Warning: Permanently added '10.128.0.15' (ED25519) to the list of known hosts.
2025/02/21 00:16:19 ignoring optional flag "sandboxArg"="0"
2025/02/21 00:16:19 parsed 1 programs
[ 24.533771][ T23] audit: type=1400 audit(1740096979.939:66): avc: denied { node_bind } for pid=350 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 25.034592][ T23] audit: type=1400 audit(1740096980.439:67): avc: denied { mounton } for pid=359 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 25.036113][ T359] cgroup1: Unknown subsys name 'net'
[ 25.057035][ T23] audit: type=1400 audit(1740096980.439:68): avc: denied { mount } for pid=359 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 25.062295][ T359] cgroup1: Unknown subsys name 'net_prio'
[ 25.089791][ T359] cgroup1: Unknown subsys name 'devices'
[ 25.095255][ T23] audit: type=1400 audit(1740096980.509:69): avc: denied { read } for pid=146 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 25.117304][ T23] audit: type=1400 audit(1740096980.539:70): avc: denied { unmount } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 25.258753][ T359] cgroup1: Unknown subsys name 'hugetlb'
[ 25.264344][ T359] cgroup1: Unknown subsys name 'rlimit'
[ 25.495340][ T23] audit: type=1400 audit(1740096980.899:71): avc: denied { setattr } for pid=359 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=9592 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 25.518380][ T23] audit: type=1400 audit(1740096980.899:72): avc: denied { create } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.538506][ T23] audit: type=1400 audit(1740096980.899:73): avc: denied { write } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.556129][ T363] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 25.558537][ T23] audit: type=1400 audit(1740096980.899:74): avc: denied { read } for pid=359 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 25.586920][ T23] audit: type=1400 audit(1740096980.909:75): avc: denied { module_request } for pid=359 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 25.638419][ T359] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 25.993108][ T365] request_module fs-gadgetfs succeeded, but still no fs?
[ 26.167568][ T374] syz-executor (374) used greatest stack depth: 20088 bytes left
[ 26.638952][ T408] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.645798][ T408] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.653253][ T408] device bridge_slave_0 entered promiscuous mode
[ 26.660639][ T408] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.667511][ T408] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.674726][ T408] device bridge_slave_1 entered promiscuous mode
[ 26.713360][ T408] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.720199][ T408] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.727341][ T408] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.734076][ T408] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.753905][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 26.761303][ T385] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.768315][ T385] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.777313][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 26.785471][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.792296][ T385] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.801150][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 26.809496][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.816368][ T385] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.829168][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 26.838322][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.853968][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.864939][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.878007][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.892198][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.902191][ T385] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 26.939683][ T408] syz-executor (408) used greatest stack depth: 18552 bytes left
2025/02/21 00:16:22 executed programs: 0
[ 27.224365][ T433] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.231226][ T433] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.239229][ T433] device bridge_slave_0 entered promiscuous mode
[ 27.248310][ T433] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.255468][ T433] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.262845][ T433] device bridge_slave_1 entered promiscuous mode
[ 27.307571][ T433] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.314400][ T433] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.321539][ T433] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.328296][ T433] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.357613][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.365296][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.373061][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.389470][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.397538][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.404349][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.412109][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.420768][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.427604][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.443075][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.450836][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.467117][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.479659][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.493235][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.505010][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.515256][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.158712][ T103] device bridge_slave_1 left promiscuous mode
[ 28.164681][ T103] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.171844][ T103] device bridge_slave_0 left promiscuous mode
[ 28.177802][ T103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.592061][ T472] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.598945][ T472] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.606059][ T472] device bridge_slave_0 entered promiscuous mode
[ 42.612923][ T472] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.619774][ T472] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.627235][ T472] device bridge_slave_1 entered promiscuous mode
[ 42.665895][ T472] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.672742][ T472] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.679860][ T472] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.686620][ T472] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.706101][ T103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.713141][ T103] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.720454][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 42.728408][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.737387][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.745376][ T103] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.752206][ T103] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.761649][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.769693][ T103] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.776520][ T103] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.789070][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.798197][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.813358][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.824361][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.837721][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.850208][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
2025/02/21 00:16:38 executed programs: 3
[ 42.860051][ T103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 42.881154][ T472] ==================================================================
[ 42.889038][ T472] BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060
[ 42.895961][ T472] Read of size 4 at addr ffff8881ea69af78 by task syz-executor/472
[ 42.903680][ T472]
[ 42.905863][ T472] CPU: 0 PID: 472 Comm: syz-executor Not tainted 5.4.289-syzkaller-00011-g39762b7a60e9 #0
[ 42.915577][ T472] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 42.925471][ T472] Call Trace:
[ 42.928600][ T472] dump_stack+0x1d8/0x241
[ 42.932760][ T472] ? nf_ct_l4proto_log_invalid+0x258/0x258
[ 42.938401][ T472] ? printk+0xd1/0x111
[ 42.942308][ T472] ? __mutex_lock+0xcd7/0x1060
[ 42.946908][ T472] print_address_description+0x8c/0x600
[ 42.952291][ T472] ? check_preemption_disabled+0x9f/0x320
[ 42.957845][ T472] ? __unwind_start+0x708/0x890
[ 42.962529][ T472] ? __mutex_lock+0xcd7/0x1060
[ 42.967135][ T472] __kasan_report+0xf3/0x120
[ 42.971561][ T472] ? __mutex_lock+0xcd7/0x1060
[ 42.976156][ T472] kasan_report+0x30/0x60
[ 42.980327][ T472] __mutex_lock+0xcd7/0x1060
[ 42.984750][ T472] ? kobject_get_unless_zero+0x229/0x320
[ 42.990223][ T472] ? __ww_mutex_lock_interruptible_slowpath+0x10/0x10
[ 42.996814][ T472] ? __module_put_and_exit+0x20/0x20
[ 43.001938][ T472] ? up_read+0x6f/0x1b0
[ 43.005928][ T472] mutex_lock_killable+0xd8/0x110
[ 43.010790][ T472] ? __mutex_lock_interruptible_slowpath+0x10/0x10
[ 43.017123][ T472] ? mutex_lock+0xa5/0x110
[ 43.021372][ T472] ? mutex_trylock+0xa0/0xa0
[ 43.025804][ T472] lo_open+0x18/0xc0
[ 43.029534][ T472] __blkdev_get+0x3c8/0x1160
[ 43.033964][ T472] ? blkdev_get+0x3a0/0x3a0
[ 43.038304][ T472] ? _raw_spin_unlock+0x49/0x60
[ 43.042985][ T472] blkdev_get+0x2de/0x3a0
[ 43.047152][ T472] ? blkdev_open+0x173/0x290
[ 43.051579][ T472] ? block_ioctl+0xe0/0xe0
[ 43.055830][ T472] do_dentry_open+0x964/0x1130
[ 43.060436][ T472] ? finish_open+0xd0/0xd0
[ 43.064685][ T472] ? security_inode_permission+0xad/0xf0
[ 43.070156][ T472] ? memcpy+0x38/0x50
[ 43.073972][ T472] path_openat+0x29bf/0x34b0
[ 43.078399][ T472] ? stack_trace_save+0x118/0x1c0
[ 43.083259][ T472] ? do_filp_open+0x450/0x450
[ 43.087770][ T472] ? do_sys_open+0x357/0x810
[ 43.092197][ T472] ? do_syscall_64+0xca/0x1c0
[ 43.096714][ T472] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 43.102613][ T472] do_filp_open+0x20b/0x450
[ 43.106955][ T472] ? vfs_tmpfile+0x2c0/0x2c0
[ 43.111381][ T472] ? _raw_spin_unlock+0x49/0x60
[ 43.116067][ T472] ? __alloc_fd+0x4c5/0x570
[ 43.120404][ T472] do_sys_open+0x39c/0x810
[ 43.124659][ T472] ? check_preemption_disabled+0x153/0x320
[ 43.130297][ T472] ? file_open_root+0x490/0x490
[ 43.134989][ T472] do_syscall_64+0xca/0x1c0
[ 43.139328][ T472] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 43.145064][ T472] RIP: 0033:0x7f9493f70991
[ 43.149308][ T472] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ba 1b 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 43.168837][ T472] RSP: 002b:00007ffef6371d90 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 43.177080][ T472] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9493f70991
[ 43.184887][ T472] RDX: 0000000000000002 RSI: 00007ffef6371ea0 RDI: 00000000ffffff9c
[ 43.192700][ T472] RBP: 00007ffef6371ea0 R08: 000000000000000a R09: 00007ffef6371b57
[ 43.200513][ T472] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 43.208322][ T472] R13: 00007f949415b260 R14: 0000000000000003 R15: 00007ffef6371ea0
[ 43.216135][ T472]
[ 43.218303][ T472] Allocated by task 446:
[ 43.222390][ T472] __kasan_kmalloc+0x171/0x210
[ 43.226988][ T472] kmem_cache_alloc+0xd9/0x250
[ 43.231585][ T472] dup_task_struct+0x4f/0x600
[ 43.236207][ T472] copy_process+0x56d/0x3230
[ 43.240649][ T472] _do_fork+0x197/0x900
[ 43.244633][ T472] __x64_sys_clone3+0x2da/0x300
[ 43.249317][ T472] do_syscall_64+0xca/0x1c0
[ 43.253654][ T472] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 43.259386][ T472]
[ 43.261548][ T472] Freed by task 10:
[ 43.265199][ T472] __kasan_slab_free+0x1b5/0x270
[ 43.269971][ T472] kmem_cache_free+0x10b/0x2c0
[ 43.274570][ T472] rcu_do_batch+0x492/0xa00
[ 43.278909][ T472] rcu_core+0x4c8/0xcb0
[ 43.282909][ T472] __do_softirq+0x23b/0x6b7
[ 43.287237][ T472]
[ 43.289411][ T472] The buggy address belongs to the object at ffff8881ea69af40
[ 43.289411][ T472] which belongs to the cache task_struct of size 3904
[ 43.303386][ T472] The buggy address is located 56 bytes inside of
[ 43.303386][ T472] 3904-byte region [ffff8881ea69af40, ffff8881ea69be80)
[ 43.316487][ T472] The buggy address belongs to the page:
[ 43.321962][ T472] page:ffffea0007a9a600 refcount:1 mapcount:0 mapping:ffff8881f5cf1900 index:0x0 compound_mapcount: 0
[ 43.332725][ T472] flags: 0x8000000000010200(slab|head)
[ 43.338017][ T472] raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf1900
[ 43.346436][ T472] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 43.354849][ T472] page dumped because: kasan: bad access detected
[ 43.361104][ T472] page_owner tracks the page as allocated
[ 43.366656][ T472] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
[ 43.382890][ T472] prep_new_page+0x18f/0x370
[ 43.387344][ T472] get_page_from_freelist+0x2d13/0x2d90
[ 43.393474][ T472] __alloc_pages_nodemask+0x393/0x840
[ 43.398684][ T472] alloc_slab_page+0x39/0x3c0
[ 43.403195][ T472] new_slab+0x97/0x440
[ 43.407126][ T472] ___slab_alloc+0x2fe/0x490
[ 43.411526][ T472] __slab_alloc+0x62/0xa0
[ 43.415692][ T472] kmem_cache_alloc+0x109/0x250
[ 43.420384][ T472] dup_task_struct+0x4f/0x600
[ 43.424892][ T472] copy_process+0x56d/0x3230
[ 43.429320][ T472] _do_fork+0x197/0x900
[ 43.433310][ T472] kernel_thread+0x16a/0x1d0
[ 43.437737][ T472] kthreadd+0x3b1/0x4f0
[ 43.441729][ T472] ret_from_fork+0x1f/0x30
[ 43.445978][ T472] page last free stack trace:
[ 43.450498][ T472] __free_pages_ok+0x847/0x950
[ 43.455097][ T472] __free_pages+0x91/0x140
[ 43.459349][ T472] __free_slab+0x221/0x2e0
[ 43.463601][ T472] unfreeze_partials+0x14e/0x180
[ 43.468377][ T472] put_cpu_partial+0x44/0x180
[ 43.472887][ T472] __slab_free+0x297/0x360
[ 43.477146][ T472] qlist_free_all+0x43/0xb0
[ 43.481479][ T472] quarantine_reduce+0x1d9/0x210
[ 43.486253][ T472] __kasan_kmalloc+0x41/0x210
[ 43.490767][ T472] __kmalloc+0x105/0x2e0
[ 43.494858][ T472] kvmalloc_node+0x7e/0xf0
[ 43.499102][ T472] __nf_hook_entries_try_shrink+0x330/0x750
[ 43.504832][ T472] __nf_unregister_net_hook+0x41c/0x5d0
[ 43.510209][ T472] nf_unregister_net_hooks+0x91/0xe0
[ 43.515330][ T472] ip6t_unregister_table+0x5d/0x210
[ 43.520364][ T472] ip6table_raw_net_exit+0x58/0x80
[ 43.525308][ T472]
[ 43.527477][ T472] Memory state around the buggy address:
[ 43.532947][ T472] ffff8881ea69ae00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.540845][ T472] ffff8881ea69ae80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 43.548754][ T472] >ffff8881ea69af00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 43.556640][ T472] ^
[ 43.564460][ T472] ffff8881ea69af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.572351][ T472] ffff8881ea69b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.580249][ T472] ==================================================================
[ 43.588148][ T472] Disabling lock debugging due to kernel taint