UBSAN: object-size-mismatch in wg_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
member access within address 0000000001f5e535 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 371 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x42c/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3580
 __dev_queue_xmit+0xf16/0x1920 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc34/0x1020 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x279/0x370 net/ipv6/ip6_output.c:143
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4191
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3956
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2272
 worker_thread+0x723/0xa60 kernel/workqueue.c:2418
 kthread+0x365/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
member access within address 0000000001f5e535 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 371 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_insert include/linux/skbuff.h:1909 [inline]
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x48f/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3580
 __dev_queue_xmit+0xf16/0x1920 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc34/0x1020 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x279/0x370 net/ipv6/ip6_output.c:143
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4191
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3956
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2272
 worker_thread+0x723/0xa60 kernel/workqueue.c:2418
 kthread+0x365/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

Warning: Permanently added '10.128.1.107' (ECDSA) to the list of known hosts.
2022/11/14 09:41:39 fuzzer started
2022/11/14 09:41:39 connecting to host at 10.128.0.163:32925
2022/11/14 09:41:39 checking machine...
2022/11/14 09:41:39 checking revisions...
2022/11/14 09:41:39 testing simple program...
[ 19.893347][ T22] audit: type=1400 audit(1668418899.840:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 19.903361][ T22] audit: type=1400 audit(1668418899.850:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.907582][ T22] audit: type=1400 audit(1668418899.850:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.911021][ T22] audit: type=1400 audit(1668418899.850:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.919009][ T370] cgroup: Unknown subsys name 'net'
[ 19.924353][ T22] audit: type=1400 audit(1668418899.850:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.952777][ T22] audit: type=1400 audit(1668418899.850:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.952980][ T370] cgroup: Unknown subsys name 'devices'
[ 19.976856][ T22] audit: type=1400 audit(1668418899.870:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 20.005696][ T22] audit: type=1400 audit(1668418899.870:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.028541][ T22] audit: type=1400 audit(1668418899.880:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.141479][ T370] cgroup: Unknown subsys name 'hugetlb'
[ 20.147439][ T370] cgroup: Unknown subsys name 'rlimit'
[ 20.220979][ T22] audit: type=1400 audit(1668418900.170:82): avc: denied { setattr } for pid=370 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.287588][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 20.294957][ T373] bridge0: port 1(bridge_slave_0) entered disabled state
[ 20.303026][ T373] device bridge_slave_0 entered promiscuous mode
[ 20.310915][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 20.318308][ T373] bridge0: port 2(bridge_slave_1) entered disabled state
[ 20.325892][ T373] device bridge_slave_1 entered promiscuous mode
[ 20.359666][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 20.366954][ T373] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 20.374548][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 20.381737][ T373] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 20.400782][ T23] bridge0: port 1(bridge_slave_0) entered disabled state
[ 20.408410][ T23] bridge0: port 2(bridge_slave_1) entered disabled state
[ 20.416024][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 20.424384][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 20.436055][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 20.444617][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 20.451811][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 20.459615][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 20.468116][ T23] bridge0: port 2(bridge_slave_1) entered blocking state
[ 20.475268][ T23] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 20.487519][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 20.495717][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 20.517531][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 20.526519][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 20.536512][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 20.545557][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 20.555281][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 20.567887][ T371] ================================================================================
[ 20.577523][ T371] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
[ 20.585468][ T371] member access within address 0000000001f5e535 with insufficient space
[ 20.594240][ T371] for an object of type 'struct sk_buff'
[ 20.599922][ T371] CPU: 1 PID: 371 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
[ 20.608059][ T371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.619538][ T371] Workqueue: ipv6_addrconf addrconf_dad_work
[ 20.626387][ T371] Call Trace:
[ 20.629815][ T371] dump_stack+0x19c/0x1e2
[ 20.634360][ T371] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 20.640075][ T371] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 20.646141][ T371] wg_xmit+0x42c/0xa60
[ 20.650284][ T371] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 20.656264][ T371] netdev_start_xmit+0x8a/0x160
[ 20.661119][ T371] dev_hard_start_xmit+0x18d/0x2f0
[ 20.666228][ T371] __dev_queue_xmit+0xf16/0x1920
[ 20.671162][ T371] ? __kasan_check_write+0x14/0x20
[ 20.676523][ T371] dev_queue_xmit+0x17/0x20
[ 20.681009][ T371] neigh_connected_output+0x288/0x2b0
[ 20.686371][ T371] ip6_finish_output2+0xc34/0x1020
[ 20.691491][ T371] ? ip6_mtu+0xf1/0x140
[ 20.695644][ T371] __ip6_finish_output+0x279/0x370
[ 20.700749][ T371] ip6_finish_output+0x20b/0x220
[ 20.705702][ T371] ? ip6_output+0x175/0x3f0
[ 20.710193][ T371] ip6_output+0x18c/0x3f0
[ 20.714618][ T371] ? ip6_dst_idev+0x40/0x40
[ 20.719128][ T371] NF_HOOK+0x88/0x210
[ 20.723089][ T371] ? NF_HOOK+0x210/0x210
[ 20.727416][ T371] ndisc_send_skb+0x653/0x9f0
[ 20.732085][ T371] ndisc_send_rs+0x26c/0x360
[ 20.736835][ T371] addrconf_dad_completed+0x493/0x970
[ 20.742419][ T371] addrconf_dad_work+0x9d0/0x12d0
[ 20.747777][ T371] process_one_work+0x3d5/0x640
[ 20.752799][ T371] worker_thread+0x723/0xa60
[ 20.757653][ T371] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 20.763211][ T371] kthread+0x365/0x400
[ 20.767568][ T371] ? pr_cont_work+0x110/0x110
[ 20.772516][ T371] ? __list_add+0xc0/0xc0
[ 20.776930][ T371] ret_from_fork+0x1f/0x30
[ 20.781365][ T371] ================================================================================
[ 20.790938][ T371] ================================================================================
[ 20.800375][ T371] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 20.808865][ T371] member access within address 0000000001f5e535 with insufficient space
[ 20.817467][ T371] for an object of type 'struct sk_buff'
[ 20.823133][ T371] CPU: 1 PID: 371 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
[ 20.831102][ T371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.841514][ T371] Workqueue: ipv6_addrconf addrconf_dad_work
[ 20.847483][ T371] Call Trace:
[ 20.850759][ T371] dump_stack+0x19c/0x1e2
[ 20.855162][ T371] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 20.860977][ T371] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 20.867262][ T371] wg_xmit+0x48f/0xa60
[ 20.871321][ T371] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 20.877292][ T371] netdev_start_xmit+0x8a/0x160
[ 20.882219][ T371] dev_hard_start_xmit+0x18d/0x2f0
[ 20.887338][ T371] __dev_queue_xmit+0xf16/0x1920
[ 20.892264][ T371] ? __kasan_check_write+0x14/0x20
[ 20.897366][ T371] dev_queue_xmit+0x17/0x20
[ 20.902205][ T371] neigh_connected_output+0x288/0x2b0
[ 20.907660][ T371] ip6_finish_output2+0xc34/0x1020
[ 20.912841][ T371] ? ip6_mtu+0xf1/0x140
[ 20.916981][ T371] __ip6_finish_output+0x279/0x370
[ 20.922430][ T371] ip6_finish_output+0x20b/0x220
[ 20.927527][ T371] ? ip6_output+0x175/0x3f0
[ 20.932352][ T371] ip6_output+0x18c/0x3f0
[ 20.936877][ T371] ? ip6_dst_idev+0x40/0x40
[ 20.941372][ T371] NF_HOOK+0x88/0x210
[ 20.945346][ T371] ? NF_HOOK+0x210/0x210
[ 20.949672][ T371] ndisc_send_skb+0x653/0x9f0
[ 20.954843][ T371] ndisc_send_rs+0x26c/0x360
[ 20.959522][ T371] addrconf_dad_completed+0x493/0x970
[ 20.965092][ T371] addrconf_dad_work+0x9d0/0x12d0
[ 20.970274][ T371] process_one_work+0x3d5/0x640
[ 20.975107][ T371] worker_thread+0x723/0xa60
[ 20.979939][ T371] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 20.985505][ T371] kthread+0x365/0x400
[ 20.989680][ T371] ? pr_cont_work+0x110/0x110
[ 20.994487][ T371] ? __list_add+0xc0/0xc0
[ 20.998997][ T371] ret_from_fork+0x1f/0x30
[ 21.003868][ T371] ================================================================================
2022/11/14 09:41:41 building call list...
[ 21.019428][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 21.110026][ T373] ==================================================================
[ 21.118319][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 21.126127][ T373] Read of size 4 at addr ffff88810015a0c4 by task syz-executor.0/373
[ 21.134522][ T373]
[ 21.136931][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 21.145522][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.155758][ T373] Call Trace:
[ 21.159136][ T373] dump_stack+0x19c/0x1e2
[ 21.163465][ T373] print_address_description+0x7e/0x6a0
[ 21.169097][ T373] ? printk+0x76/0x96
[ 21.173071][ T373] kasan_report+0x16f/0x210
[ 21.177566][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 21.182588][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 21.187614][ T373] __asan_report_load4_noabort+0x14/0x20
[ 21.193240][ T373] task_active_pid_ns+0x9a/0xa0
[ 21.198194][ T373] do_notify_parent+0x2c7/0xa70
[ 21.203050][ T373] ? __kasan_check_write+0x14/0x20
[ 21.208172][ T373] do_exit+0x1a52/0x2190
[ 21.212432][ T373] do_group_exit+0x13f/0x310
[ 21.217136][ T373] get_signal+0xbef/0x10c0
[ 21.221650][ T373] arch_do_signal+0x42/0x710
[ 21.226496][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 21.231687][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 21.237419][ T373] do_syscall_64+0x40/0x70
[ 21.241921][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.247799][ T373] RIP: 0033:0x7f9fad181263
[ 21.252201][ T373] Code: Unable to access opcode bytes at RIP 0x7f9fad181239.
[ 21.260084][ T373] RSP: 002b:00007fffb778e148 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 21.268494][ T373] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f9fad181263
[ 21.276726][ T373] RDX: 000000000000000c RSI: 00007fffb778e210 RDI: 00000000000000f8
[ 21.284694][ T373] RBP: 00007fffb778e1ac R08: 00007fffb77ef080 R09: 00007fffb77ef0b8
[ 21.292969][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 21.300953][ T373] R13: 0000000000005217 R14: 0000000000000003 R15: 00007fffb778e210
[ 21.308935][ T373]
[ 21.311265][ T373] Allocated by task 0:
[ 21.315352][ T373] __kasan_kmalloc+0x11a/0x150
[ 21.320109][ T373] kasan_slab_alloc+0xe/0x10
[ 21.324875][ T373] slab_post_alloc_hook+0x3f/0x70
[ 21.329971][ T373] kmem_cache_alloc+0x143/0x200
[ 21.334820][ T373] alloc_pid+0x9a/0xb00
[ 21.339142][ T373] copy_process+0xdc0/0x2110
[ 21.343719][ T373] kernel_clone+0x1df/0x690
[ 21.348373][ T373] kernel_thread+0x11b/0x160
[ 21.352973][ T373] rest_init+0x22/0xf0
[ 21.357242][ T373] arch_call_rest_init+0xe/0x10
[ 21.362094][ T373] start_kernel+0x47d/0x518
[ 21.366586][ T373] x86_64_start_reservations+0x2a/0x2c
[ 21.372032][ T373] x86_64_start_kernel+0x7a/0x7d
[ 21.376984][ T373] secondary_startup_64_no_verify+0xb0/0xbb
[ 21.383050][ T373]
[ 21.385367][ T373] Freed by task 370:
[ 21.389261][ T373] kasan_set_track+0x4c/0x80
[ 21.394023][ T373] kasan_set_free_info+0x1b/0x30
[ 21.398957][ T373] __kasan_slab_free+0x11c/0x150
[ 21.403883][ T373] kasan_slab_free+0xe/0x10
[ 21.409501][ T373] slab_free_freelist_hook+0x8b/0x160
[ 21.414963][ T373] kmem_cache_free+0x9a/0x1c0
[ 21.419888][ T373] put_pid+0xb3/0x120
[ 21.423867][ T373] proc_do_cad_pid+0x131/0x1d0
[ 21.428618][ T373] proc_sys_call_handler+0x48d/0x640
[ 21.434044][ T373] proc_sys_write+0x22/0x30
[ 21.438806][ T373] vfs_write+0x466/0x560
[ 21.443045][ T373] ksys_write+0x155/0x260
[ 21.447478][ T373] __x64_sys_write+0x7b/0x90
[ 21.452254][ T373] do_syscall_64+0x34/0x70
[ 21.456776][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.462886][ T373]
[ 21.465215][ T373] The buggy address belongs to the object at ffff88810015a0c0
[ 21.465215][ T373] which belongs to the cache pid of size 112
[ 21.478866][ T373] The buggy address is located 4 bytes inside of
[ 21.478866][ T373] 112-byte region [ffff88810015a0c0, ffff88810015a130)
[ 21.492346][ T373] The buggy address belongs to the page:
[ 21.498061][ T373] page:00000000de6236d4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015a
[ 21.508547][ T373] flags: 0x8000000000000200(slab)
[ 21.513721][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100134dc0
[ 21.522392][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 21.531086][ T373] page dumped because: kasan: bad access detected
[ 21.537577][ T373] page_owner tracks the page as allocated
[ 21.543473][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 21.551988][ T373] register_early_stack+0x41/0x80
[ 21.557063][ T373] init_page_owner+0x32/0x4f0
[ 21.561749][ T373] invoke_init_callbacks+0x63/0x6d
[ 21.566849][ T373] page_ext_init+0x348/0x371
[ 21.571417][ T373] page_owner free stack trace missing
[ 21.576771][ T373]
[ 21.579110][ T373] Memory state around the buggy address:
[ 21.585086][ T373]  ffff888100159f80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 21.593230][ T373]  ffff88810015a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 21.601394][ T373] >ffff88810015a080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 21.609439][ T373]                                            ^
[ 21.615666][ T373]  ffff88810015a100: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 21.623894][ T373]  ffff88810015a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 21.632204][ T373] ==================================================================
[ 21.640248][ T373] Disabling lock debugging due to kernel taint
[ 21.646490][ T373] BUG: unable to handle page fault for address: ffffed122001c527
[ 21.654377][ T373] #PF: supervisor read access in kernel mode
[ 21.660531][ T373] #PF: error_code(0x0000) - not-present page
[ 21.666606][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 21.671907][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 21.677203][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 21.686921][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.696987][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 21.702793][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 21.722737][ T373] RSP: 0018:ffffc90000937b40 EFLAGS: 00010806
[ 21.728898][ T373] RAX: 1ffff1122001c527 RBX: ffff8891000e2938 RCX: 0000000000000002
[ 21.737223][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 21.745481][ T373] RBP: ffffc90000937b50 R08: ffff888119ae6ac0 R09: fffffbfff0bc26f9
[ 21.753519][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 21.761553][ T373] R13: ffff888119ae6ac0 R14: dffffc0000000000 R15: ffff888119ae6fe0
[ 21.769522][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 21.778429][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 21.785078][ T373] CR2: ffffed122001c527 CR3: 000000011590f000 CR4: 00000000003506b0
[ 21.793307][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 21.801627][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 21.809661][ T373] Call Trace:
[ 21.813019][ T373] do_notify_parent+0x2c7/0xa70
[ 21.817848][ T373] ? __kasan_check_write+0x14/0x20
[ 21.823024][ T373] do_exit+0x1a52/0x2190
[ 21.827438][ T373] do_group_exit+0x13f/0x310
[ 21.832187][ T373] get_signal+0xbef/0x10c0
[ 21.836698][ T373] arch_do_signal+0x42/0x710
[ 21.841305][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 21.846580][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 21.852174][ T373] do_syscall_64+0x40/0x70
[ 21.856768][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.862666][ T373] RIP: 0033:0x7f9fad181263
[ 21.867148][ T373] Code: Unable to access opcode bytes at RIP 0x7f9fad181239.
[ 21.876055][ T373] RSP: 002b:00007fffb778e148 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 21.884621][ T373] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f9fad181263
[ 21.892746][ T373] RDX: 000000000000000c RSI: 00007fffb778e210 RDI: 00000000000000f8
[ 21.900921][ T373] RBP: 00007fffb778e1ac R08: 00007fffb77ef080 R09: 00007fffb77ef0b8
[ 21.909133][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 21.917177][ T373] R13: 0000000000005217 R14: 0000000000000003 R15: 00007fffb778e210
[ 21.925130][ T373] Modules linked in:
[ 21.929028][ T373] CR2: ffffed122001c527
[ 21.933163][ T373] ---[ end trace c7539476c6f0379d ]---
[ 21.938692][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 21.944597][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 21.964702][ T373] RSP: 0018:ffffc90000937b40 EFLAGS: 00010806
[ 21.971156][ T373] RAX: 1ffff1122001c527 RBX: ffff8891000e2938 RCX: 0000000000000002
[ 21.979370][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 21.987657][ T373] RBP: ffffc90000937b50 R08: ffff888119ae6ac0 R09: fffffbfff0bc26f9
[ 21.995896][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.004056][ T373] R13: ffff888119ae6ac0 R14: dffffc0000000000 R15: ffff888119ae6fe0
[ 22.012205][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 22.021268][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.027928][ T373] CR2: ffffed122001c527 CR3: 000000011590f000 CR4: 00000000003506b0
[ 22.036349][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.044577][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.052641][ T373] Kernel panic - not syncing: Fatal exception
[ 23.184354][ T373] Shutting down cpus with NMI
[ 23.189511][ T373] Kernel Offset: disabled
[ 23.193991][ T373] Rebooting in 86400 seconds..

syzkaller build log:
git status (err=)
HEAD detached at c0b80a55c
nothing to commit, working tree clean