cess permissive=1
[ 11.251880][ T24] audit: type=1400 audit(1782161089.329:63): avc: denied { siginh } for pid=215 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.0.144' (ED25519) to the list of known hosts.
2026/06/22 20:44:58 parsed 1 programs
2026/06/22 20:44:58 serving rpc on tcp://39853
[ 20.295036][ T24] audit: type=1400 audit(1782161098.399:64): avc: denied { node_bind } for pid=287 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 20.315987][ T24] audit: type=1400 audit(1782161098.399:65): avc: denied { create } for pid=287 comm="syz-execprog" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1
[ 20.335519][ T24] audit: type=1400 audit(1782161098.399:66): avc: denied { module_request } for pid=287 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 20.897595][ T24] audit: type=1400 audit(1782161098.999:67): avc: denied { mounton } for pid=293 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 20.898579][ T293] cgroup: Unknown subsys name 'net'
[ 20.920254][ T24] audit: type=1400 audit(1782161098.999:68): avc: denied { mount } for pid=293 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.947498][ T24] audit: type=1400 audit(1782161099.039:69): avc: denied { unmount } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.947674][ T293] cgroup: Unknown subsys name 'devices'
[ 21.055131][ T293] cgroup: Unknown subsys name 'hugetlb'
[ 21.060732][ T293] cgroup: Unknown subsys name 'rlimit'
[ 21.202676][ T24] audit: type=1400 audit(1782161099.299:70): avc: denied { setattr } for pid=293 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.225855][ T24] audit: type=1400 audit(1782161099.299:71): avc: denied { create } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 21.229928][ T298] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 21.246429][ T24] audit: type=1400 audit(1782161099.299:72): avc: denied { write } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 21.274973][ T24] audit: type=1400 audit(1782161099.299:73): avc: denied { read } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 21.295374][ T293] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 21.650623][ T300] request_module fs-gadgetfs succeeded, but still no fs?
[ 21.660943][ T300] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 22.005656][ T337] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.012777][ T337] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.020643][ T337] device bridge_slave_0 entered promiscuous mode
[ 22.028443][ T337] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.035521][ T337] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.042762][ T337] device bridge_slave_1 entered promiscuous mode
[ 22.075193][ T337] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.082275][ T337] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.089557][ T337] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.096584][ T337] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.111668][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.119194][ T233] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.126542][ T233] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.136459][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 22.144628][ T233] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.151635][ T233] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.160075][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 22.168368][ T233] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.175411][ T233] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.186446][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 22.196190][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 22.208486][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.218798][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 22.227238][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 22.234744][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 22.242719][ T337] device veth0_vlan entered promiscuous mode
[ 22.254059][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.263189][ T337] device veth1_macvtap entered promiscuous mode
[ 22.272356][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.282006][ T233] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2026/06/22 20:45:00 executed programs: 0
[ 22.642278][ T366] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.649412][ T366] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.657033][ T366] device bridge_slave_0 entered promiscuous mode
[ 22.664071][ T366] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.671095][ T366] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.678440][ T366] device bridge_slave_1 entered promiscuous mode
[ 22.715695][ T366] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.722727][ T366] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.730046][ T366] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.737076][ T366] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.752253][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 22.759924][ T341] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.767380][ T341] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.781751][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 22.789984][ T341] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.797019][ T341] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 22.805577][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 22.813988][ T341] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.821010][ T341] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.837934][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 22.846077][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 22.855157][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 22.863171][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 22.878648][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 22.886981][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.897242][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 22.905309][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 22.913187][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 22.920694][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 22.928843][ T366] device veth0_vlan entered promiscuous mode
[ 22.944007][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 22.952123][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.960916][ T366] device veth1_macvtap entered promiscuous mode
[ 22.969158][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 22.977402][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 22.985795][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.998730][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 23.006937][ T341] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.026291][ T370] ==================================================================
[ 23.034387][ T370] BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0
[ 23.041038][ T370] Write of size 8 at addr ffff888110b3b550 by task syz.2.17/370
[ 23.048641][ T370]
[ 23.050979][ T370] CPU: 0 PID: 370 Comm: syz.2.17 Not tainted syzkaller #0
[ 23.058067][ T370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
[ 23.068105][ T370] Call Trace:
[ 23.071373][ T370] __dump_stack+0x21/0x24
[ 23.075681][ T370] dump_stack_lvl+0x1a7/0x208
[ 23.080331][ T370] ? show_regs_print_info+0x18/0x18
[ 23.085505][ T370] ? thaw_kernel_threads+0x220/0x220
[ 23.090768][ T370] ? debug_smp_processor_id+0x17/0x20
[ 23.096120][ T370] print_address_description+0x7f/0x2c0
[ 23.101638][ T370] ? mutex_lock+0x85/0xf0
[ 23.105943][ T370] kasan_report+0x100/0x140
[ 23.110418][ T370] ? mutex_lock+0x85/0xf0
[ 23.114730][ T370] kasan_check_range+0x249/0x2a0
[ 23.119641][ T370] __kasan_check_write+0x14/0x20
[ 23.124565][ T370] mutex_lock+0x85/0xf0
[ 23.128692][ T370] ? mutex_trylock+0xb0/0xb0
[ 23.133694][ T370] ? l2tp_session_put+0xb2/0x1a0
[ 23.138696][ T370] ? l2tp_session_delete+0x3a9/0x4a0
[ 23.143961][ T370] pppol2tp_release+0x178/0x2b0
[ 23.148795][ T370] sock_close+0xb8/0x200
[ 23.153015][ T370] ? sock_mmap+0xa0/0xa0
[ 23.157231][ T370] __fput+0x2dc/0x730
[ 23.161186][ T370] ____fput+0x15/0x20
[ 23.165144][ T370] task_work_run+0x127/0x190
[ 23.169712][ T370] exit_to_user_mode_loop+0xcb/0xe0
[ 23.174883][ T370] exit_to_user_mode_prepare+0x76/0xa0
[ 23.180330][ T370] syscall_exit_to_user_mode+0x1d/0x40
[ 23.185765][ T370] do_syscall_64+0x3d/0x40
[ 23.190154][ T370] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.196017][ T370] RIP: 0033:0x7f82747b3e59
[ 23.200407][ T370] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 23.220099][ T370] RSP: 002b:00007ffc63cf0118 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 23.228498][ T370] RAX: 0000000000000000 RBX: 00007ffc63cf0200 RCX: 00007f82747b3e59
[ 23.236454][ T370] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 23.244421][ T370] RBP: 00000000000059d9 R08: 0000000000000001 R09: 0000000000000000
[ 23.252372][ T370] R10: 0000001b32d20000 R11: 0000000000000246 R12: 0000000000000000
[ 23.260326][ T370] R13: 00007f8274a2cfac R14: 00007f8274a2cfa8 R15: 00007f8274a2cfa0
[ 23.268288][ T370]
[ 23.270604][ T370] Allocated by task 370:
[ 23.274827][ T370] __kasan_kmalloc+0xd4/0x100
[ 23.279478][ T370] __kmalloc+0x19f/0x330
[ 23.283701][ T370] l2tp_session_create+0x39/0xb60
[ 23.288707][ T370] pppol2tp_connect+0xbf5/0x1640
[ 23.293622][ T370] __sys_connect+0x3ce/0x450
[ 23.298192][ T370] __x64_sys_connect+0x7a/0x90
[ 23.302954][ T370] do_syscall_64+0x31/0x40
[ 23.307365][ T370] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.313230][ T370]
[ 23.315532][ T370] Freed by task 370:
[ 23.319408][ T370] kasan_set_track+0x4a/0x70
[ 23.323973][ T370] kasan_set_free_info+0x23/0x40
[ 23.328878][ T370] ____kasan_slab_free+0x125/0x160
[ 23.333960][ T370] __kasan_slab_free+0x11/0x20
[ 23.338694][ T370] slab_free_freelist_hook+0xc5/0x190
[ 23.344074][ T370] kfree+0xc0/0x270
[ 23.347876][ T370] l2tp_session_put+0xb2/0x1a0
[ 23.352615][ T370] l2tp_session_delete+0x3a9/0x4a0
[ 23.357704][ T370] pppol2tp_release+0x169/0x2b0
[ 23.362574][ T370] sock_close+0xb8/0x200
[ 23.366886][ T370] __fput+0x2dc/0x730
[ 23.370848][ T370] ____fput+0x15/0x20
[ 23.374808][ T370] task_work_run+0x127/0x190
[ 23.379378][ T370] exit_to_user_mode_loop+0xcb/0xe0
[ 23.384992][ T370] exit_to_user_mode_prepare+0x76/0xa0
[ 23.390435][ T370] syscall_exit_to_user_mode+0x1d/0x40
[ 23.395869][ T370] do_syscall_64+0x3d/0x40
[ 23.400261][ T370] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 23.406125][ T370]
[ 23.408446][ T370] The buggy address belongs to the object at ffff888110b3b400
[ 23.408446][ T370] which belongs to the cache kmalloc-512 of size 512
[ 23.422500][ T370] The buggy address is located 336 bytes inside of
[ 23.422500][ T370] 512-byte region [ffff888110b3b400, ffff888110b3b600)
[ 23.435750][ T370] The buggy address belongs to the page:
[ 23.441378][ T370] page:ffffea000442ce00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110b38
[ 23.451585][ T370] head:ffffea000442ce00 order:2 compound_mapcount:0 compound_pincount:0
[ 23.459899][ T370] flags: 0x4000000000010200(slab|head)
[ 23.465340][ T370] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
[ 23.473901][ T370] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 23.482453][ T370] page dumped because: kasan: bad access detected
[ 23.488838][ T370] page_owner tracks the page as allocated
[ 23.494571][ T370] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 366, ts 23018568992, free_ts 23015165799
[ 23.514942][ T370] prep_new_page+0x176/0x190
[ 23.519506][ T370] get_page_from_freelist+0x225f/0x23f0
[ 23.525024][ T370] __alloc_pages_nodemask+0x29a/0x640
[ 23.530366][ T370] new_slab+0x84/0x3f0
[ 23.534417][ T370] ___slab_alloc+0x2f8/0x4c0
[ 23.538977][ T370] __slab_alloc+0x63/0xa0
[ 23.543277][ T370] __kmalloc+0x1f9/0x330
[ 23.547502][ T370] qdisc_alloc+0x79/0x720
[ 23.551801][ T370] qdisc_create_dflt+0x6b/0x390
[ 23.556627][ T370] dev_activate+0x292/0x11c0
[ 23.561187][ T370] __dev_open+0x3e9/0x500
[ 23.565491][ T370] __dev_change_flags+0x1e4/0x6a0
[ 23.570486][ T370] dev_change_flags+0x80/0x1a0
[ 23.575252][ T370] do_setlink+0xb19/0x29a0
[ 23.579653][ T370] rtnl_newlink+0x13e6/0x1830
[ 23.584301][ T370] rtnetlink_rcv_msg+0x9e9/0xca0
[ 23.589209][ T370] page last free stack trace:
[ 23.593892][ T370] __free_pages_ok+0x80b/0x830
[ 23.598633][ T370] __free_pages+0xd8/0x390
[ 23.603018][ T370] __free_slab+0xcf/0x190
[ 23.607324][ T370] unfreeze_partials+0x150/0x180
[ 23.612232][ T370] put_cpu_partial+0xc1/0x180
[ 23.616884][ T370] __slab_free+0x2c9/0x3a0
[ 23.621276][ T370] ___cache_free+0x10e/0x130
[ 23.625845][ T370] qlink_free+0x50/0x90
[ 23.629979][ T370] qlist_free_all+0x5f/0xb0
[ 23.634892][ T370] kasan_quarantine_reduce+0x14a/0x160
[ 23.640324][ T370] __kasan_slab_alloc+0x2f/0xe0
[ 23.645153][ T370] slab_post_alloc_hook+0x5d/0x2f0
[ 23.650238][ T370] __kmalloc+0x17b/0x330
[ 23.654458][ T370] fib6_info_alloc+0x34/0xe0
[ 23.659027][ T370] ip6_route_info_create+0x4c7/0x1450
[ 23.664373][ T370] ip6_route_add+0x27/0x130
[ 23.668847][ T370]
[ 23.671149][ T370] Memory state around the buggy address:
[ 23.676756][ T370] ffff888110b3b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.684789][ T370] ffff888110b3b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.692821][ T370] >ffff888110b3b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.700855][ T370] ^
[ 23.707505][ T370] ffff888110b3b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.715675][ T370] ffff888110b3b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.723712][ T370] ==================================================================
[ 23.731752][ T370] Disabling lock debugging due to kernel taint