Warning: Permanently added '10.128.1.84' (ED25519) to the list of known hosts.
2024/09/27 13:17:31 ignoring optional flag "sandboxArg"="0"
2024/09/27 13:17:31 parsed 1 programs
[ 26.129283][ T24] audit: type=1400 audit(1727443051.440:66): avc: denied { node_bind } for pid=285 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 26.825239][ T24] audit: type=1400 audit(1727443052.130:67): avc: denied { mounton } for pid=291 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.826199][ T291] cgroup: Unknown subsys name 'net'
[ 26.847698][ T24] audit: type=1400 audit(1727443052.130:68): avc: denied { mount } for pid=291 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.874735][ T24] audit: type=1400 audit(1727443052.160:69): avc: denied { unmount } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.875198][ T291] cgroup: Unknown subsys name 'devices'
[ 27.048458][ T291] cgroup: Unknown subsys name 'hugetlb'
[ 27.053846][ T291] cgroup: Unknown subsys name 'rlimit'
[ 27.245267][ T24] audit: type=1400 audit(1727443052.550:70): avc: denied { setattr } for pid=291 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=161 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 27.268279][ T24] audit: type=1400 audit(1727443052.550:71): avc: denied { create } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 27.288468][ T24] audit: type=1400 audit(1727443052.550:72): avc: denied { write } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 27.293431][ T297] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 27.308474][ T24] audit: type=1400 audit(1727443052.550:73): avc: denied { read } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 27.336858][ T24] audit: type=1400 audit(1727443052.550:74): avc: denied { module_request } for pid=291 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 27.358503][ T24] audit: type=1400 audit(1727443052.550:75): avc: denied { mounton } for pid=291 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 27.385851][ T291] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 27.772399][ T299] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 28.044580][ T326] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.051758][ T326] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.058970][ T326] device bridge_slave_0 entered promiscuous mode
[ 28.066306][ T326] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.073219][ T326] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.080325][ T326] device bridge_slave_1 entered promiscuous mode
[ 28.109437][ T326] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.116260][ T326] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.123393][ T326] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.130173][ T326] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.145254][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.152864][ T327] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.160334][ T327] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.169755][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.177771][ T327] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.184664][ T327] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.192953][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.201115][ T327] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.208042][ T327] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.221648][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.229444][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.242589][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.252975][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.260742][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.268159][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.275982][ T326] device veth0_vlan entered promiscuous mode
[ 28.284831][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.293852][ T326] device veth1_macvtap entered promiscuous mode
[ 28.302881][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.312533][ T327] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2024/09/27 13:17:33 executed programs: 0
[ 28.544376][ T358] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.551287][ T358] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.558852][ T358] device bridge_slave_0 entered promiscuous mode
[ 28.565470][ T358] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.572424][ T358] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.579453][ T358] device bridge_slave_1 entered promiscuous mode
[ 28.613347][ T358] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.620197][ T358] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.627284][ T358] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.634065][ T358] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.651858][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.659457][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.666371][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.678160][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.686142][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.692984][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.701264][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.709445][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.716266][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.729466][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.738206][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.750304][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.764853][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.773099][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.780580][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.788658][ T358] device veth0_vlan entered promiscuous mode
[ 28.797749][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.810515][ T358] device veth1_macvtap entered promiscuous mode
[ 28.819420][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.829110][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.878144][ T364] EXT4-fs (loop0): Ignoring removed mblk_io_submit option
[ 28.885108][ T364] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 28.893801][ T364] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=b016c118, mo2=0002]
[ 28.901661][ T364] System zones: 1-12
[ 28.906612][ T364] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2210: inode #15: comm syz.0.15: corrupted in-inode xattr
[ 28.918662][ T364] EXT4-fs error (device loop0): ext4_orphan_get:1396: comm syz.0.15: couldn't read orphan inode 15 (err -117)
[ 28.930288][ T364] EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,data_err=abort,debug,noload,mblk_io_submit,commit=0x0000000000000005,init_itable=0x0000000000000601,grpquota,,errors=continue
[ 28.954904][ T358] ==================================================================
[ 28.962792][ T358] BUG: KASAN: slab-out-of-bounds in ext4_htree_fill_tree+0x1316/0x13e0
[ 28.970852][ T358] Read of size 1 at addr ffff88810d6f2a67 by task syz-executor/358
[ 28.978563][ T358]
[ 28.980743][ T358] CPU: 1 PID: 358 Comm: syz-executor Not tainted 5.10.225-syzkaller-00513-g8d23314f588a #0
[ 28.990543][ T358] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 29.000449][ T358] Call Trace:
[ 29.003576][ T358] dump_stack_lvl+0x1e2/0x24b
[ 29.008090][ T358] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 29.013407][ T358] ? panic+0x812/0x812
[ 29.017285][ T358] print_address_description+0x81/0x3b0
[ 29.022662][ T358] ? ext4_htree_store_dirent+0x19c/0x590
[ 29.028139][ T358] kasan_report+0x179/0x1c0
[ 29.032472][ T358] ? ext4_htree_fill_tree+0x1316/0x13e0
[ 29.037853][ T358] ? ext4_htree_fill_tree+0x1316/0x13e0
[ 29.043234][ T358] __asan_report_load1_noabort+0x14/0x20
[ 29.048790][ T358] ext4_htree_fill_tree+0x1316/0x13e0
[ 29.054431][ T358] ? ext4_handle_dirty_dirblock+0x6e0/0x6e0
[ 29.060163][ T358] ? __kasan_kmalloc+0x9/0x10
[ 29.064758][ T358] ? ext4_readdir+0x4df/0x37c0
[ 29.069966][ T358] ext4_readdir+0x2dde/0x37c0
[ 29.074489][ T358] ? handle_pte_fault+0x1472/0x3e30
[ 29.079536][ T358] ? ext4_dir_llseek+0x4c0/0x4c0
[ 29.084300][ T358] ? __kasan_check_write+0x14/0x20
[ 29.089240][ T358] ? down_read_killable+0x101/0x220
[ 29.094269][ T358] ? down_read_interruptible+0x220/0x220
[ 29.099741][ T358] ? security_file_permission+0x86/0xb0
[ 29.105116][ T358] iterate_dir+0x265/0x580
[ 29.109379][ T358] ? ext4_dir_llseek+0x4c0/0x4c0
[ 29.114230][ T358] __se_sys_getdents64+0x1c1/0x460
[ 29.119178][ T358] ? __x64_sys_getdents64+0x90/0x90
[ 29.124209][ T358] ? filldir+0x680/0x680
[ 29.128291][ T358] ? debug_smp_processor_id+0x17/0x20
[ 29.133500][ T358] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 29.139402][ T358] ? irqentry_exit_to_user_mode+0x41/0x80
[ 29.144956][ T358] __x64_sys_getdents64+0x7b/0x90
[ 29.149819][ T358] do_syscall_64+0x34/0x70
[ 29.154159][ T358] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.159884][ T358] RIP: 0033:0x7f995efa30d3
[ 29.164136][ T358] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 52 43 f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
[ 29.183577][ T358] RSP: 002b:00007fff5c501378 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 29.191820][ T358] RAX: ffffffffffffffda RBX: 0000555571aae4e0 RCX: 00007f995efa30d3
[ 29.199632][ T358] RDX: 0000000000008000 RSI: 0000555571aae4e0 RDI: 0000000000000005
[ 29.207444][ T358] RBP: 0000555571aae4b4 R08: 0000000000028b61 R09: 0000000000000000
[ 29.215257][ T358] R10: 00007f995f0fdca0 R11: 0000000000000293 R12: ffffffffffffffa8
[ 29.223074][ T358] R13: 0000000000000010 R14: 0000555571aae4b0 R15: 00007fff5c503620
[ 29.230875][ T358]
[ 29.233045][ T358] Allocated by task 358:
[ 29.237133][ T358] __kasan_slab_alloc+0xb1/0xe0
[ 29.241842][ T358] slab_post_alloc_hook+0x61/0x2f0
[ 29.246854][ T358] kmem_cache_alloc+0x168/0x2e0
[ 29.251538][ T358] __alloc_file+0x29/0x330
[ 29.255789][ T358] alloc_empty_file+0x95/0x180
[ 29.260392][ T358] alloc_file+0x5a/0x4e0
[ 29.264469][ T358] alloc_file_pseudo+0x259/0x2f0
[ 29.269244][ T358] sock_alloc_file+0xbb/0x260
[ 29.273753][ T358] __sys_socket+0x194/0x370
[ 29.278094][ T358] __x64_sys_socket+0x7a/0x90
[ 29.282611][ T358] do_syscall_64+0x34/0x70
[ 29.286862][ T358] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.292586][ T358]
[ 29.294759][ T358] Freed by task 358:
[ 29.298496][ T358] kasan_set_track+0x4b/0x70
[ 29.302917][ T358] kasan_set_free_info+0x23/0x40
[ 29.307699][ T358] ____kasan_slab_free+0x121/0x160
[ 29.312638][ T358] __kasan_slab_free+0x11/0x20
[ 29.317238][ T358] slab_free_freelist_hook+0xc0/0x190
[ 29.322445][ T358] kmem_cache_free+0xa9/0x1e0
[ 29.326959][ T358] file_free_rcu+0x9f/0xb0
[ 29.331214][ T358] rcu_do_batch+0x597/0xc40
[ 29.335725][ T358] rcu_core+0x5ad/0xe40
[ 29.339720][ T358] rcu_core_si+0x9/0x10
[ 29.343708][ T358] __do_softirq+0x268/0x5bb
[ 29.348043][ T358]
[ 29.350215][ T358] Last potentially related work creation:
[ 29.355775][ T358] kasan_save_stack+0x3b/0x60
[ 29.360290][ T358] __kasan_record_aux_stack+0xd3/0x100
[ 29.365583][ T358] kasan_record_aux_stack_noalloc+0xb/0x10
[ 29.371225][ T358] call_rcu+0x135/0x11f0
[ 29.375311][ T358] __fput+0x5e4/0x7b0
[ 29.379121][ T358] ____fput+0x15/0x20
[ 29.382940][ T358] task_work_run+0x129/0x190
[ 29.387372][ T358] exit_to_user_mode_loop+0xbf/0xd0
[ 29.392405][ T358] syscall_exit_to_user_mode+0xa2/0x1a0
[ 29.397783][ T358] do_syscall_64+0x40/0x70
[ 29.402037][ T358] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.407756][ T358]
[ 29.409929][ T358] Second to last potentially related work creation:
[ 29.416359][ T358] kasan_save_stack+0x3b/0x60
[ 29.420872][ T358] __kasan_record_aux_stack+0xd3/0x100
[ 29.426166][ T358] kasan_record_aux_stack+0xe/0x10
[ 29.431112][ T358] task_work_add+0x27/0x1d0
[ 29.435451][ T358] fput_many+0xef/0x1b0
[ 29.439442][ T358] fput+0x1a/0x20
[ 29.442936][ T358] filp_close+0x106/0x150
[ 29.447092][ T358] __close_fd+0x33/0x50
[ 29.451078][ T358] __x64_sys_close+0x68/0xc0
[ 29.455502][ T358] do_syscall_64+0x34/0x70
[ 29.459758][ T358] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.465475][ T358]
[ 29.467651][ T358] The buggy address belongs to the object at ffff88810d6f2900
[ 29.467651][ T358] which belongs to the cache filp of size 296
[ 29.480933][ T358] The buggy address is located 63 bytes to the right of
[ 29.480933][ T358] 296-byte region [ffff88810d6f2900, ffff88810d6f2a28)
[ 29.494469][ T358] The buggy address belongs to the page:
[ 29.499953][ T358] page:ffffea000435bc80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d6f2
[ 29.510267][ T358] head:ffffea000435bc80 order:1 compound_mapcount:0
[ 29.516679][ T358] flags: 0x4000000000010200(slab|head)
[ 29.521977][ T358] raw: 4000000000010200 ffffea0004356b80 0000000900000009 ffff888100192600
[ 29.530397][ T358] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[ 29.538803][ T358] page dumped because: kasan: bad access detected
[ 29.545060][ T358] page_owner tracks the page as allocated
[ 29.550650][ T358] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 94, ts 3741595793, free_ts 0
[ 29.568599][ T358] prep_new_page+0x166/0x180
[ 29.573007][ T358] get_page_from_freelist+0x2d8c/0x2f30
[ 29.578390][ T358] __alloc_pages_nodemask+0x435/0xaf0
[ 29.583591][ T358] new_slab+0x80/0x400
[ 29.587499][ T358] ___slab_alloc+0x302/0x4b0
[ 29.592013][ T358] __slab_alloc+0x63/0xa0
[ 29.596179][ T358] kmem_cache_alloc+0x1b9/0x2e0
[ 29.600882][ T358] __alloc_file+0x29/0x330
[ 29.605119][ T358] alloc_empty_file+0x95/0x180
[ 29.609718][ T358] alloc_file+0x5a/0x4e0
[ 29.613797][ T358] alloc_file_pseudo+0x259/0x2f0
[ 29.618572][ T358] __anon_inode_getfd+0x2aa/0x430
[ 29.623432][ T358] anon_inode_getfd+0x33/0x40
[ 29.627944][ T358] do_inotify_init+0x35b/0x4b0
[ 29.632545][ T358] __x64_sys_inotify_init1+0x37/0x40
[ 29.637667][ T358] do_syscall_64+0x34/0x70
[ 29.641916][ T358] page_owner free stack trace missing
[ 29.647119][ T358]
[ 29.649289][ T358] Memory state around the buggy address:
[ 29.654765][ T358] ffff88810d6f2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.662661][ T358] ffff88810d6f2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.670561][ T358] >ffff88810d6f2a00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 29.678455][ T358] ^
[ 29.685488][ T358] ffff88810d6f2a80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.693385][ T358] ffff88810d6f2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.701466][ T358] ==================================================================
[ 29.709359][ T358] Disabling lock debugging due to kernel taint