last executing test programs: 277.298237ms ago: executing program 0 (id=1): openat2$dir(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)={0x2afc0, 0x1c1, 0x6}, 0x18) r0 = inotify_init1(0x0) pipe(&(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) fcntl$setpipe(r1, 0x407, 0x7000001) pipe2$9p(&(0x7f0000001540), 0x0) inotify_add_watch(r0, &(0x7f0000000080)='./file0\x00', 0x10000006) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) r4 = openat$udambuf(0xffffffffffffff9c, &(0x7f0000000040), 0x2) r5 = memfd_create(&(0x7f0000000140)='y\x105\xfb\xf7u\x83%:r\xc2\xb9x\xa4q\xc1\xea_\x8cZ7\xcda\x9b\x11X\x0e\xa1\xcf\x1a\x98S7\xc9\x00'/47, 0x2) ftruncate(r5, 0xffff) getsockopt$bt_sco_SCO_CONNINFO(r2, 0x11, 0x2, &(0x7f0000000180)=""/35, &(0x7f0000000200)=0x23) fcntl$addseals(r5, 0x409, 0x7) r6 = ioctl$UDMABUF_CREATE(r4, 0x40187542, &(0x7f0000000000)={r5, 0x0, 0x0, 0x8000}) ioctl$DMA_BUF_IOCTL_SYNC(r6, 0x40086200, &(0x7f00000001c0)=0x1) close_range(r3, 0xffffffffffffffff, 0x0) creat(&(0x7f0000000100)='./file0\x00', 0x8) 274.494237ms ago: executing program 3 (id=4): r0 = gettid() r1 = socket$netlink(0x10, 0x3, 0x4) r2 = socket$inet6_udp(0xa, 0x2, 0x0) capset(&(0x7f0000000040)={0x20080522}, &(0x7f0000000080)={0x0, 0xfffffffc}) sendmmsg$inet6(r2, &(0x7f00000010c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x4001) writev(r1, &(0x7f0000000280)=[{&(0x7f0000000340)="580000001400192340834b80040d8c560a117436c379000000000000000058000b4824ca945f6400940f6a0325010ebc000000000000008000f0fffeffe809005300fff5dd000000100001000c0c100000000000204e0000", 0x58}], 0x1) syz_genetlink_get_family_id$mptcp(&(0x7f0000000240), r1) timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)=0x0) timer_settime(r3, 0x0, &(0x7f0000000040)={{0x77359400}, {0x77359400}}, 0x0) r4 = openat$full(0xffffffffffffff9c, &(0x7f0000000080), 0x121000, 0x0) r5 = openat$cgroup(r4, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0) openat$cgroup_ro(r5, &(0x7f00000000c0)='net_prio.prioidx\x00', 0x0, 0x0) read$FUSE(r4, &(0x7f0000002a80)={0x2020}, 0xfffffffe) gettid() (async) socket$netlink(0x10, 0x3, 0x4) (async) socket$inet6_udp(0xa, 0x2, 0x0) (async) capset(&(0x7f0000000040)={0x20080522}, &(0x7f0000000080)={0x0, 0xfffffffc}) (async) sendmmsg$inet6(r2, &(0x7f00000010c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x4001) (async) writev(r1, &(0x7f0000000280)=[{&(0x7f0000000340)="580000001400192340834b80040d8c560a117436c379000000000000000058000b4824ca945f6400940f6a0325010ebc000000000000008000f0fffeffe809005300fff5dd000000100001000c0c100000000000204e0000", 0x58}], 0x1) (async) syz_genetlink_get_family_id$mptcp(&(0x7f0000000240), r1) (async) timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)) (async) timer_settime(r3, 0x0, &(0x7f0000000040)={{0x77359400}, {0x77359400}}, 0x0) (async) openat$full(0xffffffffffffff9c, &(0x7f0000000080), 0x121000, 0x0) (async) openat$cgroup(r4, &(0x7f0000000000)='syz1\x00', 0x200002, 0x0) (async) openat$cgroup_ro(r5, &(0x7f00000000c0)='net_prio.prioidx\x00', 0x0, 0x0) (async) read$FUSE(r4, &(0x7f0000002a80)={0x2020}, 0xfffffffe) (async) 222.253798ms ago: executing program 1 (id=2): mkdir(&(0x7f0000000000)='./file0\x00', 0x73) mkdir(&(0x7f00000000c0)='./bus\x00', 0x11e) mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) chdir(&(0x7f00000001c0)='./bus\x00') mkdir(&(0x7f0000000000)='./file0\x00', 0x0) r0 = open$dir(&(0x7f0000000040)='./bus\x00', 0x183020, 0x60) fspick(r0, &(0x7f0000000100)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000b80), 0x0, &(0x7f0000000a80)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}]}) (fail_nth: 17) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, 0x0) 215.954777ms ago: executing program 2 (id=3): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) lstat(0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r1, r2, &(0x7f0000fe3000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, 0x0}], 0x1, 0x51, 0x0, 0x0) r3 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x2, 0x7fff7ffc}]}) close_range(r3, 0xffffffffffffffff, 0x200000000000000) read$hidraw(0xffffffffffffffff, &(0x7f0000000100)=""/97, 0x61) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000000)={{{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, @in6=@ipv4={'\x00', '\xff\xff', @empty}, 0x4e23, 0x6, 0x4e22, 0x0, 0x2, 0x20, 0x20, 0x1d}, {0x7, 0x7, 0x5, 0x95d, 0xfffffffffffffffb, 0x2, 0x0, 0x5c2}, {0xe, 0x5, 0xb1b}, 0x401, 0x0, 0x2, 0x1, 0x2, 0x2}, {{@in6=@empty, 0x4d4, 0x2a}, 0x39573c4e467c4e, @in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x3502, 0x4, 0x0, 0x40, 0x9, 0x33, 0x7}}, 0xe8) r4 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/power/wake_lock', 0x202, 0xc4) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000480)='./binderfs/binder0\x00', 0x0, 0x0) openat$ttynull(0xffffffffffffff9c, 0x0, 0x123100, 0x0) close(0x3) sendfile(r4, r4, &(0x7f0000000280)=0xffffffff, 0x5) sendmsg$netlink(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000080)=ANY=[@ANYBLOB="280000002100010002000000000000000a00000000000001016200000c0018"], 0x28}], 0x1, 0x0, 0x0, 0x8000}, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$netlink(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000080)=ANY=[], 0x28}], 0x1, 0x0, 0x0, 0x8000}, 0x10) ioctl$EXT4_IOC_PRECACHE_EXTENTS(r5, 0x6612) 115.780429ms ago: executing program 0 (id=5): r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL802154_CMD_SET_MAX_CSMA_BACKOFFS(r0, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x1c, 0x0, 0x4, 0x70bd2d, 0x25dfdbff, {}, [@NL802154_ATTR_MAX_CSMA_BACKOFFS={0x5, 0x12, 0x4}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x4) mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x0) mount$bind(&(0x7f0000000c40)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101090, 0x0) chroot(&(0x7f0000000300)='./file0/../file0/../file0/file0\x00') mount(0x0, &(0x7f0000000d40)='./file0/../file0\x00', &(0x7f0000000080)='sysfs\x00', 0x200010, 0x0) pivot_root(&(0x7f0000000000)='./file0/../file0\x00', 0x0) 0s ago: executing program 0 (id=6): r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = dup(r1) ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000140)={'syzkaller1\x00', @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}) write$tun(r0, &(0x7f0000000880)={@val={0xa, 0xb3f0}, @void, @eth={@broadcast, @local, @void, {@ipv6={0x86dd, @icmpv6={0x9, 0x6, "4fd2cd", 0x8, 0x3a, 0xff, @remote, @mcast2, {[], @mlv2_report={0x8f, 0x0, 0x0, 0x903e}}}}}}}, 0x42) r3 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) r4 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000240)=0x100000001, 0x4) io_setup(0x4, &(0x7f0000000080)) connect$inet6(r4, &(0x7f0000000200)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_tcp_TCP_ULP(r4, 0x6, 0x1f, &(0x7f0000000540), 0x3c) setsockopt$inet6_tcp_int(r4, 0x11a, 0x3, &(0x7f0000000100)=0x304, 0x4) r5 = socket$inet6_tcp(0xa, 0x1, 0x0) read$FUSE(r2, &(0x7f0000000900)={0x2020, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x2020) write$cgroup_pid(r2, &(0x7f0000002940)=r6, 0x12) timer_create(0xb, 0x0, &(0x7f00000000c0)=0x0) timer_settime(r7, 0x0, &(0x7f0000000080)={{}, {0x77359400}}, 0x0) timer_settime(r7, 0x1, &(0x7f0000000040)={{0x77359400}}, &(0x7f0000000080)) r8 = dup(r5) ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000000)={'syzkaller1\x00', @multicast}) write$tun(r3, &(0x7f0000000700)={@void, @void, @eth={@multicast, @random="000000154600", @val={@void}, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x2, 0x7, 0x38, 0x6c, 0x4000, 0x7, 0x1, 0x0, @rand_addr=0x64010103, @local}, @redirect={0x5, 0x3, 0x0, @broadcast, {0x5, 0x4, 0x0, 0x4, 0x6, 0x65, 0xe, 0x8, 0xff, 0xf, @local, @loopback}, "9ffcf61a9c5c5f25"}}}}}}, 0x4a) ioctl$EXT4_IOC_GROUP_ADD(r2, 0x40286608, &(0x7f0000000040)={0x6, 0x7, 0x5, 0x10000, 0x5, 0x4}) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.62' (ED25519) to the list of known hosts. [ 20.670809][ T36] audit: type=1400 audit(1781402463.259:64): avc: denied { mounton } for pid=286 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 20.671956][ T286] cgroup: Unknown subsys name 'net' [ 20.693494][ T36] audit: type=1400 audit(1781402463.259:65): avc: denied { mount } for pid=286 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 20.720711][ T36] audit: type=1400 audit(1781402463.279:66): avc: denied { unmount } for pid=286 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 20.720903][ T286] cgroup: Unknown subsys name 'devices' [ 20.842605][ T286] cgroup: Unknown subsys name 'hugetlb' [ 20.848220][ T286] cgroup: Unknown subsys name 'rlimit' [ 20.940444][ T36] audit: type=1400 audit(1781402463.529:67): avc: denied { setattr } for pid=286 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 20.963606][ T36] audit: type=1400 audit(1781402463.529:68): avc: denied { mounton } for pid=286 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 20.988646][ T36] audit: type=1400 audit(1781402463.529:69): avc: denied { mount } for pid=286 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 20.997441][ T288] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 21.020510][ T36] audit: type=1400 audit(1781402463.609:70): avc: denied { relabelto } for pid=288 comm="mkswap" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 21.046033][ T36] audit: type=1400 audit(1781402463.609:71): avc: denied { write } for pid=288 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 21.080072][ T36] audit: type=1400 audit(1781402463.659:72): avc: denied { read } for pid=286 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 21.105635][ T36] audit: type=1400 audit(1781402463.659:73): avc: denied { open } for pid=286 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 21.105990][ T286] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 21.895821][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.903027][ T293] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.910183][ T293] bridge_slave_0: entered allmulticast mode [ 21.916516][ T293] bridge_slave_0: entered promiscuous mode [ 21.925709][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 21.932807][ T293] bridge0: port 2(bridge_slave_1) entered disabled state [ 21.939891][ T293] bridge_slave_1: entered allmulticast mode [ 21.946209][ T293] bridge_slave_1: entered promiscuous mode [ 21.978980][ T294] bridge0: port 1(bridge_slave_0) entered blocking state [ 21.986318][ T294] bridge0: port 1(bridge_slave_0) entered disabled state [ 21.993981][ T294] bridge_slave_0: entered allmulticast mode [ 22.000192][ T294] bridge_slave_0: entered promiscuous mode [ 22.009464][ T294] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.016574][ T294] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.023705][ T294] bridge_slave_1: entered allmulticast mode [ 22.029993][ T294] bridge_slave_1: entered promiscuous mode [ 22.044585][ T296] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.051702][ T296] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.058781][ T296] bridge_slave_0: entered allmulticast mode [ 22.065161][ T296] bridge_slave_0: entered promiscuous mode [ 22.071395][ T295] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.078438][ T295] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.085568][ T295] bridge_slave_0: entered allmulticast mode [ 22.091784][ T295] bridge_slave_0: entered promiscuous mode [ 22.098158][ T295] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.105231][ T295] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.112322][ T295] bridge_slave_1: entered allmulticast mode [ 22.118453][ T295] bridge_slave_1: entered promiscuous mode [ 22.133038][ T296] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.140091][ T296] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.147190][ T296] bridge_slave_1: entered allmulticast mode [ 22.153358][ T296] bridge_slave_1: entered promiscuous mode [ 22.297469][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.304546][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.312743][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.319800][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.329970][ T296] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.337046][ T296] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.344330][ T296] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.351371][ T296] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.386948][ T295] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.394031][ T295] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.401312][ T295] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.408337][ T295] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.424500][ T294] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.431578][ T294] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.438841][ T294] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.445885][ T294] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.456250][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.464021][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.471521][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.478801][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.486237][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.493603][ T46] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.501011][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.508179][ T46] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.526162][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.533236][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.543041][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.550196][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.561008][ T46] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.568060][ T46] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.576949][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.584016][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.624771][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.631852][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.642540][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.649595][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.657706][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.664768][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.675204][ T46] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.682268][ T46] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.717182][ T293] veth0_vlan: entered promiscuous mode [ 22.724552][ T296] veth0_vlan: entered promiscuous mode [ 22.739308][ T293] veth1_macvtap: entered promiscuous mode [ 22.763857][ T296] veth1_macvtap: entered promiscuous mode [ 22.772493][ T294] veth0_vlan: entered promiscuous mode [ 22.784674][ T295] veth0_vlan: entered promiscuous mode [ 22.805848][ T294] veth1_macvtap: entered promiscuous mode [ 22.816744][ T296] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 22.842480][ T295] veth1_macvtap: entered promiscuous mode [ 22.872860][ T315] SELinux: unrecognized netlink message: protocol=4 nlmsg_type=16 sclass=netlink_tcpdiag_socket pid=315 comm=syz.3.4 [ 22.923005][ T317] FAULT_INJECTION: forcing a failure. [ 22.923005][ T317] name failslab, interval 1, probability 0, space 0, times 1 [ 22.931018][ T320] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 22.951775][ T317] CPU: 0 UID: 0 PID: 317 Comm: syz.1.2 Not tainted syzkaller #0 471281939cd7bfdfff4c6b6074d5d68627c837ba [ 22.951809][ T317] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 22.951829][ T317] Call Trace: [ 22.951835][ T317] [ 22.951842][ T317] __dump_stack+0x21/0x30 [ 22.951877][ T317] dump_stack_lvl+0x140/0x1c0 [ 22.951904][ T317] ? __cfi_dump_stack_lvl+0x10/0x10 [ 22.951929][ T317] dump_stack+0x19/0x20 [ 22.951952][ T317] should_fail_ex+0x3d7/0x530 [ 22.951974][ T317] should_failslab+0xac/0x100 [ 22.951996][ T317] __kmalloc_cache_noprof+0x41/0x470 [ 22.952014][ T317] ? kasan_save_alloc_info+0x40/0x50 [ 22.952031][ T317] ? ovl_init_fs_context+0xbc/0x750 [ 22.952052][ T317] ovl_init_fs_context+0xbc/0x750 [ 22.952071][ T317] alloc_fs_context+0x5f0/0x820 [ 22.952093][ T317] fs_context_for_mount+0x26/0x40 [ 22.952115][ T317] do_new_mount+0x116/0xb30 [ 22.952133][ T317] ? security_capable+0x44/0x130 [ 22.952153][ T317] path_mount+0x682/0x1010 [ 22.952171][ T317] __se_sys_mount+0x2bf/0x480 [ 22.952189][ T317] ? ksys_write+0x1f3/0x260 [ 22.952207][ T317] ? __x64_sys_mount+0xf0/0xf0 [ 22.952226][ T317] __x64_sys_mount+0xc3/0xf0 [ 22.952245][ T317] x64_sys_call+0x2021/0x2ee0 [ 22.952261][ T317] do_syscall_64+0x57/0xf0 [ 22.952285][ T317] ? clear_bhb_loop+0x50/0xa0 [ 22.952301][ T317] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 22.952327][ T317] RIP: 0033:0x7f567479ce59 [ 22.952350][ T317] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 22.952364][ T317] RSP: 002b:00007f56756cf028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 22.952391][ T317] RAX: ffffffffffffffda RBX: 00007f5674a15fa0 RCX: 00007f567479ce59 [ 22.952411][ T317] RDX: 0000200000000b80 RSI: 0000200000000000 RDI: 0000000000000000 [ 22.952423][ T317] RBP: 00007f56756cf090 R08: 0000200000000a80 R09: 0000000000000000 [ 22.952435][ T317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 [ 22.952446][ T317] R13: 00007f5674a16038 R14: 00007f5674a15fa0 R15: 00007ffdf388b398 [ 22.952461][ T317] [ 22.952760][ T317] overlayfs: missing 'lowerdir' [ 23.091516][ T315] SELinux: unrecognized netlink message: protocol=4 nlmsg_type=16 sclass=netlink_tcpdiag_socket pid=315 comm=syz.3.4 [ 23.201573][ T295] ------------[ cut here ]------------ [ 23.207080][ T295] WARNING: CPU: 1 PID: 295 at fs/inode.c:340 drop_nlink+0xce/0x110 [ 23.215073][ T295] Modules linked in: [ 23.218975][ T295] CPU: 1 UID: 0 PID: 295 Comm: syz-executor Not tainted syzkaller #0 471281939cd7bfdfff4c6b6074d5d68627c837ba [ 23.230698][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 23.240819][ T295] RIP: 0010:drop_nlink+0xce/0x110 [ 23.245889][ T295] Code: 04 00 00 be 08 00 00 00 e8 6f 06 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 f2 4f 95 ff <0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c [ 23.265591][ T295] RSP: 0018:ffffc9000b77fc60 EFLAGS: 00010293 [ 23.271715][ T295] RAX: ffffffff81f271be RBX: ffff88810fb447e0 RCX: ffff888101ffcc00 [ 23.279801][ T295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 23.287842][ T295] RBP: ffffc9000b77fc88 R08: 0000000000000003 R09: 0000000000000004 [ 23.295897][ T295] R10: dffffc0000000000 R11: fffff520016eff7c R12: dffffc0000000000 [ 23.303918][ T295] R13: 1ffff11021f68905 R14: ffff88810fb44828 R15: 0000000000000000 [ 23.311955][ T295] FS: 000055556fe54500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 23.320974][ T295] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 23.327566][ T295] CR2: 00007ffcf99ba058 CR3: 00000001313dc000 CR4: 00000000003526b0 [ 23.335606][ T295] Call Trace: [ 23.338892][ T295] [ 23.341928][ T295] shmem_rmdir+0x5f/0x90 [ 23.346194][ T295] vfs_rmdir+0x3e3/0x560 [ 23.350478][ T295] incfs_kill_sb+0x109/0x230 [ 23.355083][ T295] deactivate_locked_super+0xd5/0x2a0 [ 23.360570][ T295] deactivate_super+0xb8/0xe0 [ 23.365260][ T295] cleanup_mnt+0x406/0x4a0 [ 23.369670][ T295] __cleanup_mnt+0x1d/0x40 [ 23.374107][ T295] task_work_run+0x1e5/0x260 [ 23.378716][ T295] ? __cfi_task_work_run+0x10/0x10 [ 23.383865][ T295] ? __x64_sys_umount+0x12e/0x180 [ 23.388902][ T295] ? __cfi___x64_sys_umount+0x10/0x10 [ 23.394303][ T295] ? __kasan_check_read+0x15/0x20 [ 23.399331][ T295] resume_user_mode_work+0x35/0x50 [ 23.404456][ T295] syscall_exit_to_user_mode+0x63/0xb0 [ 23.409929][ T295] do_syscall_64+0x63/0xf0 [ 23.414369][ T295] ? clear_bhb_loop+0x50/0xa0 [ 23.419048][ T295] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 23.425041][ T295] RIP: 0033:0x7f567479e097 [ 23.429462][ T295] Code: a2 c7 05 5c 06 25 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 23.449131][ T295] RSP: 002b:00007ffdf388a608 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 23.457572][ T295] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f567479e097 [ 23.465577][ T295] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffdf388a6c0 [ 23.473605][ T295] RBP: 00007ffdf388a6c0 R08: 00007ffdf388b6c0 R09: 00000000ffffffff [ 23.481604][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdf388b750 [ 23.489579][ T295] R13: 00007f56748321ca R14: 00000000000059f6 R15: 00007ffdf388b790 [ 23.497571][ T295] [ 23.500673][ T295] ---[ end trace 0000000000000000 ]--- [ 23.507417][ T295] ================================================================== [ 23.515509][ T295] BUG: KASAN: null-ptr-deref in ihold+0x24/0x70 [ 23.521768][ T295] Write of size 4 at addr 0000000000000168 by task syz-executor/295 [ 23.529727][ T295] [ 23.532041][ T295] CPU: 0 UID: 0 PID: 295 Comm: syz-executor Tainted: G W syzkaller #0 471281939cd7bfdfff4c6b6074d5d68627c837ba [ 23.532061][ T295] Tainted: [W]=WARN [ 23.532065][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 23.532071][ T295] Call Trace: [ 23.532076][ T295] [ 23.532082][ T295] __dump_stack+0x21/0x30 [ 23.532100][ T295] dump_stack_lvl+0x140/0x1c0 [ 23.532114][ T295] ? __cfi_dump_stack_lvl+0x10/0x10 [ 23.532129][ T295] print_report+0x3d/0x70 [ 23.532142][ T295] kasan_report+0x162/0x1a0 [ 23.532155][ T295] ? ihold+0x24/0x70 [ 23.532168][ T295] ? _raw_spin_unlock+0x45/0x60 [ 23.532182][ T295] ? ihold+0x24/0x70 [ 23.532193][ T295] kasan_check_range+0x25a/0x2b0 [ 23.532206][ T295] __kasan_check_write+0x18/0x20 [ 23.532216][ T295] ihold+0x24/0x70 [ 23.532227][ T295] vfs_rmdir+0x26a/0x560 [ 23.532241][ T295] incfs_kill_sb+0x109/0x230 [ 23.532253][ T295] deactivate_locked_super+0xd5/0x2a0 [ 23.532267][ T295] deactivate_super+0xb8/0xe0 [ 23.532280][ T295] cleanup_mnt+0x406/0x4a0 [ 23.532298][ T295] __cleanup_mnt+0x1d/0x40 [ 23.532319][ T295] task_work_run+0x1e5/0x260 [ 23.532343][ T295] ? __cfi_task_work_run+0x10/0x10 [ 23.532356][ T295] ? __x64_sys_umount+0x12e/0x180 [ 23.532365][ T295] ? __cfi___x64_sys_umount+0x10/0x10 [ 23.532375][ T295] ? __kasan_check_read+0x15/0x20 [ 23.532384][ T295] resume_user_mode_work+0x35/0x50 [ 23.532395][ T295] syscall_exit_to_user_mode+0x63/0xb0 [ 23.532407][ T295] do_syscall_64+0x63/0xf0 [ 23.532421][ T295] ? clear_bhb_loop+0x50/0xa0 [ 23.532431][ T295] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 23.532447][ T295] RIP: 0033:0x7f567479e097 [ 23.532457][ T295] Code: a2 c7 05 5c 06 25 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 23.532466][ T295] RSP: 002b:00007ffdf388a608 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 23.532478][ T295] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f567479e097 [ 23.532486][ T295] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffdf388a6c0 [ 23.532493][ T295] RBP: 00007ffdf388a6c0 R08: 00007ffdf388b6c0 R09: 00000000ffffffff [ 23.532501][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdf388b750 [ 23.532509][ T295] R13: 00007f56748321ca R14: 00000000000059f6 R15: 00007ffdf388b790 [ 23.532517][ T295] [ 23.532521][ T295] ================================================================== [ 23.776913][ T295] Disabling lock debugging due to kernel taint [ 23.783146][ T295] BUG: kernel NULL pointer dereference, address: 0000000000000168 [ 23.790948][ T295] #PF: supervisor write access in kernel mode [ 23.797004][ T295] #PF: error_code(0x0002) - not-present page [ 23.802963][ T295] PGD 800000010ef23067 P4D 800000010ef23067 PUD 0 [ 23.809492][ T295] Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI [ 23.815571][ T295] CPU: 0 UID: 0 PID: 295 Comm: syz-executor Tainted: G B W syzkaller #0 471281939cd7bfdfff4c6b6074d5d68627c837ba [ 23.828676][ T295] Tainted: [B]=BAD_PAGE, [W]=WARN [ 23.833680][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 23.843717][ T295] RIP: 0010:ihold+0x2a/0x70 [ 23.848214][ T295] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 dd 46 95 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 2c fd ed ff 41 be 01 00 00 00 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 ed [ 23.867814][ T295] RSP: 0018:ffffc9000b77fca0 EFLAGS: 00010246 [ 23.873879][ T295] RAX: ffff888101ffcc00 RBX: 0000000000000000 RCX: ffff888101ffcc00 [ 23.881842][ T295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 23.889838][ T295] RBP: ffffc9000b77fcb0 R08: ffffffff88bbe947 R09: 1ffffffff1177d28 [ 23.897883][ T295] R10: dffffc0000000000 R11: fffffbfff1177d29 R12: ffff88810fb447ec [ 23.905858][ T295] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 23.913816][ T295] FS: 000055556fe54500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 23.922741][ T295] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 23.929314][ T295] CR2: 0000000000000168 CR3: 00000001313dc000 CR4: 00000000003526b0 [ 23.937283][ T295] Call Trace: [ 23.940567][ T295] [ 23.943496][ T295] vfs_rmdir+0x26a/0x560 [ 23.947740][ T295] incfs_kill_sb+0x109/0x230 [ 23.952317][ T295] deactivate_locked_super+0xd5/0x2a0 [ 23.957678][ T295] deactivate_super+0xb8/0xe0 [ 23.962349][ T295] cleanup_mnt+0x406/0x4a0 [ 23.966762][ T295] __cleanup_mnt+0x1d/0x40 [ 23.971190][ T295] task_work_run+0x1e5/0x260 [ 23.975775][ T295] ? __cfi_task_work_run+0x10/0x10 [ 23.980891][ T295] ? __x64_sys_umount+0x12e/0x180 [ 23.985899][ T295] ? __cfi___x64_sys_umount+0x10/0x10 [ 23.991261][ T295] ? __kasan_check_read+0x15/0x20 [ 23.996297][ T295] resume_user_mode_work+0x35/0x50 [ 24.001398][ T295] syscall_exit_to_user_mode+0x63/0xb0 [ 24.006853][ T295] do_syscall_64+0x63/0xf0 [ 24.011256][ T295] ? clear_bhb_loop+0x50/0xa0 [ 24.015921][ T295] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 24.021808][ T295] RIP: 0033:0x7f567479e097 [ 24.026241][ T295] Code: a2 c7 05 5c 06 25 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 24.045837][ T295] RSP: 002b:00007ffdf388a608 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 24.054244][ T295] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f567479e097 [ 24.062218][ T295] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffdf388a6c0 [ 24.070202][ T295] RBP: 00007ffdf388a6c0 R08: 00007ffdf388b6c0 R09: 00000000ffffffff [ 24.078175][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdf388b750 [ 24.086134][ T295] R13: 00007f56748321ca R14: 00000000000059f6 R15: 00007ffdf388b790 [ 24.094096][ T295] [ 24.097100][ T295] Modules linked in: [ 24.100990][ T295] CR2: 0000000000000168 [ 24.105148][ T295] ---[ end trace 0000000000000000 ]--- [ 24.110586][ T295] RIP: 0010:ihold+0x2a/0x70 [ 24.115079][ T295] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 dd 46 95 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 2c fd ed ff 41 be 01 00 00 00 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 ed [ 24.134672][ T295] RSP: 0018:ffffc9000b77fca0 EFLAGS: 00010246 [ 24.140731][ T295] RAX: ffff888101ffcc00 RBX: 0000000000000000 RCX: ffff888101ffcc00 [ 24.148692][ T295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 24.156648][ T295] RBP: ffffc9000b77fcb0 R08: ffffffff88bbe947 R09: 1ffffffff1177d28 [ 24.164616][ T295] R10: dffffc0000000000 R11: fffffbfff1177d29 R12: ffff88810fb447ec [ 24.172579][ T295] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 24.180541][ T295] FS: 000055556fe54500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 24.189460][ T295] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 24.196143][ T295] CR2: 0000000000000168 CR3: 00000001313dc000 CR4: 00000000003526b0 [ 24.204113][ T295] Kernel panic - not syncing: Fatal exception [ 24.210419][ T295] Kernel Offset: disabled [ 24.214736][ T295] Rebooting in 86400 seconds..