Warning: Permanently added '10.128.1.20' (ED25519) to the list of known hosts.
executing program
[ 50.637012][ T24] audit: type=1400 audit(1727487163.950:66): avc: denied { execmem } for pid=310 comm="syz-executor344" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 50.656292][ T24] audit: type=1400 audit(1727487163.950:67): avc: denied { read write } for pid=310 comm="syz-executor344" name="loop0" dev="devtmpfs" ino=111 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 50.680190][ T24] audit: type=1400 audit(1727487163.950:68): avc: denied { open } for pid=310 comm="syz-executor344" path="/dev/loop0" dev="devtmpfs" ino=111 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 50.704182][ T24] audit: type=1400 audit(1727487163.950:69): avc: denied { ioctl } for pid=310 comm="syz-executor344" path="/dev/loop0" dev="devtmpfs" ino=111 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 50.746216][ T24] audit: type=1400 audit(1727487164.060:70): avc: denied { mounton } for pid=311 comm="syz-executor344" path="/root/syzkaller.klR20E/0/file0" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 50.858676][ T311] EXT4-fs (loop0): Ignoring removed mblk_io_submit option
[ 50.865714][ T311] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
[ 50.874120][ T311] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=b016c118, mo2=0002]
[ 50.881852][ T311] System zones: 1-12
[ 50.886493][ T311] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2210: inode #15: comm syz-executor344: corrupted in-inode xattr
[ 50.899011][ T311] EXT4-fs error (device loop0): ext4_orphan_get:1396: comm syz-executor344: couldn't read orphan inode 15 (err -117)
[ 50.911351][ T311] EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,data_err=abort,debug,noload,mblk_io_submit,commit=0x0000000000000005,init_itable=0x0000000000000601,grpquota,,errors=continue
[ 50.930887][ T24] audit: type=1400 audit(1727487164.240:71): avc: denied { mount } for pid=311 comm="syz-executor344" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 50.952555][ T24] audit: type=1400 audit(1727487164.240:72): avc: denied { write } for pid=311 comm="syz-executor344" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 50.953168][ T310] ==================================================================
[ 50.974118][ T24] audit: type=1400 audit(1727487164.240:73): avc: denied { add_name } for pid=311 comm="syz-executor344" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 50.981993][ T310] BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x1316/0x13e0
[ 50.982013][ T310] Read of size 1 at addr ffff88811a778a67 by task syz-executor344/310
[ 51.002480][ T24] audit: type=1400 audit(1727487164.240:74): avc: denied { create } for pid=311 comm="syz-executor344" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 51.010168][ T310]
[ 51.010192][ T310] CPU: 0 PID: 310 Comm: syz-executor344 Not tainted 5.10.225-syzkaller-00513-g8d23314f588a #0
[ 51.010203][ T310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 51.018239][ T24] audit: type=1400 audit(1727487164.240:75): avc: denied { write open } for pid=311 comm="syz-executor344" path="/root/syzkaller.klR20E/0/file0/bus" dev="loop0" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 51.038213][ T310] Call Trace:
[ 51.038227][ T310] dump_stack_lvl+0x1e2/0x24b
[ 51.038244][ T310] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 51.098275][ T310] ? panic+0x812/0x812
[ 51.102179][ T310] print_address_description+0x81/0x3b0
[ 51.107554][ T310] ? ext4_htree_store_dirent+0x19c/0x590
[ 51.113020][ T310] kasan_report+0x179/0x1c0
[ 51.117362][ T310] ? ext4_htree_fill_tree+0x1316/0x13e0
[ 51.122742][ T310] ? ext4_htree_fill_tree+0x1316/0x13e0
[ 51.128123][ T310] __asan_report_load1_noabort+0x14/0x20
[ 51.133591][ T310] ext4_htree_fill_tree+0x1316/0x13e0
[ 51.138802][ T310] ? ext4_handle_dirty_dirblock+0x6e0/0x6e0
[ 51.144529][ T310] ? __kasan_kmalloc+0x9/0x10
[ 51.149038][ T310] ? ext4_readdir+0x4df/0x37c0
[ 51.153638][ T310] ext4_readdir+0x2dde/0x37c0
[ 51.158157][ T310] ? handle_pte_fault+0x1472/0x3e30
[ 51.163188][ T310] ? ext4_dir_llseek+0x4c0/0x4c0
[ 51.167961][ T310] ? __kasan_check_write+0x14/0x20
[ 51.172908][ T310] ? down_read_killable+0x101/0x220
[ 51.177943][ T310] ? down_read_interruptible+0x220/0x220
[ 51.183413][ T310] ? security_file_permission+0x86/0xb0
[ 51.188789][ T310] iterate_dir+0x265/0x580
[ 51.193043][ T310] ? ext4_dir_llseek+0x4c0/0x4c0
[ 51.197824][ T310] __se_sys_getdents64+0x1c1/0x460
[ 51.202765][ T310] ? __x64_sys_getdents64+0x90/0x90
[ 51.207796][ T310] ? filldir+0x680/0x680
[ 51.211884][ T310] ? debug_smp_processor_id+0x17/0x20
[ 51.217088][ T310] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 51.222987][ T310] ? irqentry_exit_to_user_mode+0x41/0x80
[ 51.228542][ T310] __x64_sys_getdents64+0x7b/0x90
[ 51.233401][ T310] do_syscall_64+0x34/0x70
[ 51.237657][ T310] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 51.243382][ T310] RIP: 0033:0x7fd2f4f7fd63
[ 51.247635][ T310] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 b2 4a fb ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8
[ 51.267076][ T310] RSP: 002b:00007fff0bb7fdd8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 51.275319][ T310] RAX: ffffffffffffffda RBX: 0000555592327830 RCX: 00007fd2f4f7fd63
[ 51.283132][ T310] RDX: 0000000000008000 RSI: 0000555592327830 RDI: 0000000000000004
[ 51.290942][ T310] RBP: 0000555592327804 R08: 0000000000000000 R09: 0000000000000000
[ 51.298755][ T310] R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffb8
[ 51.306566][ T310] R13: 0000000000000010 R14: 0000555592327800 R15: 00007fff0bb82050
[ 51.314401][ T310]
[ 51.316546][ T310] Allocated by task 0:
[ 51.320448][ T310] (stack is not available)
[ 51.324702][ T310]
[ 51.326872][ T310] Freed by task 290:
[ 51.330610][ T310] kasan_set_track+0x4b/0x70
[ 51.335037][ T310] kasan_set_free_info+0x23/0x40
[ 51.339808][ T310] ____kasan_slab_free+0x121/0x160
[ 51.344846][ T310] __kasan_slab_free+0x11/0x20
[ 51.349441][ T310] slab_free_freelist_hook+0xc0/0x190
[ 51.354649][ T310] kfree+0xc3/0x270
[ 51.358296][ T310] skb_release_data+0x5c6/0x6f0
[ 51.362983][ T310] napi_consume_skb+0x18b/0x490
[ 51.367668][ T310] free_old_xmit_skbs+0x119/0x290
[ 51.372532][ T310] virtnet_poll+0x317/0x11f0
[ 51.376958][ T310] net_rx_action+0x516/0x10d0
[ 51.381474][ T310] __do_softirq+0x268/0x5bb
[ 51.385802][ T310]
[ 51.387977][ T310] The buggy address belongs to the object at ffff88811a778800
[ 51.387977][ T310] which belongs to the cache kmalloc-1k of size 1024
[ 51.401869][ T310] The buggy address is located 615 bytes inside of
[ 51.401869][ T310] 1024-byte region [ffff88811a778800, ffff88811a778c00)
[ 51.415053][ T310] The buggy address belongs to the page:
[ 51.420540][ T310] page:ffffea000469de00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a778
[ 51.430591][ T310] head:ffffea000469de00 order:3 compound_mapcount:0 compound_pincount:0
[ 51.438754][ T310] flags: 0x4000000000010200(slab|head)
[ 51.444052][ T310] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042f00
[ 51.452470][ T310] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 51.460881][ T310] page dumped because: kasan: bad access detected
[ 51.467222][ T310] page_owner tracks the page as allocated
[ 51.472781][ T310] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 290, ts 43527880184, free_ts 43526389499
[ 51.491003][ T310] prep_new_page+0x166/0x180
[ 51.495430][ T310] get_page_from_freelist+0x2d8c/0x2f30
[ 51.500809][ T310] __alloc_pages_nodemask+0x435/0xaf0
[ 51.506016][ T310] new_slab+0x80/0x400
[ 51.509922][ T310] ___slab_alloc+0x302/0x4b0
[ 51.514348][ T310] __slab_alloc+0x63/0xa0
[ 51.518515][ T310] __kmalloc_track_caller+0x1f8/0x320
[ 51.523719][ T310] __alloc_skb+0xbc/0x510
[ 51.527887][ T310] __napi_alloc_skb+0x15d/0x2e0
[ 51.532591][ T310] page_to_skb+0x3d/0x900
[ 51.536739][ T310] receive_buf+0xe79/0x53d0
[ 51.541078][ T310] virtnet_poll+0x5cf/0x11f0
[ 51.545505][ T310] net_rx_action+0x516/0x10d0
[ 51.550029][ T310] __do_softirq+0x268/0x5bb
[ 51.554354][ T310] page last free stack trace:
[ 51.558876][ T310] __free_pages_ok+0x82c/0x850
[ 51.563471][ T310] free_compound_page+0x73/0x90
[ 51.568160][ T310] __put_compound_page+0x73/0xb0
[ 51.572954][ T310] __put_page+0xc0/0xe0
[ 51.576927][ T310] skb_release_data+0x240/0x6f0
[ 51.581615][ T310] __kfree_skb+0x50/0x70
[ 51.585698][ T310] tcp_recvmsg+0x1765/0x3590
[ 51.590117][ T310] inet_recvmsg+0x158/0x500
[ 51.594458][ T310] sock_read_iter+0x353/0x480
[ 51.598969][ T310] vfs_read+0x990/0xba0
[ 51.602961][ T310] ksys_read+0x199/0x2c0
[ 51.607041][ T310] __x64_sys_read+0x7b/0x90
[ 51.611382][ T310] do_syscall_64+0x34/0x70
[ 51.615638][ T310] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 51.621359][ T310]
[ 51.623527][ T310] Memory state around the buggy address:
[ 51.629000][ T310]  ffff88811a778900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.636900][ T310]  ffff88811a778980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.644911][ T310] >ffff88811a778a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.652806][ T310]                                                        ^
[ 51.659838][ T310]  ffff88811a778a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.667737][ T310]  ffff88811a778b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.675727][ T310] ==================================================================
[ 51.683620][ T310] Disabling lock debugging due to kernel taint