UBSAN: object-size-mismatch in wg_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
member access within address 000000001b8e33dc with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x42c/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3580
 __dev_queue_xmit+0xf16/0x1920 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc34/0x1020 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:182
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4192
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3957
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2272
 worker_thread+0x723/0xa60 kernel/workqueue.c:2418
 kthread+0x365/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
member access within address 000000001b8e33dc with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_insert include/linux/skbuff.h:1909 [inline]
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x48f/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3580
 __dev_queue_xmit+0xf16/0x1920 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc34/0x1020 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:182
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4192
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3957
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2272
 worker_thread+0x723/0xa60 kernel/workqueue.c:2418
 kthread+0x365/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

DUID 00:04:ff:5e:17:7d:d8:53:5e:f8:54:ce:ed:1b:c4:81:88:80
forked to background, child pid 196
Starting sshd: OK

syzkaller
syzkaller login: [ 13.344612][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 13.344619][ T22] audit: type=1400 audit(1669475222.580:71): avc: denied { transition } for pid=289 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 13.355866][ T22] audit: type=1400 audit(1669475222.600:72): avc: denied { write } for pid=289 comm="sh" path="pipe:[323]" dev="pipefs" ino=323 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts.
2022/11/26 15:07:09 fuzzer started
2022/11/26 15:07:09 connecting to host at 10.128.0.163:39379
2022/11/26 15:07:09 checking machine...
2022/11/26 15:07:09 checking revisions...
2022/11/26 15:07:09 testing simple program...
[ 20.361112][ T22] audit: type=1400 audit(1669475229.600:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 20.370733][ T22] audit: type=1400 audit(1669475229.610:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.377669][ T22] audit: type=1400 audit(1669475229.610:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.386637][ T22] audit: type=1400 audit(1669475229.610:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.388296][ T370] cgroup: Unknown subsys name 'net'
[ 20.409899][ T22] audit: type=1400 audit(1669475229.620:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.437851][ T22] audit: type=1400 audit(1669475229.620:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.438055][ T370] cgroup: Unknown subsys name 'devices'
[ 20.461278][ T22] audit: type=1400 audit(1669475229.620:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 20.489798][ T22] audit: type=1400 audit(1669475229.630:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.512034][ T22] audit: type=1400 audit(1669475229.660:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.619230][ T370] cgroup: Unknown subsys name 'hugetlb'
[ 20.625073][ T370] cgroup: Unknown subsys name 'rlimit'
[ 20.779089][ T22] audit: type=1400 audit(1669475230.020:82): avc: denied { setattr } for pid=370 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.834931][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 20.842159][ T373] bridge0: port 1(bridge_slave_0) entered disabled state
[ 20.849577][ T373] device bridge_slave_0 entered promiscuous mode
[ 20.856341][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 20.863783][ T373] bridge0: port 2(bridge_slave_1) entered disabled state
[ 20.871153][ T373] device bridge_slave_1 entered promiscuous mode
[ 20.901123][ T373] bridge0: port 2(bridge_slave_1) entered blocking state
[ 20.908290][ T373] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 20.915691][ T373] bridge0: port 1(bridge_slave_0) entered blocking state
[ 20.922747][ T373] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 20.938874][ T371] bridge0: port 1(bridge_slave_0) entered disabled state
[ 20.946019][ T371] bridge0: port 2(bridge_slave_1) entered disabled state
[ 20.953338][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 20.961241][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 20.970599][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 20.978983][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 20.986027][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 20.994581][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 21.003048][ T23] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.010103][ T23] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.021578][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 21.037937][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 21.046310][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 21.054518][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 21.065251][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 21.076471][ T371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 21.087158][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 21.098158][ T23] ================================================================================
[ 21.107857][ T23] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
[ 21.115758][ T23] member access within address 000000001b8e33dc with insufficient space
[ 21.124305][ T23] for an object of type 'struct sk_buff'
[ 21.130089][ T23] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
[ 21.140114][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.150259][ T23] Workqueue: ipv6_addrconf addrconf_dad_work
[ 21.156222][ T23] Call Trace:
[ 21.159502][ T23]  dump_stack+0x19c/0x1e2
[ 21.163834][ T23]  ubsan_type_mismatch_common+0x1ed/0x3a0
[ 21.169620][ T23]  __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 21.175588][ T23]  wg_xmit+0x42c/0xa60
[ 21.179634][ T23]  ? __sanitizer_cov_trace_switch+0x64/0x80
[ 21.185504][ T23]  netdev_start_xmit+0x8a/0x160
[ 21.190865][ T23]  dev_hard_start_xmit+0x18d/0x2f0
[ 21.196219][ T23]  __dev_queue_xmit+0xf16/0x1920
[ 21.201393][ T23]  ? __kasan_check_write+0x14/0x20
[ 21.206553][ T23]  dev_queue_xmit+0x17/0x20
[ 21.211046][ T23]  neigh_connected_output+0x288/0x2b0
[ 21.216420][ T23]  ip6_finish_output2+0xc34/0x1020
[ 21.221640][ T23]  ? ip6_mtu+0xf1/0x140
[ 21.225771][ T23]  __ip6_finish_output+0x3e6/0x530
[ 21.230977][ T23]  ip6_finish_output+0x20b/0x220
[ 21.235904][ T23]  ? ip6_output+0x175/0x3f0
[ 21.240397][ T23]  ip6_output+0x18c/0x3f0
[ 21.244727][ T23]  ? ip6_dst_idev+0x40/0x40
[ 21.249204][ T23]  NF_HOOK+0x88/0x210
[ 21.253247][ T23]  ? NF_HOOK+0x210/0x210
[ 21.257472][ T23]  ndisc_send_skb+0x653/0x9f0
[ 21.262126][ T23]  ndisc_send_rs+0x26c/0x360
[ 21.266795][ T23]  addrconf_dad_completed+0x493/0x970
[ 21.272139][ T23]  addrconf_dad_work+0x9d0/0x12d0
[ 21.277152][ T23]  process_one_work+0x3d5/0x640
[ 21.281977][ T23]  worker_thread+0x723/0xa60
[ 21.286542][ T23]  ? _raw_spin_lock_irqsave+0xa2/0x220
[ 21.292071][ T23]  kthread+0x365/0x400
[ 21.296120][ T23]  ? pr_cont_work+0x110/0x110
[ 21.300791][ T23]  ? __list_add+0xc0/0xc0
[ 21.305191][ T23]  ret_from_fork+0x1f/0x30
[ 21.309612][ T23] ================================================================================
[ 21.318910][ T23] ================================================================================
[ 21.328310][ T23] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 21.336120][ T23] member access within address 000000001b8e33dc with insufficient space
[ 21.344464][ T23] for an object of type 'struct sk_buff'
[ 21.350094][ T23] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
[ 21.359777][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.369917][ T23] Workqueue: ipv6_addrconf addrconf_dad_work
[ 21.376013][ T23] Call Trace:
[ 21.379301][ T23]  dump_stack+0x19c/0x1e2
[ 21.383618][ T23]  ubsan_type_mismatch_common+0x1ed/0x3a0
[ 21.389394][ T23]  __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 21.395530][ T23]  wg_xmit+0x48f/0xa60
[ 21.399582][ T23]  ? __sanitizer_cov_trace_switch+0x64/0x80
[ 21.405627][ T23]  netdev_start_xmit+0x8a/0x160
[ 21.410533][ T23]  dev_hard_start_xmit+0x18d/0x2f0
[ 21.415749][ T23]  __dev_queue_xmit+0xf16/0x1920
[ 21.420870][ T23]  ? __kasan_check_write+0x14/0x20
[ 21.425969][ T23]  dev_queue_xmit+0x17/0x20
[ 21.430471][ T23]  neigh_connected_output+0x288/0x2b0
[ 21.435830][ T23]  ip6_finish_output2+0xc34/0x1020
[ 21.440917][ T23]  ? ip6_mtu+0xf1/0x140
[ 21.445050][ T23]  __ip6_finish_output+0x3e6/0x530
[ 21.450341][ T23]  ip6_finish_output+0x20b/0x220
[ 21.455260][ T23]  ? ip6_output+0x175/0x3f0
[ 21.459738][ T23]  ip6_output+0x18c/0x3f0
[ 21.464038][ T23]  ? ip6_dst_idev+0x40/0x40
[ 21.468513][ T23]  NF_HOOK+0x88/0x210
[ 21.472462][ T23]  ? NF_HOOK+0x210/0x210
[ 21.476690][ T23]  ndisc_send_skb+0x653/0x9f0
[ 21.481429][ T23]  ndisc_send_rs+0x26c/0x360
[ 21.485989][ T23]  addrconf_dad_completed+0x493/0x970
[ 21.491422][ T23]  addrconf_dad_work+0x9d0/0x12d0
[ 21.496535][ T23]  process_one_work+0x3d5/0x640
[ 21.501373][ T23]  worker_thread+0x723/0xa60
[ 21.505942][ T23]  ? _raw_spin_lock_irqsave+0xa2/0x220
[ 21.511462][ T23]  kthread+0x365/0x400
[ 21.515534][ T23]  ? pr_cont_work+0x110/0x110
[ 21.520213][ T23]  ? __list_add+0xc0/0xc0
[ 21.524625][ T23]  ret_from_fork+0x1f/0x30
[ 21.529532][ T23] ================================================================================
2022/11/26 15:07:10 building call list...
[ 21.545942][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 21.627753][ T373] ==================================================================
[ 21.635874][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 21.643396][ T373] Read of size 4 at addr ffff888100156f04 by task syz-executor.0/373
[ 21.651431][ T373] 
[ 21.653758][ T373] CPU: 1 PID: 373 Comm: syz-executor.0 Not tainted 5.10.10-syzkaller-00198-g11167454e9cb #0
[ 21.663887][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.674006][ T373] Call Trace:
[ 21.677362][ T373]  dump_stack+0x19c/0x1e2
[ 21.681719][ T373]  print_address_description+0x7e/0x6a0
[ 21.687343][ T373]  ? printk+0x76/0x96
[ 21.691325][ T373]  kasan_report+0x16f/0x210
[ 21.695806][ T373]  ? task_active_pid_ns+0x9a/0xa0
[ 21.700912][ T373]  ? task_active_pid_ns+0x9a/0xa0
[ 21.706260][ T373]  __asan_report_load4_noabort+0x14/0x20
[ 21.711869][ T373]  task_active_pid_ns+0x9a/0xa0
[ 21.717325][ T373]  do_notify_parent+0x2c7/0xa70
[ 21.722249][ T373]  ? __kasan_check_write+0x14/0x20
[ 21.727518][ T373]  do_exit+0x1a52/0x2190
[ 21.731736][ T373]  do_group_exit+0x13f/0x310
[ 21.736302][ T373]  get_signal+0xbef/0x10c0
[ 21.740831][ T373]  arch_do_signal+0x42/0x710
[ 21.745422][ T373]  exit_to_user_mode_loop+0xa3/0xe0
[ 21.751573][ T373]  syscall_exit_to_user_mode+0x77/0xa0
[ 21.757059][ T373]  do_syscall_64+0x40/0x70
[ 21.761511][ T373]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.767562][ T373] RIP: 0033:0x7f07c25db2fe
[ 21.771959][ T373] Code: Unable to access opcode bytes at RIP 0x7f07c25db2d4.
[ 21.779323][ T373] RSP: 002b:00007ffe6e7b02e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 21.787718][ T373] RAX: fffffffffffffe00 RBX: 00007ffe6e7b0370 RCX: 00007f07c25db2fe
[ 21.795670][ T373] RDX: 0000000000000040 RSI: 00007f07c2746020 RDI: 00000000000000f9
[ 21.803621][ T373] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffffffff0000
[ 21.811662][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 21.819614][ T373] R13: 0000000000005426 R14: 0000000000000003 R15: 00007ffe6e7b03b0
[ 21.827566][ T373] 
[ 21.829875][ T373] Allocated by task 0:
[ 21.833926][ T373]  __kasan_kmalloc+0x11a/0x150
[ 21.838752][ T373]  kasan_slab_alloc+0xe/0x10
[ 21.843318][ T373]  slab_post_alloc_hook+0x3f/0x70
[ 21.848496][ T373]  kmem_cache_alloc+0x143/0x200
[ 21.853324][ T373]  alloc_pid+0x9a/0xb00
[ 21.857485][ T373]  copy_process+0xdc0/0x2110
[ 21.862081][ T373]  kernel_clone+0x1df/0x690
[ 21.866609][ T373]  kernel_thread+0x11b/0x160
[ 21.871211][ T373]  rest_init+0x22/0xf0
[ 21.875285][ T373]  arch_call_rest_init+0xe/0x10
[ 21.880141][ T373]  start_kernel+0x47d/0x518
[ 21.884634][ T373]  x86_64_start_reservations+0x2a/0x2c
[ 21.890071][ T373]  x86_64_start_kernel+0x7a/0x7d
[ 21.895074][ T373]  secondary_startup_64_no_verify+0xb0/0xbb
[ 21.900937][ T373] 
[ 21.903243][ T373] Freed by task 370:
[ 21.907117][ T373]  kasan_set_track+0x4c/0x80
[ 21.911773][ T373]  kasan_set_free_info+0x1b/0x30
[ 21.916780][ T373]  __kasan_slab_free+0x11c/0x150
[ 21.921733][ T373]  kasan_slab_free+0xe/0x10
[ 21.926223][ T373]  slab_free_freelist_hook+0x8b/0x160
[ 21.931575][ T373]  kmem_cache_free+0x9a/0x1c0
[ 21.936399][ T373]  put_pid+0xb3/0x120
[ 21.940357][ T373]  proc_do_cad_pid+0x131/0x1d0
[ 21.945098][ T373]  proc_sys_call_handler+0x48d/0x640
[ 21.950380][ T373]  proc_sys_write+0x22/0x30
[ 21.954875][ T373]  vfs_write+0x466/0x560
[ 21.959100][ T373]  ksys_write+0x155/0x260
[ 21.963405][ T373]  __x64_sys_write+0x7b/0x90
[ 21.967971][ T373]  do_syscall_64+0x34/0x70
[ 21.972373][ T373]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 21.978237][ T373] 
[ 21.980553][ T373] The buggy address belongs to the object at ffff888100156f00
[ 21.980553][ T373]  which belongs to the cache pid of size 112
[ 21.993984][ T373] The buggy address is located 4 bytes inside of
[ 21.993984][ T373]  112-byte region [ffff888100156f00, ffff888100156f70)
[ 22.007056][ T373] The buggy address belongs to the page:
[ 22.013204][ T373] page:00000000ba9628b9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100156
[ 22.023504][ T373] flags: 0x8000000000000200(slab)
[ 22.028511][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100138280
[ 22.037083][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 22.045640][ T373] page dumped because: kasan: bad access detected
[ 22.052027][ T373] page_owner tracks the page as allocated
[ 22.057751][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 22.066171][ T373]  register_early_stack+0x41/0x80
[ 22.071190][ T373]  init_page_owner+0x32/0x4f0
[ 22.075904][ T373]  invoke_init_callbacks+0x63/0x6d
[ 22.081112][ T373]  page_ext_init+0x348/0x371
[ 22.085704][ T373] page_owner free stack trace missing
[ 22.091058][ T373] 
[ 22.093369][ T373] Memory state around the buggy address:
[ 22.098984][ T373]  ffff888100156e00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 22.107320][ T373]  ffff888100156e80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 22.115653][ T373] >ffff888100156f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 22.123695][ T373]                    ^
[ 22.127739][ T373]  ffff888100156f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.136084][ T373]  ffff888100157000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.144129][ T373] ==================================================================
[ 22.152174][ T373] Disabling lock debugging due to kernel taint
[ 22.158321][ T373] BUG: unable to handle page fault for address: ffffed122001beef
[ 22.166022][ T373] #PF: supervisor read access in kernel mode
[ 22.171986][ T373] #PF: error_code(0x0000) - not-present page
[ 22.177969][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0 
[ 22.183367][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 22.188568][ T373] CPU: 1 PID: 373 Comm: syz-executor.0 Tainted: G    B             5.10.10-syzkaller-00198-g11167454e9cb #0
[ 22.201032][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.211270][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 22.216892][ T373] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 22.236653][ T373] RSP: 0018:ffffc9000078fb40 EFLAGS: 00010802
[ 22.242697][ T373] RAX: 1ffff1122001beef RBX: ffff8891000df778 RCX: 0000000000000002
[ 22.250733][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 22.258689][ T373] RBP: ffffc9000078fb50 R08: ffff888119b26ac0 R09: fffffbfff0bc26f9
[ 22.266747][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.274700][ T373] R13: ffff888119b26ac0 R14: dffffc0000000000 R15: ffff888119b26fe0
[ 22.282651][ T373] FS:  0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 22.291653][ T373] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.298216][ T373] CR2: ffffed122001beef CR3: 0000000119bdb000 CR4: 00000000003506a0
[ 22.306298][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.314503][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.322465][ T373] Call Trace:
[ 22.325745][ T373]  do_notify_parent+0x2c7/0xa70
[ 22.330579][ T373]  ? __kasan_check_write+0x14/0x20
[ 22.335665][ T373]  do_exit+0x1a52/0x2190
[ 22.339888][ T373]  do_group_exit+0x13f/0x310
[ 22.344473][ T373]  get_signal+0xbef/0x10c0
[ 22.348871][ T373]  arch_do_signal+0x42/0x710
[ 22.353447][ T373]  exit_to_user_mode_loop+0xa3/0xe0
[ 22.358627][ T373]  syscall_exit_to_user_mode+0x77/0xa0
[ 22.364089][ T373]  do_syscall_64+0x40/0x70
[ 22.368606][ T373]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.374509][ T373] RIP: 0033:0x7f07c25db2fe
[ 22.378910][ T373] Code: Unable to access opcode bytes at RIP 0x7f07c25db2d4.
[ 22.386272][ T373] RSP: 002b:00007ffe6e7b02e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 22.394676][ T373] RAX: fffffffffffffe00 RBX: 00007ffe6e7b0370 RCX: 00007f07c25db2fe
[ 22.402894][ T373] RDX: 0000000000000040 RSI: 00007f07c2746020 RDI: 00000000000000f9
[ 22.410930][ T373] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffffffff0000
[ 22.418883][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 22.427026][ T373] R13: 0000000000005426 R14: 0000000000000003 R15: 00007ffe6e7b03b0
[ 22.435079][ T373] Modules linked in:
[ 22.439049][ T373] CR2: ffffed122001beef
[ 22.443200][ T373] ---[ end trace 01cb9c9191349011 ]---
[ 22.448742][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 22.454526][ T373] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 22.474305][ T373] RSP: 0018:ffffc9000078fb40 EFLAGS: 00010802
[ 22.480362][ T373] RAX: 1ffff1122001beef RBX: ffff8891000df778 RCX: 0000000000000002
[ 22.488429][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 22.496384][ T373] RBP: ffffc9000078fb50 R08: ffff888119b26ac0 R09: fffffbfff0bc26f9
[ 22.504349][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 22.512297][ T373] R13: ffff888119b26ac0 R14: dffffc0000000000 R15: ffff888119b26fe0
[ 22.520267][ T373] FS:  0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 22.529375][ T373] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.536034][ T373] CR2: ffffed122001beef CR3: 0000000119bdb000 CR4: 00000000003506a0
[ 22.543996][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.551952][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.559901][ T373] Kernel panic - not syncing: Fatal exception
[ 22.565987][ T373] Kernel Offset: disabled
[ 22.570288][ T373] Rebooting in 86400 seconds..

syzkaller build log:
go env (err=)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1864349920=/tmp/go-build -gno-record-gcc-switches"

git status (err=)
HEAD detached at c0b80a55c
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"