pid=5663 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 43.790781][ T29] audit: type=1400 audit(1733935716.023:83): avc: denied { read } for pid=5171 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 44.097682][ T29] audit: type=1400 audit(1733935716.333:84): avc: denied { write } for pid=5666 comm="sftp-server" path="pipe:[4613]" dev="pipefs" ino=4613 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 44.945055][ T29] audit: type=1400 audit(1733935717.183:85): avc: denied { append } for pid=5171 comm="syslogd" name="messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 44.988902][ T29] audit: type=1400 audit(1733935717.183:86): avc: denied { open } for pid=5171 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 45.039897][ T29] audit: type=1400 audit(1733935717.183:87): avc: denied { getattr } for pid=5171 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
Warning: Permanently added '10.128.1.70' (ED25519) to the list of known hosts.
[ 57.329753][ T29] audit: type=1400 audit(1733935729.563:88): avc: denied { execmem } for pid=5807 comm="syz-executor148" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 57.339134][ T5807] cgroup: Unknown subsys name 'net'
[ 57.349491][ T29] audit: type=1400 audit(1733935729.563:89): avc: denied { mounton } for pid=5807 comm="syz-executor148" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 57.377555][ T29] audit: type=1400 audit(1733935729.563:90): avc: denied { mount } for pid=5807 comm="syz-executor148" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 57.400087][ T29] audit: type=1400 audit(1733935729.593:91): avc: denied { unmount } for pid=5807 comm="syz-executor148" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 57.584815][ T5807] cgroup: Unknown subsys name 'cpuset'
[ 57.592405][ T5807] cgroup: Unknown subsys name 'rlimit'
[ 57.715574][ T29] audit: type=1400 audit(1733935729.953:92): avc: denied { mounton } for pid=5807 comm="syz-executor148" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 57.741384][ T29] audit: type=1400 audit(1733935729.953:93): avc: denied { mount } for pid=5807 comm="syz-executor148" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 57.766297][ T29] audit: type=1400 audit(1733935729.963:94): avc: denied { create } for pid=5808 comm="syz-executor148" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[ 57.766819][ T5128] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 57.786735][ T29] audit: type=1400 audit(1733935729.963:95): avc: denied { read write } for pid=5808 comm="syz-executor148" name="vhci" dev="devtmpfs" ino=1268 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1
[ 57.795496][ T5128] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 57.817716][ T29] audit: type=1400 audit(1733935729.963:96): avc: denied { open } for pid=5808 comm="syz-executor148" path="/dev/vhci" dev="devtmpfs" ino=1268 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1
[ 57.825266][ T5128] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 57.848530][ T29] audit: type=1400 audit(1733935729.973:97): avc: denied { ioctl } for pid=5808 comm="syz-executor148" path="socket:[4090]" dev="sockfs" ino=4090 ioctlcmd=0x48c9 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[ 57.856335][ T5128] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 57.888946][ T5128] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 57.896262][ T5128] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 57.962818][ T5808] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 58.199197][ T5816] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 58.283091][ T5817] ubi0: attaching mtd0
[ 58.292545][ T5817] ubi0: scanning is finished
[ 58.297221][ T5817] ubi0: empty MTD device detected
executing program
[ 58.504648][ T5817] ubi0 error: ubi_attach_mtd_dev: cannot spawn "ubi_bgt0d", error -4
[ 58.818977][ T5823] ubi0: attaching mtd0
[ 58.828391][ T5823] ubi0: scanning is finished
[ 58.835871][ T5823] ==================================================================
[ 58.843936][ T5823] BUG: KASAN: slab-use-after-free in notifier_chain_register+0x3ac/0x420
[ 58.852355][ T5823] Read of size 4 at addr ffff88802b6598d8 by task syz-executor148/5823
[ 58.860589][ T5823]
[ 58.862926][ T5823] CPU: 0 UID: 0 PID: 5823 Comm: syz-executor148 Not tainted 6.13.0-rc2-syzkaller-00031-gf92f4749861b #0
[ 58.874029][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 58.884090][ T5823] Call Trace:
[ 58.887369][ T5823]
[ 58.890295][ T5823] dump_stack_lvl+0x116/0x1f0
[ 58.894986][ T5823] print_report+0xc3/0x620
[ 58.899404][ T5823] ? __virt_addr_valid+0x5e/0x590
[ 58.904429][ T5823] ? __phys_addr+0xc6/0x150
[ 58.908937][ T5823] kasan_report+0xd9/0x110
[ 58.913355][ T5823] ? notifier_chain_register+0x3ac/0x420
[ 58.919078][ T5823] ? notifier_chain_register+0x3ac/0x420
[ 58.924718][ T5823] notifier_chain_register+0x3ac/0x420
[ 58.930184][ T5823] blocking_notifier_chain_register+0x76/0xd0
[ 58.936262][ T5823] ubi_wl_init+0x1018/0x17b0
[ 58.940859][ T5823] ubi_attach+0x1b92/0x4c00
[ 58.945363][ T5823] ? __pfx___vmalloc_node_range_noprof+0x10/0x10
[ 58.951692][ T5823] ? __pfx_ubi_attach+0x10/0x10
[ 58.956538][ T5823] ? ubi_attach_mtd_dev+0x1543/0x3590
[ 58.961909][ T5823] ubi_attach_mtd_dev+0x158f/0x3590
[ 58.967109][ T5823] ? __pfx_ubi_attach_mtd_dev+0x10/0x10
[ 58.972650][ T5823] ? __pfx_get_mtd_device+0x10/0x10
[ 58.977855][ T5823] ctrl_cdev_ioctl+0x339/0x3d0
[ 58.982621][ T5823] ? __pfx_ctrl_cdev_ioctl+0x10/0x10
[ 58.987906][ T5823] ? selinux_file_ioctl+0x180/0x270
[ 58.993105][ T5823] ? selinux_file_ioctl+0xb4/0x270
[ 58.998216][ T5823] ? __pfx_ctrl_cdev_ioctl+0x10/0x10
[ 59.003499][ T5823] __x64_sys_ioctl+0x190/0x200
[ 59.008267][ T5823] do_syscall_64+0xcd/0x250
[ 59.012788][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.018700][ T5823] RIP: 0033:0x7fb196cf7659
[ 59.023129][ T5823] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 59.042735][ T5823] RSP: 002b:00007fb196443208 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.051141][ T5823] RAX: ffffffffffffffda RBX: 00007fb196d801f8 RCX: 00007fb196cf7659
[ 59.059104][ T5823] RDX: 0000000020000502 RSI: 0000000040186f40 RDI: 0000000000000009
[ 59.067062][ T5823] RBP: 00007fb196d801f0 R08: 0000000000000000 R09: 0000000000000000
[ 59.075020][ T5823] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb196d46454
[ 59.082979][ T5823] R13: 000000000000006e R14: 00007fff298cec20 R15: 00007fff298ced08
[ 59.090945][ T5823]
[ 59.093947][ T5823]
[ 59.096254][ T5823] Allocated by task 5817:
[ 59.100561][ T5823] kasan_save_stack+0x33/0x60
[ 59.105227][ T5823] kasan_save_track+0x14/0x30
[ 59.109893][ T5823] __kasan_kmalloc+0xaa/0xb0
[ 59.114469][ T5823] ubi_attach_mtd_dev+0x3ce/0x3590
[ 59.119566][ T5823] ctrl_cdev_ioctl+0x339/0x3d0
[ 59.124316][ T5823] __x64_sys_ioctl+0x190/0x200
[ 59.129069][ T5823] do_syscall_64+0xcd/0x250
[ 59.133563][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.139457][ T5823]
[ 59.141767][ T5823] Freed by task 5817:
[ 59.145730][ T5823] kasan_save_stack+0x33/0x60
[ 59.150407][ T5823] kasan_save_track+0x14/0x30
[ 59.155231][ T5823] kasan_save_free_info+0x3b/0x60
[ 59.160261][ T5823] __kasan_slab_free+0x51/0x70
[ 59.165020][ T5823] kfree+0x14f/0x4b0
[ 59.168915][ T5823] device_release+0xa1/0x240
[ 59.173499][ T5823] kobject_put+0x1e4/0x5a0
[ 59.177908][ T5823] put_device+0x1f/0x30
[ 59.182059][ T5823] ubi_attach_mtd_dev+0xe25/0x3590
[ 59.187158][ T5823] ctrl_cdev_ioctl+0x339/0x3d0
[ 59.191912][ T5823] __x64_sys_ioctl+0x190/0x200
[ 59.196671][ T5823] do_syscall_64+0xcd/0x250
[ 59.201177][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.207069][ T5823]
[ 59.209381][ T5823] The buggy address belongs to the object at ffff88802b658000
[ 59.209381][ T5823] which belongs to the cache kmalloc-8k of size 8192
[ 59.223428][ T5823] The buggy address is located 6360 bytes inside of
[ 59.223428][ T5823] freed 8192-byte region [ffff88802b658000, ffff88802b65a000)
[ 59.237396][ T5823]
[ 59.239705][ T5823] The buggy address belongs to the physical page:
[ 59.246104][ T5823] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b658
[ 59.254849][ T5823] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 59.263331][ T5823] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 59.270861][ T5823] page_type: f5(slab)
[ 59.274830][ T5823] raw: 00fff00000000040 ffff88801b042280 dead000000000122 0000000000000000
[ 59.283395][ T5823] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 59.291961][ T5823] head: 00fff00000000040 ffff88801b042280 dead000000000122 0000000000000000
[ 59.300619][ T5823] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 59.309278][ T5823] head: 00fff00000000003 ffffea0000ad9601 ffffffffffffffff 0000000000000000
[ 59.317929][ T5823] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 59.326578][ T5823] page dumped because: kasan: bad access detected
[ 59.332976][ T5823] page_owner tracks the page as allocated
[ 59.338669][ T5823] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5817, tgid 5813 (syz-executor148), ts 58282851673, free_ts 57979838552
[ 59.360271][ T5823] post_alloc_hook+0x2d1/0x350
[ 59.365022][ T5823] get_page_from_freelist+0xfce/0x2f80
[ 59.370467][ T5823] __alloc_pages_noprof+0x223/0x25b0
[ 59.375737][ T5823] alloc_pages_mpol_noprof+0x2c9/0x610
[ 59.381183][ T5823] new_slab+0x2c9/0x410
[ 59.385324][ T5823] ___slab_alloc+0xdac/0x1870
[ 59.389982][ T5823] __slab_alloc.constprop.0+0x56/0xb0
[ 59.395337][ T5823] __kmalloc_cache_noprof+0xfa/0x410
[ 59.400608][ T5823] ubi_attach_mtd_dev+0x3ce/0x3590
[ 59.405704][ T5823] ctrl_cdev_ioctl+0x339/0x3d0
[ 59.410452][ T5823] __x64_sys_ioctl+0x190/0x200
[ 59.415206][ T5823] do_syscall_64+0xcd/0x250
[ 59.419697][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.425580][ T5823] page last free pid 5808 tgid 5808 stack trace:
[ 59.431886][ T5823] free_unref_page+0x661/0x1080
[ 59.436722][ T5823] __put_partials+0x14c/0x170
[ 59.441384][ T5823] qlist_free_all+0x4e/0x120
[ 59.445955][ T5823] kasan_quarantine_reduce+0x195/0x1e0
[ 59.451397][ T5823] __kasan_slab_alloc+0x69/0x90
[ 59.456233][ T5823] __kmalloc_cache_noprof+0x243/0x410
[ 59.461602][ T5823] kernfs_fop_open+0x28b/0xdb0
[ 59.466361][ T5823] do_dentry_open+0xf59/0x1ea0
[ 59.471111][ T5823] vfs_open+0x82/0x3f0
[ 59.475169][ T5823] path_openat+0x1e6a/0x2d60
[ 59.479750][ T5823] do_filp_open+0x20c/0x470
[ 59.484254][ T5823] do_sys_openat2+0x17a/0x1e0
[ 59.488921][ T5823] __x64_sys_openat+0x175/0x210
[ 59.493763][ T5823] do_syscall_64+0xcd/0x250
[ 59.498271][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.504159][ T5823]
[ 59.506467][ T5823] Memory state around the buggy address:
[ 59.512080][ T5823] ffff88802b659780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.520135][ T5823] ffff88802b659800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.528185][ T5823] >ffff88802b659880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.536227][ T5823] ^
[ 59.543141][ T5823] ffff88802b659900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.551184][ T5823] ffff88802b659980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.559231][ T5823] ==================================================================
[ 59.567622][ T5823] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 59.574831][ T5823] CPU: 1 UID: 0 PID: 5823 Comm: syz-executor148 Not tainted 6.13.0-rc2-syzkaller-00031-gf92f4749861b #0
[ 59.585936][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 59.595991][ T5823] Call Trace:
[ 59.599255][ T5823]
[ 59.602172][ T5823] dump_stack_lvl+0x3d/0x1f0
[ 59.606756][ T5823] panic+0x71d/0x800
[ 59.610646][ T5823] ? __pfx_panic+0x10/0x10
[ 59.615055][ T5823] ? irqentry_exit+0x3b/0x90
[ 59.619635][ T5823] ? lockdep_hardirqs_on+0x7c/0x110
[ 59.624823][ T5823] ? preempt_schedule_thunk+0x1a/0x30
[ 59.630183][ T5823] ? preempt_schedule_common+0x44/0xc0
[ 59.635630][ T5823] ? check_panic_on_warn+0x1f/0xb0
[ 59.640741][ T5823] check_panic_on_warn+0xab/0xb0
[ 59.645674][ T5823] end_report+0x117/0x180
[ 59.649993][ T5823] kasan_report+0xe9/0x110
[ 59.654398][ T5823] ? notifier_chain_register+0x3ac/0x420
[ 59.660025][ T5823] ? notifier_chain_register+0x3ac/0x420
[ 59.665653][ T5823] notifier_chain_register+0x3ac/0x420
[ 59.671104][ T5823] blocking_notifier_chain_register+0x76/0xd0
[ 59.677165][ T5823] ubi_wl_init+0x1018/0x17b0
[ 59.681754][ T5823] ubi_attach+0x1b92/0x4c00
[ 59.686246][ T5823] ? __pfx___vmalloc_node_range_noprof+0x10/0x10
[ 59.692566][ T5823] ? __pfx_ubi_attach+0x10/0x10
[ 59.697401][ T5823] ? ubi_attach_mtd_dev+0x1543/0x3590
[ 59.702762][ T5823] ubi_attach_mtd_dev+0x158f/0x3590
[ 59.707959][ T5823] ? __pfx_ubi_attach_mtd_dev+0x10/0x10
[ 59.713490][ T5823] ? __pfx_get_mtd_device+0x10/0x10
[ 59.718683][ T5823] ctrl_cdev_ioctl+0x339/0x3d0
[ 59.723435][ T5823] ? __pfx_ctrl_cdev_ioctl+0x10/0x10
[ 59.728708][ T5823] ? selinux_file_ioctl+0x180/0x270
[ 59.733896][ T5823] ? selinux_file_ioctl+0xb4/0x270
[ 59.738996][ T5823] ? __pfx_ctrl_cdev_ioctl+0x10/0x10
[ 59.744267][ T5823] __x64_sys_ioctl+0x190/0x200
[ 59.749026][ T5823] do_syscall_64+0xcd/0x250
[ 59.753524][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.759413][ T5823] RIP: 0033:0x7fb196cf7659
[ 59.763814][ T5823] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 59.783406][ T5823] RSP: 002b:00007fb196443208 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.791806][ T5823] RAX: ffffffffffffffda RBX: 00007fb196d801f8 RCX: 00007fb196cf7659
[ 59.799761][ T5823] RDX: 0000000020000502 RSI: 0000000040186f40 RDI: 0000000000000009
[ 59.807718][ T5823] RBP: 00007fb196d801f0 R08: 0000000000000000 R09: 0000000000000000
[ 59.815675][ T5823] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb196d46454
[ 59.823633][ T5823] R13: 000000000000006e R14: 00007fff298cec20 R15: 00007fff298ced08
[ 59.831600][ T5823]
[ 59.834809][ T5823] Kernel Offset: disabled
[ 59.839113][ T5823] Rebooting in 86400 seconds..