Warning: Permanently added '10.128.0.197' (ED25519) to the list of known hosts. 2026/03/07 16:00:29 parsed 1 programs [ 24.405164][ T30] audit: type=1400 audit(1772899229.350:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 24.426116][ T30] audit: type=1400 audit(1772899229.350:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 25.104617][ T30] audit: type=1400 audit(1772899230.050:66): avc: denied { mounton } for pid=287 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.105622][ T287] cgroup: Unknown subsys name 'net' [ 25.127827][ T30] audit: type=1400 audit(1772899230.050:67): avc: denied { mount } for pid=287 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.156111][ T30] audit: type=1400 audit(1772899230.080:68): avc: denied { unmount } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.156293][ T287] cgroup: Unknown subsys name 'devices' [ 25.303383][ T287] cgroup: Unknown subsys name 'hugetlb' [ 25.309013][ T287] cgroup: Unknown subsys name 'rlimit' [ 25.510031][ T30] audit: type=1400 audit(1772899230.450:69): avc: denied { setattr } for pid=287 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 25.524730][ T291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 25.534249][ T30] audit: type=1400 audit(1772899230.450:70): avc: denied { create } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.563560][ T30] audit: type=1400 audit(1772899230.450:71): avc: denied { write } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.571261][ T287] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 25.584207][ T30] audit: type=1400 audit(1772899230.450:72): avc: denied { read } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.614061][ T30] audit: type=1400 audit(1772899230.460:73): avc: denied { mounton } for pid=287 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.079220][ T293] request_module fs-gadgetfs succeeded, but still no fs? [ 26.242057][ T303] syz-executor (303) used greatest stack depth: 21664 bytes left [ 26.459538][ T328] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.466650][ T328] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.474122][ T328] device bridge_slave_0 entered promiscuous mode [ 26.480961][ T328] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.488291][ T328] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.495889][ T328] device bridge_slave_1 entered promiscuous mode [ 26.532909][ T328] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.540185][ T328] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.547695][ T328] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.554850][ T328] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.577436][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.585891][ T45] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.593486][ T45] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.602649][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.610971][ T45] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.618312][ T45] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.626867][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.635262][ T45] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.642408][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.656254][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.665703][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 26.678995][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 26.689813][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 26.698015][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 26.705540][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 26.713780][ T328] device veth0_vlan entered promiscuous mode [ 26.723156][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 26.732368][ T328] device veth1_macvtap entered promiscuous mode [ 26.743479][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 26.754422][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 26.783873][ T328] syz-executor (328) used greatest stack depth: 21080 bytes left 2026/03/07 16:00:32 executed programs: 0 [ 27.222327][ T354] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.229755][ T354] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.237647][ T354] device bridge_slave_0 entered promiscuous mode [ 27.245130][ T354] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.252508][ T354] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.259826][ T354] device bridge_slave_1 entered promiscuous mode [ 27.304706][ T354] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.311775][ T354] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.319020][ T354] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.326073][ T354] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.344482][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.352636][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.360054][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.371730][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.380239][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.387521][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.395480][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.404184][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.411234][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.426536][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.434932][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.449327][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.461630][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.469707][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.477556][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.488659][ T354] device veth0_vlan entered promiscuous mode [ 27.499720][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.508692][ T354] device veth1_macvtap entered promiscuous mode [ 27.517643][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.528653][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.553801][ T359] ================================================================== [ 27.561984][ T359] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x606/0x6c0 [ 27.571188][ T359] Read of size 1 at addr ffff888110784bf8 by task syz.2.17/359 [ 27.578715][ T359] [ 27.581027][ T359] CPU: 1 PID: 359 Comm: syz.2.17 Not tainted syzkaller #0 [ 27.588224][ T359] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 27.598281][ T359] Call Trace: [ 27.601564][ T359] [ 27.604591][ T359] __dump_stack+0x21/0x30 [ 27.609051][ T359] dump_stack_lvl+0x110/0x170 [ 27.613769][ T359] ? show_regs_print_info+0x20/0x20 [ 27.619195][ T359] ? load_image+0x3e0/0x3e0 [ 27.623876][ T359] ? unwind_get_return_address+0x4d/0x90 [ 27.629502][ T359] print_address_description+0x7f/0x2c0 [ 27.635245][ T359] ? xfrm_policy_inexact_list_reinsert+0x606/0x6c0 [ 27.642760][ T359] kasan_report+0xf1/0x140 [ 27.647186][ T359] ? xfrm_policy_inexact_list_reinsert+0x606/0x6c0 [ 27.653976][ T359] __asan_report_load1_noabort+0x14/0x20 [ 27.659607][ T359] xfrm_policy_inexact_list_reinsert+0x606/0x6c0 [ 27.665929][ T359] xfrm_policy_inexact_insert_node+0x938/0xb50 [ 27.672330][ T359] ? xfrm_netlink_rcv+0x72/0x90 [ 27.677175][ T359] ? netlink_unicast+0x876/0xa40 [ 27.682315][ T359] ? netlink_sendmsg+0x879/0xb80 [ 27.687443][ T359] ? ____sys_sendmsg+0x5b7/0x8f0 [ 27.692481][ T359] ? ___sys_sendmsg+0x236/0x2e0 [ 27.697329][ T359] ? x64_sys_call+0x4b/0x9a0 [ 27.701920][ T359] ? entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.707985][ T359] xfrm_policy_inexact_alloc_chain+0x53d/0xb30 [ 27.714326][ T359] xfrm_policy_inexact_insert+0x70/0x1130 [ 27.720044][ T359] ? __kasan_check_write+0x14/0x20 [ 27.725297][ T359] ? _raw_spin_lock_bh+0x94/0xf0 [ 27.730329][ T359] ? policy_hash_bysel+0x13f/0x6f0 [ 27.735429][ T359] xfrm_policy_insert+0x126/0x9a0 [ 27.740450][ T359] ? xfrm_policy_construct+0x54f/0x1f00 [ 27.746305][ T359] xfrm_add_policy+0x4ed/0x850 [ 27.751253][ T359] ? xfrm_dump_sa_done+0xc0/0xc0 [ 27.756210][ T359] xfrm_user_rcv_msg+0x4dc/0x7b0 [ 27.761229][ T359] ? xfrm_netlink_rcv+0x90/0x90 [ 27.766241][ T359] ? avc_has_perm_noaudit+0x490/0x490 [ 27.771731][ T359] ? x64_sys_call+0x4b/0x9a0 [ 27.776414][ T359] ? selinux_nlmsg_lookup+0x237/0x4c0 [ 27.781954][ T359] netlink_rcv_skb+0x1f5/0x440 [ 27.786707][ T359] ? xfrm_netlink_rcv+0x90/0x90 [ 27.791651][ T359] ? netlink_ack+0xb50/0xb50 [ 27.796226][ T359] ? wait_for_completion_killable_timeout+0x10/0x10 [ 27.802894][ T359] ? __netlink_lookup+0x387/0x3b0 [ 27.808187][ T359] xfrm_netlink_rcv+0x72/0x90 [ 27.812865][ T359] netlink_unicast+0x876/0xa40 [ 27.817766][ T359] netlink_sendmsg+0x879/0xb80 [ 27.822530][ T359] ? netlink_getsockopt+0x530/0x530 [ 27.827799][ T359] ? do_futex+0xde8/0x2800 [ 27.832637][ T359] ? security_socket_sendmsg+0x82/0xa0 [ 27.838359][ T359] ? netlink_getsockopt+0x530/0x530 [ 27.843553][ T359] ____sys_sendmsg+0x5b7/0x8f0 [ 27.848404][ T359] ? __sys_sendmsg_sock+0x40/0x40 [ 27.853416][ T359] ? import_iovec+0x7c/0xb0 [ 27.857906][ T359] ___sys_sendmsg+0x236/0x2e0 [ 27.862664][ T359] ? __sys_sendmsg+0x280/0x280 [ 27.867420][ T359] ? __kasan_check_read+0x11/0x20 [ 27.872447][ T359] ? __fdget+0x15b/0x230 [ 27.876691][ T359] __x64_sys_sendmsg+0x206/0x2f0 [ 27.882111][ T359] ? ___sys_sendmsg+0x2e0/0x2e0 [ 27.886974][ T359] ? fpregs_assert_state_consistent+0xb1/0xe0 [ 27.893047][ T359] x64_sys_call+0x4b/0x9a0 [ 27.897452][ T359] do_syscall_64+0x4c/0xa0 [ 27.901980][ T359] ? clear_bhb_loop+0x50/0xa0 [ 27.906648][ T359] ? clear_bhb_loop+0x50/0xa0 [ 27.911317][ T359] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.917226][ T359] RIP: 0033:0x7f9cb956a799 [ 27.921631][ T359] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 27.941522][ T359] RSP: 002b:00007ffd5960a0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 27.950628][ T359] RAX: ffffffffffffffda RBX: 00007f9cb97e3fa0 RCX: 00007f9cb956a799 [ 27.958720][ T359] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000006 [ 27.966695][ T359] RBP: 00007f9cb9600bd9 R08: 0000000000000000 R09: 0000000000000000 [ 27.974780][ T359] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.982745][ T359] R13: 00007f9cb97e3fac R14: 00007f9cb97e3fa0 R15: 00007f9cb97e3fa0 [ 27.990707][ T359] [ 27.993734][ T359] [ 27.996053][ T359] Allocated by task 359: [ 28.000293][ T359] __kasan_kmalloc+0xda/0x110 [ 28.004983][ T359] __kmalloc+0x13d/0x2c0 [ 28.009305][ T359] sk_prot_alloc+0xed/0x320 [ 28.013921][ T359] sk_alloc+0x38/0x430 [ 28.018005][ T359] pfkey_create+0x12a/0x660 [ 28.022509][ T359] __sock_create+0x38d/0x7a0 [ 28.027087][ T359] __sys_socket+0xec/0x190 [ 28.031649][ T359] __x64_sys_socket+0x7a/0x90 [ 28.036439][ T359] x64_sys_call+0x8c5/0x9a0 [ 28.041221][ T359] do_syscall_64+0x4c/0xa0 [ 28.045806][ T359] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.051976][ T359] [ 28.054296][ T359] The buggy address belongs to the object at ffff888110784800 [ 28.054296][ T359] which belongs to the cache kmalloc-1k of size 1024 [ 28.068444][ T359] The buggy address is located 1016 bytes inside of [ 28.068444][ T359] 1024-byte region [ffff888110784800, ffff888110784c00) [ 28.081878][ T359] The buggy address belongs to the page: [ 28.087490][ T359] page:ffffea000441e000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110780 [ 28.097815][ T359] head:ffffea000441e000 order:3 compound_mapcount:0 compound_pincount:0 [ 28.106235][ T359] flags: 0x4000000000010200(slab|head|zone=1) [ 28.112492][ T359] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043080 [ 28.121351][ T359] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 28.130096][ T359] page dumped because: kasan: bad access detected [ 28.136496][ T359] page_owner tracks the page as allocated [ 28.142418][ T359] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 39, ts 27541735133, free_ts 27497666981 [ 28.162558][ T359] post_alloc_hook+0x192/0x1b0 [ 28.167329][ T359] prep_new_page+0x1c/0x110 [ 28.171821][ T359] get_page_from_freelist+0x2d3a/0x2dc0 [ 28.177354][ T359] __alloc_pages+0x1a2/0x460 [ 28.182025][ T359] new_slab+0xa1/0x4d0 [ 28.186092][ T359] ___slab_alloc+0x381/0x810 [ 28.190670][ T359] __slab_alloc+0x49/0x90 [ 28.194993][ T359] __kmalloc_track_caller+0x169/0x2c0 [ 28.200412][ T359] __alloc_skb+0x21a/0x740 [ 28.204830][ T359] ndisc_send_rs+0x2ce/0x960 [ 28.209413][ T359] addrconf_dad_completed+0x934/0xe20 [ 28.214882][ T359] addrconf_dad_work+0xc91/0x1560 [ 28.219893][ T359] process_one_work+0x6be/0xba0 [ 28.224763][ T359] worker_thread+0xa59/0x1200 [ 28.229608][ T359] kthread+0x411/0x500 [ 28.233835][ T359] ret_from_fork+0x1f/0x30 [ 28.238240][ T359] page last free stack trace: [ 28.242891][ T359] free_unref_page_prepare+0x542/0x550 [ 28.248410][ T359] free_unref_page+0xae/0x540 [ 28.253123][ T359] __free_pages+0x6c/0x100 [ 28.257541][ T359] __free_slab+0xe8/0x1e0 [ 28.261863][ T359] __unfreeze_partials+0x160/0x190 [ 28.266964][ T359] put_cpu_partial+0xc6/0x120 [ 28.271626][ T359] __slab_free+0x1d4/0x290 [ 28.276179][ T359] ___cache_free+0x104/0x120 [ 28.280751][ T359] qlink_free+0x4d/0x90 [ 28.285042][ T359] qlist_free_all+0x5f/0xb0 [ 28.289568][ T359] kasan_quarantine_reduce+0x14a/0x170 [ 28.295128][ T359] __kasan_slab_alloc+0x2f/0xf0 [ 28.299971][ T359] slab_post_alloc_hook+0x4f/0x2b0 [ 28.305286][ T359] kmem_cache_alloc+0xf7/0x260 [ 28.310051][ T359] sock_alloc_inode+0x1b/0xb0 [ 28.314718][ T359] new_inode_pseudo+0x62/0x210 [ 28.319880][ T359] [ 28.322208][ T359] Memory state around the buggy address: [ 28.327831][ T359] ffff888110784a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.335886][ T359] ffff888110784b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.344217][ T359] >ffff888110784b80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 28.352467][ T359] ^ [ 28.360518][ T359] ffff888110784c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.368793][ T359] ffff888110784c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.376946][ T359] ================================================================== [ 28.384995][ T359] Disabling lock debugging due to kernel taint