Warning: Permanently added '10.128.1.17' (ED25519) to the list of known hosts. 2026/02/26 16:49:45 parsed 1 programs [ 22.775207][ T28] audit: type=1400 audit(1772124585.978:64): avc: denied { node_bind } for pid=283 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 22.796503][ T28] audit: type=1400 audit(1772124585.978:65): avc: denied { module_request } for pid=283 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 23.523451][ T28] audit: type=1400 audit(1772124586.718:66): avc: denied { mounton } for pid=289 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 23.524662][ T289] cgroup: Unknown subsys name 'net' [ 23.547218][ T28] audit: type=1400 audit(1772124586.718:67): avc: denied { mount } for pid=289 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 23.574656][ T28] audit: type=1400 audit(1772124586.758:68): avc: denied { unmount } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 23.574853][ T289] cgroup: Unknown subsys name 'devices' [ 23.716477][ T289] cgroup: Unknown subsys name 'hugetlb' [ 23.722104][ T289] cgroup: Unknown subsys name 'rlimit' [ 23.863117][ T28] audit: type=1400 audit(1772124587.058:69): avc: denied { setattr } for pid=289 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 23.887193][ T28] audit: type=1400 audit(1772124587.058:70): avc: denied { create } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 23.902279][ T293] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 23.907895][ T28] audit: type=1400 audit(1772124587.058:71): avc: denied { write } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 23.936778][ T28] audit: type=1400 audit(1772124587.058:72): avc: denied { read } for pid=289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 23.957076][ T28] audit: type=1400 audit(1772124587.068:73): avc: denied { mounton } for pid=289 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 23.962160][ T289] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 24.691621][ T297] request_module fs-gadgetfs succeeded, but still no fs? [ 24.963965][ T320] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.971086][ T320] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.978679][ T320] device bridge_slave_0 entered promiscuous mode [ 24.985687][ T320] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.992793][ T320] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.000522][ T320] device bridge_slave_1 entered promiscuous mode [ 25.040624][ T320] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.047698][ T320] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.055128][ T320] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.062258][ T320] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.081438][ T43] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.088902][ T43] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.096712][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 25.104465][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.113646][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.121936][ T43] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.128990][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.138550][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.146783][ T43] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.153794][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.166832][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.176287][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.190024][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.201460][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.209784][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.217401][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.226877][ T320] device veth0_vlan entered promiscuous mode [ 25.237040][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.246368][ T320] device veth1_macvtap entered promiscuous mode [ 25.256112][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.271057][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.299700][ T320] syz-executor (320) used greatest stack depth: 21536 bytes left 2026/02/26 16:49:49 executed programs: 0 [ 25.908672][ T366] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.916264][ T366] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.923591][ T366] device bridge_slave_0 entered promiscuous mode [ 25.930772][ T366] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.937951][ T366] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.945430][ T366] device bridge_slave_1 entered promiscuous mode [ 26.003300][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 26.010887][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.019976][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 26.028565][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.037587][ T331] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.044744][ T331] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.052283][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 26.061329][ T8] device bridge_slave_1 left promiscuous mode [ 26.067517][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.075103][ T8] device bridge_slave_0 left promiscuous mode [ 26.081214][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.089269][ T8] device veth1_macvtap left promiscuous mode [ 26.095646][ T8] device veth0_vlan left promiscuous mode [ 26.180331][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 26.189080][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.197614][ T331] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.204753][ T331] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.217747][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 26.225956][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.235318][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 26.243456][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 26.257417][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 26.268918][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 26.277358][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 26.285033][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 26.293586][ T366] device veth0_vlan entered promiscuous mode [ 26.303924][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 26.313715][ T366] device veth1_macvtap entered promiscuous mode [ 26.322999][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 26.331419][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 26.341092][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 26.349649][ T331] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 26.378116][ T376] loop2: detected capacity change from 0 to 1024 [ 26.385000][ T376] ======================================================= [ 26.385000][ T376] WARNING: The mand mount option has been deprecated and [ 26.385000][ T376] and is ignored by this kernel. Remove the mand [ 26.385000][ T376] option from the mount to silence this warning. [ 26.385000][ T376] ======================================================= [ 26.421180][ T376] EXT4-fs: Ignoring removed nobh option [ 26.427441][ T376] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE [ 26.446573][ T376] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: writeback. [ 26.464398][ T43] ================================================================== [ 26.472497][ T43] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20 [ 26.479994][ T43] Read of size 4 at addr ffff88812fd13018 by task kworker/u4:2/43 [ 26.487901][ T43] [ 26.490341][ T43] CPU: 1 PID: 43 Comm: kworker/u4:2 Not tainted syzkaller #0 [ 26.497715][ T43] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 26.507789][ T43] Workqueue: writeback wb_workfn (flush-7:2) [ 26.513823][ T43] Call Trace: [ 26.517104][ T43] [ 26.520298][ T43] __dump_stack+0x21/0x24 [ 26.524640][ T43] dump_stack_lvl+0x110/0x170 [ 26.529323][ T43] ? __cfi_dump_stack_lvl+0x8/0x8 [ 26.534595][ T43] ? ext4_find_extent+0xbeb/0xe20 [ 26.539639][ T43] ? ext4_find_extent+0xbeb/0xe20 [ 26.544681][ T43] print_address_description+0x71/0x200 [ 26.550328][ T43] print_report+0x4a/0x60 [ 26.554766][ T43] kasan_report+0x122/0x150 [ 26.559371][ T43] ? ext4_find_extent+0xbeb/0xe20 [ 26.564430][ T43] __asan_report_load4_noabort+0x14/0x20 [ 26.570153][ T43] ext4_find_extent+0xbeb/0xe20 [ 26.575013][ T43] ? __cfi__raw_spin_lock_irqsave+0x10/0x10 [ 26.581087][ T43] ext4_ext_map_blocks+0x207/0x61d0 [ 26.586421][ T43] ? kasan_set_track+0x60/0x70 [ 26.591345][ T43] ? kasan_set_track+0x4b/0x70 [ 26.596119][ T43] ? kasan_save_alloc_info+0x25/0x30 [ 26.601403][ T43] ? __kasan_slab_alloc+0x72/0x80 [ 26.606416][ T43] ? slab_post_alloc_hook+0x4f/0x2d0 [ 26.611688][ T43] ? kmem_cache_alloc+0x16e/0x330 [ 26.616779][ T43] ? ext4_alloc_io_end_vec+0x2a/0x160 [ 26.622144][ T43] ? ext4_writepages+0x10e9/0x30e0 [ 26.627239][ T43] ? do_writepages+0x3a4/0x5f0 [ 26.631990][ T43] ? __writeback_single_inode+0xc6/0xad0 [ 26.637709][ T43] ? writeback_sb_inodes+0xa10/0x15d0 [ 26.643162][ T43] ? wb_writeback+0x40b/0x9d0 [ 26.647821][ T43] ? wb_workfn+0x378/0xeb0 [ 26.652222][ T43] ? process_one_work+0x71f/0xc40 [ 26.657570][ T43] ? worker_thread+0xa29/0x11e0 [ 26.662409][ T43] ? kthread+0x281/0x320 [ 26.666728][ T43] ? ret_from_fork+0x1f/0x30 [ 26.671327][ T43] ? __cfi_ext4_ext_map_blocks+0x10/0x10 [ 26.676960][ T43] ? ext4_es_lookup_extent+0x54c/0x900 [ 26.682537][ T43] ext4_map_blocks+0x9d8/0x1b70 [ 26.687489][ T43] ? __cfi_ext4_map_blocks+0x10/0x10 [ 26.693042][ T43] ? ext4_inode_journal_mode+0x19a/0x480 [ 26.698683][ T43] ext4_writepages+0x1409/0x30e0 [ 26.703638][ T43] ? debug_smp_processor_id+0x17/0x20 [ 26.709268][ T43] ? loopback_xmit+0x3db/0x570 [ 26.714127][ T43] ? __cfi_ext4_writepages+0x10/0x10 [ 26.719573][ T43] ? __kasan_check_write+0x14/0x20 [ 26.724670][ T43] ? __cfi_ext4_writepages+0x10/0x10 [ 26.729943][ T43] do_writepages+0x3a4/0x5f0 [ 26.734526][ T43] ? __update_load_avg_cfs_rq+0xaf/0x2f0 [ 26.740148][ T43] ? __cfi_do_writepages+0x10/0x10 [ 26.745418][ T43] ? __kasan_check_write+0x14/0x20 [ 26.750516][ T43] ? _raw_spin_lock+0x94/0xf0 [ 26.755277][ T43] __writeback_single_inode+0xc6/0xad0 [ 26.760730][ T43] ? inode_io_list_move_locked+0x366/0x3d0 [ 26.766698][ T43] writeback_sb_inodes+0xa10/0x15d0 [ 26.771886][ T43] ? queue_io+0x4c0/0x4c0 [ 26.776213][ T43] ? __kasan_check_read+0x11/0x20 [ 26.781226][ T43] ? queue_io+0x382/0x4c0 [ 26.785550][ T43] wb_writeback+0x40b/0x9d0 [ 26.790040][ T43] ? inode_cgwb_move_to_attached+0x3e0/0x3e0 [ 26.796049][ T43] ? set_worker_desc+0x1ba/0x1f0 [ 26.801101][ T43] ? __kasan_check_write+0x14/0x20 [ 26.806308][ T43] ? kvm_sched_clock_read+0x18/0x40 [ 26.811521][ T43] wb_workfn+0x378/0xeb0 [ 26.815756][ T43] ? save_fpregs_to_fpstate+0x192/0x220 [ 26.821375][ T43] ? __cfi_wb_workfn+0x10/0x10 [ 26.826217][ T43] ? kthread_data+0x50/0xc0 [ 26.830902][ T43] ? _raw_spin_unlock+0x4c/0x70 [ 26.835762][ T43] ? finish_task_switch+0x16b/0x7b0 [ 26.841146][ T43] ? __switch_to_asm+0x3a/0x60 [ 26.846185][ T43] ? __schedule+0xbae/0x1500 [ 26.850769][ T43] ? __cfi__raw_spin_lock_irq+0x10/0x10 [ 26.856304][ T43] process_one_work+0x71f/0xc40 [ 26.861137][ T43] worker_thread+0xa29/0x11e0 [ 26.865794][ T43] ? _raw_spin_lock_irqsave+0xc2/0x130 [ 26.871429][ T43] kthread+0x281/0x320 [ 26.875490][ T43] ? __cfi_worker_thread+0x10/0x10 [ 26.880584][ T43] ? __cfi_kthread+0x10/0x10 [ 26.885151][ T43] ret_from_fork+0x1f/0x30 [ 26.889571][ T43] [ 26.892800][ T43] [ 26.895101][ T43] The buggy address belongs to the physical page: [ 26.901489][ T43] page:ffffea0004bf44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12fd13 [ 26.911717][ T43] flags: 0x4000000000000000(zone=1) [ 26.916913][ T43] raw: 4000000000000000 ffffea0004bf44c8 ffffea0004bf44c8 0000000000000000 [ 26.925476][ T43] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 26.934041][ T43] page dumped because: kasan: bad access detected [ 26.940527][ T43] page_owner info is not present (never set?) [ 26.946704][ T43] [ 26.949038][ T43] Memory state around the buggy address: [ 26.954651][ T43] ffff88812fd12f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.962693][ T43] ffff88812fd12f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.970757][ T43] >ffff88812fd13000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.978901][ T43] ^ [ 26