[ 37.102097][ T47] device bridge_slave_0 left promiscuous mode
[ 37.108263][ T47] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.115901][ T47] device veth1_macvtap left promiscuous mode
[ 37.121858][ T47] device veth0_vlan left promiscuous mode
[ 38.608053][ T47] device bridge_slave_1 left promiscuous mode
[ 38.614104][ T47] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.621523][ T47] device bridge_slave_0 left promiscuous mode
[ 38.627754][ T47] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.635161][ T47] device veth1_macvtap left promiscuous mode
[ 38.641041][ T47] device veth0_vlan left promiscuous mode
Warning: Permanently added '10.128.15.207' (ED25519) to the list of known hosts.
2025/03/27 02:39:06 ignoring optional flag "sandboxArg"="0"
2025/03/27 02:39:07 parsed 1 programs
[ 55.977578][ T23] kauditd_printk_skb: 31 callbacks suppressed
[ 55.977583][ T23] audit: type=1400 audit(1743043147.580:107): avc: denied { module_request } for pid=421 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 56.005338][ T23] audit: type=1400 audit(1743043147.580:108): avc: denied { mounton } for pid=421 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 56.030523][ T23] audit: type=1400 audit(1743043147.580:109): avc: denied { read write } for pid=421 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 56.058693][ T23] audit: type=1400 audit(1743043147.580:110): avc: denied { open } for pid=421 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 56.084911][ T23] audit: type=1400 audit(1743043147.610:111): avc: denied { unlink } for pid=421 comm="syz-executor" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 56.112193][ T23] audit: type=1400 audit(1743043147.610:112): avc: denied { relabelto } for pid=425 comm="mkswap" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 56.140270][ T421] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 56.444495][ T23] audit: type=1401 audit(1743043148.040:113): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
[ 56.587930][ T446] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.594877][ T446] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.602409][ T446] device bridge_slave_0 entered promiscuous mode
[ 56.609203][ T446] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.616664][ T446] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.624031][ T446] device bridge_slave_1 entered promiscuous mode
[ 56.656631][ T446] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.663850][ T446] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.671160][ T446] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.678141][ T446] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.693777][ T339] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.700792][ T339] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.709207][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 56.717368][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.726630][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 56.734632][ T339] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.741473][ T339] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.749472][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 56.757396][ T339] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.764321][ T339] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.774651][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 56.784665][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 56.796528][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 56.806955][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 56.815223][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 56.823368][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 56.832734][ T446] device veth0_vlan entered promiscuous mode
[ 56.842161][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 56.851019][ T446] device veth1_macvtap entered promiscuous mode
[ 56.859368][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 56.869929][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2025/03/27 02:39:08 executed programs: 0
[ 57.157064][ T474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.164278][ T474] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.171583][ T474] device bridge_slave_0 entered promiscuous mode
[ 57.178313][ T474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.185140][ T474] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.193523][ T474] device bridge_slave_1 entered promiscuous mode
[ 57.225097][ T474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.232365][ T474] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.239778][ T474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.247349][ T474] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.264244][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.271779][ T339] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.278911][ T339] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.287372][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.295690][ T339] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.302616][ T339] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.311285][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.319326][ T339] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.326398][ T339] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.342046][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.350804][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.367151][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 57.378266][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 57.385971][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 57.393364][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 57.402028][ T474] device veth0_vlan entered promiscuous mode
[ 57.415903][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 57.425048][ T474] device veth1_macvtap entered promiscuous mode
[ 57.434069][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 57.443778][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 57.463655][ T23] audit: type=1400 audit(1743043149.060:114): avc: denied { create } for pid=478 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 57.479804][ T479] ==================================================================
[ 57.485269][ T23] audit: type=1400 audit(1743043149.080:115): avc: denied { write } for pid=478 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 57.492303][ T479] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert.constprop.0+0x3e4/0x560
[ 57.492317][ T479] Read of size 1 at addr ffff8881128a53d8 by task syz.2.16/479
[ 57.492319][ T479]
[ 57.492330][ T479] CPU: 0 PID: 479 Comm: syz.2.16 Not tainted 5.10.234-syzkaller #0
[ 57.514884][ T23] audit: type=1400 audit(1743043149.080:116): avc: denied { nlmsg_write } for pid=478 comm="syz.2.16" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 57.522614][ T479] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 57.522631][ T479] Call Trace:
[ 57.522643][ T479] dump_stack_lvl+0x81/0xac
[ 57.522652][ T479] print_address_description.constprop.0+0x24/0x160
[ 57.522664][ T479] ? xfrm_policy_inexact_list_reinsert.constprop.0+0x3e4/0x560
[ 57.592077][ T479] kasan_report.cold+0x82/0xdb
[ 57.596761][ T479] ? kasan_save_stack+0x20/0x50
[ 57.601443][ T479] ? xfrm_policy_inexact_list_reinsert.constprop.0+0x3e4/0x560
[ 57.608833][ T479] __asan_report_load1_noabort+0x14/0x20
[ 57.614298][ T479] xfrm_policy_inexact_list_reinsert.constprop.0+0x3e4/0x560
[ 57.621712][ T479] ? ____sys_sendmsg+0x694/0x990
[ 57.626489][ T479] ? ___sys_sendmsg+0xfc/0x190
[ 57.631081][ T479] ? __sys_sendmsg+0xc3/0x160
[ 57.635682][ T479] xfrm_policy_inexact_insert_node.constprop.0+0x392/0xb40
[ 57.642710][ T479] xfrm_policy_inexact_alloc_chain.isra.0+0x2a2/0x620
[ 57.649495][ T479] xfrm_policy_inexact_insert+0x63/0xb50
[ 57.655037][ T479] ? __kasan_check_write+0x14/0x20
[ 57.659965][ T479] ? _raw_spin_lock_bh+0x86/0x110
[ 57.664848][ T479] ? _raw_spin_unlock_bh+0x60/0x60
[ 57.669784][ T479] xfrm_policy_insert+0x468/0x770
[ 57.674638][ T479] ? xfrm_policy_construct+0x121/0x7d0
[ 57.680022][ T479] xfrm_add_policy+0x3bf/0x830
[ 57.684611][ T479] ? xfrm_policy_construct+0x7d0/0x7d0
[ 57.690022][ T479] ? selinux_capable+0x44/0x70
[ 57.694681][ T479] ? security_capable+0x56/0xa0
[ 57.699545][ T479] xfrm_user_rcv_msg+0x2d9/0x850
[ 57.704694][ T479] ? unwind_get_return_address+0x58/0xa0
[ 57.710419][ T479] ? create_prof_cpu_mask+0x20/0x20
[ 57.715459][ T479] ? xfrm_user_state_lookup.constprop.0+0x320/0x320
[ 57.721986][ T479] ? ___sys_sendmsg+0xfc/0x190
[ 57.726665][ T479] ? __sys_sendmsg+0xc3/0x160
[ 57.731458][ T479] ? __x64_sys_sendmsg+0x73/0xb0
[ 57.736239][ T479] ? do_syscall_64+0x32/0x80
[ 57.740937][ T479] ? entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 57.747459][ T479] netlink_rcv_skb+0x133/0x3c0
[ 57.752044][ T479] ? memset+0x3c/0x50
[ 57.756198][ T479] ? xfrm_user_state_lookup.constprop.0+0x320/0x320
[ 57.763375][ T479] ? netlink_ack+0xa30/0xa30
[ 57.768007][ T479] ? __mutex_lock_slowpath+0x10/0x10
[ 57.773171][ T479] ? netlink_deliver_tap+0xa4/0x8d0
[ 57.778245][ T479] xfrm_netlink_rcv+0x68/0x90
[ 57.782822][ T479] netlink_unicast+0x4f8/0x810
[ 57.787569][ T479] ? netlink_attachskb+0x740/0x740
[ 57.792466][ T479] netlink_sendmsg+0x815/0xd10
[ 57.797078][ T479] ? netlink_unicast+0x810/0x810
[ 57.801852][ T479] ? netlink_unicast+0x810/0x810
[ 57.807097][ T479] __sock_sendmsg+0xb5/0xf0
[ 57.811860][ T479] ____sys_sendmsg+0x694/0x990
[ 57.818214][ T479] ? kernel_sendmsg+0x30/0x30
[ 57.824199][ T479] ? do_recvmmsg+0x570/0x570
[ 57.829519][ T479] ? __kasan_check_write+0x14/0x20
[ 57.835188][ T479] ___sys_sendmsg+0xfc/0x190
[ 57.839716][ T479] ? sendmsg_copy_msghdr+0x110/0x110
[ 57.844819][ T479] ? __local_bh_enable_ip+0x24/0x60
[ 57.849939][ T479] ? _raw_spin_unlock_bh+0x45/0x60
[ 57.854961][ T479] ? sock_setsockopt+0x29e/0x1f70
[ 57.859844][ T479] ? selinux_socket_setsockopt+0x202/0x2f0
[ 57.865651][ T479] ? futex_exit_release+0x200/0x200
[ 57.871189][ T479] ? __fget_light.part.0+0x19d/0x330
[ 57.876322][ T479] ? __fdget+0x8b/0x1d0
[ 57.880629][ T479] ? sockfd_lookup_light+0x1c/0x150
[ 57.885766][ T479] __sys_sendmsg+0xc3/0x160
[ 57.890095][ T479] ? __sys_sendmsg_sock+0x20/0x20
[ 57.895032][ T479] ? __kasan_check_write+0x14/0x20
[ 57.899981][ T479] ? switch_fpu_return+0xbf/0x1b0
[ 57.904836][ T479] __x64_sys_sendmsg+0x73/0xb0
[ 57.909434][ T479] ? syscall_exit_to_user_mode+0x2c/0x160
[ 57.915133][ T479] do_syscall_64+0x32/0x80
[ 57.919801][ T479] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 57.925538][ T479] RIP: 0033:0x7f4b9bbfcd29
[ 57.929781][ T479] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 57.950305][ T479] RSP: 002b:00007f4b9b66f038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 57.958871][ T479] RAX: ffffffffffffffda RBX: 00007f4b9be15fa0 RCX: 00007f4b9bbfcd29
[ 57.966735][ T479] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
[ 57.974706][ T479] RBP: 00007f4b9bc7e2a0 R08: 0000000000000000 R09: 0000000000000000
[ 57.982926][ T479] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 57.990863][ T479] R13: 0000000000000000 R14: 00007f4b9be15fa0 R15: 00007ffe199d1f78
[ 57.998667][ T479]
[ 58.000825][ T479] Allocated by task 479:
[ 58.005161][ T479] kasan_save_stack+0x26/0x50
[ 58.009622][ T479] __kasan_kmalloc+0xae/0xe0
[ 58.014034][ T479] __kmalloc+0x1cd/0x360
[ 58.018685][ T479] sk_prot_alloc+0xdb/0x300
[ 58.023700][ T479] sk_alloc+0x2c/0x550
[ 58.028086][ T479] pfkey_create+0x111/0x600
[ 58.033427][ T479] __sock_create+0x1c8/0x450
[ 58.038224][ T479] __sys_socket+0xdd/0x1d0
[ 58.042902][ T479] __x64_sys_socket+0x6e/0xb0
[ 58.047585][ T479] do_syscall_64+0x32/0x80
[ 58.051837][ T479] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 58.057747][ T479]
[ 58.060022][ T479] The buggy address belongs to the object at ffff8881128a5000
[ 58.060022][ T479] which belongs to the cache kmalloc-1k of size 1024
[ 58.074115][ T479] The buggy address is located 984 bytes inside of
[ 58.074115][ T479] 1024-byte region [ffff8881128a5000, ffff8881128a5400)
[ 58.087491][ T479] The buggy address belongs to the page:
[ 58.093001][ T479] page:ffffea00044a2800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1128a0
[ 58.103212][ T479] head:ffffea00044a2800 order:3 compound_mapcount:0 compound_pincount:0
[ 58.112446][ T479] flags: 0x4000000000010200(slab|head)
[ 58.120462][ T479] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042f00
[ 58.128946][ T479] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 58.138561][ T479] page dumped because: kasan: bad access detected
[ 58.144910][ T479] page_owner tracks the page as allocated
[ 58.151050][ T479] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 479, ts 57478739423, free_ts 57461476181
[ 58.171381][ T479] get_page_from_freelist+0x1fee/0x2ad0
[ 58.176779][ T479] __alloc_pages_nodemask+0x2ae/0x23d0
[ 58.182140][ T479] allocate_slab+0x30f/0x460
[ 58.186562][ T479] ___slab_alloc.constprop.0+0x32b/0x730
[ 58.192117][ T479] __kmalloc_track_caller+0x325/0x360
[ 58.197317][ T479] __alloc_skb+0x74/0x4d0
[ 58.201566][ T479] xfrm_send_policy_notify+0x47e/0x1470
[ 58.207186][ T479] km_policy_notify+0x5b/0xa0
[ 58.211872][ T479] xfrm_add_policy+0x4c5/0x830
[ 58.217381][ T479] xfrm_user_rcv_msg+0x2d9/0x850
[ 58.224118][ T479] netlink_rcv_skb+0x133/0x3c0
[ 58.229313][ T479] xfrm_netlink_rcv+0x68/0x90
[ 58.234114][ T479] netlink_unicast+0x4f8/0x810
[ 58.238782][ T479] netlink_sendmsg+0x815/0xd10
[ 58.243442][ T479] __sock_sendmsg+0xb5/0xf0
[ 58.248083][ T479] ____sys_sendmsg+0x694/0x990
[ 58.252677][ T479] page last free stack trace:
[ 58.257304][ T479] __free_pages_ok+0x44b/0x840
[ 58.262194][ T479] __free_pages+0xda/0xf0
[ 58.266390][ T479] __free_slab+0xde/0x1d0
[ 58.270699][ T479] discard_slab+0x2b/0x40
[ 58.274873][ T479] unfreeze_partials+0x1e1/0x240
[ 58.279636][ T479] put_cpu_partial+0xce/0x120
[ 58.284504][ T479] __slab_free+0x23f/0x560
[ 58.289090][ T479] ___cache_free+0x255/0x2b0
[ 58.293756][ T479] qlist_free_all+0x71/0x150
[ 58.298550][ T479] kasan_quarantine_reduce+0x15f/0x1c0
[ 58.303996][ T479] __kasan_slab_alloc+0xaa/0xc0
[ 58.308684][ T479] kmem_cache_alloc+0x15d/0x4f0
[ 58.313547][ T479] getname_flags.part.0+0x4d/0x480
[ 58.318647][ T479] user_path_at_empty+0x8e/0xf0
[ 58.323363][ T479] do_readlinkat+0xbf/0x2b0
[ 58.327940][ T479] __x64_sys_readlink+0x73/0xb0
[ 58.332628][ T479]
[ 58.334868][ T479] Memory state around the buggy address:
[ 58.340425][ T479] ffff8881128a5280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.348398][ T479] ffff8881128a5300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.356245][ T479] >ffff8881128a5380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 58.364214][ T479] ^
[ 58.371152][ T479] ffff8881128a5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.379132][ T479] ffff8881128a5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.387242][ T479] ==================================================================
[ 58.395114][ T479] Disabling lock debugging due to kernel taint
[ 58.620097][ T47] device bridge_slave_1 left promiscuous mode
[ 58.626372][ T47] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.633896][ T47] device bridge_slave_0 left promiscuous mode
[ 58.640363][ T47] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.648847][ T47] device veth1_macvtap left promiscuous mode
[ 58.654675][ T47] device veth0_vlan left promiscuous mode
2025/03/27 02:39:13 executed programs: 225
2025/03/27 02:39:18 executed programs: 525