Warning: Permanently added '10.128.0.79' (ED25519) to the list of known hosts.
2025/05/24 20:40:20 ignoring optional flag "sandboxArg"="0"
2025/05/24 20:40:21 parsed 1 programs
[ 23.793829][ T23] audit: type=1400 audit(1748119221.860:81): avc: denied { node_bind } for pid=335 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 24.610475][ T23] audit: type=1400 audit(1748119222.680:82): avc: denied { mounton } for pid=343 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 24.612233][ T343] cgroup1: Unknown subsys name 'net'
[ 24.633123][ T23] audit: type=1400 audit(1748119222.680:83): avc: denied { mount } for pid=343 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 24.656735][ T343] cgroup1: Unknown subsys name 'net_prio'
[ 24.666536][ T343] cgroup1: Unknown subsys name 'devices'
[ 24.673095][ T23] audit: type=1400 audit(1748119222.740:84): avc: denied { unmount } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 24.811627][ T343] cgroup1: Unknown subsys name 'hugetlb'
[ 24.817714][ T343] cgroup1: Unknown subsys name 'rlimit'
[ 24.956245][ T23] audit: type=1400 audit(1748119223.020:85): avc: denied { setattr } for pid=343 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10551 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 24.979637][ T23] audit: type=1400 audit(1748119223.030:86): avc: denied { create } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.000102][ T23] audit: type=1400 audit(1748119223.030:87): avc: denied { write } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.020491][ T23] audit: type=1400 audit(1748119223.030:88): avc: denied { read } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.025010][ T347] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 25.040838][ T23] audit: type=1400 audit(1748119223.030:89): avc: denied { module_request } for pid=343 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 25.071168][ T23] audit: type=1400 audit(1748119223.030:90): avc: denied { mounton } for pid=343 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 25.179792][ T343] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 25.570677][ T350] request_module fs-gadgetfs succeeded, but still no fs?
[ 26.184837][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.191992][ T385] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.199580][ T385] device bridge_slave_0 entered promiscuous mode
[ 26.206613][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.213630][ T385] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.221130][ T385] device bridge_slave_1 entered promiscuous mode
[ 26.261716][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.268777][ T385] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.276227][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.283266][ T385] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.303363][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.310933][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.318618][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 26.326010][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 26.335682][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 26.343933][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.350983][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.359995][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 26.368604][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.375618][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.392058][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 26.401459][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.416840][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.431826][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.444416][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.459998][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.470396][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 26.510740][ T385] syz-executor (385) used greatest stack depth: 21184 bytes left
2025/05/24 20:40:24 executed programs: 0
[ 26.890476][ T430] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.898025][ T430] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.905673][ T430] device bridge_slave_0 entered promiscuous mode
[ 26.912826][ T430] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.920159][ T430] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.927930][ T430] device bridge_slave_1 entered promiscuous mode
[ 26.970478][ T430] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.977547][ T430] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.984804][ T430] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.991908][ T430] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.014736][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.022521][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.030890][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.043970][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.052294][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.059340][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.068356][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.076912][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.083937][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.100711][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.110070][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.128878][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.140252][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.157816][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.170822][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.183504][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 27.192030][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 27.476997][ T102] device bridge_slave_1 left promiscuous mode
[ 27.483130][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.490609][ T102] device bridge_slave_0 left promiscuous mode
[ 27.497149][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.273473][ T443] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.280624][ T443] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.288140][ T443] device bridge_slave_0 entered promiscuous mode
[ 42.295331][ T443] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.302412][ T443] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.309826][ T443] device bridge_slave_1 entered promiscuous mode
[ 42.348925][ T443] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.355957][ T443] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.363293][ T443] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.371068][ T443] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.391250][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.398574][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.405951][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 42.413508][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.423054][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.431264][ T102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.438306][ T102] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.447165][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.455386][ T102] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.462434][ T102] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.475508][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.484896][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.500368][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.511886][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.524927][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.537374][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/05/24 20:40:40 executed programs: 3
[ 42.547577][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 42.569571][ T443] ==================================================================
[ 42.577674][ T443] BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30
[ 42.584673][ T443] Read of size 4 at addr ffff8881e964af78 by task syz-executor/443
[ 42.592554][ T443]
[ 42.594899][ T443] CPU: 0 PID: 443 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
[ 42.604763][ T443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 42.614805][ T443] Call Trace:
[ 42.618081][ T443] __dump_stack+0x1e/0x20
[ 42.622406][ T443] dump_stack+0x15b/0x1b8
[ 42.626717][ T443] ? vprintk_default+0x28/0x30
[ 42.631468][ T443] ? show_regs_print_info+0x18/0x18
[ 42.636673][ T443] ? printk+0xcc/0x110
[ 42.640723][ T443] ? __mutex_lock+0xace/0xe30
[ 42.645404][ T443] print_address_description+0x8d/0x4c0
[ 42.650941][ T443] ? __mutex_lock+0xace/0xe30
[ 42.655613][ T443] __kasan_report+0xef/0x120
[ 42.660370][ T443] ? __mutex_lock+0xace/0xe30
[ 42.665222][ T443] kasan_report+0x30/0x60
[ 42.669550][ T443] __asan_report_load4_noabort+0x14/0x20
[ 42.675342][ T443] __mutex_lock+0xace/0xe30
[ 42.679915][ T443] ? __kasan_check_write+0x14/0x20
[ 42.685013][ T443] ? kobject_get_unless_zero+0x15e/0x1e0
[ 42.690648][ T443] ? __ww_mutex_lock_interruptible_slowpath+0x20/0x20
[ 42.697395][ T443] ? mutex_lock+0x8c/0xe0
[ 42.701709][ T443] ? disk_check_events+0x5c0/0x5c0
[ 42.706802][ T443] __mutex_lock_killable_slowpath+0xe/0x10
[ 42.712589][ T443] mutex_lock_killable+0xd3/0xe0
[ 42.717509][ T443] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 42.723997][ T443] ? __kasan_check_write+0x14/0x20
[ 42.729091][ T443] ? kobject_get+0xd3/0x120
[ 42.733576][ T443] lo_open+0x1d/0xc0
[ 42.737451][ T443] __blkdev_get+0x610/0x1560
[ 42.742136][ T443] ? blkdev_get+0x380/0x380
[ 42.746619][ T443] ? _raw_spin_lock+0x8e/0xe0
[ 42.751275][ T443] ? _raw_spin_trylock_bh+0x130/0x130
[ 42.756628][ T443] ? __fsnotify_parent+0x310/0x310
[ 42.761722][ T443] blkdev_get+0x68/0x380
[ 42.765952][ T443] ? bd_acquire+0x30a/0x340
[ 42.770514][ T443] blkdev_open+0x1cb/0x2b0
[ 42.774922][ T443] ? block_ioctl+0x100/0x100
[ 42.779508][ T443] do_dentry_open+0x8b5/0x1030
[ 42.784255][ T443] ? finish_open+0xd0/0xd0
[ 42.788666][ T443] ? inode_permission+0xed/0x540
[ 42.793600][ T443] vfs_open+0x73/0x80
[ 42.797624][ T443] path_openat+0x2a5e/0x35c0
[ 42.802227][ T443] ? kmem_cache_alloc+0xe2/0x270
[ 42.807158][ T443] ? getname_flags+0xb9/0x500
[ 42.811848][ T443] ? getname+0x19/0x20
[ 42.815905][ T443] ? do_filp_open+0x3f0/0x3f0
[ 42.820575][ T443] do_filp_open+0x1ae/0x3f0
[ 42.825063][ T443] ? vfs_tmpfile+0x2c0/0x2c0
[ 42.829638][ T443] ? get_unused_fd_flags+0x93/0xa0
[ 42.834726][ T443] do_sys_open+0x2bb/0x5d0
[ 42.839126][ T443] ? file_open_root+0x2b0/0x2b0
[ 42.843979][ T443] ? debug_smp_processor_id+0x1c/0x20
[ 42.849332][ T443] __x64_sys_openat+0xa2/0xb0
[ 42.853990][ T443] do_syscall_64+0xcf/0x170
[ 42.858477][ T443] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 42.864360][ T443] RIP: 0033:0x7fa40d621251
[ 42.868769][ T443] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 42.888553][ T443] RSP: 002b:00007fff3ee340f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 42.896948][ T443] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fa40d621251
[ 42.904958][ T443] RDX: 0000000000000002 RSI: 00007fff3ee34200 RDI: 00000000ffffff9c
[ 42.912913][ T443] RBP: 00007fff3ee34200 R08: 000000000000000a R09: 00007fff3ee33eb7
[ 42.921160][ T443] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 42.929124][ T443] R13: 00007fa40d811260 R14: 0000000000000003 R15: 00007fff3ee34200
[ 42.937252][ T443]
[ 42.939558][ T443] Allocated by task 434:
[ 42.943798][ T443] __kasan_kmalloc+0x162/0x200
[ 42.948542][ T443] kasan_slab_alloc+0x12/0x20
[ 42.953202][ T443] kmem_cache_alloc+0xe2/0x270
[ 42.957948][ T443] dup_task_struct+0x57/0x640
[ 42.962606][ T443] copy_process+0x503/0x2cf0
[ 42.967174][ T443] _do_fork+0x190/0x860
[ 42.971404][ T443] __x64_sys_clone3+0x1de/0x1f0
[ 42.976237][ T443] do_syscall_64+0xcf/0x170
[ 42.980723][ T443] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 42.986593][ T443]
[ 42.988918][ T443] Freed by task 17:
[ 42.992811][ T443] __kasan_slab_free+0x1c3/0x280
[ 42.997730][ T443] kasan_slab_free+0xe/0x10
[ 43.002215][ T443] slab_free_freelist_hook+0xb7/0x180
[ 43.007565][ T443] kmem_cache_free+0x10c/0x2c0
[ 43.012331][ T443] free_task+0xe9/0x150
[ 43.016488][ T443] __put_task_struct+0x2b7/0x420
[ 43.021403][ T443] delayed_put_task_struct+0x71/0x210
[ 43.026762][ T443] rcu_do_batch+0x446/0x980
[ 43.031262][ T443] rcu_core+0x4bd/0xbd0
[ 43.035411][ T443] rcu_core_si+0x9/0x10
[ 43.039548][ T443] __do_softirq+0x236/0x660
[ 43.044026][ T443]
[ 43.046340][ T443] The buggy address belongs to the object at ffff8881e964af40
[ 43.046340][ T443] which belongs to the cache task_struct of size 3904
[ 43.060549][ T443] The buggy address is located 56 bytes inside of
[ 43.060549][ T443] 3904-byte region [ffff8881e964af40, ffff8881e964be80)
[ 43.073996][ T443] The buggy address belongs to the page:
[ 43.079637][ T443] page:ffffea0007a59200 refcount:1 mapcount:0 mapping:ffff8881f5cf4f00 index:0x0 compound_mapcount: 0
[ 43.090549][ T443] flags: 0x8000000000010200(slab|head)
[ 43.095995][ T443] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf4f00
[ 43.104651][ T443] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 43.113216][ T443] page dumped because: kasan: bad access detected
[ 43.119613][ T443] page_owner tracks the page as allocated
[ 43.125318][ T443] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 43.141721][ T443] prep_new_page+0x35e/0x370
[ 43.146452][ T443] get_page_from_freelist+0x1296/0x1310
[ 43.152003][ T443] __alloc_pages_nodemask+0x202/0x4b0
[ 43.157370][ T443] alloc_slab_page+0x3c/0x3b0
[ 43.162041][ T443] new_slab+0x93/0x420
[ 43.166128][ T443] ___slab_alloc+0x29e/0x420
[ 43.170716][ T443] __slab_alloc+0x63/0xa0
[ 43.175031][ T443] kmem_cache_alloc+0x12c/0x270
[ 43.179860][ T443] dup_task_struct+0x57/0x640
[ 43.184640][ T443] copy_process+0x503/0x2cf0
[ 43.189216][ T443] _do_fork+0x190/0x860
[ 43.193354][ T443] __x64_sys_clone3+0x1de/0x1f0
[ 43.198195][ T443] do_syscall_64+0xcf/0x170
[ 43.202682][ T443] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 43.208554][ T443] page last free stack trace:
[ 43.213214][ T443] __free_pages_ok+0x7e4/0x910
[ 43.217958][ T443] __free_pages+0x8c/0x110
[ 43.222357][ T443] __free_slab+0x218/0x2d0
[ 43.226906][ T443] discard_slab+0x29/0x40
[ 43.231223][ T443] __slab_free+0x374/0x380
[ 43.235628][ T443] ___cache_free+0xbb/0xd0
[ 43.240054][ T443] qlink_free+0x23/0x30
[ 43.244342][ T443] qlist_free_all+0x5f/0xb0
[ 43.248835][ T443] quarantine_reduce+0x1a8/0x200
[ 43.253756][ T443] __kasan_kmalloc+0x42/0x200
[ 43.258410][ T443] kasan_slab_alloc+0x12/0x20
[ 43.263105][ T443] __kmalloc+0x106/0x2f0
[ 43.267334][ T443] qdisc_alloc+0x7f/0x7e0
[ 43.271669][ T443] qdisc_create_dflt+0x69/0x270
[ 43.276505][ T443] dev_activate+0x2ec/0xc80
[ 43.280991][ T443] __dev_open+0x2d3/0x3f0
[ 43.285314][ T443]
[ 43.287623][ T443] Memory state around the buggy address:
[ 43.293234][ T443] ffff8881e964ae00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.301274][ T443] ffff8881e964ae80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 43.309316][ T443] >ffff8881e964af00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 43.317374][ T443] ^
[ 43.325327][ T443] ffff8881e964af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.333367][ T443] ffff8881e964b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.341428][ T443] ==================================================================
[ 43.349468][ T443] Disabling lock debugging due to kernel taint