Warning: Permanently added '10.128.0.99' (ED25519) to the list of known hosts. 2026/06/15 19:10:09 parsed 1 programs [ 26.002486][ T30] audit: type=1400 audit(1781550609.391:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 26.024178][ T30] audit: type=1400 audit(1781550609.391:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 27.028284][ T30] audit: type=1400 audit(1781550610.421:66): avc: denied { mounton } for pid=299 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 27.032049][ T299] cgroup: Unknown subsys name 'net' [ 27.051163][ T30] audit: type=1400 audit(1781550610.421:67): avc: denied { mount } for pid=299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 27.078597][ T30] audit: type=1400 audit(1781550610.451:68): avc: denied { unmount } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 27.079093][ T299] cgroup: Unknown subsys name 'devices' [ 27.227596][ T299] cgroup: Unknown subsys name 'hugetlb' [ 27.233248][ T299] cgroup: Unknown subsys name 'rlimit' [ 27.381302][ T30] audit: type=1400 audit(1781550610.771:69): avc: denied { setattr } for pid=299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 27.404641][ T30] audit: type=1400 audit(1781550610.771:70): avc: denied { create } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.425092][ T30] audit: type=1400 audit(1781550610.771:71): avc: denied { write } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.445477][ T30] audit: type=1400 audit(1781550610.771:72): avc: denied { read } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.460457][ T304] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 27.466474][ T30] audit: type=1400 audit(1781550610.781:73): avc: denied { mounton } for pid=299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 27.526309][ T299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 27.994498][ T307] request_module fs-gadgetfs succeeded, but still no fs? [ 28.587392][ T351] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.594489][ T351] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.602401][ T351] device bridge_slave_0 entered promiscuous mode [ 28.609696][ T351] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.616847][ T351] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.624319][ T351] device bridge_slave_1 entered promiscuous mode [ 28.667048][ T351] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.674111][ T351] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.681463][ T351] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.688553][ T351] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.708277][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.716178][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.723468][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.733178][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.741487][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.748570][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.757473][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.765805][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.772833][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.785279][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.795161][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.809946][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.821968][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.830385][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.838011][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.846701][ T351] device veth0_vlan entered promiscuous mode [ 28.857400][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.866719][ T351] device veth1_macvtap entered promiscuous mode [ 28.883412][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.893732][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.926518][ T351] syz-executor (351) used greatest stack depth: 22024 bytes left 2026/06/15 19:10:12 executed programs: 0 [ 29.239713][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.247015][ T368] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.254406][ T368] device bridge_slave_0 entered promiscuous mode [ 29.261864][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.269113][ T368] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.276839][ T368] device bridge_slave_1 entered promiscuous mode [ 29.336301][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.343486][ T368] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.350877][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.357985][ T368] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.382296][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.390025][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.397535][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.407068][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.415316][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.422396][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.437496][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.445857][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.452892][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.460489][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.469986][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.486989][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.498924][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 29.507158][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 29.514865][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 29.523758][ T368] device veth0_vlan entered promiscuous mode [ 29.535794][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 29.545027][ T368] device veth1_macvtap entered promiscuous mode [ 29.554910][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 29.565285][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 29.590338][ T373] ================================================================== [ 29.598550][ T373] BUG: KASAN: slab-out-of-bounds in tc_setup_flow_action+0x88e/0x3200 [ 29.606749][ T373] Read of size 8 at addr ffff888120de46c0 by task syz.2.17/373 [ 29.614292][ T373] [ 29.616625][ T373] CPU: 1 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0 [ 29.623730][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 29.633791][ T373] Call Trace: [ 29.637068][ T373] [ 29.640005][ T373] __dump_stack+0x21/0x30 [ 29.644340][ T373] dump_stack_lvl+0x110/0x170 [ 29.649027][ T373] ? show_regs_print_info+0x20/0x20 [ 29.654228][ T373] ? load_image+0x3f0/0x3f0 [ 29.658740][ T373] print_address_description+0x7f/0x2c0 [ 29.664325][ T373] ? tc_setup_flow_action+0x88e/0x3200 [ 29.669787][ T373] kasan_report+0x10f/0x150 [ 29.674292][ T373] ? tc_setup_flow_action+0x88e/0x3200 [ 29.679757][ T373] __asan_report_load8_noabort+0x14/0x20 [ 29.685404][ T373] tc_setup_flow_action+0x88e/0x3200 [ 29.690707][ T373] mall_replace_hw_filter+0x2db/0x8d0 [ 29.696077][ T373] ? pcpu_block_update_hint_alloc+0x8bc/0xc50 [ 29.702336][ T373] ? mall_set_parms+0x520/0x520 [ 29.707187][ T373] ? tcf_exts_destroy+0xb0/0xb0 [ 29.712057][ T373] ? pcpu_alloc+0x1118/0x16f0 [ 29.716740][ T373] ? mall_set_parms+0x1e4/0x520 [ 29.721596][ T373] mall_change+0x544/0x760 [ 29.726042][ T373] ? __kasan_check_write+0x14/0x20 [ 29.731158][ T373] ? mall_get+0xa0/0xa0 [ 29.735311][ T373] ? tcf_chain_tp_insert_unique+0x946/0xa70 [ 29.741229][ T373] ? mall_get+0xa0/0xa0 [ 29.745403][ T373] tc_new_tfilter+0x13df/0x1990 [ 29.750276][ T373] ? tcf_gate_entry_destructor+0x20/0x20 [ 29.755919][ T373] ? security_capable+0x87/0xb0 [ 29.760807][ T373] ? ns_capable+0x8c/0xf0 [ 29.765152][ T373] ? netlink_net_capable+0x125/0x160 [ 29.770452][ T373] ? tcf_gate_entry_destructor+0x20/0x20 [ 29.776107][ T373] rtnetlink_rcv_msg+0x83c/0xcb0 [ 29.781060][ T373] ? rtnetlink_bind+0x80/0x80 [ 29.785768][ T373] ? avc_has_perm_noaudit+0x390/0x490 [ 29.791158][ T373] ? memcpy+0x56/0x70 [ 29.795145][ T373] ? avc_has_perm_noaudit+0x30a/0x490 [ 29.800526][ T373] ? arch_stack_walk+0xee/0x140 [ 29.805421][ T373] ? avc_denied+0x1b0/0x1b0 [ 29.809949][ T373] ? stack_trace_save+0xa6/0xf0 [ 29.814802][ T373] ? avc_has_perm+0x163/0x250 [ 29.819481][ T373] ? avc_has_perm_noaudit+0x490/0x490 [ 29.824881][ T373] ? x64_sys_call+0x4b/0x9a0 [ 29.829475][ T373] ? selinux_nlmsg_lookup+0x39d/0x440 [ 29.834858][ T373] netlink_rcv_skb+0x1e9/0x430 [ 29.839650][ T373] ? rtnetlink_bind+0x80/0x80 [ 29.844330][ T373] ? netlink_ack+0xb10/0xb10 [ 29.848923][ T373] ? _copy_from_iter+0x4a4/0x10a0 [ 29.853952][ T373] ? __netlink_lookup+0x387/0x3b0 [ 29.858980][ T373] rtnetlink_rcv+0x1c/0x20 [ 29.863401][ T373] netlink_unicast+0x86c/0xa30 [ 29.868171][ T373] netlink_sendmsg+0x879/0xb80 [ 29.872937][ T373] ? netlink_getsockopt+0x530/0x530 [ 29.878139][ T373] ? security_socket_sendmsg+0x82/0xa0 [ 29.883604][ T373] ? netlink_getsockopt+0x530/0x530 [ 29.888808][ T373] ____sys_sendmsg+0x5be/0x8f0 [ 29.893581][ T373] ? __sys_sendmsg_sock+0x40/0x40 [ 29.898608][ T373] ? import_iovec+0x7c/0xb0 [ 29.903122][ T373] ___sys_sendmsg+0x236/0x2e0 [ 29.907805][ T373] ? __sys_sendmsg+0x280/0x280 [ 29.912840][ T373] ? do_user_addr_fault+0x9e5/0x11c0 [ 29.918146][ T373] ? __kasan_check_read+0x11/0x20 [ 29.923182][ T373] ? __fdget+0x15b/0x230 [ 29.927512][ T373] __x64_sys_sendmsg+0x201/0x2d0 [ 29.932448][ T373] ? ___sys_sendmsg+0x2e0/0x2e0 [ 29.937307][ T373] ? fpregs_assert_state_consistent+0xb1/0xe0 [ 29.943395][ T373] x64_sys_call+0x4b/0x9a0 [ 29.947810][ T373] do_syscall_64+0x4c/0xa0 [ 29.952234][ T373] ? clear_bhb_loop+0x50/0xa0 [ 29.956934][ T373] ? clear_bhb_loop+0x50/0xa0 [ 29.961613][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 29.967593][ T373] RIP: 0033:0x7fc5ce68ae59 [ 29.972012][ T373] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 29.991616][ T373] RSP: 002b:00007ffd3c922b38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 30.000052][ T373] RAX: ffffffffffffffda RBX: 00007fc5ce903fa0 RCX: 00007fc5ce68ae59 [ 30.008213][ T373] RDX: 0000000020000000 RSI: 0000200000000040 RDI: 0000000000000003 [ 30.016184][ T373] RBP: 00007fc5ce720d6f R08: 0000000000000000 R09: 0000000000000000 [ 30.024274][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 30.032252][ T373] R13: 00007fc5ce903fac R14: 00007fc5ce903fa0 R15: 00007fc5ce903fa0 [ 30.040325][ T373] [ 30.043348][ T373] [ 30.045667][ T373] Allocated by task 373: [ 30.049905][ T373] __kasan_kmalloc+0xd4/0x100 [ 30.054584][ T373] __kmalloc+0x13d/0x2c0 [ 30.058833][ T373] tcf_idr_create+0x5f/0x790 [ 30.063456][ T373] tcf_idr_create_from_flags+0x61/0x70 [ 30.069156][ T373] tcf_gact_init+0x342/0x570 [ 30.073763][ T373] tcf_action_init_1+0x3fd/0x6b0 [ 30.078708][ T373] tcf_action_init+0x233/0x7a0 [ 30.083566][ T373] tcf_exts_validate+0x24a/0x580 [ 30.088500][ T373] mall_set_parms+0x48/0x520 [ 30.093103][ T373] mall_change+0x478/0x760 [ 30.097529][ T373] tc_new_tfilter+0x13df/0x1990 [ 30.102382][ T373] rtnetlink_rcv_msg+0x83c/0xcb0 [ 30.107486][ T373] netlink_rcv_skb+0x1e9/0x430 [ 30.112263][ T373] rtnetlink_rcv+0x1c/0x20 [ 30.116702][ T373] netlink_unicast+0x86c/0xa30 [ 30.121476][ T373] netlink_sendmsg+0x879/0xb80 [ 30.126250][ T373] ____sys_sendmsg+0x5be/0x8f0 [ 30.131015][ T373] ___sys_sendmsg+0x236/0x2e0 [ 30.135693][ T373] __x64_sys_sendmsg+0x201/0x2d0 [ 30.140640][ T373] x64_sys_call+0x4b/0x9a0 [ 30.145054][ T373] do_syscall_64+0x4c/0xa0 [ 30.149480][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 30.155414][ T373] [ 30.157752][ T373] The buggy address belongs to the object at ffff888120de4600 [ 30.157752][ T373] which belongs to the cache kmalloc-192 of size 192 [ 30.171802][ T373] The buggy address is located 0 bytes to the right of [ 30.171802][ T373] 192-byte region [ffff888120de4600, ffff888120de46c0) [ 30.185435][ T373] The buggy address belongs to the page: [ 30.191163][ T373] page:ffffea0004837900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x120de4 [ 30.201524][ T373] flags: 0x4000000000000200(slab|zone=1) [ 30.207168][ T373] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042c00 [ 30.215755][ T373] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.224349][ T373] page dumped because: kasan: bad access detected [ 30.230756][ T373] page_owner tracks the page as allocated [ 30.236481][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 368, ts 29577257350, free_ts 28457570908 [ 30.252453][ T373] post_alloc_hook+0x192/0x1b0 [ 30.257247][ T373] prep_new_page+0x1c/0x110 [ 30.261754][ T373] get_page_from_freelist+0x2c3a/0x2cd0 [ 30.267470][ T373] __alloc_pages+0x1a2/0x460 [ 30.272072][ T373] new_slab+0xa0/0x4d0 [ 30.276164][ T373] ___slab_alloc+0x3ac/0x840 [ 30.280754][ T373] __slab_alloc+0x49/0x90 [ 30.285081][ T373] kmem_cache_alloc_trace+0x146/0x270 [ 30.290450][ T373] ____ip_mc_inc_group+0x1a5/0x7f0 [ 30.295562][ T373] ip_mc_up+0x112/0x1f0 [ 30.299737][ T373] inetdev_event+0xc39/0x1060 [ 30.304421][ T373] raw_notifier_call_chain+0x90/0x100 [ 30.309937][ T373] __dev_notify_flags+0x2f4/0x5b0 [ 30.315097][ T373] dev_change_flags+0xe3/0x1a0 [ 30.319889][ T373] do_setlink+0xc95/0x2970 [ 30.324322][ T373] rtnl_newlink+0x1598/0x1900 [ 30.329016][ T373] page last free stack trace: [ 30.333691][ T373] free_unref_page_prepare+0x542/0x550 [ 30.339150][ T373] free_unref_page+0xae/0x540 [ 30.343828][ T373] __free_pages+0x6c/0x100 [ 30.348247][ T373] __vunmap+0x801/0x980 [ 30.352399][ T373] vfree+0x8b/0xc0 [ 30.356138][ T373] kcov_close+0x2b/0x50 [ 30.360293][ T373] __fput+0x22b/0x900 [ 30.364279][ T373] ____fput+0x15/0x20 [ 30.368258][ T373] task_work_run+0x127/0x190 [ 30.372968][ T373] do_exit+0xb70/0x29a0 [ 30.377207][ T373] do_group_exit+0x149/0x310 [ 30.381805][ T373] get_signal+0x64f/0x1430 [ 30.386221][ T373] arch_do_signal_or_restart+0xe2/0x1100 [ 30.391848][ T373] exit_to_user_mode_loop+0xa7/0xe0 [ 30.397041][ T373] exit_to_user_mode_prepare+0x87/0xd0 [ 30.402497][ T373] syscall_exit_to_user_mode+0x1a/0x30 [ 30.407961][ T373] [ 30.410278][ T373] Memory state around the buggy address: [ 30.415902][ T373] ffff888120de4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.423958][ T373] ffff888120de4600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.432018][ T373] >ffff888120de4680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 30.440073][ T373] ^ [ 30.446230][ T373] ffff888120de4700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.454287][ T373] ffff888120de4780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 30.462361][ T373] ================================================================== [ 30.470427][ T373] Disabling lock debugging due to kernel taint