Warning: Permanently added '10.128.1.35' (ED25519) to the list of known hosts.
[ 23.256216][ T28] audit: type=1400 audit(1722310936.130:66): avc: denied { execmem } for pid=290 comm="syz-executor601" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 23.275557][ T28] audit: type=1400 audit(1722310936.130:67): avc: denied { setattr } for pid=290 comm="syz-executor601" name="raw-gadget" dev="devtmpfs" ino=166 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 23.298769][ T28] audit: type=1400 audit(1722310936.130:68): avc: denied { mounton } for pid=292 comm="syz-executor601" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 23.322438][ T28] audit: type=1400 audit(1722310936.130:69): avc: denied { mount } for pid=292 comm="syz-executor601" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1
[ 23.344613][ T28] audit: type=1400 audit(1722310936.130:70): avc: denied { mounton } for pid=292 comm="syz-executor601" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 23.365932][ T28] audit: type=1400 audit(1722310936.130:71): avc: denied { module_request } for pid=292 comm="syz-executor601" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 23.388152][ T292] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.394980][ T292] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.402278][ T292] device bridge_slave_0 entered promiscuous mode
[ 23.408875][ T292] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.415695][ T292] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.422934][ T292] device bridge_slave_1 entered promiscuous mode
[ 23.459814][ T28] audit: type=1400 audit(1722310936.340:72): avc: denied { create } for pid=292 comm="syz-executor601" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.464744][ T292] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.480288][ T28] audit: type=1400 audit(1722310936.340:73): avc: denied { write } for pid=292 comm="syz-executor601" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.487060][ T292] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.507734][ T28] audit: type=1400 audit(1722310936.340:74): avc: denied { read } for pid=292 comm="syz-executor601" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.514491][ T292] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.541512][ T292] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.566314][ T39] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.573745][ T39] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.582513][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 23.589989][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 23.609285][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 23.618572][ T39] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.625449][ T39] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.633011][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 23.641402][ T39] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.648271][ T39] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.655807][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 23.663660][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 23.675193][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.685817][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.693846][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 23.701564][ T39] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 23.709805][ T292] device veth0_vlan entered promiscuous mode
[ 23.720274][ T292] device veth1_macvtap entered promiscuous mode
[ 23.728935][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.738692][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 23.748232][ T60] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 23.763355][ T28] audit: type=1400 audit(1722310936.640:75): avc: denied { mounton } for pid=292 comm="syz-executor601" path="/root/syzkaller.4TOszM/syz-tmp" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 23.794183][ T292] loop0: detected capacity change from 0 to 2048
[ 23.800608][ T292] =======================================================
[ 23.800608][ T292] WARNING: The mand mount option has been deprecated and
[ 23.800608][ T292] and is ignored by this kernel. Remove the mand
[ 23.800608][ T292] option from the mount to silence this warning.
[ 23.800608][ T292] =======================================================
[ 23.840306][ T292] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
[ 23.854876][ T292] ==================================================================
[ 23.862751][ T292] BUG: KASAN: use-after-free in ext4_search_dir+0xf7/0x1b0
[ 23.869781][ T292] Read of size 1 at addr ffff88811fb3ed0b by task syz-executor601/292
[ 23.877761][ T292]
[ 23.879941][ T292] CPU: 1 PID: 292 Comm: syz-executor601 Not tainted 6.1.90-syzkaller-00122-g7fa70ede91bb #0
[ 23.889826][ T292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 23.899731][ T292] Call Trace:
[ 23.902847][ T292]
[ 23.905622][ T292]  dump_stack_lvl+0x151/0x1b7
[ 23.910138][ T292]  ? nf_tcp_handle_invalid+0x3f1/0x3f1
[ 23.915430][ T292]  ? _printk+0xd1/0x111
[ 23.919422][ T292]  ? __virt_addr_valid+0x242/0x2f0
[ 23.924368][ T292]  print_report+0x158/0x4e0
[ 23.928709][ T292]  ? __virt_addr_valid+0x242/0x2f0
[ 23.933654][ T292]  ? kasan_addr_to_slab+0xd/0x80
[ 23.938486][ T292]  ? ext4_search_dir+0xf7/0x1b0
[ 23.943116][ T292]  kasan_report+0x13c/0x170
[ 23.947458][ T292]  ? ext4_search_dir+0xf7/0x1b0
[ 23.952147][ T292]  __asan_report_load1_noabort+0x14/0x20
[ 23.957611][ T292]  ext4_search_dir+0xf7/0x1b0
[ 23.962125][ T292]  ext4_find_inline_entry+0x4b6/0x5e0
[ 23.967329][ T292]  ? x64_sys_call+0x49d/0x9a0
[ 23.971844][ T292]  ? do_syscall_64+0x3b/0xb0
[ 23.976272][ T292]  ? ext4_try_create_inline_dir+0x320/0x320
[ 23.982000][ T292]  __ext4_find_entry+0x2b0/0x1af0
[ 23.986862][ T292]  ? ext4_fname_setup_ci_filename+0x70/0x480
[ 23.992676][ T292]  ? ext4_ci_compare+0x660/0x660
[ 23.997448][ T292]  ? memcpy+0x56/0x70
[ 24.001268][ T292]  ? ext4_fname_prepare_lookup+0x3b5/0x4e0
[ 24.006910][ T292]  ? d_alloc_parallel+0x116c/0x12e0
[ 24.011944][ T292]  ? generic_set_encrypted_ci_d_ops+0x91/0xf0
[ 24.017846][ T292]  ext4_lookup+0x176/0x740
[ 24.022105][ T292]  ? ext4_add_entry+0xed0/0xed0
[ 24.026786][ T292]  ? __down_common+0x690/0x690
[ 24.031392][ T292]  ? lockref_get_not_dead+0x248/0x340
[ 24.036597][ T292]  ? lockref_mark_dead+0xb0/0xb0
[ 24.041377][ T292]  __lookup_slow+0x2b9/0x3e0
[ 24.045792][ T292]  ? lookup_one_len+0x2c0/0x2c0
[ 24.050484][ T292]  lookup_slow+0x5a/0x80
[ 24.054579][ T292]  walk_component+0x2e7/0x410
[ 24.059078][ T292]  path_lookupat+0x16d/0x450
[ 24.063502][ T292]  filename_lookup+0x251/0x600
[ 24.068098][ T292]  ? hashlen_string+0x120/0x120
[ 24.072787][ T292]  ? strncpy_from_user+0x169/0x2b0
[ 24.077731][ T292]  ? getname_flags+0x1fd/0x520
[ 24.082330][ T292]  user_path_at_empty+0x43/0x1a0
[ 24.087104][ T292]  __se_sys_mount+0x285/0x3b0
[ 24.091619][ T292]  ? __x64_sys_mount+0xd0/0xd0
[ 24.096217][ T292]  ? fpregs_restore_userregs+0x130/0x290
[ 24.101775][ T292]  __x64_sys_mount+0xbf/0xd0
[ 24.106196][ T292]  x64_sys_call+0x49d/0x9a0
[ 24.110538][ T292]  do_syscall_64+0x3b/0xb0
[ 24.114875][ T292]  ? clear_bhb_loop+0x55/0xb0
[ 24.119391][ T292]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 24.125134][ T292] RIP: 0033:0x7f4dfd601579
[ 24.129383][ T292] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 24.148815][ T292] RSP: 002b:00007ffef9e73bc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 24.157057][ T292] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4dfd601579
[ 24.164869][ T292] RDX: 0000000000000000 RSI: 0000000020002ac0 RDI: 0000000000000000
[ 24.173029][ T292] RBP: 00007f4dfd645576 R08: 0000000000000000 R09: 00007f4dfd645598
[ 24.180840][ T292] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4dfd645536
[ 24.188656][ T292] R13: 00007ffef9e73c30 R14: 0000000000000003 R15: 00007ffef9e73c08
[ 24.196553][ T292]
[ 24.199414][ T292]
[ 24.201584][ T292] The buggy address belongs to the physical page:
[ 24.207833][ T292] page:ffffea00047ecf80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11fb3e
[ 24.217902][ T292] flags: 0x4000000000000000(zone=1)
[ 24.222937][ T292] raw: 4000000000000000 ffffea00047ecfc8 ffffea00047ecf48 0000000000000000
[ 24.231369][ T292] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 24.239771][ T292] page dumped because: kasan: bad access detected
[ 24.246026][ T292] page_owner tracks the page as freed
[ 24.251234][ T292] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 292, tgid 292 (syz-executor601), ts 23789364802, free_ts 23793739376
[ 24.270757][ T292]  post_alloc_hook+0x213/0x220
[ 24.275354][ T292]  prep_new_page+0x1b/0x110
[ 24.279694][ T292]  get_page_from_freelist+0x27ea/0x2870
[ 24.285076][ T292]  __alloc_pages+0x3a1/0x780
[ 24.289519][ T292]  __folio_alloc+0x15/0x40
[ 24.293754][ T292]  wp_page_copy+0x23b/0x1690
[ 24.298186][ T292]  do_wp_page+0xc5c/0xf30
[ 24.302351][ T292]  handle_mm_fault+0x15e0/0x30e0
[ 24.307123][ T292]  exc_page_fault+0x3b3/0x700
[ 24.311637][ T292]  asm_exc_page_fault+0x27/0x30
[ 24.316322][ T292] page last free stack trace:
[ 24.320834][ T292]  free_unref_page_prepare+0x83d/0x850
[ 24.326169][ T292]  free_unref_page_list+0xf1/0x7b0
[ 24.331075][ T292]  release_pages+0xf7f/0xfe0
[ 24.335501][ T292]  free_pages_and_swap_cache+0x8a/0xa0
[ 24.340797][ T292]  tlb_finish_mmu+0x1e0/0x3f0
[ 24.345314][ T292]  unmap_region+0x2c1/0x310
[ 24.349651][ T292]  do_mas_align_munmap+0xd05/0x1400
[ 24.354683][ T292]  do_mas_munmap+0x23e/0x2b0
[ 24.359110][ T292]  __vm_munmap+0x263/0x3a0
[ 24.363360][ T292]  __x64_sys_munmap+0x6b/0x80
[ 24.367874][ T292]  x64_sys_call+0x75/0x9a0
[ 24.372127][ T292]  do_syscall_64+0x3b/0xb0
[ 24.376379][ T292]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 24.382114][ T292]
[ 24.384276][ T292] Memory state around the buggy address:
[ 24.389748][ T292]  ffff88811fb3ec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.397647][ T292]  ffff88811fb3ec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.405552][ T292] >ffff88811fb3ed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.413445][ T292]                                     ^
[ 24.417608][ T292]  ffff88811fb3ed80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.425508][ T292]  ffff88811fb3ee00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 24.433406][ T292] ==================================================================
[ 24.444656][ T292] Disabling lock debugging due to kernel taint
[ 24.452258][ T292] EXT4-fs (loop0): unmounting filesystem.
[