Warning: Permanently added '10.128.0.57' (ED25519) to the list of known hosts.
2025/02/21 15:05:10 ignoring optional flag "sandboxArg"="0"
2025/02/21 15:05:11 parsed 1 programs
[   27.215224][   T23] audit: type=1400 audit(1740150311.769:66): avc: denied { node_bind } for pid=353 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[   27.722515][   T23] audit: type=1400 audit(1740150312.269:67): avc: denied { mounton } for pid=362 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   27.724005][  T362] cgroup1: Unknown subsys name 'net'
[   27.744944][   T23] audit: type=1400 audit(1740150312.269:68): avc: denied { mount } for pid=362 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   27.750237][  T362] cgroup1: Unknown subsys name 'net_prio'
[   27.772549][   T23] audit: type=1400 audit(1740150312.319:69): avc: denied { read } for pid=145 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[   27.777660][  T362] cgroup1: Unknown subsys name 'devices'
[   27.805709][   T23] audit: type=1400 audit(1740150312.359:70): avc: denied { unmount } for pid=362 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   27.947455][  T362] cgroup1: Unknown subsys name 'hugetlb'
[   27.953037][  T362] cgroup1: Unknown subsys name 'rlimit'
[   28.123519][   T23] audit: type=1400 audit(1740150312.669:71): avc: denied { setattr } for pid=362 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10769 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   28.146651][   T23] audit: type=1400 audit(1740150312.669:72): avc: denied { create } for pid=362 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   28.160674][  T367] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[   28.167173][   T23] audit: type=1400 audit(1740150312.669:73): avc: denied { write } for pid=362 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   28.195207][   T23] audit: type=1400 audit(1740150312.669:74): avc: denied { read } for pid=362 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   28.215179][   T23] audit: type=1400 audit(1740150312.669:75): avc: denied { module_request } for pid=362 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[   28.248826][  T362] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   28.592967][  T369] request_module fs-gadgetfs succeeded, but still no fs?
[   28.905377][  T391] syz-executor (391) used greatest stack depth: 20152 bytes left
[   29.152270][  T415] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.159138][  T415] bridge0: port 1(bridge_slave_0) entered disabled state
[   29.166407][  T415] device bridge_slave_0 entered promiscuous mode
[   29.172987][  T415] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.179853][  T415] bridge0: port 2(bridge_slave_1) entered disabled state
[   29.186985][  T415] device bridge_slave_1 entered promiscuous mode
[   29.238242][  T415] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.245085][  T415] bridge0: port 2(bridge_slave_1) entered forwarding state
[   29.252165][  T415] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.258978][  T415] bridge0: port 1(bridge_slave_0) entered forwarding state
[   29.278950][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.286549][    T9] bridge0: port 1(bridge_slave_0) entered disabled state
[   29.293499][    T9] bridge0: port 2(bridge_slave_1) entered disabled state
[   29.303562][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   29.311773][    T9] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.318604][    T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[   29.327831][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   29.336013][    T9] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.342822][    T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[   29.355426][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   29.364490][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   29.379972][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   29.391056][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   29.403385][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   29.415711][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   29.425678][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   29.455595][  T415] syz-executor (415) used greatest stack depth: 19416 bytes left
2025/02/21 15:05:14 executed programs: 0
[   29.750683][  T432] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.757984][  T432] bridge0: port 1(bridge_slave_0) entered disabled state
[   29.765637][  T432] device bridge_slave_0 entered promiscuous mode
[   29.774541][  T432] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.781456][  T432] bridge0: port 2(bridge_slave_1) entered disabled state
[   29.788691][  T432] device bridge_slave_1 entered promiscuous mode
[   29.833842][  T432] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.840672][  T432] bridge0: port 2(bridge_slave_1) entered forwarding state
[   29.847803][  T432] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.854542][  T432] bridge0: port 1(bridge_slave_0) entered forwarding state
[   29.865308][    T9] bridge0: port 1(bridge_slave_0) entered disabled state
[   29.872332][    T9] bridge0: port 2(bridge_slave_1) entered disabled state
[   29.893415][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   29.900962][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.911820][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   29.919976][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   29.928007][    T9] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.934809][    T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[   29.943314][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   29.951497][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   29.959500][    T9] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.966319][    T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[   29.981730][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[   29.989557][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   29.998943][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[   30.007704][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   30.026878][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   30.035422][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   30.046142][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   30.053839][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   30.071943][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   30.080254][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   30.091991][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   30.100272][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   30.110053][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   30.118422][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   31.015266][  T180] device bridge_slave_1 left promiscuous mode
[   31.021216][  T180] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.028391][  T180] device bridge_slave_0 left promiscuous mode
[   31.034821][  T180] bridge0: port 1(bridge_slave_0) entered disabled state
[   45.202228][  T475] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.209119][  T475] bridge0: port 1(bridge_slave_0) entered disabled state
[   45.216319][  T475] device bridge_slave_0 entered promiscuous mode
[   45.222843][  T475] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.229668][  T475] bridge0: port 2(bridge_slave_1) entered disabled state
[   45.236897][  T475] device bridge_slave_1 entered promiscuous mode
[   45.275036][  T475] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.281868][  T475] bridge0: port 2(bridge_slave_1) entered forwarding state
[   45.288998][  T475] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.295766][  T475] bridge0: port 1(bridge_slave_0) entered forwarding state
[   45.314877][    T7] bridge0: port 1(bridge_slave_0) entered disabled state
[   45.321892][    T7] bridge0: port 2(bridge_slave_1) entered disabled state
[   45.329194][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   45.337086][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   45.346004][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   45.353979][    T7] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.360802][    T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[   45.370178][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   45.378212][    T7] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.385014][    T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[   45.397332][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   45.406280][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   45.420750][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   45.432056][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   45.444315][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   45.456760][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   45.466621][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2025/02/21 15:05:30 executed programs: 3
[   45.487481][  T475] ==================================================================
[   45.495357][  T475] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[   45.502281][  T475] Read of size 4 at addr ffff8881ea206e78 by task syz-executor/475
[   45.510002][  T475]
[   45.512175][  T475] CPU: 0 PID: 475 Comm: syz-executor Not tainted 5.4.289-syzkaller-00011-g39762b7a60e9 #0
[   45.521893][  T475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   45.531787][  T475] Call Trace:
[   45.534921][  T475]  dump_stack+0x1d8/0x241
[   45.539085][  T475]  ? nf_ct_l4proto_log_invalid+0x258/0x258
[   45.544724][  T475]  ? printk+0xd1/0x111
[   45.548630][  T475]  ? __mutex_lock+0xcd7/0x1060
[   45.553232][  T475]  print_address_description+0x8c/0x600
[   45.558613][  T475]  ? check_preemption_disabled+0x9f/0x320
[   45.564166][  T475]  ? __unwind_start+0x708/0x890
[   45.568854][  T475]  ? __mutex_lock+0xcd7/0x1060
[   45.573449][  T475]  __kasan_report+0xf3/0x120
[   45.577878][  T475]  ? __mutex_lock+0xcd7/0x1060
[   45.582477][  T475]  kasan_report+0x30/0x60
[   45.586645][  T475]  __mutex_lock+0xcd7/0x1060
[   45.591072][  T475]  ? kobject_get_unless_zero+0x229/0x320
[   45.596540][  T475]  ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[   45.603134][  T475]  ? __module_put_and_exit+0x20/0x20
[   45.608256][  T475]  ? up_read+0x6f/0x1b0
[   45.612245][  T475]  mutex_lock_killable+0xd8/0x110
[   45.617107][  T475]  ? __mutex_lock_interruptible_slowpath+0x10/0x10
[   45.623440][  T475]  ? mutex_lock+0xa5/0x110
[   45.627696][  T475]  ? mutex_trylock+0xa0/0xa0
[   45.632120][  T475]  lo_open+0x18/0xc0
[   45.635860][  T475]  __blkdev_get+0x3c8/0x1160
[   45.640281][  T475]  ? blkdev_get+0x3a0/0x3a0
[   45.644621][  T475]  ? _raw_spin_unlock+0x49/0x60
[   45.649306][  T475]  blkdev_get+0x2de/0x3a0
[   45.653471][  T475]  ? blkdev_open+0x173/0x290
[   45.657900][  T475]  ? block_ioctl+0xe0/0xe0
[   45.662152][  T475]  do_dentry_open+0x964/0x1130
[   45.666750][  T475]  ? finish_open+0xd0/0xd0
[   45.671003][  T475]  ? security_inode_permission+0xad/0xf0
[   45.676471][  T475]  ? memcpy+0x38/0x50
[   45.680290][  T475]  path_openat+0x29bf/0x34b0
[   45.684717][  T475]  ? stack_trace_save+0x118/0x1c0
[   45.689581][  T475]  ? do_filp_open+0x450/0x450
[   45.694090][  T475]  ? do_sys_open+0x357/0x810
[   45.698519][  T475]  ? do_syscall_64+0xca/0x1c0
[   45.703030][  T475]  ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   45.708934][  T475]  do_filp_open+0x20b/0x450
[   45.713270][  T475]  ? vfs_tmpfile+0x2c0/0x2c0
[   45.717704][  T475]  ? _raw_spin_unlock+0x49/0x60
[   45.722384][  T475]  ? __alloc_fd+0x4c5/0x570
[   45.726728][  T475]  do_sys_open+0x39c/0x810
[   45.730977][  T475]  ? check_preemption_disabled+0x153/0x320
[   45.736620][  T475]  ? file_open_root+0x490/0x490
[   45.741305][  T475]  do_syscall_64+0xca/0x1c0
[   45.745647][  T475]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   45.751385][  T475] RIP: 0033:0x7ff2a474a991
[   45.755627][  T475] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ba 1b 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[   45.775070][  T475] RSP: 002b:00007ffc5ce12750 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[   45.783311][  T475] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff2a474a991
[   45.791121][  T475] RDX: 0000000000000002 RSI: 00007ffc5ce12860 RDI: 00000000ffffff9c
[   45.798932][  T475] RBP: 00007ffc5ce12860 R08: 000000000000000a R09: 00007ffc5ce12517
[   45.806741][  T475] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[   45.814555][  T475] R13: 00007ff2a4935260 R14: 0000000000000003 R15: 00007ffc5ce12860
[   45.822366][  T475]
[   45.824536][  T475] Allocated by task 449:
[   45.828619][  T475]  __kasan_kmalloc+0x171/0x210
[   45.833215][  T475]  kmem_cache_alloc+0xd9/0x250
[   45.837819][  T475]  dup_task_struct+0x4f/0x600
[   45.842329][  T475]  copy_process+0x56d/0x3230
[   45.846758][  T475]  _do_fork+0x197/0x900
[   45.850747][  T475]  __x64_sys_clone3+0x2da/0x300
[   45.855438][  T475]  do_syscall_64+0xca/0x1c0
[   45.859774][  T475]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   45.865498][  T475]
[   45.867669][  T475] Freed by task 10:
[   45.871318][  T475]  __kasan_slab_free+0x1b5/0x270
[   45.876092][  T475]  kmem_cache_free+0x10b/0x2c0
[   45.880690][  T475]  rcu_do_batch+0x492/0xa00
[   45.885029][  T475]  rcu_core+0x4c8/0xcb0
[   45.889023][  T475]  __do_softirq+0x23b/0x6b7
[   45.893359][  T475]
[   45.895531][  T475] The buggy address belongs to the object at ffff8881ea206e40
[   45.895531][  T475]  which belongs to the cache task_struct of size 3904
[   45.909509][  T475] The buggy address is located 56 bytes inside of
[   45.909509][  T475]  3904-byte region [ffff8881ea206e40, ffff8881ea207d80)
[   45.922610][  T475] The buggy address belongs to the page:
[   45.928092][  T475] page:ffffea0007a88000 refcount:1 mapcount:0 mapping:ffff8881f5cf1400 index:0x0 compound_mapcount: 0
[   45.938843][  T475] flags: 0x8000000000010200(slab|head)
[   45.944139][  T475] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf1400
[   45.952558][  T475] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   45.960971][  T475] page dumped because: kasan: bad access detected
[   45.967225][  T475] page_owner tracks the page as allocated
[   45.972777][  T475] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[   45.989011][  T475]  prep_new_page+0x18f/0x370
[   45.993433][  T475]  get_page_from_freelist+0x2d13/0x2d90
[   45.998820][  T475]  __alloc_pages_nodemask+0x393/0x840
[   46.004022][  T475]  alloc_slab_page+0x39/0x3c0
[   46.008537][  T475]  new_slab+0x97/0x440
[   46.012444][  T475]  ___slab_alloc+0x2fe/0x490
[   46.016870][  T475]  __slab_alloc+0x62/0xa0
[   46.021030][  T475]  kmem_cache_alloc+0x109/0x250
[   46.025721][  T475]  dup_task_struct+0x4f/0x600
[   46.030235][  T475]  copy_process+0x56d/0x3230
[   46.034659][  T475]  _do_fork+0x197/0x900
[   46.038652][  T475]  kernel_thread+0x16a/0x1d0
[   46.043076][  T475]  kthreadd+0x3b1/0x4f0
[   46.047068][  T475]  ret_from_fork+0x1f/0x30
[   46.051320][  T475] page last free stack trace:
[   46.055839][  T475]  __free_pages_ok+0x847/0x950
[   46.060435][  T475]  __free_pages+0x91/0x140
[   46.064687][  T475]  __free_slab+0x221/0x2e0
[   46.068944][  T475]  unfreeze_partials+0x14e/0x180
[   46.073715][  T475]  put_cpu_partial+0x44/0x180
[   46.078230][  T475]  __slab_free+0x297/0x360
[   46.082479][  T475]  qlist_free_all+0x43/0xb0
[   46.086821][  T475]  quarantine_reduce+0x1d9/0x210
[   46.091593][  T475]  __kasan_kmalloc+0x41/0x210
[   46.096107][  T475]  kmem_cache_alloc+0xd9/0x250
[   46.100706][  T475]  sock_alloc_inode+0x17/0xb0
[   46.105219][  T475]  new_inode_pseudo+0x60/0x210
[   46.109820][  T475]  __sock_create+0x124/0x7a0
[   46.114246][  T475]  __sys_socket+0x132/0x370
[   46.118587][  T475]  __x64_sys_socket+0x76/0x80
[   46.123097][  T475]  do_syscall_64+0xca/0x1c0
[   46.127437][  T475]
[   46.129605][  T475] Memory state around the buggy address:
[   46.135079][  T475]  ffff8881ea206d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.142982][  T475]  ffff8881ea206d80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   46.150873][  T475] >ffff8881ea206e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   46.158771][  T475]                                                                 ^
[   46.166584][  T475]  ffff8881ea206e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.174481][  T475]  ffff8881ea206f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.182375][  T475] ==================================================================
[   46.190275][  T475] Disabling lock debugging due to kernel taint
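Added example, not part of the syzkaller log above and not syzkaller's or the kernel's own code: a small Python parser that pulls the triage fields out of a KASAN report in a console log and cross-checks them against each other. The checks it performs are the ones worth doing by hand on every report before trusting it: the faulting address minus the object base must equal the "located N bytes inside" figure, the access must lie inside the "[start, end)" region, the shadow byte under the faulting address must be 0xfb (KASAN_KMALLOC_FREE) for a use-after-free, and the function on the BUG line must be the first reliable call-trace frame outside KASAN's own reporting functions. The embedded REPORT is an abridged copy of the report above (printk prefixes kept, most "?" frames and the page dump dropped); the dataclass, regexes and helper names are this example's own.

```python
# Added example: parse the triage fields out of a KASAN report in a syzkaller
# console log and cross-check them. Not syzkaller or kernel code.
import re
from dataclasses import dataclass, field

# Abridged excerpt of the report above; printk prefixes kept so the stripping is exercised.
REPORT = """\
[   45.495357][  T475] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[   45.502281][  T475] Read of size 4 at addr ffff8881ea206e78 by task syz-executor/475
[   45.531787][  T475] Call Trace:
[   45.534921][  T475]  dump_stack+0x1d8/0x241
[   45.553232][  T475]  print_address_description+0x8c/0x600
[   45.573449][  T475]  __kasan_report+0xf3/0x120
[   45.582477][  T475]  kasan_report+0x30/0x60
[   45.586645][  T475]  __mutex_lock+0xcd7/0x1060
[   45.591072][  T475]  ? kobject_get_unless_zero+0x229/0x320
[   45.612245][  T475]  mutex_lock_killable+0xd8/0x110
[   45.632120][  T475]  lo_open+0x18/0xc0
[   45.635860][  T475]  __blkdev_get+0x3c8/0x1160
[   45.822366][  T475]
[   45.824536][  T475] Allocated by task 449:
[   45.828619][  T475]  __kasan_kmalloc+0x171/0x210
[   45.833215][  T475]  kmem_cache_alloc+0xd9/0x250
[   45.837819][  T475]  dup_task_struct+0x4f/0x600
[   45.842329][  T475]  copy_process+0x56d/0x3230
[   45.846758][  T475]  _do_fork+0x197/0x900
[   45.850747][  T475]  __x64_sys_clone3+0x2da/0x300
[   45.865498][  T475]
[   45.867669][  T475] Freed by task 10:
[   45.871318][  T475]  __kasan_slab_free+0x1b5/0x270
[   45.876092][  T475]  kmem_cache_free+0x10b/0x2c0
[   45.880690][  T475]  rcu_do_batch+0x492/0xa00
[   45.885029][  T475]  rcu_core+0x4c8/0xcb0
[   45.889023][  T475]  __do_softirq+0x23b/0x6b7
[   45.893359][  T475]
[   45.895531][  T475] The buggy address belongs to the object at ffff8881ea206e40
[   45.895531][  T475]  which belongs to the cache task_struct of size 3904
[   45.909509][  T475] The buggy address is located 56 bytes inside of
[   45.909509][  T475]  3904-byte region [ffff8881ea206e40, ffff8881ea207d80)
[   46.150873][  T475] >ffff8881ea206e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\] ?")       # "[   45.495357][  T475] "
REPORTING = ("dump_stack", "print_address_description", "__kasan_report", "kasan_report")

@dataclass
class KasanReport:
    kind: str = ""; func: str = ""; access: str = ""; cache: str = ""
    size: int = 0; addr: int = 0; obj_start: int = 0; obj_end: int = 0; reported_offset: int = -1
    stacks: dict = field(default_factory=dict)   # "crash" | "alloc" | "free" -> list of frames
    shadow: dict = field(default_factory=dict)   # row start address -> its 16 shadow bytes

    @property
    def offset(self):
        return self.addr - self.obj_start

    def shadow_byte(self):
        # One shadow byte covers 8 bytes, so a printed row of 16 covers 128 bytes.
        # 0xFB = KASAN_KMALLOC_FREE, 0xFC = KASAN_KMALLOC_REDZONE (mm/kasan/kasan.h).
        row = self.addr & ~0x7F
        return self.shadow[row][(self.addr - row) >> 3]

    def path(self):
        # Reliable crash frames, starting at the first one outside KASAN's reporting code.
        return [f for f in self.stacks["crash"] if not f.startswith(("? ",) + REPORTING)]

    def check(self):
        # Cross-check the report's numbers against each other; an empty list means consistent.
        checks = {"offset": self.offset == self.reported_offset,
                  "bounds": self.obj_start <= self.addr and self.addr + self.size <= self.obj_end,
                  "shadow": self.kind != "use-after-free" or self.shadow_byte() == 0xFB,
                  "trace": self.path()[0] == self.func}
        return [name for name, ok in checks.items() if not ok]

def parse(text):
    r, cur = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.kind, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif line == "Call Trace:":
            cur = r.stacks["crash"] = []
        elif m := re.match(r"(Allocated|Freed) by task \d+:", line):
            cur = r.stacks["alloc" if m[1] == "Allocated" else "free"] = []
        elif m := re.match(r" which belongs to the cache (\S+) of size", line):
            r.cache = m[1]
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif m := re.match(r" \d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.obj_start, r.obj_end = int(m[1], 16), int(m[2], 16)
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif not line.strip():
            cur = None                      # an empty printk line ends a stack
        elif cur is not None and line.startswith(" "):
            cur.append(line.strip())        # stack frames are indented by one space
    return r
```

Run against the excerpt, `parse(REPORT)` yields kind `use-after-free`, a 4-byte read 56 bytes into a `task_struct` whose shadow byte is 0xfb, `path()` starting `__mutex_lock` <- `mutex_lock_killable` <- `lo_open` <- `__blkdev_get`, an allocation stack ending in `__x64_sys_clone3` and a free stack ending in `__do_softirq` (the object was released from an RCU callback), and `check()` returns an empty list. Tampering with one figure, for instance changing "located 56" to "located 57", makes `check()` return `["offset"]`, which is the kind of inconsistency that separates a genuine report from a mangled or partially pasted one.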