KASAN: use-after-free Read in task_active_pid_ns

cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
==================================================================
BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]
BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0 kernel/pid.c:509
Read of size 4 at addr ffff888100152184 by task syz-executor.0/374

CPU: 1 PID: 374 Comm: syz-executor.0 Not tainted 5.11.0-rc1-syzkaller-00046-g2569063c7140 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:120
 print_address_description+0x7a/0x3b0 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report+0x18e/0x230 mm/kasan/report.c:413
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ns_of_pid include/linux/pid.h:153 [inline]
 task_active_pid_ns+0x9a/0xa0 kernel/pid.c:509
 do_notify_parent+0x2f6/0x990 kernel/signal.c:1950
 exit_notify kernel/exit.c:681 [inline]
 do_exit+0x140b/0x2250 kernel/exit.c:843
 do_group_exit+0x13a/0x300 kernel/exit.c:920
 get_signal+0xd59/0x1320 kernel/signal.c:2770
 arch_do_signal_or_restart+0x5d/0x5c0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop+0xd4/0x110 kernel/entry/common.c:171
 exit_to_user_mode_prepare kernel/entry/common.c:201 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x75/0xa0 kernel/entry/common.c:302
 do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f4e815f32fe
Code: Unable to access opcode bytes at RIP 0x7f4e815f32d4.
RSP: 002b:00007ffecb776338 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 00007ffecb7763c0 RCX: 00007f4e815f32fe
RDX: 0000000000000040 RSI: 00007f4e8175e020 RDI: 00000000000000f9
RBP: 0000000000000003 R08: 00000000000002e8 R09: ffffffffffff0000
R10: 00007f4e81738000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000006ec9 R14: 0000000000000003 R15: 00007ffecb776400

Allocated by task 0:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc+0xcb/0x100 mm/kasan/common.c:429
 __kasan_slab_alloc+0x11/0x20 mm/kasan/common.c:437
 kasan_slab_alloc include/linux/kasan.h:205 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2892 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 kmem_cache_alloc+0x17d/0x2b0 mm/slub.c:2905
 alloc_pid+0x9c/0xad0 kernel/pid.c:180
 copy_process+0x16d7/0x32d0 kernel/fork.c:2115
 kernel_clone+0x1d7/0x840 kernel/fork.c:2464
 kernel_thread+0x11b/0x160 kernel/fork.c:2516
 rest_init+0x22/0xf0 init/main.c:686
 arch_call_rest_init+0xe/0x10 init/main.c:846
 start_kernel+0x45a/0x4cc init/main.c:1061
 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:525
 x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:506
 secondary_startup_64_no_verify+0xb0/0xbb

Freed by task 370:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:354
 ____kasan_slab_free+0xf6/0x120 mm/kasan/common.c:362
 __kasan_slab_free+0xe/0x10 mm/kasan/common.c:369
 kasan_slab_free include/linux/kasan.h:188 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x7b/0x150 mm/slub.c:1580
 slab_free mm/slub.c:3143 [inline]
 kmem_cache_free+0x9e/0x1d0 mm/slub.c:3159
 put_pid+0xb3/0x120 kernel/pid.c:114
 proc_do_cad_pid+0x131/0x1d0 kernel/sysctl.c:1401
 proc_sys_call_handler+0x501/0x7c0 fs/proc/proc_sysctl.c:591
 proc_sys_write+0x22/0x30 fs/proc/proc_sysctl.c:617
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write fs/read_write.c:518 [inline]
 vfs_write+0xb57/0xe50 fs/read_write.c:605
 ksys_write+0x157/0x260 fs/read_write.c:658
 __do_sys_write fs/read_write.c:670 [inline]
 __se_sys_write fs/read_write.c:667 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:667
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888100152180
 which belongs to the cache pid of size 112
The buggy address is located 4 bytes inside of
 112-byte region [ffff888100152180, ffff8881001521f0)
The buggy address belongs to the page:
page:00000000e10c63dc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100152
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100125140
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 987467602
 create_dummy_stack mm/page_owner.c:64 [inline]
 register_early_stack+0x41/0x80 mm/page_owner.c:80
 init_page_owner+0x32/0x810 mm/page_owner.c:90
 invoke_init_callbacks mm/page_ext.c:98 [inline]
 page_ext_init+0x342/0x369 mm/page_ext.c:407
 kernel_init_freeable+0x205/0x306 init/main.c:1530
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888100152080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888100152100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff888100152180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
                   ^
 ffff888100152200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888100152280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================
BUG: unable to handle page fault for address: ffffed122001b53f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23fff2067 P4D 23fff2067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 374 Comm: syz-executor.0 Tainted: G B 5.11.0-rc1-syzkaller-00046-g2569063c7140 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ns_of_pid include/linux/pid.h:153 [inline]
RIP: 0010:task_active_pid_ns+0x69/0xa0 kernel/pid.c:509
Code: 4d ca 22 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 88 bb 59 00 48 8b 03 eb 07 e8 0e
RSP: 0018:ffffc90000917b90 EFLAGS: 00010806
RAX: 1ffff1122001b53f RBX: ffff8891000da9f8 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000001
RBP: ffffc90000917ba0 R08: ffffffff813d1193 R09: fffffbfff0c7aaf9
R10: fffffbfff0c7aaf9 R11: 1ffffffff0c7aaf8 R12: 0000000000000011
R13: 0000000000000011 R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed122001b53f CR3: 0000000119157000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_notify_parent+0x2f6/0x990 kernel/signal.c:1950
 exit_notify kernel/exit.c:681 [inline]
 do_exit+0x140b/0x2250 kernel/exit.c:843
 do_group_exit+0x13a/0x300 kernel/exit.c:920
 get_signal+0xd59/0x1320 kernel/signal.c:2770
 arch_do_signal_or_restart+0x5d/0x5c0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop+0xd4/0x110 kernel/entry/common.c:171
 exit_to_user_mode_prepare kernel/entry/common.c:201 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x75/0xa0 kernel/entry/common.c:302
 do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f4e815f32fe
Code: Unable to access opcode bytes at RIP 0x7f4e815f32d4.
RSP: 002b:00007ffecb776338 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 00007ffecb7763c0 RCX: 00007f4e815f32fe
RDX: 0000000000000040 RSI: 00007f4e8175e020 RDI: 00000000000000f9
RBP: 0000000000000003 R08: 00000000000002e8 R09: ffffffffffff0000
R10: 00007f4e81738000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000006ec9 R14: 0000000000000003 R15: 00007ffecb776400
Modules linked in:
CR2: ffffed122001b53f
---[ end trace 298419b119b38927 ]---
RIP: 0010:ns_of_pid include/linux/pid.h:153 [inline]
RIP: 0010:task_active_pid_ns+0x69/0xa0 kernel/pid.c:509
Code: 4d ca 22 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 88 bb 59 00 48 8b 03 eb 07 e8 0e
RSP: 0018:ffffc90000917b90 EFLAGS: 00010806
RAX: 1ffff1122001b53f RBX: ffff8891000da9f8 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000001
RBP: ffffc90000917ba0 R08: ffffffff813d1193 R09: fffffbfff0c7aaf9
R10: fffffbfff0c7aaf9 R11: 1ffffffff0c7aaf8 R12: 0000000000000011
R13: 0000000000000011 R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed122001b53f CR3: 0000000119157000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   4d ca 22 00             rex.WRB lretq $0x22
   4:   48 8d 7b 04             lea    0x4(%rbx),%rdi
   8:   48 89 f8                mov    %rdi,%rax
   b:   48 c1 e8 03             shr    $0x3,%rax
   f:   42 8a 04 30             mov    (%rax,%r14,1),%al
  13:   84 c0                   test   %al,%al
  15:   75 33                   jne    0x4a
  17:   8b 43 04                mov    0x4(%rbx),%eax
  1a:   48 c1 e0 04             shl    $0x4,%rax
  1e:   48 8d 5c 03 68          lea    0x68(%rbx,%rax,1),%rbx
  23:   48 89 d8                mov    %rbx,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
* 2a:   42 80 3c 30 00          cmpb   $0x0,(%rax,%r14,1)    <-- trapping instruction
  2f:   74 08                   je     0x39
  31:   48 89 df                mov    %rbx,%rdi
  34:   e8 88 bb 59 00          callq  0x59bbc1
  39:   48 8b 03                mov    (%rbx),%rax
  3c:   eb 07                   jmp    0x45
  3e:   e8                      .byte 0xe8
  3f:   0e                      (bad)

DUID 00:04:dc:fa:5a:ab:93:5f:12:a8:cb:eb:0b:97:8a:94:6e:8b
forked to background, child pid 197
Starting sshd: OK

syzkaller
syzkaller login: [ 20.708941][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 20.708950][ T23] audit: type=1400 audit(1667801865.010:71): avc: denied { transition } for pid=353 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 20.715288][ T23] audit: type=1400 audit(1667801865.030:72): avc: denied { write } for pid=353 comm="sh" path="pipe:[270]" dev="pipefs" ino=270 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts.
2022/11/07 06:17:51 fuzzer started
2022/11/07 06:17:51 connecting to host at 10.128.0.163:44605
2022/11/07 06:17:51 checking machine...
2022/11/07 06:17:51 checking revisions...
2022/11/07 06:17:51 testing simple program...