Warning: Permanently added '10.128.1.97' (ED25519) to the list of known hosts.
2025/03/19 02:12:44 ignoring optional flag "sandboxArg"="0"
2025/03/19 02:12:45 parsed 1 programs
[ 23.814794][ T23] audit: type=1400 audit(1742350365.860:66): avc: denied { node_bind } for pid=349 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 24.400604][ T23] audit: type=1400 audit(1742350366.450:67): avc: denied { mounton } for pid=359 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 24.402182][ T359] cgroup1: Unknown subsys name 'net'
[ 24.423213][ T23] audit: type=1400 audit(1742350366.450:68): avc: denied { mount } for pid=359 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 24.428474][ T359] cgroup1: Unknown subsys name 'net_prio'
[ 24.450779][ T23] audit: type=1400 audit(1742350366.500:69): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 24.455917][ T359] cgroup1: Unknown subsys name 'devices'
[ 24.483493][ T23] audit: type=1400 audit(1742350366.530:70): avc: denied { unmount } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 24.591877][ T359] cgroup1: Unknown subsys name 'hugetlb'
[ 24.597717][ T359] cgroup1: Unknown subsys name 'rlimit'
[ 24.709423][ T23] audit: type=1400 audit(1742350366.760:71): avc: denied { setattr } for pid=359 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=9599 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 24.732645][ T23] audit: type=1400 audit(1742350366.760:72): avc: denied { create } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.752921][ T23] audit: type=1400 audit(1742350366.760:73): avc: denied { write } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.769616][ T363] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 24.773210][ T23] audit: type=1400 audit(1742350366.760:74): avc: denied { read } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.801562][ T23] audit: type=1400 audit(1742350366.760:75): avc: denied { module_request } for pid=359 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 24.842314][ T359] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 25.322958][ T372] request_module fs-gadgetfs succeeded, but still no fs?
[ 25.659454][ T386] syz-executor (386) used greatest stack depth: 19640 bytes left
[ 25.790681][ T407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.797537][ T407] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.805256][ T407] device bridge_slave_0 entered promiscuous mode
[ 25.812094][ T407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.818946][ T407] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.826137][ T407] device bridge_slave_1 entered promiscuous mode
[ 25.868668][ T407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.875527][ T407] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.882681][ T407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.889513][ T407] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.911841][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.919607][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.926540][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.935785][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.943774][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.950611][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.959579][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.967637][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.974483][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.988272][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.997918][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.014252][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.025743][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.038919][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.055304][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.066172][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 26.105372][ T407] syz-executor (407) used greatest stack depth: 19544 bytes left
2025/03/19 02:12:48 executed programs: 0
[ 26.492521][ T426] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.499420][ T426] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.506585][ T426] device bridge_slave_0 entered promiscuous mode
[ 26.513993][ T426] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.520870][ T426] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.528053][ T426] device bridge_slave_1 entered promiscuous mode
[ 26.594998][ T426] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.601862][ T426] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.609017][ T426] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.615836][ T426] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.630924][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.639063][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.665548][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 26.674244][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 26.690047][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 26.698341][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 26.706553][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.713394][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.721145][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 26.729483][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 26.737411][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.744262][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.759424][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 26.767341][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 26.776509][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 26.785374][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.801684][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 26.811225][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.823666][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 26.831441][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.843826][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 26.852436][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.865133][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 26.873557][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.883004][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 26.891043][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 27.475094][ T102] device bridge_slave_1 left promiscuous mode
[ 27.481106][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.488170][ T102] device bridge_slave_0 left promiscuous mode
[ 27.494538][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.974548][ T468] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.981412][ T468] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.988599][ T468] device bridge_slave_0 entered promiscuous mode
[ 41.995401][ T468] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.002244][ T468] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.009567][ T468] device bridge_slave_1 entered promiscuous mode
[ 42.051564][ T468] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.058398][ T468] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.065554][ T468] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.072302][ T468] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.093809][ T411] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.100938][ T411] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.108009][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 42.115384][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.124723][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.132903][ T411] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.139748][ T411] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.148439][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.156602][ T411] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.163449][ T411] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.176868][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.186131][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.202041][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.213705][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.227003][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.239903][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/03/19 02:13:04 executed programs: 3
[ 42.250622][ T411] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 42.274518][ T468] ==================================================================
[ 42.282557][ T468] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 42.289482][ T468] Read of size 4 at addr ffff8881ea840ff8 by task syz-executor/468
[ 42.297201][ T468]
[ 42.299398][ T468] CPU: 1 PID: 468 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[ 42.309188][ T468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 42.319260][ T468] Call Trace:
[ 42.322392][ T468] dump_stack+0x1d8/0x241
[ 42.326567][ T468] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 42.332191][ T468] ? printk+0xd1/0x111
[ 42.336102][ T468] ? __mutex_lock+0xcd7/0x1060
[ 42.340719][ T468] print_address_description+0x8c/0x600
[ 42.346084][ T468] ? check_preemption_disabled+0x9f/0x320
[ 42.351648][ T468] ? __unwind_start+0x708/0x890
[ 42.356325][ T468] ? __mutex_lock+0xcd7/0x1060
[ 42.360955][ T468] __kasan_report+0xf3/0x120
[ 42.365351][ T468] ? __mutex_lock+0xcd7/0x1060
[ 42.369953][ T468] kasan_report+0x30/0x60
[ 42.374138][ T468] __mutex_lock+0xcd7/0x1060
[ 42.378548][ T468] ? kobject_get_unless_zero+0x229/0x320
[ 42.384120][ T468] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 42.390703][ T468] ? __module_put_and_exit+0x20/0x20
[ 42.395833][ T468] ? up_read+0x6f/0x1b0
[ 42.399811][ T468] mutex_lock_killable+0xd8/0x110
[ 42.404758][ T468] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 42.411091][ T468] ? mutex_lock+0xa5/0x110
[ 42.415346][ T468] ? mutex_trylock+0xa0/0xa0
[ 42.419843][ T468] lo_open+0x18/0xc0
[ 42.423518][ T468] __blkdev_get+0x3c8/0x1160
[ 42.428041][ T468] ? blkdev_get+0x3a0/0x3a0
[ 42.432450][ T468] ? _raw_spin_unlock+0x49/0x60
[ 42.437325][ T468] blkdev_get+0x2de/0x3a0
[ 42.441489][ T468] ? blkdev_open+0x173/0x290
[ 42.445903][ T468] ? block_ioctl+0xe0/0xe0
[ 42.450167][ T468] do_dentry_open+0x964/0x1130
[ 42.454790][ T468] ? finish_open+0xd0/0xd0
[ 42.459009][ T468] ? security_inode_permission+0xad/0xf0
[ 42.464474][ T468] ? memcpy+0x38/0x50
[ 42.468294][ T468] path_openat+0x29bf/0x34b0
[ 42.472723][ T468] ? stack_trace_save+0x118/0x1c0
[ 42.477590][ T468] ? do_filp_open+0x450/0x450
[ 42.482181][ T468] ? do_sys_open+0x357/0x810
[ 42.486728][ T468] ? do_syscall_64+0xca/0x1c0
[ 42.491339][ T468] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 42.497236][ T468] do_filp_open+0x20b/0x450
[ 42.501573][ T468] ? vfs_tmpfile+0x2c0/0x2c0
[ 42.506089][ T468] ? _raw_spin_unlock+0x49/0x60
[ 42.510771][ T468] ? __alloc_fd+0x4c5/0x570
[ 42.515108][ T468] do_sys_open+0x39c/0x810
[ 42.519369][ T468] ? check_preemption_disabled+0x153/0x320
[ 42.525002][ T468] ? file_open_root+0x490/0x490
[ 42.529693][ T468] do_syscall_64+0xca/0x1c0
[ 42.534031][ T468] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 42.539772][ T468] RIP: 0033:0x7f7ecb093a51
[ 42.544022][ T468] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 42.563575][ T468] RSP: 002b:00007fff8aee5170 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 42.571817][ T468] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f7ecb093a51
[ 42.579632][ T468] RDX: 0000000000000002 RSI: 00007fff8aee5280 RDI: 00000000ffffff9c
[ 42.587448][ T468] RBP: 00007fff8aee5280 R08: 000000000000000a R09: 00007fff8aee4f37
[ 42.595350][ T468] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 42.603158][ T468] R13: 00007f7ecb27e260 R14: 0000000000000003 R15: 00007fff8aee5280
[ 42.610960][ T468]
[ 42.613132][ T468] Allocated by task 449:
[ 42.618120][ T468] __kasan_kmalloc+0x171/0x210
[ 42.622719][ T468] kmem_cache_alloc+0xd9/0x250
[ 42.627317][ T468] dup_task_struct+0x4f/0x600
[ 42.631837][ T468] copy_process+0x56d/0x3230
[ 42.636264][ T468] _do_fork+0x197/0x900
[ 42.640247][ T468] __x64_sys_clone3+0x2da/0x300
[ 42.644935][ T468] do_syscall_64+0xca/0x1c0
[ 42.649276][ T468] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 42.655001][ T468]
[ 42.657168][ T468] Freed by task 17:
[ 42.660823][ T468] __kasan_slab_free+0x1b5/0x270
[ 42.665591][ T468] kmem_cache_free+0x10b/0x2c0
[ 42.670196][ T468] rcu_do_batch+0x492/0xa00
[ 42.674533][ T468] rcu_core+0x4c8/0xcb0
[ 42.678524][ T468] __do_softirq+0x23b/0x6b7
[ 42.682873][ T468]
[ 42.685035][ T468] The buggy address belongs to the object at ffff8881ea840fc0
[ 42.685035][ T468] which belongs to the cache task_struct of size 3904
[ 42.699016][ T468] The buggy address is located 56 bytes inside of
[ 42.699016][ T468] 3904-byte region [ffff8881ea840fc0, ffff8881ea841f00)
[ 42.712111][ T468] The buggy address belongs to the page:
[ 42.718331][ T468] page:ffffea0007aa1000 refcount:1 mapcount:0 mapping:ffff8881f5cf0500 index:0x0 compound_mapcount: 0
[ 42.729097][ T468] flags: 0x8000000000010200(slab|head)
[ 42.734395][ T468] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0500
[ 42.742809][ T468] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 42.751221][ T468] page dumped because: kasan: bad access detected
[ 42.757468][ T468] page_owner tracks the page as allocated
[ 42.763031][ T468] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 42.779266][ T468] prep_new_page+0x18f/0x370
[ 42.783685][ T468] get_page_from_freelist+0x2d13/0x2d90
[ 42.789069][ T468] __alloc_pages_nodemask+0x393/0x840
[ 42.794272][ T468] alloc_slab_page+0x39/0x3c0
[ 42.798790][ T468] new_slab+0x97/0x440
[ 42.802694][ T468] ___slab_alloc+0x2fe/0x490
[ 42.807122][ T468] __slab_alloc+0x62/0xa0
[ 42.811293][ T468] kmem_cache_alloc+0x109/0x250
[ 42.815976][ T468] dup_task_struct+0x4f/0x600
[ 42.820486][ T468] copy_process+0x56d/0x3230
[ 42.824911][ T468] _do_fork+0x197/0x900
[ 42.828907][ T468] kernel_thread+0x16a/0x1d0
[ 42.833331][ T468] kthreadd+0x3b1/0x4f0
[ 42.837324][ T468] ret_from_fork+0x1f/0x30
[ 42.841577][ T468] page last free stack trace:
[ 42.846179][ T468] __free_pages_ok+0x847/0x950
[ 42.850784][ T468] __free_pages+0x91/0x140
[ 42.855032][ T468] __free_slab+0x221/0x2e0
[ 42.859287][ T468] unfreeze_partials+0x14e/0x180
[ 42.864063][ T468] put_cpu_partial+0x44/0x180
[ 42.868571][ T468] __slab_free+0x297/0x360
[ 42.872827][ T468] qlist_free_all+0x43/0xb0
[ 42.877165][ T468] quarantine_reduce+0x1d9/0x210
[ 42.881940][ T468] __kasan_kmalloc+0x41/0x210
[ 42.886456][ T468] kmem_cache_alloc+0xd9/0x250
[ 42.891056][ T468] __alloc_skb+0x7a/0x4d0
[ 42.895221][ T468] netlink_sendmsg+0x797/0xcf0
[ 42.899821][ T468] __sys_sendto+0x4f3/0x6c0
[ 42.904158][ T468] __x64_sys_sendto+0xda/0xf0
[ 42.908682][ T468] do_syscall_64+0xca/0x1c0
[ 42.913015][ T468] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 42.918740][ T468]
[ 42.920907][ T468] Memory state around the buggy address:
[ 42.926382][ T468] ffff8881ea840e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.934281][ T468] ffff8881ea840f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 42.942198][ T468] >ffff8881ea840f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.950072][ T468] ^
[ 42.957887][ T468] ffff8881ea841000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.965786][ T468] ffff8881ea841080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.973685][ T468] ==================================================================
[ 42.981589][ T468] Disabling lock debugging due to kernel taint
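Triage aid, added here by the editor and not part of the syzkaller log or of any kernel or syzkaller tool. The report above says everything needed to classify the bug, but the numbers are spread over several sections: the 4-byte read in __mutex_lock hit ffff8881ea840ff8, which is 56 bytes into a task_struct at ffff8881ea840fc0 that an RCU callback (task 17, rcu_do_batch) had already freed, and the shadow row around the address shows fb from the object base onward. The script below parses those sections into one structure, recomputes the offset and the shadow byte at the faulting address from the dumped rows, and checks that they agree with the "use-after-free" headline. Assumptions: the shadow-byte meanings are those of generic KASAN in mm/kasan/kasan.h (0xfb freed slab object, 0xfc slab redzone, 0x00 addressable, 1..7 partially addressable), SAMPLE is a trimmed excerpt of the report above (call trace, register dump and page-owner sections removed), and the check names and the KasanReport field names are my own.

```python
"""Structured triage of a KASAN report like the one above.  Added example, not
code from syzkaller or the kernel: parse the report, recompute the numbers it
prints (offset inside the object, shadow byte at the fault) and check them."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shadow-byte encodings of generic KASAN (mm/kasan/kasan.h, 8-byte granules).
SHADOW_MEANING = {0x00: "fully addressable", 0xFA: "global redzone",
                  0xFB: "freed slab object", 0xFC: "slab object redzone",
                  0xFE: "kmalloc_large page redzone", 0xFF: "freed page",
                  0xF1: "stack left redzone", 0xF3: "stack right redzone"}
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # dmesg "[ 42.28][ T468] "

@dataclass
class KasanReport:
    bug: str = ""             # e.g. "use-after-free"
    where: str = ""           # faulting symbol+offset/size
    access: str = ""          # "Read" or "Write"
    size: int = 0
    addr: int = 0
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    reported_offset: int = 0
    alloc_task: str = ""
    free_task: str = ""
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row addr -> 16 bytes

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.where = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base, section = int(m[1], 16), None   # header also ends a stack
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = m[1], "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = m[1], "free"
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif not line or line.startswith(("The buggy", "Memory state")):
            section = None                    # blank line or header ends a stack
        elif section == "alloc":
            r.alloc_stack.append(line)
        elif section == "free":
            r.free_stack.append(line)
    return r

def shadow_byte_at(r: KasanReport, addr: int) -> Optional[int]:
    """Shadow byte covering addr, from the dumped rows (one row = 16 granules = 128 B)."""
    row = addr & ~0x7F
    return r.shadow[row][(addr - row) // 8] if row in r.shadow else None

def describe_shadow(b: int) -> str:
    if 1 <= b < 8:
        return f"partially addressable (first {b} bytes)"
    return SHADOW_MEANING.get(b, f"unknown shadow value 0x{b:02x}")

def check_report(r: KasanReport) -> Dict[str, bool]:
    """Cross-check the numbers the report prints against each other."""
    sb = shadow_byte_at(r, r.addr)
    lo, hi = r.obj_base, r.obj_base + r.obj_size
    return {"offset_matches": r.addr - r.obj_base == r.reported_offset,
            "access_inside_object": lo <= r.addr and r.addr + r.size <= hi,
            "shadow_says_freed": sb == 0xFB,
            "bug_type_consistent": (r.bug == "use-after-free") == (sb == 0xFB),
            "freed_in_rcu_callback": any("rcu_do_batch" in f for f in r.free_stack)}

# Excerpt copied from the report above (call trace, register dump and page-owner
# sections trimmed; every field the parser needs is present).
SAMPLE = """\
[ 42.282557][ T468] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 42.289482][ T468] Read of size 4 at addr ffff8881ea840ff8 by task syz-executor/468
[ 42.613132][ T468] Allocated by task 449:
[ 42.618120][ T468] __kasan_kmalloc+0x171/0x210
[ 42.627317][ T468] dup_task_struct+0x4f/0x600
[ 42.655001][ T468]
[ 42.657168][ T468] Freed by task 17:
[ 42.660823][ T468] __kasan_slab_free+0x1b5/0x270
[ 42.670196][ T468] rcu_do_batch+0x492/0xa00
[ 42.685035][ T468] The buggy address belongs to the object at ffff8881ea840fc0
[ 42.685035][ T468] which belongs to the cache task_struct of size 3904
[ 42.699016][ T468] The buggy address is located 56 bytes inside of
[ 42.699016][ T468] 3904-byte region [ffff8881ea840fc0, ffff8881ea841f00)
[ 42.934281][ T468] ffff8881ea840f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 42.942198][ T468] >ffff8881ea840f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""
```

Run it against the full log text instead of SAMPLE and check_report should return all True as well; if "offset_matches" or "shadow_says_freed" comes back False on another report, the dump is inconsistent and the access is not the straightforward freed-object read the headline suggests (for example a redzone hit that KASAN still files as use-after-free because the granule is 0xfb elsewhere), which is worth knowing before spending time on the allocation and free stacks.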