[ 32.148701][ T8] device bridge_slave_0 left promiscuous mode
[ 32.154931][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.163291][ T8] device veth1_macvtap left promiscuous mode
[ 32.169841][ T8] device veth0_vlan left promiscuous mode
[ 33.522226][ T8] device bridge_slave_1 left promiscuous mode
[ 33.528359][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.535867][ T8] device bridge_slave_0 left promiscuous mode
[ 33.542214][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.550309][ T8] device veth1_macvtap left promiscuous mode
[ 33.556531][ T8] device veth0_vlan left promiscuous mode
Warning: Permanently added '10.128.1.20' (ED25519) to the list of known hosts.
2025/05/08 15:03:48 ignoring optional flag "sandboxArg"="0"
2025/05/08 15:03:48 parsed 1 programs
[ 51.652346][ T30] kauditd_printk_skb: 30 callbacks suppressed
[ 51.652363][ T30] audit: type=1400 audit(1746716629.958:104): avc: denied { unlink } for pid=379 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 51.724847][ T379] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 52.354409][ T30] audit: type=1401 audit(1746716630.658:105): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
[ 52.540390][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.547878][ T410] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.555408][ T410] device bridge_slave_0 entered promiscuous mode
[ 52.562764][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.571822][ T410] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.580653][ T410] device bridge_slave_1 entered promiscuous mode
[ 52.631991][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.639650][ T410] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.647621][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.654702][ T410] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.676220][ T305] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.684860][ T305] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.694478][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 52.702952][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.713599][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 52.722531][ T305] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.729902][ T305] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.739487][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 52.749004][ T305] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.758716][ T305] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.772000][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 52.782037][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 52.796607][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 52.809006][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 52.817282][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 52.825133][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 52.837334][ T410] device veth0_vlan entered promiscuous mode
[ 52.847824][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 52.857299][ T410] device veth1_macvtap entered promiscuous mode
[ 52.872046][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 52.888809][ T305] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 52.930581][ T30] audit: type=1400 audit(1746716631.228:106): avc: denied { create } for pid=417 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
2025/05/08 15:03:51 executed programs: 0
[ 53.599797][ T30] audit: type=1400 audit(1746716631.898:107): avc: denied { write } for pid=371 comm="syz-execprog" path="pipe:[15467]" dev="pipefs" ino=15467 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 53.654387][ T441] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.662095][ T441] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.670336][ T441] device bridge_slave_0 entered promiscuous mode
[ 53.678159][ T441] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.686072][ T441] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.693886][ T441] device bridge_slave_1 entered promiscuous mode
[ 53.747864][ T441] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.755728][ T441] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.763405][ T441] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.770850][ T441] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.797323][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.805735][ T45] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.813902][ T45] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.825460][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.833982][ T45] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.841182][ T45] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.851103][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.860292][ T45] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.868025][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.883199][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.896614][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.913311][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 53.925203][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 53.933786][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 53.942162][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 53.954607][ T441] device veth0_vlan entered promiscuous mode
[ 53.965263][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 53.975786][ T441] device veth1_macvtap entered promiscuous mode
[ 53.989513][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 53.999856][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 54.027668][ T30] audit: type=1400 audit(1746716632.328:108): avc: denied { create } for pid=445 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1
[ 54.033770][ T446] ==================================================================
[ 54.048400][ T30] audit: type=1400 audit(1746716632.328:109): avc: denied { setopt } for pid=445 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1
[ 54.057450][ T446] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x620/0x6d0
[ 54.057511][ T446] Read of size 1 at addr ffff8881181c3bf8 by task syz.2.16/446
[ 54.057672][ T446]
[ 54.057689][ T446] CPU: 0 PID: 446 Comm: syz.2.16 Not tainted 5.15.180-syzkaller-1080241-g57b1420d5e49 #0
[ 54.057710][ T446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
[ 54.057731][ T446] Call Trace:
[ 54.079782][ T30] audit: type=1400 audit(1746716632.328:110): avc: denied { write } for pid=445 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1
[ 54.088284][ T446]
[ 54.088298][ T446] __dump_stack+0x21/0x30
[ 54.088326][ T446] dump_stack_lvl+0xee/0x150
[ 54.088347][ T446] ? show_regs_print_info+0x20/0x20
[ 54.096636][ T30] audit: type=1400 audit(1746716632.328:111): avc: denied { create } for pid=445 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 54.108392][ T446] ? load_image+0x3a0/0x3a0
[ 54.108428][ T446] ? unwind_get_return_address+0x4d/0x90
[ 54.108453][ T446] print_address_description+0x7f/0x2c0
[ 54.108482][ T446] ? xfrm_policy_inexact_list_reinsert+0x620/0x6d0
[ 54.122775][ T30] audit: type=1400 audit(1746716632.328:112): avc: denied { write } for pid=445 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 54.135798][ T446] kasan_report+0xf1/0x140
[ 54.135831][ T446] ? xfrm_policy_inexact_list_reinsert+0x620/0x6d0
[ 54.135857][ T446] __asan_report_load1_noabort+0x14/0x20
[ 54.135877][ T446] xfrm_policy_inexact_list_reinsert+0x620/0x6d0
[ 54.135900][ T446] xfrm_policy_inexact_insert_node+0x938/0xb50
[ 54.140644][ T30] audit: type=1400 audit(1746716632.328:113): avc: denied { nlmsg_write } for pid=445 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 54.159922][ T446] ? netlink_unicast+0x87c/0xa40
[ 54.159956][ T446] ? netlink_sendmsg+0x86a/0xb70
[ 54.159974][ T446] ? ____sys_sendmsg+0x5a2/0x8c0
[ 54.159994][ T446] ? ___sys_sendmsg+0x1f0/0x260
[ 54.160010][ T446] ? __x64_sys_sendmsg+0x1e2/0x2a0
[ 54.160048][ T446] ? do_syscall_64+0x4c/0xa0
[ 54.327770][ T446] xfrm_policy_inexact_alloc_chain+0x53a/0xb30
[ 54.333933][ T446] xfrm_policy_inexact_insert+0x70/0x1130
[ 54.339733][ T446] ? __get_hash_thresh+0x10c/0x420
[ 54.344832][ T446] ? policy_hash_bysel+0x110/0x4f0
[ 54.349939][ T446] xfrm_policy_insert+0xe0/0x930
[ 54.354873][ T446] xfrm_add_policy+0x4d1/0x830
[ 54.359928][ T446] ? xfrm_dump_sa_done+0xc0/0xc0
[ 54.364939][ T446] xfrm_user_rcv_msg+0x45c/0x6e0
[ 54.370156][ T446] ? xfrm_netlink_rcv+0x90/0x90
[ 54.375110][ T446] ? avc_has_perm_noaudit+0x460/0x460
[ 54.380755][ T446] ? x64_sys_call+0x4b/0x9a0
[ 54.385439][ T446] ? selinux_nlmsg_lookup+0x237/0x4c0
[ 54.391079][ T446] netlink_rcv_skb+0x1e0/0x430
[ 54.396241][ T446] ? xfrm_netlink_rcv+0x90/0x90
[ 54.401813][ T446] ? netlink_ack+0xb60/0xb60
[ 54.407502][ T446] ? wait_for_completion_killable_timeout+0x10/0x10
[ 54.414348][ T446] ? __netlink_lookup+0x387/0x3b0
[ 54.419583][ T446] xfrm_netlink_rcv+0x72/0x90
[ 54.424467][ T446] netlink_unicast+0x87c/0xa40
[ 54.429619][ T446] netlink_sendmsg+0x86a/0xb70
[ 54.434739][ T446] ? netlink_getsockopt+0x530/0x530
[ 54.440957][ T446] ? sock_alloc_file+0xba/0x260
[ 54.446356][ T446] ? security_socket_sendmsg+0x82/0xa0
[ 54.451944][ T446] ? netlink_getsockopt+0x530/0x530
[ 54.457516][ T446] ____sys_sendmsg+0x5a2/0x8c0
[ 54.462975][ T446] ? __sys_sendmsg_sock+0x40/0x40
[ 54.468284][ T446] ? import_iovec+0x7c/0xb0
[ 54.473120][ T446] ___sys_sendmsg+0x1f0/0x260
[ 54.478265][ T446] ? __sys_sendmsg+0x250/0x250
[ 54.483508][ T446] ? __fdget+0x1a1/0x230
[ 54.487870][ T446] __x64_sys_sendmsg+0x1e2/0x2a0
[ 54.492825][ T446] ? ___sys_sendmsg+0x260/0x260
[ 54.498267][ T446] ? __kasan_check_write+0x14/0x20
[ 54.503394][ T446] ? switch_fpu_return+0x15d/0x2c0
[ 54.508752][ T446] x64_sys_call+0x4b/0x9a0
[ 54.513257][ T446] do_syscall_64+0x4c/0xa0
[ 54.517833][ T446] ? clear_bhb_loop+0x35/0x90
[ 54.522880][ T446] ? clear_bhb_loop+0x35/0x90
[ 54.527818][ T446] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.534140][ T446] RIP: 0033:0x7f1a7982dda9
[ 54.538728][ T446] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 54.559962][ T446] RSP: 002b:00007f1a792a0038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 54.569279][ T446] RAX: ffffffffffffffda RBX: 00007f1a79a46fa0 RCX: 00007f1a7982dda9
[ 54.577446][ T446] RDX: 0000000000004000 RSI: 0000000020000580 RDI: 0000000000000005
[ 54.585921][ T446] RBP: 00007f1a798af2a0 R08: 0000000000000000 R09: 0000000000000000
[ 54.594455][ T446] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 54.603828][ T446] R13: 0000000000000000 R14: 00007f1a79a46fa0 R15: 00007fff382db448
[ 54.612519][ T446]
[ 54.615989][ T446]
[ 54.618911][ T446] Allocated by task 446:
[ 54.623935][ T446] __kasan_kmalloc+0xda/0x110
[ 54.628895][ T446] __kmalloc+0x13d/0x2c0
[ 54.633399][ T446] sk_prot_alloc+0xed/0x320
[ 54.639244][ T446] sk_alloc+0x38/0x430
[ 54.643327][ T446] pfkey_create+0x12a/0x660
[ 54.647826][ T446] __sock_create+0x38d/0x7a0
[ 54.652402][ T446] __sys_socket+0xec/0x190
[ 54.656814][ T446] __x64_sys_socket+0x7a/0x90
[ 54.661698][ T446] x64_sys_call+0x8c5/0x9a0
[ 54.666297][ T446] do_syscall_64+0x4c/0xa0
[ 54.670710][ T446] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.676804][ T446]
[ 54.679130][ T446] The buggy address belongs to the object at ffff8881181c3800
[ 54.679130][ T446] which belongs to the cache kmalloc-1k of size 1024
[ 54.693266][ T446] The buggy address is located 1016 bytes inside of
[ 54.693266][ T446] 1024-byte region [ffff8881181c3800, ffff8881181c3c00)
[ 54.706821][ T446] The buggy address belongs to the page:
[ 54.712498][ T446] page:ffffea0004607000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881181c4800 pfn:0x1181c0
[ 54.724331][ T446] head:ffffea0004607000 order:3 compound_mapcount:0 compound_pincount:0
[ 54.732757][ T446] flags: 0x4000000000010200(slab|head|zone=1)
[ 54.738853][ T446] raw: 4000000000010200 0000000000000000 0000000100000001 ffff888100043080
[ 54.747708][ T446] raw: ffff8881181c4800 000000008010000c 00000001ffffffff 0000000000000000
[ 54.756406][ T446] page dumped because: kasan: bad access detected
[ 54.762811][ T446] page_owner tracks the page as allocated
[ 54.768788][ T446] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 101, ts 5980278489, free_ts 0
[ 54.789929][ T446] post_alloc_hook+0x192/0x1b0
[ 54.794790][ T446] prep_new_page+0x1c/0x110
[ 54.799501][ T446] get_page_from_freelist+0x2cc5/0x2d50
[ 54.805301][ T446] __alloc_pages+0x18f/0x440
[ 54.809894][ T446] new_slab+0xa1/0x4d0
[ 54.814046][ T446] ___slab_alloc+0x381/0x810
[ 54.818725][ T446] __slab_alloc+0x49/0x90
[ 54.823322][ T446] __kmalloc_track_caller+0x169/0x2c0
[ 54.829077][ T446] __alloc_skb+0x21a/0x740
[ 54.833643][ T446] netlink_sendmsg+0x602/0xb70
[ 54.838916][ T446] ____sys_sendmsg+0x5a2/0x8c0
[ 54.843898][ T446] ___sys_sendmsg+0x1f0/0x260
[ 54.848670][ T446] __x64_sys_sendmsg+0x1e2/0x2a0
[ 54.854470][ T446] x64_sys_call+0x4b/0x9a0
[ 54.859221][ T446] do_syscall_64+0x4c/0xa0
[ 54.863797][ T446] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 54.869837][ T446] page_owner free stack trace missing
[ 54.875919][ T446]
[ 54.878332][ T446] Memory state around the buggy address:
[ 54.884063][ T446] ffff8881181c3a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.892684][ T446] ffff8881181c3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.902310][ T446] >ffff8881181c3b80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 54.913624][ T446] ^
[ 54.922611][ T446] ffff8881181c3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.931320][ T446] ffff8881181c3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.940035][ T446] ==================================================================
[ 54.948686][ T446] Disabling lock debugging due to kernel taint
[ 54.983469][ T8] device bridge_slave_1 left promiscuous mode
[ 54.989794][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.997889][ T8] device bridge_slave_0 left promiscuous mode
[ 55.004184][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.013262][ T8] device veth1_macvtap left promiscuous mode
[ 55.019954][ T8] device veth0_vlan left promiscuous mode
2025/05/08 15:03:56 executed programs: 219
2025/05/08 15:04:01 executed programs: 519