Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   67.522301][ T6535] FAULT_INJECTION: forcing a failure.
[   67.522301][ T6535] name failslab, interval 1, probability 0, space 0, times 1
[   67.535695][ T6535] CPU: 1 PID: 6535 Comm: syz-executor614 Not tainted 5.15.0-rc5-syzkaller #0
[   67.544473][ T6535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.554524][ T6535] Call Trace:
[   67.557795][ T6535]  dump_stack_lvl+0xcd/0x134
[   67.562387][ T6535]  should_fail.cold+0x5/0xa
[   67.566876][ T6535]  ? sk_psock_skb_ingress_self+0x4e/0x370
[   67.572664][ T6535]  should_failslab+0x5/0x10
[   67.577236][ T6535]  kmem_cache_alloc_trace+0x55/0x2b0
[   67.582508][ T6535]  sk_psock_skb_ingress_self+0x4e/0x370
[   67.588081][ T6535]  ? force_compatible_cpus_allowed_ptr+0x3d0/0x3d0
[   67.594879][ T6535]  sk_psock_verdict_apply+0x34c/0x430
[   67.600237][ T6535]  sk_psock_verdict_recv+0x2b0/0x7e0
[   67.605508][ T6535]  unix_read_sock+0xd7/0x250
[   67.610080][ T6535]  ? sk_psock_strp_read+0x6e0/0x6e0
[   67.615262][ T6535]  ? unix_compat_ioctl+0x30/0x30
[   67.620182][ T6535]  ? find_held_lock+0x2d/0x110
[   67.624930][ T6535]  ? unix_compat_ioctl+0x30/0x30
[   67.629849][ T6535]  sk_psock_verdict_data_ready+0x11a/0x180
[   67.635637][ T6535]  ? sk_psock_strp_read_done+0x10/0x10
[   67.641125][ T6535]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[   67.646918][ T6535]  ? do_raw_spin_unlock+0x171/0x230
[   67.652102][ T6535]  unix_dgram_sendmsg+0xfa7/0x1950
[   67.657208][ T6535]  ? unix_stream_sendpage+0xca0/0xca0
[   67.662590][ T6535]  ? aa_af_perm+0x230/0x230
[   67.667088][ T6535]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   67.673314][ T6535]  ? unix_stream_sendpage+0xca0/0xca0
[   67.678666][ T6535]  sock_sendmsg+0xcf/0x120
[   67.683069][ T6535]  ____sys_sendmsg+0x331/0x810
[   67.687815][ T6535]  ? kernel_sendmsg+0x50/0x50
[   67.692472][ T6535]  ? do_recvmmsg+0x6d0/0x6d0
[   67.697069][ T6535]  ___sys_sendmsg+0xf3/0x170
[   67.701641][ T6535]  ? sendmsg_copy_msghdr+0x160/0x160
[   67.706906][ T6535]  ? mark_lock+0xef/0x17b0
[   67.711393][ T6535]  ? mark_lock+0xef/0x17b0
[   67.715795][ T6535]  ? lock_chain_count+0x20/0x20
[   67.720626][ T6535]  ? lock_chain_count+0x20/0x20
[   67.725465][ T6535]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   67.731432][ T6535]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   67.737663][ T6535]  ? __fget_light+0x215/0x280
[   67.742322][ T6535]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   67.748558][ T6535]  __sys_sendmmsg+0x195/0x470
[   67.753229][ T6535]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   67.758236][ T6535]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   67.764296][ T6535]  ? find_held_lock+0x2d/0x110
[   67.769045][ T6535]  ? __context_tracking_exit+0xb8/0xe0
[   67.774508][ T6535]  ? lock_downgrade+0x6e0/0x6e0
[   67.779342][ T6535]  ? lock_downgrade+0x6e0/0x6e0
[   67.784188][ T6535]  __x64_sys_sendmmsg+0x99/0x100
[   67.789108][ T6535]  ? syscall_enter_from_user_mode+0x21/0x70
[   67.794988][ T6535]  do_syscall_64+0x35/0xb0
[   67.799410][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.805291][ T6535] RIP: 0033:0x7f0f42793a49
[   67.809689][ T6535] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   67.829277][ T6535] RSP: 002b:00007ffea1b898f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[   67.837672][ T6535] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f0f42793a49
[   67.845622][ T6535] RDX: 0307017fdb7a66cb RSI: 0000000020002dc0 RDI: 0000000000000006
[   67.853571][ T6535] RBP: 00007ffea1b89900 R08: 0000000000000001 R09: 00007f0f42750035
[   67.861521][ T6535] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[   67.869472][ T6535] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   67.913575][ T6535] ==================================================================
[   67.921717][ T6535] BUG: KASAN: use-after-free in consume_skb+0x2e/0x160
[   67.928551][ T6535] Read of size 4 at addr ffff88801f924c1c by task syz-executor614/6535
[   67.936764][ T6535] 
[   67.939066][ T6535] CPU: 0 PID: 6535 Comm: syz-executor614 Not tainted 5.15.0-rc5-syzkaller #0
[   67.947805][ T6535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.957838][ T6535] Call Trace:
[   67.961100][ T6535]  dump_stack_lvl+0xcd/0x134
[   67.965676][ T6535]  print_address_description.constprop.0.cold+0x6c/0x309
[   67.972683][ T6535]  ? consume_skb+0x2e/0x160
[   67.977166][ T6535]  ? consume_skb+0x2e/0x160
[   67.981651][ T6535]  kasan_report.cold+0x83/0xdf
[   67.986398][ T6535]  ? consume_skb+0x2e/0x160
[   67.990881][ T6535]  kasan_check_range+0x13d/0x180
[   67.995803][ T6535]  consume_skb+0x2e/0x160
[   68.000111][ T6535]  __sk_msg_free+0x26d/0x360
[   68.004683][ T6535]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[   68.010478][ T6535]  sk_psock_stop+0x415/0x620
[   68.015052][ T6535]  sock_map_close+0x34a/0x780
[   68.019708][ T6535]  ? espintcp_init_sk+0xaa0/0xaa0
[   68.024712][ T6535]  ? sock_map_lookup+0x400/0x400
[   68.029629][ T6535]  ? down_write+0xe0/0x150
[   68.034027][ T6535]  ? __down_timeout+0x10/0x10
[   68.038682][ T6535]  ? locks_remove_file+0x2f9/0x570
[   68.043778][ T6535]  unix_release+0x7a/0xe0
[   68.048088][ T6535]  __sock_release+0xcd/0x280
[   68.052665][ T6535]  sock_close+0x18/0x20
[   68.056847][ T6535]  __fput+0x288/0x9f0
[   68.060815][ T6535]  ? __sock_release+0x280/0x280
[   68.065653][ T6535]  task_work_run+0xdd/0x1a0
[   68.070181][ T6535]  do_exit+0xbae/0x2a30
[   68.074441][ T6535]  ? __context_tracking_exit+0xb8/0xe0
[   68.079888][ T6535]  ? lock_downgrade+0x6e0/0x6e0
[   68.084723][ T6535]  ? lock_downgrade+0x6e0/0x6e0
[   68.089557][ T6535]  ? mm_update_next_owner+0x7a0/0x7a0
[   68.094934][ T6535]  do_group_exit+0x125/0x310
[   68.099530][ T6535]  __x64_sys_exit_group+0x3a/0x50
[   68.104546][ T6535]  do_syscall_64+0x35/0xb0
[   68.108954][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.114845][ T6535] RIP: 0033:0x7f0f42792749
[   68.119249][ T6535] Code: Unable to access opcode bytes at RIP 0x7f0f4279271f.
[   68.126595][ T6535] RSP: 002b:00007ffea1b898d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   68.135000][ T6535] RAX: ffffffffffffffda RBX: 00007f0f42806410 RCX: 00007f0f42792749
[   68.144363][ T6535] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   68.152320][ T6535] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f0f42750035
[   68.160285][ T6535] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0f42806410
[   68.168240][ T6535] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   68.176212][ T6535] 
[   68.178518][ T6535] Allocated by task 6535:
[   68.182829][ T6535]  kasan_save_stack+0x1b/0x40
[   68.187490][ T6535]  __kasan_slab_alloc+0x83/0xb0
[   68.192332][ T6535]  kmem_cache_alloc+0x209/0x390
[   68.197167][ T6535]  skb_clone+0x170/0x3c0
[   68.201398][ T6535]  sk_psock_verdict_recv+0x72/0x7e0
[   68.206590][ T6535]  unix_read_sock+0xd7/0x250
[   68.211160][ T6535]  sk_psock_verdict_data_ready+0x11a/0x180
[   68.216948][ T6535]  unix_dgram_sendmsg+0xfa7/0x1950
[   68.222041][ T6535]  sock_sendmsg+0xcf/0x120
[   68.226442][ T6535]  ____sys_sendmsg+0x331/0x810
[   68.231203][ T6535]  ___sys_sendmsg+0xf3/0x170
[   68.235776][ T6535]  __sys_sendmmsg+0x195/0x470
[   68.240434][ T6535]  __x64_sys_sendmmsg+0x99/0x100
[   68.245350][ T6535]  do_syscall_64+0x35/0xb0
[   68.249747][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.255623][ T6535] 
[   68.257926][ T6535] Freed by task 7:
[   68.261622][ T6535]  kasan_save_stack+0x1b/0x40
[   68.266278][ T6535]  kasan_set_track+0x1c/0x30
[   68.270848][ T6535]  kasan_set_free_info+0x20/0x30
[   68.275766][ T6535]  __kasan_slab_free+0xff/0x130
[   68.280594][ T6535]  slab_free_freelist_hook+0x81/0x190
[   68.285950][ T6535]  kmem_cache_free+0x8a/0x5b0
[   68.290605][ T6535]  kfree_skbmem+0xef/0x1b0
[   68.295006][ T6535]  kfree_skb+0x140/0x3f0
[   68.299239][ T6535]  sk_psock_backlog+0x932/0xda0
[   68.304078][ T6535]  process_one_work+0x9bf/0x16b0
[   68.308997][ T6535]  worker_thread+0x658/0x11f0
[   68.313653][ T6535]  kthread+0x3e5/0x4d0
[   68.317701][ T6535]  ret_from_fork+0x1f/0x30
[   68.322097][ T6535] 
[   68.324413][ T6535] The buggy address belongs to the object at ffff88801f924b40
[   68.324413][ T6535]  which belongs to the cache skbuff_head_cache of size 232
[   68.338978][ T6535] The buggy address is located 220 bytes inside of
[   68.338978][ T6535]  232-byte region [ffff88801f924b40, ffff88801f924c28)
[   68.352235][ T6535] The buggy address belongs to the page:
[   68.357848][ T6535] page:ffffea00007e4900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f924
[   68.367979][ T6535] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   68.375508][ T6535] raw: 00fff00000000200 0000000000000000 0000000500000001 ffff888143def640
[   68.384072][ T6535] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   68.392632][ T6535] page dumped because: kasan: bad access detected
[   68.399023][ T6535] page_owner tracks the page as allocated
[   68.404718][ T6535] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4567, ts 58317120590, free_ts 58300268713
[   68.420755][ T6535]  get_page_from_freelist+0xa72/0x2f80
[   68.426201][ T6535]  __alloc_pages+0x1b2/0x500
[   68.430783][ T6535]  alloc_pages+0x1a7/0x300
[   68.435177][ T6535]  new_slab+0x319/0x490
[   68.439324][ T6535]  ___slab_alloc+0x921/0xfe0
[   68.443895][ T6535]  __slab_alloc.constprop.0+0x4d/0xa0
[   68.449258][ T6535]  kmem_cache_alloc+0x365/0x390
[   68.454091][ T6535]  skb_clone+0x170/0x3c0
[   68.458315][ T6535]  netlink_broadcast+0x9a4/0xd50
[   68.463233][ T6535]  netlink_sendmsg+0xa52/0xda0
[   68.467979][ T6535]  sock_sendmsg+0xcf/0x120
[   68.472379][ T6535]  ____sys_sendmsg+0x6e8/0x810
[   68.477131][ T6535]  ___sys_sendmsg+0xf3/0x170
[   68.481699][ T6535]  __sys_sendmsg+0xe5/0x1b0
[   68.486181][ T6535]  do_syscall_64+0x35/0xb0
[   68.490579][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.496453][ T6535] page last free stack trace:
[   68.501102][ T6535]  free_pcp_prepare+0x2c5/0x780
[   68.505933][ T6535]  free_unref_page+0x19/0x690
[   68.510589][ T6535]  qlist_free_all+0x5a/0xc0
[   68.515070][ T6535]  kasan_quarantine_reduce+0x180/0x200
[   68.520521][ T6535]  __kasan_slab_alloc+0x95/0xb0
[   68.525354][ T6535]  kmem_cache_alloc+0x209/0x390
[   68.530187][ T6535]  getname_flags.part.0+0x50/0x4f0
[   68.535293][ T6535]  getname_flags+0x9a/0xe0
[   68.539689][ T6535]  user_path_at_empty+0x2b/0x60
[   68.544521][ T6535]  vfs_statx+0x142/0x390
[   68.548742][ T6535]  __do_sys_newstat+0x91/0x110
[   68.553486][ T6535]  do_syscall_64+0x35/0xb0
[   68.557883][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.563761][ T6535] 
[   68.566067][ T6535] Memory state around the buggy address:
[   68.571672][ T6535]  ffff88801f924b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   68.579711][ T6535]  ffff88801f924b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.587749][ T6535] >ffff88801f924c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   68.595781][ T6535]                             ^
[   68.600608][ T6535]  ffff88801f924c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.608643][ T6535]  ffff88801f924d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   68.616677][ T6535] ==================================================================
[   68.624709][ T6535] Disabling lock debugging due to kernel taint
[   68.630966][ T6535] Kernel panic - not syncing: panic_on_warn set ...
[   68.637546][ T6535] CPU: 0 PID: 6535 Comm: syz-executor614 Tainted: G    B             5.15.0-rc5-syzkaller #0
[   68.647705][ T6535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.657759][ T6535] Call Trace:
[   68.661034][ T6535]  dump_stack_lvl+0xcd/0x134
[   68.665636][ T6535]  panic+0x2b0/0x6dd
[   68.669540][ T6535]  ? __warn_printk+0xf3/0xf3
[   68.674130][ T6535]  ? consume_skb+0x2e/0x160
[   68.678678][ T6535]  ? trace_hardirqs_on+0x38/0x1c0
[   68.683696][ T6535]  ? trace_hardirqs_on+0x51/0x1c0
[   68.688705][ T6535]  ? consume_skb+0x2e/0x160
[   68.693278][ T6535]  ? consume_skb+0x2e/0x160
[   68.697856][ T6535]  end_report.cold+0x63/0x6f
[   68.702609][ T6535]  kasan_report.cold+0x71/0xdf
[   68.707352][ T6535]  ? consume_skb+0x2e/0x160
[   68.711860][ T6535]  kasan_check_range+0x13d/0x180
[   68.716806][ T6535]  consume_skb+0x2e/0x160
[   68.721118][ T6535]  __sk_msg_free+0x26d/0x360
[   68.725701][ T6535]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[   68.731515][ T6535]  sk_psock_stop+0x415/0x620
[   68.736090][ T6535]  sock_map_close+0x34a/0x780
[   68.740746][ T6535]  ? espintcp_init_sk+0xaa0/0xaa0
[   68.745748][ T6535]  ? sock_map_lookup+0x400/0x400
[   68.750680][ T6535]  ? down_write+0xe0/0x150
[   68.755077][ T6535]  ? __down_timeout+0x10/0x10
[   68.759735][ T6535]  ? locks_remove_file+0x2f9/0x570
[   68.764828][ T6535]  unix_release+0x7a/0xe0
[   68.769136][ T6535]  __sock_release+0xcd/0x280
[   68.773708][ T6535]  sock_close+0x18/0x20
[   68.777859][ T6535]  __fput+0x288/0x9f0
[   68.781849][ T6535]  ? __sock_release+0x280/0x280
[   68.786694][ T6535]  task_work_run+0xdd/0x1a0
[   68.791179][ T6535]  do_exit+0xbae/0x2a30
[   68.795316][ T6535]  ? __context_tracking_exit+0xb8/0xe0
[   68.800758][ T6535]  ? lock_downgrade+0x6e0/0x6e0
[   68.805676][ T6535]  ? lock_downgrade+0x6e0/0x6e0
[   68.810508][ T6535]  ? mm_update_next_owner+0x7a0/0x7a0
[   68.815948][ T6535]  do_group_exit+0x125/0x310
[   68.820519][ T6535]  __x64_sys_exit_group+0x3a/0x50
[   68.825624][ T6535]  do_syscall_64+0x35/0xb0
[   68.830022][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.835898][ T6535] RIP: 0033:0x7f0f42792749
[   68.840297][ T6535] Code: Unable to access opcode bytes at RIP 0x7f0f4279271f.
[   68.847638][ T6535] RSP: 002b:00007ffea1b898d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   68.856026][ T6535] RAX: ffffffffffffffda RBX: 00007f0f42806410 RCX: 00007f0f42792749
[   68.863987][ T6535] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   68.871949][ T6535] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007f0f42750035
[   68.879901][ T6535] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0f42806410
[   68.887852][ T6535] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   68.896094][ T6535] Kernel Offset: disabled
[   68.900403][ T6535] Rebooting in 86400 seconds..