[ 447.947260][T10218] device hsr_slave_0 left promiscuous mode
[ 447.962170][T10218] device hsr_slave_1 left promiscuous mode
[ 447.968677][T10218] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 447.977447][T10218] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 447.987615][T10218] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 447.995547][T10218] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 448.004929][T10218] device bridge_slave_1 left promiscuous mode
[ 448.011638][T10218] bridge0: port 2(bridge_slave_1) entered disabled state
[ 448.020238][T10218] device bridge_slave_0 left promiscuous mode
[ 448.026570][T10218] bridge0: port 1(bridge_slave_0) entered disabled state
[ 448.041380][T10218] device veth1_macvtap left promiscuous mode
[ 448.047864][T10218] device veth0_macvtap left promiscuous mode
[ 448.054201][T10218] device veth1_vlan left promiscuous mode
[ 448.061290][T10218] device veth0_vlan left promiscuous mode
[ 452.348742][T10218] team0 (unregistering): Port device team_slave_1 removed
[ 452.365310][T10218] team0 (unregistering): Port device team_slave_0 removed
[ 452.378086][T10218] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 452.396226][T10218] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 452.468748][T10218] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.95' (ECDSA) to the list of known hosts.
[ 454.028269][T27775] ==================================================================
[ 454.036754][T27775] BUG: KASAN: use-after-free in tctx_task_work+0x307/0x310
[ 454.044162][T27775] Read of size 4 at addr ffff888029d66358 by task syz-executor530/27775
[ 454.052495][T27775]
[ 454.054821][T27775] CPU: 0 PID: 27775 Comm: syz-executor530 Not tainted 5.14.0-rc5-syzkaller #0
[ 454.063686][T27775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 454.073747][T27775] Call Trace:
[ 454.077030][T27775]  dump_stack_lvl+0xcd/0x134
[ 454.081728][T27775]  print_address_description.constprop.0.cold+0x6c/0x309
[ 454.088821][T27775]  ? tctx_task_work+0x307/0x310
[ 454.093692][T27775]  ? tctx_task_work+0x307/0x310
[ 454.098552][T27775]  kasan_report.cold+0x83/0xdf
[ 454.103334][T27775]  ? tctx_task_work+0x307/0x310
[ 454.108460][T27775]  tctx_task_work+0x307/0x310
[ 454.113161][T27775]  task_work_run+0xdd/0x1a0
[ 454.117839][T27775]  do_exit+0xbae/0x2a30
[ 454.122071][T27775]  ? mm_update_next_owner+0x7a0/0x7a0
[ 454.127553][T27775]  ? lock_downgrade+0x6e0/0x6e0
[ 454.132546][T27775]  do_group_exit+0x125/0x310
[ 454.137134][T27775]  get_signal+0x47f/0x2160
[ 454.141704][T27775]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 454.147977][T27775]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 454.154217][T27775]  ? __do_sys_io_uring_enter+0x476/0x1f10
[ 454.160149][T27775]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 454.165917][T27775]  ? io_submit_sqes+0x8370/0x8370
[ 454.170938][T27775]  ? find_held_lock+0x2d/0x110
[ 454.175700][T27775]  ? get_sigframe_size+0x10/0x10
[ 454.180631][T27775]  ? __context_tracking_exit+0xb8/0xe0
[ 454.186163][T27775]  ? lock_downgrade+0x6e0/0x6e0
[ 454.191006][T27775]  ? lock_downgrade+0x6e0/0x6e0
[ 454.195863][T27775]  exit_to_user_mode_prepare+0x17d/0x290
[ 454.201533][T27775]  syscall_exit_to_user_mode+0x19/0x60
[ 454.206991][T27775]  do_syscall_64+0x42/0xb0
[ 454.211490][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.217434][T27775] RIP: 0033:0x446729
[ 454.221323][T27775] Code: Unable to access opcode bytes at RIP 0x4466ff.
[ 454.228254][T27775] RSP: 002b:00007fada1a521e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 454.236669][T27775] RAX: 00000000000001d2 RBX: 00000000004cb458 RCX: 0000000000446729
[ 454.244728][T27775] RDX: 0000000000000000 RSI: 0000000000006b46 RDI: 0000000000000006
[ 454.252685][T27775] RBP: 00000000004cb450 R08: 0000000000000000 R09: 0000000000000000
[ 454.260652][T27775] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cb45c
[ 454.268613][T27775] R13: 00007ffff39bb49f R14: 00007fada1a52300 R15: 0000000000022000
[ 454.276605][T27775]
[ 454.278916][T27775] Allocated by task 27776:
[ 454.283315][T27775]  kasan_save_stack+0x1b/0x40
[ 454.288089][T27775]  __kasan_kmalloc+0x9b/0xd0
[ 454.292667][T27775]  io_uring_setup+0x27d/0x2cf0
[ 454.297506][T27775]  do_syscall_64+0x35/0xb0
[ 454.301915][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.307813][T27775]
[ 454.310128][T27775] Freed by task 10491:
[ 454.314174][T27775]  kasan_save_stack+0x1b/0x40
[ 454.318844][T27775]  kasan_set_track+0x1c/0x30
[ 454.323646][T27775]  kasan_set_free_info+0x20/0x30
[ 454.328663][T27775]  __kasan_slab_free+0xfb/0x130
[ 454.333506][T27775]  slab_free_freelist_hook+0xdf/0x240
[ 454.338870][T27775]  kfree+0xe4/0x530
[ 454.342688][T27775]  io_ring_exit_work+0x13ba/0x1930
[ 454.347914][T27775]  process_one_work+0x98d/0x1630
[ 454.352956][T27775]  worker_thread+0x658/0x11f0
[ 454.357634][T27775]  kthread+0x3e5/0x4d0
[ 454.361826][T27775]  ret_from_fork+0x1f/0x30
[ 454.366277][T27775]
[ 454.368597][T27775] Last potentially related work creation:
[ 454.374306][T27775]  kasan_save_stack+0x1b/0x40
[ 454.379933][T27775]  kasan_record_aux_stack+0xe5/0x110
[ 454.385404][T27775]  insert_work+0x48/0x370
[ 454.389749][T27775]  __queue_work+0x5c1/0xed0
[ 454.394292][T27775]  queue_work_on+0xee/0x110
[ 454.398802][T27775]  io_ring_ctx_wait_and_kill+0x30a/0x3c0
[ 454.404446][T27775]  io_uring_release+0x3e/0x50
[ 454.409137][T27775]  __fput+0x288/0x920
[ 454.413213][T27775]  task_work_run+0xdd/0x1a0
[ 454.417905][T27775]  do_exit+0xbae/0x2a30
[ 454.422055][T27775]  do_group_exit+0x125/0x310
[ 454.426650][T27775]  get_signal+0x47f/0x2160
[ 454.431061][T27775]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 454.436776][T27775]  exit_to_user_mode_prepare+0x17d/0x290
[ 454.442400][T27775]  syscall_exit_to_user_mode+0x19/0x60
[ 454.447858][T27775]  do_syscall_64+0x42/0xb0
[ 454.452267][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.458163][T27775]
[ 454.460478][T27775] Second to last potentially related work creation:
[ 454.467142][T27775]  kasan_save_stack+0x1b/0x40
[ 454.471814][T27775]  kasan_record_aux_stack+0xe5/0x110
[ 454.477094][T27775]  insert_work+0x48/0x370
[ 454.481511][T27775]  __queue_work+0x5c1/0xed0
[ 454.486005][T27775]  queue_work_on+0xee/0x110
[ 454.490500][T27775]  io_ring_ctx_wait_and_kill+0x30a/0x3c0
[ 454.496298][T27775]  io_uring_release+0x3e/0x50
[ 454.500974][T27775]  __fput+0x288/0x920
[ 454.504946][T27775]  task_work_run+0xdd/0x1a0
[ 454.509442][T27775]  do_exit+0xbae/0x2a30
[ 454.513586][T27775]  do_group_exit+0x125/0x310
[ 454.518166][T27775]  get_signal+0x47f/0x2160
[ 454.522602][T27775]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 454.528410][T27775]  exit_to_user_mode_prepare+0x17d/0x290
[ 454.534034][T27775]  syscall_exit_to_user_mode+0x19/0x60
[ 454.539644][T27775]  do_syscall_64+0x42/0xb0
[ 454.544067][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.549958][T27775]
[ 454.552287][T27775] The buggy address belongs to the object at ffff888029d66000
[ 454.552287][T27775]  which belongs to the cache kmalloc-4k of size 4096
[ 454.566365][T27775] The buggy address is located 856 bytes inside of
[ 454.566365][T27775]  4096-byte region [ffff888029d66000, ffff888029d67000)
[ 454.579833][T27775] The buggy address belongs to the page:
[ 454.585447][T27775] page:ffffea0000a75800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29d60
[ 454.595945][T27775] head:ffffea0000a75800 order:3 compound_mapcount:0 compound_pincount:0
[ 454.604454][T27775] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 454.612435][T27775] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842140
[ 454.621024][T27775] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 454.629605][T27775] page dumped because: kasan: bad access detected
[ 454.636086][T27775] page_owner tracks the page as allocated
[ 454.641983][T27775] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6467, ts 58396905717, free_ts 57689976074
[ 454.660386][T27775]  get_page_from_freelist+0xa72/0x2f80
[ 454.665962][T27775]  __alloc_pages+0x1b2/0x500
[ 454.670544][T27775]  alloc_pages+0x18c/0x2a0
[ 454.675191][T27775]  allocate_slab+0x32e/0x4b0
[ 454.679794][T27775]  ___slab_alloc+0x4ba/0x820
[ 454.684375][T27775]  __slab_alloc.constprop.0+0xa7/0xf0
[ 454.690004][T27775]  __kmalloc+0x312/0x330
[ 454.694244][T27775]  tomoyo_realpath_from_path+0xc3/0x620
[ 454.699944][T27775]  tomoyo_path_perm+0x21b/0x400
[ 454.704785][T27775]  security_inode_getattr+0xcf/0x140
[ 454.710205][T27775]  vfs_statx+0x164/0x390
[ 454.714462][T27775]  __do_sys_newlstat+0x91/0x110
[ 454.719308][T27775]  do_syscall_64+0x35/0xb0
[ 454.723719][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.729610][T27775] page last free stack trace:
[ 454.734367][T27775]  free_pcp_prepare+0x2c5/0x780
[ 454.739218][T27775]  free_unref_page+0x19/0x690
[ 454.743894][T27775]  qlist_free_all+0x5a/0xc0
[ 454.748479][T27775]  kasan_quarantine_reduce+0x180/0x200
[ 454.754120][T27775]  __kasan_slab_alloc+0x8e/0xa0
[ 454.758972][T27775]  kmem_cache_alloc+0x285/0x4a0
[ 454.763825][T27775]  getname_flags.part.0+0x50/0x4f0
[ 454.769072][T27775]  getname+0x8e/0xd0
[ 454.772966][T27775]  do_sys_openat2+0xf5/0x420
[ 454.777583][T27775]  __x64_sys_open+0x119/0x1c0
[ 454.782254][T27775]  do_syscall_64+0x35/0xb0
[ 454.786664][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.792767][T27775]
[ 454.795090][T27775] Memory state around the buggy address:
[ 454.800710][T27775]  ffff888029d66200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.808868][T27775]  ffff888029d66280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.817213][T27775] >ffff888029d66300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.825274][T27775]                                                     ^
[ 454.832289][T27775]  ffff888029d66380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.840338][T27775]  ffff888029d66400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.848503][T27775] ==================================================================
[ 454.856554][T27775] Disabling lock debugging due to kernel taint
[ 455.704499][T27775] Kernel panic - not syncing: panic_on_warn set ...
[ 455.711130][T27775] CPU: 0 PID: 27775 Comm: syz-executor530 Tainted: G    B             5.14.0-rc5-syzkaller #0
[ 455.721396][T27775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 455.731462][T27775] Call Trace:
[ 455.734745][T27775]  dump_stack_lvl+0xcd/0x134
[ 455.739641][T27775]  panic+0x306/0x73d
[ 455.743694][T27775]  ? __warn_printk+0xf3/0xf3
[ 455.748299][T27775]  ? preempt_schedule_common+0x59/0xc0
[ 455.753862][T27775]  ? tctx_task_work+0x307/0x310
[ 455.758723][T27775]  ? preempt_schedule_thunk+0x16/0x18
[ 455.764134][T27775]  ? trace_hardirqs_on+0x38/0x1c0
[ 455.769238][T27775]  ? trace_hardirqs_on+0x51/0x1c0
[ 455.774289][T27775]  ? tctx_task_work+0x307/0x310
[ 455.779144][T27775]  ? tctx_task_work+0x307/0x310
[ 455.784000][T27775]  end_report.cold+0x5a/0x5a
[ 455.788819][T27775]  kasan_report.cold+0x71/0xdf
[ 455.793605][T27775]  ? tctx_task_work+0x307/0x310
[ 455.798552][T27775]  tctx_task_work+0x307/0x310
[ 455.803324][T27775]  task_work_run+0xdd/0x1a0
[ 455.808183][T27775]  do_exit+0xbae/0x2a30
[ 455.812450][T27775]  ? mm_update_next_owner+0x7a0/0x7a0
[ 455.817861][T27775]  ? lock_downgrade+0x6e0/0x6e0
[ 455.822998][T27775]  do_group_exit+0x125/0x310
[ 455.827593][T27775]  get_signal+0x47f/0x2160
[ 455.832107][T27775]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 455.838572][T27775]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 455.844819][T27775]  ? __do_sys_io_uring_enter+0x476/0x1f10
[ 455.850808][T27775]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 455.856573][T27775]  ? io_submit_sqes+0x8370/0x8370
[ 455.862303][T27775]  ? find_held_lock+0x2d/0x110
[ 455.867117][T27775]  ? get_sigframe_size+0x10/0x10
[ 455.872150][T27775]  ? __context_tracking_exit+0xb8/0xe0
[ 455.877878][T27775]  ? lock_downgrade+0x6e0/0x6e0
[ 455.882738][T27775]  ? lock_downgrade+0x6e0/0x6e0
[ 455.887597][T27775]  exit_to_user_mode_prepare+0x17d/0x290
[ 455.893409][T27775]  syscall_exit_to_user_mode+0x19/0x60
[ 455.898881][T27775]  do_syscall_64+0x42/0xb0
[ 455.903398][T27775]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 455.909293][T27775] RIP: 0033:0x446729
[ 455.913271][T27775] Code: Unable to access opcode bytes at RIP 0x4466ff.
[ 455.920140][T27775] RSP: 002b:00007fada1a521e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 455.928906][T27775] RAX: 00000000000001d2 RBX: 00000000004cb458 RCX: 0000000000446729
[ 455.936873][T27775] RDX: 0000000000000000 RSI: 0000000000006b46 RDI: 0000000000000006
[ 455.944837][T27775] RBP: 00000000004cb450 R08: 0000000000000000 R09: 0000000000000000
[ 455.952933][T27775] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cb45c
[ 455.960894][T27775] R13: 00007ffff39bb49f R14: 00007fada1a52300 R15: 0000000000022000
[ 455.970359][T27775] Kernel Offset: disabled
[ 455.974685][T27775] Rebooting in 86400 seconds..
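Added triage helper, not part of the syzkaller log above and not a kernel or syzkaller tool. The report says: the 4096-byte object was kmalloc'd in io_uring_setup by task 27776, kfree'd from io_ring_exit_work on a workqueue kthread (task 10491), and then read by task 27775 in tctx_task_work while task work ran during exit. The C program below embeds a constructed excerpt of exactly those lines, parses the fields a triager checks first (bug class, faulting function, access kind and size, allocating and freeing PIDs, slab cache and object base), recomputes the "856 bytes inside" offset from the raw addresses, and reads the KASAN shadow byte that covers the faulting address: with one shadow byte per 8 bytes of memory it must be 0xfb, the marker for a freed slab object. All function, struct and field names are this example's own.

```c
/* Parse a KASAN slab use-after-free report and cross-check its address arithmetic.
 * Constructed excerpt of the report above; example code, not a kernel tool. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kasan_report {
    char bug_type[32], func[64], cache[32];
    int is_write;
    unsigned access_size, reporter_pid, alloc_pid, free_pid;
    unsigned long long access_addr, obj_base, shadow_base;
    unsigned obj_size, reported_offset;
    unsigned char shadow[16];       /* the 16 shadow bytes on the ">" row */
};

/* Constructed excerpt: the lines of the report that triage needs. */
static const char *const report_lines[] = {
    "[  454.036754][T27775] BUG: KASAN: use-after-free in tctx_task_work+0x307/0x310",
    "[  454.044162][T27775] Read of size 4 at addr ffff888029d66358 by task syz-executor530/27775",
    "[  454.278916][T27775] Allocated by task 27776:",
    "[  454.310128][T27775] Freed by task 10491:",
    "[  454.552287][T27775] The buggy address belongs to the object at ffff888029d66000",
    "[  454.552287][T27775]  which belongs to the cache kmalloc-4k of size 4096",
    "[  454.566365][T27775] The buggy address is located 856 bytes inside of",
    "[  454.817213][T27775] >ffff888029d66300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    NULL
};

/* Skip the "[timestamp][Tpid] " console prefix. */
static const char *strip_prefix(const char *line)
{
    const char *p = line;
    for (int i = 0; i < 2; i++) {
        const char *q = strchr(p, ']');
        if (!q)
            return line;
        p = q + 1;
    }
    while (*p == ' ')
        p++;
    return p;
}

/* Fill r from the report lines; returns how many recognised fields were found. */
int kasan_parse(const char *const *lines, struct kasan_report *r)
{
    int found = 0;
    char rw[8];
    memset(r, 0, sizeof *r);
    for (; *lines; lines++) {
        const char *s = strip_prefix(*lines);
        char *end;
        if (sscanf(s, "BUG: KASAN: %31s in %63s", r->bug_type, r->func) == 2) {
            found++;
        } else if (sscanf(s, "%7s of size %u at addr %llx by task %*[^/]/%u",
                          rw, &r->access_size, &r->access_addr, &r->reporter_pid) == 4) {
            r->is_write = strcmp(rw, "Write") == 0;
            found++;
        } else if (sscanf(s, "Allocated by task %u:", &r->alloc_pid) == 1 ||
                   sscanf(s, "Freed by task %u:", &r->free_pid) == 1 ||
                   sscanf(s, "The buggy address belongs to the object at %llx", &r->obj_base) == 1 ||
                   sscanf(s, "which belongs to the cache %31s of size %u", r->cache, &r->obj_size) == 2 ||
                   sscanf(s, "The buggy address is located %u bytes inside", &r->reported_offset) == 1) {
            found++;
        } else if (s[0] == '>') {       /* shadow row containing the faulting address */
            r->shadow_base = strtoull(s + 1, &end, 16);
            if (*end++ != ':')
                continue;
            for (int i = 0; i < 16; i++)
                r->shadow[i] = (unsigned char)strtoul(end, &end, 16);
            found++;
        }
    }
    return found;
}

/* The report claims the access lies N bytes inside the object; recompute that. */
int kasan_offset_consistent(const struct kasan_report *r)
{
    unsigned long long off = r->access_addr - r->obj_base;
    return r->access_addr >= r->obj_base && off < r->obj_size && off == r->reported_offset;
}

/* One KASAN shadow byte covers 8 bytes of memory: 0x00 accessible,
 * 0xfb freed slab object, 0xfc kmalloc redzone. Returns -1 if off the row. */
int kasan_shadow_at_fault(const struct kasan_report *r)
{
    if (r->access_addr < r->shadow_base)
        return -1;
    unsigned long long idx = (r->access_addr - r->shadow_base) / 8;
    return idx < 16 ? r->shadow[idx] : -1;
}

int main(void)
{
    struct kasan_report r;
    int n = kasan_parse(report_lines, &r);
    printf("%d fields: %s in %s, %s of %u bytes by pid %u; alloc by %u, freed by %u\n",
           n, r.bug_type, r.func, r.is_write ? "write" : "read", r.access_size,
           r.reporter_pid, r.alloc_pid, r.free_pid);
    printf("offset %llu into %s object (size %u): %s; shadow at fault 0x%02x\n",
           r.access_addr - r.obj_base, r.cache, r.obj_size,
           kasan_offset_consistent(&r) ? "consistent" : "MISMATCH", kasan_shadow_at_fault(&r));
    return 0;
}
```

Build with `cc -Wall -o kasan_triage kasan_triage.c` (the file name is arbitrary). The two checks are worth running on any KASAN report you did not generate yourself: an offset that does not match the stated value or a shadow byte other than 0xfb under a "use-after-free" header means the report was truncated or edited in transit, and the allocating and freeing PIDs tell you at once whether the free happened on a different context (here a workqueue kthread) than the use.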