Warning: Permanently added '10.128.0.188' (ED25519) to the list of known hosts.
2025/10/26 01:06:22 parsed 1 programs
[ 25.140756][ T30] audit: type=1400 audit(1761440782.070:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 25.161805][ T30] audit: type=1400 audit(1761440782.070:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 26.144174][ T30] audit: type=1400 audit(1761440783.070:66): avc: denied { mounton } for pid=290 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.145528][ T290] cgroup: Unknown subsys name 'net'
[ 26.167429][ T30] audit: type=1400 audit(1761440783.070:67): avc: denied { mount } for pid=290 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.194728][ T30] audit: type=1400 audit(1761440783.110:68): avc: denied { unmount } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.194985][ T290] cgroup: Unknown subsys name 'devices'
[ 26.341281][ T290] cgroup: Unknown subsys name 'hugetlb'
[ 26.346916][ T290] cgroup: Unknown subsys name 'rlimit'
[ 26.524760][ T30] audit: type=1400 audit(1761440783.450:69): avc: denied { setattr } for pid=290 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 26.548215][ T30] audit: type=1400 audit(1761440783.450:70): avc: denied { create } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.568611][ T30] audit: type=1400 audit(1761440783.450:71): avc: denied { write } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.588952][ T30] audit: type=1400 audit(1761440783.450:72): avc: denied { read } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.596662][ T292] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 26.609607][ T30] audit: type=1400 audit(1761440783.450:73): avc: denied { mounton } for pid=290 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 26.709948][ T290] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 27.145818][ T294] request_module fs-gadgetfs succeeded, but still no fs?
[ 27.400183][ T304] syz-executor (304) used greatest stack depth: 21856 bytes left
[ 27.548206][ T317] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.555381][ T317] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.563134][ T317] device bridge_slave_0 entered promiscuous mode
[ 27.570050][ T317] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.577079][ T317] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.584571][ T317] device bridge_slave_1 entered promiscuous mode
[ 27.638907][ T317] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.646014][ T317] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.653350][ T317] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.660834][ T317] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.679611][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.687317][ T315] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.694722][ T315] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.705039][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.713402][ T315] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.720491][ T315] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.729598][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.737821][ T315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.744899][ T315] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.758405][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.768160][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.782009][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.793135][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.801522][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 27.808904][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 27.817138][ T317] device veth0_vlan entered promiscuous mode
[ 27.827459][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.836550][ T317] device veth1_macvtap entered promiscuous mode
[ 27.845737][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.855874][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 27.894276][ T317] syz-executor (317) used greatest stack depth: 21408 bytes left
2025/10/26 01:06:25 executed programs: 0
[ 28.483361][ T364] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.490621][ T364] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.497972][ T364] device bridge_slave_0 entered promiscuous mode
[ 28.505096][ T364] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.512218][ T364] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.519851][ T364] device bridge_slave_1 entered promiscuous mode
[ 28.567175][ T364] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.574279][ T364] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.581579][ T364] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.588609][ T364] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.614189][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.621965][ T315] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.629508][ T315] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.638395][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.647103][ T315] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.654198][ T315] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.671503][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.679681][ T315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.686699][ T315] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.699542][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.707545][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.726612][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.738824][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.747158][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.754939][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.763659][ T364] device veth0_vlan entered promiscuous mode
[ 28.778918][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.788193][ T364] device veth1_macvtap entered promiscuous mode
[ 28.797744][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.810335][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.836305][ T374] ==================================================================
[ 28.844757][ T374] BUG: KASAN: slab-out-of-bounds in tc_setup_flow_action+0x870/0x3240
[ 28.852953][ T374] Read of size 8 at addr ffff88810ddb0dc0 by task syz.2.17/374
[ 28.860843][ T374]
[ 28.863193][ T374] CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0
[ 28.870327][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 28.880523][ T374] Call Trace:
[ 28.883808][ T374]
[ 28.886742][ T374] __dump_stack+0x21/0x30
[ 28.891081][ T374] dump_stack_lvl+0xee/0x150
[ 28.895672][ T374] ? show_regs_print_info+0x20/0x20
[ 28.901012][ T374] ? load_image+0x3a0/0x3a0
[ 28.905554][ T374] print_address_description+0x7f/0x2c0
[ 28.911465][ T374] ? tc_setup_flow_action+0x870/0x3240
[ 28.916941][ T374] kasan_report+0xf1/0x140
[ 28.921365][ T374] ? tc_setup_flow_action+0x870/0x3240
[ 28.926925][ T374] __asan_report_load8_noabort+0x14/0x20
[ 28.932753][ T374] tc_setup_flow_action+0x870/0x3240
[ 28.938054][ T374] mall_replace_hw_filter+0x293/0x820
[ 28.943435][ T374] ? pcpu_block_update_hint_alloc+0x8c1/0xc50
[ 28.949861][ T374] ? mall_set_parms+0x520/0x520
[ 28.954835][ T374] ? tcf_exts_destroy+0xb0/0xb0
[ 28.959690][ T374] ? mall_set_parms+0x1e8/0x520
[ 28.964726][ T374] mall_change+0x526/0x740
[ 28.969156][ T374] ? __kasan_check_write+0x14/0x20
[ 28.974297][ T374] ? mall_get+0xa0/0xa0
[ 28.978476][ T374] ? tcf_chain_tp_insert_unique+0xac1/0xc10
[ 28.984457][ T374] tc_new_tfilter+0x12a2/0x1870
[ 28.989305][ T374] ? tcf_gate_entry_destructor+0x20/0x20
[ 28.995372][ T374] ? security_capable+0x87/0xb0
[ 29.000217][ T374] ? ns_capable+0x8c/0xf0
[ 29.004552][ T374] ? netlink_net_capable+0x125/0x160
[ 29.009830][ T374] ? tcf_gate_entry_destructor+0x20/0x20
[ 29.015576][ T374] rtnetlink_rcv_msg+0x81b/0xb90
[ 29.020516][ T374] ? rtnetlink_bind+0x80/0x80
[ 29.025188][ T374] ? memcpy+0x56/0x70
[ 29.029173][ T374] ? avc_has_perm_noaudit+0x2f4/0x460
[ 29.034855][ T374] ? arch_stack_walk+0xee/0x140
[ 29.040045][ T374] ? avc_denied+0x1b0/0x1b0
[ 29.044580][ T374] ? stack_trace_save+0x98/0xe0
[ 29.049437][ T374] ? avc_has_perm+0x158/0x240
[ 29.054114][ T374] ? avc_has_perm_noaudit+0x460/0x460
[ 29.059483][ T374] ? x64_sys_call+0x4b/0x9a0
[ 29.064504][ T374] ? selinux_nlmsg_lookup+0x416/0x4c0
[ 29.069890][ T374] netlink_rcv_skb+0x1e0/0x430
[ 29.074651][ T374] ? rtnetlink_bind+0x80/0x80
[ 29.079422][ T374] ? netlink_ack+0xb60/0xb60
[ 29.084093][ T374] ? __netlink_lookup+0x387/0x3b0
[ 29.089210][ T374] rtnetlink_rcv+0x1c/0x20
[ 29.093623][ T374] netlink_unicast+0x876/0xa40
[ 29.098383][ T374] netlink_sendmsg+0x86a/0xb70
[ 29.103144][ T374] ? netlink_getsockopt+0x530/0x530
[ 29.108339][ T374] ? security_socket_sendmsg+0x82/0xa0
[ 29.113790][ T374] ? netlink_getsockopt+0x530/0x530
[ 29.118995][ T374] ____sys_sendmsg+0x5a2/0x8c0
[ 29.123804][ T374] ? __sys_sendmsg_sock+0x40/0x40
[ 29.128825][ T374] ? import_iovec+0x7c/0xb0
[ 29.133502][ T374] ___sys_sendmsg+0x1f0/0x260
[ 29.138178][ T374] ? __sys_sendmsg+0x250/0x250
[ 29.142940][ T374] ? up_read+0x56/0x1d0
[ 29.147097][ T374] ? __kasan_check_read+0x11/0x20
[ 29.152169][ T374] ? __fdget+0x15b/0x230
[ 29.156411][ T374] __x64_sys_sendmsg+0x1e2/0x2a0
[ 29.161357][ T374] ? ___sys_sendmsg+0x260/0x260
[ 29.166205][ T374] ? fpregs_assert_state_consistent+0xb1/0xe0
[ 29.172272][ T374] x64_sys_call+0x4b/0x9a0
[ 29.176688][ T374] do_syscall_64+0x4c/0xa0
[ 29.181104][ T374] ? clear_bhb_loop+0x50/0xa0
[ 29.185771][ T374] ? clear_bhb_loop+0x50/0xa0
[ 29.190442][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.196331][ T374] RIP: 0033:0x7efd4c323fc9
[ 29.200762][ T374] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 29.220383][ T374] RSP: 002b:00007fff48e69bd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.228930][ T374] RAX: ffffffffffffffda RBX: 00007efd4c57afa0 RCX: 00007efd4c323fc9
[ 29.236938][ T374] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000004
[ 29.244922][ T374] RBP: 00007efd4c3a6f91 R08: 0000000000000000 R09: 0000000000000000
[ 29.252908][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 29.260906][ T374] R13: 00007efd4c57afa0 R14: 00007efd4c57afa0 R15: 0000000000000003
[ 29.268896][ T374]
[ 29.271918][ T374]
[ 29.274379][ T374] Allocated by task 374:
[ 29.278650][ T374] __kasan_kmalloc+0xda/0x110
[ 29.283327][ T374] __kmalloc+0x13d/0x2c0
[ 29.287569][ T374] tcf_idr_create+0x5f/0x790
[ 29.292174][ T374] tcf_idr_create_from_flags+0x61/0x70
[ 29.297628][ T374] tcf_gact_init+0x346/0x580
[ 29.302216][ T374] tcf_action_init_1+0x3f7/0x6a0
[ 29.307171][ T374] tcf_action_init+0x1e9/0x710
[ 29.311932][ T374] tcf_exts_validate+0x217/0x520
[ 29.317180][ T374] mall_set_parms+0x48/0x520
[ 29.321777][ T374] mall_change+0x45a/0x740
[ 29.326198][ T374] tc_new_tfilter+0x12a2/0x1870
[ 29.331060][ T374] rtnetlink_rcv_msg+0x81b/0xb90
[ 29.335992][ T374] netlink_rcv_skb+0x1e0/0x430
[ 29.340796][ T374] rtnetlink_rcv+0x1c/0x20
[ 29.345314][ T374] netlink_unicast+0x876/0xa40
[ 29.350194][ T374] netlink_sendmsg+0x86a/0xb70
[ 29.354959][ T374] ____sys_sendmsg+0x5a2/0x8c0
[ 29.359737][ T374] ___sys_sendmsg+0x1f0/0x260
[ 29.364412][ T374] __x64_sys_sendmsg+0x1e2/0x2a0
[ 29.369347][ T374] x64_sys_call+0x4b/0x9a0
[ 29.373774][ T374] do_syscall_64+0x4c/0xa0
[ 29.378193][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.384085][ T374]
[ 29.386411][ T374] The buggy address belongs to the object at ffff88810ddb0d00
[ 29.386411][ T374] which belongs to the cache kmalloc-192 of size 192
[ 29.400642][ T374] The buggy address is located 0 bytes to the right of
[ 29.400642][ T374] 192-byte region [ffff88810ddb0d00, ffff88810ddb0dc0)
[ 29.414280][ T374] The buggy address belongs to the page:
[ 29.419901][ T374] page:ffffea0004376c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ddb0
[ 29.430142][ T374] flags: 0x4000000000000200(slab|zone=1)
[ 29.435780][ T374] raw: 4000000000000200 0000000000000000 0000000100000001 ffff888100042c00
[ 29.444354][ T374] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 29.452923][ T374] page dumped because: kasan: bad access detected
[ 29.459455][ T374] page_owner tracks the page as allocated
[ 29.465195][ T374] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 102, ts 6003496045, free_ts 6003475015
[ 29.480998][ T374] post_alloc_hook+0x192/0x1b0
[ 29.485889][ T374] prep_new_page+0x1c/0x110
[ 29.490397][ T374] get_page_from_freelist+0x2cc5/0x2d50
[ 29.495939][ T374] __alloc_pages+0x18f/0x440
[ 29.500683][ T374] new_slab+0xa1/0x4d0
[ 29.504757][ T374] ___slab_alloc+0x381/0x810
[ 29.509342][ T374] __slab_alloc+0x49/0x90
[ 29.513670][ T374] kmem_cache_alloc_trace+0x146/0x270
[ 29.519138][ T374] kernfs_fop_open+0x343/0xb30
[ 29.523892][ T374] do_dentry_open+0x834/0x1010
[ 29.528650][ T374] vfs_open+0x73/0x80
[ 29.532650][ T374] path_openat+0x2646/0x2f10
[ 29.537240][ T374] do_filp_open+0x1b3/0x3e0
[ 29.541740][ T374] do_sys_openat2+0x14c/0x7b0
[ 29.546529][ T374] __x64_sys_openat+0x136/0x160
[ 29.551375][ T374] x64_sys_call+0x219/0x9a0
[ 29.556323][ T374] page last free stack trace:
[ 29.560993][ T374] free_unref_page_prepare+0x542/0x550
[ 29.566453][ T374] free_unref_page+0xa2/0x550
[ 29.571226][ T374] __free_pages+0x6c/0x100
[ 29.575643][ T374] free_pages+0x82/0x90
[ 29.579796][ T374] selinux_genfs_get_sid+0x20b/0x250
[ 29.585077][ T374] inode_doinit_with_dentry+0x86e/0xd70
[ 29.590701][ T374] selinux_d_instantiate+0x27/0x40
[ 29.595807][ T374] security_d_instantiate+0x9e/0xf0
[ 29.601001][ T374] d_splice_alias+0x6d/0x390
[ 29.605813][ T374] kernfs_iop_lookup+0x2c2/0x310
[ 29.610759][ T374] path_openat+0xfcf/0x2f10
[ 29.615262][ T374] do_filp_open+0x1b3/0x3e0
[ 29.619777][ T374] do_sys_openat2+0x14c/0x7b0
[ 29.624477][ T374] __x64_sys_openat+0x136/0x160
[ 29.629332][ T374] x64_sys_call+0x219/0x9a0
[ 29.633889][ T374] do_syscall_64+0x4c/0xa0
[ 29.638311][ T374]
[ 29.640651][ T374] Memory state around the buggy address:
[ 29.646268][ T374] ffff88810ddb0c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.654321][ T374] ffff88810ddb0d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.662385][ T374] >ffff88810ddb0d80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 29.670471][ T374] ^
[ 29.676836][ T374] ffff88810ddb0e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.685071][ T374] ffff88810ddb0e80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.693241][ T374] ==================================================================
[ 29.701316][ T374] Disabling lock debugging due to kernel taint