DUID 00:04:8a:84:28:17:ce:93:6d:14:d5:a0:40:fa:67:36:71:42
forked to background, child pid 3176
[ 26.880291][ T3177] 8021q: adding VLAN 0 to HW filter on device bond0
[ 26.892833][ T3177] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 43.349517][ T3591] ==================================================================
[ 43.357688][ T3591] BUG: KASAN: slab-out-of-bounds in bpf_prog_test_run_xdp+0x10ac/0x1150
[ 43.366015][ T3591] Write of size 8 at addr ffff888077551000 by task syz-executor404/3591
[ 43.374372][ T3591]
[ 43.376691][ T3591] CPU: 1 PID: 3591 Comm: syz-executor404 Not tainted 5.17.0-rc1-syzkaller-00550-g000fe940e51f #0
[ 43.387170][ T3591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.397209][ T3591] Call Trace:
[ 43.400475][ T3591]
[ 43.403395][ T3591] dump_stack_lvl+0xcd/0x134
[ 43.407988][ T3591] print_address_description.constprop.0.cold+0x8d/0x336
[ 43.415181][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 43.420808][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 43.426440][ T3591] kasan_report.cold+0x83/0xdf
[ 43.431371][ T3591] ? __sanitizer_cov_trace_cmp2+0x11/0x80
[ 43.437078][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 43.442704][ T3591] bpf_prog_test_run_xdp+0x10ac/0x1150
[ 43.448160][ T3591] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 43.453786][ T3591] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 43.460016][ T3591] ? __fget_light+0x215/0x280
[ 43.464697][ T3591] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 43.470930][ T3591] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 43.476564][ T3591] __sys_bpf+0x1858/0x59a0
[ 43.480972][ T3591] ? bpf_link_get_from_fd+0x110/0x110
[ 43.486335][ T3591] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 43.492304][ T3591] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 43.498276][ T3591] ? find_held_lock+0x2d/0x110
[ 43.503041][ T3591] ? trace_hardirqs_on+0x38/0x1c0
[ 43.508053][ T3591] __x64_sys_bpf+0x75/0xb0
[ 43.512460][ T3591] ? syscall_enter_from_user_mode+0x21/0x70
[ 43.518345][ T3591] do_syscall_64+0x35/0xb0
[ 43.522747][ T3591] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 43.528634][ T3591] RIP: 0033:0x7fab0da64229
[ 43.533055][ T3591] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 43.552650][ T3591] RSP: 002b:00007ffcd63b93b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 43.561055][ T3591] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fab0da64229
[ 43.569015][ T3591] RDX: 0000000000000048 RSI: 0000000020000000 RDI: 000000000000000a
[ 43.576979][ T3591] RBP: 00007fab0da28210 R08: 0000000000000000 R09: 0000000000000000
[ 43.584939][ T3591] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fab0da282a0
[ 43.592897][ T3591] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 43.600865][ T3591]
[ 43.603869][ T3591]
[ 43.606177][ T3591] Allocated by task 3591:
[ 43.610485][ T3591] kasan_save_stack+0x1e/0x40
[ 43.615160][ T3591] __kasan_kmalloc+0xa9/0xd0
[ 43.619739][ T3591] bpf_test_init.isra.0+0x9f/0x150
[ 43.624841][ T3591] bpf_prog_test_run_xdp+0x2f8/0x1150
[ 43.630203][ T3591] __sys_bpf+0x1858/0x59a0
[ 43.634607][ T3591] __x64_sys_bpf+0x75/0xb0
[ 43.639008][ T3591] do_syscall_64+0x35/0xb0
[ 43.643419][ T3591] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 43.649299][ T3591]
[ 43.651606][ T3591] The buggy address belongs to the object at ffff888077550000
[ 43.651606][ T3591]  which belongs to the cache kmalloc-4k of size 4096
[ 43.665811][ T3591] The buggy address is located 0 bytes to the right of
[ 43.665811][ T3591]  4096-byte region [ffff888077550000, ffff888077551000)
[ 43.679504][ T3591] The buggy address belongs to the page:
[ 43.685122][ T3591] page:ffffea0001dd5400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77550
[ 43.695255][ T3591] head:ffffea0001dd5400 order:3 compound_mapcount:0 compound_pincount:0
[ 43.703569][ T3591] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 43.711550][ T3591] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42140
[ 43.720118][ T3591] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 43.728682][ T3591] page dumped because: kasan: bad access detected
[ 43.735073][ T3591] page_owner tracks the page as allocated
[ 43.740783][ T3591] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 3591, ts 43349371784, free_ts 43330616571
[ 43.761287][ T3591] get_page_from_freelist+0xa72/0x2f50
[ 43.766736][ T3591] __alloc_pages+0x1b2/0x500
[ 43.771310][ T3591] alloc_pages+0x1aa/0x310
[ 43.775712][ T3591] new_slab+0x28a/0x3b0
[ 43.779902][ T3591] ___slab_alloc+0x87c/0xe90
[ 43.784489][ T3591] __slab_alloc.constprop.0+0x4d/0xa0
[ 43.789859][ T3591] __kmalloc+0x2fb/0x340
[ 43.794176][ T3591] bpf_test_init.isra.0+0x9f/0x150
[ 43.799288][ T3591] bpf_prog_test_run_xdp+0x2f8/0x1150
[ 43.804649][ T3591] __sys_bpf+0x1858/0x59a0
[ 43.809048][ T3591] __x64_sys_bpf+0x75/0xb0
[ 43.813476][ T3591] do_syscall_64+0x35/0xb0
[ 43.817887][ T3591] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 43.823767][ T3591] page last free stack trace:
[ 43.828432][ T3591] free_pcp_prepare+0x374/0x870
[ 43.833270][ T3591] free_unref_page+0x19/0x690
[ 43.837932][ T3591] __unfreeze_partials+0x320/0x340
[ 43.843029][ T3591] qlist_free_all+0x6d/0x160
[ 43.847607][ T3591] kasan_quarantine_reduce+0x180/0x200
[ 43.853051][ T3591] __kasan_slab_alloc+0xa2/0xc0
[ 43.857889][ T3591] kmem_cache_alloc+0x202/0x3a0
[ 43.862729][ T3591] getname_flags.part.0+0x50/0x4f0
[ 43.867831][ T3591] getname_flags+0x9a/0xe0
[ 43.872235][ T3591] user_path_at_empty+0x2b/0x60
[ 43.877071][ T3591] vfs_statx+0x142/0x390
[ 43.881302][ T3591] __do_sys_newfstatat+0x96/0x120
[ 43.886314][ T3591] do_syscall_64+0x35/0xb0
[ 43.890717][ T3591] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 43.896690][ T3591]
[ 43.898998][ T3591] Memory state around the buggy address:
[ 43.904610][ T3591]  ffff888077550f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.912668][ T3591]  ffff888077550f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.920713][ T3591] >ffff888077551000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.928843][ T3591]                    ^
[ 43.932896][ T3591]  ffff888077551080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.940939][ T3591]  ffff888077551100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.949413][ T3591] ==================================================================
[ 43.957468][ T3591] Disabling lock debugging due to kernel taint
[ 43.963817][ T3591] Kernel panic - not syncing: panic_on_warn set ...
[ 43.970422][ T3591] CPU: 1 PID: 3591 Comm: syz-executor404 Tainted: G B 5.17.0-rc1-syzkaller-00550-g000fe940e51f #0
[ 43.982303][ T3591] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.992358][ T3591] Call Trace:
[ 43.995630][ T3591]
[ 43.998564][ T3591] dump_stack_lvl+0xcd/0x134
[ 44.003158][ T3591] panic+0x2b0/0x6dd
[ 44.007052][ T3591] ? __warn_printk+0xf3/0xf3
[ 44.011641][ T3591] ? preempt_schedule_common+0x59/0xc0
[ 44.017098][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 44.022728][ T3591] ? preempt_schedule_thunk+0x16/0x18
[ 44.028100][ T3591] ? trace_hardirqs_on+0x38/0x1c0
[ 44.033117][ T3591] ? trace_hardirqs_on+0x51/0x1c0
[ 44.038135][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 44.043805][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 44.049437][ T3591] end_report.cold+0x63/0x6f
[ 44.054029][ T3591] kasan_report.cold+0x71/0xdf
[ 44.058796][ T3591] ? __sanitizer_cov_trace_cmp2+0x11/0x80
[ 44.064513][ T3591] ? bpf_prog_test_run_xdp+0x10ac/0x1150
[ 44.070143][ T3591] bpf_prog_test_run_xdp+0x10ac/0x1150
[ 44.075616][ T3591] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 44.081263][ T3591] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 44.087507][ T3591] ? __fget_light+0x215/0x280
[ 44.092191][ T3591] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 44.098453][ T3591] ? bpf_prog_test_run_skb+0x1de0/0x1de0
[ 44.104102][ T3591] __sys_bpf+0x1858/0x59a0
[ 44.108520][ T3591] ? bpf_link_get_from_fd+0x110/0x110
[ 44.113890][ T3591] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 44.119873][ T3591] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 44.125858][ T3591] ? find_held_lock+0x2d/0x110
[ 44.130630][ T3591] ? trace_hardirqs_on+0x38/0x1c0
[ 44.135655][ T3591] __x64_sys_bpf+0x75/0xb0
[ 44.140074][ T3591] ? syscall_enter_from_user_mode+0x21/0x70
[ 44.145972][ T3591] do_syscall_64+0x35/0xb0
[ 44.150388][ T3591] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 44.156284][ T3591] RIP: 0033:0x7fab0da64229
[ 44.160698][ T3591] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 44.180995][ T3591] RSP: 002b:00007ffcd63b93b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 44.189406][ T3591] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fab0da64229
[ 44.197369][ T3591] RDX: 0000000000000048 RSI: 0000000020000000 RDI: 000000000000000a
[ 44.205338][ T3591] RBP: 00007fab0da28210 R08: 0000000000000000 R09: 0000000000000000
[ 44.213304][ T3591] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fab0da282a0
[ 44.221268][ T3591] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 44.229239][ T3591]
[ 44.232417][ T3591] Kernel Offset: disabled
[ 44.236733][ T3591] Rebooting in 86400 seconds..