UBSAN: object-size-mismatch in send4 ================================================================================ UBSAN: object-size-mismatch in ./include/net/flow.h:200:33 member access within address ffffc90000087ba0 with insufficient space for an object of type 'struct flowi' CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x1bb/0x220 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] handle_object_size_mismatch lib/ubsan.c:229 [inline] ubsan_type_mismatch_common+0x1e9/0x390 lib/ubsan.c:242 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:271 flowi4_to_flowi_common include/net/flow.h:200 [inline] send4+0x2f3/0xd90 drivers/net/wireguard/socket.c:52 wg_socket_send_skb_to_peer+0xcd/0x210 drivers/net/wireguard/socket.c:174 wg_socket_send_buffer_to_peer+0xce/0x100 drivers/net/wireguard/socket.c:199 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] wg_packet_handshake_send_worker+0x16f/0x1b0 drivers/net/wireguard/send.c:51 process_one_work+0x3d5/0x640 kernel/workqueue.c:2275 worker_thread+0x723/0xa60 kernel/workqueue.c:2421 kthread+0x349/0x3d0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 ================================================================================ ================================================================================ UBSAN: object-size-mismatch in ./include/net/flow.h:200:33 member access within address ffffc90000087ba0 with insufficient space for an object of type 'union (unnamed union at ./include/net/flow.h:175:2)' CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x1bb/0x220 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] handle_object_size_mismatch lib/ubsan.c:229 [inline] ubsan_type_mismatch_common+0x1e9/0x390 lib/ubsan.c:242 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:271 flowi4_to_flowi_common include/net/flow.h:200 [inline] send4+0x302/0xd90 drivers/net/wireguard/socket.c:52 wg_socket_send_skb_to_peer+0xcd/0x210 drivers/net/wireguard/socket.c:174 wg_socket_send_buffer_to_peer+0xce/0x100 drivers/net/wireguard/socket.c:199 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] wg_packet_handshake_send_worker+0x16f/0x1b0 drivers/net/wireguard/send.c:51 process_one_work+0x3d5/0x640 kernel/workqueue.c:2275 worker_thread+0x723/0xa60 kernel/workqueue.c:2421 kthread+0x349/0x3d0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 ================================================================================ Warning: Permanently added '10.128.15.195' (ECDSA) to the list of known hosts. 2022/11/04 11:38:49 fuzzer started 2022/11/04 11:38:50 connecting to host at 10.128.0.163:40953 2022/11/04 11:38:50 checking machine... 2022/11/04 11:38:50 checking revisions... 2022/11/04 11:38:50 testing simple program... [ 18.519236][ T24] audit: type=1400 audit(1667561930.240:73): avc: denied { integrity } for pid=366 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1 [ 18.527821][ T24] audit: type=1400 audit(1667561930.250:74): avc: denied { getattr } for pid=366 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 18.534143][ T24] audit: type=1400 audit(1667561930.250:75): avc: denied { read } for pid=366 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 18.541556][ T24] audit: type=1400 audit(1667561930.250:76): avc: denied { open } for pid=366 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 18.542153][ T374] cgroup: Unknown subsys name 'net' [ 18.565483][ T24] audit: type=1400 audit(1667561930.260:77): avc: denied { read } for pid=366 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 18.595222][ T24] audit: type=1400 audit(1667561930.260:78): avc: denied { open } for pid=366 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 18.595429][ T374] cgroup: Unknown subsys name 'devices' [ 18.618697][ T24] audit: type=1400 audit(1667561930.270:79): avc: denied { mounton } for pid=374 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 18.647517][ T24] audit: type=1400 audit(1667561930.270:80): avc: denied { mount } for pid=374 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 18.670318][ T24] audit: type=1400 audit(1667561930.300:81): avc: denied { unmount } for pid=374 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 18.782083][ T374] cgroup: Unknown subsys name 'hugetlb' [ 18.787868][ T374] cgroup: Unknown subsys name 'rlimit' [ 18.861901][ T24] audit: type=1400 audit(1667561930.590:82): avc: denied { setattr } for pid=374 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 18.917665][ T376] bridge0: port 1(bridge_slave_0) entered blocking state [ 18.924996][ T376] bridge0: port 1(bridge_slave_0) entered disabled state [ 18.933090][ T376] device bridge_slave_0 entered promiscuous mode [ 18.940062][ T376] bridge0: port 2(bridge_slave_1) entered blocking state [ 18.948982][ T376] bridge0: port 2(bridge_slave_1) entered disabled state [ 18.957017][ T376] device bridge_slave_1 entered promiscuous mode [ 18.984112][ T376] bridge0: port 2(bridge_slave_1) entered blocking state [ 18.991875][ T376] bridge0: port 2(bridge_slave_1) entered forwarding state [ 18.999809][ T376] bridge0: port 1(bridge_slave_0) entered blocking state [ 19.007169][ T376] bridge0: port 1(bridge_slave_0) entered forwarding state [ 19.023813][ T58] bridge0: port 1(bridge_slave_0) entered disabled state [ 19.031596][ T58] bridge0: port 2(bridge_slave_1) entered disabled state [ 19.038882][ T58] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 19.047407][ T58] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 19.056620][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 19.065290][ T5] bridge0: port 1(bridge_slave_0) entered blocking state [ 19.072441][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state [ 19.090675][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 19.099640][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 19.108341][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 19.117141][ T5] bridge0: port 2(bridge_slave_1) entered blocking state [ 19.124183][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state [ 19.132577][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 19.141458][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 19.151903][ T110] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 19.162565][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 19.173215][ T110] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 19.182982][ T8] ================================================================================ [ 19.192463][ T8] UBSAN: object-size-mismatch in ./include/net/flow.h:200:33 [ 19.200249][ T8] member access within address ffffc90000087ba0 with insufficient space [ 19.208766][ T8] for an object of type 'struct flowi' [ 19.214234][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 [ 19.224389][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 19.234544][ T8] Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker [ 19.241672][ T8] Call Trace: [ 19.245246][ T8] dump_stack+0x1bb/0x220 [ 19.249574][ T8] ubsan_type_mismatch_common+0x1e9/0x390 [ 19.255866][ T8] __ubsan_handle_type_mismatch_v1+0x4b/0x60 [ 19.262364][ T8] send4+0x2f3/0xd90 [ 19.266248][ T8] wg_socket_send_skb_to_peer+0xcd/0x210 [ 19.271946][ T8] wg_socket_send_buffer_to_peer+0xce/0x100 [ 19.277928][ T8] wg_packet_handshake_send_worker+0x16f/0x1b0 [ 19.285486][ T8] process_one_work+0x3d5/0x640 [ 19.290589][ T8] worker_thread+0x723/0xa60 [ 19.295285][ T8] kthread+0x349/0x3d0 [ 19.299592][ T8] ? pr_cont_work+0x110/0x110 [ 19.304427][ T8] ? __list_add+0xc0/0xc0 [ 19.309180][ T8] ret_from_fork+0x1f/0x30 [ 19.313908][ T8] ================================================================================ [ 19.323491][ T8] ================================================================================ [ 19.333357][ T8] UBSAN: object-size-mismatch in ./include/net/flow.h:200:33 [ 19.340862][ T8] member access within address ffffc90000087ba0 with insufficient space [ 19.349522][ T8] for an object of type 'union (unnamed union at ./include/net/flow.h:175:2)' [ 19.358753][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 [ 19.369121][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 19.379377][ T8] Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker [ 19.386871][ T8] Call Trace: [ 19.390844][ T8] dump_stack+0x1bb/0x220 [ 19.395659][ T8] ubsan_type_mismatch_common+0x1e9/0x390 [ 19.401637][ T8] __ubsan_handle_type_mismatch_v1+0x4b/0x60 [ 19.407616][ T8] send4+0x302/0xd90 [ 19.411668][ T8] wg_socket_send_skb_to_peer+0xcd/0x210 [ 19.417511][ T8] wg_socket_send_buffer_to_peer+0xce/0x100 [ 19.423638][ T8] wg_packet_handshake_send_worker+0x16f/0x1b0 [ 19.429905][ T8] process_one_work+0x3d5/0x640 [ 19.434924][ T8] worker_thread+0x723/0xa60 [ 19.439703][ T8] kthread+0x349/0x3d0 [ 19.443771][ T8] ? pr_cont_work+0x110/0x110 [ 19.448524][ T8] ? __list_add+0xc0/0xc0 [ 19.452838][ T8] ret_from_fork+0x1f/0x30 [ 19.457294][ T8] ================================================================================ [ 19.468789][ T110] ================================================================================ [ 19.478273][ T110] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2034:28 [ 19.486089][ T110] member access within address ffffc900008e7600 with insufficient space [ 19.494504][ T110] for an object of type 'struct sk_buff' [ 19.500295][ T110] CPU: 1 PID: 110 Comm: kworker/1:3 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 [ 19.510866][ T110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 19.520984][ T110] Workqueue: ipv6_addrconf addrconf_dad_work [ 19.527045][ T110] Call Trace: [ 19.530318][ T110] dump_stack+0x1bb/0x220 [ 19.534628][ T110] ubsan_type_mismatch_common+0x1e9/0x390 [ 19.540344][ T110] __ubsan_handle_type_mismatch_v1+0x4b/0x60 [ 19.546308][ T110] wg_xmit+0x4fc/0xab0 [ 19.550565][ T110] ? skb_network_protocol+0x182/0x440 [ 19.556026][ T110] netdev_start_xmit+0x8a/0x160 [ 19.561013][ T110] dev_hard_start_xmit+0x18d/0x2f0 [ 19.566200][ T110] __dev_queue_xmit+0xeea/0x1960 [ 19.571222][ T110] dev_queue_xmit+0x17/0x20 [ 19.578111][ T110] neigh_connected_output+0x288/0x2b0 [ 19.583571][ T110] ip6_finish_output2+0xc34/0x1020 [ 19.588993][ T110] ? ip6_mtu+0xf1/0x140 [ 19.593141][ T110] __ip6_finish_output+0x3e6/0x530 [ 19.598236][ T110] ip6_finish_output+0x1c9/0x1e0 [ 19.603333][ T110] ? ip6_output+0x175/0x3f0 [ 19.607858][ T110] ip6_output+0x18c/0x3f0 [ 19.612252][ T110] ? ip6_dst_idev+0x40/0x40 [ 19.616724][ T110] NF_HOOK+0x88/0x210 [ 19.620692][ T110] ? NF_HOOK+0x210/0x210 [ 19.625015][ T110] ndisc_send_skb+0x62b/0x9b0 [ 19.629694][ T110] ndisc_send_rs+0x26c/0x360 [ 19.634273][ T110] addrconf_dad_completed+0x493/0x970 [ 19.639627][ T110] addrconf_dad_work+0x9d0/0x12d0 [ 19.644627][ T110] process_one_work+0x3d5/0x640 [ 19.649457][ T110] worker_thread+0x723/0xa60 [ 19.654191][ T110] ? __kasan_check_write+0x14/0x20 [ 19.659726][ T110] ? _raw_spin_lock_irqsave+0x9e/0x190 [ 19.665266][ T110] kthread+0x349/0x3d0 [ 19.669327][ T110] ? pr_cont_work+0x110/0x110 [ 19.674002][ T110] ? __list_add+0xc0/0xc0 [ 19.678402][ T110] ret_from_fork+0x1f/0x30 [ 19.683694][ T110] ================================================================================ [ 19.693664][ T110] ================================================================================ [ 19.703831][ T110] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1927:2 [ 19.711856][ T110] member access within address ffffc900008e7600 with insufficient space [ 19.720454][ T110] for an object of type 'struct sk_buff' [ 19.726194][ T110] CPU: 1 PID: 110 Comm: kworker/1:3 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 [ 19.736779][ T110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 19.747494][ T110] Workqueue: ipv6_addrconf addrconf_dad_work [ 19.753725][ T110] Call Trace: [ 19.756995][ T110] dump_stack+0x1bb/0x220 [ 19.761475][ T110] ubsan_type_mismatch_common+0x1e9/0x390 [ 19.767346][ T110] __ubsan_handle_type_mismatch_v1+0x4b/0x60 [ 19.773299][ T110] wg_xmit+0x55f/0xab0 [ 19.777433][ T110] ? skb_network_protocol+0x182/0x440 [ 19.782962][ T110] netdev_start_xmit+0x8a/0x160 [ 19.788033][ T110] dev_hard_start_xmit+0x18d/0x2f0 [ 19.793119][ T110] __dev_queue_xmit+0xeea/0x1960 [ 19.798032][ T110] dev_queue_xmit+0x17/0x20 [ 19.802511][ T110] neigh_connected_output+0x288/0x2b0 [ 19.807854][ T110] ip6_finish_output2+0xc34/0x1020 [ 19.812944][ T110] ? ip6_mtu+0xf1/0x140 [ 19.817072][ T110] __ip6_finish_output+0x3e6/0x530 [ 19.822393][ T110] ip6_finish_output+0x1c9/0x1e0 [ 19.827683][ T110] ? ip6_output+0x175/0x3f0 [ 19.832371][ T110] ip6_output+0x18c/0x3f0 [ 19.836870][ T110] ? ip6_dst_idev+0x40/0x40 [ 19.841377][ T110] NF_HOOK+0x88/0x210 [ 19.845425][ T110] ? NF_HOOK+0x210/0x210 [ 19.849731][ T110] ndisc_send_skb+0x62b/0x9b0 [ 19.854536][ T110] ndisc_send_rs+0x26c/0x360 [ 19.859371][ T110] addrconf_dad_completed+0x493/0x970 [ 19.864902][ T110] addrconf_dad_work+0x9d0/0x12d0 [ 19.870079][ T110] process_one_work+0x3d5/0x640 [ 19.874969][ T110] worker_thread+0x723/0xa60 [ 19.879856][ T110] ? __kasan_check_write+0x14/0x20 [ 19.885074][ T110] ? _raw_spin_lock_irqsave+0x9e/0x190 [ 19.890635][ T110] kthread+0x349/0x3d0 2022/11/04 11:38:51 building call list... [ 19.894787][ T110] ? pr_cont_work+0x110/0x110 [ 19.899686][ T110] ? __list_add+0xc0/0xc0 [ 19.904289][ T110] ret_from_fork+0x1f/0x30 [ 19.908930][ T110] ================================================================================ [ 19.925475][ T376] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation [ 20.030862][ T376] ================================================================== [ 20.039342][ T376] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0 [ 20.046982][ T376] Read of size 4 at addr ffff888100156544 by task syz-executor.0/376 [ 20.055121][ T376] [ 20.057685][ T376] CPU: 1 PID: 376 Comm: syz-executor.0 Not tainted 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 [ 20.068260][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 20.078757][ T376] Call Trace: [ 20.082034][ T376] dump_stack+0x1bb/0x220 [ 20.086716][ T376] print_address_description+0x7a/0x3b0 [ 20.092696][ T376] kasan_report+0x19b/0x1e0 [ 20.097210][ T376] ? task_active_pid_ns+0x9a/0xa0 [ 20.102779][ T376] ? task_active_pid_ns+0x9a/0xa0 [ 20.108157][ T376] __asan_report_load4_noabort+0x14/0x20 [ 20.113791][ T376] task_active_pid_ns+0x9a/0xa0 [ 20.118714][ T376] do_notify_parent+0x2c7/0xa50 [ 20.124034][ T376] do_exit+0x1163/0x1aa0 [ 20.128289][ T376] do_group_exit+0x13a/0x300 [ 20.133056][ T376] get_signal+0xb1e/0x1130 [ 20.137459][ T376] arch_do_signal_or_restart+0x5d/0x6c0 [ 20.143306][ T376] exit_to_user_mode_loop+0xd4/0x110 [ 20.148688][ T376] exit_to_user_mode_prepare+0x59/0x80 [ 20.154440][ T376] syscall_exit_to_user_mode+0x24/0x40 [ 20.160081][ T376] do_syscall_64+0x40/0x70 [ 20.165036][ T376] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 20.171027][ T376] RIP: 0033:0x7fe88c80d353 [ 20.175526][ T376] Code: Unable to access opcode bytes at RIP 0x7fe88c80d329. [ 20.183191][ T376] RSP: 002b:00007ffea4cbffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 20.192025][ T376] RAX: 0000000000000000 RBX: 00007ffea4cc0070 RCX: 00007fe88c80d353 [ 20.200263][ T376] RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003 [ 20.208568][ T376] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffea4cbfe80 [ 20.217135][ T376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032 [ 20.225284][ T376] R13: 0000000000004dce R14: 0000000000000003 R15: 00007ffea4cc00b0 [ 20.233487][ T376] [ 20.235890][ T376] Allocated by task 0: [ 20.239937][ T376] __kasan_slab_alloc+0xa2/0xd0 [ 20.244773][ T376] slab_post_alloc_hook+0x3f/0x70 [ 20.249862][ T376] kmem_cache_alloc+0x139/0x230 [ 20.254689][ T376] alloc_pid+0x97/0xae0 [ 20.258823][ T376] copy_process+0xe4a/0x21b0 [ 20.263570][ T376] kernel_clone+0x1df/0x6a0 [ 20.268220][ T376] kernel_thread+0x109/0x150 [ 20.272786][ T376] rest_init+0x22/0xf0 [ 20.277013][ T376] arch_call_rest_init+0xe/0x10 [ 20.281852][ T376] start_kernel+0x45f/0x4d1 [ 20.286336][ T376] x86_64_start_reservations+0x2a/0x2c [ 20.291864][ T376] x86_64_start_kernel+0x7a/0x7d [ 20.296777][ T376] secondary_startup_64_no_verify+0xb0/0xbb [ 20.302656][ T376] [ 20.304964][ T376] Freed by task 374: [ 20.308829][ T376] kasan_set_track+0x4c/0x80 [ 20.313554][ T376] kasan_set_free_info+0x23/0x40 [ 20.318901][ T376] ____kasan_slab_free+0x113/0x150 [ 20.324082][ T376] __kasan_slab_free+0xe/0x10 [ 20.328830][ T376] slab_free_freelist_hook+0xa7/0x170 [ 20.337257][ T376] kmem_cache_free+0x9a/0x190 [ 20.342297][ T376] put_pid+0xb3/0x120 [ 20.346813][ T376] proc_do_cad_pid+0x131/0x1d0 [ 20.351762][ T376] proc_sys_call_handler+0x492/0x640 [ 20.357290][ T376] proc_sys_write+0x22/0x30 [ 20.363445][ T376] vfs_write+0x466/0x560 [ 20.367965][ T376] ksys_write+0x155/0x260 [ 20.372667][ T376] __x64_sys_write+0x7b/0x90 [ 20.377489][ T376] do_syscall_64+0x34/0x70 [ 20.382249][ T376] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 20.388350][ T376] [ 20.390918][ T376] The buggy address belongs to the object at ffff888100156540 [ 20.390918][ T376] which belongs to the cache pid of size 112 [ 20.405475][ T376] The buggy address is located 4 bytes inside of [ 20.405475][ T376] 112-byte region [ffff888100156540, ffff8881001565b0) [ 20.419188][ T376] The buggy address belongs to the page: [ 20.424808][ T376] page:ffffea0004005580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100156 [ 20.435620][ T376] flags: 0x8000000000000200(slab) [ 20.441135][ T376] raw: 8000000000000200 dead000000000100 dead000000000122 ffff88810012fdc0 [ 20.450854][ T376] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000 [ 20.460336][ T376] page dumped because: kasan: bad access detected [ 20.467109][ T376] page_owner tracks the page as allocated [ 20.472899][ T376] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1262543955 [ 20.483306][ T376] register_early_stack+0x41/0x80 [ 20.488403][ T376] init_page_owner+0x32/0x4f0 [ 20.493145][ T376] invoke_init_callbacks+0x63/0x6d [ 20.498231][ T376] page_ext_init+0x316/0x333 [ 20.502904][ T376] page_owner free stack trace missing [ 20.508490][ T376] [ 20.510913][ T376] Memory state around the buggy address: [ 20.516610][ T376] ffff888100156400: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 20.524867][ T376] ffff888100156480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 20.533730][ T376] >ffff888100156500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 20.541966][ T376] ^ [ 20.549926][ T376] ffff888100156580: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 20.558058][ T376] ffff888100156600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 20.566350][ T376] ================================================================== [ 20.574381][ T376] Disabling lock debugging due to kernel taint [ 20.580605][ T376] BUG: unable to handle page fault for address: ffffed122001bdb7 [ 20.588300][ T376] #PF: supervisor read access in kernel mode [ 20.594509][ T376] #PF: error_code(0x0000) - not-present page [ 20.601713][ T376] PGD 23fff2067 P4D 23fff2067 PUD 0 [ 20.607000][ T376] Oops: 0000 [#1] PREEMPT SMP KASAN [ 20.612347][ T376] CPU: 1 PID: 376 Comm: syz-executor.0 Tainted: G B 5.12.0-rc4-syzkaller-00001-g4d93874b9e9c #0 [ 20.624924][ T376] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 [ 20.635577][ T376] RIP: 0010:task_active_pid_ns+0x69/0xa0 [ 20.641385][ T376] Code: 1d 23 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 f8 bc 4c 00 48 8b 03 eb 07 e8 de [ 20.661431][ T376] RSP: 0018:ffffc90000947b68 EFLAGS: 00010806 [ 20.667585][ T376] RAX: 1ffff1122001bdb7 RBX: ffff8891000dedb8 RCX: 0000000000000002 [ 20.675725][ T376] RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000001 [ 20.683859][ T376] RBP: ffffc90000947b78 R08: ffffffff8135ddf3 R09: fffffbfff0bb92f5 [ 20.692069][ T376] R10: fffffbfff0bb92f5 R11: 1ffffffff0bb92f4 R12: dffffc0000000000 [ 20.700385][ T376] R13: ffff88811b400000 R14: dffffc0000000000 R15: ffff88811b400578 [ 20.708521][ T376] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 [ 20.717891][ T376] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.724548][ T376] CR2: ffffed122001bdb7 CR3: 000000011b4d1000 CR4: 00000000003506a0 [ 20.732613][ T376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 20.741435][ T376] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 20.750409][ T376] Call Trace: [ 20.754809][ T376] do_notify_parent+0x2c7/0xa50 [ 20.759748][ T376] do_exit+0x1163/0x1aa0 [ 20.764666][ T376] do_group_exit+0x13a/0x300 [ 20.769319][ T376] get_signal+0xb1e/0x1130 [ 20.773725][ T376] arch_do_signal_or_restart+0x5d/0x6c0 [ 20.779276][ T376] exit_to_user_mode_loop+0xd4/0x110 [ 20.784655][ T376] exit_to_user_mode_prepare+0x59/0x80 [ 20.790559][ T376] syscall_exit_to_user_mode+0x24/0x40 [ 20.796313][ T376] do_syscall_64+0x40/0x70 [ 20.800710][ T376] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 20.806609][ T376] RIP: 0033:0x7fe88c80d353 [ 20.811382][ T376] Code: Unable to access opcode bytes at RIP 0x7fe88c80d329. [ 20.820297][ T376] RSP: 002b:00007ffea4cbffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 20.829053][ T376] RAX: 0000000000000000 RBX: 00007ffea4cc0070 RCX: 00007fe88c80d353 [ 20.837002][ T376] RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003 [ 20.845274][ T376] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffea4cbfe80 [ 20.853487][ T376] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032 [ 20.862080][ T376] R13: 0000000000004dce R14: 0000000000000003 R15: 00007ffea4cc00b0 [ 20.870051][ T376] Modules linked in: [ 20.874096][ T376] CR2: ffffed122001bdb7 [ 20.878224][ T376] ---[ end trace a089e3446305001c ]--- [ 20.883752][ T376] RIP: 0010:task_active_pid_ns+0x69/0xa0 [ 20.889560][ T376] Code: 1d 23 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 f8 bc 4c 00 48 8b 03 eb 07 e8 de [ 20.909514][ T376] RSP: 0018:ffffc90000947b68 EFLAGS: 00010806 [ 20.915842][ T376] RAX: 1ffff1122001bdb7 RBX: ffff8891000dedb8 RCX: 0000000000000002 [ 20.924575][ T376] RDX: 0000000000000000 RSI: 0000000000000082 RDI: 0000000000000001 [ 20.932729][ T376] RBP: ffffc90000947b78 R08: ffffffff8135ddf3 R09: fffffbfff0bb92f5 [ 20.940968][ T376] R10: fffffbfff0bb92f5 R11: 1ffffffff0bb92f4 R12: dffffc0000000000 [ 20.948934][ T376] R13: ffff88811b400000 R14: dffffc0000000000 R15: ffff88811b400578 [ 20.957071][ T376] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 [ 20.966247][ T376] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.972915][ T376] CR2: ffffed122001bdb7 CR3: 000000011b4d1000 CR4: 00000000003506a0 [ 20.981313][ T376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 20.990016][ T376] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 20.998308][ T376] Kernel panic - not syncing: Fatal exception [ 21.005189][ T376] Kernel Offset: disabled [ 21.009931][ T376] Rebooting in 86400 seconds.. syzkaller build log: go env (err=) GO111MODULE="auto" GOARCH="amd64" GOBIN="" GOCACHE="/syzkaller/.cache/go-build" GOENV="/syzkaller/.config/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/syzkaller/jobs/linux/gopath" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/usr/local/go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64" GOVCS="" GOVERSION="go1.17" GCCGO="gccgo" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod" CGO_CFLAGS="-g -O2" CGO_CPPFLAGS="" CGO_CXXFLAGS="-g -O2" CGO_FFLAGS="-g -O2" CGO_LDFLAGS="-g -O2" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1213366711=/tmp/go-build -gno-record-gcc-switches" git status (err=) HEAD detached at 267e3bb15 nothing to commit, working tree clean go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen make .descriptions bin/syz-sysgen touch .descriptions GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=267e3bb1576b2f9fa97ae49305aaaa80768ba385 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221004-181533'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=267e3bb1576b2f9fa97ae49305aaaa80768ba385 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221004-181533'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=267e3bb1576b2f9fa97ae49305aaaa80768ba385 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221004-181533'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress mkdir -p ./bin/linux_amd64 gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \ -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \ -DHOSTGOOS_linux=1 -DGIT_REVISION=\"267e3bb1576b2f9fa97ae49305aaaa80768ba385\"