Warning: Permanently added '10.128.0.215' (ED25519) to the list of known hosts.
2026/05/17 00:02:13 parsed 1 programs
[ 25.300368][ T30] audit: type=1400 audit(1778976133.770:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 25.321074][ T30] audit: type=1400 audit(1778976133.770:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 26.195142][ T30] audit: type=1400 audit(1778976134.660:66): avc: denied { mounton } for pid=299 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.198133][ T299] cgroup: Unknown subsys name 'net'
[ 26.217778][ T30] audit: type=1400 audit(1778976134.670:67): avc: denied { mount } for pid=299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.245101][ T30] audit: type=1400 audit(1778976134.690:68): avc: denied { unmount } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.245417][ T299] cgroup: Unknown subsys name 'devices'
[ 26.387086][ T299] cgroup: Unknown subsys name 'hugetlb'
[ 26.392690][ T299] cgroup: Unknown subsys name 'rlimit'
[ 26.537824][ T30] audit: type=1400 audit(1778976135.010:69): avc: denied { setattr } for pid=299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 26.560991][ T30] audit: type=1400 audit(1778976135.010:70): avc: denied { create } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.577895][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 26.581756][ T30] audit: type=1400 audit(1778976135.010:71): avc: denied { write } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.610153][ T30] audit: type=1400 audit(1778976135.010:72): avc: denied { read } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 26.630331][ T30] audit: type=1400 audit(1778976135.010:73): avc: denied { mounton } for pid=299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 26.676756][ T299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 27.074261][ T305] request_module fs-gadgetfs succeeded, but still no fs?
[ 27.225601][ T314] syz-executor (314) used greatest stack depth: 21696 bytes left
[ 27.532802][ T343] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.539946][ T343] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.547390][ T343] device bridge_slave_0 entered promiscuous mode
[ 27.554244][ T343] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.561340][ T343] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.568828][ T343] device bridge_slave_1 entered promiscuous mode
[ 27.614765][ T343] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.621852][ T343] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.629179][ T343] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.636223][ T343] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.655298][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.662952][ T319] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.670528][ T319] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.679499][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.688065][ T319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.695096][ T319] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.703338][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.711663][ T319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.718706][ T319] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.730443][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.738401][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.750946][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.761892][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.769859][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 27.777376][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 27.785083][ T343] device veth0_vlan entered promiscuous mode
[ 27.794638][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.803533][ T343] device veth1_macvtap entered promiscuous mode
[ 27.811996][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.821838][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 27.857747][ T343] syz-executor (343) used greatest stack depth: 21344 bytes left
2026/05/17 00:02:16 executed programs: 0
[ 28.224221][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.231543][ T367] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.239149][ T367] device bridge_slave_0 entered promiscuous mode
[ 28.246379][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.253421][ T367] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.260901][ T367] device bridge_slave_1 entered promiscuous mode
[ 28.308664][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.315757][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.323018][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.330071][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.349039][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.357141][ T319] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.364460][ T319] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.374105][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.382677][ T319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.389760][ T319] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.406950][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.415149][ T319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.422215][ T319] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.429708][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.438122][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.451210][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.462732][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.470789][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.478652][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.487228][ T367] device veth0_vlan entered promiscuous mode
[ 28.498251][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.507489][ T367] device veth1_macvtap entered promiscuous mode
[ 28.518057][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.531825][ T319] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.555035][ T374] loop2: detected capacity change from 0 to 1024
[ 28.638601][ T374] EXT4-fs (loop2): Ignoring removed nomblk_io_submit option
[ 28.646021][ T374] EXT4-fs (loop2): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 28.659333][ T374] [EXT4 FS bs=1024, gc=1, bpg=131072, ipg=32, mo=e855c01c, mo2=0003]
[ 28.667558][ T374] System zones: 0-1, 3-36
[ 28.673512][ T374] EXT4-fs (loop2): mounted filesystem without journal. Opts: grpquota,delalloc,resuid=0x0000000000000000,debug,dioread_nolock,bsddf,nomblk_io_submit,noauto_da_alloc,,errors=continue. Quota mode: writeback.
[ 28.702107][ T374] ==================================================================
[ 28.710189][ T374] BUG: KASAN: use-after-free in ext4_get_inode_usage+0x3a1/0x520
[ 28.717942][ T374] Read of size 4 at addr ffff888124dbb070 by task syz.2.17/374
[ 28.725510][ T374]
[ 28.727844][ T374] CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0
[ 28.734954][ T374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
[ 28.745018][ T374] Call Trace:
[ 28.748298][ T374]
[ 28.751240][ T374] __dump_stack+0x21/0x30
[ 28.755577][ T374] dump_stack_lvl+0x110/0x170
[ 28.760259][ T374] ? show_regs_print_info+0x20/0x20
[ 28.765464][ T374] ? load_image+0x3e0/0x3e0
[ 28.769993][ T374] ? ext4_getblk+0x24a/0x660
[ 28.774595][ T374] print_address_description+0x7f/0x2c0
[ 28.780147][ T374] ? ext4_get_inode_usage+0x3a1/0x520
[ 28.785539][ T374] kasan_report+0xf1/0x140
[ 28.789972][ T374] ? ext4_get_inode_usage+0x3a1/0x520
[ 28.795354][ T374] __asan_report_load4_noabort+0x14/0x20
[ 28.800991][ T374] ext4_get_inode_usage+0x3a1/0x520
[ 28.806188][ T374] ? ext4_listxattr+0xc50/0xc50
[ 28.811041][ T374] ? ext4_quota_read+0x3b0/0x3b0
[ 28.815979][ T374] __dquot_transfer+0x192/0x2150
[ 28.820915][ T374] ? __kasan_check_write+0x14/0x20
[ 28.826050][ T374] ? mutex_unlock+0x8f/0x230
[ 28.830653][ T374] ? __mutex_lock_slowpath+0x10/0x10
[ 28.835934][ T374] ? dquot_free_inode+0x900/0x900
[ 28.840962][ T374] ? dquot_acquire+0x263/0x530
[ 28.845733][ T374] ? __ext4_journal_stop+0x36/0x1a0
[ 28.850939][ T374] ? ext4_acquire_dquot+0x36d/0x4a0
[ 28.856134][ T374] ? dqget+0xb68/0xf30
[ 28.860206][ T374] dquot_transfer+0x2f1/0x460
[ 28.864883][ T374] ? __dquot_transfer+0x2150/0x2150
[ 28.870087][ T374] ? down_read+0xab/0x100
[ 28.874418][ T374] ? ext4_journal_check_start+0x172/0x240
[ 28.880150][ T374] ? ext4_setattr+0x6cc/0x1ac0
[ 28.884917][ T374] ? __ext4_journal_start_sb+0x154/0x2b0
[ 28.890548][ T374] ext4_setattr+0x700/0x1ac0
[ 28.895134][ T374] ? make_kgid+0x660/0x660
[ 28.899575][ T374] ? ext4_write_inode+0x5b0/0x5b0
[ 28.904608][ T374] notify_change+0xbca/0xe90
[ 28.909204][ T374] chown_common+0x4b8/0x680
[ 28.913710][ T374] ? __ia32_sys_chmod+0x70/0x70
[ 28.918565][ T374] ? mnt_want_write_file+0x243/0x420
[ 28.923854][ T374] ksys_fchown+0xef/0x160
[ 28.928185][ T374] __x64_sys_fchown+0x7a/0x90
[ 28.932861][ T374] x64_sys_call+0x95f/0x9a0
[ 28.937363][ T374] do_syscall_64+0x4c/0xa0
[ 28.941783][ T374] ? clear_bhb_loop+0x50/0xa0
[ 28.946465][ T374] ? clear_bhb_loop+0x50/0xa0
[ 28.951157][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 28.957056][ T374] RIP: 0033:0x7fef4971fe59
[ 28.961476][ T374] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 28.981093][ T374] RSP: 002b:00007fef49582028 EFLAGS: 00000246 ORIG_RAX: 000000000000005d
[ 28.989519][ T374] RAX: ffffffffffffffda RBX: 00007fef49998fa0 RCX: 00007fef4971fe59
[ 28.997505][ T374] RDX: 000000000000ee01 RSI: 0000000000000000 RDI: 0000000000000005
[ 29.005489][ T374] RBP: 00007fef497b5d6f R08: 0000000000000000 R09: 0000000000000000
[ 29.013464][ T374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 29.021435][ T374] R13: 00007fef49999038 R14: 00007fef49998fa0 R15: 00007ffeae0673d8
[ 29.029420][ T374]
[ 29.032446][ T374]
[ 29.034776][ T374] Allocated by task 245:
[ 29.039012][ T374] __kasan_slab_alloc+0xbd/0xf0
[ 29.043868][ T374] slab_post_alloc_hook+0x4f/0x2b0
[ 29.048983][ T374] kmem_cache_alloc_bulk+0x27b/0x340
[ 29.054266][ T374] __alloc_skb+0x526/0x740
[ 29.058705][ T374] __napi_alloc_skb+0x162/0x2e0
[ 29.063583][ T374] page_to_skb+0x287/0xb60
[ 29.067996][ T374] receive_buf+0xcc7/0x4c50
[ 29.072494][ T374] virtnet_poll+0x570/0xf40
[ 29.076989][ T374] __napi_poll+0xbe/0x590
[ 29.081323][ T374] net_rx_action+0x389/0x900
[ 29.085903][ T374] handle_softirqs+0x250/0x560
[ 29.090660][ T374] __irq_exit_rcu+0x52/0xf0
[ 29.095161][ T374] irq_exit_rcu+0x9/0x10
[ 29.099397][ T374] common_interrupt+0xbe/0xe0
[ 29.104073][ T374] asm_common_interrupt+0x27/0x40
[ 29.109086][ T374]
[ 29.111407][ T374] Freed by task 244:
[ 29.115302][ T374] kasan_set_track+0x4a/0x70
[ 29.119891][ T374] kasan_set_free_info+0x23/0x40
[ 29.124831][ T374] ____kasan_slab_free+0x125/0x160
[ 29.129935][ T374] __kasan_slab_free+0x11/0x20
[ 29.134691][ T374] slab_free_freelist_hook+0xc2/0x190
[ 29.140180][ T374] kmem_cache_free+0x100/0x320
[ 29.144939][ T374] kfree_skbmem+0x10c/0x180
[ 29.149438][ T374] __kfree_skb+0x58/0x70
[ 29.153683][ T374] tcp_recvmsg_locked+0x14cd/0x26f0
[ 29.158881][ T374] tcp_recvmsg+0x23c/0x770
[ 29.163308][ T374] inet_recvmsg+0x13a/0x480
[ 29.167811][ T374] sock_read_iter+0x2b8/0x380
[ 29.172500][ T374] vfs_read+0x6c9/0xc40
[ 29.176658][ T374] ksys_read+0x149/0x250
[ 29.180905][ T374] __x64_sys_read+0x7b/0x90
[ 29.185411][ T374] x64_sys_call+0x96d/0x9a0
[ 29.189914][ T374] do_syscall_64+0x4c/0xa0
[ 29.194340][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.200240][ T374]
[ 29.202563][ T374] The buggy address belongs to the object at ffff888124dbb000
[ 29.202563][ T374] which belongs to the cache skbuff_head_cache of size 248
[ 29.217156][ T374] The buggy address is located 112 bytes inside of
[ 29.217156][ T374] 248-byte region [ffff888124dbb000, ffff888124dbb0f8)
[ 29.230429][ T374] The buggy address belongs to the page:
[ 29.236081][ T374] page:ffffea0004936ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124dbb
[ 29.246320][ T374] flags: 0x4000000000000200(slab|zone=1)
[ 29.251975][ T374] raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081aa780
[ 29.260568][ T374] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 29.269144][ T374] page dumped because: kasan: bad access detected
[ 29.275555][ T374] page_owner tracks the page as allocated
[ 29.281263][ T374] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 245, ts 17669815962, free_ts 17669742792
[ 29.297225][ T374] post_alloc_hook+0x192/0x1b0
[ 29.301987][ T374] prep_new_page+0x1c/0x110
[ 29.306498][ T374] get_page_from_freelist+0x2d3a/0x2dc0
[ 29.312051][ T374] __alloc_pages+0x1a2/0x460
[ 29.316653][ T374] new_slab+0xa1/0x4d0
[ 29.320730][ T374] ___slab_alloc+0x381/0x810
[ 29.325323][ T374] kmem_cache_alloc_bulk+0xf7/0x340
[ 29.330521][ T374] __alloc_skb+0x526/0x740
[ 29.334944][ T374] __napi_alloc_skb+0x162/0x2e0
[ 29.339793][ T374] page_to_skb+0x287/0xb60
[ 29.344222][ T374] receive_buf+0xcc7/0x4c50
[ 29.348732][ T374] virtnet_poll+0x570/0xf40
[ 29.353236][ T374] __napi_poll+0xbe/0x590
[ 29.357576][ T374] net_rx_action+0x389/0x900
[ 29.362179][ T374] handle_softirqs+0x250/0x560
[ 29.366948][ T374] __irq_exit_rcu+0x52/0xf0
[ 29.371456][ T374] page last free stack trace:
[ 29.376125][ T374] free_unref_page_prepare+0x542/0x550
[ 29.381578][ T374] free_unref_page+0xae/0x540
[ 29.386251][ T374] __put_page+0xad/0xe0
[ 29.390402][ T374] anon_pipe_buf_release+0x183/0x200
[ 29.395687][ T374] pipe_read+0x53b/0x1010
[ 29.400015][ T374] vfs_read+0x6c9/0xc40
[ 29.404169][ T374] ksys_read+0x149/0x250
[ 29.408413][ T374] __x64_sys_read+0x7b/0x90
[ 29.412915][ T374] x64_sys_call+0x96d/0x9a0
[ 29.417423][ T374] do_syscall_64+0x4c/0xa0
[ 29.421840][ T374] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 29.427733][ T374]
[ 29.430056][ T374] Memory state around the buggy address:
[ 29.435681][ T374] ffff888124dbaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.443742][ T374] ffff888124dbaf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.451809][ T374] >ffff888124dbb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.459874][ T374] ^
[ 29.467587][ T374] ffff888124dbb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 29.475645][ T374] ffff888124dbb100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 29.483704][ T374] ==================================================================
[ 29.491760][ T374] Disabling lock debugging due to kernel taint