Warning: Permanently added '10.128.0.50' (ED25519) to the list of known hosts.
2026/01/18 08:50:21 parsed 1 programs
[ 22.545169][ T28] audit: type=1400 audit(1768726221.276:64): avc: denied { node_bind } for pid=284 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 22.566038][ T28] audit: type=1400 audit(1768726221.276:65): avc: denied { module_request } for pid=284 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 23.668560][ T28] audit: type=1400 audit(1768726222.396:66): avc: denied { mounton } for pid=292 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 23.671714][ T292] cgroup: Unknown subsys name 'net'
[ 23.696592][ T28] audit: type=1400 audit(1768726222.396:67): avc: denied { mount } for pid=292 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.718780][ T28] audit: type=1400 audit(1768726222.426:68): avc: denied { unmount } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 23.719621][ T292] cgroup: Unknown subsys name 'devices'
[ 23.836109][ T292] cgroup: Unknown subsys name 'hugetlb'
[ 23.841823][ T292] cgroup: Unknown subsys name 'rlimit'
[ 23.984918][ T28] audit: type=1400 audit(1768726222.716:69): avc: denied { setattr } for pid=292 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 24.008186][ T28] audit: type=1400 audit(1768726222.716:70): avc: denied { create } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.028700][ T28] audit: type=1400 audit(1768726222.716:71): avc: denied { write } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.049035][ T28] audit: type=1400 audit(1768726222.716:72): avc: denied { read } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 24.061667][ T295] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 24.069983][ T28] audit: type=1400 audit(1768726222.716:73): avc: denied { mounton } for pid=292 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 24.111332][ T292] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 24.783483][ T297] request_module fs-gadgetfs succeeded, but still no fs?
[ 24.933366][ T306] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.942138][ T306] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.949840][ T306] device bridge_slave_0 entered promiscuous mode
[ 24.957927][ T306] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.965046][ T306] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.972442][ T306] device bridge_slave_1 entered promiscuous mode
[ 25.020658][ T306] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.027722][ T306] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.035041][ T306] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.042086][ T306] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.062463][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 25.069934][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 25.077385][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 25.084974][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.104986][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 25.113184][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 25.120468][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 25.127879][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 25.136295][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 25.143346][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 25.150777][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 25.158851][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 25.170769][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 25.182336][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 25.190503][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 25.198252][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 25.208013][ T306] device veth0_vlan entered promiscuous mode
[ 25.218523][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 25.227748][ T306] device veth1_macvtap entered promiscuous mode
[ 25.237707][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 25.247810][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 25.278616][ T306] syz-executor (306) used greatest stack depth: 21632 bytes left
2026/01/18 08:50:24 executed programs: 0
[ 26.041441][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.048745][ T362] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.056217][ T362] device bridge_slave_0 entered promiscuous mode
[ 26.062995][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.070123][ T362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.077786][ T362] device bridge_slave_1 entered promiscuous mode
[ 26.088488][ T43] device bridge_slave_1 left promiscuous mode
[ 26.094753][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.102268][ T43] device bridge_slave_0 left promiscuous mode
[ 26.108545][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.116542][ T43] device veth1_macvtap left promiscuous mode
[ 26.122561][ T43] device veth0_vlan left promiscuous mode
[ 26.235805][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.242882][ T362] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.250205][ T362] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.257268][ T362] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.277650][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 26.285430][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 26.292796][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 26.302870][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 26.311082][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 26.318238][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 26.327239][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 26.335780][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 26.342845][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 26.356081][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 26.365527][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 26.380224][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 26.391696][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 26.399860][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 26.408136][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 26.416554][ T362] device veth0_vlan entered promiscuous mode
[ 26.428379][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 26.437865][ T362] device veth1_macvtap entered promiscuous mode
[ 26.448659][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 26.458860][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 26.489712][ T373] loop2: detected capacity change from 0 to 1024
[ 26.496594][ T373] =======================================================
[ 26.496594][ T373] WARNING: The mand mount option has been deprecated and
[ 26.496594][ T373] and is ignored by this kernel. Remove the mand
[ 26.496594][ T373] option from the mount to silence this warning.
[ 26.496594][ T373] =======================================================
[ 26.532301][ T373] EXT4-fs: Ignoring removed oldalloc option
[ 26.538639][ T373] EXT4-fs: Ignoring removed orlov option
[ 26.556281][ T373] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: writeback.
[ 26.572090][ T373] ==================================================================
[ 26.580172][ T373] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x348b/0x40d0
[ 26.588211][ T373] Read of size 4 at addr ffff888129381c18 by task syz.2.17/373
[ 26.595754][ T373]
[ 26.598078][ T373] CPU: 1 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0
[ 26.605177][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 26.615350][ T373] Call Trace:
[ 26.618634][ T373]
[ 26.621558][ T373] __dump_stack+0x21/0x24
[ 26.625884][ T373] dump_stack_lvl+0x110/0x170
[ 26.630560][ T373] ? __cfi_dump_stack_lvl+0x8/0x8
[ 26.635580][ T373] ? ext4_inode_block_valid+0x2d7/0x3f0
[ 26.641121][ T373] ? ext4_ext_remove_space+0x348b/0x40d0
[ 26.646748][ T373] print_address_description+0x71/0x200
[ 26.652325][ T373] print_report+0x4a/0x60
[ 26.656650][ T373] kasan_report+0x122/0x150
[ 26.661155][ T373] ? ext4_ext_remove_space+0x348b/0x40d0
[ 26.666787][ T373] __asan_report_load4_noabort+0x14/0x20
[ 26.672428][ T373] ext4_ext_remove_space+0x348b/0x40d0
[ 26.677926][ T373] ? __kasan_check_write+0x14/0x20
[ 26.683127][ T373] ? ext4_es_insert_extent+0x2d60/0x2d60
[ 26.688790][ T373] ? _raw_write_lock+0x94/0xf0
[ 26.693582][ T373] ? ext4_da_release_space+0x1d6/0x480
[ 26.699040][ T373] ? __cfi_ext4_ext_remove_space+0x10/0x10
[ 26.704867][ T373] ? ext4_es_remove_extent+0x1d9/0x330
[ 26.710337][ T373] ext4_ext_truncate+0x200/0x320
[ 26.715280][ T373] ext4_truncate+0x9be/0xfb0
[ 26.719891][ T373] ? __cfi_ext4_truncate+0x10/0x10
[ 26.725001][ T373] ? unmap_mapping_range+0x90/0x100
[ 26.730199][ T373] ext4_setattr+0x10f1/0x1a60
[ 26.734873][ T373] ? __cfi_ext4_setattr+0x10/0x10
[ 26.739897][ T373] notify_change+0xcc3/0xf80
[ 26.744533][ T373] do_truncate+0x1ac/0x240
[ 26.748963][ T373] ? inode_to_bdi+0x69/0xf0
[ 26.753476][ T373] ? __cfi_do_truncate+0x10/0x10
[ 26.758412][ T373] path_openat+0x28f0/0x2f80
[ 26.763003][ T373] ? __kasan_slab_alloc+0x72/0x80
[ 26.768068][ T373] ? do_filp_open+0x430/0x430
[ 26.772751][ T373] do_filp_open+0x1f1/0x430
[ 26.777262][ T373] ? __cfi_do_filp_open+0x10/0x10
[ 26.782285][ T373] ? alloc_fd+0x4e6/0x590
[ 26.786644][ T373] do_sys_openat2+0x15e/0x810
[ 26.791318][ T373] ? __se_sys_futex+0x136/0x310
[ 26.796184][ T373] ? do_sys_open+0xe0/0xe0
[ 26.800600][ T373] ? __x64_sys_futex+0x100/0x100
[ 26.805533][ T373] __x64_sys_creat+0x8e/0xb0
[ 26.810149][ T373] x64_sys_call+0x116/0x9a0
[ 26.814656][ T373] do_syscall_64+0x4c/0xa0
[ 26.819089][ T373] ? clear_bhb_loop+0x30/0x80
[ 26.823779][ T373] ? clear_bhb_loop+0x30/0x80
[ 26.828464][ T373] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 26.834373][ T373] RIP: 0033:0x7f0bf539acb9
[ 26.838813][ T373] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 26.858426][ T373] RSP: 002b:00007ffc62a8bcf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
[ 26.866850][ T373] RAX: ffffffffffffffda RBX: 00007f0bf5615fa0 RCX: 00007f0bf539acb9
[ 26.874827][ T373] RDX: 0000000000000000 RSI: 0000000000000108 RDI: 0000200000000680
[ 26.882954][ T373] RBP: 00007f0bf5408bf7 R08: 0000000000000000 R09: 0000000000000000
[ 26.890926][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 26.898915][ T373] R13: 00007f0bf5615fac R14: 00007f0bf5615fa0 R15: 00007f0bf5615fa0
[ 26.906897][ T373]
[ 26.910001][ T373]
[ 26.912318][ T373] The buggy address belongs to the physical page:
[ 26.918754][ T373] page:ffffea0004a4e040 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x129381
[ 26.928990][ T373] flags: 0x4000000000000000(zone=1)
[ 26.934196][ T373] raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000
[ 26.942780][ T373] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 26.951354][ T373] page dumped because: kasan: bad access detected
[ 26.957773][ T373] page_owner tracks the page as freed
[ 26.963141][ T373] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 292, tgid 292 (syz-executor), ts 23190005450, free_ts 24742831008
[ 26.982583][ T373] post_alloc_hook+0x1f5/0x210
[ 26.987353][ T373] prep_new_page+0x1c/0x110
[ 26.991869][ T373] get_page_from_freelist+0x2d12/0x2d80
[ 26.997442][ T373] __alloc_pages+0x1d9/0x480
[ 27.002030][ T373] __folio_alloc+0x12/0x40
[ 27.006445][ T373] handle_mm_fault+0x1972/0x26c0
[ 27.011387][ T373] do_user_addr_fault+0x905/0x1050
[ 27.016497][ T373] exc_page_fault+0x51/0xb0
[ 27.021002][ T373] asm_exc_page_fault+0x27/0x30
[ 27.025848][ T373] page last free stack trace:
[ 27.030513][ T373] free_unref_page_prepare+0x742/0x750
[ 27.035975][ T373] free_unref_page_list+0x117/0x8c0
[ 27.041173][ T373] release_pages+0xaf2/0xb50
[ 27.045766][ T373] free_pages_and_swap_cache+0x86/0xa0
[ 27.051250][ T373] tlb_finish_mmu+0x1aa/0x370
[ 27.055948][ T373] unmap_region+0x2b7/0x320
[ 27.060465][ T373] do_mas_align_munmap+0xbed/0x1320
[ 27.065670][ T373] do_mas_munmap+0x241/0x2b0
[ 27.070260][ T373] __vm_munmap+0x1bd/0x330
[ 27.074678][ T373] __x64_sys_munmap+0x6b/0x80
[ 27.079350][ T373] x64_sys_call+0x8a/0x9a0
[ 27.083763][ T373] do_syscall_64+0x4c/0xa0
[ 27.088173][ T373] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 27.094070][ T373]
[ 27.096388][ T373] Memory state around the buggy address:
[ 27.102090][ T373] ffff888129381b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.110168][ T373] ffff888129381b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.118221][ T373] >ffff888129381c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.126274][ T373] ^
[ 27.131110][ T373] ffff888129381c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.139163][ T373] ffff888129381d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.147213][ T373] ==================================================================
[ 27.160390][ T373] Disabling lock debugging due to kernel taint
[ 27.167211][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 55183558011280, count = 16
[ 27.181682][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 55183557996849, count = 14437
[ 27.196430][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 55183557996848, count = 16
[ 27.210934][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 104592811931504, count = 16
[ 27.225430][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 104592811909983, count = 21536
[ 27.240121][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 104592811909968, count = 16
[ 27.254593][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 112589185194640, count = 16
[ 27.269021][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 112589185168440, count = 26214
[ 27.283776][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 112589185168432, count = 16
[ 27.299722][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 119254237302208, count = 16
[ 32.174098][ T373] EXT4-fs error: 33014 callbacks suppressed
[ 32.174116][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 62012422014864, count = 16
[ 32.194560][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 62012421988660, count = 26214
[ 32.209244][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 62012421988656, count = 16
[ 32.223679][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 119251478963920, count = 16
[ 32.238339][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 119251478934388, count = 29541
[ 32.253321][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 119251478934384, count = 16
[ 32.267775][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 111499019535056, count = 16
[ 32.282253][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 111499019509604, count = 25459
[ 32.296981][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 111499019509600, count = 16
[ 32.311455][ T373] EXT4-fs error (device loop2): ext4_free_blocks:6205: comm syz.2.17: Freeing blocks not in datazone - block = 109260482075072, count = 16