Warning: Permanently added '10.128.1.188' (ED25519) to the list of known hosts.
2024/01/23 12:17:00 ignoring optional flag "sandboxArg"="0"
2024/01/23 12:17:00 parsed 1 programs
[ 44.423378][ T29] kauditd_printk_skb: 78 callbacks suppressed
[ 44.423386][ T29] audit: type=1400 audit(1706012220.985:154): avc: denied { mounton } for pid=341 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 44.457717][ T29] audit: type=1400 audit(1706012221.005:155): avc: denied { mount } for pid=341 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 44.488785][ T29] audit: type=1400 audit(1706012221.005:156): avc: denied { setattr } for pid=341 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=82 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 44.517105][ T29] audit: type=1400 audit(1706012221.005:157): avc: denied { read write } for pid=341 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2024/01/23 12:17:01 executed programs: 0
[ 44.547996][ T29] audit: type=1400 audit(1706012221.005:158): avc: denied { open } for pid=341 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 44.576386][ T29] audit: type=1400 audit(1706012221.135:159): avc: denied { unlink } for pid=341 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 44.597421][ T341] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 44.605421][ T29] audit: type=1400 audit(1706012221.135:160): avc: denied { relabelto } for pid=342 comm="mkswap" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 44.664996][ T346] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.673006][ T346] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.681695][ T346] device bridge_slave_0 entered promiscuous mode
[ 44.689514][ T346] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.697632][ T346] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.705289][ T346] device bridge_slave_1 entered promiscuous mode
[ 44.753253][ T346] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.761110][ T346] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.769087][ T346] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.777650][ T346] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.796037][ T297] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.803466][ T297] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.811280][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 44.819231][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.829509][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.838225][ T38] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.845870][ T38] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.863203][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 44.871999][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.882078][ T297] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.889377][ T297] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.898084][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.908839][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.922721][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.931225][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 44.939756][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 44.949393][ T346] device veth0_vlan entered promiscuous mode
[ 44.961720][ T297] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.972472][ T346] device veth1_macvtap entered promiscuous mode
[ 44.986635][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.998031][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 45.304339][ T352] loop0: detected capacity change from 0 to 131072
[ 45.312661][ T29] audit: type=1400 audit(1706012221.875:161): avc: denied { mounton } for pid=351 comm="syz-executor.0" path="/root/syzkaller-testdir273203220/syzkaller.CZrSQD/0/file2" dev="sda1" ino=1939 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 45.314383][ T352] F2FS-fs (loop0): Invalid log sectors per block(124) log sectorsize(9)
[ 45.351240][ T352] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 45.360411][ T352] F2FS-fs (loop0): invalid crc value
[ 45.367406][ T352] F2FS-fs (loop0): Disable nat_bits due to incorrect cp_ver (9621037545273099749, 1067266233009637)
[ 45.380060][ T352] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
[ 45.400921][ T352] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
[ 45.408668][ T352] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[ 45.417579][ T29] audit: type=1400 audit(1706012221.975:162): avc: denied { mount } for pid=351 comm="syz-executor.0" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 45.443398][ T29] audit: type=1400 audit(1706012221.975:163): avc: denied { read } for pid=351 comm="syz-executor.0" name="file2" dev="loop0" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 45.512405][ T346] ==================================================================
[ 45.521571][ T346] BUG: KASAN: use-after-free in _raw_spin_lock+0x78/0x110
[ 45.528888][ T346] Write of size 4 at addr ffff88810b7592b8 by task syz-executor.0/346
[ 45.537648][ T346]
[ 45.540093][ T346] CPU: 0 PID: 346 Comm: syz-executor.0 Not tainted 5.15.147-syzkaller #0
[ 45.548862][ T346] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 45.560219][ T346] Call Trace:
[ 45.563393][ T346]
[ 45.566656][ T346] dump_stack_lvl+0x38/0x49
[ 45.571028][ T346] print_address_description.constprop.0+0x24/0x160
[ 45.578835][ T346] ? _raw_spin_lock+0x78/0x110
[ 45.583801][ T346] kasan_report.cold+0x82/0xdb
[ 45.588723][ T346] ? _raw_spin_lock+0x78/0x110
[ 45.594520][ T346] kasan_check_range+0x148/0x190
[ 45.600404][ T346] __kasan_check_write+0x14/0x20
[ 45.606361][ T346] _raw_spin_lock+0x78/0x110
[ 45.611912][ T346] ? _raw_spin_lock_bh+0x110/0x110
[ 45.617438][ T346] ? _raw_spin_lock_bh+0x110/0x110
[ 45.623031][ T346] igrab+0x19/0x80
[ 45.626721][ T346] f2fs_sync_inode_meta+0x16e/0x260
[ 45.631911][ T346] f2fs_write_checkpoint+0x693/0x6430
[ 45.637232][ T346] ? __switch_to+0x5cd/0xec0
[ 45.641652][ T346] ? __kasan_check_write+0x14/0x20
[ 45.646606][ T346] ? _raw_spin_lock_irqsave+0x8c/0x120
[ 45.651889][ T346] ? f2fs_get_sectors_written+0x370/0x370
[ 45.657954][ T346] ? __kasan_check_write+0x14/0x20
[ 45.662893][ T346] ? mutex_unlock+0x7e/0x240
[ 45.667730][ T346] f2fs_issue_checkpoint+0x2a6/0x440
[ 45.673143][ T346] ? f2fs_destroy_checkpoint_caches+0x20/0x20
[ 45.680540][ T346] ? sync_inodes_sb+0x569/0x760
[ 45.685386][ T346] ? filemap_fdatawrite_wbc+0x1cf/0x2b0
[ 45.690759][ T346] ? try_to_writeback_inodes_sb+0xb0/0xb0
[ 45.696508][ T346] ? add_page_wait_queue+0x200/0x200
[ 45.701788][ T346] f2fs_sync_fs+0x14c/0x240
[ 45.706479][ T346] sync_filesystem.part.0+0xfc/0x170
[ 45.712349][ T346] sync_filesystem+0x66/0x80
[ 45.718259][ T346] f2fs_quota_off_umount+0x52/0xd0
[ 45.723587][ T346] f2fs_put_super+0xb8/0xd50
[ 45.727988][ T346] ? __kasan_check_read+0x11/0x20
[ 45.733616][ T346] ? fsnotify_sb_delete+0x2aa/0x420
[ 45.739458][ T346] ? __fsnotify_vfsmount_delete+0x20/0x20
[ 45.745612][ T346] ? f2fs_quota_off_umount+0xd0/0xd0
[ 45.751164][ T346] ? dispose_list+0x1a0/0x1a0
[ 45.756114][ T346] ? sync_blockdev+0x5c/0x80
[ 45.761728][ T346] generic_shutdown_super+0x13d/0x340
[ 45.767776][ T346] kill_block_super+0x9a/0xd0
[ 45.773711][ T346] kill_f2fs_super+0x24d/0x360
[ 45.778635][ T346] ? trace_event_raw_event_f2fs_background_gc+0x310/0x310
[ 45.786284][ T346] ? unregister_shrinker+0x1bd/0x2e0
[ 45.792451][ T346] deactivate_locked_super+0x8b/0x130
[ 45.798858][ T346] deactivate_super+0x71/0x80
[ 45.803969][ T346] cleanup_mnt+0x2cf/0x400
[ 45.808371][ T346] ? putname+0xb8/0xf0
[ 45.812537][ T346] __cleanup_mnt+0xd/0x10
[ 45.817174][ T346] task_work_run+0xc2/0x150
[ 45.821468][ T346] exit_to_user_mode_prepare+0x140/0x150
[ 45.827296][ T346] syscall_exit_to_user_mode+0x21/0x40
[ 45.832805][ T346] do_syscall_64+0x42/0xb0
[ 45.837609][ T346] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 45.844101][ T346] RIP: 0033:0x7f694cb52017
[ 45.849780][ T346] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[ 45.874208][ T346] RSP: 002b:00007fffbe7c0d18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 45.884266][ T346] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f694cb52017
[ 45.892985][ T346] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007fffbe7c0dd0
[ 45.901611][ T346] RBP: 00007fffbe7c0dd0 R08: 0000000000000000 R09: 0000000000000000
[ 45.910150][ T346] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fffbe7c1e90
[ 45.918835][ T346] R13: 00007f694cb9c3b9 R14: 000000000000afc3 R15: 0000000000000003
[ 45.927017][ T346]
[ 45.929974][ T346]
[ 45.932572][ T346] Allocated by task 352:
[ 45.937332][ T346] kasan_save_stack+0x26/0x50
[ 45.941940][ T346] __kasan_slab_alloc+0x94/0xc0
[ 45.947002][ T346] kmem_cache_alloc+0x197/0x480
[ 45.952169][ T346] f2fs_alloc_inode+0x1d/0x370
[ 45.957174][ T346] alloc_inode+0x5c/0x1e0
[ 45.962060][ T346] iget_locked+0x138/0x5f0
[ 45.967743][ T346] f2fs_iget+0x55/0x4c70
[ 45.973279][ T346] f2fs_lookup+0x484/0xbe0
[ 45.979439][ T346] path_openat+0x1196/0x4180
[ 45.985588][ T346] do_filp_open+0x1ab/0x3f0
[ 45.990308][ T346] do_sys_openat2+0x135/0x8e0
[ 45.995568][ T346] __x64_sys_open+0x105/0x1c0
[ 46.000261][ T346] do_syscall_64+0x35/0xb0
[ 46.004515][ T346] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 46.010549][ T346]
[ 46.012671][ T346] Freed by task 346:
[ 46.016413][ T346] kasan_save_stack+0x26/0x50
[ 46.021729][ T346] kasan_set_track+0x25/0x30
[ 46.026085][ T346] kasan_set_free_info+0x24/0x40
[ 46.031282][ T346] __kasan_slab_free+0x111/0x150
[ 46.036069][ T346] slab_free_freelist_hook+0x94/0x1a0
[ 46.041540][ T346] kmem_cache_free+0x105/0x250
[ 46.046220][ T346] f2fs_free_inode+0x1d/0x30
[ 46.050710][ T346] i_callback+0x3a/0x60
[ 46.054816][ T346] rcu_do_batch+0x340/0xca0
[ 46.059719][ T346] rcu_core+0x56b/0xac0
[ 46.063730][ T346] rcu_core_si+0x9/0x10
[ 46.067949][ T346] __do_softirq+0x1c1/0x5c8
[ 46.072435][ T346]
[ 46.074868][ T346] Last potentially related work creation:
[ 46.080603][ T346] kasan_save_stack+0x26/0x50
[ 46.086992][ T346] __kasan_record_aux_stack+0xd8/0xf0
[ 46.092769][ T346] kasan_record_aux_stack_noalloc+0xb/0x10
[ 46.098759][ T346] call_rcu+0xe7/0x1420
[ 46.103023][ T346] destroy_inode+0x11f/0x190
[ 46.108118][ T346] evict+0x43c/0x610
[ 46.114062][ T346] dispose_list+0xf5/0x1a0
[ 46.119062][ T346] evict_inodes+0x2e6/0x3d0
[ 46.124239][ T346] generic_shutdown_super+0xa4/0x340
[ 46.130390][ T346] kill_block_super+0x9a/0xd0
[ 46.135330][ T346] kill_f2fs_super+0x24d/0x360
[ 46.140008][ T346] deactivate_locked_super+0x8b/0x130
[ 46.145581][ T346] deactivate_super+0x71/0x80
[ 46.150935][ T346] cleanup_mnt+0x2cf/0x400
[ 46.155416][ T346] __cleanup_mnt+0xd/0x10
[ 46.160026][ T346] task_work_run+0xc2/0x150
[ 46.164580][ T346] exit_to_user_mode_prepare+0x140/0x150
[ 46.171380][ T346] syscall_exit_to_user_mode+0x21/0x40
[ 46.177772][ T346] do_syscall_64+0x42/0xb0
[ 46.182327][ T346] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 46.191523][ T346]
[ 46.193775][ T346] The buggy address belongs to the object at ffff88810b759230
[ 46.193775][ T346] which belongs to the cache f2fs_inode_cache of size 1424
[ 46.217301][ T346] The buggy address is located 136 bytes inside of
[ 46.217301][ T346] 1424-byte region [ffff88810b759230, ffff88810b7597c0)
[ 46.234991][ T346] The buggy address belongs to the page:
[ 46.240877][ T346] page:ffffea00042dd600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b758
[ 46.252377][ T346] head:ffffea00042dd600 order:3 compound_mapcount:0 compound_pincount:0
[ 46.268629][ T346] flags: 0x4000000000010200(slab|head|zone=1)
[ 46.275477][ T346] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888104de1b00
[ 46.284569][ T346] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 46.293575][ T346] page dumped because: kasan: bad access detected
[ 46.300427][ T346] page_owner tracks the page as allocated
[ 46.306594][ T346] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 352, ts 45360120560, free_ts 0
[ 46.327433][ T346] prep_new_page+0x1a2/0x310
[ 46.332037][ T346] get_page_from_freelist+0x1ce2/0x30a0
[ 46.337664][ T346] __alloc_pages+0x2d1/0x2620
[ 46.342561][ T346] allocate_slab+0x39d/0x530
[ 46.347347][ T346] ___slab_alloc.constprop.0+0x3ca/0x890
[ 46.353182][ T346] __slab_alloc.constprop.0+0x42/0x80
[ 46.358833][ T346] kmem_cache_alloc+0x440/0x480
[ 46.364344][ T346] f2fs_alloc_inode+0x1d/0x370
[ 46.369197][ T346] alloc_inode+0x5c/0x1e0
[ 46.374062][ T346] iget_locked+0x138/0x5f0
[ 46.378601][ T346] f2fs_iget+0x55/0x4c70
[ 46.382720][ T346] f2fs_fill_super+0x30d3/0x6280
[ 46.387695][ T346] mount_bdev+0x2b7/0x390
[ 46.392408][ T346] f2fs_mount+0x10/0x20
[ 46.396868][ T346] legacy_get_tree+0xf5/0x1d0
[ 46.401466][ T346] vfs_get_tree+0x81/0x1b0
[ 46.405825][ T346] page_owner free stack trace missing
[ 46.411301][ T346]
[ 46.413999][ T346] Memory state around the buggy address:
[ 46.420901][ T346] ffff88810b759180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.429937][ T346] ffff88810b759200: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[ 46.438344][ T346] >ffff88810b759280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.448926][ T346] ^
[ 46.456134][ T346] ffff88810b759300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.468283][ T346] ffff88810b759380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.478993][ T346] ==================================================================
[ 46.489819][ T346] Disabling lock debugging due to kernel taint