Warning: Permanently added '10.128.1.0' (ED25519) to the list of known hosts.
2023/11/25 02:17:25 ignoring optional flag "sandboxArg"="0"
2023/11/25 02:17:25 parsed 1 programs
[ 43.972522][ T28] audit: type=1400 audit(1700878645.304:156): avc: denied { mounton } for pid=344 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 43.999542][ T28] audit: type=1400 audit(1700878645.324:157): avc: denied { mount } for pid=344 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 44.062032][ T28] audit: type=1400 audit(1700878645.394:158): avc: denied { unlink } for pid=344 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
2023/11/25 02:17:25 executed programs: 0
[ 44.116877][ T344] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 44.175101][ T349] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.182774][ T349] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.190400][ T349] device bridge_slave_0 entered promiscuous mode
[ 44.197348][ T349] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.204871][ T349] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.212316][ T349] device bridge_slave_1 entered promiscuous mode
[ 44.257328][ T28] audit: type=1400 audit(1700878645.584:159): avc: denied { write } for pid=349 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 44.263833][ T349] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.278935][ T28] audit: type=1400 audit(1700878645.584:160): avc: denied { read } for pid=349 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 44.285898][ T349] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.286009][ T349] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.321936][ T349] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.342533][ T19] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.349699][ T19] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.358533][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 44.365976][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.374979][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.383122][ T24] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.389976][ T24] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.412578][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 44.421360][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.429305][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 44.437514][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 44.445316][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.453589][ T19] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.460653][ T19] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.468736][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.477384][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.486224][ T349] device veth0_vlan entered promiscuous mode
[ 44.497680][ T349] device veth1_macvtap entered promiscuous mode
[ 44.504897][ T60] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.519072][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.528161][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.541725][ T28] audit: type=1400 audit(1700878645.874:161): avc: denied { mounton } for pid=349 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=370 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
2023/11/25 02:17:30 executed programs: 62
2023/11/25 02:17:35 executed programs: 106
2023/11/25 02:17:40 executed programs: 137
2023/11/25 02:17:45 executed programs: 207
[ 66.512836][ T1353] ==================================================================
[ 66.521269][ T1353] BUG: KASAN: use-after-free in unix_stream_read_actor+0xa3/0xb0
[ 66.529439][ T1353] Read of size 4 at addr ffff88810fffb044 by task syz-executor.0/1353
[ 66.537680][ T1353]
[ 66.539900][ T1353] CPU: 1 PID: 1353 Comm: syz-executor.0 Not tainted 6.1.43-syzkaller-1150379-gd2c0f4c4502a #0
[ 66.551668][ T1353] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 66.562326][ T1353] Call Trace:
[ 66.565537][ T1353]
[ 66.568560][ T1353] dump_stack_lvl+0x151/0x1b7
[ 66.573158][ T1353] ? nf_tcp_handle_invalid+0x3f1/0x3f1
[ 66.578529][ T1353] ? _printk+0xd1/0x111
[ 66.582788][ T1353] ? __virt_addr_valid+0x242/0x2f0
[ 66.588177][ T1353] print_report+0x158/0x4e0
[ 66.592772][ T1353] ? __virt_addr_valid+0x242/0x2f0
[ 66.597848][ T1353] ? kasan_complete_mode_report_info+0x90/0x1b0
[ 66.604023][ T1353] ? unix_stream_read_actor+0xa3/0xb0
[ 66.609455][ T1353] kasan_report+0x13c/0x170
[ 66.613792][ T1353] ? unix_stream_read_actor+0xa3/0xb0
[ 66.619107][ T1353] __asan_report_load4_noabort+0x14/0x20
[ 66.626698][ T1353] unix_stream_read_actor+0xa3/0xb0
[ 66.632179][ T1353] unix_stream_recv_urg+0x1b4/0x300
[ 66.637201][ T1353] unix_stream_read_generic+0x2140/0x2220
[ 66.642869][ T1353] ? avc_denied+0x1b0/0x1b0
[ 66.647390][ T1353] ? avc_has_perm+0x16f/0x260
[ 66.652244][ T1353] ? avc_has_perm_noaudit+0x430/0x430
[ 66.657718][ T1353] ? unix_stream_read_actor+0xb0/0xb0
[ 66.662927][ T1353] ? selinux_socket_recvmsg+0x243/0x340
[ 66.668406][ T1353] ? selinux_socket_sendmsg+0x340/0x340
[ 66.673824][ T1353] unix_stream_recvmsg+0x222/0x2b0
[ 66.678821][ T1353] ? unix_stream_sendmsg+0x1070/0x1070
[ 66.684100][ T1353] ? __unix_stream_recvmsg+0x210/0x210
[ 66.689396][ T1353] ? __import_iovec+0x24f/0x430
[ 66.694184][ T1353] ? security_socket_recvmsg+0x87/0xb0
[ 66.699474][ T1353] ? unix_stream_sendmsg+0x1070/0x1070
[ 66.705120][ T1353] ____sys_recvmsg+0x285/0x530
[ 66.710033][ T1353] ? __sys_recvmsg_sock+0x50/0x50
[ 66.715287][ T1353] __sys_recvmsg+0x2e9/0x3d0
[ 66.719756][ T1353] ? __kasan_check_write+0x14/0x20
[ 66.724800][ T1353] ? ____sys_recvmsg+0x530/0x530
[ 66.729653][ T1353] ? __set_current_blocked+0x2a5/0x2f0
[ 66.735136][ T1353] ? __kasan_check_write+0x14/0x20
[ 66.740331][ T1353] ? __se_sys_rt_sigprocmask+0x30a/0x380
[ 66.745966][ T1353] ? debug_smp_processor_id+0x17/0x20
[ 66.751766][ T1353] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 66.757947][ T1353] __x64_sys_recvmsg+0x7f/0x90
[ 66.762609][ T1353] do_syscall_64+0x3d/0xb0
[ 66.767186][ T1353] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.773321][ T1353] RIP: 0033:0x7f149bc7cae9
[ 66.777932][ T1353] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 66.799404][ T1353] RSP: 002b:00007f149c9050c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 66.807815][ T1353] RAX: ffffffffffffffda RBX: 00007f149bd9c120 RCX: 00007f149bc7cae9
[ 66.816092][ T1353] RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
[ 66.824268][ T1353] RBP: 00007f149bcc847a R08: 0000000000000000 R09: 0000000000000000
[ 66.832364][ T1353] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 66.841108][ T1353] R13: 000000000000006e R14: 00007f149bd9c120 R15: 00007ffec5e760a8
[ 66.850318][ T1353]
[ 66.853307][ T1353]
[ 66.856034][ T1353] Allocated by task 1352:
[ 66.861405][ T1353] kasan_set_track+0x4b/0x70
[ 66.866702][ T1353] kasan_save_alloc_info+0x1f/0x30
[ 66.871733][ T1353] __kasan_slab_alloc+0x6c/0x80
[ 66.876970][ T1353] slab_post_alloc_hook+0x53/0x2c0
[ 66.882838][ T1353] kmem_cache_alloc_node+0x18a/0x2d0
[ 66.888052][ T1353] __alloc_skb+0xcc/0x2e0
[ 66.892213][ T1353] alloc_skb_with_frags+0xa6/0x680
[ 66.897422][ T1353] sock_alloc_send_pskb+0x915/0xa50
[ 66.903163][ T1353] queue_oob+0x102/0x8e0
[ 66.907640][ T1353] unix_stream_sendmsg+0xe10/0x1070
[ 66.912995][ T1353] ____sys_sendmsg+0x5dc/0x9d0
[ 66.918080][ T1353] __sys_sendmsg+0x2a9/0x390
[ 66.922781][ T1353] __x64_sys_sendmsg+0x7f/0x90
[ 66.927482][ T1353] do_syscall_64+0x3d/0xb0
[ 66.932294][ T1353] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.937982][ T1353]
[ 66.940180][ T1353] Freed by task 1352:
[ 66.944049][ T1353] kasan_set_track+0x4b/0x70
[ 66.949195][ T1353] kasan_save_free_info+0x2b/0x40
[ 66.954306][ T1353] ____kasan_slab_free+0x131/0x180
[ 66.960862][ T1353] __kasan_slab_free+0x11/0x20
[ 66.966333][ T1353] kmem_cache_free+0x291/0x510
[ 66.971666][ T1353] kfree_skbmem+0x104/0x170
[ 66.976030][ T1353] consume_skb+0xb4/0x250
[ 66.980873][ T1353] queue_oob+0x52c/0x8e0
[ 66.985175][ T1353] unix_stream_sendmsg+0xe10/0x1070
[ 66.990697][ T1353] ____sys_sendmsg+0x5dc/0x9d0
[ 66.995561][ T1353] __sys_sendmsg+0x2a9/0x390
[ 67.000594][ T1353] __x64_sys_sendmsg+0x7f/0x90
[ 67.005204][ T1353] do_syscall_64+0x3d/0xb0
[ 67.009894][ T1353] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 67.015829][ T1353]
[ 67.017992][ T1353] The buggy address belongs to the object at ffff88810fffb000
[ 67.017992][ T1353] which belongs to the cache skbuff_head_cache of size 256
[ 67.032852][ T1353] The buggy address is located 68 bytes inside of
[ 67.032852][ T1353] 256-byte region [ffff88810fffb000, ffff88810fffb100)
[ 67.047611][ T1353]
[ 67.049946][ T1353] The buggy address belongs to the physical page:
[ 67.056387][ T1353] page:ffffea00043ffec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fffb
[ 67.066536][ T1353] flags: 0x4000000000000200(slab|zone=1)
[ 67.072027][ T1353] raw: 4000000000000200 ffffea0004443700 dead000000000006 ffff888100233080
[ 67.080772][ T1353] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 67.089379][ T1353] page dumped because: kasan: bad access detected
[ 67.095764][ T1353] page_owner tracks the page as allocated
[ 67.101279][ T1353] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 103, tgid 103 (udevadm), ts 4176884751, free_ts 4176816638
[ 67.118963][ T1353] post_alloc_hook+0x213/0x220
[ 67.123554][ T1353] prep_new_page+0x1b/0x110
[ 67.127908][ T1353] get_page_from_freelist+0x2878/0x2910
[ 67.133360][ T1353] __alloc_pages+0x3a1/0x780
[ 67.137792][ T1353] alloc_slab_page+0x6c/0xf0
[ 67.142261][ T1353] new_slab+0x90/0x3e0
[ 67.146224][ T1353] ___slab_alloc+0x6f9/0xb80
[ 67.150722][ T1353] __slab_alloc+0x5d/0xa0
[ 67.154889][ T1353] kmem_cache_alloc+0x1b9/0x2c0
[ 67.159664][ T1353] skb_clone+0x1f8/0x380
[ 67.163743][ T1353] netlink_broadcast+0x62d/0x1140
[ 67.168702][ T1353] kobject_uevent_net_broadcast+0x3a1/0x590
[ 67.174601][ T1353] kobject_uevent_env+0x53c/0x720
[ 67.179895][ T1353] kobject_synth_uevent+0x4eb/0xae0
[ 67.185105][ T1353] uevent_store+0x4b/0x70
[ 67.189264][ T1353] drv_attr_store+0x78/0xa0
[ 67.193635][ T1353] page last free stack trace:
[ 67.198223][ T1353] free_unref_page_prepare+0x83d/0x850
[ 67.203498][ T1353] free_unref_page+0xbc/0x650
[ 67.208015][ T1353] __free_pages+0x61/0xf0
[ 67.212180][ T1353] free_pages+0x7c/0x90
[ 67.216221][ T1353] selinux_genfs_get_sid+0x24d/0x2a0
[ 67.221324][ T1353] inode_doinit_with_dentry+0x8d2/0x1070
[ 67.226847][ T1353] selinux_d_instantiate+0x27/0x40
[ 67.231881][ T1353] security_d_instantiate+0x9f/0x100
[ 67.237093][ T1353] d_splice_alias+0x6d/0x390
[ 67.241688][ T1353] kernfs_iop_lookup+0x29e/0x2f0
[ 67.246561][ T1353] path_openat+0x10fd/0x2d60
[ 67.251237][ T1353] do_filp_open+0x230/0x480
[ 67.255595][ T1353] do_sys_openat2+0x13f/0x850
[ 67.260190][ T1353] __x64_sys_openat+0x243/0x290
[ 67.265044][ T1353] do_syscall_64+0x3d/0xb0
[ 67.269839][ T1353] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 67.275639][ T1353]
[ 67.277890][ T1353] Memory state around the buggy address:
[ 67.283542][ T1353] ffff88810fffaf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.291978][ T1353] ffff88810fffaf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.300148][ T1353] >ffff88810fffb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.308807][ T1353] ^
[ 67.314904][ T1353] ffff88810fffb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.324023][ T1353] ffff88810fffb100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 67.332640][ T1353] ==================================================================
[ 67.342650][ T1353] Disabling lock debugging due to kernel taint
2023/11/25 02:17:50 executed programs: 269
2023/11/25 02:17:56 executed programs: 351