Warning: Permanently added '10.128.10.7' (ED25519) to the list of known hosts.
2023/10/05 21:18:46 ignoring optional flag "sandboxArg"="0"
2023/10/05 21:18:46 parsed 1 programs
[ 50.403484][ T23] kauditd_printk_skb: 72 callbacks suppressed
[ 50.403490][ T23] audit: type=1400 audit(1696540726.830:148): avc: denied { mounton } for pid=412 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 50.436211][ T23] audit: type=1400 audit(1696540726.870:149): avc: denied { mount } for pid=412 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 50.460055][ T23] audit: type=1400 audit(1696540726.870:150): avc: denied { unlink } for pid=412 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2023/10/05 21:18:46 executed programs: 0
[ 50.519104][ T412] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[ 50.573309][ T419] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.580346][ T419] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.587439][ T419] device bridge_slave_0 entered promiscuous mode
[ 50.594570][ T419] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.601731][ T419] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.608953][ T419] device bridge_slave_1 entered promiscuous mode
[ 50.643254][ T23] audit: type=1400 audit(1696540727.070:151): avc: denied { create } for pid=419 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 50.650017][ T419] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.664546][ T23] audit: type=1400 audit(1696540727.070:152): avc: denied { write } for pid=419 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 50.671651][ T419] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.671767][ T419] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.692004][ T23] audit: type=1400 audit(1696540727.070:153): avc: denied { read } for pid=419 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 50.699038][ T419] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.745398][ T365] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.752586][ T365] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.760796][ T365] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 50.767964][ T365] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 50.777108][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.785702][ T107] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.792623][ T107] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.809778][ T365] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.817786][ T365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.824536][ T365] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.831682][ T365] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 50.839844][ T365] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 50.850908][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 50.869931][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 50.878186][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 50.886686][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 50.894953][ T74] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 50.908909][ T23] audit: type=1400 audit(1696540727.330:154): avc: denied { mounton } for pid=419 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=10701 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 50.941064][ T425] kernel profiling enabled (shift: 7)
[ 52.599287][ C1] ==================================================================
[ 52.607174][ C1] BUG: KASAN: stack-out-of-bounds in profile_pc+0xa4/0xe0
[ 52.614122][ C1] Read of size 8 at addr ffff8881da537500 by task syz-executor.0/896
[ 52.622095][ C1]
[ 52.624264][ C1] CPU: 1 PID: 896 Comm: syz-executor.0 Not tainted 5.4.254-syzkaller-04732-g5f1cbd78af59 #0
[ 52.634242][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 52.644145][ C1] Call Trace:
[ 52.647262][ C1]
[ 52.649965][ C1] dump_stack+0x1d8/0x241
[ 52.654120][ C1] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 52.659773][ C1] ? printk+0xd1/0x111
[ 52.663679][ C1] ? profile_pc+0xa4/0xe0
[ 52.667844][ C1] ? wake_up_klogd+0xb2/0xf0
[ 52.672262][ C1] ? profile_pc+0xa4/0xe0
[ 52.676641][ C1] print_address_description+0x8c/0x600
[ 52.682007][ C1] ? panic+0x896/0x896
[ 52.685921][ C1] ? profile_pc+0xa4/0xe0
[ 52.690090][ C1] __kasan_report+0xf3/0x120
[ 52.694503][ C1] ? profile_pc+0xa4/0xe0
[ 52.698714][ C1] ? _raw_spin_lock+0xc0/0x1b0
[ 52.703277][ C1] kasan_report+0x30/0x60
[ 52.707756][ C1] profile_pc+0xa4/0xe0
[ 52.711761][ C1] profile_tick+0xb9/0x100
[ 52.716040][ C1] tick_sched_timer+0x237/0x3c0
[ 52.720822][ C1] ? tick_setup_sched_timer+0x460/0x460
[ 52.726202][ C1] __hrtimer_run_queues+0x3e9/0xb90
[ 52.731325][ C1] ? hrtimer_interrupt+0x890/0x890
[ 52.736516][ C1] ? kvm_sched_clock_read+0x14/0x40
[ 52.741540][ C1] ? sched_clock+0x36/0x40
[ 52.745952][ C1] ? ktime_get+0xf9/0x130
[ 52.750210][ C1] ? ktime_get_update_offsets_now+0x26c/0x280
[ 52.756240][ C1] hrtimer_interrupt+0x38a/0x890
[ 52.761020][ C1] smp_apic_timer_interrupt+0x110/0x460
[ 52.766478][ C1] apic_timer_interrupt+0xf/0x20
[ 52.771164][ C1]
[ 52.773948][ C1] ? _raw_spin_lock+0xc0/0x1b0
[ 52.778549][ C1] ? _raw_spin_trylock_bh+0x190/0x190
[ 52.783750][ C1] ? __tlb_remove_page_size+0x112/0x2f0
[ 52.789232][ C1] ? unmap_page_range+0xaf4/0x2620
[ 52.795071][ C1] ? copy_page_range+0x26f0/0x26f0
[ 52.800106][ C1] ? lru_add_page_tail+0x770/0x770
[ 52.805048][ C1] ? unmap_vmas+0x355/0x4b0
[ 52.809389][ C1] ? cputime_adjust+0x34/0x270
[ 52.813980][ C1] ? unmap_page_range+0x2620/0x2620
[ 52.819102][ C1] ? tlb_gather_mmu+0x273/0x340
[ 52.823796][ C1] ? exit_mmap+0x2bc/0x520
[ 52.828160][ C1] ? vm_brk+0x20/0x20
[ 52.831975][ C1] ? mutex_unlock+0x18/0x40
[ 52.836311][ C1] ? uprobe_clear_state+0x297/0x300
[ 52.841341][ C1] ? mm_update_next_owner+0x4f7/0x5d0
[ 52.846647][ C1] ? __mmput+0x8e/0x2c0
[ 52.850713][ C1] ? do_exit+0xc08/0x2bc0
[ 52.854879][ C1] ? put_task_struct+0x80/0x80
[ 52.859486][ C1] ? _raw_spin_lock_irqsave+0x210/0x210
[ 52.864861][ C1] ? do_group_exit+0x138/0x300
[ 52.869458][ C1] ? get_signal+0xdb1/0x1440
[ 52.873889][ C1] ? do_signal+0xb0/0x11f0
[ 52.878141][ C1] ? debug_smp_processor_id+0x20/0x20
[ 52.883781][ C1] ? selinux_file_permission+0x2be/0x530
[ 52.889449][ C1] ? signal_fault+0x1e0/0x1e0
[ 52.894145][ C1] ? __se_sys_futex+0x355/0x470
[ 52.899018][ C1] ? __x64_sys_futex+0xf0/0xf0
[ 52.903781][ C1] ? __ia32_sys_read+0x80/0x80
[ 52.908383][ C1] ? exit_to_usermode_loop+0xc0/0x1a0
[ 52.913957][ C1] ? prepare_exit_to_usermode+0x199/0x200
[ 52.919674][ C1] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 52.925778][ C1]
[ 52.927945][ C1] The buggy address belongs to the page:
[ 52.933679][ C1] page:ffffea0007694dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 52.942814][ C1] flags: 0x8000000000000000()
[ 52.947492][ C1] raw: 8000000000000000 0000000000000000 ffffea0007694dc8 0000000000000000
[ 52.956120][ C1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 52.964525][ C1] page dumped because: kasan: bad access detected
[ 52.970870][ C1] page_owner tracks the page as allocated
[ 52.976679][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
[ 52.988466][ C1] prep_new_page+0x18f/0x370
[ 52.992850][ C1] get_page_from_freelist+0x2d13/0x2d90
[ 52.998333][ C1] __alloc_pages_nodemask+0x393/0x840
[ 53.003629][ C1] dup_task_struct+0x85/0x600
[ 53.008142][ C1] copy_process+0x56d/0x3230
[ 53.012671][ C1] _do_fork+0x197/0x900
[ 53.016836][ C1] __x64_sys_clone3+0x2da/0x300
[ 53.021565][ C1] do_syscall_64+0xca/0x1c0
[ 53.025865][ C1] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 53.031592][ C1] page last free stack trace:
[ 53.036128][ C1] __free_pages_ok+0x847/0x950
[ 53.040879][ C1] __free_pages+0x91/0x140
[ 53.045138][ C1] __free_slab+0x221/0x2e0
[ 53.049680][ C1] unfreeze_partials+0x14e/0x180
[ 53.054442][ C1] put_cpu_partial+0x44/0x180
[ 53.058944][ C1] __slab_free+0x297/0x360
[ 53.063381][ C1] qlist_free_all+0x43/0xb0
[ 53.067802][ C1] quarantine_reduce+0x1d9/0x210
[ 53.072657][ C1] __kasan_kmalloc+0x41/0x210
[ 53.077519][ C1] kmem_cache_alloc+0xd9/0x250
[ 53.082289][ C1] getname_flags+0xb8/0x4e0
[ 53.086630][ C1] user_path_at_empty+0x28/0x50
[ 53.091318][ C1] vfs_statx+0x115/0x210
[ 53.095404][ C1] __se_sys_newfstatat+0xce/0x770
[ 53.100605][ C1] do_syscall_64+0xca/0x1c0
[ 53.105032][ C1] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 53.111039][ C1]
[ 53.113294][ C1] addr ffff8881da537500 is located in stack of task syz-executor.0/896 at offset 0 in frame:
[ 53.123481][ C1] _raw_spin_lock+0x0/0x1b0
[ 53.128053][ C1]
[ 53.130224][ C1] this frame has 1 object:
[ 53.134485][ C1] [32, 36) 'val.i.i.i'
[ 53.134486][ C1]
[ 53.140638][ C1] Memory state around the buggy address:
[ 53.146292][ C1] ffff8881da537400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.154264][ C1] ffff8881da537480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.162166][ C1] >ffff8881da537500: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
[ 53.170158][ C1] ^
[ 53.174507][ C1] ffff8881da537580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.182410][ C1] ffff8881da537600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.191014][ C1] ==================================================================
[ 53.199249][ C1] Disabling lock debugging due to kernel taint
2023/10/05 21:18:51 executed programs: 569
2023/10/05 21:18:56 executed programs: 1296