Warning: Permanently added '10.128.1.63' (ED25519) to the list of known hosts.
2025/10/19 21:07:55 parsed 1 programs
[ 22.567050][ T30] audit: type=1400 audit(1760908075.175:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 22.575062][ T30] audit: type=1400 audit(1760908075.175:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 23.525620][ T30] audit: type=1400 audit(1760908076.135:66): avc: denied { mounton } for pid=290 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 23.526966][ T290] cgroup: Unknown subsys name 'net'
[ 23.548737][ T30] audit: type=1400 audit(1760908076.135:67): avc: denied { mount } for pid=290 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.576154][ T30] audit: type=1400 audit(1760908076.165:68): avc: denied { unmount } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.576419][ T290] cgroup: Unknown subsys name 'devices'
[ 23.721058][ T290] cgroup: Unknown subsys name 'hugetlb'
[ 23.726684][ T290] cgroup: Unknown subsys name 'rlimit'
[ 23.933635][ T30] audit: type=1400 audit(1760908076.545:69): avc: denied { setattr } for pid=290 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 23.957069][ T30] audit: type=1400 audit(1760908076.545:70): avc: denied { create } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 23.973906][ T292] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 23.977838][ T30] audit: type=1400 audit(1760908076.545:71): avc: denied { write } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.006434][ T30] audit: type=1400 audit(1760908076.545:72): avc: denied { read } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.026662][ T30] audit: type=1400 audit(1760908076.545:73): avc: denied { mounton } for pid=290 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 24.031505][ T290] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 24.506702][ T296] request_module fs-gadgetfs succeeded, but still no fs?
[ 24.850023][ T313] syz-executor (313) used greatest stack depth: 21728 bytes left
[ 25.204285][ T341] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.211437][ T341] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.219220][ T341] device bridge_slave_0 entered promiscuous mode
[ 25.226222][ T341] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.233330][ T341] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.240876][ T341] device bridge_slave_1 entered promiscuous mode
[ 25.292478][ T341] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.299548][ T341] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.306909][ T341] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.313957][ T341] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.332256][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.340357][ T340] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.347597][ T340] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.360207][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.368447][ T340] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.375509][ T340] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.384707][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.392998][ T340] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.400158][ T340] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.417054][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.426379][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 25.444662][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 25.459652][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 25.467680][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 25.475175][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 25.483425][ T341] device veth0_vlan entered promiscuous mode
[ 25.497200][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 25.506289][ T341] device veth1_macvtap entered promiscuous mode
[ 25.515408][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 25.525545][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 25.578844][ T341] syz-executor (341) used greatest stack depth: 21256 bytes left
2025/10/19 21:07:58 executed programs: 0
[ 25.771354][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.778405][ T362] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.785896][ T362] device bridge_slave_0 entered promiscuous mode
[ 25.792886][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.800044][ T362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.807674][ T362] device bridge_slave_1 entered promiscuous mode
[ 25.864471][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 25.872271][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.881108][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 25.889566][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.897770][ T340] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.904879][ T340] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.912491][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 25.921349][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 25.929763][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.937941][ T340] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.945132][ T340] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.962961][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 25.971118][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.980364][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 25.988449][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.006817][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 26.015244][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.026434][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.034765][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 26.042527][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 26.051400][ T362] device veth0_vlan entered promiscuous mode
[ 26.066341][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.080214][ T362] device veth1_macvtap entered promiscuous mode
[ 26.089642][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 26.097958][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.109234][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 26.117505][ T340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 26.147616][ T372] loop2: detected capacity change from 0 to 1024
[ 26.155680][ T372] =======================================================
[ 26.155680][ T372] WARNING: The mand mount option has been deprecated and
[ 26.155680][ T372] and is ignored by this kernel. Remove the mand
[ 26.155680][ T372] option from the mount to silence this warning.
[ 26.155680][ T372] =======================================================
[ 26.212560][ T372] EXT4-fs (loop2): Ignoring removed nobh option
[ 26.218936][ T372] EXT4-fs (loop2): Ignoring removed bh option
[ 26.225212][ T372] EXT4-fs (loop2): Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 26.240610][ T372] EXT4-fs (loop2): mounted filesystem without journal. Opts: delalloc,data_err=abort,barrier=0x0000000000000002,dioread_lock,data_err=ignore,max_dir_size_kb=0x00000000004007b1,data_err=ignore,acl,nobh,user_xattr,bh,dioread_nolock,,errors=continue. Quota mode: none.
[ 26.284179][ T8] ==================================================================
[ 26.292365][ T8] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20
[ 26.299783][ T8] Read of size 4 at addr ffff88811deb4018 by task kworker/u4:0/8
[ 26.307520][ T8]
[ 26.309870][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted syzkaller #0
[ 26.317166][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 26.327240][ T8] Workqueue: writeback wb_workfn (flush-7:2)
[ 26.333270][ T8] Call Trace:
[ 26.336668][ T8]
[ 26.339614][ T8] __dump_stack+0x21/0x30
[ 26.343964][ T8] dump_stack_lvl+0xee/0x150
[ 26.348583][ T8] ? show_regs_print_info+0x20/0x20
[ 26.353803][ T8] ? load_image+0x3a0/0x3a0
[ 26.358333][ T8] print_address_description+0x7f/0x2c0
[ 26.363892][ T8] ? ext4_find_extent+0xbeb/0xe20
[ 26.368936][ T8] kasan_report+0xf1/0x140
[ 26.373385][ T8] ? __read_extent_tree_block+0x1e8/0x790
[ 26.379123][ T8] ? ext4_find_extent+0xbeb/0xe20
[ 26.384179][ T8] __asan_report_load4_noabort+0x14/0x20
[ 26.389830][ T8] ext4_find_extent+0xbeb/0xe20
[ 26.394703][ T8] ext4_ext_map_blocks+0x1de/0x6280
[ 26.399924][ T8] ? __stack_depot_save+0x34/0x480
[ 26.405059][ T8] ? __mem_cgroup_uncharge_list+0x39/0xc0
[ 26.410798][ T8] ? __kasan_slab_alloc+0xcf/0xf0
[ 26.415862][ T8] ? __kasan_slab_alloc+0xbd/0xf0
[ 26.420898][ T8] ? slab_post_alloc_hook+0x4f/0x2b0
[ 26.426198][ T8] ? kmem_cache_alloc+0xf7/0x260
[ 26.431154][ T8] ? ext4_alloc_io_end_vec+0x2a/0x160
[ 26.436552][ T8] ? ext4_writepages+0xec8/0x2f90
[ 26.441593][ T8] ? do_writepages+0x48a/0x6c0
[ 26.446362][ T8] ? wb_workfn+0x38f/0xe20
[ 26.450813][ T8] ? process_one_work+0x6be/0xba0
[ 26.455845][ T8] ? worker_thread+0xa59/0x1200
[ 26.460697][ T8] ? ext4_ext_release+0x10/0x10
[ 26.465552][ T8] ? ext4_es_lookup_extent+0x32d/0x8c0
[ 26.471014][ T8] ext4_map_blocks+0x97b/0x1b20
[ 26.475871][ T8] ? slab_post_alloc_hook+0x6d/0x2b0
[ 26.481163][ T8] ? should_failslab+0x9/0x20
[ 26.485848][ T8] ? ext4_issue_zeroout+0x250/0x250
[ 26.491051][ T8] ? ext4_inode_journal_mode+0x19a/0x480
[ 26.496859][ T8] ext4_writepages+0x11e7/0x2f90
[ 26.501803][ T8] ? ext4_readpage+0x220/0x220
[ 26.506570][ T8] ? __kasan_check_write+0x14/0x20
[ 26.511688][ T8] ? pagecache_get_page+0xcb6/0xda0
[ 26.516928][ T8] ? ext4_readpage+0x220/0x220
[ 26.521696][ T8] do_writepages+0x48a/0x6c0
[ 26.526287][ T8] ? update_load_avg+0x410/0x1110
[ 26.531320][ T8] ? update_curr+0x2f3/0x5b0
[ 26.535927][ T8] ? __writepage+0x130/0x130
[ 26.540544][ T8] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 26.546284][ T8] ? __kasan_check_write+0x14/0x20
[ 26.551418][ T8] ? _raw_spin_lock+0x8e/0xe0
[ 26.556116][ T8] __writeback_single_inode+0xd5/0x9c0
[ 26.561591][ T8] ? wbc_attach_and_unlock_inode+0x194/0x5f0
[ 26.567695][ T8] writeback_sb_inodes+0x9c0/0x1590
[ 26.572919][ T8] ? update_load_avg+0x410/0x1110
[ 26.577974][ T8] ? queue_io+0x4c0/0x4c0
[ 26.582329][ T8] ? __kasan_check_read+0x11/0x20
[ 26.587383][ T8] ? queue_io+0x382/0x4c0
[ 26.592332][ T8] wb_writeback+0x3f1/0x980
[ 26.596845][ T8] ? inode_cgwb_move_to_attached+0x3e0/0x3e0
[ 26.602881][ T8] ? set_worker_desc+0x155/0x1c0
[ 26.607828][ T8] ? __kasan_check_write+0x14/0x20
[ 26.612946][ T8] wb_workfn+0x38f/0xe20
[ 26.617193][ T8] ? inode_wait_for_writeback+0x200/0x200
[ 26.622926][ T8] ? compat_start_thread+0x20/0x20
[ 26.628047][ T8] ? _raw_spin_unlock+0x4d/0x70
[ 26.632910][ T8] ? finish_task_switch+0x16b/0x780
[ 26.638112][ T8] ? __switch_to_asm+0x3a/0x60
[ 26.642879][ T8] ? __schedule+0xb76/0x14c0
[ 26.647478][ T8] process_one_work+0x6be/0xba0
[ 26.652340][ T8] worker_thread+0xa59/0x1200
[ 26.657024][ T8] kthread+0x411/0x500
[ 26.661092][ T8] ? worker_clr_flags+0x190/0x190
[ 26.666145][ T8] ? kthread_blkcg+0xd0/0xd0
[ 26.670835][ T8] ret_from_fork+0x1f/0x30
[ 26.675252][ T8]
[ 26.678284][ T8]
[ 26.680627][ T8] The buggy address belongs to the page:
[ 26.686340][ T8] page:ffffea000477ad00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11deb4
[ 26.696609][ T8] flags: 0x4000000000000000(zone=1)
[ 26.701825][ T8] raw: 4000000000000000 ffffea000477ad48 ffffea000477acc8 0000000000000000
[ 26.710407][ T8] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 26.718982][ T8] page dumped because: kasan: bad access detected
[ 26.725385][ T8] page_owner tracks the page as freed
[ 26.730775][ T8] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 331, ts 25045003450, free_ts 25134731491
[ 26.746750][ T8] post_alloc_hook+0x192/0x1b0
[ 26.751536][ T8] prep_new_page+0x1c/0x110
[ 26.756053][ T8] get_page_from_freelist+0x2cc5/0x2d50
[ 26.761598][ T8] __alloc_pages+0x18f/0x440
[ 26.766187][ T8] __vmalloc_node_range+0x505/0xaf0
[ 26.771383][ T8] vmalloc_user+0x73/0x80
[ 26.775711][ T8] kcov_mmap+0x2b/0x130
[ 26.779952][ T8] mmap_file+0x60/0xb0
[ 26.784018][ T8] mmap_region+0x101c/0x1800
[ 26.788608][ T8] do_mmap+0x812/0xf10
[ 26.792677][ T8] vm_mmap_pgoff+0x1ce/0x410
[ 26.797265][ T8] ksys_mmap_pgoff+0x161/0x1d0
[ 26.802025][ T8] __x64_sys_mmap+0xfa/0x110
[ 26.806612][ T8] x64_sys_call+0x83/0x9a0
[ 26.811027][ T8] do_syscall_64+0x4c/0xa0
[ 26.815445][ T8] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 26.821498][ T8] page last free stack trace:
[ 26.826273][ T8] free_unref_page_prepare+0x542/0x550
[ 26.831750][ T8] free_unref_page+0xa2/0x550
[ 26.836456][ T8] __free_pages+0x6c/0x100
[ 26.840880][ T8] __vunmap+0x84d/0x9e0
[ 26.845048][ T8] vfree+0x8b/0xc0
[ 26.848780][ T8] kcov_close+0x2b/0x50
[ 26.852943][ T8] __fput+0x20b/0x8b0
[ 26.856923][ T8] ____fput+0x15/0x20
[ 26.860903][ T8] task_work_run+0x127/0x190
[ 26.865492][ T8] do_exit+0xa7e/0x27a0
[ 26.869657][ T8] do_group_exit+0x141/0x310
[ 26.874247][ T8] get_signal+0x66a/0x1480
[ 26.878759][ T8] arch_do_signal_or_restart+0xc1/0x10f0
[ 26.884390][ T8] exit_to_user_mode_loop+0xa7/0xe0
[ 26.889583][ T8] exit_to_user_mode_prepare+0x87/0xd0
[ 26.895042][ T8] syscall_exit_to_user_mode+0x1a/0x30
[ 26.900501][ T8]
[ 26.902818][ T8] Memory state around the buggy address:
[ 26.908441][ T8] ffff88811deb3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.916507][ T8] ffff88811deb3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.924564][ T8] >ffff88811deb4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.932619][ T8] ^
[ 26.937467][ T8] ffff88811deb4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.945526][ T8] ffff88811deb4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 26.953580][ T8] ==================================================================
[ 26.961631][ T8] Disabling lock debugging due to kernel taint
[ 26.975324][ T8] EXT4-fs error (device loop2): ext4_map_blocks:740: inode #15: block 4177066316: comm kworker/u4:0: lblock 84 mapped