d  { noatsecure } for  pid=219 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   12.852194][   T24] audit: type=1400 audit(1730043626.929:63): avc:  denied  { write } for  pid=219 comm="sh" path="pipe:[13789]" dev="pipefs" ino=13789 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[   12.855382][   T24] audit: type=1400 audit(1730043626.929:64): avc:  denied  { rlimitinh } for  pid=219 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   12.858070][   T24] audit: type=1400 audit(1730043626.929:65): avc:  denied  { siginh } for  pid=219 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.1.117' (ED25519) to the list of known hosts.
[   23.772333][   T24] audit: type=1400 audit(1730043637.849:66): avc:  denied  { execmem } for  pid=284 comm="syz-executor372" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   23.775678][   T24] audit: type=1400 audit(1730043637.849:67): avc:  denied  { mounton } for  pid=284 comm="syz-executor372" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   23.776683][  T284] cgroup: Unknown subsys name 'net'
[   23.778945][   T24] audit: type=1400 audit(1730043637.849:68): avc:  denied  { mount } for  pid=284 comm="syz-executor372" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   23.782657][   T24] audit: type=1400 audit(1730043637.859:69): avc:  denied  { unmount } for  pid=284 comm="syz-executor372" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   23.782807][  T284] cgroup: Unknown subsys name 'devices'
[   23.899021][  T284] cgroup: Unknown subsys name 'hugetlb'
[   23.904410][  T284] cgroup: Unknown subsys name 'rlimit'
[   24.089359][   T24] audit: type=1400 audit(1730043638.169:70): avc:  denied  { mounton } for  pid=284 comm="syz-executor372" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   24.102055][  T286] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[   24.114494][   T24] audit: type=1400 audit(1730043638.169:71): avc:  denied  { mount } for  pid=284 comm="syz-executor372" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[   24.146278][   T24] audit: type=1400 audit(1730043638.169:72): avc:  denied  { setattr } for  pid=284 comm="syz-executor372" name="raw-gadget" dev="devtmpfs" ino=249 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   24.169703][   T24] audit: type=1400 audit(1730043638.199:73): avc:  denied  { relabelto } for  pid=286 comm="mkswap" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   24.169815][  T284] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   24.194984][   T24] audit: type=1400 audit(1730043638.199:74): avc:  denied  { write } for  pid=286 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   24.228951][   T24] audit: type=1400 audit(1730043638.229:75): avc:  denied  { read } for  pid=284 comm="syz-executor372" name="swap-file" dev="sda1" ino=1929 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   24.258489][  T287] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.265341][  T287] bridge0: port 1(bridge_slave_0) entered disabled state
[   24.272596][  T287] device bridge_slave_0 entered promiscuous mode
[   24.279182][  T287] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.286010][  T287] bridge0: port 2(bridge_slave_1) entered disabled state
[   24.293320][  T287] device bridge_slave_1 entered promiscuous mode
[   24.322720][  T287] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.329572][  T287] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.336624][  T287] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.343483][  T287] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.359441][   T48] bridge0: port 1(bridge_slave_0) entered disabled state
[   24.366442][   T48] bridge0: port 2(bridge_slave_1) entered disabled state
[   24.373566][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   24.381292][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   24.389960][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   24.397912][   T48] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.404736][   T48] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.413146][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   24.421111][   T48] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.427949][   T48] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.438878][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   24.447633][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   24.459655][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   24.470206][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   24.478215][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   24.485499][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   24.493443][  T287] device veth0_vlan entered promiscuous mode
[   24.502306][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   24.510933][  T287] device veth1_macvtap entered promiscuous mode
[   24.519730][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   24.529183][   T48] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   24.546750][  T287] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[   24.564856][  T293] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[   24.577980][  T293] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode
[   24.588742][  T293] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=a00ec019, mo2=0002]
[   24.596470][  T293] System zones: 1-12
[   24.601225][  T293] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2806: Unable to expand inode 15. Delete some EAs or run e2fsck.
[   24.614155][  T293] EXT4-fs (loop0): 1 truncate cleaned up
[   24.619646][  T293] EXT4-fs (loop0): mounted filesystem without journal. Opts: nogrpid,resuid=0x000000000000ee01,debug_want_extra_isize=0x0000000000000068,debug,nombcache,quota,,errors=continue
[   24.643295][  T293] ==================================================================
[   24.651189][  T293] BUG: KASAN: use-after-free in ext4_search_dir+0xf7/0x1b0
[   24.658199][  T293] Read of size 1 at addr ffff88810d4cb900 by task syz-executor372/293
[   24.666179][  T293] 
[   24.668356][  T293] CPU: 1 PID: 293 Comm: syz-executor372 Not tainted 5.10.226-syzkaller #0
[   24.676689][  T293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[   24.686675][  T293] Call Trace:
[   24.689800][  T293]  dump_stack_lvl+0x1e2/0x24b
[   24.694306][  T293]  ? bfq_pos_tree_add_move+0x43b/0x43b
[   24.699602][  T293]  ? panic+0x812/0x812
[   24.703503][  T293]  print_address_description+0x81/0x3b0
[   24.708893][  T293]  kasan_report+0x179/0x1c0
[   24.713235][  T293]  ? ext4_search_dir+0xf7/0x1b0
[   24.717936][  T293]  ? ext4_search_dir+0xf7/0x1b0
[   24.722599][  T293]  __asan_report_load1_noabort+0x14/0x20
[   24.728070][  T293]  ext4_search_dir+0xf7/0x1b0
[   24.732666][  T293]  ext4_find_inline_entry+0x4b6/0x5e0
[   24.737874][  T293]  ? __kasan_check_write+0x14/0x20
[   24.742824][  T293]  ? ext4_try_create_inline_dir+0x320/0x320
[   24.748556][  T293]  ? stack_trace_save+0x113/0x1c0
[   24.753674][  T293]  __ext4_find_entry+0x2b0/0x1990
[   24.758542][  T293]  ? __kasan_slab_alloc+0xc3/0xe0
[   24.763397][  T293]  ? __kasan_slab_alloc+0xb1/0xe0
[   24.768257][  T293]  ? __d_alloc+0x2d/0x6c0
[   24.772419][  T293]  ? d_alloc+0x4b/0x1d0
[   24.776412][  T293]  ? __lookup_hash+0xe7/0x290
[   24.781098][  T293]  ? do_syscall_64+0x34/0x70
[   24.785526][  T293]  ? entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   24.791877][  T293]  ? ext4_ci_compare+0x660/0x660
[   24.796728][  T293]  ? generic_set_encrypted_ci_d_ops+0x91/0xf0
[   24.802627][  T293]  ext4_lookup+0x3c6/0xaa0
[   24.806878][  T293]  ? ext4_add_entry+0x1280/0x1280
[   24.811769][  T293]  ? __kasan_check_write+0x14/0x20
[   24.816694][  T293]  ? _raw_spin_lock+0xa4/0x1b0
[   24.821394][  T293]  ? __d_alloc+0x4dd/0x6c0
[   24.825630][  T293]  ? _raw_spin_unlock+0x4d/0x70
[   24.830318][  T293]  ? d_alloc+0x199/0x1d0
[   24.834406][  T293]  __lookup_hash+0x143/0x290
[   24.838826][  T293]  filename_create+0x202/0x750
[   24.843432][  T293]  ? __check_object_size+0x2e6/0x3c0
[   24.848547][  T293]  ? kern_path_create+0x40/0x40
[   24.853226][  T293]  do_mknodat+0x187/0x450
[   24.857417][  T293]  ? may_open+0x3f0/0x3f0
[   24.861574][  T293]  ? debug_smp_processor_id+0x17/0x20
[   24.866944][  T293]  __x64_sys_mknod+0x80/0x90
[   24.871392][  T293]  do_syscall_64+0x34/0x70
[   24.875713][  T293]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   24.881651][  T293] RIP: 0033:0x7f1b23f9d119
[   24.885893][  T293] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   24.905334][  T293] RSP: 002b:00007fffcb015fc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
[   24.913577][  T293] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1b23f9d119
[   24.921389][  T293] RDX: 0000000000000701 RSI: 0000000000000000 RDI: 0000000020000000
[   24.929203][  T293] RBP: 00007f1b24013488 R08: 0000000000001501 R09: 00007fffcb016050
[   24.937124][  T293] R10: 0000000000001505 R11: 0000000000000246 R12: 00007fffcb016050
[   24.945624][  T293] R13: 00007fffcb016010 R14: 0000000000000003 R15: 0000000000000000
[   24.953444][  T293] 
[   24.955604][  T293] Allocated by task 133:
[   24.959694][  T293]  __kasan_slab_alloc+0xb1/0xe0
[   24.964371][  T293]  slab_post_alloc_hook+0x61/0x2f0
[   24.969333][  T293]  kmem_cache_alloc+0x168/0x2e0
[   24.974004][  T293]  __alloc_skb+0x80/0x510
[   24.978167][  T293]  alloc_skb_with_frags+0xa1/0x570
[   24.983128][  T293]  sock_alloc_send_pskb+0x915/0xa50
[   24.988153][  T293]  unix_dgram_sendmsg+0x700/0x1f90
[   24.993096][  T293]  sock_write_iter+0x39b/0x530
[   24.997697][  T293]  do_iter_readv_writev+0x58e/0x790
[   25.002730][  T293]  do_iter_write+0x183/0x640
[   25.007157][  T293]  vfs_writev+0x26e/0x510
[   25.011328][  T293]  do_writev+0x1aa/0x340
[   25.015403][  T293]  __x64_sys_writev+0x7d/0x90
[   25.019919][  T293]  do_syscall_64+0x34/0x70
[   25.024170][  T293]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   25.029984][  T293] 
[   25.032150][  T293] Freed by task 132:
[   25.035886][  T293]  kasan_set_track+0x4b/0x70
[   25.040318][  T293]  kasan_set_free_info+0x23/0x40
[   25.045088][  T293]  ____kasan_slab_free+0x121/0x160
[   25.050035][  T293]  __kasan_slab_free+0x11/0x20
[   25.054645][  T293]  slab_free_freelist_hook+0xc0/0x190
[   25.059849][  T293]  kmem_cache_free+0xa9/0x1e0
[   25.064356][  T293]  kfree_skbmem+0x104/0x170
[   25.068695][  T293]  consume_skb+0xb4/0x250
[   25.072864][  T293]  skb_free_datagram+0x28/0xe0
[   25.077464][  T293]  unix_dgram_recvmsg+0xc97/0x1240
[   25.082421][  T293]  sock_read_iter+0x353/0x480
[   25.086925][  T293]  do_iter_readv_writev+0x58e/0x790
[   25.091959][  T293]  do_iter_read+0x177/0x650
[   25.096301][  T293]  do_readv+0x268/0x460
[   25.100299][  T293]  __x64_sys_readv+0x7d/0x90
[   25.105500][  T293]  do_syscall_64+0x34/0x70
[   25.109760][  T293]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   25.115475][  T293] 
[   25.117646][  T293] The buggy address belongs to the object at ffff88810d4cb8c0
[   25.117646][  T293]  which belongs to the cache skbuff_head_cache of size 248
[   25.132145][  T293] The buggy address is located 64 bytes inside of
[   25.132145][  T293]  248-byte region [ffff88810d4cb8c0, ffff88810d4cb9b8)
[   25.145160][  T293] The buggy address belongs to the page:
[   25.150654][  T293] page:ffffea00043532c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d4cb
[   25.160818][  T293] flags: 0x4000000000000200(slab)
[   25.165657][  T293] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888107d9cf00
[   25.174077][  T293] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   25.182575][  T293] page dumped because: kasan: bad access detected
[   25.188828][  T293] page_owner tracks the page as allocated
[   25.194379][  T293] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 133, ts 5135146807, free_ts 5125660724
[   25.210003][  T293]  prep_new_page+0x166/0x180
[   25.214426][  T293]  get_page_from_freelist+0x2d8c/0x2f30
[   25.220015][  T293]  __alloc_pages_nodemask+0x435/0xaf0
[   25.225209][  T293]  new_slab+0x80/0x400
[   25.229116][  T293]  ___slab_alloc+0x302/0x4b0
[   25.233539][  T293]  __slab_alloc+0x63/0xa0
[   25.237708][  T293]  kmem_cache_alloc+0x1b9/0x2e0
[   25.242393][  T293]  __alloc_skb+0x80/0x510
[   25.246657][  T293]  inet6_rt_notify+0x2db/0x550
[   25.251361][  T293]  fib6_add+0x233e/0x3d20
[   25.255514][  T293]  ip6_route_add+0x8a/0x130
[   25.259859][  T293]  addrconf_add_dev+0x415/0x610
[   25.264552][  T293]  addrconf_dev_config+0x231/0x5a0
[   25.269498][  T293]  addrconf_notify+0x8c5/0xe90
[   25.274091][  T293]  raw_notifier_call_chain+0x8c/0xf0
[   25.279212][  T293]  __dev_notify_flags+0x304/0x610
[   25.284068][  T293] page last free stack trace:
[   25.288596][  T293]  free_unref_page_prepare+0x2ae/0x2d0
[   25.293893][  T293]  free_the_page+0x9e/0x370
[   25.298225][  T293]  __free_pages+0x67/0xc0
[   25.302380][  T293]  free_pages+0x7c/0x90
[   25.306376][  T293]  pgd_free+0x17d/0x190
[   25.310369][  T293]  __mmdrop+0xb0/0x490
[   25.314279][  T293]  finish_task_switch+0x1e6/0x5a0
[   25.319136][  T293]  __schedule+0xbee/0x1330
[   25.323384][  T293]  preempt_schedule_irq+0xc7/0x140
[   25.328347][  T293]  irqentry_exit+0x4f/0x60
[   25.332602][  T293]  sysvec_reschedule_ipi+0x83/0x160
[   25.337619][  T293]  asm_sysvec_reschedule_ipi+0x12/0x20
[   25.342910][  T293] 
[   25.345077][  T293] Memory state around the buggy address:
[   25.350550][  T293]  ffff88810d4cb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   25.358452][  T293]  ffff88810d4cb880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   25.366422][  T293] >ffff88810d4cb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.374279][  T293]                    ^
[   25.378162][  T293]  ffff88810d4cb980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   25.386067][  T293]  ffff88810d4cba00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.394040][  T293] ==================================================================
[   25.401948][  T293] Disabling lock debugging due to kernel taint
[   25.411082][  T293] EXT4-fs error (device loop0): ext4_find_dest_de:2077: inode #12: block 7: comm syz-executor372: bad entry in directory: directory entry overrun - offset=0, inode=1793120026, rec_len=34652, size=56 fake=0
[   25.441317][  T287] EXT4-fs error (device loop0): ext4_lookup:1828: inode #11: comm syz-executor372: iget: bad