Warning: Permanently added '10.128.0.205' (ED25519) to the list of known hosts. 2026/06/21 08:03:24 parsed 1 programs 2026/06/21 08:03:24 serving rpc on tcp://46807 [ 25.979248][ T30] audit: type=1400 audit(1782029004.765:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 25.982939][ T30] audit: type=1400 audit(1782029004.765:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 26.649149][ T30] audit: type=1400 audit(1782029005.435:66): avc: denied { mounton } for pid=300 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 26.650234][ T300] cgroup: Unknown subsys name 'net' [ 26.671819][ T30] audit: type=1400 audit(1782029005.435:67): avc: denied { mount } for pid=300 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.699693][ T30] audit: type=1400 audit(1782029005.465:68): avc: denied { unmount } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.699876][ T300] cgroup: Unknown subsys name 'devices' [ 26.849645][ T300] cgroup: Unknown subsys name 'hugetlb' [ 26.855280][ T300] cgroup: Unknown subsys name 'rlimit' [ 26.996841][ T30] audit: type=1400 audit(1782029005.775:69): avc: denied { setattr } for pid=300 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 27.020428][ T30] audit: type=1400 audit(1782029005.775:70): avc: denied { create } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 27.026725][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 27.041170][ T30] audit: type=1400 audit(1782029005.775:71): avc: denied { write } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.070085][ T30] audit: type=1400 audit(1782029005.775:72): avc: denied { read } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.090573][ T30] audit: type=1400 audit(1782029005.775:73): avc: denied { mounton } for pid=300 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 27.096451][ T300] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 27.490568][ T305] request_module fs-gadgetfs succeeded, but still no fs? [ 27.878923][ T331] syz-executor (331) used greatest stack depth: 21880 bytes left [ 27.956504][ T343] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.963863][ T343] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.971384][ T343] device bridge_slave_0 entered promiscuous mode [ 27.978492][ T343] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.985962][ T343] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.993409][ T343] device bridge_slave_1 entered promiscuous mode [ 28.032377][ T343] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.041829][ T343] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.049210][ T343] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.056325][ T343] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.073182][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.082298][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.090033][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.102068][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.110372][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.117375][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.125045][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.133493][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.140640][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.151883][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.160975][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.173432][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.183971][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.192322][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.200344][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.208943][ T343] device veth0_vlan entered promiscuous mode [ 28.218289][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.227230][ T343] device veth1_macvtap entered promiscuous mode [ 28.235807][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.245343][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.272523][ T343] syz-executor (343) used greatest stack depth: 21376 bytes left 2026/06/21 08:03:27 executed programs: 0 [ 28.583106][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.591194][ T367] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.599509][ T367] device bridge_slave_0 entered promiscuous mode [ 28.606576][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.613690][ T367] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.621771][ T367] device bridge_slave_1 entered promiscuous mode [ 28.661075][ T367] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.668218][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.675478][ T367] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.682520][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.699794][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.707391][ T348] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.714762][ T348] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.727260][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.736860][ T348] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.743928][ T348] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.752441][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.760967][ T348] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.768009][ T348] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.787538][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 28.795594][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.804371][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 28.812785][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.830974][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 28.839429][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.849765][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 28.858392][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.866760][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.874277][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.882621][ T367] device veth0_vlan entered promiscuous mode [ 28.898850][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 28.907731][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.922175][ T367] device veth1_macvtap entered promiscuous mode [ 28.933118][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 28.941140][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 28.949918][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.968709][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 28.977015][ T348] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.996232][ T373] loop2: detected capacity change from 0 to 512 [ 29.011031][ T373] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! [ 29.024749][ T373] EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode [ 29.036837][ T373] EXT4-fs (loop2): 1 truncate cleaned up [ 29.042658][ T373] EXT4-fs (loop2): mounted filesystem without journal. Opts: noblock_validity,max_batch_time=0x0000000000000002,resuid=0x0000000000000000,block_validity,stripe=0x0000000000000009,nombcache,,errors=continue. Quota mode: none. [ 29.073311][ T373] ================================================================== [ 29.081468][ T373] BUG: KASAN: use-after-free in ext4_search_dir+0xf8/0x1c0 [ 29.088771][ T373] Read of size 1 at addr ffff88812988cc86 by task syz.2.17/373 [ 29.096312][ T373] [ 29.098661][ T373] CPU: 1 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0 [ 29.105753][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 29.116790][ T373] Call Trace: [ 29.120057][ T373] [ 29.122975][ T373] __dump_stack+0x21/0x30 [ 29.127316][ T373] dump_stack_lvl+0x110/0x170 [ 29.131987][ T373] ? show_regs_print_info+0x20/0x20 [ 29.137191][ T373] ? load_image+0x3f0/0x3f0 [ 29.141677][ T373] ? rwsem_read_trylock+0x2af/0x640 [ 29.146859][ T373] print_address_description+0x7f/0x2c0 [ 29.152406][ T373] ? ext4_search_dir+0xf8/0x1c0 [ 29.157236][ T373] kasan_report+0x10f/0x150 [ 29.161718][ T373] ? ext4_search_dir+0xf8/0x1c0 [ 29.166557][ T373] __asan_report_load1_noabort+0x14/0x20 [ 29.172192][ T373] ext4_search_dir+0xf8/0x1c0 [ 29.176855][ T373] ext4_find_inline_entry+0x4f2/0x630 [ 29.182211][ T373] ? ext4_try_create_inline_dir+0x310/0x310 [ 29.188089][ T373] ? __kasan_check_write+0x14/0x20 [ 29.193201][ T373] ? _raw_spin_lock_irqsave+0xc2/0x130 [ 29.198640][ T373] __ext4_find_entry+0x307/0x1a10 [ 29.203736][ T373] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 29.209684][ T373] ? __stack_depot_save+0x441/0x480 [ 29.215006][ T373] ? ext4_ci_compare+0x3f0/0x3f0 [ 29.221718][ T373] ? d_alloc+0x48/0x260 [ 29.225886][ T373] ? lookup_one_qstr_excl+0xcb/0x250 [ 29.231283][ T373] ? filename_create+0x23d/0x440 [ 29.236209][ T373] ? do_mkdirat+0x5c/0x4d0 [ 29.240610][ T373] ? __x64_sys_mkdirat+0x89/0xa0 [ 29.245558][ T373] ? x64_sys_call+0x37e/0x9a0 [ 29.250224][ T373] ? do_syscall_64+0x4c/0xa0 [ 29.254804][ T373] ? entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 29.260885][ T373] ? generic_set_encrypted_ci_d_ops+0xce/0x100 [ 29.267024][ T373] ext4_lookup+0x382/0x930 [ 29.271434][ T373] ? ext4_add_entry+0x1020/0x1020 [ 29.276507][ T373] ? d_alloc+0x1f4/0x260 [ 29.280906][ T373] lookup_one_qstr_excl+0x114/0x250 [ 29.286209][ T373] filename_create+0x23d/0x440 [ 29.291187][ T373] ? kern_path_create+0x1b0/0x1b0 [ 29.296230][ T373] do_mkdirat+0x5c/0x4d0 [ 29.300820][ T373] ? getname_flags+0x205/0x510 [ 29.306175][ T373] __x64_sys_mkdirat+0x89/0xa0 [ 29.311125][ T373] x64_sys_call+0x37e/0x9a0 [ 29.315747][ T373] do_syscall_64+0x4c/0xa0 [ 29.320152][ T373] ? clear_bhb_loop+0x50/0xa0 [ 29.324949][ T373] ? clear_bhb_loop+0x50/0xa0 [ 29.329667][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 29.335567][ T373] RIP: 0033:0x7f54149c7cc7 [ 29.340055][ T373] Code: 00 66 90 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 db f7 ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 29.359761][ T373] RSP: 002b:00007fff425b8378 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 [ 29.368162][ T373] RAX: ffffffffffffffda RBX: 00007fff425b8400 RCX: 00007f54149c7cc7 [ 29.376149][ T373] RDX: 00000000000001ff RSI: 0000200000000080 RDI: 00000000ffffff9c [ 29.384139][ T373] RBP: 0000200000000140 R08: 0000200000000080 R09: 0000000000000000 [ 29.392108][ T373] R10: 0000200000000140 R11: 0000000000000246 R12: 0000200000000080 [ 29.400066][ T373] R13: 00007fff425b83c0 R14: 0000000000000000 R15: 0000000000000000 [ 29.408027][ T373] [ 29.411104][ T373] [ 29.413424][ T373] The buggy address belongs to the page: [ 29.419030][ T373] page:ffffea0004a62300 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12988c [ 29.429259][ T373] flags: 0x4000000000000000(zone=1) [ 29.434461][ T373] raw: 4000000000000000 ffffea0004a62348 ffffea0004a622c8 0000000000000000 [ 29.443023][ T373] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 29.451620][ T373] page dumped because: kasan: bad access detected [ 29.458102][ T373] page_owner tracks the page as freed [ 29.463454][ T373] page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 300, ts 27133422408, free_ts 27161747324 [ 29.481448][ T373] post_alloc_hook+0x192/0x1b0 [ 29.486213][ T373] prep_new_page+0x1c/0x110 [ 29.490697][ T373] get_page_from_freelist+0x2c3a/0x2cd0 [ 29.496221][ T373] __alloc_pages+0x1a2/0x460 [ 29.500816][ T373] handle_pte_fault+0xee5/0x2770 [ 29.505744][ T373] do_handle_mm_fault+0x1b3b/0x1e30 [ 29.510919][ T373] do_user_addr_fault+0x808/0x11c0 [ 29.516014][ T373] exc_page_fault+0x51/0xb0 [ 29.520517][ T373] asm_exc_page_fault+0x27/0x30 [ 29.525482][ T373] page last free stack trace: [ 29.530233][ T373] free_unref_page_prepare+0x542/0x550 [ 29.535676][ T373] free_unref_page_list+0x138/0x9e0 [ 29.541463][ T373] release_pages+0x1264/0x12c0 [ 29.546313][ T373] free_pages_and_swap_cache+0x86/0xa0 [ 29.551757][ T373] tlb_finish_mmu+0x17e/0x310 [ 29.557372][ T373] unmap_region+0x344/0x3b0 [ 29.561856][ T373] __do_munmap+0xa99/0x1090 [ 29.566335][ T373] __vm_munmap+0x14e/0x280 [ 29.571608][ T373] __x64_sys_munmap+0x6b/0x80 [ 29.576275][ T373] x64_sys_call+0xc9/0x9a0 [ 29.580703][ T373] do_syscall_64+0x4c/0xa0 [ 29.585296][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 29.592766][ T373] [ 29.595503][ T373] Memory state around the buggy address: [ 29.601107][ T373] ffff88812988cb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.609143][ T373] ffff88812988cc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.617365][ T373] >ffff88812988cc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.625418][ T373] ^ [ 29.629660][ T373] ffff88812988cd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.637860][ T373] ffff88812988cd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.645908][ T373] ================================================================== [ 29.653978][ T373] Disabling lock debugging due to kernel taint [ 29.663687][ T373] EXT4-fs error (device loop2): ext4_check_all_de:667: inode #12: block 7: comm syz.2.17: bad entry in directory: directory entry overrun - offset=0, inode=901261600, rec_len=7976, size=124 fake=0