t tclass=process permissive=1 [ 14.212547][ T30] audit: type=1400 audit(1767135447.186:63): avc: denied { siginh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 15.636509][ T227] sftp-server (227) used greatest stack depth: 22752 bytes left Warning: Permanently added '10.128.10.36' (ED25519) to the list of known hosts. 2025/12/30 22:57:36 parsed 1 programs [ 23.338615][ T30] audit: type=1400 audit(1767135456.366:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 23.359323][ T30] audit: type=1400 audit(1767135456.366:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 24.044958][ T30] audit: type=1400 audit(1767135457.066:66): avc: denied { mounton } for pid=289 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 24.045972][ T289] cgroup: Unknown subsys name 'net' [ 24.067844][ T30] audit: type=1400 audit(1767135457.066:67): avc: denied { mount } for pid=289 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.095598][ T30] audit: type=1400 audit(1767135457.106:68): avc: denied { unmount } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 24.095798][ T289] cgroup: Unknown subsys name 'devices' [ 24.270295][ T289] cgroup: Unknown subsys name 'hugetlb' [ 24.276040][ T289] cgroup: Unknown subsys name 'rlimit' [ 24.449216][ T30] audit: type=1400 audit(1767135457.476:69): avc: denied { setattr } for pid=289 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.472982][ T30] audit: type=1400 audit(1767135457.476:70): avc: denied { create } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.493363][ T30] audit: type=1400 audit(1767135457.476:71): avc: denied { write } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.513742][ T30] audit: type=1400 audit(1767135457.476:72): avc: denied { read } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.534102][ T30] audit: type=1400 audit(1767135457.476:73): avc: denied { mounton } for pid=289 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 24.656457][ T292] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 24.690648][ T289] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 25.198631][ T295] request_module fs-gadgetfs succeeded, but still no fs? [ 25.448433][ T308] syz-executor (308) used greatest stack depth: 21760 bytes left [ 25.650808][ T333] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.658057][ T333] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.665762][ T333] device bridge_slave_0 entered promiscuous mode [ 25.672898][ T333] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.680079][ T333] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.687400][ T333] device bridge_slave_1 entered promiscuous mode [ 25.731734][ T333] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.738809][ T333] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.746137][ T333] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.753191][ T333] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.771025][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.778600][ T45] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.785733][ T45] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.794989][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.803188][ T45] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.810265][ T45] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.819189][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.827480][ T45] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.834631][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.846352][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.855863][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.869825][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.881287][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.889460][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.897263][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.905640][ T333] device veth0_vlan entered promiscuous mode [ 25.915275][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.924555][ T333] device veth1_macvtap entered promiscuous mode [ 25.933796][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.943895][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.972484][ T333] syz-executor (333) used greatest stack depth: 21312 bytes left 2025/12/30 22:57:39 executed programs: 0 [ 26.371863][ T362] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.379206][ T362] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.386596][ T362] device bridge_slave_0 entered promiscuous mode [ 26.393769][ T362] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.400844][ T362] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.408428][ T362] device bridge_slave_1 entered promiscuous mode [ 26.468383][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 26.475888][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.485265][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 26.493651][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.502730][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.509779][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.517325][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 26.532841][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 26.541495][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.550111][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.557242][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.574478][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.583059][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 26.597706][ T362] device veth0_vlan entered promiscuous mode [ 26.604584][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 26.613171][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 26.621417][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 26.629377][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 26.641961][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 26.651293][ T362] device veth1_macvtap entered promiscuous mode [ 26.660431][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 26.670098][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 26.695484][ T373] ================================================================== [ 26.703590][ T373] BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 26.713052][ T373] Read of size 1 at addr ffff8881107a3bf8 by task syz.2.17/373 [ 26.720675][ T373] [ 26.722990][ T373] CPU: 1 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0 [ 26.730098][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 26.740140][ T373] Call Trace: [ 26.743406][ T373] [ 26.746321][ T373] __dump_stack+0x21/0x30 [ 26.750640][ T373] dump_stack_lvl+0xee/0x150 [ 26.755229][ T373] ? show_regs_print_info+0x20/0x20 [ 26.760422][ T373] ? load_image+0x3a0/0x3a0 [ 26.764911][ T373] ? unwind_get_return_address+0x4d/0x90 [ 26.770620][ T373] print_address_description+0x7f/0x2c0 [ 26.776154][ T373] ? xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 26.782741][ T373] kasan_report+0xf1/0x140 [ 26.787223][ T373] ? xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 26.793843][ T373] __asan_report_load1_noabort+0x14/0x20 [ 26.799506][ T373] xfrm_policy_inexact_list_reinsert+0x620/0x6d0 [ 26.806054][ T373] xfrm_policy_inexact_insert_node+0x938/0xb50 [ 26.812248][ T373] ? xfrm_netlink_rcv+0x72/0x90 [ 26.817242][ T373] ? netlink_unicast+0x876/0xa40 [ 26.822181][ T373] ? netlink_sendmsg+0x86a/0xb70 [ 26.827114][ T373] ? ____sys_sendmsg+0x5a2/0x8c0 [ 26.832044][ T373] ? ___sys_sendmsg+0x1f0/0x260 [ 26.836890][ T373] ? x64_sys_call+0x4b/0x9a0 [ 26.841471][ T373] ? entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 26.847560][ T373] xfrm_policy_inexact_alloc_chain+0x53a/0xb30 [ 26.853707][ T373] xfrm_policy_inexact_insert+0x70/0x1130 [ 26.859507][ T373] ? __get_hash_thresh+0x10c/0x420 [ 26.864607][ T373] ? policy_hash_bysel+0x110/0x4f0 [ 26.869845][ T373] xfrm_policy_insert+0x126/0x9a0 [ 26.874951][ T373] ? xfrm_policy_construct+0x54f/0x1f00 [ 26.880532][ T373] xfrm_add_policy+0x4d1/0x830 [ 26.885584][ T373] ? xfrm_dump_sa_done+0xc0/0xc0 [ 26.890536][ T373] xfrm_user_rcv_msg+0x45c/0x6e0 [ 26.895466][ T373] ? xfrm_netlink_rcv+0x90/0x90 [ 26.900400][ T373] ? avc_has_perm_noaudit+0x460/0x460 [ 26.906572][ T373] ? x64_sys_call+0x4b/0x9a0 [ 26.911178][ T373] ? selinux_nlmsg_lookup+0x237/0x4c0 [ 26.916549][ T373] netlink_rcv_skb+0x1e0/0x430 [ 26.921304][ T373] ? xfrm_netlink_rcv+0x90/0x90 [ 26.926304][ T373] ? netlink_ack+0xb60/0xb60 [ 26.931048][ T373] ? wait_for_completion_killable_timeout+0x10/0x10 [ 26.937637][ T373] ? __netlink_lookup+0x387/0x3b0 [ 26.942654][ T373] xfrm_netlink_rcv+0x72/0x90 [ 26.947327][ T373] netlink_unicast+0x876/0xa40 [ 26.952192][ T373] netlink_sendmsg+0x86a/0xb70 [ 26.957045][ T373] ? netlink_getsockopt+0x530/0x530 [ 26.962318][ T373] ? sock_alloc_file+0xba/0x260 [ 26.967160][ T373] ? security_socket_sendmsg+0x82/0xa0 [ 26.972608][ T373] ? netlink_getsockopt+0x530/0x530 [ 26.978029][ T373] ____sys_sendmsg+0x5a2/0x8c0 [ 26.982897][ T373] ? __sys_sendmsg_sock+0x40/0x40 [ 26.987912][ T373] ? import_iovec+0x7c/0xb0 [ 26.992405][ T373] ___sys_sendmsg+0x1f0/0x260 [ 26.997159][ T373] ? __sys_sendmsg+0x250/0x250 [ 27.001920][ T373] ? __kasan_check_read+0x11/0x20 [ 27.006977][ T373] ? __fdget+0x15b/0x230 [ 27.011330][ T373] __x64_sys_sendmsg+0x1e2/0x2a0 [ 27.016258][ T373] ? ___sys_sendmsg+0x260/0x260 [ 27.021100][ T373] ? fpregs_assert_state_consistent+0xb1/0xe0 [ 27.027161][ T373] x64_sys_call+0x4b/0x9a0 [ 27.031567][ T373] do_syscall_64+0x4c/0xa0 [ 27.035971][ T373] ? clear_bhb_loop+0x50/0xa0 [ 27.040632][ T373] ? clear_bhb_loop+0x50/0xa0 [ 27.045431][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.051351][ T373] RIP: 0033:0x7f62e4c59749 [ 27.055766][ T373] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 27.075916][ T373] RSP: 002b:00007fffa12512b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 27.084510][ T373] RAX: ffffffffffffffda RBX: 00007f62e4eaffa0 RCX: 00007f62e4c59749 [ 27.092607][ T373] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000005 [ 27.100758][ T373] RBP: 00007f62e4cddf91 R08: 0000000000000000 R09: 0000000000000000 [ 27.108736][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 27.116799][ T373] R13: 00007f62e4eaffa0 R14: 00007f62e4eaffa0 R15: 0000000000000003 [ 27.124792][ T373] [ 27.127806][ T373] [ 27.130120][ T373] Allocated by task 373: [ 27.134347][ T373] __kasan_kmalloc+0xda/0x110 [ 27.139302][ T373] __kmalloc+0x13d/0x2c0 [ 27.143558][ T373] sk_prot_alloc+0xed/0x320 [ 27.148073][ T373] sk_alloc+0x38/0x430 [ 27.152123][ T373] pfkey_create+0x12a/0x660 [ 27.156613][ T373] __sock_create+0x38d/0x7a0 [ 27.161191][ T373] __sys_socket+0xec/0x190 [ 27.165915][ T373] __x64_sys_socket+0x7a/0x90 [ 27.170787][ T373] x64_sys_call+0x8c5/0x9a0 [ 27.175897][ T373] do_syscall_64+0x4c/0xa0 [ 27.180301][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.186179][ T373] [ 27.188598][ T373] The buggy address belongs to the object at ffff8881107a3800 [ 27.188598][ T373] which belongs to the cache kmalloc-1k of size 1024 [ 27.202725][ T373] The buggy address is located 1016 bytes inside of [ 27.202725][ T373] 1024-byte region [ffff8881107a3800, ffff8881107a3c00) [ 27.216713][ T373] The buggy address belongs to the page: [ 27.222337][ T373] page:ffffea000441e800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1107a0 [ 27.232565][ T373] head:ffffea000441e800 order:3 compound_mapcount:0 compound_pincount:0 [ 27.240968][ T373] flags: 0x4000000000010200(slab|head|zone=1) [ 27.247038][ T373] raw: 4000000000010200 0000000000000000 0000000100000001 ffff888100043080 [ 27.255844][ T373] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 27.264524][ T373] page dumped because: kasan: bad access detected [ 27.270928][ T373] page_owner tracks the page as allocated [ 27.276819][ T373] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 101, ts 5010772733, free_ts 0 [ 27.295030][ T373] post_alloc_hook+0x192/0x1b0 [ 27.299795][ T373] prep_new_page+0x1c/0x110 [ 27.304284][ T373] get_page_from_freelist+0x2cc5/0x2d50 [ 27.309916][ T373] __alloc_pages+0x18f/0x440 [ 27.314519][ T373] new_slab+0xa1/0x4d0 [ 27.318597][ T373] ___slab_alloc+0x381/0x810 [ 27.323219][ T373] __slab_alloc+0x49/0x90 [ 27.327552][ T373] __kmalloc_track_caller+0x169/0x2c0 [ 27.332929][ T373] __alloc_skb+0x21a/0x740 [ 27.337333][ T373] netlink_sendmsg+0x602/0xb70 [ 27.342083][ T373] ____sys_sendmsg+0x5a2/0x8c0 [ 27.346835][ T373] ___sys_sendmsg+0x1f0/0x260 [ 27.351495][ T373] __x64_sys_sendmsg+0x1e2/0x2a0 [ 27.356429][ T373] x64_sys_call+0x4b/0x9a0 [ 27.360856][ T373] do_syscall_64+0x4c/0xa0 [ 27.365282][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.371164][ T373] page_owner free stack trace missing [ 27.376520][ T373] [ 27.378828][ T373] Memory state around the buggy address: [ 27.384465][ T373] ffff8881107a3a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.392518][ T373] ffff8881107a3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 27.400567][ T373] >ffff8881107a3b80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 27.408801][ T373] ^ [ 27.417019][ T373] ffff8881107a3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.425074][ T373] ffff8881107a3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.433119][ T373] ================================================================== [ 27.441248][ T373] Disabling lock debugging due to kernel taint