syzkaller
syzkaller login: [ 16.109252][ T807] sftp-server (807) used greatest stack depth: 24552 bytes left
[ 16.587163][ T808] sshd (808) used greatest stack depth: 24456 bytes left
[ 22.404080][ T821] cgroup: Unknown subsys name 'net'
[ 22.532460][ T821] cgroup: Unknown subsys name 'rlimit'
[ 22.677740][ T821] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 26.213237][ T816] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 26.374226][ T816] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
Warning: Permanently added '10.128.10.33' (ED25519) to the list of known hosts.
2023/12/17 10:48:11 ignoring optional flag "sandboxArg"="0"
2023/12/17 10:48:11 parsed 1 programs
2023/12/17 10:48:11 executed programs: 0
[ 45.171738][ T1403] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 48.207193][ T1863] ==================================================================
[ 48.215462][ T1863] BUG: KASAN: slab-out-of-bounds in nla_find+0xb2/0xe0
[ 48.222375][ T1863] Read of size 2 at addr ffff888104eafca0 by task syz-executor.0/1863
[ 48.230681][ T1863]
[ 48.232978][ T1863] CPU: 0 PID: 1863 Comm: syz-executor.0 Not tainted 6.7.0-rc4-syzkaller #0
[ 48.241625][ T1863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 48.251758][ T1863] Call Trace:
[ 48.255065][ T1863]
[ 48.258153][ T1863] dump_stack_lvl+0x3d/0x60
[ 48.262740][ T1863] print_report+0xc4/0x620
[ 48.267157][ T1863] kasan_report+0xda/0x110
[ 48.271572][ T1863] ? nla_find+0xb2/0xe0
[ 48.275727][ T1863] ? nla_find+0xb2/0xe0
[ 48.280200][ T1863] nla_find+0xb2/0xe0
[ 48.284202][ T1863] bpf_skb_get_nlattr_nest+0x101/0x1d0
[ 48.289731][ T1863] ? __alloc_skb+0x10b/0x270
[ 48.294307][ T1863] ? bpf_skb_get_nlattr+0x140/0x140
[ 48.299482][ T1863] ___bpf_prog_run+0x3910/0x9c10
[ 48.304446][ T1863] ? __kernel_text_address+0xd/0x30
[ 48.309743][ T1863] __bpf_prog_run32+0xb1/0xf0
[ 48.314404][ T1863] ? __bpf_prog_run64+0xe0/0xe0
[ 48.319234][ T1863] ? __lock_acquire.constprop.0+0x486/0xf50
[ 48.325204][ T1863] ? migrate_disable+0xfd/0x150
[ 48.330104][ T1863] sk_filter_trim_cap+0x241/0x670
[ 48.335156][ T1863] ? sk_select_reuseport+0x3f0/0x3f0
[ 48.340433][ T1863] ? skb_copy_datagram_from_iter+0xfa/0x5f0
[ 48.346346][ T1863] unix_dgram_sendmsg+0x858/0x1850
[ 48.351621][ T1863] ? stack_trace_save+0x96/0xd0
[ 48.356509][ T1863] ? unix_stream_recvmsg+0xd0/0xd0
[ 48.361601][ T1863] ? aa_af_perm+0x220/0x220
[ 48.366121][ T1863] ? unix_dgram_sendmsg+0x1850/0x1850
[ 48.371505][ T1863] __sock_sendmsg+0xbc/0x150
[ 48.376198][ T1863] sock_write_iter+0x225/0x390
[ 48.380944][ T1863] ? __sock_sendmsg+0x150/0x150
[ 48.385776][ T1863] ? aa_file_perm+0x39f/0xca0
[ 48.390440][ T1863] ? try_to_wake_up+0x639/0x1380
[ 48.395381][ T1863] do_iter_readv_writev+0x1a8/0x2f0
[ 48.400571][ T1863] ? generic_copy_file_range+0x190/0x190
[ 48.406186][ T1863] ? apparmor_file_permission+0x166/0x320
[ 48.412402][ T1863] do_iter_write+0x132/0x7a0
[ 48.416968][ T1863] ? import_iovec+0x47/0x90
[ 48.421461][ T1863] vfs_writev+0x1e0/0x4e0
[ 48.425819][ T1863] ? vfs_iter_write+0xc0/0xc0
[ 48.430476][ T1863] ? find_held_lock+0x2d/0x110
[ 48.435215][ T1863] ? __fget_light+0x1e1/0x410
[ 48.439886][ T1863] ? __fget_light+0x1e6/0x410
[ 48.444710][ T1863] ? do_writev+0x200/0x2b0
[ 48.449098][ T1863] do_writev+0x200/0x2b0
[ 48.453312][ T1863] ? vfs_writev+0x4e0/0x4e0
[ 48.457896][ T1863] ? fpregs_restore_userregs+0x121/0x220
[ 48.463615][ T1863] do_syscall_64+0x40/0xe0
[ 48.468024][ T1863] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 48.473894][ T1863] RIP: 0033:0x7f4878cb7ba9
[ 48.478382][ T1863] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 48.498086][ T1863] RSP: 002b:00007f487883a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 48.506496][ T1863] RAX: ffffffffffffffda RBX: 00007f4878dd6f80 RCX: 00007f4878cb7ba9
[ 48.514460][ T1863] RDX: 0000000000000004 RSI: 0000000020000140 RDI: 0000000000000003
[ 48.522422][ T1863] RBP: 00007f4878d0347a R08: 0000000000000000 R09: 0000000000000000
[ 48.530401][ T1863] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 48.538369][ T1863] R13: 0000000000000006 R14: 00007f4878dd6f80 R15: 00007ffe36e33378
[ 48.546343][ T1863]
[ 48.549344][ T1863]
[ 48.551644][ T1863] Allocated by task 811:
[ 48.555852][ T1863] kasan_save_stack+0x33/0x50
[ 48.560500][ T1863] kasan_set_track+0x25/0x30
[ 48.565063][ T1863] __kasan_kmalloc+0xa2/0xb0
[ 48.569636][ T1863] __kmalloc+0x60/0x160
[ 48.573758][ T1863] alloc_pipe_info+0x15e/0x460
[ 48.578495][ T1863] create_pipe_files+0x82/0x730
[ 48.583313][ T1863] do_pipe2+0x93/0x170
[ 48.587360][ T1863] __x64_sys_pipe2+0x4f/0x70
[ 48.591920][ T1863] do_syscall_64+0x40/0xe0
[ 48.596308][ T1863] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 48.602181][ T1863]
[ 48.604483][ T1863] The buggy address belongs to the object at ffff888104eaf800
[ 48.604483][ T1863]  which belongs to the cache kmalloc-cg-1k of size 1024
[ 48.618772][ T1863] The buggy address is located 160 bytes to the right of
[ 48.618772][ T1863]  allocated 1024-byte region [ffff888104eaf800, ffff888104eafc00)
[ 48.633616][ T1863]
[ 48.635932][ T1863] The buggy address belongs to the physical page:
[ 48.642315][ T1863] page:ffffea000413aa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104eab800 pfn:0x104ea8
[ 48.653839][ T1863] head:ffffea000413aa00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 48.662834][ T1863] memcg:ffff8881033ce001
[ 48.667062][ T1863] anon flags: 0x200000000000840(slab|head|node=0|zone=2)
[ 48.674516][ T1863] page_type: 0xffffffff()
[ 48.678828][ T1863] raw: 0200000000000840 ffff88810004f280 0000000000000000 0000000000000001
[ 48.687726][ T1863] raw: ffff888104eab800 000000008010000b 00000001ffffffff ffff8881033ce001
[ 48.696465][ T1863] page dumped because: kasan: bad access detected
[ 48.702849][ T1863] page_owner tracks the page as allocated
[ 48.708583][ T1863] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 757, tgid 757 (dhcpcd), ts 5848167548, free_ts 5333610876
[ 48.729335][ T1863] post_alloc_hook+0x27f/0x2f0
[ 48.734168][ T1863] get_page_from_freelist+0xeb8/0x36a0
[ 48.739600][ T1863] __alloc_pages+0x342/0x5e0
[ 48.744440][ T1863] alloc_pages_mpol+0xbf/0x370
[ 48.749280][ T1863] allocate_slab+0x24b/0x360
[ 48.753976][ T1863] ___slab_alloc+0x8ce/0x10e0
[ 48.758624][ T1863] __slab_alloc.constprop.0+0x4d/0x90
[ 48.763983][ T1863] __kmem_cache_alloc_node+0x150/0x350
[ 48.769436][ T1863] __kmalloc_node_track_caller+0x50/0x160
[ 48.775128][ T1863] kmalloc_reserve+0xbb/0x1e0
[ 48.779773][ T1863] __alloc_skb+0xd4/0x270
[ 48.784086][ T1863] alloc_skb_with_frags+0x83/0x620
[ 48.789166][ T1863] sock_alloc_send_pskb+0x6a3/0x840
[ 48.794343][ T1863] unix_dgram_sendmsg+0x36a/0x1850
[ 48.799597][ T1863] __sock_sendmsg+0xbc/0x150
[ 48.804312][ T1863] sock_write_iter+0x225/0x390
[ 48.809070][ T1863] page last free stack trace:
[ 48.813719][ T1863] free_unref_page_prepare+0x562/0xbd0
[ 48.819295][ T1863] free_unref_page+0x33/0x2a0
[ 48.824044][ T1863] qlist_free_all+0x6a/0x170
[ 48.828696][ T1863] kasan_quarantine_reduce+0x180/0x1b0
[ 48.834131][ T1863] __kasan_slab_alloc+0x65/0x90
[ 48.838952][ T1863] __kmem_cache_alloc_node+0x1bd/0x350
[ 48.844416][ T1863] __kmalloc+0x4f/0x160
[ 48.848631][ T1863] tomoyo_supervisor+0xa94/0xc40
[ 48.853544][ T1863] tomoyo_path_permission+0x23d/0x330
[ 48.858974][ T1863] tomoyo_path_perm+0x2af/0x350
[ 48.863909][ T1863] security_inode_getattr+0xc6/0x110
[ 48.869171][ T1863] vfs_fstat+0x36/0x80
[ 48.873216][ T1863] __do_sys_newfstatat+0x85/0xe0
[ 48.878156][ T1863] do_syscall_64+0x40/0xe0
[ 48.882719][ T1863] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 48.888880][ T1863]
[ 48.891223][ T1863] Memory state around the buggy address:
[ 48.896831][ T1863]  ffff888104eafb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.904913][ T1863]  ffff888104eafc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.912964][ T1863] >ffff888104eafc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.921006][ T1863]                                ^
[ 48.926098][ T1863]  ffff888104eafd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.934489][ T1863]  ffff888104eafd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.942609][ T1863] ==================================================================
[ 48.950896][ T1863] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 48.958293][ T1863] Kernel Offset: disabled
[ 48.962606][ T1863] Rebooting in 86400 seconds..
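A triage helper for the KASAN report above, added here as an example; it is not part of the syzkaller log and not the kernel's or syzkaller's own tooling. It pulls out the fields a triager checks first (bug class, access kind and size, the first non-reporting frame and its caller, the allocated object range, the entering syscall) and re-derives the "N bytes to the right of" claim from the raw addresses so the report's own arithmetic can be trusted. The REPORT string is a constructed excerpt carrying the values from the log above, and SYSCALLS_X86_64 is a deliberately partial table (an assumption of the example, not a kernel artifact).

```python
"""Parse a KASAN slab-out-of-bounds report and verify its address arithmetic."""
import re

# Constructed excerpt: the lines from the log above that the parser needs.
REPORT = """\
[ 48.215462][ T1863] BUG: KASAN: slab-out-of-bounds in nla_find+0xb2/0xe0
[ 48.222375][ T1863] Read of size 2 at addr ffff888104eafca0 by task syz-executor.0/1863
[ 48.251758][ T1863] Call Trace:
[ 48.258153][ T1863] dump_stack_lvl+0x3d/0x60
[ 48.262740][ T1863] print_report+0xc4/0x620
[ 48.267157][ T1863] kasan_report+0xda/0x110
[ 48.271572][ T1863] ? nla_find+0xb2/0xe0
[ 48.280200][ T1863] nla_find+0xb2/0xe0
[ 48.284202][ T1863] bpf_skb_get_nlattr_nest+0x101/0x1d0
[ 48.299482][ T1863] ___bpf_prog_run+0x3910/0x9c10
[ 48.309743][ T1863] __bpf_prog_run32+0xb1/0xf0
[ 48.330104][ T1863] sk_filter_trim_cap+0x241/0x670
[ 48.346346][ T1863] unix_dgram_sendmsg+0x858/0x1850
[ 48.449098][ T1863] do_writev+0x200/0x2b0
[ 48.463615][ T1863] do_syscall_64+0x40/0xe0
[ 48.473894][ T1863] RIP: 0033:0x7f4878cb7ba9
[ 48.498086][ T1863] RSP: 002b:00007f487883a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
[ 48.604483][ T1863] The buggy address belongs to the object at ffff888104eaf800
[ 48.604483][ T1863]  which belongs to the cache kmalloc-cg-1k of size 1024
[ 48.618772][ T1863] The buggy address is located 160 bytes to the right of
[ 48.618772][ T1863]  allocated 1024-byte region [ffff888104eaf800, ffff888104eafc00)
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
REGION = re.compile(r"allocated (?P<len>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
CLAIM = re.compile(r"located (?P<dist>\d+) bytes to the (?P<side>left|right) of")
ORIG_RAX = re.compile(r"ORIG_RAX: (?P<nr>[0-9a-f]+)")
FRAME = re.compile(r"^(\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Partial x86-64 syscall table; assumption of this example, extend as needed.
SYSCALLS_X86_64 = {20: "writev"}
# Frames that belong to KASAN's reporting path, not to the bug itself.
REPORT_FRAMES = {"dump_stack_lvl", "print_report", "kasan_report"}


def parse_report(text):
    """Return the triage fields as a dict; raise ValueError if a required field is absent."""
    info = {"frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if (m := BUG.search(line)):
            info["kind"], info["func"] = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            info["op"], info["size"] = m["op"], int(m["size"])
            info["addr"], info["task"] = int(m["addr"], 16), m["task"]
        elif line == "Call Trace:":
            in_trace = True
        elif line.startswith("RIP:"):
            in_trace = False  # user-space register dump follows; the trace is over
        elif in_trace and (m := FRAME.match(line)):
            if not m.group(1):  # '? ' frames are stale stack leftovers; skip them
                info["frames"].append(m["sym"])
        elif (m := REGION.search(line)):
            info["obj_start"], info["obj_end"] = int(m["start"], 16), int(m["end"], 16)
            info["obj_len"] = int(m["len"])
        elif (m := CLAIM.search(line)):
            info["claim_dist"], info["claim_side"] = int(m["dist"]), m["side"]
        elif (m := ORIG_RAX.search(line)):
            nr = int(m["nr"], 16)
            info["syscall"] = SYSCALLS_X86_64.get(nr, f"nr {nr}")
    for key in ("kind", "addr", "obj_start", "obj_end", "claim_dist"):
        if key not in info:
            raise ValueError(f"report is missing {key}")
    return info


def check_arithmetic(info):
    """Recompute the 'N bytes to the left/right of' claim from the raw addresses."""
    addr, start, end = info["addr"], info["obj_start"], info["obj_end"]
    if addr >= end:
        dist, side = addr - end, "right"
    elif addr < start:
        dist, side = start - addr, "left"
    else:
        dist, side = addr - start, "inside"
    return dist, side, (dist, side) == (info["claim_dist"], info["claim_side"])


def triage(text):
    """Parse, verify, and name the faulting function and the frame that called it."""
    info = parse_report(text)
    info["computed_dist"], info["computed_side"], info["arith_consistent"] = check_arithmetic(info)
    bug_frames = [f for f in info["frames"] if f not in REPORT_FRAMES]
    info["bug_frame"] = bug_frames[0] if bug_frames else None
    info["caller"] = bug_frames[1] if len(bug_frames) > 1 else None
    return info


if __name__ == "__main__":
    t = triage(REPORT)
    print(f"{t['kind']}: {t['op']} of {t['size']} bytes in {t['bug_frame']} (called from {t['caller']})")
    print(f"access at {t['addr']:#x} is {t['computed_dist']} bytes {t['computed_side']} of "
          f"[{t['obj_start']:#x}, {t['obj_end']:#x}); report arithmetic consistent: {t['arith_consistent']}")
    print(f"entered via syscall {t['syscall']} by task {t['task']}")
```

Run it against a full console log rather than the excerpt and the same fields come out, since the prefix stripper ignores the timestamps and the frame filter drops the `? ` entries; a mismatch between the computed and claimed distance is the first sign that the report was edited or mis-pasted.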