Warning: Permanently added '10.128.1.19' (ED25519) to the list of known hosts.
[ 37.370066][ T24] audit: type=1400 audit(1740744800.940:66): avc: denied { execmem } for pid=297 comm="syz-executor103" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 37.389607][ T24] audit: type=1400 audit(1740744800.940:67): avc: denied { mounton } for pid=297 comm="syz-executor103" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 37.414581][ T24] audit: type=1400 audit(1740744800.940:68): avc: denied { mount } for pid=297 comm="syz-executor103" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 37.422518][ T299] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 37.437839][ T24] audit: type=1400 audit(1740744800.940:69): avc: denied { setattr } for pid=297 comm="syz-executor103" name="raw-gadget" dev="devtmpfs" ino=249 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 37.469426][ T24] audit: type=1400 audit(1740744801.010:70): avc: denied { relabelto } for pid=299 comm="mkswap" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 37.494688][ T24] audit: type=1400 audit(1740744801.010:71): avc: denied { write } for pid=299 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 37.523559][ T24] audit: type=1400 audit(1740744801.100:72): avc: denied { read } for pid=297 comm="syz-executor103" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 37.549249][ T24] audit: type=1400 audit(1740744801.100:73): avc: denied { open } for pid=297 comm="syz-executor103" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 37.575273][ T297] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 37.584789][ T24] audit: type=1400 audit(1740744801.150:74): avc: denied { mounton } for pid=300 comm="syz-executor103" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 37.606595][ T24] audit: type=1400 audit(1740744801.150:75): avc: denied { module_request } for pid=300 comm="syz-executor103" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 37.623962][ T300] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.635045][ T300] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.642434][ T300] device bridge_slave_0 entered promiscuous mode
[ 37.649114][ T300] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.655935][ T300] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.663195][ T300] device bridge_slave_1 entered promiscuous mode
[ 37.699726][ T300] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.706568][ T300] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.713691][ T300] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.720476][ T300] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.738548][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.745571][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.752730][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.759987][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.769513][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.777485][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.784346][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.792872][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.800961][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.807809][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.819531][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.828443][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.842148][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.853374][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.861476][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 37.868766][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 37.876683][ T300] device veth0_vlan entered promiscuous mode
[ 37.886571][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.895441][ T300] device veth1_macvtap entered promiscuous mode
executing program
[ 37.905077][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.914798][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 37.931532][ T300] request_module fs-gadgetfs succeeded, but still no fs?
[ 38.113260][ T300] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor103: inode #1: comm syz-executor103: iget: illegal inode #
[ 38.127189][ T300] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor103: error while reading EA inode 1 err=-117
[ 38.140018][ T300] EXT4-fs (loop0): 1 orphan inode deleted
[ 38.145567][ T300] EXT4-fs (loop0): mounted filesystem without journal. Opts: nombcache,noinit_itable,,errors=continue
[ 38.158851][ T300] ==================================================================
[ 38.166757][ T300] BUG: KASAN: use-after-free in ext4_insert_dentry+0x392/0x710
[ 38.174270][ T300] Write of size 250 at addr ffff88810e864f14 by task syz-executor103/300
[ 38.182501][ T300]
[ 38.184697][ T300] CPU: 1 PID: 300 Comm: syz-executor103 Not tainted 5.10.234-syzkaller-00023-g3f5f2283d684 #0
[ 38.194759][ T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 38.204644][ T300] Call Trace:
[ 38.207789][ T300] dump_stack_lvl+0x1e2/0x24b
[ 38.212285][ T300] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 38.217572][ T300] ? panic+0x812/0x812
[ 38.221481][ T300] ? __ext4_handle_dirty_metadata+0x2de/0x810
[ 38.227381][ T300] print_address_description+0x81/0x3b0
[ 38.232767][ T300] kasan_report+0x179/0x1c0
[ 38.237103][ T300] ? ext4_insert_dentry+0x392/0x710
[ 38.242144][ T300] ? ext4_insert_dentry+0x392/0x710
[ 38.247170][ T300] kasan_check_range+0x293/0x2a0
[ 38.251948][ T300] ? ext4_insert_dentry+0x392/0x710
[ 38.256975][ T300] memcpy+0x44/0x70
[ 38.260624][ T300] ext4_insert_dentry+0x392/0x710
[ 38.265492][ T300] add_dirent_to_buf+0x3ac/0x780
[ 38.270285][ T300] ? ext4_dx_add_entry+0x1600/0x1600
[ 38.275379][ T300] ? ext4_handle_dirty_dx_node+0x41c/0x580
[ 38.281043][ T300] make_indexed_dir+0xe9f/0x1500
[ 38.285795][ T300] ? add_dirent_to_buf+0x780/0x780
[ 38.290747][ T300] ? add_dirent_to_buf+0x36f/0x780
[ 38.295718][ T300] ? ext4_dx_add_entry+0x1600/0x1600
[ 38.300813][ T300] ? __kasan_check_read+0x11/0x20
[ 38.305674][ T300] ? __ext4_read_dirblock+0x4d8/0x8c0
[ 38.310884][ T300] ext4_add_entry+0xdcf/0x1280
[ 38.315475][ T300] ? ext4_inc_count+0x190/0x190
[ 38.320164][ T300] ? ext4_init_new_dir+0x7c8/0xa20
[ 38.325111][ T300] ? ext4_init_dot_dotdot+0x500/0x500
[ 38.330319][ T300] ext4_mkdir+0x4d2/0xba0
[ 38.334501][ T300] ? ext4_symlink+0xe40/0xe40
[ 38.339008][ T300] ? selinux_inode_mkdir+0x22/0x30
[ 38.343966][ T300] ? security_inode_mkdir+0xbc/0x100
[ 38.349066][ T300] vfs_mkdir+0x4cf/0x6c0
[ 38.353147][ T300] do_mkdirat+0x1a6/0x2c0
[ 38.357314][ T300] ? do_mknodat+0x450/0x450
[ 38.361654][ T300] ? __x64_sys_creat+0x11f/0x160
[ 38.366429][ T300] ? debug_smp_processor_id+0x17/0x20
[ 38.371635][ T300] __x64_sys_mkdirat+0x7b/0x90
[ 38.376234][ T300] do_syscall_64+0x34/0x70
[ 38.380497][ T300] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 38.386212][ T300] RIP: 0033:0x7f4b163ae169
[ 38.390468][ T300] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 38.409920][ T300] RSP: 002b:00007ffd57e9d098 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 38.418155][ T300] RAX: ffffffffffffffda RBX: 00007f4b163f2611 RCX: 00007f4b163ae169
[ 38.425961][ T300] RDX: 0000000000000000 RSI: 00004000000005c0 RDI: 00000000ffffff9c
[ 38.433785][ T300] RBP: 00007f4b163f25e1 R08: 00007f4b163f2468 R09: 00007f4b163f2468
[ 38.441586][ T300] R10: 00007f4b163f2468 R11: 0000000000000246 R12: 00007f4b163f2468
[ 38.449397][ T300] R13: 00007f4b163f2562 R14: 0000000000000001 R15: 00007ffd57e9d0f0
[ 38.457208][ T300]
[ 38.459374][ T300] The buggy address belongs to the page:
[ 38.464867][ T300] page:ffffea00043a1900 refcount:3 mapcount:0 mapping:ffff888109392490 index:0x3f pfn:0x10e864
[ 38.475089][ T300] aops:def_blk_aops ino:0
[ 38.479254][ T300] flags: 0x400000000000202a(referenced|dirty|active|private)
[ 38.486462][ T300] raw: 400000000000202a dead000000000100 dead000000000122 ffff888109392490
[ 38.494881][ T300] raw: 000000000000003f ffff88811bf52738 00000003ffffffff ffff88810013e000
[ 38.503291][ T300] page dumped because: kasan: bad access detected
[ 38.509540][ T300] page->mem_cgroup:ffff88810013e000
[ 38.514583][ T300] page_owner tracks the page as allocated
[ 38.520148][ T300] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 300, ts 38158720840, free_ts 31670241395
[ 38.536982][ T300] prep_new_page+0x166/0x180
[ 38.541400][ T300] get_page_from_freelist+0x2d8c/0x2f30
[ 38.546780][ T300] __alloc_pages_nodemask+0x435/0xaf0
[ 38.551994][ T300] pagecache_get_page+0x669/0x950
[ 38.556947][ T300] __getblk_gfp+0x221/0x7e0
[ 38.561280][ T300] ext4_getblk+0x259/0x660
[ 38.565528][ T300] ext4_bread+0x2f/0x1b0
[ 38.569609][ T300] ext4_append+0x29a/0x4d0
[ 38.573866][ T300] make_indexed_dir+0x505/0x1500
[ 38.578643][ T300] ext4_add_entry+0xdcf/0x1280
[ 38.583237][ T300] ext4_mkdir+0x4d2/0xba0
[ 38.587407][ T300] vfs_mkdir+0x4cf/0x6c0
[ 38.591481][ T300] do_mkdirat+0x1a6/0x2c0
[ 38.595650][ T300] __x64_sys_mkdirat+0x7b/0x90
[ 38.600247][ T300] do_syscall_64+0x34/0x70
[ 38.604496][ T300] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 38.610225][ T300] page last free stack trace:
[ 38.614745][ T300] free_unref_page_prepare+0x2ae/0x2d0
[ 38.620033][ T300] free_unref_page_list+0x122/0xb20
[ 38.625066][ T300] release_pages+0xea0/0xef0
[ 38.629493][ T300] free_pages_and_swap_cache+0x8a/0xa0
[ 38.634794][ T300] tlb_finish_mmu+0x177/0x320
[ 38.639304][ T300] unmap_region+0x31c/0x370
[ 38.643638][ T300] __do_munmap+0x699/0x8c0
[ 38.647905][ T300] __se_sys_brk+0x3cf/0x730
[ 38.652230][ T300] __x64_sys_brk+0x38/0x40
[ 38.656484][ T300] do_syscall_64+0x34/0x70
[ 38.660742][ T300] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 38.666462][ T300]
[ 38.668630][ T300] Memory state around the buggy address:
[ 38.674103][ T300] ffff88810e864f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.682003][ T300] ffff88810e864f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.689901][ T300] >ffff88810e865000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.697800][ T300] ^
[ 38.701705][ T300] ffff88810e865080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.709601][ T300] ffff88810e865100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.717505][ T300] ==================================================================
[ 38.725407][ T300] Disabling lock debugging due to kernel taint