Warning: Permanently added '10.128.0.38' (ED25519) to the list of known hosts.
[ 21.993251][ T24] audit: type=1400 audit(1728154638.279:66): avc: denied { execmem } for pid=283 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 21.995897][ T24] audit: type=1400 audit(1728154638.279:67): avc: denied { mounton } for pid=284 comm="syz-executor191" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 21.999033][ T24] audit: type=1400 audit(1728154638.279:68): avc: denied { module_request } for pid=284 comm="syz-executor191" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 22.016999][ T284] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.023860][ T284] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.031273][ T284] device bridge_slave_0 entered promiscuous mode
[ 22.037773][ T284] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.044643][ T284] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.051676][ T284] device bridge_slave_1 entered promiscuous mode
[ 22.077171][ T24] audit: type=1400 audit(1728154638.359:69): avc: denied { create } for pid=284 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.081507][ T284] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.097622][ T24] audit: type=1400 audit(1728154638.359:70): avc: denied { write } for pid=284 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.104424][ T284] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.104534][ T284] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.125119][ T24] audit: type=1400 audit(1728154638.359:71): avc: denied { read } for pid=284 comm="syz-executor191" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.131755][ T284] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.160179][ T284] device veth0_vlan entered promiscuous mode
[ 22.172870][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 22.180970][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 22.189877][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 22.197555][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 22.205466][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.213749][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 22.221576][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 22.228889][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 22.236131][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 22.243299][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.253462][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.262068][ T284] device veth1_macvtap entered promiscuous mode
[ 22.270599][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.280331][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 22.294107][ T24] audit: type=1400 audit(1728154638.579:72): avc: denied { mounton } for pid=284 comm="syz-executor191" path="/root/syzkaller.00ITsD/syz-tmp" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 22.318822][ T24] audit: type=1400 audit(1728154638.579:73): avc: denied { mount } for pid=284 comm="syz-executor191" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 22.341287][ T24] audit: type=1400 audit(1728154638.579:74): avc: denied { mounton } for pid=284 comm="syz-executor191" path="/root/syzkaller.00ITsD/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 22.366536][ T24] audit: type=1400 audit(1728154638.579:75): avc: denied { mount } for pid=284 comm="syz-executor191" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 22.512420][ T289] EXT4-fs (loop0): 1 truncate cleaned up
[ 22.517876][ T289] EXT4-fs (loop0): mounted filesystem without journal. Opts: noauto_da_alloc,grpquota,errors=continue,data_err=ignore,nolazytime,errors=continue,grpjquota=,errors=remount-ro,nobarrier,
[ 22.539316][ T289] ==================================================================
[ 22.547209][ T289] BUG: KASAN: use-after-free in ext4_search_dir+0xf7/0x1b0
[ 22.554220][ T289] Read of size 1 at addr ffff888106fb5504 by task syz-executor191/289
[ 22.562198][ T289]
[ 22.564374][ T289] CPU: 0 PID: 289 Comm: syz-executor191 Not tainted 5.10.226-syzkaller-00709-ge5e5644ea27f #0
[ 22.574501][ T289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 22.584341][ T289] Call Trace:
[ 22.587477][ T289] dump_stack_lvl+0x1e2/0x24b
[ 22.591985][ T289] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 22.597270][ T289] ? panic+0x812/0x812
[ 22.601185][ T289] print_address_description+0x81/0x3b0
[ 22.606554][ T289] kasan_report+0x179/0x1c0
[ 22.610895][ T289] ? ext4_search_dir+0xf7/0x1b0
[ 22.615583][ T289] ? ext4_search_dir+0xf7/0x1b0
[ 22.620269][ T289] __asan_report_load1_noabort+0x14/0x20
[ 22.625732][ T289] ext4_search_dir+0xf7/0x1b0
[ 22.630262][ T289] ext4_find_inline_entry+0x4b6/0x5e0
[ 22.635454][ T289] ? lookup_slow+0x5a/0x80
[ 22.639706][ T289] ? walk_component+0x48c/0x610
[ 22.644395][ T289] ? ext4_try_create_inline_dir+0x320/0x320
[ 22.650125][ T289] __ext4_find_entry+0x2b0/0x1990
[ 22.654997][ T289] ? ext4_ci_compare+0x660/0x660
[ 22.659758][ T289] ? slab_post_alloc_hook+0x80/0x2f0
[ 22.664888][ T289] ? __d_lookup_rcu+0x604/0x650
[ 22.669578][ T289] ? __kasan_check_write+0x14/0x20
[ 22.674522][ T289] ? generic_set_encrypted_ci_d_ops+0x91/0xf0
[ 22.680418][ T289] ext4_lookup+0x3c6/0xaa0
[ 22.684666][ T289] ? ext4_add_entry+0x1280/0x1280
[ 22.689529][ T289] ? __kasan_check_write+0x14/0x20
[ 22.694483][ T289] __lookup_slow+0x2b9/0x400
[ 22.698899][ T289] ? lookup_one_len+0x2c0/0x2c0
[ 22.703585][ T289] ? lookup_fast+0x340/0x7d0
[ 22.708026][ T289] ? security_inode_permission+0xb0/0xf0
[ 22.713664][ T289] ? handle_dots+0x1030/0x1030
[ 22.718350][ T289] ? inode_permission+0xf1/0x500
[ 22.723124][ T289] lookup_slow+0x5a/0x80
[ 22.727191][ T289] walk_component+0x48c/0x610
[ 22.731798][ T289] ? nd_alloc_stack+0xf0/0xf0
[ 22.736307][ T289] ? handle_lookup_down+0x130/0x130
[ 22.741342][ T289] path_lookupat+0x16d/0x450
[ 22.745763][ T289] filename_lookup+0x26a/0x6f0
[ 22.750367][ T289] ? hashlen_string+0x120/0x120
[ 22.755062][ T289] ? getname_flags+0x1fd/0x520
[ 22.759651][ T289] user_path_at_empty+0x40/0x50
[ 22.764338][ T289] __se_sys_mount+0x285/0x3b0
[ 22.768855][ T289] ? __x64_sys_mount+0xd0/0xd0
[ 22.773451][ T289] ? debug_smp_processor_id+0x17/0x20
[ 22.778666][ T289] ? irqentry_exit_to_user_mode+0x41/0x80
[ 22.784217][ T289] __x64_sys_mount+0xbf/0xd0
[ 22.788644][ T289] do_syscall_64+0x34/0x70
[ 22.792904][ T289] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 22.798624][ T289] RIP: 0033:0x7f92f19b8e79
[ 22.802875][ T289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 22.822329][ T289] RSP: 002b:00007f92f1971168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 22.830560][ T289] RAX: ffffffffffffffda RBX: 00007f92f1a426e8 RCX: 00007f92f19b8e79
[ 22.838371][ T289] RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000000
[ 22.846353][ T289] RBP: 00007f92f1a426e0 R08: 0000000000000000 R09: 0000000000000000
[ 22.854158][ T289] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92f1a426ec
[ 22.861969][ T289] R13: 0000000000000010 R14: 00007ffeb720bb30 R15: 00007ffeb720bc18
[ 22.869782][ T289]
[ 22.871944][ T289] Allocated by task 0:
[ 22.875847][ T289] (stack is not available)
[ 22.880101][ T289]
[ 22.882277][ T289] The buggy address belongs to the object at ffff888106fb5500
[ 22.882277][ T289] which belongs to the cache skbuff_head_cache of size 248
[ 22.896688][ T289] The buggy address is located 4 bytes inside of
[ 22.896688][ T289] 248-byte region [ffff888106fb5500, ffff888106fb55f8)
[ 22.909609][ T289] The buggy address belongs to the page:
[ 22.915187][ T289] page:ffffea00041bed40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fb5
[ 22.925249][ T289] flags: 0x4000000000000200(slab)
[ 22.930107][ T289] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888107d9c180
[ 22.938518][ T289] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 22.946971][ T289] page dumped because: kasan: bad access detected
[ 22.953190][ T289] page_owner tracks the page as allocated
[ 22.958750][ T289] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 25, ts 22868843471, free_ts 22279139937
[ 22.974635][ T289] prep_new_page+0x166/0x180
[ 22.979051][ T289] get_page_from_freelist+0x2d8c/0x2f30
[ 22.984437][ T289] __alloc_pages_nodemask+0x435/0xaf0
[ 22.989659][ T289] new_slab+0x80/0x400
[ 22.993545][ T289] ___slab_alloc+0x302/0x4b0
[ 22.997978][ T289] __slab_alloc+0x63/0xa0
[ 23.002138][ T289] kmem_cache_alloc+0x1b9/0x2e0
[ 23.006909][ T289] __alloc_skb+0x80/0x510
[ 23.011072][ T289] ndisc_alloc_skb+0xf3/0x2d0
[ 23.015591][ T289] ndisc_send_ns+0x29d/0x830
[ 23.020016][ T289] addrconf_dad_work+0xb9b/0x1700
[ 23.024873][ T289] process_one_work+0x6dc/0xbd0
[ 23.029591][ T289] worker_thread+0xaea/0x1510
[ 23.034085][ T289] kthread+0x34b/0x3d0
[ 23.037982][ T289] ret_from_fork+0x1f/0x30
[ 23.042317][ T289] page last free stack trace:
[ 23.046837][ T289] __free_pages_ok+0x82c/0x850
[ 23.051430][ T289] free_the_page+0x76/0x370
[ 23.055770][ T289] __free_pages+0x67/0xc0
[ 23.059947][ T289] __free_slab+0xcf/0x190
[ 23.064108][ T289] unfreeze_partials+0x15e/0x190
[ 23.068886][ T289] put_cpu_partial+0xbf/0x180
[ 23.073392][ T289] __slab_free+0x2c8/0x3a0
[ 23.077641][ T289] ___cache_free+0x111/0x130
[ 23.082074][ T289] qlink_free+0x50/0x90
[ 23.086064][ T289] qlist_free_all+0x47/0xb0
[ 23.090408][ T289] kasan_quarantine_reduce+0x15a/0x170
[ 23.095690][ T289] __kasan_slab_alloc+0x2f/0xe0
[ 23.100381][ T289] slab_post_alloc_hook+0x61/0x2f0
[ 23.105329][ T289] kmem_cache_alloc+0x168/0x2e0
[ 23.110015][ T289] __alloc_skb+0x80/0x510
[ 23.114178][ T289] rtmsg_ifinfo_build_skb+0x7f/0x180
[ 23.119301][ T289]
[ 23.121462][ T289] Memory state around the buggy address:
[ 23.126956][ T289] ffff888106fb5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.134863][ T289] ffff888106fb5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.142733][ T289] >ffff888106fb5500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.150625][ T289] ^
[ 23.154533][ T289] ffff888106fb5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 23.162436][ T289] ffff888106fb5600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 23.170325][ T289] ==================================================================
[ 23.178224][ T289] Disabling lock debugging due to kernel taint