Warning: Permanently added '10.128.0.224' (ED25519) to the list of known hosts. 2026/06/22 23:01:41 parsed 1 programs 2026/06/22 23:01:41 serving rpc on tcp://38837 [ 27.125311][ T24] audit: type=1400 audit(1782169301.969:64): avc: denied { node_bind } for pid=287 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 27.146065][ T24] audit: type=1400 audit(1782169301.969:65): avc: denied { create } for pid=287 comm="syz-execprog" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 27.165774][ T24] audit: type=1400 audit(1782169301.969:66): avc: denied { module_request } for pid=287 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 27.723330][ T24] audit: type=1400 audit(1782169302.569:67): avc: denied { mounton } for pid=293 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 27.724384][ T293] cgroup: Unknown subsys name 'net' [ 27.745989][ T24] audit: type=1400 audit(1782169302.569:68): avc: denied { mount } for pid=293 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 27.773215][ T24] audit: type=1400 audit(1782169302.599:69): avc: denied { unmount } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 27.773384][ T293] cgroup: Unknown subsys name 'devices' [ 27.889568][ T293] cgroup: Unknown subsys name 'hugetlb' [ 27.895350][ T293] cgroup: Unknown subsys name 'rlimit' [ 28.037507][ T24] audit: type=1400 audit(1782169302.879:70): avc: denied { setattr } for pid=293 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 28.060696][ T24] audit: type=1400 audit(1782169302.879:71): avc: denied { create } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 28.071608][ T297] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 28.081182][ T24] audit: type=1400 audit(1782169302.879:72): avc: denied { write } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 28.109851][ T24] audit: type=1400 audit(1782169302.879:73): avc: denied { read } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 28.135121][ T293] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 28.493508][ T299] request_module fs-gadgetfs succeeded, but still no fs? [ 28.504035][ T299] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation [ 28.664166][ T312] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.671486][ T312] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.678874][ T312] device bridge_slave_0 entered promiscuous mode [ 28.686303][ T312] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.693387][ T312] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.700763][ T312] device bridge_slave_1 entered promiscuous mode [ 28.732307][ T312] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.739365][ T312] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.746596][ T312] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.753717][ T312] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.768519][ T311] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.775734][ T311] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.783369][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 28.790762][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.800428][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.808598][ T311] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.815598][ T311] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.825064][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.833299][ T311] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.840526][ T311] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.852502][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.861495][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.873841][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.885252][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.893366][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.900877][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.910159][ T312] device veth0_vlan entered promiscuous mode [ 28.919576][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.928587][ T312] device veth1_macvtap entered promiscuous mode [ 28.937084][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.946722][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 2026/06/22 23:01:44 executed programs: 0 [ 29.473852][ T363] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.480943][ T363] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.488448][ T363] device bridge_slave_0 entered promiscuous mode [ 29.495148][ T363] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.502542][ T363] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.510115][ T363] device bridge_slave_1 entered promiscuous mode [ 29.521728][ T49] device bridge_slave_1 left promiscuous mode [ 29.527865][ T49] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.535512][ T49] device bridge_slave_0 left promiscuous mode [ 29.541685][ T49] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.549510][ T49] device veth1_macvtap left promiscuous mode [ 29.555502][ T49] device veth0_vlan left promiscuous mode [ 29.689511][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 29.698157][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.707129][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 29.715782][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.723954][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.730986][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.738504][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 29.747042][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 29.755436][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.763630][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.770753][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.781406][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.790416][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.802323][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.813145][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 29.821540][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 29.829037][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 29.836938][ T363] device veth0_vlan entered promiscuous mode [ 29.846105][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 29.855683][ T363] device veth1_macvtap entered promiscuous mode [ 29.865346][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 29.879372][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 29.897659][ T377] ================================================================== [ 29.905779][ T377] BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0 [ 29.912440][ T377] Write of size 8 at addr ffff888110db7950 by task syz.2.17/377 [ 29.920036][ T377] [ 29.922351][ T377] CPU: 0 PID: 377 Comm: syz.2.17 Not tainted syzkaller #0 [ 29.929450][ T377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 29.939480][ T377] Call Trace: [ 29.942743][ T377] __dump_stack+0x21/0x24 [ 29.947043][ T377] dump_stack_lvl+0x1a7/0x208 [ 29.951699][ T377] ? show_regs_print_info+0x18/0x18 [ 29.956874][ T377] ? thaw_kernel_threads+0x220/0x220 [ 29.962143][ T377] ? debug_smp_processor_id+0x17/0x20 [ 29.967486][ T377] print_address_description+0x7f/0x2c0 [ 29.973012][ T377] ? mutex_lock+0x85/0xf0 [ 29.977312][ T377] kasan_report+0x100/0x140 [ 29.981795][ T377] ? mutex_lock+0x85/0xf0 [ 29.986097][ T377] kasan_check_range+0x249/0x2a0 [ 29.991005][ T377] __kasan_check_write+0x14/0x20 [ 29.995917][ T377] mutex_lock+0x85/0xf0 [ 30.000051][ T377] ? mutex_trylock+0xb0/0xb0 [ 30.004612][ T377] ? l2tp_session_put+0xb2/0x1a0 [ 30.009524][ T377] ? l2tp_session_delete+0x3a9/0x4a0 [ 30.014788][ T377] pppol2tp_release+0x178/0x2b0 [ 30.019614][ T377] sock_close+0xb8/0x200 [ 30.023827][ T377] ? sock_mmap+0xa0/0xa0 [ 30.028133][ T377] __fput+0x2dc/0x730 [ 30.032091][ T377] ____fput+0x15/0x20 [ 30.036057][ T377] task_work_run+0x127/0x190 [ 30.040618][ T377] exit_to_user_mode_loop+0xcb/0xe0 [ 30.045792][ T377] exit_to_user_mode_prepare+0x76/0xa0 [ 30.051251][ T377] syscall_exit_to_user_mode+0x1d/0x40 [ 30.056690][ T377] do_syscall_64+0x3d/0x40 [ 30.061108][ T377] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 30.066975][ T377] RIP: 0033:0x7f71871ade59 [ 30.071366][ T377] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 30.090946][ T377] RSP: 002b:00007ffc40fd7818 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 30.099334][ T377] RAX: 0000000000000000 RBX: 00007ffc40fd7900 RCX: 00007f71871ade59 [ 30.107281][ T377] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 30.115235][ T377] RBP: 00000000000074b6 R08: 0000000000000001 R09: 0000000000000000 [ 30.123187][ T377] R10: 0000001b32a20000 R11: 0000000000000246 R12: 0000000000000000 [ 30.131140][ T377] R13: 00007f7187426fac R14: 00007f7187426fa8 R15: 00007f7187426fa0 [ 30.139085][ T377] [ 30.141389][ T377] Allocated by task 377: [ 30.145603][ T377] __kasan_kmalloc+0xd4/0x100 [ 30.150254][ T377] __kmalloc+0x19f/0x330 [ 30.154471][ T377] l2tp_session_create+0x39/0xb60 [ 30.159465][ T377] pppol2tp_connect+0xbf5/0x1640 [ 30.164374][ T377] __sys_connect+0x3ce/0x450 [ 30.168938][ T377] __x64_sys_connect+0x7a/0x90 [ 30.173676][ T377] do_syscall_64+0x31/0x40 [ 30.178064][ T377] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 30.183925][ T377] [ 30.186223][ T377] Freed by task 377: [ 30.190088][ T377] kasan_set_track+0x4a/0x70 [ 30.194649][ T377] kasan_set_free_info+0x23/0x40 [ 30.199556][ T377] ____kasan_slab_free+0x125/0x160 [ 30.204638][ T377] __kasan_slab_free+0x11/0x20 [ 30.209402][ T377] slab_free_freelist_hook+0xc5/0x190 [ 30.214766][ T377] kfree+0xc0/0x270 [ 30.218546][ T377] l2tp_session_put+0xb2/0x1a0 [ 30.223282][ T377] l2tp_session_delete+0x3a9/0x4a0 [ 30.228365][ T377] pppol2tp_release+0x169/0x2b0 [ 30.233189][ T377] sock_close+0xb8/0x200 [ 30.237404][ T377] __fput+0x2dc/0x730 [ 30.241366][ T377] ____fput+0x15/0x20 [ 30.245322][ T377] task_work_run+0x127/0x190 [ 30.249881][ T377] exit_to_user_mode_loop+0xcb/0xe0 [ 30.255050][ T377] exit_to_user_mode_prepare+0x76/0xa0 [ 30.260480][ T377] syscall_exit_to_user_mode+0x1d/0x40 [ 30.265907][ T377] do_syscall_64+0x3d/0x40 [ 30.270295][ T377] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 30.276154][ T377] [ 30.278633][ T377] The buggy address belongs to the object at ffff888110db7800 [ 30.278633][ T377] which belongs to the cache kmalloc-512 of size 512 [ 30.292658][ T377] The buggy address is located 336 bytes inside of [ 30.292658][ T377] 512-byte region [ffff888110db7800, ffff888110db7a00) [ 30.305985][ T377] The buggy address belongs to the page: [ 30.311750][ T377] page:ffffea0004436d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110db4 [ 30.321962][ T377] head:ffffea0004436d00 order:2 compound_mapcount:0 compound_pincount:0 [ 30.330360][ T377] flags: 0x4000000000010200(slab|head) [ 30.335799][ T377] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080 [ 30.344359][ T377] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.353005][ T377] page dumped because: kasan: bad access detected [ 30.359390][ T377] page_owner tracks the page as allocated [ 30.365089][ T377] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 372, ts 29888135450, free_ts 29873869024 [ 30.383379][ T377] prep_new_page+0x176/0x190 [ 30.387948][ T377] get_page_from_freelist+0x225f/0x23f0 [ 30.393475][ T377] __alloc_pages_nodemask+0x29a/0x640 [ 30.398820][ T377] new_slab+0x84/0x3f0 [ 30.402874][ T377] ___slab_alloc+0x2f8/0x4c0 [ 30.407463][ T377] __slab_alloc+0x63/0xa0 [ 30.411763][ T377] __kmalloc+0x1f9/0x330 [ 30.415980][ T377] ___neigh_create+0x6ec/0x1a70 [ 30.420826][ T377] __neigh_create+0x31/0x40 [ 30.425311][ T377] ip6_finish_output2+0x8fe/0x1540 [ 30.430392][ T377] __ip6_finish_output+0x5fd/0x790 [ 30.435478][ T377] ip6_finish_output+0x33/0x1e0 [ 30.440299][ T377] ip6_output+0x1fa/0x420 [ 30.444688][ T377] ndisc_send_skb+0x721/0xbc0 [ 30.449337][ T377] ndisc_send_ns+0x879/0xb10 [ 30.453899][ T377] addrconf_dad_work+0xa40/0x1480 [ 30.458889][ T377] page last free stack trace: [ 30.463625][ T377] __free_pages_ok+0x80b/0x830 [ 30.468358][ T377] __free_pages+0xd8/0x390 [ 30.472831][ T377] __free_slab+0xcf/0x190 [ 30.477149][ T377] unfreeze_partials+0x150/0x180 [ 30.482056][ T377] put_cpu_partial+0xc1/0x180 [ 30.486806][ T377] __slab_free+0x2c9/0x3a0 [ 30.491209][ T377] ___cache_free+0x10e/0x130 [ 30.495780][ T377] qlink_free+0x50/0x90 [ 30.499916][ T377] qlist_free_all+0x5f/0xb0 [ 30.504394][ T377] kasan_quarantine_reduce+0x14a/0x160 [ 30.509823][ T377] __kasan_slab_alloc+0x2f/0xe0 [ 30.514698][ T377] slab_post_alloc_hook+0x5d/0x2f0 [ 30.519785][ T377] kmem_cache_alloc+0x15a/0x2d0 [ 30.524630][ T377] __alloc_skb+0x9e/0x520 [ 30.528935][ T377] rtmsg_ifinfo_build_skb+0x75/0x180 [ 30.534192][ T377] rtmsg_ifinfo+0x7a/0x130 [ 30.538575][ T377] [ 30.540880][ T377] Memory state around the buggy address: [ 30.546503][ T377] ffff888110db7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.554714][ T377] ffff888110db7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.562748][ T377] >ffff888110db7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.570785][ T377] ^ [ 30.577444][ T377] ffff888110db7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.585482][ T377] ffff888110db7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.593520][ T377] ================================================================== [ 30.601560][ T377] Disabling lock debugging due to kernel taint