Warning: Permanently added '10.128.10.14' (ED25519) to the list of known hosts.
2024/02/27 06:14:19 ignoring optional flag "sandboxArg"="0"
2024/02/27 06:14:19 parsed 1 programs
[ 49.922111][ T29] kauditd_printk_skb: 78 callbacks suppressed
[ 49.922120][ T29] audit: type=1400 audit(1709014459.763:154): avc: denied { mounton } for pid=345 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 49.953540][ T29] audit: type=1400 audit(1709014459.763:155): avc: denied { mount } for pid=345 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 49.977087][ T29] audit: type=1400 audit(1709014459.763:156): avc: denied { setattr } for pid=345 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=82 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 50.000224][ T29] audit: type=1400 audit(1709014459.763:157): avc: denied { read write } for pid=345 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 50.026580][ T29] audit: type=1400 audit(1709014459.763:158): avc: denied { open } for pid=345 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2024/02/27 06:14:19 executed programs: 0
[ 50.052980][ T29] audit: type=1400 audit(1709014459.893:159): avc: denied { unlink } for pid=345 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 50.071119][ T345] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 50.079044][ T29] audit: type=1400 audit(1709014459.903:160): avc: denied { relabelto } for pid=346 comm="mkswap" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 50.133352][ T350] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.140286][ T350] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.148051][ T350] device bridge_slave_0 entered promiscuous mode
[ 50.154901][ T350] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.161772][ T350] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.169222][ T350] device bridge_slave_1 entered promiscuous mode
[ 50.210194][ T350] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.217146][ T350] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.224245][ T350] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.231112][ T350] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.248012][ T302] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.255101][ T302] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.262306][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 50.269447][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 50.278031][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.285959][ T38] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.292791][ T38] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.309988][ T350] device veth0_vlan entered promiscuous mode
[ 50.316859][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 50.325133][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 50.333777][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 50.341261][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 50.348820][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.356897][ T302] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.364311][ T302] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.371567][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 50.379246][ T302] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 50.391991][ T350] device veth1_macvtap entered promiscuous mode
[ 50.400735][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 50.408925][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 50.417360][ T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 50.703753][ T356] loop0: detected capacity change from 0 to 131072
[ 50.710656][ T29] audit: type=1400 audit(1709014460.553:161): avc: denied { mounton } for pid=354 comm="syz-executor.0" path="/root/syzkaller-testdir2509830605/syzkaller.vRdc6B/0/file2" dev="sda1" ino=1939 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 50.711704][ T356] F2FS-fs (loop0): Invalid log sectors per block(124) log sectorsize(9)
[ 50.746673][ T356] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 50.755887][ T356] F2FS-fs (loop0): invalid crc value
[ 50.762739][ T356] F2FS-fs (loop0): Disable nat_bits due to incorrect cp_ver (9621037545273099749, 1067266233009637)
[ 50.775162][ T356] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
[ 50.794036][ T356] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
[ 50.800948][ T356] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[ 50.808425][ T29] audit: type=1400 audit(1709014460.643:162): avc: denied { mount } for pid=354 comm="syz-executor.0" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 50.831221][ T29] audit: type=1400 audit(1709014460.653:163): avc: denied { read } for pid=354 comm="syz-executor.0" name="file2" dev="loop0" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 50.910633][ T350] ==================================================================
[ 50.918605][ T350] BUG: KASAN: use-after-free in _raw_spin_lock+0x78/0x110
[ 50.925545][ T350] Write of size 4 at addr ffff88810bb58088 by task syz-executor.0/350
[ 50.933625][ T350]
[ 50.935787][ T350] CPU: 1 PID: 350 Comm: syz-executor.0 Not tainted 5.15.148-syzkaller #0
[ 50.944150][ T350] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 50.954046][ T350] Call Trace:
[ 50.957343][ T350]
[ 50.960462][ T350] dump_stack_lvl+0x38/0x49
[ 50.964902][ T350] print_address_description.constprop.0+0x24/0x160
[ 50.971506][ T350] ? _raw_spin_lock+0x78/0x110
[ 50.976352][ T350] kasan_report.cold+0x82/0xdb
[ 50.981041][ T350] ? _raw_spin_lock+0x78/0x110
[ 50.985648][ T350] kasan_check_range+0x148/0x190
[ 50.990420][ T350] __kasan_check_write+0x14/0x20
[ 50.995288][ T350] _raw_spin_lock+0x78/0x110
[ 50.999798][ T350] ? _raw_spin_lock_bh+0x110/0x110
[ 51.004926][ T350] ? _raw_spin_lock_bh+0x110/0x110
[ 51.009893][ T350] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 51.015942][ T350] igrab+0x19/0x80
[ 51.019496][ T350] f2fs_sync_inode_meta+0x16e/0x260
[ 51.024543][ T350] f2fs_write_checkpoint+0x693/0x6430
[ 51.029827][ T350] ? __switch_to+0x5cd/0xec0
[ 51.034254][ T350] ? __kasan_check_write+0x14/0x20
[ 51.039415][ T350] ? _raw_spin_lock_irqsave+0x8c/0x120
[ 51.044678][ T350] ? f2fs_get_sectors_written+0x370/0x370
[ 51.050322][ T350] ? __kasan_check_write+0x14/0x20
[ 51.055353][ T350] ? mutex_unlock+0x7e/0x240
[ 51.059781][ T350] f2fs_issue_checkpoint+0x2a6/0x440
[ 51.064910][ T350] ? f2fs_destroy_checkpoint_caches+0x20/0x20
[ 51.070826][ T350] ? sync_inodes_sb+0x569/0x760
[ 51.075663][ T350] ? filemap_fdatawrite_wbc+0x1cf/0x2b0
[ 51.081043][ T350] ? try_to_writeback_inodes_sb+0xb0/0xb0
[ 51.086694][ T350] ? add_page_wait_queue+0x200/0x200
[ 51.091808][ T350] f2fs_sync_fs+0x14c/0x240
[ 51.096148][ T350] sync_filesystem.part.0+0xfc/0x170
[ 51.101278][ T350] sync_filesystem+0x66/0x80
[ 51.106050][ T350] f2fs_quota_off_umount+0x52/0xd0
[ 51.110989][ T350] f2fs_put_super+0xb8/0xd50
[ 51.115767][ T350] ? __kasan_check_read+0x11/0x20
[ 51.120622][ T350] ? fsnotify_sb_delete+0x2aa/0x420
[ 51.125741][ T350] ? __fsnotify_vfsmount_delete+0x20/0x20
[ 51.131482][ T350] ? f2fs_quota_off_umount+0xd0/0xd0
[ 51.136599][ T350] ? dispose_list+0x1a0/0x1a0
[ 51.141114][ T350] ? sync_blockdev+0x5c/0x80
[ 51.146166][ T350] generic_shutdown_super+0x13d/0x340
[ 51.151352][ T350] kill_block_super+0x9a/0xd0
[ 51.155869][ T350] kill_f2fs_super+0x24d/0x360
[ 51.160634][ T350] ? trace_event_raw_event_f2fs_background_gc+0x310/0x310
[ 51.167750][ T350] ? unregister_shrinker+0x1bd/0x2e0
[ 51.172996][ T350] deactivate_locked_super+0x8b/0x130
[ 51.178252][ T350] deactivate_super+0x71/0x80
[ 51.182867][ T350] cleanup_mnt+0x2cf/0x400
[ 51.187290][ T350] ? putname+0xb8/0xf0
[ 51.191201][ T350] __cleanup_mnt+0xd/0x10
[ 51.195696][ T350] task_work_run+0xc2/0x150
[ 51.200182][ T350] exit_to_user_mode_prepare+0x140/0x150
[ 51.205845][ T350] syscall_exit_to_user_mode+0x21/0x40
[ 51.211405][ T350] do_syscall_64+0x42/0xb0
[ 51.215667][ T350] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 51.221382][ T350] RIP: 0033:0x7fcb91f09017
[ 51.225637][ T350] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[ 51.245281][ T350] RSP: 002b:00007ffeea438398 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 51.253494][ T350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fcb91f09017
[ 51.261312][ T350] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffeea438450
[ 51.269376][ T350] RBP: 00007ffeea438450 R08: 0000000000000000 R09: 0000000000000000
[ 51.277553][ T350] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffeea439510
[ 51.285431][ T350] R13: 00007fcb91f533b9 R14: 000000000000c4ee R15: 0000000000000003
[ 51.293278][ T350]
[ 51.296253][ T350]
[ 51.298422][ T350] Allocated by task 356:
[ 51.302531][ T350] kasan_save_stack+0x26/0x50
[ 51.307044][ T350] __kasan_slab_alloc+0x94/0xc0
[ 51.311727][ T350] kmem_cache_alloc+0x197/0x480
[ 51.316435][ T350] f2fs_alloc_inode+0x1d/0x370
[ 51.321035][ T350] alloc_inode+0x5c/0x1e0
[ 51.325198][ T350] iget_locked+0x138/0x5f0
[ 51.329435][ T350] f2fs_iget+0x55/0x4c70
[ 51.333515][ T350] f2fs_lookup+0x484/0xbe0
[ 51.337768][ T350] path_openat+0x1196/0x4180
[ 51.342203][ T350] do_filp_open+0x1ab/0x3f0
[ 51.346533][ T350] do_sys_openat2+0x135/0x8e0
[ 51.351137][ T350] __x64_sys_open+0x105/0x1c0
[ 51.356013][ T350] do_syscall_64+0x35/0xb0
[ 51.360266][ T350] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 51.365982][ T350]
[ 51.368240][ T350] Freed by task 13:
[ 51.371972][ T350] kasan_save_stack+0x26/0x50
[ 51.376483][ T350] kasan_set_track+0x25/0x30
[ 51.380914][ T350] kasan_set_free_info+0x24/0x40
[ 51.385770][ T350] __kasan_slab_free+0x111/0x150
[ 51.390545][ T350] slab_free_freelist_hook+0x94/0x1a0
[ 51.395846][ T350] kmem_cache_free+0x105/0x250
[ 51.400439][ T350] f2fs_free_inode+0x1d/0x30
[ 51.404965][ T350] i_callback+0x3a/0x60
[ 51.408950][ T350] rcu_do_batch+0x340/0xca0
[ 51.413378][ T350] rcu_core+0x56b/0xac0
[ 51.417456][ T350] rcu_core_si+0x9/0x10
[ 51.421533][ T350] __do_softirq+0x1c1/0x5c8
[ 51.425870][ T350]
[ 51.428042][ T350] Last potentially related work creation:
[ 51.433686][ T350] kasan_save_stack+0x26/0x50
[ 51.438541][ T350] __kasan_record_aux_stack+0xd8/0xf0
[ 51.443748][ T350] kasan_record_aux_stack_noalloc+0xb/0x10
[ 51.449393][ T350] call_rcu+0xe7/0x1420
[ 51.453486][ T350] destroy_inode+0x11f/0x190
[ 51.457896][ T350] evict+0x43c/0x610
[ 51.461628][ T350] dispose_list+0xf5/0x1a0
[ 51.465980][ T350] evict_inodes+0x2e6/0x3d0
[ 51.470422][ T350] generic_shutdown_super+0xa4/0x340
[ 51.475642][ T350] kill_block_super+0x9a/0xd0
[ 51.480143][ T350] kill_f2fs_super+0x24d/0x360
[ 51.485185][ T350] deactivate_locked_super+0x8b/0x130
[ 51.490663][ T350] deactivate_super+0x71/0x80
[ 51.495165][ T350] cleanup_mnt+0x2cf/0x400
[ 51.499418][ T350] __cleanup_mnt+0xd/0x10
[ 51.503757][ T350] task_work_run+0xc2/0x150
[ 51.508195][ T350] exit_to_user_mode_prepare+0x140/0x150
[ 51.513769][ T350] syscall_exit_to_user_mode+0x21/0x40
[ 51.519032][ T350] do_syscall_64+0x42/0xb0
[ 51.523386][ T350] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 51.529189][ T350]
[ 51.531359][ T350] The buggy address belongs to the object at ffff88810bb58000
[ 51.531359][ T350] which belongs to the cache f2fs_inode_cache of size 1424
[ 51.546294][ T350] The buggy address is located 136 bytes inside of
[ 51.546294][ T350] 1424-byte region [ffff88810bb58000, ffff88810bb58590)
[ 51.559675][ T350] The buggy address belongs to the page:
[ 51.565915][ T350] page:ffffea00042ed600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10bb58
[ 51.576243][ T350] head:ffffea00042ed600 order:3 compound_mapcount:0 compound_pincount:0
[ 51.584497][ T350] flags: 0x4000000000010200(slab|head|zone=1)
[ 51.590395][ T350] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888104de5380
[ 51.598826][ T350] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 51.607236][ T350] page dumped because: kasan: bad access detected
[ 51.613659][ T350] page_owner tracks the page as allocated
[ 51.622094][ T350] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 356, ts 50813033490, free_ts 0
[ 51.642671][ T350] prep_new_page+0x1a2/0x310
[ 51.647273][ T350] get_page_from_freelist+0x1ce2/0x30a0
[ 51.652653][ T350] __alloc_pages+0x2d1/0x2620
[ 51.657172][ T350] allocate_slab+0x39d/0x530
[ 51.661700][ T350] ___slab_alloc.constprop.0+0x3ca/0x890
[ 51.667146][ T350] __slab_alloc.constprop.0+0x42/0x80
[ 51.672464][ T350] kmem_cache_alloc+0x440/0x480
[ 51.677307][ T350] f2fs_alloc_inode+0x1d/0x370
[ 51.681914][ T350] alloc_inode+0x5c/0x1e0
[ 51.686072][ T350] iget_locked+0x138/0x5f0
[ 51.690362][ T350] f2fs_iget+0x55/0x4c70
[ 51.694401][ T350] f2fs_lookup+0x484/0xbe0
[ 51.698652][ T350] path_openat+0x1196/0x4180
[ 51.703251][ T350] do_filp_open+0x1ab/0x3f0
[ 51.707592][ T350] do_sys_openat2+0x135/0x8e0
[ 51.712106][ T350] __x64_sys_open+0x105/0x1c0
[ 51.716717][ T350] page_owner free stack trace missing
[ 51.721917][ T350]
[ 51.724080][ T350] Memory state around the buggy address:
[ 51.729560][ T350] ffff88810bb57f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.737538][ T350] ffff88810bb58000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.745435][ T350] >ffff88810bb58080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.753338][ T350] ^
[ 51.757514][ T350] ffff88810bb58100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.765509][ T350] ffff88810bb58180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.773385][ T350] ==================================================================
[ 51.781377][ T350] Disabling lock debugging due to kernel taint