Warning: Permanently added '10.128.0.99' (ED25519) to the list of known hosts.
2023/10/05 21:03:26 ignoring optional flag "sandboxArg"="0"
2023/10/05 21:03:26 parsed 1 programs
[ 42.904684][ T23] kauditd_printk_skb: 72 callbacks suppressed
[ 42.904691][ T23] audit: type=1400 audit(1696539806.279:148): avc: denied { mounton } for pid=405 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 42.935446][ T23] audit: type=1400 audit(1696539806.289:149): avc: denied { mount } for pid=405 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 42.959566][ T23] audit: type=1400 audit(1696539806.309:150): avc: denied { unlink } for pid=405 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2023/10/05 21:03:26 executed programs: 0
[ 43.023518][ T405] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[ 43.077069][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.084130][ T410] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.091404][ T410] device bridge_slave_0 entered promiscuous mode
[ 43.097969][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.104921][ T410] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.112083][ T410] device bridge_slave_1 entered promiscuous mode
[ 43.146570][ T23] audit: type=1400 audit(1696539806.519:151): avc: denied { create } for pid=410 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 43.165857][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.166995][ T23] audit: type=1400 audit(1696539806.539:152): avc: denied { write } for pid=410 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 43.173992][ T410] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.174087][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.194791][ T23] audit: type=1400 audit(1696539806.539:153): avc: denied { read } for pid=410 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 43.201425][ T410] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.235984][ T13] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.243347][ T13] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.251115][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 43.258305][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.281080][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 43.289464][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.297439][ T13] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.305006][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.312596][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.320710][ T13] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.327704][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.335045][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.342906][ T13] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.352505][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 43.369564][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 43.378026][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 43.387035][ T364] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 43.402125][ T23] audit: type=1400 audit(1696539806.779:154): avc: denied { mounton } for pid=410 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=778 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 43.433516][ T416] kernel profiling enabled (shift: 0)
[ 47.139328][ C1] ==================================================================
[ 47.147214][ C1] BUG: KASAN: stack-out-of-bounds in profile_pc+0xa4/0xe0
[ 47.154243][ C1] Read of size 8 at addr ffff8881e1b6f960 by task syz-executor.0/1368
[ 47.162410][ C1]
[ 47.164564][ C1] CPU: 1 PID: 1368 Comm: syz-executor.0 Not tainted 5.4.254-syzkaller-04732-g5f1cbd78af59 #0
[ 47.174686][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[ 47.184558][ C1] Call Trace:
[ 47.187682][ C1]
[ 47.190385][ C1] dump_stack+0x1d8/0x241
[ 47.194744][ C1] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 47.200703][ C1] ? printk+0xd1/0x111
[ 47.204617][ C1] ? profile_pc+0xa4/0xe0
[ 47.208811][ C1] ? wake_up_klogd+0xb2/0xf0
[ 47.213211][ C1] ? profile_pc+0xa4/0xe0
[ 47.217374][ C1] print_address_description+0x8c/0x600
[ 47.222750][ C1] ? panic+0x896/0x896
[ 47.226743][ C1] ? profile_pc+0xa4/0xe0
[ 47.231194][ C1] __kasan_report+0xf3/0x120
[ 47.235619][ C1] ? profile_pc+0xa4/0xe0
[ 47.239885][ C1] ? _raw_spin_lock+0xc0/0x1b0
[ 47.244830][ C1] kasan_report+0x30/0x60
[ 47.248997][ C1] profile_pc+0xa4/0xe0
[ 47.252984][ C1] profile_tick+0xb9/0x100
[ 47.257266][ C1] tick_sched_timer+0x237/0x3c0
[ 47.262013][ C1] ? tick_setup_sched_timer+0x460/0x460
[ 47.267570][ C1] __hrtimer_run_queues+0x3e9/0xb90
[ 47.272614][ C1] ? hrtimer_interrupt+0x890/0x890
[ 47.277541][ C1] ? debug_smp_processor_id+0x20/0x20
[ 47.282747][ C1] ? ktime_get+0xf9/0x130
[ 47.286912][ C1] ? ktime_get_update_offsets_now+0x26c/0x280
[ 47.292847][ C1] hrtimer_interrupt+0x38a/0x890
[ 47.297771][ C1] smp_apic_timer_interrupt+0x110/0x460
[ 47.303144][ C1] apic_timer_interrupt+0xf/0x20
[ 47.307923][ C1]
[ 47.310714][ C1] ? _raw_spin_lock+0xc0/0x1b0
[ 47.315298][ C1] ? _raw_spin_trylock_bh+0x190/0x190
[ 47.320644][ C1] ? selinux_capable+0x1d9/0x430
[ 47.325412][ C1] ? selinux_capable+0x29b/0x430
[ 47.330280][ C1] ? tun_do_read+0x1e1/0x1ec0
[ 47.334795][ C1] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 47.340700][ C1] ? tun_chr_show_fdinfo+0x2c0/0x2c0
[ 47.345819][ C1] ? stack_trace_snprint+0x170/0x170
[ 47.351109][ C1] ? do_task_dead+0x90/0x90
[ 47.355461][ C1] ? __kasan_slab_free+0x233/0x270
[ 47.360569][ C1] ? __kasan_slab_free+0x1b5/0x270
[ 47.365573][ C1] ? kmem_cache_free+0x10b/0x2c0
[ 47.370306][ C1] ? task_work_run+0x140/0x170
[ 47.375066][ C1] ? exit_to_usermode_loop+0x190/0x1a0
[ 47.380360][ C1] ? prepare_exit_to_usermode+0x199/0x200
[ 47.386014][ C1] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 47.391967][ C1] ? tun_chr_read_iter+0x1d0/0x2d0
[ 47.396862][ C1] ? __vfs_read+0x5cd/0x730
[ 47.401233][ C1] ? rw_verify_area+0x360/0x360
[ 47.405902][ C1] ? __fsnotify_update_child_dentry_flags+0x290/0x290
[ 47.412496][ C1] ? security_file_permission+0x1dc/0x2f0
[ 47.418149][ C1] ? vfs_read+0x148/0x360
[ 47.422318][ C1] ? ksys_read+0x199/0x2c0
[ 47.426575][ C1] ? debug_smp_processor_id+0x20/0x20
[ 47.431895][ C1] ? vfs_write+0x4e0/0x4e0
[ 47.436136][ C1] ? do_syscall_64+0xca/0x1c0
[ 47.440735][ C1] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 47.446629][ C1]
[ 47.448797][ C1] The buggy address belongs to the page:
[ 47.454274][ C1] page:ffffea000786dbc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 47.463217][ C1] flags: 0x8000000000000000()
[ 47.467819][ C1] raw: 8000000000000000 0000000000000000 ffffea000786dbc8 0000000000000000
[ 47.476240][ C1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 47.484746][ C1] page dumped because: kasan: bad access detected
[ 47.491023][ C1] page_owner tracks the page as allocated
[ 47.496721][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
[ 47.508372][ C1] prep_new_page+0x18f/0x370
[ 47.512778][ C1] get_page_from_freelist+0x2d13/0x2d90
[ 47.518249][ C1] __alloc_pages_nodemask+0x393/0x840
[ 47.523548][ C1] dup_task_struct+0x85/0x600
[ 47.528165][ C1] copy_process+0x56d/0x3230
[ 47.532573][ C1] _do_fork+0x197/0x900
[ 47.536772][ C1] __x64_sys_clone+0x26b/0x2c0
[ 47.541426][ C1] do_syscall_64+0xca/0x1c0
[ 47.545858][ C1] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 47.551691][ C1] page last free stack trace:
[ 47.556216][ C1] __free_pages_ok+0x847/0x950
[ 47.560816][ C1] __free_pages+0x91/0x140
[ 47.565158][ C1] __free_slab+0x221/0x2e0
[ 47.569406][ C1] unfreeze_partials+0x14e/0x180
[ 47.574262][ C1] put_cpu_partial+0x44/0x180
[ 47.578783][ C1] __slab_free+0x297/0x360
[ 47.583042][ C1] qlist_free_all+0x43/0xb0
[ 47.587364][ C1] quarantine_reduce+0x1d9/0x210
[ 47.592143][ C1] __kasan_kmalloc+0x41/0x210
[ 47.596652][ C1] kmem_cache_alloc_trace+0xdc/0x260
[ 47.601782][ C1] __get_vm_area_node+0x183/0x310
[ 47.606630][ C1] __vmalloc_node_range+0xee/0x710
[ 47.611580][ C1] vzalloc+0x70/0x80
[ 47.615310][ C1] alloc_counters+0x66/0x550
[ 47.619744][ C1] do_ipt_get_ctl+0x5b8/0xb60
[ 47.624258][ C1] nf_getsockopt+0x28c/0x2b0
[ 47.628674][ C1]
[ 47.630856][ C1] addr ffff8881e1b6f960 is located in stack of task syz-executor.0/1368 at offset 0 in frame:
[ 47.641186][ C1] _raw_spin_lock+0x0/0x1b0
[ 47.645552][ C1]
[ 47.647692][ C1] this frame has 1 object:
[ 47.652077][ C1] [32, 36) 'val.i.i.i'
[ 47.652079][ C1]
[ 47.658306][ C1] Memory state around the buggy address:
[ 47.663779][ C1] ffff8881e1b6f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.671680][ C1] ffff8881e1b6f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.679577][ C1] >ffff8881e1b6f900: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 47.687501][ C1]                                                        ^
[ 47.694494][ C1] ffff8881e1b6f980: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.702501][ C1] ffff8881e1b6fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.710374][ C1] ==================================================================
[ 47.718448][ C1] Disabling lock debugging due to kernel taint
2023/10/05 21:03:31 executed programs: 510
2023/10/05 21:03:36 executed programs: 1233