Warning: Permanently added '10.128.1.163' (ED25519) to the list of known hosts.
2025/03/01 05:24:07 ignoring optional flag "sandboxArg"="0"
2025/03/01 05:24:08 parsed 1 programs
[ 22.514510][ T23] audit: type=1400 audit(1740806648.250:66): avc: denied { node_bind } for pid=348 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 23.085071][ T23] audit: type=1400 audit(1740806648.820:67): avc: denied { mounton } for pid=358 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 23.086633][ T358] cgroup1: Unknown subsys name 'net'
[ 23.107643][ T23] audit: type=1400 audit(1740806648.820:68): avc: denied { mount } for pid=358 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.113030][ T358] cgroup1: Unknown subsys name 'net_prio'
[ 23.140315][ T358] cgroup1: Unknown subsys name 'devices'
[ 23.146628][ T23] audit: type=1400 audit(1740806648.880:69): avc: denied { unmount } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.315673][ T358] cgroup1: Unknown subsys name 'hugetlb'
[ 23.321852][ T358] cgroup1: Unknown subsys name 'rlimit'
[ 23.328804][ T23] audit: type=1400 audit(1740806649.070:70): avc: denied { read } for pid=145 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 23.552449][ T23] audit: type=1400 audit(1740806649.280:71): avc: denied { setattr } for pid=358 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10810 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 23.576485][ T23] audit: type=1400 audit(1740806649.290:72): avc: denied { create } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.582462][ T362] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 23.597011][ T23] audit: type=1400 audit(1740806649.290:73): avc: denied { write } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.626973][ T23] audit: type=1400 audit(1740806649.290:74): avc: denied { read } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.647750][ T23] audit: type=1400 audit(1740806649.290:75): avc: denied { module_request } for pid=358 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 23.690480][ T358] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 24.075360][ T367] request_module fs-gadgetfs succeeded, but still no fs?
[ 24.154485][ T367] syz-executor (367) used greatest stack depth: 19992 bytes left
[ 24.649011][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.655995][ T410] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.663408][ T410] device bridge_slave_0 entered promiscuous mode
[ 24.670137][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.676998][ T410] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.684178][ T410] device bridge_slave_1 entered promiscuous mode
[ 24.727182][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.734064][ T410] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.741456][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.748393][ T410] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.769522][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 24.777099][ T409] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.785120][ T409] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.794344][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 24.802675][ T409] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.809494][ T409] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.818492][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 24.826579][ T409] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.833439][ T409] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.846802][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 24.856213][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 24.873209][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 24.884518][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 24.898218][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.910996][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.921167][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.955397][ T410] syz-executor (410) used greatest stack depth: 19640 bytes left
2025/03/01 05:24:10 executed programs: 0
[ 25.275770][ T426] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.282670][ T426] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.289828][ T426] device bridge_slave_0 entered promiscuous mode
[ 25.296983][ T426] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.303860][ T426] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.311724][ T426] device bridge_slave_1 entered promiscuous mode
[ 25.359912][ T426] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.367401][ T426] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.375087][ T426] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.382082][ T426] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.407417][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.415361][ T409] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.423065][ T409] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.432943][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.441043][ T409] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.447928][ T409] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.456960][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.465380][ T409] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.472228][ T409] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.488951][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.502803][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 25.524127][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 25.543597][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 25.555754][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 25.573159][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 25.581694][ T409] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 26.462818][ T180] device bridge_slave_1 left promiscuous mode
[ 26.469307][ T180] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.476669][ T180] device bridge_slave_0 left promiscuous mode
[ 26.482659][ T180] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.672589][ T465] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.679678][ T465] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.687115][ T465] device bridge_slave_0 entered promiscuous mode
[ 40.694605][ T465] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.701810][ T465] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.709468][ T465] device bridge_slave_1 entered promiscuous mode
[ 40.753051][ T465] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.760098][ T465] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.767414][ T465] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.774435][ T465] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.798625][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.806488][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.814246][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.821527][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.831311][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.839614][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.846477][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.855871][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.864188][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.871340][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.885257][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.894752][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.912104][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.925610][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.939110][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.953646][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/03/01 05:24:26 executed programs: 3
[ 40.964117][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 40.988137][ T465] ==================================================================
[ 40.996162][ T465] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 41.003172][ T465] Read of size 4 at addr ffff8881ea5e0038 by task syz-executor/465
[ 41.010911][ T465]
[ 41.013074][ T465] CPU: 1 PID: 465 Comm: syz-executor Not tainted 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
[ 41.022902][ T465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 41.033006][ T465] Call Trace:
[ 41.036115][ T465]  dump_stack+0x1d8/0x241
[ 41.040284][ T465]  ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 41.045923][ T465]  ? printk+0xd1/0x111
[ 41.049908][ T465]  ? __mutex_lock+0xcd7/0x1060
[ 41.054511][ T465]  print_address_description+0x8c/0x600
[ 41.059906][ T465]  ? check_preemption_disabled+0x9f/0x320
[ 41.065465][ T465]  ? __unwind_start+0x708/0x890
[ 41.070150][ T465]  ? __mutex_lock+0xcd7/0x1060
[ 41.074740][ T465]  __kasan_report+0xf3/0x120
[ 41.079168][ T465]  ? __mutex_lock+0xcd7/0x1060
[ 41.083774][ T465]  kasan_report+0x30/0x60
[ 41.088044][ T465]  __mutex_lock+0xcd7/0x1060
[ 41.092471][ T465]  ? kobject_get_unless_zero+0x229/0x320
[ 41.097938][ T465]  ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 41.104529][ T465]  ? __module_put_and_exit+0x20/0x20
[ 41.109647][ T465]  ? up_read+0x6f/0x1b0
[ 41.113640][ T465]  mutex_lock_killable+0xd8/0x110
[ 41.118609][ T465]  ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 41.124948][ T465]  ? mutex_lock+0xa5/0x110
[ 41.129195][ T465]  ? mutex_trylock+0xa0/0xa0
[ 41.133722][ T465]  lo_open+0x18/0xc0
[ 41.137465][ T465]  __blkdev_get+0x3c8/0x1160
[ 41.141888][ T465]  ? blkdev_get+0x3a0/0x3a0
[ 41.146215][ T465]  ? _raw_spin_unlock+0x49/0x60
[ 41.151295][ T465]  blkdev_get+0x2de/0x3a0
[ 41.155419][ T465]  ? blkdev_open+0x173/0x290
[ 41.159943][ T465]  ? block_ioctl+0xe0/0xe0
[ 41.164307][ T465]  do_dentry_open+0x964/0x1130
[ 41.169045][ T465]  ? finish_open+0xd0/0xd0
[ 41.173478][ T465]  ? security_inode_permission+0xad/0xf0
[ 41.179111][ T465]  ? memcpy+0x38/0x50
[ 41.182934][ T465]  path_openat+0x29bf/0x34b0
[ 41.187451][ T465]  ? stack_trace_save+0x118/0x1c0
[ 41.192228][ T465]  ? do_filp_open+0x450/0x450
[ 41.196730][ T465]  ? do_sys_open+0x357/0x810
[ 41.201156][ T465]  ? do_syscall_64+0xca/0x1c0
[ 41.205676][ T465]  ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.211575][ T465]  do_filp_open+0x20b/0x450
[ 41.215916][ T465]  ? vfs_tmpfile+0x2c0/0x2c0
[ 41.220432][ T465]  ? _raw_spin_unlock+0x49/0x60
[ 41.225130][ T465]  ? __alloc_fd+0x4c5/0x570
[ 41.229719][ T465]  do_sys_open+0x39c/0x810
[ 41.234163][ T465]  ? check_preemption_disabled+0x153/0x320
[ 41.240066][ T465]  ? file_open_root+0x490/0x490
[ 41.245037][ T465]  do_syscall_64+0xca/0x1c0
[ 41.249550][ T465]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.255392][ T465] RIP: 0033:0x7fd98abdca51
[ 41.259711][ T465] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 41.279771][ T465] RSP: 002b:00007ffeccc65120 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 41.288143][ T465] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd98abdca51
[ 41.295938][ T465] RDX: 0000000000000002 RSI: 00007ffeccc65230 RDI: 00000000ffffff9c
[ 41.303836][ T465] RBP: 00007ffeccc65230 R08: 000000000000000a R09: 00007ffeccc64ee7
[ 41.311731][ T465] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 41.319570][ T465] R13: 00007fd98adc7260 R14: 0000000000000003 R15: 00007ffeccc65230
[ 41.327354][ T465]
[ 41.329525][ T465] Allocated by task 445:
[ 41.333610][ T465]  __kasan_kmalloc+0x171/0x210
[ 41.338206][ T465]  kmem_cache_alloc+0xd9/0x250
[ 41.342902][ T465]  dup_task_struct+0x4f/0x600
[ 41.347409][ T465]  copy_process+0x56d/0x3230
[ 41.351843][ T465]  _do_fork+0x197/0x900
[ 41.355853][ T465]  __x64_sys_clone3+0x2da/0x300
[ 41.360666][ T465]  do_syscall_64+0xca/0x1c0
[ 41.364994][ T465]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.370989][ T465]
[ 41.373162][ T465] Freed by task 17:
[ 41.376996][ T465]  __kasan_slab_free+0x1b5/0x270
[ 41.381765][ T465]  kmem_cache_free+0x10b/0x2c0
[ 41.386360][ T465]  rcu_do_batch+0x492/0xa00
[ 41.390699][ T465]  rcu_core+0x4c8/0xcb0
[ 41.394866][ T465]  __do_softirq+0x23b/0x6b7
[ 41.399196][ T465]
[ 41.401373][ T465] The buggy address belongs to the object at ffff8881ea5e0000
[ 41.401373][ T465]  which belongs to the cache task_struct of size 3904
[ 41.415348][ T465] The buggy address is located 56 bytes inside of
[ 41.415348][ T465]  3904-byte region [ffff8881ea5e0000, ffff8881ea5e0f40)
[ 41.428561][ T465] The buggy address belongs to the page:
[ 41.434112][ T465] page:ffffea0007a97800 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
[ 41.445072][ T465] flags: 0x8000000000010200(slab|head)
[ 41.450369][ T465] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
[ 41.458781][ T465] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 41.467207][ T465] page dumped because: kasan: bad access detected
[ 41.473457][ T465] page_owner tracks the page as allocated
[ 41.479185][ T465] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 41.495417][ T465]  prep_new_page+0x18f/0x370
[ 41.499837][ T465]  get_page_from_freelist+0x2d13/0x2d90
[ 41.505227][ T465]  __alloc_pages_nodemask+0x393/0x840
[ 41.510427][ T465]  alloc_slab_page+0x39/0x3c0
[ 41.515039][ T465]  new_slab+0x97/0x440
[ 41.518940][ T465]  ___slab_alloc+0x2fe/0x490
[ 41.523435][ T465]  __slab_alloc+0x62/0xa0
[ 41.527685][ T465]  kmem_cache_alloc+0x109/0x250
[ 41.532352][ T465]  dup_task_struct+0x4f/0x600
[ 41.537084][ T465]  copy_process+0x56d/0x3230
[ 41.541572][ T465]  _do_fork+0x197/0x900
[ 41.545567][ T465]  kernel_thread+0x16a/0x1d0
[ 41.549995][ T465]  kthreadd+0x3b1/0x4f0
[ 41.553983][ T465]  ret_from_fork+0x1f/0x30
[ 41.558666][ T465] page last free stack trace:
[ 41.563187][ T465]  __free_pages_ok+0x847/0x950
[ 41.567791][ T465]  __free_pages+0x91/0x140
[ 41.572224][ T465]  __free_slab+0x221/0x2e0
[ 41.576551][ T465]  unfreeze_partials+0x14e/0x180
[ 41.581681][ T465]  put_cpu_partial+0x44/0x180
[ 41.586202][ T465]  __slab_free+0x297/0x360
[ 41.590610][ T465]  qlist_free_all+0x43/0xb0
[ 41.595022][ T465]  quarantine_reduce+0x1d9/0x210
[ 41.599940][ T465]  __kasan_kmalloc+0x41/0x210
[ 41.604431][ T465]  kmem_cache_alloc+0xd9/0x250
[ 41.609046][ T465]  __alloc_skb+0x7a/0x4d0
[ 41.613207][ T465]  inet6_netconf_notify_devconf+0xc9/0x180
[ 41.618843][ T465]  addrconf_exit_net+0xd6/0x200
[ 41.623633][ T465]  cleanup_net+0x665/0xc90
[ 41.627932][ T465]  process_one_work+0x765/0xd20
[ 41.632570][ T465]  worker_thread+0xaef/0x1470
[ 41.637074][ T465]
[ 41.639330][ T465] Memory state around the buggy address:
[ 41.644915][ T465]  ffff8881ea5dff00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 41.652810][ T465]  ffff8881ea5dff80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 41.660734][ T465] >ffff8881ea5e0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.668902][ T465]                                         ^
[ 41.674591][ T465]  ffff8881ea5e0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.682489][ T465]  ffff8881ea5e0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.690386][ T465] ==================================================================
[ 41.698456][ T465] Disabling lock debugging due to kernel taint
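Everything before the `==========` banner is syzkaller environment noise (SELinux denials in permissive mode, cgroup and netdev setup); the report between the banners is the substance, and a triager's first job is to check that its own numbers agree before reading anything into it. The following Python 3.8+ script is an added example, not code from this log, from syzkaller or from the kernel: it strips the serial-console prefix, parses the report's header, stacks, object description and shadow rows, skips the `? ` frames (which the unwinder marks as unreliable guesses), recomputes the offset of the faulting address inside the object, and decodes the shadow byte under that address using the value table from mm/kasan/kasan.h of the 5.4 series. The embedded sample is constructed from the lines above with the register dump and most of the trace dropped; the `NOISE` prefix list used to find the first non-reporting frame is my own assumption.

```python
import re

# Constructed sample: lines copied from the report above (timestamps are the page's own), with the
# register dump and most of the trace dropped; console prefixes are kept so the stripping is exercised.
SAMPLE = """\
[ 40.996162][ T465] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 41.003172][ T465] Read of size 4 at addr ffff8881ea5e0038 by task syz-executor/465
[ 41.033006][ T465] Call Trace:
[ 41.036115][ T465]  dump_stack+0x1d8/0x241
[ 41.049908][ T465]  ? __mutex_lock+0xcd7/0x1060
[ 41.054511][ T465]  print_address_description+0x8c/0x600
[ 41.074740][ T465]  __kasan_report+0xf3/0x120
[ 41.083774][ T465]  kasan_report+0x30/0x60
[ 41.088044][ T465]  __mutex_lock+0xcd7/0x1060
[ 41.113640][ T465]  mutex_lock_killable+0xd8/0x110
[ 41.133722][ T465]  lo_open+0x18/0xc0
[ 41.229719][ T465]  do_sys_open+0x39c/0x810
[ 41.329525][ T465] Allocated by task 445:
[ 41.333610][ T465]  __kasan_kmalloc+0x171/0x210
[ 41.338206][ T465]  kmem_cache_alloc+0xd9/0x250
[ 41.342902][ T465]  dup_task_struct+0x4f/0x600
[ 41.373162][ T465] Freed by task 17:
[ 41.376996][ T465]  __kasan_slab_free+0x1b5/0x270
[ 41.381765][ T465]  kmem_cache_free+0x10b/0x2c0
[ 41.386360][ T465]  rcu_do_batch+0x492/0xa00
[ 41.401373][ T465] The buggy address belongs to the object at ffff8881ea5e0000
[ 41.401373][ T465]  which belongs to the cache task_struct of size 3904
[ 41.415348][ T465] The buggy address is located 56 bytes inside of
[ 41.415348][ T465]  3904-byte region [ffff8881ea5e0000, ffff8881ea5e0f40)
[ 41.639330][ T465] Memory state around the buggy address:
[ 41.660734][ T465] >ffff8881ea5e0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.674591][ T465]  ffff8881ea5e0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")                 # "[ 41.003172][ T465] "
FRAME = re.compile(r"\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # " func+0xoff/0xlen"; "? func" never matches
SHADOW_ROW = re.compile(r"[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Generic KASAN shadow values in the 5.4 series (mm/kasan/kasan.h); one shadow byte covers 8 bytes.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                  0xfe: "page redzone", 0xff: "freed page"}
# Assumed list: frame prefixes that belong to the reporting/allocator machinery, not to the bug site.
NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_", "kmem_cache_", "kmalloc", "kfree")


def parse_report(text):
    rep = {"call_trace": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    stack = None  # which stack list the frame lines currently belong to
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.rstrip())
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            rep["bug_type"], rep["pc_func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", line):
            rep.update(access=m[1].lower(), size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif line == "Call Trace:":
            stack = "call_trace"
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_task"], stack = int(m[1]), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_task"], stack = int(m[1]), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["obj_base"], stack = int(m[1], 16), None
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            rep["reported_offset"] = int(m[1])
        elif m := SHADOW_ROW.match(line):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif stack and (m := FRAME.match(line)):
            rep[stack].append(m[1])
    return rep


def first_real(frames):
    return next((f for f in frames if not f.startswith(NOISE)), None)


def triage(rep):
    """Recompute what the report asserts and reduce it to the facts that drive the next step."""
    offset = rep["addr"] - rep["obj_base"]
    row = rep["addr"] & ~0x7f  # each printed shadow row covers 128 bytes of memory
    shadow = rep["shadow"][row][(rep["addr"] - row) // 8]
    fault = first_real(rep["call_trace"])
    return {
        "offset": offset,
        "offset_matches_report": offset == rep["reported_offset"],
        "inside_object": 0 <= offset < rep["obj_size"],
        "shadow_byte": shadow,
        "shadow_meaning": SHADOW_MEANING.get(shadow, "unknown"),
        "fault_frame_matches_header": fault == rep["pc_func"],
        "path": rep["call_trace"][rep["call_trace"].index(fault):],  # from the fault outwards
        "alloc_origin": first_real(rep["alloc_stack"]),
        "free_origin": first_real(rep["free_stack"]),
        "freed_from_rcu_callback": "rcu_do_batch" in rep["free_stack"],
    }


def summary(text):
    rep = parse_report(text)
    t = triage(rep)
    rcu = ", RCU callback" if t["freed_from_rcu_callback"] else ""
    return (f"{rep['bug_type']} {rep['access']}({rep['size']}) of {rep['cache']}+{t['offset']} "
            f"[{t['shadow_meaning']}] in {' <- '.join(t['path'][:3])}; allocated by "
            f"{t['alloc_origin']} (task {rep['alloc_task']}), freed by {t['free_origin']} (task {rep['free_task']}{rcu})")


if __name__ == "__main__":
    print(summary(SAMPLE))
```

On this report the cross-checks all hold: 0xffff8881ea5e0038 minus the object base is 56, inside the 3904-byte task_struct, and the shadow byte under the access is 0xfb, a freed slab object. The free stack shows the task_struct was released from an RCU callback, so whatever __mutex_lock dereferenced held a task pointer past a grace period without a reference. Which task_struct field sits at offset 56 in this build is not something the log states; check it with pahole against the matching vmlinux before drawing conclusions.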