Warning: Permanently added '10.128.1.157' (ED25519) to the list of known hosts. 2026/05/15 10:59:00 parsed 1 programs [ 24.990378][ T30] audit: type=1400 audit(1778842740.325:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 25.011275][ T30] audit: type=1400 audit(1778842740.325:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 25.959102][ T30] audit: type=1400 audit(1778842741.295:66): avc: denied { mounton } for pid=300 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.962550][ T300] cgroup: Unknown subsys name 'net' [ 25.981891][ T30] audit: type=1400 audit(1778842741.295:67): avc: denied { mount } for pid=300 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.009214][ T30] audit: type=1400 audit(1778842741.325:68): avc: denied { unmount } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.009595][ T300] cgroup: Unknown subsys name 'devices' [ 26.150096][ T300] cgroup: Unknown subsys name 'hugetlb' [ 26.155700][ T300] cgroup: Unknown subsys name 'rlimit' [ 26.273566][ T30] audit: type=1400 audit(1778842741.605:69): avc: denied { setattr } for pid=300 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.296776][ T30] audit: type=1400 audit(1778842741.605:70): avc: denied { create } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.317319][ T30] audit: type=1400 audit(1778842741.605:71): avc: denied { write } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.335248][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 26.337778][ T30] audit: type=1400 audit(1778842741.605:72): avc: denied { read } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 26.366450][ T30] audit: type=1400 audit(1778842741.615:73): avc: denied { mounton } for pid=300 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.430443][ T300] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 26.850167][ T306] request_module fs-gadgetfs succeeded, but still no fs? [ 27.072198][ T320] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.079319][ T320] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.086653][ T320] device bridge_slave_0 entered promiscuous mode [ 27.093590][ T320] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.100757][ T320] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.108259][ T320] device bridge_slave_1 entered promiscuous mode [ 27.151327][ T320] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.158387][ T320] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.165647][ T320] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.172736][ T320] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.191813][ T311] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.199056][ T311] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.206286][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 27.214135][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.224095][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.232389][ T311] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.239476][ T311] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.248079][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.256208][ T311] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.263266][ T311] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.275339][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.284511][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.299853][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.310605][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.318915][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.326281][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.335507][ T320] device veth0_vlan entered promiscuous mode [ 27.345410][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.354933][ T320] device veth1_macvtap entered promiscuous mode [ 27.365845][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.377270][ T311] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.422525][ T320] syz-executor (320) used greatest stack depth: 21280 bytes left [ 27.918635][ T8] device bridge_slave_1 left promiscuous mode [ 27.924820][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.933140][ T8] device bridge_slave_0 left promiscuous mode [ 27.939517][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.947398][ T8] device veth1_macvtap left promiscuous mode [ 27.953516][ T8] device veth0_vlan left promiscuous mode 2026/05/15 10:59:03 executed programs: 0 [ 28.228697][ T370] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.235737][ T370] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.243311][ T370] device bridge_slave_0 entered promiscuous mode [ 28.250557][ T370] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.257615][ T370] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.265098][ T370] device bridge_slave_1 entered promiscuous mode [ 28.319544][ T370] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.326591][ T370] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.333956][ T370] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.341009][ T370] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.360128][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.367674][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.375072][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.383931][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.392540][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.399621][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.409694][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.418271][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.425318][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.438356][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.447254][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.461582][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.472626][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.480736][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.488601][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.496754][ T370] device veth0_vlan entered promiscuous mode [ 28.506619][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.515775][ T370] device veth1_macvtap entered promiscuous mode [ 28.524739][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.534615][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.564258][ T374] loop2: detected capacity change from 0 to 2048 [ 28.679366][ T374] EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue. Quota mode: none. [ 28.690144][ T374] ext4 filesystem being mounted at /0/file0 supports timestamps until 2038-01-19 (0x7fffffff) [ 28.724313][ T329] ================================================================== [ 28.732414][ T329] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 [ 28.739839][ T329] Read of size 4 at addr ffff888128544d64 by task kworker/u4:4/329 [ 28.747750][ T329] [ 28.750104][ T329] CPU: 0 PID: 329 Comm: kworker/u4:4 Not tainted syzkaller #0 [ 28.757581][ T329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 28.767642][ T329] Workqueue: writeback wb_workfn (flush-7:2) [ 28.773790][ T329] Call Trace: [ 28.777090][ T329] [ 28.780041][ T329] __dump_stack+0x21/0x30 [ 28.784431][ T329] dump_stack_lvl+0x110/0x170 [ 28.789143][ T329] ? show_regs_print_info+0x20/0x20 [ 28.794368][ T329] ? load_image+0x3e0/0x3e0 [ 28.798897][ T329] print_address_description+0x7f/0x2c0 [ 28.804466][ T329] ? ext4_find_extent+0xbeb/0xe20 [ 28.809661][ T329] kasan_report+0xf1/0x140 [ 28.814110][ T329] ? __read_extent_tree_block+0x1e8/0x790 [ 28.819862][ T329] ? ext4_find_extent+0xbeb/0xe20 [ 28.824915][ T329] __asan_report_load4_noabort+0x14/0x20 [ 28.830673][ T329] ext4_find_extent+0xbeb/0xe20 [ 28.835558][ T329] ext4_ext_map_blocks+0x207/0x6230 [ 28.840780][ T329] ? _raw_spin_unlock_irqrestore+0x5b/0x80 [ 28.846609][ T329] ? __stack_depot_save+0x442/0x480 [ 28.851841][ T329] ? __kasan_slab_alloc+0xcf/0xf0 [ 28.856889][ T329] ? __kasan_slab_alloc+0xbd/0xf0 [ 28.861942][ T329] ? slab_post_alloc_hook+0x4f/0x2b0 [ 28.867253][ T329] ? kmem_cache_alloc+0xf7/0x260 [ 28.872217][ T329] ? ext4_alloc_io_end_vec+0x2a/0x160 [ 28.877621][ T329] ? ext4_writepages+0xf20/0x3090 [ 28.882668][ T329] ? do_writepages+0x473/0x6c0 [ 28.887476][ T329] ? wb_workfn+0x3ac/0xf30 [ 28.891937][ T329] ? process_one_work+0x6be/0xba0 [ 28.896989][ T329] ? worker_thread+0xa59/0x1200 [ 28.901868][ T329] ? ext4_ext_release+0x10/0x10 [ 28.906751][ T329] ? ext4_es_lookup_extent+0x54c/0x900 [ 28.912245][ T329] ext4_map_blocks+0x988/0x1b30 [ 28.917126][ T329] ? slab_post_alloc_hook+0x6d/0x2b0 [ 28.922443][ T329] ? should_failslab+0x9/0x20 [ 28.927153][ T329] ? ext4_issue_zeroout+0x250/0x250 [ 28.932374][ T329] ? ext4_inode_journal_mode+0x19a/0x480 [ 28.938038][ T329] ext4_writepages+0x123f/0x3090 [ 28.943007][ T329] ? ext4_readpage+0x220/0x220 [ 28.947792][ T329] ? __this_cpu_preempt_check+0x13/0x20 [ 28.953357][ T329] ? __pv_queued_spin_lock_slowpath+0x7e6/0x9c0 [ 28.959637][ T329] ? __kasan_check_write+0x14/0x20 [ 28.964771][ T329] ? __update_load_avg_cfs_rq+0xaf/0x2f0 [ 28.970423][ T329] ? ext4_readpage+0x220/0x220 [ 28.975215][ T329] do_writepages+0x473/0x6c0 [ 28.979830][ T329] ? __writepage+0x130/0x130 [ 28.984443][ T329] ? __kasan_check_write+0x14/0x20 [ 28.989574][ T329] ? _raw_spin_lock+0x94/0xf0 [ 28.994279][ T329] __writeback_single_inode+0xd5/0x9c0 [ 28.999759][ T329] ? wbc_attach_and_unlock_inode+0x194/0x5f0 [ 29.005765][ T329] writeback_sb_inodes+0xa10/0x1610 [ 29.010986][ T329] ? unwind_next_frame+0x3d5/0x700 [ 29.016125][ T329] ? queue_io+0x4c0/0x4c0 [ 29.020476][ T329] ? __kasan_check_read+0x11/0x20 [ 29.025523][ T329] ? queue_io+0x382/0x4c0 [ 29.029875][ T329] wb_writeback+0x40b/0x9d0 [ 29.034408][ T329] ? inode_cgwb_move_to_attached+0x3e0/0x3e0 [ 29.040408][ T329] ? set_worker_desc+0x1ba/0x1f0 [ 29.045364][ T329] ? sched_clock+0x9/0x10 [ 29.049745][ T329] ? sched_clock_cpu+0x18/0x3c0 [ 29.054622][ T329] ? __kasan_check_write+0x14/0x20 [ 29.059783][ T329] ? sched_balance_newidle+0x879/0xc60 [ 29.065269][ T329] wb_workfn+0x3ac/0xf30 [ 29.069535][ T329] ? inode_wait_for_writeback+0x220/0x220 [ 29.075271][ T329] ? compat_start_thread+0x20/0x20 [ 29.080413][ T329] ? kvm_sched_clock_read+0x18/0x40 [ 29.085632][ T329] ? _raw_spin_unlock+0x4d/0x70 [ 29.090510][ T329] ? finish_task_switch+0x16b/0x780 [ 29.095721][ T329] ? __switch_to_asm+0x3a/0x60 [ 29.100628][ T329] ? __schedule+0xb76/0x14c0 [ 29.105229][ T329] process_one_work+0x6be/0xba0 [ 29.110099][ T329] worker_thread+0xa59/0x1200 [ 29.114793][ T329] ? _raw_spin_lock_irqsave+0xc2/0x130 [ 29.120271][ T329] ? __kthread_parkme+0xac/0x200 [ 29.125233][ T329] kthread+0x411/0x500 [ 29.129316][ T329] ? worker_clr_flags+0x190/0x190 [ 29.134368][ T329] ? kthread_blkcg+0xd0/0xd0 [ 29.139004][ T329] ret_from_fork+0x1f/0x30 [ 29.143454][ T329] [ 29.146491][ T329] [ 29.148827][ T329] The buggy address belongs to the page: [ 29.154481][ T329] page:ffffea0004a15100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x128544 [ 29.164737][ T329] flags: 0x4000000000000000(zone=1) [ 29.169942][ T329] raw: 4000000000000000 ffffea0004a15188 ffffea0004a155c