Warning: Permanently added '10.128.1.155' (ED25519) to the list of known hosts.
2023/11/12 03:45:35 ignoring optional flag "sandboxArg"="0"
2023/11/12 03:45:35 parsed 1 programs
[ 41.073464][ T27] audit: type=1400 audit(1699760735.426:156): avc: denied { mounton } for pid=423 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 41.098563][ T27] audit: type=1400 audit(1699760735.426:157): avc: denied { mount } for pid=423 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 41.124963][ T27] audit: type=1400 audit(1699760735.486:158): avc: denied { unlink } for pid=423 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2023/11/12 03:45:35 executed programs: 0
[ 41.208825][ T423] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 41.246824][ T429] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.253943][ T429] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.262163][ T429] device bridge_slave_0 entered promiscuous mode
[ 41.268759][ T429] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.275721][ T429] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.283072][ T429] device bridge_slave_1 entered promiscuous mode
[ 41.310599][ T27] audit: type=1400 audit(1699760735.666:159): avc: denied { write } for pid=429 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 41.314428][ T429] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.331314][ T27] audit: type=1400 audit(1699760735.666:160): avc: denied { read } for pid=429 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 41.338396][ T429] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.338469][ T429] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.374000][ T429] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.388859][ T376] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.396686][ T376] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.403942][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 41.412390][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 41.420740][ T386] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 41.429074][ T386] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.436458][ T386] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.453642][ T429] device veth0_vlan entered promiscuous mode
[ 41.462744][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 41.471298][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 41.479002][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 41.486186][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 41.493512][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 41.501955][ T376] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.509207][ T376] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.516743][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 41.524928][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 41.536403][ T429] device veth1_macvtap entered promiscuous mode
[ 41.545511][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 41.553966][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 41.563612][ T376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 41.576947][ T27] audit: type=1400 audit(1699760735.936:161): avc: denied { mounton } for pid=429 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=201 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 42.713667][ T510] ==================================================================
[ 42.722173][ T510] BUG: KASAN: use-after-free in unix_stream_read_actor+0x87/0xb0
[ 42.730470][ T510] Read of size 4 at addr ffff88812138eb84 by task syz-executor.0/510
[ 42.740143][ T510]
[ 42.743944][ T510] CPU: 1 PID: 510 Comm: syz-executor.0 Not tainted 5.14.0-rc5-syzkaller #0
[ 42.760045][ T510] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 42.772691][ T510] Call Trace:
[ 42.777045][ T510] dump_stack_lvl+0x38/0x49
[ 42.782396][ T510] print_address_description.constprop.0+0x24/0x150
[ 42.789904][ T510] ? unix_stream_read_actor+0x87/0xb0
[ 42.796141][ T510] kasan_report.cold+0x82/0xdb
[ 42.800872][ T510] ? unix_stream_read_actor+0x87/0xb0
[ 42.806827][ T510] __asan_report_load4_noabort+0x14/0x20
[ 42.812631][ T510] unix_stream_read_actor+0x87/0xb0
[ 42.818613][ T510] unix_stream_read_generic+0x1410/0x1d80
[ 42.824667][ T510] ? avc_has_perm_noaudit+0x200/0x200
[ 42.830406][ T510] ? unix_stream_sendmsg+0xe20/0xe20
[ 42.836192][ T510] ? selinux_socket_recvmsg+0x202/0x2f0
[ 42.842486][ T510] ? selinux_socket_sendmsg+0x2f0/0x2f0
[ 42.848598][ T510] unix_stream_recvmsg+0x9d/0xd0
[ 42.854036][ T510] ? unix_stream_splice_read+0x1d0/0x1d0
[ 42.859953][ T510] ? unix_copy_addr+0x110/0x110
[ 42.865856][ T510] ? security_socket_recvmsg+0x56/0xa0
[ 42.871995][ T510] ____sys_recvmsg+0x286/0x700
[ 42.877190][ T510] ? kernel_recvmsg+0x150/0x150
[ 42.882305][ T510] ? __copy_msghdr_from_user+0x92/0x4f0
[ 42.888253][ T510] ? __import_iovec+0x50/0x480
[ 42.892848][ T510] ? import_iovec+0x4a/0x80
[ 42.897275][ T510] ___sys_recvmsg+0x109/0x1d0
[ 42.901985][ T510] ? __copy_msghdr_from_user+0x4f0/0x4f0
[ 42.907430][ T510] ? __fget_files+0x156/0x200
[ 42.912677][ T510] ? __fget_light+0xc5/0x230
[ 42.918400][ T510] ? recalc_sigpending+0x7c/0xb0
[ 42.923325][ T510] ? __fdget+0xe/0x10
[ 42.927134][ T510] ? sockfd_lookup_light+0x1c/0x150
[ 42.932175][ T510] __sys_recvmsg+0xc0/0x160
[ 42.936689][ T510] ? __sys_recvmsg_sock+0x10/0x10
[ 42.941933][ T510] ? debug_smp_processor_id+0x17/0x20
[ 42.947946][ T510] __x64_sys_recvmsg+0x73/0xb0
[ 42.952519][ T510] ? syscall_exit_to_user_mode+0x21/0x40
[ 42.958219][ T510] do_syscall_64+0x35/0x80
[ 42.964502][ T510] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 42.970204][ T510] RIP: 0033:0x7f40f980bae9
[ 42.975072][ T510] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 42.994979][ T510] RSP: 002b:00007f40f934c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 43.003696][ T510] RAX: ffffffffffffffda RBX: 00007f40f992b120 RCX: 00007f40f980bae9
[ 43.011811][ T510] RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
[ 43.020222][ T510] RBP: 00007f40f985747a R08: 0000000000000000 R09: 0000000000000000
[ 43.028501][ T510] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 43.037298][ T510] R13: 000000000000006e R14: 00007f40f992b120 R15: 00007ffcdebfc348
[ 43.045552][ T510]
[ 43.047942][ T510] Allocated by task 509:
[ 43.052125][ T510] kasan_save_stack+0x23/0x50
[ 43.057006][ T510] __kasan_slab_alloc+0x8a/0xb0
[ 43.061676][ T510] kmem_cache_alloc+0x2f0/0x480
[ 43.066382][ T510] __alloc_skb+0x14b/0x250
[ 43.070879][ T510] alloc_skb_with_frags+0x76/0x4a0
[ 43.076294][ T510] sock_alloc_send_pskb+0x687/0x840
[ 43.081308][ T510] sock_alloc_send_skb+0x13/0x20
[ 43.086151][ T510] unix_stream_sendmsg+0x9f9/0xe20
[ 43.091704][ T510] sock_sendmsg+0xb5/0xf0
[ 43.096040][ T510] ____sys_sendmsg+0x694/0x990
[ 43.100892][ T510] ___sys_sendmsg+0xfc/0x190
[ 43.105412][ T510] __sys_sendmsg+0xc3/0x160
[ 43.109824][ T510] __x64_sys_sendmsg+0x73/0xb0
[ 43.114509][ T510] do_syscall_64+0x35/0x80
[ 43.118849][ T510] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 43.124864][ T510]
[ 43.127294][ T510] Freed by task 509:
[ 43.131143][ T510] kasan_save_stack+0x23/0x50
[ 43.136155][ T510] kasan_set_track+0x20/0x30
[ 43.140679][ T510] kasan_set_free_info+0x24/0x40
[ 43.145550][ T510] __kasan_slab_free+0x10d/0x150
[ 43.150783][ T510] slab_free_freelist_hook+0x8f/0x190
[ 43.156082][ T510] kmem_cache_free+0xfa/0x3a0
[ 43.160672][ T510] kfree_skbmem+0x95/0x140
[ 43.165042][ T510] kfree_skb+0xb1/0x1d0
[ 43.169223][ T510] unix_stream_sendmsg+0xaf2/0xe20
[ 43.174537][ T510] sock_sendmsg+0xb5/0xf0
[ 43.178690][ T510] ____sys_sendmsg+0x694/0x990
[ 43.183364][ T510] ___sys_sendmsg+0xfc/0x190
[ 43.188071][ T510] __sys_sendmsg+0xc3/0x160
[ 43.192409][ T510] __x64_sys_sendmsg+0x73/0xb0
[ 43.197261][ T510] do_syscall_64+0x35/0x80
[ 43.202028][ T510] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 43.207760][ T510]
[ 43.209926][ T510] The buggy address belongs to the object at ffff88812138eb40
[ 43.209926][ T510] which belongs to the cache skbuff_head_cache of size 224
[ 43.225045][ T510] The buggy address is located 68 bytes inside of
[ 43.225045][ T510] 224-byte region [ffff88812138eb40, ffff88812138ec20)
[ 43.240744][ T510] The buggy address belongs to the page:
[ 43.246752][ T510] page:ffffea000484e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12138e
[ 43.259389][ T510] flags: 0x4000000000000200(slab|zone=1)
[ 43.266431][ T510] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081c38c0
[ 43.276855][ T510] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 43.285616][ T510] page dumped because: kasan: bad access detected
[ 43.292027][ T510] page_owner tracks the page as allocated
[ 43.297941][ T510] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 509, ts 42713417511, free_ts 42655745407
[ 43.314869][ T510] get_page_from_freelist+0x236f/0x32a0
[ 43.320243][ T510] __alloc_pages+0x275/0x5b0
[ 43.324669][ T510] allocate_slab+0x330/0x480
[ 43.329630][ T510] ___slab_alloc.constprop.0+0x2f9/0x700
[ 43.335091][ T510] __slab_alloc.constprop.0+0x3d/0x60
[ 43.340304][ T510] kmem_cache_alloc+0x447/0x480
[ 43.345339][ T510] __alloc_skb+0x14b/0x250
[ 43.349593][ T510] alloc_skb_with_frags+0x76/0x4a0
[ 43.354981][ T510] sock_alloc_send_pskb+0x687/0x840
[ 43.360268][ T510] sock_alloc_send_skb+0x13/0x20
[ 43.365218][ T510] unix_stream_sendmsg+0x9f9/0xe20
[ 43.370281][ T510] sock_sendmsg+0xb5/0xf0
[ 43.374650][ T510] ____sys_sendmsg+0x694/0x990
[ 43.379301][ T510] ___sys_sendmsg+0xfc/0x190
[ 43.384011][ T510] __sys_sendmsg+0xc3/0x160
[ 43.388495][ T510] __x64_sys_sendmsg+0x73/0xb0
[ 43.393378][ T510] page last free stack trace:
[ 43.398034][ T510] free_pcp_prepare+0x19c/0x4a0
[ 43.402723][ T510] free_unref_page+0x1c/0x200
[ 43.407318][ T510] __free_pages+0xdc/0xf0
[ 43.411754][ T510] __vunmap+0x4b2/0x7b0
[ 43.416394][ T510] free_work+0x51/0x70
[ 43.420913][ T510] process_one_work+0x61d/0xe70
[ 43.427139][ T510] worker_thread+0x48e/0xdb0
[ 43.432393][ T510] kthread+0x324/0x3e0
[ 43.436956][ T510] ret_from_fork+0x1f/0x30
[ 43.441206][ T510]
[ 43.443631][ T510] Memory state around the buggy address:
[ 43.449280][ T510] ffff88812138ea80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 43.458112][ T510] ffff88812138eb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 43.466509][ T510] >ffff88812138eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.474914][ T510] ^
[ 43.479019][ T510] ffff88812138ec00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.487267][ T510] ffff88812138ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.495809][ T510] ==================================================================
[ 43.504269][ T510] Disabling lock debugging due to kernel taint
2023/11/12 03:45:40 executed programs: 52
2023/11/12 03:45:45 executed programs: 98