Warning: Permanently added '10.128.0.255' (ED25519) to the list of known hosts.
[ 23.338780][ T24] audit: type=1400 audit(1736251197.290:66): avc: denied { execmem } for pid=284 comm="syz-executor233" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 23.375661][ T24] audit: type=1400 audit(1736251197.330:67): avc: denied { mounton } for pid=284 comm="syz-executor233" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 23.376788][ T284] cgroup: Unknown subsys name 'net'
[ 23.398421][ T24] audit: type=1400 audit(1736251197.330:68): avc: denied { mount } for pid=284 comm="syz-executor233" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.425525][ T24] audit: type=1400 audit(1736251197.370:69): avc: denied { unmount } for pid=284 comm="syz-executor233" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.425720][ T284] cgroup: Unknown subsys name 'devices'
[ 23.570734][ T284] cgroup: Unknown subsys name 'hugetlb'
[ 23.576119][ T284] cgroup: Unknown subsys name 'rlimit'
[ 23.701524][ T24] audit: type=1400 audit(1736251197.660:70): avc: denied { mounton } for pid=284 comm="syz-executor233" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 23.715687][ T286] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 23.726382][ T24] audit: type=1400 audit(1736251197.660:71): avc: denied { mount } for pid=284 comm="syz-executor233" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 23.757970][ T24] audit: type=1400 audit(1736251197.700:72): avc: denied { relabelto } for pid=286 comm="mkswap" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 23.783273][ T24] audit: type=1400 audit(1736251197.700:73): avc: denied { write } for pid=286 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 23.783325][ T284] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 23.808634][ T24] audit: type=1400 audit(1736251197.730:74): avc: denied { read } for pid=284 comm="syz-executor233" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 23.808651][ T24] audit: type=1400 audit(1736251197.730:75): avc: denied { open } for pid=284 comm="syz-executor233" path="/root/swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 23.891429][ T287] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.898269][ T287] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.905667][ T287] device bridge_slave_0 entered promiscuous mode
[ 23.912367][ T287] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.919184][ T287] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.926622][ T287] device bridge_slave_1 entered promiscuous mode
[ 23.955714][ T287] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.962567][ T287] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.969674][ T287] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.976526][ T287] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.992341][ T48] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.999429][ T48] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.006460][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 24.014395][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 24.023553][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 24.031530][ T48] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.038350][ T48] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.046850][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 24.054983][ T48] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.061845][ T48] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.072403][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 24.081267][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 24.093404][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 24.104782][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 24.112813][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 24.120242][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 24.128074][ T287] device veth0_vlan entered promiscuous mode
[ 24.137127][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.145945][ T287] device veth1_macvtap entered promiscuous mode
executing program
[ 24.154595][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.164150][ T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.180543][ T287] request_module fs-gadgetfs succeeded, but still no fs?
[ 24.190202][ T287] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 24.249527][ T292] ======================================================
[ 24.249527][ T292] WARNING: the mand mount option is being deprecated and
[ 24.249527][ T292] will be removed in v5.15!
[ 24.249527][ T292] ======================================================
[ 24.299924][ T292] EXT4-fs (loop0): Journaled quota options ignored when QUOTA feature is enabled
[ 24.321567][ T292] EXT4-fs (loop0): 1 orphan inode deleted
[ 24.327125][ T292] EXT4-fs (loop0): mounted filesystem without journal. Opts: resgid=0x0000000000000000,discard,noblock_validity,grpjquota=./bus,stripe=0x000000000000002e,resgid=0x0000000000000000,sysvgroups,norecovery,nodelalloc,,errors=continue
[ 24.349438][ T292] ext4 filesystem being mounted at /0/file1 supports timestamps until 2038-01-19 (0x7fffffff)
[ 24.392456][ T287] EXT4-fs warning (device loop0): __ext4_unlink:3447: inode #16: comm syz-executor233: Deleting file 'file3' with no links
[ 24.405455][ T287] EXT4-fs error (device loop0): ext4_ext_check_inode:500: inode #17: comm syz-executor233: pblk 0 bad header/extent: invalid magic - magic 0, entries 0, max 0(0), depth 0(0)
[ 24.422882][ T287] EXT4-fs error (device loop0): ext4_ext_check_inode:500: inode #17: comm syz-executor233: pblk 0 bad header/extent: invalid magic - magic 0, entries 0, max 0(0), depth 0(0)
[ 24.501095][ T287] ==================================================================
[ 24.508996][ T287] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x3da3/0x4e10
[ 24.516786][ T287] Read of size 4 at addr ffff8881190014a8 by task syz-executor233/287
[ 24.524768][ T287]
[ 24.526954][ T287] CPU: 1 PID: 287 Comm: syz-executor233 Not tainted 5.10.232-syzkaller-00746-g49e8ba0a684f #0
[ 24.537005][ T287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 24.546908][ T287] Call Trace:
[ 24.550030][ T287] dump_stack_lvl+0x1e2/0x24b
[ 24.554545][ T287] ? bfq_pos_tree_add_move+0x43b/0x43b
[ 24.559834][ T287] ? panic+0x812/0x812
[ 24.563737][ T287] ? __getblk_gfp+0x3d/0x7e0
[ 24.568164][ T287] print_address_description+0x81/0x3b0
[ 24.573545][ T287] kasan_report+0x179/0x1c0
[ 24.577899][ T287] ? ext4_ext_remove_space+0x3da3/0x4e10
[ 24.583366][ T287] ? ext4_ext_remove_space+0x3da3/0x4e10
[ 24.588824][ T287] __asan_report_load4_noabort+0x14/0x20
[ 24.594332][ T287] ext4_ext_remove_space+0x3da3/0x4e10
[ 24.599592][ T287] ? _raw_write_lock+0xa4/0x170
[ 24.604288][ T287] ? _raw_write_trylock+0x1a0/0x1a0
[ 24.609315][ T287] ? __ext4_mark_inode_dirty+0x518/0x7b0
[ 24.614781][ T287] ? ext4_ext_index_trans_blocks+0x120/0x120
[ 24.620592][ T287] ? ext4_es_remove_extent+0x297/0x460
[ 24.625887][ T287] ? ext4_es_lookup_extent+0x940/0x940
[ 24.631182][ T287] ext4_ext_truncate+0x17f/0x200
[ 24.635951][ T287] ext4_truncate+0xb19/0x1220
[ 24.640468][ T287] ? __ext4_mark_inode_dirty+0x7b0/0x7b0
[ 24.645934][ T287] ? __kasan_check_read+0x11/0x20
[ 24.650793][ T287] ext4_evict_inode+0xf07/0x1730
[ 24.655566][ T287] ? ext4_inode_is_fast_symlink+0x360/0x360
[ 24.661296][ T287] ? inode_io_list_del_locked+0x1ad/0x210
[ 24.666851][ T287] ? _raw_spin_unlock+0x4d/0x70
[ 24.671536][ T287] ? ext4_inode_is_fast_symlink+0x360/0x360
[ 24.677264][ T287] evict+0x526/0x9c0
[ 24.681001][ T287] ? mode_strip_sgid+0x140/0x140
[ 24.685775][ T287] ? _raw_spin_lock+0xa4/0x1b0
[ 24.690380][ T287] ? _raw_spin_trylock_bh+0x190/0x190
[ 24.695584][ T287] ? __kasan_check_write+0x14/0x20
[ 24.700552][ T287] ? ext4_drop_inode+0x93/0x1a0
[ 24.705215][ T287] iput+0x632/0x7e0
[ 24.708878][ T287] dentry_unlink_inode+0x2ea/0x3d0
[ 24.713810][ T287] __dentry_kill+0x447/0x650
[ 24.718237][ T287] shrink_dentry_list+0x38a/0x4e0
[ 24.723096][ T287] shrink_dcache_parent+0xc9/0x340
[ 24.728213][ T287] ? d_set_mounted+0x230/0x230
[ 24.732819][ T287] ? ____kasan_slab_free+0x12c/0x160
[ 24.737937][ T287] ? __init_rwsem+0x1c0/0x1c0
[ 24.742451][ T287] ? __kasan_slab_free+0x11/0x20
[ 24.747222][ T287] do_one_tree+0x28/0x4a0
[ 24.751386][ T287] ? shrink_dcache_for_umount+0x36/0x120
[ 24.756859][ T287] shrink_dcache_for_umount+0x7d/0x120
[ 24.762156][ T287] generic_shutdown_super+0x66/0x320
[ 24.767270][ T287] kill_block_super+0x7e/0xe0
[ 24.771814][ T287] deactivate_locked_super+0xad/0x110
[ 24.777005][ T287] deactivate_super+0xbe/0xf0
[ 24.781527][ T287] cleanup_mnt+0x45c/0x510
[ 24.785762][ T287] __cleanup_mnt+0x19/0x20
[ 24.790012][ T287] task_work_run+0x129/0x190
[ 24.794527][ T287] do_exit+0xc83/0x2a50
[ 24.798516][ T287] ? put_task_struct+0x80/0x80
[ 24.803125][ T287] ? down_read_trylock+0x179/0x1d0
[ 24.808074][ T287] ? debug_smp_processor_id+0x17/0x20
[ 24.813277][ T287] ? fpregs_assert_state_consistent+0xb6/0xe0
[ 24.819174][ T287] do_group_exit+0x141/0x310
[ 24.823603][ T287] __x64_sys_exit_group+0x3f/0x40
[ 24.828461][ T287] do_syscall_64+0x34/0x70
[ 24.832715][ T287] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.838442][ T287] RIP: 0033:0x7f9c46383b69
[ 24.842692][ T287] Code: Unable to access opcode bytes at RIP 0x7f9c46383b3f.
[ 24.849896][ T287] RSP: 002b:00007ffffe425be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 24.858140][ T287] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f9c46383b69
[ 24.865963][ T287] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 24.873767][ T287] RBP: 00007f9c46402150 R08: ffffffffffffffb8 R09: 0000000000000000
[ 24.881580][ T287] R10: 0000000000000100 R11: 0000000000000246 R12: 00007f9c46402150
[ 24.889392][ T287] R13: 0000000000000000 R14: 00007f9c46404f80 R15: 00007f9c46348a60
[ 24.897200][ T287]
[ 24.899375][ T287] Allocated by task 129:
[ 24.903479][ T287] __kasan_slab_alloc+0xb1/0xe0
[ 24.908135][ T287] slab_post_alloc_hook+0x61/0x2f0
[ 24.913082][ T287] kmem_cache_alloc+0x168/0x2e0
[ 24.917771][ T287] vm_area_dup+0x26/0x270
[ 24.921942][ T287] __split_vma+0xbd/0x420
[ 24.926100][ T287] split_vma+0x7c/0xd0
[ 24.930008][ T287] mprotect_fixup+0x582/0x860
[ 24.934695][ T287] do_mprotect_pkey+0x731/0x990
[ 24.939386][ T287] __x64_sys_mprotect+0x80/0x90
[ 24.944073][ T287] do_syscall_64+0x34/0x70
[ 24.948323][ T287] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 24.954045][ T287]
[ 24.956215][ T287] Freed by task 129:
[ 24.959954][ T287] kasan_set_track+0x4b/0x70
[ 24.964378][ T287] kasan_set_free_info+0x23/0x40
[ 24.969150][ T287] ____kasan_slab_free+0x121/0x160
[ 24.974106][ T287] __kasan_slab_free+0x11/0x20
[ 24.978697][ T287] slab_free_freelist_hook+0xc0/0x190
[ 24.983916][ T287] kmem_cache_free+0xa9/0x1e0
[ 24.988425][ T287] vm_area_free+0x52/0xf0
[ 24.992590][ T287] exit_mmap+0x431/0x560
[ 24.996665][ T287] __mmput+0x95/0x2d0
[ 25.000486][ T287] mmput+0x59/0x170
[ 25.004129][ T287] do_exit+0xbda/0x2a50
[ 25.008122][ T287] do_group_exit+0x141/0x310
[ 25.012548][ T287] __x64_sys_exit_group+0x3f/0x40
[ 25.017411][ T287] do_syscall_64+0x34/0x70
[ 25.021672][ T287] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.027393][ T287]
[ 25.029560][ T287] The buggy address belongs to the object at ffff8881190014a0
[ 25.029560][ T287] which belongs to the cache vm_area_struct of size 232
[ 25.043736][ T287] The buggy address is located 8 bytes inside of
[ 25.043736][ T287] 232-byte region [ffff8881190014a0, ffff888119001588)
[ 25.056642][ T287] The buggy address belongs to the page:
[ 25.062130][ T287] page:ffffea0004640040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x119001
[ 25.072182][ T287] flags: 0x4000000000000200(slab)
[ 25.077040][ T287] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888100188600
[ 25.085462][ T287] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[ 25.093883][ T287] page dumped because: kasan: bad access detected
[ 25.100129][ T287] page_owner tracks the page as allocated
[ 25.105683][ T287] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 129, ts 4765381737, free_ts 4763796740
[ 25.121401][ T287] prep_new_page+0x166/0x180
[ 25.125817][ T287] get_page_from_freelist+0x2d8c/0x2f30
[ 25.131197][ T287] __alloc_pages_nodemask+0x435/0xaf0
[ 25.136405][ T287] new_slab+0x80/0x400
[ 25.140312][ T287] ___slab_alloc+0x302/0x4b0
[ 25.144737][ T287] __slab_alloc+0x63/0xa0
[ 25.148903][ T287] kmem_cache_alloc+0x1b9/0x2e0
[ 25.153593][ T287] vm_area_dup+0x26/0x270
[ 25.157756][ T287] __split_vma+0xbd/0x420
[ 25.161925][ T287] __do_munmap+0x412/0x8c0
[ 25.166178][ T287] mmap_region+0xa31/0x1cd0
[ 25.170543][ T287] do_mmap+0x800/0xeb0
[ 25.174421][ T287] vm_mmap_pgoff+0x201/0x390
[ 25.178858][ T287] ksys_mmap_pgoff+0x16f/0x1f0
[ 25.183459][ T287] __x64_sys_mmap+0x103/0x120
[ 25.187974][ T287] do_syscall_64+0x34/0x70
[ 25.192210][ T287] page last free stack trace:
[ 25.196730][ T287] free_unref_page_prepare+0x2ae/0x2d0
[ 25.202024][ T287] free_unref_page_list+0x122/0xb20
[ 25.207094][ T287] release_pages+0xea0/0xef0
[ 25.211484][ T287] free_pages_and_swap_cache+0x8a/0xa0
[ 25.216777][ T287] tlb_finish_mmu+0x177/0x320
[ 25.221292][ T287] exit_mmap+0x306/0x560
[ 25.225369][ T287] __mmput+0x95/0x2d0
[ 25.229187][ T287] mmput+0x59/0x170
[ 25.232834][ T287] begin_new_exec+0xb8d/0x2380
[ 25.237437][ T287] load_elf_binary+0x945/0x2750
[ 25.242134][ T287] bprm_execve+0x81b/0x1600
[ 25.246465][ T287] do_execveat_common+0x959/0xac0
[ 25.251321][ T287] __x64_sys_execve+0x92/0xb0
[ 25.255840][ T287] do_syscall_64+0x34/0x70
[ 25.260089][ T287] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 25.265812][ T287]
[ 25.267979][ T287] Memory state around the buggy address:
[ 25.273453][ T287]  ffff888119001380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.281355][ T287]  ffff888119001400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 25.289249][ T287] >ffff888119001480: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
[ 25.297147][ T287]                                   ^
[ 25.302355][ T287]  ffff888119001500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.310257][ T287]  ffff888119001580: fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[ 25.318147][ T287] ==================================================================
[ 25.326058][ T287] Disabling lock debugging due to kernel taint
[ 25.335759][ T287] EXT4-fs error (device loop0): ext4_free_blocks:5685: comm syz-executor233: Freeing blocks not in datazone - block = 269380761873296, count = 206
[ 25.350726][ T287] EXT4-fs error (device loop0):