Warning: Permanently added '10.128.0.114' (ED25519) to the list of known hosts.
2023/11/25 03:57:41 ignoring optional flag "sandboxArg"="0"
2023/11/25 03:57:41 parsed 1 programs
[ 42.377113][ T30] audit: type=1400 audit(1700884661.428:157): avc: denied { mounton } for pid=342 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 42.402137][ T30] audit: type=1400 audit(1700884661.438:158): avc: denied { mount } for pid=342 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 42.508938][ T30] audit: type=1400 audit(1700884661.568:159): avc: denied { unlink } for pid=342 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2023/11/25 03:57:41 executed programs: 0
[ 42.551846][ T342] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 42.610548][ T348] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.618839][ T348] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.626451][ T348] device bridge_slave_0 entered promiscuous mode
[ 42.633399][ T348] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.640928][ T348] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.648846][ T348] device bridge_slave_1 entered promiscuous mode
[ 42.693393][ T30] audit: type=1400 audit(1700884661.748:160): avc: denied { write } for pid=348 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 42.699417][ T348] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.714169][ T30] audit: type=1400 audit(1700884661.748:161): avc: denied { read } for pid=348 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 42.721161][ T348] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.721344][ T348] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.756148][ T348] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.775646][ T20] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.783064][ T20] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.791041][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 42.798403][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.807135][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.815292][ T26] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.822516][ T26] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.838368][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.846372][ T20] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.853281][ T20] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.860805][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.868990][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.883703][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.895790][ T348] device veth0_vlan entered promiscuous mode
[ 42.903502][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.911721][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 42.919388][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 42.931166][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.941171][ T348] device veth1_macvtap entered promiscuous mode
[ 42.950983][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 42.963627][ T61] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 42.977014][ T30] audit: type=1400 audit(1700884662.028:162): avc: denied { mounton } for pid=348 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=362 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
2023/11/25 03:57:46 executed programs: 61
[ 51.726005][ T877] ==================================================================
[ 51.734054][ T877] BUG: KASAN: use-after-free in __skb_datagram_iter+0x6f8/0x760
[ 51.741669][ T877] Read of size 4 at addr ffff8881259f7e30 by task syz-executor.0/877
[ 51.749973][ T877]
[ 51.752140][ T877] CPU: 0 PID: 877 Comm: syz-executor.0 Not tainted 5.15.137-syzkaller-1068730-g61cfd264993d #0
[ 51.763288][ T877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 51.774256][ T877] Call Trace:
[ 51.777738][ T877]
[ 51.780806][ T877] dump_stack_lvl+0x151/0x1b7
[ 51.786400][ T877] ? io_uring_drop_tctx_refs+0x190/0x190
[ 51.792211][ T877] ? panic+0x751/0x751
[ 51.796701][ T877] print_address_description+0x87/0x3b0
[ 51.802302][ T877] ? sysvec_apic_timer_interrupt+0x55/0xc0
[ 51.808129][ T877] kasan_report+0x179/0x1c0
[ 51.813332][ T877] ? __skb_datagram_iter+0x6f8/0x760
[ 51.818501][ T877] ? __skb_datagram_iter+0x6f8/0x760
[ 51.824271][ T877] __asan_report_load4_noabort+0x14/0x20
[ 51.831289][ T877] __skb_datagram_iter+0x6f8/0x760
[ 51.837572][ T877] ? skb_copy_datagram_iter+0x170/0x170
[ 51.844081][ T877] ? __kasan_check_write+0x14/0x20
[ 51.850484][ T877] skb_copy_datagram_iter+0x43/0x170
[ 51.856111][ T877] unix_stream_read_actor+0x70/0xb0
[ 51.864865][ T877] unix_stream_recv_urg+0x1b4/0x2f0
[ 51.870300][ T877] unix_stream_read_generic+0x2147/0x2240
[ 51.877557][ T877] ? avc_denied+0x1b0/0x1b0
[ 51.882844][ T877] ? avc_has_perm+0x16f/0x260
[ 51.888148][ T877] ? avc_has_perm_noaudit+0x430/0x430
[ 51.893654][ T877] ? unix_stream_read_actor+0xb0/0xb0
[ 51.899381][ T877] ? selinux_socket_recvmsg+0x243/0x340
[ 51.905093][ T877] ? selinux_socket_sendmsg+0x340/0x340
[ 51.910810][ T877] unix_stream_recvmsg+0x22d/0x2c0
[ 51.917745][ T877] ? unix_stream_sendmsg+0x1060/0x1060
[ 51.923792][ T877] ? __unix_stream_recvmsg+0x210/0x210
[ 51.929545][ T877] ? security_socket_recvmsg+0x87/0xb0
[ 51.936914][ T877] ? unix_stream_sendmsg+0x1060/0x1060
[ 51.943437][ T877] ____sys_recvmsg+0x286/0x530
[ 51.949224][ T877] ? __sys_recvmsg_sock+0x50/0x50
[ 51.955515][ T877] ? import_iovec+0xe5/0x120
[ 51.960497][ T877] ___sys_recvmsg+0x1ec/0x690
[ 51.965676][ T877] ? __sys_recvmsg+0x260/0x260
[ 51.970541][ T877] ? __fdget+0x1bc/0x240
[ 51.974718][ T877] __x64_sys_recvmsg+0x1dc/0x2b0
[ 51.979953][ T877] ? ___sys_recvmsg+0x690/0x690
[ 51.984810][ T877] ? switch_fpu_return+0x1ed/0x3d0
[ 51.990252][ T877] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 51.997824][ T877] ? exit_to_user_mode_prepare+0x39/0xa0
[ 52.003474][ T877] do_syscall_64+0x3d/0xb0
[ 52.007771][ T877] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 52.013901][ T877] RIP: 0033:0x7ff5cccaaae9
[ 52.018145][ T877] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 52.038767][ T877] RSP: 002b:00007ff5cc7eb0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 52.047196][ T877] RAX: ffffffffffffffda RBX: 00007ff5ccdca120 RCX: 00007ff5cccaaae9
[ 52.055525][ T877] RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
[ 52.063856][ T877] RBP: 00007ff5cccf647a R08: 0000000000000000 R09: 0000000000000000
[ 52.072618][ T877] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 52.081883][ T877] R13: 000000000000006e R14: 00007ff5ccdca120 R15: 00007ffcc19649a8
[ 52.090303][ T877]
[ 52.093511][ T877]
[ 52.096005][ T877] Allocated by task 876:
[ 52.100071][ T877] __kasan_slab_alloc+0xb1/0xe0
[ 52.104889][ T877] slab_post_alloc_hook+0x53/0x2c0
[ 52.110026][ T877] kmem_cache_alloc+0xf5/0x200
[ 52.115196][ T877] __alloc_skb+0xbe/0x550
[ 52.119353][ T877] alloc_skb_with_frags+0xa6/0x680
[ 52.124698][ T877] sock_alloc_send_pskb+0x915/0xa50
[ 52.130322][ T877] sock_alloc_send_skb+0x32/0x40
[ 52.135085][ T877] queue_oob+0xfd/0x8c0
[ 52.139157][ T877] unix_stream_sendmsg+0xe06/0x1060
[ 52.144310][ T877] ____sys_sendmsg+0x59e/0x8f0
[ 52.149961][ T877] ___sys_sendmsg+0x252/0x2e0
[ 52.154568][ T877] __se_sys_sendmsg+0x19a/0x260
[ 52.160439][ T877] __x64_sys_sendmsg+0x7b/0x90
[ 52.166067][ T877] do_syscall_64+0x3d/0xb0
[ 52.170398][ T877] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 52.176229][ T877]
[ 52.178505][ T877] Freed by task 876:
[ 52.182552][ T877] kasan_set_track+0x4b/0x70
[ 52.186974][ T877] kasan_set_free_info+0x23/0x40
[ 52.192187][ T877] ____kasan_slab_free+0x126/0x160
[ 52.197628][ T877] __kasan_slab_free+0x11/0x20
[ 52.202552][ T877] slab_free_freelist_hook+0xbd/0x190
[ 52.207864][ T877] kmem_cache_free+0x116/0x2e0
[ 52.212738][ T877] kfree_skbmem+0x104/0x170
[ 52.217087][ T877] consume_skb+0xb4/0x250
[ 52.221508][ T877] queue_oob+0x522/0x8c0
[ 52.225586][ T877] unix_stream_sendmsg+0xe06/0x1060
[ 52.230999][ T877] ____sys_sendmsg+0x59e/0x8f0
[ 52.235617][ T877] ___sys_sendmsg+0x252/0x2e0
[ 52.240138][ T877] __se_sys_sendmsg+0x19a/0x260
[ 52.245353][ T877] __x64_sys_sendmsg+0x7b/0x90
[ 52.249938][ T877] do_syscall_64+0x3d/0xb0
[ 52.254321][ T877] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 52.260550][ T877]
[ 52.262790][ T877] The buggy address belongs to the object at ffff8881259f7dc0
[ 52.262790][ T877] which belongs to the cache skbuff_head_cache of size 248
[ 52.277646][ T877] The buggy address is located 112 bytes inside of
[ 52.277646][ T877] 248-byte region [ffff8881259f7dc0, ffff8881259f7eb8)
[ 52.291727][ T877] The buggy address belongs to the page:
[ 52.297686][ T877] page:ffffea0004967dc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1259f7
[ 52.309172][ T877] flags: 0x4000000000000200(slab|zone=1)
[ 52.314868][ T877] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100350900
[ 52.324134][ T877] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 52.332763][ T877] page dumped because: kasan: bad access detected
[ 52.339010][ T877] page_owner tracks the page as allocated
[ 52.344559][ T877] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 868, ts 51603901661, free_ts 51485823759
[ 52.360536][ T877] post_alloc_hook+0x1a3/0x1b0
[ 52.365129][ T877] prep_new_page+0x1b/0x110
[ 52.369599][ T877] get_page_from_freelist+0x3550/0x35d0
[ 52.375395][ T877] __alloc_pages+0x206/0x5e0
[ 52.379958][ T877] new_slab+0x9a/0x4e0
[ 52.384043][ T877] ___slab_alloc+0x39e/0x830
[ 52.388484][ T877] __slab_alloc+0x4a/0x90
[ 52.392609][ T877] kmem_cache_alloc+0x134/0x200
[ 52.397818][ T877] __alloc_skb+0xbe/0x550
[ 52.401994][ T877] alloc_skb_with_frags+0xa6/0x680
[ 52.406931][ T877] sock_alloc_send_pskb+0x915/0xa50
[ 52.412053][ T877] sock_alloc_send_skb+0x32/0x40
[ 52.417018][ T877] queue_oob+0xfd/0x8c0
[ 52.421045][ T877] unix_stream_sendmsg+0xe06/0x1060
[ 52.426349][ T877] ____sys_sendmsg+0x59e/0x8f0
[ 52.430949][ T877] ___sys_sendmsg+0x252/0x2e0
[ 52.435699][ T877] page last free stack trace:
[ 52.440259][ T877] free_unref_page_prepare+0x7c8/0x7d0
[ 52.445551][ T877] free_unref_page+0xe6/0x730
[ 52.450068][ T877] __free_pages+0x61/0xf0
[ 52.454242][ T877] free_pages+0x7c/0x90
[ 52.458219][ T877] pgd_free+0x17d/0x190
[ 52.462613][ T877] __mmdrop+0xb0/0x410
[ 52.466522][ T877] finish_task_switch+0x2cd/0x7b0
[ 52.471479][ T877] __schedule+0xcc6/0x1580
[ 52.476083][ T877] schedule+0x11f/0x1e0
[ 52.480194][ T877] schedule_hrtimeout_range_clock+0x1ef/0x360
[ 52.487093][ T877] schedule_hrtimeout_range+0x2a/0x40
[ 52.492552][ T877] do_epoll_wait+0x1777/0x1a50
[ 52.497280][ T877] do_epoll_pwait+0x5c/0x1f0
[ 52.502198][ T877] __x64_sys_epoll_pwait+0x2b4/0x300
[ 52.507756][ T877] do_syscall_64+0x3d/0xb0
[ 52.512285][ T877] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 52.518317][ T877]
[ 52.520481][ T877] Memory state around the buggy address:
[ 52.526644][ T877] ffff8881259f7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 52.534831][ T877] ffff8881259f7d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 52.542720][ T877] >ffff8881259f7e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.550940][ T877]                                      ^
[ 52.556602][ T877] ffff8881259f7e80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 52.564892][ T877] ffff8881259f7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
2023/11/25 03:57:51 executed programs: 129
[ 52.573705][ T877] ==================================================================
[ 52.582336][ T877] Disabling lock debugging due to kernel taint
2023/11/25 03:57:56 executed programs: 211