last executing test programs: 1.244761879s ago: executing program 1 (id=279): flistxattr(0xffffffffffffffff, &(0x7f0000000000), 0x0) 1.089533928s ago: executing program 1 (id=280): truncate(&(0x7f0000000000), 0x0) 999.865173ms ago: executing program 1 (id=282): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ttyprintk', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ttyprintk', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyprintk', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ttyprintk', 0x800, 0x0) 869.416021ms ago: executing program 0 (id=283): getpid() 868.949331ms ago: executing program 1 (id=284): socket$l2tp(0x2, 0x2, 0x73) 769.207776ms ago: executing program 0 (id=285): syz_open_dev$vim2m(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$vim2m(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$vim2m(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$vim2m(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$vim2m(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$vim2m(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$vim2m(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$vim2m(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$vim2m(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$vim2m(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$vim2m(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$vim2m(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$vim2m(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$vim2m(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$vim2m(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$vim2m(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$vim2m(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$vim2m(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$vim2m(&(0x7f0000000500), 0x4, 0x800) 660.304843ms ago: executing program 1 (id=286): tkill(0x0, 0x0) 587.348127ms ago: executing program 0 (id=287): set_mempolicy_home_node(0x0, 0x0, 0x0, 0x0) 473.903044ms ago: executing program 0 (id=288): syz_open_dev$sndmidi(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$sndmidi(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$sndmidi(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$sndmidi(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$sndmidi(&(0x7f0000000140), 0xa, 0x0) syz_open_dev$sndmidi(&(0x7f0000000180), 0xa, 0x1) syz_open_dev$sndmidi(&(0x7f00000001c0), 0xa, 0x2) syz_open_dev$sndmidi(&(0x7f0000000200), 0xa, 0x800) syz_open_dev$sndmidi(&(0x7f0000000240), 0x14, 0x0) syz_open_dev$sndmidi(&(0x7f0000000280), 0x14, 0x1) syz_open_dev$sndmidi(&(0x7f00000002c0), 0x14, 0x2) syz_open_dev$sndmidi(&(0x7f0000000300), 0x14, 0x800) syz_open_dev$sndmidi(&(0x7f0000000340), 0x1e, 0x0) syz_open_dev$sndmidi(&(0x7f0000000380), 0x1e, 0x1) syz_open_dev$sndmidi(&(0x7f00000003c0), 0x1e, 0x2) syz_open_dev$sndmidi(&(0x7f0000000400), 0x1e, 0x800) syz_open_dev$sndmidi(&(0x7f0000000440), 0x28, 0x0) syz_open_dev$sndmidi(&(0x7f0000000480), 0x28, 0x1) syz_open_dev$sndmidi(&(0x7f00000004c0), 0x28, 0x2) syz_open_dev$sndmidi(&(0x7f0000000500), 0x28, 0x800) 399.466937ms ago: executing program 1 (id=289): syz_open_dev$vcsn(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$vcsn(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$vcsn(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$vcsn(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$vcsn(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$vcsn(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$vcsn(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$vcsn(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$vcsn(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$vcsn(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$vcsn(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$vcsn(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$vcsn(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$vcsn(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$vcsn(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$vcsn(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$vcsn(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$vcsn(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$vcsn(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$vcsn(&(0x7f0000000500), 0x4, 0x800) 230.377487ms ago: executing program 0 (id=290): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video2', 0x2, 0x0) 0s ago: executing program 0 (id=292): fchdir(0xffffffffffffffff) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:32337' (ED25519) to the list of known hosts. [ 126.381531][ T30] audit: type=1400 audit(126.160:48): avc: denied { name_bind } for pid=3306 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 126.709586][ T30] audit: type=1400 audit(126.490:49): avc: denied { execute } for pid=3307 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 126.716941][ T30] audit: type=1400 audit(126.500:50): avc: denied { execute_no_trans } for pid=3307 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 130.241783][ T30] audit: type=1400 audit(130.020:51): avc: denied { mounton } for pid=3307 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 130.247666][ T30] audit: type=1400 audit(130.030:52): avc: denied { mount } for pid=3307 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 130.281875][ T3307] cgroup: Unknown subsys name 'net' [ 130.299251][ T30] audit: type=1400 audit(130.080:53): avc: denied { unmount } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 130.673216][ T3307] cgroup: Unknown subsys name 'cpuset' [ 130.706679][ T3307] cgroup: Unknown subsys name 'rlimit' [ 131.040161][ T30] audit: type=1400 audit(130.820:54): avc: denied { setattr } for pid=3307 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 131.043373][ T30] audit: type=1400 audit(130.830:55): avc: denied { create } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.046557][ T30] audit: type=1400 audit(130.830:56): avc: denied { write } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.051487][ T30] audit: type=1400 audit(130.830:57): avc: denied { module_request } for pid=3307 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 131.551569][ T3310] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 131.555599][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 131.556248][ T30] audit: type=1400 audit(131.340:61): avc: denied { relabelto } for pid=3310 comm="mkswap" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 131.560583][ T30] audit: type=1400 audit(131.340:62): avc: denied { write } for pid=3310 comm="mkswap" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 131.625373][ T30] audit: type=1400 audit(131.410:63): avc: denied { read } for pid=3307 comm="syz-executor" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 131.627513][ T30] audit: type=1400 audit(131.410:64): avc: denied { open } for pid=3307 comm="syz-executor" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 131.638292][ T3307] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 136.862593][ T30] audit: type=1400 audit(136.650:65): avc: denied { execmem } for pid=3311 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 136.915485][ T30] audit: type=1400 audit(136.700:66): avc: denied { read } for pid=3313 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 136.919197][ T30] audit: type=1400 audit(136.700:67): avc: denied { open } for pid=3313 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 136.933284][ T30] audit: type=1400 audit(136.720:68): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 137.503334][ T30] audit: type=1400 audit(137.290:69): avc: denied { mount } for pid=3313 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 137.516028][ T30] audit: type=1400 audit(137.300:70): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.gize3l/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 137.532937][ T30] audit: type=1400 audit(137.310:71): avc: denied { mount } for pid=3313 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 137.554109][ T30] audit: type=1400 audit(137.340:72): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.gize3l/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 137.563282][ T30] audit: type=1400 audit(137.350:73): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.gize3l/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2446 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 137.584805][ T30] audit: type=1400 audit(137.370:74): avc: denied { unmount } for pid=3313 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 143.648133][ T30] kauditd_printk_skb: 21 callbacks suppressed [ 143.648727][ T30] audit: type=1400 audit(143.430:96): avc: denied { write } for pid=3379 comm="syz.1.63" name="hwrng" dev="devtmpfs" ino=83 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 143.983163][ T30] audit: type=1400 audit(143.730:97): avc: denied { create } for pid=3383 comm="syz.1.67" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 145.308011][ T30] audit: type=1400 audit(145.090:98): avc: denied { create } for pid=3399 comm="syz.0.83" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 146.663728][ T30] audit: type=1400 audit(146.450:99): avc: denied { create } for pid=3415 comm="syz.0.99" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 146.779593][ T30] audit: type=1400 audit(146.560:100): avc: denied { create } for pid=3418 comm="syz.1.101" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 147.354805][ T30] audit: type=1400 audit(147.130:101): avc: denied { create } for pid=3423 comm="syz.0.105" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 147.689274][ T3428] mmap: syz.0.109 (3428) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 148.988440][ T30] audit: type=1400 audit(148.770:102): avc: denied { read } for pid=3444 comm="syz.1.126" name="fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 148.996594][ T30] audit: type=1400 audit(148.780:103): avc: denied { open } for pid=3444 comm="syz.1.126" path="/dev/fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 149.001307][ T30] audit: type=1400 audit(148.780:104): avc: denied { write } for pid=3444 comm="syz.1.126" name="fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 149.638666][ T30] audit: type=1400 audit(149.420:105): avc: denied { write } for pid=3452 comm="syz.0.134" name="urandom" dev="devtmpfs" ino=9 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file permissive=1 [ 150.212145][ T30] audit: type=1400 audit(149.990:106): avc: denied { read } for pid=3459 comm="syz.0.141" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 150.212802][ T30] audit: type=1400 audit(149.990:107): avc: denied { open } for pid=3459 comm="syz.0.141" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 150.297420][ T30] audit: type=1400 audit(150.080:108): avc: denied { write } for pid=3459 comm="syz.0.141" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 152.196546][ T30] audit: type=1400 audit(151.980:109): avc: denied { read } for pid=3483 comm="syz.1.164" name="event0" dev="devtmpfs" ino=747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 152.202596][ T30] audit: type=1400 audit(151.990:110): avc: denied { open } for pid=3483 comm="syz.1.164" path="/dev/input/event0" dev="devtmpfs" ino=747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 152.206703][ T30] audit: type=1400 audit(151.990:111): avc: denied { write } for pid=3483 comm="syz.1.164" name="event0" dev="devtmpfs" ino=747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 154.659513][ T30] kauditd_printk_skb: 4 callbacks suppressed [ 154.660139][ T30] audit: type=1400 audit(154.440:116): avc: denied { create } for pid=3508 comm="syz.0.186" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netrom_socket permissive=1 [ 157.008464][ T3532] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 157.829499][ T30] audit: type=1400 audit(157.610:117): avc: denied { create } for pid=3542 comm="syz.0.215" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 157.927592][ T30] audit: type=1400 audit(157.710:118): avc: denied { create } for pid=3544 comm="syz.1.216" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 158.301874][ T30] audit: type=1400 audit(158.080:119): avc: denied { read } for pid=3547 comm="syz.0.217" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 158.302479][ T30] audit: type=1400 audit(158.090:120): avc: denied { open } for pid=3547 comm="syz.0.217" path="/dev/autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 158.307679][ T30] audit: type=1400 audit(158.090:121): avc: denied { write } for pid=3547 comm="syz.0.217" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 159.024858][ T30] audit: type=1400 audit(158.810:122): avc: denied { create } for pid=3556 comm="syz.1.227" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=phonet_socket permissive=1 [ 159.275547][ T30] audit: type=1400 audit(159.060:123): avc: denied { create } for pid=3559 comm="syz.0.229" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 160.144728][ T30] audit: type=1400 audit(159.920:124): avc: denied { read } for pid=3569 comm="syz.1.239" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 160.172404][ T30] audit: type=1400 audit(159.950:125): avc: denied { open } for pid=3569 comm="syz.1.239" path="/dev/fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 160.173001][ T30] audit: type=1400 audit(159.950:126): avc: denied { write } for pid=3569 comm="syz.1.239" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 161.029600][ T30] audit: type=1400 audit(160.810:127): avc: denied { create } for pid=3580 comm="syz.1.250" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ax25_socket permissive=1 [ 161.872076][ T30] audit: type=1400 audit(161.660:128): avc: denied { read } for pid=3586 comm="syz.1.255" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 161.873963][ T30] audit: type=1400 audit(161.660:129): avc: denied { open } for pid=3586 comm="syz.1.255" path="/dev/dri/card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 161.885181][ T30] audit: type=1400 audit(161.670:130): avc: denied { write } for pid=3586 comm="syz.1.255" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 162.824022][ T30] audit: type=1400 audit(162.610:131): avc: denied { read } for pid=3594 comm="syz.1.262" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 162.826066][ T30] audit: type=1400 audit(162.610:132): avc: denied { open } for pid=3594 comm="syz.1.262" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 162.830072][ T30] audit: type=1400 audit(162.610:133): avc: denied { write } for pid=3594 comm="syz.1.262" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 165.913405][ T3313] ================================================================== [ 165.914159][ T3313] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 165.914969][ T3313] Write of size 8 at addr ffff000016715008 by task syz-executor/3313 [ 165.915065][ T3313] [ 165.915859][ T3313] CPU: 0 UID: 0 PID: 3313 Comm: syz-executor Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT [ 165.916066][ T3313] Hardware name: linux,dummy-virt (DT) [ 165.916360][ T3313] Call trace: [ 165.916538][ T3313] show_stack+0x18/0x24 (C) [ 165.916685][ T3313] dump_stack_lvl+0xa4/0xf4 [ 165.916751][ T3313] print_report+0xf4/0x60c [ 165.916799][ T3313] kasan_report+0xc8/0x108 [ 165.916842][ T3313] __asan_report_store8_noabort+0x20/0x2c [ 165.916882][ T3313] binderfs_evict_inode+0x2ac/0x2b4 [ 165.916923][ T3313] evict+0x2c0/0x67c [ 165.916963][ T3313] iput+0x3b0/0x6b4 [ 165.916998][ T3313] dentry_unlink_inode+0x208/0x46c [ 165.917039][ T3313] __dentry_kill+0x150/0x52c [ 165.917078][ T3313] shrink_dentry_list+0x114/0x3a4 [ 165.917118][ T3313] shrink_dcache_parent+0x158/0x354 [ 165.917158][ T3313] shrink_dcache_for_umount+0x88/0x304 [ 165.917199][ T3313] generic_shutdown_super+0x60/0x2e8 [ 165.917243][ T3313] kill_litter_super+0x68/0xa4 [ 165.917284][ T3313] binderfs_kill_super+0x38/0x88 [ 165.917325][ T3313] deactivate_locked_super+0x98/0x17c [ 165.917366][ T3313] deactivate_super+0xb0/0xd4 [ 165.917407][ T3313] cleanup_mnt+0x198/0x424 [ 165.917447][ T3313] __cleanup_mnt+0x14/0x20 [ 165.917486][ T3313] task_work_run+0x128/0x210 [ 165.917535][ T3313] do_exit+0x7ac/0x1f68 [ 165.917579][ T3313] do_group_exit+0xa4/0x208 [ 165.917617][ T3313] get_signal+0x1b00/0x1ba8 [ 165.917659][ T3313] do_signal+0x1f4/0x620 [ 165.917732][ T3313] do_notify_resume+0x18c/0x258 [ 165.917775][ T3313] el0_svc+0x100/0x180 [ 165.917812][ T3313] el0t_64_sync_handler+0x10c/0x138 [ 165.917850][ T3313] el0t_64_sync+0x198/0x19c [ 165.918037][ T3313] [ 165.918847][ T3313] Allocated by task 3314: [ 165.919088][ T3313] kasan_save_stack+0x3c/0x64 [ 165.919201][ T3313] kasan_save_track+0x20/0x3c [ 165.919285][ T3313] kasan_save_alloc_info+0x40/0x54 [ 165.919361][ T3313] __kasan_kmalloc+0xb8/0xbc [ 165.919439][ T3313] __kmalloc_cache_noprof+0x1b0/0x3cc [ 165.919528][ T3313] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 165.919610][ T3313] binderfs_fill_super+0x69c/0xed4 [ 165.919690][ T3313] get_tree_nodev+0xac/0x148 [ 165.919763][ T3313] binderfs_fs_context_get_tree+0x18/0x24 [ 165.919848][ T3313] vfs_get_tree+0x74/0x280 [ 165.919928][ T3313] path_mount+0xe54/0x1808 [ 165.920008][ T3313] __arm64_sys_mount+0x304/0x3dc [ 165.920087][ T3313] invoke_syscall+0x6c/0x258 [ 165.920163][ T3313] el0_svc_common.constprop.0+0xac/0x230 [ 165.920238][ T3313] do_el0_svc+0x40/0x58 [ 165.920311][ T3313] el0_svc+0x50/0x180 [ 165.920385][ T3313] el0t_64_sync_handler+0x10c/0x138 [ 165.920460][ T3313] el0t_64_sync+0x198/0x19c [ 165.920574][ T3313] [ 165.920704][ T3313] Freed by task 3314: [ 165.920813][ T3313] kasan_save_stack+0x3c/0x64 [ 165.920900][ T3313] kasan_save_track+0x20/0x3c [ 165.920979][ T3313] kasan_save_free_info+0x4c/0x74 [ 165.921096][ T3313] __kasan_slab_free+0x50/0x6c [ 165.921181][ T3313] kfree+0x1bc/0x444 [ 165.921256][ T3313] binderfs_evict_inode+0x238/0x2b4 [ 165.921335][ T3313] evict+0x2c0/0x67c [ 165.921408][ T3313] iput+0x3b0/0x6b4 [ 165.921481][ T3313] dentry_unlink_inode+0x208/0x46c [ 165.921566][ T3313] __dentry_kill+0x150/0x52c [ 165.921646][ T3313] shrink_dentry_list+0x114/0x3a4 [ 165.921761][ T3313] shrink_dcache_parent+0x158/0x354 [ 165.921841][ T3313] shrink_dcache_for_umount+0x88/0x304 [ 165.921920][ T3313] generic_shutdown_super+0x60/0x2e8 [ 165.921999][ T3313] kill_litter_super+0x68/0xa4 [ 165.922078][ T3313] binderfs_kill_super+0x38/0x88 [ 165.922157][ T3313] deactivate_locked_super+0x98/0x17c [ 165.922237][ T3313] deactivate_super+0xb0/0xd4 [ 165.922317][ T3313] cleanup_mnt+0x198/0x424 [ 165.922396][ T3313] __cleanup_mnt+0x14/0x20 [ 165.922474][ T3313] task_work_run+0x128/0x210 [ 165.922556][ T3313] do_exit+0x7ac/0x1f68 [ 165.922633][ T3313] do_group_exit+0xa4/0x208 [ 165.922709][ T3313] get_signal+0x1b00/0x1ba8 [ 165.922787][ T3313] do_signal+0x160/0x620 [ 165.922868][ T3313] do_notify_resume+0x18c/0x258 [ 165.922946][ T3313] el0_svc+0x100/0x180 [ 165.923023][ T3313] el0t_64_sync_handler+0x10c/0x138 [ 165.923098][ T3313] el0t_64_sync+0x198/0x19c [ 165.923186][ T3313] [ 165.923302][ T3313] The buggy address belongs to the object at ffff000016715000 [ 165.923302][ T3313] which belongs to the cache kmalloc-512 of size 512 [ 165.923446][ T3313] The buggy address is located 8 bytes inside of [ 165.923446][ T3313] freed 512-byte region [ffff000016715000, ffff000016715200) [ 165.923546][ T3313] [ 165.923675][ T3313] The buggy address belongs to the physical page: [ 165.924068][ T3313] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff000016714000 pfn:0x56714 [ 165.924580][ T3313] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 165.924734][ T3313] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 165.925179][ T3313] page_type: f5(slab) [ 165.925567][ T3313] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc060cf10 fffffdffc05d6b10 [ 165.925692][ T3313] raw: ffff000016714000 0000000000100005 00000000f5000000 0000000000000000 [ 165.925843][ T3313] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc060cf10 fffffdffc05d6b10 [ 165.925924][ T3313] head: ffff000016714000 0000000000100005 00000000f5000000 0000000000000000 [ 165.926009][ T3313] head: 01ffc00000000002 fffffdffc059c501 00000000ffffffff 00000000ffffffff [ 165.926083][ T3313] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 165.926200][ T3313] page dumped because: kasan: bad access detected [ 165.926284][ T3313] [ 165.926354][ T3313] Memory state around the buggy address: [ 165.926682][ T3313] ffff000016714f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 165.926798][ T3313] ffff000016714f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 165.926895][ T3313] >ffff000016715000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 165.926990][ T3313] ^ [ 165.927120][ T3313] ffff000016715080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 165.927192][ T3313] ffff000016715100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 165.927323][ T3313] ================================================================== [ 166.018825][ T3313] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 18:08:05 Registers: info registers vcpu 0 CPU#0 PC=ffff800085461fdc X00=ffff800085461fd8 X01=0000000000000000 X02=0000000000000000 X03=1fffe00001ee5001 X04=1fffe00001ee5001 X05=ffff8000800068c0 X06=ffff700010000d18 X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700010000d18 X11=1ffff00010000d18 X12=ffff700010000d19 X13=0000000000000000 X14=1fffe0000d417876 X15=1850271f2e330af5 X16=d514000041d5ffff X17=e04b6008e9fa063f X18=ffff000017a0dc80 X19=ffff8000873008b0 X20=ffff00000f728000 X21=0000000000000003 X22=0000000000000028 X23=dfff800000000000 X24=ffff800087300880 X25=0000000000000000 X26=0000000000000004 X27=ffff8000873008b0 X28=ffff00006a0b2af0 X29=ffff800080006860 X30=ffff800080428634 SP=ffff800080006860 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=6572207265767265:730073250a0d0a0d Q02=6c6c696b5f736672:65646e696220205d Q03=0000000000000000:00ff00ff00000000 Q04=0000000000000000:000000000f0f0000 Q05=72656c6c616b7a79:732d3563722d302e Q06=203a29323a303539:2e38322874696475 Q07=2035393237363934:3932343d64697561 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffe564d740:0000ffffe564d740 Q17=ffffff80ffffffd8:0000ffffe564d710 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff80008003328c X00=ffff8000a01a73c0 X01=0000000000000000 X02=ffff7fffe3066000 X03=1fffe000030b3001 X04=0000000000000005 X05=ffff8000a01a7378 X06=ffff8000a01a7390 X07=ffff8000a01a7440 X08=ffff8000a01a7338 X09=dfff800000000000 X10=ffff700014034e66 X11=1fffe000029c6ab4 X12=ffff6000029c6ab5 X13=0000000000000000 X14=00004c4b40000000 X15=0000000000000000 X16=ffff80008d440000 X17=ffff7fffe3066000 X18=0000000000000000 X19=ffff8000803072e0 X20=ffff00000e1638e0 X21=ffff000018598000 X22=0000000000000000 X23=ffff8000854617f8 X24=0000000000000000 X25=ffff800080c75648 X26=0000000000000000 X27=00000000000000a0 X28=0000000000000004 X29=ffff8000a01a7380 X30=ffff80008031104c SP=ffff8000a01a7410 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=372f6b636f6c622f:7665642f7379732f Q01=00303a372f6b636f:6c622f7665642f73 Q02=0000000000000000:ffffff0000000000 Q03=ffffffff00000000:ffffffff00ff0000 Q04=0000000000000000:ffff0000ffff0f00 Q05=0000000000000000:00c00000cccccccc Q06=63627c2a6476787c:2a64767c2a72737c Q07=7361647c2a737369:63637c2a65686361 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffe4304030:0000ffffe4304030 Q17=ffffff80ffffffd8:0000ffffe4304000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000