Warning: Permanently added '10.128.1.52' (ED25519) to the list of known hosts. 2026/02/02 20:00:46 parsed 1 programs [ 23.639666][ T24] audit: type=1400 audit(1770062446.780:64): avc: denied { node_bind } for pid=275 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 23.663393][ T24] audit: type=1400 audit(1770062446.780:65): avc: denied { create } for pid=275 comm="syz-execprog" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 23.684747][ T24] audit: type=1400 audit(1770062446.780:66): avc: denied { module_request } for pid=275 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 24.622374][ T24] audit: type=1400 audit(1770062447.760:67): avc: denied { mounton } for pid=281 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 24.627566][ T281] cgroup: Unknown subsys name 'net' [ 24.646750][ T24] audit: type=1400 audit(1770062447.770:68): avc: denied { mount } for pid=281 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.675114][ T24] audit: type=1400 audit(1770062447.790:69): avc: denied { unmount } for pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.675609][ T281] cgroup: Unknown subsys name 'devices' [ 24.785465][ T281] cgroup: Unknown subsys name 'hugetlb' [ 24.791101][ T281] cgroup: Unknown subsys name 'rlimit' [ 24.970573][ T24] audit: type=1400 audit(1770062448.110:70): avc: denied { setattr } for pid=281 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.995256][ T24] audit: type=1400 audit(1770062448.110:71): avc: denied { create } for pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.017255][ T24] audit: type=1400 audit(1770062448.110:72): avc: denied { write } for pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.035169][ T285] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 25.039062][ T24] audit: type=1400 audit(1770062448.110:73): avc: denied { read } for pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 25.121443][ T281] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 25.533378][ T287] request_module fs-gadgetfs succeeded, but still no fs? [ 25.547134][ T287] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation [ 25.997407][ T319] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.006084][ T319] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.014457][ T319] device bridge_slave_0 entered promiscuous mode [ 26.022919][ T319] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.030631][ T319] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.039079][ T319] device bridge_slave_1 entered promiscuous mode [ 26.080899][ T319] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.088819][ T319] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.096620][ T319] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.104337][ T319] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.123975][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.132586][ T9] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.140452][ T9] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.149758][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.158633][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.166621][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.176792][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.185400][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.192923][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.205066][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.219067][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 26.235040][ T319] device veth0_vlan entered promiscuous mode [ 26.241605][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 26.250982][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 26.260155][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 26.268109][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 26.279704][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 26.289585][ T319] device veth1_macvtap entered promiscuous mode [ 26.299843][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 26.310080][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 2026/02/02 20:00:49 executed programs: 0 [ 26.787368][ T353] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.794975][ T353] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.802565][ T353] device bridge_slave_0 entered promiscuous mode [ 26.810092][ T353] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.817488][ T353] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.825237][ T353] device bridge_slave_1 entered promiscuous mode [ 26.882195][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 26.891016][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.900733][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 26.910099][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.918595][ T9] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.925968][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.934316][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 26.943387][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 26.952861][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.962455][ T9] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.970237][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.987253][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.996864][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.011060][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.023787][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.032476][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.042440][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.051559][ T353] device veth0_vlan entered promiscuous mode [ 27.063736][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.073859][ T353] device veth1_macvtap entered promiscuous mode [ 27.084527][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.101125][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.174868][ T380] EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue [ 27.184741][ T380] ext4 filesystem being mounted at /0/file0 supports timestamps until 2038-01-19 (0x7fffffff) [ 27.228143][ T9] ================================================================== [ 27.236852][ T9] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 [ 27.244657][ T9] Read of size 4 at addr ffff8881263359a4 by task kworker/u4:1/9 [ 27.252818][ T9] [ 27.255166][ T9] CPU: 1 PID: 9 Comm: kworker/u4:1 Not tainted syzkaller #0 [ 27.262550][ T9] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 27.273307][ T9] Workqueue: writeback wb_workfn (flush-7:2) [ 27.279609][ T9] Call Trace: [ 27.283121][ T9] __dump_stack+0x21/0x24 [ 27.287742][ T9] dump_stack_lvl+0x1a7/0x208 [ 27.292678][ T9] ? show_regs_print_info+0x18/0x18 [ 27.298386][ T9] ? thaw_kernel_threads+0x220/0x220 [ 27.303669][ T9] print_address_description+0x7f/0x2c0 [ 27.309788][ T9] ? ext4_find_extent+0xbeb/0xe20 [ 27.315350][ T9] kasan_report+0xe2/0x130 [ 27.319785][ T9] ? __read_extent_tree_block+0x1e8/0x790 [ 27.326042][ T9] ? ext4_find_extent+0xbeb/0xe20 [ 27.331912][ T9] __asan_report_load4_noabort+0x14/0x20 [ 27.337933][ T9] ext4_find_extent+0xbeb/0xe20 [ 27.343046][ T9] ext4_ext_map_blocks+0x20b/0x5dd0 [ 27.348600][ T9] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 27.354599][ T9] ? __kasan_slab_alloc+0xcf/0xf0 [ 27.360232][ T9] ? __kasan_slab_alloc+0xbd/0xf0 [ 27.365375][ T9] ? slab_post_alloc_hook+0x5d/0x2f0 [ 27.370846][ T9] ? kmem_cache_alloc+0x162/0x2d0 [ 27.376246][ T9] ? ext4_alloc_io_end_vec+0x2a/0x160 [ 27.381614][ T9] ? ext4_writepages+0x1057/0x2eb0 [ 27.386744][ T9] ? do_writepages+0x128/0x280 [ 27.391594][ T9] ? __writeback_single_inode+0xd5/0xa20 [ 27.397220][ T9] ? writeback_sb_inodes+0x8ca/0x1480 [ 27.403135][ T9] ? worker_thread+0xa6a/0x13c0 [ 27.408000][ T9] ? kthread+0x346/0x3d0 [ 27.412429][ T9] ? ret_from_fork+0x1f/0x30 [ 27.417217][ T9] ? ext4_ext_release+0x10/0x10 [ 27.422154][ T9] ? ext4_es_lookup_extent+0x54c/0x900 [ 27.427702][ T9] ext4_map_blocks+0x985/0x1bd0 [ 27.432917][ T9] ? ext4_issue_zeroout+0x1a0/0x1a0 [ 27.438518][ T9] ? ext4_inode_journal_mode+0x19a/0x480 [ 27.444247][ T9] ext4_writepages+0x136a/0x2eb0 [ 27.449715][ T9] ? ext4_readpage+0x220/0x220 [ 27.455559][ T9] ? enqueue_task_fair+0xaf6/0x2250 [ 27.460854][ T9] ? __update_load_avg_cfs_rq+0xaf/0x2f0 [ 27.466568][ T9] ? ext4_readpage+0x220/0x220 [ 27.471530][ T9] do_writepages+0x128/0x280 [ 27.476210][ T9] ? __writepage+0x130/0x130 [ 27.480887][ T9] ? __kasan_check_write+0x14/0x20 [ 27.486108][ T9] ? __kasan_check_write+0x14/0x20 [ 27.491397][ T9] ? _raw_spin_lock+0x94/0xf0 [ 27.496525][ T9] __writeback_single_inode+0xd5/0xa20 [ 27.502244][ T9] ? wbc_attach_and_unlock_inode+0x171/0x590 [ 27.508397][ T9] writeback_sb_inodes+0x8ca/0x1480 [ 27.513616][ T9] ? __kasan_check_write+0x14/0x20 [ 27.518978][ T9] ? queue_io+0x4c0/0x4c0 [ 27.523585][ T9] ? __kasan_check_read+0x11/0x20 [ 27.528876][ T9] ? queue_io+0x385/0x4c0 [ 27.533938][ T9] wb_writeback+0x403/0xbe0 [ 27.538934][ T9] ? wb_io_lists_depopulated+0x180/0x180 [ 27.544661][ T9] ? set_worker_desc+0x1ba/0x1f0 [ 27.550210][ T9] ? update_load_avg+0x4dc/0x14f0 [ 27.555562][ T9] ? __kasan_check_write+0x14/0x20 [ 27.560947][ T9] wb_workfn+0x3ac/0xf30 [ 27.565446][ T9] ? inode_wait_for_writeback+0x220/0x220 [ 27.571269][ T9] ? _raw_spin_unlock_irq+0x4e/0x70 [ 27.576598][ T9] ? finish_task_switch+0x12e/0x5a0 [ 27.582303][ T9] ? switch_mm_irqs_off+0x75f/0x990 [ 27.588438][ T9] ? __switch_to_asm+0x34/0x60 [ 27.593402][ T9] ? __kasan_check_read+0x11/0x20 [ 27.598751][ T9] ? read_word_at_a_time+0x12/0x20 [ 27.604235][ T9] ? strscpy+0x9b/0x290 [ 27.608384][ T9] process_one_work+0x6e1/0xba0 [ 27.613319][ T9] worker_thread+0xa6a/0x13c0 [ 27.618338][ T9] kthread+0x346/0x3d0 [ 27.622497][ T9] ? worker_clr_flags+0x190/0x190 [ 27.627537][ T9] ? kthread_blkcg+0xd0/0xd0 [ 27.632553][ T9] ret_from_fork+0x1f/0x30 [ 27.637306][ T9] [ 27.639633][ T9] The buggy address belongs to the page: [ 27.645530][ T9] page:ffffea000498cd40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x126335 [ 27.656139][ T9] flags: 0x4000000000000000() [ 27.660812][ T9] raw: 4000000000000000 ffffea000498cd88 ffffea000498cd08 0000000000000000 [ 27.669918][ T9] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 27.678756][ T9] page dumped because: kasan: bad access detected [ 27.685562][ T9] page_owner tracks the page as freed [ 27.691266][ T9] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 352, ts 26754713144, free_ts 27226306332 [ 27.705771][ T9] prep_new_page+0x179/0x180 [ 27.710367][ T9] get_page_from_freelist+0x223b/0x23d0 [ 27.715920][ T9] __alloc_pages_nodemask+0x290/0x620 [ 27.721299][ T9] handle_pte_fault+0xf53/0x3750 [ 27.726418][ T9] handle_mm_fault+0xf81/0x1710 [ 27.731462][ T9] do_user_addr_fault+0x5a8/0xc90 [ 27.736582][ T9] exc_page_fault+0x5a/0xc0 [ 27.741095][ T9] asm_exc_page_fault+0x1e/0x30 [ 27.746144][ T9] page last free stack trace: [ 27.750936][ T9] free_unref_page_prepare+0x2b7/0x2d0 [ 27.756505][ T9] free_unref_page_list+0x129/0x9c0 [ 27.762235][ T9] release_pages+0xe52/0xea0 [ 27.767020][ T9] free_pages_and_swap_cache+0x86/0xa0 [ 27.772851][ T9] tlb_finish_mmu+0x17e/0x310 [ 27.777992][ T9] exit_mmap+0x329/0x590 [ 27.782687][ T9] __mmput+0x93/0x2f0 [ 27.786682][ T9] mmput+0x4e/0x150 [ 27.790501][ T9] do_exit+0x9ec/0x2500 [ 27.794754][ T9] do_group_exit+0x141/0x310 [ 27.799352][ T9] get_signal+0xf7d/0x12e0 [ 27.803778][ T9] arch_do_signal_or_restart+0xe2/0x11d0 [ 27.809631][ T9] exit_to_user_mode_loop+0xa2/0xe0 [ 27.815279][ T9] exit_to_user_mode_prepare+0x76/0xa0 [ 27.820942][ T9] syscall_exit_to_user_mode+0x1d/0x40 [ 27.826733][ T9] do_syscall_64+0x3d/0x40 [ 27.831253][ T9] [ 27.833682][ T9] Memory state around the buggy address: [ 27.839540][ T9] ffff888126335880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.847975][ T9] ffff888126335900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.856488][ T9] >ffff888126335980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.865175][ T9] ^ [ 27.870974][ T9] ffff888126335a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.879432][ T9] ffff888126335a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.888155][ T9] ================================================================== [ 27.896507][ T9] Disabling lock debugging due to kernel taint [ 27.904456][ T9] EXT4-fs error (device loop2): __ext4_get_inode_loc:4444: comm kworker/u4:1: Invalid inode table block 7332508536271504388 in block_group 0