Warning: Permanently added '10.128.0.195' (ED25519) to the list of known hosts. 2026/03/07 07:22:25 parsed 1 programs [ 21.379073][ T30] audit: type=1400 audit(1772868145.037:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 21.399914][ T30] audit: type=1400 audit(1772868145.037:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 21.991981][ T30] audit: type=1400 audit(1772868145.657:66): avc: denied { mounton } for pid=288 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 21.993110][ T288] cgroup: Unknown subsys name 'net' [ 22.014679][ T30] audit: type=1400 audit(1772868145.657:67): avc: denied { mount } for pid=288 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.041978][ T30] audit: type=1400 audit(1772868145.677:68): avc: denied { unmount } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.042132][ T288] cgroup: Unknown subsys name 'devices' [ 22.213175][ T288] cgroup: Unknown subsys name 'hugetlb' [ 22.218788][ T288] cgroup: Unknown subsys name 'rlimit' [ 22.450941][ T30] audit: type=1400 audit(1772868146.107:69): avc: denied { setattr } for pid=288 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 22.474277][ T30] audit: type=1400 audit(1772868146.117:70): avc: denied { create } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 22.479751][ T291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 22.494915][ T30] audit: type=1400 audit(1772868146.117:71): avc: denied { write } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 22.523596][ T30] audit: type=1400 audit(1772868146.117:72): avc: denied { read } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 22.531743][ T288] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 22.544390][ T30] audit: type=1400 audit(1772868146.117:73): avc: denied { mounton } for pid=288 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 22.974257][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.981406][ T293] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.988987][ T293] device bridge_slave_0 entered promiscuous mode [ 22.996583][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.003892][ T293] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.011814][ T293] device bridge_slave_1 entered promiscuous mode [ 23.065353][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.072440][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state [ 23.079700][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.086742][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state [ 23.102460][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.109732][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.117182][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 23.124594][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 23.133195][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 23.141374][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 23.148392][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 23.156604][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 23.164936][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 23.171987][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 23.183216][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 23.192525][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 23.205088][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 23.215613][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 23.223856][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 23.231255][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 23.239449][ T293] device veth0_vlan entered promiscuous mode [ 23.248745][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 23.257701][ T293] device veth1_macvtap entered promiscuous mode [ 23.266538][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 23.276102][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 23.292863][ T293] request_module fs-gadgetfs succeeded, but still no fs? [ 23.315555][ T293] syz-executor (293) used greatest stack depth: 21056 bytes left [ 23.693026][ T8] device bridge_slave_1 left promiscuous mode [ 23.699237][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.707796][ T8] device bridge_slave_0 left promiscuous mode [ 23.714027][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.722086][ T8] device veth1_macvtap left promiscuous mode [ 23.728068][ T8] device veth0_vlan left promiscuous mode 2026/03/07 07:22:27 executed programs: 0 [ 24.157763][ T355] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.164830][ T355] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.172198][ T355] device bridge_slave_0 entered promiscuous mode [ 24.178900][ T355] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.186058][ T355] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.193460][ T355] device bridge_slave_1 entered promiscuous mode [ 24.225613][ T355] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.232681][ T355] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.239936][ T355] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.246999][ T355] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.262985][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.270539][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.277805][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.286725][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.295011][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.302236][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.310846][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.319175][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.326433][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.337546][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.346683][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.359249][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.369802][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 24.377965][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 24.385782][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 24.393885][ T355] device veth0_vlan entered promiscuous mode [ 24.403081][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 24.412389][ T355] device veth1_macvtap entered promiscuous mode [ 24.420856][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 24.430574][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 24.452306][ T360] ================================================================== [ 24.460396][ T360] BUG: KASAN: slab-out-of-bounds in tc_setup_flow_action+0x870/0x3240 [ 24.468579][ T360] Read of size 8 at addr ffff88810e03f0c0 by task syz.2.17/360 [ 24.476121][ T360] [ 24.478445][ T360] CPU: 1 PID: 360 Comm: syz.2.17 Not tainted syzkaller #0 [ 24.485542][ T360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 24.495595][ T360] Call Trace: [ 24.498872][ T360] [ 24.501793][ T360] __dump_stack+0x21/0x30 [ 24.506116][ T360] dump_stack_lvl+0x110/0x170 [ 24.510781][ T360] ? show_regs_print_info+0x20/0x20 [ 24.515965][ T360] ? load_image+0x3e0/0x3e0 [ 24.520552][ T360] print_address_description+0x7f/0x2c0 [ 24.526087][ T360] ? tc_setup_flow_action+0x870/0x3240 [ 24.531534][ T360] kasan_report+0xf1/0x140 [ 24.535938][ T360] ? tc_setup_flow_action+0x870/0x3240 [ 24.541386][ T360] __asan_report_load8_noabort+0x14/0x20 [ 24.547012][ T360] tc_setup_flow_action+0x870/0x3240 [ 24.552295][ T360] mall_replace_hw_filter+0x2cc/0x8b0 [ 24.557658][ T360] ? pcpu_block_update_hint_alloc+0x8c4/0xc50 [ 24.563723][ T360] ? mall_set_parms+0x520/0x520 [ 24.568565][ T360] ? tcf_exts_destroy+0xb0/0xb0 [ 24.573417][ T360] ? pcpu_alloc+0x1170/0x16e0 [ 24.578090][ T360] ? mall_set_parms+0x1e8/0x520 [ 24.582932][ T360] mall_change+0x544/0x760 [ 24.587338][ T360] ? __kasan_check_write+0x14/0x20 [ 24.592579][ T360] ? mall_get+0xa0/0xa0 [ 24.596737][ T360] ? tcf_chain_tp_insert_unique+0xac1/0xc10 [ 24.602624][ T360] tc_new_tfilter+0x12e5/0x18e0 [ 24.607470][ T360] ? tcf_gate_entry_destructor+0x20/0x20 [ 24.613093][ T360] ? security_capable+0x87/0xb0 [ 24.617934][ T360] ? ns_capable+0x8c/0xf0 [ 24.622338][ T360] ? netlink_net_capable+0x125/0x160 [ 24.627725][ T360] ? tcf_gate_entry_destructor+0x20/0x20 [ 24.633390][ T360] rtnetlink_rcv_msg+0x871/0xce0 [ 24.638334][ T360] ? rtnetlink_bind+0x80/0x80 [ 24.643009][ T360] ? avc_has_perm_noaudit+0x391/0x490 [ 24.648376][ T360] ? memcpy+0x56/0x70 [ 24.652352][ T360] ? avc_has_perm_noaudit+0x30b/0x490 [ 24.657712][ T360] ? arch_stack_walk+0xee/0x140 [ 24.662563][ T360] ? avc_denied+0x1b0/0x1b0 [ 24.667057][ T360] ? stack_trace_save+0xa6/0xf0 [ 24.671897][ T360] ? avc_has_perm+0x163/0x250 [ 24.676565][ T360] ? avc_has_perm_noaudit+0x490/0x490 [ 24.681928][ T360] ? x64_sys_call+0x4b/0x9a0 [ 24.686511][ T360] ? selinux_nlmsg_lookup+0x416/0x4c0 [ 24.691885][ T360] netlink_rcv_skb+0x1f5/0x440 [ 24.696660][ T360] ? rtnetlink_bind+0x80/0x80 [ 24.701420][ T360] ? netlink_ack+0xb50/0xb50 [ 24.705999][ T360] ? __netlink_lookup+0x387/0x3b0 [ 24.711061][ T360] rtnetlink_rcv+0x1c/0x20 [ 24.715465][ T360] netlink_unicast+0x876/0xa40 [ 24.720215][ T360] netlink_sendmsg+0x879/0xb80 [ 24.724967][ T360] ? netlink_getsockopt+0x530/0x530 [ 24.730154][ T360] ? do_futex+0xde8/0x2800 [ 24.734564][ T360] ? security_socket_sendmsg+0x82/0xa0 [ 24.740009][ T360] ? netlink_getsockopt+0x530/0x530 [ 24.745223][ T360] ____sys_sendmsg+0x5b7/0x8f0 [ 24.750089][ T360] ? __sys_sendmsg_sock+0x40/0x40 [ 24.755117][ T360] ? import_iovec+0x7c/0xb0 [ 24.759616][ T360] ___sys_sendmsg+0x236/0x2e0 [ 24.764285][ T360] ? __sys_sendmsg+0x280/0x280 [ 24.769050][ T360] ? up_read+0x56/0x1d0 [ 24.773216][ T360] ? __kasan_check_read+0x11/0x20 [ 24.778240][ T360] ? __fdget+0x15b/0x230 [ 24.782483][ T360] __x64_sys_sendmsg+0x206/0x2f0 [ 24.787413][ T360] ? ___sys_sendmsg+0x2e0/0x2e0 [ 24.792255][ T360] ? fpregs_assert_state_consistent+0xb1/0xe0 [ 24.798315][ T360] x64_sys_call+0x4b/0x9a0 [ 24.802724][ T360] do_syscall_64+0x4c/0xa0 [ 24.807134][ T360] ? clear_bhb_loop+0x50/0xa0 [ 24.811795][ T360] ? clear_bhb_loop+0x50/0xa0 [ 24.816459][ T360] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 24.822357][ T360] RIP: 0033:0x7f215bb50799 [ 24.826769][ T360] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 24.846390][ T360] RSP: 002b:00007ffe6ac68358 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 24.855501][ T360] RAX: ffffffffffffffda RBX: 00007f215bdc9fa0 RCX: 00007f215bb50799 [ 24.863463][ T360] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000004 [ 24.871465][ T360] RBP: 00007f215bbe6bd9 R08: 0000000000000000 R09: 0000000000000000 [ 24.879436][ T360] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 24.887412][ T360] R13: 00007f215bdc9fac R14: 00007f215bdc9fa0 R15: 00007f215bdc9fa0 [ 24.895395][ T360] [ 24.898559][ T360] [ 24.900879][ T360] Allocated by task 360: [ 24.905220][ T360] __kasan_kmalloc+0xda/0x110 [ 24.909909][ T360] __kmalloc+0x13d/0x2c0 [ 24.914147][ T360] tcf_idr_create+0x5f/0x790 [ 24.918733][ T360] tcf_idr_create_from_flags+0x61/0x70 [ 24.924208][ T360] tcf_gact_init+0x342/0x570 [ 24.928793][ T360] tcf_action_init_1+0x3ff/0x6b0 [ 24.933716][ T360] tcf_action_init+0x233/0x7a0 [ 24.938470][ T360] tcf_exts_validate+0x24a/0x580 [ 24.943386][ T360] mall_set_parms+0x48/0x520 [ 24.947956][ T360] mall_change+0x478/0x760 [ 24.952352][ T360] tc_new_tfilter+0x12e5/0x18e0 [ 24.957270][ T360] rtnetlink_rcv_msg+0x871/0xce0 [ 24.962192][ T360] netlink_rcv_skb+0x1f5/0x440 [ 24.966937][ T360] rtnetlink_rcv+0x1c/0x20 [ 24.971335][ T360] netlink_unicast+0x876/0xa40 [ 24.976077][ T360] netlink_sendmsg+0x879/0xb80 [ 24.980819][ T360] ____sys_sendmsg+0x5b7/0x8f0 [ 24.985565][ T360] ___sys_sendmsg+0x236/0x2e0 [ 24.990221][ T360] __x64_sys_sendmsg+0x206/0x2f0 [ 24.995139][ T360] x64_sys_call+0x4b/0x9a0 [ 24.999534][ T360] do_syscall_64+0x4c/0xa0 [ 25.003931][ T360] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 25.009811][ T360] [ 25.012113][ T360] The buggy address belongs to the object at ffff88810e03f000 [ 25.012113][ T360] which belongs to the cache kmalloc-192 of size 192 [ 25.026241][ T360] The buggy address is located 0 bytes to the right of [ 25.026241][ T360] 192-byte region [ffff88810e03f000, ffff88810e03f0c0) [ 25.040365][ T360] The buggy address belongs to the page: [ 25.045984][ T360] page:ffffea0004380fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e03f [ 25.056219][ T360] flags: 0x4000000000000200(slab|zone=1) [ 25.061866][ T360] raw: 4000000000000200 0000000000000000 0000000100000001 ffff888100042c00 [ 25.070432][ T360] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 25.078990][ T360] page dumped because: kasan: bad access detected [ 25.085377][ T360] page_owner tracks the page as allocated [ 25.091068][ T360] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 102, ts 3897857950, free_ts 3897694864 [ 25.106859][ T360] post_alloc_hook+0x192/0x1b0 [ 25.111623][ T360] prep_new_page+0x1c/0x110 [ 25.116124][ T360] get_page_from_freelist+0x2d3a/0x2dc0 [ 25.121653][ T360] __alloc_pages+0x1a2/0x460 [ 25.126241][ T360] new_slab+0xa1/0x4d0 [ 25.130293][ T360] ___slab_alloc+0x381/0x810 [ 25.134871][ T360] __slab_alloc+0x49/0x90 [ 25.139180][ T360] kmem_cache_alloc_trace+0x146/0x270 [ 25.144542][ T360] kernfs_fop_open+0x343/0xb30 [ 25.149293][ T360] do_dentry_open+0x834/0x1010 [ 25.154037][ T360] vfs_open+0x73/0x80 [ 25.157998][ T360] path_openat+0x26a6/0x2f20 [ 25.162567][ T360] do_filp_open+0x1e2/0x410 [ 25.167056][ T360] do_sys_openat2+0x15e/0x7f0 [ 25.171714][ T360] __x64_sys_openat+0x136/0x160 [ 25.176556][ T360] x64_sys_call+0x219/0x9a0 [ 25.181152][ T360] page last free stack trace: [ 25.185803][ T360] free_unref_page_prepare+0x542/0x550 [ 25.191241][ T360] free_unref_page+0xae/0x540 [ 25.195897][ T360] __free_pages+0x6c/0x100 [ 25.200293][ T360] free_pages+0x82/0x90 [ 25.204438][ T360] selinux_genfs_get_sid+0x20b/0x250 [ 25.209706][ T360] inode_doinit_with_dentry+0x87a/0xd80 [ 25.215230][ T360] selinux_d_instantiate+0x27/0x40 [ 25.220326][ T360] security_d_instantiate+0x9e/0xf0 [ 25.225505][ T360] d_splice_alias+0x6d/0x390 [ 25.230077][ T360] kernfs_iop_lookup+0x2c2/0x310 [ 25.235002][ T360] path_openat+0xfc9/0x2f20 [ 25.239508][ T360] do_filp_open+0x1e2/0x410 [ 25.244010][ T360] do_sys_openat2+0x15e/0x7f0 [ 25.248681][ T360] __x64_sys_openat+0x136/0x160 [ 25.253515][ T360] x64_sys_call+0x219/0x9a0 [ 25.257998][ T360] do_syscall_64+0x4c/0xa0 [ 25.262400][ T360] [ 25.264794][ T360] Memory state around the buggy address: [ 25.270788][ T360] ffff88810e03ef80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 25.278825][ T360] ffff88810e03f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.286881][ T360] >ffff88810e03f080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 25.294937][ T360] ^ [ 25.301078][ T360] ffff88810e03f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.309218][ T360] ffff88810e03f180: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.317265][ T360] ================================================================== [ 25.325301][ T360] Disabling lock debugging due to kernel taint