Warning: Permanently added '10.128.1.45' (ED25519) to the list of known hosts.
2025/06/06 12:30:01 ignoring optional flag "sandboxArg"="0"
2025/06/06 12:30:02 parsed 1 programs
[ 54.909721][ T27] kauditd_printk_skb: 30 callbacks suppressed
[ 54.909729][ T27] audit: type=1400 audit(1749213002.792:90): avc: denied { unlink } for pid=415 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 54.954529][ T415] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 55.517937][ T27] audit: type=1401 audit(1749213003.392:91): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
[ 55.618954][ T431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.625904][ T431] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.633217][ T431] device bridge_slave_0 entered promiscuous mode
[ 55.639810][ T431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.646630][ T431] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.653890][ T431] device bridge_slave_1 entered promiscuous mode
[ 55.696013][ T431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.703524][ T431] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.710657][ T431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.717505][ T431] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.735318][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.742714][ T41] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.749974][ T41] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.759699][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.767637][ T41] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.774479][ T41] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.783180][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.791716][ T41] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.798542][ T41] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.810159][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.818992][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.831933][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 55.843199][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 55.850900][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 55.858060][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 55.866144][ T431] device veth0_vlan entered promiscuous mode
[ 55.875708][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 55.885396][ T431] device veth1_macvtap entered promiscuous mode
[ 55.894298][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 55.903774][ T41] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2025/06/06 12:30:04 executed programs: 0
[ 56.292431][ T465] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.299524][ T465] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.306697][ T465] device bridge_slave_0 entered promiscuous mode
[ 56.313491][ T465] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.320554][ T465] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.327573][ T465] device bridge_slave_1 entered promiscuous mode
[ 56.368018][ T465] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.374881][ T465] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.381974][ T465] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.388873][ T465] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.407143][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.414742][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.421972][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.437102][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 56.445218][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.452065][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.460284][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 56.468420][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.475353][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.486764][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 56.501177][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 56.514431][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 56.525098][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 56.532983][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 56.540454][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 56.552846][ T465] device veth0_vlan entered promiscuous mode
[ 56.562269][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 56.571723][ T465] device veth1_macvtap entered promiscuous mode
[ 56.580916][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 56.588930][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 56.602955][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 56.611792][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 56.880121][ T329] device bridge_slave_1 left promiscuous mode
[ 56.886159][ T329] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.893778][ T329] device bridge_slave_0 left promiscuous mode
[ 56.899795][ T329] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.907042][ T470] loop2: detected capacity change from 0 to 131072
[ 56.914070][ T329] device veth1_macvtap left promiscuous mode
[ 56.916185][ T470] F2FS-fs (loop2): Wrong CP boundary, start(512) end(198144) blocks(1024)
[ 56.920256][ T329] device veth0_vlan left promiscuous mode
[ 56.928548][ T470] F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock
[ 56.949108][ T470] F2FS-fs (loop2): invalid crc value
[ 56.955711][ T470] F2FS-fs (loop2): Found nat_bits in checkpoint
[ 56.989610][ T470] F2FS-fs (loop2): Try to recover 2th superblock, ret: 0
[ 56.996503][ T470] F2FS-fs (loop2): Mounted with checkpoint version = 48b305e4
[ 57.004551][ T27] audit: type=1400 audit(1749213004.882:92): avc: denied { mount } for pid=469 comm="syz.2.16" name="/" dev="loop2" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 57.026119][ T27] audit: type=1400 audit(1749213004.902:93): avc: denied { write } for pid=469 comm="syz.2.16" name="/" dev="loop2" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 57.028065][ T465] F2FS-fs (loop2): dec_valid_node_count: inconsistent i_blocks, ino:7, iblocks:0
[ 57.047407][ T27] audit: type=1400 audit(1749213004.902:94): avc: denied { remove_name } for pid=469 comm="syz.2.16" name="file0" dev="loop2" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 57.078400][ T27] audit: type=1400 audit(1749213004.902:95): avc: denied { rename } for pid=469 comm="syz.2.16" name="file0" dev="loop2" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 57.100188][ T27] audit: type=1400 audit(1749213004.902:96): avc: denied { add_name } for pid=469 comm="syz.2.16" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 57.121217][ T27] audit: type=1400 audit(1749213004.902:97): avc: denied { unlink } for pid=465 comm="syz-executor" name="file1" dev="loop2" ino=7 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 57.145074][ T476] ==================================================================
[ 57.152952][ T476] BUG: KASAN: use-after-free in _raw_spin_lock+0x81/0x110
[ 57.159912][ T476] Write of size 4 at addr ffff8881226b4648 by task syz.2.16/476
[ 57.167475][ T476]
[ 57.169633][ T476] CPU: 0 PID: 476 Comm: syz.2.16 Not tainted 6.1.138-syzkaller #0
[ 57.177380][ T476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 57.187265][ T476] Call Trace:
[ 57.190380][ T476]
[ 57.193160][ T476] __dump_stack+0x19/0x1c
[ 57.197357][ T476] dump_stack_lvl+0xa3/0xec
[ 57.201765][ T476] ? __cfi_dump_stack_lvl+0x8/0x8
[ 57.206636][ T476] ? writeback_single_inode+0x547/0x6c0
[ 57.212020][ T476] print_address_description+0x71/0x210
[ 57.217388][ T476] print_report+0x4a/0x60
[ 57.221556][ T476] kasan_report+0x122/0x150
[ 57.225892][ T476] ? _raw_spin_lock+0x81/0x110
[ 57.230504][ T476] kasan_check_range+0x280/0x290
[ 57.235364][ T476] __kasan_check_write+0x14/0x20
[ 57.240141][ T476] _raw_spin_lock+0x81/0x110
[ 57.244682][ T476] ? __cfi__raw_spin_lock+0x10/0x10
[ 57.249892][ T476] ? _raw_spin_lock+0x8e/0x110
[ 57.254577][ T476] ? __cfi__raw_spin_lock+0x10/0x10
[ 57.259631][ T476] igrab+0x1b/0x80
[ 57.263175][ T476] f2fs_write_checkpoint+0xbcb/0x20e0
[ 57.268390][ T476] ? __cfi_f2fs_write_checkpoint+0x10/0x10
[ 57.274018][ T476] ? __kasan_check_write+0x14/0x20
[ 57.278963][ T476] ? kthread_stop+0xd2/0x270
[ 57.283415][ T476] ? memcpy+0x56/0x70
[ 57.287300][ T476] kill_f2fs_super+0x1d7/0x310
[ 57.291902][ T476] ? __cfi_kill_f2fs_super+0x10/0x10
[ 57.297022][ T476] ? up_write+0x7b/0x290
[ 57.301103][ T476] ? unregister_shrinker+0x1b6/0x240
[ 57.306224][ T476] deactivate_locked_super+0x92/0xf0
[ 57.311400][ T476] deactivate_super+0x5f/0x80
[ 57.315855][ T476] cleanup_mnt+0x159/0x340
[ 57.320311][ T476] ? __kasan_slab_free+0x11/0x20
[ 57.325086][ T476] ? slab_free_freelist_hook+0xc2/0x190
[ 57.330469][ T476] __cleanup_mnt+0xd/0x10
[ 57.334626][ T476] task_work_run+0x153/0x1e0
[ 57.339055][ T476] ? __cfi_task_work_run+0x10/0x10
[ 57.344010][ T476] do_exit+0x81e/0x1fe0
[ 57.347995][ T476] ? _raw_spin_unlock+0x4c/0x70
[ 57.352779][ T476] ? __schedule+0xb5b/0x1530
[ 57.357288][ T476] ? __cfi_do_exit+0x10/0x10
[ 57.361751][ T476] ? __kasan_check_write+0x14/0x20
[ 57.366666][ T476] ? _raw_spin_lock_irq+0x8f/0x120
[ 57.371713][ T476] do_group_exit+0x1a1/0x280
[ 57.376140][ T476] ? __kasan_check_write+0x14/0x20
[ 57.381088][ T476] ? recalc_sigpending+0x110/0x150
[ 57.386033][ T476] get_signal+0xeb4/0xfc0
[ 57.390202][ T476] arch_do_signal_or_restart+0xb0/0x1030
[ 57.395666][ T476] ? hrtimer_nanosleep+0x10a/0x2a0
[ 57.400885][ T476] ? __cfi_hrtimer_nanosleep+0x10/0x10
[ 57.406439][ T476] ? __cfi_hrtimer_wakeup+0x10/0x10
[ 57.411477][ T476] ? _copy_from_user+0x54/0x80
[ 57.416072][ T476] ? __cfi_arch_do_signal_or_restart+0x10/0x10
[ 57.422064][ T476] ? __x64_sys_clock_nanosleep+0xb0/0xb0
[ 57.427615][ T476] exit_to_user_mode_loop+0x7a/0xb0
[ 57.432761][ T476] exit_to_user_mode_prepare+0x5a/0xa0
[ 57.438148][ T476] syscall_exit_to_user_mode+0x1a/0x30
[ 57.443665][ T476] do_syscall_64+0x58/0xa0
[ 57.447914][ T476] ? clear_bhb_loop+0x15/0x70
[ 57.452518][ T476] ? clear_bhb_loop+0x15/0x70
[ 57.457028][ T476] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 57.462840][ T476] RIP: 0033:0x7fa7c7bc0a25
[ 57.467101][ T476] Code: Unable to access opcode bytes at 0x7fa7c7bc09fb.
[ 57.474286][ T476] RSP: 002b:00007fa7c8a99f80 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
[ 57.482530][ T476] RAX: fffffffffffffdfc RBX: 00007fa7c7db5fa0 RCX: 00007fa7c7bc0a25
[ 57.490466][ T476] RDX: 00007fa7c8a99fc0 RSI: 0000000000000000 RDI: 0000000000000000
[ 57.498233][ T476] RBP: 00007fa7c7c10a68 R08: 0000000000000000 R09: 0000000000000000
[ 57.506043][ T476] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 57.513854][ T476] R13: 0000000000000000 R14: 00007fa7c7db5fa0 R15: 00007fff26833db8
[ 57.521756][ T476]
[ 57.524623][ T476]
[ 57.526799][ T476] Allocated by task 470:
[ 57.530869][ T476] kasan_set_track+0x4b/0x70
[ 57.535290][ T476] kasan_save_alloc_info+0x25/0x30
[ 57.540252][ T476] __kasan_slab_alloc+0x72/0x80
[ 57.544928][ T476] slab_post_alloc_hook+0x4f/0x280
[ 57.549871][ T476] kmem_cache_alloc_lru+0x104/0x280
[ 57.554907][ T476] f2fs_alloc_inode+0x28/0x330
[ 57.559513][ T476] iget_locked+0x168/0x6e0
[ 57.563852][ T476] f2fs_iget+0x53/0x47a0
[ 57.567935][ T476] f2fs_lookup+0x1f2/0x800
[ 57.572278][ T476] __lookup_slow+0x24e/0x330
[ 57.576690][ T476] lookup_slow+0x52/0x70
[ 57.580769][ T476] walk_component+0x261/0x370
[ 57.585293][ T476] path_lookupat+0x85/0x320
[ 57.589624][ T476] filename_lookup+0x1bc/0x420
[ 57.594223][ T476] vfs_statx+0xf4/0x580
[ 57.598324][ T476] __se_sys_newlstat+0xd2/0x320
[ 57.602989][ T476] __x64_sys_newlstat+0x56/0x60
[ 57.607676][ T476] x64_sys_call+0x393/0x9a0
[ 57.612106][ T476] do_syscall_64+0x4c/0xa0
[ 57.616440][ T476] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 57.622171][ T476]
[ 57.624353][ T476] Freed by task 35:
[ 57.627984][ T476] kasan_set_track+0x4b/0x70
[ 57.632415][ T476] kasan_save_free_info+0x31/0x50
[ 57.637274][ T476] ____kasan_slab_free+0x132/0x180
[ 57.642219][ T476] __kasan_slab_free+0x11/0x20
[ 57.646921][ T476] slab_free_freelist_hook+0xc2/0x190
[ 57.652233][ T476] kmem_cache_free+0x12f/0x2a0
[ 57.656823][ T476] f2fs_free_inode+0x1c/0x20
[ 57.661252][ T476] i_callback+0x4f/0x70
[ 57.665240][ T476] rcu_do_batch+0x512/0xb50
[ 57.669589][ T476] rcu_core+0x547/0xe30
[ 57.673571][ T476] rcu_core_si+0x9/0x10
[ 57.677567][ T476] handle_softirqs+0x1d7/0x5b0
[ 57.682168][ T476] __do_softirq+0xb/0xd
[ 57.686160][ T476]
[ 57.688336][ T476] Last potentially related work creation:
[ 57.693889][ T476] kasan_save_stack+0x3a/0x60
[ 57.698397][ T476] __kasan_record_aux_stack+0xb6/0xc0
[ 57.703611][ T476] kasan_record_aux_stack_noalloc+0xb/0x10
[ 57.709447][ T476] call_rcu+0xd0/0xfb0
[ 57.713346][ T476] evict+0x7a9/0x820
[ 57.717251][ T476] iput+0x4c1/0x4f0
[ 57.720904][ T476] do_unlinkat+0x36a/0x5d0
[ 57.725149][ T476] __x64_sys_unlink+0x44/0x50
[ 57.729672][ T476] x64_sys_call+0x958/0x9a0
[ 57.734001][ T476] do_syscall_64+0x4c/0xa0
[ 57.738256][ T476] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 57.743985][ T476]
[ 57.746163][ T476] The buggy address belongs to the object at ffff8881226b45c0
[ 57.746163][ T476] which belongs to the cache f2fs_inode_cache of size 1360
[ 57.760644][ T476] The buggy address is located 136 bytes inside of
[ 57.760644][ T476] 1360-byte region [ffff8881226b45c0, ffff8881226b4b10)
[ 57.773931][ T476]
[ 57.776092][ T476] The buggy address belongs to the physical page:
[ 57.782429][ T476] page:ffffea000489ac00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1226b0
[ 57.792585][ T476] head:ffffea000489ac00 order:3 compound_mapcount:0 compound_pincount:0
[ 57.800915][ T476] flags: 0x4000000000010200(slab|head|zone=1)
[ 57.806816][ T476] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100287500
[ 57.815232][ T476] raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
[ 57.823644][ T476] page dumped because: kasan: bad access detected
[ 57.829901][ T476] page_owner tracks the page as allocated
[ 57.835480][ T476] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 470, tgid 469 (syz.2.16), ts 56942603269, free_ts 0
[ 57.857746][ T476] prep_new_page+0x58c/0x650
[ 57.862174][ T476] get_page_from_freelist+0x2f02/0x2f70
[ 57.867550][ T476] __alloc_pages+0x19e/0x3a0
[ 57.871986][ T476] alloc_slab_page+0x6e/0xf0
[ 57.876403][ T476] new_slab+0x7c/0x360
[ 57.880395][ T476] ___slab_alloc+0x5d2/0x970
[ 57.884834][ T476] __slab_alloc+0x53/0x90
[ 57.888999][ T476] kmem_cache_alloc_lru+0x144/0x280
[ 57.894026][ T476] f2fs_alloc_inode+0x28/0x330
[ 57.898622][ T476] iget_locked+0x168/0x6e0
[ 57.902877][ T476] f2fs_iget+0x53/0x47a0
[ 57.906953][ T476] f2fs_fill_super+0x3c4b/0x65e0
[ 57.911727][ T476] mount_bdev+0x265/0x340
[ 57.915894][ T476] f2fs_mount+0x10/0x20
[ 57.919888][ T476] legacy_get_tree+0xf9/0x190
[ 57.924496][ T476] vfs_get_tree+0x8f/0x190
[ 57.928749][ T476] page_owner free stack trace missing
[ 57.933955][ T476]
[ 57.936163][ T476] Memory state around the buggy address:
[ 57.941607][ T476]  ffff8881226b4500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.949734][ T476]  ffff8881226b4580: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 57.957626][ T476] >ffff8881226b4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.965519][ T476]                                               ^
[ 57.971769][ T476]  ffff8881226b4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.979668][ T476]  ffff8881226b4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.987656][ T476] ==================================================================
[ 57.995847][ T476] Disabling lock debugging due to kernel taint
[ 58.008721][ T27] audit: type=1400 audit(1749213005.882:98): avc: denied { read } for pid=81 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 58.032174][ T27] audit: type=1400 audit(1749213005.912:99): avc: denied { search } for pid=81 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1