Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
2023/01/03 12:01:14 ignoring optional flag "sandboxArg"="0"
2023/01/03 12:01:14 parsed 1 programs
2023/01/03 12:01:14 executed programs: 0
[ 38.090479][ T28] kauditd_printk_skb: 64 callbacks suppressed
[ 38.090488][ T28] audit: type=1400 audit(1672747274.540:136): avc: denied { mounton } for pid=379 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 38.121590][ T28] audit: type=1400 audit(1672747274.540:137): avc: denied { mount } for pid=379 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 38.158488][ T382] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.165654][ T382] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.173081][ T382] device bridge_slave_0 entered promiscuous mode
[ 38.179861][ T382] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.186695][ T382] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.193965][ T382] device bridge_slave_1 entered promiscuous mode
[ 38.224772][ T382] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.231642][ T382] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.238696][ T382] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.245564][ T382] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.260760][ T335] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.267762][ T335] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.275140][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.282732][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.291245][ T54] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.299415][ T54] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.306241][ T54] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.322027][ T382] device veth0_vlan entered promiscuous mode
[ 38.329963][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.338037][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.346372][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 38.353662][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 38.361240][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.369310][ T335] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.376156][ T335] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.383385][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.391412][ T335] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.401320][ T54] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.410264][ T382] device veth1_macvtap entered promiscuous mode
[ 38.419440][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.427524][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.440388][ T28] audit: type=1400 audit(1672747274.890:138): avc: denied { mount } for pid=382 comm="syz-executor.0" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 38.467894][ T388] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 38.478510][ T28] audit: type=1400 audit(1672747274.920:139): avc: denied { write } for pid=387 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 38.495925][ T391] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 38.499085][ C0] ==================================================================
[ 38.516093][ C0] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x429b/0x4a00
[ 38.523894][ C0] Read of size 4 at addr ffffc90002e6f980 by task udevd/389
[ 38.531007][ C0]
[ 38.533179][ C0] CPU: 0 PID: 389 Comm: udevd Not tainted 6.2.0-rc2-syzkaller-00127-g69b41ac87e4a #0
[ 38.542473][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 38.552461][ C0] Call Trace:
[ 38.555593][ C0]  <IRQ>
[ 38.558384][ C0]  dump_stack_lvl+0x151/0x1c0
[ 38.562876][ C0]  ? nf_tcp_handle_invalid+0x400/0x400
[ 38.568655][ C0]  ? _printk+0xcf/0x110
[ 38.572640][ C0]  ? __virt_addr_valid+0xc2/0x2e0
[ 38.577505][ C0]  print_report+0x164/0x510
[ 38.581842][ C0]  ? __virt_addr_valid+0xc2/0x2e0
[ 38.586698][ C0]  ? kasan_addr_to_slab+0xd/0x80
[ 38.591472][ C0]  ? xfrm_state_find+0x429b/0x4a00
[ 38.596425][ C0]  kasan_report+0x13f/0x170
[ 38.600761][ C0]  ? xfrm_state_find+0x429b/0x4a00
[ 38.605708][ C0]  __asan_report_load4_noabort+0x14/0x20
[ 38.611378][ C0]  xfrm_state_find+0x429b/0x4a00
[ 38.616149][ C0]  ? xfrm_sad_getinfo+0x170/0x170
[ 38.621003][ C0]  ? xfrm4_get_saddr+0x183/0x290
[ 38.625791][ C0]  ? xfrm4_dst_lookup+0x280/0x280
[ 38.630637][ C0]  ? __xfrm_policy_inexact_prune_bin+0xa00/0xa00
[ 38.636797][ C0]  ? kasan_save_alloc_info+0x1f/0x30
[ 38.641918][ C0]  xfrm_resolve_and_create_bundle+0x66d/0x2cb0
[ 38.647924][ C0]  ? xfrm_lookup_with_ifid+0x2640/0x2640
[ 38.653389][ C0]  ? _raw_spin_unlock_bh+0x50/0x60
[ 38.658326][ C0]  xfrm_lookup_with_ifid+0xa1c/0x2640
[ 38.663540][ C0]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 38.669522][ C0]  ? __xfrm_sk_clone_policy+0xa90/0xa90
[ 38.674920][ C0]  ? ip_route_output_key_hash_rcu+0xa03/0xed0
[ 38.680805][ C0]  xfrm_lookup_route+0x3b/0x160
[ 38.685494][ C0]  ip_route_output_flow+0x20d/0x330
[ 38.690526][ C0]  ? ipv4_sk_update_pmtu+0x1d40/0x1d40
[ 38.695908][ C0]  ? make_kuid+0x20a/0x700
[ 38.700162][ C0]  ? __put_user_ns+0x60/0x60
[ 38.704588][ C0]  ? __alloc_skb+0x1be/0x2d0
[ 38.709016][ C0]  igmpv3_newpack+0x3b6/0x1010
[ 38.713617][ C0]  ? igmpv3_sendpack+0x190/0x190
[ 38.718391][ C0]  add_grhead+0x84/0x320
[ 38.722469][ C0]  add_grec+0x12f5/0x1600
[ 38.726636][ C0]  ? update_load_avg+0xed/0xb00
[ 38.732973][ C0]  ? debug_smp_processor_id+0x17/0x20
[ 38.738181][ C0]  ? _raw_spin_lock_bh+0xa3/0x1b0
[ 38.743127][ C0]  ? igmpv3_send_report+0x460/0x460
[ 38.748161][ C0]  ? run_posix_cpu_timers+0x29d/0x5c0
[ 38.753372][ C0]  igmp_ifc_timer_expire+0x89a/0xf80
[ 38.758516][ C0]  ? timerqueue_add+0x25c/0x280
[ 38.763274][ C0]  ? igmp_gq_timer_expire+0xe0/0xe0
[ 38.768307][ C0]  call_timer_fn+0x35/0x270
[ 38.773335][ C0]  ? igmp_gq_timer_expire+0xe0/0xe0
[ 38.778368][ C0]  expire_timers+0x22a/0x3c0
[ 38.782839][ C0]  __run_timers+0x598/0x6f0
[ 38.787144][ C0]  ? enqueue_timer+0x470/0x470
[ 38.791736][ C0]  ? sched_clock+0x9/0x10
[ 38.796053][ C0]  run_timer_softirq+0x69/0xf0
[ 38.800588][ C0]  __do_softirq+0x1a5/0x5a3
[ 38.804929][ C0]  invoke_softirq+0x70/0xd0
[ 38.809267][ C0]  __irq_exit_rcu+0x4f/0xb0
[ 38.813696][ C0]  irq_exit_rcu+0x9/0x10
[ 38.817785][ C0]  sysvec_apic_timer_interrupt+0x49/0xc0
[ 38.823348][ C0]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 38.829150][ C0] RIP: 0033:0x7f085b6b7052
[ 38.833407][ C0] Code: 48 89 6b 20 48 89 6b 18 48 89 6b 08 4c 89 6b 10 48 89 6b 28 44 89 e0 48 89 6b 30 48 83 c4 08 5b 5d 41 5c 41 5d c3 66 90 41 57 <49> 89 cf 41 56 49 89 d6 41 55 41 54 55 53 44 89 c3 48 81 ec 48 01
[ 38.852965][ C0] RSP: 002b:00007ffd336a5db0 EFLAGS: 00000246
[ 38.858862][ C0] RAX: 00007ffd336a5de0 RBX: 000000000000007a RCX: 00007ffd336a5dc8
[ 38.866676][ C0] RDX: 000055ba2586c0f9 RSI: 0000000000000020 RDI: 00007ffd336a5ea8
[ 38.874498][ C0] RBP: 00007ffd336a648e R08: 0000000000000000 R09: 0000000000000000
[ 38.882321][ C0] R10: 00007f085b7a2ac0 R11: 00007f085b7a33c0 R12: 000055ba26e2e880
[ 38.890198][ C0] R13: 00007ffd336a5ea8 R14: 00007ffd336a648e R15: 0000000000000001
[ 38.898106][ C0]  </IRQ>
[ 38.900962][ C0]
[ 38.903133][ C0] The buggy address belongs to stack of task udevd/389
[ 38.909813][ C0]  and is located at offset 96 in frame:
[ 38.915295][ C0]  igmpv3_newpack+0x0/0x1010
[ 38.919711][ C0]
[ 38.921881][ C0] This frame has 1 object:
[ 38.926135][ C0]  [32, 96) 'fl4'
[ 38.926143][ C0]
[ 38.931778][ C0] The buggy address belongs to the virtual mapping at
[ 38.931778][ C0]  [ffffc90002e68000, ffffc90002e71000) created by:
[ 38.931778][ C0]  dup_task_struct+0x95/0x4a0
[ 38.949742][ C0]
[ 38.951912][ C0] The buggy address belongs to the physical page:
[ 38.958169][ C0] page:ffffea000484d280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12134a
[ 38.968316][ C0] flags: 0x4000000000000000(zone=1)
[ 38.973534][ C0] raw: 4000000000000000 0000000000000000 dead000000000122 0000000000000000
[ 38.981956][ C0] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 38.990367][ C0] page dumped because: kasan: bad access detected
[ 38.996907][ C0] page_owner tracks the page as allocated
[ 39.002778][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 95, tgid 95 (udevd), ts 38467798656, free_ts 32094489781
[ 39.020744][ C0]  post_alloc_hook+0x1eb/0x1f0
[ 39.025432][ C0]  get_page_from_freelist+0x375/0x3f0
[ 39.030730][ C0]  __alloc_pages+0x3d1/0x7c0
[ 39.035152][ C0]  __vmalloc_node_range+0x8c7/0x1390
[ 39.040368][ C0]  alloc_thread_stack_node+0x320/0x540
[ 39.045933][ C0]  dup_task_struct+0x95/0x4a0
[ 39.050428][ C0]  copy_process+0x51a/0x3350
[ 39.054856][ C0]  kernel_clone+0x22d/0x840
[ 39.059220][ C0]  __x64_sys_clone+0x276/0x2e0
[ 39.063988][ C0]  do_syscall_64+0x2f/0x50
[ 39.068223][ C0]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 39.073954][ C0] page last free stack trace:
[ 39.078646][ C0]  free_pcp_prepare+0x4c0/0x4d0
[ 39.083425][ C0]  free_unref_page+0x1c/0x420
[ 39.087926][ C0]  __folio_put+0x7b/0xa0
[ 39.092005][ C0]  anon_pipe_buf_release+0x178/0x1e0
[ 39.097131][ C0]  pipe_read+0x5c1/0x1060
[ 39.101313][ C0]  vfs_read+0x740/0xb00
[ 39.105378][ C0]  ksys_read+0x198/0x2c0
[ 39.109470][ C0]  __x64_sys_read+0x7b/0x90
[ 39.113791][ C0]  do_syscall_64+0x2f/0x50
[ 39.118047][ C0]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 39.123784][ C0]
[ 39.126031][ C0] Memory state around the buggy address:
[ 39.131599][ C0]  ffffc90002e6f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.139489][ C0]  ffffc90002e6f900: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
[ 39.147572][ C0] >ffffc90002e6f980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.155643][ C0]                    ^
[ 39.159544][ C0]  ffffc90002e6fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.167614][ C0]  ffffc90002e6fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.175525][ C0] ==================================================================
[ 39.183618][ C0] Disabling lock debugging due to kernel taint
[ 39.184996][ T28] audit: type=1400 audit(1672747274.920:140): avc: denied { nlmsg_write } for pid=387 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 39.212273][ T28] audit: type=1400 audit(1672747274.920:141): avc: denied { bpf } for pid=387 comm="syz-executor.0" capability=39 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability2 permissive=1
[ 39.232914][ T28] audit: type=1400 audit(1672747274.920:142): avc: denied { prog_load } for pid=387 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1
[ 39.258729][ T395] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.305502][ T397] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.372139][ T400] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.431099][ T402] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.481538][ T404] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.560935][ T407] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.611005][ T409] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 39.660966][ T411] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
2023/01/03 12:01:19 executed programs: 78
[ 43.486246][ T591] __nla_validate_parse: 75 callbacks suppressed
[ 43.486256][ T591] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.534098][ T593] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.601191][ T596] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.657033][ T598] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.710965][ T600] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.763821][ T602] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.803928][ T604] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.864828][ T607] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.940984][ T610] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 43.984211][ T612] netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
2023/01/03 12:01:24 executed programs: 173
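Added example, not part of the syzbot log above and not syzkaller's or the kernel's own tooling: a small Python decoder for the KASAN report in this log. It parses the fields a triager reads first (bug kind, faulting function, access size and address, the frame named by KASAN and its object table, and the "Memory state" shadow rows), maps the faulting stack address back into the igmpv3_newpack frame, decodes the shadow byte KASAN marked with ">" and "^", and cross-checks that the shadow rows agree with the declared frame layout. The sample input is the report's own lines with the printk timestamp and "[ C0]" prefixes stripped; the shadow-value table is the subset of generic-KASAN values this example relies on (0x00 addressable, 0xf1/0xf2/0xf3 stack redzones, 0xfb/0xfc kmalloc), and the function names (parse_report, locate_in_frame, summarize, and so on) are this example's own.

```python
"""Decode a KASAN stack-out-of-bounds report (example code, not from the log)."""
import re

# Subset of generic-mode KASAN shadow values (see mm/kasan/kasan.h).
SHADOW_MEANING = {
    0x00: "addressable",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
}
GRANULE = 8  # one shadow byte covers 8 bytes of memory in generic KASAN

# Constructed sample input: the relevant lines of the report above, with the
# printk timestamp and CPU prefixes removed.
REPORT = """\
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x429b/0x4a00
Read of size 4 at addr ffffc90002e6f980 by task udevd/389
The buggy address belongs to stack of task udevd/389
 and is located at offset 96 in frame:
 igmpv3_newpack+0x0/0x1010
This frame has 1 object:
 [32, 96) 'fl4'
Memory state around the buggy address:
 ffffc90002e6f900: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
>ffffc90002e6f980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
"""


def parse_report(text):
    """Pull the fields a triager needs out of a KASAN report."""
    info = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", text)
    info["bug"], info["func"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    info["access"] = m.group(1).lower()
    info["size"] = int(m.group(2))
    info["addr"] = int(m.group(3), 16)
    m = re.search(r"located at offset (\d+) in frame:\s*(\w+)\+0x", text)
    info["frame_offset"] = int(m.group(1))
    info["frame"] = m.group(2)
    info["objects"] = [(int(a), int(b), n)
                       for a, b, n in re.findall(r"\[(\d+), (\d+)\) '(\w+)'", text)]
    # Shadow rows: 16 shadow bytes per line, each covering one 8-byte granule
    # starting at the address printed at the front of the row.
    shadow = {}
    for line in text.splitlines():
        m = re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line)
        if m:
            base = int(m.group(1), 16)
            for i, byte in enumerate(m.group(2).split()):
                shadow[base + GRANULE * i] = int(byte, 16)
    info["shadow"] = shadow
    return info


def shadow_meaning(info, addr):
    """Decode the shadow byte covering addr (None if the dump lacks it)."""
    val = info["shadow"].get(addr & ~(GRANULE - 1))
    if val is None:
        return None
    return SHADOW_MEANING.get(val, f"unknown 0x{val:02x}")


def locate_in_frame(info):
    """Relate the faulting frame offset to the frame's declared objects."""
    off = info["frame_offset"]
    for start, end, name in info["objects"]:
        if start <= off < end:
            return {"object": name, "relation": "inside", "distance": 0}
    ended_before = [(end, name) for start, end, name in info["objects"] if end <= off]
    if ended_before:
        end, name = max(ended_before)
        return {"object": name, "relation": "past end", "distance": off - end}
    return {"object": None, "relation": "before first object", "distance": off}


def frame_layout_matches_shadow(info):
    """Cross-check the report: every granule of every declared object must be
    addressable (0x00) and the faulting granule must be a stack redzone."""
    base = info["addr"] - info["frame_offset"]  # stack address of frame offset 0
    for start, end, _ in info["objects"]:
        for a in range(base + start, base + end, GRANULE):
            if info["shadow"].get(a & ~(GRANULE - 1)) != 0x00:
                return False
    return shadow_meaning(info, info["addr"]) in (
        "stack left redzone", "stack mid redzone", "stack right redzone")


def summarize(text=REPORT):
    """One-shot triage summary of a report."""
    info = parse_report(text)
    where = locate_in_frame(info)
    return {
        "bug": info["bug"],
        "faulting_function": info["func"],
        "frame": info["frame"],
        "access": f"{info['access']} of {info['size']} bytes at frame offset {info['frame_offset']}",
        "object": where["object"],
        "relation": where["relation"],
        "bytes_past_end": where["distance"],
        "shadow": shadow_meaning(info, info["addr"]),
        "consistent": frame_layout_matches_shadow(info),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:18} {value}")
```

Run on the report above, the summary says the 4-byte read in xfrm_state_find lands at frame offset 96 of igmpv3_newpack, which is the first byte after the only object in that frame, 'fl4' at [32, 96), and that the shadow byte there is 0xf3, the stack right redzone; the consistency check confirms that the shadow rows (0xf1 left redzone for frame offsets 0 to 32, 0x00 for the 64 bytes of fl4, 0xf3 from offset 96) agree with the frame layout KASAN printed. The report itself does not say why xfrm_state_find reads past the end of the flowi4 that igmpv3_newpack put on its stack; that is what the reproducer and the source at xfrm_state_find+0x429b have to answer.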