./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor987400733 <...> Warning: Permanently added '10.128.10.44' (ED25519) to the list of known hosts. execve("./syz-executor987400733", ["./syz-executor987400733"], 0x7ffd72933130 /* 10 vars */) = 0 brk(NULL) = 0x55557183a000 brk(0x55557183ad00) = 0x55557183ad00 arch_prctl(ARCH_SET_FS, 0x55557183a380) = 0 set_tid_address(0x55557183a650) = 294 set_robust_list(0x55557183a660, 24) = 0 rseq(0x55557183aca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor987400733", 4096) = 27 getrandom("\x29\xc6\x53\xea\xe6\x9e\x4b\xec", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557183ad00 brk(0x55557185bd00) = 0x55557185bd00 brk(0x55557185c000) = 0x55557185c000 mprotect(0x7ff3c6473000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 write(1, "executing program\n", 18executing program ) = 18 socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3 setsockopt(3, SOL_IPV6, IPV6_XFRM_POLICY, "\xac\x14\x14\xbb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 232) = 0 socket(AF_KEY, SOCK_RAW, 2) = 4 setsockopt(4, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x02\x0b\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=16}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 16 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x02\x12\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=16}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 16 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 5 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 6 sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb8\x00\x00\x00\x13\x00\xe9\x99\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xac\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=184}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 184 socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) = 7 sendmsg(7, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb8\x00\x00\x00\x13\x00\xe9\x99\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=184}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_EOR}, 0) = 184 [ 27.293470][ T24] audit: type=1400 audit(1745202107.050:66): avc: denied { execmem } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 27.309056][ T294] ================================================================== [ 27.313248][ T24] audit: type=1400 audit(1745202107.060:67): avc: denied { create } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 27.321190][ T294] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 27.341495][ T24] audit: type=1400 audit(1745202107.060:68): avc: denied { setopt } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 27.350345][ T294] Read of size 1 at addr ffff88811a71cbd8 by task syz-executor987/294 [ 27.350349][ T294] [ 27.350361][ T294] CPU: 0 PID: 294 Comm: syz-executor987 Not tainted 5.10.236-syzkaller #0 [ 27.350367][ T294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 [ 27.350371][ T294] Call Trace: [ 27.350394][ T294] dump_stack_lvl+0x1e2/0x24b [ 27.350417][ T294] ? printk+0xd1/0x111 [ 27.370486][ T24] audit: type=1400 audit(1745202107.060:69): avc: denied { write } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 27.377953][ T294] ? bfq_pos_tree_add_move+0x43b/0x43b [ 27.377964][ T294] ? wake_up_klogd+0xb8/0xf0 [ 27.377981][ T294] ? panic+0x812/0x812 [ 27.380448][ T24] audit: type=1400 audit(1745202107.060:70): avc: denied { create } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 27.389817][ T294] print_address_description+0x81/0x3b0 [ 27.389828][ T294] ? stack_trace_save+0x113/0x1c0 [ 27.389837][ T294] kasan_report+0x179/0x1c0 [ 27.389851][ T294] ? xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 27.389862][ T294] ? xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 27.389880][ T294] __asan_report_load1_noabort+0x14/0x20 [ 27.400525][ T24] audit: type=1400 audit(1745202107.060:71): avc: denied { write } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 27.403175][ T294] xfrm_policy_inexact_list_reinsert+0x5b0/0x660 [ 27.403186][ T294] ? ____kasan_kmalloc+0xed/0x110 [ 27.403211][ T294] ? ____kasan_kmalloc+0xdb/0x110 [ 27.408019][ T24] audit: type=1400 audit(1745202107.060:72): avc: denied { nlmsg_write } for pid=294 comm="syz-executor987" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 27.411779][ T294] ? xfrm_policy_addr_delta+0x20b/0x330 [ 27.566177][ T294] xfrm_policy_inexact_insert_node+0x917/0xb00 [ 27.572149][ T294] ? xfrm_policy_inexact_alloc_bin+0x651/0x1520 [ 27.578347][ T294] xfrm_policy_inexact_alloc_chain+0x4ec/0xaf0 [ 27.584314][ T294] xfrm_policy_inexact_insert+0x6a/0x1160 [ 27.589893][ T294] ? __kasan_check_write+0x14/0x20 [ 27.594902][ T294] ? _raw_spin_lock_bh+0xa4/0x1b0 [ 27.599884][ T294] ? policy_hash_bysel+0x137/0x700 [ 27.605259][ T294] xfrm_policy_insert+0xe7/0x940 [ 27.610232][ T294] xfrm_add_policy+0x4f2/0x980 [ 27.615101][ T294] ? cap_capable+0x1ce/0x270 [ 27.619576][ T294] ? xfrm_dump_sa_done+0xc0/0xc0 [ 27.624347][ T294] xfrm_user_rcv_msg+0x4e7/0x7c0 [ 27.629116][ T294] ? xfrm_netlink_rcv+0x90/0x90 [ 27.633910][ T294] ? stack_trace_save+0x113/0x1c0 [ 27.638773][ T294] ? avc_has_perm_noaudit+0x240/0x240 [ 27.644240][ T294] ? iov_iter_advance+0x258/0xb20 [ 27.649213][ T294] netlink_rcv_skb+0x1cf/0x410 [ 27.653933][ T294] ? xfrm_netlink_rcv+0x90/0x90 [ 27.658945][ T294] ? netlink_ack+0xb30/0xb30 [ 27.663627][ T294] ? mutex_trylock+0xa0/0xa0 [ 27.668105][ T294] ? netlink_autobind+0x190/0x190 [ 27.674051][ T294] ? selinux_vm_enough_memory+0x170/0x170 [ 27.679630][ T294] xfrm_netlink_rcv+0x72/0x90 [ 27.684309][ T294] netlink_unicast+0x8df/0xac0 [ 27.689316][ T294] ? netlink_detachskb+0x90/0x90 [ 27.694090][ T294] ? security_netlink_send+0x7b/0xa0 [ 27.699188][ T294] netlink_sendmsg+0xa46/0xd00 [ 27.703790][ T294] ? netlink_getsockopt+0x5c0/0x5c0 [ 27.708855][ T294] ? check_stack_object+0x114/0x130 [ 27.713941][ T294] ? security_socket_sendmsg+0x82/0xb0 [ 27.719156][ T294] ? netlink_getsockopt+0x5c0/0x5c0 [ 27.724276][ T294] ____sys_sendmsg+0x59e/0x8f0 [ 27.729243][ T294] ? iovec_from_user+0x2d9/0x330 [ 27.734083][ T294] ? __import_iovec+0x253/0x3b0 [ 27.739433][ T294] ? __sys_sendmsg_sock+0x40/0x40 [ 27.744399][ T294] ___sys_sendmsg+0x252/0x2e0 [ 27.748895][ T294] ? __sys_sendmsg+0x280/0x280 [ 27.753496][ T294] ? finish_task_switch+0x130/0x5a0 [ 27.758989][ T294] ? __schedule+0xbee/0x1330 [ 27.763396][ T294] ? __kasan_check_write+0x14/0x20 [ 27.768739][ T294] ? _raw_spin_lock_irq+0xa5/0x1b0 [ 27.773821][ T294] ? __kasan_check_read+0x11/0x20 [ 27.778778][ T294] ? __fdget+0x179/0x240 [ 27.783022][ T294] __se_sys_sendmsg+0x1b1/0x280 [ 27.787690][ T294] ? _raw_spin_unlock_irq+0x4e/0x70 [ 27.793145][ T294] ? __x64_sys_sendmsg+0x90/0x90 [ 27.798082][ T294] ? fpu__clear_all+0x20/0x20 [ 27.802867][ T294] __x64_sys_sendmsg+0x7b/0x90 [ 27.807458][ T294] do_syscall_64+0x31/0x40 [ 27.811777][ T294] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 27.817617][ T294] RIP: 0033:0x7ff3c63ffae9 [ 27.821861][ T294] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 27.841851][ T294] RSP: 002b:00007ffcc9a31628 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 27.850309][ T294] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff3c63ffae9 [ 27.858137][ T294] RDX: 0000000000004000 RSI: 0000200000000580 RDI: 0000000000000005 [ 27.866475][ T294] RBP: 0000200000000580 R08: 0000200000000017 R09: 0000000000000000 [ 27.874445][ T294] R10: 0000200000000012 R11: 0000000000000246 R12: 0000000000000000 [ 27.882279][ T294] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a [ 27.890175][ T294] [ 27.892693][ T294] Allocated by task 294: [ 27.896771][ T294] ____kasan_kmalloc+0xdb/0x110 [ 27.901543][ T294] __kasan_kmalloc+0x9/0x10 [ 27.906006][ T294] __kmalloc+0x1aa/0x330 [ 27.910140][ T294] sk_prot_alloc+0xbe/0x370 [ 27.914591][ T294] sk_alloc+0x38/0x4d0 [ 27.918452][ T294] pfkey_create+0x12c/0x620 [ 27.922791][ T294] __sock_create+0x3a6/0x760 [ 27.927305][ T294] __sys_socket+0x132/0x370 [ 27.931642][ T294] __x64_sys_socket+0x7a/0x90 [ 27.936160][ T294] do_syscall_64+0x31/0x40 [ 27.940412][ T294] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 27.946139][ T294] [ 27.948310][ T294] The buggy address belongs to the object at ffff88811a71c800 [ 27.948310][ T294] which belongs to the cache kmalloc-1k of size 1024 [ 27.962199][ T294] The buggy address is located 984 bytes inside of [ 27.962199][ T294] 1024-byte region [ffff88811a71c800, ffff88811a71cc00) [ 27.975499][ T294] The buggy address belongs to the page: [ 27.980971][ T294] page:ffffea000469c600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a718 [ 27.991039][ T294] head:ffffea000469c600 order:3 compound_mapcount:0 compound_pincount:0 [ 27.999307][ T294] flags: 0x4000000000010200(slab|head) [ 28.004782][ T294] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042f00 [ 28.013215][ T294] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 28.021697][ T294] page dumped because: kasan: bad access detected [ 28.027947][ T294] page_owner tracks the page as allocated [ 28.033603][ T294] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 288, ts 27302891131, free_ts 27302617546 [ 28.052671][ T294] prep_new_page+0x166/0x180 [ 28.057067][ T294] get_page_from_freelist+0x2d8c/0x2f30 [ 28.062528][ T294] __alloc_pages_nodemask+0x435/0xaf0 [ 28.067729][ T294] new_slab+0x80/0x400 [ 28.071651][ T294] ___slab_alloc+0x302/0x4b0 [ 28.076055][ T294] __slab_alloc+0x63/0xa0 [ 28.080316][ T294] __kmalloc_track_caller+0x1f8/0x320 [ 28.085518][ T294] __alloc_skb+0xbc/0x510 [ 28.089708][ T294] sk_stream_alloc_skb+0x1f8/0xae0 [ 28.094692][ T294] tcp_sendmsg_locked+0xce3/0x3ae0 [ 28.099664][ T294] tcp_sendmsg+0x2f/0x50 [ 28.103987][ T294] inet_sendmsg+0xa1/0xc0 [ 28.108085][ T294] sock_write_iter+0x39b/0x530 [ 28.112688][ T294] vfs_write+0xb4c/0xe70 [ 28.116766][ T294] ksys_write+0x199/0x2c0 [ 28.120929][ T294] __x64_sys_write+0x7b/0x90 [ 28.125365][ T294] page last free stack trace: [ 28.129889][ T294] __free_pages_ok+0x82c/0x850 [ 28.134680][ T294] free_compound_page+0x73/0x90 [ 28.139332][ T294] __put_compound_page+0x73/0xb0 [ 28.144112][ T294] __put_page+0xc0/0xe0 [ 28.148188][ T294] page_to_skb+0x3f6/0x900 [ 28.152440][ T294] receive_buf+0xe79/0x53d0 [ 28.156781][ T294] virtnet_poll+0x5df/0x1240 [ 28.161569][ T294] net_rx_action+0x516/0x10d0 [ 28.166069][ T294] __do_softirq+0x268/0x5bb [ 28.170929][ T294] [ 28.173095][ T294] Memory state around the buggy address: [ 28.178568][ T294] ffff88811a71ca80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.186468][ T294] ffff88811a71cb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sendmsg(5, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\xb8\x00\x00\x00\x13\x00\xe9\x99\x00\x00\x00\x00\x00\x00\x00\x00\xfc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=184}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 184 exit_group(0) = ? +++ exited with 0 +++ [ 28.194473][ T294] >ffff8881