UBSAN: object-size-mismatch in wg_xmit

================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
member access within address 00000000f64dbd84 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.10-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x42c/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3580
 __dev_queue_xmit+0xf16/0x1920 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc34/0x1020 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:182
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4191
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3956
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2272
 worker_thread+0x723/0xa60 kernel/workqueue.c:2418
 kthread+0x365/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
member access within address 00000000f64dbd84 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.10-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_insert include/linux/skbuff.h:1909 [inline]
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x48f/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3580
 __dev_queue_xmit+0xf16/0x1920 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc34/0x1020 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:182
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4191
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3956
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2272
 worker_thread+0x723/0xa60 kernel/workqueue.c:2418
 kthread+0x365/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

forked to background, child pid 197
no interfaces have a carrier
Starting sshd: OK
syzkaller
syzkaller login: [ 13.888203][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 13.888210][ T22] audit: type=1400 audit(1669477689.060:71): avc: denied { transition } for pid=290 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 13.899678][ T22] audit: type=1400 audit(1669477689.070:72): avc: denied { write } for pid=290 comm="sh" path="pipe:[11352]" dev="pipefs" ino=11352 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
2022/11/26 15:48:16 fuzzer started
2022/11/26 15:48:16 connecting to host at 10.128.0.163:44439
2022/11/26 15:48:16 checking machine...
2022/11/26 15:48:16 checking revisions...
2022/11/26 15:48:16 testing simple program...
[ 21.195543][ T22] audit: type=1400 audit(1669477696.370:73): avc: denied { integrity } for pid=362 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 21.220657][ T22] audit: type=1400 audit(1669477696.390:74): avc: denied { getattr } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.236392][ T370] cgroup: Unknown subsys name 'net'
[ 21.246046][ T22] audit: type=1400 audit(1669477696.390:75): avc: denied { read } for pid=362 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.272156][ T22] audit: type=1400 audit(1669477696.390:76): avc: denied { open } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.272321][ T370] cgroup: Unknown subsys name 'devices'
[ 21.297020][ T22] audit: type=1400 audit(1669477696.400:77): avc: denied { read } for pid=362 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.297037][ T22] audit: type=1400 audit(1669477696.400:78): avc: denied { open } for pid=362 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.297053][ T22] audit: type=1400 audit(1669477696.410:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 21.297067][ T22] audit: type=1400 audit(1669477696.410:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.297085][ T22] audit: type=1400 audit(1669477696.430:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.503944][ T370] cgroup: Unknown subsys name 'hugetlb'
[ 21.509849][ T370] cgroup: Unknown subsys name 'rlimit'
[ 21.604057][ T22] audit: type=1400 audit(1669477696.780:82): avc: denied { setattr } for pid=370 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.681862][ T374] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.689294][ T374] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.697756][ T374] device bridge_slave_0 entered promiscuous mode
[ 21.704682][ T374] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.711872][ T374] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.719675][ T374] device bridge_slave_1 entered promiscuous mode
[ 21.751286][ T374] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.758508][ T374] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.765800][ T374] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.772832][ T374] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.790229][ T73] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.797417][ T73] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.805640][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 21.813243][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 21.822374][ T372] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 21.830481][ T372] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.837500][ T372] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.852463][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 21.860602][ T73] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.867655][ T73] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.874962][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 21.882944][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 21.902316][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 21.910627][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 21.920117][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 21.928534][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 21.936515][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 21.949653][ T5] ================================================================================
[ 21.958968][ T5] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
[ 21.966793][ T5] member access within address 00000000f64dbd84 with insufficient space
[ 21.975117][ T5] for an object of type 'struct sk_buff'
[ 21.980729][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.10-syzkaller #0
[ 21.988588][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 21.998624][ T5] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.004665][ T5] Call Trace:
[ 22.007932][ T5] dump_stack+0x19c/0x1e2
[ 22.012241][ T5] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.017932][ T5] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.024060][ T5] wg_xmit+0x42c/0xa60
[ 22.028104][ T5] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 22.034022][ T5] netdev_start_xmit+0x8a/0x160
[ 22.038847][ T5] dev_hard_start_xmit+0x18d/0x2f0
[ 22.043929][ T5] __dev_queue_xmit+0xf16/0x1920
[ 22.048926][ T5] ? __kasan_check_write+0x14/0x20
[ 22.054018][ T5] dev_queue_xmit+0x17/0x20
[ 22.058541][ T5] neigh_connected_output+0x288/0x2b0
[ 22.063971][ T5] ip6_finish_output2+0xc34/0x1020
[ 22.069055][ T5] ? ip6_mtu+0xf1/0x140
[ 22.073182][ T5] __ip6_finish_output+0x3e6/0x530
[ 22.078263][ T5] ip6_finish_output+0x20b/0x220
[ 22.083172][ T5] ? ip6_output+0x175/0x3f0
[ 22.087648][ T5] ip6_output+0x18c/0x3f0
[ 22.091958][ T5] ? ip6_dst_idev+0x40/0x40
[ 22.096431][ T5] NF_HOOK+0x88/0x210
[ 22.100415][ T5] ? NF_HOOK+0x210/0x210
[ 22.104641][ T5] ndisc_send_skb+0x653/0x9f0
[ 22.109377][ T5] ndisc_send_rs+0x26c/0x360
[ 22.113938][ T5] addrconf_dad_completed+0x493/0x970
[ 22.119369][ T5] addrconf_dad_work+0x9d0/0x12d0
[ 22.124411][ T5] process_one_work+0x3d5/0x640
[ 22.129240][ T5] worker_thread+0x723/0xa60
[ 22.133804][ T5] kthread+0x365/0x400
[ 22.137844][ T5] ? pr_cont_work+0x110/0x110
[ 22.142491][ T5] ? __list_add+0xc0/0xc0
[ 22.146796][ T5] ret_from_fork+0x1f/0x30
[ 22.151219][ T5] ================================================================================
[ 22.160519][ T5] ================================================================================
[ 22.169891][ T5] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 22.177604][ T5] member access within address 00000000f64dbd84 with insufficient space
[ 22.185924][ T5] for an object of type 'struct sk_buff'
[ 22.191763][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.10-syzkaller #0
[ 22.201225][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.211261][ T5] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.217211][ T5] Call Trace:
[ 22.220470][ T5] dump_stack+0x19c/0x1e2
[ 22.224772][ T5] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.230463][ T5] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.236412][ T5] wg_xmit+0x48f/0xa60
[ 22.240451][ T5] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 22.246312][ T5] netdev_start_xmit+0x8a/0x160
[ 22.251132][ T5] dev_hard_start_xmit+0x18d/0x2f0
[ 22.256212][ T5] __dev_queue_xmit+0xf16/0x1920
[ 22.261121][ T5] ? __kasan_check_write+0x14/0x20
[ 22.266200][ T5] dev_queue_xmit+0x17/0x20
[ 22.270673][ T5] neigh_connected_output+0x288/0x2b0
[ 22.276016][ T5] ip6_finish_output2+0xc34/0x1020
[ 22.281100][ T5] ? ip6_mtu+0xf1/0x140
[ 22.285225][ T5] __ip6_finish_output+0x3e6/0x530
[ 22.290306][ T5] ip6_finish_output+0x20b/0x220
[ 22.295214][ T5] ? ip6_output+0x175/0x3f0
[ 22.299685][ T5] ip6_output+0x18c/0x3f0
[ 22.303984][ T5] ? ip6_dst_idev+0x40/0x40
[ 22.308457][ T5] NF_HOOK+0x88/0x210
[ 22.312408][ T5] ? NF_HOOK+0x210/0x210
[ 22.316622][ T5] ndisc_send_skb+0x653/0x9f0
[ 22.321368][ T5] ndisc_send_rs+0x26c/0x360
[ 22.325929][ T5] addrconf_dad_completed+0x493/0x970
[ 22.331270][ T5] addrconf_dad_work+0x9d0/0x12d0
[ 22.336271][ T5] process_one_work+0x3d5/0x640
[ 22.341094][ T5] worker_thread+0x723/0xa60
[ 22.345658][ T5] kthread+0x365/0x400
[ 22.349718][ T5] ? pr_cont_work+0x110/0x110
2022/11/26 15:48:17 building call list...
[ 22.354374][ T5] ? __list_add+0xc0/0xc0
[ 22.358673][ T5] ret_from_fork+0x1f/0x30
[ 22.363102][ T5] ================================================================================
[ 22.374919][ T374] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 22.434693][ T374] ==================================================================
[ 22.442786][ T374] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 22.450147][ T374] Read of size 4 at addr ffff888100156604 by task syz-executor.0/374
[ 22.458189][ T374]
[ 22.460515][ T374] CPU: 1 PID: 374 Comm: syz-executor.0 Not tainted 5.10.10-syzkaller #0
[ 22.468820][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.478866][ T374] Call Trace:
[ 22.482152][ T374] dump_stack+0x19c/0x1e2
[ 22.486475][ T374] print_address_description+0x7e/0x6a0
[ 22.492014][ T374] ? printk+0x76/0x96
[ 22.496086][ T374] kasan_report+0x16f/0x210
[ 22.500576][ T374] ? task_active_pid_ns+0x9a/0xa0
[ 22.505598][ T374] ? task_active_pid_ns+0x9a/0xa0
[ 22.510624][ T374] __asan_report_load4_noabort+0x14/0x20
[ 22.516249][ T374] task_active_pid_ns+0x9a/0xa0
[ 22.521096][ T374] do_notify_parent+0x2c7/0xa70
[ 22.525945][ T374] ? __kasan_check_write+0x14/0x20
[ 22.531052][ T374] do_exit+0x1a52/0x2190
[ 22.535283][ T374] ? memset+0x35/0x40
[ 22.539254][ T374] do_group_exit+0x13f/0x310
[ 22.543832][ T374] get_signal+0xbef/0x10c0
[ 22.548254][ T374] arch_do_signal+0x42/0x710
[ 22.552846][ T374] exit_to_user_mode_loop+0xa3/0xe0
[ 22.558043][ T374] syscall_exit_to_user_mode+0x77/0xa0
[ 22.563498][ T374] do_syscall_64+0x40/0x70
[ 22.567919][ T374] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.573808][ T374] RIP: 0033:0x7f416ef3f263
[ 22.578210][ T374] Code: Unable to access opcode bytes at RIP 0x7f416ef3f239.
[ 22.585569][ T374] RSP: 002b:00007ffc157b01a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 22.593980][ T374] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f416ef3f263
[ 22.601944][ T374] RDX: 000000000000000c RSI: 00007ffc157b0270 RDI: 00000000000000f8
[ 22.609905][ T374] RBP: 00007ffc157b020c R08: 00007ffc157c1080 R09: 00007ffc157c10b8
[ 22.617864][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 22.625829][ T374] R13: 0000000000005764 R14: 0000000000000003 R15: 00007ffc157b0270
[ 22.633793][ T374]
[ 22.636119][ T374] Allocated by task 0:
[ 22.640185][ T374] __kasan_kmalloc+0x11a/0x150
[ 22.644941][ T374] kasan_slab_alloc+0xe/0x10
[ 22.649604][ T374] slab_post_alloc_hook+0x3f/0x70
[ 22.654613][ T374] kmem_cache_alloc+0x143/0x200
[ 22.659449][ T374] alloc_pid+0x9a/0xb00
[ 22.663588][ T374] copy_process+0xdc0/0x2110
[ 22.668159][ T374] kernel_clone+0x1df/0x690
[ 22.672645][ T374] kernel_thread+0x11b/0x160
[ 22.677229][ T374] rest_init+0x22/0xf0
[ 22.681284][ T374] arch_call_rest_init+0xe/0x10
[ 22.686206][ T374] start_kernel+0x47d/0x518
[ 22.690693][ T374] x86_64_start_reservations+0x2a/0x2c
[ 22.696229][ T374] x86_64_start_kernel+0x7a/0x7d
[ 22.701242][ T374] secondary_startup_64_no_verify+0xb0/0xbb
[ 22.707198][ T374]
[ 22.709513][ T374] Freed by task 370:
[ 22.713395][ T374] kasan_set_track+0x4c/0x80
[ 22.717972][ T374] kasan_set_free_info+0x1b/0x30
[ 22.723162][ T374] __kasan_slab_free+0x11c/0x150
[ 22.728083][ T374] kasan_slab_free+0xe/0x10
[ 22.732572][ T374] slab_free_freelist_hook+0x8b/0x160
[ 22.737936][ T374] kmem_cache_free+0x9a/0x1c0
[ 22.742598][ T374] put_pid+0xb3/0x120
[ 22.746650][ T374] proc_do_cad_pid+0x131/0x1d0
[ 22.751404][ T374] proc_sys_call_handler+0x48d/0x640
[ 22.756684][ T374] proc_sys_write+0x22/0x30
[ 22.761201][ T374] vfs_write+0x466/0x560
[ 22.765440][ T374] ksys_write+0x155/0x260
[ 22.770012][ T374] __x64_sys_write+0x7b/0x90
[ 22.775034][ T374] do_syscall_64+0x34/0x70
[ 22.779425][ T374] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.786940][ T374]
[ 22.789266][ T374] The buggy address belongs to the object at ffff888100156600
[ 22.789266][ T374] which belongs to the cache pid of size 112
[ 22.802859][ T374] The buggy address is located 4 bytes inside of
[ 22.802859][ T374] 112-byte region [ffff888100156600, ffff888100156670)
[ 22.816100][ T374] The buggy address belongs to the page:
[ 22.821736][ T374] page:0000000031746e05 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100156
[ 22.831958][ T374] flags: 0x8000000000000200(slab)
[ 22.836961][ T374] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100138dc0
[ 22.845580][ T374] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 22.854220][ T374] page dumped because: kasan: bad access detected
[ 22.860627][ T374] page_owner tracks the page as allocated
[ 22.866323][ T374] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 22.874709][ T374] register_early_stack+0x41/0x80
[ 22.879708][ T374] init_page_owner+0x32/0x4f0
[ 22.884363][ T374] invoke_init_callbacks+0x63/0x6d
[ 22.889451][ T374] page_ext_init+0x348/0x371
[ 22.894010][ T374] page_owner free stack trace missing
[ 22.899350][ T374]
[ 22.901654][ T374] Memory state around the buggy address:
[ 22.907348][ T374]  ffff888100156500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 22.915385][ T374]  ffff888100156580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 22.923421][ T374] >ffff888100156600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 22.931546][ T374]                    ^
[ 22.935587][ T374]  ffff888100156680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 22.943630][ T374]  ffff888100156700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 22.951659][ T374] ==================================================================
[ 22.959776][ T374] Disabling lock debugging due to kernel taint
[ 22.965911][ T374] BUG: unable to handle page fault for address: ffffed122001bdcf
[ 22.973689][ T374] #PF: supervisor read access in kernel mode
[ 22.979645][ T374] #PF: error_code(0x0000) - not-present page
[ 22.985593][ T374] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 22.990866][ T374] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 22.996044][ T374] CPU: 1 PID: 374 Comm: syz-executor.0 Tainted: G B 5.10.10-syzkaller #0
[ 23.005728][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 23.015862][ T374] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 23.021469][ T374] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 23.041045][ T374] RSP: 0018:ffffc900002ffb40 EFLAGS: 00010806
[ 23.047084][ T374] RAX: 1ffff1122001bdcf RBX: ffff8891000dee78 RCX: 0000000000000002
[ 23.055031][ T374] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 23.062977][ T374] RBP: ffffc900002ffb50 R08: ffff8881198fbd00 R09: fffffbfff0bc26f9
[ 23.070922][ T374] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 23.078871][ T374] R13: ffff8881198fbd00 R14: dffffc0000000000 R15: ffff8881198fc220
[ 23.086821][ T374] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 23.095722][ T374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.102280][ T374] CR2: ffffed122001bdcf CR3: 0000000119689000 CR4: 00000000003506a0
[ 23.110232][ T374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 23.118181][ T374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 23.126123][ T374] Call Trace:
[ 23.129392][ T374] do_notify_parent+0x2c7/0xa70
[ 23.134218][ T374] ? __kasan_check_write+0x14/0x20
[ 23.139303][ T374] do_exit+0x1a52/0x2190
[ 23.143521][ T374] ? memset+0x35/0x40
[ 23.147484][ T374] do_group_exit+0x13f/0x310
[ 23.152048][ T374] get_signal+0xbef/0x10c0
[ 23.156449][ T374] arch_do_signal+0x42/0x710
[ 23.161014][ T374] exit_to_user_mode_loop+0xa3/0xe0
[ 23.166188][ T374] syscall_exit_to_user_mode+0x77/0xa0
[ 23.171620][ T374] do_syscall_64+0x40/0x70
[ 23.176024][ T374] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.181898][ T374] RIP: 0033:0x7f416ef3f263
[ 23.186288][ T374] Code: Unable to access opcode bytes at RIP 0x7f416ef3f239.
[ 23.193627][ T374] RSP: 002b:00007ffc157b01a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 23.202027][ T374] RAX: 000000000000000c RBX: 0000000000000002 RCX: 00007f416ef3f263
[ 23.209975][ T374] RDX: 000000000000000c RSI: 00007ffc157b0270 RDI: 00000000000000f8
[ 23.217920][ T374] RBP: 00007ffc157b020c R08: 00007ffc157c1080 R09: 00007ffc157c10b8
[ 23.225864][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
[ 23.233830][ T374] R13: 0000000000005764 R14: 0000000000000003 R15: 00007ffc157b0270
[ 23.241777][ T374] Modules linked in:
[ 23.245649][ T374] CR2: ffffed122001bdcf
[ 23.249781][ T374] ---[ end trace 40f801c0a5db317a ]---
[ 23.255303][ T374] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 23.260915][ T374] Code: 0d 5b 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 ae 4c 00 48 8b 03 eb 07 e8 ce
[ 23.280778][ T374] RSP: 0018:ffffc900002ffb40 EFLAGS: 00010806
[ 23.286837][ T374] RAX: 1ffff1122001bdcf RBX: ffff8891000dee78 RCX: 0000000000000002
[ 23.294797][ T374] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 23.303906][ T374] RBP: ffffc900002ffb50 R08: ffff8881198fbd00 R09: fffffbfff0bc26f9
[ 23.311953][ T374] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 23.320373][ T374] R13: ffff8881198fbd00 R14: dffffc0000000000 R15: ffff8881198fc220
[ 23.328324][ T374] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 23.337228][ T374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.343897][ T374] CR2: ffffed122001bdcf CR3: 0000000119689000 CR4: 00000000003506a0
[ 23.351946][ T374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 23.359901][ T374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 23.367850][ T374] Kernel panic - not syncing: Fatal exception
[ 24.476100][ T374] Shutting down cpus with NMI
[ 24.480870][ T374] Kernel Offset: disabled
[ 24.485281][ T374] Rebooting in 86400 seconds..

syzkaller build log:
go env (err=)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3336956617=/tmp/go-build -gno-record-gcc-switches"

git status (err=)
HEAD detached at c0b80a55c
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"