Warning: Permanently added '10.128.1.135' (ED25519) to the list of known hosts.
2025/04/04 05:47:31 ignoring optional flag "sandboxArg"="0"
2025/04/04 05:47:32 parsed 1 programs
[ 22.343063][ T23] audit: type=1400 audit(1743745652.330:66): avc: denied { node_bind } for pid=348 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 22.935804][ T23] audit: type=1400 audit(1743745652.930:67): avc: denied { mounton } for pid=358 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 22.937426][ T358] cgroup1: Unknown subsys name 'net'
[ 22.958414][ T23] audit: type=1400 audit(1743745652.930:68): avc: denied { mount } for pid=358 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.963775][ T358] cgroup1: Unknown subsys name 'net_prio'
[ 22.991187][ T358] cgroup1: Unknown subsys name 'devices'
[ 22.997445][ T23] audit: type=1400 audit(1743745652.980:69): avc: denied { unmount } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.021858][ T23] audit: type=1400 audit(1743745653.010:70): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 23.133900][ T358] cgroup1: Unknown subsys name 'hugetlb'
[ 23.139557][ T358] cgroup1: Unknown subsys name 'rlimit'
[ 23.311306][ T23] audit: type=1400 audit(1743745653.300:71): avc: denied { setattr } for pid=358 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=10755 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 23.334856][ T23] audit: type=1400 audit(1743745653.300:72): avc: denied { create } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.341085][ T362] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 23.355332][ T23] audit: type=1400 audit(1743745653.300:73): avc: denied { write } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.383538][ T23] audit: type=1400 audit(1743745653.300:74): avc: denied { read } for pid=358 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.403590][ T23] audit: type=1400 audit(1743745653.300:75): avc: denied { module_request } for pid=358 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 23.445698][ T358] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 23.844526][ T364] request_module fs-gadgetfs succeeded, but still no fs?
[ 24.021446][ T370] syz-executor (370) used greatest stack depth: 19992 bytes left
[ 24.614809][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.621711][ T410] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.629051][ T410] device bridge_slave_0 entered promiscuous mode
[ 24.635925][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.642808][ T410] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.650092][ T410] device bridge_slave_1 entered promiscuous mode
[ 24.692708][ T410] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.699547][ T410] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.706700][ T410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.713538][ T410] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.735240][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 24.742753][ T375] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.750145][ T375] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.759637][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 24.768524][ T375] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.775531][ T375] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.784640][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 24.792866][ T375] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.799705][ T375] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.813269][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 24.822972][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 24.838668][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 24.849799][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 24.867261][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.880020][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.890304][ T375] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.928259][ T410] syz-executor (410) used greatest stack depth: 19416 bytes left
2025/04/04 05:47:35 executed programs: 0
[ 25.176044][ T431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.183191][ T431] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.190503][ T431] device bridge_slave_0 entered promiscuous mode
[ 25.197524][ T431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.204391][ T431] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.212621][ T431] device bridge_slave_1 entered promiscuous mode
[ 25.260770][ T431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.267625][ T431] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.274750][ T431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.281605][ T431] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.307244][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.315614][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.322871][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.334040][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.342627][ T102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.350333][ T102] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.366354][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.374453][ T102] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.381294][ T102] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.398374][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.406568][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 25.423351][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 25.442364][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 25.456904][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 25.471187][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 25.481409][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.372383][ T9] device bridge_slave_1 left promiscuous mode
[ 26.378382][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.385619][ T9] device bridge_slave_0 left promiscuous mode
[ 26.391641][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.570142][ T469] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.577045][ T469] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.584330][ T469] device bridge_slave_0 entered promiscuous mode
[ 40.591090][ T469] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.597911][ T469] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.605246][ T469] device bridge_slave_1 entered promiscuous mode
[ 40.647480][ T469] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.654328][ T469] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.661467][ T469] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.668202][ T469] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.689573][ T102] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.696933][ T102] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.704150][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 40.711519][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.720882][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.729085][ T102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.735927][ T102] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.745028][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.753168][ T102] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.759978][ T102] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.773599][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.782862][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.798583][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.810231][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.823302][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.835945][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/04/04 05:47:50 executed programs: 3
[ 40.846203][ T102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 40.869291][ T469] ==================================================================
[ 40.877184][ T469] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 40.884380][ T469] Read of size 4 at addr ffff8881ea972f78 by task syz-executor/469
[ 40.892204][ T469]
[ 40.894383][ T469] CPU: 1 PID: 469 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
[ 40.904181][ T469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 40.914162][ T469] Call Trace:
[ 40.917295][ T469]  dump_stack+0x1d8/0x241
[ 40.921458][ T469]  ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 40.927096][ T469]  ? printk+0xd1/0x111
[ 40.931010][ T469]  ? __mutex_lock+0xcd7/0x1060
[ 40.935605][ T469]  print_address_description+0x8c/0x600
[ 40.941081][ T469]  ? check_preemption_disabled+0x9f/0x320
[ 40.946628][ T469]  ? __unwind_start+0x708/0x890
[ 40.951316][ T469]  ? __mutex_lock+0xcd7/0x1060
[ 40.955911][ T469]  __kasan_report+0xf3/0x120
[ 40.960338][ T469]  ? __mutex_lock+0xcd7/0x1060
[ 40.964941][ T469]  kasan_report+0x30/0x60
[ 40.969106][ T469]  __mutex_lock+0xcd7/0x1060
[ 40.973538][ T469]  ? kobject_get_unless_zero+0x229/0x320
[ 40.979004][ T469]  ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 40.985604][ T469]  ? __module_put_and_exit+0x20/0x20
[ 40.990718][ T469]  ? up_read+0x6f/0x1b0
[ 40.994715][ T469]  mutex_lock_killable+0xd8/0x110
[ 40.999577][ T469]  ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 41.005999][ T469]  ? mutex_lock+0xa5/0x110
[ 41.010248][ T469]  ? mutex_trylock+0xa0/0xa0
[ 41.014764][ T469]  lo_open+0x18/0xc0
[ 41.018495][ T469]  __blkdev_get+0x3c8/0x1160
[ 41.022925][ T469]  ? blkdev_get+0x3a0/0x3a0
[ 41.027262][ T469]  ? _raw_spin_unlock+0x49/0x60
[ 41.031952][ T469]  blkdev_get+0x2de/0x3a0
[ 41.036116][ T469]  ? blkdev_open+0x173/0x290
[ 41.040545][ T469]  ? block_ioctl+0xe0/0xe0
[ 41.044797][ T469]  do_dentry_open+0x964/0x1130
[ 41.049397][ T469]  ? finish_open+0xd0/0xd0
[ 41.053657][ T469]  ? security_inode_permission+0xad/0xf0
[ 41.059116][ T469]  ? memcpy+0x38/0x50
[ 41.062942][ T469]  path_openat+0x29bf/0x34b0
[ 41.067368][ T469]  ? stack_trace_save+0x118/0x1c0
[ 41.072232][ T469]  ? do_filp_open+0x450/0x450
[ 41.076825][ T469]  ? do_sys_open+0x357/0x810
[ 41.081347][ T469]  ? do_syscall_64+0xca/0x1c0
[ 41.085856][ T469]  ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.091761][ T469]  do_filp_open+0x20b/0x450
[ 41.096093][ T469]  ? vfs_tmpfile+0x2c0/0x2c0
[ 41.100535][ T469]  ? _raw_spin_unlock+0x49/0x60
[ 41.105210][ T469]  ? __alloc_fd+0x4c5/0x570
[ 41.109549][ T469]  do_sys_open+0x39c/0x810
[ 41.113802][ T469]  ? check_preemption_disabled+0x153/0x320
[ 41.119529][ T469]  ? file_open_root+0x490/0x490
[ 41.124220][ T469]  do_syscall_64+0xca/0x1c0
[ 41.128590][ T469]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.134311][ T469] RIP: 0033:0x7fc74b2e2a51
[ 41.138544][ T469] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 41.157983][ T469] RSP: 002b:00007ffcbcb35a30 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 41.166239][ T469] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fc74b2e2a51
[ 41.174045][ T469] RDX: 0000000000000002 RSI: 00007ffcbcb35b40 RDI: 00000000ffffff9c
[ 41.181850][ T469] RBP: 00007ffcbcb35b40 R08: 000000000000000a R09: 00007ffcbcb357f7
[ 41.189660][ T469] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 41.197574][ T469] R13: 00007fc74b4cd260 R14: 0000000000000003 R15: 00007ffcbcb35b40
[ 41.205471][ T469]
[ 41.207638][ T469] Allocated by task 445:
[ 41.211724][ T469]  __kasan_kmalloc+0x171/0x210
[ 41.216324][ T469]  kmem_cache_alloc+0xd9/0x250
[ 41.221182][ T469]  dup_task_struct+0x4f/0x600
[ 41.225695][ T469]  copy_process+0x56d/0x3230
[ 41.230118][ T469]  _do_fork+0x197/0x900
[ 41.234116][ T469]  __x64_sys_clone3+0x2da/0x300
[ 41.238800][ T469]  do_syscall_64+0xca/0x1c0
[ 41.243141][ T469]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.248862][ T469]
[ 41.251034][ T469] Freed by task 17:
[ 41.254686][ T469]  __kasan_slab_free+0x1b5/0x270
[ 41.259458][ T469]  kmem_cache_free+0x10b/0x2c0
[ 41.264058][ T469]  rcu_do_batch+0x492/0xa00
[ 41.268399][ T469]  rcu_core+0x4c8/0xcb0
[ 41.272390][ T469]  __do_softirq+0x23b/0x6b7
[ 41.276724][ T469]
[ 41.279003][ T469] The buggy address belongs to the object at ffff8881ea972f40
[ 41.279003][ T469]  which belongs to the cache task_struct of size 3904
[ 41.292974][ T469] The buggy address is located 56 bytes inside of
[ 41.292974][ T469]  3904-byte region [ffff8881ea972f40, ffff8881ea973e80)
[ 41.306076][ T469] The buggy address belongs to the page:
[ 41.311559][ T469] page:ffffea0007aa5c00 refcount:1 mapcount:0 mapping:ffff8881f5cf0f00 index:0x0 compound_mapcount: 0
[ 41.322411][ T469] flags: 0x8000000000010200(slab|head)
[ 41.327723][ T469] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0f00
[ 41.336128][ T469] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 41.344526][ T469] page dumped because: kasan: bad access detected
[ 41.350775][ T469] page_owner tracks the page as allocated
[ 41.356343][ T469] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 41.372571][ T469]  prep_new_page+0x18f/0x370
[ 41.376995][ T469]  get_page_from_freelist+0x2d13/0x2d90
[ 41.382374][ T469]  __alloc_pages_nodemask+0x393/0x840
[ 41.387586][ T469]  alloc_slab_page+0x39/0x3c0
[ 41.392101][ T469]  new_slab+0x97/0x440
[ 41.396001][ T469]  ___slab_alloc+0x2fe/0x490
[ 41.400425][ T469]  __slab_alloc+0x62/0xa0
[ 41.404616][ T469]  kmem_cache_alloc+0x109/0x250
[ 41.409284][ T469]  dup_task_struct+0x4f/0x600
[ 41.413815][ T469]  copy_process+0x56d/0x3230
[ 41.418352][ T469]  _do_fork+0x197/0x900
[ 41.422304][ T469]  __x64_sys_clone+0x26b/0x2c0
[ 41.426907][ T469]  do_syscall_64+0xca/0x1c0
[ 41.431254][ T469]  entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 41.436969][ T469] page last free stack trace:
[ 41.441498][ T469]  __free_pages_ok+0x847/0x950
[ 41.446084][ T469]  __free_pages+0x91/0x140
[ 41.450369][ T469]  __free_slab+0x221/0x2e0
[ 41.454591][ T469]  unfreeze_partials+0x14e/0x180
[ 41.459368][ T469]  put_cpu_partial+0x44/0x180
[ 41.463891][ T469]  __slab_free+0x297/0x360
[ 41.468217][ T469]  qlist_free_all+0x43/0xb0
[ 41.472570][ T469]  quarantine_reduce+0x1d9/0x210
[ 41.477331][ T469]  __kasan_kmalloc+0x41/0x210
[ 41.481946][ T469]  kmem_cache_alloc_trace+0xdc/0x260
[ 41.487054][ T469]  kthread+0x94/0x360
[ 41.490870][ T469]  ret_from_fork+0x1f/0x30
[ 41.495124][ T469]
[ 41.497290][ T469] Memory state around the buggy address:
[ 41.502763][ T469]  ffff8881ea972e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.510662][ T469]  ffff8881ea972e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 41.518616][ T469] >ffff8881ea972f00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.526473][ T469]                                                                 ^
[ 41.534279][ T469]  ffff8881ea972f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.542167][ T469]  ffff8881ea973000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.550154][ T469] ==================================================================
[ 41.558050][ T469] Disabling lock debugging due to kernel taint