[ 23.453498][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.473635][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.482020][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.495143][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 23.509981][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.575421][ T358] syz-executor.2 (358) used greatest stack depth: 18552 bytes left
[ 24.283593][ T9] device bridge_slave_1 left promiscuous mode
[ 24.290673][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.298453][ T9] device bridge_slave_0 left promiscuous mode
[ 24.305931][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
Warning: Permanently added '10.128.0.94' (ED25519) to the list of known hosts.
2024/06/09 00:24:39 ignoring optional flag "sandboxArg"="0"
2024/06/09 00:24:39 parsed 1 programs
2024/06/09 00:24:39 executed programs: 0
[ 41.776228][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.783178][ T413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.790666][ T413] device bridge_slave_0 entered promiscuous mode
[ 41.799964][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.807081][ T413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.814855][ T413] device bridge_slave_1 entered promiscuous mode
[ 42.047469][ T422] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.054337][ T422] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.062486][ T422] device bridge_slave_0 entered promiscuous mode
[ 42.077257][ T421] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.084134][ T421] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.091598][ T421] device bridge_slave_0 entered promiscuous mode
[ 42.107497][ T422] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.114750][ T422] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.122724][ T422] device bridge_slave_1 entered promiscuous mode
[ 42.129455][ T418] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.136325][ T418] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.143704][ T418] device bridge_slave_0 entered promiscuous mode
[ 42.150440][ T421] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.158161][ T421] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.165794][ T421] device bridge_slave_1 entered promiscuous mode
[ 42.174654][ T419] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.181581][ T419] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.189252][ T419] device bridge_slave_0 entered promiscuous mode
[ 42.200399][ T419] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.207526][ T419] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.215244][ T419] device bridge_slave_1 entered promiscuous mode
[ 42.234154][ T418] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.241007][ T418] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.248822][ T418] device bridge_slave_1 entered promiscuous mode
[ 42.356177][ T420] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.363433][ T420] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.370795][ T420] device bridge_slave_0 entered promiscuous mode
[ 42.378627][ T420] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.386212][ T420] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.393605][ T420] device bridge_slave_1 entered promiscuous mode
[ 42.467033][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.473894][ T413] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.481395][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.488379][ T413] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.546465][ T419] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.553326][ T419] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.560440][ T419] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.567660][ T419] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.643292][ T364] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.650583][ T364] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.658051][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.666878][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.675567][ T364] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.713682][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.721973][ T364] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.728825][ T364] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.754473][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 42.762417][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.803574][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 42.811219][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.818792][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 42.827497][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.834962][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 42.843270][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.851325][ T360] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.858613][ T360] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.865977][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 42.875109][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.883226][ T360] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.890049][ T360] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.897568][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 42.905778][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.913702][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 42.943854][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 42.952363][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.960633][ T364] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.967510][ T364] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.988215][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 42.996505][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.004998][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.011882][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.019514][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 43.027051][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.034444][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.062960][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 43.070436][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.078490][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 43.088162][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.098326][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 43.107220][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.115613][ T74] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.122441][ T74] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.130126][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 43.138911][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.147090][ T74] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.154120][ T74] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.161320][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 43.169940][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.178041][ T74] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.184986][ T74] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.192525][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 43.201024][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.209391][ T74] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.216328][ T74] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.223726][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 43.231368][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 43.263899][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.272280][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 43.281366][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.291868][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 43.300310][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.308392][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 43.316804][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.324886][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.333264][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.375821][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.384733][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.392535][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.400849][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 43.409179][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 43.417437][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 43.425672][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 43.434123][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 43.442344][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 43.450922][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 43.459678][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.486963][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.529287][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.538568][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 43.549632][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.558152][ T23] kauditd_printk_skb: 15 callbacks suppressed
[ 43.558163][ T23] audit: type=1400 audit(1717892681.360:91): avc: denied { sys_admin } for pid=444 comm="syz-executor.1" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1
[ 43.586144][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 43.593558][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.600985][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 43.609429][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.617953][ T360] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.625168][ T360] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.632730][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.642454][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 43.650472][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 43.659063][ T360] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.667553][ T360] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.674557][ T360] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.693052][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 43.701093][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 43.709691][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 43.718119][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 43.726622][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 43.742868][ T369] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 43.750951][ T369] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 43.772381][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 43.781260][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.806136][ T23] audit: type=1400 audit(1717892681.610:92): avc: denied { mounton } for pid=421 comm="syz-executor.4" path="/dev/binderfs" dev="devtmpfs" ino=10928 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 43.854581][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 43.865339][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 43.875280][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 43.884078][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.892392][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 43.900405][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.908571][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 43.916887][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.925079][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 43.933042][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.940834][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 43.948857][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.007591][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 44.016514][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.025384][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 44.033805][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.042125][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 44.050931][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.059424][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 44.068042][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.076498][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 44.085206][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.093438][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 44.101917][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.134174][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 44.149045][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.160304][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 44.169547][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.177953][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 44.188116][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.215104][ T369] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 44.240742][ T369] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2024/06/09 00:24:44 executed programs: 170
2024/06/09 00:24:49 executed programs: 528
[ 51.863400][ T2946] ==================================================================
[ 51.871606][ T2946] BUG: KASAN: use-after-free in detach_if_pending+0x188/0x360
[ 51.878883][ T2946] Write of size 8 at addr ffff8881dccab1c8 by task syz-executor.4/2946
[ 51.887415][ T2946]
[ 51.889612][ T2946] CPU: 0 PID: 2946 Comm: syz-executor.4 Not tainted 5.4.274-syzkaller-04909-gdd432c37afcd #0
[ 51.899891][ T2946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 51.910128][ T2946] Call Trace:
[ 51.913267][ T2946] dump_stack+0x1d8/0x241
[ 51.917393][ T2946] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 51.923040][ T2946] ? printk+0xd1/0x111
[ 51.926937][ T2946] ? detach_if_pending+0x188/0x360
[ 51.931989][ T2946] ? wake_up_klogd+0xb2/0xf0
[ 51.936404][ T2946] ? detach_if_pending+0x188/0x360
[ 51.941364][ T2946] print_address_description+0x8c/0x600
[ 51.946798][ T2946] ? panic+0x89d/0x89d
[ 51.950814][ T2946] ? detach_if_pending+0x188/0x360
[ 51.955954][ T2946] __kasan_report+0xf3/0x120
[ 51.960524][ T2946] ? detach_if_pending+0x188/0x360
[ 51.965459][ T2946] kasan_report+0x30/0x60
[ 51.969812][ T2946] detach_if_pending+0x188/0x360
[ 51.974588][ T2946] del_timer_sync+0x13c/0x230
[ 51.979099][ T2946] ? find_next_bit+0x7b/0x100
[ 51.983786][ T2946] ? try_to_del_timer_sync+0x150/0x150
[ 51.989080][ T2946] ? pcpu_chunk_relocate+0xdc/0x3a0
[ 51.994202][ T2946] tun_flow_uninit+0x2c/0x280
[ 51.998697][ T2946] ? free_percpu+0x359/0x910
[ 52.003210][ T2946] tun_free_netdev+0x77/0x190
[ 52.008018][ T2946] ? tun_xdp+0x3f0/0x3f0
[ 52.012269][ T2946] netdev_run_todo+0xb7f/0xdf0
[ 52.017221][ T2946] ? netdev_refcnt_read+0x1c0/0x1c0
[ 52.022282][ T2946] ? kfree+0x123/0x370
[ 52.026587][ T2946] tun_chr_close+0xc1/0x130
[ 52.030877][ T2946] ? tun_chr_open+0x500/0x500
[ 52.035630][ T2946] __fput+0x262/0x680
[ 52.039662][ T2946] task_work_run+0x140/0x170
[ 52.044480][ T2946] exit_to_usermode_loop+0x190/0x1a0
[ 52.049742][ T2946] prepare_exit_to_usermode+0x199/0x200
[ 52.055131][ T2946] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 52.060967][ T2946] RIP: 0033:0x7f3ff1d6ca4a
[ 52.065338][ T2946] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 f3 7b 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 53 7c 02 00 8b 44 24
[ 52.085057][ T2946] RSP: 002b:00007ffcc6145200 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 52.093511][ T2946] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3ff1d6ca4a
[ 52.101606][ T2946] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 52.109636][ T2946] RBP: 00007f3ff1e81980 R08: 0000001b2d560000 R09: 00007ffcc61c80b0
[ 52.117640][ T2946] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000cd52
[ 52.125618][ T2946] R13: 00007f3ff1e80120 R14: 000000000000ca15 R15: 00007f3ff2284000
[ 52.133639][ T2946]
[ 52.135794][ T2946] The buggy address belongs to the page:
[ 52.141299][ T2946] page:ffffea0007732ac0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 52.150329][ T2946] flags: 0x8000000000000000()
[ 52.154823][ T2946] raw: 8000000000000000 0000000000000000 ffffea0007a3d5c8 0000000000000000
[ 52.163534][ T2946] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 52.172212][ T2946] page dumped because: kasan: bad access detected
[ 52.178513][ T2946] page_owner tracks the page as freed
[ 52.184121][ T2946] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x146dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
[ 52.203308][ T2946] prep_new_page+0x18f/0x370
[ 52.208060][ T2946] get_page_from_freelist+0x2d13/0x2d90
[ 52.214213][ T2946] __alloc_pages_nodemask+0x393/0x840
[ 52.219412][ T2946] kmalloc_order_trace+0x2a/0x100
[ 52.224761][ T2946] kvmalloc_node+0x7e/0xf0
[ 52.229154][ T2946] alloc_netdev_mqs+0x85/0xc70
[ 52.233985][ T2946] tun_set_iff+0x51f/0xdc0
[ 52.238661][ T2946] __tun_chr_ioctl+0x8a9/0x1d00
[ 52.243474][ T2946] do_vfs_ioctl+0x742/0x1720
[ 52.248048][ T2946] __x64_sys_ioctl+0xd4/0x110
[ 52.252650][ T2946] do_syscall_64+0xca/0x1c0
[ 52.257163][ T2946] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 52.263061][ T2946] page last free stack trace:
[ 52.267754][ T2946] __free_pages_ok+0x847/0x950
[ 52.272745][ T2946] __free_pages+0x91/0x140
[ 52.277202][ T2946] device_release+0x6b/0x190
[ 52.281804][ T2946] kobject_put+0x1e6/0x2f0
[ 52.286071][ T2946] netdev_run_todo+0xc44/0xdf0
[ 52.291206][ T2946] tun_chr_close+0xc1/0x130
[ 52.295686][ T2946] __fput+0x262/0x680
[ 52.299593][ T2946] task_work_run+0x140/0x170
[ 52.304198][ T2946] exit_to_usermode_loop+0x190/0x1a0
[ 52.309602][ T2946] prepare_exit_to_usermode+0x199/0x200
[ 52.315242][ T2946] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 52.321054][ T2946]
[ 52.323239][ T2946] Memory state around the buggy address:
[ 52.329730][ T2946] ffff8881dccab080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.339992][ T2946] ffff8881dccab100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.348600][ T2946] >ffff8881dccab180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.357424][ T2946] ^
[ 52.364057][ T2946] ffff8881dccab200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.372495][ T2946] ffff8881dccab280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.380595][ T2946] ==================================================================
[ 52.389048][ T2946] Disabling lock debugging due to kernel taint
[ 55.002837][ C1] kasan: CONFIG_KASAN_INLINE enabled
[ 55.007977][ C1] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 55.016068][ C1] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 55.022998][ C1] CPU: 1 PID: 163 Comm: udevd Tainted: G B 5.4.274-syzkaller-04909-gdd432c37afcd #0
[ 55.034111][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 55.044268][ C1] RIP: 0010:__run_timers+0x7b0/0xbe0
[ 55.049372][ C1] Code: 89 e7 e8 f3 4d 3f 00 4d 89 2c 24 4d 85 ed 74 2e e8 e5 68 0f 00 49 83 c5 08 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ef e8 c2 4d 3f 00 4d 89 65 00 eb 05 e8 b7
[ 55.068996][ C1] RSP: 0018:ffff8881f6f09d60 EFLAGS: 00010802
[ 55.074912][ C1] RAX: 1bd5a00000000025 RBX: 1ffff1103b995639 RCX: dffffc0000000000
[ 55.082816][ C1] RDX: 0000000000000101 RSI: 0000000000000008 RDI: ffff8881dccab1c8
[ 55.090721][ C1] RBP: ffff8881f6f09ec8 R08: dffffc0000000000 R09: 0000000000000003
[ 55.098528][ C1] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881f6f09e20
[ 55.106600][ C1] R13: dead00000000012a R14: 1ffff1103b995638 R15: ffff8881dccab1c8
[ 55.114502][ C1] FS: 00007f7751d5dc80(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
[ 55.123540][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 55.130400][ C1] CR2: 00007ffd3ac9acf8 CR3: 00000001ed1cf000 CR4: 00000000003406a0
[ 55.138671][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.146790][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 55.154696][ C1] Call Trace:
[ 55.157989][ C1]
[ 55.160688][ C1] ? __die+0xb4/0x100
[ 55.164501][ C1] ? die+0x26/0x50
[ 55.168057][ C1] ? do_general_protection+0x266/0x3c0
[ 55.173351][ C1] ? do_trap+0x340/0x340
[ 55.177430][ C1] ? check_preemption_disabled+0x9f/0x320
[ 55.183094][ C1] ? round_jiffies+0x99/0xb0
[ 55.187585][ C1] ? general_protection+0x28/0x30
[ 55.192480][ C1] ? __run_timers+0x7b0/0xbe0
[ 55.197420][ C1] ? enqueue_timer+0x300/0x300
[ 55.202118][ C1] ? check_preemption_disabled+0x9f/0x320
[ 55.207938][ C1] ? debug_smp_processor_id+0x20/0x20
[ 55.213698][ C1] ? lapic_next_event+0x5b/0x70
[ 55.218718][ C1] run_timer_softirq+0x63/0xf0
[ 55.223427][ C1] __do_softirq+0x23b/0x6b7
[ 55.228019][ C1] irq_exit+0x195/0x1c0
[ 55.232228][ C1] smp_apic_timer_interrupt+0x11a/0x460
[ 55.237729][ C1] apic_timer_interrupt+0xf/0x20
[ 55.242571][ C1]
[ 55.245297][ C1] RIP: 0010:selinux_inode_permission+0x376/0x6a0
[ 55.251928][ C1] Code: c1 e8 03 42 0f b6 04 20 84 c0 0f 85 b8 02 00 00 41 0f b7 0f 41 c1 e9 05 48 c7 c7 40 cd 8f 86 8b 74 24 04 89 da 44 8b 7c 24 08 <45> 89 f8 41 55 e8 e0 d6 fe ff 48 83 c4 08 89 44 24 04 4c 89 e8 48
[ 55.273020][ C1] RSP: 0018:ffff8881ec957740 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 55.281558][ C1] RAX: 0000000000000000 RBX: 0000000000000034 RCX: 0000000000000008
[ 55.289560][ C1] RDX: 0000000000000034 RSI: 0000000000000048 RDI: ffffffff868fcd40
[ 55.297510][ C1] RBP: ffff8881ec957818 R08: ffffffff820a1c8e R09: 0000000000000000
[ 55.305495][ C1] R10: ffffffffffffffff R11: dffffc0000000001 R12: dffffc0000000000
[ 55.313297][ C1] R13: ffff8881ec957780 R14: ffff8881edf8c350 R15: 0000000010000000
[ 55.321385][ C1] ? selinux_inode_permission+0x2ae/0x6a0
[ 55.327470][ C1] ? selinux_inode_follow_link+0x3c0/0x3c0
[ 55.333264][ C1] ? kernfs_refresh_inode+0x2b3/0x3d0
[ 55.338708][ C1] ? generic_permission+0x141/0x3e0
[ 55.344008][ C1] ? mutex_unlock+0x18/0x40
[ 55.348676][ C1] security_inode_permission+0x9d/0xf0
[ 55.354530][ C1] link_path_walk+0x22a/0x1040
[ 55.359816][ C1] ? set_root+0x30e/0x370
[ 55.364044][ C1] ? handle_lookup_down+0x5b0/0x5b0
[ 55.369635][ C1] ? path_init+0x217/0xee0
[ 55.374618][ C1] path_openat+0x1a3/0x34b0
[ 55.379029][ C1] ? stack_trace_save+0x118/0x1c0
[ 55.384730][ C1] ? stack_trace_snprint+0x170/0x170
[ 55.390561][ C1] ? hashlen_string+0x110/0x110
[ 55.395410][ C1] ? __kasan_kmalloc+0x1d9/0x210
[ 55.401617][ C1] ? do_filp_open+0x450/0x450
[ 55.406136][ C1] ? do_sys_open+0x357/0x810
[ 55.410737][ C1] ? do_syscall_64+0xca/0x1c0
[ 55.415740][ C1] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 55.421796][ C1] do_filp_open+0x20b/0x450
[ 55.426684][ C1] ? vfs_tmpfile+0x2c0/0x2c0
[ 55.431089][ C1] ? _raw_spin_unlock+0x49/0x60
[ 55.436067][ C1] ? __alloc_fd+0x4c1/0x560
[ 55.441274][ C1] do_sys_open+0x39c/0x810
[ 55.446393][ C1] ? check_preemption_disabled+0x153/0x320
[ 55.452252][ C1] ? file_open_root+0x490/0x490
[ 55.457070][ C1] do_syscall_64+0xca/0x1c0
[ 55.461387][ C1] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 55.467375][ C1] RIP: 0033:0x7f7751e8c477
[ 55.471810][ C1] Code: 10 00 00 00 44 8b 54 24 e0 48 89 44 24 c0 48 8d 44 24 d0 48 89 44 24 c8 44 89 c2 4c 89 ce bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 10 48 8b 15 82 69 0d 00 f7 d8 64 89 02 48 83
[ 55.491780][ C1] RSP: 002b:00007ffe1a814988 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
[ 55.500461][ C1] RAX: ffffffffffffffda RBX: 00005558bec373e0 RCX: 00007f7751e8c477
[ 55.509859][ C1] RDX: 0000000000090800 RSI: 00005558bec1cf00 RDI: 00000000ffffff9c
[ 55.518343][ C1] RBP: 00005558bec47240 R08: 0000000000090800 R09: 00005558bec1cf00
[ 55.527721][ C1] R10: 0000000000000000 R11: 0000000000000287 R12: 00005558bec1cf00
[ 55.536208][ C1] R13: 00000000000000ff R14: 00005558bea9b1c4 R15: 0000000000000000
[ 55.544198][ C1] Modules linked in:
[ 55.548122][ C1] ---[ end trace e073f28619bb9690 ]---
[ 55.553576][ C1] RIP: 0010:__run_timers+0x7b0/0xbe0
[ 55.559433][ C1] Code: 89 e7 e8 f3 4d 3f 00 4d 89 2c 24 4d 85 ed 74 2e e8 e5 68 0f 00 49 83 c5 08 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ef e8 c2 4d 3f 00 4d 89 65 00 eb 05 e8 b7
[ 55.579413][ C1] RSP: 0018:ffff8881f6f09d60 EFLAGS: 00010802
[ 55.585738][ C1] RAX: 1bd5a00000000025 RBX: 1ffff1103b995639 RCX: dffffc0000000000
[ 55.593648][ C1] RDX: 0000000000000101 RSI: 0000000000000008 RDI: ffff8881dccab1c8
[ 55.601632][ C1] RBP: ffff8881f6f09ec8 R08: dffffc0000000000 R09: 0000000000000003
[ 55.610220][ C1] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881f6f09e20
[ 55.618212][ C1] R13: dead00000000012a R14: 1ffff1103b995638 R15: ffff8881dccab1c8
[ 55.626366][ C1] FS: 00007f7751d5dc80(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
[ 55.635116][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 55.641626][ C1] CR2: 00007ffd3ac9acf8 CR3: 00000001ed1cf000 CR4: 00000000003406a0
[ 55.649442][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.657599][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 55.665593][ C1] Kernel panic - not syncing: Fatal exception in interrupt
[ 55.672838][ C1] Kernel Offset: disabled
[ 55.676987][ C1] Rebooting in 86400 seconds..