Warning: Permanently added '10.128.1.181' (ED25519) to the list of known hosts.
2025/05/12 23:10:06 ignoring optional flag "sandboxArg"="0"
2025/05/12 23:10:07 parsed 1 programs
[ 27.279277][ T23] audit: type=1400 audit(1747091407.380:81): avc: denied { node_bind } for pid=335 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 28.066707][ T23] audit: type=1400 audit(1747091408.170:82): avc: denied { mounton } for pid=343 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 28.068712][ T343] cgroup1: Unknown subsys name 'net'
[ 28.089556][ T23] audit: type=1400 audit(1747091408.170:83): avc: denied { mount } for pid=343 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 28.095615][ T343] cgroup1: Unknown subsys name 'net_prio'
[ 28.123708][ T343] cgroup1: Unknown subsys name 'devices'
[ 28.130278][ T23] audit: type=1400 audit(1747091408.230:84): avc: denied { unmount } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 28.264820][ T343] cgroup1: Unknown subsys name 'hugetlb'
[ 28.270841][ T343] cgroup1: Unknown subsys name 'rlimit'
[ 28.441604][ T23] audit: type=1400 audit(1747091408.540:85): avc: denied { setattr } for pid=343 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10699 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 28.465184][ T23] audit: type=1400 audit(1747091408.540:86): avc: denied { create } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.472762][ T346] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 28.485919][ T23] audit: type=1400 audit(1747091408.550:87): avc: denied { write } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.514718][ T23] audit: type=1400 audit(1747091408.550:88): avc: denied { read } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.535163][ T23] audit: type=1400 audit(1747091408.550:89): avc: denied { module_request } for pid=343 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 28.557161][ T23] audit: type=1400 audit(1747091408.550:90): avc: denied { mounton } for pid=343 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 28.612800][ T343] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 28.931260][ T348] request_module fs-gadgetfs succeeded, but still no fs?
[ 29.113256][ T359] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.120292][ T359] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.127940][ T359] device bridge_slave_0 entered promiscuous mode
[ 29.134835][ T359] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.141943][ T359] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.149439][ T359] device bridge_slave_1 entered promiscuous mode
[ 29.189050][ T359] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.196194][ T359] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.204069][ T359] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.211100][ T359] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.233181][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.240471][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.247920][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 29.255499][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.265676][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.274599][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.281613][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.290586][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.299078][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.306257][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.320512][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.329998][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.346075][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.357313][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.369956][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.382849][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.393487][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.443021][ T359] syz-executor (359) used greatest stack depth: 21184 bytes left
[ 30.052049][ T102] device bridge_slave_1 left promiscuous mode
[ 30.058638][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.067577][ T102] device bridge_slave_0 left promiscuous mode
[ 30.073946][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
2025/05/12 23:10:10 executed programs: 0
[ 30.251997][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.259283][ T413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.266805][ T413] device bridge_slave_0 entered promiscuous mode
[ 30.274033][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.281042][ T413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.288539][ T413] device bridge_slave_1 entered promiscuous mode
[ 30.327785][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.335130][ T413] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.342787][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.350277][ T413] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.371551][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.379340][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.386694][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.396250][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.404985][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.412005][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.433518][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.441736][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.448790][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.457248][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.465608][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.480046][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.491630][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.504592][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.517171][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 30.527251][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 45.605083][ T442] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.612260][ T442] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.619615][ T442] device bridge_slave_0 entered promiscuous mode
[ 45.626593][ T442] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.633620][ T442] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.640973][ T442] device bridge_slave_1 entered promiscuous mode
[ 45.680859][ T442] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.687927][ T442] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.695202][ T442] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.702231][ T442] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.722253][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.729544][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.737140][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 45.745284][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.754882][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.763194][ T102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.770205][ T102] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.779153][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.787417][ T102] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.794445][ T102] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.807124][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 45.816306][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.831425][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 45.842640][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 45.855777][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 45.867752][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/05/12 23:10:26 executed programs: 3
[ 45.877654][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 45.898844][ T442] ==================================================================
[ 45.907038][ T442] BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30
[ 45.914041][ T442] Read of size 4 at addr ffff8881e98c2f78 by task syz-executor/442
[ 45.921929][ T442]
[ 45.924254][ T442] CPU: 1 PID: 442 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
[ 45.934118][ T442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 45.944163][ T442] Call Trace:
[ 45.947435][ T442] __dump_stack+0x1e/0x20
[ 45.951749][ T442] dump_stack+0x15b/0x1b8
[ 45.956058][ T442] ? vprintk_default+0x28/0x30
[ 45.960809][ T442] ? show_regs_print_info+0x18/0x18
[ 45.965988][ T442] ? printk+0xcc/0x110
[ 45.970040][ T442] ? __mutex_lock+0xace/0xe30
[ 45.974718][ T442] print_address_description+0x8d/0x4c0
[ 45.980247][ T442] ? __mutex_lock+0xace/0xe30
[ 45.984907][ T442] __kasan_report+0xef/0x120
[ 45.989477][ T442] ? __mutex_lock+0xace/0xe30
[ 45.994140][ T442] kasan_report+0x30/0x60
[ 45.998626][ T442] __asan_report_load4_noabort+0x14/0x20
[ 46.004240][ T442] __mutex_lock+0xace/0xe30
[ 46.008728][ T442] ? __kasan_check_write+0x14/0x20
[ 46.013908][ T442] ? kobject_get_unless_zero+0x15e/0x1e0
[ 46.019523][ T442] ? __ww_mutex_lock_interruptible_slowpath+0x20/0x20
[ 46.026262][ T442] ? mutex_lock+0x8c/0xe0
[ 46.030574][ T442] ? disk_check_events+0x5c0/0x5c0
[ 46.035667][ T442] __mutex_lock_killable_slowpath+0xe/0x10
[ 46.041456][ T442] mutex_lock_killable+0xd3/0xe0
[ 46.046379][ T442] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 46.052867][ T442] ? __kasan_check_write+0x14/0x20
[ 46.057965][ T442] ? kobject_get+0xd3/0x120
[ 46.062451][ T442] lo_open+0x1d/0xc0
[ 46.066329][ T442] __blkdev_get+0x610/0x1560
[ 46.070903][ T442] ? blkdev_get+0x380/0x380
[ 46.075388][ T442] ? _raw_spin_lock+0x8e/0xe0
[ 46.080136][ T442] ? _raw_spin_trylock_bh+0x130/0x130
[ 46.085492][ T442] ? __fsnotify_parent+0x310/0x310
[ 46.090587][ T442] blkdev_get+0x68/0x380
[ 46.094989][ T442] ? bd_acquire+0x30a/0x340
[ 46.099475][ T442] blkdev_open+0x1cb/0x2b0
[ 46.103875][ T442] ? block_ioctl+0x100/0x100
[ 46.108450][ T442] do_dentry_open+0x8b5/0x1030
[ 46.113200][ T442] ? finish_open+0xd0/0xd0
[ 46.117643][ T442] ? inode_permission+0xed/0x540
[ 46.122563][ T442] vfs_open+0x73/0x80
[ 46.126529][ T442] path_openat+0x2a5e/0x35c0
[ 46.131110][ T442] ? kmem_cache_alloc+0xe2/0x270
[ 46.136036][ T442] ? getname_flags+0xb9/0x500
[ 46.140694][ T442] ? getname+0x19/0x20
[ 46.144758][ T442] ? do_filp_open+0x3f0/0x3f0
[ 46.149422][ T442] do_filp_open+0x1ae/0x3f0
[ 46.153907][ T442] ? vfs_tmpfile+0x2c0/0x2c0
[ 46.158487][ T442] ? get_unused_fd_flags+0x93/0xa0
[ 46.163584][ T442] do_sys_open+0x2bb/0x5d0
[ 46.167983][ T442] ? file_open_root+0x2b0/0x2b0
[ 46.172818][ T442] ? debug_smp_processor_id+0x1c/0x20
[ 46.178174][ T442] __x64_sys_openat+0xa2/0xb0
[ 46.182837][ T442] do_syscall_64+0xcf/0x170
[ 46.187323][ T442] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 46.193208][ T442] RIP: 0033:0x7fe9c5dc7251
[ 46.197610][ T442] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 46.217282][ T442] RSP: 002b:00007ffcacc85f60 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 46.225673][ T442] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe9c5dc7251
[ 46.233781][ T442] RDX: 0000000000000002 RSI: 00007ffcacc86070 RDI: 00000000ffffff9c
[ 46.241749][ T442] RBP: 00007ffcacc86070 R08: 000000000000000a R09: 00007ffcacc85d27
[ 46.249798][ T442] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 46.257756][ T442] R13: 00007fe9c5fb7260 R14: 0000000000000003 R15: 00007ffcacc86070
[ 46.265744][ T442]
[ 46.268062][ T442] Allocated by task 423:
[ 46.272289][ T442] __kasan_kmalloc+0x162/0x200
[ 46.277033][ T442] kasan_slab_alloc+0x12/0x20
[ 46.281803][ T442] kmem_cache_alloc+0xe2/0x270
[ 46.286550][ T442] dup_task_struct+0x57/0x640
[ 46.291230][ T442] copy_process+0x503/0x2cf0
[ 46.295801][ T442] _do_fork+0x190/0x860
[ 46.299938][ T442] __x64_sys_clone3+0x1de/0x1f0
[ 46.304770][ T442] do_syscall_64+0xcf/0x170
[ 46.309263][ T442] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 46.315129][ T442]
[ 46.317438][ T442] Freed by task 10:
[ 46.321229][ T442] __kasan_slab_free+0x1c3/0x280
[ 46.326147][ T442] kasan_slab_free+0xe/0x10
[ 46.330636][ T442] slab_free_freelist_hook+0xb7/0x180
[ 46.335990][ T442] kmem_cache_free+0x10c/0x2c0
[ 46.340738][ T442] free_task+0xe9/0x150
[ 46.344875][ T442] __put_task_struct+0x2b7/0x420
[ 46.349796][ T442] delayed_put_task_struct+0x71/0x210
[ 46.355164][ T442] rcu_do_batch+0x446/0x980
[ 46.359646][ T442] rcu_core+0x4bd/0xbd0
[ 46.363794][ T442] rcu_core_si+0x9/0x10
[ 46.368051][ T442] __do_softirq+0x236/0x660
[ 46.372532][ T442]
[ 46.374860][ T442] The buggy address belongs to the object at ffff8881e98c2f40
[ 46.374860][ T442] which belongs to the cache task_struct of size 3904
[ 46.388985][ T442] The buggy address is located 56 bytes inside of
[ 46.388985][ T442] 3904-byte region [ffff8881e98c2f40, ffff8881e98c3e80)
[ 46.402233][ T442] The buggy address belongs to the page:
[ 46.407862][ T442] page:ffffea0007a63000 refcount:1 mapcount:0 mapping:ffff8881f5cf5400 index:0x0 compound_mapcount: 0
[ 46.418803][ T442] flags: 0x8000000000010200(slab|head)
[ 46.424250][ T442] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf5400
[ 46.432823][ T442] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 46.441386][ T442] page dumped because: kasan: bad access detected
[ 46.447780][ T442] page_owner tracks the page as allocated
[ 46.453506][ T442] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 46.469889][ T442] prep_new_page+0x35e/0x370
[ 46.474467][ T442] get_page_from_freelist+0x1296/0x1310
[ 46.480100][ T442] __alloc_pages_nodemask+0x202/0x4b0
[ 46.485454][ T442] alloc_slab_page+0x3c/0x3b0
[ 46.490117][ T442] new_slab+0x93/0x420
[ 46.494170][ T442] ___slab_alloc+0x29e/0x420
[ 46.498742][ T442] __slab_alloc+0x63/0xa0
[ 46.503057][ T442] kmem_cache_alloc+0x12c/0x270
[ 46.507889][ T442] dup_task_struct+0x57/0x640
[ 46.512636][ T442] copy_process+0x503/0x2cf0
[ 46.517207][ T442] _do_fork+0x190/0x860
[ 46.521345][ T442] kernel_thread+0x6f/0x90
[ 46.525747][ T442] kthreadd+0x354/0x480
[ 46.529885][ T442] ret_from_fork+0x1f/0x30
[ 46.534279][ T442] page last free stack trace:
[ 46.538937][ T442] __free_pages_ok+0x7e4/0x910
[ 46.543681][ T442] __free_pages+0x8c/0x110
[ 46.548084][ T442] __free_slab+0x218/0x2d0
[ 46.552481][ T442] unfreeze_partials+0x165/0x1a0
[ 46.557414][ T442] put_cpu_partial+0xc1/0x180
[ 46.562087][ T442] __slab_free+0x2be/0x380
[ 46.566579][ T442] ___cache_free+0xbb/0xd0
[ 46.570984][ T442] qlink_free+0x23/0x30
[ 46.575138][ T442] qlist_free_all+0x5f/0xb0
[ 46.579624][ T442] quarantine_reduce+0x1a8/0x200
[ 46.584572][ T442] __kasan_kmalloc+0x42/0x200
[ 46.589231][ T442] kasan_slab_alloc+0x12/0x20
[ 46.594061][ T442] kmem_cache_alloc_trace+0xe6/0x290
[ 46.599349][ T442] ____ip_mc_inc_group+0x1a5/0x840
[ 46.604442][ T442] ip_mc_up+0x112/0x1f0
[ 46.608584][ T442] inetdev_event+0xc13/0x1030
[ 46.613236][ T442]
[ 46.615543][ T442] Memory state around the buggy address:
[ 46.621169][ T442] ffff8881e98c2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 46.629222][ T442] ffff8881e98c2e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 46.637267][ T442] >ffff8881e98c2f00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 46.645326][ T442] ^
[ 46.653281][ T442] ffff8881e98c2f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.661320][ T442] ffff8881e98c3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.669361][ T442] ==================================================================
[ 46.677400][ T442] Disabling lock debugging due to kernel taint