Warning: Permanently added '10.128.0.109' (ED25519) to the list of known hosts.
2025/05/03 06:22:59 ignoring optional flag "sandboxArg"="0"
2025/05/03 06:23:00 parsed 1 programs
[ 28.620419][ T23] audit: type=1400 audit(1746253380.160:81): avc: denied { node_bind } for pid=335 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 29.188219][ T23] audit: type=1400 audit(1746253380.730:82): avc: denied { mounton } for pid=343 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 29.189544][ T343] cgroup1: Unknown subsys name 'net'
[ 29.216799][ T23] audit: type=1400 audit(1746253380.730:83): avc: denied { mount } for pid=343 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 29.217258][ T343] cgroup1: Unknown subsys name 'net_prio'
[ 29.245654][ T343] cgroup1: Unknown subsys name 'devices'
[ 29.251910][ T23] audit: type=1400 audit(1746253380.790:84): avc: denied { unmount } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 29.415524][ T343] cgroup1: Unknown subsys name 'hugetlb'
[ 29.421623][ T343] cgroup1: Unknown subsys name 'rlimit'
[ 29.588763][ T23] audit: type=1400 audit(1746253381.130:85): avc: denied { setattr } for pid=343 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=9546 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 29.613330][ T23] audit: type=1400 audit(1746253381.130:86): avc: denied { create } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 29.619082][ T345] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 29.634263][ T23] audit: type=1400 audit(1746253381.130:87): avc: denied { write } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 29.665257][ T23] audit: type=1400 audit(1746253381.130:88): avc: denied { read } for pid=343 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 29.686593][ T23] audit: type=1400 audit(1746253381.130:89): avc: denied { module_request } for pid=343 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 29.709162][ T23] audit: type=1400 audit(1746253381.130:90): avc: denied { mounton } for pid=343 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 29.754636][ T343] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 30.188293][ T349] request_module fs-gadgetfs succeeded, but still no fs?
[ 30.425781][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.433363][ T367] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.440889][ T367] device bridge_slave_0 entered promiscuous mode
[ 30.447970][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.455034][ T367] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.462540][ T367] device bridge_slave_1 entered promiscuous mode
[ 30.498072][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.505218][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.512609][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.519784][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.539243][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.546556][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.554747][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 30.562148][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.571446][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.579732][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.586856][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.596569][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.605062][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.612152][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.624929][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.634899][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.649106][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.659762][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.673824][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.685754][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 30.696611][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 30.743660][ T367] syz-executor (367) used greatest stack depth: 21184 bytes left
2025/05/03 06:23:02 executed programs: 0
[ 31.302834][ T409] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.310377][ T409] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.318463][ T409] device bridge_slave_0 entered promiscuous mode
[ 31.325571][ T409] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.333023][ T409] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.340707][ T409] device bridge_slave_1 entered promiscuous mode
[ 31.373490][ T409] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.380534][ T409] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 31.387922][ T409] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.395706][ T409] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 31.405808][ T7] device bridge_slave_1 left promiscuous mode
[ 31.412332][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.420237][ T7] device bridge_slave_0 left promiscuous mode
[ 31.426807][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.505658][ T362] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.513217][ T362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.531081][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 31.539035][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.549502][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 31.559204][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 31.568031][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.575842][ T362] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 31.585302][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 31.593591][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 31.601852][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.609001][ T362] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 31.619998][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 31.628637][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 31.638160][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 31.646719][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 31.660531][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 31.669238][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 31.686070][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 31.694263][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 31.712871][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 31.721698][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 31.731076][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 31.740698][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 31.749626][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 31.758581][ T362] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 46.831947][ T442] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.839247][ T442] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.847127][ T442] device bridge_slave_0 entered promiscuous mode
[ 46.854606][ T442] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.861749][ T442] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.869407][ T442] device bridge_slave_1 entered promiscuous mode
[ 46.902488][ T442] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.909569][ T442] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.916917][ T442] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.923958][ T442] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.943544][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.952036][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.959838][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 46.967786][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.977976][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.987004][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.995643][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 47.005417][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 47.014205][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 47.021581][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 47.035168][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 47.045167][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 47.059926][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 47.071050][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 47.083266][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 47.095471][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/05/03 06:23:18 executed programs: 3
[ 47.105771][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 47.126358][ T442] ==================================================================
[ 47.135047][ T442] BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30
[ 47.142053][ T442] Read of size 4 at addr ffff8881ee9e6e78 by task syz-executor/442
[ 47.150201][ T442]
[ 47.152897][ T442] CPU: 1 PID: 442 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
[ 47.163355][ T442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 47.173916][ T442] Call Trace:
[ 47.177313][ T442] __dump_stack+0x1e/0x20
[ 47.182116][ T442] dump_stack+0x15b/0x1b8
[ 47.186428][ T442] ? vprintk_default+0x28/0x30
[ 47.191170][ T442] ? show_regs_print_info+0x18/0x18
[ 47.196768][ T442] ? printk+0xcc/0x110
[ 47.201012][ T442] ? __mutex_lock+0xace/0xe30
[ 47.205954][ T442] print_address_description+0x8d/0x4c0
[ 47.211966][ T442] ? __mutex_lock+0xace/0xe30
[ 47.216802][ T442] __kasan_report+0xef/0x120
[ 47.221405][ T442] ? __mutex_lock+0xace/0xe30
[ 47.226066][ T442] kasan_report+0x30/0x60
[ 47.230377][ T442] __asan_report_load4_noabort+0x14/0x20
[ 47.236017][ T442] __mutex_lock+0xace/0xe30
[ 47.240503][ T442] ? __kasan_check_write+0x14/0x20
[ 47.245681][ T442] ? kobject_get_unless_zero+0x15e/0x1e0
[ 47.251378][ T442] ? __ww_mutex_lock_interruptible_slowpath+0x20/0x20
[ 47.258119][ T442] ? mutex_lock+0x8c/0xe0
[ 47.262519][ T442] ? disk_check_events+0x5c0/0x5c0
[ 47.267812][ T442] __mutex_lock_killable_slowpath+0xe/0x10
[ 47.273730][ T442] mutex_lock_killable+0xd3/0xe0
[ 47.279092][ T442] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 47.286371][ T442] ? __kasan_check_write+0x14/0x20
[ 47.291842][ T442] ? kobject_get+0xd3/0x120
[ 47.296326][ T442] lo_open+0x1d/0xc0
[ 47.300200][ T442] __blkdev_get+0x610/0x1560
[ 47.305159][ T442] ? blkdev_get+0x380/0x380
[ 47.309925][ T442] ? _raw_spin_lock+0x8e/0xe0
[ 47.314595][ T442] ? _raw_spin_trylock_bh+0x130/0x130
[ 47.320171][ T442] ? __fsnotify_parent+0x310/0x310
[ 47.325444][ T442] blkdev_get+0x68/0x380
[ 47.329671][ T442] ? bd_acquire+0x30a/0x340
[ 47.334310][ T442] blkdev_open+0x1cb/0x2b0
[ 47.338711][ T442] ? block_ioctl+0x100/0x100
[ 47.343446][ T442] do_dentry_open+0x8b5/0x1030
[ 47.348408][ T442] ? finish_open+0xd0/0xd0
[ 47.353077][ T442] ? inode_permission+0xed/0x540
[ 47.358185][ T442] vfs_open+0x73/0x80
[ 47.362417][ T442] path_openat+0x2a5e/0x35c0
[ 47.367265][ T442] ? kmem_cache_alloc+0xe2/0x270
[ 47.372358][ T442] ? getname_flags+0xb9/0x500
[ 47.377030][ T442] ? getname+0x19/0x20
[ 47.381110][ T442] ? do_filp_open+0x3f0/0x3f0
[ 47.386217][ T442] do_filp_open+0x1ae/0x3f0
[ 47.390918][ T442] ? vfs_tmpfile+0x2c0/0x2c0
[ 47.395678][ T442] ? get_unused_fd_flags+0x93/0xa0
[ 47.400798][ T442] do_sys_open+0x2bb/0x5d0
[ 47.405301][ T442] ? file_open_root+0x2b0/0x2b0
[ 47.410230][ T442] ? debug_smp_processor_id+0x1c/0x20
[ 47.415709][ T442] __x64_sys_openat+0xa2/0xb0
[ 47.420675][ T442] do_syscall_64+0xcf/0x170
[ 47.425257][ T442] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 47.431142][ T442] RIP: 0033:0x7f0229120251
[ 47.435824][ T442] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 47.456471][ T442] RSP: 002b:00007ffd73e4ecd0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 47.464903][ T442] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f0229120251
[ 47.472863][ T442] RDX: 0000000000000002 RSI: 00007ffd73e4ede0 RDI: 00000000ffffff9c
[ 47.481235][ T442] RBP: 00007ffd73e4ede0 R08: 000000000000000a R09: 00007ffd73e4ea97
[ 47.489225][ T442] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 47.497853][ T442] R13: 00007f0229310260 R14: 0000000000000003 R15: 00007ffd73e4ede0
[ 47.506169][ T442]
[ 47.508494][ T442] Allocated by task 424:
[ 47.513033][ T442] __kasan_kmalloc+0x162/0x200
[ 47.517893][ T442] kasan_slab_alloc+0x12/0x20
[ 47.522570][ T442] kmem_cache_alloc+0xe2/0x270
[ 47.527328][ T442] dup_task_struct+0x57/0x640
[ 47.532037][ T442] copy_process+0x503/0x2cf0
[ 47.536655][ T442] _do_fork+0x190/0x860
[ 47.540809][ T442] __x64_sys_clone3+0x1de/0x1f0
[ 47.545821][ T442] do_syscall_64+0xcf/0x170
[ 47.550921][ T442] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 47.557078][ T442]
[ 47.559428][ T442] Freed by task 10:
[ 47.563574][ T442] __kasan_slab_free+0x1c3/0x280
[ 47.568799][ T442] kasan_slab_free+0xe/0x10
[ 47.573402][ T442] slab_free_freelist_hook+0xb7/0x180
[ 47.579159][ T442] kmem_cache_free+0x10c/0x2c0
[ 47.584333][ T442] free_task+0xe9/0x150
[ 47.588570][ T442] __put_task_struct+0x2b7/0x420
[ 47.593590][ T442] delayed_put_task_struct+0x71/0x210
[ 47.599035][ T442] rcu_do_batch+0x446/0x980
[ 47.603908][ T442] rcu_core+0x4bd/0xbd0
[ 47.608047][ T442] rcu_core_si+0x9/0x10
[ 47.612209][ T442] __do_softirq+0x236/0x660
[ 47.616697][ T442]
[ 47.619026][ T442] The buggy address belongs to the object at ffff8881ee9e6e40
[ 47.619026][ T442] which belongs to the cache task_struct of size 3904
[ 47.633239][ T442] The buggy address is located 56 bytes inside of
[ 47.633239][ T442] 3904-byte region [ffff8881ee9e6e40, ffff8881ee9e7d80)
[ 47.646532][ T442] The buggy address belongs to the page:
[ 47.652181][ T442] page:ffffea0007ba7800 refcount:1 mapcount:0 mapping:ffff8881f5cf5180 index:0x0 compound_mapcount: 0
[ 47.663647][ T442] flags: 0x8000000000010200(slab|head)
[ 47.669115][ T442] raw: 8000000000010200 ffffea0007b63e00 0000000200000002 ffff8881f5cf5180
[ 47.677915][ T442] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 47.686877][ T442] page dumped because: kasan: bad access detected
[ 47.693633][ T442] page_owner tracks the page as allocated
[ 47.699351][ T442] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
[ 47.715187][ T442] prep_new_page+0x35e/0x370
[ 47.719861][ T442] get_page_from_freelist+0x1296/0x1310
[ 47.725482][ T442] __alloc_pages_nodemask+0x202/0x4b0
[ 47.731213][ T442] alloc_slab_page+0x3c/0x3b0
[ 47.736053][ T442] new_slab+0x93/0x420
[ 47.740231][ T442] ___slab_alloc+0x29e/0x420
[ 47.744812][ T442] __slab_alloc+0x63/0xa0
[ 47.749679][ T442] kmem_cache_alloc+0x12c/0x270
[ 47.754781][ T442] dup_task_struct+0x57/0x640
[ 47.759445][ T442] copy_process+0x503/0x2cf0
[ 47.764438][ T442] _do_fork+0x190/0x860
[ 47.768579][ T442] kernel_thread+0x6f/0x90
[ 47.773262][ T442] kthreadd+0x354/0x480
[ 47.777495][ T442] ret_from_fork+0x1f/0x30
[ 47.782432][ T442] page_owner free stack trace missing
[ 47.788305][ T442]
[ 47.791087][ T442] Memory state around the buggy address:
[ 47.796991][ T442] ffff8881ee9e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.805412][ T442] ffff8881ee9e6d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.813642][ T442] >ffff8881ee9e6e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.821788][ T442] ^
[ 47.829866][ T442] ffff8881ee9e6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.837914][ T442] ffff8881ee9e6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.845964][ T442] ==================================================================
[ 47.854010][ T442] Disabling lock debugging due to kernel taint