[ 25.676132][ T58] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 25.721492][ T298] syz-executor.0 (298) used greatest stack depth: 23064 bytes left
[ 26.371451][ T112] device bridge_slave_1 left promiscuous mode
[ 26.377468][ T112] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.385253][ T112] device bridge_slave_0 left promiscuous mode
[ 26.391488][ T112] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.399638][ T112] device veth1_macvtap left promiscuous mode
[ 26.405885][ T112] device veth0_vlan left promiscuous mode
[ 36.893480][ T29] kauditd_printk_skb: 19 callbacks suppressed
[ 36.893490][ T29] audit: type=1400 audit(1717939903.716:95): avc: denied { read } for pid=77 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
Warning: Permanently added '10.128.0.68' (ED25519) to the list of known hosts.
2024/06/09 13:31:49 ignoring optional flag "sandboxArg"="0"
2024/06/09 13:31:50 parsed 1 programs
[ 43.380406][ T29] audit: type=1400 audit(1717939910.206:96): avc: denied { mounton } for pid=342 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 43.405144][ T29] audit: type=1400 audit(1717939910.206:97): avc: denied { read write } for pid=342 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 43.431389][ T29] audit: type=1400 audit(1717939910.206:98): avc: denied { open } for pid=342 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2024/06/09 13:31:50 executed programs: 0
[ 43.459038][ T29] audit: type=1400 audit(1717939910.276:99): avc: denied { unlink } for pid=342 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 43.477914][ T342] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 43.485600][ T29] audit: type=1400 audit(1717939910.286:100): avc: denied { relabelto } for pid=343 comm="mkswap" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 43.543203][ T347] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.550328][ T347] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.557494][ T347] device bridge_slave_0 entered promiscuous mode
[ 43.564944][ T347] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.572081][ T347] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.580189][ T347] device bridge_slave_1 entered promiscuous mode
[ 43.625182][ T347] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.632643][ T347] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.639803][ T347] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.646754][ T347] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.663502][ T38] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.671038][ T38] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.678307][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 43.686029][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.695204][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.703533][ T304] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.710401][ T304] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.721048][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.729527][ T304] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.736988][ T304] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.753324][ T347] device veth0_vlan entered promiscuous mode
[ 43.760595][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.769082][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.777020][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 43.784735][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 43.792195][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.799930][ T304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.811562][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 43.821016][ T347] device veth1_macvtap entered promiscuous mode
[ 43.830903][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 43.839745][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.115867][ T352] loop0: detected capacity change from 0 to 131072
[ 44.170713][ T29] audit: type=1400 audit(1717939910.996:101): avc: denied { mounton } for pid=351 comm="syz-executor.0" path="/root/syzkaller-testdir3877510369/syzkaller.REFO5E/0/file0" dev="sda1" ino=1939 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 44.215345][ T352] F2FS-fs (loop0): Found nat_bits in checkpoint
[ 44.244474][ T352] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[ 44.252786][ T29] audit: type=1400 audit(1717939911.076:102): avc: denied { mount } for pid=351 comm="syz-executor.0" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 44.275905][ T29] audit: type=1400 audit(1717939911.096:103): avc: denied { read } for pid=351 comm="syz-executor.0" name="file1" dev="loop0" ino=7 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 44.298675][ T29] audit: type=1400 audit(1717939911.096:104): avc: denied { open } for pid=351 comm="syz-executor.0" path="/root/syzkaller-testdir3877510369/syzkaller.REFO5E/0/file0/file1" dev="loop0" ino=7 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 44.326907][ T29] audit: type=1400 audit(1717939911.096:105): avc: denied { ioctl } for pid=351 comm="syz-executor.0" path="/root/syzkaller-testdir3877510369/syzkaller.REFO5E/0/file0/file1" dev="loop0" ino=7 ioctlcmd=0xf519 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 44.380444][ T347] ==================================================================
[ 44.388453][ T347] BUG: KASAN: use-after-free in _raw_spin_lock+0x78/0x110
[ 44.395517][ T347] Write of size 4 at addr ffff88812800f3b8 by task syz-executor.0/347
[ 44.403581][ T347]
[ 44.405997][ T347] CPU: 1 PID: 347 Comm: syz-executor.0 Not tainted 5.15.149-syzkaller #0
[ 44.414930][ T347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 44.425344][ T347] Call Trace:
[ 44.428500][ T347]
[ 44.431585][ T347] dump_stack_lvl+0x38/0x49
[ 44.436017][ T347] print_address_description.constprop.0+0x24/0x160
[ 44.442925][ T347] ? _raw_spin_lock+0x78/0x110
[ 44.447913][ T347] kasan_report.cold+0x82/0xdb
[ 44.452781][ T347] ? _raw_spin_lock+0x78/0x110
[ 44.457659][ T347] kasan_check_range+0x148/0x190
[ 44.462432][ T347] __kasan_check_write+0x14/0x20
[ 44.467458][ T347] _raw_spin_lock+0x78/0x110
[ 44.471889][ T347] ? _raw_spin_lock_bh+0x110/0x110
[ 44.477085][ T347] ? _raw_spin_lock_bh+0x110/0x110
[ 44.482221][ T347] igrab+0x19/0x80
[ 44.485878][ T347] f2fs_sync_inode_meta+0x16e/0x260
[ 44.491233][ T347] f2fs_write_checkpoint+0x693/0x6430
[ 44.496421][ T347] ? __switch_to+0x5cd/0xec0
[ 44.500847][ T347] ? __kasan_check_write+0x14/0x20
[ 44.506021][ T347] ? _raw_spin_lock_irqsave+0x8c/0x120
[ 44.511397][ T347] ? f2fs_get_sectors_written+0x370/0x370
[ 44.517422][ T347] ? __kasan_check_write+0x14/0x20
[ 44.522606][ T347] ? mutex_unlock+0x7e/0x240
[ 44.527345][ T347] f2fs_issue_checkpoint+0x2a6/0x440
[ 44.532496][ T347] ? f2fs_destroy_checkpoint_caches+0x20/0x20
[ 44.538539][ T347] ? sync_inodes_sb+0x569/0x760
[ 44.543190][ T347] ? filemap_fdatawrite_wbc+0x1cf/0x2b0
[ 44.548799][ T347] ? try_to_writeback_inodes_sb+0xb0/0xb0
[ 44.554369][ T347] ? filemap_fdatawrite+0xd0/0xd0
[ 44.559466][ T347] f2fs_sync_fs+0x14c/0x240
[ 44.564503][ T347] sync_filesystem.part.0+0xfc/0x170
[ 44.570055][ T347] sync_filesystem+0x66/0x80
[ 44.574594][ T347] f2fs_quota_off_umount+0x52/0xd0
[ 44.580007][ T347] f2fs_put_super+0xb8/0xd50
[ 44.584805][ T347] ? __kasan_check_read+0x11/0x20
[ 44.589764][ T347] ? fsnotify_sb_delete+0x2aa/0x420
[ 44.595426][ T347] ? __fsnotify_vfsmount_delete+0x20/0x20
[ 44.601047][ T347] ? f2fs_quota_off_umount+0xd0/0xd0
[ 44.606161][ T347] ? dispose_list+0x1a0/0x1a0
[ 44.610886][ T347] ? sync_blockdev+0x5c/0x80
[ 44.615277][ T347] generic_shutdown_super+0x13d/0x340
[ 44.620922][ T347] kill_block_super+0x9a/0xd0
[ 44.626483][ T347] kill_f2fs_super+0x24d/0x360
[ 44.631086][ T347] ? trace_event_raw_event_f2fs_background_gc+0x310/0x310
[ 44.638770][ T347] ? unregister_shrinker+0x1bd/0x2e0
[ 44.643891][ T347] deactivate_locked_super+0x8b/0x130
[ 44.649222][ T347] deactivate_super+0x71/0x80
[ 44.653827][ T347] cleanup_mnt+0x2cf/0x400
[ 44.658295][ T347] ? putname+0xb8/0xf0
[ 44.662305][ T347] __cleanup_mnt+0xd/0x10
[ 44.666454][ T347] task_work_run+0xc2/0x150
[ 44.670877][ T347] exit_to_user_mode_prepare+0x140/0x150
[ 44.676707][ T347] syscall_exit_to_user_mode+0x21/0x40
[ 44.682448][ T347] do_syscall_64+0x42/0xb0
[ 44.686699][ T347] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 44.692602][ T347] RIP: 0033:0x7fb247eed197
[ 44.697048][ T347] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[ 44.716638][ T347] RSP: 002b:00007ffc08cea108 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 44.725264][ T347] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb247eed197
[ 44.733865][ T347] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffc08cea1c0
[ 44.742425][ T347] RBP: 00007ffc08cea1c0 R08: 0000000000000000 R09: 0000000000000000
[ 44.750676][ T347] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffc08ceb280
[ 44.758608][ T347] R13: 00007fb247f373b9 R14: 000000000000ab3e R15: 0000000000000003
[ 44.766545][ T347]
[ 44.769395][ T347]
[ 44.771726][ T347] Allocated by task 352:
[ 44.775902][ T347] kasan_save_stack+0x26/0x50
[ 44.780425][ T347] __kasan_slab_alloc+0x94/0xc0
[ 44.785097][ T347] kmem_cache_alloc+0x197/0x480
[ 44.789920][ T347] f2fs_alloc_inode+0x1d/0x370
[ 44.794597][ T347] alloc_inode+0x5c/0x1e0
[ 44.798838][ T347] iget_locked+0x138/0x5f0
[ 44.803527][ T347] f2fs_iget+0x55/0x4c70
[ 44.807597][ T347] f2fs_lookup+0x484/0xbe0
[ 44.811866][ T347] path_openat+0x1196/0x4180
[ 44.816292][ T347] do_filp_open+0x1ab/0x3f0
[ 44.820704][ T347] do_sys_openat2+0x135/0x8e0
[ 44.825220][ T347] __x64_sys_openat+0x124/0x200
[ 44.829893][ T347] do_syscall_64+0x35/0xb0
[ 44.834164][ T347] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 44.840047][ T347]
[ 44.842303][ T347] Freed by task 0:
[ 44.845865][ T347] kasan_save_stack+0x26/0x50
[ 44.850572][ T347] kasan_set_track+0x25/0x30
[ 44.855099][ T347] kasan_set_free_info+0x24/0x40
[ 44.859861][ T347] __kasan_slab_free+0x111/0x150
[ 44.864631][ T347] slab_free_freelist_hook+0x94/0x1a0
[ 44.869929][ T347] kmem_cache_free+0x105/0x250
[ 44.874615][ T347] f2fs_free_inode+0x1d/0x30
[ 44.879147][ T347] i_callback+0x3a/0x60
[ 44.883210][ T347] rcu_do_batch+0x340/0xca0
[ 44.887848][ T347] rcu_core+0x56b/0xac0
[ 44.892405][ T347] rcu_core_si+0x9/0x10
[ 44.896484][ T347] __do_softirq+0x1c1/0x5c8
[ 44.901037][ T347]
[ 44.903169][ T347] Last potentially related work creation:
[ 44.909011][ T347] kasan_save_stack+0x26/0x50
[ 44.913696][ T347] __kasan_record_aux_stack+0xd8/0xf0
[ 44.919443][ T347] kasan_record_aux_stack_noalloc+0xb/0x10
[ 44.925073][ T347] __call_rcu_common.constprop.0+0xd7/0x11c0
[ 44.930991][ T347] call_rcu+0x9/0x10
[ 44.934721][ T347] destroy_inode+0x11f/0x190
[ 44.939175][ T347] evict+0x43c/0x610
[ 44.942966][ T347] dispose_list+0xf5/0x1a0
[ 44.947229][ T347] evict_inodes+0x2e6/0x3d0
[ 44.951563][ T347] generic_shutdown_super+0xa4/0x340
[ 44.956940][ T347] kill_block_super+0x9a/0xd0
[ 44.961547][ T347] kill_f2fs_super+0x24d/0x360
[ 44.966233][ T347] deactivate_locked_super+0x8b/0x130
[ 44.971442][ T347] deactivate_super+0x71/0x80
[ 44.976042][ T347] cleanup_mnt+0x2cf/0x400
[ 44.980319][ T347] __cleanup_mnt+0xd/0x10
[ 44.984465][ T347] task_work_run+0xc2/0x150
[ 44.988812][ T347] exit_to_user_mode_prepare+0x140/0x150
[ 44.994268][ T347] syscall_exit_to_user_mode+0x21/0x40
[ 44.999657][ T347] do_syscall_64+0x42/0xb0
[ 45.003997][ T347] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 45.009912][ T347]
[ 45.012081][ T347] The buggy address belongs to the object at ffff88812800f330
[ 45.012081][ T347] which belongs to the cache f2fs_inode_cache of size 1424
[ 45.026654][ T347] The buggy address is located 136 bytes inside of
[ 45.026654][ T347] 1424-byte region [ffff88812800f330, ffff88812800f8c0)
[ 45.039933][ T347] The buggy address belongs to the page:
[ 45.045486][ T347] page:ffffea0004a00200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x128008
[ 45.055656][ T347] head:ffffea0004a00200 order:3 compound_mapcount:0 compound_pincount:0
[ 45.063798][ T347] flags: 0x4000000000010200(slab|head|zone=1)
[ 45.069964][ T347] raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881083ca780
[ 45.078412][ T347] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 45.087367][ T347] page dumped because: kasan: bad access detected
[ 45.093614][ T347] page_owner tracks the page as allocated
[ 45.099588][ T347] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 352, ts 44275499577, free_ts 0
[ 45.121219][ T347] prep_new_page+0x1a2/0x310
[ 45.125653][ T347] get_page_from_freelist+0x1ce2/0x30a0
[ 45.131281][ T347] __alloc_pages+0x2d1/0x2620
[ 45.135910][ T347] allocate_slab+0x39d/0x530
[ 45.140487][ T347] ___slab_alloc.constprop.0+0x3ca/0x890
[ 45.145959][ T347] __slab_alloc.constprop.0+0x42/0x80
[ 45.151158][ T347] kmem_cache_alloc+0x440/0x480
[ 45.156194][ T347] f2fs_alloc_inode+0x1d/0x370
[ 45.160805][ T347] alloc_inode+0x5c/0x1e0
[ 45.165253][ T347] iget_locked+0x138/0x5f0
[ 45.169502][ T347] f2fs_iget+0x55/0x4c70
[ 45.173791][ T347] f2fs_lookup+0x484/0xbe0
[ 45.178044][ T347] path_openat+0x1196/0x4180
[ 45.182461][ T347] do_filp_open+0x1ab/0x3f0
[ 45.186820][ T347] do_sys_openat2+0x135/0x8e0
[ 45.191333][ T347] __x64_sys_openat+0x124/0x200
[ 45.196186][ T347] page_owner free stack trace missing
[ 45.201699][ T347]
[ 45.204216][ T347] Memory state around the buggy address:
[ 45.209883][ T347] ffff88812800f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.217768][ T347] ffff88812800f300: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[ 45.225680][ T347] >ffff88812800f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.234076][ T347]                                        ^
[ 45.240097][ T347] ffff88812800f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.247994][ T347] ffff88812800f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.255972][ T347] ==================================================================
[ 45.264150][ T347] Disabling lock debugging due to kernel taint