Warning: Permanently added '10.128.0.14' (ED25519) to the list of known hosts. 2026/06/22 20:44:55 parsed 1 programs 2026/06/22 20:44:55 serving rpc on tcp://39935 [ 25.160281][ T24] audit: type=1400 audit(1782161095.910:64): avc: denied { node_bind } for pid=287 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 25.182150][ T24] audit: type=1400 audit(1782161095.910:65): avc: denied { create } for pid=287 comm="syz-execprog" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 25.202487][ T24] audit: type=1400 audit(1782161095.920:66): avc: denied { module_request } for pid=287 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 25.843005][ T24] audit: type=1400 audit(1782161096.600:67): avc: denied { mounton } for pid=293 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.843962][ T293] cgroup: Unknown subsys name 'net' [ 25.866052][ T24] audit: type=1400 audit(1782161096.600:68): avc: denied { mount } for pid=293 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.894452][ T24] audit: type=1400 audit(1782161096.630:69): avc: denied { unmount } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.894632][ T293] cgroup: Unknown subsys name 'devices' [ 26.012514][ T293] cgroup: Unknown subsys name 'hugetlb' [ 26.018348][ T293] cgroup: Unknown subsys name 'rlimit' [ 26.131614][ T24] audit: type=1400 audit(1782161096.890:70): avc: denied { setattr } for pid=293 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=253 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.155390][ T24] audit: type=1400 audit(1782161096.890:71): avc: denied { create } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 26.177072][ T24] audit: type=1400 audit(1782161096.890:72): avc: denied { write } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.183519][ T297] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 26.197732][ T24] audit: type=1400 audit(1782161096.890:73): avc: denied { read } for pid=293 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.227650][ T293] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 26.664460][ T299] request_module fs-gadgetfs succeeded, but still no fs? [ 26.674941][ T299] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation [ 26.880780][ T321] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.888040][ T321] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.895581][ T321] device bridge_slave_0 entered promiscuous mode [ 26.902610][ T321] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.909818][ T321] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.917920][ T321] device bridge_slave_1 entered promiscuous mode [ 26.952587][ T321] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.959765][ T321] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.967616][ T321] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.975121][ T321] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.993038][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.001486][ T7] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.008749][ T7] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.019848][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.028573][ T7] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.035627][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.044541][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.053125][ T7] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.060368][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.073594][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.083485][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.096671][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.107802][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.116442][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.124115][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.133524][ T321] device veth0_vlan entered promiscuous mode [ 27.143200][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.152496][ T321] device veth1_macvtap entered promiscuous mode [ 27.163034][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.174200][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 2026/06/22 20:44:58 executed programs: 0 [ 27.728672][ T362] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.735924][ T362] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.743714][ T362] device bridge_slave_0 entered promiscuous mode [ 27.753757][ T362] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.760780][ T362] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.768660][ T362] device bridge_slave_1 entered promiscuous mode [ 27.820458][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 27.828252][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.841994][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 27.850297][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.858791][ T7] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.865838][ T7] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.874964][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 27.886881][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 27.895470][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.903636][ T7] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.910671][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.921798][ T48] device bridge_slave_1 left promiscuous mode [ 27.928374][ T48] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.936020][ T48] device bridge_slave_0 left promiscuous mode [ 27.942336][ T48] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.950490][ T48] device veth1_macvtap left promiscuous mode [ 27.957774][ T48] device veth0_vlan left promiscuous mode [ 28.017139][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.026496][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.041118][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.051999][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.060128][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.068361][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.077650][ T362] device veth0_vlan entered promiscuous mode [ 28.087979][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.097401][ T362] device veth1_macvtap entered promiscuous mode [ 28.107857][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.117784][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.140766][ T366] ================================================================== [ 28.148884][ T366] BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0 [ 28.155743][ T366] Write of size 8 at addr ffff888110ea6950 by task syz.2.17/366 [ 28.163483][ T366] [ 28.166021][ T366] CPU: 1 PID: 366 Comm: syz.2.17 Not tainted syzkaller #0 [ 28.173141][ T366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 28.183229][ T366] Call Trace: [ 28.186533][ T366] __dump_stack+0x21/0x24 [ 28.190911][ T366] dump_stack_lvl+0x1a7/0x208 [ 28.195605][ T366] ? show_regs_print_info+0x18/0x18 [ 28.200806][ T366] ? thaw_kernel_threads+0x220/0x220 [ 28.206093][ T366] ? debug_smp_processor_id+0x17/0x20 [ 28.211468][ T366] print_address_description+0x7f/0x2c0 [ 28.217009][ T366] ? mutex_lock+0x85/0xf0 [ 28.221338][ T366] kasan_report+0x100/0x140 [ 28.225857][ T366] ? mutex_lock+0x85/0xf0 [ 28.230574][ T366] kasan_check_range+0x249/0x2a0 [ 28.235528][ T366] __kasan_check_write+0x14/0x20 [ 28.240464][ T366] mutex_lock+0x85/0xf0 [ 28.244747][ T366] ? mutex_trylock+0xb0/0xb0 [ 28.249486][ T366] ? l2tp_session_put+0xb2/0x1a0 [ 28.254461][ T366] ? l2tp_session_delete+0x3a9/0x4a0 [ 28.260210][ T366] pppol2tp_release+0x178/0x2b0 [ 28.265148][ T366] sock_close+0xb8/0x200 [ 28.269480][ T366] ? sock_mmap+0xa0/0xa0 [ 28.273805][ T366] __fput+0x2dc/0x730 [ 28.277783][ T366] ____fput+0x15/0x20 [ 28.281761][ T366] task_work_run+0x127/0x190 [ 28.286499][ T366] exit_to_user_mode_loop+0xcb/0xe0 [ 28.291687][ T366] exit_to_user_mode_prepare+0x76/0xa0 [ 28.297239][ T366] syscall_exit_to_user_mode+0x1d/0x40 [ 28.302691][ T366] do_syscall_64+0x3d/0x40 [ 28.307216][ T366] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 28.313277][ T366] RIP: 0033:0x7f335a469e59 [ 28.317783][ T366] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 28.337570][ T366] RSP: 002b:00007ffeb5c14c38 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 28.345988][ T366] RAX: 0000000000000000 RBX: 00007ffeb5c14d20 RCX: 00007f335a469e59 [ 28.354177][ T366] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 28.362332][ T366] RBP: 0000000000006dcb R08: 0000000000000001 R09: 0000000000000000 [ 28.370302][ T366] R10: 0000001b32920000 R11: 0000000000000246 R12: 0000000000000000 [ 28.378266][ T366] R13: 00007f335a6e2fac R14: 00007f335a6e2fa8 R15: 00007f335a6e2fa0 [ 28.386336][ T366] [ 28.388661][ T366] Allocated by task 366: [ 28.392902][ T366] __kasan_kmalloc+0xd4/0x100 [ 28.397595][ T366] __kmalloc+0x19f/0x330 [ 28.401849][ T366] l2tp_session_create+0x39/0xb60 [ 28.407024][ T366] pppol2tp_connect+0xbf5/0x1640 [ 28.411971][ T366] __sys_connect+0x3ce/0x450 [ 28.416665][ T366] __x64_sys_connect+0x7a/0x90 [ 28.421739][ T366] do_syscall_64+0x31/0x40 [ 28.426325][ T366] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 28.432226][ T366] [ 28.434644][ T366] Freed by task 366: [ 28.438742][ T366] kasan_set_track+0x4a/0x70 [ 28.443836][ T366] kasan_set_free_info+0x23/0x40 [ 28.448874][ T366] ____kasan_slab_free+0x125/0x160 [ 28.454109][ T366] __kasan_slab_free+0x11/0x20 [ 28.458885][ T366] slab_free_freelist_hook+0xc5/0x190 [ 28.464267][ T366] kfree+0xc0/0x270 [ 28.469571][ T366] l2tp_session_put+0xb2/0x1a0 [ 28.474525][ T366] l2tp_session_delete+0x3a9/0x4a0 [ 28.479722][ T366] pppol2tp_release+0x169/0x2b0 [ 28.484856][ T366] sock_close+0xb8/0x200 [ 28.489836][ T366] __fput+0x2dc/0x730 [ 28.493852][ T366] ____fput+0x15/0x20 [ 28.497830][ T366] task_work_run+0x127/0x190 [ 28.502502][ T366] exit_to_user_mode_loop+0xcb/0xe0 [ 28.507873][ T366] exit_to_user_mode_prepare+0x76/0xa0 [ 28.513436][ T366] syscall_exit_to_user_mode+0x1d/0x40 [ 28.519060][ T366] do_syscall_64+0x3d/0x40 [ 28.523534][ T366] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 28.529413][ T366] [ 28.531743][ T366] The buggy address belongs to the object at ffff888110ea6800 [ 28.531743][ T366] which belongs to the cache kmalloc-512 of size 512 [ 28.545877][ T366] The buggy address is located 336 bytes inside of [ 28.545877][ T366] 512-byte region [ffff888110ea6800, ffff888110ea6a00) [ 28.559442][ T366] The buggy address belongs to the page: [ 28.565399][ T366] page:ffffea000443a900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110ea4 [ 28.575733][ T366] head:ffffea000443a900 order:2 compound_mapcount:0 compound_pincount:0 [ 28.584058][ T366] flags: 0x4000000000010200(slab|head) [ 28.589604][ T366] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080 [ 28.598294][ T366] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 28.606868][ T366] page dumped because: kasan: bad access detected [ 28.613270][ T366] page_owner tracks the page as allocated [ 28.619076][ T366] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 366, ts 28139248458, free_ts 28138100736 [ 28.639505][ T366] prep_new_page+0x176/0x190 [ 28.644110][ T366] get_page_from_freelist+0x225f/0x23f0 [ 28.649743][ T366] __alloc_pages_nodemask+0x29a/0x640 [ 28.655108][ T366] new_slab+0x84/0x3f0 [ 28.659187][ T366] ___slab_alloc+0x2f8/0x4c0 [ 28.663788][ T366] __slab_alloc+0x63/0xa0 [ 28.668202][ T366] __kmalloc+0x1f9/0x330 [ 28.672446][ T366] l2tp_session_create+0x39/0xb60 [ 28.677608][ T366] pppol2tp_connect+0xbf5/0x1640 [ 28.682700][ T366] __sys_connect+0x3ce/0x450 [ 28.687306][ T366] __x64_sys_connect+0x7a/0x90 [ 28.692097][ T366] do_syscall_64+0x31/0x40 [ 28.696522][ T366] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 28.702410][ T366] page last free stack trace: [ 28.707088][ T366] __free_pages_ok+0x80b/0x830 [ 28.711848][ T366] __free_pages+0xd8/0x390 [ 28.716256][ T366] free_pages+0x82/0x90 [ 28.720496][ T366] __stack_depot_save+0x492/0x4c0 [ 28.725630][ T366] kasan_set_track+0x5b/0x70 [ 28.730393][ T366] kasan_set_free_info+0x23/0x40 [ 28.735415][ T366] ____kasan_slab_free+0x125/0x160 [ 28.740603][ T366] __kasan_slab_free+0x11/0x20 [ 28.745447][ T366] slab_free_freelist_hook+0xc5/0x190 [ 28.750811][ T366] kfree+0xc0/0x270 [ 28.754701][ T366] skb_release_data+0x53b/0x690 [ 28.759543][ T366] consume_skb+0xab/0x1f0 [ 28.763885][ T366] tun_do_read+0x12d9/0x1cf0 [ 28.768644][ T366] tun_chr_read_iter+0x1d0/0x2b0 [ 28.773573][ T366] vfs_read+0x62a/0xa50 [ 28.777719][ T366] ksys_read+0x14a/0x260 [ 28.781957][ T366] [ 28.784374][ T366] Memory state around the buggy address: [ 28.790015][ T366] ffff888110ea6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.798662][ T366] ffff888110ea6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.806732][ T366] >ffff888110ea6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.814784][ T366] ^ [ 28.821455][ T366] ffff888110ea6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.830215][ T366] ffff888110ea6a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.838265][ T366] ================================================================== [ 28.846315][ T366] Disabling lock debugging due to kernel taint