Warning: Permanently added '10.128.1.15' (ED25519) to the list of known hosts. 2026/06/24 07:06:17 parsed 1 programs 2026/06/24 07:06:17 serving rpc on tcp://40559 [ 24.894966][ T30] audit: type=1400 audit(1782284777.981:64): avc: denied { node_bind } for pid=294 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 24.915897][ T30] audit: type=1400 audit(1782284777.981:65): avc: denied { module_request } for pid=294 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 25.921097][ T30] audit: type=1400 audit(1782284779.001:66): avc: denied { mounton } for pid=300 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.924565][ T300] cgroup: Unknown subsys name 'net' [ 25.943974][ T30] audit: type=1400 audit(1782284779.001:67): avc: denied { mount } for pid=300 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.971239][ T30] audit: type=1400 audit(1782284779.041:68): avc: denied { unmount } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.971580][ T300] cgroup: Unknown subsys name 'devices' [ 26.116710][ T300] cgroup: Unknown subsys name 'hugetlb' [ 26.122337][ T300] cgroup: Unknown subsys name 'rlimit' [ 26.300484][ T30] audit: type=1400 audit(1782284779.381:69): avc: denied { setattr } for pid=300 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.323971][ T30] audit: type=1400 audit(1782284779.381:70): avc: denied { create } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.344415][ T30] audit: type=1400 audit(1782284779.381:71): avc: denied { write } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.364817][ T30] audit: type=1400 audit(1782284779.381:72): avc: denied { read } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.382600][ T304] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 26.385627][ T30] audit: type=1400 audit(1782284779.381:73): avc: denied { mounton } for pid=300 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.428383][ T300] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 26.952072][ T309] request_module fs-gadgetfs succeeded, but still no fs? [ 27.355251][ T338] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.362330][ T338] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.370108][ T338] device bridge_slave_0 entered promiscuous mode [ 27.377412][ T338] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.384492][ T338] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.392147][ T338] device bridge_slave_1 entered promiscuous mode [ 27.436528][ T338] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.443575][ T338] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.450946][ T338] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.458031][ T338] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.478515][ T290] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.485727][ T290] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.493008][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 27.500616][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.509673][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.517972][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.525020][ T290] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.533865][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.542410][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.549506][ T290] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.562192][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.571636][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.590377][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.601763][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.610098][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.617848][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.626067][ T338] device veth0_vlan entered promiscuous mode [ 27.635930][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.648355][ T338] device veth1_macvtap entered promiscuous mode [ 27.657784][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.672068][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.703204][ T338] syz-executor (338) used greatest stack depth: 21032 bytes left 2026/06/24 07:06:21 executed programs: 0 [ 28.121853][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.128952][ T367] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.136487][ T367] device bridge_slave_0 entered promiscuous mode [ 28.143253][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.150454][ T367] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.157985][ T367] device bridge_slave_1 entered promiscuous mode [ 28.201148][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.208199][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.215491][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.222529][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.241595][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.250271][ T290] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.257589][ T290] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.267930][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.276182][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.283201][ T290] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.291736][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.300028][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.307107][ T290] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.318640][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.327899][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.341472][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.353474][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 28.361686][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.369804][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.377347][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.390997][ T367] device veth0_vlan entered promiscuous mode [ 28.400943][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 28.409157][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.418673][ T367] device veth1_macvtap entered promiscuous mode [ 28.433060][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 28.440757][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 28.449070][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.458592][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 28.467048][ T290] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.491700][ T372] ================================================================== [ 28.499930][ T372] BUG: KASAN: use-after-free in mutex_lock+0x8e/0x1c0 [ 28.506733][ T372] Write of size 8 at addr ffff888110073550 by task syz.2.17/372 [ 28.514355][ T372] [ 28.516683][ T372] CPU: 1 PID: 372 Comm: syz.2.17 Not tainted syzkaller #0 [ 28.523783][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 28.533838][ T372] Call Trace: [ 28.537114][ T372] [ 28.540044][ T372] __dump_stack+0x21/0x30 [ 28.544368][ T372] dump_stack_lvl+0x110/0x170 [ 28.549041][ T372] ? show_regs_print_info+0x20/0x20 [ 28.554236][ T372] ? load_image+0x3f0/0x3f0 [ 28.558735][ T372] print_address_description+0x7f/0x2c0 [ 28.564277][ T372] ? mutex_lock+0x8e/0x1c0 [ 28.568687][ T372] kasan_report+0x10f/0x150 [ 28.573188][ T372] ? mutex_lock+0x8e/0x1c0 [ 28.577598][ T372] kasan_check_range+0x249/0x2a0 [ 28.582532][ T372] __kasan_check_write+0x14/0x20 [ 28.587467][ T372] mutex_lock+0x8e/0x1c0 [ 28.591713][ T372] ? wait_for_completion_killable_timeout+0x10/0x10 [ 28.598298][ T372] ? l2tp_session_put+0xaf/0x1a0 [ 28.603233][ T372] ? l2tp_session_delete+0x3a9/0x4a0 [ 28.608522][ T372] pppol2tp_release+0x178/0x2b0 [ 28.613373][ T372] sock_close+0xb8/0x200 [ 28.617612][ T372] ? sock_mmap+0xa0/0xa0 [ 28.621854][ T372] __fput+0x22b/0x900 [ 28.625860][ T372] ____fput+0x15/0x20 [ 28.629843][ T372] task_work_run+0x127/0x190 [ 28.634433][ T372] exit_to_user_mode_loop+0xd0/0xe0 [ 28.639642][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 28.645102][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 28.650559][ T372] do_syscall_64+0x58/0xa0 [ 28.654975][ T372] ? clear_bhb_loop+0x50/0xa0 [ 28.659661][ T372] ? clear_bhb_loop+0x50/0xa0 [ 28.664335][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.670227][ T372] RIP: 0033:0x7f18cc87be59 [ 28.674665][ T372] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 28.694294][ T372] RSP: 002b:00007fff71470bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 28.702711][ T372] RAX: 0000000000000000 RBX: 00007fff71470cc0 RCX: 00007f18cc87be59 [ 28.710682][ T372] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 28.718654][ T372] RBP: 0000000000006f31 R08: 0000000000000001 R09: 0000000000000000 [ 28.726634][ T372] R10: 0000001b32e20000 R11: 0000000000000246 R12: 0000000000000000 [ 28.734623][ T372] R13: 00007f18ccaf4fac R14: 00007f18ccaf4fa8 R15: 00007f18ccaf4fa0 [ 28.742598][ T372] [ 28.745617][ T372] [ 28.747939][ T372] Allocated by task 372: [ 28.752169][ T372] __kasan_kmalloc+0xd4/0x100 [ 28.756848][ T372] __kmalloc+0x13d/0x2c0 [ 28.761092][ T372] l2tp_session_create+0x39/0xb60 [ 28.766112][ T372] pppol2tp_connect+0xbf5/0x1640 [ 28.771049][ T372] __sys_connect+0x3cb/0x450 [ 28.775642][ T372] __x64_sys_connect+0x7a/0x90 [ 28.780430][ T372] x64_sys_call+0x7c/0x9a0 [ 28.787083][ T372] do_syscall_64+0x4c/0xa0 [ 28.791509][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.797423][ T372] [ 28.799748][ T372] Freed by task 372: [ 28.803639][ T372] kasan_set_track+0x4a/0x70 [ 28.808232][ T372] kasan_set_free_info+0x23/0x40 [ 28.813170][ T372] ____kasan_slab_free+0x125/0x160 [ 28.818283][ T372] __kasan_slab_free+0x11/0x20 [ 28.823050][ T372] slab_free_freelist_hook+0xc2/0x190 [ 28.828444][ T372] kfree+0xc4/0x270 [ 28.832286][ T372] l2tp_session_put+0xaf/0x1a0 [ 28.837050][ T372] l2tp_session_delete+0x3a9/0x4a0 [ 28.842182][ T372] pppol2tp_release+0x169/0x2b0 [ 28.847029][ T372] sock_close+0xb8/0x200 [ 28.851275][ T372] __fput+0x22b/0x900 [ 28.855260][ T372] ____fput+0x15/0x20 [ 28.859379][ T372] task_work_run+0x127/0x190 [ 28.863983][ T372] exit_to_user_mode_loop+0xd0/0xe0 [ 28.869176][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 28.874637][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 28.880097][ T372] do_syscall_64+0x58/0xa0 [ 28.884511][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.890402][ T372] [ 28.892724][ T372] The buggy address belongs to the object at ffff888110073400 [ 28.892724][ T372] which belongs to the cache kmalloc-512 of size 512 [ 28.906770][ T372] The buggy address is located 336 bytes inside of [ 28.906770][ T372] 512-byte region [ffff888110073400, ffff888110073600) [ 28.920147][ T372] The buggy address belongs to the page: [ 28.925789][ T372] page:ffffea0004401c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110070 [ 28.936033][ T372] head:ffffea0004401c00 order:2 compound_mapcount:0 compound_pincount:0 [ 28.944373][ T372] flags: 0x4000000000010200(slab|head|zone=1) [ 28.950445][ T372] raw: 4000000000010200 ffffea0004401b00 0000000300000003 ffff888100042f00 [ 28.959024][ T372] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 28.967599][ T372] page dumped because: kasan: bad access detected [ 28.974001][ T372] page_owner tracks the page as allocated [ 28.979713][ T372] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 102, ts 5642150321, free_ts 0 [ 28.997768][ T372] post_alloc_hook+0x192/0x1b0 [ 29.002536][ T372] prep_new_page+0x1c/0x110 [ 29.007049][ T372] get_page_from_freelist+0x2c3a/0x2cd0 [ 29.012601][ T372] __alloc_pages+0x1a2/0x460 [ 29.017194][ T372] new_slab+0xa0/0x4d0 [ 29.021267][ T372] ___slab_alloc+0x3ac/0x840 [ 29.025853][ T372] __slab_alloc+0x49/0x90 [ 29.030190][ T372] __kmalloc_track_caller+0x169/0x2c0 [ 29.035559][ T372] __alloc_skb+0x210/0x730 [ 29.039972][ T372] alloc_uevent_skb+0x85/0x240 [ 29.044746][ T372] kobject_uevent_net_broadcast+0x335/0x5a0 [ 29.050656][ T372] kobject_uevent_env+0x52b/0x700 [ 29.055676][ T372] kobject_synth_uevent+0x457/0x940 [ 29.060872][ T372] store_uevent+0x16/0x30 [ 29.065198][ T372] module_attr_store+0x5f/0x80 [ 29.069954][ T372] sysfs_kf_write+0x129/0x150 [ 29.074625][ T372] page_owner free stack trace missing [ 29.079983][ T372] [ 29.082299][ T372] Memory state around the buggy address: [ 29.087920][ T372] ffff888110073400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.095978][ T372] ffff888110073480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.104048][ T372] >ffff888110073500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.112100][ T372] ^ [ 29.118767][ T372] ffff888110073580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.126834][ T372] ffff888110073600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.134883][ T372] ================================================================== [ 29.142931][ T372] Disabling lock debugging due to kernel taint