Warning: Permanently added '10.128.0.234' (ED25519) to the list of known hosts. 2026/06/27 09:04:38 parsed 1 programs 2026/06/27 09:04:38 serving rpc on tcp://37945 [ 32.176581][ T30] audit: type=1400 audit(1782551078.826:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 32.208196][ T30] audit: type=1400 audit(1782551078.826:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 33.364513][ T30] audit: type=1400 audit(1782551080.016:66): avc: denied { mounton } for pid=299 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 33.368670][ T299] cgroup: Unknown subsys name 'net' [ 33.397405][ T30] audit: type=1400 audit(1782551080.016:67): avc: denied { mount } for pid=299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 33.438055][ T30] audit: type=1400 audit(1782551080.056:68): avc: denied { unmount } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 33.438423][ T299] cgroup: Unknown subsys name 'devices' [ 33.625378][ T299] cgroup: Unknown subsys name 'hugetlb' [ 33.631674][ T299] cgroup: Unknown subsys name 'rlimit' [ 33.843806][ T30] audit: type=1400 audit(1782551080.496:69): avc: denied { setattr } for pid=299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 33.876806][ T30] audit: type=1400 audit(1782551080.496:70): avc: denied { create } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 33.908397][ T30] audit: type=1400 audit(1782551080.496:71): avc: denied { write } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 33.915480][ T304] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 33.936808][ T30] audit: type=1400 audit(1782551080.496:72): avc: denied { read } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 33.988607][ T30] audit: type=1400 audit(1782551080.496:73): avc: denied { mounton } for pid=299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 34.054186][ T299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 34.626460][ T306] request_module fs-gadgetfs succeeded, but still no fs? [ 34.797294][ T315] bridge0: port 1(bridge_slave_0) entered blocking state [ 34.806730][ T315] bridge0: port 1(bridge_slave_0) entered disabled state [ 34.816903][ T315] device bridge_slave_0 entered promiscuous mode [ 34.827798][ T315] bridge0: port 2(bridge_slave_1) entered blocking state [ 34.835937][ T315] bridge0: port 2(bridge_slave_1) entered disabled state [ 34.850668][ T315] device bridge_slave_1 entered promiscuous mode [ 34.905722][ T315] bridge0: port 2(bridge_slave_1) entered blocking state [ 34.913378][ T315] bridge0: port 2(bridge_slave_1) entered forwarding state [ 34.929743][ T315] bridge0: port 1(bridge_slave_0) entered blocking state [ 34.940841][ T315] bridge0: port 1(bridge_slave_0) entered forwarding state [ 34.966269][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 34.975457][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 34.987504][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.000944][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 35.016429][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 35.029402][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 35.039692][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 35.051971][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 35.067164][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 35.076413][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 35.092570][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 35.105973][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 35.125523][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 35.145235][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 35.154466][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 35.169950][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 35.183878][ T315] device veth0_vlan entered promiscuous mode [ 35.195995][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 35.208043][ T315] device veth1_macvtap entered promiscuous mode [ 35.227940][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 35.248080][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 35.290786][ T315] syz-executor (315) used greatest stack depth: 20576 bytes left [ 36.004625][ T10] device bridge_slave_1 left promiscuous mode [ 36.027769][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 36.042629][ T10] device bridge_slave_0 left promiscuous mode [ 36.057913][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 36.070084][ T10] device veth1_macvtap left promiscuous mode [ 36.079144][ T10] device veth0_vlan left promiscuous mode 2026/06/27 09:04:43 executed programs: 0 [ 36.461379][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 36.474621][ T368] bridge0: port 1(bridge_slave_0) entered disabled state [ 36.485673][ T368] device bridge_slave_0 entered promiscuous mode [ 36.495176][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 36.503498][ T368] bridge0: port 2(bridge_slave_1) entered disabled state [ 36.513123][ T368] device bridge_slave_1 entered promiscuous mode [ 36.574149][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 36.588674][ T368] bridge0: port 2(bridge_slave_1) entered forwarding state [ 36.599957][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 36.614632][ T368] bridge0: port 1(bridge_slave_0) entered forwarding state [ 36.646273][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 36.655629][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 36.667976][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 36.684336][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 36.696985][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 36.708113][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 36.720441][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 36.730508][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 36.741299][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 36.756355][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 36.772360][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 36.790911][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 36.806950][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 36.821500][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 36.833156][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 36.843646][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 36.855833][ T368] device veth0_vlan entered promiscuous mode [ 36.872267][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 36.886588][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 36.908850][ T368] device veth1_macvtap entered promiscuous mode [ 36.924228][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 36.932576][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 36.946663][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 36.960062][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 36.971033][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 37.022814][ T372] ================================================================== [ 37.033055][ T372] BUG: KASAN: use-after-free in mutex_lock+0x8e/0x1c0 [ 37.046206][ T372] Write of size 8 at addr ffff88811f2a2950 by task syz.2.17/372 [ 37.055535][ T372] [ 37.061424][ T372] CPU: 1 PID: 372 Comm: syz.2.17 Not tainted syzkaller #0 [ 37.073049][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 37.089328][ T372] Call Trace: [ 37.094201][ T372] [ 37.097888][ T372] __dump_stack+0x21/0x30 [ 37.105654][ T372] dump_stack_lvl+0x110/0x170 [ 37.112176][ T372] ? show_regs_print_info+0x20/0x20 [ 37.118810][ T372] ? load_image+0x3f0/0x3f0 [ 37.126908][ T372] print_address_description+0x7f/0x2c0 [ 37.133753][ T372] ? mutex_lock+0x8e/0x1c0 [ 37.144990][ T372] kasan_report+0x10f/0x150 [ 37.151662][ T372] ? mutex_lock+0x8e/0x1c0 [ 37.157769][ T372] kasan_check_range+0x249/0x2a0 [ 37.165478][ T372] __kasan_check_write+0x14/0x20 [ 37.174092][ T372] mutex_lock+0x8e/0x1c0 [ 37.181460][ T372] ? wait_for_completion_killable_timeout+0x10/0x10 [ 37.192324][ T372] ? l2tp_session_put+0xaf/0x1a0 [ 37.205482][ T372] ? l2tp_session_delete+0x3a9/0x4a0 [ 37.211406][ T372] pppol2tp_release+0x178/0x2b0 [ 37.219043][ T372] sock_close+0xb8/0x200 [ 37.226211][ T372] ? sock_mmap+0xa0/0xa0 [ 37.231191][ T372] __fput+0x22b/0x900 [ 37.238542][ T372] ____fput+0x15/0x20 [ 37.247193][ T372] task_work_run+0x127/0x190 [ 37.254553][ T372] exit_to_user_mode_loop+0xd0/0xe0 [ 37.263891][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 37.271140][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 37.282364][ T372] do_syscall_64+0x58/0xa0 [ 37.289287][ T372] ? clear_bhb_loop+0x50/0xa0 [ 37.303279][ T372] ? clear_bhb_loop+0x50/0xa0 [ 37.311422][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 37.319346][ T372] RIP: 0033:0x7f7d47556e59 [ 37.328179][ T372] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 37.363469][ T372] RSP: 002b:00007fff454e1108 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 37.379105][ T372] RAX: 0000000000000000 RBX: 00007fff454e11f0 RCX: 00007f7d47556e59 [ 37.391668][ T372] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 37.409047][ T372] RBP: 0000000000009069 R08: 0000000000000001 R09: 0000000000000000 [ 37.420645][ T372] R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000 [ 37.430904][ T372] R13: 00007f7d477cffac R14: 00007f7d477cffa8 R15: 00007f7d477cffa0 [ 37.446344][ T372] [ 37.450644][ T372] [ 37.454660][ T372] Allocated by task 372: [ 37.463830][ T372] __kasan_kmalloc+0xd4/0x100 [ 37.469554][ T372] __kmalloc+0x13d/0x2c0 [ 37.474112][ T372] l2tp_session_create+0x39/0xb60 [ 37.485771][ T372] pppol2tp_connect+0xbf5/0x1640 [ 37.493563][ T372] __sys_connect+0x3cb/0x450 [ 37.502981][ T372] __x64_sys_connect+0x7a/0x90 [ 37.510143][ T372] x64_sys_call+0x7c/0x9a0 [ 37.514958][ T372] do_syscall_64+0x4c/0xa0 [ 37.521328][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 37.529486][ T372] [ 37.532994][ T372] Freed by task 372: [ 37.538178][ T372] kasan_set_track+0x4a/0x70 [ 37.546253][ T372] kasan_set_free_info+0x23/0x40 [ 37.552637][ T372] ____kasan_slab_free+0x125/0x160 [ 37.559880][ T372] __kasan_slab_free+0x11/0x20 [ 37.567692][ T372] slab_free_freelist_hook+0xc2/0x190 [ 37.574533][ T372] kfree+0xc4/0x270 [ 37.579790][ T372] l2tp_session_put+0xaf/0x1a0 [ 37.587227][ T372] l2tp_session_delete+0x3a9/0x4a0 [ 37.597280][ T372] pppol2tp_release+0x169/0x2b0 [ 37.604176][ T372] sock_close+0xb8/0x200 [ 37.609769][ T372] __fput+0x22b/0x900 [ 37.614636][ T372] ____fput+0x15/0x20 [ 37.624657][ T372] task_work_run+0x127/0x190 [ 37.631597][ T372] exit_to_user_mode_loop+0xd0/0xe0 [ 37.638329][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 37.648526][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 37.656272][ T372] do_syscall_64+0x58/0xa0 [ 37.662869][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 37.670782][ T372] [ 37.673133][ T372] The buggy address belongs to the object at ffff88811f2a2800 [ 37.673133][ T372] which belongs to the cache kmalloc-512 of size 512 [ 37.696172][ T372] The buggy address is located 336 bytes inside of [ 37.696172][ T372] 512-byte region [ffff88811f2a2800, ffff88811f2a2a00) [ 37.716899][ T372] The buggy address belongs to the page: [ 37.729823][ T372] page:ffffea00047ca800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2a0 [ 37.745925][ T372] head:ffffea00047ca800 order:2 compound_mapcount:0 compound_pincount:0 [ 37.756774][ T372] flags: 0x4000000000010200(slab|head|zone=1) [ 37.766076][ T372] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00 [ 37.777829][ T372] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 37.789766][ T372] page dumped because: kasan: bad access detected [ 37.798803][ T372] page_owner tracks the page as allocated [ 37.808572][ T372] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 368, ts 37003049093, free_ts 23151506233 [ 37.832070][ T372] post_alloc_hook+0x192/0x1b0 [ 37.838430][ T372] prep_new_page+0x1c/0x110 [ 37.845202][ T372] get_page_from_freelist+0x2c3a/0x2cd0 [ 37.851610][ T372] __alloc_pages+0x1a2/0x460 [ 37.859699][ T372] new_slab+0xa0/0x4d0 [ 37.866380][ T372] ___slab_alloc+0x3ac/0x840 [ 37.871636][ T372] __slab_alloc+0x49/0x90 [ 37.876951][ T372] __kmalloc+0x16a/0x2c0 [ 37.881926][ T372] fib6_info_alloc+0x34/0xe0 [ 37.887366][ T372] ip6_route_info_create+0x51b/0x14d0 [ 37.896536][ T372] ip6_route_add+0x27/0x130 [ 37.902648][ T372] addrconf_add_dev+0x385/0x4c0 [ 37.908283][ T372] addrconf_init_auto_addrs+0x7ae/0xbd0 [ 37.918747][ T372] addrconf_notify+0x95d/0xe00 [ 37.924170][ T372] raw_notifier_call_chain+0x90/0x100 [ 37.930508][ T372] __dev_notify_flags+0x2f4/0x5b0 [ 37.939310][ T372] page last free stack trace: [ 37.948327][ T372] free_unref_page_prepare+0x5fa/0x600 [ 37.958042][ T372] free_unref_page+0xae/0x540 [ 37.966762][ T372] free_compound_page+0x78/0xa0 [ 37.973326][ T372] __put_compound_page+0x77/0xb0 [ 37.979577][ T372] __put_page+0xbc/0xe0 [ 37.986116][ T372] skb_release_data+0x37c/0xa20 [ 37.992717][ T372] __kfree_skb+0x50/0x70 [ 37.998853][ T372] tcp_recvmsg_locked+0x13d1/0x24f0 [ 38.008466][ T372] tcp_recvmsg+0x233/0x770 [ 38.014032][ T372] inet_recvmsg+0x13a/0x470 [ 38.022870][ T372] sock_read_iter+0x2c2/0x380 [ 38.028293][ T372] vfs_read+0x6c0/0xc20 [ 38.034030][ T372] ksys_read+0x14a/0x260 [ 38.039163][ T372] __x64_sys_read+0x7b/0x90 [ 38.045795][ T372] x64_sys_call+0x96d/0x9a0 [ 38.052615][ T372] do_syscall_64+0x4c/0xa0 [ 38.059755][ T372] [ 38.062456][ T372] Memory state around the buggy address: [ 38.069509][ T372] ffff88811f2a2800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.081373][ T372] ffff88811f2a2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.093946][ T372] >ffff88811f2a2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.105208][ T372] ^ [ 38.113356][ T372] ffff88811f2a2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.124920][ T372] ffff88811f2a2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 38.135209][ T372] ================================================================== [ 38.149306][ T372] Disabling lock debugging due to kernel taint [ 38.178241][ T30] kauditd_printk_skb: 33 callbacks suppressed [ 38.178259][ T30] audit: type=1400 audit(1782551084.826:107): avc: denied { read } for pid=83 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 [ 38.221152][ T30] audit: type=1400 audit(1782551084.826:108): avc: denied { search } for pid=83 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 38.250853][ T30] audit: type=1400 audit(1782551084.826:109): avc: denied { write } for pid=83 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 38.287548][ T30] audit: type=1400 audit(1782551084.826:110): avc: denied { add_name } for pid=83 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 38.325438][ T30] audit: type=1400 audit(1782551084.826:111): avc: denied { create } for pid=83 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 38.356425][ T30] audit: type=1400 audit(1782551084.826:112): avc: denied { append open } for pid=83 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 38.387750][ T30] audit: type=1400 audit(1782551084.826:113): avc: denied { getattr } for pid=83 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1