Rebooting in 86400 seconds..