syzkaller syzkaller login:
[ 17.461259][ T28] kauditd_printk_skb: 31 callbacks suppressed
[ 17.461274][ T28] audit: type=1400 audit(1769309451.420:59): avc: denied { transition } for pid=226 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 17.465934][ T28] audit: type=1400 audit(1769309451.420:60): avc: denied { noatsecure } for pid=226 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 17.470734][ T28] audit: type=1400 audit(1769309451.430:61): avc: denied { write } for pid=226 comm="sh" path="pipe:[14378]" dev="pipefs" ino=14378 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 17.474417][ T28] audit: type=1400 audit(1769309451.430:62): avc: denied { rlimitinh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 17.477255][ T28] audit: type=1400 audit(1769309451.430:63): avc: denied { siginh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.1.246' (ED25519) to the list of known hosts.
2026/01/25 02:51:00 parsed 1 programs
[ 26.694644][ T28] audit: type=1400 audit(1769309460.650:64): avc: denied { node_bind } for pid=284 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 26.715744][ T28] audit: type=1400 audit(1769309460.650:65): avc: denied { module_request } for pid=284 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 27.827053][ T28] audit: type=1400 audit(1769309461.780:66): avc: denied { mounton } for pid=291 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 27.830533][ T291] cgroup: Unknown subsys name 'net'
[ 27.849744][ T28] audit: type=1400 audit(1769309461.790:67): avc: denied { mount } for pid=291 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 27.877139][ T28] audit: type=1400 audit(1769309461.810:68): avc: denied { unmount } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 27.877694][ T291] cgroup: Unknown subsys name 'devices'
[ 28.019602][ T291] cgroup: Unknown subsys name 'hugetlb'
[ 28.025243][ T291] cgroup: Unknown subsys name 'rlimit'
[ 28.168638][ T28] audit: type=1400 audit(1769309462.130:69): avc: denied { setattr } for pid=291 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 28.191916][ T28] audit: type=1400 audit(1769309462.130:70): avc: denied { create } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.212449][ T28] audit: type=1400 audit(1769309462.130:71): avc: denied { write } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.232816][ T28] audit: type=1400 audit(1769309462.130:72): avc: denied { read } for pid=291 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.253052][ T28] audit: type=1400 audit(1769309462.130:73): avc: denied { mounton } for pid=291 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 28.262114][ T294] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 28.353064][ T291] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 29.132097][ T299] request_module fs-gadgetfs succeeded, but still no fs?
[ 29.603194][ T331] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.610302][ T331] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.617859][ T331] device bridge_slave_0 entered promiscuous mode
[ 29.624743][ T331] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.631826][ T331] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.639295][ T331] device bridge_slave_1 entered promiscuous mode
[ 29.686781][ T331] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.693849][ T331] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.701186][ T331] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.708456][ T331] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.729161][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.736853][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.744235][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.754276][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.762534][ T43] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.769621][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.778822][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.787112][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.794186][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.811263][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.820654][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.835234][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.852310][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.860592][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 29.868439][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 29.876667][ T331] device veth0_vlan entered promiscuous mode
[ 29.891839][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.901337][ T331] device veth1_macvtap entered promiscuous mode
[ 29.911084][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.921266][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.956143][ T331] syz-executor (331) used greatest stack depth: 22016 bytes left
2026/01/25 02:51:04 executed programs: 0
[ 30.403034][ T363] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.410158][ T363] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.417647][ T363] device bridge_slave_0 entered promiscuous mode
[ 30.424871][ T363] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.432110][ T363] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.439649][ T363] device bridge_slave_1 entered promiscuous mode
[ 30.486498][ T363] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.493572][ T363] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.500891][ T363] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.508050][ T363] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.529215][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.536859][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.544288][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.553577][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.561918][ T43] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.568982][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.578617][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 30.586965][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.595330][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.602417][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.614065][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 30.622328][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.631376][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 30.639828][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.660636][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 30.669084][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.680452][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 30.688914][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.701267][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 30.709229][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 30.717171][ T363] device veth0_vlan entered promiscuous mode
[ 30.728164][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 30.736391][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.750486][ T363] device veth1_macvtap entered promiscuous mode
[ 30.760197][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 30.767938][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 30.776148][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 30.785956][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 30.794489][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 30.824469][ T373] loop2: detected capacity change from 0 to 512
[ 30.831348][ T373] EXT4-fs: Ignoring removed mblk_io_submit option
[ 30.839255][ T373] EXT4-fs (loop2): mounting ext3 file system using the ext4 subsystem
[ 30.852451][ T373] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=a003c11c, mo2=0002]
[ 30.860889][ T373] System zones: 1-12
[ 30.865856][ T373] EXT4-fs error (device loop2): ext4_xattr_ibody_find:2196: inode #15: comm syz.2.17: corrupted in-inode xattr
[ 30.878074][ T373] EXT4-fs error (device loop2): ext4_orphan_get:1405: comm syz.2.17: couldn't read orphan inode 15 (err -117)
[ 30.890275][ T373] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none.
[ 30.907225][ T373] EXT4-fs warning (device loop2): dx_probe:833: inode #2: comm syz.2.17: Unrecognised inode hash code 4
[ 30.918574][ T373] EXT4-fs warning (device loop2): dx_probe:966: inode #2: comm syz.2.17: Corrupt directory, running e2fsck is recommended
[ 30.931845][ T373] ==================================================================
[ 30.939992][ T373] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x7c2/0x970
[ 30.947902][ T373] Read of size 2 at addr ffff88812ed99003 by task syz.2.17/373
[ 30.955464][ T373]
[ 30.957792][ T373] CPU: 1 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0
[ 30.964921][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 30.974986][ T373] Call Trace:
[ 30.978275][ T373]
[ 30.981226][ T373] __dump_stack+0x21/0x24
[ 30.985561][ T373] dump_stack_lvl+0x110/0x170
[ 30.990241][ T373] ? __cfi_dump_stack_lvl+0x8/0x8
[ 30.995272][ T373] ? __cfi__printk+0x8/0x8
[ 30.999698][ T373] ? __getblk_gfp+0x3b/0x7d0
[ 31.004324][ T373] ? __ext4_check_dir_entry+0x7c2/0x970
[ 31.009872][ T373] print_address_description+0x71/0x200
[ 31.015448][ T373] print_report+0x4a/0x60
[ 31.019807][ T373] kasan_report+0x122/0x150
[ 31.024318][ T373] ? __ext4_check_dir_entry+0x7c2/0x970
[ 31.029977][ T373] __asan_report_load2_noabort+0x14/0x20
[ 31.035640][ T373] __ext4_check_dir_entry+0x7c2/0x970
[ 31.041039][ T373] ext4_readdir+0x1315/0x3e10
[ 31.045720][ T373] ? __cfi_ext4_readdir+0x10/0x10
[ 31.050750][ T373] ? downgrade_write+0x370/0x370
[ 31.055714][ T373] ? __kasan_slab_free+0x11/0x20
[ 31.060655][ T373] ? avc_policy_seqno+0x1b/0x70
[ 31.065515][ T373] ? down_read_killable+0xbc/0x110
[ 31.070728][ T373] ? __cfi_down_read_killable+0x10/0x10
[ 31.076288][ T373] ? fsnotify_perm+0x269/0x5b0
[ 31.081063][ T373] ? security_file_permission+0x94/0xb0
[ 31.086619][ T373] iterate_dir+0x271/0x610
[ 31.091038][ T373] ? __cfi_ext4_readdir+0x10/0x10
[ 31.096066][ T373] __se_sys_getdents64+0xf2/0x250
[ 31.101099][ T373] ? __x64_sys_getdents64+0x90/0x90
[ 31.106303][ T373] ? mutex_unlock+0x8f/0x230
[ 31.110904][ T373] ? __cfi_filldir64+0x10/0x10
[ 31.115670][ T373] ? debug_smp_processor_id+0x17/0x20
[ 31.121048][ T373] __x64_sys_getdents64+0x7b/0x90
[ 31.126075][ T373] x64_sys_call+0x15c/0x9a0
[ 31.130587][ T373] do_syscall_64+0x4c/0xa0
[ 31.135034][ T373] ? clear_bhb_loop+0x30/0x80
[ 31.139774][ T373] ? clear_bhb_loop+0x30/0x80
[ 31.144467][ T373] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 31.150372][ T373] RIP: 0033:0x7f49c7d9acb9
[ 31.154791][ T373] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 31.174405][ T373] RSP: 002b:00007ffdb9abeaa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 31.182824][ T373] RAX: ffffffffffffffda RBX: 00007f49c8015fa0 RCX: 00007f49c7d9acb9
[ 31.190807][ T373] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 31.198780][ T373] RBP: 00007f49c7e08bf7 R08: 0000000000000000 R09: 0000000000000000
[ 31.206750][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 31.214721][ T373] R13: 00007f49c8015fac R14: 00007f49c8015fa0 R15: 00007f49c8015fa0
[ 31.222701][ T373]
[ 31.225720][ T373]
[ 31.228040][ T373] The buggy address belongs to the physical page:
[ 31.234442][ T373] page:ffffea0004bb6640 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12ed99
[ 31.244683][ T373] flags: 0x4000000000000000(zone=1)
[ 31.249918][ T373] raw: 4000000000000000 ffffea0004bb6688 ffff8881f703c868 0000000000000000
[ 31.258500][ T373] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 31.267111][ T373] page dumped because: kasan: bad access detected
[ 31.273512][ T373] page_owner tracks the page as freed
[ 31.278925][ T373] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 373, tgid 373 (syz.2.17), ts 30822434765, free_ts 30824271870
[ 31.298043][ T373] post_alloc_hook+0x1f5/0x210
[ 31.302834][ T373] prep_new_page+0x1c/0x110
[ 31.307353][ T373] get_page_from_freelist+0x2d12/0x2d80
[ 31.312928][ T373] __alloc_pages+0x1d9/0x480
[ 31.317529][ T373] __folio_alloc+0x12/0x40
[ 31.321950][ T373] wp_page_copy+0x27d/0x15a0
[ 31.326535][ T373] do_wp_page+0x9f2/0xfc0
[ 31.330877][ T373] handle_mm_fault+0x1124/0x26c0
[ 31.335816][ T373] do_user_addr_fault+0x905/0x1050
[ 31.340925][ T373] exc_page_fault+0x51/0xb0
[ 31.345433][ T373] asm_exc_page_fault+0x27/0x30
[ 31.350287][ T373] page last free stack trace:
[ 31.354955][ T373] free_unref_page_prepare+0x742/0x750
[ 31.360415][ T373] free_unref_page_list+0x117/0x8c0
[ 31.365613][ T373] release_pages+0xaf2/0xb50
[ 31.370204][ T373] free_pages_and_swap_cache+0x86/0xa0
[ 31.375685][ T373] tlb_finish_mmu+0x1aa/0x370
[ 31.380366][ T373] unmap_region+0x2b7/0x320
[ 31.384871][ T373] do_mas_align_munmap+0xbed/0x1320
[ 31.390074][ T373] do_mas_munmap+0x241/0x2b0
[ 31.394671][ T373] __vm_munmap+0x1bd/0x330
[ 31.399119][ T373] __x64_sys_munmap+0x6b/0x80
[ 31.403798][ T373] x64_sys_call+0x8a/0x9a0
[ 31.408221][ T373] do_syscall_64+0x4c/0xa0
[ 31.412657][ T373] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 31.418571][ T373]
[ 31.420906][ T373] Memory state around the buggy address:
[ 31.426548][ T373]  ffff88812ed98f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.434617][ T373]  ffff88812ed98f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.442699][ T373] >ffff88812ed99000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.450771][ T373]                    ^
[ 31.454850][ T373]  ffff88812ed99080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.462924][ T373]  ffff88812ed99100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.471022][ T373] ==================================================================
[ 31.479578][ T373] Disabling lock debugging due to kernel taint
[ 31.485780][ T373] EXT4-fs error (device loop2): ext4_readdir:263: inode #2: block 255: comm syz.2.17: path (unknown): bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0
[ 31.516651][ T363] EXT4-fs (loop2): unmounting filesystem.