UBSAN: object-size-mismatch in wg_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2004:28
member access within address ffff8881daa97618 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 378 Comm: kworker/1:2 Not tainted 5.4.197-syzkaller-00109-g8368124477c8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d4 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:340
 __skb_queue_before include/linux/skbuff.h:2004 [inline]
 __skb_queue_tail include/linux/skbuff.h:2037 [inline]
 wg_xmit+0x41d/0xa60 drivers/net/wireguard/device.c:185
 __netdev_start_xmit include/linux/netdevice.h:4519 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4533
 xmit_one net/core/dev.c:3209 [inline]
 dev_hard_start_xmit+0x123/0x270 net/core/dev.c:3225
 __dev_queue_xmit+0xe50/0x1840 net/core/dev.c:3789
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3822
 neigh_connected_output+0x28f/0x2c0 net/core/neighbour.c:1529
 neigh_output include/net/neighbour.h:525 [inline]
 ip6_finish_output2+0xda3/0x12f0 net/ipv6/ip6_output.c:144
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:209
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:219
 NF_HOOK_COND include/linux/netfilter.h:297 [inline]
 ip6_output+0x155/0x380 net/ipv6/ip6_output.c:242
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK+0x88/0x220 include/linux/netfilter.h:308
 ndisc_send_skb+0x667/0xa10 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x222/0x320 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x443/0x910 net/ipv6/addrconf.c:4236
 addrconf_dad_work+0x948/0x11c0 net/ipv6/addrconf.c:4002
 process_one_work+0x38d/0x5e0 kernel/workqueue.c:2287
 worker_thread+0x71b/0xa60 kernel/workqueue.c:2433
 kthread+0x33b/0x3d0 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1897:2
member access within address ffff8881daa97618 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 378 Comm: kworker/1:2 Not tainted 5.4.197-syzkaller-00109-g8368124477c8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d4 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:340
 __skb_insert include/linux/skbuff.h:1897 [inline]
 __skb_queue_before include/linux/skbuff.h:2004 [inline]
 __skb_queue_tail include/linux/skbuff.h:2037 [inline]
 wg_xmit+0x480/0xa60 drivers/net/wireguard/device.c:185
 __netdev_start_xmit include/linux/netdevice.h:4519 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4533
 xmit_one net/core/dev.c:3209 [inline]
 dev_hard_start_xmit+0x123/0x270 net/core/dev.c:3225
 __dev_queue_xmit+0xe50/0x1840 net/core/dev.c:3789
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3822
 neigh_connected_output+0x28f/0x2c0 net/core/neighbour.c:1529
 neigh_output include/net/neighbour.h:525 [inline]
 ip6_finish_output2+0xda3/0x12f0 net/ipv6/ip6_output.c:144
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:209
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:219
 NF_HOOK_COND include/linux/netfilter.h:297 [inline]
 ip6_output+0x155/0x380
 net/ipv6/ip6_output.c:242
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK+0x88/0x220 include/linux/netfilter.h:308
 ndisc_send_skb+0x667/0xa10 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x222/0x320 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x443/0x910 net/ipv6/addrconf.c:4236
 addrconf_dad_work+0x948/0x11c0 net/ipv6/addrconf.c:4002
 process_one_work+0x38d/0x5e0 kernel/workqueue.c:2287
 worker_thread+0x71b/0xa60 kernel/workqueue.c:2433
 kthread+0x33b/0x3d0 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
================================================================================

2022/07/27 19:15:01 fuzzer started