Warning: Permanently added '10.128.0.21' (ED25519) to the list of known hosts.
2026/02/27 10:10:14 parsed 1 programs
[ 22.679782][ T30] audit: type=1400 audit(1772187014.903:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 22.700499][ T30] audit: type=1400 audit(1772187014.903:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 23.307221][ T30] audit: type=1400 audit(1772187015.533:66): avc: denied { mounton } for pid=290 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 23.308296][ T290] cgroup: Unknown subsys name 'net'
[ 23.329882][ T30] audit: type=1400 audit(1772187015.533:67): avc: denied { mount } for pid=290 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.357127][ T30] audit: type=1400 audit(1772187015.573:68): avc: denied { unmount } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.357280][ T290] cgroup: Unknown subsys name 'devices'
[ 23.532384][ T290] cgroup: Unknown subsys name 'hugetlb'
[ 23.537972][ T290] cgroup: Unknown subsys name 'rlimit'
[ 23.739110][ T30] audit: type=1400 audit(1772187015.963:69): avc: denied { setattr } for pid=290 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 23.762303][ T30] audit: type=1400 audit(1772187015.963:70): avc: denied { create } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.767770][ T292] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 23.782814][ T30] audit: type=1400 audit(1772187015.963:71): avc: denied { write } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.811436][ T30] audit: type=1400 audit(1772187015.963:72): avc: denied { read } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 23.831787][ T30] audit: type=1400 audit(1772187015.963:73): avc: denied { mounton } for pid=290 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 23.866410][ T290] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 24.330187][ T294] request_module fs-gadgetfs succeeded, but still no fs?
[ 24.470289][ T303] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.477381][ T303] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.484882][ T303] device bridge_slave_0 entered promiscuous mode
[ 24.492481][ T303] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.499499][ T303] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.506865][ T303] device bridge_slave_1 entered promiscuous mode
[ 24.539089][ T303] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.546139][ T303] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.553415][ T303] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.560426][ T303] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.577537][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.585165][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.592786][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 24.600153][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 24.609826][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 24.618095][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.625137][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.633528][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 24.641762][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.648773][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.660151][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 24.669169][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 24.681520][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 24.693206][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 24.701218][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 24.708564][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 24.717772][ T303] device veth0_vlan entered promiscuous mode
[ 24.726766][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.735780][ T303] device veth1_macvtap entered promiscuous mode
[ 24.744143][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.754547][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.780000][ T303] syz-executor (303) used greatest stack depth: 20672 bytes left
2026/02/27 10:10:17 executed programs: 0
[ 25.373553][ T356] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.381006][ T356] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.388257][ T356] device bridge_slave_0 entered promiscuous mode
[ 25.395376][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.402456][ T356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.409807][ T356] device bridge_slave_1 entered promiscuous mode
[ 25.448036][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.455086][ T356] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.462382][ T356] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.469411][ T356] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.486032][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.493704][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.501034][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.509056][ T45] device bridge_slave_1 left promiscuous mode
[ 25.515839][ T45] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.523284][ T45] device bridge_slave_0 left promiscuous mode
[ 25.529377][ T45] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.537272][ T45] device veth1_macvtap left promiscuous mode
[ 25.543311][ T45] device veth0_vlan left promiscuous mode
[ 25.633887][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 25.642183][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.650261][ T8] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.657296][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.665972][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 25.674305][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.682573][ T8] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.689664][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.701192][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 25.709265][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.718250][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 25.726457][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 25.738503][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 25.746845][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 25.757199][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 25.765286][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 25.773295][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 25.780839][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 25.788957][ T356] device veth0_vlan entered promiscuous mode
[ 25.797762][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 25.805895][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 25.815003][ T356] device veth1_macvtap entered promiscuous mode
[ 25.824146][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 25.832265][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 25.840447][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 25.850214][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 25.858794][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 25.884820][ T361] ==================================================================
[ 25.892892][ T361] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x606/0x6c0
[ 25.902081][ T361] Read of size 1 at addr ffff888110b1f3f8 by task syz.2.17/361
[ 25.909599][ T361]
[ 25.911909][ T361] CPU: 1 PID: 361 Comm: syz.2.17 Not tainted syzkaller #0
[ 25.918995][ T361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 25.929037][ T361] Call Trace:
[ 25.932303][ T361]
[ 25.935212][ T361] __dump_stack+0x21/0x30
[ 25.939522][ T361] dump_stack_lvl+0x110/0x170
[ 25.944178][ T361] ? show_regs_print_info+0x20/0x20
[ 25.949374][ T361] ? load_image+0x3e0/0x3e0
[ 25.953915][ T361] ? unwind_get_return_address+0x4d/0x90
[ 25.959539][ T361] print_address_description+0x7f/0x2c0
[ 25.965071][ T361] ? xfrm_policy_inexact_list_reinsert+0x606/0x6c0
[ 25.971570][ T361] kasan_report+0xf1/0x140
[ 25.975967][ T361] ? xfrm_policy_inexact_list_reinsert+0x606/0x6c0
[ 25.982443][ T361] __asan_report_load1_noabort+0x14/0x20
[ 25.988056][ T361] xfrm_policy_inexact_list_reinsert+0x606/0x6c0
[ 25.994362][ T361] xfrm_policy_inexact_insert_node+0x938/0xb50
[ 26.000496][ T361] ? xfrm_netlink_rcv+0x72/0x90
[ 26.005324][ T361] ? netlink_unicast+0x876/0xa40
[ 26.010241][ T361] ? netlink_sendmsg+0x879/0xb80
[ 26.015154][ T361] ? ____sys_sendmsg+0x5b7/0x8f0
[ 26.020071][ T361] ? ___sys_sendmsg+0x236/0x2e0
[ 26.024900][ T361] ? x64_sys_call+0x4b/0x9a0
[ 26.029469][ T361] ? entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 26.035518][ T361] xfrm_policy_inexact_alloc_chain+0x53d/0xb30
[ 26.041651][ T361] xfrm_policy_inexact_insert+0x70/0x1130
[ 26.047349][ T361] ? __kasan_check_write+0x14/0x20
[ 26.052446][ T361] ? _raw_spin_lock_bh+0x94/0xf0
[ 26.057363][ T361] ? policy_hash_bysel+0x13f/0x6f0
[ 26.062459][ T361] xfrm_policy_insert+0x126/0x9a0
[ 26.067459][ T361] ? xfrm_policy_construct+0x54f/0x1f00
[ 26.072983][ T361] xfrm_add_policy+0x4ed/0x850
[ 26.077728][ T361] ? xfrm_dump_sa_done+0xc0/0xc0
[ 26.082645][ T361] xfrm_user_rcv_msg+0x4dc/0x7b0
[ 26.087564][ T361] ? xfrm_netlink_rcv+0x90/0x90
[ 26.092398][ T361] ? avc_has_perm_noaudit+0x490/0x490
[ 26.097747][ T361] ? x64_sys_call+0x4b/0x9a0
[ 26.102314][ T361] ? selinux_nlmsg_lookup+0x237/0x4c0
[ 26.107664][ T361] netlink_rcv_skb+0x1f5/0x440
[ 26.112405][ T361] ? xfrm_netlink_rcv+0x90/0x90
[ 26.117233][ T361] ? netlink_ack+0xb50/0xb50
[ 26.121800][ T361] ? wait_for_completion_killable_timeout+0x10/0x10
[ 26.128369][ T361] ? __netlink_lookup+0x387/0x3b0
[ 26.133376][ T361] xfrm_netlink_rcv+0x72/0x90
[ 26.138030][ T361] netlink_unicast+0x876/0xa40
[ 26.142771][ T361] netlink_sendmsg+0x879/0xb80
[ 26.147513][ T361] ? netlink_getsockopt+0x530/0x530
[ 26.152686][ T361] ? do_futex+0xde8/0x2800
[ 26.157080][ T361] ? security_socket_sendmsg+0x82/0xa0
[ 26.162516][ T361] ? netlink_getsockopt+0x530/0x530
[ 26.167691][ T361] ____sys_sendmsg+0x5b7/0x8f0
[ 26.172437][ T361] ? __sys_sendmsg_sock+0x40/0x40
[ 26.177440][ T361] ? import_iovec+0x7c/0xb0
[ 26.181927][ T361] ___sys_sendmsg+0x236/0x2e0
[ 26.186583][ T361] ? __sys_sendmsg+0x280/0x280
[ 26.191330][ T361] ? __kasan_check_read+0x11/0x20
[ 26.196338][ T361] ? __fdget+0x15b/0x230
[ 26.200575][ T361] __x64_sys_sendmsg+0x206/0x2f0
[ 26.205494][ T361] ? ___sys_sendmsg+0x2e0/0x2e0
[ 26.210330][ T361] ? fpregs_assert_state_consistent+0xb1/0xe0
[ 26.216378][ T361] x64_sys_call+0x4b/0x9a0
[ 26.220770][ T361] do_syscall_64+0x4c/0xa0
[ 26.225168][ T361] ? clear_bhb_loop+0x50/0xa0
[ 26.229821][ T361] ? clear_bhb_loop+0x50/0xa0
[ 26.234473][ T361] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 26.240345][ T361] RIP: 0033:0x7f6a50995799
[ 26.244742][ T361] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 26.264325][ T361] RSP: 002b:00007ffc444db368 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.272720][ T361] RAX: ffffffffffffffda RBX: 00007f6a50c0efa0 RCX: 00007f6a50995799
[ 26.280669][ T361] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000006
[ 26.288615][ T361] RBP: 00007f6a50a2bbd9 R08: 0000000000000000 R09: 0000000000000000
[ 26.296563][ T361] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 26.304509][ T361] R13: 00007f6a50c0efac R14: 00007f6a50c0efa0 R15: 00007f6a50c0efa0
[ 26.312459][ T361]
[ 26.315459][ T361]
[ 26.317759][ T361] Allocated by task 361:
[ 26.321972][ T361] __kasan_kmalloc+0xda/0x110
[ 26.326628][ T361] __kmalloc+0x13d/0x2c0
[ 26.330847][ T361] sk_prot_alloc+0xed/0x320
[ 26.335330][ T361] sk_alloc+0x38/0x430
[ 26.339377][ T361] pfkey_create+0x12a/0x660
[ 26.343854][ T361] __sock_create+0x38d/0x7a0
[ 26.348422][ T361] __sys_socket+0xec/0x190
[ 26.352813][ T361] __x64_sys_socket+0x7a/0x90
[ 26.357471][ T361] x64_sys_call+0x8c5/0x9a0
[ 26.361951][ T361] do_syscall_64+0x4c/0xa0
[ 26.366348][ T361] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 26.372218][ T361]
[ 26.374518][ T361] The buggy address belongs to the object at ffff888110b1f000
[ 26.374518][ T361] which belongs to the cache kmalloc-1k of size 1024
[ 26.388549][ T361] The buggy address is located 1016 bytes inside of
[ 26.388549][ T361] 1024-byte region [ffff888110b1f000, ffff888110b1f400)
[ 26.401975][ T361] The buggy address belongs to the page:
[ 26.407580][ T361] page:ffffea000442c600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110b18
[ 26.417802][ T361] head:ffffea000442c600 order:3 compound_mapcount:0 compound_pincount:0
[ 26.426100][ T361] flags: 0x4000000000010200(slab|head|zone=1)
[ 26.432159][ T361] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043080
[ 26.440717][ T361] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 26.449274][ T361] page dumped because: kasan: bad access detected
[ 26.455667][ T361] page_owner tracks the page as allocated
[ 26.461358][ T361] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 356, ts 25878999275, free_ts 25851536158
[ 26.481741][ T361] post_alloc_hook+0x192/0x1b0
[ 26.486487][ T361] prep_new_page+0x1c/0x110
[ 26.490964][ T361] get_page_from_freelist+0x2d3a/0x2dc0
[ 26.496485][ T361] __alloc_pages+0x1a2/0x460
[ 26.501052][ T361] new_slab+0xa1/0x4d0
[ 26.505100][ T361] ___slab_alloc+0x381/0x810
[ 26.509664][ T361] __slab_alloc+0x49/0x90
[ 26.513970][ T361] __kmalloc+0x16a/0x2c0
[ 26.518190][ T361] kvmalloc_node+0x211/0x320
[ 26.522757][ T361] xt_alloc_table_info+0x3b/0xa0
[ 26.527672][ T361] ipt_register_table+0xce/0x800
[ 26.532585][ T361] iptable_security_table_init+0x41/0x60
[ 26.538193][ T361] xt_find_table_lock+0x2a5/0x400
[ 26.543192][ T361] xt_request_find_table_lock+0x27/0x100
[ 26.548803][ T361] do_ipt_get_ctl+0x6ce/0x1100
[ 26.553544][ T361] nf_getsockopt+0x26d/0x290
[ 26.558111][ T361] page last free stack trace:
[ 26.562756][ T361] free_unref_page_prepare+0x542/0x550
[ 26.568210][ T361] free_unref_page+0xae/0x540
[ 26.572861][ T361] __free_pages+0x6c/0x100
[ 26.577258][ T361] __free_slab+0xe8/0x1e0
[ 26.581565][ T361] __unfreeze_partials+0x160/0x190
[ 26.586653][ T361] put_cpu_partial+0xc6/0x120
[ 26.591305][ T361] __slab_free+0x1d4/0x290
[ 26.595709][ T361] ___cache_free+0x104/0x120
[ 26.600286][ T361] qlink_free+0x4d/0x90
[ 26.604417][ T361] qlist_free_all+0x5f/0xb0
[ 26.608896][ T361] kasan_quarantine_reduce+0x14a/0x170
[ 26.614333][ T361] __kasan_slab_alloc+0x2f/0xf0
[ 26.619157][ T361] slab_post_alloc_hook+0x4f/0x2b0
[ 26.624247][ T361] kmem_cache_alloc+0xf7/0x260
[ 26.628987][ T361] __alloc_skb+0xe0/0x740
[ 26.633293][ T361] netlink_ack+0x372/0xb50
[ 26.637687][ T361]
[ 26.639986][ T361] Memory state around the buggy address:
[ 26.645589][ T361]  ffff888110b1f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.653625][ T361]  ffff888110b1f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.661658][ T361] >ffff888110b1f380: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 26.669689][ T361]                                                                 ^
[ 26.677637][ T361]  ffff888110b1f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.685672][ T361]  ffff888110b1f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.693705][ T361] ==================================================================
[ 26.701748][ T361] Disabling lock debugging due to kernel taint