syzkaller syzkaller login:
[ 12.971055][ T28] kauditd_printk_skb: 48 callbacks suppressed
[ 12.971068][ T28] audit: type=1400 audit(1761273332.058:59): avc: denied { transition } for pid=225 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 12.974868][ T28] audit: type=1400 audit(1761273332.058:60): avc: denied { noatsecure } for pid=225 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 12.977484][ T28] audit: type=1400 audit(1761273332.058:61): avc: denied { write } for pid=225 comm="sh" path="pipe:[14570]" dev="pipefs" ino=14570 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 12.980726][ T28] audit: type=1400 audit(1761273332.058:62): avc: denied { rlimitinh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 12.983231][ T28] audit: type=1400 audit(1761273332.058:63): avc: denied { siginh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.1.92' (ED25519) to the list of known hosts.
2025/10/24 02:35:40 parsed 1 programs
[ 21.571841][ T28] audit: type=1400 audit(1761273340.658:64): avc: denied { node_bind } for pid=283 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 21.592504][ T28] audit: type=1400 audit(1761273340.658:65): avc: denied { module_request } for pid=283 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 22.323274][ T28] audit: type=1400 audit(1761273341.408:66): avc: denied { mounton } for pid=292 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 22.324269][ T292] cgroup: Unknown subsys name 'net'
[ 22.345926][ T28] audit: type=1400 audit(1761273341.408:67): avc: denied { mount } for pid=292 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.373184][ T28] audit: type=1400 audit(1761273341.448:68): avc: denied { unmount } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 22.373356][ T292] cgroup: Unknown subsys name 'devices'
[ 22.490176][ T292] cgroup: Unknown subsys name 'hugetlb'
[ 22.495778][ T292] cgroup: Unknown subsys name 'rlimit'
[ 22.602261][ T28] audit: type=1400 audit(1761273341.688:69): avc: denied { setattr } for pid=292 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.625430][ T28] audit: type=1400 audit(1761273341.688:70): avc: denied { create } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.645780][ T28] audit: type=1400 audit(1761273341.688:71): avc: denied { write } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.666043][ T28] audit: type=1400 audit(1761273341.688:72): avc: denied { read } for pid=292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.672818][ T294] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 22.686233][ T28] audit: type=1400 audit(1761273341.688:73): avc: denied { mounton } for pid=292 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 22.724027][ T292] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 23.356981][ T296] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.364358][ T296] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.371970][ T296] device bridge_slave_0 entered promiscuous mode
[ 23.379020][ T296] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.386041][ T296] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.393573][ T296] device bridge_slave_1 entered promiscuous mode
[ 23.460361][ T296] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.467394][ T296] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.474676][ T296] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.481709][ T296] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.498385][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.505579][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.512973][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 23.520733][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 23.529984][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 23.538130][ T43] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.545158][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.553654][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 23.561851][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.568868][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.583984][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 23.591895][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 23.601808][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.612498][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.620359][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 23.627675][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 23.635629][ T296] device veth0_vlan entered promiscuous mode
[ 23.644805][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.653693][ T296] device veth1_macvtap entered promiscuous mode
[ 23.662448][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 23.672659][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.688487][ T296] request_module fs-gadgetfs succeeded, but still no fs?
[ 23.713606][ T296] syz-executor (296) used greatest stack depth: 22272 bytes left
[ 24.209588][ T43] device bridge_slave_1 left promiscuous mode
[ 24.215738][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.229322][ T43] device bridge_slave_0 left promiscuous mode
[ 24.235446][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.243569][ T43] device veth1_macvtap left promiscuous mode
[ 24.249659][ T43] device veth0_vlan left promiscuous mode
2025/10/24 02:35:43 executed programs: 0
[ 24.559081][ T364] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.566128][ T364] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.573452][ T364] device bridge_slave_0 entered promiscuous mode
[ 24.580218][ T364] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.587233][ T364] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.594544][ T364] device bridge_slave_1 entered promiscuous mode
[ 24.631698][ T364] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.638725][ T364] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.645944][ T364] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.652959][ T364] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.669300][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 24.676769][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 24.684243][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 24.692810][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 24.701141][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 24.708146][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 24.719782][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 24.728091][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 24.735125][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 24.745472][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 24.754851][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 24.767339][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 24.777808][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 24.785794][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 24.793227][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 24.801472][ T364] device veth0_vlan entered promiscuous mode
[ 24.810687][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.819534][ T364] device veth1_macvtap entered promiscuous mode
[ 24.828044][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.837525][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.861594][ T374] loop2: detected capacity change from 0 to 1024
[ 24.868116][ T374] =======================================================
[ 24.868116][ T374] WARNING: The mand mount option has been deprecated and
[ 24.868116][ T374] and is ignored by this kernel. Remove the mand
[ 24.868116][ T374] option from the mount to silence this warning.
[ 24.868116][ T374] =======================================================
[ 24.903717][ T374] EXT4-fs: Ignoring removed bh option
[ 24.909376][ T374] EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
[ 24.930022][ T374] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: writeback.
[ 24.948555][ T374] EXT4-fs error (device loop2): ext4_mb_mark_diskspace_used:3836: comm syz.2.17: Allocating blocks 497-513 which overlap fs metadata
[ 24.962847][ T374] EXT4-fs (loop2): pa ffff8881238ed1f8: logic 64, phys. 193, len 20
[ 24.970862][ T374] EXT4-fs error (device loop2): ext4_mb_release_inode_pa:4876: group 0, free 0, pa_free 1
[ 24.982379][ T10] ==================================================================
[ 24.990439][ T10] BUG: KASAN: use-after-free in ext4_find_extent+0xbeb/0xe20
[ 24.997797][ T10] Read of size 4 at addr ffff888129308c94 by task kworker/u4:1/10
[ 25.005577][ T10]
[ 25.007878][ T10] CPU: 1 PID: 10 Comm: kworker/u4:1 Not tainted syzkaller #0
[ 25.015233][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 25.025264][ T10] Workqueue: writeback wb_workfn (flush-7:2)
[ 25.031241][ T10] Call Trace:
[ 25.034500][ T10]
[ 25.037403][ T10] __dump_stack+0x21/0x24
[ 25.041711][ T10] dump_stack_lvl+0xee/0x150
[ 25.046297][ T10] ? __cfi_dump_stack_lvl+0x8/0x8
[ 25.051314][ T10] ? ext4_find_extent+0xbeb/0xe20
[ 25.056331][ T10] print_address_description+0x71/0x200
[ 25.061902][ T10] print_report+0x4a/0x60
[ 25.066236][ T10] kasan_report+0x122/0x150
[ 25.070739][ T10] ? ext4_find_extent+0xbeb/0xe20
[ 25.075757][ T10] __asan_report_load4_noabort+0x14/0x20
[ 25.081388][ T10] ext4_find_extent+0xbeb/0xe20
[ 25.086230][ T10] ? __cfi__raw_spin_lock_irqsave+0x10/0x10
[ 25.092120][ T10] ext4_ext_map_blocks+0x1dc/0x6060
[ 25.097315][ T10] ? _raw_spin_unlock_irqrestore+0x5a/0x80
[ 25.103120][ T10] ? __stack_depot_save+0x445/0x480
[ 25.108312][ T10] ? kasan_set_track+0x60/0x70
[ 25.113068][ T10] ? kasan_set_track+0x4b/0x70
[ 25.117822][ T10] ? kasan_save_alloc_info+0x25/0x30
[ 25.123106][ T10] ? __kasan_slab_alloc+0x72/0x80
[ 25.128123][ T10] ? slab_post_alloc_hook+0x4f/0x2d0
[ 25.133401][ T10] ? kmem_cache_alloc+0x16e/0x330
[ 25.138421][ T10] ? ext4_alloc_io_end_vec+0x2a/0x160
[ 25.143787][ T10] ? ext4_writepages+0xf42/0x3020
[ 25.148798][ T10] ? do_writepages+0x3a9/0x5e0
[ 25.153543][ T10] ? __writeback_single_inode+0xc6/0xad0
[ 25.159154][ T10] ? writeback_sb_inodes+0x9b8/0x1550
[ 25.164526][ T10] ? wb_writeback+0x3f1/0x980
[ 25.169182][ T10] ? wb_workfn+0x350/0xda0
[ 25.173575][ T10] ? process_one_work+0x71f/0xc40
[ 25.178578][ T10] ? worker_thread+0xa29/0x11f0
[ 25.183408][ T10] ? kthread+0x281/0x320
[ 25.187631][ T10] ? __cfi_ext4_ext_map_blocks+0x10/0x10
[ 25.193245][ T10] ? ext4_es_lookup_extent+0x32d/0x8c0
[ 25.198687][ T10] ext4_map_blocks+0x9cb/0x1b60
[ 25.203519][ T10] ? __cfi_ext4_map_blocks+0x10/0x10
[ 25.208783][ T10] ? ext4_inode_journal_mode+0x19a/0x480
[ 25.214392][ T10] ext4_writepages+0x1260/0x3020
[ 25.219316][ T10] ? xas_load+0x39e/0x3b0
[ 25.223629][ T10] ? __cfi_ext4_writepages+0x10/0x10
[ 25.228894][ T10] ? __kasan_check_write+0x14/0x20
[ 25.233984][ T10] ? __filemap_get_folio+0x81c/0x980
[ 25.239249][ T10] ? __kasan_check_read+0x11/0x20
[ 25.244251][ T10] ? folio_mark_accessed+0x1b8/0x4d0
[ 25.249520][ T10] ? __kasan_check_write+0x14/0x20
[ 25.254613][ T10] ? __cfi_ext4_writepages+0x10/0x10
[ 25.259881][ T10] do_writepages+0x3a9/0x5e0
[ 25.264450][ T10] ? __update_load_avg_cfs_rq+0xaf/0x2f0
[ 25.270067][ T10] ? __cfi_do_writepages+0x10/0x10
[ 25.275158][ T10] ? __kasan_check_write+0x14/0x20
[ 25.280244][ T10] ? _raw_spin_lock+0x8e/0xe0
[ 25.284898][ T10] __writeback_single_inode+0xc6/0xad0
[ 25.290336][ T10] ? inode_io_list_move_locked+0x366/0x3d0
[ 25.296120][ T10] writeback_sb_inodes+0x9b8/0x1550
[ 25.301299][ T10] ? check_preempt_wakeup+0x7fd/0xbc0
[ 25.306647][ T10] ? queue_io+0x4c0/0x4c0
[ 25.310956][ T10] ? __kasan_check_read+0x11/0x20
[ 25.315956][ T10] ? queue_io+0x382/0x4c0
[ 25.320263][ T10] wb_writeback+0x3f1/0x980
[ 25.324747][ T10] ? inode_cgwb_move_to_attached+0x3e0/0x3e0
[ 25.330706][ T10] ? set_worker_desc+0x155/0x1c0
[ 25.335628][ T10] ? update_load_avg+0x4c2/0x13f0
[ 25.340641][ T10] ? __kasan_check_write+0x14/0x20
[ 25.345728][ T10] ? __this_cpu_preempt_check+0x13/0x20
[ 25.351257][ T10] wb_workfn+0x350/0xda0
[ 25.355482][ T10] ? __cfi_wb_workfn+0x10/0x10
[ 25.360223][ T10] ? kthread_data+0x50/0xc0
[ 25.364705][ T10] ? _raw_spin_unlock+0x4c/0x70
[ 25.369533][ T10] ? finish_task_switch+0x16b/0x7b0
[ 25.374714][ T10] ? __switch_to_asm+0x3a/0x60
[ 25.379460][ T10] ? __schedule+0xb8f/0x14e0
[ 25.384028][ T10] ? __cfi__raw_spin_lock_irq+0x10/0x10
[ 25.389571][ T10] process_one_work+0x71f/0xc40
[ 25.394490][ T10] worker_thread+0xa29/0x11f0
[ 25.399145][ T10] kthread+0x281/0x320
[ 25.403193][ T10] ? __cfi_worker_thread+0x10/0x10
[ 25.408317][ T10] ? __cfi_kthread+0x10/0x10
[ 25.412888][ T10] ret_from_fork+0x1f/0x30
[ 25.417284][ T10]
[ 25.420281][ T10]
[ 25.422583][ T10] The buggy address belongs to the physical page:
[ 25.428966][ T10] page:ffffea0004a4c200 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x129308
[ 25.439184][ T10] flags: 0x4000000000000000(zone=1)
[ 25.444373][ T10] raw: 4000000000000000 ffffea0004a4c248 ffffea0004a4c1c8 0000000000000000
[ 25.452935][ T10] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 25.461502][ T10] page dumped because: kasan: bad access detected
[ 25.467894][ T10] page_owner tracks the page as freed
[ 25.473234][ T10] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 292, tgid 292 (syz-executor), ts 22049915825, free_ts 23306570840
[ 25.492659][ T10] post_alloc_hook+0x1f5/0x210
[ 25.497408][ T10] prep_new_page+0x1c/0x110
[ 25.501889][ T10] get_page_from_freelist+0x2c7b/0x2cf0
[ 25.507416][ T10] __alloc_pages+0x1c3/0x450
[ 25.511986][ T10] __folio_alloc+0x12/0x40
[ 25.516382][ T10] handle_mm_fault+0x18ef/0x2640
[ 25.521298][ T10] do_user_addr_fault+0x905/0x1050
[ 25.526390][ T10] exc_page_fault+0x51/0xb0
[ 25.530872][ T10] asm_exc_page_fault+0x27/0x30
[ 25.535706][ T10] page last free stack trace:
[ 25.540359][ T10] free_unref_page_prepare+0x742/0x750
[ 25.545798][ T10] free_unref_page_list+0x112/0x8b0
[ 25.550977][ T10] release_pages+0xad1/0xb20
[ 25.555574][ T10] free_pages_and_swap_cache+0x86/0xa0
[ 25.561013][ T10] tlb_finish_mmu+0x1aa/0x370
[ 25.565664][ T10] unmap_region+0x28d/0x2e0
[ 25.570148][ T10] do_mas_align_munmap+0xb9b/0x1230
[ 25.575325][ T10] do_mas_munmap+0x241/0x2b0
[ 25.579893][ T10] __vm_munmap+0x19f/0x2f0
[ 25.584287][ T10] __x64_sys_munmap+0x6b/0x80
[ 25.588943][ T10] x64_sys_call+0x8a/0x9a0
[ 25.593341][ T10] do_syscall_64+0x4c/0xa0
[ 25.597733][ T10] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 25.603608][ T10]
[ 25.605910][ T10] Memory state around the buggy address:
[ 25.611512][ T10] ffff888129308b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.619547][ T10] ffff888129308c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.627582][ T10] >ffff888129308c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.635616][ T10] ^
[ 25.640176][ T10] ffff888129308d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.648209][ T10] ffff888129308d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.656240][ T10] ==================================================================
[ 25.667051][ T10] Disabling lock debugging due to kernel taint
[ 25.683918][ T364] EXT4-f