Hello,
syzbot tried to test the proposed patch but the build/boot failed:
=============================
[ 23.523881][ T105] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 23.531690][ T105] member access within address 000000007d1c1fb7 with insufficient space
[ 23.540107][ T105] for an object of type 'struct sk_buff'
[ 23.545725][ T105] CPU: 0 PID: 105 Comm: kworker/0:2 Not tainted 5.10.0-syzkaller #0
[ 23.553761][ T105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 23.563797][ T105] Workqueue: ipv6_addrconf addrconf_dad_work
[ 23.569747][ T105] Call Trace:
[ 23.573019][ T105] dump_stack+0x19c/0x1e2
[ 23.577323][ T105] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 23.583014][ T105] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 23.588979][ T105] wg_xmit+0x48f/0xa60
[ 23.593113][ T105] ? __sanitizer_cov_trace_switch+0x64/0x80
[ 23.599157][ T105] netdev_start_xmit+0x8a/0x160
[ 23.603981][ T105] dev_hard_start_xmit+0x18d/0x2f0
[ 23.609065][ T105] __dev_queue_xmit+0xf16/0x1920
[ 23.613992][ T105] ? __kasan_check_write+0x14/0x20
[ 23.619077][ T105] dev_queue_xmit+0x17/0x20
[ 23.623564][ T105] neigh_connected_output+0x288/0x2b0
[ 23.628935][ T105] ip6_finish_output2+0xc34/0x1020
[ 23.634107][ T105] ? ip6_mtu+0xf1/0x140
[ 23.638238][ T105] __ip6_finish_output+0x279/0x370
[ 23.643349][ T105] ip6_finish_output+0x20b/0x220
[ 23.648290][ T105] ? ip6_output+0x175/0x3f0
[ 23.652788][ T105] ip6_output+0x18c/0x3f0
[ 23.657091][ T105] ? ip6_dst_idev+0x40/0x40
[ 23.661600][ T105] NF_HOOK+0x88/0x210
[ 23.665564][ T105] ? NF_HOOK+0x210/0x210
[ 23.669779][ T105] ndisc_send_skb+0x653/0x9f0
[ 23.674437][ T105] ndisc_send_rs+0x26c/0x360
[ 23.679001][ T105] addrconf_dad_completed+0x493/0x970
[ 23.684357][ T105] addrconf_dad_work+0x9d0/0x12d0
[ 23.689366][ T105] process_one_work+0x3d5/0x640
[ 23.694278][ T105] worker_thread+0x723/0xa60
[ 23.698847][ T105] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 23.704379][ T105] kthread+0x365/0x400
[ 23.708423][ T105] ? pr_cont_work+0x110/0x110
[ 23.713085][ T105] ? __list_add+0xc0/0xc0
[ 23.717391][ T105] ret_from_fork+0x1f/0x30
[ 23.721822][ T105] ================================================================================
[ 23.733016][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2022/11/04 06:14:17 building call list...
[ 23.741479][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.749838][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.757824][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.773325][ T373] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.847973][ T373] ==================================================================
[ 23.856242][ T373] BUG: KASAN: use-after-free in task_active_pid_ns+0x9a/0xa0
[ 23.863611][ T373] Read of size 4 at addr ffff88810015a184 by task syz-executor.0/373
[ 23.871674][ T373]
[ 23.874015][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
[ 23.882329][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 23.892408][ T373] Call Trace:
[ 23.895705][ T373] dump_stack+0x19c/0x1e2
[ 23.900135][ T373] print_address_description+0x7e/0x6a0
[ 23.905973][ T373] ? printk+0x76/0x96
[ 23.910038][ T373] kasan_report+0x16f/0x210
[ 23.914559][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 23.919590][ T373] ? task_active_pid_ns+0x9a/0xa0
[ 23.924603][ T373] __asan_report_load4_noabort+0x14/0x20
[ 23.930306][ T373] task_active_pid_ns+0x9a/0xa0
[ 23.935139][ T373] do_notify_parent+0x2c7/0xa70
[ 23.939975][ T373] ? __kasan_check_write+0x14/0x20
[ 23.945071][ T373] do_exit+0x1a52/0x2190
[ 23.949293][ T373] ? avc_has_perm_noaudit+0xc7/0x1b0
[ 23.954577][ T373] do_group_exit+0x13f/0x310
[ 23.959202][ T373] get_signal+0xbef/0x10c0
[ 23.963611][ T373] arch_do_signal+0x42/0x710
[ 23.968185][ T373] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 23.974613][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 23.979891][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 23.985422][ T373] do_syscall_64+0x40/0x70
[ 23.989823][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 23.995689][ T373] RIP: 0033:0x7fc85c3f1c4a
[ 24.000074][ T373] Code: Unable to access opcode bytes at RIP 0x7fc85c3f1c20.
[ 24.007417][ T373] RSP: 002b:00007ffd1da024d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[ 24.015807][ T373] RAX: 0000000000000000 RBX: 0000000000000029 RCX: 00007fc85c3f1c4a
[ 24.023762][ T373] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
[ 24.031712][ T373] RBP: 00007ffd1da02500 R08: 00000000000003b8 R09: ffffffffffff0000
[ 24.039662][ T373] R10: 00007fc85c4e5bc0 R11: 0000000000000206 R12: 00007ffd1da02560
[ 24.047622][ T373] R13: 0000000000000003 R14: 00007ffd1da024fc R15: 00007fc85c4e5b60
[ 24.055582][ T373]
[ 24.057887][ T373] Allocated by task 0:
[ 24.061935][ T373] __kasan_kmalloc+0x11a/0x150
[ 24.066680][ T373] kasan_slab_alloc+0xe/0x10
[ 24.071378][ T373] slab_post_alloc_hook+0x3f/0x70
[ 24.076465][ T373] kmem_cache_alloc+0x143/0x200
[ 24.081386][ T373] alloc_pid+0x9a/0xb00
[ 24.085521][ T373] copy_process+0xdc0/0x2110
[ 24.090097][ T373] kernel_clone+0x1df/0x690
[ 24.094581][ T373] kernel_thread+0x11b/0x160
[ 24.099162][ T373] rest_init+0x22/0xf0
[ 24.103296][ T373] arch_call_rest_init+0xe/0x10
[ 24.108251][ T373] start_kernel+0x47d/0x518
[ 24.112828][ T373] x86_64_start_reservations+0x2a/0x2c
[ 24.118274][ T373] x86_64_start_kernel+0x7a/0x7d
[ 24.123244][ T373] secondary_startup_64_no_verify+0xb0/0xbb
[ 24.129134][ T373]
[ 24.131529][ T373] Freed by task 371:
[ 24.135406][ T373] kasan_set_track+0x4c/0x80
[ 24.139976][ T373] kasan_set_free_info+0x1b/0x30
[ 24.144887][ T373] __kasan_slab_free+0x11c/0x150
[ 24.149797][ T373] kasan_slab_free+0xe/0x10
[ 24.154439][ T373] slab_free_freelist_hook+0x8b/0x160
[ 24.159786][ T373] kmem_cache_free+0x9a/0x1c0
[ 24.164441][ T373] put_pid+0xb3/0x120
[ 24.168399][ T373] proc_do_cad_pid+0x131/0x1d0
[ 24.173137][ T373] proc_sys_call_handler+0x48d/0x640
[ 24.179609][ T373] proc_sys_write+0x22/0x30
[ 24.184101][ T373] vfs_write+0x466/0x560
[ 24.188516][ T373] ksys_write+0x155/0x260
[ 24.192839][ T373] __x64_sys_write+0x7b/0x90
[ 24.197407][ T373] do_syscall_64+0x34/0x70
[ 24.201826][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.207799][ T373]
[ 24.210116][ T373] The buggy address belongs to the object at ffff88810015a180
[ 24.210116][ T373] which belongs to the cache pid of size 112
[ 24.223541][ T373] The buggy address is located 4 bytes inside of
[ 24.223541][ T373] 112-byte region [ffff88810015a180, ffff88810015a1f0)
[ 24.236706][ T373] The buggy address belongs to the page:
[ 24.242325][ T373] page:00000000f6e03c96 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10015a
[ 24.252629][ T373] flags: 0x8000000000000200(slab)
[ 24.257720][ T373] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100134c80
[ 24.266434][ T373] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 24.275189][ T373] page dumped because: kasan: bad access detected
[ 24.281659][ T373] page_owner tracks the page as allocated
[ 24.287356][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0()
[ 24.295760][ T373] register_early_stack+0x41/0x80
[ 24.300761][ T373] init_page_owner+0x32/0x4f0
[ 24.305454][ T373] invoke_init_callbacks+0x63/0x6d
[ 24.310715][ T373] page_ext_init+0x348/0x371
[ 24.315273][ T373] page_owner free stack trace missing
[ 24.320614][ T373]
[ 24.322914][ T373] Memory state around the buggy address:
[ 24.328520][ T373] ffff88810015a080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.336556][ T373] ffff88810015a100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.344592][ T373] >ffff88810015a180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 24.352644][ T373] ^
[ 24.356686][ T373] ffff88810015a200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 24.364894][ T373] ffff88810015a280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 24.373013][ T373] ==================================================================
[ 24.381044][ T373] Disabling lock debugging due to kernel taint
[ 24.387287][ T373] BUG: unable to handle page fault for address: ffffed122001c53f
[ 24.394976][ T373] #PF: supervisor read access in kernel mode
[ 24.400925][ T373] #PF: error_code(0x0000) - not-present page
[ 24.406872][ T373] PGD 23fff2067 P4D 23fff2067 PUD 0
[ 24.412232][ T373] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 24.417407][ T373] CPU: 0 PID: 373 Comm: syz-executor.0 Tainted: G B 5.10.0-syzkaller #0
[ 24.427024][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 24.437095][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 24.442788][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 24.462544][ T373] RSP: 0018:ffffc9000033fb40 EFLAGS: 00010806
[ 24.468596][ T373] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 24.476556][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.484684][ T373] RBP: ffffc9000033fb50 R08: ffff8881191e2dc0 R09: fffffbfff0bc26f9
[ 24.492658][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 24.500704][ T373] R13: ffff8881191e2dc0 R14: dffffc0000000000 R15: ffff8881191e32e0
[ 24.508655][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.518425][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.525172][ T373] CR2: ffffed122001c53f CR3: 0000000119127000 CR4: 00000000003506b0
[ 24.533212][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.541379][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.549865][ T373] Call Trace:
[ 24.553146][ T373] do_notify_parent+0x2c7/0xa70
[ 24.557975][ T373] ? __kasan_check_write+0x14/0x20
[ 24.563070][ T373] do_exit+0x1a52/0x2190
[ 24.567289][ T373] ? avc_has_perm_noaudit+0xc7/0x1b0
[ 24.572727][ T373] do_group_exit+0x13f/0x310
[ 24.577300][ T373] get_signal+0xbef/0x10c0
[ 24.581875][ T373] arch_do_signal+0x42/0x710
[ 24.586441][ T373] ? __sanitizer_cov_trace_const_cmp4+0x19/0x20
[ 24.592658][ T373] exit_to_user_mode_loop+0xa3/0xe0
[ 24.598004][ T373] syscall_exit_to_user_mode+0x77/0xa0
[ 24.603437][ T373] do_syscall_64+0x40/0x70
[ 24.607832][ T373] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.613698][ T373] RIP: 0033:0x7fc85c3f1c4a
[ 24.618260][ T373] Code: Unable to access opcode bytes at RIP 0x7fc85c3f1c20.
[ 24.625784][ T373] RSP: 002b:00007ffd1da024d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[ 24.634447][ T373] RAX: 0000000000000000 RBX: 0000000000000029 RCX: 00007fc85c3f1c4a
[ 24.642392][ T373] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
[ 24.650342][ T373] RBP: 00007ffd1da02500 R08: 00000000000003b8 R09: ffffffffffff0000
[ 24.658304][ T373] R10: 00007fc85c4e5bc0 R11: 0000000000000206 R12: 00007ffd1da02560
[ 24.666283][ T373] R13: 0000000000000003 R14: 00007ffd1da024fc R15: 00007fc85c4e5b60
[ 24.674228][ T373] Modules linked in:
[ 24.678101][ T373] CR2: ffffed122001c53f
[ 24.682235][ T373] ---[ end trace a2a7ae788bd15594 ]---
[ 24.687675][ T373] RIP: 0010:task_active_pid_ns+0x69/0xa0
[ 24.693315][ T373] Code: 5d 56 1d 00 48 8d 7b 04 48 89 f8 48 c1 e8 03 42 8a 04 30 84 c0 75 33 8b 43 04 48 c1 e0 04 48 8d 5c 03 68 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 28 a7 4c 00 48 8b 03 eb 07 e8 1e
[ 24.713088][ T373] RSP: 0018:ffffc9000033fb40 EFLAGS: 00010806
[ 24.719129][ T373] RAX: 1ffff1122001c53f RBX: ffff8891000e29f8 RCX: 0000000000000002
[ 24.727075][ T373] RDX: 0000000000000000 RSI: 0000000000000086 RDI: 0000000000000001
[ 24.735022][ T373] RBP: ffffc9000033fb50 R08: ffff8881191e2dc0 R09: fffffbfff0bc26f9
[ 24.743055][ T373] R10: fffffbfff0bc26f9 R11: 1ffffffff0bc26f8 R12: dffffc0000000000
[ 24.751004][ T373] R13: ffff8881191e2dc0 R14: dffffc0000000000 R15: ffff8881191e32e0
[ 24.758962][ T373] FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 24.767866][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.774692][ T373] CR2: ffffed122001c53f CR3: 0000000119127000 CR4: 00000000003506b0
[ 24.782648][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.790600][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.798727][ T373] Kernel panic - not syncing: Fatal exception
[ 25.898607][ T373] Shutting down cpus with NMI
[ 25.903668][ T373] Kernel Offset: disabled
[ 25.908131][ T373] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1775073316=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at c0b80a55c
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33:     https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=114650fa880000
Tested on:

commit:         2c85ebc5 Linux 5.10
git tree:       https://android.googlesource.com/kernel/common
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0a5cf5454641b9e
dashboard link: https://syzkaller.appspot.com/bug?extid=e00d1302e217068ee641
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.