KASAN: use-after-free Read in attach_pid

==================================================================
BUG: KASAN: use-after-free in hlist_add_head_rcu include/linux/rculist.h:588 [inline]
BUG: KASAN: use-after-free in attach_pid+0xf3/0x1f0 kernel/pid.c:334
Read of size 8 at addr ffff888100155860 by task init/1

CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x1bb/0x220 lib/dump_stack.c:120
 print_address_description+0x7a/0x3b0 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x19b/0x1e0 mm/kasan/report.c:416
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 hlist_add_head_rcu include/linux/rculist.h:588 [inline]
 attach_pid+0xf3/0x1f0 kernel/pid.c:334
 copy_process+0x1f3a/0x21d0 kernel/fork.c:2296
 kernel_clone+0x1df/0x6a0 kernel/fork.c:2500
 __do_sys_vfork+0x76/0xb0 kernel/fork.c:2579
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd804f232b8
Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 0:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 __kasan_slab_alloc+0xa2/0xd0 mm/kasan/common.c:460
 kasan_slab_alloc include/linux/kasan.h:223 [inline]
 slab_post_alloc_hook+0x3f/0x70 mm/slab.h:516
 slab_alloc_node mm/slub.c:2907 [inline]
 slab_alloc mm/slub.c:2915 [inline]
 kmem_cache_alloc+0x139/0x230 mm/slub.c:2920
 alloc_pid+0x97/0xae0 kernel/pid.c:180
 copy_process+0xe6f/0x21d0 kernel/fork.c:2123
 kernel_clone+0x1df/0x6a0 kernel/fork.c:2500
 kernel_thread+0x109/0x150 kernel/fork.c:2552
 rest_init+0x22/0xf0 init/main.c:687
 arch_call_rest_init+0xe/0x10 init/main.c:849
 start_kernel+0x45f/0x4d1 init/main.c:1064
 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:525
 x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:506
 secondary_startup_64_no_verify+0xb0/0xbb

Freed by task 417:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357
 ____kasan_slab_free+0x113/0x150 mm/kasan/common.c:360
 __kasan_slab_free+0xe/0x10 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0xa7/0x170 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kmem_cache_free+0x9a/0x190 mm/slub.c:3177
 put_pid+0xb3/0x120 kernel/pid.c:114
 proc_do_cad_pid+0x131/0x1d0 kernel/sysctl.c:1401
 proc_sys_call_handler+0x492/0x640 fs/proc/proc_sysctl.c:591
 proc_sys_write+0x22/0x30 fs/proc/proc_sysctl.c:617
 call_write_iter include/linux/fs.h:1977 [inline]
 new_sync_write fs/read_write.c:518 [inline]
 vfs_write+0x466/0x560 fs/read_write.c:605
 ksys_write+0x155/0x260 fs/read_write.c:658
 __do_sys_write fs/read_write.c:670 [inline]
 __se_sys_write fs/read_write.c:667 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:667
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888100155840
 which belongs to the cache pid of size 112
The buggy address is located 32 bytes inside of
 112-byte region [ffff888100155840, ffff8881001558b0)
The buggy address belongs to the page:
page:ffffea0004005540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100155
flags: 0x4000000000000200(slab)
raw: 4000000000000200 dead000000000100 dead000000000122 ffff88810012bdc0
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1004486484
 create_dummy_stack mm/page_owner.c:64 [inline]
 register_early_stack+0x41/0x80 mm/page_owner.c:80
 init_page_owner+0x32/0x4f0 mm/page_owner.c:90
 invoke_init_callbacks+0x63/0x6d mm/page_ext.c:98
 page_ext_init+0x316/0x333 mm/page_ext.c:407
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888100155700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff888100155780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>ffff888100155800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                       ^
 ffff888100155880: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff888100155900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================
BUG: unable to handle page fault for address: ffffed122001bc17
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23fff2067 P4D 23fff2067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1 Comm: init Tainted: G B 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ns_of_pid include/linux/pid.h:153 [inline]
RIP: 0010:task_active_pid_ns+0x69/0xa0 kernel/pid.c:509
Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
FS:  00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 pid_vnr+0x1b/0x30 kernel/pid.c:488
 kernel_clone+0x226/0x6a0 kernel/fork.c:2513
 __do_sys_vfork+0x76/0xb0 kernel/fork.c:2579
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd804f232b8
Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: ffffed122001bc17
---[ end trace d9fe3c26ab088b67 ]---
RIP: 0010:ns_of_pid include/linux/pid.h:153 [inline]
RIP: 0010:task_active_pid_ns+0x69/0xa0 kernel/pid.c:509
Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
FS:  00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   ad                      lods   %ds:(%rsi),%eax
   1:   5d                      pop    %rbp
   2:   1d 00 48 8d 7b          sbb    $0x7b8d4800,%eax
   7:   04 48                   add    $0x48,%al
   9:   89 f8                   mov    %edi,%eax
   b:   48 c1 e8 03             shr    $0x3,%rax
   f:   42 8a 04 30             mov    (%rax,%r14,1),%al
  13:   84 c0                   test   %al,%al
  15:   75 33                   jne    0x4a
  17:   8b 43 04                mov    0x4(%rbx),%eax
  1a:   48 c1 e0 04             shl    $0x4,%rax
  1e:   48 8d 5c 03 68          lea    0x68(%rbx,%rax,1),%rbx
  23:   48 89 d8                mov    %rbx,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
* 2a:   42 80 3c 30 00          cmpb   $0x0,(%rax,%r14,1) <-- trapping instruction
  2f:   74 08                   je     0x39
  31:   48 89 df                mov    %rbx,%rdi
  34:   e8 78 9c 4f 00          callq  0x4f9cb1
  39:   48 8b 03                mov    (%rbx),%rax
  3c:   eb 07                   jmp    0x45
  3e:   e8                      .byte 0xe8
  3f:   6e                      outsb  %ds:(%rsi),(%dx)

Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
2022/11/16 07:58:50 fuzzer started
2022/11/16 07:58:50 connecting to host at 10.128.0.163:40957
2022/11/16 07:58:50 checking machine...
2022/11/16 07:58:50 checking revisions...
2022/11/16 07:58:50 testing simple program...
[ 19.329088][ T28] audit: type=1400 audit(1668585530.580:62): avc: denied { integrity } for pid=407 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 19.335936][ T28] audit: type=1400 audit(1668585530.590:63): avc: denied { getattr } for pid=407 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.341385][ T28] audit: type=1400 audit(1668585530.590:64): avc: denied { read } for pid=407 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.346648][ T28] audit: type=1400 audit(1668585530.590:65): avc: denied { open } for pid=407 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.351297][ T417] cgroup: Unknown subsys name 'net'
[ 19.362569][ T28] audit: type=1400 audit(1668585530.590:66): avc: denied { read } for pid=407 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=161 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.390543][ T28] audit: type=1400 audit(1668585530.590:67): avc: denied { open } for pid=407 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=161 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.390877][ T417] cgroup: Unknown subsys name 'devices'
[ 19.414335][ T28] audit: type=1400 audit(1668585530.600:68): avc: denied { mounton } for pid=417 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 19.442303][ T28] audit: type=1400 audit(1668585530.600:69): avc: denied { mount } for pid=417 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.464505][ T28] audit: type=1400 audit(1668585530.620:70): avc: denied { unmount } for pid=417 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.576443][ T417] cgroup: Unknown subsys name 'hugetlb'
[ 19.582019][ T417] cgroup: Unknown subsys name 'rlimit'
[ 19.705666][ T28] audit: type=1400 audit(1668585530.960:71): avc: denied { setattr } for pid=417 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=161 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.769929][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.777700][ T420] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.786548][ T420] device bridge_slave_0 entered promiscuous mode
[ 19.793891][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.801005][ T420] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.808431][ T420] device bridge_slave_1 entered promiscuous mode
[ 19.840543][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.847868][ T420] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.855241][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.862250][ T420] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.878644][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 19.886523][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 19.893732][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 19.901690][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 19.910951][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 19.919049][ T418] bridge0: port 1(bridge_slave_0) entered blocking state
[ 19.925993][ T418] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 19.935128][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 19.943133][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 19.950255][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 19.960560][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 19.969449][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 19.982691][ T420] device veth0_vlan entered promiscuous mode
[ 19.989168][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 19.997974][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 20.006014][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 20.013382][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 20.020834][ T1] ==================================================================
[ 20.028712][ T1] BUG: KASAN: use-after-free in attach_pid+0xf3/0x1f0
[ 20.035389][ T1] Read of size 8 at addr ffff888100155860 by task init/1
[ 20.042371][ T1]
[ 20.044503][ T1] CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
[ 20.053630][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.063517][ T1] Call Trace:
[ 20.066636][ T1]  dump_stack+0x1bb/0x220
[ 20.070848][ T1]  print_address_description+0x7a/0x3b0
[ 20.076189][ T1]  kasan_report+0x19b/0x1e0
[ 20.080528][ T1]  ? attach_pid+0xf3/0x1f0
[ 20.084777][ T1]  ? attach_pid+0xf3/0x1f0
[ 20.089039][ T1]  __asan_report_load8_noabort+0x14/0x20
[ 20.094496][ T1]  attach_pid+0xf3/0x1f0
[ 20.099114][ T1]  copy_process+0x1f3a/0x21d0
[ 20.103609][ T1]  kernel_clone+0x1df/0x6a0
[ 20.107952][ T1]  __do_sys_vfork+0x76/0xb0
[ 20.112378][ T1]  do_syscall_64+0x34/0x70
[ 20.116628][ T1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.122356][ T1] RIP: 0033:0x7fd804f232b8
[ 20.126615][ T1] Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
[ 20.146137][ T1] RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
[ 20.154381][ T1] RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
[ 20.162289][ T1] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
[ 20.170099][ T1] RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
[ 20.178272][ T1] R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
[ 20.186149][ T1] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[ 20.194057][ T1]
[ 20.196221][ T1] Allocated by task 0:
[ 20.200216][ T1]  __kasan_slab_alloc+0xa2/0xd0
[ 20.205159][ T1]  slab_post_alloc_hook+0x3f/0x70
[ 20.210015][ T1]  kmem_cache_alloc+0x139/0x230
[ 20.214706][ T1]  alloc_pid+0x97/0xae0
[ 20.218702][ T1]  copy_process+0xe6f/0x21d0
[ 20.223132][ T1]  kernel_clone+0x1df/0x6a0
[ 20.227704][ T1]  kernel_thread+0x109/0x150
[ 20.232727][ T1]  rest_init+0x22/0xf0
[ 20.236647][ T1]  arch_call_rest_init+0xe/0x10
[ 20.241939][ T1]  start_kernel+0x45f/0x4d1
[ 20.246457][ T1]  x86_64_start_reservations+0x2a/0x2c
[ 20.251752][ T1]  x86_64_start_kernel+0x7a/0x7d
[ 20.256527][ T1]  secondary_startup_64_no_verify+0xb0/0xbb
[ 20.262245][ T1]
[ 20.264415][ T1] Freed by task 417:
[ 20.268147][ T1]  kasan_set_track+0x4c/0x80
[ 20.272592][ T1]  kasan_set_free_info+0x23/0x40
[ 20.277353][ T1]  ____kasan_slab_free+0x113/0x150
[ 20.282305][ T1]  __kasan_slab_free+0xe/0x10
[ 20.286811][ T1]  slab_free_freelist_hook+0xa7/0x170
[ 20.292023][ T1]  kmem_cache_free+0x9a/0x190
[ 20.296529][ T1]  put_pid+0xb3/0x120
[ 20.300512][ T1]  proc_do_cad_pid+0x131/0x1d0
[ 20.305184][ T1]  proc_sys_call_handler+0x492/0x640
[ 20.310300][ T1]  proc_sys_write+0x22/0x30
[ 20.314626][ T1]  vfs_write+0x466/0x560
[ 20.318883][ T1]  ksys_write+0x155/0x260
[ 20.323175][ T1]  __x64_sys_write+0x7b/0x90
[ 20.327644][ T1]  do_syscall_64+0x34/0x70
[ 20.331894][ T1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.337629][ T1]
[ 20.339798][ T1] The buggy address belongs to the object at ffff888100155840
[ 20.339798][ T1]  which belongs to the cache pid of size 112
[ 20.353090][ T1] The buggy address is located 32 bytes inside of
[ 20.353090][ T1]  112-byte region [ffff888100155840, ffff8881001558b0)
[ 20.366373][ T1] The buggy address belongs to the page:
[ 20.371833][ T1] page:ffffea0004005540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100155
[ 20.381902][ T1] flags: 0x4000000000000200(slab)
[ 20.386855][ T1] raw: 4000000000000200 dead000000000100 dead000000000122 ffff88810012bdc0
[ 20.395285][ T1] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 20.403685][ T1] page dumped because: kasan: bad access detected
[ 20.409935][ T1] page_owner tracks the page as allocated
[ 20.415593][ T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1004486484
[ 20.425828][ T1]  register_early_stack+0x41/0x80
[ 20.430865][ T1]  init_page_owner+0x32/0x4f0
[ 20.435373][ T1]  invoke_init_callbacks+0x63/0x6d
[ 20.440429][ T1]  page_ext_init+0x316/0x333
[ 20.444854][ T1] page_owner free stack trace missing
[ 20.450178][ T1]
[ 20.452328][ T1] Memory state around the buggy address:
[ 20.458670][ T1]  ffff888100155700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 20.466566][ T1]  ffff888100155780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.474667][ T1] >ffff888100155800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.482547][ T1]                                                        ^
[ 20.489831][ T1]  ffff888100155880: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 20.497926][ T1]  ffff888100155900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 20.505877][ T1] ==================================================================
[ 20.515471][ T1] Disabling lock debugging due to kernel taint
[ 20.525556][ T1] BUG: unable to handle page fault for address: ffffed122001bc17
[ 20.533230][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 20.533439][ T1] #PF: supervisor read access in kernel mode
[ 20.542751][ T420] device veth1_macvtap entered promiscuous mode
[ 20.547058][ T1] #PF: error_code(0x0000) - not-present page
[ 20.547071][ T1] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 20.547091][ T1] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 20.547105][ T1] CPU: 0 PID: 1 Comm: init Tainted: G B 5.12.0-rc4-syzkaller-00016-gf68f40638559 #0
[ 20.557814][ T418] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 20.558948][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 20.558960][ T1] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.603540][ T1] Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
[ 20.623240][ T1] RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
[ 20.629138][ T1] RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
[ 20.636947][ T1] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
[ 20.645069][ T1] RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
[ 20.652882][ T1] R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
[ 20.660789][ T1] R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
[ 20.669068][ T1] FS:  00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 20.677807][ T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.684398][ T1] CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
[ 20.693393][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.701589][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.710006][ T1] Call Trace:
[ 20.713222][ T1]  pid_vnr+0x1b/0x30
[ 20.716951][ T1]  kernel_clone+0x226/0x6a0
[ 20.721391][ T1]  __do_sys_vfork+0x76/0xb0
[ 20.725813][ T1]  do_syscall_64+0x34/0x70
[ 20.730065][ T1]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.735791][ T1] RIP: 0033:0x7fd804f232b8
[ 20.740148][ T1] Code: 00 00 e8 db 9f fb ff 48 89 e7 e8 43 3f 05 00 e9 ab fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 5f b8 3a 00 00 00 0f 05 <57> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 1b 0f 00 f7 d8 64 89 01 48
[ 20.760186][ T1] RSP: 002b:00007ffd668955f0 EFLAGS: 00000246 ORIG_RAX: 000000000000003a
[ 20.768528][ T1] RAX: ffffffffffffffda RBX: 000055e9e8d679f0 RCX: 00007fd804f232b8
[ 20.776335][ T1] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00007fd8050a6e18
[ 20.784484][ T1] RBP: 00007ffd66895670 R08: 0000000000000007 R09: 000055e9e8d68390
[ 20.792296][ T1] R10: 00007ffd66895630 R11: 0000000000000246 R12: 0000000000000000
[ 20.800282][ T1] R13: 0000000000000018 R14: 0000000000000000 R15: 0000000000000000
[ 20.808395][ T1] Modules linked in:
[ 20.812108][ T1] CR2: ffffed122001bc17
[ 20.816197][ T1] ---[ end trace d9fe3c26ab088b67 ]---
[ 20.821486][ T1] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 20.827034][ T1] Code: ad 5d 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 78 9c 4f 00 48 8b 03 eb 07 e8 6e
[ 20.847392][ T1] RSP: 0018:ffffc90000017df0 EFLAGS: 00010a06
[ 20.853817][ T1] RAX: 1ffff1122001bc17 RBX: ffff8891000de0b8 RCX: ffffffff813d0aea
[ 20.862196][ T1] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff888100155844
[ 20.870333][ T1] RBP: ffffc90000017e00 R08: ffffffff813d185e R09: ffffed102368b509
[ 20.878353][ T1] R10: ffffed102368b509 R11: 1ffff1102368b508 R12: 0000000000004100
[ 20.886682][ T1] R13: ffffc90000017eb8 R14: dffffc0000000000 R15: dffffc0000000000
[ 20.895111][ T1] FS:  00007fd804db9800(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 20.903994][ T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.910585][ T1] CR2: ffffed122001bc17 CR3: 0000000108596000 CR4: 00000000003506b0
[ 20.918756][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.926734][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.934560][ T1] Kernel panic - not syncing: Fatal exception
[ 20.940640][ T1] Kernel Offset: disabled
[ 20.944721][ T1] Rebooting in 86400 seconds..

syzkaller build log:
go env (err=)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2990475542=/tmp/go-build -gno-record-gcc-switches"

git status (err=)
HEAD detached at 6feb842be
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6feb842be06bf94e4751c499cd8b4659974c6f03 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221107-095747'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6feb842be06bf94e4751c499cd8b4659974c6f03\"