Warning: Permanently added '10.128.10.21' (ED25519) to the list of known hosts.
2025/03/24 14:07:38 ignoring optional flag "sandboxArg"="0"
2025/03/24 14:07:40 parsed 1 programs
[ 85.652785][ T23] audit: type=1400 audit(1742825260.100:66): avc: denied { node_bind } for pid=405 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 88.248694][ T23] audit: type=1400 audit(1742825262.700:67): avc: denied { mounton } for pid=414 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 88.253092][ T414] cgroup1: Unknown subsys name 'net'
[ 88.276891][ T23] audit: type=1400 audit(1742825262.700:68): avc: denied { mount } for pid=414 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 88.300215][ T414] cgroup1: Unknown subsys name 'net_prio'
[ 88.306233][ T414] cgroup1: Unknown subsys name 'devices'
[ 88.314273][ T23] audit: type=1400 audit(1742825262.760:69): avc: denied { unmount } for pid=414 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 88.459384][ T414] cgroup1: Unknown subsys name 'hugetlb'
[ 88.465511][ T414] cgroup1: Unknown subsys name 'rlimit'
[ 88.748437][ T23] audit: type=1400 audit(1742825263.190:70): avc: denied { setattr } for pid=414 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10754 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 88.776679][ T23] audit: type=1400 audit(1742825263.190:71): avc: denied { create } for pid=414 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 88.797655][ T23] audit: type=1400 audit(1742825263.190:72): avc: denied { write } for pid=414 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 88.817846][ T23] audit: type=1400 audit(1742825263.190:73): avc: denied { read } for pid=414 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 88.838046][ T23] audit: type=1400 audit(1742825263.200:74): avc: denied { module_request } for pid=414 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 88.859904][ T23] audit: type=1400 audit(1742825263.200:75): avc: denied { mounton } for pid=414 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 88.888409][ T421] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 88.999796][ T414] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 89.858540][ T425] request_module fs-gadgetfs succeeded, but still no fs?
[ 90.258188][ T436] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.265098][ T436] bridge0: port 1(bridge_slave_0) entered disabled state
[ 90.273342][ T436] device bridge_slave_0 entered promiscuous mode
[ 90.281149][ T436] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.288093][ T436] bridge0: port 2(bridge_slave_1) entered disabled state
[ 90.296038][ T436] device bridge_slave_1 entered promiscuous mode
[ 90.424787][ T436] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.431664][ T436] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 90.439234][ T436] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.446135][ T436] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 90.499798][ T338] bridge0: port 1(bridge_slave_0) entered disabled state
[ 90.507627][ T338] bridge0: port 2(bridge_slave_1) entered disabled state
[ 90.515314][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 90.523013][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 90.537540][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 90.546304][ T338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.553338][ T338] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 90.565785][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 90.574605][ T338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.581451][ T338] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 90.608323][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 90.621125][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 90.655038][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 90.675631][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 90.705917][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 90.736999][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 90.751528][ T338] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 90.838111][ T436] syz-executor (436) used greatest stack depth: 19480 bytes left
[ 91.513092][ T7] device bridge_slave_1 left promiscuous mode
[ 91.519635][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.528394][ T7] device bridge_slave_0 left promiscuous mode
[ 91.535349][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.874983][ T23] kauditd_printk_skb: 25 callbacks suppressed
[ 91.875013][ T23] audit: type=1400 audit(1742825266.320:101): avc: denied { sys_admin } for pid=469 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1
[ 91.964984][ T23] audit: type=1400 audit(1742825266.410:102): avc: denied { sys_chroot } for pid=470 comm="syz-executor" capability=18 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1
[ 92.567187][ T23] audit: type=1401 audit(1742825267.010:103): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
2025/03/24 14:07:47 executed programs: 0
[ 93.236521][ T489] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.243598][ T489] bridge0: port 1(bridge_slave_0) entered disabled state
[ 93.251529][ T489] device bridge_slave_0 entered promiscuous mode
[ 93.259640][ T489] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.266832][ T489] bridge0: port 2(bridge_slave_1) entered disabled state
[ 93.274767][ T489] device bridge_slave_1 entered promiscuous mode
[ 93.472331][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 93.481044][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 93.500313][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 93.509719][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 93.518634][ T437] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.525551][ T437] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 93.541285][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 93.549960][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 93.559424][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 93.568847][ T437] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.575756][ T437] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 93.598215][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 93.615482][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 93.657659][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 93.677624][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 93.707073][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 93.737589][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 93.752931][ T437] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 93.793155][ T23] audit: type=1400 audit(1742825268.240:104): avc: denied { mounton } for pid=489 comm="syz-executor" path="/dev/gadgetfs" dev="devtmpfs" ino=11573 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 109.010743][ T523] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.018411][ T523] bridge0: port 1(bridge_slave_0) entered disabled state
[ 109.026575][ T523] device bridge_slave_0 entered promiscuous mode
[ 109.034837][ T523] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.041834][ T523] bridge0: port 2(bridge_slave_1) entered disabled state
[ 109.050797][ T523] device bridge_slave_1 entered promiscuous mode
[ 109.182910][ T523] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.192144][ T523] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 109.200467][ T523] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.210675][ T523] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.264704][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 109.273268][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 109.281076][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 109.289451][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 109.302664][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 109.311225][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.318155][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.330559][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 109.339332][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.349076][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 109.376238][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 109.393454][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 109.434615][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 109.453737][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 109.478126][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 109.500235][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 109.514791][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2025/03/24 14:08:04 executed programs: 3
[ 109.565594][ T523] ==================================================================
[ 109.574917][ T523] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 109.581928][ T523] Read of size 4 at addr ffff8881edf73f38 by task syz-executor/523
[ 109.590967][ T523]
[ 109.593346][ T523] CPU: 1 PID: 523 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[ 109.603717][ T523] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 109.614828][ T523] Call Trace:
[ 109.618595][ T523] dump_stack+0x1d8/0x241
[ 109.622942][ T523] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 109.628843][ T523] ? printk+0xd1/0x111
[ 109.632901][ T523] ? __mutex_lock+0xcd7/0x1060
[ 109.638001][ T523] print_address_description+0x8c/0x600
[ 109.643688][ T523] ? check_preemption_disabled+0x9f/0x320
[ 109.649312][ T523] ? __unwind_start+0x708/0x890
[ 109.654260][ T523] ? __mutex_lock+0xcd7/0x1060
[ 109.659394][ T523] __kasan_report+0xf3/0x120
[ 109.664368][ T523] ? __mutex_lock+0xcd7/0x1060
[ 109.669167][ T523] kasan_report+0x30/0x60
[ 109.674658][ T523] __mutex_lock+0xcd7/0x1060
[ 109.680361][ T523] ? kobject_get_unless_zero+0x229/0x320
[ 109.689383][ T523] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 109.696070][ T523] ? __module_put_and_exit+0x20/0x20
[ 109.701279][ T523] ? up_read+0x6f/0x1b0
[ 109.705278][ T523] mutex_lock_killable+0xd8/0x110
[ 109.710242][ T523] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 109.717014][ T523] ? mutex_lock+0xa5/0x110
[ 109.721374][ T523] ? mutex_trylock+0xa0/0xa0
[ 109.725897][ T523] lo_open+0x18/0xc0
[ 109.730109][ T523] __blkdev_get+0x3c8/0x1160
[ 109.734717][ T523] ? blkdev_get+0x3a0/0x3a0
[ 109.739944][ T523] ? _raw_spin_unlock+0x49/0x60
[ 109.745978][ T523] blkdev_get+0x2de/0x3a0
[ 109.751878][ T523] ? blkdev_open+0x173/0x290
[ 109.763640][ T523] ? block_ioctl+0xe0/0xe0
[ 109.777947][ T523] do_dentry_open+0x964/0x1130
[ 109.785385][ T523] ? finish_open+0xd0/0xd0
[ 109.791082][ T523] ? security_inode_permission+0xad/0xf0
[ 109.797763][ T523] ? memcpy+0x38/0x50
[ 109.806955][ T523] path_openat+0x29bf/0x34b0
[ 109.812155][ T523] ? stack_trace_save+0x118/0x1c0
[ 109.818154][ T523] ? do_filp_open+0x450/0x450
[ 109.823258][ T523] ? do_sys_open+0x357/0x810
[ 109.829255][ T523] ? do_syscall_64+0xca/0x1c0
[ 109.834748][ T523] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 109.842353][ T523] do_filp_open+0x20b/0x450
[ 109.847250][ T523] ? vfs_tmpfile+0x2c0/0x2c0
[ 109.852420][ T523] ? _raw_spin_unlock+0x49/0x60
[ 109.858081][ T523] ? __alloc_fd+0x4c5/0x570
[ 109.863548][ T523] do_sys_open+0x39c/0x810
[ 109.868305][ T523] ? file_open_root+0x490/0x490
[ 109.873838][ T523] ? switch_fpu_return+0x1d4/0x410
[ 109.881168][ T523] do_syscall_64+0xca/0x1c0
[ 109.886311][ T523] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 109.892974][ T523] RIP: 0033:0x7fd273e35a51
[ 109.897244][ T523] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 109.920322][ T523] RSP: 002b:00007fff26b91640 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 109.929779][ T523] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd273e35a51
[ 109.937618][ T523] RDX: 0000000000000002 RSI: 00007fff26b91750 RDI: 00000000ffffff9c
[ 109.945884][ T523] RBP: 00007fff26b91750 R08: 000000000000000a R09: 00007fff26b91407
[ 109.954202][ T523] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 109.962408][ T523] R13: 00007fd274020260 R14: 0000000000000003 R15: 00007fff26b91750
[ 109.970860][ T523]
[ 109.973138][ T523] Allocated by task 502:
[ 109.977316][ T523] __kasan_kmalloc+0x171/0x210
[ 109.982028][ T523] kmem_cache_alloc+0xd9/0x250
[ 109.987029][ T523] dup_task_struct+0x4f/0x600
[ 109.992083][ T523] copy_process+0x56d/0x3230
[ 109.996526][ T523] _do_fork+0x197/0x900
[ 110.000504][ T523] __x64_sys_clone3+0x2da/0x300
[ 110.005177][ T523] do_syscall_64+0xca/0x1c0
[ 110.009614][ T523] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 110.015586][ T523]
[ 110.017761][ T523] Freed by task 10:
[ 110.021839][ T523] __kasan_slab_free+0x1b5/0x270
[ 110.026797][ T523] kmem_cache_free+0x10b/0x2c0
[ 110.031780][ T523] rcu_do_batch+0x492/0xa00
[ 110.036462][ T523] rcu_core+0x4c8/0xcb0
[ 110.040987][ T523] __do_softirq+0x23b/0x6b7
[ 110.045482][ T523]
[ 110.047799][ T523] The buggy address belongs to the object at ffff8881edf73f00
[ 110.047799][ T523] which belongs to the cache task_struct of size 3904
[ 110.062793][ T523] The buggy address is located 56 bytes inside of
[ 110.062793][ T523] 3904-byte region [ffff8881edf73f00, ffff8881edf74e40)
[ 110.075966][ T523] The buggy address belongs to the page:
[ 110.081543][ T523] page:ffffea0007b7dc00 refcount:1 mapcount:0 mapping:ffff8881f5cf0000 index:0x0 compound_mapcount: 0
[ 110.092614][ T523] flags: 0x8000000000010200(slab|head)
[ 110.098074][ T523] raw: 8000000000010200 ffffea0007b7c200 0000000300000003 ffff8881f5cf0000
[ 110.106487][ T523] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 110.115544][ T523] page dumped because: kasan: bad access detected
[ 110.121980][ T523] page_owner tracks the page as allocated
[ 110.127510][ T523] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[ 110.142718][ T523] prep_new_page+0x18f/0x370
[ 110.147127][ T523] get_page_from_freelist+0x2d13/0x2d90
[ 110.152496][ T523] __alloc_pages_nodemask+0x393/0x840
[ 110.157962][ T523] alloc_slab_page+0x39/0x3c0
[ 110.162700][ T523] new_slab+0x97/0x440
[ 110.166719][ T523] ___slab_alloc+0x2fe/0x490
[ 110.171334][ T523] __slab_alloc+0x62/0xa0
[ 110.175603][ T523] kmem_cache_alloc+0x109/0x250
[ 110.180404][ T523] dup_task_struct+0x4f/0x600
[ 110.185200][ T523] copy_process+0x56d/0x3230
[ 110.189656][ T523] _do_fork+0x197/0x900
[ 110.194006][ T523] kernel_thread+0x16a/0x1d0
[ 110.198573][ T523] kthreadd+0x3b1/0x4f0
[ 110.202633][ T523] ret_from_fork+0x1f/0x30
[ 110.206875][ T523] page last free stack trace:
[ 110.211399][ T523] __free_pages_ok+0x847/0x950
[ 110.216373][ T523] __free_pages+0x91/0x140
[ 110.220715][ T523] put_task_stack+0x212/0x260
[ 110.225191][ T523] finish_task_switch+0x24a/0x590
[ 110.230083][ T523] __schedule+0xb0d/0x1320
[ 110.234644][ T523] schedule_idle+0x50/0x80
[ 110.239687][ T523] do_idle+0x609/0x660
[ 110.243785][ T523] cpu_startup_entry+0x14/0x20
[ 110.248468][ T523] start_secondary+0x3a5/0x460
[ 110.253184][ T523] secondary_startup_64+0xa4/0xb0
[ 110.258133][ T523]
[ 110.260301][ T523] Memory state around the buggy address:
[ 110.266121][ T523] ffff8881edf73e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.274307][ T523] ffff8881edf73e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 110.282455][ T523] >ffff8881edf73f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.290788][ T523] ^
[ 110.296464][ T523] ffff8881edf73f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.304581][ T523] ffff8881edf74000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.313156][ T523] ==================================================================
[ 110.321680][ T523] Disabling lock debugging due to kernel taint