Warning: Permanently added '10.128.1.38' (ED25519) to the list of known hosts.
2025/04/07 00:38:38 ignoring optional flag "sandboxArg"="0"
2025/04/07 00:38:39 parsed 1 programs
[   25.784647][   T23] audit: type=1400 audit(1743986319.590:66): avc:  denied  { node_bind } for  pid=351 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[   26.370817][   T23] audit: type=1400 audit(1743986320.180:67): avc:  denied  { mounton } for  pid=360 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   26.372383][  T360] cgroup1: Unknown subsys name 'net'
[   26.393272][   T23] audit: type=1400 audit(1743986320.180:68): avc:  denied  { mount } for  pid=360 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   26.398658][  T360] cgroup1: Unknown subsys name 'net_prio'
[   26.420949][   T23] audit: type=1400 audit(1743986320.230:69): avc:  denied  { read } for  pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[   26.426039][  T360] cgroup1: Unknown subsys name 'devices'
[   26.454350][   T23] audit: type=1400 audit(1743986320.260:70): avc:  denied  { unmount } for  pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   26.622862][  T360] cgroup1: Unknown subsys name 'hugetlb'
[   26.628514][  T360] cgroup1: Unknown subsys name 'rlimit'
[   26.829752][   T23] audit: type=1400 audit(1743986320.640:71): avc:  denied  { setattr } for  pid=360 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10828 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   26.852955][   T23] audit: type=1400 audit(1743986320.640:72): avc:  denied  { create } for  pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   26.873165][   T23] audit: type=1400 audit(1743986320.640:73): avc:  denied  { write } for  pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   26.893253][   T23] audit: type=1400 audit(1743986320.640:74): avc:  denied  { read } for  pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   26.900070][  T363] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
[   26.913371][   T23] audit: type=1400 audit(1743986320.640:75): avc:  denied  { module_request } for  pid=360 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[   27.046366][  T360] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   27.541300][  T372] request_module fs-gadgetfs succeeded, but still no fs?
[   27.730245][  T380] syz-executor (380) used greatest stack depth: 20024 bytes left
[   28.129107][  T413] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.136713][  T413] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.144139][  T413] device bridge_slave_0 entered promiscuous mode
[   28.150848][  T413] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.157660][  T413] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.165092][  T413] device bridge_slave_1 entered promiscuous mode
[   28.207314][  T413] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.214178][  T413] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.221340][  T413] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.228172][  T413] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.250156][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   28.257609][  T103] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.264716][  T103] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.273906][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.282667][  T103] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.289502][  T103] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.298205][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.306410][  T103] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.313251][  T103] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.326445][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   28.335953][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   28.352224][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   28.363456][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   28.376331][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   28.388632][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   28.399006][  T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   28.432676][  T413] syz-executor (413) used greatest stack depth: 19576 bytes left
2025/04/07 00:38:42 executed programs: 0
[   28.621683][  T431] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.628528][  T431] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.636034][  T431] device bridge_slave_0 entered promiscuous mode
[   28.642936][  T431] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.650263][  T431] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.657611][  T431] device bridge_slave_1 entered promiscuous mode
[   28.721035][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   28.728395][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   28.743749][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   28.751935][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   28.760320][    T9] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.767140][    T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.774512][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[   28.787914][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   28.796239][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   28.804405][    T9] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.811234][    T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.824065][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[   28.832197][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   28.844137][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   28.859648][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   28.874722][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   28.888114][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   28.903007][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   28.911455][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   28.931042][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   28.939816][    T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   29.849919][    T7] device bridge_slave_1 left promiscuous mode
[   29.855906][    T7] bridge0: port 2(bridge_slave_1) entered disabled state
[   29.863775][    T7] device bridge_slave_0 left promiscuous mode
[   29.869848][    T7] bridge0: port 1(bridge_slave_0) entered disabled state
[   44.020098][  T464] bridge0: port 1(bridge_slave_0) entered blocking state
[   44.027169][  T464] bridge0: port 1(bridge_slave_0) entered disabled state
[   44.034586][  T464] device bridge_slave_0 entered promiscuous mode
[   44.041264][  T464] bridge0: port 2(bridge_slave_1) entered blocking state
[   44.048075][  T464] bridge0: port 2(bridge_slave_1) entered disabled state
[   44.055461][  T464] device bridge_slave_1 entered promiscuous mode
[   44.097609][  T464] bridge0: port 2(bridge_slave_1) entered blocking state
[   44.104476][  T464] bridge0: port 2(bridge_slave_1) entered forwarding state
[   44.111613][  T464] bridge0: port 1(bridge_slave_0) entered blocking state
[   44.118436][  T464] bridge0: port 1(bridge_slave_0) entered forwarding state
[   44.139625][    T7] bridge0: port 1(bridge_slave_0) entered disabled state
[   44.146712][    T7] bridge0: port 2(bridge_slave_1) entered disabled state
[   44.153965][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   44.161192][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   44.170496][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   44.178495][    T7] bridge0: port 1(bridge_slave_0) entered blocking state
[   44.185341][    T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[   44.194383][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   44.202538][    T7] bridge0: port 2(bridge_slave_1) entered blocking state
[   44.209350][    T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[   44.223354][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   44.232504][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   44.248461][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   44.261028][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   44.274846][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   44.287389][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/04/07 00:38:58 executed programs: 3
[   44.297340][    T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   44.320320][  T464] ==================================================================
[   44.328306][  T464] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[   44.335248][  T464] Read of size 4 at addr ffff8881eafe9fb8 by task syz-executor/464
[   44.342950][  T464] 
[   44.345126][  T464] CPU: 1 PID: 464 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[   44.354963][  T464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[   44.364856][  T464] Call Trace:
[   44.367987][  T464]  dump_stack+0x1d8/0x241
[   44.372154][  T464]  ? nf_ct_l4proto_log_invalid+0x258/0x258
[   44.377840][  T464]  ? printk+0xd1/0x111
[   44.381708][  T464]  ? __mutex_lock+0xcd7/0x1060
[   44.386304][  T464]  print_address_description+0x8c/0x600
[   44.391694][  T464]  ? check_preemption_disabled+0x9f/0x320
[   44.397245][  T464]  ? __unwind_start+0x708/0x890
[   44.401940][  T464]  ? __mutex_lock+0xcd7/0x1060
[   44.406660][  T464]  __kasan_report+0xf3/0x120
[   44.411076][  T464]  ? __mutex_lock+0xcd7/0x1060
[   44.415671][  T464]  kasan_report+0x30/0x60
[   44.419844][  T464]  __mutex_lock+0xcd7/0x1060
[   44.424267][  T464]  ? kobject_get_unless_zero+0x229/0x320
[   44.429743][  T464]  ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[   44.436331][  T464]  ? __module_put_and_exit+0x20/0x20
[   44.441452][  T464]  ? up_read+0x6f/0x1b0
[   44.445452][  T464]  mutex_lock_killable+0xd8/0x110
[   44.450326][  T464]  ? __mutex_lock_interruptible_slowpath+0x10/0x10
[   44.456643][  T464]  ? mutex_lock+0xa5/0x110
[   44.460898][  T464]  ? mutex_trylock+0xa0/0xa0
[   44.465322][  T464]  lo_open+0x18/0xc0
[   44.469054][  T464]  __blkdev_get+0x3c8/0x1160
[   44.473481][  T464]  ? blkdev_get+0x3a0/0x3a0
[   44.477821][  T464]  ? _raw_spin_unlock+0x49/0x60
[   44.482508][  T464]  blkdev_get+0x2de/0x3a0
[   44.486762][  T464]  ? blkdev_open+0x173/0x290
[   44.491190][  T464]  ? block_ioctl+0xe0/0xe0
[   44.495442][  T464]  do_dentry_open+0x964/0x1130
[   44.500044][  T464]  ? finish_open+0xd0/0xd0
[   44.504302][  T464]  ? security_inode_permission+0xad/0xf0
[   44.509769][  T464]  ? memcpy+0x38/0x50
[   44.513613][  T464]  path_openat+0x29bf/0x34b0
[   44.518012][  T464]  ? stack_trace_save+0x118/0x1c0
[   44.522883][  T464]  ? do_filp_open+0x450/0x450
[   44.527386][  T464]  ? do_sys_open+0x357/0x810
[   44.531835][  T464]  ? do_syscall_64+0xca/0x1c0
[   44.536324][  T464]  ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   44.542242][  T464]  do_filp_open+0x20b/0x450
[   44.546587][  T464]  ? vfs_tmpfile+0x2c0/0x2c0
[   44.551146][  T464]  ? _raw_spin_unlock+0x49/0x60
[   44.555818][  T464]  ? __alloc_fd+0x4c5/0x570
[   44.560161][  T464]  do_sys_open+0x39c/0x810
[   44.564413][  T464]  ? check_preemption_disabled+0x153/0x320
[   44.570050][  T464]  ? file_open_root+0x490/0x490
[   44.574738][  T464]  do_syscall_64+0xca/0x1c0
[   44.579081][  T464]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   44.584806][  T464] RIP: 0033:0x7f9bbc0ffa51
[   44.589063][  T464] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[   44.608498][  T464] RSP: 002b:00007ffdaf884b70 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[   44.616744][  T464] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9bbc0ffa51
[   44.624569][  T464] RDX: 0000000000000002 RSI: 00007ffdaf884c80 RDI: 00000000ffffff9c
[   44.632367][  T464] RBP: 00007ffdaf884c80 R08: 000000000000000a R09: 00007ffdaf884937
[   44.640181][  T464] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[   44.648081][  T464] R13: 00007f9bbc2ea260 R14: 0000000000000003 R15: 00007ffdaf884c80
[   44.655898][  T464] 
[   44.658062][  T464] Allocated by task 445:
[   44.662144][  T464]  __kasan_kmalloc+0x171/0x210
[   44.666742][  T464]  kmem_cache_alloc+0xd9/0x250
[   44.671344][  T464]  dup_task_struct+0x4f/0x600
[   44.675858][  T464]  copy_process+0x56d/0x3230
[   44.680283][  T464]  _do_fork+0x197/0x900
[   44.684277][  T464]  __x64_sys_clone3+0x2da/0x300
[   44.688964][  T464]  do_syscall_64+0xca/0x1c0
[   44.693303][  T464]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   44.699030][  T464] 
[   44.701208][  T464] Freed by task 17:
[   44.704862][  T464]  __kasan_slab_free+0x1b5/0x270
[   44.709621][  T464]  kmem_cache_free+0x10b/0x2c0
[   44.714222][  T464]  rcu_do_batch+0x492/0xa00
[   44.718564][  T464]  rcu_core+0x4c8/0xcb0
[   44.722576][  T464]  __do_softirq+0x23b/0x6b7
[   44.726894][  T464] 
[   44.729066][  T464] The buggy address belongs to the object at ffff8881eafe9f80
[   44.729066][  T464]  which belongs to the cache task_struct of size 3904
[   44.743044][  T464] The buggy address is located 56 bytes inside of
[   44.743044][  T464]  3904-byte region [ffff8881eafe9f80, ffff8881eafeaec0)
[   44.756144][  T464] The buggy address belongs to the page:
[   44.761617][  T464] page:ffffea0007abfa00 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
[   44.772376][  T464] flags: 0x8000000000010200(slab|head)
[   44.777682][  T464] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
[   44.786278][  T464] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   44.794681][  T464] page dumped because: kasan: bad access detected
[   44.800937][  T464] page_owner tracks the page as allocated
[   44.806507][  T464] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[   44.822839][  T464]  prep_new_page+0x18f/0x370
[   44.827254][  T464]  get_page_from_freelist+0x2d13/0x2d90
[   44.832790][  T464]  __alloc_pages_nodemask+0x393/0x840
[   44.837998][  T464]  alloc_slab_page+0x39/0x3c0
[   44.842520][  T464]  new_slab+0x97/0x440
[   44.846419][  T464]  ___slab_alloc+0x2fe/0x490
[   44.850845][  T464]  __slab_alloc+0x62/0xa0
[   44.855011][  T464]  kmem_cache_alloc+0x109/0x250
[   44.859702][  T464]  dup_task_struct+0x4f/0x600
[   44.864210][  T464]  copy_process+0x56d/0x3230
[   44.868640][  T464]  _do_fork+0x197/0x900
[   44.872636][  T464]  __x64_sys_clone3+0x2da/0x300
[   44.877318][  T464]  do_syscall_64+0xca/0x1c0
[   44.881658][  T464]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[   44.887387][  T464] page last free stack trace:
[   44.891903][  T464]  __free_pages_ok+0x847/0x950
[   44.896500][  T464]  __free_pages+0x91/0x140
[   44.900755][  T464]  __free_slab+0x221/0x2e0
[   44.905009][  T464]  unfreeze_partials+0x14e/0x180
[   44.909781][  T464]  put_cpu_partial+0x44/0x180
[   44.914296][  T464]  __slab_free+0x297/0x360
[   44.918552][  T464]  qlist_free_all+0x43/0xb0
[   44.922893][  T464]  quarantine_reduce+0x1d9/0x210
[   44.927673][  T464]  __kasan_kmalloc+0x41/0x210
[   44.932184][  T464]  kmem_cache_alloc+0xd9/0x250
[   44.936815][  T464]  __alloc_skb+0x7a/0x4d0
[   44.940948][  T464]  inet6_netconf_notify_devconf+0xc9/0x180
[   44.946597][  T464]  addrconf_ifdown+0x17cc/0x1a90
[   44.951361][  T464]  addrconf_notify+0x375/0xe50
[   44.955971][  T464]  raw_notifier_call_chain+0x95/0x110
[   44.961170][  T464]  rollback_registered_many+0xce5/0x1330
[   44.966633][  T464] 
[   44.968914][  T464] Memory state around the buggy address:
[   44.974362][  T464]  ffff8881eafe9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.982262][  T464]  ffff8881eafe9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.990161][  T464] >ffff8881eafe9f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.998065][  T464]                                         ^
[   45.003872][  T464]  ffff8881eafea000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.011771][  T464]  ffff8881eafea080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.019666][  T464] ==================================================================
[   45.027574][  T464] Disabling lock debugging due to kernel taint