Warning: Permanently added '10.128.0.134' (ED25519) to the list of known hosts. 2026/02/03 03:10:56 parsed 1 programs [ 26.182104][ T30] audit: type=1400 audit(1770088256.466:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 26.203709][ T30] audit: type=1400 audit(1770088256.466:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 27.147294][ T30] audit: type=1400 audit(1770088257.436:66): avc: denied { mounton } for pid=288 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 27.150488][ T288] cgroup: Unknown subsys name 'net' [ 27.169970][ T30] audit: type=1400 audit(1770088257.436:67): avc: denied { mount } for pid=288 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 27.197334][ T30] audit: type=1400 audit(1770088257.466:68): avc: denied { unmount } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 27.197824][ T288] cgroup: Unknown subsys name 'devices' [ 27.368212][ T288] cgroup: Unknown subsys name 'hugetlb' [ 27.373855][ T288] cgroup: Unknown subsys name 'rlimit' [ 27.550300][ T30] audit: type=1400 audit(1770088257.836:69): avc: denied { setattr } for pid=288 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 27.573513][ T30] audit: type=1400 audit(1770088257.836:70): avc: denied { create } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.593974][ T30] audit: type=1400 audit(1770088257.836:71): avc: denied { write } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.614356][ T30] audit: type=1400 audit(1770088257.836:72): avc: denied { read } for pid=288 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 27.632882][ T291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 27.635080][ T30] audit: type=1400 audit(1770088257.836:73): avc: denied { mounton } for pid=288 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 27.731118][ T288] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 28.145773][ T294] request_module fs-gadgetfs succeeded, but still no fs? [ 28.617432][ T327] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.624502][ T327] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.632089][ T327] device bridge_slave_0 entered promiscuous mode [ 28.639455][ T327] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.646622][ T327] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.654007][ T327] device bridge_slave_1 entered promiscuous mode [ 28.699294][ T327] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.706371][ T327] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.713652][ T327] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.720717][ T327] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.743799][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.752511][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.760147][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.769116][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.777349][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.784387][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.793716][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.802251][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.809311][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.821217][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.830407][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.844893][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.856729][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.864798][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.872572][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.886496][ T327] device veth0_vlan entered promiscuous mode [ 28.896314][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.910194][ T327] device veth1_macvtap entered promiscuous mode [ 28.919464][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.934493][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.971012][ T327] syz-executor (327) used greatest stack depth: 20352 bytes left 2026/02/03 03:10:59 executed programs: 0 [ 29.515821][ T363] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.523317][ T363] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.531224][ T363] device bridge_slave_0 entered promiscuous mode [ 29.538269][ T363] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.545413][ T363] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.552939][ T363] device bridge_slave_1 entered promiscuous mode [ 29.604384][ T363] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.611464][ T363] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.618785][ T363] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.625831][ T363] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.644690][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.652485][ T45] bridge0: port 1(bridge_slave_0) entered disabled state [ 29.659837][ T45] bridge0: port 2(bridge_slave_1) entered disabled state [ 29.673003][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 29.681441][ T45] bridge0: port 1(bridge_slave_0) entered blocking state [ 29.688544][ T45] bridge0: port 1(bridge_slave_0) entered forwarding state [ 29.697704][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 29.706288][ T45] bridge0: port 2(bridge_slave_1) entered blocking state [ 29.713350][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state [ 29.724888][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 29.735751][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 29.753236][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 29.764560][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 29.772816][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 29.780347][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 29.792359][ T363] device veth0_vlan entered promiscuous mode [ 29.802407][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 29.811487][ T363] device veth1_macvtap entered promiscuous mode [ 29.820925][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 29.834744][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 29.863247][ T373] netlink: 12 bytes leftover after parsing attributes in process `syz.2.17'. [ 29.873040][ T373] netlink: 12 bytes leftover after parsing attributes in process `syz.2.17'. [ 29.882179][ T373] ================================================================== [ 29.890342][ T373] BUG: KASAN: slab-out-of-bounds in tc_setup_flow_action+0x870/0x3240 [ 29.898504][ T373] Read of size 8 at addr ffff8881252142c0 by task syz.2.17/373 [ 29.906049][ T373] [ 29.908416][ T373] CPU: 0 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0 [ 29.915542][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 29.925617][ T373] Call Trace: [ 29.928894][ T373] [ 29.931825][ T373] __dump_stack+0x21/0x30 [ 29.936174][ T373] dump_stack_lvl+0x110/0x170 [ 29.940893][ T373] ? show_regs_print_info+0x20/0x20 [ 29.946092][ T373] ? load_image+0x3e0/0x3e0 [ 29.950614][ T373] print_address_description+0x7f/0x2c0 [ 29.956245][ T373] ? tc_setup_flow_action+0x870/0x3240 [ 29.961798][ T373] kasan_report+0xf1/0x140 [ 29.966213][ T373] ? tc_setup_flow_action+0x870/0x3240 [ 29.971666][ T373] __asan_report_load8_noabort+0x14/0x20 [ 29.977297][ T373] tc_setup_flow_action+0x870/0x3240 [ 29.982585][ T373] mall_replace_hw_filter+0x2cc/0x8b0 [ 29.987971][ T373] ? pcpu_block_update_hint_alloc+0x8c4/0xc50 [ 29.994065][ T373] ? mall_set_parms+0x520/0x520 [ 29.998932][ T373] ? tcf_exts_destroy+0xb0/0xb0 [ 30.003792][ T373] ? pcpu_alloc+0x1170/0x16e0 [ 30.008477][ T373] ? mall_set_parms+0x1e8/0x520 [ 30.013335][ T373] mall_change+0x544/0x760 [ 30.017751][ T373] ? __kasan_check_write+0x14/0x20 [ 30.022869][ T373] ? mall_get+0xa0/0xa0 [ 30.027028][ T373] ? tcf_chain_tp_insert_unique+0xac1/0xc10 [ 30.032928][ T373] tc_new_tfilter+0x12e5/0x18e0 [ 30.037787][ T373] ? tcf_gate_entry_destructor+0x20/0x20 [ 30.043451][ T373] ? security_capable+0x87/0xb0 [ 30.048308][ T373] ? ns_capable+0x8c/0xf0 [ 30.052639][ T373] ? netlink_net_capable+0x125/0x160 [ 30.057920][ T373] ? tcf_gate_entry_destructor+0x20/0x20 [ 30.063552][ T373] rtnetlink_rcv_msg+0x871/0xce0 [ 30.068489][ T373] ? rtnetlink_bind+0x80/0x80 [ 30.073252][ T373] ? avc_has_perm_noaudit+0x391/0x490 [ 30.078624][ T373] ? memcpy+0x56/0x70 [ 30.082604][ T373] ? avc_has_perm_noaudit+0x30b/0x490 [ 30.087972][ T373] ? arch_stack_walk+0xee/0x140 [ 30.092845][ T373] ? avc_denied+0x1b0/0x1b0 [ 30.097349][ T373] ? stack_trace_save+0xa6/0xf0 [ 30.102199][ T373] ? avc_has_perm+0x163/0x250 [ 30.106875][ T373] ? avc_has_perm_noaudit+0x490/0x490 [ 30.112259][ T373] ? x64_sys_call+0x4b/0x9a0 [ 30.116857][ T373] ? selinux_nlmsg_lookup+0x416/0x4c0 [ 30.122225][ T373] netlink_rcv_skb+0x1f5/0x440 [ 30.126983][ T373] ? rtnetlink_bind+0x80/0x80 [ 30.131680][ T373] ? netlink_ack+0xb50/0xb50 [ 30.136268][ T373] ? __netlink_lookup+0x387/0x3b0 [ 30.141289][ T373] rtnetlink_rcv+0x1c/0x20 [ 30.145701][ T373] netlink_unicast+0x876/0xa40 [ 30.150460][ T373] netlink_sendmsg+0x879/0xb80 [ 30.155231][ T373] ? netlink_getsockopt+0x530/0x530 [ 30.160423][ T373] ? do_futex+0xde8/0x2800 [ 30.164838][ T373] ? security_socket_sendmsg+0x82/0xa0 [ 30.170291][ T373] ? netlink_getsockopt+0x530/0x530 [ 30.175484][ T373] ____sys_sendmsg+0x5b7/0x8f0 [ 30.180245][ T373] ? __sys_sendmsg_sock+0x40/0x40 [ 30.185283][ T373] ? import_iovec+0x7c/0xb0 [ 30.189790][ T373] ___sys_sendmsg+0x236/0x2e0 [ 30.194469][ T373] ? __sys_sendmsg+0x280/0x280 [ 30.199240][ T373] ? sock_show_fdinfo+0xa0/0xa0 [ 30.204115][ T373] ? __kasan_check_read+0x11/0x20 [ 30.209141][ T373] ? __fdget+0x15b/0x230 [ 30.213384][ T373] __x64_sys_sendmsg+0x206/0x2f0 [ 30.218320][ T373] ? ___sys_sendmsg+0x2e0/0x2e0 [ 30.223173][ T373] ? fpregs_assert_state_consistent+0xb1/0xe0 [ 30.229239][ T373] x64_sys_call+0x4b/0x9a0 [ 30.233651][ T373] do_syscall_64+0x4c/0xa0 [ 30.238062][ T373] ? clear_bhb_loop+0x50/0xa0 [ 30.242745][ T373] ? clear_bhb_loop+0x50/0xa0 [ 30.247417][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 30.253309][ T373] RIP: 0033:0x7f47ac5d0eb9 [ 30.257827][ T373] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 30.277515][ T373] RSP: 002b:00007ffee0d5a278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 30.286142][ T373] RAX: ffffffffffffffda RBX: 00007f47ac84bfa0 RCX: 00007f47ac5d0eb9 [ 30.294122][ T373] RDX: 0000000000000000 RSI: 0000200000000580 RDI: 0000000000000004 [ 30.302110][ T373] RBP: 00007f47ac63ec1f R08: 0000000000000000 R09: 0000000000000000 [ 30.310082][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 30.318049][ T373] R13: 00007f47ac84bfac R14: 00007f47ac84bfa0 R15: 00007f47ac84bfa0 [ 30.326021][ T373] [ 30.329034][ T373] [ 30.331349][ T373] Allocated by task 373: [ 30.335577][ T373] __kasan_kmalloc+0xda/0x110 [ 30.340253][ T373] __kmalloc+0x13d/0x2c0 [ 30.344495][ T373] tcf_idr_create+0x5f/0x790 [ 30.349079][ T373] tcf_idr_create_from_flags+0x61/0x70 [ 30.354532][ T373] tcf_gact_init+0x342/0x570 [ 30.359113][ T373] tcf_action_init_1+0x3ff/0x6b0 [ 30.364044][ T373] tcf_action_init+0x233/0x7a0 [ 30.368807][ T373] tcf_exts_validate+0x24a/0x580 [ 30.373760][ T373] mall_set_parms+0x48/0x520 [ 30.378383][ T373] mall_change+0x478/0x760 [ 30.382796][ T373] tc_new_tfilter+0x12e5/0x18e0 [ 30.387657][ T373] rtnetlink_rcv_msg+0x871/0xce0 [ 30.392588][ T373] netlink_rcv_skb+0x1f5/0x440 [ 30.397341][ T373] rtnetlink_rcv+0x1c/0x20 [ 30.401754][ T373] netlink_unicast+0x876/0xa40 [ 30.406513][ T373] netlink_sendmsg+0x879/0xb80 [ 30.411274][ T373] ____sys_sendmsg+0x5b7/0x8f0 [ 30.416038][ T373] ___sys_sendmsg+0x236/0x2e0 [ 30.420737][ T373] __x64_sys_sendmsg+0x206/0x2f0 [ 30.425759][ T373] x64_sys_call+0x4b/0x9a0 [ 30.430165][ T373] do_syscall_64+0x4c/0xa0 [ 30.434585][ T373] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 30.440475][ T373] [ 30.442794][ T373] The buggy address belongs to the object at ffff888125214200 [ 30.442794][ T373] which belongs to the cache kmalloc-192 of size 192 [ 30.456835][ T373] The buggy address is located 0 bytes to the right of [ 30.456835][ T373] 192-byte region [ffff888125214200, ffff8881252142c0) [ 30.470449][ T373] The buggy address belongs to the page: [ 30.476080][ T373] page:ffffea0004948500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x125214 [ 30.486361][ T373] flags: 0x4000000000000200(slab|zone=1) [ 30.492009][ T373] raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042c00 [ 30.500583][ T373] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 30.509152][ T373] page dumped because: kasan: bad access detected [ 30.515549][ T373] page_owner tracks the page as allocated [ 30.521257][ T373] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 101, ts 29857952439, free_ts 29273067170 [ 30.537137][ T373] post_alloc_hook+0x192/0x1b0 [ 30.541899][ T373] prep_new_page+0x1c/0x110 [ 30.546416][ T373] get_page_from_freelist+0x2d3a/0x2dc0 [ 30.551954][ T373] __alloc_pages+0x1a2/0x460 [ 30.556540][ T373] new_slab+0xa1/0x4d0 [ 30.560692][ T373] ___slab_alloc+0x381/0x810 [ 30.565274][ T373] __slab_alloc+0x49/0x90 [ 30.569714][ T373] kmem_cache_alloc_trace+0x146/0x270 [ 30.575106][ T373] kernfs_fop_open+0x343/0xb30 [ 30.579871][ T373] do_dentry_open+0x834/0x1010 [ 30.584647][ T373] vfs_open+0x73/0x80 [ 30.588623][ T373] path_openat+0x26a6/0x2f20 [ 30.593201][ T373] do_filp_open+0x1e2/0x410 [ 30.597692][ T373] do_sys_openat2+0x15e/0x7f0 [ 30.602362][ T373] __x64_sys_openat+0x136/0x160 [ 30.607208][ T373] x64_sys_call+0x219/0x9a0 [ 30.611704][ T373] page last free stack trace: [ 30.616365][ T373] free_unref_page_prepare+0x542/0x550 [ 30.621820][ T373] free_unref_page+0xae/0x540 [ 30.626485][ T373] __free_pages+0x6c/0x100 [ 30.630896][ T373] __vunmap+0x86d/0xa00 [ 30.635043][ T373] vfree+0x8b/0xc0 [ 30.638763][ T373] kcov_close+0x2b/0x50 [ 30.642926][ T373] __fput+0x20b/0x8b0 [ 30.646911][ T373] ____fput+0x15/0x20 [ 30.650888][ T373] task_work_run+0x127/0x190 [ 30.655467][ T373] do_exit+0xa9e/0x27e0 [ 30.659615][ T373] do_group_exit+0x141/0x310 [ 30.664222][ T373] get_signal+0x66a/0x1480 [ 30.668639][ T373] arch_do_signal_or_restart+0xdf/0x11c0 [ 30.674266][ T373] exit_to_user_mode_loop+0xa7/0xe0 [ 30.679461][ T373] exit_to_user_mode_prepare+0x87/0xd0 [ 30.684912][ T373] syscall_exit_to_user_mode+0x1a/0x30 [ 30.690361][ T373] [ 30.692673][ T373] Memory state around the buggy address: [ 30.698291][ T373] ffff888125214180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.706341][ T373] ffff888125214200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 30.714412][ T373] >ffff888125214280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 30.722462][ T373] ^ [ 30.728610][ T373] ffff888125214300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.736847][ T373] ffff888125214380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.744907][ T373] ================================================================== [ 30.752962][ T373] Disabling lock debugging due to kernel taint [ 30.936945][ T8] device bridge_slave_1 left promiscuous mode [ 30.943082][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 30.950704][ T8] device bridge_slave_0 left promiscuous mode [ 30.956928][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 30.964735][ T8] device veth1_macvtap left promiscuous mode [ 30.971050][ T8] device veth0_vlan left promiscuous mode [ 32.716681][ T8] device bridge_slave_1 left promiscuous mode [ 32.723028][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 32.730749][ T8] device bridge_slave_0 left promiscuous mode [ 32.736956][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 32.745130][ T8] device veth1_macvtap left promiscuous mode [ 32.751266][ T8] device veth0_vlan left promiscuous mode