Warning: Permanently added '10.128.1.38' (ED25519) to the list of known hosts.
2025/04/07 00:38:38 ignoring optional flag "sandboxArg"="0"
2025/04/07 00:38:39 parsed 1 programs
[ 25.784647][ T23] audit: type=1400 audit(1743986319.590:66): avc: denied { node_bind } for pid=351 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 26.370817][ T23] audit: type=1400 audit(1743986320.180:67): avc: denied { mounton } for pid=360 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.372383][ T360] cgroup1: Unknown subsys name 'net'
[ 26.393272][ T23] audit: type=1400 audit(1743986320.180:68): avc: denied { mount } for pid=360 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.398658][ T360] cgroup1: Unknown subsys name 'net_prio'
[ 26.420949][ T23] audit: type=1400 audit(1743986320.230:69): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 26.426039][ T360] cgroup1: Unknown subsys name 'devices'
[ 26.454350][ T23] audit: type=1400 audit(1743986320.260:70): avc: denied { unmount } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.622862][ T360] cgroup1: Unknown subsys name 'hugetlb'
[ 26.628514][ T360] cgroup1: Unknown subsys name 'rlimit'
[ 26.829752][ T23] audit: type=1400 audit(1743986320.640:71): avc: denied { setattr } for pid=360 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10828 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 26.852955][ T23] audit: type=1400 audit(1743986320.640:72): avc: denied { create } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.873165][ T23] audit: type=1400 audit(1743986320.640:73): avc: denied { write } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.893253][ T23] audit: type=1400 audit(1743986320.640:74): avc: denied { read } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.900070][ T363] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 26.913371][ T23] audit: type=1400 audit(1743986320.640:75): avc: denied { module_request } for pid=360 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 27.046366][ T360] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 27.541300][ T372] request_module fs-gadgetfs succeeded, but still no fs?
[ 27.730245][ T380] syz-executor (380) used greatest stack depth: 20024 bytes left
[ 28.129107][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.136713][ T413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.144139][ T413] device bridge_slave_0 entered promiscuous mode
[ 28.150848][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.157660][ T413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.165092][ T413] device bridge_slave_1 entered promiscuous mode
[ 28.207314][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.214178][ T413] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.221340][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.228172][ T413] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.250156][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.257609][ T103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.264716][ T103] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.273906][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.282667][ T103] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.289502][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.298205][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.306410][ T103] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.313251][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.326445][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.335953][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.352224][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.363456][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.376331][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.388632][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.399006][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.432676][ T413] syz-executor (413) used greatest stack depth: 19576 bytes left
2025/04/07 00:38:42 executed programs: 0
[ 28.621683][ T431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.628528][ T431] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.636034][ T431] device bridge_slave_0 entered promiscuous mode
[ 28.642936][ T431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.650263][ T431] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.657611][ T431] device bridge_slave_1 entered promiscuous mode
[ 28.721035][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 28.728395][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.743749][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.751935][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.760320][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.767140][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.774512][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 28.787914][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 28.796239][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.804405][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.811234][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.824065][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 28.832197][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.844137][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.859648][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.874722][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.888114][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.903007][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 28.911455][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.931042][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 28.939816][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.849919][ T7] device bridge_slave_1 left promiscuous mode
[ 29.855906][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.863775][ T7] device bridge_slave_0 left promiscuous mode
[ 29.869848][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.020098][ T464] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.027169][ T464] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.034586][ T464] device bridge_slave_0 entered promiscuous mode
[ 44.041264][ T464] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.048075][ T464] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.055461][ T464] device bridge_slave_1 entered promiscuous mode
[ 44.097609][ T464] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.104476][ T464] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.111613][ T464] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.118436][ T464] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.139625][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.146712][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.153965][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 44.161192][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.170496][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.178495][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.185341][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.194383][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.202538][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.209350][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.223354][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.232504][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.248461][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 44.261028][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.274846][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.287389][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/04/07 00:38:58 executed programs: 3
[ 44.297340][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.320320][ T464] ==================================================================
[ 44.328306][ T464] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 44.335248][ T464] Read of size 4 at addr ffff8881eafe9fb8 by task syz-executor/464
[ 44.342950][ T464]
[ 44.345126][ T464] CPU: 1 PID: 464 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[ 44.354963][ T464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 44.364856][ T464] Call Trace:
[ 44.367987][ T464] dump_stack+0x1d8/0x241
[ 44.372154][ T464] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 44.377840][ T464] ? printk+0xd1/0x111
[ 44.381708][ T464] ? __mutex_lock+0xcd7/0x1060
[ 44.386304][ T464] print_address_description+0x8c/0x600
[ 44.391694][ T464] ? check_preemption_disabled+0x9f/0x320
[ 44.397245][ T464] ? __unwind_start+0x708/0x890
[ 44.401940][ T464] ? __mutex_lock+0xcd7/0x1060
[ 44.406660][ T464] __kasan_report+0xf3/0x120
[ 44.411076][ T464] ? __mutex_lock+0xcd7/0x1060
[ 44.415671][ T464] kasan_report+0x30/0x60
[ 44.419844][ T464] __mutex_lock+0xcd7/0x1060
[ 44.424267][ T464] ? kobject_get_unless_zero+0x229/0x320
[ 44.429743][ T464] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 44.436331][ T464] ? __module_put_and_exit+0x20/0x20
[ 44.441452][ T464] ? up_read+0x6f/0x1b0
[ 44.445452][ T464] mutex_lock_killable+0xd8/0x110
[ 44.450326][ T464] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 44.456643][ T464] ? mutex_lock+0xa5/0x110
[ 44.460898][ T464] ? mutex_trylock+0xa0/0xa0
[ 44.465322][ T464] lo_open+0x18/0xc0
[ 44.469054][ T464] __blkdev_get+0x3c8/0x1160
[ 44.473481][ T464] ? blkdev_get+0x3a0/0x3a0
[ 44.477821][ T464] ? _raw_spin_unlock+0x49/0x60
[ 44.482508][ T464] blkdev_get+0x2de/0x3a0
[ 44.486762][ T464] ? blkdev_open+0x173/0x290
[ 44.491190][ T464] ? block_ioctl+0xe0/0xe0
[ 44.495442][ T464] do_dentry_open+0x964/0x1130
[ 44.500044][ T464] ? finish_open+0xd0/0xd0
[ 44.504302][ T464] ? security_inode_permission+0xad/0xf0
[ 44.509769][ T464] ? memcpy+0x38/0x50
[ 44.513613][ T464] path_openat+0x29bf/0x34b0
[ 44.518012][ T464] ? stack_trace_save+0x118/0x1c0
[ 44.522883][ T464] ? do_filp_open+0x450/0x450
[ 44.527386][ T464] ? do_sys_open+0x357/0x810
[ 44.531835][ T464] ? do_syscall_64+0xca/0x1c0
[ 44.536324][ T464] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.542242][ T464] do_filp_open+0x20b/0x450
[ 44.546587][ T464] ? vfs_tmpfile+0x2c0/0x2c0
[ 44.551146][ T464] ? _raw_spin_unlock+0x49/0x60
[ 44.555818][ T464] ? __alloc_fd+0x4c5/0x570
[ 44.560161][ T464] do_sys_open+0x39c/0x810
[ 44.564413][ T464] ? check_preemption_disabled+0x153/0x320
[ 44.570050][ T464] ? file_open_root+0x490/0x490
[ 44.574738][ T464] do_syscall_64+0xca/0x1c0
[ 44.579081][ T464] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.584806][ T464] RIP: 0033:0x7f9bbc0ffa51
[ 44.589063][ T464] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 44.608498][ T464] RSP: 002b:00007ffdaf884b70 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 44.616744][ T464] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9bbc0ffa51
[ 44.624569][ T464] RDX: 0000000000000002 RSI: 00007ffdaf884c80 RDI: 00000000ffffff9c
[ 44.632367][ T464] RBP: 00007ffdaf884c80 R08: 000000000000000a R09: 00007ffdaf884937
[ 44.640181][ T464] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 44.648081][ T464] R13: 00007f9bbc2ea260 R14: 0000000000000003 R15: 00007ffdaf884c80
[ 44.655898][ T464]
[ 44.658062][ T464] Allocated by task 445:
[ 44.662144][ T464] __kasan_kmalloc+0x171/0x210
[ 44.666742][ T464] kmem_cache_alloc+0xd9/0x250
[ 44.671344][ T464] dup_task_struct+0x4f/0x600
[ 44.675858][ T464] copy_process+0x56d/0x3230
[ 44.680283][ T464] _do_fork+0x197/0x900
[ 44.684277][ T464] __x64_sys_clone3+0x2da/0x300
[ 44.688964][ T464] do_syscall_64+0xca/0x1c0
[ 44.693303][ T464] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.699030][ T464]
[ 44.701208][ T464] Freed by task 17:
[ 44.704862][ T464] __kasan_slab_free+0x1b5/0x270
[ 44.709621][ T464] kmem_cache_free+0x10b/0x2c0
[ 44.714222][ T464] rcu_do_batch+0x492/0xa00
[ 44.718564][ T464] rcu_core+0x4c8/0xcb0
[ 44.722576][ T464] __do_softirq+0x23b/0x6b7
[ 44.726894][ T464]
[ 44.729066][ T464] The buggy address belongs to the object at ffff8881eafe9f80
[ 44.729066][ T464] which belongs to the cache task_struct of size 3904
[ 44.743044][ T464] The buggy address is located 56 bytes inside of
[ 44.743044][ T464] 3904-byte region [ffff8881eafe9f80, ffff8881eafeaec0)
[ 44.756144][ T464] The buggy address belongs to the page:
[ 44.761617][ T464] page:ffffea0007abfa00 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
[ 44.772376][ T464] flags: 0x8000000000010200(slab|head)
[ 44.777682][ T464] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
[ 44.786278][ T464] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 44.794681][ T464] page dumped because: kasan: bad access detected
[ 44.800937][ T464] page_owner tracks the page as allocated
[ 44.806507][ T464] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 44.822839][ T464] prep_new_page+0x18f/0x370
[ 44.827254][ T464] get_page_from_freelist+0x2d13/0x2d90
[ 44.832790][ T464] __alloc_pages_nodemask+0x393/0x840
[ 44.837998][ T464] alloc_slab_page+0x39/0x3c0
[ 44.842520][ T464] new_slab+0x97/0x440
[ 44.846419][ T464] ___slab_alloc+0x2fe/0x490
[ 44.850845][ T464] __slab_alloc+0x62/0xa0
[ 44.855011][ T464] kmem_cache_alloc+0x109/0x250
[ 44.859702][ T464] dup_task_struct+0x4f/0x600
[ 44.864210][ T464] copy_process+0x56d/0x3230
[ 44.868640][ T464] _do_fork+0x197/0x900
[ 44.872636][ T464] __x64_sys_clone3+0x2da/0x300
[ 44.877318][ T464] do_syscall_64+0xca/0x1c0
[ 44.881658][ T464] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.887387][ T464] page last free stack trace:
[ 44.891903][ T464] __free_pages_ok+0x847/0x950
[ 44.896500][ T464] __free_pages+0x91/0x140
[ 44.900755][ T464] __free_slab+0x221/0x2e0
[ 44.905009][ T464] unfreeze_partials+0x14e/0x180
[ 44.909781][ T464] put_cpu_partial+0x44/0x180
[ 44.914296][ T464] __slab_free+0x297/0x360
[ 44.918552][ T464] qlist_free_all+0x43/0xb0
[ 44.922893][ T464] quarantine_reduce+0x1d9/0x210
[ 44.927673][ T464] __kasan_kmalloc+0x41/0x210
[ 44.932184][ T464] kmem_cache_alloc+0xd9/0x250
[ 44.936815][ T464] __alloc_skb+0x7a/0x4d0
[ 44.940948][ T464] inet6_netconf_notify_devconf+0xc9/0x180
[ 44.946597][ T464] addrconf_ifdown+0x17cc/0x1a90
[ 44.951361][ T464] addrconf_notify+0x375/0xe50
[ 44.955971][ T464] raw_notifier_call_chain+0x95/0x110
[ 44.961170][ T464] rollback_registered_many+0xce5/0x1330
[ 44.966633][ T464]
[ 44.968914][ T464] Memory state around the buggy address:
[ 44.974362][ T464] ffff8881eafe9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.982262][ T464] ffff8881eafe9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.990161][ T464] >ffff8881eafe9f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.998065][ T464] ^
[ 45.003872][ T464] ffff8881eafea000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.011771][ T464] ffff8881eafea080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.019666][ T464] ==================================================================
[ 45.027574][ T464] Disabling lock debugging due to kernel taint