23-Feb-2026 22:25:33: starting attempt #0
23-Feb-2026 22:26:44: attempt failed: "KASAN: vmalloc-out-of-bounds Write in swap_cluster_setup_bad_slot"
23-Feb-2026 22:26:44: starting attempt #1
23-Feb-2026 22:27:56: attempt failed: "KASAN: vmalloc-out-of-bounds Write in swap_cluster_setup_bad_slot"
23-Feb-2026 22:27:56: starting attempt #2
23-Feb-2026 22:29:07: attempt failed: "KASAN: vmalloc-out-of-bounds Write in swap_cluster_setup_bad_slot"
23-Feb-2026 22:29:07: report:
cgroup: Unknown subsys name 'cpuset'
cgroup: Unknown subsys name 'rlimit'
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in swap_cluster_setup_bad_slot+0x4f4/0x5b0
Write of size 1 at addr ffffc90005c80a12 by task syz-executor/5795

CPU: 0 UID: 0 PID: 5795 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150
 print_report+0xba/0x230
 kasan_report+0x117/0x150
 swap_cluster_setup_bad_slot+0x4f4/0x5b0
 setup_swap_clusters_info+0x621/0x1120
 __se_sys_swapon+0x1353/0x2120
 do_syscall_64+0x14d/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd81b19c5e7
Code: 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a7 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdbc9c9928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a7
RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fd81b19c5e7
RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00007fd81b232d03
RBP: 00007fd81b232d03 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00007fd81b3e53e0
R13: 00007fd81b24d924 R14: ffffffffffa6d9e7 R15: 00007fd81b3e53a0
 </TASK>

The buggy address belongs to a vmalloc virtual mapping
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113baf
flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 017ff00000000000 0000000000000000 ffffea00044eebc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 5795, tgid 5795 (syz-executor), ts 58298311539, free_ts 57176911943
 post_alloc_hook+0x231/0x280
 get_page_from_freelist+0x24dc/0x2580
 __alloc_frozen_pages_noprof+0x18d/0x380
 alloc_pages_mpol+0x232/0x4a0
 alloc_pages_noprof+0xa8/0x190
 __vmalloc_node_range_noprof+0x79b/0x1730
 vzalloc_noprof+0xb2/0xe0
 __se_sys_swapon+0x130b/0x2120
 do_syscall_64+0x14d/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5798 tgid 5798 stack trace:
 __free_frozen_pages+0xc2b/0xdb0
 __slab_free+0x263/0x2b0
 qlist_free_all+0x97/0x100
 kasan_quarantine_reduce+0x148/0x160
 __kasan_slab_alloc+0x22/0x80
 kmem_cache_alloc_noprof+0x2bc/0x650
 ima_inode_get+0xea/0x4e0
 process_measurement+0x46a/0x1c80
 ima_bprm_check+0x121/0x180
 security_bprm_check+0xcd/0x240
 bprm_execve+0x896/0x1460
 do_execveat_common+0x50d/0x690
 __x64_sys_execve+0x97/0xc0
 do_syscall_64+0x14d/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc90005c80900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90005c80980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90005c80a00: 00 00 02 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                         ^
 ffffc90005c80a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90005c80b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

23-Feb-2026 22:29:07: output:
last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:33015' (ED25519) to the list of known hosts.
syzkaller login: [   56.896163][ T5795] cgroup: Unknown subsys name 'net'
[   56.986779][ T5795] cgroup: Unknown subsys name 'cpuset'
[   56.992443][ T5795] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   58.298425][ T5795] ==================================================================
[   58.300896][ T5795] BUG: KASAN: vmalloc-out-of-bounds in swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.303633][ T5795] Write of size 1 at addr ffffc90005c80a12 by task syz-executor/5795
[   58.306746][ T5795] 
[   58.307508][ T5795] CPU: 0 UID: 0 PID: 5795 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
[   58.307518][ T5795] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   58.307522][ T5795] Call Trace:
[   58.307527][ T5795]  <TASK>
[   58.307530][ T5795]  dump_stack_lvl+0xe8/0x150
[   58.307542][ T5795]  print_report+0xba/0x230
[   58.307550][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.307558][ T5795]  kasan_report+0x117/0x150
[   58.307566][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.307575][ T5795]  swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.307584][ T5795]  setup_swap_clusters_info+0x621/0x1120
[   58.307591][ T5795]  ? __se_sys_swapon+0x130b/0x2120
[   58.307598][ T5795]  ? vzalloc_noprof+0xb2/0xe0
[   58.307605][ T5795]  __se_sys_swapon+0x1353/0x2120
[   58.307613][ T5795]  ? __pfx___se_sys_swapon+0x10/0x10
[   58.307621][ T5795]  do_syscall_64+0x14d/0xf80
[   58.307631][ T5795]  ? trace_irq_disable+0x3b/0x150
[   58.307641][ T5795]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.307648][ T5795]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.307655][ T5795] RIP: 0033:0x7fd81b19c5e7
[   58.307662][ T5795] Code: 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a7 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   58.307668][ T5795] RSP: 002b:00007ffdbc9c9928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a7
[   58.307676][ T5795] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fd81b19c5e7
[   58.307681][ T5795] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00007fd81b232d03
[   58.307685][ T5795] RBP: 00007fd81b232d03 R08: 0000000000000000 R09: 0000000000000000
[   58.307690][ T5795] R10: 0000000000000008 R11: 0000000000000246 R12: 00007fd81b3e53e0
[   58.307694][ T5795] R13: 00007fd81b24d924 R14: ffffffffffa6d9e7 R15: 00007fd81b3e53a0
[   58.307701][ T5795]  </TASK>
[   58.307703][ T5795] 
[   58.363262][ T5795] The buggy address belongs to a vmalloc virtual mapping
[   58.365403][ T5795] The buggy address belongs to the physical page:
[   58.367356][ T5795] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113baf
[   58.370038][ T5795] flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
[   58.372252][ T5795] raw: 017ff00000000000 0000000000000000 ffffea00044eebc8 0000000000000000
[   58.374863][ T5795] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   58.377489][ T5795] page dumped because: kasan: bad access detected
[   58.379448][ T5795] page_owner tracks the page as allocated
[   58.381191][ T5795] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 5795, tgid 5795 (syz-executor), ts 58298311539, free_ts 57176911943
[   58.387267][ T5795]  post_alloc_hook+0x231/0x280
[   58.388858][ T5795]  get_page_from_freelist+0x24dc/0x2580
[   58.390809][ T5795]  __alloc_frozen_pages_noprof+0x18d/0x380
[   58.393046][ T5795]  alloc_pages_mpol+0x232/0x4a0
[   58.395135][ T5795]  alloc_pages_noprof+0xa8/0x190
[   58.396880][ T5795]  __vmalloc_node_range_noprof+0x79b/0x1730
[   58.398943][ T5795]  vzalloc_noprof+0xb2/0xe0
[   58.400711][ T5795]  __se_sys_swapon+0x130b/0x2120
[   58.402615][ T5795]  do_syscall_64+0x14d/0xf80
[   58.404331][ T5795]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.406627][ T5795] page last free pid 5798 tgid 5798 stack trace:
[   58.408860][ T5795]  __free_frozen_pages+0xc2b/0xdb0
[   58.410822][ T5795]  __slab_free+0x263/0x2b0
[   58.412400][ T5795]  qlist_free_all+0x97/0x100
[   58.414026][ T5795]  kasan_quarantine_reduce+0x148/0x160
[   58.416097][ T5795]  __kasan_slab_alloc+0x22/0x80
[   58.417965][ T5795]  kmem_cache_alloc_noprof+0x2bc/0x650
[   58.420025][ T5795]  ima_inode_get+0xea/0x4e0
[   58.421743][ T5795]  process_measurement+0x46a/0x1c80
[   58.423727][ T5795]  ima_bprm_check+0x121/0x180
[   58.425559][ T5795]  security_bprm_check+0xcd/0x240
[   58.427478][ T5795]  bprm_execve+0x896/0x1460
[   58.428898][ T5795]  do_execveat_common+0x50d/0x690
[   58.430460][ T5795]  __x64_sys_execve+0x97/0xc0
[   58.431904][ T5795]  do_syscall_64+0x14d/0xf80
[   58.433355][ T5795]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.435163][ T5795] 
[   58.435918][ T5795] Memory state around the buggy address:
[   58.437644][ T5795]  ffffc90005c80900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.440083][ T5795]  ffffc90005c80980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.442635][ T5795] >ffffc90005c80a00: 00 00 02 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   58.445155][ T5795]                          ^
[   58.446595][ T5795]  ffffc90005c80a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   58.449078][ T5795]  ffffc90005c80b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   58.451532][ T5795] ==================================================================
[   58.454258][ T5795] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   58.456459][ T5795] CPU: 0 UID: 0 PID: 5795 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
[   58.459339][ T5795] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   58.462402][ T5795] Call Trace:
[   58.463476][ T5795]  <TASK>
[   58.464411][ T5795]  vpanic+0x56c/0xa60
[   58.465667][ T5795]  ? __pfx_vpanic+0x10/0x10
[   58.467069][ T5795]  panic+0xc5/0xd0
[   58.468243][ T5795]  ? __pfx_panic+0x10/0x10
[   58.469623][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.471483][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.473331][ T5795]  check_panic_on_warn+0x89/0xb0
[   58.474851][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.476693][ T5795]  end_report+0x73/0x180
[   58.477998][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.479828][ T5795]  kasan_report+0x128/0x150
[   58.481241][ T5795]  ? swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.483075][ T5795]  swap_cluster_setup_bad_slot+0x4f4/0x5b0
[   58.484880][ T5795]  setup_swap_clusters_info+0x621/0x1120
[   58.486623][ T5795]  ? __se_sys_swapon+0x130b/0x2120
[   58.488209][ T5795]  ? vzalloc_noprof+0xb2/0xe0
[   58.489662][ T5795]  __se_sys_swapon+0x1353/0x2120
[   58.491198][ T5795]  ? __pfx___se_sys_swapon+0x10/0x10
[   58.492815][ T5795]  do_syscall_64+0x14d/0xf80
[   58.494253][ T5795]  ? trace_irq_disable+0x3b/0x150
[   58.495804][ T5795]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.497693][ T5795]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.499524][ T5795] RIP: 0033:0x7fd81b19c5e7
[   58.500897][ T5795] Code: 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a7 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   58.506786][ T5795] RSP: 002b:00007ffdbc9c9928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a7
[   58.509353][ T5795] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fd81b19c5e7
[   58.511752][ T5795] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00007fd81b232d03
[   58.514169][ T5795] RBP: 00007fd81b232d03 R08: 0000000000000000 R09: 0000000000000000
[   58.516582][ T5795] R10: 0000000000000008 R11: 0000000000000246 R12: 00007fd81b3e53e0
[   58.518993][ T5795] R13: 00007fd81b24d924 R14: ffffffffffa6d9e7 R15: 00007fd81b3e53a0
[   58.521416][ T5795]  </TASK>
[   58.523013][ T5795] Kernel Offset: disabled
[   58.524384][ T5795] Rebooting in 86400 seconds..

VM DIAGNOSIS:
22:28:57  Registers:
info registers vcpu 0

CPU#0
RAX=0000000000000020 RBX=0000000000000020 RCX=0000000000000000 RDX=00000000000003f8
RSI=0000000000000000 RDI=0000000000000020 RBP=00000000000003f8 RSP=ffffc90004c776b0
R8 =ffff888105f50237 R9 =1ffff11020bea046 R10=dffffc0000000000 R11=ffffffff853fce70
R12=dffffc0000000000 R13=ffffffff9a2afa65 R14=ffffffff9a5c7860 R15=0000000000000000
RIP=ffffffff853fceec RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 000055555981f500 ffffffff 00c00000
GS =0000 ffff88818de67000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007f3d21df4440 CR3=000000016bed8000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0000000600000000 65fd1b8e768d7000 XMM01=0000000000000000 00007fd81b24e926
XMM02=0000000000000000 00007fd81bf48600 XMM03=0000000000000000 0000000000000000
XMM04=0000000000ff0000 00000000000000ff XMM05=0000000000000000 00007fd81b235ef3
XMM06=0000000000000000 00007fd81b23202a XMM07=0000000000000000 00007ffdbc9c9860
XMM08=62097665646f6e0a 7366746567646167 XMM09=0000000000000000 0000000000000000
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000
info registers vcpu 1

CPU#1
RAX=00000000000400b7 RBX=ffffffff819a80dd RCX=0000000080000001 RDX=0000000000000001
RSI=ffffffff8def2879 RDI=ffffffff8c27b180 RBP=ffffc90000197f10 RSP=ffffc90000197e20
R8 =ffff88823c63395b R9 =1ffff110478c672b R10=dffffc0000000000 R11=ffffed10478c672c
R12=ffffffff901179b0 R13=1ffff1102c096000 R14=0000000000000001 R15=0000000000000001
RIP=ffffffff8bacee9f RFL=00000206 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=1
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff8882a9467000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007fe052fdc870 CR3=000000010ef78000 CR4=000006f0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000ff 0000000000000000 XMM01=6f6c2f7261762f00 6469756e69676f6c
XMM02=0000ffffffffff00 0000000000000000 XMM03=0000000000000000 000000000000002f
XMM04=74772f676f6c2f72 61762f00706d7475 XMM05=3f3f3f3f3f3f3f3f 3f3f3f3f3f3f3f3f
XMM06=9999999999999999 9999999999999999 XMM07=2020202020202020 2020202020202020
XMM08=0020202000000000 0000000000000000 XMM09=0000000000000000 0000000000000000
XMM10=0000000000000000 0000000000000000 XMM11=0000000000000000 0000000000000000
XMM12=0000000000000000 0000000000000000 XMM13=0000000000000000 0000000000000000
XMM14=0000000000000000 0000000000000000 XMM15=0000000000000000 0000000000000000