Warning: Permanently added '10.128.0.232' (ED25519) to the list of known hosts.
2024/12/15 19:46:20 ignoring optional flag "sandboxArg"="0"
2024/12/15 19:46:20 parsed 1 programs
[ 51.050549][ T3193] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 51.806375][ T3229] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.808559][ T3229] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.810229][ T3229] device bridge_slave_0 entered promiscuous mode
[ 51.811974][ T3229] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.813365][ T3229] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.814969][ T3229] device bridge_slave_1 entered promiscuous mode
[ 51.926721][ T3229] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.928183][ T3229] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.929698][ T3229] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.931066][ T3229] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.113907][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.115861][ T11] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.117568][ T11] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.144522][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 52.146247][ T11] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.147531][ T11] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.154369][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 52.156142][ T11] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.157536][ T11] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.159423][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 52.161282][ T11] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 52.368933][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 52.395984][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 52.397901][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 52.399827][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 52.402016][ T3229] device veth0_vlan entered promiscuous mode
[ 52.404325][ T3229] device veth1_vlan entered promiscuous mode
[ 52.410156][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 52.411804][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 52.413778][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 52.416201][ T3229] device veth0_macvtap entered promiscuous mode
[ 52.447002][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 52.449297][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 52.451969][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2024/12/15 19:46:22 executed programs: 0
[ 53.006678][ T3423] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.008119][ T3423] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.009854][ T3423] device bridge_slave_0 entered promiscuous mode
[ 53.011503][ T3423] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.013120][ T3423] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.014736][ T3423] device bridge_slave_1 entered promiscuous mode
[ 53.048403][ T1347] device bridge_slave_1 left promiscuous mode
[ 53.049653][ T1347] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.088089][ T1347] device bridge_slave_0 left promiscuous mode
[ 53.089305][ T1347] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.129216][ T1347] device veth0_macvtap left promiscuous mode
[ 53.130435][ T1347] device veth1_vlan left promiscuous mode
[ 53.131632][ T1347] device veth0_vlan left promiscuous mode
[ 55.905033][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 55.906767][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.930731][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 55.932388][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.934065][ T1342] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.935385][ T1342] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.937073][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 55.941448][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 55.943161][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.944916][ T1342] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.946412][ T1342] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.952032][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.953701][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 56.169663][ T1347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 56.196427][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 56.198660][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 56.200340][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 56.202560][ T3423] device veth0_vlan entered promiscuous mode
[ 56.204934][ T3423] device veth1_vlan entered promiscuous mode
[ 56.209154][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 56.210761][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 56.212411][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 56.214745][ T3423] device veth0_macvtap entered promiscuous mode
[ 56.246313][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 56.248476][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 56.251255][ T1342] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 56.427298][ T3600] FAULT_INJECTION: forcing a failure.
[ 56.427298][ T3600] name failslab, interval 1, probability 0, space 0, times 1
[ 56.430037][ T3600] CPU: 0 PID: 3600 Comm: syz.2.15 Not tainted 6.1.120-syzkaller #0
[ 56.431793][ T3600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 56.433984][ T3600] Call trace:
[ 56.434585][ T3600] dump_backtrace+0x100/0x150
[ 56.435504][ T3600] show_stack+0x18/0x24
[ 56.436314][ T3600] dump_stack_lvl+0x78/0xa4
[ 56.437199][ T3600] dump_stack+0x18/0x4c
[ 56.437996][ T3600] should_fail_ex+0x3c0/0x51c
[ 56.438966][ T3600] __should_failslab+0xc8/0x128
[ 56.439900][ T3600] should_failslab+0x10/0x28
[ 56.440923][ T3600] __kmem_cache_alloc_node+0x6c/0x354
[ 56.442008][ T3600] kmalloc_trace+0x40/0x68
[ 56.442812][ T3600] dccp_feat_entry_new+0x140/0x2d4
[ 56.443897][ T3600] dccp_feat_parse_options+0x984/0x1e2c
[ 56.444998][ T3600] dccp_parse_options+0x2f4/0xed0
[ 56.445942][ T3600] dccp_rcv_established+0x48/0x228
[ 56.446954][ T3600] dccp_v6_do_rcv+0x1a0/0x690
[ 56.447769][ T3600] __release_sock+0x124/0x318
[ 56.448729][ T3600] release_sock+0x5c/0x17c
[ 56.449581][ T3600] dccp_sendmsg+0x278/0x630
[ 56.450394][ T3600] inet_sendmsg+0x98/0xb8
[ 56.451212][ T3600] ____sys_sendmsg+0x41c/0x6ac
[ 56.452098][ T3600] __sys_sendmmsg+0x2b8/0x5b4
[ 56.453024][ T3600] __arm64_sys_sendmmsg+0x9c/0xb8
[ 56.454091][ T3600] invoke_syscall+0x7c/0x254
[ 56.454999][ T3600] el0_svc_common+0x15c/0x1d8
[ 56.455925][ T3600] do_el0_svc+0x4c/0xec
[ 56.456777][ T3600] el0_svc+0x34/0x100
[ 56.457485][ T3600] el0t_64_sync_handler+0x84/0xf0
[ 56.458446][ T3600] el0t_64_sync+0x18c/0x190
[ 56.459900][ T3600] dccp_parse_options: DCCP(00000000851b2767): Option 32 (len=7) error=9
[ 56.461733][ T3600] ==================================================================
[ 56.463305][ T3600] BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x1410/0x194c
[ 56.464843][ T3600] Read of size 1 at addr ffff0000d7467434 by task syz.2.15/3600
[ 56.466298][ T3600]
[ 56.466723][ T3600] CPU: 0 PID: 3600 Comm: syz.2.15 Not tainted 6.1.120-syzkaller #0
[ 56.468177][ T3600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 56.470247][ T3600] Call trace:
[ 56.470891][ T3600] dump_backtrace+0x100/0x150
[ 56.471759][ T3600] show_stack+0x18/0x24
[ 56.472574][ T3600] dump_stack_lvl+0x78/0xa4
[ 56.473431][ T3600] print_report+0x174/0x4c0
[ 56.474317][ T3600] kasan_report+0xcc/0x124
[ 56.475186][ T3600] __asan_report_load1_noabort+0x2c/0x38
[ 56.476284][ T3600] ccid2_hc_tx_packet_recv+0x1410/0x194c
[ 56.477376][ T3600] dccp_rcv_established+0x1cc/0x228
[ 56.478407][ T3600] dccp_v6_do_rcv+0x1a0/0x690
[ 56.479382][ T3600] __release_sock+0x124/0x318
[ 56.480440][ T3600] release_sock+0x5c/0x17c
[ 56.481376][ T3600] dccp_sendmsg+0x278/0x630
[ 56.482249][ T3600] inet_sendmsg+0x98/0xb8
[ 56.483162][ T3600] ____sys_sendmsg+0x41c/0x6ac
[ 56.484048][ T3600] __sys_sendmmsg+0x2b8/0x5b4
[ 56.485084][ T3600] __arm64_sys_sendmmsg+0x9c/0xb8
[ 56.486044][ T3600] invoke_syscall+0x7c/0x254
[ 56.486983][ T3600] el0_svc_common+0x15c/0x1d8
[ 56.487907][ T3600] do_el0_svc+0x4c/0xec
[ 56.488743][ T3600] el0_svc+0x34/0x100
[ 56.489555][ T3600] el0t_64_sync_handler+0x84/0xf0
[ 56.490496][ T3600] el0t_64_sync+0x18c/0x190
[ 56.491378][ T3600]
[ 56.491821][ T3600] Allocated by task 3600:
[ 56.492590][ T3600] kasan_set_track+0x4c/0x80
[ 56.493489][ T3600] kasan_save_alloc_info+0x24/0x30
[ 56.494504][ T3600] __kasan_kmalloc+0xac/0xc4
[ 56.495315][ T3600] __kmalloc_node_track_caller+0xb0/0x100
[ 56.496455][ T3600] __alloc_skb+0x1b4/0x5d8
[ 56.497449][ T3600] dccp_send_ack+0x8c/0x29c
[ 56.498409][ T3600] ccid2_hc_rx_packet_recv+0xc8/0x16c
[ 56.499590][ T3600] dccp_rcv_established+0x144/0x228
[ 56.500614][ T3600] dccp_v6_do_rcv+0x1a0/0x690
[ 56.501580][ T3600] __sk_receive_skb+0x2a8/0x738
[ 56.502624][ T3600] dccp_v6_rcv+0xd50/0xe4c
[ 56.503554][ T3600] ip6_protocol_deliver_rcu+0xab0/0x10e4
[ 56.504632][ T3600] ip6_input+0x140/0x358
[ 56.505418][ T3600] ip6_rcv_finish+0x150/0x170
[ 56.506483][ T3600] ipv6_rcv+0xe0/0x258
[ 56.507244][ T3600] __netif_receive_skb+0x180/0x3d4
[ 56.508308][ T3600] process_backlog+0x27c/0x520
[ 56.509211][ T3600] __napi_poll+0x9c/0x320
[ 56.510135][ T3600] net_rx_action+0x44c/0xa08
[ 56.511056][ T3600] handle_softirqs+0x204/0x674
[ 56.512069][ T3600] __do_softirq+0x14/0x20
[ 56.512965][ T3600]
[ 56.513396][ T3600] Freed by task 3600:
[ 56.514176][ T3600] kasan_set_track+0x4c/0x80
[ 56.515402][ T3600] kasan_save_free_info+0x38/0x5c
[ 56.516492][ T3600] ____kasan_slab_free+0x144/0x1c0
[ 56.517603][ T3600] __kasan_slab_free+0x18/0x28
[ 56.518529][ T3600] __kmem_cache_free+0x2ac/0x470
[ 56.519426][ T3600] kfree+0x88/0xb8
[ 56.520331][ T3600] skb_release_data+0x30c/0x52c
[ 56.521245][ T3600] kfree_skb_reason+0x80/0xc8
[ 56.522195][ T3600] dccp_v6_do_rcv+0xd8/0x690
[ 56.523159][ T3600] __release_sock+0x124/0x318
[ 56.524044][ T3600] release_sock+0x5c/0x17c
[ 56.524836][ T3600] dccp_sendmsg+0x278/0x630
[ 56.525776][ T3600] inet_sendmsg+0x98/0xb8
[ 56.526560][ T3600] ____sys_sendmsg+0x41c/0x6ac
[ 56.527503][ T3600] __sys_sendmmsg+0x2b8/0x5b4
[ 56.528534][ T3600] __arm64_sys_sendmmsg+0x9c/0xb8
[ 56.529573][ T3600] invoke_syscall+0x7c/0x254
[ 56.530447][ T3600] el0_svc_common+0x15c/0x1d8
[ 56.531343][ T3600] do_el0_svc+0x4c/0xec
[ 56.532236][ T3600] el0_svc+0x34/0x100
[ 56.533010][ T3600] el0t_64_sync_handler+0x84/0xf0
[ 56.533938][ T3600] el0t_64_sync+0x18c/0x190
[ 56.534843][ T3600]
[ 56.535326][ T3600] Last potentially related work creation:
[ 56.536440][ T3600] kasan_save_stack+0x40/0x70
[ 56.537341][ T3600] __kasan_record_aux_stack+0xcc/0xe8
[ 56.538454][ T3600] kasan_record_aux_stack_noalloc+0x14/0x20
[ 56.539599][ T3600] call_rcu+0xf0/0x6b0
[ 56.540342][ T3600] netlink_release+0xbf8/0x1190
[ 56.541330][ T3600] sock_release+0x7c/0x120
[ 56.542181][ T3600] netlink_kernel_release+0x40/0x50
[ 56.543178][ T3600] rdma_nl_net_exit+0x38/0x48
[ 56.544153][ T3600] rdma_dev_exit_net+0x250/0x2f0
[ 56.545120][ T3600] cleanup_net+0x4d4/0x924
[ 56.546075][ T3600] process_one_work+0x5dc/0xb1c
[ 56.547038][ T3600] worker_thread+0x754/0xd08
[ 56.547939][ T3600] kthread+0x1d0/0x228
[ 56.548758][ T3600] ret_from_fork+0x10/0x20
[ 56.549629][ T3600]
[ 56.550137][ T3600] The buggy address belongs to the object at ffff0000d7467000
[ 56.550137][ T3600] which belongs to the cache kmalloc-2k of size 2048
[ 56.552969][ T3600] The buggy address is located 1076 bytes inside of
[ 56.552969][ T3600] 2048-byte region [ffff0000d7467000, ffff0000d7467800)
[ 56.555660][ T3600]
[ 56.556165][ T3600] The buggy address belongs to the physical page:
[ 56.557388][ T3600] page:0000000062cbd180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117460
[ 56.559396][ T3600] head:0000000062cbd180 order:3 compound_mapcount:0 compound_pincount:0
[ 56.561002][ T3600] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 56.562546][ T3600] raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002900
[ 56.564219][ T3600] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 56.565914][ T3600] page dumped because: kasan: bad access detected
[ 56.567179][ T3600]
[ 56.567646][ T3600] Memory state around the buggy address:
[ 56.568712][ T3600] ffff0000d7467300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.570268][ T3600] ffff0000d7467380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.571818][ T3600] >ffff0000d7467400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.573388][ T3600] ^
[ 56.574445][ T3600] ffff0000d7467480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.575946][ T3600] ffff0000d7467500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.577472][ T3600] ==================================================================
[ 56.579448][ T3600] Disabling lock debugging due to kernel taint
2024/12/15 19:46:27 executed programs: 72
2024/12/15 19:46:32 executed programs: 366