./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3391365127 <...> Warning: Permanently added '10.128.0.133' (ED25519) to the list of known hosts. execve("./syz-executor3391365127", ["./syz-executor3391365127"], 0x7ffe0a5595c0 /* 10 vars */) = 0 brk(NULL) = 0x5555560bc000 brk(0x5555560bcd00) = 0x5555560bcd00 arch_prctl(ARCH_SET_FS, 0x5555560bc380) = 0 set_tid_address(0x5555560bc650) = 294 set_robust_list(0x5555560bc660, 24) = 0 rseq(0x5555560bcca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3391365127", 4096) = 28 getrandom("\xc3\x01\x06\x2f\x94\x39\xbe\x21", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555560bcd00 brk(0x5555560ddd00) = 0x5555560ddd00 brk(0x5555560de000) = 0x5555560de000 mprotect(0x7f7e5b63b000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18executing program ) = 18 openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 ioctl(3, TUNSETIFF, 0x200000000040) = 0 socket(AF_NETLINK, SOCK_RAW, 0) = 4 socket(AF_UNIX, SOCK_STREAM, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="syzkaller0", ifr_ifindex=15}) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x38\x00\x00\x00\x24\x00\x41\x65\x10\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x01\x00\xff\xff\xff\xff\x00\x00\x0f\x00\x0b\x00\x01\x00\x6d\x75\x6c\x74\x69\x71\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00", iov_len=56}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 56 [ 22.739589][ T30] audit: type=1400 audit(1744723531.019:66): avc: denied { execmem } for pid=294 comm="syz-executor339" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 22.763646][ T294] ================================================================== [ 22.767310][ T30] audit: type=1400 audit(1744723531.039:67): avc: denied { read } for pid=139 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 22.771528][ T294] BUG: KASAN: slab-out-of-bounds in tc_setup_flow_action+0xb9d/0x3430 [ 22.771570][ T294] Read of size 8 at addr ffff88810c65a1c0 by task syz-executor339/294 [ 22.808158][ T294] [ 22.810323][ T294] CPU: 1 PID: 294 Comm: syz-executor339 Not tainted 5.15.178-syzkaller-00496-g610bd6013c81 #0 [ 22.820396][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 22.830301][ T294] Call Trace: [ 22.833423][ T294] [ 22.836195][ T294] dump_stack_lvl+0x151/0x1c0 [ 22.840705][ T294] ? io_uring_drop_tctx_refs+0x190/0x190 [ 22.846177][ T294] ? panic+0x760/0x760 [ 22.850118][ T294] print_address_description+0x87/0x3b0 [ 22.855464][ T294] kasan_report+0x179/0x1c0 [ 22.859798][ T294] ? tc_setup_flow_action+0xb9d/0x3430 [ 22.865095][ T294] ? tc_setup_flow_action+0xb9d/0x3430 [ 22.870388][ T294] __asan_report_load8_noabort+0x14/0x20 [ 22.875854][ T294] tc_setup_flow_action+0xb9d/0x3430 [ 22.880980][ T294] mall_replace_hw_filter+0x394/0xc20 [ 22.886183][ T294] ? mall_set_parms+0x4b0/0x4b0 [ 22.890867][ T294] ? tcf_exts_destroy+0xb0/0xb0 [ 22.895554][ T294] ? pcpu_memcg_post_alloc_hook+0x1b1/0x260 [ 22.901284][ T294] ? pcpu_alloc+0xda0/0x13e0 [ 22.905709][ T294] ? mall_set_parms+0x1c3/0x4b0 [ 22.910404][ T294] mall_change+0x56e/0x780 [ 22.914660][ T294] ? mall_get+0xb0/0xb0 [ 22.918655][ T294] ? tcf_chain_tp_insert_unique+0xa90/0xbb0 [ 22.924371][ T294] ? nla_strcmp+0xed/0x120 [ 22.928624][ T294] ? mall_get+0xb0/0xb0 [ 22.932621][ T294] tc_new_tfilter+0x151a/0x1c00 [ 22.937307][ T294] ? tcf_gate_entry_destructor+0x20/0x20 [ 22.942774][ T294] ? security_capable+0x87/0xb0 [ 22.947474][ T294] ? ns_capable+0x89/0xe0 [ 22.951625][ T294] ? netlink_net_capable+0x125/0x160 [ 22.956743][ T294] ? tcf_gate_entry_destructor+0x20/0x20 [ 22.962212][ T294] rtnetlink_rcv_msg+0x776/0xc40 [ 22.966988][ T294] ? rtnetlink_bind+0x80/0x80 [ 22.971498][ T294] ? stack_trace_save+0x1c0/0x1c0 [ 22.976357][ T294] ? __kernel_text_address+0x9b/0x110 [ 22.981567][ T294] ? unwind_get_return_address+0x4d/0x90 [ 22.987062][ T294] ? avc_has_perm_noaudit+0x348/0x430 [ 22.992243][ T294] ? memcpy+0x56/0x70 [ 22.996060][ T294] ? avc_has_perm_noaudit+0x2dd/0x430 [ 23.001268][ T294] ? avc_denied+0x1b0/0x1b0 [ 23.005702][ T294] ? avc_has_perm+0x16f/0x260 [ 23.010222][ T294] ? ____kasan_kmalloc+0xed/0x110 [ 23.015069][ T294] ? avc_has_perm_noaudit+0x430/0x430 [ 23.020278][ T294] ? x64_sys_call+0x16a/0x9a0 [ 23.024799][ T294] netlink_rcv_skb+0x1cf/0x410 [ 23.029391][ T294] ? rtnetlink_bind+0x80/0x80 [ 23.033904][ T294] ? netlink_ack+0xb10/0xb10 [ 23.038338][ T294] ? __netlink_lookup+0x4af/0x510 [ 23.043190][ T294] ? netlink_autobind+0x1a0/0x1a0 [ 23.048052][ T294] ? selinux_vm_enough_memory+0x170/0x170 [ 23.053605][ T294] rtnetlink_rcv+0x1c/0x20 [ 23.057857][ T294] netlink_unicast+0x8df/0xac0 [ 23.062458][ T294] ? netlink_detachskb+0x90/0x90 [ 23.067234][ T294] ? security_netlink_send+0x7b/0xa0 [ 23.072353][ T294] netlink_sendmsg+0xa0a/0xd20 [ 23.076954][ T294] ? netlink_getsockopt+0x560/0x560 [ 23.081985][ T294] ? security_socket_sendmsg+0x82/0xb0 [ 23.087282][ T294] ? netlink_getsockopt+0x560/0x560 [ 23.092313][ T294] ____sys_sendmsg+0x59e/0x8f0 [ 23.096916][ T294] ? __sys_sendmsg_sock+0x40/0x40 [ 23.101775][ T294] ? import_iovec+0xe5/0x120 [ 23.106202][ T294] ___sys_sendmsg+0x252/0x2e0 [ 23.110715][ T294] ? __sys_sendmsg+0x260/0x260 [ 23.115672][ T294] ? cgroup_leave_frozen+0x164/0x2c0 [ 23.120783][ T294] ? __kasan_check_read+0x11/0x20 [ 23.125641][ T294] ? __fdget+0x179/0x240 [ 23.129722][ T294] __se_sys_sendmsg+0x19a/0x260 [ 23.134415][ T294] ? __x64_sys_sendmsg+0x90/0x90 [ 23.139182][ T294] ? ptrace_notify+0x24c/0x350 [ 23.143786][ T294] ? __kasan_check_write+0x14/0x20 [ 23.148838][ T294] __x64_sys_sendmsg+0x7b/0x90 [ 23.153442][ T294] x64_sys_call+0x16a/0x9a0 [ 23.157773][ T294] do_syscall_64+0x3b/0xb0 [ 23.162037][ T294] ? clear_bhb_loop+0x35/0x90 [ 23.166545][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 23.172270][ T294] RIP: 0033:0x7f7e5b5c87a9 [ 23.176525][ T294] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 23.195964][ T294] RSP: 002b:00007ffe6d62ff08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 23.204209][ T294] RAX: ffffffffffffffda RBX: 00007ffe6d6300d8 RCX: 00007f7e5b5c87a9 [ 23.212019][ T294] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000004 [ 23.219938][ T294] RBP: 00007f7e5b63b610 R08: 0000000000000004 R09: 00007ffe6d6300d8 [ 23.227750][ T294] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000001 [ 23.235562][ T294] R13: 00007ffe6d6300c8 R14: 0000000000000001 R15: 0000000000000001 [ 23.243378][ T294] [ 23.246326][ T294] [ 23.248495][ T294] Allocated by task 294: [ 23.252572][ T294] ____kasan_kmalloc+0xdb/0x110 [ 23.257267][ T294] __kasan_kmalloc+0x9/0x10 [ 23.261598][ T294] __kmalloc+0x13f/0x2c0 [ 23.265679][ T294] tcf_idr_create+0x5f/0x780 [ 23.270106][ T294] tcf_idr_create_from_flags+0x5f/0x70 [ 23.275400][ T294] tcf_gact_init+0x3cd/0x6e0 [ 23.279825][ T294] tcf_action_init_1+0x50f/0x7f0 [ 23.284600][ T294] tcf_action_init+0x306/0x840 [ 23.289200][ T294] tcf_exts_validate+0x236/0x520 [ 23.293978][ T294] mall_set_parms+0x44/0x4b0 [ 23.298399][ T294] mall_change+0x495/0x780 [ 23.302652][ T294] tc_new_tfilter+0x151a/0x1c00 [ 23.307337][ T294] rtnetlink_rcv_msg+0x776/0xc40 [ 23.312113][ T294] netlink_rcv_skb+0x1cf/0x410 [ 23.316714][ T294] rtnetlink_rcv+0x1c/0x20 [ 23.320965][ T294] netlink_unicast+0x8df/0xac0 [ 23.325575][ T294] netlink_sendmsg+0xa0a/0xd20 [ 23.330168][ T294] ____sys_sendmsg+0x59e/0x8f0 [ 23.334773][ T294] ___sys_sendmsg+0x252/0x2e0 [ 23.339278][ T294] __se_sys_sendmsg+0x19a/0x260 [ 23.343987][ T294] __x64_sys_sendmsg+0x7b/0x90 [ 23.348565][ T294] x64_sys_call+0x16a/0x9a0 [ 23.352903][ T294] do_syscall_64+0x3b/0xb0 [ 23.357156][ T294] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 23.362886][ T294] [ 23.365056][ T294] The buggy address belongs to the object at ffff88810c65a100 [ 23.365056][ T294] which belongs to the cache kmalloc-192 of size 192 [ 23.378941][ T294] The buggy address is located 0 bytes to the right of [ 23.378941][ T294] 192-byte region [ffff88810c65a100, ffff88810c65a1c0) [ 23.392396][ T294] The buggy address belongs to the page: [ 23.397894][ T294] page:ffffea0004319680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c65a [ 23.407931][ T294] flags: 0x4000000000000200(slab|zone=1) [ 23.413407][ T294] raw: 4000000000000200 ffffea00042b4000 0000000b0000000b ffff888100042c00 [ 23.421823][ T294] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 23.430238][ T294] page dumped because: kasan: bad access detected [ 23.436496][ T294] page_owner tracks the page as allocated [ 23.442046][ T294] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 3718510070, free_ts 0 [ 23.456710][ T294] post_alloc_hook+0x1a3/0x1b0 [ 23.461310][ T294] prep_new_page+0x1b/0x110 [ 23.465648][ T294] get_page_from_freelist+0x3550/0x35d0 [ 23.471030][ T294] __alloc_pages+0x27e/0x8f0 [ 23.475453][ T294] new_slab+0x9a/0x4e0 [ 23.479360][ T294] ___slab_alloc+0x39e/0x830 [ 23.483786][ T294] __slab_alloc+0x4a/0x90 [ 23.487954][ T294] __kmalloc+0x172/0x2c0 [ 23.492031][ T294] security_get_permissions+0x9f/0x370 [ 23.497325][ T294] sel_make_policy_nodes+0x116a/0x1b30 [ 23.502621][ T294] sel_write_load+0x3b0/0x5a0 [ 23.507137][ T294] vfs_write+0x406/0x1110 [ 23.511300][ T294] ksys_write+0x199/0x2c0 [ 23.515467][ T294] __x64_sys_write+0x7b/0x90 [ 23.519893][ T294] x64_sys_call+0x2f/0x9a0 [ 23.524144][ T294] do_syscall_64+0x3b/0xb0 [ 23.528398][ T294] page_owner free stack trace missing [ 23.533735][ T294] [ 23.535896][ T294] Memory state around the buggy address: [ 23.541374][ T294] ffff88810c65a080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.549268][ T294] ffff88810c65a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.557167][ T294] >ffff88810c65a180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 23.565059][ T294] ^ [ 23.571056][ T294] ffff88810c65a200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.578958][ T294] ffff88810c65a280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x84\x00\x00\x00\x2c\x00\x27\x0d\x29\xbd\x31\x00\xfd\xdb\xdf\x25\x00\x00\x00\x00\x0f\x00\x00\x00\x0c\x00\x06\x00\x00\x00\x00\x00\x07\x00\xf3\xff\x0d\x00\x01\x00\x6d\x61\x74\x63\x68\x61\x6c\x6c\x00\x00\x00\x00\x50\x00\x02\x00\x4c\x00\x02\x00\x48\x00\x01\x00\x09\x00\x01\x00\x67\x61\x63\x74\x00\x00\x00\x00\x1c\x00\x02\x80\x18\x00\x02\x00\x5c\x65\x00\x00\x02\x00\x00\x00\xfe\xff\xff\x1f\x09\x00\x00\x00"..., iov_len=132}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_PROBE}, 0) = 132 exit_group(0) = ? +++ exited with 0 +++ [ 23.586846][ T294] =======================================================