forked to background, child pid 3172
no interfaces have a carrier
[ 24.195830][ T3173] 8021q: adding VLAN 0 to HW filter on device bond0
[ 24.208116][ T3173] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.90' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.109902][ T3585] ==================================================================
[ 38.118382][ T3585] BUG: KASAN: use-after-free in strcmp+0x9b/0xb0
[ 38.124791][ T3585] Read of size 1 at addr ffff888022436144 by task syz-executor631/3585
[ 38.133060][ T3585]
[ 38.135374][ T3585] CPU: 1 PID: 3585 Comm: syz-executor631 Not tainted 5.17.0-rc3-syzkaller #0
[ 38.144127][ T3585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.154191][ T3585] Call Trace:
[ 38.157470][ T3585]
[ 38.160428][ T3585] dump_stack_lvl+0xcd/0x134
[ 38.165055][ T3585] print_address_description.constprop.0.cold+0x8d/0x336
[ 38.172101][ T3585] ? strcmp+0x9b/0xb0
[ 38.176093][ T3585] ? strcmp+0x9b/0xb0
[ 38.180059][ T3585] kasan_report.cold+0x83/0xdf
[ 38.184836][ T3585] ? strcmp+0x9b/0xb0
[ 38.188854][ T3585] strcmp+0x9b/0xb0
[ 38.192694][ T3585] madvise_update_vma+0x4e6/0x7f0
[ 38.197776][ T3585] madvise_vma_behavior+0x116/0x1910
[ 38.203064][ T3585] ? madvise_vma_anon_name+0xc0/0xc0
[ 38.208355][ T3585] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 38.214084][ T3585] ? vmacache_find+0x62/0x330
[ 38.218769][ T3585] ? find_vma+0xbd/0x270
[ 38.223011][ T3585] madvise_walk_vmas+0x1d5/0x2d0
[ 38.228067][ T3585] ? madvise_vma_anon_name+0xc0/0xc0
[ 38.233358][ T3585] ? __remove_memory+0x40/0x40
[ 38.238127][ T3585] ? __down_timeout+0x10/0x10
[ 38.242808][ T3585] ? find_held_lock+0x2d/0x110
[ 38.247827][ T3585] do_madvise+0x249/0x3c0
[ 38.252167][ T3585] ? madvise_set_anon_name+0xe0/0xe0
[ 38.257464][ T3585] __x64_sys_madvise+0xa6/0x110
[ 38.262316][ T3585] ? syscall_enter_from_user_mode+0x21/0x70
[ 38.268220][ T3585] do_syscall_64+0x35/0xb0
[ 38.272649][ T3585] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 38.278694][ T3585] RIP: 0033:0x7f697f40aff9
[ 38.283115][ T3585] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 38.302918][ T3585] RSP: 002b:00007ffd5c1eda68 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 38.311344][ T3585] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f697f40aff9
[ 38.319311][ T3585] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 38.327269][ T3585] RBP: 00007f697f3cefe0 R08: 0000000000000000 R09: 0000000000000000
[ 38.335228][ T3585] R10: 0000000020000000 R11: 0000000000000246 R12: 00007f697f3cf070
[ 38.343185][ T3585] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 38.351162][ T3585]
[ 38.354167][ T3585]
[ 38.356474][ T3585] Allocated by task 3585:
[ 38.360781][ T3585] kasan_save_stack+0x1e/0x40
[ 38.365462][ T3585] __kasan_kmalloc+0xa9/0xd0
[ 38.370037][ T3585] madvise_update_vma+0x546/0x7f0
[ 38.375140][ T3585] madvise_vma_anon_name+0x7c/0xc0
[ 38.380240][ T3585] madvise_walk_vmas+0x1d5/0x2d0
[ 38.385167][ T3585] madvise_set_anon_name+0xac/0xe0
[ 38.390618][ T3585] __do_sys_prctl+0xeb5/0x12d0
[ 38.395372][ T3585] do_syscall_64+0x35/0xb0
[ 38.399778][ T3585] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 38.405659][ T3585]
[ 38.407964][ T3585] Freed by task 3585:
[ 38.411920][ T3585] kasan_save_stack+0x1e/0x40
[ 38.416580][ T3585] kasan_set_track+0x21/0x30
[ 38.421152][ T3585] kasan_set_free_info+0x20/0x30
[ 38.426077][ T3585] ____kasan_slab_free+0x130/0x160
[ 38.431170][ T3585] slab_free_freelist_hook+0x8b/0x1c0
[ 38.436530][ T3585] kfree+0xcb/0x280
[ 38.440323][ T3585] free_vma_anon_name+0xeb/0x110
[ 38.445408][ T3585] vm_area_free+0x11/0x30
[ 38.449725][ T3585] __vma_adjust+0x836/0x24a0
[ 38.454436][ T3585] vma_merge+0x860/0xeb0
[ 38.458725][ T3585] madvise_update_vma+0x1b6/0x7f0
[ 38.463740][ T3585] madvise_vma_behavior+0x116/0x1910
[ 38.469014][ T3585] madvise_walk_vmas+0x1d5/0x2d0
[ 38.473942][ T3585] do_madvise+0x249/0x3c0
[ 38.478258][ T3585] __x64_sys_madvise+0xa6/0x110
[ 38.483098][ T3585] do_syscall_64+0x35/0xb0
[ 38.487506][ T3585] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 38.493395][ T3585]
[ 38.495702][ T3585] The buggy address belongs to the object at ffff888022436140
[ 38.495702][ T3585] which belongs to the cache kmalloc-32 of size 32
[ 38.509590][ T3585] The buggy address is located 4 bytes inside of
[ 38.509590][ T3585] 32-byte region [ffff888022436140, ffff888022436160)
[ 38.522598][ T3585] The buggy address belongs to the page:
[ 38.528238][ T3585] page:ffffea0000890d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22436
[ 38.538380][ T3585] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 38.545938][ T3585] raw: 00fff00000000200 ffffea0001fce5c0 dead000000000003 ffff888010c41500
[ 38.554540][ T3585] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 38.563120][ T3585] page dumped because: kasan: bad access detected
[ 38.569518][ T3585] page_owner tracks the page as allocated
[ 38.575211][ T3585] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2963, ts 14421373143, free_ts 12715492965
[ 38.591369][ T3585] get_page_from_freelist+0xa72/0x2f50
[ 38.596862][ T3585] __alloc_pages+0x1b2/0x500
[ 38.601446][ T3585] alloc_pages+0x1aa/0x310
[ 38.605852][ T3585] new_slab+0x28a/0x3b0
[ 38.609994][ T3585] ___slab_alloc+0x87c/0xe90
[ 38.614574][ T3585] __slab_alloc.constprop.0+0x4d/0xa0
[ 38.619939][ T3585] __kmalloc+0x2fb/0x340
[ 38.624171][ T3585] kobject_get_path+0xbe/0x230
[ 38.628930][ T3585] kobject_uevent_env+0x259/0x1600
[ 38.634029][ T3585] kobject_synth_uevent+0x701/0x850
[ 38.639232][ T3585] uevent_store+0x42/0x90
[ 38.643548][ T3585] drv_attr_store+0x6d/0xa0
[ 38.648062][ T3585] sysfs_kf_write+0x110/0x160
[ 38.652723][ T3585] kernfs_fop_write_iter+0x342/0x500
[ 38.657997][ T3585] new_sync_write+0x431/0x660
[ 38.662665][ T3585] vfs_write+0x7cd/0xae0
[ 38.666897][ T3585] page last free stack trace:
[ 38.671573][ T3585] free_pcp_prepare+0x374/0x870
[ 38.676413][ T3585] free_unref_page+0x19/0x690
[ 38.681085][ T3585] kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 38.686852][ T3585] __apply_to_page_range+0x686/0x1030
[ 38.692452][ T3585] kasan_release_vmalloc+0xa7/0xc0
[ 38.697598][ T3585] __purge_vmap_area_lazy+0x8f9/0x1c50
[ 38.703086][ T3585] _vm_unmap_aliases.part.0+0x3f0/0x500
[ 38.708712][ T3585] vm_unmap_aliases+0x45/0x50
[ 38.713412][ T3585] change_page_attr_set_clr+0x241/0x500
[ 38.719004][ T3585] set_memory_nx+0xb2/0x110
[ 38.723512][ T3585] free_init_pages+0x73/0xc0
[ 38.728404][ T3585] kernel_init+0x2e/0x1d0
[ 38.732748][ T3585] ret_from_fork+0x1f/0x30
[ 38.737190][ T3585]
[ 38.739507][ T3585] Memory state around the buggy address:
[ 38.745175][ T3585] ffff888022436000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 38.753268][ T3585] ffff888022436080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 38.761348][ T3585] >ffff888022436100: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 38.769397][ T3585] ^
[ 38.775690][ T3585] ffff888022436180: 00 00 01 fc fc fc fc fc 00 00 00 04 fc fc fc fc
[ 38.784137][ T3585] ffff888022436200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 38.792220][ T3585] ==================================================================
[ 38.800290][ T3585] Disabling lock debugging due to kernel taint
[ 38.807515][ T3585] Kernel panic - not syncing: panic_on_warn set ...
[ 38.814172][ T3585] CPU: 0 PID: 3585 Comm: syz-executor631 Tainted: G B 5.17.0-rc3-syzkaller #0
[ 38.824346][ T3585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.834416][ T3585] Call Trace:
[ 38.837695][ T3585]
[ 38.840619][ T3585] dump_stack_lvl+0xcd/0x134
[ 38.845305][ T3585] panic+0x2b0/0x6dd
[ 38.849200][ T3585] ? __warn_printk+0xf3/0xf3
[ 38.853782][ T3585] ? preempt_schedule_common+0x59/0xc0
[ 38.859241][ T3585] ? strcmp+0x9b/0xb0
[ 38.863224][ T3585] ? preempt_schedule_thunk+0x16/0x18
[ 38.868595][ T3585] ? trace_hardirqs_on+0x38/0x1c0
[ 38.873607][ T3585] ? trace_hardirqs_on+0x51/0x1c0
[ 38.878627][ T3585] ? strcmp+0x9b/0xb0
[ 38.882600][ T3585] ? strcmp+0x9b/0xb0
[ 38.886573][ T3585] end_report.cold+0x63/0x6f
[ 38.891330][ T3585] kasan_report.cold+0x71/0xdf
[ 38.896102][ T3585] ? strcmp+0x9b/0xb0
[ 38.900073][ T3585] strcmp+0x9b/0xb0
[ 38.903879][ T3585] madvise_update_vma+0x4e6/0x7f0
[ 38.908915][ T3585] madvise_vma_behavior+0x116/0x1910
[ 38.914374][ T3585] ? madvise_vma_anon_name+0xc0/0xc0
[ 38.919668][ T3585] ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[ 38.925399][ T3585] ? vmacache_find+0x62/0x330
[ 38.930093][ T3585] ? find_vma+0xbd/0x270
[ 38.934328][ T3585] madvise_walk_vmas+0x1d5/0x2d0
[ 38.939268][ T3585] ? madvise_vma_anon_name+0xc0/0xc0
[ 38.944546][ T3585] ? __remove_memory+0x40/0x40
[ 38.949302][ T3585] ? __down_timeout+0x10/0x10
[ 38.953981][ T3585] ? find_held_lock+0x2d/0x110
[ 38.958746][ T3585] do_madvise+0x249/0x3c0
[ 38.963080][ T3585] ? madvise_set_anon_name+0xe0/0xe0
[ 38.968481][ T3585] __x64_sys_madvise+0xa6/0x110
[ 38.973342][ T3585] ? syscall_enter_from_user_mode+0x21/0x70
[ 38.979260][ T3585] do_syscall_64+0x35/0xb0
[ 38.984452][ T3585] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 38.990355][ T3585] RIP: 0033:0x7f697f40aff9
[ 38.994781][ T3585] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 39.014520][ T3585] RSP: 002b:00007ffd5c1eda68 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 39.022956][ T3585] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f697f40aff9
[ 39.031232][ T3585] RDX: 000000000000000b RSI: 0000000000001000 RDI: 0000000020ffc000
[ 39.039230][ T3585] RBP: 00007f697f3cefe0 R08: 0000000000000000 R09: 0000000000000000
[ 39.047198][ T3585] R10: 0000000020000000 R11: 0000000000000246 R12: 00007f697f3cf070
[ 39.055166][ T3585] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 39.063137][ T3585]
[ 39.066854][ T3585] Kernel Offset: disabled
[ 39.071176][ T3585] Rebooting in 86400 seconds..