it: type=1400 audit(1743438325.931:63): avc: denied { write } for pid=226 comm="sh" path="pipe:[14441]" dev="pipefs" ino=14441 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 17.754140][ T30] audit: type=1400 audit(1743438325.931:64): avc: denied { rlimitinh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 17.774751][ T30] audit: type=1400 audit(1743438325.931:65): avc: denied { siginh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.0.208' (ED25519) to the list of known hosts.
[ 27.241215][ T30] audit: type=1400 audit(1743438335.471:66): avc: denied { execmem } for pid=289 comm="syz-executor382" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 27.262682][ T30] audit: type=1400 audit(1743438335.471:67): avc: denied { integrity } for pid=289 comm="syz-executor382" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
executing program
executing program
executing program
executing program
executing program
[ 27.290824][ T30] audit: type=1400 audit(1743438335.521:68): avc: denied { read write } for pid=292 comm="syz-executor382" name="loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 27.302655][ T300] loop2: detected capacity change from 0 to 1024
[ 27.334416][ T304] loop1: detected capacity change from 0 to 1024
[ 27.342299][ T30] audit: type=1400 audit(1743438335.521:69): avc: denied { open } for pid=296 comm="syz-executor382" path="/dev/loop4" dev="devtmpfs" ino=116 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 27.348055][ T306] loop0: detected capacity change from 0 to 1024
[ 27.374474][ T30] audit: type=1400 audit(1743438335.521:70): avc: denied { ioctl } for pid=296 comm="syz-executor382" path="/dev/loop4" dev="devtmpfs" ino=116 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 27.378294][ T303] loop4: detected capacity change from 0 to 1024
[ 27.407550][ T305] loop3: detected capacity change from 0 to 1024
[ 27.426238][ T304] =======================================================
[ 27.426238][ T304] WARNING: The mand mount option has been deprecated and
[ 27.426238][ T304] and is ignored by this kernel. Remove the mand
[ 27.426238][ T304] option from the mount to silence this warning.
[ 27.426238][ T304] =======================================================
[ 27.426278][ T30] audit: type=1400 audit(1743438335.661:71): avc: denied { mounton } for pid=299 comm="syz-executor382" path="/root/file1" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 27.466345][ T300] EXT4-fs (loop2): Ignoring removed nobh option
[ 27.492330][ T303] EXT4-fs (loop4): Ignoring removed nobh option
[ 27.497690][ T300] EXT4-fs (loop2): Ignoring removed bh option
[ 27.504629][ T306] EXT4-fs (loop0): Ignoring removed nobh option
[ 27.511150][ T300] EXT4-fs (loop2): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 27.517586][ T303] EXT4-fs (loop4): Ignoring removed bh option
[ 27.530732][ T306] EXT4-fs (loop0): Ignoring removed bh option
[ 27.541034][ T305] EXT4-fs (loop3): Ignoring removed nobh option
[ 27.545735][ T304] EXT4-fs (loop1): Ignoring removed nobh option
[ 27.562079][ T305] EXT4-fs (loop3): Ignoring removed bh option
[ 27.563889][ T306] EXT4-fs (loop0): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 27.581840][ T305] EXT4-fs (loop3): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 27.582170][ T304] EXT4-fs (loop1): Ignoring removed bh option
[ 27.594728][ T303] EXT4-fs (loop4): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 27.607666][ T304] EXT4-fs (loop1): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 27.622266][ T300] EXT4-fs (loop2): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,grpquota,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: writeback.
[ 27.661201][ T30] audit: type=1400 audit(1743438335.891:72): avc: denied { mount } for pid=298 comm="syz-executor382" name="/" dev="loop2" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 27.687751][ T306] EXT4-fs (loop0): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,grpquota,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: writeback.
[ 27.699591][ T300] EXT4-fs error (device loop2): ext4_mb_mark_diskspace_used:3876: comm syz-executor382: Allocating blocks 497-513 which overlap fs metadata
[ 27.718158][ T305] EXT4-fs (loop3): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,grpquota,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: writeback.
[ 27.732713][ T300] EXT4-fs (loop2): pa ffff888110d9ec78: logic 128, phys. 385, len 8
[ 27.761964][ T322] SELinux: Context system_u:object_r:fsadm_exec_t:s0 is not valid (left unmapped).
[ 27.772851][ T300] EXT4-fs error (device loop2): ext4_mb_release_inode_pa:4893: group 0, free 0, pa_free 1
[ 27.796850][ T30] audit: type=1400 audit(1743438335.921:73): avc: denied { write } for pid=298 comm="syz-executor382" name="/" dev="loop2" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 27.822100][ T322] SELinux: Context system_u:object_r:man_t:s0 is not valid (left unmapped).
[ 27.823362][ T304] EXT4-fs (loop1): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,grpquota,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: writeback.
[ 27.840829][ T306] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3876: comm syz-executor382: Allocating blocks 497-513 which overlap fs metadata
[ 27.861539][ T303] EXT4-fs (loop4): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,grpquota,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: writeback.
[ 27.904748][ T306] EXT4-fs (loop0): pa ffff88812115f5e8: logic 128, phys. 385, len 8
[ 27.912826][ T306] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4893: group 0, free 0, pa_free 1
executing program
[ 27.925260][ T30] audit: type=1400 audit(1743438335.921:74): avc: denied { add_name } for pid=298 comm="syz-executor382" name="blkio.bfq.io_wait_time_recursive" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 27.952758][ T30] audit: type=1400 audit(1743438335.921:75): avc: denied { create } for pid=298 comm="syz-executor382" name="blkio.bfq.io_wait_time_recursive" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 27.969277][ T304] EXT4-fs error (device loop1): ext4_mb_mark_diskspace_used:3876: comm syz-executor382: Allocating blocks 497-513 which overlap fs metadata
[ 28.003231][ T303] EXT4-fs error (device loop4): ext4_mb_mark_diskspace_used:3876: comm syz-executor382: Allocating blocks 497-513 which overlap fs metadata
[ 28.014263][ T304] EXT4-fs (loop1): pa ffff8881210cd150: logic 128, phys. 385, len 8
[ 28.027014][ T304] EXT4-fs error (device loop1): ext4_mb_release_inode_pa:4893: group 0, free 0, pa_free 1
executing program
executing program
executing program
executing program
[ 28.027597][ T327] EXT4-fs error (device loop3): ext4_mb_mark_diskspace_used:3876: comm syz-executor382: Allocating blocks 497-513 which overlap fs metadata
[ 28.050857][ T303] EXT4-fs (loop4): pa ffff88812115fdc8: logic 128, phys. 385, len 8
[ 28.063711][ T303] EXT4-fs error (device loop4): ext4_mb_release_inode_pa:4893: group 0, free 0, pa_free 1
[ 28.084836][ T327] EXT4-fs (loop3): pa ffff8881210cdbd0: logic 128, phys. 385, len 8
[ 28.093373][ T327] EXT4-fs error (device loop3): ext4_mb_release_inode_pa:4893: group 0, free 0, pa_free 1
executing program
[ 32.429457][ T710] syz-executor382 (710) used greatest stack depth: 21136 bytes left
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 32.863394][ T8] ==================================================================
[ 32.873181][ T8] BUG: KASAN: use-after-free in ext4_find_extent+0xbea/0xe30
[ 32.881836][ T8] Read of size 4 at addr ffff88812324ec14 by task kworker/u4:0/8
[ 32.890521][ T8]
[ 32.892649][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.178-syzkaller-00034-g5e1b899f19c3 #0
[ 32.904000][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 32.915647][ T8] Workqueue: writeback wb_workfn (flush-7:4)
[ 32.922491][ T8] Call Trace:
[ 32.926584][ T8]
[ 32.930511][ T8] dump_stack_lvl+0x151/0x1c0
[ 32.936062][ T8] ? io_uring_drop_tctx_refs+0x190/0x190
[ 32.942449][ T8] ? __wake_up_klogd+0xd5/0x110
[ 32.947731][ T8] ? panic+0x760/0x760
[ 32.952030][ T8] print_address_description+0x87/0x3b0
[ 32.959397][ T8] kasan_report+0x179/0x1c0
[ 32.964236][ T8] ? __read_extent_tree_block+0x1e0/0x7b0
[ 32.970929][ T8] ? ext4_find_extent+0xbea/0xe30
[ 32.976746][ T8] ? ext4_find_extent+0xbea/0xe30
[ 32.982050][ T8] __asan_report_load4_noabort+0x14/0x20
[ 32.990029][ T8] ext4_find_extent+0xbea/0xe30
[ 32.994985][ T8] ext4_ext_map_blocks+0x269/0x7450
[ 33.001732][ T8] ? ret_from_fork+0x1f/0x30
[ 33.006338][ T8] ? stack_trace_save+0x113/0x1c0
[ 33.012049][ T8] ? __stack_depot_save+0x34/0x470
[ 33.017245][ T8] ? find_get_entry+0x3d3/0x3e0
[ 33.022532][ T8] ? ext4_ext_release+0x10/0x10
[ 33.028667][ T8] ? __kasan_slab_alloc+0xc3/0xe0
[ 33.034289][ T8] ? __kasan_slab_alloc+0xb1/0xe0
[ 33.039623][ T8] ? slab_post_alloc_hook+0x53/0x2c0
[ 33.045870][ T8] ? kmem_cache_alloc+0xf5/0x250
[ 33.051076][ T8] ? ext4_alloc_io_end_vec+0x2a/0x170
[ 33.057649][ T8] ? ext4_writepages+0x13b4/0x4000
[ 33.062838][ T8] ? do_writepages+0x40e/0x670
[ 33.067818][ T8] ? __writeback_single_inode+0xdf/0xa70
[ 33.073393][ T8] ? writeback_sb_inodes+0xb2a/0x1920
[ 33.079265][ T8] ? __writeback_inodes_wb+0x118/0x3f0
[ 33.085030][ T8] ? wb_writeback+0x3da/0x9f0
[ 33.089817][ T8] ? wb_workfn+0xc12/0x1110
[ 33.094884][ T8] ? process_one_work+0x6bb/0xc10
[ 33.100172][ T8] ? worker_thread+0xad5/0x12a0
[ 33.105182][ T8] ? kthread+0x421/0x510
[ 33.109672][ T8] ? ret_from_fork+0x1f/0x30
[ 33.114443][ T8] ? _raw_read_unlock+0x25/0x40
[ 33.119831][ T8] ? ext4_es_lookup_extent+0x33b/0x940
[ 33.126961][ T8] ext4_map_blocks+0xa60/0x1c70
[ 33.133151][ T8] ? ext4_issue_zeroout+0x250/0x250
[ 33.139140][ T8] ? ext4_inode_journal_mode+0x1a5/0x470
[ 33.145368][ T8] ext4_writepages+0x1628/0x4000
[ 33.150250][ T8] ? ext4_readpage+0x230/0x230
[ 33.155281][ T8] ? blk_finish_plug+0x4c/0x80
[ 33.160939][ T8] ? __kasan_check_write+0x14/0x20
[ 33.167832][ T8] ? ext4_readpage+0x230/0x230
[ 33.172532][ T8] do_writepages+0x40e/0x670
[ 33.178252][ T8] ? __writepage+0x130/0x130
[ 33.183416][ T8] ? __kasan_check_write+0x14/0x20
[ 33.189212][ T8] ? _raw_spin_lock_irqsave+0xf9/0x210
[ 33.195635][ T8] ? __kasan_check_write+0x14/0x20
[ 33.201858][ T8] __writeback_single_inode+0xdf/0xa70
[ 33.211177][ T8] writeback_sb_inodes+0xb2a/0x1920
[ 33.217064][ T8] ? queue_io+0x520/0x520
[ 33.222291][ T8] ? down_read_trylock+0x3d6/0x7d0
[ 33.227767][ T8] ? __writeback_inodes_wb+0x3f0/0x3f0
[ 33.233528][ T8] __writeback_inodes_wb+0x118/0x3f0
[ 33.239238][ T8] ? queue_io+0x3d0/0x520
[ 33.244400][ T8] wb_writeback+0x3da/0x9f0
[ 33.249172][ T8] ? inode_cgwb_move_to_attached+0x3c0/0x3c0
[ 33.255674][ T8] ? __kasan_check_write+0x14/0x20
[ 33.262064][ T8] ? cpumask_next+0x8a/0xb0
[ 33.266700][ T8] wb_workfn+0xc12/0x1110
[ 33.271915][ T8] ? inode_wait_for_writeback+0x280/0x280
[ 33.278305][ T8] ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 33.286342][ T8] ? try_to_wake_up+0x697/0x1160
[ 33.295747][ T8] ? finish_task_switch+0x167/0x7b0
[ 33.301214][ T8] ? try_invoke_on_locked_down_task+0x2a0/0x2a0
[ 33.308893][ T8] ? __kasan_check_read+0x11/0x20
[ 33.313923][ T8] ? read_word_at_a_time+0x12/0x20
[ 33.319488][ T8] ? strscpy+0x9c/0x260
[ 33.324359][ T8] process_one_work+0x6bb/0xc10
[ 33.329667][ T8] worker_thread+0xad5/0x12a0
[ 33.335519][ T8] kthread+0x421/0x510
[ 33.340094][ T8] ? worker_clr_flags+0x180/0x180
[ 33.345352][ T8] ? kthread_blkcg+0xd0/0xd0
[ 33.350860][ T8] ret_from_fork+0x1f/0x30
[ 33.355374][ T8]
[ 33.358811][ T8]
[ 33.361149][ T8] The buggy address belongs to the page:
[ 33.367380][ T8] page:ffffea00048c9380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12324e
[ 33.378644][ T8] flags: 0x4000000000000000(zone=1)
[ 33.384435][ T8] raw: 4000000000000000 ffffea00048c93c8 ffffea00048c9348 0000000000000000
[ 33.394331][ T8] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 33.404713][ T8] page dumped because: kasan: bad access detected
[ 33.415914][ T8] page_owner tracks the page as freed
[ 33.422490][ T8] page last allocated via order 0, migratetype Movable, gfp_mask 0x101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), pid 538, ts 30453639745, free_ts 30574608672
[ 33.442532][ T8] post_alloc_hook+0x1a3/0x1b0
[ 33.448881][ T8] prep_new_page+0x1b/0x110
[ 33.454616][ T8] get_page_from_freelist+0x3550/0x35d0
[ 33.462019][ T8] __alloc_pages+0x27e/0x8f0
[ 33.467835][ T8] pagecache_get_page+0xb18/0xeb0
[ 33.473267][ T8] grab_cache_page_write_begin+0x5d/0xa0
[ 33.479322][ T8] ext4_da_write_begin+0x5ae/0xc30
[ 33.485438][ T8] generic_perform_write+0x2de/0x750
[ 33.491242][ T8] ext4_buffered_write_iter+0x48a/0x610
[ 33.497117][ T8] ext4_file_write_iter+0x454/0x1660
[ 33.502189][ T8] vfs_write+0xd5d/0x1110
[ 33.507858][ T8] ksys_write+0x199/0x2c0
[ 33.512295][ T8] __x64_sys_write+0x7b/0x90
[ 33.516791][ T8] x64_sys_call+0x2f/0x9a0
[ 33.521802][ T8] do_syscall_64+0x3b/0xb0
[ 33.526606][ T8] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 33.534156][ T8] page last free stack trace:
[ 33.539760][ T8] free_unref_page_prepare+0x7c8/0x7d0
[ 33.545551][ T8] free_unref_page_list+0x14b/0xa60
[ 33.552794][ T8] release_pages+0x1310/0x1370
[ 33.557709][ T8] __pagevec_release+0x84/0x100
[ 33.562404][ T8] truncate_inode_pages_range+0x482/0x1160
[ 33.568115][ T8] truncate_pagecache+0x6c/0x90
[ 33.573517][ T8] ext4_setattr+0xe4a/0x1940
[ 33.581388][ T8] notify_change+0xc7a/0xf30
[ 33.586096][ T8] do_truncate+0x21c/0x300
[ 33.591905][ T8] path_openat+0x28ed/0x2f40
[ 33.597211][ T8] do_filp_open+0x21c/0x460
[ 33.601953][ T8] do_sys_openat2+0x13f/0x820
[ 33.608192][ T8] __x64_sys_openat+0x243/0x290
[ 33.613341][ T8] x64_sys_call+0x6bf/0x9a0
[ 33.617866][ T8] do_syscall_64+0x3b/0xb0
[ 33.622969][ T8] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 33.629372][ T8]
[ 33.632511][ T8] Memory state around the buggy address:
[ 33.638160][ T8] ffff88812324eb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.647072][ T8] ffff88812324eb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.655929][ T8] >ffff88812324ec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.665263][ T8] ^
[ 33.669949][ T8] ffff88812324ec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.679960][ T8] ffff88812324ed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.688329][ T8] ==================================================================
[ 33.696787][ T8] Disabling lock debugging due to kernel taint
executing program