Warning: Permanently added '10.128.10.33' (ED25519) to the list of known hosts.
2023/11/12 16:52:49 ignoring optional flag "sandboxArg"="0"
2023/11/12 16:52:49 parsed 1 programs
2023/11/12 16:52:49 executed programs: 0
[ 51.511739][ T1391] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2023/11/12 16:52:54 executed programs: 40
2023/11/12 16:52:59 executed programs: 109
2023/11/12 16:53:04 executed programs: 191
2023/11/12 16:53:09 executed programs: 273
2023/11/12 16:53:14 executed programs: 355
[ 76.846688][ T3278] ==================================================================
[ 76.854874][ T3278] BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0x90/0xa0
[ 76.863011][ T3278] Read of size 4 at addr ffff88810a625404 by task syz-executor.0/3278
[ 76.871360][ T3278]
[ 76.873769][ T3278] CPU: 0 PID: 3278 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller #0
[ 76.882090][ T3278] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 76.892152][ T3278] Call Trace:
[ 76.895762][ T3278]
[ 76.898709][ T3278]  dump_stack_lvl+0xf8/0x260
[ 76.903367][ T3278]  ? nf_tcp_handle_invalid+0x300/0x300
[ 76.908888][ T3278]  ? panic+0x500/0x500
[ 76.912926][ T3278]  ? _printk+0xce/0x110
[ 76.917051][ T3278]  print_report+0x163/0x540
[ 76.921612][ T3278]  ? unix_stream_read_actor+0x90/0xa0
[ 76.926977][ T3278]  kasan_report+0x142/0x170
[ 76.931465][ T3278]  ? do_raw_spin_lock+0x14d/0x3a0
[ 76.936473][ T3278]  ? unix_stream_read_actor+0x90/0xa0
[ 76.941921][ T3278]  unix_stream_read_actor+0x90/0xa0
[ 76.947129][ T3278]  unix_stream_recv_urg+0x16c/0x2a0
[ 76.952504][ T3278]  unix_stream_read_generic+0x1dc0/0x1ed0
[ 76.958578][ T3278]  ? aa_sk_perm+0x530/0x530
[ 76.963150][ T3278]  ? unix_stream_read_actor+0xa0/0xa0
[ 76.968583][ T3278]  unix_stream_recvmsg+0x165/0x1e0
[ 76.974138][ T3278]  ? unix_stream_sendmsg+0x1210/0x1210
[ 76.979943][ T3278]  ? __unix_stream_recvmsg+0x210/0x210
[ 76.985496][ T3278]  ? security_socket_recvmsg+0x3f/0x90
[ 76.991033][ T3278]  ? unix_stream_sendmsg+0x1210/0x1210
[ 76.996563][ T3278]  ____sys_recvmsg+0x273/0x4f0
[ 77.001309][ T3278]  ? __sys_recvmsg_sock+0x10/0x10
[ 77.006306][ T3278]  ? import_iovec+0x5e/0x90
[ 77.010777][ T3278]  ___sys_recvmsg+0x4c5/0x6e0
[ 77.015424][ T3278]  ? __sys_recvmsg+0x1d0/0x1d0
[ 77.020155][ T3278]  ? __fget_files+0x2e/0x2d0
[ 77.024750][ T3278]  ? __fdget+0x13e/0x1c0
[ 77.028958][ T3278]  __x64_sys_recvmsg+0x194/0x220
[ 77.033864][ T3278]  ? ___sys_recvmsg+0x6e0/0x6e0
[ 77.038704][ T3278]  ? __se_sys_rt_sigprocmask+0x226/0x2b0
[ 77.044308][ T3278]  ? __ct_user_exit+0x60/0x80
[ 77.048956][ T3278]  ? trace_user_exit+0x25/0xd0
[ 77.053777][ T3278]  ? __ct_user_exit+0x65/0x80
[ 77.059396][ T3278]  ? syscall_enter_from_user_mode+0x188/0x1f0
[ 77.065467][ T3278]  do_syscall_64+0x44/0xe0
[ 77.070042][ T3278]  ? syscall_exit_to_user_mode+0x166/0x1c0
[ 77.075820][ T3278]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 77.081878][ T3278] RIP: 0033:0x7fd1a0b20ae9
[ 77.086465][ T3278] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 77.106064][ T3278] RSP: 002b:00007fd1a06610c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 77.114705][ T3278] RAX: ffffffffffffffda RBX: 00007fd1a0c40120 RCX: 00007fd1a0b20ae9
[ 77.122761][ T3278] RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
[ 77.130803][ T3278] RBP: 00007fd1a0b6c47a R08: 0000000000000000 R09: 0000000000000000
[ 77.138758][ T3278] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 77.146732][ T3278] R13: 000000000000006e R14: 00007fd1a0c40120 R15: 00007ffecacad648
[ 77.154712][ T3278]
[ 77.157718][ T3278]
[ 77.160104][ T3278] Allocated by task 3277:
[ 77.164424][ T3278]  kasan_set_track+0x4f/0x70
[ 77.169000][ T3278]  __kasan_slab_alloc+0x4b/0x60
[ 77.173948][ T3278]  slab_post_alloc_hook+0x6d/0x3d0
[ 77.179082][ T3278]  kmem_cache_alloc_node+0x186/0x2c0
[ 77.184438][ T3278]  __alloc_skb+0x1a7/0x870
[ 77.188858][ T3278]  alloc_skb_with_frags+0x89/0x570
[ 77.193971][ T3278]  sock_alloc_send_pskb+0x7f3/0x8f0
[ 77.199189][ T3278]  queue_oob+0x101/0x7f0
[ 77.203512][ T3278]  unix_stream_sendmsg+0xd31/0x1210
[ 77.208772][ T3278]  ____sys_sendmsg+0x4a8/0x780
[ 77.213527][ T3278]  ___sys_sendmsg+0x227/0x2a0
[ 77.218215][ T3278]  __se_sys_sendmsg+0x14a/0x1d0
[ 77.223145][ T3278]  do_syscall_64+0x44/0xe0
[ 77.227555][ T3278]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 77.233782][ T3278]
[ 77.236169][ T3278] Freed by task 3277:
[ 77.240205][ T3278]  kasan_set_track+0x4f/0x70
[ 77.244770][ T3278]  kasan_save_free_info+0x28/0x40
[ 77.250475][ T3278]  ____kasan_slab_free+0xf8/0x1c0
[ 77.255500][ T3278]  kmem_cache_free+0x26f/0x480
[ 77.260428][ T3278]  queue_oob+0x49b/0x7f0
[ 77.264652][ T3278]  unix_stream_sendmsg+0xd31/0x1210
[ 77.269943][ T3278]  ____sys_sendmsg+0x4a8/0x780
[ 77.274876][ T3278]  ___sys_sendmsg+0x227/0x2a0
[ 77.279628][ T3278]  __se_sys_sendmsg+0x14a/0x1d0
[ 77.284916][ T3278]  do_syscall_64+0x44/0xe0
[ 77.289344][ T3278]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 77.295214][ T3278]
[ 77.297611][ T3278] The buggy address belongs to the object at ffff88810a6253c0
[ 77.297611][ T3278]  which belongs to the cache skbuff_head_cache of size 224
[ 77.312577][ T3278] The buggy address is located 68 bytes inside of
[ 77.312577][ T3278]  freed 224-byte region [ffff88810a6253c0, ffff88810a6254a0)
[ 77.326556][ T3278]
[ 77.328864][ T3278] The buggy address belongs to the physical page:
[ 77.335248][ T3278] page:ffffea0004298940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a625
[ 77.345555][ T3278] memcg:ffff88810c02e601
[ 77.349814][ T3278] flags: 0x200000000000800(slab|node=0|zone=2)
[ 77.355974][ T3278] page_type: 0xffffffff()
[ 77.360301][ T3278] raw: 0200000000000800 ffff8881088ec640 dead000000000122 0000000000000000
[ 77.368954][ T3278] raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff88810c02e601
[ 77.377994][ T3278] page dumped because: kasan: bad access detected
[ 77.384588][ T3278] page_owner tracks the page as allocated
[ 77.390471][ T3278] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3277, tgid 3275 (syz-executor.0), ts 76846435247, free_ts 76547468977
[ 77.409304][ T3278]  get_page_from_freelist+0x32c9/0x3680
[ 77.415558][ T3278]  __alloc_pages+0x255/0x650
[ 77.420154][ T3278]  alloc_pages_mpol+0x13d/0x310
[ 77.425009][ T3278]  alloc_slab_page+0x6a/0x160
[ 77.429792][ T3278]  new_slab+0x70/0x260
[ 77.433851][ T3278]  ___slab_alloc+0x8f3/0xe60
[ 77.438411][ T3278]  kmem_cache_alloc_node+0x200/0x2c0
[ 77.443678][ T3278]  __alloc_skb+0x1a7/0x870
[ 77.448311][ T3278]  alloc_skb_with_frags+0x89/0x570
[ 77.453488][ T3278]  sock_alloc_send_pskb+0x7f3/0x8f0
[ 77.458690][ T3278]  queue_oob+0x101/0x7f0
[ 77.462915][ T3278]  unix_stream_sendmsg+0xd31/0x1210
[ 77.468085][ T3278]  ____sys_sendmsg+0x4a8/0x780
[ 77.472855][ T3278]  ___sys_sendmsg+0x227/0x2a0
[ 77.477510][ T3278]  __se_sys_sendmsg+0x14a/0x1d0
[ 77.482329][ T3278]  do_syscall_64+0x44/0xe0
[ 77.486804][ T3278] page last free stack trace:
[ 77.491452][ T3278]  free_unref_page_prepare+0x7db/0x8e0
[ 77.496879][ T3278]  free_unref_page_list+0xae/0x620
[ 77.501959][ T3278]  release_pages+0x174d/0x18f0
[ 77.506886][ T3278]  tlb_flush_mmu+0x273/0x3d0
[ 77.511465][ T3278]  tlb_finish_mmu+0xb6/0x1c0
[ 77.516029][ T3278]  exit_mmap+0x411/0x960
[ 77.520247][ T3278]  __mmput+0x61/0x290
[ 77.524200][ T3278]  exit_mm+0x113/0x1b0
[ 77.528245][ T3278]  do_exit+0x7ea/0x23f0
[ 77.532456][ T3278]  do_group_exit+0x1b9/0x280
[ 77.537219][ T3278]  get_signal+0x114b/0x12a0
[ 77.541725][ T3278]  arch_do_signal_or_restart+0x91/0x600
[ 77.547282][ T3278]  exit_to_user_mode_loop+0x63/0xb0
[ 77.552551][ T3278]  exit_to_user_mode_prepare+0x5c/0xa0
[ 77.558096][ T3278]  syscall_exit_to_user_mode+0x2b/0x1c0
[ 77.563615][ T3278]  do_syscall_64+0x50/0xe0
[ 77.568002][ T3278]
[ 77.570308][ T3278] Memory state around the buggy address:
[ 77.575925][ T3278]  ffff88810a625300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 77.584134][ T3278]  ffff88810a625380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 77.592376][ T3278] >ffff88810a625400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.600411][ T3278]                    ^
[ 77.604458][ T3278]  ffff88810a625480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.612513][ T3278]  ffff88810a625500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 77.620736][ T3278] ==================================================================
[ 77.628907][ T3278] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 77.636666][ T3278] Kernel Offset: disabled
[ 77.640987][ T3278] Rebooting in 86400 seconds..