Warning: Permanently added '10.128.1.55' (ED25519) to the list of known hosts.
2025/11/23 14:42:23 parsed 1 programs
[ 25.541216][ T30] audit: type=1400 audit(1763908943.400:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 25.561861][ T30] audit: type=1400 audit(1763908943.400:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 26.165194][ T30] audit: type=1400 audit(1763908944.020:66): avc: denied { mounton } for pid=290 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.166186][ T290] cgroup: Unknown subsys name 'net'
[ 26.187857][ T30] audit: type=1400 audit(1763908944.020:67): avc: denied { mount } for pid=290 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.215070][ T30] audit: type=1400 audit(1763908944.060:68): avc: denied { unmount } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.215259][ T290] cgroup: Unknown subsys name 'devices'
[ 26.390285][ T290] cgroup: Unknown subsys name 'hugetlb'
[ 26.395868][ T290] cgroup: Unknown subsys name 'rlimit'
[ 26.655980][ T30] audit: type=1400 audit(1763908944.510:69): avc: denied { setattr } for pid=290 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 26.678108][ T292] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 26.679144][ T30] audit: type=1400 audit(1763908944.510:70): avc: denied { create } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.708010][ T30] audit: type=1400 audit(1763908944.510:71): avc: denied { write } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.720382][ T290] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 26.728460][ T30] audit: type=1400 audit(1763908944.510:72): avc: denied { read } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.757053][ T30] audit: type=1400 audit(1763908944.510:73): avc: denied { mounton } for pid=290 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 27.145190][ T294] request_module fs-gadgetfs succeeded, but still no fs?
[ 27.260610][ T307] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.267639][ T307] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.275083][ T307] device bridge_slave_0 entered promiscuous mode
[ 27.282853][ T307] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.289885][ T307] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.297077][ T307] device bridge_slave_1 entered promiscuous mode
[ 27.332491][ T307] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.339526][ T307] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.346746][ T307] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.353757][ T307] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.369551][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.376769][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.384161][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 27.391673][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.401126][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.409290][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.416286][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.425520][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.433799][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.440815][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.452090][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.462041][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.474302][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.484546][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.492679][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 27.500047][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 27.509076][ T307] device veth0_vlan entered promiscuous mode
[ 27.517760][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.526491][ T307] device veth1_macvtap entered promiscuous mode
[ 27.535040][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.545147][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 27.574825][ T307] syz-executor (307) used greatest stack depth: 21216 bytes left
2025/11/23 14:42:26 executed programs: 0
[ 28.233070][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.240312][ T362] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.247524][ T362] device bridge_slave_0 entered promiscuous mode
[ 28.254301][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.261334][ T362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.268550][ T362] device bridge_slave_1 entered promiscuous mode
[ 28.309858][ T45] device bridge_slave_1 left promiscuous mode
[ 28.315952][ T45] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.323484][ T45] device bridge_slave_0 left promiscuous mode
[ 28.329695][ T45] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.337460][ T45] device veth1_macvtap left promiscuous mode
[ 28.343581][ T45] device veth0_vlan left promiscuous mode
[ 28.442472][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 28.449896][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.458588][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.466907][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.476061][ T308] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.483107][ T308] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.490854][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 28.499475][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 28.507793][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.515990][ T308] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.523009][ T308] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.533378][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 28.541391][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.549995][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 28.558020][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.570285][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 28.578641][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.590567][ T362] device veth0_vlan entered promiscuous mode
[ 28.596645][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 28.604503][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.612748][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.620426][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.630966][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.640155][ T362] device veth1_macvtap entered promiscuous mode
[ 28.650035][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 28.658164][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.666802][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 28.675122][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.704078][ T373] loop2: detected capacity change from 0 to 1024
[ 28.711956][ T373] =======================================================
[ 28.711956][ T373] WARNING: The mand mount option has been deprecated and
[ 28.711956][ T373] and is ignored by this kernel. Remove the mand
[ 28.711956][ T373] option from the mount to silence this warning.
[ 28.711956][ T373] =======================================================
[ 28.779759][ T373] EXT4-fs (loop2): Ignoring removed nobh option
[ 28.786045][ T373] EXT4-fs (loop2): Ignoring removed bh option
[ 28.792161][ T373] EXT4-fs (loop2): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 28.820939][ T373] EXT4-fs (loop2): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,grpquota,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: writeback.
[ 28.853980][ T8] ==================================================================
[ 28.862039][ T8] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20
[ 28.869400][ T8] Read of size 4 at addr ffff888128a23e54 by task kworker/u4:0/8
[ 28.877118][ T8]
[ 28.879459][ T8] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted syzkaller #0
[ 28.886731][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 28.896774][ T8] Workqueue: writeback wb_workfn (flush-7:2)
[ 28.902771][ T8] Call Trace:
[ 28.906038][ T8]
[ 28.908959][ T8] __dump_stack+0x21/0x30
[ 28.913281][ T8] dump_stack_lvl+0xee/0x150
[ 28.917861][ T8] ? show_regs_print_info+0x20/0x20
[ 28.923051][ T8] ? load_image+0x3a0/0x3a0
[ 28.927545][ T8] print_address_description+0x7f/0x2c0
[ 28.933081][ T8] ? ext4_find_extent+0xbeb/0xe20
[ 28.938099][ T8] kasan_report+0xf1/0x140
[ 28.942508][ T8] ? __read_extent_tree_block+0x1e8/0x790
[ 28.948222][ T8] ? ext4_find_extent+0xbeb/0xe20
[ 28.953238][ T8] __asan_report_load4_noabort+0x14/0x20
[ 28.958861][ T8] ext4_find_extent+0xbeb/0xe20
[ 28.963703][ T8] ext4_ext_map_blocks+0x1db/0x6270
[ 28.968895][ T8] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 28.974692][ T8] ? __stack_depot_save+0x442/0x480
[ 28.979874][ T8] ? __kasan_slab_alloc+0xcf/0xf0
[ 28.984877][ T8] ? __kasan_slab_alloc+0xbd/0xf0
[ 28.989875][ T8] ? slab_post_alloc_hook+0x4f/0x2b0
[ 28.995139][ T8] ? kmem_cache_alloc+0xf7/0x260
[ 29.000054][ T8] ? ext4_alloc_io_end_vec+0x2a/0x160
[ 29.005402][ T8] ? ext4_writepages+0xec8/0x2f90
[ 29.010407][ T8] ? do_writepages+0x48a/0x6c0
[ 29.015153][ T8] ? wb_workfn+0x38f/0xe20
[ 29.019552][ T8] ? process_one_work+0x6be/0xba0
[ 29.024556][ T8] ? worker_thread+0xa59/0x1200
[ 29.029382][ T8] ? ext4_ext_release+0x10/0x10
[ 29.034212][ T8] ? ext4_es_lookup_extent+0x54c/0x900
[ 29.039649][ T8] ext4_map_blocks+0x97b/0x1b20
[ 29.044487][ T8] ? slab_post_alloc_hook+0x6d/0x2b0
[ 29.049752][ T8] ? should_failslab+0x9/0x20
[ 29.054410][ T8] ? ext4_issue_zeroout+0x250/0x250
[ 29.059585][ T8] ? ext4_inode_journal_mode+0x19a/0x480
[ 29.065200][ T8] ext4_writepages+0x11e7/0x2f90
[ 29.070119][ T8] ? blk_mq_get_driver_tag+0x920/0x920
[ 29.075557][ T8] ? __sbitmap_queue_get+0x15/0x20
[ 29.080645][ T8] ? ext4_readpage+0x220/0x220
[ 29.085387][ T8] ? dd_has_work+0x362/0x390
[ 29.089955][ T8] ? blk_mq_do_dispatch_sched+0xc2c/0xc40
[ 29.095653][ T8] ? __kasan_check_write+0x14/0x20
[ 29.100743][ T8] ? ext4_readpage+0x220/0x220
[ 29.105492][ T8] do_writepages+0x48a/0x6c0
[ 29.110072][ T8] ? update_curr+0x2f3/0x5b0
[ 29.114642][ T8] ? __writepage+0x130/0x130
[ 29.119213][ T8] ? enqueue_task_fair+0xaa7/0x2120
[ 29.124394][ T8] ? __kasan_check_write+0x14/0x20
[ 29.129486][ T8] ? _raw_spin_lock+0x8e/0xe0
[ 29.134142][ T8] __writeback_single_inode+0xd5/0x9c0
[ 29.139587][ T8] ? wbc_attach_and_unlock_inode+0x194/0x5f0
[ 29.145547][ T8] writeback_sb_inodes+0x9c0/0x1590
[ 29.150724][ T8] ? psi_task_change+0x212/0x370
[ 29.155645][ T8] ? queue_io+0x4c0/0x4c0
[ 29.159952][ T8] ? __kasan_check_read+0x11/0x20
[ 29.164953][ T8] ? queue_io+0x382/0x4c0
[ 29.169259][ T8] wb_writeback+0x3f1/0x980
[ 29.173742][ T8] ? inode_cgwb_move_to_attached+0x3e0/0x3e0
[ 29.179699][ T8] ? set_worker_desc+0x155/0x1c0
[ 29.184618][ T8] ? __kasan_check_write+0x14/0x20
[ 29.189709][ T8] wb_workfn+0x38f/0xe20
[ 29.193930][ T8] ? psi_task_change+0x212/0x370
[ 29.198849][ T8] ? inode_wait_for_writeback+0x200/0x200
[ 29.204547][ T8] ? kvm_sched_clock_read+0x18/0x40
[ 29.209721][ T8] ? __kasan_check_read+0x11/0x20
[ 29.214743][ T8] ? ttwu_do_wakeup+0xf9/0x470
[ 29.219484][ T8] ? ttwu_do_activate+0x174/0x280
[ 29.224487][ T8] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 29.230283][ T8] ? try_to_wake_up+0x611/0x1160
[ 29.235203][ T8] process_one_work+0x6be/0xba0
[ 29.240032][ T8] worker_thread+0xa59/0x1200
[ 29.244687][ T8] kthread+0x411/0x500
[ 29.248732][ T8] ? worker_clr_flags+0x190/0x190
[ 29.253732][ T8] ? kthread_blkcg+0xd0/0xd0
[ 29.258300][ T8] ret_from_fork+0x1f/0x30
[ 29.262694][ T8]
[ 29.265690][ T8]
[ 29.267997][ T8] The buggy address belongs to the page:
[ 29.273596][ T8] page:ffffea0004a288c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x128a23
[ 29.283990][ T8] flags: 0x4000000000000000(zone=1)
[ 29.289168][ T8] raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000
[ 29.297730][ T8] raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
[ 29.306280][ T8] page dumped because: kasan: bad access detected
[ 29.312663][ T8] page_owner tracks the page as freed
[ 29.318001][ T8] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 358, ts 28027392556, free_ts 28201357806
[ 29.332380][ T8] post_alloc_hook+0x192/0x1b0
[ 29.337124][ T8] prep_new_page+0x1c/0x110
[ 29.341600][ T8] get_page_from_freelist+0x2cc5/0x2d50
[ 29.347121][ T8] __alloc_pages+0x18f/0x440
[ 29.351686][ T8] handle_pte_fault+0x98a/0x2680
[ 29.356597][ T8] do_handle_mm_fault+0x1a6d/0x1d50
[ 29.361767][ T8] do_user_addr_fault+0x841/0x1180
[ 29.366857][ T8] exc_page_fault+0x51/0xb0
[ 29.371332][ T8] asm_exc_page_fault+0x27/0x30
[ 29.376160][ T8] page last free stack trace:
[ 29.380807][ T8] free_unref_page_prepare+0x542/0x550
[ 29.386240][ T8] free_unref_page_list+0x134/0x9d0
[ 29.391414][ T8] release_pages+0xfda/0x1030
[ 29.396067][ T8] free_pages_and_swap_cache+0x86/0xa0
[ 29.401502][ T8] tlb_finish_mmu+0x175/0x300
[ 29.406170][ T8] exit_mmap+0x40f/0x860
[ 29.410412][ T8] __mmput+0x93/0x320
[ 29.414384][ T8] mmput+0x50/0x150
[ 29.418185][ T8] do_exit+0x9d2/0x27a0
[ 29.422317][ T8] do_group_exit+0x141/0x310
[ 29.426885][ T8] get_signal+0x66a/0x1480
[ 29.431277][ T8] arch_do_signal_or_restart+0xc1/0x10f0
[ 29.436887][ T8] exit_to_user_mode_loop+0xa7/0xe0
[ 29.442064][ T8] exit_to_user_mode_prepare+0x87/0xd0
[ 29.447512][ T8] syscall_exit_to_user_mode+0x1a/0x30
[ 29.452955][ T8] do_syscall_64+0x58/0xa0
[ 29.457353][ T8]
[ 29.459653][ T8] Memory state around the buggy address:
[ 29.465259][ T8] ffff888128a23d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.473319][ T8] ffff888128a23d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.481359][ T8] >ffff888128a23e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.489395][ T8] ^
[ 29.496052][ T8] ffff888128a23e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.504093][ T8] ffff888128a23f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.512132][ T8] ==================================================================
[ 29.520170][ T8] Disabling lock debuggi