Warning: Permanently added '10.128.0.195' (ED25519) to the list of known hosts.
[ 22.158096][ T24] audit: type=1400 audit(1742281984.520:66): avc: denied { execmem } for pid=282 comm="syz-executor314" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 22.165119][ T24] audit: type=1400 audit(1742281984.520:67): avc: denied { mounton } for pid=282 comm="syz-executor314" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 22.171767][ T24] audit: type=1400 audit(1742281984.520:68): avc: denied { mount } for pid=282 comm="syz-executor314" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 22.210836][ T284] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 22.219605][ T24] audit: type=1400 audit(1742281984.590:69): avc: denied { relabelto } for pid=284 comm="mkswap" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
Setting up swapspace version 1, size = 127995904 bytes
[ 22.245102][ T24] audit: type=1400 audit(1742281984.590:70): avc: denied { write } for pid=284 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 22.272182][ T24] audit: type=1400 audit(1742281984.640:71): avc: denied { read } for pid=282 comm="syz-executor314" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 22.298118][ T24] audit: type=1400 audit(1742281984.640:72): avc: denied { open } for pid=282 comm="syz-executor314" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 22.324680][ T282] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 22.334336][ T24] audit: type=1400 audit(1742281984.690:73): avc: denied { mounton } for pid=285 comm="syz-executor314" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 22.356177][ T24] audit: type=1400 audit(1742281984.690:74): avc: denied { module_request } for pid=285 comm="syz-executor314" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 22.378898][ T285] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.385856][ T285] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.393038][ T285] device bridge_slave_0 entered promiscuous mode
[ 22.399796][ T285] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.406963][ T285] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.414104][ T285] device bridge_slave_1 entered promiscuous mode
[ 22.448030][ T24] audit: type=1400 audit(1742281984.810:75): avc: denied { create } for pid=285 comm="syz-executor314" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.455266][ T285] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.475547][ T285] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.482674][ T285] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.489507][ T285] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.508064][ T111] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.515280][ T111] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.522428][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 22.530481][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.539719][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 22.548023][ T111] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.555002][ T111] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.563536][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 22.571799][ T111] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.578672][ T111] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.590841][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 22.600125][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 22.613350][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.625426][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 22.633237][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 22.640778][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 22.648728][ T285] device veth0_vlan entered promiscuous mode
executing program
[ 22.658750][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.667766][ T285] device veth1_macvtap entered promiscuous mode
[ 22.677123][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.686831][ T111] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 22.704880][ T285] request_module fs-gadgetfs succeeded, but still no fs?
[ 22.759396][ T285] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor314: inode #1: comm syz-executor314: iget: illegal inode #
[ 22.773606][ T285] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor314: error while reading EA inode 1 err=-117
[ 22.787578][ T285] EXT4-fs (loop0): 1 orphan inode deleted
[ 22.793515][ T285] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[ 22.805494][ T285] ==================================================================
[ 22.813409][ T285] BUG: KASAN: use-after-free in ext4_insert_dentry+0x392/0x710
[ 22.821764][ T285] Write of size 250 at addr ffff88811d603f18 by task syz-executor314/285
[ 22.829987][ T285]
[ 22.832177][ T285] CPU: 0 PID: 285 Comm: syz-executor314 Not tainted 5.10.234-syzkaller-00033-g094fc3778d6b #0
[ 22.842671][ T285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 22.852589][ T285] Call Trace:
[ 22.855710][ T285] dump_stack_lvl+0x1e2/0x24b
[ 22.860538][ T285] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 22.865809][ T285] ? panic+0x812/0x812
[ 22.869715][ T285] ? __ext4_handle_dirty_metadata+0x36e/0x810
[ 22.875617][ T285] print_address_description+0x81/0x3b0
[ 22.880996][ T285] kasan_report+0x179/0x1c0
[ 22.885357][ T285] ? ext4_insert_dentry+0x392/0x710
[ 22.890397][ T285] ? ext4_insert_dentry+0x392/0x710
[ 22.895437][ T285] kasan_check_range+0x293/0x2a0
[ 22.900181][ T285] ? ext4_insert_dentry+0x392/0x710
[ 22.905215][ T285] memcpy+0x44/0x70
[ 22.908858][ T285] ext4_insert_dentry+0x392/0x710
[ 22.913722][ T285] add_dirent_to_buf+0x3ac/0x780
[ 22.918493][ T285] ? ext4_dx_add_entry+0x1600/0x1600
[ 22.923614][ T285] ? ext4_handle_dirty_dx_node+0x41c/0x580
[ 22.929432][ T285] make_indexed_dir+0xe9f/0x1500
[ 22.934295][ T285] ? add_dirent_to_buf+0x780/0x780
[ 22.939233][ T285] ? add_dirent_to_buf+0x36f/0x780
[ 22.944185][ T285] ? ext4_dx_add_entry+0x1600/0x1600
[ 22.949307][ T285] ? __kasan_check_read+0x11/0x20
[ 22.954163][ T285] ? __ext4_read_dirblock+0x4d8/0x8c0
[ 22.959377][ T285] ext4_add_entry+0xdcf/0x1280
[ 22.964616][ T285] ? ext4_inc_count+0x190/0x190
[ 22.969302][ T285] ? ext4_init_new_dir+0x7c8/0xa20
[ 22.974238][ T285] ? ext4_init_dot_dotdot+0x500/0x500
[ 22.979460][ T285] ext4_mkdir+0x4d2/0xba0
[ 22.983622][ T285] ? ext4_symlink+0xe40/0xe40
[ 22.988601][ T285] ? selinux_inode_mkdir+0x22/0x30
[ 22.993533][ T285] ? security_inode_mkdir+0xbc/0x100
[ 22.998726][ T285] vfs_mkdir+0x4cf/0x6c0
[ 23.002836][ T285] do_mkdirat+0x1a6/0x2c0
[ 23.006987][ T285] ? do_mknodat+0x450/0x450
[ 23.011576][ T285] ? fpu__clear_all+0x20/0x20
[ 23.016170][ T285] ? __kasan_check_read+0x11/0x20
[ 23.021024][ T285] __x64_sys_mkdirat+0x7b/0x90
[ 23.025704][ T285] do_syscall_64+0x34/0x70
[ 23.029902][ T285] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.035596][ T285] RIP: 0033:0x7f5f11093679
[ 23.039846][ T285] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 23.059294][ T285] RSP: 002b:00007ffcf1946798 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 23.067542][ T285] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5f11093679
[ 23.075442][ T285] RDX: 0000000000000000 RSI: 00004000000005c0 RDI: 00000000ffffff9c
[ 23.083249][ T285] RBP: 00007f5f110d7614 R08: 00007f5f110d7644 R09: 00007f5f110d7644
[ 23.091058][ T285] R10: 00007f5f110d7644 R11: 0000000000000246 R12: 00007f5f110d7595
[ 23.098962][ T285] R13: 00007ffcf19467f0 R14: 00007f5f110d7470 R15: 00007ffcf19467dc
[ 23.106771][ T285]
[ 23.108926][ T285] The buggy address belongs to the page:
[ 23.114510][ T285] page:ffffea00047580c0 refcount:3 mapcount:0 mapping:ffff888109341390 index:0x3f pfn:0x11d603
[ 23.125173][ T285] aops:def_blk_aops ino:0
[ 23.129331][ T285] flags: 0x400000000000202a(referenced|dirty|active|private)
[ 23.136549][ T285] raw: 400000000000202a dead000000000100 dead000000000122 ffff888109341390
[ 23.144959][ T285] raw: 000000000000003f ffff88811bf52f18 00000003ffffffff ffff888100138000
[ 23.153383][ T285] page dumped because: kasan: bad access detected
[ 23.159620][ T285] page->mem_cgroup:ffff888100138000
[ 23.164657][ T285] page_owner tracks the page as allocated
[ 23.170243][ T285] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 285, ts 22805010929, free_ts 16587653139
[ 23.187059][ T285] prep_new_page+0x166/0x180
[ 23.191571][ T285] get_page_from_freelist+0x2d8c/0x2f30
[ 23.196943][ T285] __alloc_pages_nodemask+0x435/0xaf0
[ 23.202149][ T285] pagecache_get_page+0x669/0x950
[ 23.207011][ T285] __getblk_gfp+0x221/0x7e0
[ 23.211352][ T285] ext4_getblk+0x259/0x660
[ 23.215610][ T285] ext4_bread+0x2f/0x1b0
[ 23.219685][ T285] ext4_append+0x29a/0x4d0
[ 23.223931][ T285] make_indexed_dir+0x505/0x1500
[ 23.228708][ T285] ext4_add_entry+0xdcf/0x1280
[ 23.233309][ T285] ext4_mkdir+0x4d2/0xba0
[ 23.237473][ T285] vfs_mkdir+0x4cf/0x6c0
[ 23.241550][ T285] do_mkdirat+0x1a6/0x2c0
[ 23.245717][ T285] __x64_sys_mkdirat+0x7b/0x90
[ 23.250321][ T285] do_syscall_64+0x34/0x70
[ 23.254572][ T285] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.260295][ T285] page last free stack trace:
[ 23.264819][ T285] free_unref_page_prepare+0x2ae/0x2d0
[ 23.270106][ T285] free_unref_page_list+0x122/0xb20
[ 23.275148][ T285] release_pages+0xea0/0xef0
[ 23.279580][ T285] free_pages_and_swap_cache+0x8a/0xa0
[ 23.285088][ T285] tlb_finish_mmu+0x177/0x320
[ 23.289684][ T285] unmap_region+0x31c/0x370
[ 23.294017][ T285] __do_munmap+0x699/0x8c0
[ 23.298362][ T285] __se_sys_brk+0x3cf/0x730
[ 23.302784][ T285] __x64_sys_brk+0x38/0x40
[ 23.307120][ T285] do_syscall_64+0x34/0x70
[ 23.311396][ T285] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.317100][ T285]
[ 23.319267][ T285] Memory state around the buggy address:
[ 23.324743][ T285] ffff88811d603f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.332642][ T285] ffff88811d603f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.340711][ T285] >ffff88811d604000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.348605][ T285] ^
[ 23.352599][ T285] ffff88811d604080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.360511][ T285] ffff88811d604100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.368403][ T285] ==================================================================
[ 23.376467][ T285] Disabling lock debugging due to kernel taint