Warning: Permanently added '10.128.0.188' (ED25519) to the list of known hosts.
2025/03/22 07:42:07 ignoring optional flag "sandboxArg"="0"
2025/03/22 07:42:08 parsed 1 programs
[ 44.345986][ T23] audit: type=1400 audit(1742629328.370:66): avc: denied { node_bind } for pid=370 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 44.935138][ T23] audit: type=1400 audit(1742629328.960:67): avc: denied { mounton } for pid=380 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 44.936307][ T380] cgroup1: Unknown subsys name 'net'
[ 44.963167][ T380] cgroup1: Unknown subsys name 'net_prio'
[ 44.963197][ T23] audit: type=1400 audit(1742629328.960:68): avc: denied { mount } for pid=380 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 44.969006][ T380] cgroup1: Unknown subsys name 'devices'
[ 44.991565][ T23] audit: type=1400 audit(1742629329.020:69): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 45.018448][ T23] audit: type=1400 audit(1742629329.040:70): avc: denied { unmount } for pid=380 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 45.216360][ T380] cgroup1: Unknown subsys name 'hugetlb'
[ 45.222006][ T380] cgroup1: Unknown subsys name 'rlimit'
[ 45.423525][ T23] audit: type=1400 audit(1742629329.450:71): avc: denied { setattr } for pid=380 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=9546 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 45.440525][ T384] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 45.446615][ T23] audit: type=1400 audit(1742629329.450:72): avc: denied { create } for pid=380 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 45.475207][ T23] audit: type=1400 audit(1742629329.450:73): avc: denied { write } for pid=380 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 45.496049][ T23] audit: type=1400 audit(1742629329.450:74): avc: denied { read } for pid=380 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 45.516099][ T23] audit: type=1400 audit(1742629329.450:75): avc: denied { module_request } for pid=380 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 45.556914][ T380] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 45.905065][ T387] request_module fs-gadgetfs succeeded, but still no fs?
[ 46.329844][ T407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.336708][ T407] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.344271][ T407] device bridge_slave_0 entered promiscuous mode
[ 46.351670][ T407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.358607][ T407] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.365869][ T407] device bridge_slave_1 entered promiscuous mode
[ 46.409090][ T407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.415938][ T407] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.423041][ T407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.429841][ T407] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.451199][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.458308][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.465600][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 46.472806][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.483074][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.491203][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.498037][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.507032][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.515200][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.522020][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.544425][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 46.561180][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 46.574221][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.586161][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.599219][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 46.612024][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 46.622708][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 46.654810][ T407] syz-executor (407) used greatest stack depth: 20344 bytes left
2025/03/22 07:42:11 executed programs: 0
[ 47.241591][ T453] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.248750][ T453] bridge0: port 1(bridge_slave_0) entered disabled state
[ 47.256350][ T453] device bridge_slave_0 entered promiscuous mode
[ 47.263166][ T453] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.270158][ T453] bridge0: port 2(bridge_slave_1) entered disabled state
[ 47.277765][ T453] device bridge_slave_1 entered promiscuous mode
[ 47.346202][ T453] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.353048][ T453] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.360218][ T453] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.367062][ T453] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.383770][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 47.390873][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 47.408735][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 47.416627][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 47.426114][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 47.434392][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 47.442412][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.449258][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.458568][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 47.466834][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 47.474926][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.481746][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.495954][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 47.503999][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 47.512938][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 47.521272][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 47.536664][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 47.544932][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 47.556096][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 47.563993][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 47.576869][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 47.584983][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 47.597196][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 47.605288][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 47.614894][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 47.622960][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 48.306023][ T103] device bridge_slave_1 left promiscuous mode
[ 48.311971][ T103] bridge0: port 2(bridge_slave_1) entered disabled state
[ 48.319273][ T103] device bridge_slave_0 left promiscuous mode
[ 48.325367][ T103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.705828][ T490] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.712671][ T490] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.720074][ T490] device bridge_slave_0 entered promiscuous mode
[ 62.726778][ T490] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.733626][ T490] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.740922][ T490] device bridge_slave_1 entered promiscuous mode
[ 62.783402][ T490] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.790251][ T490] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.797386][ T490] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.804176][ T490] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.825267][ T413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.832378][ T413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.839769][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 62.847785][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.858038][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.866235][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.873134][ T413] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.882102][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.890421][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.897274][ T413] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.910231][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.919660][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.935392][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 62.946662][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 62.959875][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 62.972304][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/03/22 07:42:27 executed programs: 3
[ 62.982449][ T413] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 63.005287][ T490] ==================================================================
[ 63.013174][ T490] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 63.020105][ T490] Read of size 4 at addr ffff8881f37c8ff8 by task syz-executor/490
[ 63.027826][ T490]
[ 63.030002][ T490] CPU: 1 PID: 490 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[ 63.039722][ T490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 63.049612][ T490] Call Trace:
[ 63.052746][ T490] dump_stack+0x1d8/0x241
[ 63.056912][ T490] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 63.062576][ T490] ? printk+0xd1/0x111
[ 63.066458][ T490] ? __mutex_lock+0xcd7/0x1060
[ 63.071058][ T490] print_address_description+0x8c/0x600
[ 63.076442][ T490] ? check_preemption_disabled+0x9f/0x320
[ 63.082012][ T490] ? __unwind_start+0x708/0x890
[ 63.086686][ T490] ? __mutex_lock+0xcd7/0x1060
[ 63.091284][ T490] __kasan_report+0xf3/0x120
[ 63.095711][ T490] ? __mutex_lock+0xcd7/0x1060
[ 63.100311][ T490] kasan_report+0x30/0x60
[ 63.104478][ T490] __mutex_lock+0xcd7/0x1060
[ 63.108904][ T490] ? kobject_get_unless_zero+0x229/0x320
[ 63.114372][ T490] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 63.120969][ T490] ? __module_put_and_exit+0x20/0x20
[ 63.126090][ T490] ? up_read+0x6f/0x1b0
[ 63.130080][ T490] mutex_lock_killable+0xd8/0x110
[ 63.134960][ T490] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 63.141279][ T490] ? mutex_lock+0xa5/0x110
[ 63.145545][ T490] ? mutex_trylock+0xa0/0xa0
[ 63.149960][ T490] lo_open+0x18/0xc0
[ 63.153698][ T490] __blkdev_get+0x3c8/0x1160
[ 63.158121][ T490] ? blkdev_get+0x3a0/0x3a0
[ 63.162460][ T490] ? _raw_spin_unlock+0x49/0x60
[ 63.167145][ T490] blkdev_get+0x2de/0x3a0
[ 63.171315][ T490] ? blkdev_open+0x173/0x290
[ 63.175739][ T490] ? block_ioctl+0xe0/0xe0
[ 63.179994][ T490] do_dentry_open+0x964/0x1130
[ 63.184592][ T490] ? finish_open+0xd0/0xd0
[ 63.188846][ T490] ? security_inode_permission+0xad/0xf0
[ 63.194314][ T490] ? memcpy+0x38/0x50
[ 63.198130][ T490] path_openat+0x29bf/0x34b0
[ 63.202559][ T490] ? stack_trace_save+0x118/0x1c0
[ 63.207424][ T490] ? do_filp_open+0x450/0x450
[ 63.211929][ T490] ? do_sys_open+0x357/0x810
[ 63.216358][ T490] ? do_syscall_64+0xca/0x1c0
[ 63.220871][ T490] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 63.226773][ T490] do_filp_open+0x20b/0x450
[ 63.231116][ T490] ? vfs_tmpfile+0x2c0/0x2c0
[ 63.235544][ T490] ? _raw_spin_unlock+0x49/0x60
[ 63.240261][ T490] ? __alloc_fd+0x4c5/0x570
[ 63.244570][ T490] do_sys_open+0x39c/0x810
[ 63.248822][ T490] ? check_preemption_disabled+0x153/0x320
[ 63.254465][ T490] ? file_open_root+0x490/0x490
[ 63.259152][ T490] do_syscall_64+0xca/0x1c0
[ 63.263497][ T490] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 63.269225][ T490] RIP: 0033:0x7f9ae6854a51
[ 63.273487][ T490] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 63.292916][ T490] RSP: 002b:00007ffe456cead0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 63.301165][ T490] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9ae6854a51
[ 63.308974][ T490] RDX: 0000000000000002 RSI: 00007ffe456cebe0 RDI: 00000000ffffff9c
[ 63.316798][ T490] RBP: 00007ffe456cebe0 R08: 000000000000000a R09: 00007ffe456ce897
[ 63.324597][ T490] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 63.332408][ T490] R13: 00007f9ae6a3f260 R14: 0000000000000003 R15: 00007ffe456cebe0
[ 63.340341][ T490]
[ 63.342494][ T490] Allocated by task 459:
[ 63.346669][ T490] __kasan_kmalloc+0x171/0x210
[ 63.351262][ T490] kmem_cache_alloc+0xd9/0x250
[ 63.356048][ T490] dup_task_struct+0x4f/0x600
[ 63.360519][ T490] copy_process+0x56d/0x3230
[ 63.364948][ T490] _do_fork+0x197/0x900
[ 63.368982][ T490] __x64_sys_clone3+0x2da/0x300
[ 63.373629][ T490] do_syscall_64+0xca/0x1c0
[ 63.377964][ T490] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 63.383694][ T490]
[ 63.385860][ T490] Freed by task 10:
[ 63.389513][ T490] __kasan_slab_free+0x1b5/0x270
[ 63.394398][ T490] kmem_cache_free+0x10b/0x2c0
[ 63.399009][ T490] rcu_do_batch+0x492/0xa00
[ 63.403348][ T490] rcu_core+0x4c8/0xcb0
[ 63.407343][ T490] __do_softirq+0x23b/0x6b7
[ 63.411677][ T490]
[ 63.414103][ T490] The buggy address belongs to the object at ffff8881f37c8fc0
[ 63.414103][ T490] which belongs to the cache task_struct of size 3904
[ 63.428088][ T490] The buggy address is located 56 bytes inside of
[ 63.428088][ T490] 3904-byte region [ffff8881f37c8fc0, ffff8881f37c9f00)
[ 63.441198][ T490] The buggy address belongs to the page:
[ 63.446660][ T490] page:ffffea0007cdf200 refcount:1 mapcount:0 mapping:ffff8881f5cf0f00 index:0x0 compound_mapcount: 0
[ 63.457540][ T490] flags: 0x8000000000010200(slab|head)
[ 63.462827][ T490] raw: 8000000000010200 0000000000000000 0000000100000001 ffff8881f5cf0f00
[ 63.471236][ T490] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 63.479651][ T490] page dumped because: kasan: bad access detected
[ 63.485901][ T490] page_owner tracks the page as allocated
[ 63.491548][ T490] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[ 63.506394][ T490] prep_new_page+0x18f/0x370
[ 63.510815][ T490] get_page_from_freelist+0x2d13/0x2d90
[ 63.516213][ T490] __alloc_pages_nodemask+0x393/0x840
[ 63.521404][ T490] alloc_slab_page+0x39/0x3c0
[ 63.525917][ T490] new_slab+0x97/0x440
[ 63.529825][ T490] ___slab_alloc+0x2fe/0x490
[ 63.534249][ T490] __slab_alloc+0x62/0xa0
[ 63.538417][ T490] kmem_cache_alloc+0x109/0x250
[ 63.543107][ T490] dup_task_struct+0x4f/0x600
[ 63.547625][ T490] copy_process+0x56d/0x3230
[ 63.552051][ T490] _do_fork+0x197/0x900
[ 63.556045][ T490] kernel_thread+0x16a/0x1d0
[ 63.560463][ T490] kthreadd+0x3b1/0x4f0
[ 63.564456][ T490] ret_from_fork+0x1f/0x30
[ 63.568707][ T490] page last free stack trace:
[ 63.573532][ T490] __free_pages_ok+0x847/0x950
[ 63.578122][ T490] __free_pages+0x91/0x140
[ 63.582372][ T490] put_task_stack+0x212/0x260
[ 63.586883][ T490] finish_task_switch+0x24a/0x590
[ 63.591746][ T490] __schedule+0xb0d/0x1320
[ 63.595999][ T490] schedule_idle+0x50/0x80
[ 63.600248][ T490] do_idle+0x609/0x660
[ 63.604157][ T490] cpu_startup_entry+0x14/0x20
[ 63.608754][ T490] start_secondary+0x3a5/0x460
[ 63.613355][ T490] secondary_startup_64+0xa4/0xb0
[ 63.618213][ T490]
[ 63.620387][ T490] Memory state around the buggy address:
[ 63.625856][ T490] ffff8881f37c8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.633755][ T490] ffff8881f37c8f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 63.641656][ T490] >ffff8881f37c8f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 63.649722][ T490] ^
[ 63.657536][ T490] ffff8881f37c9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.665436][ T490] ffff8881f37c9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.673330][ T490] ==================================================================
[ 63.681227][ T490] Disabling lock debugging due to kernel taint
[ 66.583783][ T74] cfg80211: failed to load regulatory.db