UBSAN: object-size-mismatch in wg_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
member access within address 00000000864bd5da with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x21f/0x3c0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4d/0x60 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x40c/0xa20 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x1aa/0x540 net/core/dev.c:3580
 __dev_queue_xmit+0xf66/0x1a70 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x275/0x2a0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xbdc/0x1000 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x281/0x380 net/ipv6/ip6_output.c:143
 ip6_finish_output+0x34/0x210 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x17c/0x400 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0x682/0xb90 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x268/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x438/0x910 net/ipv6/addrconf.c:4213
 addrconf_dad_work+0xbde/0x1390 net/ipv6/addrconf.c:3980
 process_one_work+0x38d/0x7c0 kernel/workqueue.c:2276
 worker_thread+0x6f4/0xa20 kernel/workqueue.c:2422
 kthread+0x367/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
member access within address 00000000864bd5da with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x21f/0x3c0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4d/0x60 lib/ubsan.c:339
 __skb_insert include/linux/skbuff.h:1909 [inline]
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x46f/0xa20 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4735 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4749
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x1aa/0x540 net/core/dev.c:3580
 __dev_queue_xmit+0xf66/0x1a70 net/core/dev.c:4140
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4173
 neigh_connected_output+0x275/0x2a0 net/core/neighbour.c:1520
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xbdc/0x1000 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x281/0x380 net/ipv6/ip6_output.c:143
 ip6_finish_output+0x34/0x210 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x17c/0x400 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0x682/0xb90 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x268/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x438/0x910 net/ipv6/addrconf.c:4213
 addrconf_dad_work+0xbde/0x1390 net/ipv6/addrconf.c:3980
 process_one_work+0x38d/0x7c0 kernel/workqueue.c:2276
 worker_thread+0x6f4/0xa20 kernel/workqueue.c:2422
 kthread+0x367/0x400 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

Warning: Permanently added '10.128.0.237' (ECDSA) to the list of known hosts.
2023/03/28 07:55:58 fuzzer started
2023/03/28 07:55:58 connecting to host at 10.128.0.163:36057
2023/03/28 07:55:58 checking machine...
2023/03/28 07:55:58 checking revisions...
2023/03/28 07:55:59 testing simple program...
[ 22.499845][ T22] audit: type=1400 audit(1679990159.030:73): avc: denied { getattr } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.515203][ T371] cgroup: Unknown subsys name 'net'
[ 22.524328][ T22] audit: type=1400 audit(1679990159.030:74): avc: denied { read } for pid=362 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.549577][ T22] audit: type=1400 audit(1679990159.030:75): avc: denied { open } for pid=362 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 22.549751][ T371] cgroup: Unknown subsys name 'devices'
[ 22.572885][ T22] audit: type=1400 audit(1679990159.030:76): avc: denied { read } for pid=362 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.601225][ T22] audit: type=1400 audit(1679990159.030:77): avc: denied { open } for pid=362 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.624585][ T22] audit: type=1400 audit(1679990159.030:78): avc: denied { mounton } for pid=371 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 22.647813][ T22] audit: type=1400 audit(1679990159.030:79): avc: denied { mount } for pid=371 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.670119][ T22] audit: type=1400 audit(1679990159.070:80): avc: denied { unmount } for pid=371 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.762054][ T371] cgroup: Unknown subsys name 'hugetlb'
[ 22.768068][ T371] cgroup: Unknown subsys name 'rlimit'
[ 22.951503][ T22] audit: type=1400 audit(1679990159.490:81): avc: denied { setattr } for pid=371 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.974825][ T22] audit: type=1400 audit(1679990159.510:82): avc: denied { execmem } for pid=373 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 23.021462][ T374] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.028516][ T374] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.035976][ T374] device bridge_slave_0 entered promiscuous mode
[ 23.042786][ T374] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.049876][ T374] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.057652][ T374] device bridge_slave_1 entered promiscuous mode
[ 23.089890][ T374] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.096956][ T374] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.104241][ T374] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.111267][ T374] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.128440][ T23] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.135972][ T23] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.143917][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 23.152163][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 23.171369][ T104] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.179728][ T104] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 23.188166][ T104] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.195248][ T104] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.202906][ T104] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 23.211296][ T104] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.218421][ T104] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.226978][ T104] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 23.234990][ T104] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 23.251108][ T372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.259008][ T372] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.271409][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 23.284345][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.299020][ T374] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.309804][ T23] ================================================================================
[ 23.319307][ T23] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
[ 23.327372][ T23] member access within address 00000000864bd5da with insufficient space
[ 23.335809][ T23] for an object of type 'struct sk_buff'
[ 23.341458][ T23] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.10.0-syzkaller #0
[ 23.349375][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 23.359503][ T23] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.365486][ T23] Call Trace:
[ 23.368858][ T23]  dump_stack+0x19c/0x1e2
[ 23.373176][ T23]  ubsan_type_mismatch_common+0x21f/0x3c0
[ 23.378876][ T23]  __ubsan_handle_type_mismatch_v1+0x4d/0x60
[ 23.384859][ T23]  wg_xmit+0x40c/0xa20
[ 23.388908][ T23]  ? skb_network_protocol+0x186/0x420
[ 23.394259][ T23]  netdev_start_xmit+0x8a/0x160
[ 23.399171][ T23]  dev_hard_start_xmit+0x1aa/0x540
[ 23.404260][ T23]  __dev_queue_xmit+0xf66/0x1a70
[ 23.409373][ T23]  dev_queue_xmit+0x17/0x20
[ 23.413856][ T23]  neigh_connected_output+0x275/0x2a0
[ 23.419212][ T23]  ip6_finish_output2+0xbdc/0x1000
[ 23.424324][ T23]  ? ip6_mtu+0xda/0x130
[ 23.428475][ T23]  __ip6_finish_output+0x281/0x380
[ 23.433678][ T23]  ip6_finish_output+0x34/0x210
[ 23.438592][ T23]  ? ip6_output+0x3ce/0x400
[ 23.443070][ T23]  ip6_output+0x17c/0x400
[ 23.447375][ T23]  ? ip6_dst_idev+0x40/0x40
[ 23.451857][ T23]  ndisc_send_skb+0x682/0xb90
[ 23.456515][ T23]  ? addrconf_addr_solict_mult+0xe0/0xe0
[ 23.462133][ T23]  ndisc_send_rs+0x268/0x360
[ 23.466712][ T23]  addrconf_dad_completed+0x438/0x910
[ 23.472088][ T23]  addrconf_dad_work+0xbde/0x1390
[ 23.477091][ T23]  process_one_work+0x38d/0x7c0
[ 23.481940][ T23]  worker_thread+0x6f4/0xa20
[ 23.486536][ T23]  ? __kasan_check_write+0x14/0x20
[ 23.491728][ T23]  kthread+0x367/0x400
[ 23.495792][ T23]  ? pr_cont_work+0x110/0x110
[ 23.500450][ T23]  ? __list_add+0xc0/0xc0
[ 23.504757][ T23]  ret_from_fork+0x1f/0x30
[ 23.509299][ T23] ================================================================================
[ 23.518726][ T23] ================================================================================
[ 23.528056][ T23] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 23.535882][ T23] member access within address 00000000864bd5da with insufficient space
[ 23.544238][ T23] for an object of type 'struct sk_buff'
[ 23.549947][ T23] CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.10.0-syzkaller #0
[ 23.558020][ T23] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 23.568095][ T23] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.574132][ T23] Call Trace:
[ 23.577410][ T23]  dump_stack+0x19c/0x1e2
[ 23.581725][ T23]  ubsan_type_mismatch_common+0x21f/0x3c0
[ 23.587541][ T23]  __ubsan_handle_type_mismatch_v1+0x4d/0x60
[ 23.593591][ T23]  wg_xmit+0x46f/0xa20
[ 23.597659][ T23]  ? skb_network_protocol+0x186/0x420
[ 23.603020][ T23]  netdev_start_xmit+0x8a/0x160
[ 23.607855][ T23]  dev_hard_start_xmit+0x1aa/0x540
[ 23.613030][ T23]  __dev_queue_xmit+0xf66/0x1a70
[ 23.617943][ T23]  dev_queue_xmit+0x17/0x20
[ 23.622427][ T23]  neigh_connected_output+0x275/0x2a0
[ 23.627802][ T23]  ip6_finish_output2+0xbdc/0x1000
[ 23.632937][ T23]  ? ip6_mtu+0xda/0x130
[ 23.637264][ T23]  __ip6_finish_output+0x281/0x380
[ 23.642470][ T23]  ip6_finish_output+0x34/0x210
[ 23.647334][ T23]  ? ip6_output+0x3ce/0x400
[ 23.651929][ T23]  ip6_output+0x17c/0x400
[ 23.656255][ T23]  ? ip6_dst_idev+0x40/0x40
[ 23.660969][ T23]  ndisc_send_skb+0x682/0xb90
[ 23.665656][ T23]  ? addrconf_addr_solict_mult+0xe0/0xe0
[ 23.671374][ T23]  ndisc_send_rs+0x268/0x360
[ 23.675941][ T23]  addrconf_dad_completed+0x438/0x910
[ 23.681287][ T23]  addrconf_dad_work+0xbde/0x1390
[ 23.686288][ T23]  process_one_work+0x38d/0x7c0
2023/03/28 07:56:00 building call list...
[ 23.691115][ T23]  worker_thread+0x6f4/0xa20
[ 23.695682][ T23]  ? __kasan_check_write+0x14/0x20
[ 23.700780][ T23]  kthread+0x367/0x400
[ 23.704877][ T23]  ? pr_cont_work+0x110/0x110
[ 23.709561][ T23]  ? __list_add+0xc0/0xc0
[ 23.714139][ T23]  ret_from_fork+0x1f/0x30
[ 23.719035][ T23] ================================================================================
[ 23.800501][ T374] ==================================================================
[ 23.808713][ T374] BUG: KASAN: use-after-free in task_active_pid_ns+0x9b/0xa0
[ 23.816427][ T374] Read of size 4 at addr ffff88810015b904 by task syz-executor.0/374
[ 23.824577][ T374]
[ 23.826911][ T374] CPU: 0 PID: 374 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 23.835240][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 23.845299][ T374] Call Trace:
[ 23.848772][ T374]  dump_stack+0x19c/0x1e2
[ 23.853120][ T374]  print_address_description+0x7e/0x660
[ 23.858659][ T374]  ? printk+0x76/0x96
[ 23.862649][ T374]  kasan_report+0x146/0x1e0
[ 23.867143][ T374]  ? task_active_pid_ns+0x9b/0xa0
[ 23.872150][ T374]  ? task_active_pid_ns+0x9b/0xa0
[ 23.877204][ T374]  __asan_report_load4_noabort+0x14/0x20
[ 23.883105][ T374]  task_active_pid_ns+0x9b/0xa0
[ 23.887949][ T374]  do_notify_parent+0x2cb/0xa90
[ 23.892812][ T374]  do_exit+0xe0b/0x2300
[ 23.896971][ T374]  do_group_exit+0x146/0x330
[ 23.901555][ T374]  ? recalc_sigpending_tsk+0x1a9/0x1e0
[ 23.907009][ T374]  get_signal+0xbd0/0x1100
[ 23.911437][ T374]  ? wake_up_q+0x111/0x160
[ 23.915953][ T374]  arch_do_signal+0x42/0x550
[ 23.920546][ T374]  exit_to_user_mode_loop+0x63/0x90
[ 23.925740][ T374]  syscall_exit_to_user_mode+0xbc/0x1d0
[ 23.931298][ T374]  do_syscall_64+0x40/0x70
[ 23.936025][ T374]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.942072][ T374] RIP: 0033:0x7faee3bc0f07
[ 23.946488][ T374] Code: Unable to access opcode bytes at RIP 0x7faee3bc0edd.
[ 23.953947][ T374] RSP: 002b:00007ffc5c3655c8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 23.962498][ T374] RAX: 0000000000000020 RBX: 00005555560446f0 RCX: 00007faee3bc0f07
[ 23.970551][ T374] RDX: 0000000000008000 RSI: 0000555556044720 RDI: 0000000000000003
[ 23.978518][ T374] RBP: 0000555556044720 R08: 0000000000000030 R09: 00007faee3c98640
[ 23.986488][ T374] R10: 0000000000000231 R11: 0000000000000293 R12: ffffffffffffffb8
[ 23.994553][ T374] R13: 00005555560446f4 R14: 0000000000000016 R15: 00007ffc5c3667c0
[ 24.002512][ T374]
[ 24.004920][ T374] Allocated by task 0:
[ 24.009219][ T374]  __kasan_kmalloc+0x119/0x150
[ 24.013994][ T374]  kasan_slab_alloc+0xe/0x10
[ 24.018792][ T374]  slab_post_alloc_hook+0x3e/0x280
[ 24.023917][ T374]  kmem_cache_alloc+0x11a/0x220
[ 24.028764][ T374]  alloc_pid+0x9d/0xad0
[ 24.032919][ T374]  copy_process+0xde4/0x2150
[ 24.037638][ T374]  kernel_clone+0x1da/0x7b0
[ 24.042153][ T374]  kernel_thread+0x11c/0x160
[ 24.046767][ T374]  rest_init+0x22/0xf0
[ 24.050953][ T374]  arch_call_rest_init+0xe/0x10
[ 24.055808][ T374]  start_kernel+0x462/0x4f3
[ 24.060311][ T374]  x86_64_start_reservations+0x2a/0x2c
[ 24.065757][ T374]  x86_64_start_kernel+0x7a/0x7d
[ 24.070682][ T374]  secondary_startup_64_no_verify+0xb0/0xbb
[ 24.076550][ T374]
[ 24.078865][ T374] Freed by task 371:
[ 24.082755][ T374]  kasan_set_track+0x4b/0x80
[ 24.087333][ T374]  kasan_set_free_info+0x1b/0x30
[ 24.092266][ T374]  __kasan_slab_free+0x11d/0x150
[ 24.097284][ T374]  kasan_slab_free+0xe/0x10
[ 24.101864][ T374]  slab_free_freelist_hook+0x7c/0x150
[ 24.107233][ T374]  kmem_cache_free+0x9a/0x1f0
[ 24.111906][ T374]  put_pid+0xb4/0x110
[ 24.115979][ T374]  proc_do_cad_pid+0x115/0x190
[ 24.120826][ T374]  proc_sys_call_handler+0x406/0x600
[ 24.126099][ T374]  proc_sys_write+0x22/0x30
[ 24.130586][ T374]  vfs_write+0x459/0x560
[ 24.134815][ T374]  ksys_write+0x155/0x260
[ 24.139130][ T374]  __x64_sys_write+0x7b/0x90
[ 24.144013][ T374]  do_syscall_64+0x34/0x70
[ 24.148431][ T374]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.154331][ T374]
[ 24.156663][ T374] The buggy address belongs to the object at ffff88810015b900
[ 24.156663][ T374]  which belongs to the cache pid of size 112
[ 24.170050][ T374] The buggy address is located 4 bytes inside of
[ 24.170050][ T374]  112-byte region [ffff88810015b900, ffff88810015b970)
[ 24.183267][ T374] The buggy address belongs to the page:
[ 24.188907][ T374] page:0000000040025133 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015b
[ 24.199308][ T374] flags: 0x8000000000000200(slab)
[ 24.204337][ T374] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100135dc0
[ 24.213142][ T374] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 24.221815][ T374] page dumped because: kasan: bad access detected
[ 24.228215][ T374] page_owner tracks the page as allocated
[ 24.234016][ T374] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 24.242519][ T374]  register_early_stack+0x41/0x80
[ 24.247531][ T374]  init_page_owner+0x32/0x4a0
[ 24.252573][ T374]  invoke_init_callbacks+0x63/0x6d
[ 24.257671][ T374]  page_ext_init+0x320/0x347
[ 24.262328][ T374] page_owner free stack trace missing
[ 24.267688][ T374]
[ 24.269992][ T374] Memory state around the buggy address:
[ 24.275617][ T374]  ffff88810015b800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.284478][ T374]  ffff88810015b880: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.292529][ T374] >ffff88810015b900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 24.300590][ T374]                    ^
[ 24.304659][ T374]  ffff88810015b980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.312730][ T374]  ffff88810015ba00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.320795][ T374] ==================================================================
[ 24.328851][ T374] Disabling lock debugging due to kernel taint
[ 24.335001][ T374] BUG: unable to handle page fault for address: ffffed122001c82f
[ 24.342709][ T374] #PF: supervisor read access in kernel mode
[ 24.348756][ T374] #PF: error_code(0x0000) - not-present page
[ 24.354898][ T374] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 24.360198][ T374] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 24.365390][ T374] CPU: 0 PID: 374 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 24.374994][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 24.385054][ T374] RIP: 0010:task_active_pid_ns+0x6a/0xa0
[ 24.390676][ T374] Code: 31 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 b7 86 4b 00 48 8b 03 eb 07 e8 cd
[ 24.410284][ T374] RSP: 0018:ffffc900009c7b48 EFLAGS: 00010802
[ 24.416437][ T374] RAX: 1ffff1122001c82f RBX: ffff8891000e4178 RCX: 0000000000000002
[ 24.424512][ T374] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.432481][ T374] RBP: ffffc900009c7b58 R08: dffffc0000000000 R09: ffff88811c6ec700
[ 24.440442][ T374] R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
[ 24.448410][ T374] R13: ffff88811c6ec700 R14: dffffc0000000000 R15: ffff88811c6ecc30
[ 24.456459][ T374] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.465729][ T374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.472333][ T374] CR2: ffffed122001c82f CR3: 000000000520f000 CR4: 00000000003506b0
[ 24.480499][ T374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.488773][ T374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.497015][ T374] Call Trace:
[ 24.500507][ T374]  do_notify_parent+0x2cb/0xa90
[ 24.505447][ T374]  do_exit+0xe0b/0x2300
[ 24.509609][ T374]  do_group_exit+0x146/0x330
[ 24.514304][ T374]  ? recalc_sigpending_tsk+0x1a9/0x1e0
[ 24.519932][ T374]  get_signal+0xbd0/0x1100
[ 24.524563][ T374]  ? wake_up_q+0x111/0x160
[ 24.528985][ T374]  arch_do_signal+0x42/0x550
[ 24.533588][ T374]  exit_to_user_mode_loop+0x63/0x90
[ 24.538986][ T374]  syscall_exit_to_user_mode+0xbc/0x1d0
[ 24.544856][ T374]  do_syscall_64+0x40/0x70
[ 24.549572][ T374]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.555458][ T374] RIP: 0033:0x7faee3bc0f07
[ 24.559894][ T374] Code: Unable to access opcode bytes at RIP 0x7faee3bc0edd.
[ 24.567270][ T374] RSP: 002b:00007ffc5c3655c8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 24.575805][ T374] RAX: 0000000000000020 RBX: 00005555560446f0 RCX: 00007faee3bc0f07
[ 24.583774][ T374] RDX: 0000000000008000 RSI: 0000555556044720 RDI: 0000000000000003
[ 24.591731][ T374] RBP: 0000555556044720 R08: 0000000000000030 R09: 00007faee3c98640
[ 24.599767][ T374] R10: 0000000000000231 R11: 0000000000000293 R12: ffffffffffffffb8
[ 24.607953][ T374] R13: 00005555560446f4 R14: 0000000000000016 R15: 00007ffc5c3667c0
[ 24.615927][ T374] Modules linked in:
[ 24.619823][ T374] CR2: ffffed122001c82f
[ 24.623978][ T374] ---[ end trace 4b96f681b570263a ]---
[ 24.629445][ T374] RIP: 0010:task_active_pid_ns+0x6a/0xa0
[ 24.635085][ T374] Code: 31 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 b7 86 4b 00 48 8b 03 eb 07 e8 cd
[ 24.654996][ T374] RSP: 0018:ffffc900009c7b48 EFLAGS: 00010802
[ 24.661052][ T374] RAX: 1ffff1122001c82f RBX: ffff8891000e4178 RCX: 0000000000000002
[ 24.669102][ T374] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.677070][ T374] RBP: ffffc900009c7b58 R08: dffffc0000000000 R09: ffff88811c6ec700
[ 24.685135][ T374] R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
[ 24.693339][ T374] R13: ffff88811c6ec700 R14: dffffc0000000000 R15: ffff88811c6ecc30
[ 24.701398][ T374] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.710432][ T374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.717106][ T374] CR2: ffffed122001c82f CR3: 000000000520f000 CR4: 00000000003506b0
[ 24.725227][ T374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.734274][ T374] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.742330][ T374] Kernel panic - not syncing: Fatal exception
[ 24.748571][ T374] Kernel Offset: disabled
[ 24.752927][ T374] Rebooting in 86400 seconds..

syzkaller build log:
go env (err=)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1722810292=/tmp/go-build -gno-record-gcc-switches"

git status (err=)
HEAD detached at 7939252e4
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=7939252e4ddf50bbb9912069a40d32f6c83c4f8e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230317-174037'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=7939252e4ddf50bbb9912069a40d32f6c83c4f8e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230317-174037'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=7939252e4ddf50bbb9912069a40d32f6c83c4f8e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230317-174037'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"7939252e4ddf50bbb9912069a40d32f6c83c4f8e\"