Warning: Permanently added '10.128.0.38' (ED25519) to the list of known hosts.
[   21.993251][   T24] audit: type=1400 audit(1728154638.279:66): avc:  denied  { execmem } for  pid=283 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   21.995897][   T24] audit: type=1400 audit(1728154638.279:67): avc:  denied  { mounton } for  pid=284 comm="syz-executor191" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[   21.999033][   T24] audit: type=1400 audit(1728154638.279:68): avc:  denied  { module_request } for  pid=284 comm="syz-executor191" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[   22.016999][  T284] bridge0: port 1(bridge_slave_0) entered blocking state
[   22.023860][  T284] bridge0: port 1(bridge_slave_0) entered disabled state
[   22.031273][  T284] device bridge_slave_0 entered promiscuous mode
[   22.037773][  T284] bridge0: port 2(bridge_slave_1) entered blocking state
[   22.044643][  T284] bridge0: port 2(bridge_slave_1) entered disabled state
[   22.051676][  T284] device bridge_slave_1 entered promiscuous mode
[   22.077171][   T24] audit: type=1400 audit(1728154638.359:69): avc:  denied  { create } for  pid=284 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   22.081507][  T284] bridge0: port 2(bridge_slave_1) entered blocking state
[   22.097622][   T24] audit: type=1400 audit(1728154638.359:70): avc:  denied  { write } for  pid=284 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   22.104424][  T284] bridge0: port 2(bridge_slave_1) entered forwarding state
[   22.104534][  T284] bridge0: port 1(bridge_slave_0) entered blocking state
[   22.125119][   T24] audit: type=1400 audit(1728154638.359:71): avc:  denied  { read } for  pid=284 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   22.131755][  T284] bridge0: port 1(bridge_slave_0) entered forwarding state
[   22.160179][  T284] device veth0_vlan entered promiscuous mode
[   22.172870][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   22.180970][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   22.189877][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   22.197555][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   22.205466][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   22.213749][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   22.221576][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   22.228889][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   22.236131][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   22.243299][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   22.253462][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   22.262068][  T284] device veth1_macvtap entered promiscuous mode
[   22.270599][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   22.280331][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   22.294107][   T24] audit: type=1400 audit(1728154638.579:72): avc:  denied  { mounton } for  pid=284 comm="syz-executor191" path="/root/syzkaller.00ITsD/syz-tmp" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[   22.318822][   T24] audit: type=1400 audit(1728154638.579:73): avc:  denied  { mount } for  pid=284 comm="syz-executor191" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[   22.341287][   T24] audit: type=1400 audit(1728154638.579:74): avc:  denied  { mounton } for  pid=284 comm="syz-executor191" path="/root/syzkaller.00ITsD/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[   22.366536][   T24] audit: type=1400 audit(1728154638.579:75): avc:  denied  { mount } for  pid=284 comm="syz-executor191" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[   22.512420][  T289] EXT4-fs (loop0): 1 truncate cleaned up
[   22.517876][  T289] EXT4-fs (loop0): mounted filesystem without journal. Opts: noauto_da_alloc,grpquota,errors=continue,data_err=ignore,nolazytime,errors=continue,grpjquota=,errors=remount-ro,nobarrier,
[   22.539316][  T289] ==================================================================
[   22.547209][  T289] BUG: KASAN: use-after-free in ext4_search_dir+0xf7/0x1b0
[   22.554220][  T289] Read of size 1 at addr ffff888106fb5504 by task syz-executor191/289
[   22.562198][  T289] 
[   22.564374][  T289] CPU: 0 PID: 289 Comm: syz-executor191 Not tainted 5.10.226-syzkaller-00709-ge5e5644ea27f #0
[   22.574501][  T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   22.584341][  T289] Call Trace:
[   22.587477][  T289]  dump_stack_lvl+0x1e2/0x24b
[   22.591985][  T289]  ? bfq_pos_tree_add_move+0x43b/0x43b
[   22.597270][  T289]  ? panic+0x812/0x812
[   22.601185][  T289]  print_address_description+0x81/0x3b0
[   22.606554][  T289]  kasan_report+0x179/0x1c0
[   22.610895][  T289]  ? ext4_search_dir+0xf7/0x1b0
[   22.615583][  T289]  ? ext4_search_dir+0xf7/0x1b0
[   22.620269][  T289]  __asan_report_load1_noabort+0x14/0x20
[   22.625732][  T289]  ext4_search_dir+0xf7/0x1b0
[   22.630262][  T289]  ext4_find_inline_entry+0x4b6/0x5e0
[   22.635454][  T289]  ? lookup_slow+0x5a/0x80
[   22.639706][  T289]  ? walk_component+0x48c/0x610
[   22.644395][  T289]  ? ext4_try_create_inline_dir+0x320/0x320
[   22.650125][  T289]  __ext4_find_entry+0x2b0/0x1990
[   22.654997][  T289]  ? ext4_ci_compare+0x660/0x660
[   22.659758][  T289]  ? slab_post_alloc_hook+0x80/0x2f0
[   22.664888][  T289]  ? __d_lookup_rcu+0x604/0x650
[   22.669578][  T289]  ? __kasan_check_write+0x14/0x20
[   22.674522][  T289]  ? generic_set_encrypted_ci_d_ops+0x91/0xf0
[   22.680418][  T289]  ext4_lookup+0x3c6/0xaa0
[   22.684666][  T289]  ? ext4_add_entry+0x1280/0x1280
[   22.689529][  T289]  ? __kasan_check_write+0x14/0x20
[   22.694483][  T289]  __lookup_slow+0x2b9/0x400
[   22.698899][  T289]  ? lookup_one_len+0x2c0/0x2c0
[   22.703585][  T289]  ? lookup_fast+0x340/0x7d0
[   22.708026][  T289]  ? security_inode_permission+0xb0/0xf0
[   22.713664][  T289]  ? handle_dots+0x1030/0x1030
[   22.718350][  T289]  ? inode_permission+0xf1/0x500
[   22.723124][  T289]  lookup_slow+0x5a/0x80
[   22.727191][  T289]  walk_component+0x48c/0x610
[   22.731798][  T289]  ? nd_alloc_stack+0xf0/0xf0
[   22.736307][  T289]  ? handle_lookup_down+0x130/0x130
[   22.741342][  T289]  path_lookupat+0x16d/0x450
[   22.745763][  T289]  filename_lookup+0x26a/0x6f0
[   22.750367][  T289]  ? hashlen_string+0x120/0x120
[   22.755062][  T289]  ? getname_flags+0x1fd/0x520
[   22.759651][  T289]  user_path_at_empty+0x40/0x50
[   22.764338][  T289]  __se_sys_mount+0x285/0x3b0
[   22.768855][  T289]  ? __x64_sys_mount+0xd0/0xd0
[   22.773451][  T289]  ? debug_smp_processor_id+0x17/0x20
[   22.778666][  T289]  ? irqentry_exit_to_user_mode+0x41/0x80
[   22.784217][  T289]  __x64_sys_mount+0xbf/0xd0
[   22.788644][  T289]  do_syscall_64+0x34/0x70
[   22.792904][  T289]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   22.798624][  T289] RIP: 0033:0x7f92f19b8e79
[   22.802875][  T289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   22.822329][  T289] RSP: 002b:00007f92f1971168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   22.830560][  T289] RAX: ffffffffffffffda RBX: 00007f92f1a426e8 RCX: 00007f92f19b8e79
[   22.838371][  T289] RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000000
[   22.846353][  T289] RBP: 00007f92f1a426e0 R08: 0000000000000000 R09: 0000000000000000
[   22.854158][  T289] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92f1a426ec
[   22.861969][  T289] R13: 0000000000000010 R14: 00007ffeb720bb30 R15: 00007ffeb720bc18
[   22.869782][  T289] 
[   22.871944][  T289] Allocated by task 0:
[   22.875847][  T289] (stack is not available)
[   22.880101][  T289] 
[   22.882277][  T289] The buggy address belongs to the object at ffff888106fb5500
[   22.882277][  T289]  which belongs to the cache skbuff_head_cache of size 248
[   22.896688][  T289] The buggy address is located 4 bytes inside of
[   22.896688][  T289]  248-byte region [ffff888106fb5500, ffff888106fb55f8)
[   22.909609][  T289] The buggy address belongs to the page:
[   22.915187][  T289] page:ffffea00041bed40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fb5
[   22.925249][  T289] flags: 0x4000000000000200(slab)
[   22.930107][  T289] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888107d9c180
[   22.938518][  T289] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   22.946971][  T289] page dumped because: kasan: bad access detected
[   22.953190][  T289] page_owner tracks the page as allocated
[   22.958750][  T289] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 25, ts 22868843471, free_ts 22279139937
[   22.974635][  T289]  prep_new_page+0x166/0x180
[   22.979051][  T289]  get_page_from_freelist+0x2d8c/0x2f30
[   22.984437][  T289]  __alloc_pages_nodemask+0x435/0xaf0
[   22.989659][  T289]  new_slab+0x80/0x400
[   22.993545][  T289]  ___slab_alloc+0x302/0x4b0
[   22.997978][  T289]  __slab_alloc+0x63/0xa0
[   23.002138][  T289]  kmem_cache_alloc+0x1b9/0x2e0
[   23.006909][  T289]  __alloc_skb+0x80/0x510
[   23.011072][  T289]  ndisc_alloc_skb+0xf3/0x2d0
[   23.015591][  T289]  ndisc_send_ns+0x29d/0x830
[   23.020016][  T289]  addrconf_dad_work+0xb9b/0x1700
[   23.024873][  T289]  process_one_work+0x6dc/0xbd0
[   23.029591][  T289]  worker_thread+0xaea/0x1510
[   23.034085][  T289]  kthread+0x34b/0x3d0
[   23.037982][  T289]  ret_from_fork+0x1f/0x30
[   23.042317][  T289] page last free stack trace:
[   23.046837][  T289]  __free_pages_ok+0x82c/0x850
[   23.051430][  T289]  free_the_page+0x76/0x370
[   23.055770][  T289]  __free_pages+0x67/0xc0
[   23.059947][  T289]  __free_slab+0xcf/0x190
[   23.064108][  T289]  unfreeze_partials+0x15e/0x190
[   23.068886][  T289]  put_cpu_partial+0xbf/0x180
[   23.073392][  T289]  __slab_free+0x2c8/0x3a0
[   23.077641][  T289]  ___cache_free+0x111/0x130
[   23.082074][  T289]  qlink_free+0x50/0x90
[   23.086064][  T289]  qlist_free_all+0x47/0xb0
[   23.090408][  T289]  kasan_quarantine_reduce+0x15a/0x170
[   23.095690][  T289]  __kasan_slab_alloc+0x2f/0xe0
[   23.100381][  T289]  slab_post_alloc_hook+0x61/0x2f0
[   23.105329][  T289]  kmem_cache_alloc+0x168/0x2e0
[   23.110015][  T289]  __alloc_skb+0x80/0x510
[   23.114178][  T289]  rtmsg_ifinfo_build_skb+0x7f/0x180
[   23.119301][  T289] 
[   23.121462][  T289] Memory state around the buggy address:
[   23.126956][  T289]  ffff888106fb5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.134863][  T289]  ffff888106fb5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.142733][  T289] >ffff888106fb5500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.150625][  T289]                    ^
[   23.154533][  T289]  ffff888106fb5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   23.162436][  T289]  ffff888106fb5600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   23.170325][  T289] ==================================================================
[   23.178224][  T289] Disabling lock debugging due to kernel taint