Warning: Permanently added '10.128.0.80' (ED25519) to the list of known hosts. 2026/02/17 13:00:07 parsed 1 programs [ 22.299352][ T30] audit: type=1400 audit(1771333207.915:64): avc: denied { node_bind } for pid=281 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 22.320073][ T30] audit: type=1400 audit(1771333207.915:65): avc: denied { module_request } for pid=281 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 22.916388][ T30] audit: type=1400 audit(1771333208.525:66): avc: denied { mounton } for pid=287 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 22.917412][ T287] cgroup: Unknown subsys name 'net' [ 22.939039][ T30] audit: type=1400 audit(1771333208.525:67): avc: denied { mount } for pid=287 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.966231][ T30] audit: type=1400 audit(1771333208.555:68): avc: denied { unmount } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 22.966357][ T287] cgroup: Unknown subsys name 'devices' [ 23.110427][ T287] cgroup: Unknown subsys name 'hugetlb' [ 23.116008][ T287] cgroup: Unknown subsys name 'rlimit' [ 23.287202][ T30] audit: type=1400 audit(1771333208.895:69): avc: denied { setattr } for pid=287 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 23.310416][ T30] audit: type=1400 audit(1771333208.895:70): avc: denied { create } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 23.315575][ T291] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 23.330977][ T30] audit: type=1400 audit(1771333208.895:71): avc: denied { write } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 23.359559][ T30] audit: type=1400 audit(1771333208.895:72): avc: denied { read } for pid=287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 23.379774][ T30] audit: type=1400 audit(1771333208.895:73): avc: denied { mounton } for pid=287 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 23.411995][ T287] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 23.867922][ T294] request_module fs-gadgetfs succeeded, but still no fs? [ 24.050152][ T307] syz-executor (307) used greatest stack depth: 21696 bytes left [ 24.372182][ T340] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.379263][ T340] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.386513][ T340] device bridge_slave_0 entered promiscuous mode [ 24.393330][ T340] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.400366][ T340] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.407568][ T340] device bridge_slave_1 entered promiscuous mode [ 24.442200][ T340] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.449230][ T340] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.456450][ T340] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.463464][ T340] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.478782][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.486337][ T8] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.493463][ T8] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.503110][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.511245][ T8] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.518241][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.526419][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.534544][ T8] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.541566][ T8] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.552462][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.561163][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.573090][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.583422][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 24.591533][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 24.598903][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 24.606728][ T340] device veth0_vlan entered promiscuous mode [ 24.615565][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 24.624190][ T340] device veth1_macvtap entered promiscuous mode [ 24.632439][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 24.641796][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 24.667422][ T340] syz-executor (340) used greatest stack depth: 20672 bytes left 2026/02/17 13:00:10 executed programs: 0 [ 24.899316][ T362] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.906346][ T362] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.913637][ T362] device bridge_slave_0 entered promiscuous mode [ 24.920376][ T362] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.927391][ T362] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.934909][ T362] device bridge_slave_1 entered promiscuous mode [ 24.967933][ T362] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.974959][ T362] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.982203][ T362] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.989222][ T362] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.999422][ T351] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.006733][ T351] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.024264][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 25.032031][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 25.040632][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 25.048914][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 25.056964][ T351] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.063981][ T351] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.072238][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 25.080716][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 25.088769][ T351] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.095783][ T351] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.113301][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 25.121286][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 25.129956][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 25.137941][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 25.157013][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready [ 25.165307][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 25.175474][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready [ 25.183473][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 25.191333][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 25.198697][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 25.206830][ T362] device veth0_vlan entered promiscuous mode [ 25.219516][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 25.227591][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 25.236563][ T362] device veth1_macvtap entered promiscuous mode [ 25.244683][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 25.252401][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 25.260689][ T351] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 25.274520][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 25.282808][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 25.434119][ T372] ================================================================== [ 25.442183][ T372] BUG: KASAN: slab-out-of-bounds in hci_sock_setsockopt+0x7f1/0x820 [ 25.450151][ T372] Read of size 4 at addr ffff88810f84734b by task syz.2.17/372 [ 25.457671][ T372] [ 25.459982][ T372] CPU: 1 PID: 372 Comm: syz.2.17 Not tainted syzkaller #0 [ 25.467066][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 25.477111][ T372] Call Trace: [ 25.480371][ T372] [ 25.483278][ T372] __dump_stack+0x21/0x30 [ 25.487580][ T372] dump_stack_lvl+0x110/0x170 [ 25.492227][ T372] ? show_regs_print_info+0x20/0x20 [ 25.497400][ T372] ? load_image+0x3e0/0x3e0 [ 25.501874][ T372] ? lock_sock_nested+0x21c/0x2a0 [ 25.506873][ T372] print_address_description+0x7f/0x2c0 [ 25.512389][ T372] ? hci_sock_setsockopt+0x7f1/0x820 [ 25.517645][ T372] kasan_report+0xf1/0x140 [ 25.522031][ T372] ? hci_sock_setsockopt+0x7f1/0x820 [ 25.527287][ T372] __asan_report_load_n_noabort+0xf/0x20 [ 25.532886][ T372] hci_sock_setsockopt+0x7f1/0x820 [ 25.537967][ T372] ? hci_sock_compat_ioctl+0x50/0x50 [ 25.543225][ T372] ? security_socket_setsockopt+0x82/0xa0 [ 25.548919][ T372] ? hci_sock_compat_ioctl+0x50/0x50 [ 25.554175][ T372] __sys_setsockopt+0x2e9/0x470 [ 25.558998][ T372] ? __ia32_sys_recv+0xb0/0xb0 [ 25.563732][ T372] ? ____fput+0x15/0x20 [ 25.567860][ T372] __x64_sys_setsockopt+0xbf/0xd0 [ 25.572855][ T372] x64_sys_call+0x982/0x9a0 [ 25.577331][ T372] do_syscall_64+0x4c/0xa0 [ 25.581721][ T372] ? clear_bhb_loop+0x50/0xa0 [ 25.586370][ T372] ? clear_bhb_loop+0x50/0xa0 [ 25.591014][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 25.596877][ T372] RIP: 0033:0x7fe7ebd17f79 [ 25.601260][ T372] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 25.620837][ T372] RSP: 002b:00007ffe4832d908 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 25.629224][ T372] RAX: ffffffffffffffda RBX: 00007fe7ebf91fa0 RCX: 00007fe7ebd17f79 [ 25.637167][ T372] RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000008 [ 25.645111][ T372] RBP: 00007fe7ebdae7e0 R08: 0000000000000001 R09: 0000000000000000 [ 25.653052][ T372] R10: 0000200000000000 R11: 0000000000000246 R12: 0000000000000000 [ 25.660997][ T372] R13: 00007fe7ebf91fac R14: 00007fe7ebf91fa0 R15: 00007fe7ebf91fa0 [ 25.668946][ T372] [ 25.671939][ T372] [ 25.674236][ T372] Allocated by task 372: [ 25.678441][ T372] __kasan_kmalloc+0xda/0x110 [ 25.683088][ T372] __kmalloc+0x13d/0x2c0 [ 25.687299][ T372] __cgroup_bpf_run_filter_setsockopt+0x8e7/0xaa0 [ 25.693681][ T372] __sys_setsockopt+0x40e/0x470 [ 25.698501][ T372] __x64_sys_setsockopt+0xbf/0xd0 [ 25.703498][ T372] x64_sys_call+0x982/0x9a0 [ 25.707972][ T372] do_syscall_64+0x4c/0xa0 [ 25.712361][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 25.718228][ T372] [ 25.720524][ T372] The buggy address belongs to the object at ffff88810f847348 [ 25.720524][ T372] which belongs to the cache kmalloc-8 of size 8 [ 25.734196][ T372] The buggy address is located 3 bytes inside of [ 25.734196][ T372] 8-byte region [ffff88810f847348, ffff88810f847350) [ 25.747090][ T372] The buggy address belongs to the page: [ 25.752688][ T372] page:ffffea00043e11c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f847 [ 25.762906][ T372] flags: 0x4000000000000200(slab|zone=1) [ 25.768514][ T372] raw: 4000000000000200 0000000000000000 0000000100000001 ffff888100042300 [ 25.777065][ T372] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000 [ 25.785613][ T372] page dumped because: kasan: bad access detected [ 25.791994][ T372] page_owner tracks the page as allocated [ 25.797676][ T372] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 102, ts 3675379702, free_ts 3675348632 [ 25.813448][ T372] post_alloc_hook+0x192/0x1b0 [ 25.818184][ T372] prep_new_page+0x1c/0x110 [ 25.822655][ T372] get_page_from_freelist+0x2d3a/0x2dc0 [ 25.828170][ T372] __alloc_pages+0x1a2/0x460 [ 25.832726][ T372] new_slab+0xa1/0x4d0 [ 25.836764][ T372] ___slab_alloc+0x381/0x810 [ 25.841323][ T372] __slab_alloc+0x49/0x90 [ 25.845632][ T372] __kmalloc+0x16a/0x2c0 [ 25.849843][ T372] kernfs_fop_write_iter+0x156/0x400 [ 25.855095][ T372] vfs_write+0x835/0xfd0 [ 25.859308][ T372] ksys_write+0x149/0x250 [ 25.863603][ T372] __x64_sys_write+0x7b/0x90 [ 25.868163][ T372] x64_sys_call+0x8ef/0x9a0 [ 25.872636][ T372] do_syscall_64+0x4c/0xa0 [ 25.877025][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 25.882887][ T372] page last free stack trace: [ 25.887527][ T372] free_unref_page_prepare+0x542/0x550 [ 25.892954][ T372] free_unref_page+0xae/0x540 [ 25.897598][ T372] __free_pages+0x6c/0x100 [ 25.901981][ T372] free_pages+0x82/0x90 [ 25.906107][ T372] selinux_genfs_get_sid+0x20b/0x250 [ 25.911360][ T372] inode_doinit_with_dentry+0x87a/0xd80 [ 25.916873][ T372] selinux_d_instantiate+0x27/0x40 [ 25.921953][ T372] security_d_instantiate+0x9e/0xf0 [ 25.927121][ T372] d_splice_alias+0x6d/0x390 [ 25.931683][ T372] kernfs_iop_lookup+0x2c2/0x310 [ 25.936589][ T372] path_openat+0xfc9/0x2f20 [ 25.941063][ T372] do_filp_open+0x1e2/0x410 [ 25.945539][ T372] do_sys_openat2+0x15e/0x7f0 [ 25.950187][ T372] __x64_sys_openat+0x136/0x160 [ 25.955014][ T372] x64_sys_call+0x219/0x9a0 [ 25.959486][ T372] do_syscall_64+0x4c/0xa0 [ 25.963871][ T372] [ 25.966166][ T372] Memory state around the buggy address: [ 25.971763][ T372] ffff88810f847200: fc fb fc fc fc fc 05 fc fc fc fc 05 fc fc fc fc [ 25.979791][ T372] ffff88810f847280: 05 fc fc fc fc 05 fc fc fc fc 05 fc fc fc fc fb [ 25.987818][ T372] >ffff88810f847300: fc fc fc fc 05 fc fc fc fc 01 fc fc fc fc fb fc [ 25.995843][ T372] ^ [ 26.002220][ T372] ffff88810f847380: fc fc fc fb fc fc fc fc 05 fc fc fc fc fb fc fc [ 26.010248][ T372] ffff88810f847400: fc fc 05 fc fc fc fc fb fc fc fc fc 05 fc fc fc [ 26.018277][ T372] ================================================================== [ 26.026303][ T372] Disabling lock debugging due to kernel taint