./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4225089855 <...> Warning: Permanently added '10.128.1.132' (ED25519) to the list of known hosts. execve("./syz-executor4225089855", ["./syz-executor4225089855"], 0x7fff5968ccb0 /* 10 vars */) = 0 brk(NULL) = 0x555571e1d000 brk(0x555571e1dd00) = 0x555571e1dd00 arch_prctl(ARCH_SET_FS, 0x555571e1d380) = 0 set_tid_address(0x555571e1d650) = 294 set_robust_list(0x555571e1d660, 24) = 0 rseq(0x555571e1dca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor4225089855", 4096) = 28 getrandom("\xa8\x9d\x03\xd9\xea\xff\xf0\x47", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555571e1dd00 brk(0x555571e3ed00) = 0x555571e3ed00 brk(0x555571e3f000) = 0x555571e3f000 mprotect(0x7ff9eb4fa000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 write(1, "executing program\n", 18executing program ) = 18 socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3 setsockopt(3, SOL_IPV6, IPV6_XFRM_POLICY, "\xac\x14\x14\xbb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 232) = 0 socket(AF_KEY, SOCK_RAW, 2) = 4 setsockopt(4, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x02\x0b\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=16}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 16 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x02\x12\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=16}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 16 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 5 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 6 sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb8\x00\x00\x00\x13\x00\xe9\x99\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xac\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=184}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 184 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 7 sendmsg(7, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb8\x00\x00\x00\x13\x00\xe9\x99\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=184}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_EOR}, 0) = 184 [ 27.909754][ T30] audit: type=1400 audit(1738306445.213:66): avc: denied { execmem } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 27.924213][ T294] ================================================================== [ 27.931276][ T30] audit: type=1400 audit(1738306445.223:67): avc: denied { create } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 27.939067][ T294] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 27.960397][ T30] audit: type=1400 audit(1738306445.223:68): avc: denied { setopt } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 27.970223][ T294] Read of size 1 at addr ffff88810cd843f8 by task syz-executor422/294 [ 27.970251][ T294] [ 27.970257][ T294] CPU: 1 PID: 294 Comm: syz-executor422 Not tainted 5.15.176-syzkaller-00066-gd1a25a6a4b3b #0 [ 27.970278][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 27.991604][ T30] audit: type=1400 audit(1738306445.223:69): avc: denied { write } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 27.998972][ T294] Call Trace: [ 27.998982][ T294] [ 27.998990][ T294] dump_stack_lvl+0x151/0x1c0 [ 27.999017][ T294] ? io_uring_drop_tctx_refs+0x190/0x190 [ 27.999037][ T294] ? panic+0x760/0x760 [ 28.001801][ T30] audit: type=1400 audit(1738306445.223:70): avc: denied { create } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 28.013350][ T294] print_address_description+0x87/0x3b0 [ 28.013386][ T294] ? stack_trace_save+0x113/0x1c0 [ 28.013408][ T294] ? ___sys_sendmsg+0x252/0x2e0 [ 28.025687][ T30] audit: type=1400 audit(1738306445.223:71): avc: denied { write } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 28.045546][ T294] kasan_report+0x179/0x1c0 [ 28.045582][ T294] ? xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 28.049139][ T30] audit: type=1400 audit(1738306445.223:72): avc: denied { nlmsg_write } for pid=294 comm="syz-executor422" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 28.051683][ T294] ? xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 28.178114][ T294] __asan_report_load1_noabort+0x14/0x20 [ 28.184240][ T294] xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 28.191005][ T294] ? ____kasan_kmalloc+0xed/0x110 [ 28.197816][ T294] ? ____kasan_kmalloc+0xdb/0x110 [ 28.203429][ T294] ? xfrm_policy_addr_delta+0x23b/0x370 [ 28.209946][ T294] xfrm_policy_inexact_insert_node+0x917/0xb00 [ 28.216615][ T294] ? entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.222777][ T294] ? xfrm_policy_inexact_alloc_bin+0x5ad/0x13f0 [ 28.229898][ T294] xfrm_policy_inexact_alloc_chain+0x4ec/0xaf0 [ 28.236221][ T294] xfrm_policy_inexact_insert+0x6a/0x1160 [ 28.242041][ T294] ? __kasan_check_write+0x14/0x20 [ 28.247283][ T294] ? _raw_spin_lock_bh+0xa4/0x1b0 [ 28.252283][ T294] ? policy_hash_bysel+0x137/0x700 [ 28.258369][ T294] xfrm_policy_insert+0xe7/0x940 [ 28.263512][ T294] xfrm_add_policy+0x4f2/0x980 [ 28.268205][ T294] ? cap_capable+0x1d2/0x270 [ 28.272888][ T294] ? xfrm_dump_sa_done+0xc0/0xc0 [ 28.278432][ T294] xfrm_user_rcv_msg+0x4f3/0x7d0 [ 28.283616][ T294] ? xfrm_netlink_rcv+0x90/0x90 [ 28.289329][ T294] ? avc_has_perm+0x16f/0x260 [ 28.294162][ T294] ? ____kasan_kmalloc+0xed/0x110 [ 28.299296][ T294] ? avc_has_perm_noaudit+0x430/0x430 [ 28.304871][ T294] ? x64_sys_call+0x16a/0x9a0 [ 28.309743][ T294] netlink_rcv_skb+0x1cf/0x410 [ 28.314486][ T294] ? xfrm_netlink_rcv+0x90/0x90 [ 28.319368][ T294] ? netlink_ack+0xb10/0xb10 [ 28.324281][ T294] ? mutex_lock+0xb6/0x1e0 [ 28.328946][ T294] ? wait_for_completion_killable_timeout+0x10/0x10 [ 28.335672][ T294] ? __netlink_lookup+0x37b/0x3a0 [ 28.340793][ T294] xfrm_netlink_rcv+0x72/0x90 [ 28.345439][ T294] netlink_unicast+0x8df/0xac0 [ 28.351174][ T294] ? netlink_detachskb+0x90/0x90 [ 28.356169][ T294] ? security_netlink_send+0x7b/0xa0 [ 28.361659][ T294] netlink_sendmsg+0xa0a/0xd20 [ 28.366688][ T294] ? netlink_getsockopt+0x560/0x560 [ 28.373047][ T294] ? security_socket_sendmsg+0x82/0xb0 [ 28.379390][ T294] ? netlink_getsockopt+0x560/0x560 [ 28.385047][ T294] ____sys_sendmsg+0x59e/0x8f0 [ 28.390702][ T294] ? __sys_sendmsg_sock+0x40/0x40 [ 28.396454][ T294] ? import_iovec+0xe5/0x120 [ 28.400986][ T294] ___sys_sendmsg+0x252/0x2e0 [ 28.405796][ T294] ? __sys_sendmsg+0x260/0x260 [ 28.410736][ T294] ? cgroup_leave_frozen+0x164/0x2c0 [ 28.416466][ T294] ? __kasan_check_read+0x11/0x20 [ 28.421529][ T294] ? __fdget+0x179/0x240 [ 28.426692][ T294] __se_sys_sendmsg+0x19a/0x260 [ 28.431823][ T294] ? __x64_sys_sendmsg+0x90/0x90 [ 28.437237][ T294] ? ptrace_notify+0x24c/0x350 [ 28.442106][ T294] ? __kasan_check_write+0x14/0x20 [ 28.447063][ T294] __x64_sys_sendmsg+0x7b/0x90 [ 28.451921][ T294] x64_sys_call+0x16a/0x9a0 [ 28.456597][ T294] do_syscall_64+0x3b/0xb0 [ 28.462195][ T294] ? clear_bhb_loop+0x35/0x90 [ 28.468026][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.474535][ T294] RIP: 0033:0x7ff9eb486be9 [ 28.478885][ T294] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 28.502527][ T294] RSP: 002b:00007ffe43d221e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 28.511399][ T294] RAX: ffffffffffffffda RBX: 00007ffe43d223b8 RCX: 00007ff9eb486be9 [ 28.521082][ T294] RDX: 0000000000004000 RSI: 0000000020000580 RDI: 0000000000000005 [ 28.529842][ T294] RBP: 00007ff9eb4fa610 R08: 00007ffe43d223b8 R09: 00007ffe43d223b8 [ 28.539019][ T294] R10: 000000000000000a R11: 0000000000000246 R12: 0000000000000001 [ 28.547977][ T294] R13: 00007ffe43d223a8 R14: 0000000000000001 R15: 0000000000000001 [ 28.558823][ T294] [ 28.562912][ T294] [ 28.565500][ T294] Allocated by task 294: [ 28.569749][ T294] ____kasan_kmalloc+0xdb/0x110 [ 28.576055][ T294] __kasan_kmalloc+0x9/0x10 [ 28.581714][ T294] __kmalloc+0x13f/0x2c0 [ 28.586818][ T294] sk_prot_alloc+0xf9/0x330 [ 28.591351][ T294] sk_alloc+0x38/0x430 [ 28.595956][ T294] pfkey_create+0x12c/0x620 [ 28.600427][ T294] __sock_create+0x3be/0x7e0 [ 28.605289][ T294] __sys_socket+0x132/0x370 [ 28.609882][ T294] __x64_sys_socket+0x7a/0x90 [ 28.614996][ T294] x64_sys_call+0x147/0x9a0 [ 28.619302][ T294] do_syscall_64+0x3b/0xb0 [ 28.623695][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.629420][ T294] [ 28.631838][ T294] The buggy address belongs to the object at ffff88810cd84000 [ 28.631838][ T294] which belongs to the cache kmalloc-1k of size 1024 [ 28.646743][ T294] The buggy address is located 1016 bytes inside of [ 28.646743][ T294] 1024-byte region [ffff88810cd84000, ffff88810cd84400) [ 28.661504][ T294] The buggy address belongs to the page: [ 28.667566][ T294] page:ffffea0004336000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cd80 [ 28.680680][ T294] head:ffffea0004336000 order:3 compound_mapcount:0 compound_pincount:0 [ 28.689427][ T294] flags: 0x4000000000010200(slab|head|zone=1) [ 28.695880][ T294] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043080 [ 28.705795][ T294] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 28.716010][ T294] page dumped because: kasan: bad access detected [ 28.724201][ T294] page_owner tracks the page as allocated [ 28.731797][ T294] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 294, ts 27915850716, free_ts 27650513746 [ 28.752076][ T294] post_alloc_hook+0x1a3/0x1b0 [ 28.756934][ T294] prep_new_page+0x1b/0x110 [ 28.761497][ T294] get_page_from_freelist+0x3550/0x35d0 [ 28.767262][ T294] __alloc_pages+0x27e/0x8f0 [ 28.771950][ T294] new_slab+0x9a/0x4e0 [ 28.776839][ T294] ___slab_alloc+0x39e/0x830 [ 28.781492][ T294] __slab_alloc+0x4a/0x90 [ 28.786003][ T294] __kmalloc_track_caller+0x171/0x2c0 [ 28.791613][ T294] __alloc_skb+0x10c/0x550 [ 28.796586][ T294] __napi_alloc_skb+0x167/0x2e0 [ 28.802817][ T294] page_to_skb+0x2a5/0xb40 [ 28.809199][ T294] receive_buf+0xed9/0x5860 [ 28.814778][ T294] virtnet_poll+0x615/0x1250 [ 28.820845][ T294] __napi_poll+0xc4/0x5a0 [ 28.825943][ T294] net_rx_action+0x47d/0xc50 [ 28.831895][ T294] handle_softirqs+0x25e/0x5c0 [ 28.836983][ T294] page last free stack trace: [ 28.842637][ T294] free_unref_page_prepare+0x7c8/0x7d0 [ 28.848513][ T294] free_unref_page+0xe8/0x750 [ 28.853554][ T294] __free_pages+0x61/0xf0 [ 28.858408][ T294] __free_slab+0xec/0x1d0 [ 28.865391][ T294] __unfreeze_partials+0x165/0x1a0 [ 28.871567][ T294] put_cpu_partial+0xc4/0x120 [ 28.877932][ T294] __slab_free+0x1c8/0x290 [ 28.884213][ T294] ___cache_free+0x109/0x120 [ 28.890480][ T294] qlink_free+0x4d/0x90 [ 28.895808][ T294] qlist_free_all+0x44/0xb0 [ 28.900965][ T294] kasan_quarantine_reduce+0x15a/0x180 [ 28.907333][ T294] __kasan_slab_alloc+0x2f/0xe0 [ 28.913633][ T294] slab_post_alloc_hook+0x53/0x2c0 [ 28.919290][ T294] kmem_cache_alloc+0xf5/0x250 [ 28.924941][ T294] getname_flags+0xba/0x520 [ 28.930077][ T294] getname+0x19/0x20 [ 28.935117][ T294] [ 28.938181][ T294] Memory state around the buggy address: [ 28.945517][ T294] ffff88810cd84280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.954690][ T294] ffff88810cd84300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.965232][ T294] >ffff88810cd84380: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 28.976113][ T294] ^ [ 28.984929][ T294] ffff88810cd84400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.994616][ T294] ffff88810cd84480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.004062][ T294] ================================================================== sendmsg(5, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb8\x00\x00\x00\x13\x00\xe9\x99\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=184}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 184 exit_group(0) = ? +++ exited with 0 +++ [ 29.012972][ T294] Disablin