cess permissive=1 [ 15.372274][ T28] audit: type=1400 audit(1774234110.046:63): avc: denied { siginh } for pid=225 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.983090][ T228] sshd-session (228) used greatest stack depth: 21344 bytes left Warning: Permanently added '10.128.0.199' (ED25519) to the list of known hosts. 2026/03/23 02:48:39 parsed 1 programs [ 24.782737][ T28] audit: type=1400 audit(1774234119.466:64): avc: denied { node_bind } for pid=283 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 24.803676][ T28] audit: type=1400 audit(1774234119.466:65): avc: denied { module_request } for pid=283 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 25.916009][ T28] audit: type=1400 audit(1774234120.596:66): avc: denied { mounton } for pid=290 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.919244][ T290] cgroup: Unknown subsys name 'net' [ 25.938875][ T28] audit: type=1400 audit(1774234120.606:67): avc: denied { mount } for pid=290 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.966127][ T28] audit: type=1400 audit(1774234120.626:68): avc: denied { unmount } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.986208][ T290] cgroup: Unknown subsys name 'devices' [ 26.078957][ T290] cgroup: Unknown subsys name 'hugetlb' [ 26.084578][ T290] cgroup: Unknown subsys name 'rlimit' [ 26.196959][ T28] audit: type=1400 audit(1774234120.886:69): avc: denied { setattr } for pid=290 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.220455][ T28] audit: type=1400 audit(1774234120.886:70): avc: denied { create } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.240919][ T28] audit: type=1400 audit(1774234120.886:71): avc: denied { write } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.261242][ T28] audit: type=1400 audit(1774234120.886:72): avc: denied { read } for pid=290 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.274613][ T293] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 26.282174][ T28] audit: type=1400 audit(1774234120.886:73): avc: denied { mounton } for pid=290 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.329248][ T290] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 27.038821][ T295] request_module fs-gadgetfs succeeded, but still no fs? [ 27.201340][ T308] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.208436][ T308] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.215885][ T308] device bridge_slave_0 entered promiscuous mode [ 27.223043][ T308] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.230117][ T308] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.237580][ T308] device bridge_slave_1 entered promiscuous mode [ 27.284696][ T308] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.291795][ T308] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.299145][ T308] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.306219][ T308] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.327902][ T309] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.335193][ T309] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.342651][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 27.350206][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.360153][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.368451][ T309] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.375492][ T309] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.384482][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.392764][ T309] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.400281][ T309] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.412815][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.423045][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.437264][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 27.449488][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 27.457842][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 27.465430][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 27.474580][ T308] device veth0_vlan entered promiscuous mode [ 27.484709][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 27.493803][ T308] device veth1_macvtap entered promiscuous mode [ 27.503182][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 27.513677][ T309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.317187][ T8] device bridge_slave_1 left promiscuous mode [ 28.323433][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.331280][ T8] device bridge_slave_0 left promiscuous mode [ 28.338100][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.347126][ T8] device veth1_macvtap left promiscuous mode [ 28.353230][ T8] device veth0_vlan left promiscuous mode 2026/03/23 02:48:43 executed programs: 0 [ 28.501097][ T357] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.508172][ T357] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.515546][ T357] device bridge_slave_0 entered promiscuous mode [ 28.522502][ T357] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.529576][ T357] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.537165][ T357] device bridge_slave_1 entered promiscuous mode [ 28.581771][ T357] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.588829][ T357] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.596140][ T357] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.603188][ T357] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.623988][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.631625][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.638933][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.649191][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.657633][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.664816][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.673633][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.681988][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.689055][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.701549][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.711024][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.725106][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.740836][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.748996][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.757060][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.765584][ T357] device veth0_vlan entered promiscuous mode [ 28.776244][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.785351][ T357] device veth1_macvtap entered promiscuous mode [ 28.794958][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.807580][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 28.835121][ T362] loop2: detected capacity change from 0 to 512 [ 28.845321][ T362] EXT4-fs (loop2): mounting ext3 file system using the ext4 subsystem [ 28.854980][ T362] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=a003c11c, mo2=0002] [ 28.863188][ T362] System zones: 1-12 [ 28.868596][ T362] EXT4-fs error (device loop2): ext4_iget_extra_inode:4758: inode #15: comm syz.2.17: corrupted in-inode xattr [ 28.880954][ T362] EXT4-fs error (device loop2): ext4_orphan_get:1404: comm syz.2.17: couldn't read orphan inode 15 (err -117) [ 28.892930][ T362] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none. [ 28.903654][ T362] EXT4-fs warning (device loop2): dx_probe:833: inode #2: comm syz.2.17: Unrecognised inode hash code 4 [ 28.915073][ T362] EXT4-fs warning (device loop2): dx_probe:966: inode #2: comm syz.2.17: Corrupt directory, running e2fsck is recommended [ 28.927951][ T362] ================================================================== [ 28.936032][ T362] BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x7c2/0x970 [ 28.944004][ T362] Read of size 2 at addr ffff888130200003 by task syz.2.17/362 [ 28.951545][ T362] [ 28.954054][ T362] CPU: 1 PID: 362 Comm: syz.2.17 Not tainted syzkaller #0 [ 28.961163][ T362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 28.971217][ T362] Call Trace: [ 28.974501][ T362] [ 28.977433][ T362] __dump_stack+0x21/0x24 [ 28.981807][ T362] dump_stack_lvl+0x110/0x170 [ 28.986489][ T362] ? __cfi_dump_stack_lvl+0x8/0x8 [ 28.991518][ T362] ? __cfi__printk+0x8/0x8 [ 28.995934][ T362] ? __getblk_gfp+0x3b/0x7d0 [ 29.000519][ T362] ? __ext4_check_dir_entry+0x7c2/0x970 [ 29.006061][ T362] print_address_description+0x71/0x200 [ 29.011623][ T362] print_report+0x4a/0x60 [ 29.015947][ T362] kasan_report+0x122/0x150 [ 29.020469][ T362] ? __ext4_check_dir_entry+0x7c2/0x970 [ 29.026012][ T362] __asan_report_load2_noabort+0x14/0x20 [ 29.031641][ T362] __ext4_check_dir_entry+0x7c2/0x970 [ 29.037017][ T362] ext4_readdir+0x1315/0x3e10 [ 29.041693][ T362] ? __cfi_ext4_readdir+0x10/0x10 [ 29.046714][ T362] ? downgrade_write+0x370/0x370 [ 29.051674][ T362] ? __kasan_slab_free+0x11/0x20 [ 29.056700][ T362] ? avc_policy_seqno+0x1b/0x70 [ 29.061561][ T362] ? down_read_killable+0xbc/0x110 [ 29.066677][ T362] ? __cfi_down_read_killable+0x10/0x10 [ 29.072228][ T362] ? fsnotify_perm+0x269/0x5b0 [ 29.077037][ T362] ? security_file_permission+0x94/0xb0 [ 29.082618][ T362] iterate_dir+0x271/0x610 [ 29.087033][ T362] ? __cfi_ext4_readdir+0x10/0x10 [ 29.092054][ T362] __se_sys_getdents64+0xf2/0x250 [ 29.097081][ T362] ? __x64_sys_getdents64+0x90/0x90 [ 29.102306][ T362] ? mutex_unlock+0x8f/0x230 [ 29.106911][ T362] ? __cfi_filldir64+0x10/0x10 [ 29.111684][ T362] ? debug_smp_processor_id+0x17/0x20 [ 29.117058][ T362] __x64_sys_getdents64+0x7b/0x90 [ 29.122079][ T362] x64_sys_call+0x15c/0x9a0 [ 29.126590][ T362] do_syscall_64+0x4c/0xa0 [ 29.131150][ T362] ? clear_bhb_loop+0x30/0x80 [ 29.135827][ T362] ? clear_bhb_loop+0x30/0x80 [ 29.140509][ T362] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 29.146405][ T362] RIP: 0033:0x7fa88359c799 [ 29.150831][ T362] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 29.170540][ T362] RSP: 002b:00007fff7d686be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 29.179045][ T362] RAX: ffffffffffffffda RBX: 00007fa883815fa0 RCX: 00007fa88359c799 [ 29.187053][ T362] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 [ 29.195029][ T362] RBP: 00007fa883632c99 R08: 0000000000000000 R09: 0000000000000000 [ 29.203092][ T362] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 29.211066][ T362] R13: 00007fa883815fac R14: 00007fa883815fa0 R15: 00007fa883815fa0 [ 29.219053][ T362] [ 29.222073][ T362] [ 29.224400][ T362] The buggy address belongs to the physical page: [ 29.230809][ T362] page:ffffea0004c08000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x130200 [ 29.241404][ T362] flags: 0x4000000000000000(zone=1) [ 29.246639][ T362] raw: 4000000000000000 ffffffff878e7438 ffffffff878e7438 0000000000000000 [ 29.255219][ T362] raw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000 [ 29.263792][ T362] page dumped because: kasan: bad access detected [ 29.270484][ T362] page_owner info is not present (never set?) [ 29.276541][ T362] [ 29.278884][ T362] Memory state around the buggy address: [ 29.284511][ T362] ffff8881301fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.292573][ T362] ffff8881301fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.300656][ T362] >ffff888130200000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.308734][ T362] ^ [ 29.312801][ T362] ffff888130200080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.320857][ T362] ffff888130200100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.328943][ T362] ================================================================== [ 29.339622][ T362] Disabling lock debugging due to kernel taint [ 29.346325][ T362] EXT4-fs error (device loop2): ext4_readdir:263: inode #2: block 255: comm syz.2.17: path /0/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0 [ 29.369633][ T357] EXT4-fs (loop2): unmounting filesystem.