Warning: Permanently added '10.128.10.45' (ED25519) to the list of known hosts.
2024/01/24 09:42:57 ignoring optional flag "sandboxArg"="0"
2024/01/24 09:42:57 parsed 1 programs
[ 47.063041][ T27] audit: type=1400 audit(1706089377.584:156): avc: denied { mounton } for pid=345 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 47.088290][ T27] audit: type=1400 audit(1706089377.584:157): avc: denied { mount } for pid=345 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
2024/01/24 09:42:57 executed programs: 0
[ 47.111902][ T27] audit: type=1400 audit(1706089377.634:158): avc: denied { unlink } for pid=345 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 47.143778][ T345] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 47.189019][ T351] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.196081][ T351] bridge0: port 1(bridge_slave_0) entered disabled state
[ 47.203668][ T351] device bridge_slave_0 entered promiscuous mode
[ 47.210308][ T351] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.217242][ T351] bridge0: port 2(bridge_slave_1) entered disabled state
[ 47.224755][ T351] device bridge_slave_1 entered promiscuous mode
[ 47.260875][ T27] audit: type=1400 audit(1706089377.774:159): avc: denied { write } for pid=351 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 47.265622][ T351] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.281360][ T27] audit: type=1400 audit(1706089377.774:160): avc: denied { read } for pid=351 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 47.288130][ T351] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.288207][ T351] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.322591][ T351] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.339622][ T61] bridge0: port 1(bridge_slave_0) entered disabled state
[ 47.347119][ T61] bridge0: port 2(bridge_slave_1) entered disabled state
[ 47.354618][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 47.361824][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 47.370192][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 47.378153][ T35] bridge0: port 1(bridge_slave_0) entered blocking state
[ 47.385192][ T35] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.402318][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 47.410796][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 47.419059][ T35] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.425978][ T35] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.433302][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 47.440951][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 47.451205][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 47.458952][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 47.466281][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 47.474276][ T351] device veth0_vlan entered promiscuous mode
[ 47.483511][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 47.492198][ T351] device veth1_macvtap entered promiscuous mode
[ 47.502068][ T307] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 47.510151][ T307] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 47.522638][ T27] audit: type=1400 audit(1706089378.044:161): avc: denied { mounton } for pid=351 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=207 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 48.684906][ T381] ==================================================================
[ 48.692970][ T381] BUG: KASAN: use-after-free in __skb_datagram_iter+0x96/0x5b0
[ 48.700354][ T381] Read of size 8 at addr ffff888124ed9d60 by task syz-executor.0/381
[ 48.708417][ T381]
[ 48.710583][ T381] CPU: 0 PID: 381 Comm: syz-executor.0 Not tainted 6.1.57-syzkaller #0
[ 48.718806][ T381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 48.728647][ T381] Call Trace:
[ 48.731936][ T381]
[ 48.735037][ T381] dump_stack_lvl+0x105/0x148
[ 48.739540][ T381] ? panic+0x3b4/0x3b4
[ 48.743530][ T381] ? nf_tcp_handle_invalid+0x30b/0x30b
[ 48.748841][ T381] ? _printk+0xca/0x10a
[ 48.752976][ T381] print_report+0x158/0x4e0
[ 48.757414][ T381] ? kasan_complete_mode_report_info+0x90/0x1b0
[ 48.763533][ T381] ? __skb_datagram_iter+0x96/0x5b0
[ 48.768612][ T381] kasan_report+0x13c/0x170
[ 48.773032][ T381] ? __skb_datagram_iter+0x96/0x5b0
[ 48.778063][ T381] __asan_report_load8_noabort+0x14/0x20
[ 48.783530][ T381] __skb_datagram_iter+0x96/0x5b0
[ 48.788479][ T381] ? skb_copy_datagram_iter+0x100/0x100
[ 48.793963][ T381] skb_copy_datagram_iter+0x38/0x100
[ 48.799089][ T381] unix_stream_read_actor+0x68/0xa0
[ 48.804205][ T381] unix_stream_recv_urg+0x16a/0x2a0
[ 48.809237][ T381] unix_stream_read_generic+0x1e29/0x1f10
[ 48.814794][ T381] ? avc_has_perm+0xcb/0x210
[ 48.819305][ T381] ? avc_has_perm_noaudit+0x380/0x380
[ 48.824521][ T381] ? unix_stream_read_actor+0xa0/0xa0
[ 48.829821][ T381] ? selinux_socket_recvmsg+0x250/0x380
[ 48.835190][ T381] ? selinux_socket_sendmsg+0x380/0x380
[ 48.840579][ T381] unix_stream_recvmsg+0x20c/0x2a0
[ 48.845626][ T381] ? unix_stream_sendmsg+0xf50/0xf50
[ 48.850747][ T381] ? __unix_stream_recvmsg+0x210/0x210
[ 48.856042][ T381] ? security_socket_recvmsg+0x3c/0x90
[ 48.861334][ T381] ? unix_stream_sendmsg+0xf50/0xf50
[ 48.866464][ T381] ____sys_recvmsg+0x263/0x450
[ 48.871051][ T381] ? __sys_recvmsg_sock+0x10/0x10
[ 48.876171][ T381] ___sys_recvmsg+0x4c1/0x6e0
[ 48.880682][ T381] ? __sys_recvmsg+0x1d0/0x1d0
[ 48.885387][ T381] ? _raw_spin_lock_irq+0xa5/0x1b0
[ 48.890407][ T381] ? _raw_spin_lock_irqsave+0x210/0x210
[ 48.895800][ T381] ? __fget_files+0x24b/0x280
[ 48.900336][ T381] ? __fdget+0x13f/0x1c0
[ 48.904384][ T381] __x64_sys_recvmsg+0x18d/0x210
[ 48.909153][ T381] ? ___sys_recvmsg+0x6e0/0x6e0
[ 48.913841][ T381] ? debug_smp_processor_id+0x17/0x20
[ 48.919050][ T381] ? exit_to_user_mode_prepare+0x39/0xa0
[ 48.924516][ T381] do_syscall_64+0x3d/0xb0
[ 48.928853][ T381] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.934588][ T381] RIP: 0033:0x7f318087cae9
[ 48.938920][ T381] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 48.958679][ T381] RSP: 002b:00007f31816650c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 48.967087][ T381] RAX: ffffffffffffffda RBX: 00007f318099c120 RCX: 00007f318087cae9
[ 48.974908][ T381] RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
[ 48.982720][ T381] RBP: 00007f31808c847a R08: 0000000000000000 R09: 0000000000000000
[ 48.990518][ T381] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 48.998446][ T381] R13: 000000000000006e R14: 00007f318099c120 R15: 00007ffcc3f224d8
[ 49.006562][ T381]
[ 49.009791][ T381]
[ 49.011937][ T381] Allocated by task 380:
[ 49.016012][ T381] kasan_set_track+0x4b/0x70
[ 49.020534][ T381] kasan_save_alloc_info+0x1f/0x30
[ 49.025646][ T381] __kasan_slab_alloc+0x6c/0x80
[ 49.030335][ T381] slab_post_alloc_hook+0x59/0x270
[ 49.035437][ T381] kmem_cache_alloc_node+0x18a/0x2d0
[ 49.040586][ T381] __alloc_skb+0x12c/0x700
[ 49.044806][ T381] alloc_skb_with_frags+0x7f/0x520
[ 49.049747][ T381] sock_alloc_send_pskb+0x7ef/0x8f0
[ 49.054930][ T381] queue_oob+0xfd/0x7e0
[ 49.059001][ T381] unix_stream_sendmsg+0xb55/0xf50
[ 49.063950][ T381] ____sys_sendmsg+0x495/0x7c0
[ 49.068632][ T381] ___sys_sendmsg+0x223/0x2a0
[ 49.073153][ T381] __se_sys_sendmsg+0x143/0x1d0
[ 49.077837][ T381] __x64_sys_sendmsg+0x76/0x80
[ 49.082615][ T381] do_syscall_64+0x3d/0xb0
[ 49.086946][ T381] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 49.092684][ T381]
[ 49.094843][ T381] Freed by task 380:
[ 49.098612][ T381] kasan_set_track+0x4b/0x70
[ 49.103088][ T381] kasan_save_free_info+0x2b/0x40
[ 49.108138][ T381] ____kasan_slab_free+0x131/0x180
[ 49.113084][ T381] __kasan_slab_free+0x11/0x20
[ 49.117772][ T381] kmem_cache_free+0x264/0x450
[ 49.122545][ T381] kfree_skbmem+0xb6/0x110
[ 49.126887][ T381] consume_skb+0x86/0x180
[ 49.131312][ T381] queue_oob+0x497/0x7e0
[ 49.135590][ T381] unix_stream_sendmsg+0xb55/0xf50
[ 49.140542][ T381] ____sys_sendmsg+0x495/0x7c0
[ 49.145135][ T381] ___sys_sendmsg+0x223/0x2a0
[ 49.149777][ T381] __se_sys_sendmsg+0x143/0x1d0
[ 49.154463][ T381] __x64_sys_sendmsg+0x76/0x80
[ 49.159063][ T381] do_syscall_64+0x3d/0xb0
[ 49.163321][ T381] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 49.169099][ T381]
[ 49.171220][ T381] The buggy address belongs to the object at ffff888124ed9c80
[ 49.171220][ T381]  which belongs to the cache skbuff_head_cache of size 248
[ 49.185890][ T381] The buggy address is located 224 bytes inside of
[ 49.185890][ T381]  248-byte region [ffff888124ed9c80, ffff888124ed9d78)
[ 49.199132][ T381]
[ 49.201240][ T381] The buggy address belongs to the physical page:
[ 49.207493][ T381] page:ffffea000493b640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124ed9
[ 49.217664][ T381] flags: 0x4000000000000200(slab|zone=1)
[ 49.223132][ T381] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100217b00
[ 49.231808][ T381] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 49.240478][ T381] page dumped because: kasan: bad access detected
[ 49.246674][ T381] page_owner tracks the page as allocated
[ 49.252225][ T381] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 23, tgid 23 (kworker/1:0), ts 48681628590, free_ts 0
[ 49.270816][ T381] prep_new_page+0x512/0x5e0
[ 49.275238][ T381] get_page_from_freelist+0x288b/0x2910
[ 49.280619][ T381] __alloc_pages+0x39f/0x780
[ 49.285653][ T381] alloc_slab_page+0x6c/0xf0
[ 49.290075][ T381] new_slab+0x7b/0x370
[ 49.294080][ T381] ___slab_alloc+0x611/0x9a0
[ 49.298499][ T381] __slab_alloc+0x52/0x90
[ 49.302755][ T381] kmem_cache_alloc_node+0x1c9/0x2d0
[ 49.307979][ T381] __alloc_skb+0x12c/0x700
[ 49.312208][ T381] __ipv6_ifa_notify+0x292/0xf90
[ 49.316993][ T381] addrconf_dad_completed+0x13a/0xaf0
[ 49.322279][ T381] addrconf_dad_work+0x80b/0x1360
[ 49.327224][ T381] process_one_work+0x6de/0xd00
[ 49.331938][ T381] worker_thread+0x892/0xf20
[ 49.336424][ T381] kthread+0x215/0x270
[ 49.340329][ T381] ret_from_fork+0x1f/0x30
[ 49.344606][ T381] page_owner free stack trace missing
[ 49.349903][ T381]
[ 49.352168][ T381] Memory state around the buggy address:
[ 49.357810][ T381]  ffff888124ed9c00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 49.365788][ T381]  ffff888124ed9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.373685][ T381] >ffff888124ed9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 49.381587][ T381]                                                        ^
[ 49.388707][ T381]  ffff888124ed9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 49.396952][ T381]  ffff888124ed9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.404852][ T381] ==================================================================
[ 49.412953][ T381] Disabling lock debugging due to kernel taint
2024/01/24 09:43:02 executed programs: 40
2024/01/24 09:43:07 executed programs: 98