Warning: Permanently added '10.128.1.172' (ED25519) to the list of known hosts.
Setting up swapspace version 1, size = 127995904 bytes
[ 20.857380][ T24] audit: type=1400 audit(1740489492.330:66): avc: denied { execmem } for pid=281 comm="syz-executor110" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 20.863699][ T24] audit: type=1400 audit(1740489492.330:67): avc: denied { mounton } for pid=281 comm="syz-executor110" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 20.872266][ T24] audit: type=1400 audit(1740489492.330:68): avc: denied { mount } for pid=281 comm="syz-executor110" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 20.873391][ T283] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 20.886754][ T24] audit: type=1400 audit(1740489492.330:69): avc: denied { setattr } for pid=281 comm="syz-executor110" name="raw-gadget" dev="devtmpfs" ino=249 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.918284][ T24] audit: type=1400 audit(1740489492.370:70): avc: denied { relabelto } for pid=283 comm="mkswap" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 20.918311][ T281] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 20.943770][ T24] audit: type=1400 audit(1740489492.370:71): avc: denied { write } for pid=283 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 20.977805][ T24] audit: type=1400 audit(1740489492.380:72): avc: denied { read } for pid=281 comm="syz-executor110" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 21.003504][ T24] audit: type=1400 audit(1740489492.380:73): avc: denied { open } for pid=281 comm="syz-executor110" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 21.013785][ T284] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.029596][ T24] audit: type=1400 audit(1740489492.450:74): avc: denied { mounton } for pid=284 comm="syz-executor110" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 21.029611][ T24] audit: type=1400 audit(1740489492.450:75): avc: denied { module_request } for pid=284 comm="syz-executor110" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 21.079541][ T284] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.086890][ T284] device bridge_slave_0 entered promiscuous mode
[ 21.093701][ T284] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.100628][ T284] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.107949][ T284] device bridge_slave_1 entered promiscuous mode
[ 21.139809][ T284] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.146682][ T284] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.153799][ T284] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.160711][ T284] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.176791][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.183843][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.190875][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 21.198469][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 21.207419][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 21.215601][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.222459][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.230949][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 21.239180][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.246031][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.257483][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 21.266392][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 21.278535][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 21.289465][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 21.297793][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 21.305421][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 21.313650][ T284] device veth0_vlan entered promiscuous mode
[ 21.322981][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 21.332037][ T284] device veth1_macvtap entered promiscuous mode
[ 21.340800][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 21.350847][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 21.368368][ T284] request_module fs-gadgetfs succeeded, but still no fs?
[ 21.464010][ T284] EXT4-fs (loop0): Ignoring removed orlov option
[ 21.471897][ T284] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor110: inode #1: comm syz-executor110: iget: illegal inode #
[ 21.485918][ T284] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor110: error while reading EA inode 1 err=-117
[ 21.498984][ T284] EXT4-fs (loop0): 1 orphan inode deleted
[ 21.504789][ T284] EXT4-fs (loop0): mounted filesystem without journal. Opts: journal_ioprio=0x0000000000000005,nogrpid,orlov,minixdf,resgid=0x0000000000000000,stripe=0x0000000000000006,usrjquota=,,errors=continue
[ 21.526812][ T284] ==================================================================
[ 21.534895][ T284] BUG: KASAN: use-after-free in ext4_insert_dentry+0x392/0x710
[ 21.542407][ T284] Write of size 251 at addr ffff88811c971f14 by task syz-executor110/284
[ 21.550704][ T284]
[ 21.552969][ T284] CPU: 1 PID: 284 Comm: syz-executor110 Not tainted 5.10.234-syzkaller-00023-g3f5f2283d684 #0
[ 21.563033][ T284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 21.573120][ T284] Call Trace:
[ 21.576347][ T284] dump_stack_lvl+0x1e2/0x24b
[ 21.580860][ T284] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 21.586174][ T284] ? panic+0x812/0x812
[ 21.590078][ T284] ? __ext4_handle_dirty_metadata+0x2de/0x810
[ 21.595961][ T284] print_address_description+0x81/0x3b0
[ 21.601359][ T284] kasan_report+0x179/0x1c0
[ 21.605691][ T284] ? ext4_insert_dentry+0x392/0x710
[ 21.610721][ T284] ? ext4_insert_dentry+0x392/0x710
[ 21.615757][ T284] kasan_check_range+0x293/0x2a0
[ 21.620528][ T284] ? ext4_insert_dentry+0x392/0x710
[ 21.625640][ T284] memcpy+0x44/0x70
[ 21.629211][ T284] ext4_insert_dentry+0x392/0x710
[ 21.634075][ T284] add_dirent_to_buf+0x3ac/0x780
[ 21.638863][ T284] ? ext4_dx_add_entry+0x1600/0x1600
[ 21.643968][ T284] ? ext4_handle_dirty_dx_node+0x41c/0x580
[ 21.649713][ T284] make_indexed_dir+0xe9f/0x1500
[ 21.654471][ T284] ? add_dirent_to_buf+0x780/0x780
[ 21.659419][ T284] ? add_dirent_to_buf+0x36f/0x780
[ 21.664453][ T284] ? ext4_dx_add_entry+0x1600/0x1600
[ 21.669580][ T284] ? __kasan_check_read+0x11/0x20
[ 21.674523][ T284] ? __ext4_read_dirblock+0x4d8/0x8c0
[ 21.679734][ T284] ext4_add_entry+0xdcf/0x1280
[ 21.684422][ T284] ? memcpy+0x56/0x70
[ 21.688238][ T284] ? ext4_inc_count+0x190/0x190
[ 21.692933][ T284] ? dquot_initialize+0x20/0x20
[ 21.697618][ T284] ext4_add_nondir+0x97/0x270
[ 21.702222][ T284] ? memcpy+0x56/0x70
[ 21.706041][ T284] ext4_symlink+0x911/0xe40
[ 21.710412][ T284] ? ext4_unlink+0x3f0/0x3f0
[ 21.714818][ T284] ? selinux_inode_symlink+0x22/0x30
[ 21.719937][ T284] ? security_inode_symlink+0xb8/0x100
[ 21.725224][ T284] vfs_symlink+0x367/0x4f0
[ 21.729477][ T284] do_symlinkat+0x19b/0x400
[ 21.734169][ T284] ? do_mkdirat+0x2c0/0x2c0
[ 21.738593][ T284] ? debug_smp_processor_id+0x17/0x20
[ 21.743806][ T284] __x64_sys_symlink+0x60/0x70
[ 21.748573][ T284] do_syscall_64+0x34/0x70
[ 21.753105][ T284] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 21.758820][ T284] RIP: 0033:0x7f52c5e7cc69
[ 21.763070][ T284] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 21.782941][ T284] RSP: 002b:00007ffeaa0734e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
[ 21.791184][ T284] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f52c5e7cc69
[ 21.799002][ T284] RDX: 0000000000000000 RSI: 0000400000000cc0 RDI: 0000400000000dc0
[ 21.806825][ T284] RBP: 00007f52c5ec162e R08: 00007f52c5ec165e R09: 00007f52c5ec165e
[ 21.814626][ T284] R10: 00007f52c5ec165e R11: 0000000000000246 R12: 00007f52c5ec15af
[ 21.822436][ T284] R13: 00007ffeaa073550 R14: 00007f52c5ec147a R15: 00007ffeaa073528
[ 21.830244][ T284]
[ 21.832411][ T284] The buggy address belongs to the page:
[ 21.837989][ T284] page:ffffea0004725c40 refcount:3 mapcount:0 mapping:ffff8881091a0b10 index:0x3f pfn:0x11c971
[ 21.848217][ T284] aops:def_blk_aops ino:0
[ 21.852382][ T284] flags: 0x400000000000201a(referenced|dirty|lru|private)
[ 21.859505][ T284] raw: 400000000000201a ffffea00044b46c8 ffff888100194020 ffff8881091a0b10
[ 21.867923][ T284] raw: 000000000000003f ffff88811bf36930 00000003ffffffff ffff88810013e000
[ 21.876339][ T284] page dumped because: kasan: bad access detected
[ 21.882586][ T284] page->mem_cgroup:ffff88810013e000
[ 21.887622][ T284] page_owner tracks the page as allocated
[ 21.893188][ T284] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 284, ts 21526652651, free_ts 15325588372
[ 21.910295][ T284] prep_new_page+0x166/0x180
[ 21.914717][ T284] get_page_from_freelist+0x2d8c/0x2f30
[ 21.920280][ T284] __alloc_pages_nodemask+0x435/0xaf0
[ 21.925481][ T284] pagecache_get_page+0x669/0x950
[ 21.930340][ T284] __getblk_gfp+0x221/0x7e0
[ 21.934682][ T284] ext4_getblk+0x259/0x660
[ 21.938934][ T284] ext4_bread+0x2f/0x1b0
[ 21.943012][ T284] ext4_append+0x29a/0x4d0
[ 21.947274][ T284] make_indexed_dir+0x505/0x1500
[ 21.952129][ T284] ext4_add_entry+0xdcf/0x1280
[ 21.956740][ T284] ext4_add_nondir+0x97/0x270
[ 21.961412][ T284] ext4_symlink+0x911/0xe40
[ 21.965842][ T284] vfs_symlink+0x367/0x4f0
[ 21.970094][ T284] do_symlinkat+0x19b/0x400
[ 21.974434][ T284] __x64_sys_symlink+0x60/0x70
[ 21.979214][ T284] do_syscall_64+0x34/0x70
[ 21.983459][ T284] page last free stack trace:
[ 21.987974][ T284] free_unref_page_prepare+0x2ae/0x2d0
[ 21.993266][ T284] free_unref_page_list+0x122/0xb20
[ 21.998303][ T284] release_pages+0xea0/0xef0
[ 22.002730][ T284] free_pages_and_swap_cache+0x8a/0xa0
[ 22.008112][ T284] tlb_finish_mmu+0x177/0x320
[ 22.012627][ T284] exit_mmap+0x306/0x560
[ 22.016715][ T284] __mmput+0x95/0x2d0
[ 22.020608][ T284] mmput+0x59/0x170
[ 22.024267][ T284] do_exit+0xbda/0x2a50
[ 22.028429][ T284] do_group_exit+0x141/0x310
[ 22.032939][ T284] __x64_sys_exit_group+0x3f/0x40
[ 22.037798][ T284] do_syscall_64+0x34/0x70
[ 22.042052][ T284] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 22.047772][ T284]
[ 22.049944][ T284] Memory state around the buggy address:
[ 22.055419][ T284] ffff88811c971f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.063319][ T284] ffff88811c971f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.071330][ T284] >ffff88811c972000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.079244][ T284] ^
[ 22.083134][ T284] ffff88811c972080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.091030][ T284] ffff88811c972100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.099194][ T284] ==================================================================
[ 22.107087][ T284] Disabling lock debugging due to kernel taint