syzkaller syzkaller login:
[ 11.949163][ T30] kauditd_printk_skb: 48 callbacks suppressed
[ 11.949178][ T30] audit: type=1400 audit(1775214800.877:59): avc: denied { transition } for pid=221 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 11.959039][ T30] audit: type=1400 audit(1775214800.877:60): avc: denied { noatsecure } for pid=221 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 11.967371][ T30] audit: type=1400 audit(1775214800.887:61): avc: denied { write } for pid=221 comm="sh" path="pipe:[14842]" dev="pipefs" ino=14842 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 11.985904][ T30] audit: type=1400 audit(1775214800.887:62): avc: denied { rlimitinh } for pid=221 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 12.006247][ T30] audit: type=1400 audit(1775214800.887:63): avc: denied { siginh } for pid=221 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.1.144' (ED25519) to the list of known hosts.
2026/04/03 11:13:29 parsed 1 programs
[ 20.892679][ T30] audit: type=1400 audit(1775214809.827:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 20.913885][ T30] audit: type=1400 audit(1775214809.827:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 21.606960][ T30] audit: type=1400 audit(1775214810.537:66): avc: denied { mounton } for pid=287 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 21.608406][ T287] cgroup: Unknown subsys name 'net'
[ 21.629850][ T30] audit: type=1400 audit(1775214810.537:67): avc: denied { mount } for pid=287 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.657261][ T30] audit: type=1400 audit(1775214810.567:68): avc: denied { unmount } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.657402][ T287] cgroup: Unknown subsys name 'devices'
[ 21.831878][ T287] cgroup: Unknown subsys name 'hugetlb'
[ 21.837577][ T287] cgroup: Unknown subsys name 'rlimit'
[ 22.010059][ T30] audit: type=1400 audit(1775214810.947:69): avc: denied { setattr } for pid=287 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 22.033429][ T30] audit: type=1400 audit(1775214810.947:70): avc: denied { create } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.039459][ T291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 22.054420][ T30] audit: type=1400 audit(1775214810.947:71): avc: denied { write } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 22.083684][ T30] audit: type=1400 audit(1775214810.947:72): avc: denied { read } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 22.104305][ T30] audit: type=1400 audit(1775214810.947:73): avc: denied { mounton } for pid=287 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 22.132952][ T287] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 22.612824][ T295] request_module fs-gadgetfs succeeded, but still no fs?
[ 22.893164][ T309] syz-executor (309) used greatest stack depth: 22144 bytes left
[ 22.907794][ T319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 22.914887][ T319] bridge0: port 1(bridge_slave_0) entered disabled state
[ 22.922479][ T319] device bridge_slave_0 entered promiscuous mode
[ 22.930353][ T319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.937516][ T319] bridge0: port 2(bridge_slave_1) entered disabled state
[ 22.945360][ T319] device bridge_slave_1 entered promiscuous mode
[ 22.982698][ T319] bridge0: port 2(bridge_slave_1) entered blocking state
[ 22.989749][ T319] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 22.997062][ T319] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.004131][ T319] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.021075][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 23.028840][ T308] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.036119][ T308] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.045909][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 23.054289][ T308] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.061354][ T308] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.071023][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 23.079224][ T308] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.086273][ T308] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.097372][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 23.107656][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 23.121787][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.132803][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.141047][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 23.148397][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 23.156738][ T319] device veth0_vlan entered promiscuous mode
[ 23.168808][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 23.178263][ T319] device veth1_macvtap entered promiscuous mode
[ 23.187947][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 23.197694][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 23.241093][ T319] syz-executor (319) used greatest stack depth: 21536 bytes left
2026/04/03 11:13:32 executed programs: 0
[ 23.774829][ T356] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.782245][ T356] bridge0: port 1(bridge_slave_0) entered disabled state
[ 23.789498][ T356] device bridge_slave_0 entered promiscuous mode
[ 23.796397][ T356] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.803522][ T356] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.810979][ T356] device bridge_slave_1 entered promiscuous mode
[ 23.856817][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 23.864231][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 23.873104][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 23.881497][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 23.889602][ T308] bridge0: port 1(bridge_slave_0) entered blocking state
[ 23.896817][ T308] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 23.904307][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 23.913006][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 23.921410][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 23.929479][ T308] bridge0: port 2(bridge_slave_1) entered blocking state
[ 23.936515][ T308] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 23.947822][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 23.957163][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 23.971461][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 23.982415][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 23.990488][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 23.997993][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 24.006245][ T356] device veth0_vlan entered promiscuous mode
[ 24.015734][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 24.025294][ T356] device veth1_macvtap entered promiscuous mode
[ 24.033992][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 24.044023][ T308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 24.067845][ T360] loop2: detected capacity change from 0 to 512
[ 24.116156][ T360] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[ 24.130056][ T360] EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode
[ 24.141569][ T360] EXT4-fs (loop2): 1 truncate cleaned up
[ 24.147210][ T360] EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier=0x0000000000000006,resuid=0x0000000000000000,barrier=0x0000000000000003,norecovery,block_validity,data_err=abort,,errors=continue. Quota mode: none.
[ 24.173983][ T360] ==================================================================
[ 24.182083][ T360] BUG: KASAN: slab-out-of-bounds in do_split+0x132f/0x1fb0
[ 24.189623][ T360] Write of size 24923 at addr ffff88812e156c2a by task syz.2.17/360
[ 24.197581][ T360]
[ 24.199898][ T360] CPU: 1 PID: 360 Comm: syz.2.17 Not tainted syzkaller #0
[ 24.207100][ T360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 24.217141][ T360] Call Trace:
[ 24.220404][ T360]
[ 24.223322][ T360] __dump_stack+0x21/0x30
[ 24.227646][ T360] dump_stack_lvl+0x110/0x170
[ 24.232312][ T360] ? show_regs_print_info+0x20/0x20
[ 24.237530][ T360] ? load_image+0x3e0/0x3e0
[ 24.242016][ T360] print_address_description+0x7f/0x2c0
[ 24.247638][ T360] ? do_split+0x132f/0x1fb0
[ 24.252134][ T360] kasan_report+0xf1/0x140
[ 24.256558][ T360] ? do_split+0x132f/0x1fb0
[ 24.261132][ T360] kasan_check_range+0x249/0x2a0
[ 24.266107][ T360] memset+0x23/0x40
[ 24.269900][ T360] do_split+0x132f/0x1fb0
[ 24.274218][ T360] ? ext4_handle_dirty_dx_node+0x560/0x560
[ 24.280010][ T360] ext4_dx_add_entry+0x54f/0x1620
[ 24.285043][ T360] ? __kasan_check_write+0x14/0x20
[ 24.290146][ T360] ? ext4_dx_csum+0x460/0x460
[ 24.294821][ T360] ? memset+0x35/0x40
[ 24.298785][ T360] ? ext4_fname_setup_ci_filename+0x70/0x470
[ 24.304748][ T360] ext4_add_entry+0xa9c/0x1030
[ 24.309496][ T360] ? __kasan_check_write+0x14/0x20
[ 24.314589][ T360] ? ext4_inc_count+0x1b0/0x1b0
[ 24.319429][ T360] ? ext4_has_group_desc_csum+0x1f0/0x1f0
[ 24.325129][ T360] ? dquot_initialize+0x20/0x20
[ 24.329969][ T360] ? selinux_determine_inode_label+0x290/0x3e0
[ 24.336299][ T360] ext4_add_nondir+0x97/0x270
[ 24.340962][ T360] ext4_create+0x2e6/0x470
[ 24.345358][ T360] ? ext4_lookup+0x960/0x960
[ 24.349929][ T360] ? selinux_inode_create+0x22/0x30
[ 24.355117][ T360] ? security_inode_create+0xbd/0x110
[ 24.360560][ T360] vfs_create+0x342/0x520
[ 24.365034][ T360] do_mknodat+0x334/0x7a0
[ 24.369375][ T360] __x64_sys_mknod+0x8e/0xa0
[ 24.373972][ T360] x64_sys_call+0x886/0x9a0
[ 24.378470][ T360] do_syscall_64+0x4c/0xa0
[ 24.382894][ T360] ? clear_bhb_loop+0x50/0xa0
[ 24.387560][ T360] ? clear_bhb_loop+0x50/0xa0
[ 24.392245][ T360] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 24.398248][ T360] RIP: 0033:0x7ff07c7f0819
[ 24.402664][ T360] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 24.422254][ T360] RSP: 002b:00007fffb8874a58 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
[ 24.430660][ T360] RAX: ffffffffffffffda RBX: 00007ff07ca69fa0 RCX: 00007ff07c7f0819
[ 24.438709][ T360] RDX: 0000000000000247 RSI: 0000000000000010 RDI: 0000200000000340
[ 24.447048][ T360] RBP: 00007ff07c886c91 R08: 0000000000000000 R09: 0000000000000000
[ 24.455021][ T360] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 24.462983][ T360] R13: 00007ff07ca69fac R14: 00007ff07ca69fa0 R15: 00007ff07ca69fa0
[ 24.471121][ T360]
[ 24.474140][ T360]
[ 24.476468][ T360] The buggy address belongs to the page:
[ 24.482096][ T360] page:ffffea0004b85580 refcount:2 mapcount:0 mapping:ffff88810930ac98 index:0x8 pfn:0x12e156
[ 24.492333][ T360] memcg:ffff888100256780
[ 24.496562][ T360] aops:def_blk_aops ino:700002
[ 24.501310][ T360] flags: 0x400000000002203e(referenced|uptodate|dirty|lru|active|private|mappedtodisk|zone=1)
[ 24.511644][ T360] raw: 400000000002203e ffffea0004b855c8 ffffea0004b85548 ffff88810930ac98
[ 24.520223][ T360] raw: 0000000000000008 ffff8881092bf348 00000002ffffffff ffff888100256780
[ 24.528892][ T360] page dumped because: kasan: bad access detected
[ 24.535307][ T360] page_owner tracks the page as allocated
[ 24.541009][ T360] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 296, ts 24120551797, free_ts 23405833838
[ 24.558273][ T360] post_alloc_hook+0x192/0x1b0
[ 24.563134][ T360] prep_new_page+0x1c/0x110
[ 24.567800][ T360] get_page_from_freelist+0x2d3a/0x2dc0
[ 24.573511][ T360] __alloc_pages+0x1a2/0x460
[ 24.578108][ T360] page_cache_ra_unbounded+0x2d5/0x9a0
[ 24.583563][ T360] force_page_cache_ra+0x3fd/0x460
[ 24.588654][ T360] page_cache_sync_ra+0x2b4/0x430
[ 24.593748][ T360] filemap_read+0x694/0x2040
[ 24.598326][ T360] generic_file_read_iter+0xac/0x400
[ 24.603593][ T360] blkdev_read_iter+0x12f/0x160
[ 24.608431][ T360] vfs_read+0x6c9/0xc40
[ 24.612569][ T360] ksys_read+0x149/0x250
[ 24.616797][ T360] __x64_sys_read+0x7b/0x90
[ 24.621370][ T360] x64_sys_call+0x96d/0x9a0
[ 24.626051][ T360] do_syscall_64+0x4c/0xa0
[ 24.630453][ T360] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 24.636334][ T360] page last free stack trace:
[ 24.640996][ T360] free_unref_page_prepare+0x542/0x550
[ 24.646451][ T360] free_unref_page+0xae/0x540
[ 24.651271][ T360] __free_pages+0x6c/0x100
[ 24.656019][ T360] __vunmap+0x86d/0xa00
[ 24.660163][ T360] vfree+0x8b/0xc0
[ 24.663870][ T360] kcov_close+0x2b/0x50
[ 24.668490][ T360] __fput+0x20b/0x8b0
[ 24.672481][ T360] ____fput+0x15/0x20
[ 24.676473][ T360] task_work_run+0x127/0x190
[ 24.681105][ T360] do_exit+0xa9e/0x27e0
[ 24.685433][ T360] do_group_exit+0x141/0x310
[ 24.690113][ T360] get_signal+0x66a/0x1480
[ 24.694526][ T360] arch_do_signal_or_restart+0xdf/0x11c0
[ 24.700166][ T360] exit_to_user_mode_loop+0xa7/0xe0
[ 24.705360][ T360] exit_to_user_mode_prepare+0x87/0xd0
[ 24.710815][ T360] syscall_exit_to_user_mode+0x1a/0x30
[ 24.716274][ T360]
[ 24.718604][ T360] Memory state around the buggy address:
[ 24.724229][ T360] ffff88812e159f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.732465][ T360] ffff88812e159f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.740607][ T360] >ffff88812e15a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.748755][ T360] ^
[ 24.752814][ T360] ffff88812e15a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.760876][ T360] ffff88812e15a100: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
[ 24.769101][ T360] ==================================================================
[ 24.777415][ T360] Disabling lock debugging due to kernel taint