Warning: Permanently added '10.128.1.0' (ED25519) to the list of known hosts.
2026/06/22 22:18:01 parsed 1 programs
2026/06/22 22:18:01 serving rpc on tcp://34001
[ 24.958995][ T24] audit: type=1400 audit(1782166681.650:64): avc: denied { node_bind } for pid=287 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 24.980271][ T24] audit: type=1400 audit(1782166681.650:65): avc: denied { create } for pid=287 comm="syz-execprog" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1
[ 25.000080][ T24] audit: type=1400 audit(1782166681.650:66): avc: denied { module_request } for pid=287 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 25.901088][ T24] audit: type=1400 audit(1782166682.590:67): avc: denied { mounton } for pid=293 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 25.904351][ T293] cgroup: Unknown subsys name 'net'
[ 25.923854][ T24] audit: type=1400 audit(1782166682.590:68): avc: denied { mount } for pid=293 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 25.951254][ T24] audit: type=1400 audit(1782166682.620:69): avc: denied { unmount } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 25.951691][ T293] cgroup: Unknown subsys name 'devices'
[ 26.119348][ T293] cgroup: Unknown subsys name 'hugetlb'
[ 26.125043][ T293] cgroup: Unknown subsys name 'rlimit'
[ 26.303881][ T24] audit: type=1400 audit(1782166682.990:70): avc: denied { setattr } for pid=293 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 26.327036][ T24] audit: type=1400 audit(1782166682.990:71): avc: denied { create } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.347434][ T24] audit: type=1400 audit(1782166682.990:72): avc: denied { write } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.367737][ T24] audit: type=1400 audit(1782166682.990:73): avc: denied { read } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 26.399053][ T297] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 26.465212][ T293] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 26.869128][ T299] request_module fs-gadgetfs succeeded, but still no fs?
[ 26.880041][ T299] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 27.588251][ T352] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.595298][ T352] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.602791][ T352] device bridge_slave_0 entered promiscuous mode
[ 27.609687][ T352] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.616707][ T352] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.624140][ T352] device bridge_slave_1 entered promiscuous mode
[ 27.663262][ T352] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.670323][ T352] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.677630][ T352] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.684673][ T352] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.703422][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 27.711354][ T333] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.718545][ T333] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.728336][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 27.736476][ T333] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.743566][ T333] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 27.751862][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 27.760290][ T333] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.767424][ T333] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 27.779778][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 27.788994][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 27.803427][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 27.814905][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 27.823340][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 27.831084][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 27.839479][ T352] device veth0_vlan entered promiscuous mode
[ 27.849619][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 27.863931][ T352] device veth1_macvtap entered promiscuous mode
[ 27.873609][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 27.889338][ T333] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2026/06/22 22:18:04 executed programs: 0
[ 28.152258][ T363] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.159735][ T363] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.167058][ T363] device bridge_slave_0 entered promiscuous mode
[ 28.178557][ T363] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.185591][ T363] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.193183][ T363] device bridge_slave_1 entered promiscuous mode
[ 28.238479][ T363] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.245522][ T363] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.269926][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.277383][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 28.285757][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.299724][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.313952][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.322164][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.329213][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.336582][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.344858][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.351891][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.371334][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.380426][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.394669][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.405935][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.414303][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.422081][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.430913][ T363] device veth0_vlan entered promiscuous mode
[ 28.441664][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.451386][ T363] device veth1_macvtap entered promiscuous mode
[ 28.460981][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.471133][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 28.493372][ T405] ==================================================================
[ 28.501499][ T405] BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0
[ 28.508268][ T405] Write of size 8 at addr ffff888111c22950 by task syz.2.17/405
[ 28.515911][ T405]
[ 28.518258][ T405] CPU: 1 PID: 405 Comm: syz.2.17 Not tainted syzkaller #0
[ 28.525370][ T405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
[ 28.535450][ T405] Call Trace:
[ 28.538744][ T405] __dump_stack+0x21/0x24
[ 28.543069][ T405] dump_stack_lvl+0x1a7/0x208
[ 28.547832][ T405] ? show_regs_print_info+0x18/0x18
[ 28.553022][ T405] ? thaw_kernel_threads+0x220/0x220
[ 28.558302][ T405] ? debug_smp_processor_id+0x17/0x20
[ 28.563673][ T405] print_address_description+0x7f/0x2c0
[ 28.569223][ T405] ? mutex_lock+0x85/0xf0
[ 28.573652][ T405] kasan_report+0x100/0x140
[ 28.578177][ T405] ? mutex_lock+0x85/0xf0
[ 28.582501][ T405] kasan_check_range+0x249/0x2a0
[ 28.587531][ T405] __kasan_check_write+0x14/0x20
[ 28.592484][ T405] mutex_lock+0x85/0xf0
[ 28.596631][ T405] ? mutex_trylock+0xb0/0xb0
[ 28.601220][ T405] ? l2tp_session_put+0xb2/0x1a0
[ 28.606151][ T405] ? l2tp_session_delete+0x3a9/0x4a0
[ 28.611427][ T405] pppol2tp_release+0x178/0x2b0
[ 28.616268][ T405] sock_close+0xb8/0x200
[ 28.620508][ T405] ? sock_mmap+0xa0/0xa0
[ 28.624742][ T405] __fput+0x2dc/0x730
[ 28.628719][ T405] ____fput+0x15/0x20
[ 28.632696][ T405] task_work_run+0x127/0x190
[ 28.637299][ T405] exit_to_user_mode_loop+0xcb/0xe0
[ 28.642491][ T405] exit_to_user_mode_prepare+0x76/0xa0
[ 28.647960][ T405] syscall_exit_to_user_mode+0x1d/0x40
[ 28.653414][ T405] do_syscall_64+0x3d/0x40
[ 28.657841][ T405] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.663744][ T405] RIP: 0033:0x7f1358657e59
[ 28.668158][ T405] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 28.687757][ T405] RSP: 002b:00007ffefdb60e18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 28.696173][ T405] RAX: 0000000000000000 RBX: 00007ffefdb60f00 RCX: 00007f1358657e59
[ 28.704247][ T405] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 28.712219][ T405] RBP: 0000000000006f30 R08: 0000000000000001 R09: 0000000000000000
[ 28.720190][ T405] R10: 0000001b32a20000 R11: 0000000000000246 R12: 0000000000000000
[ 28.728176][ T405] R13: 00007f13588d0fac R14: 00007f13588d0fa8 R15: 00007f13588d0fa0
[ 28.736165][ T405]
[ 28.738495][ T405] Allocated by task 405:
[ 28.742750][ T405] __kasan_kmalloc+0xd4/0x100
[ 28.747621][ T405] __kmalloc+0x19f/0x330
[ 28.752069][ T405] l2tp_session_create+0x39/0xb60
[ 28.757143][ T405] pppol2tp_connect+0xbf5/0x1640
[ 28.762076][ T405] __sys_connect+0x3ce/0x450
[ 28.766711][ T405] __x64_sys_connect+0x7a/0x90
[ 28.771480][ T405] do_syscall_64+0x31/0x40
[ 28.776076][ T405] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.781961][ T405]
[ 28.784290][ T405] Freed by task 405:
[ 28.788179][ T405] kasan_set_track+0x4a/0x70
[ 28.792764][ T405] kasan_set_free_info+0x23/0x40
[ 28.797704][ T405] ____kasan_slab_free+0x125/0x160
[ 28.802827][ T405] __kasan_slab_free+0x11/0x20
[ 28.807585][ T405] slab_free_freelist_hook+0xc5/0x190
[ 28.812949][ T405] kfree+0xc0/0x270
[ 28.816776][ T405] l2tp_session_put+0xb2/0x1a0
[ 28.821537][ T405] l2tp_session_delete+0x3a9/0x4a0
[ 28.826642][ T405] pppol2tp_release+0x169/0x2b0
[ 28.831485][ T405] sock_close+0xb8/0x200
[ 28.835813][ T405] __fput+0x2dc/0x730
[ 28.839797][ T405] ____fput+0x15/0x20
[ 28.843774][ T405] task_work_run+0x127/0x190
[ 28.848364][ T405] exit_to_user_mode_loop+0xcb/0xe0
[ 28.853570][ T405] exit_to_user_mode_prepare+0x76/0xa0
[ 28.859031][ T405] syscall_exit_to_user_mode+0x1d/0x40
[ 28.864584][ T405] do_syscall_64+0x3d/0x40
[ 28.869004][ T405] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 28.874912][ T405]
[ 28.877245][ T405] The buggy address belongs to the object at ffff888111c22800
[ 28.877245][ T405] which belongs to the cache kmalloc-512 of size 512
[ 28.891418][ T405] The buggy address is located 336 bytes inside of
[ 28.891418][ T405] 512-byte region [ffff888111c22800, ffff888111c22a00)
[ 28.904758][ T405] The buggy address belongs to the page:
[ 28.910470][ T405] page:ffffea0004470800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111c20
[ 28.920709][ T405] head:ffffea0004470800 order:2 compound_mapcount:0 compound_pincount:0
[ 28.929051][ T405] flags: 0x4000000000010200(slab|head)
[ 28.934519][ T405] raw: 4000000000010200 ffffea00043ef900 0000000400000004 ffff888100043080
[ 28.943112][ T405] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 28.951701][ T405] page dumped because: kasan: bad access detected
[ 28.958106][ T405] page_owner tracks the page as allocated
[ 28.963885][ T405] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 104, ts 5540872786, free_ts 0
[ 28.981972][ T405] prep_new_page+0x176/0x190
[ 28.986573][ T405] get_page_from_freelist+0x225f/0x23f0
[ 28.992129][ T405] __alloc_pages_nodemask+0x29a/0x640
[ 28.997507][ T405] new_slab+0x84/0x3f0
[ 29.001585][ T405] ___slab_alloc+0x2f8/0x4c0
[ 29.006182][ T405] __slab_alloc+0x63/0xa0
[ 29.010520][ T405] __kmalloc_track_caller+0x1e4/0x310
[ 29.016422][ T405] __alloc_skb+0xdc/0x520
[ 29.020752][ T405] alloc_skb_with_frags+0xa3/0x560
[ 29.025866][ T405] sock_alloc_send_pskb+0x87f/0x9a0
[ 29.031073][ T405] unix_dgram_sendmsg+0x6f3/0x18f0
[ 29.036189][ T405] sock_write_iter+0x2a6/0x3a0
[ 29.040987][ T405] vfs_write+0x770/0xd70
[ 29.045238][ T405] ksys_write+0x14a/0x260
[ 29.049605][ T405] __x64_sys_write+0x7b/0x90
[ 29.054198][ T405] do_syscall_64+0x31/0x40
[ 29.058612][ T405] page_owner free stack trace missing
[ 29.063985][ T405]
[ 29.066318][ T405] Memory state around the buggy address:
[ 29.071983][ T405] ffff888111c22800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.080057][ T405] ffff888111c22880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.088127][ T405] >ffff888111c22900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.096189][ T405] ^
[ 29.102991][ T405] ffff888111c22980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.111076][ T405] ffff888111c22a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.119254][ T405] ==================================================================
[ 29.127325][ T405] Disabling lock debugging due to kernel taint