Warning: Permanently added '10.128.0.31' (ED25519) to the list of known hosts. 2026/06/22 04:48:17 parsed 1 programs 2026/06/22 04:48:17 serving rpc on tcp://45051 [ 24.546306][ T30] audit: type=1400 audit(1782103697.868:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 24.567123][ T30] audit: type=1400 audit(1782103697.868:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 25.456826][ T30] audit: type=1400 audit(1782103698.778:66): avc: denied { mounton } for pid=300 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.459850][ T300] cgroup: Unknown subsys name 'net' [ 25.479581][ T30] audit: type=1400 audit(1782103698.778:67): avc: denied { mount } for pid=300 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.506854][ T30] audit: type=1400 audit(1782103698.808:68): avc: denied { unmount } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.507161][ T300] cgroup: Unknown subsys name 'devices' [ 25.653753][ T300] cgroup: Unknown subsys name 'hugetlb' [ 25.659358][ T300] cgroup: Unknown subsys name 'rlimit' [ 25.803101][ T30] audit: type=1400 audit(1782103699.128:69): avc: denied { setattr } for pid=300 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 25.826268][ T30] audit: type=1400 audit(1782103699.128:70): avc: denied { create } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.846674][ T30] audit: type=1400 audit(1782103699.128:71): avc: denied { write } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 25.862781][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 25.867063][ T30] audit: type=1400 audit(1782103699.128:72): avc: denied { read } for pid=300 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 25.895748][ T30] audit: type=1400 audit(1782103699.128:73): avc: denied { mounton } for pid=300 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 25.928732][ T300] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 26.308315][ T306] request_module fs-gadgetfs succeeded, but still no fs? [ 26.975923][ T357] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.983446][ T357] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.990820][ T357] device bridge_slave_0 entered promiscuous mode [ 26.997684][ T357] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.004716][ T357] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.012069][ T357] device bridge_slave_1 entered promiscuous mode [ 27.032715][ T353] syz-executor (353) used greatest stack depth: 22176 bytes left [ 27.057643][ T357] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.064697][ T357] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.071991][ T357] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.079019][ T357] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.101827][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.109439][ T320] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.116828][ T320] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.125935][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.134129][ T320] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.141159][ T320] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.154473][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.162714][ T320] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.169720][ T320] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.180689][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.189932][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.207525][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.218201][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.226276][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.233790][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.241967][ T357] device veth0_vlan entered promiscuous mode [ 27.256032][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.264960][ T357] device veth1_macvtap entered promiscuous mode [ 27.273883][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.287432][ T320] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.334989][ T357] syz-executor (357) used greatest stack depth: 21600 bytes left 2026/06/22 04:48:20 executed programs: 0 [ 27.466217][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.473406][ T368] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.480692][ T368] device bridge_slave_0 entered promiscuous mode [ 27.487672][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.494763][ T368] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.502134][ T368] device bridge_slave_1 entered promiscuous mode [ 27.543216][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.550236][ T368] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.557517][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.564574][ T368] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.581876][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.589537][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.597581][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.613681][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.621856][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.628868][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.636312][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.644451][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.651507][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.658895][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.674568][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.686938][ T368] device veth0_vlan entered promiscuous mode [ 27.693659][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.703182][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.710604][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.718141][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.732223][ T368] device veth1_macvtap entered promiscuous mode [ 27.739081][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.750344][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.768803][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 27.790225][ T373] loop2: detected capacity change from 0 to 512 [ 27.804030][ T373] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! [ 27.817896][ T373] EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode [ 27.829647][ T373] EXT4-fs (loop2): 1 truncate cleaned up [ 27.835417][ T373] EXT4-fs (loop2): mounted filesystem without journal. Opts: max_batch_time=0x0000000000000004,max_batch_time=0x0000000000000002,resuid=0x0000000000000000,block_validity,errors=remount-ro,nombcache,. Quota mode: none. [ 27.864823][ T373] ================================================================== [ 27.872912][ T373] BUG: KASAN: use-after-free in ext4_convert_inline_data_nolock+0x313/0xcd0 [ 27.881606][ T373] Read of size 68 at addr ffff888128445c80 by task syz.2.17/373 [ 27.889224][ T373] [ 27.891540][ T373] CPU: 0 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0 [ 27.898629][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 27.908670][ T373] Call Trace: [ 27.911932][ T373] [ 27.914864][ T373] __dump_stack+0x21/0x30 [ 27.919189][ T373] dump_stack_lvl+0x110/0x170 [ 27.923852][ T373] ? show_regs_print_info+0x20/0x20 [ 27.929042][ T373] ? load_image+0x3f0/0x3f0 [ 27.933534][ T373] print_address_description+0x7f/0x2c0 [ 27.939076][ T373] ? ext4_convert_inline_data_nolock+0x313/0xcd0 [ 27.945392][ T373] kasan_report+0x10f/0x150 [ 27.949885][ T373] ? ext4_convert_inline_data_nolock+0x313/0xcd0 [ 27.956200][ T373] kasan_check_range+0x249/0x2a0 [ 27.961129][ T373] ? ext4_convert_inline_data_nolock+0x313/0xcd0 [ 27.967461][ T373] memcpy+0x2d/0x70 [ 27.971295][ T373] ext4_convert_inline_data_nolock+0x313/0xcd0 [ 27.977435][ T373] ? ext4_add_dirent_to_inline+0x4d0/0x4d0 [ 27.983227][ T373] ? ext4_get_inode_loc+0x100/0x130 [ 27.988420][ T373] ext4_try_add_inline_entry+0x737/0xa70 [ 27.994039][ T373] ? __kasan_check_read+0x11/0x20 [ 27.999050][ T373] ? ext4_da_write_inline_data_begin+0xba0/0xba0 [ 28.005365][ T373] ? memset+0x35/0x40 [ 28.009332][ T373] ? ext4_fname_setup_ci_filename+0x69/0x480 [ 28.015295][ T373] ext4_add_entry+0x711/0x1020 [ 28.020053][ T373] ? ext4_inc_count+0x1b0/0x1b0 [ 28.024894][ T373] ? __ext4_mark_inode_dirty+0x40e/0x5e0 [ 28.030532][ T373] ? ext4_init_new_dir+0x789/0x980 [ 28.035633][ T373] ext4_mkdir+0x520/0xc90 [ 28.039950][ T373] ? ext4_symlink+0xcd0/0xcd0 [ 28.044617][ T373] ? selinux_inode_mkdir+0x22/0x30 [ 28.049802][ T373] ? security_inode_mkdir+0xbd/0x110 [ 28.055075][ T373] vfs_mkdir+0x38b/0x590 [ 28.059310][ T373] do_mkdirat+0x174/0x4d0 [ 28.063623][ T373] __x64_sys_mkdirat+0x89/0xa0 [ 28.068389][ T373] x64_sys_call+0x37e/0x9a0 [ 28.072886][ T373] do_syscall_64+0x4c/0xa0 [ 28.077292][ T373] ? clear_bhb_loop+0x50/0xa0 [ 28.081954][ T373] ? clear_bhb_loop+0x50/0xa0 [ 28.086640][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 28.092520][ T373] RIP: 0033:0x7fe0b6dcfcc7 [ 28.096926][ T373] Code: 00 66 90 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 db f7 ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 28.116530][ T373] RSP: 002b:00007ffda24ec2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 [ 28.125023][ T373] RAX: ffffffffffffffda RBX: 00007ffda24ec350 RCX: 00007fe0b6dcfcc7 [ 28.132988][ T373] RDX: 00000000000001ff RSI: 0000200000000080 RDI: 00000000ffffff9c [ 28.140946][ T373] RBP: 0000200000000140 R08: 0000200000000080 R09: 0000000000000000 [ 28.148900][ T373] R10: 0000200000000140 R11: 0000000000000246 R12: 0000200000000080 [ 28.156856][ T373] R13: 00007ffda24ec310 R14: 0000000000000000 R15: 0000000000000000 [ 28.164835][ T373] [ 28.167843][ T373] [ 28.170152][ T373] The buggy address belongs to the page: [ 28.175760][ T373] page:ffffea0004a11140 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x128445 [ 28.185985][ T373] flags: 0x4000000000000000(zone=1) [ 28.191170][ T373] raw: 4000000000000000 ffffea0004a11188 ffffea0004ae4bc8 0000000000000000 [ 28.199735][ T373] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 28.208303][ T373] page dumped because: kasan: bad access detected [ 28.214694][ T373] page_owner tracks the page as freed [ 28.220054][ T373] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 357, ts 27304209391, free_ts 27333550093 [ 28.234448][ T373] post_alloc_hook+0x192/0x1b0 [ 28.239219][ T373] prep_new_page+0x1c/0x110 [ 28.243713][ T373] get_page_from_freelist+0x2c3a/0x2cd0 [ 28.249252][ T373] __alloc_pages+0x1a2/0x460 [ 28.253845][ T373] wp_page_copy+0x217/0x1890 [ 28.258422][ T373] do_wp_page+0x9e1/0xc90 [ 28.262751][ T373] handle_pte_fault+0x824/0x2770 [ 28.267680][ T373] do_handle_mm_fault+0x1b3b/0x1e30 [ 28.272864][ T373] do_user_addr_fault+0x808/0x11c0 [ 28.277968][ T373] exc_page_fault+0x51/0xb0 [ 28.282450][ T373] asm_exc_page_fault+0x27/0x30 [ 28.287282][ T373] page last free stack trace: [ 28.291932][ T373] free_unref_page_prepare+0x542/0x550 [ 28.297382][ T373] free_unref_page_list+0x138/0x9e0 [ 28.302568][ T373] release_pages+0x1264/0x12c0 [ 28.307320][ T373] free_pages_and_swap_cache+0x86/0xa0 [ 28.312762][ T373] tlb_finish_mmu+0x17e/0x310 [ 28.317423][ T373] exit_mmap+0x43b/0x8b0 [ 28.321698][ T373] __mmput+0x92/0x300 [ 28.325707][ T373] mmput+0x50/0x150 [ 28.329501][ T373] do_exit+0xacc/0x29a0 [ 28.333641][ T373] do_group_exit+0x149/0x310 [ 28.338217][ T373] get_signal+0x64f/0x1430 [ 28.342621][ T373] arch_do_signal_or_restart+0xe2/0x1100 [ 28.348243][ T373] exit_to_user_mode_loop+0xa7/0xe0 [ 28.353431][ T373] exit_to_user_mode_prepare+0x87/0xd0 [ 28.358879][ T373] syscall_exit_to_user_mode+0x1a/0x30 [ 28.364330][ T373] do_syscall_64+0x58/0xa0 [ 28.368738][ T373] [ 28.371045][ T373] Memory state around the buggy address: [ 28.376659][ T373] ffff888128445b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.384706][ T373] ffff888128445c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.392760][ T373] >ffff888128445c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.400802][ T373] ^ [ 28.404975][ T373] ffff888128445d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.413024][ T373] ffff888128445d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 28.421067][ T373] ================================================================== [ 28.429111][ T373] Disabling lock debugging due to kernel taint [ 28.436917][ T373] EXT4-fs error (device loop2): ext4_check_all_de:667: inode #12: block 7: comm syz.2.17: bad entry in directory: directory entry overrun - offset=0, inode=901261600, rec_len=7976, size=124 fake=0 [ 28.456853][ T373] EXT4-fs (loop2): Remounting filesystem read-only