Warning: Permanently added '10.128.0.145' (ED25519) to the list of known hosts. 2026/06/05 19:05:49 parsed 1 programs [ 23.807024][ T28] audit: type=1400 audit(1780686349.798:64): avc: denied { node_bind } for pid=295 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 23.810322][ T28] audit: type=1400 audit(1780686349.798:65): avc: denied { module_request } for pid=295 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 24.506605][ T28] audit: type=1400 audit(1780686350.498:66): avc: denied { mounton } for pid=302 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 24.507638][ T302] cgroup: Unknown subsys name 'net' [ 24.534478][ T28] audit: type=1400 audit(1780686350.498:67): avc: denied { mount } for pid=302 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.556700][ T28] audit: type=1400 audit(1780686350.528:68): avc: denied { unmount } for pid=302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.556859][ T302] cgroup: Unknown subsys name 'devices' [ 24.701706][ T302] cgroup: Unknown subsys name 'hugetlb' [ 24.707365][ T302] cgroup: Unknown subsys name 'rlimit' [ 24.815656][ T28] audit: type=1400 audit(1780686350.808:69): avc: denied { setattr } for pid=302 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.838933][ T28] audit: type=1400 audit(1780686350.808:70): avc: denied { create } for pid=302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.847800][ T306] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 24.859538][ T28] audit: type=1400 audit(1780686350.808:71): avc: denied { write } for pid=302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.888108][ T28] audit: type=1400 audit(1780686350.808:72): avc: denied { read } for pid=302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 24.908350][ T28] audit: type=1400 audit(1780686350.808:73): avc: denied { mounton } for pid=302 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 24.941112][ T302] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 25.524186][ T308] request_module fs-gadgetfs succeeded, but still no fs? [ 25.669874][ T322] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.677211][ T322] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.684602][ T322] device bridge_slave_0 entered promiscuous mode [ 25.691561][ T322] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.698601][ T322] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.705976][ T322] device bridge_slave_1 entered promiscuous mode [ 25.730384][ T318] syz-executor (318) used greatest stack depth: 22144 bytes left [ 25.743980][ T322] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.751031][ T322] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.758261][ T322] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.765293][ T322] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.783668][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.791357][ T317] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.798496][ T317] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.808359][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.816683][ T317] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.823814][ T317] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.833328][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.841557][ T317] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.848568][ T317] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.860346][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.869571][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.883634][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.894443][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.902749][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.910497][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.919242][ T322] device veth0_vlan entered promiscuous mode [ 25.928792][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.937938][ T322] device veth1_macvtap entered promiscuous mode [ 25.946997][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.957422][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.985084][ T322] syz-executor (322) used greatest stack depth: 21760 bytes left 2026/06/05 19:05:52 executed programs: 0 [ 26.669099][ T370] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.676172][ T370] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.684160][ T370] device bridge_slave_0 entered promiscuous mode [ 26.694498][ T370] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.701644][ T370] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.708934][ T370] device bridge_slave_1 entered promiscuous mode [ 26.754107][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 26.761762][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.773195][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 26.782233][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.790461][ T317] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.797470][ T317] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.805159][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 26.813530][ T8] device bridge_slave_1 left promiscuous mode [ 26.819655][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.827316][ T8] device bridge_slave_0 left promiscuous mode [ 26.833495][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.841432][ T8] device veth1_macvtap left promiscuous mode [ 26.847438][ T8] device veth0_vlan left promiscuous mode [ 26.955050][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 26.963713][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.971921][ T317] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.978935][ T317] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.989928][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.999259][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.012204][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.023081][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.031147][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.038606][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.046946][ T370] device veth0_vlan entered promiscuous mode [ 27.056708][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.066290][ T370] device veth1_macvtap entered promiscuous mode [ 27.075558][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.085329][ T317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.111175][ T374] loop2: detected capacity change from 0 to 512 [ 27.124982][ T374] EXT4-fs (loop2): revision level too high, forcing read-only mode [ 27.133046][ T374] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=8802c01c, mo2=0002] [ 27.141491][ T374] EXT4-fs (loop2): orphan cleanup on readonly fs [ 27.148088][ T374] EXT4-fs error (device loop2): ext4_orphan_get:1405: inode #13: comm syz.2.17: iget: bad i_size value: 12154761577498 [ 27.161093][ T374] EXT4-fs error (device loop2): ext4_orphan_get:1410: comm syz.2.17: couldn't read orphan inode 13 (err -117) [ 27.173182][ T374] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none. [ 27.182228][ T374] EXT4-fs warning (device loop2): dx_probe:893: inode #2: comm syz.2.17: dx entry: limit 65535 != root limit 120 [ 27.194749][ T374] EXT4-fs warning (device loop2): dx_probe:966: inode #2: comm syz.2.17: Corrupt directory, running e2fsck is recommended [ 27.207789][ T374] ================================================================== [ 27.215860][ T374] BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x7c2/0x970 [ 27.224105][ T374] Read of size 2 at addr ffff88812f294003 by task syz.2.17/374 [ 27.231670][ T374] [ 27.233987][ T374] CPU: 0 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0 [ 27.241068][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 27.251110][ T374] Call Trace: [ 27.254372][ T374] [ 27.257291][ T374] __dump_stack+0x21/0x24 [ 27.261605][ T374] dump_stack_lvl+0x110/0x170 [ 27.266352][ T374] ? __cfi_dump_stack_lvl+0x8/0x8 [ 27.271351][ T374] ? __cfi__printk+0x8/0x8 [ 27.275739][ T374] ? __getblk_gfp+0x3b/0x7d0 [ 27.280304][ T374] ? __ext4_check_dir_entry+0x7c2/0x970 [ 27.285826][ T374] print_address_description+0x71/0x200 [ 27.291349][ T374] print_report+0x4a/0x60 [ 27.295660][ T374] kasan_report+0x122/0x150 [ 27.300147][ T374] ? __ext4_check_dir_entry+0x7c2/0x970 [ 27.305672][ T374] __asan_report_load2_noabort+0x14/0x20 [ 27.311283][ T374] __ext4_check_dir_entry+0x7c2/0x970 [ 27.316645][ T374] ext4_readdir+0x1315/0x3e10 [ 27.321318][ T374] ? __cfi_ext4_readdir+0x10/0x10 [ 27.326333][ T374] ? downgrade_write+0x370/0x370 [ 27.331260][ T374] ? __kasan_slab_free+0x11/0x20 [ 27.336200][ T374] ? avc_policy_seqno+0x1b/0x70 [ 27.341029][ T374] ? down_read_killable+0xbc/0x110 [ 27.346117][ T374] ? __cfi_down_read_killable+0x10/0x10 [ 27.351635][ T374] ? fsnotify_perm+0x269/0x5b0 [ 27.356379][ T374] ? security_file_permission+0x94/0xb0 [ 27.361934][ T374] iterate_dir+0x271/0x610 [ 27.366333][ T374] ? __cfi_ext4_readdir+0x10/0x10 [ 27.371333][ T374] __se_sys_getdents64+0xf2/0x250 [ 27.376333][ T374] ? __x64_sys_getdents64+0x90/0x90 [ 27.381504][ T374] ? mutex_unlock+0x8f/0x230 [ 27.386078][ T374] ? __cfi_filldir64+0x10/0x10 [ 27.390820][ T374] ? debug_smp_processor_id+0x17/0x20 [ 27.396170][ T374] __x64_sys_getdents64+0x7b/0x90 [ 27.401180][ T374] x64_sys_call+0x15c/0x9a0 [ 27.405659][ T374] do_syscall_64+0x4c/0xa0 [ 27.410057][ T374] ? clear_bhb_loop+0x30/0x80 [ 27.414728][ T374] ? clear_bhb_loop+0x30/0x80 [ 27.419385][ T374] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 27.425255][ T374] RIP: 0033:0x7f032199ce59 [ 27.429656][ T374] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 27.449239][ T374] RSP: 002b:00007ffe2a6d78a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 27.457647][ T374] RAX: ffffffffffffffda RBX: 00007f0321c15fa0 RCX: 00007f032199ce59 [ 27.465600][ T374] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 27.473546][ T374] RBP: 00007f0321a32d6f R08: 0000000000000000 R09: 0000000000000000 [ 27.481494][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.489445][ T374] R13: 00007f0321c15fac R14: 00007f0321c15fa0 R15: 00007f0321c15fa0 [ 27.497399][ T374] [ 27.500407][ T374] [ 27.502707][ T374] The buggy address belongs to the object at ffff88812f294000 [ 27.502707][ T374] which belongs to the cache kmalloc-16 of size 16 [ 27.516562][ T374] The buggy address is located 3 bytes inside of [ 27.516562][ T374] 16-byte region [ffff88812f294000, ffff88812f294010) [ 27.529556][ T374] [ 27.531861][ T374] The buggy address belongs to the physical page: [ 27.538245][ T374] page:ffffea0004bca500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12f294 [ 27.548468][ T374] flags: 0x4000000000000200(slab|zone=1) [ 27.554090][ T374] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042480 [ 27.562663][ T374] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000 [ 27.571225][ T374] page dumped because: kasan: bad access detected [ 27.577650][ T374] page_owner tracks the page as allocated [ 27.583341][ T374] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 374, tgid 374 (syz.2.17), ts 27118736912, free_ts 27110966533 [ 27.601026][ T374] post_alloc_hook+0x1f5/0x210 [ 27.605817][ T374] prep_new_page+0x1c/0x110 [ 27.610567][ T374] get_page_from_freelist+0x2d12/0x2d80 [ 27.616094][ T374] __alloc_pages+0x1fa/0x610 [ 27.620662][ T374] alloc_slab_page+0x6e/0xf0 [ 27.625225][ T374] new_slab+0x98/0x3d0 [ 27.629263][ T374] ___slab_alloc+0x6bd/0xb20 [ 27.633828][ T374] __slab_alloc+0x5e/0xa0 [ 27.638137][ T374] __kmem_cache_alloc_node+0x203/0x2c0 [ 27.643568][ T374] __kmalloc_node_track_caller+0xa0/0x1e0 [ 27.649272][ T374] kmemdup_nul+0x31/0xa0 [ 27.653485][ T374] generic_parse_monolithic+0x24d/0x360 [ 27.659006][ T374] parse_monolithic_mount_data+0x7a/0x90 [ 27.664616][ T374] do_new_mount+0x222/0xb30 [ 27.669097][ T374] path_mount+0x659/0xfc0 [ 27.673400][ T374] __se_sys_mount+0x320/0x390 [ 27.678059][ T374] page last free stack trace: [ 27.682703][ T374] free_unref_page_prepare+0x7f8/0x800 [ 27.688139][ T374] free_unref_page_list+0x117/0x8c0 [ 27.693311][ T374] release_pages+0xc93/0xcf0 [ 27.697872][ T374] free_pages_and_swap_cache+0x86/0xa0 [ 27.703309][ T374] tlb_finish_mmu+0x1aa/0x370 [ 27.707956][ T374] unmap_region+0x2b7/0x320 [ 27.712439][ T374] do_mas_align_munmap+0xbed/0x1320 [ 27.717621][ T374] do_mas_munmap+0x241/0x2b0 [ 27.722193][ T374] __vm_munmap+0x1bd/0x330 [ 27.726596][ T374] __x64_sys_munmap+0x6b/0x80 [ 27.731252][ T374] x64_sys_call+0x8a/0x9a0 [ 27.735649][ T374] do_syscall_64+0x4c/0xa0 [ 27.740050][ T374] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 27.745927][ T374] [ 27.748231][ T374] Memory state around the buggy address: [ 27.753838][ T374] ffff88812f293f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.761886][ T374] ffff88812f293f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.769924][ T374] >ffff88812f294000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.777964][ T374] ^ [ 27.782008][ T374] ffff88812f294080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.790052][ T374] ffff88812f294100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.798089][ T374] ================================================================== [ 27.807649][ T374] Disabling lock debugging due to kernel taint [ 27.814976][ T374] EXT4-fs error (device loop2): ext4_readdir:263: inode #2: block 3: comm syz.2.17: path /0/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=255, rec_len=0, size=1024 fake=0 [ 27.837207][ T370] EXT4-fs (loop2): unmounting filesystem.