Warning: Permanently added '10.128.1.107' (ECDSA) to the list of known hosts.
2022/12/07 02:24:29 ignoring optional flag "sandboxArg"="0"
2022/12/07 02:24:29 parsed 1 programs
2022/12/07 02:24:29 executed programs: 0
[ 36.053254][ T29] kauditd_printk_skb: 65 callbacks suppressed
[ 36.053260][ T29] audit: type=1400 audit(1670379869.870:137): avc: denied { mounton } for pid=452 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 36.083946][ T29] audit: type=1400 audit(1670379869.870:138): avc: denied { mount } for pid=452 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 36.111952][ T455] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.119395][ T455] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.126513][ T455] device bridge_slave_0 entered promiscuous mode
[ 36.132908][ T455] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.139736][ T455] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.146734][ T455] device bridge_slave_1 entered promiscuous mode
[ 36.172124][ T455] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.178953][ T455] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.186049][ T455] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.192832][ T455] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.205709][ T412] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.212715][ T412] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.219754][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 36.227379][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.241078][ T455] device veth0_vlan entered promiscuous mode
[ 36.247379][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 36.255410][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.262907][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.269969][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.277008][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.284747][ T412] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.291570][ T412] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.298652][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.306500][ T412] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.313250][ T412] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.320391][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.328016][ T412] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.337785][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 36.346056][ T455] device veth1_macvtap entered promiscuous mode
[ 36.354976][ T124] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 36.362946][ T124] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 36.373674][ T29] audit: type=1400 audit(1670379870.190:139): avc: denied { mount } for pid=455 comm="syz-executor.0" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 36.400095][ T460] loop0: detected capacity change from 0 to 128
[ 36.406800][ T29] audit: type=1400 audit(1670379870.230:140): avc: denied { mounton } for pid=459 comm="syz-executor.0" path="/root/syzkaller-testdir214674335/syzkaller.oLtLDs/0/file0" dev="sda1" ino=1148 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 36.433273][ T29] audit: type=1400 audit(1670379870.230:141): avc: denied { mount } for pid=459 comm="syz-executor.0" name="/" dev="loop0" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1
[ 36.516059][ T29] audit: type=1400 audit(1670379870.340:142): avc: denied { unmount } for pid=455 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1
[ 36.598521][ T464] loop0: detected capacity change from 0 to 128
[ 36.605430][ T464] ==================================================================
[ 36.613903][ T464] BUG: KASAN: use-after-free in __list_add_valid+0x4c/0x100
[ 36.621447][ T464] Read of size 8 at addr ffff8881214bc878 by task syz-executor.0/464
[ 36.629341][ T464]
[ 36.631527][ T464] CPU: 1 PID: 464 Comm: syz-executor.0 Not tainted 5.15.74-syzkaller #0
[ 36.639758][ T464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 36.649654][ T464] Call Trace:
[ 36.652780][ T464]
[ 36.655558][ T464] dump_stack_lvl+0x105/0x148
[ 36.660083][ T464] ? bfq_pos_tree_add_move+0x387/0x387
[ 36.665369][ T464] ? panic+0x4e9/0x4e9
[ 36.669269][ T464] ? mark_page_accessed+0x137/0x7f0
[ 36.674307][ T464] print_address_description+0x87/0x3c0
[ 36.679696][ T464] ? __kasan_check_write+0x14/0x20
[ 36.684631][ T464] kasan_report+0x1a2/0x1f0
[ 36.689061][ T464] ? __list_add_valid+0x4c/0x100
[ 36.693833][ T464] ? __list_add_valid+0x4c/0x100
[ 36.698609][ T464] __asan_report_load8_noabort+0x14/0x20
[ 36.704078][ T464] __list_add_valid+0x4c/0x100
[ 36.708717][ T464] inode_io_list_move_locked+0x163/0x330
[ 36.714144][ T464] __mark_inode_dirty+0x40c/0x700
[ 36.719006][ T464] mark_buffer_dirty+0x152/0x210
[ 36.723781][ T464] fat_set_state+0x1fc/0x2c0
[ 36.728214][ T464] fat_fill_super+0x30f6/0x4660
[ 36.732896][ T464] ? __fat_write_inode+0x930/0x930
[ 36.737844][ T464] ? up_write+0xa1/0x190
[ 36.741921][ T464] ? __kasan_check_write+0x14/0x20
[ 36.746871][ T464] ? down_write+0xdd/0x140
[ 36.751122][ T464] ? snprintf+0xcc/0x110
[ 36.755206][ T464] ? vscnprintf+0x30/0x30
[ 36.759370][ T464] ? mutex_unlock+0xa2/0x110
[ 36.763794][ T464] msdos_fill_super+0x12/0x20
[ 36.768309][ T464] mount_bdev+0x22b/0x330
[ 36.772475][ T464] ? msdos_mount+0x20/0x20
[ 36.776732][ T464] msdos_mount+0x10/0x20
[ 36.780814][ T464] legacy_get_tree+0xe7/0x180
[ 36.785321][ T464] ? vfat_cmp+0x1d0/0x1d0
[ 36.789575][ T464] vfs_get_tree+0x7e/0x220
[ 36.793827][ T464] do_new_mount+0x1df/0x930
[ 36.798167][ T464] ? do_move_mount_old+0x120/0x120
[ 36.803118][ T464] ? security_capable+0x71/0xa0
[ 36.807803][ T464] ? ns_capable+0x5c/0xc0
[ 36.811969][ T464] path_mount+0x677/0xd00
[ 36.816147][ T464] ? user_path_at_empty+0xf6/0x160
[ 36.821084][ T464] __se_sys_mount+0x24a/0x2e0
[ 36.825705][ T464] ? vmacache_find+0x2db/0x300
[ 36.830283][ T464] ? __x64_sys_mount+0xd0/0xd0
[ 36.834886][ T464] ? debug_smp_processor_id+0x17/0x20
[ 36.840091][ T464] ? fpregs_assert_state_consistent+0x54/0xa0
[ 36.845995][ T464] __x64_sys_mount+0xba/0xd0
[ 36.850421][ T464] do_syscall_64+0x44/0xd0
[ 36.854674][ T464] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 36.860403][ T464] RIP: 0033:0x7fdc45f1f60a
[ 36.864657][ T464] Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 36.884107][ T464] RSP: 002b:00007fdc45a90f88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 36.892345][ T464] RAX: ffffffffffffffda RBX: 000000000000023e RCX: 00007fdc45f1f60a
[ 36.900165][ T464] RDX: 0000000020000240 RSI: 0000000020000280 RDI: 00007fdc45a90fe0
[ 36.907973][ T464] RBP: 00007fdc45a91020 R08: 00007fdc45a91020 R09: 0000000002800480
[ 36.915782][ T464] R10: 0000000002800480 R11: 0000000000000246 R12: 0000000020000240
[ 36.923593][ T464] R13: 0000000020000280 R14: 00007fdc45a90fe0 R15: 0000000020000080
[ 36.931407][ T464]
[ 36.934270][ T464]
[ 36.936442][ T464] Allocated by task 460:
[ 36.940520][ T464] __kasan_slab_alloc+0xb2/0xe0
[ 36.945212][ T464] kmem_cache_alloc+0x189/0x2f0
[ 36.949894][ T464] fat_alloc_inode+0x18/0x90
[ 36.954323][ T464] new_inode_pseudo+0x5a/0x1d0
[ 36.958924][ T464] new_inode+0x1d/0x1a0
[ 36.962919][ T464] fat_build_inode+0xec/0x2f0
[ 36.967434][ T464] msdos_lookup+0x34a/0x440
[ 36.971771][ T464] path_openat+0xe82/0x2620
[ 36.976126][ T464] do_filp_open+0x24f/0x4a0
[ 36.980451][ T464] do_sys_openat2+0x10b/0x420
[ 36.984969][ T464] __x64_sys_openat+0x209/0x250
[ 36.989739][ T464] do_syscall_64+0x44/0xd0
[ 36.994003][ T464] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 36.999720][ T464]
[ 37.001888][ T464] Freed by task 0:
[ 37.005460][ T464] kasan_set_track+0x4c/0x80
[ 37.009876][ T464] kasan_set_free_info+0x23/0x40
[ 37.014647][ T464] ____kasan_slab_free+0x126/0x160
[ 37.019597][ T464] __kasan_slab_free+0x11/0x20
[ 37.024196][ T464] slab_free_freelist_hook+0xc9/0x1a0
[ 37.029405][ T464] kmem_cache_free+0x11a/0x2e0
[ 37.034005][ T464] fat_free_inode+0x1a/0x20
[ 37.038348][ T464] i_callback+0x41/0x60
[ 37.042341][ T464] rcu_do_batch+0x55b/0xbe0
[ 37.046677][ T464] rcu_core+0x503/0x1000
[ 37.050758][ T464] rcu_core_si+0x9/0x10
[ 37.054749][ T464] __do_softirq+0x24e/0x5ac
[ 37.059436][ T464]
[ 37.061608][ T464] Last potentially related work creation:
[ 37.067162][ T464] kasan_save_stack+0x36/0x60
[ 37.071864][ T464] kasan_record_aux_stack+0xca/0xf0
[ 37.076898][ T464] call_rcu+0x140/0x1400
[ 37.080978][ T464] evict+0x563/0x5a0
[ 37.084710][ T464] iput+0x484/0x5d0
[ 37.088357][ T464] dentry_unlink_inode+0x2d2/0x3c0
[ 37.093313][ T464] __dentry_kill+0x329/0x4d0
[ 37.097733][ T464] dentry_kill+0xc4/0x1f0
[ 37.101899][ T464] dput+0x10f/0x250
[ 37.105545][ T464] __fput+0x438/0x660
[ 37.109362][ T464] ____fput+0x9/0x10
[ 37.113094][ T464] task_work_run+0xd6/0x150
[ 37.117439][ T464] exit_to_user_mode_loop+0xfd/0x110
[ 37.122555][ T464] syscall_exit_to_user_mode+0x79/0xc0
[ 37.127852][ T464] do_syscall_64+0x50/0xd0
[ 37.132104][ T464] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 37.137832][ T464]
[ 37.140002][ T464] The buggy address belongs to the object at ffff8881214bc700
[ 37.140002][ T464] which belongs to the cache fat_inode_cache of size 768
[ 37.154239][ T464] The buggy address is located 376 bytes inside of
[ 37.154239][ T464] 768-byte region [ffff8881214bc700, ffff8881214bca00)
[ 37.167352][ T464] The buggy address belongs to the page:
[ 37.172816][ T464] page:ffffea0004852f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1214bc
[ 37.182885][ T464] head:ffffea0004852f00 order:2 compound_mapcount:0 compound_pincount:0
[ 37.191055][ T464] flags: 0x4000000000010200(slab|head|zone=1)
[ 37.196947][ T464] raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881035fc280
[ 37.205367][ T464] raw: 0000000000000000 0000000080120012 00000001ffffffff 0000000000000000
[ 37.213782][ T464] page dumped because: kasan: bad access detected
[ 37.220033][ T464] page_owner tracks the page as allocated
[ 37.225588][ T464] page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 460, ts 36407218099, free_ts 0
[ 37.245906][ T464] post_alloc_hook+0x15a/0x160
[ 37.250499][ T464] get_page_from_freelist+0x38b/0x400
[ 37.255710][ T464] __alloc_pages+0x3bd/0x850
[ 37.260134][ T464] allocate_slab+0x62/0x580
[ 37.264479][ T464] ___slab_alloc+0x2e2/0x6f0
[ 37.268902][ T464] __slab_alloc+0x4a/0x90
[ 37.273067][ T464] kmem_cache_alloc+0x205/0x2f0
[ 37.277759][ T464] fat_alloc_inode+0x18/0x90
[ 37.282191][ T464] new_inode_pseudo+0x5a/0x1d0
[ 37.286796][ T464] new_inode+0x1d/0x1a0
[ 37.290780][ T464] fat_fill_super+0x2e75/0x4660
[ 37.295465][ T464] msdos_fill_super+0x12/0x20
[ 37.299982][ T464] mount_bdev+0x22b/0x330
[ 37.304145][ T464] msdos_mount+0x10/0x20
[ 37.308225][ T464] legacy_get_tree+0xe7/0x180
[ 37.312737][ T464] vfs_get_tree+0x7e/0x220
[ 37.316991][ T464] page_owner free stack trace missing
[ 37.322199][ T464]
[ 37.324368][ T464] Memory state around the buggy address:
[ 37.329844][ T464] ffff8881214bc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.337739][ T464] ffff8881214bc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.345637][ T464] >ffff8881214bc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.353540][ T464] ^
[ 37.361354][ T464] ffff8881214bc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.369247][ T464] ffff8881214bc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.377146][ T464] ==================================================================
[ 37.385065][ T464] Disabling lock debugging due to kernel taint
[ 37.568582][ T467] loop0: detected capacity change from 0 to 128
[ 37.728874][ T469] loop0: detected capacity change from 0 to 128
[ 37.928474][ T471] loop0: detected capacity change from 0 to 128
[ 38.127640][ T473] loop0: detected capacity change from 0 to 128
[ 38.328600][ T475] loop0: detected capacity change from 0 to 128
[ 38.498506][ T478] loop0: detected capacity change from 0 to 128
[ 38.729171][ T480] loop0: detected capacity change from 0 to 128
[ 38.928751][ T482] loop0: detected capacity change from 0 to 128
[ 39.088861][ T484] loop0: detected capacity change from 0 to 128
[ 39.288625][ T486] loop0: detected capacity change from 0 to 128
[ 39.488920][ T489] loop0: detected capacity change from 0 to 128
[ 39.687665][ T491] loop0: detected capacity change from 0 to 128
[ 39.888249][ T493] loop0: detected capacity change from 0 to 128
[ 40.118366][ T495] loop0: detected capacity change from 0 to 128
[ 40.287773][ T497] loop0: detected capacity change from 0 to 128
[ 40.529260][ T500] loop0: detected capacity change from 0 to 128
[ 40.687978][ T502] loop0: detected capacity change from 0 to 128
[ 40.888586][ T504] loop0: detected capacity change from 0 to 128
[ 41.088642][ T506] loop0: detected capacity change from 0 to 128
2022/12/07 02:24:35 executed programs: 21
[ 41.288952][ T508] loop0: detected capacity change from 0 to 128
[ 41.448363][ T510] loop0: detected capacity change from 0 to 128
[ 41.617958][ T513] loop0: detected capacity change from 0 to 128
[ 41.838982][ T515] loop0: detected capacity change from 0 to 128
[ 42.048415][ T517] loop0: detected capacity change from 0 to 128
[ 42.248527][ T519] loop0: detected capacity change from 0 to 128
[ 42.448543][ T521] loop0: detected capacity change from 0 to 128
[ 42.638655][ T524] loop0: detected capacity change from 0 to 128
[ 42.788637][ T526] loop0: detected capacity change from 0 to 128
[ 42.948301][ T528] loop0: detected capacity change from 0 to 128
[ 43.167773][ T530] loop0: detected capacity change from 0 to 128
[ 43.327784][ T532] loop0: detected capacity change from 0 to 128
[ 43.498419][ T535] loop0: detected capacity change from 0 to 128
[ 43.688780][ T537] loop0: detected capacity change from 0 to 128
[ 43.888815][ T539] loop0: detected capacity change from 0 to 128
[ 44.088616][ T541] loop0: detected capacity change from 0 to 128
[ 44.288469][ T543] loop0: detected capacity change from 0 to 128
[ 44.465611][ T546] loop0: detected capacity change from 0 to 128
[ 44.649484][ T548] loop0: detected capacity change from 0 to 128
[ 44.848727][ T550] loop0: detected capacity change from 0 to 128
[ 45.048543][ T552] loop0: detected capacity change from 0 to 128
[ 45.287493][ T554] loop0: detected capacity change from 0 to 128
[ 45.478267][ T557] loop0: detected capacity change from 0 to 128
[ 45.688563][ T559] loop0: detected capacity change from 0 to 128
[ 45.888716][ T561] loop0: detected capacity change from 0 to 128
[ 46.087807][ T563] loop0: detected capacity change from 0 to 128
2022/12/07 02:24:40 executed programs: 47
[ 46.248343][ T565] loop0: detected capacity change from 0 to 128
[ 46.428656][ T567] loop0: detected capacity change from 0 to 128