syzkaller syzkaller login:
[ 15.824690][ T24] kauditd_printk_skb: 31 callbacks suppressed
[ 15.824702][ T24] audit: type=1400 audit(1782159934.280:59): avc: denied { transition } for pid=217 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 15.836646][ T24] audit: type=1400 audit(1782159934.280:60): avc: denied { noatsecure } for pid=217 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 15.845644][ T24] audit: type=1400 audit(1782159934.290:61): avc: denied { write } for pid=217 comm="sh" path="pipe:[14025]" dev="pipefs" ino=14025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 15.868584][ T24] audit: type=1400 audit(1782159934.290:62): avc: denied { rlimitinh } for pid=217 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 15.887512][ T24] audit: type=1400 audit(1782159934.290:63): avc: denied { siginh } for pid=217 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.0.104' (ED25519) to the list of known hosts.
2026/06/22 20:25:44 parsed 1 programs
2026/06/22 20:25:44 serving rpc on tcp://35365
[ 25.834149][ T24] audit: type=1400 audit(1782159944.290:64): avc: denied { node_bind } for pid=287 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 25.855551][ T24] audit: type=1400 audit(1782159944.290:65): avc: denied { create } for pid=287 comm="syz-execprog" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1
[ 25.876053][ T24] audit: type=1400 audit(1782159944.290:66): avc: denied { module_request } for pid=287 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 26.789987][ T24] audit: type=1400 audit(1782159945.240:67): avc: denied { mounton } for pid=293 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 26.793489][ T293] cgroup: Unknown subsys name 'net'
[ 26.812840][ T24] audit: type=1400 audit(1782159945.240:68): avc: denied { mount } for pid=293 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.840288][ T24] audit: type=1400 audit(1782159945.270:69): avc: denied { unmount } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 26.840815][ T293] cgroup: Unknown subsys name 'devices'
[ 26.983172][ T293] cgroup: Unknown subsys name 'hugetlb'
[ 26.989358][ T293] cgroup: Unknown subsys name 'rlimit'
[ 27.139262][ T24] audit: type=1400 audit(1782159945.590:70): avc: denied { setattr } for pid=293 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 27.162593][ T24] audit: type=1400 audit(1782159945.590:71): avc: denied { create } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 27.183232][ T24] audit: type=1400 audit(1782159945.600:72): avc: denied { write } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 27.201705][ T297] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 27.204097][ T24] audit: type=1400 audit(1782159945.600:73): avc: denied { read } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 27.258962][ T293] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 27.693047][ T299] request_module fs-gadgetfs succeeded, but still no fs?
[ 27.704135][ T299] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 28.007568][ T322] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.015407][ T322] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.023546][ T322] device bridge_slave_0 entered promiscuous mode
[ 28.030524][ T322] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.038294][ T322] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.045887][ T322] device bridge_slave_1 entered promiscuous mode
[ 28.088385][ T322] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.095494][ T322] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.103398][ T322] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.110542][ T322] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.129655][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.137697][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.145639][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.155683][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.164125][ T7] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.171358][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.180815][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.189322][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.196707][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.209752][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.220523][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.234556][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.247003][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.255465][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.263049][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.271502][ T322] device veth0_vlan entered promiscuous mode
[ 28.281403][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.290963][ T322] device veth1_macvtap entered promiscuous mode
[ 28.301602][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.315324][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2026/06/22 20:25:47 executed programs: 0
[ 28.950373][ T365] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.957845][ T365] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.965736][ T365] device bridge_slave_0 entered promiscuous mode
[ 28.972866][ T365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.979938][ T365] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.987512][ T365] device bridge_slave_1 entered promiscuous mode
[ 28.999729][ T9] device bridge_slave_1 left promiscuous mode
[ 29.005974][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.013554][ T9] device bridge_slave_0 left promiscuous mode
[ 29.019810][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.027761][ T9] device veth1_macvtap left promiscuous mode
[ 29.034012][ T9] device veth0_vlan left promiscuous mode
[ 29.167206][ T365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.174307][ T365] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.181694][ T365] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.188751][ T365] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.207336][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.215142][ T112] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.223328][ T112] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.233051][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.241422][ T112] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.248476][ T112] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.257129][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.265612][ T112] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.272748][ T112] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.285310][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.294917][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.309071][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.320224][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.328624][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 29.336526][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 29.345077][ T365] device veth0_vlan entered promiscuous mode
[ 29.356163][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.366053][ T365] device veth1_macvtap entered promiscuous mode
[ 29.376828][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.392739][ T112] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.415211][ T385] ==================================================================
[ 29.423445][ T385] BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0
[ 29.430636][ T385] Write of size 8 at addr ffff888111165d50 by task syz.2.17/385
[ 29.438274][ T385]
[ 29.440648][ T385] CPU: 0 PID: 385 Comm: syz.2.17 Not tainted syzkaller #0
[ 29.447897][ T385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
[ 29.458065][ T385] Call Trace:
[ 29.461485][ T385] __dump_stack+0x21/0x24
[ 29.465812][ T385] dump_stack_lvl+0x1a7/0x208
[ 29.470490][ T385] ? show_regs_print_info+0x18/0x18
[ 29.475689][ T385] ? thaw_kernel_threads+0x220/0x220
[ 29.480967][ T385] ? debug_smp_processor_id+0x17/0x20
[ 29.486338][ T385] print_address_description+0x7f/0x2c0
[ 29.491881][ T385] ? mutex_lock+0x85/0xf0
[ 29.496233][ T385] kasan_report+0x100/0x140
[ 29.500731][ T385] ? mutex_lock+0x85/0xf0
[ 29.505055][ T385] kasan_check_range+0x249/0x2a0
[ 29.509987][ T385] __kasan_check_write+0x14/0x20
[ 29.514921][ T385] mutex_lock+0x85/0xf0
[ 29.519159][ T385] ? mutex_trylock+0xb0/0xb0
[ 29.523751][ T385] ? l2tp_session_put+0xb2/0x1a0
[ 29.528788][ T385] ? l2tp_session_delete+0x3a9/0x4a0
[ 29.534074][ T385] pppol2tp_release+0x178/0x2b0
[ 29.538928][ T385] sock_close+0xb8/0x200
[ 29.543172][ T385] ? sock_mmap+0xa0/0xa0
[ 29.547525][ T385] __fput+0x2dc/0x730
[ 29.551594][ T385] ____fput+0x15/0x20
[ 29.555587][ T385] task_work_run+0x127/0x190
[ 29.560374][ T385] exit_to_user_mode_loop+0xcb/0xe0
[ 29.565783][ T385] exit_to_user_mode_prepare+0x76/0xa0
[ 29.571247][ T385] syscall_exit_to_user_mode+0x1d/0x40
[ 29.576745][ T385] do_syscall_64+0x3d/0x40
[ 29.581170][ T385] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.587066][ T385] RIP: 0033:0x7fe59e20de59
[ 29.591744][ T385] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 29.611371][ T385] RSP: 002b:00007ffcf4f0a488 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 29.620057][ T385] RAX: 0000000000000000 RBX: 00007ffcf4f0a570 RCX: 00007fe59e20de59
[ 29.628120][ T385] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 29.636112][ T385] RBP: 00000000000072d0 R08: 0000000000000001 R09: 0000000000000000
[ 29.644083][ T385] R10: 0000001b32c20000 R11: 0000000000000246 R12: 0000000000000000
[ 29.652193][ T385] R13: 00007fe59e486fac R14: 00007fe59e486fa8 R15: 00007fe59e486fa0
[ 29.660311][ T385]
[ 29.662778][ T385] Allocated by task 385:
[ 29.667117][ T385] __kasan_kmalloc+0xd4/0x100
[ 29.671955][ T385] __kmalloc+0x19f/0x330
[ 29.676305][ T385] l2tp_session_create+0x39/0xb60
[ 29.681439][ T385] pppol2tp_connect+0xbf5/0x1640
[ 29.686652][ T385] __sys_connect+0x3ce/0x450
[ 29.691337][ T385] __x64_sys_connect+0x7a/0x90
[ 29.696945][ T385] do_syscall_64+0x31/0x40
[ 29.702034][ T385] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.708592][ T385]
[ 29.710937][ T385] Freed by task 385:
[ 29.714947][ T385] kasan_set_track+0x4a/0x70
[ 29.719579][ T385] kasan_set_free_info+0x23/0x40
[ 29.724618][ T385] ____kasan_slab_free+0x125/0x160
[ 29.729929][ T385] __kasan_slab_free+0x11/0x20
[ 29.735145][ T385] slab_free_freelist_hook+0xc5/0x190
[ 29.740717][ T385] kfree+0xc0/0x270
[ 29.744699][ T385] l2tp_session_put+0xb2/0x1a0
[ 29.749752][ T385] l2tp_session_delete+0x3a9/0x4a0
[ 29.755314][ T385] pppol2tp_release+0x169/0x2b0
[ 29.760992][ T385] sock_close+0xb8/0x200
[ 29.765969][ T385] __fput+0x2dc/0x730
[ 29.770803][ T385] ____fput+0x15/0x20
[ 29.775342][ T385] task_work_run+0x127/0x190
[ 29.780336][ T385] exit_to_user_mode_loop+0xcb/0xe0
[ 29.785653][ T385] exit_to_user_mode_prepare+0x76/0xa0
[ 29.791135][ T385] syscall_exit_to_user_mode+0x1d/0x40
[ 29.796605][ T385] do_syscall_64+0x3d/0x40
[ 29.801040][ T385] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 29.807112][ T385]
[ 29.809540][ T385] The buggy address belongs to the object at ffff888111165c00
[ 29.809540][ T385] which belongs to the cache kmalloc-512 of size 512
[ 29.823806][ T385] The buggy address is located 336 bytes inside of
[ 29.823806][ T385] 512-byte region [ffff888111165c00, ffff888111165e00)
[ 29.837185][ T385] The buggy address belongs to the page:
[ 29.842845][ T385] page:ffffea0004445900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111164
[ 29.853088][ T385] head:ffffea0004445900 order:2 compound_mapcount:0 compound_pincount:0
[ 29.861421][ T385] flags: 0x4000000000010200(slab|head)
[ 29.866892][ T385] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
[ 29.875490][ T385] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 29.884081][ T385] page dumped because: kasan: bad access detected
[ 29.890518][ T385] page_owner tracks the page as allocated
[ 29.896340][ T385] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 365, ts 29392067531, free_ts 29374088557
[ 29.914780][ T385] prep_new_page+0x176/0x190
[ 29.919468][ T385] get_page_from_freelist+0x225f/0x23f0
[ 29.925107][ T385] __alloc_pages_nodemask+0x29a/0x640
[ 29.930489][ T385] new_slab+0x84/0x3f0
[ 29.934577][ T385] ___slab_alloc+0x2f8/0x4c0
[ 29.939171][ T385] __slab_alloc+0x63/0xa0
[ 29.943513][ T385] __kmalloc+0x1f9/0x330
[ 29.947879][ T385] fib6_info_alloc+0x34/0xe0
[ 29.952483][ T385] ip6_route_info_create+0x4c7/0x1450
[ 29.957864][ T385] ip6_route_add+0x27/0x130
[ 29.962381][ T385] addrconf_permanent_addr+0x635/0x940
[ 29.967883][ T385] addrconf_notify+0x752/0xea0
[ 29.972744][ T385] raw_notifier_call_chain+0x90/0x100
[ 29.978145][ T385] __dev_notify_flags+0x2f4/0x5b0
[ 29.983179][ T385] dev_change_flags+0xe3/0x1a0
[ 29.987955][ T385] do_setlink+0xb19/0x29a0
[ 29.992504][ T385] page last free stack trace:
[ 29.997227][ T385] __free_pages_ok+0x80b/0x830
[ 30.002104][ T385] __free_pages+0xd8/0x390
[ 30.006656][ T385] __free_slab+0xcf/0x190
[ 30.011014][ T385] unfreeze_partials+0x150/0x180
[ 30.016198][ T385] put_cpu_partial+0xc1/0x180
[ 30.020897][ T385] __slab_free+0x2c9/0x3a0
[ 30.025336][ T385] ___cache_free+0x10e/0x130
[ 30.030049][ T385] qlink_free+0x50/0x90
[ 30.034220][ T385] qlist_free_all+0x5f/0xb0
[ 30.038859][ T385] kasan_quarantine_reduce+0x14a/0x160
[ 30.044326][ T385] __kasan_slab_alloc+0x2f/0xe0
[ 30.049188][ T385] slab_post_alloc_hook+0x5d/0x2f0
[ 30.054340][ T385] kmem_cache_alloc+0x15a/0x2d0
[ 30.059289][ T385] __alloc_skb+0x9e/0x520
[ 30.063630][ T385] netlink_sendmsg+0x693/0xb70
[ 30.068408][ T385] __sys_sendto+0x467/0x620
[ 30.073030][ T385]
[ 30.075364][ T385] Memory state around the buggy address:
[ 30.081011][ T385] ffff888111165c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.089090][ T385] ffff888111165c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.097426][ T385] >ffff888111165d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.105951][ T385] ^
[ 30.112640][ T385] ffff888111165d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.120710][ T385] ffff888111165e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.128776][ T385] ==================================================================
[ 30.137735][ T385] Disabling lock debugging due to kernel taint