Warning: Permanently added '10.128.0.73' (ED25519) to the list of known hosts. [ 28.216398][ T23] audit: type=1400 audit(1743125562.280:66): avc: denied { execmem } for pid=355 comm="syz-executor364" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 28.235841][ T23] audit: type=1400 audit(1743125562.280:67): avc: denied { mounton } for pid=355 comm="syz-executor364" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 28.260836][ T23] audit: type=1400 audit(1743125562.280:68): avc: denied { mount } for pid=355 comm="syz-executor364" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 28.267542][ T357] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 28.293231][ T23] audit: type=1400 audit(1743125562.360:69): avc: denied { relabelto } for pid=357 comm="mkswap" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 28.319035][ T23] audit: type=1400 audit(1743125562.360:70): avc: denied { write } for pid=357 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 28.348063][ T23] audit: type=1400 audit(1743125562.420:71): avc: denied { read } for pid=355 comm="syz-executor364" name="swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 28.374277][ T23] audit: type=1400 audit(1743125562.420:72): avc: denied { open } for pid=355 comm="syz-executor364" path="/root/swap-file" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 28.400618][ T355] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 28.415771][ T23] audit: type=1400 audit(1743125562.480:73): avc: denied { mounton } for pid=365 comm="syz-executor364" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 28.459648][ T23] audit: type=1400 audit(1743125562.480:74): avc: denied { module_request } for pid=365 comm="syz-executor364" kmod="netdev-nr2" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 28.564612][ T365] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.571475][ T365] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.579029][ T365] device bridge_slave_0 entered promiscuous mode [ 28.588115][ T365] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.595129][ T365] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.602662][ T365] device bridge_slave_1 entered promiscuous mode [ 28.675874][ T364] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.682728][ T364] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.689927][ T364] device bridge_slave_0 entered promiscuous mode [ 28.712579][ T364] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.719422][ T364] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.726914][ T364] device bridge_slave_1 entered promiscuous mode [ 28.737188][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.744074][ T368] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.751396][ T368] device bridge_slave_0 entered promiscuous mode [ 28.761539][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.768373][ T368] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.775759][ T368] device bridge_slave_1 entered promiscuous mode [ 28.838976][ T369] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.846105][ T369] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.853419][ T369] device bridge_slave_0 entered promiscuous mode [ 28.863213][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.870082][ T367] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.877478][ T367] device bridge_slave_0 entered promiscuous mode [ 28.892267][ T369] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.899189][ T369] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.906563][ T369] device bridge_slave_1 entered promiscuous mode [ 28.913086][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.919905][ T367] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.927355][ T367] device bridge_slave_1 entered promiscuous mode [ 29.006193][ T23] audit: type=1400 audit(1743125563.070:75): avc: denied { create } for pid=365 comm="syz-executor364" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 29.087481][ T364] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.094378][ T364] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.101495][ T364] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.108313][ T364] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.119470][ T365] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.126324][ T365] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.133461][ T365] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.140283][ T365] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.155839][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.162791][ T368] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.169977][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.176777][ T368] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.191475][ T369] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.198304][ T369] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.205461][ T369] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.212214][ T369] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.270190][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.278121][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.285260][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.292748][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.299701][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.306666][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.313762][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.320721][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.327986][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.335171][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.362276][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 29.369574][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.376998][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.385747][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.392586][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.399947][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.408379][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.415216][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.422365][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.430320][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.437156][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.444436][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.452539][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.459351][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.484233][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.492309][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.501418][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.508253][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.515507][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.523640][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.530487][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.537753][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.545902][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.573285][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 29.583398][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.591620][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.598446][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.605967][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 29.614766][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.622620][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 29.630846][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.638779][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.645620][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.670612][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 29.678772][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.687009][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 29.695744][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.704135][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 29.712137][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.723860][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 29.731951][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.769294][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 29.778054][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.787285][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 29.795476][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 29.803361][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 29.810869][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.818349][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 29.826740][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.835269][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 29.843607][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.851736][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.858685][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.866281][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 29.874762][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.883009][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.889820][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.897118][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 29.904955][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 29.912802][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 29.920695][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.928536][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 29.950887][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 29.959227][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.967507][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 29.977791][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.986853][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 29.994813][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 30.002752][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 30.010820][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 30.020194][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 30.028362][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 30.048481][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 30.056677][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 30.065394][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 30.073478][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 30.084784][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 30.104296][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 30.112691][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 30.120309][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 30.128974][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 30.153204][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 30.161368][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 30.169255][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 30.177891][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 30.186411][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 30.194652][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 30.202932][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 30.210722][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready executing program [ 30.230704][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 30.238983][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 30.239115][ T365] request_module fs-gadgetfs succeeded, but still no fs? [ 30.267283][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready executing program [ 30.275721][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 30.284345][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 30.293474][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 30.302055][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 30.310259][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready executing program [ 30.738985][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 30.747656][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 30.755903][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 30.764238][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 30.772743][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 32.206575][ C0] hrtimer: interrupt took 102936 ns [ 36.067163][ T23] kauditd_printk_skb: 17 callbacks suppressed [ 36.067173][ T23] audit: type=1400 audit(1743125570.130:93): avc: denied { mounton } for pid=368 comm="syz-executor364" path="/root/syzkaller.YUw6ZX/syz-tmp" dev="sda1" ino=1935 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 executing program [ 36.333717][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 36.945055][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready executing program executing program [ 38.154067][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 38.183473][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready executing program [ 44.116827][ T13] ================================================================== [ 44.124730][ T13] BUG: KASAN: use-after-free in enqueue_timer+0xb7/0x300 [ 44.131575][ T13] Write of size 8 at addr ffff8881d7fbf1c8 by task kworker/0:1/13 [ 44.139210][ T13] [ 44.141386][ T13] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0 [ 44.150928][ T13] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 44.160860][ T13] Workqueue: ipv6_addrconf addrconf_dad_work [ 44.166637][ T13] Call Trace: [ 44.169780][ T13] dump_stack+0x1d8/0x241 [ 44.173938][ T13] ? debug_smp_processor_id+0x20/0x20 [ 44.179145][ T13] ? nf_ct_l4proto_log_invalid+0x258/0x258 [ 44.184794][ T13] ? printk+0xd1/0x111 [ 44.188702][ T13] ? enqueue_timer+0xb7/0x300 [ 44.193205][ T13] ? wake_up_klogd+0xb2/0xf0 [ 44.197631][ T13] ? enqueue_timer+0xb7/0x300 [ 44.202145][ T13] print_address_description+0x8c/0x600 [ 44.207528][ T13] ? panic+0x89d/0x89d [ 44.211435][ T13] ? enqueue_timer+0xb7/0x300 [ 44.215945][ T13] __kasan_report+0xf3/0x120 [ 44.220377][ T13] ? enqueue_timer+0xb7/0x300 [ 44.224885][ T13] kasan_report+0x30/0x60 [ 44.229052][ T13] enqueue_timer+0xb7/0x300 [ 44.233398][ T13] internal_add_timer+0x240/0x430 [ 44.238255][ T13] __mod_timer+0x6f1/0x13e0 [ 44.242600][ T13] ? mod_timer_pending+0x20/0x20 [ 44.247376][ T13] ? try_to_grab_pending+0x1de/0x5b0 [ 44.252492][ T13] ? mod_delayed_work_on+0x190/0x190 [ 44.257623][ T13] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10 [ 44.264208][ T13] ? __queue_delayed_work+0x15f/0x200 [ 44.269418][ T13] mod_delayed_work_on+0xff/0x190 [ 44.274274][ T13] ? __queue_delayed_work+0x200/0x200 [ 44.279481][ T13] ? _raw_spin_lock+0xa4/0x1b0 [ 44.284088][ T13] ? _raw_spin_trylock_bh+0x190/0x190 [ 44.289292][ T13] ? __perf_event_task_sched_in+0x219/0x2a0 [ 44.295025][ T13] addrconf_mod_dad_work+0x79/0x120 [ 44.300054][ T13] addrconf_dad_work+0xa80/0x16f0 [ 44.304915][ T13] ? finish_task_switch+0x130/0x590 [ 44.309949][ T13] ? ipv6_get_saddr_eval+0xea0/0xea0 [ 44.315072][ T13] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 44.320017][ T13] ? _raw_spin_lock_irqsave+0x210/0x210 [ 44.325401][ T13] ? read_word_at_a_time+0xe/0x20 [ 44.330256][ T13] ? strscpy+0x89/0x220 [ 44.334275][ T13] process_one_work+0x765/0xd20 [ 44.338950][ T13] worker_thread+0xaef/0x1470 [ 44.343457][ T13] kthread+0x2da/0x360 [ 44.347360][ T13] ? worker_clr_flags+0x170/0x170 [ 44.352219][ T13] ? kthread_blkcg+0xd0/0xd0 [ 44.356646][ T13] ret_from_fork+0x1f/0x30 [ 44.360897][ T13] [ 44.363063][ T13] The buggy address belongs to the page: [ 44.368541][ T13] page:ffffea00075fefc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 44.377475][ T13] flags: 0x8000000000000000() [ 44.381994][ T13] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000 [ 44.390414][ T13] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 44.398914][ T13] page dumped because: kasan: bad access detected [ 44.405163][ T13] page_owner tracks the page as freed [ 44.410375][ T13] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO) [ 44.424699][ T13] prep_new_page+0x18f/0x370 [ 44.429209][ T13] get_page_from_freelist+0x2d13/0x2d90 [ 44.434590][ T13] __alloc_pages_nodemask+0x393/0x840 [ 44.439977][ T13] kmalloc_order_trace+0x2a/0x100 [ 44.444835][ T13] kvmalloc_node+0x7e/0xf0 [ 44.449088][ T13] alloc_netdev_mqs+0x85/0xc70 [ 44.453685][ T13] tun_set_iff+0x51f/0xdc0 [ 44.457941][ T13] __tun_chr_ioctl+0x8a9/0x1d00 [ 44.462628][ T13] do_vfs_ioctl+0x742/0x1720 [ 44.467234][ T13] __x64_sys_ioctl+0xd4/0x110 [ 44.471745][ T13] do_syscall_64+0xca/0x1c0 [ 44.476080][ T13] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 44.481808][ T13] page last free stack trace: [ 44.486322][ T13] __free_pages_ok+0x847/0x950 [ 44.490923][ T13] __free_pages+0x91/0x140 [ 44.495178][ T13] device_release+0x6b/0x190 [ 44.499603][ T13] kobject_put+0x1e6/0x2f0 [ 44.503855][ T13] tun_set_iff+0x870/0xdc0 [ 44.508112][ T13] __tun_chr_ioctl+0x8a9/0x1d00 [ 44.513148][ T13] do_vfs_ioctl+0x742/0x1720 [ 44.517573][ T13] __x64_sys_ioctl+0xd4/0x110 [ 44.522085][ T13] do_syscall_64+0xca/0x1c0 [ 44.526423][ T13] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 44.532148][ T13] [ 44.534320][ T13] Memory state around the buggy address: [ 44.539879][ T13] ffff8881d7fbf080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.547780][ T13] ffff8881d7fbf100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.555682][ T13] >ffff8881d7fbf180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.563665][ T13] ^ [ 44.569922][ T13] ffff8881d7fbf200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.577811][ T13] ffff8881d7fbf280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.585704][ T13] ================================================================== [ 44.593604][ T13] Disabling lock debugging due to kernel taint executing program executing program [ 44.778192][ T23] audit: type=1400 audit(1743125578.840:94): avc: denied { map_read map_write } for pid=400 comm="syz-executor364" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bpf permissive=1 executing program [ 45.180406][ C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 45.188031][ C0] #PF: supervisor instruction fetch in kernel mode [ 45.194368][ C0] #PF: error_code(0x0010) - not-present page [ 45.200180][ C0] PGD 0 P4D 0 [ 45.203395][ C0] Oops: 0010 [#1] PREEMPT SMP KASAN [ 45.208433][ C0] CPU: 0 PID: 409 Comm: syz-executor364 Tainted: G B 5.4.290-syzkaller-00002-g41adfeb3d639 #0 [ 45.219893][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 45.229798][ C0] RIP: 0010:0x0 [ 45.233092][ C0] Code: Bad RIP value. [ 45.236995][ C0] RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206 [ 45.242901][ C0] RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881eccd0fc0 [ 45.250707][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881d7fbf1c0 [ 45.258608][ C0] RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003 [ 45.266445][ C0] R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffff9ba8 [ 45.274319][ C0] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d7fbf1c0 [ 45.282135][ C0] FS: 0000555579e41480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 45.290895][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 45.297411][ C0] CR2: ffffffffffffffd6 CR3: 00000001eaf10000 CR4: 00000000003406b0 [ 45.305220][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 45.313030][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 45.320837][ C0] Call Trace: [ 45.323965][ C0] [ 45.326663][ C0] ? __die+0xb4/0x100 [ 45.330481][ C0] ? no_context+0xac7/0xd20 [ 45.334818][ C0] ? debug_smp_processor_id+0x20/0x20 [ 45.340024][ C0] ? check_preemption_disabled+0x9f/0x320 [ 45.345583][ C0] ? is_prefetch+0x4b0/0x4b0 [ 45.350007][ C0] ? check_preemption_disabled+0x9f/0x320 [ 45.355561][ C0] ? debug_smp_processor_id+0x20/0x20 [ 45.360772][ C0] ? __do_page_fault+0xa72/0xbb0 [ 45.365545][ C0] ? debug_smp_processor_id+0x20/0x20 [ 45.370761][ C0] ? __bad_area_nosemaphore+0xc0/0x470 [ 45.376052][ C0] ? page_fault+0x2f/0x40 [ 45.380218][ C0] ? __run_timers+0x84e/0xbe0 [ 45.384728][ C0] ? call_timer_fn+0x2a/0x390 [ 45.389242][ C0] call_timer_fn+0x36/0x390 [ 45.393582][ C0] __run_timers+0x879/0xbe0 [ 45.397923][ C0] ? enqueue_timer+0x300/0x300 [ 45.402522][ C0] ? check_preemption_disabled+0x9f/0x320 [ 45.408075][ C0] ? debug_smp_processor_id+0x20/0x20 [ 45.413287][ C0] ? lapic_next_event+0x5b/0x70 [ 45.418058][ C0] run_timer_softirq+0x63/0xf0 [ 45.422661][ C0] __do_softirq+0x23b/0x6b7 [ 45.427010][ C0] irq_exit+0x195/0x1c0 [ 45.431087][ C0] smp_apic_timer_interrupt+0x11a/0x490 [ 45.436466][ C0] apic_timer_interrupt+0xf/0x20 [ 45.441239][ C0] [ 45.444024][ C0] RIP: 0010:is_module_text_address+0x0/0x140 [ 45.449845][ C0] Code: 48 89 c3 bf 01 00 00 00 e8 9d 95 ea ff 65 8b 05 52 31 a8 7e 85 c0 74 08 48 85 db 0f 95 c0 5b c3 e8 d5 f7 a5 ff eb f1 0f 1f 00 <41> 57 41 56 41 55 41 54 53 49 89 fe bf 01 00 00 00 e8 ea 93 ea ff [ 45.469366][ C0] RSP: 0018:ffff8881eb12f438 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13 [ 45.477615][ C0] RAX: 0000000000000001 RBX: 00007fbb92437899 RCX: ffffffff81517c5b [ 45.485426][ C0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00007fbb92437899 [ 45.493320][ C0] RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed103edcb135 [ 45.501132][ C0] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881eccd0fc0 [ 45.508942][ C0] R13: ffffffff8153c430 R14: dffffc0000000000 R15: 1ffff1103d625e99 [ 45.516761][ C0] ? stack_trace_save+0x1c0/0x1c0 [ 45.521621][ C0] ? rcu_is_watching+0x5b/0xc0 [ 45.526220][ C0] __kernel_text_address+0x82/0x100 [ 45.531255][ C0] unwind_get_return_address+0x49/0x80 [ 45.536550][ C0] arch_stack_walk+0xf5/0x140 [ 45.541065][ C0] stack_trace_save+0x118/0x1c0 [ 45.545749][ C0] ? stack_trace_snprint+0x170/0x170 [ 45.550870][ C0] __kasan_kmalloc+0x171/0x210 [ 45.555469][ C0] ? __kasan_kmalloc+0x171/0x210 [ 45.560243][ C0] ? kmem_cache_alloc_trace+0xdc/0x260 [ 45.565540][ C0] ? htab_map_alloc+0x94/0x930 [ 45.570139][ C0] ? __se_sys_bpf+0x3291/0xbcb0 [ 45.574828][ C0] ? do_syscall_64+0xca/0x1c0 [ 45.579338][ C0] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 45.585250][ C0] kmem_cache_alloc_trace+0xdc/0x260 [ 45.590366][ C0] ? htab_map_alloc+0x94/0x930 [ 45.594962][ C0] htab_map_alloc+0x94/0x930 [ 45.599391][ C0] ? htab_map_alloc_check+0x3ac/0x490 [ 45.604598][ C0] __se_sys_bpf+0x3291/0xbcb0 [ 45.609111][ C0] ? __mutex_unlock_slowpath+0x203/0x240 [ 45.614583][ C0] ? mutex_unlock+0x40/0x40 [ 45.618920][ C0] ? register_netdevice+0xfee/0x12a0 [ 45.624051][ C0] ? __rtnl_unlock+0x73/0x80 [ 45.628476][ C0] ? netdev_run_todo+0xd95/0xdf0 [ 45.633244][ C0] ? apic_timer_interrupt+0xa/0x20 [ 45.638189][ C0] ? __x64_sys_bpf+0x80/0x80 [ 45.642618][ C0] ? netdev_refcnt_read+0x1c0/0x1c0 [ 45.647652][ C0] ? _copy_to_user+0x71/0xb0 [ 45.652080][ C0] ? copy_user_generic_unrolled+0x8c/0xc0 [ 45.657636][ C0] ? __tun_chr_ioctl+0xad4/0x1d00 [ 45.662498][ C0] ? tun_flow_create+0x250/0x250 [ 45.667268][ C0] ? apic_timer_interrupt+0xa/0x20 [ 45.672219][ C0] ? do_vfs_ioctl+0xde/0x1720 [ 45.676733][ C0] ? do_vfs_ioctl+0x28b/0x1720 [ 45.681327][ C0] ? do_vfs_ioctl+0x733/0x1720 [ 45.685946][ C0] ? tun_chr_poll+0x670/0x670 [ 45.690465][ C0] ? do_vfs_ioctl+0x75b/0x1720 [ 45.695136][ C0] ? ioctl_preallocate+0x250/0x250 [ 45.700083][ C0] ? check_preemption_disabled+0x153/0x320 [ 45.705722][ C0] ? debug_smp_processor_id+0x20/0x20 [ 45.710942][ C0] ? up_read+0x6f/0x1b0 [ 45.714938][ C0] ? down_write_trylock+0x130/0x130 [ 45.719963][ C0] ? check_preemption_disabled+0x153/0x320 [ 45.725691][ C0] ? security_file_ioctl+0x7d/0xa0 [ 45.730737][ C0] do_syscall_64+0xca/0x1c0 [ 45.735079][ C0] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [ 45.740805][ C0] RIP: 0033:0x7fbb92437899 [ 45.745062][ C0] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 45.764507][ C0] RSP: 002b:00007ffebcb1d278 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 [ 45.772745][ C0] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbb92437899 [ 45.780651][ C0] RDX: 0000000000000048 RSI: 0000200000000840 RDI: 0000000000000000 [ 45.788481][ C0] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000003 [ 45.796268][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffebcb1d2a8 [ 45.804084][ C0] R13: 00007ffebcb1d2e0 R14: 0000000000000002 R15: 431bde82d7b634db [ 45.811893][ C0] Modules linked in: [ 45.815625][ C0] CR2: 0000000000000000 [ 45.819616][ C0] ---[ end trace 456e3f53cdd9e012 ]--- [ 45.824913][ C0] RIP: 0010:0x0 [ 45.828222][ C0] Code: Bad RIP value. [ 45.832113][ C0] RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206 [ 45.838018][ C0] RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881eccd0fc0 [ 45.845830][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881d7fbf1c0 [ 45.853643][ C0] RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003 [ 45.861462][ C0] R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffff9ba8 [ 45.869349][ C0] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d7fbf1c0 [ 45.877166][ C0] FS: 0000555579e41480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 45.885931][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 45.892459][ C0] CR2: ffffffffffffffd6 CR3: 00000001eaf10000 CR4: 00000000003406b0 [ 45.900276][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 45.908170][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 45.915983][ C0] Kernel panic - not syncing: Fatal exception in interrupt [ 45.923199][ C0] Kernel Offset: disabled [ 45.927322][ C0] Rebooting in 86400 seconds..