Warning: Permanently added '10.128.10.30' (ED25519) to the list of known hosts.
2024/09/18 05:56:51 ignoring optional flag "sandboxArg"="0"
2024/09/18 05:56:51 parsed 1 programs
[   35.709199][   T29] kauditd_printk_skb: 20 callbacks suppressed
[   35.709207][   T29] audit: type=1400 audit(1726639011.753:96): avc:  denied  { mounton } for  pid=331 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   35.743075][   T29] audit: type=1400 audit(1726639011.753:97): avc:  denied  { read write } for  pid=331 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   35.770961][   T29] audit: type=1400 audit(1726639011.753:98): avc:  denied  { open } for  pid=331 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   35.800336][   T29] audit: type=1400 audit(1726639011.843:99): avc:  denied  { unlink } for  pid=331 comm="syz-executor" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   35.826612][   T29] audit: type=1400 audit(1726639011.843:100): avc:  denied  { relabelto } for  pid=332 comm="mkswap" name="swap-file" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2024/09/18 05:56:51 executed programs: 0
[   35.861939][  T331] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   35.909103][  T337] bridge0: port 1(bridge_slave_0) entered blocking state
[   35.916571][  T337] bridge0: port 1(bridge_slave_0) entered disabled state
[   35.924209][  T337] device bridge_slave_0 entered promiscuous mode
[   35.931182][  T337] bridge0: port 2(bridge_slave_1) entered blocking state
[   35.938798][  T337] bridge0: port 2(bridge_slave_1) entered disabled state
[   35.946991][  T337] device bridge_slave_1 entered promiscuous mode
[   35.992055][  T337] bridge0: port 2(bridge_slave_1) entered blocking state
[   35.999595][  T337] bridge0: port 2(bridge_slave_1) entered forwarding state
[   36.007207][  T337] bridge0: port 1(bridge_slave_0) entered blocking state
[   36.014289][  T337] bridge0: port 1(bridge_slave_0) entered forwarding state
[   36.032026][   T57] bridge0: port 1(bridge_slave_0) entered disabled state
[   36.039469][   T57] bridge0: port 2(bridge_slave_1) entered disabled state
[   36.047476][   T57] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   36.055740][   T57] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   36.071658][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   36.081184][   T37] bridge0: port 1(bridge_slave_0) entered blocking state
[   36.088332][   T37] bridge0: port 1(bridge_slave_0) entered forwarding state
[   36.095670][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   36.104306][   T37] bridge0: port 2(bridge_slave_1) entered blocking state
[   36.111357][   T37] bridge0: port 2(bridge_slave_1) entered forwarding state
[   36.119521][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   36.128246][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   36.139463][  T337] device veth0_vlan entered promiscuous mode
[   36.146856][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   36.155052][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   36.163438][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   36.171312][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   36.183279][   T38] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   36.192413][  T337] device veth1_macvtap entered promiscuous mode
[   36.201545][   T57] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   36.212911][   T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   36.472848][  T344] loop0: detected capacity change from 0 to 131072
[   36.511621][   T29] audit: type=1400 audit(1726639012.563:101): avc:  denied  { mounton } for  pid=342 comm="syz-executor.0" path="/root/syzkaller-testdir79910310/syzkaller.6l5Iem/0/file0" dev="sda1" ino=1939 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[   36.565182][  T344] F2FS-fs (loop0): Found nat_bits in checkpoint
[   36.594608][  T344] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5
[   36.603011][   T29] audit: type=1400 audit(1726639012.653:102): avc:  denied  { mount } for  pid=342 comm="syz-executor.0" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[   36.627178][   T29] audit: type=1400 audit(1726639012.653:103): avc:  denied  { read } for  pid=342 comm="syz-executor.0" name="file1" dev="loop0" ino=7 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[   36.650724][   T29] audit: type=1400 audit(1726639012.653:104): avc:  denied  { open } for  pid=342 comm="syz-executor.0" path="/root/syzkaller-testdir79910310/syzkaller.6l5Iem/0/file0/file1" dev="loop0" ino=7 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[   36.680639][   T29] audit: type=1400 audit(1726639012.653:105): avc:  denied  { ioctl } for  pid=342 comm="syz-executor.0" path="/root/syzkaller-testdir79910310/syzkaller.6l5Iem/0/file0/file1" dev="loop0" ino=7 ioctlcmd=0xf519 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[   36.760884][  T337] ==================================================================
[   36.769059][  T337] BUG: KASAN: use-after-free in igrab+0x7c/0x80
[   36.775459][  T337] Read of size 8 at addr ffff8881176673c8 by task syz-executor.0/337
[   36.784219][  T337]
[   36.786868][  T337] CPU: 1 PID: 337 Comm: syz-executor.0 Not tainted 5.15.161-syzkaller #0
[   36.795385][  T337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   36.805979][  T337] Call Trace:
[   36.809268][  T337]
[   36.812249][  T337]  dump_stack_lvl+0x38/0x49
[   36.816646][  T337]  print_address_description.constprop.0+0x24/0x160
[   36.823057][  T337]  ? igrab+0x7c/0x80
[   36.826958][  T337]  kasan_report.cold+0x82/0xdb
[   36.831678][  T337]  ? _raw_spin_lock_bh+0xd0/0x110
[   36.836546][  T337]  ? igrab+0x7c/0x80
[   36.840524][  T337]  __asan_report_load8_noabort+0x14/0x20
[   36.846398][  T337]  igrab+0x7c/0x80
[   36.849955][  T337]  f2fs_sync_inode_meta+0x16e/0x260
[   36.854994][  T337]  f2fs_write_checkpoint+0x693/0x6430
[   36.860375][  T337]  ? __switch_to+0x5cd/0xec0
[   36.864732][  T337]  ? __kasan_check_write+0x14/0x20
[   36.870145][  T337]  ? _raw_spin_lock_irqsave+0x8c/0x120
[   36.875443][  T337]  ? f2fs_get_sectors_written+0x370/0x370
[   36.880992][  T337]  ? __kasan_check_write+0x14/0x20
[   36.886035][  T337]  f2fs_issue_checkpoint+0x2a6/0x440
[   36.891337][  T337]  ? f2fs_destroy_checkpoint_caches+0x20/0x20
[   36.898011][  T337]  ? sync_inodes_sb+0x569/0x760
[   36.903248][  T337]  ? filemap_fdatawrite_wbc+0x1cf/0x2b0
[   36.909504][  T337]  ? try_to_writeback_inodes_sb+0xb0/0xb0
[   36.915791][  T337]  ? filemap_fdatawrite+0xd0/0xd0
[   36.920923][  T337]  f2fs_sync_fs+0x14c/0x240
[   36.925440][  T337]  sync_filesystem.part.0+0xfc/0x170
[   36.930901][  T337]  sync_filesystem+0x66/0x80
[   36.935926][  T337]  f2fs_quota_off_umount+0x52/0xd0
[   36.941817][  T337]  f2fs_put_super+0xb8/0xd50
[   36.946650][  T337]  ? __kasan_check_read+0x11/0x20
[   36.953514][  T337]  ? fsnotify_sb_delete+0x2aa/0x420
[   36.958532][  T337]  ? __fsnotify_vfsmount_delete+0x20/0x20
[   36.964578][  T337]  ? f2fs_quota_off_umount+0xd0/0xd0
[   36.970000][  T337]  ? dispose_list+0x1a0/0x1a0
[   36.975116][  T337]  ? sync_blockdev+0x5c/0x80
[   36.979627][  T337]  generic_shutdown_super+0x13d/0x340
[   36.985010][  T337]  kill_block_super+0x9a/0xd0
[   36.989748][  T337]  kill_f2fs_super+0x24d/0x360
[   36.994648][  T337]  ? trace_event_raw_event_f2fs_background_gc+0x310/0x310
[   37.001955][  T337]  ? unregister_shrinker+0x1bd/0x2e0
[   37.007095][  T337]  deactivate_locked_super+0x8b/0x130
[   37.012294][  T337]  deactivate_super+0x71/0x80
[   37.017064][  T337]  cleanup_mnt+0x2cf/0x400
[   37.021479][  T337]  __cleanup_mnt+0xd/0x10
[   37.025711][  T337]  task_work_run+0xc2/0x150
[   37.030756][  T337]  exit_to_user_mode_prepare+0x143/0x150
[   37.036579][  T337]  syscall_exit_to_user_mode+0x21/0x40
[   37.042140][  T337]  ? x64_sys_call+0x506/0x990
[   37.047088][  T337]  do_syscall_64+0x40/0xb0
[   37.051420][  T337]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   37.057255][  T337] RIP: 0033:0x7f4005d24197
[   37.061550][  T337] Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
[   37.082338][  T337] RSP: 002b:00007ffcaa693d28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   37.091142][  T337] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f4005d24197
[   37.099029][  T337] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffcaa693de0
[   37.107372][  T337] RBP: 00007ffcaa693de0 R08: 0000000000000000 R09: 0000000000000000
[   37.115994][  T337] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffcaa694ea0
[   37.124536][  T337] R13: 00007f4005d6e3b9 R14: 0000000000008d73 R15: 0000000000000003
[   37.132806][  T337]
[   37.135852][  T337]
[   37.138104][  T337] Allocated by task 344:
[   37.142440][  T337]  kasan_save_stack+0x26/0x50
[   37.147122][  T337]  __kasan_slab_alloc+0x94/0xc0
[   37.151994][  T337]  kmem_cache_alloc+0x197/0x480
[   37.156880][  T337]  f2fs_alloc_inode+0x1d/0x370
[   37.161627][  T337]  alloc_inode+0x5c/0x1e0
[   37.165793][  T337]  iget_locked+0x138/0x5f0
[   37.170042][  T337]  f2fs_iget+0x52/0x4df0
[   37.174384][  T337]  f2fs_lookup+0x484/0xbe0
[   37.178650][  T337]  path_openat+0x1196/0x4180
[   37.183151][  T337]  do_filp_open+0x1ab/0x3f0
[   37.187496][  T337]  do_sys_openat2+0x135/0x8e0
[   37.192097][  T337]  __x64_sys_openat+0x124/0x200
[   37.196959][  T337]  x64_sys_call+0x2eb/0x990
[   37.201707][  T337]  do_syscall_64+0x33/0xb0
[   37.205913][  T337]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   37.211772][  T337]
[   37.214122][  T337] Freed by task 337:
[   37.218740][  T337]  kasan_save_stack+0x26/0x50
[   37.223719][  T337]  kasan_set_track+0x25/0x30
[   37.228569][  T337]  kasan_set_free_info+0x24/0x40
[   37.233869][  T337]  __kasan_slab_free+0x111/0x150
[   37.238928][  T337]  slab_free_freelist_hook+0x94/0x1a0
[   37.244212][  T337]  kmem_cache_free+0x105/0x250
[   37.249428][  T337]  f2fs_free_inode+0x1d/0x30
[   37.254036][  T337]  i_callback+0x3a/0x60
[   37.258391][  T337]  rcu_do_batch+0x340/0xca0
[   37.263492][  T337]  rcu_core+0x56b/0xac0
[   37.267658][  T337]  rcu_core_si+0x9/0x10
[   37.271732][  T337]  handle_softirqs+0x1c5/0x510
[   37.276512][  T337]  irq_exit_rcu+0x66/0x110
[   37.280842][  T337]  sysvec_apic_timer_interrupt+0x9d/0xc0
[   37.287503][  T337]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
[   37.294016][  T337]
[   37.296183][  T337] Last potentially related work creation:
[   37.301918][  T337]  kasan_save_stack+0x26/0x50
[   37.306877][  T337]  __kasan_record_aux_stack+0xd8/0xf0
[   37.312757][  T337]  kasan_record_aux_stack_noalloc+0xb/0x10
[   37.318606][  T337]  __call_rcu_common.constprop.0+0xd7/0x11c0
[   37.325156][  T337]  call_rcu+0x9/0x10
[   37.329413][  T337]  destroy_inode+0x11f/0x190
[   37.333997][  T337]  evict+0x43c/0x610
[   37.337732][  T337]  dispose_list+0xf5/0x1a0
[   37.342245][  T337]  evict_inodes+0x2e6/0x3d0
[   37.346674][  T337]  generic_shutdown_super+0xa4/0x340
[   37.351786][  T337]  kill_block_super+0x9a/0xd0
[   37.356423][  T337]  kill_f2fs_super+0x24d/0x360
[   37.361267][  T337]  deactivate_locked_super+0x8b/0x130
[   37.366653][  T337]  deactivate_super+0x71/0x80
[   37.371329][  T337]  cleanup_mnt+0x2cf/0x400
[   37.375754][  T337]  __cleanup_mnt+0xd/0x10
[   37.380224][  T337]  task_work_run+0xc2/0x150
[   37.384777][  T337]  exit_to_user_mode_prepare+0x143/0x150
[   37.390656][  T337]  syscall_exit_to_user_mode+0x21/0x40
[   37.396274][  T337]  do_syscall_64+0x40/0xb0
[   37.400556][  T337]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   37.406322][  T337]
[   37.408436][  T337] The buggy address belongs to the object at ffff888117667330
[   37.408436][  T337]  which belongs to the cache f2fs_inode_cache of size 1424
[   37.423104][  T337] The buggy address is located 152 bytes inside of
[   37.423104][  T337]  1424-byte region [ffff888117667330, ffff8881176678c0)
[   37.436732][  T337] The buggy address belongs to the page:
[   37.442284][  T337] page:ffffea00045d9800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117660
[   37.452907][  T337] head:ffffea00045d9800 order:3 compound_mapcount:0 compound_pincount:0
[   37.461134][  T337] flags: 0x4000000000010200(slab|head|zone=1)
[   37.467124][  T337] raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881083bad80
[   37.475764][  T337] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[   37.484427][  T337] page dumped because: kasan: bad access detected
[   37.490687][  T337] page_owner tracks the page as allocated
[   37.496244][  T337] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 344, ts 36623616843, free_ts 0
[   37.517534][  T337]  prep_new_page+0x1a2/0x310
[   37.521947][  T337]  get_page_from_freelist+0x1ce2/0x30a0
[   37.527946][  T337]  __alloc_pages+0x2d5/0x2620
[   37.532707][  T337]  allocate_slab+0x39d/0x530
[   37.537202][  T337]  ___slab_alloc.constprop.0+0x3ca/0x890
[   37.542947][  T337]  __slab_alloc.constprop.0+0x42/0x80
[   37.548158][  T337]  kmem_cache_alloc+0x440/0x480
[   37.552967][  T337]  f2fs_alloc_inode+0x1d/0x370
[   37.557552][  T337]  alloc_inode+0x5c/0x1e0
[   37.562157][  T337]  iget_locked+0x138/0x5f0
[   37.566625][  T337]  f2fs_iget+0x52/0x4df0
[   37.571075][  T337]  f2fs_lookup+0x484/0xbe0
[   37.575616][  T337]  path_openat+0x1196/0x4180
[   37.580385][  T337]  do_filp_open+0x1ab/0x3f0
[   37.585813][  T337]  do_sys_openat2+0x135/0x8e0
[   37.591746][  T337]  __x64_sys_openat+0x124/0x200
[   37.596815][  T337] page_owner free stack trace missing
[   37.602382][  T337]
[   37.604893][  T337] Memory state around the buggy address:
[   37.611242][  T337]  ffff888117667280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.619732][  T337]  ffff888117667300: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[   37.627892][  T337] >ffff888117667380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.636655][  T337]                                               ^
[   37.643221][  T337]  ffff888117667400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.651688][  T337]  ffff888117667480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.660297][  T337] ==================================================================
[   37.668283][  T337] Disabling lock debugging due to kernel taint