Warning: Permanently added '10.128.1.38' (ED25519) to the list of known hosts.
2025/04/07 00:38:38 ignoring optional flag "sandboxArg"="0"
2025/04/07 00:38:39 parsed 1 programs
[ 25.784647][ T23] audit: type=1400 audit(1743986319.590:66): avc: denied { node_bind } for pid=351 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 26.370817][ T23] audit: type=1400 audit(1743986320.180:67): avc: denied { mounton } for pid=360 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.372383][ T360] cgroup1: Unknown subsys name 'net'
[ 26.393272][ T23] audit: type=1400 audit(1743986320.180:68): avc: denied { mount } for pid=360 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.398658][ T360] cgroup1: Unknown subsys name 'net_prio'
[ 26.420949][ T23] audit: type=1400 audit(1743986320.230:69): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 26.426039][ T360] cgroup1: Unknown subsys name 'devices'
[ 26.454350][ T23] audit: type=1400 audit(1743986320.260:70): avc: denied { unmount } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.622862][ T360] cgroup1: Unknown subsys name 'hugetlb'
[ 26.628514][ T360] cgroup1: Unknown subsys name 'rlimit'
[ 26.829752][ T23] audit: type=1400 audit(1743986320.640:71): avc: denied { setattr } for pid=360 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10828 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 26.852955][ T23] audit: type=1400 audit(1743986320.640:72): avc: denied { create } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.873165][ T23] audit: type=1400 audit(1743986320.640:73): avc: denied { write } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.893253][ T23] audit: type=1400 audit(1743986320.640:74): avc: denied { read } for pid=360 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.900070][ T363] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 26.913371][ T23] audit: type=1400 audit(1743986320.640:75): avc: denied { module_request } for pid=360 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 27.046366][ T360] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 27.541300][ T372] request_module fs-gadgetfs succeeded, but still no fs?
[ 27.730245][ T380] syz-executor (380) used greatest stack depth: 20024 bytes left
[ 28.129107][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.136713][ T413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.144139][ T413] device bridge_slave_0 entered promiscuous mode
[ 28.150848][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.157660][ T413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.165092][ T413] device bridge_slave_1 entered promiscuous mode
[ 28.207314][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.214178][ T413] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.221340][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.228172][ T413] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.250156][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.257609][ T103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.264716][ T103] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.273906][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.282667][ T103] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.289502][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.298205][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.306410][ T103] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.313251][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.326445][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.335953][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.352224][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.363456][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.376331][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.388632][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.399006][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.432676][ T413] syz-executor (413) used greatest stack depth: 19576 bytes left
2025/04/07 00:38:42 executed programs: 0
[ 28.621683][ T431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.628528][ T431] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.636034][ T431] device bridge_slave_0 entered promiscuous mode
[ 28.642936][ T431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.650263][ T431] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.657611][ T431] device bridge_slave_1 entered promiscuous mode
[ 28.721035][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 28.728395][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.743749][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.751935][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.760320][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.767140][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.774512][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 28.787914][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 28.796239][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.804405][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.811234][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.824065][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 28.832197][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.844137][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.859648][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.874722][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.888114][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.903007][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 28.911455][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.931042][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 28.939816][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.849919][ T7] device bridge_slave_1 left promiscuous mode
[ 29.855906][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.863775][ T7] device bridge_slave_0 left promiscuous mode
[ 29.869848][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.020098][ T464] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.027169][ T464] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.034586][ T464] device bridge_slave_0 entered promiscuous mode
[ 44.041264][ T464] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.048075][ T464] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.055461][ T464] device bridge_slave_1 entered promiscuous mode
[ 44.097609][ T464] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.104476][ T464] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.111613][ T464] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.118436][ T464] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.139625][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.146712][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.153965][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 44.161192][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.170496][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.178495][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.185341][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.194383][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.202538][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.209350][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.223354][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.232504][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.248461][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 44.261028][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.274846][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.287389][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/04/07 00:38:58 executed programs: 3
[ 44.297340][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.320320][ T464] ==================================================================
[ 44.328306][ T464] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 44.335248][ T464] Read of size 4 at addr ffff8881eafe9fb8 by task syz-executor/464
[ 44.342950][ T464]
[ 44.345126][ T464] CPU: 1 PID: 464 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[ 44.354963][ T464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 44.364856][ T464] Call Trace:
[ 44.367987][ T464] dump_stack+0x1d8/0x241
[ 44.372154][ T464] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 44.377840][ T464] ? printk+0xd1/0x111
[ 44.381708][ T464] ? __mutex_lock+0xcd7/0x1060
[ 44.386304][ T464] print_address_description+0x8c/0x600
[ 44.391694][ T464] ? check_preemption_disabled+0x9f/0x320
[ 44.397245][ T464] ? __unwind_start+0x708/0x890
[ 44.401940][ T464] ? __mutex_lock+0xcd7/0x1060
[ 44.406660][ T464] __kasan_report+0xf3/0x120
[ 44.411076][ T464] ? __mutex_lock+0xcd7/0x1060
[ 44.415671][ T464] kasan_report+0x30/0x60
[ 44.419844][ T464] __mutex_lock+0xcd7/0x1060
[ 44.424267][ T464] ? kobject_get_unless_zero+0x229/0x320
[ 44.429743][ T464] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 44.436331][ T464] ? __module_put_and_exit+0x20/0x20
[ 44.441452][ T464] ? up_read+0x6f/0x1b0
[ 44.445452][ T464] mutex_lock_killable+0xd8/0x110
[ 44.450326][ T464] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 44.456643][ T464] ? mutex_lock+0xa5/0x110
[ 44.460898][ T464] ? mutex_trylock+0xa0/0xa0
[ 44.465322][ T464] lo_open+0x18/0xc0
[ 44.469054][ T464] __blkdev_get+0x3c8/0x1160
[ 44.473481][ T464] ? blkdev_get+0x3a0/0x3a0
[ 44.477821][ T464] ? _raw_spin_unlock+0x49/0x60
[ 44.482508][ T464] blkdev_get+0x2de/0x3a0
[ 44.486762][ T464] ? blkdev_open+0x173/0x290
[ 44.491190][ T464] ? block_ioctl+0xe0/0xe0
[ 44.495442][ T464] do_dentry_open+0x964/0x1130
[ 44.500044][ T464] ? finish_open+0xd0/0xd0
[ 44.504302][ T464] ? security_inode_permission+0xad/0xf0
[ 44.509769][ T464] ? memcpy+0x38/0x50
[ 44.513613][ T464] path_openat+0x29bf/0x34b0
[ 44.518012][ T464] ? stack_trace_save+0x118/0x1c0
[ 44.522883][ T464] ? do_filp_open+0x450/0x450
[ 44.527386][ T464] ? do_sys_open+0x357/0x810
[ 44.531835][ T464] ? do_syscall_64+0xca/0x1c0
[ 44.536324][ T464] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.542242][ T464] do_filp_open+0x20b/0x450
[ 44.546587][ T464] ? vfs_tmpfile+0x2c0/0x2c0
[ 44.551146][ T464] ? _raw_spin_unlock+0x49/0x60
[ 44.555818][ T464] ? __alloc_fd+0x4c5/0x570
[ 44.560161][ T464] do_sys_open+0x39c/0x810
[ 44.564413][ T464] ? check_preemption_disabled+0x153/0x320
[ 44.570050][ T464] ? file_open_root+0x490/0x490
[ 44.574738][ T464] do_syscall_64+0xca/0x1c0
[ 44.579081][ T464] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.584806][ T464] RIP: 0033:0x7f9bbc0ffa51
[ 44.589063][ T464] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 44.608498][ T464] RSP: 002b:00007ffdaf884b70 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 44.616744][ T464] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9bbc0ffa51
[ 44.624569][ T464] RDX: 0000000000000002 RSI: 00007ffdaf884c80 RDI: 00000000ffffff9c
[ 44.632367][ T464] RBP: 00007ffdaf884c80 R08: 000000000000000a R09: 00007ffdaf884937
[ 44.640181][ T464] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 44.648081][ T464] R13: 00007f9bbc2ea260 R14: 0000000000000003 R15: 00007ffdaf884c80
[ 44.655898][ T464]
[ 44.658062][ T464] Allocated by task 445:
[ 44.662144][ T464] __kasan_kmalloc+0x171/0x210
[ 44.666742][ T464] kmem_cache_alloc+0xd9/0x250
[ 44.671344][ T464] dup_task_struct+0x4f/0x600
[ 44.675858][ T464] copy_process+0x56d/0x3230
[ 44.680283][ T464] _do_fork+0x197/0x900
[ 44.684277][ T464] __x64_sys_clone3+0x2da/0x300
[ 44.688964][ T464] do_syscall_64+0xca/0x1c0
[ 44.693303][ T464] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.699030][ T464]
[ 44.701208][ T464] Freed by task 17:
[ 44.704862][ T464] __kasan_slab_free+0x1b5/0x270
[ 44.709621][ T464] kmem_cache_free+0x10b/0x2c0
[ 44.714222][ T464] rcu_do_batch+0x492/0xa00
[ 44.718564][ T464] rcu_core+0x4c8/0xcb0
[ 44.722576][ T464] __do_softirq+0x23b/0x6b7
[ 44.726894][ T464]
[ 44.729066][ T464] The buggy address belongs to the object at ffff8881eafe9f80
[ 44.729066][ T464] which belongs to the cache task_struct of size 3904
[ 44.743044][ T464] The buggy address is located 56 bytes inside of
[ 44.743044][ T464] 3904-byte region [ffff8881eafe9f80, ffff8881eafeaec0)
[ 44.756144][ T464] The buggy address belongs to the page:
[ 44.761617][ T464] page:ffffea0007abfa00 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
[ 44.772376][ T464] flags: 0x8000000000010200(slab|head)
[ 44.777682][ T464] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
[ 44.786278][ T464] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 44.794681][ T464] page dumped because: kasan: bad access detected
[ 44.800937][ T464] page_owner tracks the page as allocated
[ 44.806507][ T464] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 44.822839][ T464] prep_new_page+0x18f/0x370
[ 44.827254][ T464] get_page_from_freelist+0x2d13/0x2d90
[ 44.832790][ T464] __alloc_pages_nodemask+0x393/0x840
[ 44.837998][ T464] alloc_slab_page+0x39/0x3c0
[ 44.842520][ T464] new_slab+0x97/0x440
[ 44.846419][ T464] ___slab_alloc+0x2fe/0x490
[ 44.850845][ T464] __slab_alloc+0x62/0xa0
[ 44.855011][ T464] kmem_cache_alloc+0x109/0x250
[ 44.859702][ T464] dup_task_struct+0x4f/0x600
[ 44.864210][ T464] copy_process+0x56d/0x3230
[ 44.868640][ T464] _do_fork+0x197/0x900
[ 44.872636][ T464] __x64_sys_clone3+0x2da/0x300
[ 44.877318][ T464] do_syscall_64+0xca/0x1c0
[ 44.881658][ T464] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 44.887387][ T464] page last free stack trace:
[ 44.891903][ T464] __free_pages_ok+0x847/0x950
[ 44.896500][ T464] __free_pages+0x91/0x140
[ 44.900755][ T464] __free_slab+0x221/0x2e0
[ 44.905009][ T464] unfreeze_partials+0x14e/0x180
[ 44.909781][ T464] put_cpu_partial+0x44/0x180
[ 44.914296][ T464] __slab_free+0x297/0x360
[ 44.918552][ T464] qlist_free_all+0x43/0xb0
[ 44.922893][ T464] quarantine_reduce+0x1d9/0x210
[ 44.927673][ T464] __kasan_kmalloc+0x41/0x210
[ 44.932184][ T464] kmem_cache_alloc+0xd9/0x250
[ 44.936815][ T464] __alloc_skb+0x7a/0x4d0
[ 44.940948][ T464] inet6_netconf_notify_devconf+0xc9/0x180
[ 44.946597][ T464] addrconf_ifdown+0x17cc/0x1a90
[ 44.951361][ T464] addrconf_notify+0x375/0xe50
[ 44.955971][ T464] raw_notifier_call_chain+0x95/0x110
[ 44.961170][ T464] rollback_registered_many+0xce5/0x1330
[ 44.966633][ T464]
[ 44.968914][ T464] Memory state around the buggy address:
[ 44.974362][ T464] ffff8881eafe9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.982262][ T464] ffff8881eafe9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.990161][ T464] >ffff8881eafe9f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.998065][ T464] ^
[ 45.003872][ T464] ffff8881eafea000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.011771][ T464] ffff8881eafea080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.019666][ T464] ==================================================================
[ 45.027574][ T464] Disabling lock debugging due to kernel taint