Warning: Permanently added '10.128.1.107' (ED25519) to the list of known hosts. 2025/07/20 14:55:08 ignoring optional flag "sandboxArg"="0" 2025/07/20 14:55:09 parsed 1 programs [ 48.872949][ T24] kauditd_printk_skb: 27 callbacks suppressed [ 48.872958][ T24] audit: type=1400 audit(1753023309.969:101): avc: denied { create } for pid=406 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 48.899596][ T24] audit: type=1400 audit(1753023309.969:102): avc: denied { write } for pid=406 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 48.919946][ T24] audit: type=1400 audit(1753023309.969:103): avc: denied { read } for pid=406 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 48.940564][ T24] audit: type=1400 audit(1753023309.999:104): avc: denied { unlink } for pid=406 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 48.940585][ T406] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 49.469556][ T24] audit: type=1401 audit(1753023310.569:105): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768" [ 49.508985][ T24] audit: type=1400 audit(1753023310.609:106): avc: denied { create } for pid=424 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 49.844770][ T450] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.851862][ T450] bridge0: port 1(bridge_slave_0) entered disabled state [ 49.859182][ T450] device bridge_slave_0 entered promiscuous mode [ 49.865807][ T450] bridge0: port 2(bridge_slave_1) entered blocking state [ 49.872952][ T450] bridge0: port 2(bridge_slave_1) entered disabled state [ 49.880235][ T450] device bridge_slave_1 entered promiscuous mode [ 49.915215][ T450] bridge0: port 2(bridge_slave_1) entered blocking state [ 49.922252][ T450] bridge0: port 2(bridge_slave_1) entered forwarding state [ 49.929509][ T450] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.936516][ T450] bridge0: port 1(bridge_slave_0) entered forwarding state [ 49.951124][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 49.959173][ T49] bridge0: port 1(bridge_slave_0) entered disabled state [ 49.966281][ T49] bridge0: port 2(bridge_slave_1) entered disabled state [ 49.976114][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 49.984210][ T49] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.991228][ T49] bridge0: port 1(bridge_slave_0) entered forwarding state [ 49.999480][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 50.007597][ T49] bridge0: port 2(bridge_slave_1) entered blocking state [ 50.014621][ T49] bridge0: port 2(bridge_slave_1) entered forwarding state [ 50.025228][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 50.034425][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 50.046591][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 50.056834][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 50.064761][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 50.072255][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 50.080311][ T450] device veth0_vlan entered promiscuous mode [ 50.089435][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 50.098115][ T450] device veth1_macvtap entered promiscuous mode [ 50.106590][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 50.115978][ T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 2025/07/20 14:55:11 executed programs: 0 [ 50.337909][ T466] bridge0: port 1(bridge_slave_0) entered blocking state [ 50.345058][ T466] bridge0: port 1(bridge_slave_0) entered disabled state [ 50.353048][ T466] device bridge_slave_0 entered promiscuous mode [ 50.359924][ T466] bridge0: port 2(bridge_slave_1) entered blocking state [ 50.367025][ T466] bridge0: port 2(bridge_slave_1) entered disabled state [ 50.374440][ T466] device bridge_slave_1 entered promiscuous mode [ 50.404612][ T466] bridge0: port 2(bridge_slave_1) entered blocking state [ 50.411659][ T466] bridge0: port 2(bridge_slave_1) entered forwarding state [ 50.418911][ T466] bridge0: port 1(bridge_slave_0) entered blocking state [ 50.425911][ T466] bridge0: port 1(bridge_slave_0) entered forwarding state [ 50.444881][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 50.452562][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 50.459887][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 50.468178][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 50.476500][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 50.483532][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 50.492296][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 50.500443][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 50.507437][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 50.523276][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 50.532225][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 50.547684][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 50.558325][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 50.566552][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 50.574127][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 50.582357][ T466] device veth0_vlan entered promiscuous mode [ 50.596490][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 50.605359][ T466] device veth1_macvtap entered promiscuous mode [ 50.614049][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 50.629679][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 50.650586][ T24] audit: type=1400 audit(1753023311.749:107): avc: denied { create } for pid=470 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 50.659711][ T471] ================================================================== [ 50.670096][ T24] audit: type=1400 audit(1753023311.749:108): avc: denied { setopt } for pid=470 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 50.677668][ T471] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 50.696881][ T24] audit: type=1400 audit(1753023311.749:109): avc: denied { write } for pid=470 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 50.705775][ T471] Read of size 1 at addr ffff8881176fa3d8 by task syz.2.16/471 [ 50.705778][ T471] [ 50.705795][ T471] CPU: 1 PID: 471 Comm: syz.2.16 Not tainted 5.10.239-syzkaller-1007860-g6de38b5f6c2b #0 [ 50.705807][ T471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 50.724909][ T24] audit: type=1400 audit(1753023311.759:110): avc: denied { create } for pid=470 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 50.732204][ T471] Call Trace: [ 50.732218][ T471] __dump_stack+0x21/0x24 [ 50.732232][ T471] dump_stack_lvl+0x169/0x1d8 [ 50.786325][ T471] ? show_regs_print_info+0x18/0x18 [ 50.791499][ T471] ? thaw_kernel_threads+0x220/0x220 [ 50.796758][ T471] ? unwind_get_return_address+0x4d/0x90 [ 50.802364][ T471] print_address_description+0x7f/0x2c0 [ 50.807884][ T471] ? xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 50.814354][ T471] kasan_report+0xe2/0x130 [ 50.818751][ T471] ? xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 50.825222][ T471] __asan_report_load1_noabort+0x14/0x20 [ 50.830825][ T471] xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 50.837123][ T471] xfrm_policy_inexact_insert_node+0x938/0xb50 [ 50.843248][ T471] ? xfrm_netlink_rcv+0x72/0x90 [ 50.848069][ T471] ? netlink_unicast+0x87c/0xa40 [ 50.852993][ T471] ? netlink_sendmsg+0x88d/0xb30 [ 50.857910][ T471] ? ____sys_sendmsg+0x5a2/0x8c0 [ 50.862826][ T471] ? ___sys_sendmsg+0x1f0/0x260 [ 50.867654][ T471] ? do_syscall_64+0x31/0x40 [ 50.872223][ T471] xfrm_policy_inexact_alloc_chain+0x53a/0xb30 [ 50.878351][ T471] xfrm_policy_inexact_insert+0x70/0x1130 [ 50.884042][ T471] ? __get_hash_thresh+0x10c/0x420 [ 50.889123][ T471] ? policy_hash_bysel+0x110/0x4f0 [ 50.894208][ T471] xfrm_policy_insert+0x126/0x9a0 [ 50.899205][ T471] ? xfrm_policy_construct+0x54f/0x1f00 [ 50.904719][ T471] xfrm_add_policy+0x4d1/0x830 [ 50.909453][ T471] ? xfrm_dump_sa_done+0xc0/0xc0 [ 50.914363][ T471] xfrm_user_rcv_msg+0x450/0x6d0 [ 50.919274][ T471] ? xfrm_netlink_rcv+0x90/0x90 [ 50.924098][ T471] ? selinux_nlmsg_lookup+0x219/0x4a0 [ 50.929442][ T471] netlink_rcv_skb+0x1e0/0x430 [ 50.934175][ T471] ? xfrm_netlink_rcv+0x90/0x90 [ 50.938996][ T471] ? netlink_ack+0xb80/0xb80 [ 50.943557][ T471] ? mutex_trylock+0xa0/0xa0 [ 50.948118][ T471] ? __netlink_lookup+0x387/0x3b0 [ 50.953116][ T471] xfrm_netlink_rcv+0x72/0x90 [ 50.957768][ T471] netlink_unicast+0x87c/0xa40 [ 50.962505][ T471] netlink_sendmsg+0x88d/0xb30 [ 50.967240][ T471] ? netlink_getsockopt+0x530/0x530 [ 50.972411][ T471] ? security_socket_sendmsg+0x82/0xa0 [ 50.977841][ T471] ? netlink_getsockopt+0x530/0x530 [ 50.983015][ T471] ____sys_sendmsg+0x5a2/0x8c0 [ 50.987748][ T471] ? __sys_sendmsg_sock+0x40/0x40 [ 50.992745][ T471] ? import_iovec+0x7c/0xb0 [ 50.997221][ T471] ___sys_sendmsg+0x1f0/0x260 [ 51.001871][ T471] ? __sys_sendmsg+0x250/0x250 [ 51.006609][ T471] ? __fdget+0x1a1/0x230 [ 51.010822][ T471] __x64_sys_sendmsg+0x1e2/0x2a0 [ 51.015730][ T471] ? ___sys_sendmsg+0x260/0x260 [ 51.020553][ T471] ? switch_fpu_return+0x197/0x340 [ 51.025638][ T471] do_syscall_64+0x31/0x40 [ 51.030025][ T471] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 51.035886][ T471] RIP: 0033:0x7f08c062d169 [ 51.040276][ T471] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 51.059871][ T471] RSP: 002b:00007f08c009e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 51.068264][ T471] RAX: ffffffffffffffda RBX: 00007f08c0854fa0 RCX: 00007f08c062d169 [ 51.076210][ T471] RDX: 0000000000004000 RSI: 0000200000000580 RDI: 0000000000000005 [ 51.084156][ T471] RBP: 00007f08c06afa68 R08: 0000000000000000 R09: 0000000000000000 [ 51.092107][ T471] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 51.100053][ T471] R13: 0000000000000000 R14: 00007f08c0854fa0 R15: 00007ffc94c0bce8 [ 51.108001][ T471] [ 51.110303][ T471] Allocated by task 471: [ 51.114523][ T471] __kasan_kmalloc+0xda/0x110 [ 51.119174][ T471] __kmalloc+0x1a7/0x330 [ 51.123389][ T471] sk_prot_alloc+0xb2/0x340 [ 51.127868][ T471] sk_alloc+0x38/0x4e0 [ 51.131908][ T471] pfkey_create+0x12a/0x660 [ 51.136381][ T471] __sock_create+0x38d/0x770 [ 51.140942][ T471] __sys_socket+0xec/0x190 [ 51.145329][ T471] __x64_sys_socket+0x7a/0x90 [ 51.149980][ T471] do_syscall_64+0x31/0x40 [ 51.154372][ T471] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 51.160229][ T471] [ 51.162532][ T471] The buggy address belongs to the object at ffff8881176fa000 [ 51.162532][ T471] which belongs to the cache kmalloc-1k of size 1024 [ 51.176553][ T471] The buggy address is located 984 bytes inside of [ 51.176553][ T471] 1024-byte region [ffff8881176fa000, ffff8881176fa400) [ 51.189879][ T471] The buggy address belongs to the page: [ 51.195497][ T471] page:ffffea00045dbe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1176f8 [ 51.205701][ T471] head:ffffea00045dbe00 order:3 compound_mapcount:0 compound_pincount:0 [ 51.214002][ T471] flags: 0x4000000000010200(slab|head) [ 51.219436][ T471] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042f00 [ 51.227991][ T471] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 51.236542][ T471] page dumped because: kasan: bad access detected [ 51.242925][ T471] page_owner tracks the page as allocated [ 51.248622][ T471] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 95, ts 50647194488, free_ts 50644216772 [ 51.268900][ T471] prep_new_page+0x179/0x180 [ 51.273464][ T471] get_page_from_freelist+0x2235/0x23d0 [ 51.278986][ T471] __alloc_pages_nodemask+0x268/0x5f0 [ 51.284326][ T471] new_slab+0x84/0x3f0 [ 51.288369][ T471] ___slab_alloc+0x2a6/0x450 [ 51.292928][ T471] __slab_alloc+0x63/0xa0 [ 51.297259][ T471] __kmalloc_track_caller+0x1ef/0x320 [ 51.302604][ T471] __alloc_skb+0xdc/0x520 [ 51.306904][ T471] alloc_uevent_skb+0x85/0x240 [ 51.311641][ T471] kobject_uevent_net_broadcast+0x335/0x5a0 [ 51.317508][ T471] kobject_uevent_env+0x52e/0x700 [ 51.322501][ T471] kobject_synth_uevent+0x520/0xaf0 [ 51.327669][ T471] uevent_store+0x25/0x60 [ 51.331972][ T471] dev_attr_store+0x5e/0x80 [ 51.336454][ T471] sysfs_kf_write+0x129/0x150 [ 51.341103][ T471] kernfs_fop_write_iter+0x2c5/0x400 [ 51.346358][ T471] page last free stack trace: [ 51.351016][ T471] __free_pages_ok+0x7fc/0x820 [ 51.355761][ T471] __free_pages+0xdd/0x380 [ 51.360146][ T471] __free_slab+0xcf/0x190 [ 51.364449][ T471] unfreeze_partials+0x15f/0x190 [ 51.369357][ T471] put_cpu_partial+0xc1/0x180 [ 51.374004][ T471] __slab_free+0x2c9/0x3a0 [ 51.378393][ T471] ___cache_free+0x111/0x130 [ 51.382955][ T471] qlink_free+0x50/0x90 [ 51.387088][ T471] qlist_free_all+0x5f/0xb0 [ 51.391563][ T471] kasan_quarantine_reduce+0x14a/0x160 [ 51.396989][ T471] __kasan_slab_alloc+0x2f/0xf0 [ 51.401810][ T471] slab_post_alloc_hook+0x5d/0x2f0 [ 51.406891][ T471] __kmalloc+0x183/0x330 [ 51.411105][ T471] kernfs_fop_write_iter+0x156/0x400 [ 51.416360][ T471] vfs_write+0x725/0xd60 [ 51.420572][ T471] ksys_write+0x140/0x240 [ 51.424868][ T471] [ 51.427168][ T471] Memory state around the buggy address: [ 51.432770][ T471] ffff8881176fa280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 51.440800][ T471] ffff8881176fa300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 51.448830][ T471] >ffff8881176fa380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 51.456857][ T471] ^ [ 51.463773][ T471] ffff8881176fa400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 51.471804][ T471] ffff8881176fa480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 51.479836][ T471] ================================================================== [ 51.487863][ T471] Disabling lock debugging due to kernel taint [ 52.319304][ T7] device bridge_slave_1 left promiscuous mode [ 52.325402][ T7] bridge0: port 2(bridge_slave_1) entered disabled state [ 52.333034][ T7] device bridge_slave_0 left promiscuous mode [ 52.339447][ T7] bridge0: port 1(bridge_slave_0) entered disabled state [ 52.346936][ T7] device veth1_macvtap left promiscuous mode [ 52.353084][ T7] device veth0_vlan left promiscuous mode 2025/07/20 14:55:16 executed programs: 231 [ 55.359524][ T24] kauditd_printk_skb: 9 callbacks suppressed [ 55.359533][ T24] audit: type=1400 audit(1753023316.459:120): avc: denied { write } for pid=397 comm="syz-execprog" path="pipe:[15814]" dev="pipefs" ino=15814 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 2025/07/20 14:55:21 executed programs: 531