./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3811477932
<...>
DUID 00:04:b0:7e:30:9f:4d:11:81:da:bf:2d:3d:77:4c:17:c1:ba
forked to background, child pid 4878
[ 35.487019][ T4879] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.505472][ T4879] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts.
execve("./syz-executor3811477932", ["./syz-executor3811477932"], 0x7fff0642ba50 /* 10 vars */) = 0
brk(NULL) = 0x55555600c000
brk(0x55555600cc40) = 0x55555600cc40
arch_prctl(ARCH_SET_FS, 0x55555600c300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3811477932", 4096) = 28
brk(0x55555602dc40) = 0x55555602dc40
brk(0x55555602e000) = 0x55555602e000
mprotect(0x7f8dcb846000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5305
./strace-static-x86_64: Process 5305 attached
[pid 5305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5305] setpgid(0, 0) = 0
[pid 5305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5305] write(3, "1000", 4) = 4
[pid 5305] close(3) = 0
[pid 5305] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5305] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5305] exit_group(0) = ?
[pid 5305] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5305, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5307
./strace-static-x86_64: Process 5307 attached
[pid 5307] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5307] setpgid(0, 0) = 0
[pid 5307] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5307] write(3, "1000", 4) = 4
[pid 5307] close(3) = 0
[pid 5307] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5307] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5307] exit_group(0) = ?
[pid 5307] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5307, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5309
./strace-static-x86_64: Process 5309 attached
[pid 5309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5309] setpgid(0, 0) = 0
[pid 5309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5309] write(3, "1000", 4) = 4
[pid 5309] close(3) = 0
[pid 5309] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5309] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5309] exit_group(0) = ?
[pid 5309] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5309, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5311
./strace-static-x86_64: Process 5311 attached
[pid 5311] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5311] setpgid(0, 0) = 0
[pid 5311] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5311] write(3, "1000", 4) = 4
[pid 5311] close(3) = 0
[pid 5311] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5311] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5311] exit_group(0) = ?
[pid 5311] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5311, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5313
./strace-static-x86_64: Process 5313 attached
[pid 5313] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5313] setpgid(0, 0) = 0
[pid 5313] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5313] write(3, "1000", 4) = 4
[pid 5313] close(3) = 0
[pid 5313] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5313] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5313] exit_group(0) = ?
[pid 5313] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5313, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5315
./strace-static-x86_64: Process 5315 attached
[pid 5315] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5315] setpgid(0, 0) = 0
[pid 5315] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5315] write(3, "1000", 4) = 4
[pid 5315] close(3) = 0
[pid 5315] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5315] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5315] exit_group(0) = ?
[pid 5315] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5315, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5317 attached
, child_tidptr=0x55555600c5d0) = 5317
[pid 5317] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5317] setpgid(0, 0) = 0
[pid 5317] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5317] write(3, "1000", 4) = 4
[pid 5317] close(3) = 0
[pid 5317] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5317] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5317] exit_group(0) = ?
[pid 5317] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5317, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5319 attached
, child_tidptr=0x55555600c5d0) = 5319
[pid 5319] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5319] setpgid(0, 0) = 0
[pid 5319] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5319] write(3, "1000", 4) = 4
[pid 5319] close(3) = 0
[pid 5319] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5319] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = 0
[pid 5319] exit_group(0) = ?
[pid 5319] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5319, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5321 attached
<unfinished ...>
[pid 5321] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5321] setpgid(0, 0) = 0
[pid 5321] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC <unfinished ...>
[pid 5304] <... clone resumed>, child_tidptr=0x55555600c5d0) = 5321
[pid 5321] <... openat resumed>) = 3
[pid 5321] write(3, "1000", 4) = 4
[pid 5321] close(3) = 0
[pid 5321] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5321] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid 5321] exit_group(0) = ?
[pid 5321] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5321, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5322
./strace-static-x86_64: Process 5322 attached
[pid 5322] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5322] setpgid(0, 0) = 0
[pid 5322] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5322] write(3, "1000", 4) = 4
[pid 5322] close(3) = 0
[pid 5322] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5322] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid 5322] exit_group(0) = ?
[pid 5322] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5322, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5323
./strace-static-x86_64: Process 5323 attached
[pid 5323] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5323] setpgid(0, 0) = 0
[pid 5323] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5323] write(3, "1000", 4) = 4
[pid 5323] close(3) = 0
[pid 5323] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5323] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid 5323] exit_group(0) = ?
[pid 5323] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5323, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5324
./strace-static-x86_64: Process 5324 attached
[pid 5324] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5324] setpgid(0, 0) = 0
[pid 5324] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5324] write(3, "1000", 4) = 4
[pid 5324] close(3) = 0
[pid 5324] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5324] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid 5324] exit_group(0) = ?
[pid 5324] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5324, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555600c5d0) = 5325
./strace-static-x86_64: Process 5325 attached
[pid 5325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5325] setpgid(0, 0) = 0
[pid 5325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5325] write(3, "1000", 4) = 4
[pid 5325] close(3) = 0
[pid 5325] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5325] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid 5325] exit_group(0) = ?
[pid 5325] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5325, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5326 attached
<unfinished ...>
[pid 5326] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5326] setpgid(0, 0) = 0
[pid 5326] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5326] write(3, "1000", 4) = 4
[pid 5326] close(3) = 0
[pid 5326] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
[pid 5326] bind(3, {sa_family=AF_RXRPC, srx_service=0 /* ???_SERVICE */, transport_type=SOCK_DGRAM, transport_len=28, transport={sin6={sin6_family=AF_INET6, sin6_port=htons(20004), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}}}, 36) = -1 EADDRINUSE (Address already in use)
[pid 5326] exit_group(0) = ?
[pid 5304] <... clone resumed>, child_tidptr=0x55555600c5d0) = 5326
[pid 5326] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5326, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5327 attached
, child_tidptr=0x55555600c5d0) = 5327
[pid 5327] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5327] setpgid(0, 0) = 0
[pid 5327] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5327] write(3, "1000", 4) = 4
[pid 5327] close(3) = 0
[pid 5327] socket(AF_RXRPC, SOCK_DGRAM, AF_INET6) = 3
syzkaller login: [ 61.080164][ T5327] ==================================================================
[ 61.088267][ T5327] BUG: KASAN: use-after-free in rxrpc_lookup_local+0xdcf/0xfb0
[ 61.095836][ T5327] Read of size 2 at addr ffff88807e64ca1c by task syz-executor381/5327
[ 61.104601][ T5327]
[ 61.106927][ T5327] CPU: 0 PID: 5327 Comm: syz-executor381 Not tainted 6.1.0-syzkaller-07447-gaba5b397cad7 #0
[ 61.117000][ T5327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 61.127072][ T5327] Call Trace:
[ 61.130483][ T5327] <TASK>
[ 61.134459][ T5327] dump_stack_lvl+0xd1/0x138
[ 61.139077][ T5327] print_report+0x15e/0x45d
[ 61.143609][ T5327] ? __phys_addr+0xc8/0x140
[ 61.148131][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0
[ 61.153351][ T5327] kasan_report+0xbf/0x1f0
[ 61.157798][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0
[ 61.163552][ T5327] rxrpc_lookup_local+0xdcf/0xfb0
[ 61.168772][ T5327] rxrpc_bind+0x35e/0x5c0
[ 61.173115][ T5327] __sys_bind+0x1ed/0x260
[ 61.177449][ T5327] ? __ia32_sys_socketpair+0x100/0x100
[ 61.182989][ T5327] ? _raw_spin_unlock_irq+0x23/0x50
[ 61.188216][ T5327] ? lockdep_hardirqs_on+0x7d/0x100
[ 61.193437][ T5327] ? _raw_spin_unlock_irq+0x2e/0x50
[ 61.198640][ T5327] __x64_sys_bind+0x73/0xb0
[ 61.203232][ T5327] do_syscall_64+0x39/0xb0
[ 61.207647][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.213561][ T5327] RIP: 0033:0x7f8dcb7d9d59
[ 61.217976][ T5327] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 61.237605][ T5327] RSP: 002b:00007ffe3812f4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[ 61.246585][ T5327] RAX: ffffffffffffffda RBX: 000000000000ee5b RCX: 00007f8dcb7d9d59
[ 61.254704][ T5327] RDX: 0000000000000024 RSI: 0000000020000080 RDI: 0000000000000003
[ 61.262769][ T5327] RBP: 0000000000000000 R08: 00007ffe3812f688 R09: 00007ffe3812f688
[ 61.270929][ T5327] R10: 00007ffe3812ef60 R11: 0000000000000246 R12: 00007ffe3812f4fc
[ 61.278926][ T5327] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 61.286911][ T5327] </TASK>
[ 61.289942][ T5327]
[ 61.292262][ T5327] Allocated by task 5319:
[ 61.296575][ T5327] kasan_save_stack+0x22/0x40
[ 61.301279][ T5327] kasan_set_track+0x25/0x30
[ 61.305930][ T5327] __kasan_kmalloc+0xa5/0xb0
[ 61.310633][ T5327] rxrpc_lookup_local+0x4d9/0xfb0
[ 61.315772][ T5327] rxrpc_bind+0x35e/0x5c0
[ 61.320147][ T5327] __sys_bind+0x1ed/0x260
[ 61.325037][ T5327] __x64_sys_bind+0x73/0xb0
[ 61.329581][ T5327] do_syscall_64+0x39/0xb0
[ 61.334030][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.340001][ T5327]
[ 61.342330][ T5327] Freed by task 0:
[ 61.346236][ T5327] kasan_save_stack+0x22/0x40
[ 61.350941][ T5327] kasan_set_track+0x25/0x30
[ 61.355540][ T5327] kasan_save_free_info+0x2e/0x40
[ 61.360569][ T5327] ____kasan_slab_free+0x160/0x1c0
[ 61.365694][ T5327] slab_free_freelist_hook+0x8b/0x1c0
[ 61.371067][ T5327] __kmem_cache_free+0xaf/0x3b0
[ 61.375929][ T5327] rcu_core+0x81f/0x1980
[ 61.380183][ T5327] __do_softirq+0x1fb/0xadc
[ 61.384684][ T5327]
[ 61.387011][ T5327] Last potentially related work creation:
[ 61.392748][ T5327] kasan_save_stack+0x22/0x40
[ 61.397775][ T5327] __kasan_record_aux_stack+0xbc/0xd0
[ 61.403170][ T5327] __call_rcu_common.constprop.0+0x99/0x820
[ 61.409076][ T5327] rxrpc_put_local.part.0+0x128/0x170
[ 61.414472][ T5327] rxrpc_put_local+0x25/0x30
[ 61.419176][ T5327] rxrpc_release+0x237/0x550
[ 61.424315][ T5327] __sock_release+0xcd/0x280
[ 61.428924][ T5327] sock_close+0x1c/0x20
[ 61.433086][ T5327] __fput+0x27c/0xa90
[ 61.437082][ T5327] task_work_run+0x16f/0x270
[ 61.441709][ T5327] do_exit+0xb3d/0x2a30
[ 61.445874][ T5327] do_group_exit+0xd4/0x2a0
[ 61.450742][ T5327] __x64_sys_exit_group+0x3e/0x50
[ 61.455790][ T5327] do_syscall_64+0x39/0xb0
[ 61.460252][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.466201][ T5327]
[ 61.468551][ T5327] The buggy address belongs to the object at ffff88807e64c800
[ 61.468551][ T5327] which belongs to the cache kmalloc-1k of size 1024
[ 61.482607][ T5327] The buggy address is located 540 bytes inside of
[ 61.482607][ T5327] 1024-byte region [ffff88807e64c800, ffff88807e64cc00)
[ 61.496078][ T5327]
[ 61.498404][ T5327] The buggy address belongs to the physical page:
[ 61.504912][ T5327] page:ffffea0001f99200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e648
[ 61.515149][ T5327] head:ffffea0001f99200 order:3 compound_mapcount:0 compound_pincount:0
[ 61.523479][ T5327] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 61.531462][ T5327] raw: 00fff00000010200 ffff888012441dc0 dead000000000122 0000000000000000
[ 61.540040][ T5327] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 61.549042][ T5327] page dumped because: kasan: bad access detected
[ 61.555453][ T5327] page_owner tracks the page as allocated
[ 61.561157][ T5327] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5299, tgid 5299 (sshd), ts 60992979100, free_ts 55300183714
[ 61.582429][ T5327] get_page_from_freelist+0x10b5/0x2d50
[ 61.587987][ T5327] __alloc_pages+0x1cb/0x5b0
[ 61.592606][ T5327] alloc_pages+0x1aa/0x270
[ 61.597038][ T5327] allocate_slab+0x25f/0x350
[ 61.601636][ T5327] ___slab_alloc+0xa91/0x1400
[ 61.606405][ T5327] __slab_alloc.constprop.0+0x56/0xa0
[ 61.611794][ T5327] __kmem_cache_alloc_node+0x1a4/0x430
[ 61.617431][ T5327] __kmalloc_node_track_caller+0x4b/0xc0
[ 61.623340][ T5327] __alloc_skb+0xe9/0x310
[ 61.627716][ T5327] tcp_stream_alloc_skb+0x3c/0x580
[ 61.632849][ T5327] tcp_sendmsg_locked+0xc4c/0x2960
[ 61.638077][ T5327] tcp_sendmsg+0x2f/0x50
[ 61.642415][ T5327] inet_sendmsg+0x9d/0xe0
[ 61.646777][ T5327] sock_sendmsg+0xd3/0x120
[ 61.651184][ T5327] sock_write_iter+0x295/0x3d0
[ 61.656117][ T5327] vfs_write+0x9ed/0xdd0
[ 61.660522][ T5327] page last free stack trace:
[ 61.665201][ T5327] free_pcp_prepare+0x65c/0xd90
[ 61.671024][ T5327] free_unref_page+0x1d/0x4d0
[ 61.675815][ T5327] __folio_put+0x109/0x140
[ 61.680310][ T5327] skb_release_data+0x522/0x870
[ 61.685159][ T5327] napi_consume_skb+0x14e/0x290
[ 61.690213][ T5327] net_rx_action+0x346/0xde0
[ 61.694904][ T5327] __do_softirq+0x1fb/0xadc
[ 61.699417][ T5327]
[ 61.701822][ T5327] Memory state around the buggy address:
[ 61.707624][ T5327] ffff88807e64c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.716284][ T5327] ffff88807e64c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.724504][ T5327] >ffff88807e64ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.732652][ T5327] ^
[ 61.737603][ T5327] ffff88807e64ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.745756][ T5327] ffff88807e64cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.754612][ T5327] ==================================================================
[ 61.764617][ T5327] Kernel panic - not syncing: panic_on_warn set ...
[ 61.771606][ T5327] CPU: 1 PID: 5327 Comm: syz-executor381 Not tainted 6.1.0-syzkaller-07447-gaba5b397cad7 #0
[ 61.782663][ T5327] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 61.793194][ T5327] Call Trace:
[ 61.796727][ T5327] <TASK>
[ 61.799665][ T5327] dump_stack_lvl+0xd1/0x138
[ 61.805316][ T5327] panic+0x2cc/0x626
[ 61.809205][ T5327] ? panic_print_sys_info.part.0+0x110/0x110
[ 61.815266][ T5327] ? preempt_schedule_common+0x59/0xc0
[ 61.820760][ T5327] ? preempt_schedule_thunk+0x1a/0x1c
[ 61.826132][ T5327] end_report.part.0+0x3f/0x7c
[ 61.830888][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0
[ 61.836965][ T5327] kasan_report.cold+0xa/0xf
[ 61.841567][ T5327] ? rxrpc_lookup_local+0xdcf/0xfb0
[ 61.846850][ T5327] rxrpc_lookup_local+0xdcf/0xfb0
[ 61.851871][ T5327] rxrpc_bind+0x35e/0x5c0
[ 61.856442][ T5327] __sys_bind+0x1ed/0x260
[ 61.860763][ T5327] ? __ia32_sys_socketpair+0x100/0x100
[ 61.866330][ T5327] ? _raw_spin_unlock_irq+0x23/0x50
[ 61.871800][ T5327] ? lockdep_hardirqs_on+0x7d/0x100
[ 61.877022][ T5327] ? _raw_spin_unlock_irq+0x2e/0x50
[ 61.882310][ T5327] __x64_sys_bind+0x73/0xb0
[ 61.886832][ T5327] do_syscall_64+0x39/0xb0
[ 61.891337][ T5327] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.897515][ T5327] RIP: 0033:0x7f8dcb7d9d59
[ 61.902036][ T5327] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 61.921995][ T5327] RSP: 002b:00007ffe3812f4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[ 61.930412][ T5327] RAX: ffffffffffffffda RBX: 000000000000ee5b RCX: 00007f8dcb7d9d59
[ 61.938553][ T5327] RDX: 0000000000000024 RSI: 0000000020000080 RDI: 0000000000000003
[ 61.946697][ T5327] RBP: 0000000000000000 R08: 00007ffe3812f688 R09: 00007ffe3812f688
[ 61.955099][ T5327] R10: 00007ffe3812ef60 R11: 0000000000000246 R12: 00007ffe3812f4fc
[ 61.963090][ T5327] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 61.971065][ T5327] </TASK>
[ 61.974239][ T5327] Kernel Offset: disabled
[ 61.978862][ T5327] Rebooting in 86400 seconds..