[ 14.947160][ T30] audit: type=1400 audit(1782553980.951:62): avc: denied { rlimitinh } for pid=224 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.966649][ T30] audit: type=1400 audit(1782553980.951:63): avc: denied { siginh } for pid=224 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.0.134' (ED25519) to the list of known hosts. 2026/06/27 09:53:11 parsed 1 programs 2026/06/27 09:53:11 serving rpc on tcp://41899 [ 24.990079][ T30] audit: type=1400 audit(1782553991.021:64): avc: denied { node_bind } for pid=294 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 25.010933][ T30] audit: type=1400 audit(1782553991.021:65): avc: denied { module_request } for pid=294 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 26.063983][ T30] audit: type=1400 audit(1782553992.101:66): avc: denied { mounton } for pid=301 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 26.068056][ T301] cgroup: Unknown subsys name 'net' [ 26.086789][ T30] audit: type=1400 audit(1782553992.101:67): avc: denied { mount } for pid=301 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.114262][ T30] audit: type=1400 audit(1782553992.131:68): avc: denied { unmount } for pid=301 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.114941][ T301] cgroup: Unknown subsys name 'devices' [ 26.205736][ T301] cgroup: Unknown subsys name 'hugetlb' [ 26.211374][ T301] cgroup: Unknown subsys name 'rlimit' [ 26.360023][ T30] audit: type=1400 audit(1782553992.391:69): avc: denied { setattr } for pid=301 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.383349][ T30] audit: type=1400 audit(1782553992.391:70): avc: denied { create } for pid=301 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.403787][ T30] audit: type=1400 audit(1782553992.391:71): avc: denied { write } for pid=301 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.424386][ T30] audit: type=1400 audit(1782553992.391:72): avc: denied { read } for pid=301 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.443088][ T304] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 26.445165][ T30] audit: type=1400 audit(1782553992.391:73): avc: denied { mounton } for pid=301 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.505129][ T301] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 26.949307][ T306] request_module fs-gadgetfs succeeded, but still no fs? [ 27.037124][ T311] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.044329][ T311] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.051952][ T311] device bridge_slave_0 entered promiscuous mode [ 27.059451][ T311] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.066703][ T311] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.074645][ T311] device bridge_slave_1 entered promiscuous mode [ 27.124408][ T311] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.131469][ T311] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.138876][ T311] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.146131][ T311] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.164430][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.171895][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.179343][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 27.187209][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.197113][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.205422][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.212460][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.221129][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.229455][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.236553][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.249786][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.260006][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.273920][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.286796][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.294940][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.302366][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.310760][ T311] device veth0_vlan entered promiscuous mode [ 27.320867][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.330201][ T311] device veth1_macvtap entered promiscuous mode [ 27.340680][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.350815][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.383283][ T311] syz-executor (311) used greatest stack depth: 20864 bytes left [ 28.094085][ T55] device bridge_slave_1 left promiscuous mode [ 28.100355][ T55] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.108194][ T55] device bridge_slave_0 left promiscuous mode [ 28.114629][ T55] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.123880][ T55] device veth1_macvtap left promiscuous mode [ 28.129937][ T55] device veth0_vlan left promiscuous mode 2026/06/27 09:53:14 executed programs: 0 [ 28.341824][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.349355][ T367] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.357304][ T367] device bridge_slave_0 entered promiscuous mode [ 28.364486][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.371552][ T367] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.379202][ T367] device bridge_slave_1 entered promiscuous mode [ 28.433884][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.440991][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.448364][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.455574][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.479364][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.487441][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.494779][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.505039][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.513441][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.520506][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.534791][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.543047][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.550139][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.563622][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.572628][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.586568][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.597982][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.606326][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.614185][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.622651][ T367] device veth0_vlan entered promiscuous mode [ 28.632692][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.641941][ T367] device veth1_macvtap entered promiscuous mode [ 28.651478][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.661559][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.685272][ T374] ================================================================== [ 28.693406][ T374] BUG: KASAN: use-after-free in mutex_lock+0x8e/0x1c0 [ 28.700311][ T374] Write of size 8 at addr ffff8881105f1150 by task syz.2.17/374 [ 28.707964][ T374] [ 28.710319][ T374] CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0 [ 28.717454][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 28.727519][ T374] Call Trace: [ 28.730799][ T374] [ 28.733733][ T374] __dump_stack+0x21/0x30 [ 28.738069][ T374] dump_stack_lvl+0x110/0x170 [ 28.742744][ T374] ? show_regs_print_info+0x20/0x20 [ 28.747948][ T374] ? load_image+0x3f0/0x3f0 [ 28.752465][ T374] print_address_description+0x7f/0x2c0 [ 28.758038][ T374] ? mutex_lock+0x8e/0x1c0 [ 28.762566][ T374] kasan_report+0x10f/0x150 [ 28.767161][ T374] ? mutex_lock+0x8e/0x1c0 [ 28.771581][ T374] kasan_check_range+0x249/0x2a0 [ 28.776522][ T374] __kasan_check_write+0x14/0x20 [ 28.781472][ T374] mutex_lock+0x8e/0x1c0 [ 28.785806][ T374] ? wait_for_completion_killable_timeout+0x10/0x10 [ 28.792396][ T374] ? l2tp_session_put+0xaf/0x1a0 [ 28.797340][ T374] ? l2tp_session_delete+0x3a9/0x4a0 [ 28.802625][ T374] pppol2tp_release+0x178/0x2b0 [ 28.807503][ T374] sock_close+0xb8/0x200 [ 28.811746][ T374] ? sock_mmap+0xa0/0xa0 [ 28.815989][ T374] __fput+0x22b/0x900 [ 28.820003][ T374] ____fput+0x15/0x20 [ 28.824139][ T374] task_work_run+0x127/0x190 [ 28.828731][ T374] exit_to_user_mode_loop+0xd0/0xe0 [ 28.833934][ T374] exit_to_user_mode_prepare+0x87/0xd0 [ 28.839393][ T374] syscall_exit_to_user_mode+0x1a/0x30 [ 28.844853][ T374] do_syscall_64+0x58/0xa0 [ 28.849477][ T374] ? clear_bhb_loop+0x50/0xa0 [ 28.854163][ T374] ? clear_bhb_loop+0x50/0xa0 [ 28.858859][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.864780][ T374] RIP: 0033:0x7f23072d9e59 [ 28.869218][ T374] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 28.888848][ T374] RSP: 002b:00007ffc4ad6e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 28.897303][ T374] RAX: 0000000000000000 RBX: 00007ffc4ad6ea90 RCX: 00007f23072d9e59 [ 28.905291][ T374] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 28.913273][ T374] RBP: 0000000000006fea R08: 0000000000000001 R09: 0000000000000000 [ 28.921250][ T374] R10: 0000001b32e20000 R11: 0000000000000246 R12: 0000000000000000 [ 28.929315][ T374] R13: 00007f2307552fac R14: 00007f2307552fa8 R15: 00007f2307552fa0 [ 28.937297][ T374] [ 28.940320][ T374] [ 28.942646][ T374] Allocated by task 374: [ 28.946889][ T374] __kasan_kmalloc+0xd4/0x100 [ 28.951664][ T374] __kmalloc+0x13d/0x2c0 [ 28.955936][ T374] l2tp_session_create+0x39/0xb60 [ 28.960971][ T374] pppol2tp_connect+0xbf5/0x1640 [ 28.965945][ T374] __sys_connect+0x3cb/0x450 [ 28.970543][ T374] __x64_sys_connect+0x7a/0x90 [ 28.975312][ T374] x64_sys_call+0x7c/0x9a0 [ 28.979739][ T374] do_syscall_64+0x4c/0xa0 [ 28.984169][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.990094][ T374] [ 28.992423][ T374] Freed by task 374: [ 28.996347][ T374] kasan_set_track+0x4a/0x70 [ 29.000945][ T374] kasan_set_free_info+0x23/0x40 [ 29.005889][ T374] ____kasan_slab_free+0x125/0x160 [ 29.011025][ T374] __kasan_slab_free+0x11/0x20 [ 29.015796][ T374] slab_free_freelist_hook+0xc2/0x190 [ 29.021201][ T374] kfree+0xc4/0x270 [ 29.025197][ T374] l2tp_session_put+0xaf/0x1a0 [ 29.029971][ T374] l2tp_session_delete+0x3a9/0x4a0 [ 29.035096][ T374] pppol2tp_release+0x169/0x2b0 [ 29.039954][ T374] sock_close+0xb8/0x200 [ 29.044204][ T374] __fput+0x22b/0x900 [ 29.048192][ T374] ____fput+0x15/0x20 [ 29.052184][ T374] task_work_run+0x127/0x190 [ 29.056779][ T374] exit_to_user_mode_loop+0xd0/0xe0 [ 29.061979][ T374] exit_to_user_mode_prepare+0x87/0xd0 [ 29.067444][ T374] syscall_exit_to_user_mode+0x1a/0x30 [ 29.072910][ T374] do_syscall_64+0x58/0xa0 [ 29.077332][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 29.083233][ T374] [ 29.085718][ T374] The buggy address belongs to the object at ffff8881105f1000 [ 29.085718][ T374] which belongs to the cache kmalloc-512 of size 512 [ 29.099804][ T374] The buggy address is located 336 bytes inside of [ 29.099804][ T374] 512-byte region [ffff8881105f1000, ffff8881105f1200) [ 29.113084][ T374] The buggy address belongs to the page: [ 29.118748][ T374] page:ffffea0004417c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1105f0 [ 29.128990][ T374] head:ffffea0004417c00 order:2 compound_mapcount:0 compound_pincount:0 [ 29.137318][ T374] flags: 0x4000000000010200(slab|head|zone=1) [ 29.143389][ T374] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00 [ 29.151980][ T374] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 29.160560][ T374] page dumped because: kasan: bad access detected [ 29.166972][ T374] page_owner tracks the page as allocated [ 29.172742][ T374] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 315, ts 28676123121, free_ts 28152608718 [ 29.192557][ T374] post_alloc_hook+0x192/0x1b0 [ 29.197490][ T374] prep_new_page+0x1c/0x110 [ 29.202010][ T374] get_page_from_freelist+0x2c3a/0x2cd0 [ 29.207674][ T374] __alloc_pages+0x1a2/0x460 [ 29.212283][ T374] new_slab+0xa0/0x4d0 [ 29.216367][ T374] ___slab_alloc+0x3ac/0x840 [ 29.220970][ T374] __slab_alloc+0x49/0x90 [ 29.225316][ T374] __kmalloc_track_caller+0x169/0x2c0 [ 29.230706][ T374] __alloc_skb+0x210/0x730 [ 29.235154][ T374] __ipv6_ifa_notify+0x200/0xe70 [ 29.240118][ T374] addrconf_dad_completed+0x182/0xe20 [ 29.245938][ T374] addrconf_dad_work+0xc4c/0x1510 [ 29.251027][ T374] process_one_work+0x6c8/0xbb0 [ 29.255905][ T374] worker_thread+0xaa0/0x1250 [ 29.260609][ T374] kthread+0x3f5/0x4f0 [ 29.264712][ T374] ret_from_fork+0x1f/0x30 [ 29.269146][ T374] page last free stack trace: [ 29.273824][ T374] free_unref_page_prepare+0x5fa/0x600 [ 29.279334][ T374] free_unref_page+0xae/0x540 [ 29.284032][ T374] __free_pages+0x6c/0x100 [ 29.288466][ T374] __free_slab+0xe5/0x1e0 [ 29.292814][ T374] __unfreeze_partials+0x15a/0x190 [ 29.298129][ T374] put_cpu_partial+0xc6/0x120 [ 29.303009][ T374] __slab_free+0x1d4/0x290 [ 29.307631][ T374] ___cache_free+0x104/0x120 [ 29.312247][ T374] qlink_free+0x4d/0x90 [ 29.316437][ T374] qlist_free_all+0x5f/0xb0 [ 29.321635][ T374] kasan_quarantine_reduce+0x14a/0x170 [ 29.327126][ T374] __kasan_slab_alloc+0x2f/0xe0 [ 29.332179][ T374] slab_post_alloc_hook+0x4f/0x2b0 [ 29.337338][ T374] kmem_cache_alloc+0xf7/0x260 [ 29.342118][ T374] __alloc_skb+0xe4/0x730 [ 29.346474][ T374] rtmsg_ifinfo_build_skb+0x75/0x180 [ 29.351785][ T374] [ 29.354135][ T374] Memory state around the buggy address: [ 29.359786][ T374] ffff8881105f1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.367865][ T374] ffff8881105f1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.375970][ T374] >ffff8881105f1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.384388][ T374] ^ [ 29.391197][ T374] ffff8881105f1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.399270][ T374] ffff8881105f1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.407341][ T374] ================================================================== [ 29.415504][ T374] Disabling lock debugging due to kernel taint