Warning: Permanently added '10.128.0.37' (ED25519) to the list of known hosts. [ 24.548836][ T30] audit: type=1400 audit(1740442834.385:66): avc: denied { execmem } for pid=290 comm="syz-executor404" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 24.568061][ T30] audit: type=1400 audit(1740442834.385:67): avc: denied { integrity } for pid=290 comm="syz-executor404" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1 [ 24.589963][ T292] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 24.599095][ T30] audit: type=1400 audit(1740442834.445:68): avc: denied { relabelto } for pid=292 comm="mkswap" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.624396][ T30] audit: type=1400 audit(1740442834.445:69): avc: denied { write } for pid=292 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.631413][ T290] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 24.650113][ T30] audit: type=1400 audit(1740442834.465:70): avc: denied { read } for pid=290 comm="syz-executor404" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.683944][ T30] audit: type=1400 audit(1740442834.465:71): avc: denied { open } for pid=290 comm="syz-executor404" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.710173][ T30] audit: type=1400 audit(1740442834.515:72): avc: denied { mounton } for pid=293 comm="syz-executor404" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 24.731721][ T30] audit: type=1400 audit(1740442834.525:73): avc: denied { module_request } for pid=293 comm="syz-executor404" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 24.764055][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.770941][ T293] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.778287][ T293] device bridge_slave_0 entered promiscuous mode [ 24.784971][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.791836][ T293] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.799028][ T293] device bridge_slave_1 entered promiscuous mode [ 24.841846][ T30] audit: type=1400 audit(1740442834.675:74): avc: denied { create } for pid=293 comm="syz-executor404" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.848573][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.862353][ T30] audit: type=1400 audit(1740442834.675:75): avc: denied { write } for pid=293 comm="syz-executor404" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.869119][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.869237][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.903321][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.923820][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.931186][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.938794][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 24.946022][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.955055][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.963059][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.969920][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.979162][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.987241][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.994073][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.006249][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.015488][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.029110][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.040502][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.048670][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.055911][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.064059][ T293] device veth0_vlan entered promiscuous mode [ 25.074332][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.083335][ T293] device veth1_macvtap entered promiscuous mode executing program [ 25.092827][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.102621][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.121325][ T293] request_module fs-gadgetfs succeeded, but still no fs? [ 25.131750][ T293] loop0: detected capacity change from 0 to 512 [ 25.270468][ T293] EXT4-fs (loop0): 1 truncate cleaned up [ 25.275968][ T293] EXT4-fs (loop0): mounted filesystem without journal. Opts: noauto_da_alloc,grpquota,errors=continue,noauto_da_alloc,nolazytime,errors=continue,grpjquota=,errors=remount-ro,nobarrier,. Quota mode: writeback. [ 25.299403][ T293] ================================================================== [ 25.307293][ T293] BUG: KASAN: use-after-free in ext4_insert_dentry+0x392/0x710 [ 25.314667][ T293] Write of size 254 at addr ffff88811d437f10 by task syz-executor404/293 [ 25.322915][ T293] [ 25.325086][ T293] CPU: 1 PID: 293 Comm: syz-executor404 Not tainted 5.15.178-syzkaller-00013-g7d1f9b5c2ff5 #0 [ 25.335158][ T293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 25.345233][ T293] Call Trace: [ 25.348338][ T293] [ 25.351116][ T293] dump_stack_lvl+0x151/0x1c0 [ 25.355629][ T293] ? io_uring_drop_tctx_refs+0x190/0x190 [ 25.361107][ T293] ? panic+0x760/0x760 [ 25.365002][ T293] ? __ext4_handle_dirty_metadata+0x2fe/0x830 [ 25.370905][ T293] print_address_description+0x87/0x3b0 [ 25.376295][ T293] kasan_report+0x179/0x1c0 [ 25.380665][ T293] ? ext4_insert_dentry+0x392/0x710 [ 25.385662][ T293] ? ext4_insert_dentry+0x392/0x710 [ 25.390698][ T293] kasan_check_range+0x293/0x2a0 [ 25.395477][ T293] ? ext4_insert_dentry+0x392/0x710 [ 25.400504][ T293] memcpy+0x44/0x70 [ 25.404157][ T293] ext4_insert_dentry+0x392/0x710 [ 25.409018][ T293] add_dirent_to_buf+0x384/0x7d0 [ 25.413784][ T293] ? ext4_dx_add_entry+0x1620/0x1620 [ 25.418906][ T293] ? ext4_handle_dirty_dx_node+0x41c/0x580 [ 25.424557][ T293] make_indexed_dir+0xf34/0x15a0 [ 25.429321][ T293] ? add_dirent_to_buf+0x7d0/0x7d0 [ 25.434264][ T293] ? add_dirent_to_buf+0x54e/0x7d0 [ 25.439216][ T293] ? ext4_dx_add_entry+0x1620/0x1620 [ 25.444335][ T293] ? __kasan_check_read+0x11/0x20 [ 25.449194][ T293] ? __ext4_read_dirblock+0x56f/0x8e0 [ 25.454405][ T293] ext4_add_entry+0xde2/0x12b0 [ 25.459001][ T293] ? ext4_inc_count+0x190/0x190 [ 25.463701][ T293] ? atime_needs_update+0x810/0x810 [ 25.468729][ T293] __ext4_link+0x4e9/0x790 [ 25.472979][ T293] ? ext4_update_dx_flag+0x200/0x200 [ 25.478537][ T293] ? rwsem_mark_wake+0x770/0x770 [ 25.483306][ T293] ext4_link+0x1f3/0x290 [ 25.487386][ T293] vfs_link+0x645/0x7f0 [ 25.491384][ T293] do_linkat+0x34d/0x9f0 [ 25.495456][ T293] ? fsnotify_link+0x240/0x240 [ 25.500058][ T293] ? getname_flags+0x1fd/0x520 [ 25.504779][ T293] ? fpregs_assert_state_consistent+0xb6/0xe0 [ 25.510678][ T293] __x64_sys_link+0x86/0x90 [ 25.515019][ T293] x64_sys_call+0x282/0x9a0 [ 25.519358][ T293] do_syscall_64+0x3b/0xb0 [ 25.523610][ T293] ? clear_bhb_loop+0x35/0x90 [ 25.528127][ T293] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 25.533866][ T293] RIP: 0033:0x7f2d760c0669 [ 25.538106][ T293] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 25.557551][ T293] RSP: 002b:00007ffd198ecba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000056 [ 25.565794][ T293] RAX: ffffffffffffffda RBX: 00007f2d761045d2 RCX: 00007f2d760c0669 [ 25.573693][ T293] RDX: 0000000000000000 RSI: 0000400000000bc0 RDI: 0000400000000100 [ 25.581502][ T293] RBP: 00007f2d761045a2 R08: 00007f2d761043da R09: 00007f2d761043da [ 25.589314][ T293] R10: 00007f2d761045a2 R11: 0000000000000246 R12: 00007f2d7610450a [ 25.597128][ T293] R13: 00007ffd198ecc00 R14: 0000000000000001 R15: 0000000000000003 [ 25.604941][ T293] [ 25.607805][ T293] [ 25.609971][ T293] The buggy address belongs to the page: [ 25.615452][ T293] page:ffffea0004750dc0 refcount:3 mapcount:0 mapping:ffff8881092c05d8 index:0x3f pfn:0x11d437 [ 25.625597][ T293] memcg:ffff888100248000 [ 25.629675][ T293] aops:def_blk_aops ino:700000 [ 25.634277][ T293] flags: 0x400000000000202a(referenced|dirty|active|private|zone=1) [ 25.642097][ T293] raw: 400000000000202a 0000000000000000 dead000000000122 ffff8881092c05d8 [ 25.650601][ T293] raw: 000000000000003f ffff888120cf3a80 00000003ffffffff ffff888100248000 [ 25.659009][ T293] page dumped because: kasan: bad access detected [ 25.665269][ T293] page_owner tracks the page as allocated [ 25.670814][ T293] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 293, ts 25299215236, free_ts 18963071374 [ 25.687658][ T293] post_alloc_hook+0x1a3/0x1b0 [ 25.692254][ T293] prep_new_page+0x1b/0x110 [ 25.696592][ T293] get_page_from_freelist+0x3550/0x35d0 [ 25.701974][ T293] __alloc_pages+0x27e/0x8f0 [ 25.706399][ T293] pagecache_get_page+0xb18/0xeb0 [ 25.711260][ T293] __getblk_gfp+0x21e/0x7c0 [ 25.715602][ T293] ext4_getblk+0x259/0x700 [ 25.719853][ T293] ext4_bread+0x2f/0x180 [ 25.723931][ T293] ext4_append+0x31f/0x5b0 [ 25.728184][ T293] make_indexed_dir+0x515/0x15a0 [ 25.732958][ T293] ext4_add_entry+0xde2/0x12b0 [ 25.737559][ T293] __ext4_link+0x4e9/0x790 [ 25.741814][ T293] ext4_link+0x1f3/0x290 [ 25.745891][ T293] vfs_link+0x645/0x7f0 [ 25.749883][ T293] do_linkat+0x34d/0x9f0 [ 25.753965][ T293] __x64_sys_link+0x86/0x90 [ 25.758307][ T293] page last free stack trace: [ 25.762818][ T293] free_unref_page_prepare+0x7c8/0x7d0 [ 25.768112][ T293] free_unref_page_list+0x14b/0xa60 [ 25.773145][ T293] release_pages+0x1310/0x1370 [ 25.777747][ T293] free_pages_and_swap_cache+0x8a/0xa0 [ 25.783042][ T293] tlb_finish_mmu+0x177/0x320 [ 25.787555][ T293] unmap_region+0x304/0x350 [ 25.791895][ T293] __do_munmap+0x13e4/0x19d0 [ 25.796320][ T293] __vm_munmap+0x166/0x2a0 [ 25.800571][ T293] __x64_sys_munmap+0x6b/0x80 [ 25.805085][ T293] x64_sys_call+0x75/0x9a0 [ 25.809341][ T293] do_syscall_64+0x3b/0xb0 [ 25.813593][ T293] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 25.819323][ T293] [ 25.821490][ T293] Memory state around the buggy address: [ 25.826961][ T293] ffff88811d437f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.834862][ T293] ffff88811d437f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.842760][ T293] >ffff88811d438000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.850653][ T293] ^ [ 25.854563][ T293] ffff88811d438080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.862460][ T293] ffff88811d438100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.870357][ T293] ===========