Warning: Permanently added '10.128.1.33' (ED25519) to the list of known hosts.
2025/04/02 11:28:22 ignoring optional flag "sandboxArg"="0"
2025/04/02 11:28:23 parsed 1 programs
[ 23.972890][ T30] audit: type=1400 audit(1743593303.382:66): avc: denied { node_bind } for pid=288 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 24.981188][ T30] audit: type=1400 audit(1743593304.392:67): avc: denied { integrity } for pid=296 comm="syz-executor" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 25.004934][ T30] audit: type=1400 audit(1743593304.412:68): avc: denied { mounton } for pid=296 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 25.006410][ T296] cgroup: Unknown subsys name 'net'
[ 25.028082][ T30] audit: type=1400 audit(1743593304.412:69): avc: denied { mount } for pid=296 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 25.054320][ T30] audit: type=1400 audit(1743593304.442:70): avc: denied { unmount } for pid=296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 25.054491][ T296] cgroup: Unknown subsys name 'devices'
[ 25.259794][ T296] cgroup: Unknown subsys name 'hugetlb'
[ 25.265361][ T296] cgroup: Unknown subsys name 'rlimit'
[ 25.465671][ T30] audit: type=1400 audit(1743593304.872:71): avc: denied { setattr } for pid=296 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=250 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 25.488662][ T30] audit: type=1400 audit(1743593304.872:72): avc: denied { create } for pid=296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.500131][ T301] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 25.509175][ T30] audit: type=1400 audit(1743593304.872:73): avc: denied { write } for pid=296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.539076][ T30] audit: type=1400 audit(1743593304.872:74): avc: denied { read } for pid=296 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.559117][ T30] audit: type=1400 audit(1743593304.872:75): avc: denied { module_request } for pid=296 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 25.594190][ T296] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 25.970492][ T303] request_module fs-gadgetfs succeeded, but still no fs?
[ 26.058051][ T303] syz-executor (303) used greatest stack depth: 20176 bytes left
[ 26.676407][ T351] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.683300][ T351] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.690692][ T351] device bridge_slave_0 entered promiscuous mode
[ 26.697335][ T351] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.704188][ T351] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.711384][ T351] device bridge_slave_1 entered promiscuous mode
[ 26.755873][ T351] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.762738][ T351] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.769864][ T351] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.776695][ T351] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.797617][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 26.805256][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.812384][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.821955][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 26.830107][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.836960][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.845643][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 26.853739][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.860607][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.873337][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 26.887681][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.901876][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.919049][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.926881][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 26.934185][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 26.947161][ T351] device veth0_vlan entered promiscuous mode
[ 26.956791][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.965941][ T351] device veth1_macvtap entered promiscuous mode
[ 26.975053][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.989052][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2025/04/02 11:28:26 executed programs: 0
[ 27.198332][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.205183][ T362] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.212585][ T362] device bridge_slave_0 entered promiscuous mode
[ 27.223556][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.230437][ T362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.237582][ T362] device bridge_slave_1 entered promiscuous mode
[ 27.298626][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.305498][ T362] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.312664][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.319531][ T362] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.344527][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.352407][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.359604][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.377238][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.385316][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.392175][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.399612][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.407576][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.414468][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.421776][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.434434][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.445475][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.458610][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.466465][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 27.474022][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 27.482296][ T362] device veth0_vlan entered promiscuous mode
[ 27.492181][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.501100][ T362] device veth1_macvtap entered promiscuous mode
[ 27.510178][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.519938][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 27.542766][ T367] loop2: detected capacity change from 0 to 128
[ 27.625711][ T367] EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue. Quota mode: none.
[ 27.636288][ T367] ext4 filesystem being mounted at /0/file1 supports timestamps until 2038-01-19 (0x7fffffff)
[ 27.663788][ T362] ==================================================================
[ 27.671686][ T362] BUG: KASAN: slab-out-of-bounds in ext4_htree_fill_tree+0x131b/0x13e0
[ 27.679771][ T362] Read of size 1 at addr ffff8881065efc67 by task syz-executor/362
[ 27.687477][ T362]
[ 27.689645][ T362] CPU: 1 PID: 362 Comm: syz-executor Not tainted 5.15.178-syzkaller-00034-g5e1b899f19c3 #0
[ 27.699454][ T362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 27.709355][ T362] Call Trace:
[ 27.712471][ T362]
[ 27.715249][ T362] dump_stack_lvl+0x151/0x1c0
[ 27.719761][ T362] ? io_uring_drop_tctx_refs+0x190/0x190
[ 27.725228][ T362] ? panic+0x760/0x760
[ 27.729136][ T362] print_address_description+0x87/0x3b0
[ 27.734518][ T362] kasan_report+0x179/0x1c0
[ 27.738858][ T362] ? ext4_htree_fill_tree+0x131b/0x13e0
[ 27.744243][ T362] ? ext4_htree_fill_tree+0x131b/0x13e0
[ 27.749625][ T362] __asan_report_load1_noabort+0x14/0x20
[ 27.755087][ T362] ext4_htree_fill_tree+0x131b/0x13e0
[ 27.760297][ T362] ? ext4_handle_dirty_dirblock+0x6d0/0x6d0
[ 27.766024][ T362] ? __kasan_kmalloc+0x9/0x10
[ 27.770537][ T362] ? ext4_readdir+0x523/0x3960
[ 27.775136][ T362] ext4_readdir+0x2f75/0x3960
[ 27.779655][ T362] ? down_read_killable+0x1035/0x1b10
[ 27.784867][ T362] ? down_read_interruptible+0x1bf0/0x1bf0
[ 27.790504][ T362] ? numa_migrate_prep+0xe0/0xe0
[ 27.795273][ T362] ? ext4_dir_llseek+0x540/0x540
[ 27.800051][ T362] ? __kasan_check_read+0x11/0x20
[ 27.804907][ T362] ? security_file_permission+0x86/0xb0
[ 27.810291][ T362] iterate_dir+0x265/0x600
[ 27.814543][ T362] ? ext4_dir_llseek+0x540/0x540
[ 27.819316][ T362] __se_sys_getdents64+0x1c1/0x460
[ 27.824437][ T362] ? __x64_sys_getdents64+0x90/0x90
[ 27.829471][ T362] ? filldir+0x680/0x680
[ 27.833552][ T362] __x64_sys_getdents64+0x7b/0x90
[ 27.838422][ T362] x64_sys_call+0x5ae/0x9a0
[ 27.842749][ T362] do_syscall_64+0x3b/0xb0
[ 27.847093][ T362] ? clear_bhb_loop+0x35/0x90
[ 27.851606][ T362] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 27.857338][ T362] RIP: 0033:0x7fbbdc158ad3
[ 27.861585][ T362] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 72 3e f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
[ 27.881030][ T362] RSP: 002b:00007ffe8e733aa8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 27.889268][ T362] RAX: ffffffffffffffda RBX: 000055556aa094e0 RCX: 00007fbbdc158ad3
[ 27.897080][ T362] RDX: 0000000000008000 RSI: 000055556aa094e0 RDI: 0000000000000005
[ 27.904893][ T362] RBP: 000055556aa094b4 R08: 0000000000028b61 R09: 0000000000000000
[ 27.912704][ T362] R10: 00007fbbdc315ca0 R11: 0000000000000293 R12: ffffffffffffffa8
[ 27.920519][ T362] R13: 0000000000000010 R14: 000055556aa094b0 R15: 00007ffe8e735d60
[ 27.928329][ T362]
[ 27.931190][ T362]
[ 27.933361][ T362] Allocated by task 0:
[ 27.937265][ T362] (stack is not available)
[ 27.941524][ T362]
[ 27.943705][ T362] The buggy address belongs to the object at ffff8881065efbb8
[ 27.943705][ T362] which belongs to the cache kernfs_node_cache of size 136
[ 27.958097][ T362] The buggy address is located 39 bytes to the right of
[ 27.958097][ T362] 136-byte region [ffff8881065efbb8, ffff8881065efc40)
[ 27.971737][ T362] The buggy address belongs to the page:
[ 27.977215][ T362] page:ffffea0004197bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065ef
[ 27.987272][ T362] flags: 0x4000000000000200(slab|zone=1)
[ 27.992751][ T362] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881001c4d80
[ 28.001166][ T362] raw: 0000000000000000 0000000080140014 00000001ffffffff 0000000000000000
[ 28.009578][ T362] page dumped because: kasan: bad access detected
[ 28.015837][ T362] page_owner tracks the page as allocated
[ 28.021389][ T362] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 367, ts 27625412756, free_ts 26615933578
[ 28.037096][ T362] post_alloc_hook+0x1a3/0x1b0
[ 28.041693][ T362] prep_new_page+0x1b/0x110
[ 28.046116][ T362] get_page_from_freelist+0x3550/0x35d0
[ 28.051501][ T362] __alloc_pages+0x27e/0x8f0
[ 28.055923][ T362] new_slab+0x9a/0x4e0
[ 28.059832][ T362] ___slab_alloc+0x39e/0x830
[ 28.064256][ T362] __slab_alloc+0x4a/0x90
[ 28.068422][ T362] kmem_cache_alloc+0x139/0x250
[ 28.073110][ T362] __kernfs_new_node+0xdb/0x700
[ 28.077798][ T362] kernfs_new_node+0x130/0x230
[ 28.082398][ T362] __kernfs_create_file+0x4a/0x270
[ 28.087344][ T362] sysfs_add_file_mode_ns+0x273/0x320
[ 28.092552][ T362] internal_create_group+0x573/0xf00
[ 28.097762][ T362] sysfs_create_groups+0x5b/0x130
[ 28.102619][ T362] kobject_add_internal+0x8ce/0xd90
[ 28.107654][ T362] kobject_init_and_add+0x120/0x190
[ 28.112691][ T362] page last free stack trace:
[ 28.117202][ T362] free_unref_page_prepare+0x7c8/0x7d0
[ 28.122497][ T362] free_unref_page+0xe8/0x750
[ 28.127007][ T362] __free_pages+0x61/0xf0
[ 28.131175][ T362] free_pages+0x7c/0x90
[ 28.135167][ T362] kasan_depopulate_vmalloc_pte+0x6a/0x90
[ 28.140723][ T362] __apply_to_page_range+0x8dd/0xbe0
[ 28.145842][ T362] apply_to_existing_page_range+0x38/0x50
[ 28.151400][ T362] kasan_release_vmalloc+0x9a/0xb0
[ 28.156344][ T362] __purge_vmap_area_lazy+0x154a/0x1690
[ 28.161727][ T362] _vm_unmap_aliases+0x339/0x3b0
[ 28.166498][ T362] vm_unmap_aliases+0x19/0x20
[ 28.171014][ T362] change_page_attr_set_clr+0x308/0x1050
[ 28.176482][ T362] set_memory_ro+0xa1/0xe0
[ 28.180733][ T362] bpf_int_jit_compile+0xbf21/0xc6b0
[ 28.185853][ T362] bpf_prog_select_runtime+0x724/0xa10
[ 28.191152][ T362] bpf_prepare_filter+0x10d0/0x13d0
[ 28.196187][ T362]
[ 28.198354][ T362] Memory state around the buggy address:
[ 28.203823][ T362] ffff8881065efb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 28.211981][ T362] ffff8881065efb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.219998][ T362] >ffff8881065efc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.227893][ T362] ^
[ 28.234927][ T362] ffff8881065efc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 28.242824][ T362] ffff8881065efd00: 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
[ 28.250845][ T362] ==================================================================
[ 28.258738][ T362] Disabling lock debugging due to kernel taint