Warning: Permanently added '10.128.1.35' (ED25519) to the list of known hosts. 2026/04/27 05:36:04 parsed 1 programs Setting up swapspace version 1, size = 127995904 bytes [ 46.305891][ T30] audit: type=1400 audit(1777268165.846:105): avc: denied { unlink } for pid=383 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 46.354084][ T383] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 47.073573][ T30] audit: type=1401 audit(1777268166.606:106): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768" [ 47.163239][ T30] audit: type=1400 audit(1777268166.696:107): avc: denied { create } for pid=416 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 47.536101][ T438] bridge0: port 1(bridge_slave_0) entered blocking state [ 47.543414][ T438] bridge0: port 1(bridge_slave_0) entered disabled state [ 47.551434][ T438] device bridge_slave_0 entered promiscuous mode [ 47.558498][ T438] bridge0: port 2(bridge_slave_1) entered blocking state [ 47.565622][ T438] bridge0: port 2(bridge_slave_1) entered disabled state [ 47.573776][ T438] device bridge_slave_1 entered promiscuous mode [ 47.622357][ T438] bridge0: port 2(bridge_slave_1) entered blocking state [ 47.629575][ T438] bridge0: port 2(bridge_slave_1) entered forwarding state [ 47.637529][ T438] bridge0: port 1(bridge_slave_0) entered blocking state [ 47.644588][ T438] bridge0: port 1(bridge_slave_0) entered forwarding state [ 47.667991][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 47.676230][ T311] bridge0: port 1(bridge_slave_0) entered disabled state [ 47.683945][ T311] bridge0: port 2(bridge_slave_1) entered disabled state [ 47.697651][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 47.705912][ T311] bridge0: port 1(bridge_slave_0) entered blocking state [ 47.713226][ T311] bridge0: port 1(bridge_slave_0) entered forwarding state [ 47.722354][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 47.730678][ T311] bridge0: port 2(bridge_slave_1) entered blocking state [ 47.737774][ T311] bridge0: port 2(bridge_slave_1) entered forwarding state [ 47.757154][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 47.767096][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 47.787275][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 47.799218][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 47.807489][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 47.815085][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 47.827606][ T438] device veth0_vlan entered promiscuous mode [ 47.838285][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 47.851506][ T438] device veth1_macvtap entered promiscuous mode [ 47.860778][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 47.871055][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 2026/04/27 05:36:07 executed programs: 0 [ 48.118618][ T448] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.125796][ T448] bridge0: port 1(bridge_slave_0) entered disabled state [ 48.133169][ T448] device bridge_slave_0 entered promiscuous mode [ 48.141188][ T448] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.148356][ T448] bridge0: port 2(bridge_slave_1) entered disabled state [ 48.155727][ T448] device bridge_slave_1 entered promiscuous mode [ 48.208094][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 48.215792][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 48.224427][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 48.233139][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 48.242198][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.249404][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 48.258248][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 48.272135][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 48.280608][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 48.289382][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.296487][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 48.312870][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 48.322680][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 48.341863][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 48.353408][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 48.361838][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 48.369798][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 48.378482][ T448] device veth0_vlan entered promiscuous mode [ 48.392619][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 48.401961][ T448] device veth1_macvtap entered promiscuous mode [ 48.411616][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 48.423239][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 48.452085][ T453] loop2: detected capacity change from 0 to 512 [ 48.496793][ T453] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! [ 48.510354][ T453] EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode [ 48.522522][ T453] EXT4-fs (loop2): 1 truncate cleaned up [ 48.528537][ T453] EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier=0x0000000000000006,resuid=0x0000000000000000,barrier=0x0000000000000003,norecovery,block_validity,data_err=abort,,errors=continue. Quota mode: none. [ 48.550192][ T30] audit: type=1400 audit(1777268168.096:108): avc: denied { mount } for pid=452 comm="syz.2.17" name="/" dev="loop2" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 48.573639][ T30] audit: type=1400 audit(1777268168.116:109): avc: denied { write } for pid=452 comm="syz.2.17" name="/" dev="loop2" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 48.593414][ T453] ================================================================== [ 48.596870][ T30] audit: type=1400 audit(1777268168.116:110): avc: denied { add_name } for pid=452 comm="syz.2.17" name="file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 48.603529][ T453] BUG: KASAN: use-after-free in do_split+0x132f/0x1fb0 [ 48.647045][ T30] audit: type=1400 audit(1777268168.116:111): avc: denied { create } for pid=452 comm="syz.2.17" name="file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 48.652417][ T453] Write of size 24923 at addr ffff888111f1bc2a by task syz.2.17/453 [ 48.696130][ T30] audit: type=1400 audit(1777268168.116:112): avc: denied { write open } for pid=452 comm="syz.2.17" path="/0/file0/file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" dev="loop2" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 48.701728][ T453] [ 48.701771][ T453] CPU: 1 PID: 453 Comm: syz.2.17 Not tainted syzkaller #0 [ 48.749005][ T30] audit: type=1400 audit(1777268168.116:113): avc: denied { create } for pid=452 comm="syz.2.17" name="file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=dir permissive=1 [ 48.755584][ T453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 48.755614][ T453] Call Trace: [ 48.755620][ T453] [ 48.755627][ T453] __dump_stack+0x21/0x30 [ 48.799896][ T30] audit: type=1400 audit(1777268168.116:114): avc: denied { write } for pid=452 comm="syz.2.17" name="file2" dev="loop2" ino=16 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 [ 48.807738][ T453] dump_stack_lvl+0x110/0x170 [ 48.807765][ T453] ? show_regs_print_info+0x20/0x20 [ 48.807786][ T453] ? load_image+0x3e0/0x3e0 [ 48.854555][ T453] print_address_description+0x7f/0x2c0 [ 48.860218][ T453] ? do_split+0x132f/0x1fb0 [ 48.864903][ T453] kasan_report+0xf1/0x140 [ 48.869317][ T453] ? do_split+0x132f/0x1fb0 [ 48.873847][ T453] kasan_check_range+0x249/0x2a0 [ 48.878785][ T453] memset+0x23/0x40 [ 48.882591][ T453] do_split+0x132f/0x1fb0 [ 48.887047][ T453] ? ext4_handle_dirty_dx_node+0x560/0x560 [ 48.893278][ T453] ext4_dx_add_entry+0x54f/0x1620 [ 48.898318][ T453] ? __kasan_check_write+0x14/0x20 [ 48.903526][ T453] ? ext4_dx_csum+0x460/0x460 [ 48.908419][ T453] ? memset+0x35/0x40 [ 48.912534][ T453] ? ext4_fname_setup_ci_filename+0x70/0x470 [ 48.918538][ T453] ext4_add_entry+0xa9c/0x1030 [ 48.923466][ T453] ? __kasan_check_write+0x14/0x20 [ 48.928600][ T453] ? ext4_inc_count+0x1b0/0x1b0 [ 48.933668][ T453] ? ext4_has_group_desc_csum+0x1f0/0x1f0 [ 48.939482][ T453] ? dquot_initialize+0x20/0x20 [ 48.944349][ T453] ? selinux_determine_inode_label+0x290/0x3e0 [ 48.950722][ T453] ext4_add_nondir+0x97/0x270 [ 48.955422][ T453] ext4_create+0x2e6/0x470 [ 48.959883][ T453] ? ext4_lookup+0x960/0x960 [ 48.964475][ T453] ? selinux_inode_create+0x22/0x30 [ 48.969697][ T453] ? security_inode_create+0xbd/0x110 [ 48.975079][ T453] vfs_create+0x342/0x520 [ 48.979420][ T453] do_mknodat+0x334/0x7a0 [ 48.983757][ T453] __x64_sys_mknod+0x8e/0xa0 [ 48.988381][ T453] x64_sys_call+0x886/0x9a0 [ 48.992889][ T453] do_syscall_64+0x4c/0xa0 [ 48.997307][ T453] ? clear_bhb_loop+0x50/0xa0 [ 49.001983][ T453] ? clear_bhb_loop+0x50/0xa0 [ 49.006658][ T453] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 49.012556][ T453] RIP: 0033:0x7f893c51d819 [ 49.017325][ T453] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 49.037648][ T453] RSP: 002b:00007f893c380028 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 [ 49.046263][ T453] RAX: ffffffffffffffda RBX: 00007f893c796fa0 RCX: 00007f893c51d819 [ 49.054517][ T453] RDX: 0000000000000247 RSI: 0000000000000010 RDI: 0000200000000340 [ 49.062518][ T453] RBP: 00007f893c5b3c91 R08: 0000000000000000 R09: 0000000000000000 [ 49.070594][ T453] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 49.078674][ T453] R13: 00007f893c797038 R14: 00007f893c796fa0 R15: 00007ffe28426928 [ 49.086666][ T453] [ 49.089701][ T453] [ 49.092023][ T453] The buggy address belongs to the page: [ 49.097644][ T453] page:ffffea000447c6c0 refcount:2 mapcount:0 mapping:ffff88810928e2d8 index:0x8 pfn:0x111f1b [ 49.107913][ T453] memcg:ffff888100251140 [ 49.112143][ T453] aops:def_blk_aops ino:700002 [ 49.116907][ T453] flags: 0x400000000002203e(referenced|uptodate|dirty|lru|active|private|mappedtodisk|zone=1) [ 49.127162][ T453] raw: 400000000002203e ffffea000447c708 ffffea000447c688 ffff88810928e2d8 [ 49.135828][ T453] raw: 0000000000000008 ffff88812e433000 00000002ffffffff ffff888100251140 [ 49.144502][ T453] page dumped because: kasan: bad access detected [ 49.151360][ T453] page_owner tracks the page as allocated [ 49.157159][ T453] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 389, ts 48520730891, free_ts 47487707184 [ 49.174355][ T453] post_alloc_hook+0x192/0x1b0 [ 49.179136][ T453] prep_new_page+0x1c/0x110 [ 49.183922][ T453] get_page_from_freelist+0x2d3a/0x2dc0 [ 49.189467][ T453] __alloc_pages+0x1a2/0x460 [ 49.194083][ T453] page_cache_ra_unbounded+0x2d5/0x9a0 [ 49.199555][ T453] force_page_cache_ra+0x3fd/0x460 [ 49.204667][ T453] page_cache_sync_ra+0x2b4/0x430 [ 49.209697][ T453] filemap_read+0x694/0x2040 [ 49.214370][ T453] generic_file_read_iter+0xac/0x400 [ 49.219648][ T453] blkdev_read_iter+0x12f/0x160 [ 49.224583][ T453] vfs_read+0x6c9/0xc40 [ 49.228826][ T453] ksys_read+0x149/0x250 [ 49.233087][ T453] __x64_sys_read+0x7b/0x90 [ 49.237804][ T453] x64_sys_call+0x96d/0x9a0 [ 49.242312][ T453] do_syscall_64+0x4c/0xa0 [ 49.246756][ T453] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 49.252676][ T453] page last free stack trace: [ 49.257556][ T453] free_unref_page_prepare+0x542/0x550 [ 49.263036][ T453] free_unref_page+0xae/0x540 [ 49.267710][ T453] __free_pages+0x6c/0x100 [ 49.272142][ T453] __vunmap+0x86d/0xa00 [ 49.276402][ T453] vfree+0x8b/0xc0 [ 49.280118][ T453] kcov_close+0x2b/0x50 [ 49.284358][ T453] __fput+0x20b/0x8b0 [ 49.288335][ T453] ____fput+0x15/0x20 [ 49.292313][ T453] task_work_run+0x127/0x190 [ 49.296898][ T453] do_exit+0xa9e/0x27e0 [ 49.301060][ T453] do_group_exit+0x141/0x310 [ 49.305659][ T453] get_signal+0x66a/0x1480 [ 49.310112][ T453] arch_do_signal_or_restart+0xdf/0x11c0 [ 49.315749][ T453] exit_to_user_mode_loop+0xa7/0xe0 [ 49.320978][ T453] exit_to_user_mode_prepare+0x87/0xd0 [ 49.326453][ T453] syscall_exit_to_user_mode+0x1a/0x30 [ 49.332197][ T453] [ 49.334607][ T453] Memory state around the buggy address: [ 49.340265][ T453] ffff888111f1ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.348435][ T453] ffff888111f1ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.356591][ T453] >ffff888111f1f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.364648][ T453] ^ [ 49.368722][ T453] ffff888111f1f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc [ 49.377009][ T453] ffff888111f1f100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 49.385347][ T453] ================================================================== [ 49.393424][ T453] Disabling lock debugging due to kernel taint [ 49.453370][ T458] loop2: detected capacity change from 0 to 512 [ 49.509007][ T458] EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode [ 49.519549][ T43] device bridge_slave_1 left promiscuous mode [ 49.526354][ T43] bridge0: port 2(bridge_slave_1) entered disabled state [ 49.527941][ T458] EXT4-fs (loop2): 1 truncate cleaned up [ 49.539293][ T458] EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier=0x0000000000000006,resuid=0x0000000000000000,barrier=0x0000000000000003,norecovery,block_validity,data_err=abort,,errors=continue. Quota mode: none. [ 49.539759][ T43] device bridge_slave_0 left promiscuous mode [ 49.569261][ T43] bridge0: port 1(bridge_slave_0) entered disabled state [ 49.577699][ T43] device veth1_macvtap left promiscuous mode [ 49.583745][ T43] device veth0_vlan left promiscuous mode