Warning: Permanently added '10.128.0.2' (ED25519) to the list of known hosts.
2023/11/15 06:56:50 ignoring optional flag "sandboxArg"="0"
2023/11/15 06:56:50 parsed 1 programs
2023/11/15 06:56:50 executed programs: 0
[ 58.277575][ T1403] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
2023/11/15 06:56:56 executed programs: 23
[ 67.329250][ T2207] ==================================================================
[ 67.337982][ T2207] BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0x8c/0x90
[ 67.347042][ T2207] Read of size 4 at addr ffff88810478e404 by task syz-executor.0/2207
[ 67.361360][ T2207]
[ 67.363957][ T2207] CPU: 1 PID: 2207 Comm: syz-executor.0 Not tainted 6.7.0-rc1-syzkaller #0
[ 67.374473][ T2207] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 67.386380][ T2207] Call Trace:
[ 67.389677][ T2207]
[ 67.392736][ T2207] dump_stack_lvl+0xf4/0x260
[ 67.398301][ T2207] ? nf_tcp_handle_invalid+0x300/0x300
[ 67.404409][ T2207] ? panic+0x500/0x500
[ 67.408961][ T2207] ? _printk+0xca/0x110
[ 67.414368][ T2207] print_report+0x15f/0x540
[ 67.419619][ T2207] ? unix_stream_read_actor+0x8c/0x90
[ 67.425603][ T2207] kasan_report+0x13e/0x170
[ 67.430405][ T2207] ? do_raw_spin_lock+0x149/0x3a0
[ 67.436159][ T2207] ? unix_stream_read_actor+0x8c/0x90
[ 67.443456][ T2207] unix_stream_read_actor+0x8c/0x90
[ 67.448649][ T2207] unix_stream_recv_urg+0x16c/0x2a0
[ 67.455871][ T2207] unix_stream_read_generic+0x1dbc/0x1ec0
[ 67.461792][ T2207] ? aa_sk_perm+0x530/0x530
[ 67.466311][ T2207] ? unix_stream_read_actor+0x90/0x90
[ 67.472035][ T2207] unix_stream_recvmsg+0x161/0x1e0
[ 67.477316][ T2207] ? unix_stream_sendmsg+0x1210/0x1210
[ 67.482875][ T2207] ? __unix_stream_recvmsg+0x210/0x210
[ 67.488497][ T2207] ? security_socket_recvmsg+0x3b/0x90
[ 67.494289][ T2207] ? unix_stream_sendmsg+0x1210/0x1210
[ 67.499891][ T2207] ____sys_recvmsg+0x26f/0x4e0
[ 67.505129][ T2207] ? __sys_recvmsg_sock+0x10/0x10
[ 67.510360][ T2207] ? import_iovec+0x5a/0x90
[ 67.515031][ T2207] ___sys_recvmsg+0x4c1/0x6e0
[ 67.519707][ T2207] ? __sys_recvmsg+0x1d0/0x1d0
[ 67.524568][ T2207] ? __fget_files+0x2e/0x2d0
[ 67.529232][ T2207] ? __fdget+0x13a/0x1b0
[ 67.533578][ T2207] __x64_sys_recvmsg+0x190/0x210
[ 67.538722][ T2207] ? ___sys_recvmsg+0x6e0/0x6e0
[ 67.544375][ T2207] ? __se_sys_rt_sigprocmask+0x222/0x2b0
[ 67.550176][ T2207] ? fpregs_assert_state_consistent+0x43/0x50
[ 67.556906][ T2207] do_syscall_64+0x40/0xe0
[ 67.561354][ T2207] ? syscall_exit_to_user_mode+0x27/0x1c0
[ 67.567397][ T2207] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 67.573381][ T2207] RIP: 0033:0x7fb88031eae9
[ 67.577997][ T2207] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 67.598307][ T2207] RSP: 002b:00007fb87fe5f0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 67.608175][ T2207] RAX: ffffffffffffffda RBX: 00007fb88043e120 RCX: 00007fb88031eae9
[ 67.616404][ T2207] RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
[ 67.624828][ T2207] RBP: 00007fb88036a47a R08: 0000000000000000 R09: 0000000000000000
[ 67.632913][ T2207] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 67.641268][ T2207] R13: 000000000000006e R14: 00007fb88043e120 R15: 00007ffca73cf858
[ 67.649780][ T2207]
[ 67.652828][ T2207]
[ 67.655226][ T2207] Allocated by task 2206:
[ 67.660611][ T2207] kasan_set_track+0x4b/0x70
[ 67.665466][ T2207] __kasan_slab_alloc+0x62/0x70
[ 67.670915][ T2207] slab_post_alloc_hook+0x67/0x3a0
[ 67.676732][ T2207] kmem_cache_alloc_node+0x194/0x330
[ 67.683987][ T2207] __alloc_skb+0x1e0/0x8a0
[ 67.688655][ T2207] alloc_skb_with_frags+0x85/0x570
[ 67.693953][ T2207] sock_alloc_send_pskb+0x7ef/0x8f0
[ 67.699876][ T2207] queue_oob+0xfd/0x7e0
[ 67.704035][ T2207] unix_stream_sendmsg+0xd2d/0x1210
[ 67.709585][ T2207] ____sys_sendmsg+0x4a4/0x770
[ 67.715490][ T2207] ___sys_sendmsg+0x223/0x2a0
[ 67.720742][ T2207] __se_sys_sendmsg+0x146/0x1d0
[ 67.726169][ T2207] do_syscall_64+0x40/0xe0
[ 67.731004][ T2207] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 67.738032][ T2207]
[ 67.741113][ T2207] Freed by task 2206:
[ 67.745194][ T2207] kasan_set_track+0x4b/0x70
[ 67.750309][ T2207] kasan_save_free_info+0x24/0x40
[ 67.755482][ T2207] ____kasan_slab_free+0x122/0x1e0
[ 67.760681][ T2207] kmem_cache_free+0x2e8/0x4f0
[ 67.765458][ T2207] queue_oob+0x497/0x7e0
[ 67.770245][ T2207] unix_stream_sendmsg+0xd2d/0x1210
[ 67.776772][ T2207] ____sys_sendmsg+0x4a4/0x770
[ 67.781552][ T2207] ___sys_sendmsg+0x223/0x2a0
[ 67.786259][ T2207] __se_sys_sendmsg+0x146/0x1d0
[ 67.791219][ T2207] do_syscall_64+0x40/0xe0
[ 67.795753][ T2207] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 67.801639][ T2207]
[ 67.803944][ T2207] The buggy address belongs to the object at ffff88810478e3c0
[ 67.803944][ T2207]  which belongs to the cache skbuff_head_cache of size 224
[ 67.818632][ T2207] The buggy address is located 68 bytes inside of
[ 67.818632][ T2207]  freed 224-byte region [ffff88810478e3c0, ffff88810478e4a0)
[ 67.832585][ T2207]
[ 67.834974][ T2207] The buggy address belongs to the physical page:
[ 67.841359][ T2207] page:ffffea000411e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10478e
[ 67.851851][ T2207] memcg:ffff888115869081
[ 67.856083][ T2207] flags: 0x200000000000800(slab|node=0|zone=2)
[ 67.862413][ T2207] page_type: 0xffffffff()
[ 67.867467][ T2207] raw: 0200000000000800 ffff888104271640 dead000000000122 0000000000000000
[ 67.876517][ T2207] raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff888115869081
[ 67.885146][ T2207] page dumped because: kasan: bad access detected
[ 67.892148][ T2207] page_owner tracks the page as allocated
[ 67.898428][ T2207] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 2206, tgid 2204 (syz-executor.0), ts 67328801029, free_ts 67320386266
[ 67.918749][ T2207] post_alloc_hook+0x256/0x280
[ 67.923528][ T2207] get_page_from_freelist+0x32b9/0x3680
[ 67.929505][ T2207] __alloc_pages+0x251/0x640
[ 67.934549][ T2207] alloc_pages_mpol+0x13f/0x320
[ 67.939473][ T2207] alloc_slab_page+0x6a/0x150
[ 67.944239][ T2207] new_slab+0x70/0x250
[ 67.950143][ T2207] ___slab_alloc+0x932/0xeb0
[ 67.955431][ T2207] kmem_cache_alloc_node+0x21e/0x330
[ 67.961731][ T2207] __alloc_skb+0x1e0/0x8a0
[ 67.966249][ T2207] alloc_skb_with_frags+0x85/0x570
[ 67.971523][ T2207] sock_alloc_send_pskb+0x7ef/0x8f0
[ 67.976898][ T2207] queue_oob+0xfd/0x7e0
[ 67.981392][ T2207] unix_stream_sendmsg+0xd2d/0x1210
[ 67.987575][ T2207] ____sys_sendmsg+0x4a4/0x770
[ 67.993006][ T2207] ___sys_sendmsg+0x223/0x2a0
[ 67.998643][ T2207] __se_sys_sendmsg+0x146/0x1d0
[ 68.003766][ T2207] page last free stack trace:
[ 68.009142][ T2207] free_unref_page_prepare+0x7c0/0x8d0
[ 68.014592][ T2207] free_unref_page+0x30/0x230
[ 68.019439][ T2207] vfree+0x10a/0x200
[ 68.023484][ T2207] delayed_vfree_work+0x38/0x60
[ 68.028392][ T2207] process_scheduled_works+0x7e2/0xfc0
[ 68.034522][ T2207] worker_thread+0x864/0xc90
[ 68.039172][ T2207] kthread+0x22f/0x280
[ 68.043223][ T2207] ret_from_fork+0x2a/0x60
[ 68.047697][ T2207] ret_from_fork_asm+0x11/0x20
[ 68.052451][ T2207]
[ 68.054773][ T2207] Memory state around the buggy address:
[ 68.060376][ T2207] ffff88810478e300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 68.068853][ T2207] ffff88810478e380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 68.077323][ T2207] >ffff88810478e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.085965][ T2207] ^
[ 68.091150][ T2207] ffff88810478e480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.099483][ T2207] ffff88810478e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.108934][ T2207] ==================================================================
[ 68.117290][ T2207] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 68.124894][ T2207] Kernel Offset: disabled
[ 68.130548][ T2207] Rebooting in 86400 seconds..