syzkaller syzkaller login: [ 8.230766][ T114] udevd (114) used greatest stack depth: 22888 bytes left [ 13.730727][ T30] kauditd_printk_skb: 48 callbacks suppressed [ 13.730739][ T30] audit: type=1400 audit(1782143301.502:59): avc: denied { transition } for pid=223 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 13.736903][ T30] audit: type=1400 audit(1782143301.502:60): avc: denied { noatsecure } for pid=223 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 13.740302][ T30] audit: type=1400 audit(1782143301.512:61): avc: denied { write } for pid=223 comm="sh" path="pipe:[14592]" dev="pipefs" ino=14592 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 13.744228][ T30] audit: type=1400 audit(1782143301.512:62): avc: denied { rlimitinh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 13.747569][ T30] audit: type=1400 audit(1782143301.512:63): avc: denied { siginh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 15.243182][ T230] sshd-session (230) used greatest stack depth: 22824 bytes left Warning: Permanently added '10.128.0.219' (ED25519) to the list of known hosts. 2026/06/22 15:48:31 parsed 1 programs 2026/06/22 15:48:31 serving rpc on tcp://33087 [ 23.287155][ T30] audit: type=1400 audit(1782143311.062:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 23.308246][ T30] audit: type=1400 audit(1782143311.062:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 23.939739][ T30] audit: type=1400 audit(1782143311.712:66): avc: denied { mounton } for pid=299 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 23.940817][ T299] cgroup: Unknown subsys name 'net' [ 23.962394][ T30] audit: type=1400 audit(1782143311.712:67): avc: denied { mount } for pid=299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 23.989655][ T30] audit: type=1400 audit(1782143311.752:68): avc: denied { unmount } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 23.989840][ T299] cgroup: Unknown subsys name 'devices' [ 24.134737][ T299] cgroup: Unknown subsys name 'hugetlb' [ 24.140346][ T299] cgroup: Unknown subsys name 'rlimit' [ 24.283437][ T30] audit: type=1400 audit(1782143312.062:69): avc: denied { setattr } for pid=299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.306644][ T30] audit: type=1400 audit(1782143312.062:70): avc: denied { create } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.327132][ T30] audit: type=1400 audit(1782143312.062:71): avc: denied { write } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.347417][ T30] audit: type=1400 audit(1782143312.062:72): avc: denied { read } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 24.367588][ T30] audit: type=1400 audit(1782143312.062:73): avc: denied { mounton } for pid=299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 24.414616][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 24.525392][ T299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 24.913150][ T305] request_module fs-gadgetfs succeeded, but still no fs? [ 25.407693][ T352] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.414824][ T352] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.422163][ T352] device bridge_slave_0 entered promiscuous mode [ 25.429468][ T352] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.436682][ T352] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.444228][ T352] device bridge_slave_1 entered promiscuous mode [ 25.482552][ T352] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.489629][ T352] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.496916][ T352] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.503948][ T352] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.520080][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.527821][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.535052][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.544709][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.552871][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.559941][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.569099][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.577412][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.584472][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.596612][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.605692][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.617894][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.628241][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.636376][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.643891][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.651826][ T352] device veth0_vlan entered promiscuous mode [ 25.661062][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.670128][ T352] device veth1_macvtap entered promiscuous mode [ 25.678743][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.688633][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.722635][ T352] syz-executor (352) used greatest stack depth: 20920 bytes left 2026/06/22 15:48:33 executed programs: 0 [ 25.926932][ T365] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.934139][ T365] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.941391][ T365] device bridge_slave_0 entered promiscuous mode [ 25.948533][ T365] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.955793][ T365] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.963484][ T365] device bridge_slave_1 entered promiscuous mode [ 26.006820][ T365] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.013885][ T365] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.021225][ T365] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.028344][ T365] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.051408][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 26.059112][ T10] bridge0: port 1(bridge_slave_0) entered disabled state [ 26.066371][ T10] bridge0: port 2(bridge_slave_1) entered disabled state [ 26.079790][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 26.087999][ T10] bridge0: port 1(bridge_slave_0) entered blocking state [ 26.095034][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state [ 26.104250][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 26.112403][ T10] bridge0: port 2(bridge_slave_1) entered blocking state [ 26.119451][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.134330][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 26.143621][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 26.160932][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 26.171473][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 26.179474][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 26.187155][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 26.195861][ T365] device veth0_vlan entered promiscuous mode [ 26.211571][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 26.220539][ T365] device veth1_macvtap entered promiscuous mode [ 26.229814][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 26.239898][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 26.265353][ T369] ================================================================== [ 26.273449][ T369] BUG: KASAN: use-after-free in mutex_lock+0x8e/0x1c0 [ 26.280209][ T369] Write of size 8 at addr ffff88812a115550 by task syz.2.17/369 [ 26.287904][ T369] [ 26.290216][ T369] CPU: 1 PID: 369 Comm: syz.2.17 Not tainted syzkaller #0 [ 26.297558][ T369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 26.307595][ T369] Call Trace: [ 26.310853][ T369] [ 26.313762][ T369] __dump_stack+0x21/0x30 [ 26.318071][ T369] dump_stack_lvl+0x110/0x170 [ 26.322720][ T369] ? show_regs_print_info+0x20/0x20 [ 26.327890][ T369] ? load_image+0x3f0/0x3f0 [ 26.332372][ T369] print_address_description+0x7f/0x2c0 [ 26.337891][ T369] ? mutex_lock+0x8e/0x1c0 [ 26.342302][ T369] kasan_report+0x10f/0x150 [ 26.346779][ T369] ? mutex_lock+0x8e/0x1c0 [ 26.351169][ T369] kasan_check_range+0x249/0x2a0 [ 26.356081][ T369] __kasan_check_write+0x14/0x20 [ 26.360995][ T369] mutex_lock+0x8e/0x1c0 [ 26.365210][ T369] ? wait_for_completion_killable_timeout+0x10/0x10 [ 26.371769][ T369] ? l2tp_session_put+0xaf/0x1a0 [ 26.376682][ T369] ? l2tp_session_delete+0x3a9/0x4a0 [ 26.381952][ T369] pppol2tp_release+0x178/0x2b0 [ 26.386798][ T369] sock_close+0xb8/0x200 [ 26.391020][ T369] ? sock_mmap+0xa0/0xa0 [ 26.395235][ T369] __fput+0x22b/0x900 [ 26.399193][ T369] ____fput+0x15/0x20 [ 26.403150][ T369] task_work_run+0x127/0x190 [ 26.407723][ T369] exit_to_user_mode_loop+0xd0/0xe0 [ 26.412912][ T369] exit_to_user_mode_prepare+0x87/0xd0 [ 26.418349][ T369] syscall_exit_to_user_mode+0x1a/0x30 [ 26.423788][ T369] do_syscall_64+0x58/0xa0 [ 26.428180][ T369] ? clear_bhb_loop+0x50/0xa0 [ 26.432831][ T369] ? clear_bhb_loop+0x50/0xa0 [ 26.437760][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 26.443645][ T369] RIP: 0033:0x7f43388bce59 [ 26.448046][ T369] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 26.467721][ T369] RSP: 002b:00007ffe32276658 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 26.476118][ T369] RAX: 0000000000000000 RBX: 00007ffe32276740 RCX: 00007f43388bce59 [ 26.484079][ T369] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 26.492130][ T369] RBP: 0000000000006681 R08: 0000000000000001 R09: 0000000000000000 [ 26.500105][ T369] R10: 0000001b32c20000 R11: 0000000000000246 R12: 0000000000000000 [ 26.508075][ T369] R13: 00007f4338b35fac R14: 00007f4338b35fa8 R15: 00007f4338b35fa0 [ 26.516037][ T369] [ 26.519039][ T369] [ 26.521370][ T369] Allocated by task 369: [ 26.525596][ T369] __kasan_kmalloc+0xd4/0x100 [ 26.530349][ T369] __kmalloc+0x13d/0x2c0 [ 26.534572][ T369] l2tp_session_create+0x39/0xb60 [ 26.539574][ T369] pppol2tp_connect+0xbf5/0x1640 [ 26.544499][ T369] __sys_connect+0x3cb/0x450 [ 26.549074][ T369] __x64_sys_connect+0x7a/0x90 [ 26.553822][ T369] x64_sys_call+0x7c/0x9a0 [ 26.558216][ T369] do_syscall_64+0x4c/0xa0 [ 26.562627][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 26.568495][ T369] [ 26.570817][ T369] Freed by task 369: [ 26.574858][ T369] kasan_set_track+0x4a/0x70 [ 26.579426][ T369] kasan_set_free_info+0x23/0x40 [ 26.584341][ T369] ____kasan_slab_free+0x125/0x160 [ 26.589427][ T369] __kasan_slab_free+0x11/0x20 [ 26.594163][ T369] slab_free_freelist_hook+0xc2/0x190 [ 26.599524][ T369] kfree+0xc4/0x270 [ 26.603309][ T369] l2tp_session_put+0xaf/0x1a0 [ 26.608054][ T369] l2tp_session_delete+0x3a9/0x4a0 [ 26.613146][ T369] pppol2tp_release+0x169/0x2b0 [ 26.617976][ T369] sock_close+0xb8/0x200 [ 26.622191][ T369] __fput+0x22b/0x900 [ 26.626147][ T369] ____fput+0x15/0x20 [ 26.630101][ T369] task_work_run+0x127/0x190 [ 26.634753][ T369] exit_to_user_mode_loop+0xd0/0xe0 [ 26.639934][ T369] exit_to_user_mode_prepare+0x87/0xd0 [ 26.645380][ T369] syscall_exit_to_user_mode+0x1a/0x30 [ 26.650826][ T369] do_syscall_64+0x58/0xa0 [ 26.655225][ T369] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 26.661097][ T369] [ 26.663407][ T369] The buggy address belongs to the object at ffff88812a115400 [ 26.663407][ T369] which belongs to the cache kmalloc-512 of size 512 [ 26.677448][ T369] The buggy address is located 336 bytes inside of [ 26.677448][ T369] 512-byte region [ffff88812a115400, ffff88812a115600) [ 26.690705][ T369] The buggy address belongs to the page: [ 26.696329][ T369] page:ffffea0004a84500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12a114 [ 26.706558][ T369] head:ffffea0004a84500 order:2 compound_mapcount:0 compound_pincount:0 [ 26.714868][ T369] flags: 0x4000000000010200(slab|head|zone=1) [ 26.720938][ T369] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00 [ 26.729501][ T369] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 26.738058][ T369] page dumped because: kasan: bad access detected [ 26.744451][ T369] page_owner tracks the page as allocated [ 26.750180][ T369] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 45, ts 26250702583, free_ts 25065558361 [ 26.770475][ T369] post_alloc_hook+0x192/0x1b0 [ 26.775227][ T369] prep_new_page+0x1c/0x110 [ 26.779709][ T369] get_page_from_freelist+0x2c3a/0x2cd0 [ 26.785236][ T369] __alloc_pages+0x1a2/0x460 [ 26.789807][ T369] new_slab+0xa0/0x4d0 [ 26.793856][ T369] ___slab_alloc+0x3ac/0x840 [ 26.798440][ T369] __slab_alloc+0x49/0x90 [ 26.802748][ T369] __kmalloc_track_caller+0x169/0x2c0 [ 26.808256][ T369] __alloc_skb+0x210/0x730 [ 26.812676][ T369] inet_netconf_notify_devconf+0x169/0x220 [ 26.818487][ T369] inetdev_event+0x7b0/0x1060 [ 26.823160][ T369] raw_notifier_call_chain+0x90/0x100 [ 26.828529][ T369] unregister_netdevice_many+0x103d/0x1a00 [ 26.834324][ T369] ip_tunnel_delete_nets+0x343/0x390 [ 26.839593][ T369] ipgre_exit_batch_net+0x22/0x30 [ 26.844691][ T369] cleanup_net+0x605/0xae0 [ 26.849109][ T369] page last free stack trace: [ 26.853767][ T369] free_unref_page_prepare+0x5fa/0x600 [ 26.859216][ T369] free_unref_page+0xae/0x540 [ 26.863871][ T369] __free_pages+0x6c/0x100 [ 26.868265][ T369] __vunmap+0x801/0x980 [ 26.872402][ T369] vfree+0x8b/0xc0 [ 26.876101][ T369] kcov_close+0x2b/0x50 [ 26.880246][ T369] __fput+0x22b/0x900 [ 26.884208][ T369] ____fput+0x15/0x20 [ 26.888169][ T369] task_work_run+0x127/0x190 [ 26.892737][ T369] do_exit+0xb70/0x29a0 [ 26.896873][ T369] do_group_exit+0x149/0x310 [ 26.901442][ T369] get_signal+0x64f/0x1430 [ 26.905838][ T369] arch_do_signal_or_restart+0xe2/0x1100 [ 26.911448][ T369] exit_to_user_mode_loop+0xa7/0xe0 [ 26.916635][ T369] exit_to_user_mode_prepare+0x87/0xd0 [ 26.922070][ T369] syscall_exit_to_user_mode+0x1a/0x30 [ 26.927598][ T369] [ 26.929900][ T369] Memory state around the buggy address: [ 26.935503][ T369] ffff88812a115400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.943549][ T369] ffff88812a115480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.951596][ T369] >ffff88812a115500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.959630][ T369] ^ [ 26.966279][ T369] ffff88812a115580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.974317][ T369] ffff88812a115600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.982353][ T369] ================================================================== [ 26.990388][ T369] Disabling lock debugging due to kernel taint