forked to background, child pid 192
Starting sshd: OK
syzkaller
syzkaller login: [ 17.708253][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 17.708261][ T22] audit: type=1400 audit(1640999212.979:71): avc: denied { transition } for pid=265 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 17.713290][ T22] audit: type=1400 audit(1640999212.979:72): avc: denied { write } for pid=265 comm="sh" path="pipe:[572]" dev="pipefs" ino=572 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[ 18.591996][ T269] sshd (269) used greatest stack depth: 26056 bytes left
Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
[ 24.207851][ T22] audit: type=1400 audit(1640999219.479:73): avc: denied { execmem } for pid=298 comm="syz-executor999" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 24.228714][ T22] audit: type=1400 audit(1640999219.509:74): avc: denied { mounton } for pid=298 comm="syz-executor999" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 24.257402][ T22] audit: type=1400 audit(1640999219.509:75): avc: denied { mount } for pid=298 comm="syz-executor999" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 24.280965][ T22] audit: type=1400 audit(1640999219.509:76): avc: denied { setattr } for pid=298 comm="syz-executor999" name="raw-gadget" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 24.304614][ T22] audit: type=1400 audit(1640999219.539:77): avc: denied { mounton } for pid=299 comm="syz-executor999" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 24.310206][ T299] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.328571][ T22] audit: type=1400 audit(1640999219.539:78): avc: denied { mount } for pid=299 comm="syz-executor999" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1
[ 24.328584][ T22] audit: type=1400 audit(1640999219.539:79): avc: denied { mounton } for pid=299 comm="syz-executor999" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 24.328598][ T22] audit: type=1400 audit(1640999219.539:80): avc: denied { module_request } for pid=299 comm="syz-executor999" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 24.401579][ T299] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.409104][ T299] device bridge_slave_0 entered promiscuous mode
[ 24.416162][ T299] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.423221][ T299] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.430521][ T299] device bridge_slave_1 entered promiscuous mode
[ 24.462238][ T22] audit: type=1400 audit(1640999219.729:81): avc: denied { create } for pid=299 comm="syz-executor999" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.479469][ T299] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.483013][ T22] audit: type=1400 audit(1640999219.749:82): avc: denied { write } for pid=299 comm="syz-executor999" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.490049][ T299] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.518862][ T299] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.525925][ T299] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.546891][ T67] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.554914][ T67] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.562178][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 24.570068][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 24.579434][ T118] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 24.587605][ T118] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.594633][ T118] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.603115][ T67] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 24.611288][ T67] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.618314][ T67] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.634318][ T118] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 24.642390][ T118] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 24.663927][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.672262][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.680924][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 24.690222][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 24.698815][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.715970][ T306] ==================================================================
[ 24.724045][ T306] BUG: KASAN: slab-out-of-bounds in legacy_parse_param+0x4c1/0x720
[ 24.731902][ T306] Write of size 92 at addr ffff8881ddd77000 by task syz-executor999/306
[ 24.740192][ T306]
[ 24.742494][ T306] CPU: 1 PID: 306 Comm: syz-executor999 Not tainted 5.4.147-syzkaller-00015-g5b673be0c6b0 #0
[ 24.752607][ T306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.762903][ T306] Call Trace:
[ 24.766171][ T306]  dump_stack+0x18e/0x1de
[ 24.770470][ T306]  ? vprintk_emit+0x385/0x400
[ 24.775115][ T306]  print_address_description+0x9b/0x650
[ 24.780629][ T306]  ? printk+0x76/0xa4
[ 24.784587][ T306]  ? vprintk_emit+0x37c/0x400
[ 24.789243][ T306]  __kasan_report+0x182/0x260
[ 24.793893][ T306]  ? legacy_parse_param+0x4c1/0x720
[ 24.799065][ T306]  kasan_report+0x30/0x60
[ 24.803368][ T306]  check_memory_region+0x2a5/0x2e0
[ 24.808470][ T306]  ? legacy_parse_param+0x4c1/0x720
[ 24.813723][ T306]  memcpy+0x38/0x50
[ 24.817512][ T306]  legacy_parse_param+0x4c1/0x720
[ 24.822512][ T306]  vfs_parse_fs_param+0x20f/0x430
[ 24.824165][ T299] syz-executor999 (299) used greatest stack depth: 25048 bytes left
[ 24.827513][ T306]  __se_sys_fsconfig+0xc6b/0xf40
[ 24.840365][ T306]  do_syscall_64+0xcb/0x1e0
[ 24.844843][ T306]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.850701][ T306] RIP: 0033:0x7fc100c69939
[ 24.855086][ T306] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 24.874654][ T306] RSP: 002b:00007fc100c17208 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[ 24.883041][ T306] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fc100c69939
[ 24.891356][ T306] RDX: 0000000020000280 RSI: 0000000000000001 RDI: 0000000000000003
[ 24.899311][ T306] RBP: 00007fc100cf24a0 R08: 0000000000000000 R09: 00007fc100cf24a8
[ 24.907261][ T306] R10: 00000000200000c0 R11: 0000000000000246 R12: 00007fc100cf24ac
[ 24.915229][ T306] R13: 00007ffe217a312f R14: 00007fc100c17300 R15: 0000000000022000
[ 24.923280][ T306]
[ 24.925584][ T306] Allocated by task 307:
[ 24.929810][ T306]  __kasan_kmalloc+0x137/0x1e0
[ 24.934560][ T306]  kmem_cache_alloc_trace+0x139/0x2b0
[ 24.939910][ T306]  legacy_parse_param+0x421/0x720
[ 24.944919][ T306]  vfs_parse_fs_param+0x20f/0x430
[ 24.949925][ T306]  __se_sys_fsconfig+0xc6b/0xf40
[ 24.955108][ T306]  do_syscall_64+0xcb/0x1e0
[ 24.959588][ T306]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 24.965444][ T306]
[ 24.967745][ T306] Freed by task 0:
[ 24.971431][ T306] (stack is not available)
[ 24.975814][ T306]
[ 24.978112][ T306] The buggy address belongs to the object at ffff8881ddd76000
[ 24.978112][ T306]  which belongs to the cache kmalloc-4k of size 4096
[ 24.992138][ T306] The buggy address is located 0 bytes to the right of
[ 24.992138][ T306]  4096-byte region [ffff8881ddd76000, ffff8881ddd77000)
[ 25.006089][ T306] The buggy address belongs to the page:
[ 25.011698][ T306] page:ffffea0007775c00 refcount:1 mapcount:0 mapping:ffff8881f5c0c280 index:0x0 compound_mapcount: 0
[ 25.022837][ T306] flags: 0x8000000000010200(slab|head)
[ 25.028269][ T306] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5c0c280
[ 25.036826][ T306] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 25.045382][ T306] page dumped because: kasan: bad access detected
[ 25.051774][ T306] page_owner tracks the page as allocated
[ 25.057904][ T306] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[ 25.072884][ T306]  prep_new_page+0x19a/0x380
[ 25.077468][ T306]  get_page_from_freelist+0x550/0x8b0
[ 25.082810][ T306]  __alloc_pages_nodemask+0x2d6/0x740
[ 25.088237][ T306]  alloc_slab_page+0x39/0x3e0
[ 25.092880][ T306]  new_slab+0x97/0x460
[ 25.096933][ T306]  ___slab_alloc+0x330/0x4c0
[ 25.101493][ T306]  __kmalloc_track_caller+0x1d1/0x2e0
[ 25.106959][ T306]  __alloc_skb+0xaf/0x4d0
[ 25.111271][ T306]  rtmsg_ifinfo_build_skb+0x81/0x180
[ 25.116531][ T306]  rtmsg_ifinfo+0x73/0x120
[ 25.120918][ T306]  netdev_state_change+0x11a/0x1a0
[ 25.126007][ T306]  linkwatch_do_dev+0xca/0x120
[ 25.130753][ T306]  __linkwatch_run_queue+0x49e/0x7a0
[ 25.136013][ T306]  linkwatch_event+0x48/0x50
[ 25.140586][ T306]  process_one_work+0x679/0x1030
[ 25.145592][ T306]  worker_thread+0xa6f/0x1400
[ 25.150239][ T306] page_owner free stack trace missing
[ 25.155581][ T306]
[ 25.157882][ T306] Memory state around the buggy address:
[ 25.163485][ T306]  ffff8881ddd76f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.171527][ T306]  ffff8881ddd76f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 25.179652][ T306] >ffff8881ddd77000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.187687][ T306]                    ^
[ 25.191737][ T306]  ffff8881ddd77080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.199961][ T306]  ffff8881ddd77100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.207995][ T306] ==================================================================
[ 25.216024][ T306] Disabling lock debugging due to kernel taint