Warning: Permanently added '10.128.1.228' (ED25519) to the list of known hosts.
2024/07/02 09:50:43 ignoring optional flag "sandboxArg"="0"
2024/07/02 09:50:43 parsed 1 programs
[   58.805623][ T2672] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
2024/07/02 09:50:48 executed programs: 0
2024/07/02 09:51:01 executed programs: 5
[   76.502708][  T943] ==================================================================
[   76.510817][  T943] BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x23/0x830
[   76.518824][  T943] Write of size 8 at addr ffff88807d2a9808 by task kworker/u8:7/943
[   76.526795][  T943] 
[   76.529136][  T943] CPU: 1 PID: 943 Comm: kworker/u8:7 Not tainted 6.10.0-rc4-syzkaller #0
[   76.537545][  T943] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   76.547859][  T943] Workqueue: l2tp l2tp_tunnel_del_work
[   76.553355][  T943] Call Trace:
[   76.556632][  T943]  <TASK>
[   76.559655][  T943]  dump_stack_lvl+0x108/0x280
[   76.564328][  T943]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.569613][  T943]  ? __pfx__printk+0x10/0x10
[   76.574298][  T943]  ? _printk+0xce/0x120
[   76.578538][  T943]  ? __virt_addr_valid+0x141/0x260
[   76.583660][  T943]  ? __virt_addr_valid+0x219/0x260
[   76.588857][  T943]  print_report+0x169/0x550
[   76.593361][  T943]  ? __virt_addr_valid+0x141/0x260
[   76.598470][  T943]  ? __virt_addr_valid+0x219/0x260
[   76.603583][  T943]  ? l2tp_session_delete+0x23/0x830
[   76.608783][  T943]  kasan_report+0x143/0x180
[   76.613386][  T943]  ? l2tp_session_delete+0x23/0x830
[   76.618584][  T943]  kasan_check_range+0x282/0x290
[   76.623522][  T943]  l2tp_session_delete+0x23/0x830
[   76.628637][  T943]  l2tp_tunnel_del_work+0xf3/0x3a0
[   76.633838][  T943]  ? process_scheduled_works+0x855/0x1320
[   76.639556][  T943]  process_scheduled_works+0x8cf/0x1320
[   76.645106][  T943]  ? __pfx_process_scheduled_works+0x10/0x10
[   76.651093][  T943]  ? assign_work+0x23f/0x350
[   76.655684][  T943]  worker_thread+0x869/0xca0
[   76.660284][  T943]  ? __pfx_worker_thread+0x10/0x10
[   76.665401][  T943]  kthread+0x268/0x2c0
[   76.669459][  T943]  ? __pfx_worker_thread+0x10/0x10
[   76.674653][  T943]  ? __pfx_kthread+0x10/0x10
[   76.679248][  T943]  ret_from_fork+0x32/0x60
[   76.683665][  T943]  ? __pfx_kthread+0x10/0x10
[   76.688259][  T943]  ret_from_fork_asm+0x1a/0x30
[   76.693030][  T943]  </TASK>
[   76.696052][  T943] 
[   76.698378][  T943] Allocated by task 5173:
[   76.702714][  T943]  kasan_save_track+0x3f/0x80
[   76.707408][  T943]  __kasan_kmalloc+0x98/0xb0
[   76.712006][  T943]  __kmalloc_noprof+0x1d5/0x440
[   76.716861][  T943]  l2tp_session_create+0x34/0xb90
[   76.721883][  T943]  pppol2tp_connect+0xb4e/0x1650
[   76.726822][  T943]  __sys_connect+0x318/0x390
[   76.731418][  T943]  __x64_sys_connect+0x75/0x90
[   76.736200][  T943]  do_syscall_64+0x8d/0x170
[   76.740871][  T943]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.746767][  T943] 
[   76.749090][  T943] Freed by task 5177:
[   76.753059][  T943]  kasan_save_track+0x3f/0x80
[   76.757735][  T943]  kasan_save_free_info+0x40/0x50
[   76.762757][  T943]  poison_slab_object+0xe0/0x150
[   76.767712][  T943]  __kasan_slab_free+0x37/0x60
[   76.772470][  T943]  kfree+0x12f/0x310
[   76.776378][  T943]  __sk_destruct+0x4b/0x550
[   76.780971][  T943]  rcu_core+0xc3c/0x1470
[   76.785218][  T943]  handle_softirqs+0x1b7/0x570
[   76.789978][  T943]  __irq_exit_rcu+0x45/0xe0
[   76.794480][  T943]  sysvec_apic_timer_interrupt+0x92/0xb0
[   76.800132][  T943]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   76.806114][  T943] 
[   76.808440][  T943] Last potentially related work creation:
[   76.814164][  T943]  kasan_save_stack+0x3f/0x60
[   76.818861][  T943]  __kasan_record_aux_stack+0xac/0xc0
[   76.824246][  T943]  call_rcu+0x159/0x8e0
[   76.828458][  T943]  pppol2tp_release+0x1c5/0x250
[   76.833403][  T943]  sock_close+0xb4/0x220
[   76.837744][  T943]  __fput+0x337/0x700
[   76.841814][  T943]  task_work_run+0x20f/0x290
[   76.846404][  T943]  syscall_exit_to_user_mode+0xb5/0x1c0
[   76.852033][  T943]  do_syscall_64+0x9a/0x170
[   76.856713][  T943]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.862609][  T943] 
[   76.864928][  T943] The buggy address belongs to the object at ffff88807d2a9800
[   76.864928][  T943]  which belongs to the cache kmalloc-1k of size 1024
[   76.879325][  T943] The buggy address is located 8 bytes inside of
[   76.879325][  T943]  freed 1024-byte region [ffff88807d2a9800, ffff88807d2a9c00)
[   76.893144][  T943] 
[   76.895481][  T943] The buggy address belongs to the physical page:
[   76.901986][  T943] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d2a8
[   76.911005][  T943] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   76.919654][  T943] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   76.927180][  T943] page_type: 0xffffefff(slab)
[   76.931830][  T943] raw: 00fff00000000040 ffff888009841dc0 dead000000000100 dead000000000122
[   76.940393][  T943] raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
[   76.949124][  T943] head: 00fff00000000040 ffff888009841dc0 dead000000000100 dead000000000122
[   76.957793][  T943] head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
[   76.966442][  T943] head: 00fff00000000003 ffffea0001f4aa01 ffffffffffffffff 0000000000000000
[   76.975112][  T943] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[   76.983762][  T943] page dumped because: kasan: bad access detected
[   76.990164][  T943] page_owner tracks the page as allocated
[   76.995959][  T943] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 1904, tgid 1904 (kworker/u8:8), ts 33284139939, free_ts 33283193987
[   77.019141][  T943]  post_alloc_hook+0x10f/0x130
[   77.023978][  T943]  get_page_from_freelist+0x2c3f/0x2cf0
[   77.029519][  T943]  __alloc_pages_noprof+0x256/0x670
[   77.034705][  T943]  alloc_slab_page+0x5f/0x120
[   77.039462][  T943]  allocate_slab+0x5d/0x290
[   77.043957][  T943]  ___slab_alloc+0xa7f/0x11d0
[   77.048619][  T943]  __kmalloc_noprof+0x25a/0x440
[   77.053482][  T943]  load_elf_binary+0x292/0x2390
[   77.058303][  T943]  bprm_execve+0x891/0x12f0
[   77.062773][  T943]  kernel_execve+0x532/0x610
[   77.067341][  T943]  call_usermodehelper_exec_async+0x204/0x320
[   77.073388][  T943]  ret_from_fork+0x32/0x60
[   77.077863][  T943]  ret_from_fork_asm+0x1a/0x30
[   77.082705][  T943] page last free pid 1809 tgid 1809 stack trace:
[   77.089003][  T943]  free_unref_page+0xb6f/0xca0
[   77.093746][  T943]  __slab_free+0x2e9/0x3a0
[   77.098171][  T943]  qlist_free_all+0x9e/0x140
[   77.103016][  T943]  kasan_quarantine_reduce+0x14f/0x170
[   77.108607][  T943]  __kasan_slab_alloc+0x23/0x80
[   77.113536][  T943]  kmem_cache_alloc_node_noprof+0x154/0x390
[   77.119500][  T943]  __alloc_skb+0x25e/0x940
[   77.124102][  T943]  netlink_ack+0x11a/0xa50
[   77.128510][  T943]  netlink_rcv_skb+0x234/0x390
[   77.133268][  T943]  netlink_unicast+0x5b0/0x7d0
[   77.138006][  T943]  netlink_sendmsg+0x72d/0xaf0
[   77.142838][  T943]  __sock_sendmsg+0x1ec/0x230
[   77.147488][  T943]  __sys_sendto+0x3b7/0x510
[   77.151970][  T943]  __x64_sys_sendto+0xd9/0xf0
[   77.156792][  T943]  do_syscall_64+0x8d/0x170
[   77.161280][  T943]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.167161][  T943] 
[   77.169479][  T943] Memory state around the buggy address:
[   77.175083][  T943]  ffff88807d2a9700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.183154][  T943]  ffff88807d2a9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.191299][  T943] >ffff88807d2a9800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.199337][  T943]                       ^
[   77.203895][  T943]  ffff88807d2a9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.212122][  T943]  ffff88807d2a9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.220191][  T943] ==================================================================
[   77.230368][  T943] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   77.237838][  T943] Kernel Offset: disabled
[   77.242161][  T943] Rebooting in 86400 seconds..
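As an added example (not part of the syzkaller log above, and not kernel or syzkaller code), a small Python triage parser for a generic-KASAN report of this shape. It pulls out what a triager reads first: the bug class and faulting function, the access type, size and address, the workqueue the faulting worker ran from, the allocation, free and "work creation" stacks with KASAN's own bookkeeping frames stripped so the owning subsystem's functions stand out, the slab cache and the offset inside the object, and the shadow byte covering the faulting address, cross-checked against the stated offset. The embedded sample is an excerpt of the report above; the shadow-byte legend and the list of "bookkeeping" frame prefixes are this example's own assumptions, and the splitter deliberately keys on the `[ts][Tid]` prefix so a report flattened onto one line by a web extractor parses the same as a clean one.

```python
"""Triage parser for a generic-KASAN slab-use-after-free report. Added example:
not part of the syzkaller log above, not kernel or syzkaller code."""
import re

# Shadow-byte legend for generic KASAN (values as in mm/kasan/kasan.h; assumption).
SHADOW_LEGEND = {0x00: "addressable", 0xFA: "freed slab object (free-track bytes)",
                 0xFB: "freed slab object", 0xFC: "slab redzone"}
GRANULE = 8  # one shadow byte covers eight bytes of memory
# Bookkeeping frames (KASAN, allocator, the RCU/work enqueue itself); the frame
# below them is the subsystem code that owned the object. Prefix list is ours.
NOISE = ("kasan_", "__kasan_", "poison_slab_object", "__kmalloc", "kmalloc",
         "kfree", "kmem_cache_", "call_rcu", "queue_work")
PREFIX_RE = re.compile(r"\[\s*\d+\.\d+\]\[\s*[CT]\d+\]\s?")
FRAME_RE = re.compile(r"^(\?)?\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")
STACKS = (("alloc", r"Allocated by task (\d+):"), ("free", r"Freed by task (\d+):"),
          ("aux", r"Last potentially related work creation:"))

def split_lines(text):
    """Log lines with the "[ts][Tid]" prefix removed; splits on the prefix itself."""
    parts = re.split(r"(?=\[\s*\d+\.\d+\]\[\s*[CT]\d+\])", text)
    return [PREFIX_RE.sub("", p, count=1).strip() for p in parts if p.strip()]

def frames_after(lines, header_re):
    """(header match, frames) for the stack under header_re. Frames marked '?'
    are unreliable (stale return addresses on the stack) and are dropped."""
    for i, line in enumerate(lines):
        if m := header_re.match(line):
            frames = []
            for fl in lines[i + 1:]:
                fm = FRAME_RE.match(fl)
                if not fm:
                    break  # a blank (or non-frame) line ends the stack
                if not fm.group(1):
                    frames.append(fm.group(2))
            return m, frames
    return None, []

def first_caller(frames):
    """First non-bookkeeping frame: where the subsystem itself touched the object."""
    return next((f for f in frames if not f.startswith(NOISE)), None)

def shadow_byte_at(lines, addr):
    """Shadow byte covering addr, read from the 'Memory state' rows of the report."""
    for line in lines:
        if (m := SHADOW_ROW_RE.match(line)) and 0 <= addr - int(m.group(1), 16) < 16 * GRANULE:
            val = [int(b, 16) for b in m.group(2).split()][(addr - int(m.group(1), 16)) // GRANULE]
            return val, SHADOW_LEGEND.get(val, "other")
    return None, None

def parse_kasan_report(text):
    lines = split_lines(text)
    r = {}
    for line in lines:
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", line):
            r["bug"], r["function"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.update(access=m.group(1).lower(), size=int(m.group(2)),
                     addr=int(m.group(3), 16), task=m.group(4))
        elif m := re.match(r"Workqueue: (\S+) (\S+)", line):
            r["workqueue"] = (m.group(1), m.group(2))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["offset"] = int(m.group(1))
    for key, header in STACKS:
        m, frames = frames_after(lines, re.compile(header))
        if m:
            r[key + "_task"] = int(m.group(1)) if m.groups() else None
            r[key + "_stack"], r[key + "_caller"] = frames, first_caller(frames)
    if "addr" in r:
        r["shadow"], r["shadow_meaning"] = shadow_byte_at(lines, r["addr"])
    if {"addr", "object", "offset"} <= r.keys():
        r["offset_consistent"] = r["addr"] - r["object"] == r["offset"]  # cross-check
    return r

# Excerpt of the report above (lines copied from it, not constructed).
SAMPLE = """\
[   76.510817][  T943] BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x23/0x830
[   76.518824][  T943] Write of size 8 at addr ffff88807d2a9808 by task kworker/u8:7/943
[   76.547859][  T943] Workqueue: l2tp l2tp_tunnel_del_work
[   76.698378][  T943] Allocated by task 5173:
[   76.702714][  T943]  kasan_save_track+0x3f/0x80
[   76.707408][  T943]  __kasan_kmalloc+0x98/0xb0
[   76.712006][  T943]  __kmalloc_noprof+0x1d5/0x440
[   76.716861][  T943]  l2tp_session_create+0x34/0xb90
[   76.721883][  T943]  pppol2tp_connect+0xb4e/0x1650
[   76.746767][  T943]
[   76.749090][  T943] Freed by task 5177:
[   76.753059][  T943]  kasan_save_track+0x3f/0x80
[   76.767712][  T943]  __kasan_slab_free+0x37/0x60
[   76.772470][  T943]  kfree+0x12f/0x310
[   76.776378][  T943]  __sk_destruct+0x4b/0x550
[   76.780971][  T943]  rcu_core+0xc3c/0x1470
[   76.806114][  T943]
[   76.808440][  T943] Last potentially related work creation:
[   76.818861][  T943]  __kasan_record_aux_stack+0xac/0xc0
[   76.824246][  T943]  call_rcu+0x159/0x8e0
[   76.828458][  T943]  pppol2tp_release+0x1c5/0x250
[   76.862609][  T943]
[   76.864928][  T943] The buggy address belongs to the object at ffff88807d2a9800
[   76.864928][  T943]  which belongs to the cache kmalloc-1k of size 1024
[   76.879325][  T943] The buggy address is located 8 bytes inside of
[   77.191299][  T943] >ffff88807d2a9800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    for k, v in parse_kasan_report(SAMPLE).items():
        print(f"{k:>18}: {v:#x}" if k in ("addr", "object", "shadow") else f"{k:>18}: {v}")
```

Read against the report, the parsed fields give the triage story in one screen: the object was allocated by l2tp_session_create on the pppol2tp_connect path (task 5173), its free was queued by call_rcu from pppol2tp_release and carried out by __sk_destruct in the RCU callback (task 5177), and l2tp_session_delete, running from the l2tp_tunnel_del_work workqueue, then wrote 8 bytes at offset 8 of the freed kmalloc-1k object. The shadow byte 0xfb under the faulting address confirms the write landed inside a freed object rather than a redzone, and the 0xfa in the first granule marks where generic KASAN keeps its free-track metadata inside the freed object. The parser assumes the generic (software) KASAN report layout of 6.x kernels; hardware tag-based KASAN prints a different report and the legend does not apply.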