Warning: Permanently added '10.128.1.14' (ED25519) to the list of known hosts.
2023/10/12 20:21:15 ignoring optional flag "sandboxArg"="0"
2023/10/12 20:21:16 parsed 1 programs
2023/10/12 20:21:16 executed programs: 0
[ 40.662951][ T27] audit: type=1400 audit(1697142076.012:152): avc: denied { mounton } for pid=338 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 40.688214][ T27] audit: type=1400 audit(1697142076.012:153): avc: denied { mount } for pid=338 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 40.725836][ T342] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.732871][ T342] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.739984][ T342] device bridge_slave_0 entered promiscuous mode
[ 40.746603][ T342] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.753544][ T342] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.761552][ T342] device bridge_slave_1 entered promiscuous mode
[ 40.791571][ T27] audit: type=1400 audit(1697142076.142:154): avc: denied { write } for pid=342 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 40.795454][ T342] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.812787][ T27] audit: type=1400 audit(1697142076.142:155): avc: denied { read } for pid=342 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 40.819605][ T342] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.847246][ T342] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.854087][ T342] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.870263][ T299] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.877311][ T299] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.884523][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.892687][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.901289][ T295] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.909346][ T295] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.916254][ T295] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.930837][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.938953][ T299] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.945743][ T299] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.953462][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.962545][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.971076][ T295] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.981451][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.989142][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.996522][ T35] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 41.004197][ T342] device veth0_vlan entered promiscuous mode
[ 41.013517][ T342] device veth1_macvtap entered promiscuous mode
[ 41.020389][ T301] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 41.030504][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 41.038835][ T299] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 41.051646][ T27] audit: type=1400 audit(1697142076.402:156): avc: denied { mounton } for pid=342 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=207 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 41.288024][ T349] loop0: detected capacity change from 0 to 131072
[ 41.294881][ T27] audit: type=1400 audit(1697142076.642:157): avc: denied { mounton } for pid=348 comm="syz-executor.0" path="/root/syzkaller-testdir3328534463/syzkaller.MMstp3/0/file0" dev="sda1" ino=1937 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 41.301280][ T349] F2FS-fs (loop0): invalid crc value
[ 41.327921][ T349] F2FS-fs (loop0): Found nat_bits in checkpoint
[ 41.345878][ T349] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4
[ 41.354177][ T27] audit: type=1400 audit(1697142076.712:158): avc: denied { mount } for pid=348 comm="syz-executor.0" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 41.376454][ T27] audit: type=1400 audit(1697142076.712:159): avc: denied { read } for pid=348 comm="syz-executor.0" name="file2" dev="loop0" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 41.398977][ T27] audit: type=1400 audit(1697142076.712:160): avc: denied { open } for pid=348 comm="syz-executor.0" path="/root/syzkaller-testdir3328534463/syzkaller.MMstp3/0/file0/file2" dev="loop0" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 41.427054][ T27] audit: type=1400 audit(1697142076.712:161): avc: denied { ioctl } for pid=348 comm="syz-executor.0" path="/root/syzkaller-testdir3328534463/syzkaller.MMstp3/0/file0/file2" dev="loop0" ino=8 ioctlcmd=0xf519 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 41.490189][ T342] ==================================================================
[ 41.498758][ T342] BUG: KASAN: use-after-free in _raw_spin_lock+0x97/0x1b0
[ 41.505728][ T342] Write of size 4 at addr ffff88810ae04078 by task syz-executor.0/342
[ 41.513737][ T342]
[ 41.515883][ T342] CPU: 0 PID: 342 Comm: syz-executor.0 Not tainted 6.1.25-syzkaller #0
[ 41.524019][ T342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 41.534271][ T342] Call Trace:
[ 41.537929][ T342]
[ 41.540888][ T342] dump_stack_lvl+0x105/0x148
[ 41.545404][ T342] ? panic+0x3b4/0x3b4
[ 41.549393][ T342] ? nf_tcp_handle_invalid+0x30b/0x30b
[ 41.554689][ T342] ? _printk+0xca/0x10a
[ 41.558684][ T342] print_report+0x158/0x4e0
[ 41.563020][ T342] ? kasan_complete_mode_report_info+0x90/0x1b0
[ 41.569097][ T342] ? _raw_spin_lock+0x97/0x1b0
[ 41.573785][ T342] kasan_report+0x13c/0x170
[ 41.578121][ T342] ? _raw_spin_lock+0x97/0x1b0
[ 41.582722][ T342] kasan_check_range+0x294/0x2a0
[ 41.587582][ T342] __kasan_check_write+0x14/0x20
[ 41.592356][ T342] _raw_spin_lock+0x97/0x1b0
[ 41.596868][ T342] ? _raw_spin_trylock_bh+0x190/0x190
[ 41.603553][ T342] ? _raw_spin_lock+0xa4/0x1b0
[ 41.608152][ T342] ? _raw_spin_trylock_bh+0x190/0x190
[ 41.613361][ T342] igrab+0x1b/0x80
[ 41.616920][ T342] f2fs_write_checkpoint+0xb9f/0x2050
[ 41.622124][ T342] ? f2fs_get_sectors_written+0x430/0x430
[ 41.627770][ T342] ? __kasan_check_write+0x14/0x20
[ 41.632798][ T342] ? mutex_unlock+0xb2/0x260
[ 41.637400][ T342] ? __kasan_check_write+0x14/0x20
[ 41.642358][ T342] f2fs_issue_checkpoint+0x2fb/0x460
[ 41.647475][ T342] ? f2fs_destroy_checkpoint_caches+0x20/0x20
[ 41.653641][ T342] ? sync_inodes_sb+0x711/0x7d0
[ 41.658415][ T342] ? try_to_writeback_inodes_sb+0x370/0x370
[ 41.664188][ T342] f2fs_sync_fs+0x109/0x200
[ 41.668476][ T342] sync_filesystem+0x16d/0x1b0
[ 41.673072][ T342] f2fs_quota_off_umount+0x1ba/0x1d0
[ 41.678377][ T342] f2fs_put_super+0xb8/0xc20
[ 41.682905][ T342] ? __kasan_check_read+0x11/0x20
[ 41.687830][ T342] ? fsnotify_sb_delete+0x302/0x410
[ 41.692861][ T342] ? f2fs_drop_inode+0x7f0/0x7f0
[ 41.697634][ T342] ? __fsnotify_vfsmount_delete+0x20/0x20
[ 41.704924][ T342] ? clear_inode+0x100/0x100
[ 41.709347][ T342] ? sync_blockdev+0x64/0x70
[ 41.713872][ T342] generic_shutdown_super+0x113/0x2d0
[ 41.719084][ T342] kill_block_super+0x79/0xb0
[ 41.723583][ T342] kill_f2fs_super+0x252/0x320
[ 41.728184][ T342] ? f2fs_mount+0x20/0x20
[ 41.732434][ T342] ? up_write+0x79/0x1f0
[ 41.736517][ T342] ? unregister_shrinker+0x1f7/0x290
[ 41.741723][ T342] deactivate_locked_super+0x7d/0xe0
[ 41.746931][ T342] deactivate_super+0x5d/0x80
[ 41.751441][ T342] cleanup_mnt+0x31e/0x390
[ 41.755783][ T342] ? path_umount+0x1c5/0xc00
[ 41.760215][ T342] __cleanup_mnt+0xd/0x10
[ 41.764375][ T342] task_work_run+0x208/0x260
[ 41.768804][ T342] ? task_work_cancel+0x2a0/0x2a0
[ 41.773840][ T342] ? __x64_sys_umount+0xe4/0x120
[ 41.778658][ T342] exit_to_user_mode_loop+0x8b/0xa0
[ 41.783654][ T342] exit_to_user_mode_prepare+0x5a/0xa0
[ 41.788948][ T342] syscall_exit_to_user_mode+0x26/0x130
[ 41.794507][ T342] do_syscall_64+0x49/0xb0
[ 41.798757][ T342] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 41.804488][ T342] RIP: 0033:0x7f1bb887dc87
[ 41.808750][ T342] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[ 41.828266][ T342] RSP: 002b:00007ffdcc390bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 41.836509][ T342] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1bb887dc87
[ 41.844421][ T342] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffdcc390c90
[ 41.852573][ T342] RBP: 00007ffdcc390c90 R08: 0000000000000000 R09: 0000000000000000
[ 41.860376][ T342] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffdcc391d50
[ 41.868361][ T342] R13: 00007f1bb88d7c5a R14: 000000000000a065 R15: 0000000000000003
[ 41.876958][ T342]
[ 41.880600][ T342]
[ 41.882777][ T342] Allocated by task 349:
[ 41.886850][ T342] kasan_set_track+0x4b/0x70
[ 41.891276][ T342] kasan_save_alloc_info+0x1f/0x30
[ 41.896227][ T342] __kasan_slab_alloc+0x6c/0x80
[ 41.900920][ T342] slab_post_alloc_hook+0x59/0x270
[ 41.905945][ T342] kmem_cache_alloc_lru+0x102/0x220
[ 41.911063][ T342] f2fs_alloc_inode+0x28/0x340
[ 41.915668][ T342] iget_locked+0x16d/0x750
[ 41.920004][ T342] f2fs_iget+0x50/0x4250
[ 41.924084][ T342] f2fs_lookup+0x28f/0xa10
[ 41.928351][ T342] path_openat+0xe15/0x2440
[ 41.932851][ T342] do_filp_open+0x226/0x430
[ 41.937188][ T342] do_sys_openat2+0x103/0x6c0
[ 41.941801][ T342] __x64_sys_open+0x1eb/0x240
[ 41.946389][ T342] do_syscall_64+0x3d/0xb0
[ 41.950644][ T342] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 41.956552][ T342]
[ 41.958833][ T342] Freed by task 13:
[ 41.962477][ T342] kasan_set_track+0x4b/0x70
[ 41.966909][ T342] kasan_save_free_info+0x2b/0x40
[ 41.971764][ T342] ____kasan_slab_free+0x131/0x180
[ 41.976797][ T342] __kasan_slab_free+0x11/0x20
[ 41.981398][ T342] kmem_cache_free+0x264/0x450
[ 41.986004][ T342] f2fs_free_inode+0x1c/0x20
[ 41.990622][ T342] i_callback+0x41/0x60
[ 41.994687][ T342] rcu_do_batch+0x505/0xb20
[ 41.999028][ T342] rcu_core+0x4ae/0xe50
[ 42.003119][ T342] rcu_core_si+0x9/0x10
[ 42.007277][ T342] __do_softirq+0x1d2/0x5f2
[ 42.011619][ T342]
[ 42.013784][ T342] Last potentially related work creation:
[ 42.019356][ T342] kasan_save_stack+0x3b/0x60
[ 42.023875][ T342] __kasan_record_aux_stack+0xb4/0xc0
[ 42.029189][ T342] kasan_record_aux_stack_noalloc+0xb/0x10
[ 42.035005][ T342] call_rcu+0xd4/0x1010
[ 42.039076][ T342] evict+0x5e0/0x620
[ 42.042919][ T342] evict_inodes+0x522/0x590
[ 42.047233][ T342] generic_shutdown_super+0x92/0x2d0
[ 42.052399][ T342] kill_block_super+0x79/0xb0
[ 42.057060][ T342] kill_f2fs_super+0x252/0x320
[ 42.061727][ T342] deactivate_locked_super+0x7d/0xe0
[ 42.066946][ T342] deactivate_super+0x5d/0x80
[ 42.071462][ T342] cleanup_mnt+0x31e/0x390
[ 42.075698][ T342] __cleanup_mnt+0xd/0x10
[ 42.081774][ T342] task_work_run+0x208/0x260
[ 42.086462][ T342] exit_to_user_mode_loop+0x8b/0xa0
[ 42.091494][ T342] exit_to_user_mode_prepare+0x5a/0xa0
[ 42.096825][ T342] syscall_exit_to_user_mode+0x26/0x130
[ 42.102264][ T342] do_syscall_64+0x49/0xb0
[ 42.106516][ T342] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 42.112239][ T342]
[ 42.114496][ T342] The buggy address belongs to the object at ffff88810ae03ff0
[ 42.114496][ T342] which belongs to the cache f2fs_inode_cache of size 1360
[ 42.129184][ T342] The buggy address is located 136 bytes inside of
[ 42.129184][ T342] 1360-byte region [ffff88810ae03ff0, ffff88810ae04540)
[ 42.142750][ T342]
[ 42.145247][ T342] The buggy address belongs to the physical page:
[ 42.152101][ T342] page:ffffea00042b8000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ae00
[ 42.162278][ T342] head:ffffea00042b8000 order:3 compound_mapcount:0 compound_pincount:0
[ 42.170732][ T342] flags: 0x4000000000010200(slab|head|zone=1)
[ 42.176672][ T342] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100280900
[ 42.185160][ T342] raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
[ 42.193550][ T342] page dumped because: kasan: bad access detected
[ 42.199886][ T342] page_owner tracks the page as allocated
[ 42.205438][ T342] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 349, tgid 348 (syz-executor.0), ts 41301174342, free_ts 0
[ 42.228698][ T342] prep_new_page+0x512/0x5e0
[ 42.233119][ T342] get_page_from_freelist+0x273d/0x27d0
[ 42.238500][ T342] __alloc_pages+0x39f/0x780
[ 42.242938][ T342] new_slab+0xcb/0x440
[ 42.246834][ T342] ___slab_alloc+0x611/0x9a0
[ 42.251270][ T342] __slab_alloc+0x52/0x90
[ 42.255448][ T342] kmem_cache_alloc_lru+0x144/0x220
[ 42.260563][ T342] f2fs_alloc_inode+0x28/0x340
[ 42.265422][ T342] iget_locked+0x16d/0x750
[ 42.269665][ T342] f2fs_iget+0x50/0x4250
[ 42.274183][ T342] f2fs_fill_super+0x4141/0x6b90
[ 42.278946][ T342] mount_bdev+0x265/0x340
[ 42.283378][ T342] f2fs_mount+0x10/0x20
[ 42.287384][ T342] legacy_get_tree+0xeb/0x180
[ 42.292317][ T342] vfs_get_tree+0x7c/0x170
[ 42.296580][ T342] do_new_mount+0x1e1/0x8f0
[ 42.300916][ T342] page_owner free stack trace missing
[ 42.306132][ T342]
[ 42.308287][ T342] Memory state around the buggy address:
[ 42.314114][ T342] ffff88810ae03f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.322459][ T342] ffff88810ae03f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa fb
[ 42.330373][ T342] >ffff88810ae04000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.338529][ T342] ^
[ 42.346650][ T342] ffff88810ae04080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.354496][ T342] ffff88810ae04100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.362499][ T342] ==================================================================
[ 42.370742][ T342] Disabling lock debugging due to kernel taint