rocess permissive=1 [ 14.121532][ T30] audit: type=1400 audit(1769323193.001:63): avc: denied { siginh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.1.149' (ED25519) to the list of known hosts. 2026/01/25 06:40:02 parsed 1 programs [ 23.370870][ T30] audit: type=1400 audit(1769323202.301:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 23.391717][ T30] audit: type=1400 audit(1769323202.301:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 24.357228][ T30] audit: type=1400 audit(1769323203.281:66): avc: denied { mounton } for pid=287 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 24.360822][ T287] cgroup: Unknown subsys name 'net' [ 24.380059][ T30] audit: type=1400 audit(1769323203.291:67): avc: denied { mount } for pid=287 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.407274][ T30] audit: type=1400 audit(1769323203.311:68): avc: denied { unmount } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.407872][ T287] cgroup: Unknown subsys name 'devices' [ 24.609994][ T287] cgroup: Unknown subsys name 'hugetlb' [ 24.615618][ T287] cgroup: Unknown subsys name 'rlimit' [ 24.763817][ T30] audit: type=1400 audit(1769323203.691:69): avc: denied { setattr } for pid=287 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.787049][ T30] audit: type=1400 audit(1769323203.691:70): avc: denied { create } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.807848][ T30] audit: type=1400 audit(1769323203.691:71): avc: denied { write } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.828303][ T30] audit: type=1400 audit(1769323203.691:72): avc: denied { read } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.847006][ T291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 24.848875][ T30] audit: type=1400 audit(1769323203.701:73): avc: denied { mounton } for pid=287 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 24.951710][ T287] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 25.391502][ T293] request_module fs-gadgetfs succeeded, but still no fs? [ 25.520055][ T302] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.527666][ T302] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.535285][ T302] device bridge_slave_0 entered promiscuous mode [ 25.542457][ T302] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.549565][ T302] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.556937][ T302] device bridge_slave_1 entered promiscuous mode [ 25.601759][ T302] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.608838][ T302] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.616116][ T302] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.623206][ T302] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.641991][ T303] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.649273][ T303] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.656560][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 25.664647][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.673766][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.682025][ T303] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.689145][ T303] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.699008][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.707222][ T303] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.714343][ T303] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.726915][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.736238][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.751844][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.762897][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.771164][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.778820][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.787835][ T302] device veth0_vlan entered promiscuous mode [ 25.797446][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.806684][ T302] device veth1_macvtap entered promiscuous mode [ 25.815896][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.826879][ T303] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.856426][ T302] syz-executor (302) used greatest stack depth: 21088 bytes left [ 26.401865][ T8] device bridge_slave_1 left promiscuous mode [ 26.408109][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.416011][ T8] device bridge_slave_0 left promiscuous mode [ 26.422529][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.431113][ T8] device veth1_macvtap left promiscuous mode [ 26.437178][ T8] device veth0_vlan left promiscuous mode 2026/01/25 06:40:05 executed programs: 0 [ 26.738459][ T359] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.745542][ T359] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.753052][ T359] device bridge_slave_0 entered promiscuous mode [ 26.760029][ T359] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.767092][ T359] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.774639][ T359] device bridge_slave_1 entered promiscuous mode [ 26.829978][ T359] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.837122][ T359] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.844488][ T359] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.851686][ T359] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.870114][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.878658][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.885835][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.897803][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.905981][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.913075][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.920897][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.930178][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.937250][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.948368][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.957885][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 26.972210][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 26.983761][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 26.992179][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 26.999652][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.008127][ T359] device veth0_vlan entered promiscuous mode [ 27.018045][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.027098][ T359] device veth1_macvtap entered promiscuous mode [ 27.036652][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.046807][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.073470][ T369] loop2: detected capacity change from 0 to 512 [ 27.105858][ T369] EXT4-fs (loop2): 1 truncate cleaned up [ 27.111636][ T369] EXT4-fs (loop2): mounted filesystem without journal. Opts: errors=remount-ro,. Quota mode: none. [ 27.125938][ T369] EXT4-fs error (device loop2): ext4_validate_block_bitmap:438: comm syz.2.17: bg 0: block 465: padding at end of block bitmap is not set [ 27.140327][ T369] EXT4-fs (loop2): Remounting filesystem read-only [ 27.153791][ T369] ================================================================== [ 27.161906][ T369] BUG: KASAN: use-after-free in ext4_inlinedir_to_tree+0x508/0xfe0 [ 27.169857][ T369] Read of size 52 at addr ffff88812a6e4b97 by task syz.2.17/369 [ 27.177551][ T369] [ 27.179935][ T369] CPU: 0 PID: 369 Comm: syz.2.17 Not tainted syzkaller #0 [ 27.187043][ T369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 27.197119][ T369] Call Trace: [ 27.200400][ T369] [ 27.203328][ T369] __dump_stack+0x21/0x30 [ 27.207686][ T369] dump_stack_lvl+0x110/0x170 [ 27.212379][ T369] ? show_regs_print_info+0x20/0x20 [ 27.217580][ T369] ? load_image+0x3e0/0x3e0 [ 27.222098][ T369] print_address_description+0x7f/0x2c0 [ 27.227656][ T369] ? ext4_inlinedir_to_tree+0x508/0xfe0 [ 27.233221][ T369] kasan_report+0xf1/0x140 [ 27.237667][ T369] ? ext4_inlinedir_to_tree+0x508/0xfe0 [ 27.243255][ T369] kasan_check_range+0x249/0x2a0 [ 27.248196][ T369] ? ext4_inlinedir_to_tree+0x508/0xfe0 [ 27.253790][ T369] memcpy+0x2d/0x70 [ 27.257595][ T369] ext4_inlinedir_to_tree+0x508/0xfe0 [ 27.262980][ T369] ? is_bpf_text_address+0x177/0x190 [ 27.268267][ T369] ? ext4_convert_inline_data_nolock+0xcd0/0xcd0 [ 27.274624][ T369] ? __kasan_kmalloc+0xec/0x110 [ 27.279478][ T369] ? ext4_readdir+0x4a8/0x3b20 [ 27.284242][ T369] ? iterate_dir+0x260/0x600 [ 27.288848][ T369] ? __se_sys_getdents+0xf2/0x250 [ 27.293886][ T369] ? __x64_sys_getdents+0x7b/0x90 [ 27.298915][ T369] ext4_htree_fill_tree+0x508/0x1160 [ 27.304221][ T369] ? ext4_handle_dirty_dirblock+0x670/0x670 [ 27.310117][ T369] ? ext4_readdir+0x4a8/0x3b20 [ 27.314879][ T369] ext4_readdir+0x2cdb/0x3b20 [ 27.319558][ T369] ? __kasan_check_write+0x14/0x20 [ 27.324667][ T369] ? rwsem_read_trylock+0x2ae/0x640 [ 27.329860][ T369] ? ext4_dir_llseek+0x4a0/0x4a0 [ 27.334793][ T369] ? downgrade_write+0x430/0x430 [ 27.339743][ T369] ? __kasan_slab_free+0x11/0x20 [ 27.344679][ T369] ? slab_free_freelist_hook+0xc2/0x190 [ 27.350224][ T369] ? avc_policy_seqno+0x1b/0x70 [ 27.355083][ T369] ? down_read_killable+0xc1/0x110 [ 27.360202][ T369] ? down_read_interruptible+0x110/0x110 [ 27.365830][ T369] ? fsnotify_perm+0x269/0x5b0 [ 27.370594][ T369] ? security_file_permission+0x83/0xa0 [ 27.376139][ T369] iterate_dir+0x260/0x600 [ 27.380563][ T369] ? ext4_dir_llseek+0x4a0/0x4a0 [ 27.385503][ T369] __se_sys_getdents+0xf2/0x250 [ 27.390353][ T369] ? __x64_sys_getdents+0x90/0x90 [ 27.395374][ T369] ? fillonedir+0x450/0x450 [ 27.399878][ T369] ? debug_smp_processor_id+0x17/0x20 [ 27.405246][ T369] __x64_sys_getdents+0x7b/0x90 [ 27.410107][ T369] x64_sys_call+0xb4/0x9a0 [ 27.414536][ T369] do_syscall_64+0x4c/0xa0 [ 27.418961][ T369] ? clear_bhb_loop+0x50/0xa0 [ 27.423634][ T369] ? clear_bhb_loop+0x50/0xa0 [ 27.428328][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.434219][ T369] RIP: 0033:0x7f2d7c2dccb9 [ 27.438635][ T369] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 27.458245][ T369] RSP: 002b:00007ffe32011708 EFLAGS: 00000246 ORIG_RAX: 000000000000004e [ 27.466678][ T369] RAX: ffffffffffffffda RBX: 00007f2d7c557fa0 RCX: 00007f2d7c2dccb9 [ 27.474649][ T369] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 [ 27.482616][ T369] RBP: 00007f2d7c34abf7 R08: 0000000000000000 R09: 0000000000000000 [ 27.490583][ T369] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.498558][ T369] R13: 00007f2d7c557fac R14: 00007f2d7c557fa0 R15: 00007f2d7c557fa0 [ 27.506528][ T369] [ 27.509541][ T369] [ 27.511857][ T369] The buggy address belongs to the page: [ 27.517481][ T369] page:ffffea0004a9b900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12a6e4 [ 27.527724][ T369] flags: 0x4000000000000000(zone=1) [ 27.532946][ T369] raw: 4000000000000000 ffffea0004a9b988 ffff8881f713c580 0000000000000000 [ 27.541529][ T369] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 27.550110][ T369] page dumped because: kasan: bad access detected [ 27.556533][ T369] page_owner tracks the page as freed [ 27.561911][ T369] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 295, ts 27167099229, free_ts 27169630803 [ 27.576330][ T369] post_alloc_hook+0x192/0x1b0 [ 27.581096][ T369] prep_new_page+0x1c/0x110 [ 27.585592][ T369] get_page_from_freelist+0x2d3a/0x2dc0 [ 27.591166][ T369] __alloc_pages+0x1a2/0x460 [ 27.595755][ T369] shmem_alloc_and_acct_page+0x4a2/0x8d0 [ 27.601388][ T369] shmem_getpage_gfp+0xfe5/0x2310 [ 27.606407][ T369] shmem_write_begin+0xce/0x1b0 [ 27.611251][ T369] generic_perform_write+0x2b7/0x690 [ 27.616530][ T369] __generic_file_write_iter+0x268/0x480 [ 27.622159][ T369] generic_file_write_iter+0xa9/0x1d0 [ 27.627534][ T369] vfs_write+0x835/0xfd0 [ 27.631775][ T369] ksys_write+0x149/0x250 [ 27.636105][ T369] __x64_sys_write+0x7b/0x90 [ 27.640692][ T369] x64_sys_call+0x8ef/0x9a0 [ 27.645188][ T369] do_syscall_64+0x4c/0xa0 [ 27.649622][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.655526][ T369] page last free stack trace: [ 27.660195][ T369] free_unref_page_prepare+0x542/0x550 [ 27.665676][ T369] free_unref_page_list+0x13a/0x9d0 [ 27.670893][ T369] release_pages+0x1006/0x1060 [ 27.675653][ T369] __pagevec_release+0x71/0xe0 [ 27.680413][ T369] shmem_undo_range+0x595/0x1470 [ 27.685349][ T369] shmem_evict_inode+0x21a/0xa10 [ 27.690314][ T369] evict+0x4c9/0x8d0 [ 27.694210][ T369] iput+0x635/0x7c0 [ 27.698014][ T369] dentry_unlink_inode+0x32f/0x3e0 [ 27.703117][ T369] __dentry_kill+0x44f/0x650 [ 27.707696][ T369] dentry_kill+0xc0/0x2a0 [ 27.712016][ T369] dput+0x47/0x90 [ 27.715639][ T369] do_renameat2+0x8f4/0xfd0 [ 27.720136][ T369] __x64_sys_rename+0x86/0x90 [ 27.724814][ T369] x64_sys_call+0x680/0x9a0 [ 27.729324][ T369] do_syscall_64+0x4c/0xa0 [ 27.733742][ T369] [ 27.736055][ T369] Memory state around the buggy address: [ 27.741674][ T369] ffff88812a6e4a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.749727][ T369] ffff88812a6e4b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.757798][ T369] >ffff88812a6e4b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.765845][ T369] ^ [ 27.770427][ T369] ffff88812a6e4c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.778478][ T369] ffff88812a6e4c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.786538][ T369] ================================================================== [ 27.794590][ T369] Disabling lock debugging due to kernel taint [ 27.802114][ T369] EXT4-fs error (device loop2): ext4_inlinedir_to_tree:1471: inode #12: block 7: comm syz.2.17: path /0/file1/file0: bad entry in directory: rec_len % 4 != 0 - offset=35110, inode=3517778242, rec_len=35106, size=112 fake=0 [ 27.824938][ T369] EXT4-fs (loop2): Remounting filesystem read-only