Warning: Permanently added '10.128.1.98' (ED25519) to the list of known hosts. 2026/06/22 16:06:04 parsed 1 programs 2026/06/22 16:06:04 serving rpc on tcp://43561 [ 20.954975][ T30] audit: type=1400 audit(1782144364.586:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1 [ 20.962273][ T30] audit: type=1400 audit(1782144364.586:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 21.843288][ T30] audit: type=1400 audit(1782144365.466:66): avc: denied { mounton } for pid=299 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 21.846138][ T299] cgroup: Unknown subsys name 'net' [ 21.866081][ T30] audit: type=1400 audit(1782144365.476:67): avc: denied { mount } for pid=299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 21.893236][ T30] audit: type=1400 audit(1782144365.496:68): avc: denied { unmount } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 21.893587][ T299] cgroup: Unknown subsys name 'devices' [ 22.035715][ T299] cgroup: Unknown subsys name 'hugetlb' [ 22.041428][ T299] cgroup: Unknown subsys name 'rlimit' [ 22.245478][ T30] audit: type=1400 audit(1782144365.876:69): avc: denied { setattr } for pid=299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 22.268943][ T30] audit: type=1400 audit(1782144365.876:70): avc: denied { create } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 22.289426][ T30] audit: type=1400 audit(1782144365.876:71): avc: denied { write } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 22.293819][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 22.309989][ T30] audit: type=1400 audit(1782144365.876:72): avc: denied { read } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 Setting up swapspace version 1, size = 127995904 bytes [ 22.338419][ T30] audit: type=1400 audit(1782144365.876:73): avc: denied { mounton } for pid=299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 22.357311][ T299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 22.768015][ T305] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.775302][ T305] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.782906][ T305] device bridge_slave_0 entered promiscuous mode [ 22.790025][ T305] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.797216][ T305] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.804780][ T305] device bridge_slave_1 entered promiscuous mode [ 22.858567][ T305] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.865630][ T305] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.873307][ T305] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.880365][ T305] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.902922][ T45] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.910155][ T45] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.918051][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 22.925580][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 22.945013][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 22.953233][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 22.961407][ T45] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.968434][ T45] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.976408][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 22.984602][ T45] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.991643][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.999034][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 23.006929][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 23.017347][ T305] device veth0_vlan entered promiscuous mode [ 23.024380][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 23.032509][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 23.039896][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 23.050154][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 23.059665][ T305] device veth1_macvtap entered promiscuous mode [ 23.068413][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 23.078102][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 23.095309][ T305] request_module fs-gadgetfs succeeded, but still no fs? [ 23.118142][ T305] syz-executor (305) used greatest stack depth: 21184 bytes left [ 23.515629][ T45] device bridge_slave_1 left promiscuous mode [ 23.521888][ T45] bridge0: port 2(bridge_slave_1) entered disabled state [ 23.529597][ T45] device bridge_slave_0 left promiscuous mode [ 23.535856][ T45] bridge0: port 1(bridge_slave_0) entered disabled state [ 23.544029][ T45] device veth1_macvtap left promiscuous mode [ 23.550049][ T45] device veth0_vlan left promiscuous mode 2026/06/22 16:06:07 executed programs: 0 [ 24.066330][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.073375][ T368] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.080860][ T368] device bridge_slave_0 entered promiscuous mode [ 24.087748][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.094903][ T368] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.102204][ T368] device bridge_slave_1 entered promiscuous mode [ 24.141766][ T368] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.148816][ T368] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.156115][ T368] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.163144][ T368] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.180586][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 24.188535][ T339] bridge0: port 1(bridge_slave_0) entered disabled state [ 24.195794][ T339] bridge0: port 2(bridge_slave_1) entered disabled state [ 24.209937][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 24.218309][ T339] bridge0: port 1(bridge_slave_0) entered blocking state [ 24.225434][ T339] bridge0: port 1(bridge_slave_0) entered forwarding state [ 24.233933][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 24.242155][ T339] bridge0: port 2(bridge_slave_1) entered blocking state [ 24.249211][ T339] bridge0: port 2(bridge_slave_1) entered forwarding state [ 24.260979][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 24.270016][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 24.282267][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 24.299630][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 24.307552][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 24.315108][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 24.323027][ T368] device veth0_vlan entered promiscuous mode [ 24.333115][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 24.348316][ T368] device veth1_macvtap entered promiscuous mode [ 24.356961][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 24.366543][ T339] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 24.387799][ T372] ================================================================== [ 24.395885][ T372] BUG: KASAN: use-after-free in mutex_lock+0x8e/0x1c0 [ 24.402669][ T372] Write of size 8 at addr ffff888122042550 by task syz.2.17/372 [ 24.410329][ T372] [ 24.412656][ T372] CPU: 1 PID: 372 Comm: syz.2.17 Not tainted syzkaller #0 [ 24.419756][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 [ 24.429796][ T372] Call Trace: [ 24.433073][ T372] [ 24.435996][ T372] __dump_stack+0x21/0x30 [ 24.440316][ T372] dump_stack_lvl+0x110/0x170 [ 24.444987][ T372] ? show_regs_print_info+0x20/0x20 [ 24.450175][ T372] ? load_image+0x3f0/0x3f0 [ 24.454669][ T372] print_address_description+0x7f/0x2c0 [ 24.460215][ T372] ? mutex_lock+0x8e/0x1c0 [ 24.464616][ T372] kasan_report+0x10f/0x150 [ 24.469128][ T372] ? mutex_lock+0x8e/0x1c0 [ 24.473535][ T372] kasan_check_range+0x249/0x2a0 [ 24.478463][ T372] __kasan_check_write+0x14/0x20 [ 24.483386][ T372] mutex_lock+0x8e/0x1c0 [ 24.487613][ T372] ? wait_for_completion_killable_timeout+0x10/0x10 [ 24.494194][ T372] ? l2tp_session_put+0xaf/0x1a0 [ 24.499124][ T372] ? l2tp_session_delete+0x3a9/0x4a0 [ 24.504399][ T372] pppol2tp_release+0x178/0x2b0 [ 24.509238][ T372] sock_close+0xb8/0x200 [ 24.513468][ T372] ? sock_mmap+0xa0/0xa0 [ 24.517697][ T372] __fput+0x22b/0x900 [ 24.521670][ T372] ____fput+0x15/0x20 [ 24.525642][ T372] task_work_run+0x127/0x190 [ 24.530218][ T372] exit_to_user_mode_loop+0xd0/0xe0 [ 24.535404][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 24.540848][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 24.546296][ T372] do_syscall_64+0x58/0xa0 [ 24.550713][ T372] ? clear_bhb_loop+0x50/0xa0 [ 24.555378][ T372] ? clear_bhb_loop+0x50/0xa0 [ 24.560038][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 24.565921][ T372] RIP: 0033:0x7f5a4a1abe59 [ 24.570334][ T372] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 24.589921][ T372] RSP: 002b:00007ffe67a84638 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 24.598330][ T372] RAX: 0000000000000000 RBX: 00007ffe67a84720 RCX: 00007f5a4a1abe59 [ 24.606302][ T372] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 24.614295][ T372] RBP: 0000000000005f2a R08: 0000000000000001 R09: 0000000000000000 [ 24.622283][ T372] R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000 [ 24.630264][ T372] R13: 00007f5a4a424fac R14: 00007f5a4a424fa8 R15: 00007f5a4a424fa0 [ 24.638237][ T372] [ 24.641257][ T372] [ 24.643589][ T372] Allocated by task 372: [ 24.647826][ T372] __kasan_kmalloc+0xd4/0x100 [ 24.652505][ T372] __kmalloc+0x13d/0x2c0 [ 24.656750][ T372] l2tp_session_create+0x39/0xb60 [ 24.661784][ T372] pppol2tp_connect+0xbf5/0x1640 [ 24.666725][ T372] __sys_connect+0x3cb/0x450 [ 24.671326][ T372] __x64_sys_connect+0x7a/0x90 [ 24.676089][ T372] x64_sys_call+0x7c/0x9a0 [ 24.680509][ T372] do_syscall_64+0x4c/0xa0 [ 24.684921][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 24.690822][ T372] [ 24.693144][ T372] Freed by task 372: [ 24.697028][ T372] kasan_set_track+0x4a/0x70 [ 24.701636][ T372] kasan_set_free_info+0x23/0x40 [ 24.706577][ T372] ____kasan_slab_free+0x125/0x160 [ 24.711686][ T372] __kasan_slab_free+0x11/0x20 [ 24.716452][ T372] slab_free_freelist_hook+0xc2/0x190 [ 24.721822][ T372] kfree+0xc4/0x270 [ 24.725641][ T372] l2tp_session_put+0xaf/0x1a0 [ 24.730409][ T372] l2tp_session_delete+0x3a9/0x4a0 [ 24.735518][ T372] pppol2tp_release+0x169/0x2b0 [ 24.740366][ T372] sock_close+0xb8/0x200 [ 24.744603][ T372] __fput+0x22b/0x900 [ 24.748586][ T372] ____fput+0x15/0x20 [ 24.752567][ T372] task_work_run+0x127/0x190 [ 24.757161][ T372] exit_to_user_mode_loop+0xd0/0xe0 [ 24.762361][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 24.767819][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 24.773272][ T372] do_syscall_64+0x58/0xa0 [ 24.777716][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 24.783606][ T372] [ 24.785921][ T372] The buggy address belongs to the object at ffff888122042400 [ 24.785921][ T372] which belongs to the cache kmalloc-512 of size 512 [ 24.799971][ T372] The buggy address is located 336 bytes inside of [ 24.799971][ T372] 512-byte region [ffff888122042400, ffff888122042600) [ 24.813251][ T372] The buggy address belongs to the page: [ 24.818897][ T372] page:ffffea0004881000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x122040 [ 24.829129][ T372] head:ffffea0004881000 order:2 compound_mapcount:0 compound_pincount:0 [ 24.837461][ T372] flags: 0x4000000000010200(slab|head|zone=1) [ 24.843526][ T372] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00 [ 24.852112][ T372] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 24.860694][ T372] page dumped because: kasan: bad access detected [ 24.867101][ T372] page_owner tracks the page as allocated [ 24.872823][ T372] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 368, ts 24378383241, free_ts 23318092697 [ 24.893215][ T372] post_alloc_hook+0x192/0x1b0 [ 24.898031][ T372] prep_new_page+0x1c/0x110 [ 24.902534][ T372] get_page_from_freelist+0x2c3a/0x2cd0 [ 24.908085][ T372] __alloc_pages+0x1a2/0x460 [ 24.912700][ T372] new_slab+0xa0/0x4d0 [ 24.916776][ T372] ___slab_alloc+0x3ac/0x840 [ 24.921370][ T372] __slab_alloc+0x49/0x90 [ 24.925695][ T372] __kmalloc+0x16a/0x2c0 [ 24.929931][ T372] fib6_info_alloc+0x34/0xe0 [ 24.934532][ T372] ip6_route_info_create+0x51b/0x14d0 [ 24.939904][ T372] addrconf_f6i_alloc+0x19c/0x3f0 [ 24.944924][ T372] ipv6_add_addr+0x442/0xd90 [ 24.949510][ T372] inet6_addr_add+0x446/0x9d0 [ 24.954191][ T372] inet6_rtm_newaddr+0x6e7/0x9c0 [ 24.959143][ T372] rtnetlink_rcv_msg+0x9fd/0xcb0 [ 24.964077][ T372] netlink_rcv_skb+0x1e9/0x430 [ 24.968832][ T372] page last free stack trace: [ 24.973501][ T372] free_unref_page_prepare+0x5fa/0x600 [ 24.978961][ T372] free_unref_page+0xae/0x540 [ 24.983646][ T372] __free_pages+0x6c/0x100 [ 24.988059][ T372] __vunmap+0x801/0x980 [ 24.992216][ T372] vfree+0x8b/0xc0 [ 24.995937][ T372] kcov_close+0x2b/0x50 [ 25.000095][ T372] __fput+0x22b/0x900 [ 25.004075][ T372] ____fput+0x15/0x20 [ 25.008055][ T372] task_work_run+0x127/0x190 [ 25.012651][ T372] do_exit+0xb70/0x29a0 [ 25.016812][ T372] do_group_exit+0x149/0x310 [ 25.021406][ T372] get_signal+0x64f/0x1430 [ 25.025831][ T372] arch_do_signal_or_restart+0xe2/0x1100 [ 25.031456][ T372] exit_to_user_mode_loop+0xa7/0xe0 [ 25.036646][ T372] exit_to_user_mode_prepare+0x87/0xd0 [ 25.042105][ T372] syscall_exit_to_user_mode+0x1a/0x30 [ 25.047580][ T372] [ 25.049898][ T372] Memory state around the buggy address: [ 25.055525][ T372] ffff888122042400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.063583][ T372] ffff888122042480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.071643][ T372] >ffff888122042500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.079703][ T372] ^ [ 25.086371][ T372] ffff888122042580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.094520][ T372] ffff888122042600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.102654][ T372] ================================================================== [ 25.110715][ T372] Disabling lock debugging due to kernel taint