Warning: Permanently added '10.128.10.29' (ED25519) to the list of known hosts.
2025/07/06 16:07:18 ignoring optional flag "sandboxArg"="0"
2025/07/06 16:07:19 parsed 1 programs
[ 56.317768][ T27] kauditd_printk_skb: 31 callbacks suppressed
[ 56.317776][ T27] audit: type=1400 audit(1751818039.525:91): avc: denied { unlink } for pid=416 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 56.347401][ T416] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 57.019407][ T440] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.026247][ T440] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.033582][ T440] device bridge_slave_0 entered promiscuous mode
[ 57.040836][ T440] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.047699][ T440] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.054755][ T440] device bridge_slave_1 entered promiscuous mode
[ 57.086011][ T440] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.092865][ T440] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.099955][ T440] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.106734][ T440] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.122324][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.129695][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.136643][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.144939][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.153024][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.159881][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.169238][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.177228][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.184062][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.194235][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.203102][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.214649][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 57.225183][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 57.232854][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 57.240217][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 57.249124][ T440] device veth0_vlan entered promiscuous mode
[ 57.257519][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 57.266088][ T440] device veth1_macvtap entered promiscuous mode
[ 57.274342][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 57.284187][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 57.361250][ T27] audit: type=1401 audit(1751818040.565:92): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
2025/07/06 16:07:20 executed programs: 0
[ 57.586146][ T467] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.593155][ T467] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.600283][ T467] device bridge_slave_0 entered promiscuous mode
[ 57.606922][ T467] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.613785][ T467] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.621192][ T467] device bridge_slave_1 entered promiscuous mode
[ 57.654208][ T467] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.661061][ T467] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.668149][ T467] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.674936][ T467] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.689395][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.696854][ T451] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.703894][ T451] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.712746][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.720749][ T451] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.727582][ T451] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.735989][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.744340][ T451] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.751275][ T451] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.761617][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.770291][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.781947][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 57.792136][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 57.799923][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 57.807103][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 57.820791][ T467] device veth0_vlan entered promiscuous mode
[ 57.829654][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 57.838576][ T467] device veth1_macvtap entered promiscuous mode
[ 57.847002][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 57.859668][ T451] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 58.111320][ T472] loop2: detected capacity change from 0 to 131072
[ 58.118706][ T472] F2FS-fs (loop2): Wrong CP boundary, start(512) end(198144) blocks(1024)
[ 58.127051][ T472] F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock
[ 58.138261][ T472] F2FS-fs (loop2): invalid crc value
[ 58.144758][ T472] F2FS-fs (loop2): Found nat_bits in checkpoint
[ 58.164167][ T472] F2FS-fs (loop2): Try to recover 2th superblock, ret: 0
[ 58.171165][ T472] F2FS-fs (loop2): Mounted with checkpoint version = 48b305e4
[ 58.179399][ T27] audit: type=1400 audit(1751818041.385:93): avc: denied { mount } for pid=471 comm="syz.2.16" name="/" dev="loop2" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 58.200726][ T27] audit: type=1400 audit(1751818041.385:94): avc: denied { write } for pid=471 comm="syz.2.16" name="/" dev="loop2" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 58.206765][ T467] F2FS-fs (loop2): dec_valid_node_count: inconsistent i_blocks, ino:7, iblocks:0
[ 58.222972][ T27] audit: type=1400 audit(1751818041.385:95): avc: denied { remove_name } for pid=471 comm="syz.2.16" name="file0" dev="loop2" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 58.253664][ T27] audit: type=1400 audit(1751818041.385:96): avc: denied { rename } for pid=471 comm="syz.2.16" name="file0" dev="loop2" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 58.275435][ T27] audit: type=1400 audit(1751818041.385:97): avc: denied { add_name } for pid=471 comm="syz.2.16" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 58.295679][ T27] audit: type=1400 audit(1751818041.415:98): avc: denied { unlink } for pid=467 comm="syz-executor" name="file1" dev="loop2" ino=7 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 58.327396][ T477] ==================================================================
[ 58.335275][ T477] BUG: KASAN: use-after-free in _raw_spin_lock+0x81/0x110
[ 58.342214][ T477] Write of size 4 at addr ffff888112e5a938 by task syz.2.16/477
[ 58.349676][ T477]
[ 58.351849][ T477] CPU: 0 PID: 477 Comm: syz.2.16 Not tainted 6.1.141-syzkaller #0
[ 58.359482][ T477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 58.369394][ T477] Call Trace:
[ 58.372501][ T477]
[ 58.375279][ T477] __dump_stack+0x19/0x1c
[ 58.379454][ T477] dump_stack_lvl+0xa3/0xec
[ 58.383784][ T477] ? __cfi_dump_stack_lvl+0x8/0x8
[ 58.388648][ T477] ? preempt_schedule_common+0xbe/0xf0
[ 58.393941][ T477] print_address_description+0x71/0x210
[ 58.399320][ T477] print_report+0x4a/0x60
[ 58.403487][ T477] kasan_report+0x122/0x150
[ 58.407827][ T477] ? _raw_spin_lock+0x81/0x110
[ 58.412426][ T477] kasan_check_range+0x280/0x290
[ 58.417202][ T477] __kasan_check_write+0x14/0x20
[ 58.421974][ T477] _raw_spin_lock+0x81/0x110
[ 58.426405][ T477] ? __cfi__raw_spin_lock+0x10/0x10
[ 58.431435][ T477] ? _raw_spin_lock+0x8e/0x110
[ 58.436035][ T477] ? __cfi__raw_spin_lock+0x10/0x10
[ 58.441074][ T477] igrab+0x1b/0x80
[ 58.444626][ T477] f2fs_write_checkpoint+0xbcb/0x20e0
[ 58.449839][ T477] ? __cfi_f2fs_write_checkpoint+0x10/0x10
[ 58.455477][ T477] ? __kasan_check_write+0x14/0x20
[ 58.460511][ T477] ? kthread_stop+0xd2/0x270
[ 58.464936][ T477] ? memcpy+0x56/0x70
[ 58.468755][ T477] kill_f2fs_super+0x1d7/0x310
[ 58.473355][ T477] ? __cfi_kill_f2fs_super+0x10/0x10
[ 58.478564][ T477] ? up_write+0x7b/0x290
[ 58.482641][ T477] ? unregister_shrinker+0x1b6/0x240
[ 58.487763][ T477] deactivate_locked_super+0x92/0xf0
[ 58.492893][ T477] deactivate_super+0x5f/0x80
[ 58.497396][ T477] cleanup_mnt+0x159/0x340
[ 58.501650][ T477] ? __kasan_slab_free+0x11/0x20
[ 58.506423][ T477] ? slab_free_freelist_hook+0xc2/0x190
[ 58.511899][ T477] __cleanup_mnt+0xd/0x10
[ 58.516126][ T477] task_work_run+0x153/0x1e0
[ 58.520573][ T477] ? __cfi_task_work_run+0x10/0x10
[ 58.525521][ T477] do_exit+0x81e/0x1fe0
[ 58.529514][ T477] ? __schedule+0xb5b/0x1530
[ 58.533935][ T477] ? __cfi_do_exit+0x10/0x10
[ 58.538367][ T477] ? __kasan_check_write+0x14/0x20
[ 58.543312][ T477] ? _raw_spin_lock_irq+0x8f/0x120
[ 58.548286][ T477] do_group_exit+0x1a1/0x280
[ 58.552689][ T477] ? __kasan_check_write+0x14/0x20
[ 58.557632][ T477] ? recalc_sigpending+0x110/0x150
[ 58.562587][ T477] get_signal+0xeb4/0xfc0
[ 58.566757][ T477] arch_do_signal_or_restart+0xb0/0x1030
[ 58.572218][ T477] ? hrtimer_nanosleep+0x10a/0x2a0
[ 58.577176][ T477] ? __cfi_hrtimer_nanosleep+0x10/0x10
[ 58.582456][ T477] ? __cfi_hrtimer_wakeup+0x10/0x10
[ 58.587488][ T477] ? _copy_from_user+0x54/0x80
[ 58.592089][ T477] ? __cfi_arch_do_signal_or_restart+0x10/0x10
[ 58.598077][ T477] ? __x64_sys_clock_nanosleep+0xb0/0xb0
[ 58.603546][ T477] exit_to_user_mode_loop+0x7a/0xb0
[ 58.608582][ T477] exit_to_user_mode_prepare+0x5a/0xa0
[ 58.613873][ T477] syscall_exit_to_user_mode+0x1a/0x30
[ 58.619168][ T477] do_syscall_64+0x58/0xa0
[ 58.623419][ T477] ? clear_bhb_loop+0x30/0x80
[ 58.627933][ T477] ? clear_bhb_loop+0x30/0x80
[ 58.632459][ T477] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 58.638188][ T477] RIP: 0033:0x7fdda6fc0a25
[ 58.642714][ T477] Code: Unable to access opcode bytes at 0x7fdda6fc09fb.
[ 58.649563][ T477] RSP: 002b:00007fdda7d2df80 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
[ 58.657812][ T477] RAX: fffffffffffffdfc RBX: 00007fdda71b5fa0 RCX: 00007fdda6fc0a25
[ 58.665629][ T477] RDX: 00007fdda7d2dfc0 RSI: 0000000000000000 RDI: 0000000000000000
[ 58.673429][ T477] RBP: 00007fdda7010a68 R08: 0000000000000000 R09: 0000000000000000
[ 58.681242][ T477] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 58.689053][ T477] R13: 0000000000000000 R14: 00007fdda71b5fa0 R15: 00007ffe2cceae18
[ 58.696866][ T477]
[ 58.699728][ T477]
[ 58.701895][ T477] Allocated by task 472:
[ 58.705972][ T477] kasan_set_track+0x4b/0x70
[ 58.710401][ T477] kasan_save_alloc_info+0x25/0x30
[ 58.715348][ T477] __kasan_slab_alloc+0x72/0x80
[ 58.720040][ T477] slab_post_alloc_hook+0x4f/0x280
[ 58.724984][ T477] kmem_cache_alloc_lru+0x104/0x280
[ 58.730193][ T477] f2fs_alloc_inode+0x28/0x330
[ 58.734740][ T477] iget_locked+0x168/0x6e0
[ 58.738988][ T477] f2fs_iget+0x53/0x47a0
[ 58.743068][ T477] f2fs_lookup+0x1f2/0x800
[ 58.747318][ T477] __lookup_slow+0x24e/0x330
[ 58.751752][ T477] lookup_slow+0x52/0x70
[ 58.755822][ T477] walk_component+0x261/0x370
[ 58.760339][ T477] path_lookupat+0x85/0x320
[ 58.764686][ T477] filename_lookup+0x1bc/0x420
[ 58.769280][ T477] vfs_statx+0xf4/0x580
[ 58.773269][ T477] __se_sys_newlstat+0xd2/0x320
[ 58.777954][ T477] __x64_sys_newlstat+0x56/0x60
[ 58.782641][ T477] x64_sys_call+0x393/0x9a0
[ 58.786981][ T477] do_syscall_64+0x4c/0xa0
[ 58.791234][ T477] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 58.796962][ T477]
[ 58.799132][ T477] Freed by task 477:
[ 58.802867][ T477] kasan_set_track+0x4b/0x70
[ 58.807293][ T477] kasan_save_free_info+0x31/0x50
[ 58.812149][ T477] ____kasan_slab_free+0x132/0x180
[ 58.817141][ T477] __kasan_slab_free+0x11/0x20
[ 58.821697][ T477] slab_free_freelist_hook+0xc2/0x190
[ 58.826904][ T477] kmem_cache_free+0x12f/0x2a0
[ 58.831593][ T477] f2fs_free_inode+0x1c/0x20
[ 58.836027][ T477] i_callback+0x4f/0x70
[ 58.840021][ T477] rcu_do_batch+0x512/0xb50
[ 58.844349][ T477] rcu_core+0x547/0xe30
[ 58.848346][ T477] rcu_core_si+0x9/0x10
[ 58.852334][ T477] handle_softirqs+0x1d7/0x5b0
[ 58.856934][ T477] __irq_exit_rcu+0x52/0xf0
[ 58.861276][ T477] irq_exit_rcu+0x9/0x10
[ 58.865354][ T477] sysvec_apic_timer_interrupt+0xa9/0xc0
[ 58.870823][ T477] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 58.876649][ T477]
[ 58.878820][ T477] Last potentially related work creation:
[ 58.884363][ T477] kasan_save_stack+0x3a/0x60
[ 58.888961][ T477] __kasan_record_aux_stack+0xb6/0xc0
[ 58.894169][ T477] kasan_record_aux_stack_noalloc+0xb/0x10
[ 58.899809][ T477] call_rcu+0xd0/0xfb0
[ 58.903719][ T477] evict+0x7a9/0x820
[ 58.907457][ T477] iput+0x4c1/0x4f0
[ 58.911104][ T477] do_unlinkat+0x36a/0x5d0
[ 58.915352][ T477] __x64_sys_unlink+0x44/0x50
[ 58.919859][ T477] x64_sys_call+0x958/0x9a0
[ 58.924200][ T477] do_syscall_64+0x4c/0xa0
[ 58.928454][ T477] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 58.934182][ T477]
[ 58.936351][ T477] The buggy address belongs to the object at ffff888112e5a8b0
[ 58.936351][ T477] which belongs to the cache f2fs_inode_cache of size 1360
[ 58.950761][ T477] The buggy address is located 136 bytes inside of
[ 58.950761][ T477] 1360-byte region [ffff888112e5a8b0, ffff888112e5ae00)
[ 58.964104][ T477]
[ 58.966396][ T477] The buggy address belongs to the physical page:
[ 58.972631][ T477] page:ffffea00044b9600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112e58
[ 58.982705][ T477] head:ffffea00044b9600 order:3 compound_mapcount:0 compound_pincount:0
[ 58.990851][ T477] flags: 0x4000000000010200(slab|head|zone=1)
[ 58.996757][ T477] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888111e5c480
[ 59.005180][ T477] raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
[ 59.013590][ T477] page dumped because: kasan: bad access detected
[ 59.019979][ T477] page_owner tracks the page as allocated
[ 59.025668][ T477] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 472, tgid 471 (syz.2.16), ts 58138015528, free_ts 0
[ 59.047885][ T477] prep_new_page+0x58c/0x650
[ 59.052308][ T477] get_page_from_freelist+0x2f0f/0x2f80
[ 59.057689][ T477] __alloc_pages+0x19e/0x3a0
[ 59.062124][ T477] alloc_slab_page+0x6e/0xf0
[ 59.066543][ T477] new_slab+0x7c/0x360
[ 59.070535][ T477] ___slab_alloc+0x5d2/0x970
[ 59.074961][ T477] __slab_alloc+0x53/0x90
[ 59.079140][ T477] kmem_cache_alloc_lru+0x144/0x280
[ 59.084164][ T477] f2fs_alloc_inode+0x28/0x330
[ 59.088761][ T477] iget_locked+0x168/0x6e0
[ 59.093013][ T477] f2fs_iget+0x53/0x47a0
[ 59.097094][ T477] f2fs_fill_super+0x3c4b/0x65e0
[ 59.101874][ T477] mount_bdev+0x265/0x340
[ 59.106059][ T477] f2fs_mount+0x10/0x20
[ 59.110025][ T477] legacy_get_tree+0xf9/0x190
[ 59.114539][ T477] vfs_get_tree+0x8f/0x190
[ 59.118793][ T477] page_owner free stack trace missing
[ 59.124001][ T477]
[ 59.126167][ T477] Memory state around the buggy address:
[ 59.131640][ T477] ffff888112e5a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.139545][ T477] ffff888112e5a880: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[ 59.147439][ T477] >ffff888112e5a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.155332][ T477] ^
[ 59.161061][ T477] ffff888112e5a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.168960][ T477] ffff888112e5aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.176857][ T477] ==================================================================
[ 59.185206][ T477] Disabling lock debugging due to kernel taint
[ 59.199685][ T27] audit: type=1400 audit(1751818042.405:99): avc: denied { read } for pid=80 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 59.224350][ T27] audit: type=1400 audit(1751818042.405:100): avc: denied { search } for pid=80 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 59.269288][ T8] device bridge_slave_1 left promiscuous mode
[ 59.275410][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.283154][ T8] device bridge_slave_0 left promiscuous mode
[ 59.289143][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.296706][ T8] device veth1_macvtap left promiscuous mode
[ 59.302732][ T8] device veth0_vlan left promiscuous mode