syzkaller syzkaller login: [ 14.832422][ T28] kauditd_printk_skb: 31 callbacks suppressed [ 14.832437][ T28] audit: type=1400 audit(1779645261.241:59): avc: denied { transition } for pid=226 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.837018][ T28] audit: type=1400 audit(1779645261.241:60): avc: denied { noatsecure } for pid=226 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.841025][ T28] audit: type=1400 audit(1779645261.241:61): avc: denied { write } for pid=226 comm="sh" path="pipe:[14810]" dev="pipefs" ino=14810 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 14.844534][ T28] audit: type=1400 audit(1779645261.251:62): avc: denied { rlimitinh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 14.847564][ T28] audit: type=1400 audit(1779645261.251:63): avc: denied { siginh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.10.15' (ED25519) to the list of known hosts. 2026/05/24 17:54:31 parsed 1 programs [ 25.028157][ T28] audit: type=1400 audit(1779645271.431:64): avc: denied { node_bind } for pid=296 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 25.048901][ T28] audit: type=1400 audit(1779645271.431:65): avc: denied { module_request } for pid=296 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 26.167127][ T28] audit: type=1400 audit(1779645272.571:66): avc: denied { mounton } for pid=304 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 26.171075][ T304] cgroup: Unknown subsys name 'net' [ 26.189996][ T28] audit: type=1400 audit(1779645272.571:67): avc: denied { mount } for pid=304 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.217220][ T28] audit: type=1400 audit(1779645272.611:68): avc: denied { unmount } for pid=304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 26.217797][ T304] cgroup: Unknown subsys name 'devices' [ 26.363072][ T304] cgroup: Unknown subsys name 'hugetlb' [ 26.368809][ T304] cgroup: Unknown subsys name 'rlimit' [ 26.483237][ T28] audit: type=1400 audit(1779645272.891:69): avc: denied { setattr } for pid=304 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=258 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.506701][ T28] audit: type=1400 audit(1779645272.891:70): avc: denied { create } for pid=304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.527216][ T28] audit: type=1400 audit(1779645272.891:71): avc: denied { write } for pid=304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 26.547539][ T28] audit: type=1400 audit(1779645272.891:72): avc: denied { read } for pid=304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 26.567942][ T28] audit: type=1400 audit(1779645272.891:73): avc: denied { mounton } for pid=304 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.571038][ T307] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 26.619868][ T304] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 27.348192][ T312] request_module fs-gadgetfs succeeded, but still no fs? [ 27.750093][ T346] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.757432][ T346] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.757936][ T335] syz-executor (335) used greatest stack depth: 21120 bytes left [ 27.766321][ T346] device bridge_slave_0 entered promiscuous mode [ 27.779289][ T346] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.786373][ T346] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.793871][ T346] device bridge_slave_1 entered promiscuous mode [ 27.842710][ T346] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.849780][ T346] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.857116][ T346] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.864189][ T346] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.889007][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 27.896668][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.904399][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.913571][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 27.922027][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.929079][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.937841][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 27.946360][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.953437][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.967418][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 27.976982][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 27.991786][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.004199][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.012409][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.019936][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.028388][ T346] device veth0_vlan entered promiscuous mode [ 28.039121][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.048327][ T346] device veth1_macvtap entered promiscuous mode [ 28.058541][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 28.069038][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready 2026/05/24 17:54:34 executed programs: 0 [ 28.596352][ T371] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.604200][ T371] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.611799][ T371] device bridge_slave_0 entered promiscuous mode [ 28.624758][ T371] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.631998][ T371] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.639393][ T371] device bridge_slave_1 entered promiscuous mode [ 28.689206][ T371] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.696363][ T371] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.703740][ T371] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.710853][ T371] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.719663][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.727129][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.749970][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 28.757581][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.767289][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 28.775847][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.784228][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.791305][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.800661][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 28.809448][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.817902][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.825032][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.836724][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 28.844966][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.857113][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 28.865269][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.879459][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 28.888962][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.900443][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 28.908604][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.917362][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.925097][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.933343][ T371] device veth0_vlan entered promiscuous mode [ 28.944066][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 28.952386][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.962357][ T371] device veth1_macvtap entered promiscuous mode [ 28.971769][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 28.979542][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 28.987860][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 29.003156][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 29.011524][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 29.160657][ C0] ================================================================== [ 29.168793][ C0] BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x6fa/0x960 [ 29.176647][ C0] Write of size 48 at addr ffff88810e07e760 by task syz.2.25/383 [ 29.184411][ C0] [ 29.186762][ C0] CPU: 0 PID: 383 Comm: syz.2.25 Not tainted syzkaller #0 [ 29.193882][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 [ 29.204123][ C0] Call Trace: [ 29.207413][ C0] [ 29.210350][ C0] __dump_stack+0x21/0x24 [ 29.214710][ C0] dump_stack_lvl+0x110/0x170 [ 29.219412][ C0] ? __cfi_dump_stack_lvl+0x8/0x8 [ 29.224441][ C0] ? __bpf_get_stackid+0x6fa/0x960 [ 29.229561][ C0] print_address_description+0x71/0x200 [ 29.235114][ C0] print_report+0x4a/0x60 [ 29.239453][ C0] kasan_report+0x122/0x150 [ 29.243995][ C0] ? __bpf_get_stackid+0x6fa/0x960 [ 29.249135][ C0] kasan_check_range+0x249/0x2a0 [ 29.254081][ C0] ? __bpf_get_stackid+0x6fa/0x960 [ 29.259195][ C0] memcpy+0x44/0x70 [ 29.263024][ C0] __bpf_get_stackid+0x6fa/0x960 [ 29.267967][ C0] bpf_get_stackid_pe+0x350/0x400 [ 29.272998][ C0] bpf_prog_644fb7c94e15512a+0x2b/0x40 [ 29.278481][ C0] bpf_overflow_handler+0x3d0/0x5e0 [ 29.283689][ C0] ? __cfi_bpf_overflow_handler+0x10/0x10 [ 29.289426][ C0] ? kvm_sched_clock_read+0x18/0x40 [ 29.294635][ C0] ? __this_cpu_preempt_check+0x13/0x20 [ 29.300184][ C0] ? __perf_event_account_interrupt+0x1a4/0x2c0 [ 29.306439][ C0] __perf_event_overflow+0x437/0x620 [ 29.311741][ C0] perf_swevent_hrtimer+0x400/0x5b0 [ 29.316954][ C0] ? irqentry_exit+0x37/0x40 [ 29.321551][ C0] ? __cfi_perf_swevent_hrtimer+0x10/0x10 [ 29.327299][ C0] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 29.333500][ C0] ? timerqueue_add+0x20e/0x230 [ 29.338382][ C0] ? timerqueue_del+0xd3/0x120 [ 29.343148][ C0] ? __cfi_perf_swevent_hrtimer+0x10/0x10 [ 29.348900][ C0] __hrtimer_run_queues+0x3bb/0x8e0 [ 29.354112][ C0] ? hrtimer_interrupt+0x8c0/0x8c0 [ 29.359232][ C0] ? ktime_get_update_offsets_now+0x30c/0x320 [ 29.365308][ C0] hrtimer_interrupt+0x3c7/0x8c0 [ 29.370263][ C0] __sysvec_apic_timer_interrupt+0x11e/0x440 [ 29.376252][ C0] sysvec_apic_timer_interrupt+0x53/0xc0 [ 29.381898][ C0] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 29.387890][ C0] RIP: 0033:0x7faa88065715 [ 29.392311][ C0] Code: e8 60 52 ff ff 48 8b 05 69 00 ee 00 83 05 52 00 ee 00 01 be 08 00 00 00 48 89 ef 48 8d 50 ff 48 89 15 4f 00 ee 00 44 88 78 ff <44> 8b 3d 34 00 ee 00 e8 2f 52 ff ff 48 8b 05 40 00 ee 00 44 89 38 [ 29.411925][ C0] RSP: 002b:00007ffe035190a0 EFLAGS: 00000202 [ 29.418013][ C0] RAX: 0000001b33e63fbc RBX: 0000000000000000 RCX: 0000000000000000 [ 29.425995][ C0] RDX: 0000001b33e63fbb RSI: 0000000000000008 RDI: 00007faa88f45720 [ 29.433978][ C0] RBP: 00007faa88f45720 R08: 0000000000000000 R09: 00007faa88416038 [ 29.441961][ C0] R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 [ 29.449981][ C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000003 [ 29.457960][ C0] [ 29.460986][ C0] [ 29.463317][ C0] Allocated by task 383: [ 29.467559][ C0] kasan_set_track+0x4b/0x70 [ 29.472165][ C0] kasan_save_alloc_info+0x25/0x30 [ 29.477291][ C0] __kasan_kmalloc+0x95/0xb0 [ 29.481986][ C0] __kmalloc_node+0xb2/0x1e0 [ 29.486581][ C0] bpf_map_area_alloc+0x4b/0xe0 [ 29.491436][ C0] prealloc_elems_and_freelist+0x8a/0x1e0 [ 29.497164][ C0] stack_map_alloc+0x3a7/0x530 [ 29.501929][ C0] map_create+0x49c/0xd80 [ 29.506261][ C0] __sys_bpf+0x34e/0x850 [ 29.510502][ C0] __x64_sys_bpf+0x7c/0x90 [ 29.514917][ C0] x64_sys_call+0x488/0x9a0 [ 29.519420][ C0] do_syscall_64+0x4c/0xa0 [ 29.523842][ C0] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 29.529751][ C0] [ 29.532076][ C0] The buggy address belongs to the object at ffff88810e07e700 [ 29.532076][ C0] which belongs to the cache kmalloc-128 of size 128 [ 29.546125][ C0] The buggy address is located 96 bytes inside of [ 29.546125][ C0] 128-byte region [ffff88810e07e700, ffff88810e07e780) [ 29.559330][ C0] [ 29.561656][ C0] The buggy address belongs to the physical page: [ 29.568060][ C0] page:ffffea0004381f80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e07e [ 29.578311][ C0] flags: 0x4000000000000200(slab|zone=1) [ 29.583960][ C0] raw: 4000000000000200 0000000000000000 dead000000000001 ffff888100042a80 [ 29.592540][ C0] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 29.601165][ C0] page dumped because: kasan: bad access detected [ 29.607599][ C0] page_owner tracks the page as allocated [ 29.613307][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 3274660348, free_ts 0 [ 29.629889][ C0] post_alloc_hook+0x1f5/0x210 [ 29.634663][ C0] prep_new_page+0x1c/0x110 [ 29.639175][ C0] get_page_from_freelist+0x2d12/0x2d80 [ 29.644722][ C0] __alloc_pages+0x1fa/0x610 [ 29.649313][ C0] alloc_slab_page+0x6e/0xf0 [ 29.653897][ C0] new_slab+0x98/0x3d0 [ 29.657962][ C0] ___slab_alloc+0x6bd/0xb20 [ 29.662557][ C0] __slab_alloc+0x5e/0xa0 [ 29.666896][ C0] __kmem_cache_alloc_node+0x203/0x2c0 [ 29.672361][ C0] kmalloc_trace+0x29/0xb0 [ 29.676796][ C0] get_device_parent+0x2f3/0x410 [ 29.681743][ C0] device_add+0x322/0xef0 [ 29.686094][ C0] device_create+0x26c/0x300 [ 29.690858][ C0] mon_bin_add+0xb6/0x130 [ 29.695215][ C0] mon_bus_init+0x156/0x2a0 [ 29.699723][ C0] mon_notify+0x11b/0x420 [ 29.704062][ C0] page_owner free stack trace missing [ 29.709427][ C0] [ 29.711791][ C0] Memory state around the buggy address: [ 29.717419][ C0] ffff88810e07e600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.725599][ C0] ffff88810e07e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.733677][ C0] >ffff88810e07e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc [ 29.741739][ C0] ^ [ 29.749714][ C0] ffff88810e07e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.757783][ C0] ffff88810e07e800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.765848][ C0] ================================================================== [ 29.773907][ C0] Disabling lock debugging due to kernel taint [ 29.908017][ C0] hrtimer: interrupt took 36024 ns [ 30.042670][ T8] device bridge_slave_1 left promiscuous mode [ 30.048893][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 30.056702][ T8] device bridge_slave_0 left promiscuous mode [ 30.064196][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 30.072599][ T8] device veth1_macvtap left promiscuous mode [ 30.078660][ T8] device veth0_vlan left promiscuous mode 2026/05/24 17:54:39 executed programs: 233 [ 33.561944][ T28] kauditd_printk_skb: 47 callbacks suppressed [ 33.561975][ T28] audit: type=1400 audit(1779645279.971:121): avc: denied { write } for pid=296 comm="syz-execprog" path="pipe:[11028]" dev="pipefs" ino=11028 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 2026/05/24 17:54:45 executed programs: 533