syzkaller syzkaller login: [ 14.815424][ T28] kauditd_printk_skb: 31 callbacks suppressed [ 14.815441][ T28] audit: type=1400 audit(1779397866.886:59): avc: denied { transition } for pid=223 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.820357][ T28] audit: type=1400 audit(1779397866.886:60): avc: denied { noatsecure } for pid=223 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.824534][ T28] audit: type=1400 audit(1779397866.896:61): avc: denied { write } for pid=223 comm="sh" path="pipe:[14618]" dev="pipefs" ino=14618 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 14.828578][ T28] audit: type=1400 audit(1779397866.896:62): avc: denied { rlimitinh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.831644][ T28] audit: type=1400 audit(1779397866.896:63): avc: denied { siginh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.976959][ T233] scp (233) used greatest stack depth: 21696 bytes left Warning: Permanently added '10.128.0.229' (ED25519) to the list of known hosts. 2026/05/21 21:11:31 parsed 1 programs [ 39.110757][ T28] audit: type=1400 audit(1779397891.186:64): avc: denied { node_bind } for pid=295 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 39.131722][ T28] audit: type=1400 audit(1779397891.186:65): avc: denied { module_request } for pid=295 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 40.261019][ T28] audit: type=1400 audit(1779397892.336:66): avc: denied { mounton } for pid=303 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 40.265400][ T303] cgroup: Unknown subsys name 'net' [ 40.283740][ T28] audit: type=1400 audit(1779397892.336:67): avc: denied { mount } for pid=303 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 40.312018][ T28] audit: type=1400 audit(1779397892.376:68): avc: denied { unmount } for pid=303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 40.312670][ T303] cgroup: Unknown subsys name 'devices' [ 40.490206][ T303] cgroup: Unknown subsys name 'hugetlb' [ 40.495884][ T303] cgroup: Unknown subsys name 'rlimit' [ 40.612264][ T28] audit: type=1400 audit(1779397892.686:69): avc: denied { setattr } for pid=303 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 40.635529][ T28] audit: type=1400 audit(1779397892.686:70): avc: denied { create } for pid=303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 40.656106][ T28] audit: type=1400 audit(1779397892.686:71): avc: denied { write } for pid=303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 40.676515][ T28] audit: type=1400 audit(1779397892.686:72): avc: denied { read } for pid=303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 40.697036][ T28] audit: type=1400 audit(1779397892.686:73): avc: denied { mounton } for pid=303 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 40.707979][ T306] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 40.773701][ T303] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 41.453488][ T308] request_module fs-gadgetfs succeeded, but still no fs? [ 42.114519][ T349] bridge0: port 1(bridge_slave_0) entered blocking state [ 42.122278][ T349] bridge0: port 1(bridge_slave_0) entered disabled state [ 42.129970][ T349] device bridge_slave_0 entered promiscuous mode [ 42.137114][ T349] bridge0: port 2(bridge_slave_1) entered blocking state [ 42.144343][ T349] bridge0: port 2(bridge_slave_1) entered disabled state [ 42.151793][ T349] device bridge_slave_1 entered promiscuous mode [ 42.198664][ T349] bridge0: port 2(bridge_slave_1) entered blocking state [ 42.205821][ T349] bridge0: port 2(bridge_slave_1) entered forwarding state [ 42.213268][ T349] bridge0: port 1(bridge_slave_0) entered blocking state [ 42.220362][ T349] bridge0: port 1(bridge_slave_0) entered forwarding state [ 42.241716][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 42.249583][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 42.257198][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 42.267005][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 42.275426][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 42.282516][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 42.291690][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 42.300065][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 42.307132][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 42.320152][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 42.329953][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 42.345067][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 42.362672][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 42.371207][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 42.378942][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 42.387610][ T349] device veth0_vlan entered promiscuous mode [ 42.404505][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 42.413608][ T349] device veth1_macvtap entered promiscuous mode [ 42.423429][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 42.433610][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 42.476804][ T349] syz-executor (349) used greatest stack depth: 21184 bytes left 2026/05/21 21:11:34 executed programs: 0 [ 42.889607][ T370] bridge0: port 1(bridge_slave_0) entered blocking state [ 42.896762][ T370] bridge0: port 1(bridge_slave_0) entered disabled state [ 42.904410][ T370] device bridge_slave_0 entered promiscuous mode [ 42.911608][ T370] bridge0: port 2(bridge_slave_1) entered blocking state [ 42.918971][ T370] bridge0: port 2(bridge_slave_1) entered disabled state [ 42.926392][ T370] device bridge_slave_1 entered promiscuous mode [ 42.975462][ T370] bridge0: port 2(bridge_slave_1) entered blocking state [ 42.982861][ T370] bridge0: port 2(bridge_slave_1) entered forwarding state [ 42.990295][ T370] bridge0: port 1(bridge_slave_0) entered blocking state [ 42.997461][ T370] bridge0: port 1(bridge_slave_0) entered forwarding state [ 43.017926][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 43.025861][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 43.033922][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 43.042956][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 43.051250][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 43.058396][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 43.067530][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 43.075982][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 43.083132][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 43.097256][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 43.105718][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 43.114904][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 43.123503][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 43.137672][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 43.146109][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 43.159557][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 43.167624][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 43.175736][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 43.183491][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 43.191810][ T370] device veth0_vlan entered promiscuous mode [ 43.208806][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 43.217080][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 43.226602][ T370] device veth1_macvtap entered promiscuous mode [ 43.236241][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 43.244659][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 43.253080][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 43.268063][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 43.276587][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 43.574837][ C1] ================================================================== [ 43.582958][ C1] BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6fa/0x960 [ 43.590794][ C1] Write of size 48 at addr ffff88810e508560 by task syz.2.33/391 [ 43.598504][ C1] [ 43.600835][ C1] CPU: 1 PID: 391 Comm: syz.2.33 Not tainted syzkaller #0 [ 43.607942][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 43.618026][ C1] Call Trace: [ 43.621305][ C1] [ 43.624231][ C1] __dump_stack+0x21/0x24 [ 43.628570][ C1] dump_stack_lvl+0x110/0x170 [ 43.633252][ C1] ? __cfi_dump_stack_lvl+0x8/0x8 [ 43.638307][ C1] ? __bpf_get_stackid+0x6fa/0x960 [ 43.643509][ C1] print_address_description+0x71/0x200 [ 43.649072][ C1] print_report+0x4a/0x60 [ 43.653396][ C1] kasan_report+0x122/0x150 [ 43.657906][ C1] ? __bpf_get_stackid+0x6fa/0x960 [ 43.663030][ C1] kasan_check_range+0x249/0x2a0 [ 43.667972][ C1] ? __bpf_get_stackid+0x6fa/0x960 [ 43.673081][ C1] memcpy+0x44/0x70 [ 43.676883][ C1] __bpf_get_stackid+0x6fa/0x960 [ 43.681860][ C1] bpf_get_stackid_pe+0x350/0x400 [ 43.686887][ C1] bpf_prog_644fb7c94e15512a+0x2b/0x40 [ 43.692356][ C1] bpf_overflow_handler+0x3d0/0x5e0 [ 43.697559][ C1] ? __cfi_bpf_overflow_handler+0x10/0x10 [ 43.703276][ C1] ? kvm_sched_clock_read+0x18/0x40 [ 43.708485][ C1] ? __this_cpu_preempt_check+0x13/0x20 [ 43.714033][ C1] ? __perf_event_account_interrupt+0x1a4/0x2c0 [ 43.720278][ C1] __perf_event_overflow+0x437/0x620 [ 43.725567][ C1] perf_swevent_hrtimer+0x400/0x5b0 [ 43.730791][ C1] ? should_fail+0xb/0x10 [ 43.735117][ C1] ? get_futex_key+0x641/0xb10 [ 43.739885][ C1] ? __cfi_perf_swevent_hrtimer+0x10/0x10 [ 43.745623][ C1] ? timerqueue_add+0x20e/0x230 [ 43.750521][ C1] ? timerqueue_del+0xd3/0x120 [ 43.755296][ C1] ? __cfi_perf_swevent_hrtimer+0x10/0x10 [ 43.761130][ C1] __hrtimer_run_queues+0x3bb/0x8e0 [ 43.766371][ C1] ? hrtimer_interrupt+0x8c0/0x8c0 [ 43.771492][ C1] ? ktime_get_update_offsets_now+0x30c/0x320 [ 43.777578][ C1] hrtimer_interrupt+0x3c7/0x8c0 [ 43.782629][ C1] __sysvec_apic_timer_interrupt+0x11e/0x440 [ 43.788975][ C1] sysvec_apic_timer_interrupt+0x53/0xc0 [ 43.794618][ C1] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 43.800605][ C1] RIP: 0033:0x7fc504c6ec02 [ 43.805023][ C1] Code: fa 48 29 ca 66 3b 32 73 10 0f b7 f6 0f b7 14 32 66 85 d2 74 04 48 8b 04 17 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 41 57 <41> 56 41 55 41 54 55 53 48 83 ec 28 80 7f 60 00 0f 84 ba 02 00 00 [ 43.824647][ C1] RSP: 002b:00007ffec91021a0 EFLAGS: 00000246 [ 43.830774][ C1] RAX: 0000001b33d2422c RBX: 0000000000000000 RCX: 0000000000000000 [ 43.838848][ C1] RDX: 0000001b33d24224 RSI: 0000000000000044 RDI: 00007fc505b45720 [ 43.847281][ C1] RBP: 00007fc505b45720 R08: 0000000000000000 R09: 00007fc505016038 [ 43.856771][ C1] R10: 0000000000000003 R11: 0000000000000004 R12: 0000000000000000 [ 43.865112][ C1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000004 [ 43.873389][ C1] [ 43.876716][ C1] [ 43.879057][ C1] Allocated by task 391: [ 43.883482][ C1] kasan_set_track+0x4b/0x70 [ 43.888102][ C1] kasan_save_alloc_info+0x25/0x30 [ 43.893228][ C1] __kasan_kmalloc+0x95/0xb0 [ 43.897845][ C1] __kmalloc_node+0xb2/0x1e0 [ 43.902448][ C1] bpf_map_area_alloc+0x4b/0xe0 [ 43.907313][ C1] prealloc_elems_and_freelist+0x8a/0x1e0 [ 43.913048][ C1] stack_map_alloc+0x3a7/0x530 [ 43.917824][ C1] map_create+0x49c/0xd80 [ 43.922190][ C1] __sys_bpf+0x34e/0x850 [ 43.926500][ C1] __x64_sys_bpf+0x7c/0x90 [ 43.930939][ C1] x64_sys_call+0x488/0x9a0 [ 43.935469][ C1] do_syscall_64+0x4c/0xa0 [ 43.939905][ C1] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 43.945821][ C1] [ 43.948163][ C1] The buggy address belongs to the object at ffff88810e508500 [ 43.948163][ C1] which belongs to the cache kmalloc-128 of size 128 [ 43.962237][ C1] The buggy address is located 96 bytes inside of [ 43.962237][ C1] 128-byte region [ffff88810e508500, ffff88810e508580) [ 43.975440][ C1] [ 43.977798][ C1] The buggy address belongs to the physical page: [ 43.984221][ C1] page:ffffea0004394200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e508 [ 43.994573][ C1] flags: 0x4000000000000200(slab|zone=1) [ 44.000234][ C1] raw: 4000000000000200 ffffea00043961c0 dead000000000004 ffff888100042a80 [ 44.008829][ C1] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 44.017415][ C1] page dumped because: kasan: bad access detected [ 44.023876][ C1] page_owner tracks the page as allocated [ 44.029603][ C1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 4101664840, free_ts 0 [ 44.046285][ C1] post_alloc_hook+0x1f5/0x210 [ 44.051085][ C1] prep_new_page+0x1c/0x110 [ 44.055620][ C1] get_page_from_freelist+0x2d12/0x2d80 [ 44.061190][ C1] __alloc_pages+0x1fa/0x610 [ 44.065808][ C1] alloc_slab_page+0x6e/0xf0 [ 44.070407][ C1] new_slab+0x98/0x3d0 [ 44.074514][ C1] ___slab_alloc+0x6bd/0xb20 [ 44.079226][ C1] __slab_alloc+0x5e/0xa0 [ 44.083580][ C1] __kmem_cache_alloc_node+0x203/0x2c0 [ 44.089058][ C1] kmalloc_trace+0x29/0xb0 [ 44.093495][ C1] call_usermodehelper_setup+0x8e/0x210 [ 44.099061][ C1] kobject_uevent_env+0x66c/0x730 [ 44.104110][ C1] kobject_uevent+0x1d/0x30 [ 44.108637][ C1] driver_register+0x3f4/0x440 [ 44.113420][ C1] __platform_driver_register+0x68/0x80 [ 44.118985][ C1] i8042_init+0x99/0x1d2 [ 44.123330][ C1] page_owner free stack trace missing [ 44.128711][ C1] [ 44.131052][ C1] Memory state around the buggy address: [ 44.136724][ C1] ffff88810e508400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 44.144811][ C1] ffff88810e508480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.152887][ C1] >ffff88810e508500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 44.160955][ C1] ^ [ 44.168940][ C1] ffff88810e508580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.177016][ C1] ffff88810e508600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 44.185084][ C1] ================================================================== [ 44.193241][ C1] Disabling lock debugging due to kernel taint [ 44.206085][ T28] kauditd_printk_skb: 40 callbacks suppressed [ 44.206102][ T28] audit: type=1400 audit(1779397896.276:114): avc: denied { read } for pid=84 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 [ 44.206403][ C1] hrtimer: interrupt took 151973 ns [ 44.215533][ T28] audit: type=1400 audit(1779397896.276:115): avc: denied { search } for pid=84 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 44.264836][ T28] audit: type=1400 audit(1779397896.276:116): avc: denied { write } for pid=84 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 44.287086][ T28] audit: type=1400 audit(1779397896.276:117): avc: denied { add_name } for pid=84 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 [ 44.311249][ T28] audit: type=1400 audit(1779397896.276:118): avc: denied { create } for pid=84 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 44.334089][ T28] audit: type=1400 audit(1779397896.276:119): avc: denied { append open } for pid=84 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 44.364329][ T28] audit: type=1400 audit(1779397896.276:120): avc: denied { getattr } for pid=84 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 44.468505][ T10] device bridge_slave_1 left promiscuous mode [ 44.474694][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 44.482694][ T10] device bridge_slave_0 left promiscuous mode [ 44.489505][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 44.498384][ T10] device veth1_macvtap left promiscuous mode [ 44.504518][ T10] device veth0_vlan left promiscuous mode 2026/05/21 21:11:39 executed programs: 223 [ 47.828896][ T28] audit: type=1400 audit(1779397899.906:121): avc: denied { write } for pid=295 comm="syz-execprog" path="pipe:[14752]" dev="pipefs" ino=14752 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 2026/05/21 21:11:44 executed programs: 520