Warning: Permanently added '10.128.0.146' (ED25519) to the list of known hosts.
2025/02/14 10:53:47 ignoring optional flag "sandboxArg"="0"
2025/02/14 10:53:48 parsed 1 programs
[ 27.232034][ T23] audit: type=1400 audit(1739530427.990:66): avc: denied { node_bind } for pid=352 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 28.059211][ T23] audit: type=1400 audit(1739530428.830:67): avc: denied { mounton } for pid=361 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 28.061858][ T361] cgroup1: Unknown subsys name 'net'
[ 28.081697][ T23] audit: type=1400 audit(1739530428.830:68): avc: denied { mount } for pid=361 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 28.088015][ T361] cgroup1: Unknown subsys name 'net_prio'
[ 28.114357][ T361] cgroup1: Unknown subsys name 'devices'
[ 28.120731][ T23] audit: type=1400 audit(1739530428.880:69): avc: denied { unmount } for pid=361 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 28.256187][ T361] cgroup1: Unknown subsys name 'hugetlb'
[ 28.261837][ T361] cgroup1: Unknown subsys name 'rlimit'
[ 28.267838][ T23] audit: type=1400 audit(1739530429.040:70): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 28.430027][ T23] audit: type=1400 audit(1739530429.190:71): avc: denied { setattr } for pid=361 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=267 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 28.453042][ T23] audit: type=1400 audit(1739530429.190:72): avc: denied { create } for pid=361 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.473111][ T23] audit: type=1400 audit(1739530429.190:73): avc: denied { write } for pid=361 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.493207][ T23] audit: type=1400 audit(1739530429.190:74): avc: denied { read } for pid=361 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.500718][ T365] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 28.513172][ T23] audit: type=1400 audit(1739530429.190:75): avc: denied { module_request } for pid=361 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 28.582431][ T361] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 29.039778][ T371] request_module fs-gadgetfs succeeded, but still no fs?
[ 29.177063][ T379] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.183933][ T379] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.191282][ T379] device bridge_slave_0 entered promiscuous mode
[ 29.198366][ T379] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.205238][ T379] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.212663][ T379] device bridge_slave_1 entered promiscuous mode
[ 29.268013][ T379] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.274875][ T379] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.281981][ T379] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.288765][ T379] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.315150][ T103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.322794][ T103] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.330123][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 29.337634][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.348189][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.356256][ T103] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.363119][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.372251][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.380427][ T103] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.387271][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.401790][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.413390][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.431076][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.444125][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.459041][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.472407][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.483449][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.525630][ T379] syz-executor (379) used greatest stack depth: 19960 bytes left
[ 30.224977][ T7] device bridge_slave_1 left promiscuous mode
[ 30.231046][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.247047][ T7] device bridge_slave_0 left promiscuous mode
[ 30.253031][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
2025/02/14 10:53:51 executed programs: 0
[ 30.688378][ T433] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.695774][ T433] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.703382][ T433] device bridge_slave_0 entered promiscuous mode
[ 30.710461][ T433] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.717396][ T433] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.724704][ T433] device bridge_slave_1 entered promiscuous mode
[ 30.798578][ T433] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.805559][ T433] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.812613][ T433] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.819415][ T433] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.847498][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.854986][ T380] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.861931][ T380] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.872523][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.881558][ T380] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.888420][ T380] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.898134][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.906226][ T380] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.913087][ T380] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.927859][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.937873][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.955828][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.968064][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.981940][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.996369][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 31.006692][ T380] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 46.103950][ T475] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.110782][ T475] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.118346][ T475] device bridge_slave_0 entered promiscuous mode
[ 46.125187][ T475] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.132015][ T475] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.139621][ T475] device bridge_slave_1 entered promiscuous mode
[ 46.193398][ T475] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.200233][ T475] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.207398][ T475] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.214440][ T475] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.239370][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.246647][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.254018][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 46.261323][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.272591][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.280825][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.287679][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.297101][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.305328][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.312142][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.327046][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 46.336888][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 46.355231][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.367084][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.381137][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
2025/02/14 10:54:07 executed programs: 3
[ 46.395645][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 46.405890][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 46.431461][ T475] ==================================================================
[ 46.439391][ T475] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 46.446385][ T475] Read of size 4 at addr ffff8881d4dbdeb8 by task syz-executor/475
[ 46.454098][ T475]
[ 46.456277][ T475] CPU: 0 PID: 475 Comm: syz-executor Not tainted 5.4.289-syzkaller-00011-g39762b7a60e9 #0
[ 46.466002][ T475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 46.475886][ T475] Call Trace:
[ 46.479022][ T475]  dump_stack+0x1d8/0x241
[ 46.483187][ T475]  ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 46.488822][ T475]  ? printk+0xd1/0x111
[ 46.492731][ T475]  ? __mutex_lock+0xcd7/0x1060
[ 46.497339][ T475]  print_address_description+0x8c/0x600
[ 46.502727][ T475]  ? check_preemption_disabled+0x9f/0x320
[ 46.508267][ T475]  ? __unwind_start+0x708/0x890
[ 46.512955][ T475]  ? __mutex_lock+0xcd7/0x1060
[ 46.517560][ T475]  __kasan_report+0xf3/0x120
[ 46.521986][ T475]  ? __mutex_lock+0xcd7/0x1060
[ 46.526579][ T475]  kasan_report+0x30/0x60
[ 46.530748][ T475]  __mutex_lock+0xcd7/0x1060
[ 46.535173][ T475]  ? kobject_get_unless_zero+0x229/0x320
[ 46.540640][ T475]  ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 46.547434][ T475]  ? __module_put_and_exit+0x20/0x20
[ 46.552553][ T475]  ? up_read+0x6f/0x1b0
[ 46.556546][ T475]  mutex_lock_killable+0xd8/0x110
[ 46.561406][ T475]  ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 46.567745][ T475]  ? mutex_lock+0xa5/0x110
[ 46.572115][ T475]  ? mutex_trylock+0xa0/0xa0
[ 46.576527][ T475]  lo_open+0x18/0xc0
[ 46.580263][ T475]  __blkdev_get+0x3c8/0x1160
[ 46.584775][ T475]  ? blkdev_get+0x3a0/0x3a0
[ 46.589110][ T475]  ? _raw_spin_unlock+0x49/0x60
[ 46.593794][ T475]  blkdev_get+0x2de/0x3a0
[ 46.597976][ T475]  ? blkdev_open+0x173/0x290
[ 46.602398][ T475]  ? block_ioctl+0xe0/0xe0
[ 46.606828][ T475]  do_dentry_open+0x964/0x1130
[ 46.611423][ T475]  ? finish_open+0xd0/0xd0
[ 46.615673][ T475]  ? security_inode_permission+0xad/0xf0
[ 46.621222][ T475]  ? memcpy+0x38/0x50
[ 46.625040][ T475]  path_openat+0x29bf/0x34b0
[ 46.629468][ T475]  ? stack_trace_save+0x118/0x1c0
[ 46.634330][ T475]  ? do_filp_open+0x450/0x450
[ 46.638837][ T475]  ? do_sys_open+0x357/0x810
[ 46.643264][ T475]  ? do_syscall_64+0xca/0x1c0
[ 46.647785][ T475]  ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 46.653696][ T475]  do_filp_open+0x20b/0x450
[ 46.658037][ T475]  ? vfs_tmpfile+0x2c0/0x2c0
[ 46.662463][ T475]  ? _raw_spin_unlock+0x49/0x60
[ 46.667147][ T475]  ? __alloc_fd+0x4c5/0x570
[ 46.671483][ T475]  do_sys_open+0x39c/0x810
[ 46.675745][ T475]  ? check_preemption_disabled+0x153/0x320
[ 46.681385][ T475]  ? file_open_root+0x490/0x490
[ 46.686062][ T475]  do_syscall_64+0xca/0x1c0
[ 46.690404][ T475]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 46.696234][ T475] RIP: 0033:0x7f664ef476d1
[ 46.700464][ T475] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 7a 1e 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 46.719899][ T475] RSP: 002b:00007ffeedd205e0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 46.728149][ T475] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f664ef476d1
[ 46.735959][ T475] RDX: 0000000000000002 RSI: 00007ffeedd206f0 RDI: 00000000ffffff9c
[ 46.743769][ T475] RBP: 00007ffeedd206f0 R08: 000000000000000a R09: 00007ffeedd203a7
[ 46.751670][ T475] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 46.759493][ T475] R13: 00007f664f132260 R14: 0000000000000003 R15: 00007ffeedd206f0
[ 46.767318][ T475]
[ 46.769469][ T475] Allocated by task 438:
[ 46.773640][ T475]  __kasan_kmalloc+0x171/0x210
[ 46.778235][ T475]  kmem_cache_alloc+0xd9/0x250
[ 46.782839][ T475]  dup_task_struct+0x4f/0x600
[ 46.787350][ T475]  copy_process+0x56d/0x3230
[ 46.791776][ T475]  _do_fork+0x197/0x900
[ 46.795768][ T475]  __x64_sys_clone3+0x2da/0x300
[ 46.800451][ T475]  do_syscall_64+0xca/0x1c0
[ 46.804804][ T475]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 46.810520][ T475]
[ 46.812684][ T475] Freed by task 17:
[ 46.816336][ T475]  __kasan_slab_free+0x1b5/0x270
[ 46.821217][ T475]  kmem_cache_free+0x10b/0x2c0
[ 46.825815][ T475]  rcu_do_batch+0x492/0xa00
[ 46.830152][ T475]  rcu_core+0x4c8/0xcb0
[ 46.834144][ T475]  __do_softirq+0x23b/0x6b7
[ 46.838479][ T475]
[ 46.840653][ T475] The buggy address belongs to the object at ffff8881d4dbde80
[ 46.840653][ T475]  which belongs to the cache task_struct of size 3904
[ 46.854638][ T475] The buggy address is located 56 bytes inside of
[ 46.854638][ T475]  3904-byte region [ffff8881d4dbde80, ffff8881d4dbedc0)
[ 46.867728][ T475] The buggy address belongs to the page:
[ 46.873216][ T475] page:ffffea0007536e00 refcount:1 mapcount:0 mapping:ffff8881f5cf0280 index:0x0 compound_mapcount: 0
[ 46.883967][ T475] flags: 0x8000000000010200(slab|head)
[ 46.889274][ T475] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0280
[ 46.897688][ T475] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 46.906092][ T475] page dumped because: kasan: bad access detected
[ 46.912350][ T475] page_owner tracks the page as allocated
[ 46.917903][ T475] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 46.934137][ T475]  prep_new_page+0x18f/0x370
[ 46.938560][ T475]  get_page_from_freelist+0x2d13/0x2d90
[ 46.943939][ T475]  __alloc_pages_nodemask+0x393/0x840
[ 46.949145][ T475]  alloc_slab_page+0x39/0x3c0
[ 46.953664][ T475]  new_slab+0x97/0x440
[ 46.957563][ T475]  ___slab_alloc+0x2fe/0x490
[ 46.961988][ T475]  __slab_alloc+0x62/0xa0
[ 46.966160][ T475]  kmem_cache_alloc+0x109/0x250
[ 46.970843][ T475]  dup_task_struct+0x4f/0x600
[ 46.975379][ T475]  copy_process+0x56d/0x3230
[ 46.979902][ T475]  _do_fork+0x197/0x900
[ 46.983982][ T475]  __x64_sys_clone+0x26b/0x2c0
[ 46.988578][ T475]  do_syscall_64+0xca/0x1c0
[ 46.992920][ T475]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 46.998641][ T475] page last free stack trace:
[ 47.003159][ T475]  __free_pages_ok+0x847/0x950
[ 47.007764][ T475]  __free_pages+0x91/0x140
[ 47.012015][ T475]  wg_destruct+0x206/0x2f0
[ 47.016266][ T475]  netdev_run_todo+0xb7f/0xdf0
[ 47.020869][ T475]  default_device_exit_batch+0x62b/0x680
[ 47.026334][ T475]  cleanup_net+0x6e2/0xc90
[ 47.030586][ T475]  process_one_work+0x765/0xd20
[ 47.035274][ T475]  worker_thread+0xaef/0x1470
[ 47.039899][ T475]  kthread+0x2da/0x360
[ 47.043806][ T475]  ret_from_fork+0x1f/0x30
[ 47.048051][ T475]
[ 47.050280][ T475] Memory state around the buggy address:
[ 47.055694][ T475]  ffff8881d4dbdd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.063596][ T475]  ffff8881d4dbde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.071492][ T475] >ffff8881d4dbde80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.079385][ T475]                                        ^
[ 47.085117][ T475]  ffff8881d4dbdf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.093017][ T475]  ffff8881d4dbdf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.100912][ T475] ==================================================================
[ 47.108808][ T475] Disabling lock debugging due to kernel taint