./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor495901934 <...> Warning: Permanently added '10.128.0.136' (ED25519) to the list of known hosts. execve("./syz-executor495901934", ["./syz-executor495901934"], 0x7ffda8c96f50 /* 10 vars */) = 0 brk(NULL) = 0x55557207b000 brk(0x55557207bd00) = 0x55557207bd00 arch_prctl(ARCH_SET_FS, 0x55557207b380) = 0 set_tid_address(0x55557207b650) = 282 set_robust_list(0x55557207b660, 24) = 0 rseq(0x55557207bca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor495901934", 4096) = 27 getrandom("\xfb\xf1\x41\x92\x99\x50\x32\xfb", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557207bd00 brk(0x55557209cd00) = 0x55557209cd00 brk(0x55557209d000) = 0x55557209d000 mprotect(0x7f02bddac000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18executing program ) = 18 openat(AT_FDCWD, "/dev/net/tun", O_RDONLY) = 3 ioctl(3, TUNSETIFF, 0x200000000040) = 0 socket(AF_NETLINK, SOCK_RAW, 0) = 4 socket(AF_UNIX, SOCK_STREAM, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="syzkaller0", ifr_ifindex=15}) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x38\x00\x00\x00\x24\x00\x41\x65\x10\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x01\x00\xff\xff\xff\xff\x00\x00\x0f\x00\x0b\x00\x01\x00\x6d\x75\x6c\x74\x69\x71\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00", iov_len=56}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 56 [ 21.828307][ T24] audit: type=1400 audit(1749741055.840:64): avc: denied { execmem } for pid=282 comm="syz-executor495" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.852534][ T282] ================================================================== [ 21.860653][ T282] BUG: KASAN: slab-out-of-bounds in tc_setup_flow_action+0x842/0x3280 [ 21.867083][ T24] audit: type=1400 audit(1749741055.860:65): avc: denied { read } for pid=134 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 21.868804][ T282] Read of size 8 at addr ffff8881085f3ec0 by task syz-executor495/282 [ 21.898106][ T282] [ 21.900436][ T282] CPU: 1 PID: 282 Comm: syz-executor495 Not tainted 5.10.238-syzkaller-00282-gd76d4cd0623a #0 [ 21.910895][ T282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025 [ 21.921029][ T282] Call Trace: [ 21.924308][ T282] __dump_stack+0x21/0x24 [ 21.928669][ T282] dump_stack_lvl+0x169/0x1d8 [ 21.933334][ T282] ? show_regs_print_info+0x18/0x18 [ 21.938600][ T282] ? thaw_kernel_threads+0x220/0x220 [ 21.943879][ T282] print_address_description+0x7f/0x2c0 [ 21.949692][ T282] ? tc_setup_flow_action+0x842/0x3280 [ 21.955243][ T282] kasan_report+0xe2/0x130 [ 21.959644][ T282] ? flow_action_cookie_create+0x28/0x90 [ 21.965345][ T282] ? tc_setup_flow_action+0x842/0x3280 [ 21.970896][ T282] __asan_report_load8_noabort+0x14/0x20 [ 21.976508][ T282] tc_setup_flow_action+0x842/0x3280 [ 21.981777][ T282] ? __kmalloc+0x1a7/0x330 [ 21.986268][ T282] ? flow_rule_alloc+0x32/0x2c0 [ 21.991136][ T282] mall_replace_hw_filter+0x293/0x810 [ 21.996569][ T282] ? pcpu_block_update_hint_alloc+0x8b5/0xc50 [ 22.002709][ T282] ? mall_set_parms+0x410/0x410 [ 22.007553][ T282] ? tcf_exts_destroy+0xb0/0xb0 [ 22.012398][ T282] ? pcpu_alloc+0xf8a/0x16b0 [ 22.016962][ T282] ? mall_set_parms+0x19d/0x410 [ 22.021795][ T282] mall_change+0x528/0x750 [ 22.026215][ T282] ? __kasan_check_write+0x14/0x20 [ 22.031660][ T282] ? mall_get+0xa0/0xa0 [ 22.036011][ T282] ? tcf_chain_tp_insert_unique+0xac1/0xc10 [ 22.042152][ T282] ? nla_strcmp+0xf4/0x140 [ 22.046565][ T282] tc_new_tfilter+0x13f6/0x1a10 [ 22.051388][ T282] ? mall_get+0xa0/0xa0 [ 22.055716][ T282] ? tcf_gate_entry_destructor+0x20/0x20 [ 22.061407][ T282] ? security_capable+0x87/0xb0 [ 22.066236][ T282] ? ns_capable+0x8c/0xf0 [ 22.070553][ T282] ? netlink_net_capable+0x125/0x160 [ 22.075889][ T282] ? tcf_gate_entry_destructor+0x20/0x20 [ 22.081490][ T282] rtnetlink_rcv_msg+0x800/0xb90 [ 22.086394][ T282] ? rtnetlink_bind+0x80/0x80 [ 22.091047][ T282] ? arch_stack_walk+0xee/0x140 [ 22.095867][ T282] ? stack_trace_save+0x98/0xe0 [ 22.100685][ T282] ? stack_trace_snprint+0xf0/0xf0 [ 22.105779][ T282] ? memcpy+0x56/0x70 [ 22.109734][ T282] ? avc_has_perm+0x234/0x360 [ 22.114397][ T282] ? __kasan_slab_alloc+0xbd/0xf0 [ 22.119406][ T282] ? slab_post_alloc_hook+0x5d/0x2f0 [ 22.124754][ T282] ? ___sys_sendmsg+0x1f0/0x260 [ 22.129602][ T282] ? avc_has_perm_noaudit+0x240/0x240 [ 22.134960][ T282] ? selinux_nlmsg_lookup+0x3fb/0x4a0 [ 22.140310][ T282] netlink_rcv_skb+0x1e0/0x430 [ 22.145042][ T282] ? rtnetlink_bind+0x80/0x80 [ 22.149685][ T282] ? netlink_ack+0xb80/0xb80 [ 22.154242][ T282] ? __netlink_lookup+0x387/0x3b0 [ 22.159231][ T282] rtnetlink_rcv+0x1c/0x20 [ 22.163615][ T282] netlink_unicast+0x87c/0xa40 [ 22.168353][ T282] netlink_sendmsg+0x88d/0xb30 [ 22.173231][ T282] ? netlink_getsockopt+0x530/0x530 [ 22.178543][ T282] ? copy_fpregs_to_fpstate+0x14a/0x1b0 [ 22.184315][ T282] ? security_socket_sendmsg+0x82/0xa0 [ 22.189979][ T282] ? netlink_getsockopt+0x530/0x530 [ 22.195184][ T282] ____sys_sendmsg+0x5a2/0x8c0 [ 22.200136][ T282] ? __sys_sendmsg_sock+0x40/0x40 [ 22.205166][ T282] ? import_iovec+0x7c/0xb0 [ 22.209665][ T282] ___sys_sendmsg+0x1f0/0x260 [ 22.214698][ T282] ? __switch_to_asm+0x34/0x60 [ 22.219458][ T282] ? __sys_sendmsg+0x250/0x250 [ 22.224232][ T282] ? __kasan_check_read+0x11/0x20 [ 22.229236][ T282] ? __fdget+0x15b/0x230 [ 22.233452][ T282] __x64_sys_sendmsg+0x1e2/0x2a0 [ 22.238719][ T282] ? do_notify_parent+0x7e0/0x7e0 [ 22.243883][ T282] ? ___sys_sendmsg+0x260/0x260 [ 22.248746][ T282] ? syscall_trace_enter+0x4b/0x170 [ 22.253945][ T282] do_syscall_64+0x31/0x40 [ 22.258348][ T282] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 22.264436][ T282] RIP: 0033:0x7f02bdd397a9 [ 22.268846][ T282] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.288565][ T282] RSP: 002b:00007ffc470587f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 22.297367][ T282] RAX: ffffffffffffffda RBX: 00007ffc470589c8 RCX: 00007f02bdd397a9 [ 22.305434][ T282] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000004 [ 22.313422][ T282] RBP: 00007f02bddac610 R08: 0000000000000004 R09: 00007ffc470589c8 [ 22.321579][ T282] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000001 [ 22.329551][ T282] R13: 00007ffc470589b8 R14: 0000000000000001 R15: 0000000000000001 [ 22.337514][ T282] [ 22.339825][ T282] Allocated by task 282: [ 22.344043][ T282] __kasan_kmalloc+0xda/0x110 [ 22.348710][ T282] __kmalloc+0x1a7/0x330 [ 22.352920][ T282] tcf_idr_create+0x5f/0x790 [ 22.357476][ T282] tcf_idr_create_from_flags+0x61/0x70 [ 22.362937][ T282] tcf_gact_init+0x2b4/0x520 [ 22.367648][ T282] tcf_action_init_1+0x3e1/0x670 [ 22.372687][ T282] tcf_action_init+0x1e6/0x700 [ 22.377632][ T282] tcf_exts_validate+0x215/0x510 [ 22.382567][ T282] mall_set_parms+0x4b/0x410 [ 22.387328][ T282] mall_change+0x45c/0x750 [ 22.391737][ T282] tc_new_tfilter+0x13f6/0x1a10 [ 22.396600][ T282] rtnetlink_rcv_msg+0x800/0xb90 [ 22.401572][ T282] netlink_rcv_skb+0x1e0/0x430 [ 22.406498][ T282] rtnetlink_rcv+0x1c/0x20 [ 22.410936][ T282] netlink_unicast+0x87c/0xa40 [ 22.415684][ T282] netlink_sendmsg+0x88d/0xb30 [ 22.420534][ T282] ____sys_sendmsg+0x5a2/0x8c0 [ 22.425446][ T282] ___sys_sendmsg+0x1f0/0x260 [ 22.430277][ T282] __x64_sys_sendmsg+0x1e2/0x2a0 [ 22.435201][ T282] do_syscall_64+0x31/0x40 [ 22.439590][ T282] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 22.445463][ T282] [ 22.447787][ T282] The buggy address belongs to the object at ffff8881085f3e00 [ 22.447787][ T282] which belongs to the cache kmalloc-192 of size 192 [ 22.461828][ T282] The buggy address is located 0 bytes to the right of [ 22.461828][ T282] 192-byte region [ffff8881085f3e00, ffff8881085f3ec0) [ 22.475434][ T282] The buggy address belongs to the page: [ 22.481051][ T282] page:ffffea0004217cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1085f3 [ 22.491272][ T282] flags: 0x4000000000000200(slab) [ 22.496424][ T282] raw: 4000000000000200 ffffea000421f240 0000000500000005 ffff888100043380 [ 22.505002][ T282] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 22.513658][ T282] page dumped because: kasan: bad access detected [ 22.520103][ T282] page_owner tracks the page as allocated [ 22.525813][ T282] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 920328490, free_ts 0 [ 22.540815][ T282] prep_new_page+0x179/0x180 [ 22.545423][ T282] get_page_from_freelist+0x2235/0x23d0 [ 22.550965][ T282] __alloc_pages_nodemask+0x268/0x5f0 [ 22.556420][ T282] new_slab+0x84/0x3f0 [ 22.560491][ T282] ___slab_alloc+0x2a6/0x450 [ 22.565074][ T282] __slab_alloc+0x63/0xa0 [ 22.569375][ T282] __kmalloc_track_caller+0x1ef/0x320 [ 22.574741][ T282] krealloc+0x6a/0x110 [ 22.578799][ T282] add_sysfs_param+0x142/0x830 [ 22.583683][ T282] kernel_add_sysfs_param+0xb3/0x128 [ 22.589078][ T282] param_sysfs_builtin+0x164/0x1d9 [ 22.594195][ T282] param_sysfs_init+0x6a/0x6f [ 22.598948][ T282] do_one_initcall+0x187/0x510 [ 22.603805][ T282] do_initcall_level+0x16f/0x2cf [ 22.608757][ T282] do_initcalls+0x50/0x92 [ 22.613067][ T282] do_basic_setup+0x88/0x8f [ 22.617558][ T282] page_owner free stack trace missing [ 22.623064][ T282] [ 22.625604][ T282] Memory state around the buggy address: [ 22.631233][ T282] ffff8881085f3d80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 22.639446][ T282] ffff8881085f3e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.647588][ T282] >ffff8881085f3e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 22.655666][ T282] ^ [ 22.661953][ T282] ffff8881085f3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 22.670177][ T282] ffff8881085f3f80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x84\x00\x00\x00\x2c\x00\x27\x0d\x29\xbd\x31\x00\xfd\xdb\xdf\x25\x00\x00\x00\x00\x0f\x00\x00\x00\x0c\x00\x06\x00\x00\x00\x00\x00\x07\x00\xf3\xff\x0d\x00\x01\x00\x6d\x61\x74\x63\x68\x61\x6c\x6c\x00\x00\x00\x00\x50\x00\x02\x00\x4c\x00\x02\x00\x48\x00\x01\x00\x09\x00\x01\x00\x67\x61\x63\x74\x00\x00\x00\x00\x1c\x00\x02\x80\x18\x00\x02\x00\x5c\x65\x00\x00\x02\x00\x00\x00\xfe\xff\xff\x1f\x09\x00\x00\x00"..., iov_len=132}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_PROBE}, 0) = 132 exit_group(0) = ? [ 22.678466][ T282] ================================================================== [ 22.686524][ T282] Disabling lock debugging due to kernel taint [ 22.699590][ T24] audit: type=1400 audit(1749741056.710:66): avc: denied { read } for pid=77 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 [ 22.721554][ T24] audit: type=1400 audit(1749741056.710:67): avc: denied { search } for pid=77 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 22.743093][ T24] audit: type=1400 audit(1749741056.710:68): avc: denied { write } for pid=77 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 +++ exited with 0 +++ [ 22.764473][ T24] audit: type=1400 audit(1749741056.710:69): avc: denied { add_name } for pid=77 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t