[ 66.550952][ T74] cfg80211: failed to load regulatory.db
Warning: Permanently added '10.128.1.185' (ED25519) to the list of known hosts.
2025/02/08 17:54:32 ignoring optional flag "sandboxArg"="0"
2025/02/08 17:54:33 parsed 1 programs
[ 68.565105][ T23] audit: type=1400 audit(1739037273.700:66): avc: denied { node_bind } for pid=395 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 69.064037][ T23] audit: type=1400 audit(1739037274.200:67): avc: denied { mounton } for pid=405 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 69.065766][ T405] cgroup1: Unknown subsys name 'net'
[ 69.086514][ T23] audit: type=1400 audit(1739037274.200:68): avc: denied { mount } for pid=405 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 69.091925][ T405] cgroup1: Unknown subsys name 'net_prio'
[ 69.114205][ T23] audit: type=1400 audit(1739037274.250:69): avc: denied { read } for pid=145 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 69.119294][ T405] cgroup1: Unknown subsys name 'devices'
[ 69.146776][ T23] audit: type=1400 audit(1739037274.280:70): avc: denied { unmount } for pid=405 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 69.283145][ T405] cgroup1: Unknown subsys name 'hugetlb'
[ 69.288757][ T405] cgroup1: Unknown subsys name 'rlimit'
[ 69.489880][ T23] audit: type=1400 audit(1739037274.620:71): avc: denied { setattr } for pid=405 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=9542 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 69.513187][ T23] audit: type=1400 audit(1739037274.620:72): avc: denied { create } for pid=405 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 69.518935][ T408] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 69.533767][ T23] audit: type=1400 audit(1739037274.620:73): avc: denied { write } for pid=405 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 69.561782][ T23] audit: type=1400 audit(1739037274.630:74): avc: denied { read } for pid=405 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 69.581841][ T23] audit: type=1400 audit(1739037274.630:75): avc: denied { module_request } for pid=405 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 69.622019][ T405] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 70.043042][ T412] request_module fs-gadgetfs succeeded, but still no fs?
[ 70.368395][ T432] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.375380][ T432] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.383628][ T432] device bridge_slave_0 entered promiscuous mode
[ 70.390299][ T432] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.397241][ T432] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.404755][ T432] device bridge_slave_1 entered promiscuous mode
[ 70.444650][ T432] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.451500][ T432] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.458568][ T432] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.465390][ T432] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.485980][ T180] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.493228][ T180] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.500272][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 70.507645][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 70.517392][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 70.525385][ T180] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.532218][ T180] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.541515][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 70.549699][ T180] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.556551][ T180] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.570183][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 70.579714][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 70.596133][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 70.607779][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 70.620394][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 70.635128][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 70.646081][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 70.684222][ T432] syz-executor (432) used greatest stack depth: 19544 bytes left
2025/02/08 17:54:36 executed programs: 0
[ 71.204267][ T473] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.211486][ T473] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.218866][ T473] device bridge_slave_0 entered promiscuous mode
[ 71.225671][ T473] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.232583][ T473] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.239758][ T473] device bridge_slave_1 entered promiscuous mode
[ 71.262689][ T9] device bridge_slave_1 left promiscuous mode
[ 71.268633][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.275889][ T9] device bridge_slave_0 left promiscuous mode
[ 71.281905][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.411249][ T473] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.418087][ T473] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.425237][ T473] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.431984][ T473] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.440845][ T180] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.448085][ T180] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.467216][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.474563][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.484408][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 71.493161][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 71.501196][ T180] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.508009][ T180] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.517149][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 71.525349][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 71.533374][ T180] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.540192][ T180] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.552495][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 71.560474][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 71.569857][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 71.577837][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 71.593012][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 71.601481][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 71.616850][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 71.624733][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 71.635393][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 71.643545][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 71.655421][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 71.664254][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 71.680903][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 71.689544][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 86.769888][ T518] bridge0: port 1(bridge_slave_0) entered blocking state
[ 86.776881][ T518] bridge0: port 1(bridge_slave_0) entered disabled state
[ 86.784722][ T518] device bridge_slave_0 entered promiscuous mode
[ 86.792085][ T518] bridge0: port 2(bridge_slave_1) entered blocking state
[ 86.799718][ T518] bridge0: port 2(bridge_slave_1) entered disabled state
[ 86.807317][ T518] device bridge_slave_1 entered promiscuous mode
[ 86.846540][ T518] bridge0: port 2(bridge_slave_1) entered blocking state
[ 86.853393][ T518] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 86.861039][ T518] bridge0: port 1(bridge_slave_0) entered blocking state
[ 86.868233][ T518] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 86.889104][ T180] bridge0: port 1(bridge_slave_0) entered disabled state
[ 86.896339][ T180] bridge0: port 2(bridge_slave_1) entered disabled state
[ 86.903655][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 86.910970][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 86.920053][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 86.928262][ T180] bridge0: port 1(bridge_slave_0) entered blocking state
[ 86.935120][ T180] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 86.944056][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 86.952194][ T180] bridge0: port 2(bridge_slave_1) entered blocking state
[ 86.959008][ T180] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 86.972289][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 86.981583][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 86.996943][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 87.008440][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 87.021920][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 87.034304][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/02/08 17:54:52 executed programs: 3
[ 87.044482][ T180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 87.065972][ T518] ==================================================================
[ 87.073871][ T518] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 87.080793][ T518] Read of size 4 at addr ffff8881e952cef8 by task syz-executor/518
[ 87.088519][ T518]
[ 87.090709][ T518] CPU: 1 PID: 518 Comm: syz-executor Not tainted 5.4.289-syzkaller-00030-gcb850525fc3e #0
[ 87.100416][ T518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 87.110298][ T518] Call Trace:
[ 87.113446][ T518] dump_stack+0x1d8/0x241
[ 87.117596][ T518] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 87.123233][ T518] ? printk+0xd1/0x111
[ 87.127140][ T518] ? __mutex_lock+0xcd7/0x1060
[ 87.131825][ T518] print_address_description+0x8c/0x600
[ 87.137220][ T518] ? check_preemption_disabled+0x9f/0x320
[ 87.142765][ T518] ? __unwind_start+0x708/0x890
[ 87.147449][ T518] ? __mutex_lock+0xcd7/0x1060
[ 87.152056][ T518] __kasan_report+0xf3/0x120
[ 87.156609][ T518] ? __mutex_lock+0xcd7/0x1060
[ 87.161198][ T518] kasan_report+0x30/0x60
[ 87.165366][ T518] __mutex_lock+0xcd7/0x1060
[ 87.169789][ T518] ? kobject_get_unless_zero+0x229/0x320
[ 87.175351][ T518] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 87.181965][ T518] ? __module_put_and_exit+0x20/0x20
[ 87.187059][ T518] ? up_read+0x6f/0x1b0
[ 87.191052][ T518] mutex_lock_killable+0xd8/0x110
[ 87.196028][ T518] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 87.202365][ T518] ? mutex_lock+0xa5/0x110
[ 87.206614][ T518] ? mutex_trylock+0xa0/0xa0
[ 87.211070][ T518] lo_open+0x18/0xc0
[ 87.214775][ T518] __blkdev_get+0x3c8/0x1160
[ 87.219289][ T518] ? blkdev_get+0x3a0/0x3a0
[ 87.223635][ T518] ? _raw_spin_unlock+0x49/0x60
[ 87.228330][ T518] blkdev_get+0x2de/0x3a0
[ 87.232654][ T518] ? blkdev_open+0x173/0x290
[ 87.237203][ T518] ? block_ioctl+0xe0/0xe0
[ 87.241444][ T518] do_dentry_open+0x964/0x1130
[ 87.246041][ T518] ? finish_open+0xd0/0xd0
[ 87.250283][ T518] ? security_inode_permission+0xad/0xf0
[ 87.255753][ T518] ? memcpy+0x38/0x50
[ 87.259583][ T518] path_openat+0x29bf/0x34b0
[ 87.263998][ T518] ? stack_trace_save+0x118/0x1c0
[ 87.268874][ T518] ? do_filp_open+0x450/0x450
[ 87.273392][ T518] ? do_sys_open+0x357/0x810
[ 87.277803][ T518] ? do_syscall_64+0xca/0x1c0
[ 87.282415][ T518] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 87.288321][ T518] do_filp_open+0x20b/0x450
[ 87.292798][ T518] ? vfs_tmpfile+0x2c0/0x2c0
[ 87.297252][ T518] ? _raw_spin_unlock+0x49/0x60
[ 87.301892][ T518] ? __alloc_fd+0x4c5/0x570
[ 87.306233][ T518] do_sys_open+0x39c/0x810
[ 87.310487][ T518] ? check_preemption_disabled+0x153/0x320
[ 87.316236][ T518] ? file_open_root+0x490/0x490
[ 87.320930][ T518] do_syscall_64+0xca/0x1c0
[ 87.325264][ T518] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 87.331017][ T518] RIP: 0033:0x7fae170456d1
[ 87.335252][ T518] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 7a 1e 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 87.354683][ T518] RSP: 002b:00007ffd6d2448a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 87.362942][ T518] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fae170456d1
[ 87.370742][ T518] RDX: 0000000000000002 RSI: 00007ffd6d2449b0 RDI: 00000000ffffff9c
[ 87.378640][ T518] RBP: 00007ffd6d2449b0 R08: 000000000000000a R09: 00007ffd6d244667
[ 87.387145][ T518] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 87.394956][ T518] R13: 00007fae17230260 R14: 0000000000000003 R15: 00007ffd6d2449b0
[ 87.402946][ T518]
[ 87.405110][ T518] Allocated by task 494:
[ 87.409194][ T518] __kasan_kmalloc+0x171/0x210
[ 87.413796][ T518] kmem_cache_alloc+0xd9/0x250
[ 87.418393][ T518] dup_task_struct+0x4f/0x600
[ 87.422905][ T518] copy_process+0x56d/0x3230
[ 87.427514][ T518] _do_fork+0x197/0x900
[ 87.431505][ T518] __x64_sys_clone3+0x2da/0x300
[ 87.436214][ T518] do_syscall_64+0xca/0x1c0
[ 87.440524][ T518] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 87.446397][ T518]
[ 87.448568][ T518] Freed by task 17:
[ 87.452250][ T518] __kasan_slab_free+0x1b5/0x270
[ 87.456987][ T518] kmem_cache_free+0x10b/0x2c0
[ 87.461591][ T518] rcu_do_batch+0x492/0xa00
[ 87.465923][ T518] rcu_core+0x4c8/0xcb0
[ 87.469916][ T518] __do_softirq+0x23b/0x6b7
[ 87.474251][ T518]
[ 87.476424][ T518] The buggy address belongs to the object at ffff8881e952cec0
[ 87.476424][ T518] which belongs to the cache task_struct of size 3904
[ 87.490408][ T518] The buggy address is located 56 bytes inside of
[ 87.490408][ T518] 3904-byte region [ffff8881e952cec0, ffff8881e952de00)
[ 87.503616][ T518] The buggy address belongs to the page:
[ 87.509091][ T518] page:ffffea0007a54a00 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
[ 87.519846][ T518] flags: 0x8000000000010200(slab|head)
[ 87.525144][ T518] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
[ 87.533558][ T518] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 87.541972][ T518] page dumped because: kasan: bad access detected
[ 87.548228][ T518] page_owner tracks the page as allocated
[ 87.553780][ T518] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 87.570014][ T518] prep_new_page+0x18f/0x370
[ 87.574438][ T518] get_page_from_freelist+0x2d13/0x2d90
[ 87.579818][ T518] __alloc_pages_nodemask+0x393/0x840
[ 87.585026][ T518] alloc_slab_page+0x39/0x3c0
[ 87.589539][ T518] new_slab+0x97/0x440
[ 87.593452][ T518] ___slab_alloc+0x2fe/0x490
[ 87.597871][ T518] __slab_alloc+0x62/0xa0
[ 87.602041][ T518] kmem_cache_alloc+0x109/0x250
[ 87.606810][ T518] dup_task_struct+0x4f/0x600
[ 87.611325][ T518] copy_process+0x56d/0x3230
[ 87.615752][ T518] _do_fork+0x197/0x900
[ 87.619742][ T518] kernel_thread+0x16a/0x1d0
[ 87.624168][ T518] kthreadd+0x3b1/0x4f0
[ 87.628160][ T518] ret_from_fork+0x1f/0x30
[ 87.632415][ T518] page last free stack trace:
[ 87.636928][ T518] __free_pages_ok+0x847/0x950
[ 87.641527][ T518] __free_pages+0x91/0x140
[ 87.645783][ T518] __free_slab+0x221/0x2e0
[ 87.650030][ T518] unfreeze_partials+0x14e/0x180
[ 87.654805][ T518] put_cpu_partial+0x44/0x180
[ 87.659316][ T518] __slab_free+0x297/0x360
[ 87.663570][ T518] qlist_free_all+0x43/0xb0
[ 87.667910][ T518] quarantine_reduce+0x1d9/0x210
[ 87.672694][ T518] __kasan_kmalloc+0x41/0x210
[ 87.677291][ T518] __kmalloc+0x105/0x2e0
[ 87.681366][ T518] qdisc_alloc+0x78/0x7b0
[ 87.685529][ T518] qdisc_create_dflt+0x60/0x250
[ 87.690214][ T518] dev_activate+0x2fc/0xc00
[ 87.694555][ T518] __dev_open+0x302/0x420
[ 87.698722][ T518] __dev_change_flags+0x1db/0x6e0
[ 87.703594][ T518] dev_change_flags+0x87/0x190
[ 87.708175][ T518]
[ 87.710345][ T518] Memory state around the buggy address:
[ 87.715817][ T518] ffff8881e952cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 87.723716][ T518] ffff8881e952ce00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 87.731617][ T518] >ffff8881e952ce80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 87.739519][ T518] ^
[ 87.747325][ T518] ffff8881e952cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.755221][ T518] ffff8881e952cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.763117][ T518] ==================================================================
[ 87.771014][ T518] Disabling lock debugging due to kernel taint