Warning: Permanently added '10.128.0.112' (ED25519) to the list of known hosts.
2024/08/03 22:04:29 ignoring optional flag "sandboxArg"="0"
2024/08/03 22:04:29 parsed 1 programs
[ 44.363869][ T29] audit: type=1400 audit(1722722669.565:96): avc: denied { mounton } for pid=343 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 44.388880][ T29] audit: type=1400 audit(1722722669.565:97): avc: denied { read write } for pid=343 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 44.415168][ T29] audit: type=1400 audit(1722722669.565:98): avc: denied { open } for pid=343 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2024/08/03 22:04:29 executed programs: 0
[ 44.442365][ T29] audit: type=1400 audit(1722722669.645:99): avc: denied { unlink } for pid=343 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 44.475294][ T29] audit: type=1400 audit(1722722669.675:100): avc: denied { relabelto } for pid=344 comm="mkswap" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 44.487723][ T343] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 44.614195][ T356] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.621327][ T356] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.628560][ T356] device bridge_slave_0 entered promiscuous mode
[ 44.636609][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.643508][ T356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.650967][ T356] device bridge_slave_1 entered promiscuous mode
[ 44.698402][ T355] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.705600][ T355] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.713013][ T355] device bridge_slave_0 entered promiscuous mode
[ 44.725993][ T355] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.733022][ T355] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.740153][ T355] device bridge_slave_1 entered promiscuous mode
[ 44.762266][ T353] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.769159][ T353] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.776516][ T353] device bridge_slave_0 entered promiscuous mode
[ 44.784952][ T353] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.791847][ T353] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.799212][ T353] device bridge_slave_1 entered promiscuous mode
[ 44.878091][ T359] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.885219][ T359] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.892493][ T359] device bridge_slave_0 entered promiscuous mode
[ 44.908215][ T361] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.915338][ T361] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.923024][ T361] device bridge_slave_0 entered promiscuous mode
[ 44.929567][ T359] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.936796][ T359] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.944251][ T359] device bridge_slave_1 entered promiscuous mode
[ 44.966129][ T361] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.973539][ T361] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.981502][ T361] device bridge_slave_1 entered promiscuous mode
[ 45.090205][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.097342][ T356] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.143047][ T359] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.150140][ T359] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.157857][ T359] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.164804][ T359] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.178688][ T355] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.185574][ T355] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.192858][ T355] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.199842][ T355] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.223001][ T353] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.230178][ T353] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.237378][ T353] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.244202][ T353] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.252234][ T293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.259570][ T293] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.267528][ T293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.274709][ T293] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.282148][ T293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.289735][ T293] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.297573][ T293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.305568][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 45.313428][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.351759][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.361322][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 45.369496][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.377758][ T293] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.384637][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.392174][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.400393][ T293] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.407250][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.414992][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.423979][ T293] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.430848][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.438452][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 45.446739][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.455922][ T293] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.463001][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.470264][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.488438][ T359] device veth0_vlan entered promiscuous mode
[ 45.507135][ T356] device veth0_vlan entered promiscuous mode
[ 45.514501][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 45.527333][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 45.541378][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 45.551789][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 45.562349][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 45.573901][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 45.583183][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 45.591067][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 45.599246][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 45.607554][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.631321][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 45.638771][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.646679][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 45.656191][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.664282][ T38] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.671289][ T38] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.682652][ T359] device veth1_macvtap entered promiscuous mode
[ 45.695934][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 45.704148][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.712637][ T299] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.719716][ T299] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.727135][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 45.736179][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 45.745959][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 45.757837][ T356] device veth1_macvtap entered promiscuous mode
[ 45.772023][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 45.780379][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 45.788964][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 45.797049][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 45.806242][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 45.816254][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 45.824333][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.833634][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 45.842004][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 45.865412][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 45.876454][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 45.885904][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 45.893991][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.902538][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 45.911166][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.919207][ T293] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.926956][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.934546][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 45.944939][ T293] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.953498][ T293] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.960610][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.970675][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 45.979658][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.000126][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 46.011983][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 46.016162][ T29] audit: type=1400 audit(1722722671.215:101): avc: denied { create } for pid=379 comm="syz-executor.3" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1
[ 46.022569][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 46.044512][ T29] audit: type=1400 audit(1722722671.215:102): avc: denied { bind } for pid=379 comm="syz-executor.3" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1
[ 46.069920][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.081008][ T29] audit: type=1400 audit(1722722671.215:103): avc: denied { listen } for pid=379 comm="syz-executor.3" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1
[ 46.082898][ T37] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.109257][ T37] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.117747][ T29] audit: type=1400 audit(1722722671.215:104): avc: denied { connect } for pid=379 comm="syz-executor.3" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1
[ 46.141262][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 46.150810][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.159291][ T37] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.166903][ T37] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.203370][ T303] ==================================================================
[ 46.211270][ T303] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0x110
[ 46.218479][ T303] Write of size 4 at addr ffff888105396408 by task kworker/1:3/303
[ 46.226819][ T303]
[ 46.228933][ T303] CPU: 1 PID: 303 Comm: kworker/1:3 Not tainted 5.15.152-syzkaller #0
[ 46.237004][ T303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 46.247099][ T303] Workqueue: vsock-loopback vsock_loopback_work
[ 46.253374][ T303] Call Trace:
[ 46.256656][ T303]
[ 46.259698][ T303] dump_stack_lvl+0x38/0x49
[ 46.264040][ T303] print_address_description.constprop.0+0x24/0x160
[ 46.270460][ T303] ? _raw_spin_lock_bh+0x78/0x110
[ 46.274354][ T355] device veth0_vlan entered promiscuous mode
[ 46.275433][ T303] kasan_report.cold+0x82/0xdb
[ 46.286222][ T303] ? _raw_spin_lock_bh+0x78/0x110
[ 46.291271][ T303] kasan_check_range+0x148/0x190
[ 46.296000][ T303] __kasan_check_write+0x14/0x20
[ 46.301207][ T303] _raw_spin_lock_bh+0x78/0x110
[ 46.305981][ T303] ? _raw_write_lock_irq+0xd0/0xd0
[ 46.308902][ T355] device veth1_macvtap entered promiscuous mode
[ 46.311152][ T303] ? __local_bh_enable_ip+0x28/0x60
[ 46.311177][ T303] ? _raw_spin_unlock_bh+0x45/0x60
[ 46.311189][ T303] virtio_transport_recv_pkt+0x391/0x2040
[ 46.333409][ T303] ? virtio_transport_reset_no_sock.isra.0+0x380/0x380
[ 46.340087][ T303] ? __kasan_check_write+0x14/0x20
[ 46.345118][ T303] ? virtio_transport_do_socket_init+0x320/0x320
[ 46.351608][ T303] ? vsock_deliver_tap+0x30/0x240
[ 46.356584][ T303] vsock_loopback_work+0x233/0x450
[ 46.362157][ T303] ? vsock_loopback_send_pkt+0x130/0x130
[ 46.367720][ T303] ? __kasan_check_read+0x11/0x20
[ 46.372886][ T303] ? strscpy+0x94/0x280
[ 46.376871][ T303] process_one_work+0x62c/0xec0
[ 46.381934][ T303] ? mutex_unlock+0x7e/0x240
[ 46.386333][ T303] worker_thread+0x48e/0xdb0
[ 46.391241][ T303] ? rescuer_thread+0xc30/0xc30
[ 46.395926][ T303] kthread+0x324/0x3e0
[ 46.399816][ T303] ? set_kthread_struct+0x100/0x100
[ 46.405061][ T303] ret_from_fork+0x1f/0x30
[ 46.410159][ T303]
[ 46.413590][ T303]
[ 46.416030][ T303] Allocated by task 382:
[ 46.420510][ T303] kasan_save_stack+0x26/0x50
[ 46.425461][ T303] __kasan_kmalloc+0xae/0xe0
[ 46.430512][ T303] kmem_cache_alloc_trace+0xbb/0x490
[ 46.435859][ T303] virtio_transport_do_socket_init+0x46/0x320
[ 46.442447][ T303] vsock_assign_transport+0x385/0x5b0
[ 46.448650][ T303] vsock_connect+0x285/0xba0
[ 46.454408][ T303] __sys_connect_file+0x136/0x190
[ 46.460094][ T303] __sys_connect+0x101/0x130
[ 46.465355][ T303] __x64_sys_connect+0x6e/0xb0
[ 46.471083][ T303] do_syscall_64+0x35/0xb0
[ 46.476786][ T303] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 46.483767][ T303]
[ 46.486233][ T303] Freed by task 382:
[ 46.490382][ T303] kasan_save_stack+0x26/0x50
[ 46.495592][ T303] kasan_set_track+0x25/0x30
[ 46.500393][ T303] kasan_set_free_info+0x24/0x40
[ 46.505637][ T303] __kasan_slab_free+0x111/0x150
[ 46.510653][ T303] slab_free_freelist_hook+0x94/0x1a0
[ 46.516408][ T303] kfree+0xc2/0x260
[ 46.520119][ T303] virtio_transport_destruct+0x32/0x40
[ 46.525645][ T303] vsock_assign_transport+0x285/0x5b0
[ 46.531014][ T303] vsock_connect+0x285/0xba0
[ 46.535733][ T303] __sys_connect_file+0x136/0x190
[ 46.540916][ T303] __sys_connect+0x101/0x130
[ 46.545452][ T303] __x64_sys_connect+0x6e/0xb0
[ 46.550043][ T303] do_syscall_64+0x35/0xb0
[ 46.554475][ T303] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 46.560982][ T303]
[ 46.563241][ T303] The buggy address belongs to the object at ffff888105396400
[ 46.563241][ T303] which belongs to the cache kmalloc-96 of size 96
[ 46.577936][ T303] The buggy address is located 8 bytes inside of
[ 46.577936][ T303] 96-byte region [ffff888105396400, ffff888105396460)
[ 46.591055][ T303] The buggy address belongs to the page:
[ 46.597358][ T303] page:ffffea000414e580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105396
[ 46.607500][ T303] flags: 0x4000000000000200(slab|zone=1)
[ 46.613638][ T303] raw: 4000000000000200 ffffea000421fa80 0000000300000003 ffff888100042900
[ 46.622965][ T303] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[ 46.631365][ T303] page dumped because: kasan: bad access detected
[ 46.637906][ T303] page_owner tracks the page as allocated
[ 46.643439][ T303] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 1724075790, free_ts 0
[ 46.658229][ T303] prep_new_page+0x1a2/0x310
[ 46.662763][ T303] get_page_from_freelist+0x1ce2/0x30a0
[ 46.668117][ T303] __alloc_pages+0x2d1/0x2620
[ 46.672889][ T303] allocate_slab+0x39d/0x530
[ 46.677877][ T303] ___slab_alloc.constprop.0+0x3ca/0x890
[ 46.683571][ T303] __slab_alloc.constprop.0+0x42/0x80
[ 46.689096][ T303] kmem_cache_alloc_trace+0x456/0x490
[ 46.694299][ T303] acpi_ut_evaluate_object+0x65/0x430
[ 46.699606][ T303] acpi_rs_get_method_data+0x67/0xc0
[ 46.704711][ T303] acpi_walk_resources+0xf0/0x180
[ 46.709890][ T303] pnpacpi_parse_allocated_resource+0xb2/0x100
[ 46.716034][ T303] pnpacpi_add_device_handler+0x4ba/0x62c
[ 46.721982][ T303] acpi_ns_get_device_callback+0x254/0x440
[ 46.727630][ T303] acpi_ns_walk_namespace+0x1c6/0x4c0
[ 46.733085][ T303] acpi_get_devices+0xf6/0x120
[ 46.737661][ T303] pnpacpi_init+0x7e/0xd2
[ 46.741880][ T303] page_owner free stack trace missing
[ 46.747161][ T303]
[ 46.749328][ T303] Memory state around the buggy address:
[ 46.756245][ T303]  ffff888105396300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.764464][ T303]  ffff888105396380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.772951][ T303] >ffff888105396400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.781074][ T303]                       ^
[ 46.785363][ T303]  ffff888105396480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.793230][ T303]  ffff888105396500: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 46.801645][ T303] ==================================================================
[ 46.809630][ T303] Disabling lock debugging due to kernel taint