[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 73.106345][ T8] ==================================================================
[ 73.114917][ T8] BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90
[ 73.122045][ T8] Read of size 4 at addr ffff8880328cf1c0 by task kworker/u4:0/8
[ 73.129753][ T8]
[ 73.132063][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.14.0-rc1-syzkaller #0
[ 73.140300][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.150447][ T8] Workqueue: tipc_rcv tipc_conn_recv_work
[ 73.156352][ T8] Call Trace:
[ 73.159632][ T8]  dump_stack_lvl+0xcd/0x134
[ 73.164524][ T8]  print_address_description.constprop.0.cold+0x6c/0x309
[ 73.171646][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.176339][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.181008][ T8]  kasan_report.cold+0x83/0xdf
[ 73.185782][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.190778][ T8]  tipc_recvmsg+0xf77/0xf90
[ 73.195292][ T8]  ? tsk_advance_rx_queue+0x460/0x460
[ 73.200694][ T8]  ? is_dynamic_key+0x1a0/0x1a0
[ 73.205544][ T8]  ? aa_af_perm+0x230/0x230
[ 73.210063][ T8]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.216657][ T8]  ? security_socket_recvmsg+0x8f/0xc0
[ 73.222132][ T8]  ? tsk_advance_rx_queue+0x460/0x460
[ 73.227532][ T8]  sock_recvmsg+0xca/0x110
[ 73.231940][ T8]  tipc_conn_rcv_from_sock+0x162/0x2f0
[ 73.237392][ T8]  ? tipc_conn_rcv_sub+0x650/0x650
[ 73.242568][ T8]  tipc_conn_recv_work+0xeb/0x190
[ 73.247583][ T8]  process_one_work+0x98d/0x1630
[ 73.252811][ T8]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.258191][ T8]  ? rwlock_bug.part.0+0x90/0x90
[ 73.263132][ T8]  ? _raw_spin_lock_irq+0x41/0x50
[ 73.268179][ T8]  worker_thread+0x658/0x11f0
[ 73.272869][ T8]  ? process_one_work+0x1630/0x1630
[ 73.278059][ T8]  kthread+0x3e5/0x4d0
[ 73.282138][ T8]  ? set_kthread_struct+0x130/0x130
[ 73.287766][ T8]  ret_from_fork+0x1f/0x30
[ 73.292199][ T8]
[ 73.294513][ T8] Allocated by task 8446:
[ 73.298836][ T8]  kasan_save_stack+0x1b/0x40
[ 73.303503][ T8]  __kasan_slab_alloc+0x84/0xa0
[ 73.308340][ T8]  kmem_cache_alloc_node+0x266/0x3e0
[ 73.313896][ T8]  __alloc_skb+0x20b/0x340
[ 73.318383][ T8]  tipc_buf_acquire+0x25/0xe0
[ 73.323047][ T8]  tipc_msg_build+0xf7/0x10a0
[ 73.327724][ T8]  __tipc_sendstream+0x6d0/0x1150
[ 73.332749][ T8]  tipc_sendstream+0x4c/0x70
[ 73.337345][ T8]  sock_sendmsg+0xcf/0x120
[ 73.341748][ T8]  sock_write_iter+0x289/0x3c0
[ 73.346496][ T8]  new_sync_write+0x426/0x650
[ 73.351188][ T8]  vfs_write+0x75a/0xa40
[ 73.355420][ T8]  ksys_write+0x1ee/0x250
[ 73.359747][ T8]  do_syscall_64+0x35/0xb0
[ 73.364207][ T8]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.370114][ T8]
[ 73.372440][ T8] Freed by task 8:
[ 73.376236][ T8]  kasan_save_stack+0x1b/0x40
[ 73.380925][ T8]  kasan_set_track+0x1c/0x30
[ 73.385515][ T8]  kasan_set_free_info+0x20/0x30
[ 73.390460][ T8]  __kasan_slab_free+0xfb/0x130
[ 73.395501][ T8]  slab_free_freelist_hook+0xdf/0x240
[ 73.401387][ T8]  kmem_cache_free+0x8e/0x5a0
[ 73.406261][ T8]  kfree_skbmem+0x166/0x1b0
[ 73.411116][ T8]  kfree_skb+0x140/0x3f0
[ 73.415605][ T8]  tipc_recvmsg+0x70d/0xf90
[ 73.420122][ T8]  sock_recvmsg+0xca/0x110
[ 73.424618][ T8]  tipc_conn_rcv_from_sock+0x162/0x2f0
[ 73.430278][ T8]  tipc_conn_recv_work+0xeb/0x190
[ 73.435325][ T8]  process_one_work+0x98d/0x1630
[ 73.440360][ T8]  worker_thread+0x658/0x11f0
[ 73.445273][ T8]  kthread+0x3e5/0x4d0
[ 73.449434][ T8]  ret_from_fork+0x1f/0x30
[ 73.454248][ T8]
[ 73.456680][ T8] The buggy address belongs to the object at ffff8880328cf180
[ 73.456680][ T8]  which belongs to the cache skbuff_fclone_cache of size 472
[ 73.472180][ T8] The buggy address is located 64 bytes inside of
[ 73.472180][ T8]  472-byte region [ffff8880328cf180, ffff8880328cf358)
[ 73.485764][ T8] The buggy address belongs to the page:
[ 73.491384][ T8] page:ffffea0000ca3380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x328ce
[ 73.501607][ T8] head:ffffea0000ca3380 order:1 compound_mapcount:0
[ 73.508189][ T8] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.516278][ T8] raw: 00fff00000010200 ffffea0000811500 0000000300000003 ffff8881400ee280
[ 73.524901][ T8] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 73.534165][ T8] page dumped because: kasan: bad access detected
[ 73.540562][ T8] page_owner tracks the page as allocated
[ 73.546275][ T8] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8424, ts 65082628156, free_ts 64879784131
[ 73.565657][ T8]  get_page_from_freelist+0xa72/0x2f80
[ 73.571113][ T8]  __alloc_pages+0x1b2/0x500
[ 73.575704][ T8]  alloc_pages+0x18c/0x2a0
[ 73.580285][ T8]  allocate_slab+0x32b/0x4c0
[ 73.584868][ T8]  ___slab_alloc+0x4ba/0x820
[ 73.589536][ T8]  __slab_alloc.constprop.0+0xa7/0xf0
[ 73.594902][ T8]  kmem_cache_alloc_node+0x12c/0x3e0
[ 73.600185][ T8]  __alloc_skb+0x20b/0x340
[ 73.604795][ T8]  sk_stream_alloc_skb+0x109/0xc30
[ 73.609927][ T8]  tcp_sendmsg_locked+0xc78/0x2f10
[ 73.615029][ T8]  tcp_sendmsg+0x2b/0x40
[ 73.619270][ T8]  inet_sendmsg+0x99/0xe0
[ 73.623608][ T8]  sock_sendmsg+0xcf/0x120
[ 73.628013][ T8]  sock_write_iter+0x289/0x3c0
[ 73.632928][ T8]  new_sync_write+0x426/0x650
[ 73.637701][ T8]  vfs_write+0x75a/0xa40
[ 73.641950][ T8] page last free stack trace:
[ 73.646621][ T8]  free_pcp_prepare+0x2c5/0x780
[ 73.651493][ T8]  free_unref_page+0x19/0x690
[ 73.656171][ T8]  unfreeze_partials+0x17c/0x1d0
[ 73.661215][ T8]  put_cpu_partial+0x13d/0x230
[ 73.666117][ T8]  qlist_free_all+0x5a/0xc0
[ 73.670738][ T8]  kasan_quarantine_reduce+0x180/0x200
[ 73.676200][ T8]  __kasan_slab_alloc+0x8e/0xa0
[ 73.681048][ T8]  kmem_cache_alloc+0x216/0x3a0
[ 73.685988][ T8]  getname_flags.part.0+0x50/0x4f0
[ 73.691116][ T8]  user_path_at_empty+0xa1/0x100
[ 73.696061][ T8]  vfs_statx+0x142/0x390
[ 73.700323][ T8]  __do_sys_newlstat+0x91/0x110
[ 73.705183][ T8]  do_syscall_64+0x35/0xb0
[ 73.709716][ T8]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.715927][ T8]
[ 73.718419][ T8] Memory state around the buggy address:
[ 73.724479][ T8]  ffff8880328cf080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 73.732877][ T8]  ffff8880328cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.740939][ T8] >ffff8880328cf180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.749107][ T8]                                            ^
[ 73.755259][ T8]  ffff8880328cf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.763595][ T8]  ffff8880328cf280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.771651][ T8] ==================================================================
[ 73.780251][ T8] Disabling lock debugging due to kernel taint
[ 73.786995][ T8] Kernel panic - not syncing: panic_on_warn set ...
[ 73.793674][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G B 5.14.0-rc1-syzkaller #0
[ 73.803383][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.813513][ T8] Workqueue: tipc_rcv tipc_conn_recv_work
[ 73.819444][ T8] Call Trace:
[ 73.822712][ T8]  dump_stack_lvl+0xcd/0x134
[ 73.827327][ T8]  panic+0x306/0x73d
[ 73.831486][ T8]  ? __warn_printk+0xf3/0xf3
[ 73.836265][ T8]  ? preempt_schedule_common+0x59/0xc0
[ 73.842075][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.846896][ T8]  ? preempt_schedule_thunk+0x16/0x18
[ 73.852260][ T8]  ? trace_hardirqs_on+0x38/0x1c0
[ 73.857293][ T8]  ? trace_hardirqs_on+0x51/0x1c0
[ 73.862316][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.867006][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.871867][ T8]  end_report.cold+0x5a/0x5a
[ 73.876467][ T8]  kasan_report.cold+0x71/0xdf
[ 73.881226][ T8]  ? tipc_recvmsg+0xf77/0xf90
[ 73.885911][ T8]  tipc_recvmsg+0xf77/0xf90
[ 73.890409][ T8]  ? tsk_advance_rx_queue+0x460/0x460
[ 73.895794][ T8]  ? is_dynamic_key+0x1a0/0x1a0
[ 73.900636][ T8]  ? aa_af_perm+0x230/0x230
[ 73.905238][ T8]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.911467][ T8]  ? security_socket_recvmsg+0x8f/0xc0
[ 73.916915][ T8]  ? tsk_advance_rx_queue+0x460/0x460
[ 73.922380][ T8]  sock_recvmsg+0xca/0x110
[ 73.926797][ T8]  tipc_conn_rcv_from_sock+0x162/0x2f0
[ 73.932258][ T8]  ? tipc_conn_rcv_sub+0x650/0x650
[ 73.937450][ T8]  tipc_conn_recv_work+0xeb/0x190
[ 73.942468][ T8]  process_one_work+0x98d/0x1630
[ 73.947402][ T8]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.952940][ T8]  ? rwlock_bug.part.0+0x90/0x90
[ 73.957862][ T8]  ? _raw_spin_lock_irq+0x41/0x50
[ 73.963583][ T8]  worker_thread+0x658/0x11f0
[ 73.968254][ T8]  ? process_one_work+0x1630/0x1630
[ 73.973443][ T8]  kthread+0x3e5/0x4d0
[ 73.977500][ T8]  ? set_kthread_struct+0x130/0x130
[ 73.982879][ T8]  ret_from_fork+0x1f/0x30
[ 73.988874][ T8] Kernel Offset: disabled
[ 73.993332][ T8] Rebooting in 86400 seconds..
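Triage helper for the report above, added here as an example; it is not kernel, KASAN or syzbot code. It parses the generic-KASAN report format (BUG line, access line, "Allocated by"/"Freed by" stacks, object and cache lines, shadow rows) and then cross-checks the report's own claims: that the access address minus the object base is the 64 bytes the report states, that the shadow byte under the caret is a "freed" marker consistent with a use-after-free, and that the free site and the use site are frames of the same function. The shadow-byte table is the 5.14-era generic KASAN encoding from mm/kasan/kasan.h as I recall it (0xFA free track, 0xFB freed, 0xFC kmalloc redzone); the names parse_kasan, analyze and SAMPLE are this example's own, and SAMPLE is a trimmed copy of lines from this report.

```python
"""Triage a generic-KASAN report (added example; not kernel or syzbot code)."""
import re
from dataclasses import dataclass, field

# Shadow byte values of 5.14-era generic KASAN (mm/kasan/kasan.h, from memory);
# 0x01..0x07 mean only the first N bytes of the 8-byte granule are accessible.
SHADOW_MEANING = {
    0x00: "accessible", 0xF8: "vmalloc invalid", 0xF9: "global redzone",
    0xFA: "freed (free track stored in this granule)", 0xFB: "freed",
    0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "free page",
}

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[A-Z]\d+\]\s?")   # "[ 73.114917][ T8] "
FRAME = re.compile(r"^\??\s*(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")  # "? func+0x1/0x2"
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")


@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""              # faulting frame, e.g. tipc_recvmsg+0xf77/0xf90
    access: str = ""            # Read / Write
    size: int = 0
    addr: int = 0
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    claimed_offset: int = 0
    claimed_where: str = ""     # inside / to the right / to the left
    alloc_task: str = ""
    free_task: str = ""
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes


def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                       # blank line ends a stack section
            if section in ("alloc", "free"):
                section = None
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = m[1], "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = m[1], "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes (inside|to the right|to the left) of", line):
            r.claimed_offset, r.claimed_where = int(m[1]), m[2]
        elif line.startswith("Memory state around the buggy address"):
            section = "shadow"
        elif section == "shadow" and (m := SHADOW_ROW.match(line)):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section in ("alloc", "free") and (m := FRAME.match(line)):
            (r.alloc_stack if section == "alloc" else r.free_stack).append(m[1])
    return r


def analyze(r):
    """Recompute what the report claims and decode the shadow byte at the access."""
    offset = r.addr - r.obj_base
    row = r.addr & ~0x7F               # each printed row covers 16 granules * 8 bytes
    granule = (r.addr - row) // 8
    shadow_byte = r.shadow[row][granule] if row in r.shadow else None
    if shadow_byte is None:
        meaning = "no shadow row printed for this address"
    elif 0 < shadow_byte < 8:
        meaning = f"partial: first {shadow_byte} bytes of granule accessible"
    else:
        meaning = SHADOW_MEANING.get(shadow_byte, "unknown")
    func_name = r.func.split("+")[0]
    free_site = next((f for f in r.free_stack if f.split("+")[0] == func_name), None)
    return {
        "offset": offset,
        "offset_matches_report": r.claimed_where == "inside"
            and offset == r.claimed_offset and 0 <= offset < r.obj_size,
        "shadow_byte": shadow_byte,
        "shadow_meaning": meaning,
        "uaf_consistent": r.bug == "use-after-free" and shadow_byte in (0xFA, 0xFB),
        "free_site": free_site,           # free frame inside the faulting function, if any
    }


# Trimmed copy of lines from the report above (only the parts the parser needs).
SAMPLE = """\
[ 73.114917][ T8] BUG: KASAN: use-after-free in tipc_recvmsg+0xf77/0xf90
[ 73.122045][ T8] Read of size 4 at addr ffff8880328cf1c0 by task kworker/u4:0/8
[ 73.129753][ T8]
[ 73.294513][ T8] Allocated by task 8446:
[ 73.298836][ T8]  kasan_save_stack+0x1b/0x40
[ 73.313896][ T8]  __alloc_skb+0x20b/0x340
[ 73.318383][ T8]  tipc_buf_acquire+0x25/0xe0
[ 73.327724][ T8]  __tipc_sendstream+0x6d0/0x1150
[ 73.370114][ T8]
[ 73.372440][ T8] Freed by task 8:
[ 73.376236][ T8]  kasan_save_stack+0x1b/0x40
[ 73.411116][ T8]  kfree_skb+0x140/0x3f0
[ 73.415605][ T8]  tipc_recvmsg+0x70d/0xf90
[ 73.420122][ T8]  sock_recvmsg+0xca/0x110
[ 73.454248][ T8]
[ 73.456680][ T8] The buggy address belongs to the object at ffff8880328cf180
[ 73.456680][ T8]  which belongs to the cache skbuff_fclone_cache of size 472
[ 73.472180][ T8] The buggy address is located 64 bytes inside of
[ 73.472180][ T8]  472-byte region [ffff8880328cf180, ffff8880328cf358)
[ 73.718419][ T8] Memory state around the buggy address:
[ 73.732877][ T8]  ffff8880328cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.740939][ T8] >ffff8880328cf180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.749107][ T8]                                            ^
[ 73.755259][ T8]  ffff8880328cf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(f"{rep.bug} in {rep.func}: {rep.access} of {rep.size} bytes, "
          f"object in {rep.cache} ({rep.obj_size} bytes)")
    for k, v in analyze(rep).items():
        print(f"  {k}: {v:#x}" if isinstance(v, int) and k == "shadow_byte" else f"  {k}: {v}")
```

On this report the helper confirms the 0x40 offset into the 472-byte skbuff_fclone_cache object, finds 0xFB ("freed") under the caret, and pairs the free at tipc_recvmsg+0x70d with the read at tipc_recvmsg+0xf77, which is the same conclusion a reader draws from the two stacks by hand; the point of scripting it is to run the same consistency checks over a batch of reports and to flag ones whose stated offset or shadow state do not agree with their BUG line.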