Warning: Permanently added '10.128.1.82' (ED25519) to the list of known hosts. 2026/03/09 20:27:24 parsed 1 programs [ 44.132257][ T28] audit: type=1400 audit(1773088044.876:106): avc: denied { unlink } for pid=397 comm="syz-executor" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 44.174418][ T397] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 44.759049][ T28] audit: type=1400 audit(1773088045.496:107): avc: denied { create } for pid=402 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 44.925109][ T417] bridge0: port 1(bridge_slave_0) entered blocking state [ 44.932680][ T417] bridge0: port 1(bridge_slave_0) entered disabled state [ 44.944159][ T417] device bridge_slave_0 entered promiscuous mode [ 44.952830][ T417] bridge0: port 2(bridge_slave_1) entered blocking state [ 44.960668][ T417] bridge0: port 2(bridge_slave_1) entered disabled state [ 44.968686][ T417] device bridge_slave_1 entered promiscuous mode [ 45.006773][ T417] bridge0: port 2(bridge_slave_1) entered blocking state [ 45.014434][ T417] bridge0: port 2(bridge_slave_1) entered forwarding state [ 45.022360][ T417] bridge0: port 1(bridge_slave_0) entered blocking state [ 45.029933][ T417] bridge0: port 1(bridge_slave_0) entered forwarding state [ 45.046129][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 45.053683][ T43] bridge0: port 1(bridge_slave_0) entered disabled state [ 45.061251][ T43] bridge0: port 2(bridge_slave_1) entered disabled state [ 45.072048][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 45.080341][ T43] bridge0: port 1(bridge_slave_0) entered blocking state [ 45.087841][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state [ 45.097601][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 45.106550][ T43] bridge0: port 2(bridge_slave_1) entered blocking state [ 45.113823][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state [ 45.125770][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 45.135491][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 45.162348][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 45.178376][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 45.187227][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 45.195829][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 45.205300][ T417] device veth0_vlan entered promiscuous mode [ 45.224144][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 45.234773][ T417] device veth1_macvtap entered promiscuous mode [ 45.244511][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 45.255454][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 45.429813][ T28] audit: type=1401 audit(1773088046.166:108): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768" 2026/03/09 20:27:26 executed programs: 0 [ 45.931261][ T465] bridge0: port 1(bridge_slave_0) entered blocking state [ 45.938865][ T465] bridge0: port 1(bridge_slave_0) entered disabled state [ 45.947514][ T465] device bridge_slave_0 entered promiscuous mode [ 45.957601][ T465] bridge0: port 2(bridge_slave_1) entered blocking state [ 45.965083][ T465] bridge0: port 2(bridge_slave_1) entered disabled state [ 45.973060][ T465] device bridge_slave_1 entered promiscuous mode [ 46.021666][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 46.029637][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 46.041626][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 46.050528][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 46.059087][ T43] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.066454][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state [ 46.074359][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 46.083893][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 46.092736][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 46.101121][ T43] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.108477][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state [ 46.122140][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 46.131472][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 46.144652][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 46.155043][ T324] device bridge_slave_1 left promiscuous mode [ 46.161280][ T324] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.169044][ T324] device bridge_slave_0 left promiscuous mode [ 46.175617][ T324] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.183610][ T324] device veth1_macvtap left promiscuous mode [ 46.189613][ T324] device veth0_vlan left promiscuous mode [ 46.267262][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 46.275755][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 46.284337][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 46.293613][ T465] device veth0_vlan entered promiscuous mode [ 46.303343][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 46.313408][ T465] device veth1_macvtap entered promiscuous mode [ 46.322788][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 46.331653][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 46.341391][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 46.350037][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 46.377744][ T476] loop2: detected capacity change from 0 to 1024 [ 46.384828][ T476] ======================================================= [ 46.384828][ T476] WARNING: The mand mount option has been deprecated and [ 46.384828][ T476] and is ignored by this kernel. Remove the mand [ 46.384828][ T476] option from the mount to silence this warning. [ 46.384828][ T476] ======================================================= [ 46.433582][ T476] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none. [ 46.442811][ T28] audit: type=1400 audit(1773088047.186:109): avc: denied { mount } for pid=475 comm="syz.2.16" name="/" dev="loop2" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 46.463779][ T476] EXT4-fs error (device loop2): ext4_mb_mark_diskspace_used:3852: comm syz.2.16: Allocating blocks 497-513 which overlap fs metadata [ 46.465330][ T28] audit: type=1400 audit(1773088047.186:110): avc: denied { write } for pid=475 comm="syz.2.16" name="/" dev="loop2" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 46.480545][ T476] EXT4-fs (loop2): pa ffff88811153adc8: logic 256, phys. 385, len 8 [ 46.502868][ T28] audit: type=1400 audit(1773088047.186:111): avc: denied { add_name } for pid=475 comm="syz.2.16" name="memory.stat" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 46.511197][ T476] EXT4-fs error (device loop2): ext4_mb_release_inode_pa:4892: group 0, free 0, pa_free 1 [ 46.544379][ T28] audit: type=1400 audit(1773088047.186:112): avc: denied { create } for pid=475 comm="syz.2.16" name="memory.stat" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 46.566993][ T28] audit: type=1400 audit(1773088047.186:113): avc: denied { read append open } for pid=475 comm="syz.2.16" path="/0/file1/memory.stat" dev="loop2" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 46.593983][ T28] audit: type=1400 audit(1773088047.316:114): avc: denied { write } for pid=475 comm="syz.2.16" name="memory.stat" dev="loop2" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 46.617447][ T28] audit: type=1400 audit(1773088047.316:115): avc: denied { mounton } for pid=475 comm="syz.2.16" path="/0/file1/bus" dev="loop2" ino=19 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 46.641917][ T465] EXT4-fs (loop2): unmounting filesystem. [ 46.658306][ T482] loop2: detected capacity change from 0 to 1024 [ 46.675821][ T482] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none. [ 46.695416][ T482] EXT4-fs error (device loop2): ext4_mb_mark_diskspace_used:3852: comm syz.2.17: Allocating blocks 497-513 which overlap fs metadata [ 46.710323][ T482] EXT4-fs (loop2): pa ffff888122a67c78: logic 256, phys. 385, len 8 [ 46.718862][ T482] EXT4-fs error (device loop2): ext4_mb_release_inode_pa:4892: group 0, free 0, pa_free 1 [ 46.735723][ T465] ================================================================== [ 46.744336][ T465] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x348b/0x40d0 [ 46.752872][ T465] Read of size 4 at addr ffff88812687adb8 by task syz-executor/465 [ 46.761113][ T465] [ 46.763629][ T465] CPU: 1 PID: 465 Comm: syz-executor Not tainted syzkaller #0 [ 46.771253][ T465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 46.781756][ T465] Call Trace: [ 46.785370][ T465] [ 46.788375][ T465] __dump_stack+0x21/0x24 [ 46.792805][ T465] dump_stack_lvl+0x110/0x170 [ 46.797769][ T465] ? __cfi_dump_stack_lvl+0x8/0x8 [ 46.803052][ T465] ? ext4_inode_block_valid+0x2d7/0x3f0 [ 46.808581][ T465] ? ext4_ext_remove_space+0x348b/0x40d0 [ 46.814346][ T465] print_address_description+0x71/0x200 [ 46.820156][ T465] print_report+0x4a/0x60 [ 46.824666][ T465] kasan_report+0x122/0x150 [ 46.829251][ T465] ? ext4_ext_remove_space+0x348b/0x40d0 [ 46.835230][ T465] __asan_report_load4_noabort+0x14/0x20 [ 46.841206][ T465] ext4_ext_remove_space+0x348b/0x40d0 [ 46.847074][ T465] ? memset+0x35/0x40 [ 46.851361][ T465] ? ext4_es_insert_extent+0x2d60/0x2d60 [ 46.857430][ T465] ? _raw_write_lock+0x94/0xf0 [ 46.862357][ T465] ? ext4_da_release_space+0x1d6/0x480 [ 46.867894][ T465] ? __cfi_ext4_ext_remove_space+0x10/0x10 [ 46.874199][ T465] ? ext4_es_remove_extent+0x1d9/0x330 [ 46.879723][ T465] ext4_ext_truncate+0x200/0x320 [ 46.884828][ T465] ext4_truncate+0x9be/0xfb0 [ 46.889852][ T465] ? __cfi_ext4_truncate+0x10/0x10 [ 46.894973][ T465] ext4_evict_inode+0xccf/0x1470 [ 46.900103][ T465] ? _raw_spin_unlock+0x4c/0x70 [ 46.904958][ T465] ? __cfi_ext4_evict_inode+0x10/0x10 [ 46.910926][ T465] ? _raw_spin_unlock+0x4c/0x70 [ 46.915941][ T465] ? inode_io_list_del+0x19b/0x1b0 [ 46.921075][ T465] ? __cfi_ext4_evict_inode+0x10/0x10 [ 46.926584][ T465] evict+0x4d7/0x8f0 [ 46.930556][ T465] ? proc_nr_inodes+0x2f0/0x2f0 [ 46.936050][ T465] ? lockref_put_return+0x152/0x1d0 [ 46.941343][ T465] ? __cfi_lockref_put_return+0x10/0x10 [ 46.947009][ T465] ? __kasan_check_write+0x14/0x20 [ 46.952113][ T465] iput+0x620/0x670 [ 46.956307][ T465] do_unlinkat+0x380/0x6d0 [ 46.960782][ T465] ? __cfi_do_unlinkat+0x10/0x10 [ 46.966142][ T465] ? getname_flags+0x206/0x500 [ 46.971530][ T465] __x64_sys_unlink+0x49/0x50 [ 46.976998][ T465] x64_sys_call+0x958/0x9a0 [ 46.981675][ T465] do_syscall_64+0x4c/0xa0 [ 46.986260][ T465] ? clear_bhb_loop+0x30/0x80 [ 46.991273][ T465] ? clear_bhb_loop+0x30/0x80 [ 46.995928][ T465] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 47.001801][ T465] RIP: 0033:0x7fe2041991e7 [ 47.006299][ T465] Code: 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 47.026505][ T465] RSP: 002b:00007ffd9a3bc9c8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 47.035349][ T465] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe2041991e7 [ 47.043822][ T465] RDX: 00007ffd9a3bc9f0 RSI: 00007ffd9a3bca80 RDI: 00007ffd9a3bca80 [ 47.052035][ T465] RBP: 00007ffd9a3bca80 R08: 00007ffd9a3bda80 R09: 00000000ffffffff [ 47.060640][ T465] R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffd9a3bdb70 [ 47.068607][ T465] R13: 00007fe20422c113 R14: 000000000000b651 R15: 00007ffd9a3bec40 [ 47.076803][ T465] [ 47.080015][ T465] [ 47.082367][ T465] The buggy address belongs to the physical page: [ 47.089028][ T465] page:ffffea00049a1e80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12687a [ 47.099247][ T465] flags: 0x4000000000000000(zone=1) [ 47.104637][ T465] raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000 [ 47.113470][ T465] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 47.122294][ T465] page dumped because: kasan: bad access detected [ 47.128867][ T465] page_owner tracks the page as freed [ 47.134432][ T465] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 397, tgid 397 (syz-executor), ts 43821225987, free_ts 44737269069 [ 47.154327][ T465] post_alloc_hook+0x1f5/0x210 [ 47.159610][ T465] prep_new_page+0x1c/0x110 [ 47.164312][ T465] get_page_from_freelist+0x2d12/0x2d80 [ 47.170050][ T465] __alloc_pages+0x1d9/0x480 [ 47.174842][ T465] __folio_alloc+0x12/0x40 [ 47.179263][ T465] handle_mm_fault+0x1972/0x26c0 [ 47.184388][ T465] do_user_addr_fault+0x905/0x1050 [ 47.189995][ T465] exc_page_fault+0x51/0xb0 [ 47.194597][ T465] asm_exc_page_fault+0x27/0x30 [ 47.199550][ T465] page last free stack trace: [ 47.204418][ T465] free_unref_page_prepare+0x742/0x750 [ 47.210249][ T465] free_unref_page_list+0x117/0x8c0 [ 47.215472][ T465] release_pages+0xaf2/0xb50 [ 47.220355][ T465] free_pages_and_swap_cache+0x86/0xa0 [ 47.226072][ T465] tlb_finish_mmu+0x1aa/0x370 [ 47.230751][ T465] unmap_region+0x2b7/0x320 [ 47.235433][ T465] do_mas_align_munmap+0xbed/0x1320 [ 47.240730][ T465] do_mas_munmap+0x241/0x2b0 [ 47.245406][ T465] __vm_munmap+0x1bd/0x330 [ 47.249914][ T465] __x64_sys_munmap+0x6b/0x80 [ 47.254855][ T465] x64_sys_call+0x8a/0x9a0 [ 47.259362][ T465] do_syscall_64+0x4c/0xa0 [ 47.263782][ T465] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 47.269766][ T465] [ 47.272170][ T465] Memory state around the buggy address: [ 47.278062][ T465] ffff88812687ac80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.286375][ T465] ffff88812687ad00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.294793][ T465] >ffff88812687ad80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.303413][ T465] ^ [ 47.309671][ T465] ffff88812687ae00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.318160][ T465] ffff88812687ae80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 47.326583][ T465] ================================================================== [ 47.335939][ T465] Disabling lock debugging due to kernel taint [ 47.343144][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 62011667224720, count = 16 [ 47.358765][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 62011667198513, count = 26214 [ 47.374518][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 62011667198512, count = 16 [ 47.389503][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 119182759484608, count = 16 [ 47.405271][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 119182759457636, count = 26982 [ 47.420505][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 119182759457632, count = 16 [ 47.435948][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 104936342709607, count = 25183 [ 47.452151][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 104936342709600, count = 16 [ 51.702051][ T465] EXT4-fs error: 26401 callbacks suppressed [ 51.702070][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 112589990684256, count = 16 [ 51.723265][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 110433799599201, count = 30047 [ 51.738960][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 110433799599200, count = 16 [ 51.754618][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 104906177240256, count = 16 [ 51.769850][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 104906177214059, count = 26211 [ 51.785635][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 104906177214048, count = 16 [ 51.801342][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 61805119432288, count = 16 [ 51.816635][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 61805119419700, count = 12593 [ 51.831871][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 61805119419696, count = 16 [ 51.846900][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 112194853722320, count = 16 [ 56.711814][ T465] EXT4-fs error: 28614 callbacks suppressed [ 56.711830][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 114844842489711, count = 24368 [ 56.733953][ T465] EXT4-fs error (device loop2): ext4_free_blocks:6221: comm syz-executor: Freeing blocks not in datazone - block = 114844842489696, count = 16