./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2786887112
<...>
Warning: Permanently added '10.128.1.77' (ED25519) to the list of known hosts.
execve("./syz-executor2786887112", ["./syz-executor2786887112"], 0x7ffe59b5c070 /* 10 vars */) = 0
brk(NULL) = 0x55555d7da000
brk(0x55555d7dad00) = 0x55555d7dad00
arch_prctl(ARCH_SET_FS, 0x55555d7da380) = 0
set_tid_address(0x55555d7da650) = 295
set_robust_list(0x55555d7da660, 24) = 0
rseq(0x55555d7daca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2786887112", 4096) = 28
getrandom("\xf2\x82\xb7\x6c\x7e\x3f\x68\xdf", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55555d7dad00
brk(0x55555d7fbd00) = 0x55555d7fbd00
brk(0x55555d7fc000) = 0x55555d7fc000
mprotect(0x7f6288040000, 16384, PROT_READ) = 0
mmap(0x3ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ffffffff000
mmap(0x400000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000000000
mmap(0x400001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400001000000
write(1, "executing program\n", 18executing program
) = 18
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f627fb90000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144
munmap(0x7f627fb90000, 138412032) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
[ 21.040566][ T28] audit: type=1400 audit(1740703807.260:66): avc: denied { execmem } for pid=295 comm="syz-executor278" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 21.060312][ T28] audit: type=1400 audit(1740703807.280:67): avc: denied { read write } for pid=295 comm="syz-executor278" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 21.061050][ T295] loop0: detected capacity change from 0 to 512
close(4) = 0
mkdir("./file2", 0777) = 0
[ 21.084569][ T28] audit: type=1400 audit(1740703807.280:68): avc: denied { open } for pid=295 comm="syz-executor278" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 21.098166][ T295] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[ 21.117537][ T28] audit: type=1400 audit(1740703807.280:69): avc: denied { ioctl } for pid=295 comm="syz-executor278" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 21.127389][ T295] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode
[ 21.152582][ T28] audit: type=1400 audit(1740703807.320:70): avc: denied { mounton } for pid=295 comm="syz-executor278" path="/root/file2" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
mount("/dev/loop0", "./file2", "ext4", MS_NODEV|MS_NOATIME, "mb_optimize_scan=0x0000000000000000,resuid=0x0000000000000000,debug_want_extra_isize=0x0000000000000"...) = 0
openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3
chdir("./file2") = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
lsetxattr("./file1", "trusted.overlay.upper", "\x65\x78\x74\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65079, 0) = 0
creat("./file2", 0655) = 4
[ 21.167280][ T295] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2809: Unable to expand inode 15. Delete some EAs or run e2fsck.
[ 21.197428][ T295] EXT4-fs (loop0): 1 truncate cleaned up
[ 21.202861][ T295] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback.
[ 21.211790][ T28] audit: type=1400 audit(1740703807.430:71): avc: denied { mount } for pid=295 comm="syz-executor278" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 21.232171][ T295] ==================================================================
[ 21.233444][ T28] audit: type=1400 audit(1740703807.440:72): avc: denied { setattr } for pid=295 comm="syz-executor278" name="file1" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 21.241285][ T295] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x909/0x1fa0
[ 21.241335][ T295] Read of size 18446744073709551572 at addr ffff888110634850 by task syz-executor278/295
[ 21.264101][ T28] audit: type=1400 audit(1740703807.450:73): avc: denied { write } for pid=295 comm="syz-executor278" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 21.271134][ T295]
[ 21.271153][ T295] CPU: 0 PID: 295 Comm: syz-executor278 Not tainted 6.1.128-syzkaller-00038-gfa3cc11118de #0
[ 21.271171][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 21.281041][ T28] audit: type=1400 audit(1740703807.450:74): avc: denied { add_name } for pid=295 comm="syz-executor278" name="file2" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 21.302394][ T295] Call Trace:
[ 21.302404][ T295] <TASK>
[ 21.302411][ T295] dump_stack_lvl+0x151/0x1b7
[ 21.302436][ T295] ? nf_tcp_handle_invalid+0x3f1/0x3f1
[ 21.304953][ T28] audit: type=1400 audit(1740703807.450:75): avc: denied { create } for pid=295 comm="syz-executor278" name="file2" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 21.314530][ T295] ? _printk+0xd1/0x111
[ 21.314556][ T295] ? __virt_addr_valid+0x242/0x2f0
[ 21.389990][ T295] print_report+0x158/0x4e0
[ 21.394293][ T295] ? __virt_addr_valid+0x242/0x2f0
[ 21.399241][ T295] ? kasan_complete_mode_report_info+0x57/0x1b0
[ 21.405319][ T295] ? ext4_xattr_set_entry+0x909/0x1fa0
[ 21.410609][ T295] kasan_report+0x13c/0x170
[ 21.414949][ T295] ? ext4_xattr_set_entry+0x909/0x1fa0
[ 21.420242][ T295] kasan_check_range+0x294/0x2a0
[ 21.425015][ T295] ? ext4_xattr_set_entry+0x909/0x1fa0
[ 21.430311][ T295] memmove+0x2d/0x70
[ 21.434044][ T295] ext4_xattr_set_entry+0x909/0x1fa0
[ 21.439164][ T295] ? ext4_xattr_inode_lookup_create+0x1a60/0x1a60
[ 21.445412][ T295] ? memcpy+0x56/0x70
[ 21.449232][ T295] ext4_xattr_block_set+0x99c/0x37f0
[ 21.454353][ T295] ? ext4_drop_inode+0x90/0x1a0
[ 21.459041][ T295] ? __getblk_gfp+0x3d/0x7d0
[ 21.463465][ T295] ? ext4_xattr_block_find+0x320/0x320
[ 21.468759][ T295] ? xattr_find_entry+0x23c/0x300
[ 21.473623][ T295] ? ext4_xattr_block_find+0x2ac/0x320
[ 21.478917][ T295] ext4_expand_extra_isize_ea+0x10eb/0x1c40
[ 21.484645][ T295] ? ext4_xattr_set+0x3d0/0x3d0
[ 21.489337][ T295] ? rwsem_write_trylock+0x153/0x340
[ 21.494459][ T295] ? dquot_initialize_needed+0x13d/0x370
[ 21.499921][ T295] __ext4_expand_extra_isize+0x31a/0x420
[ 21.505389][ T295] __ext4_mark_inode_dirty+0x4bb/0x7d0
[ 21.510683][ T295] ? sb_end_intwrite+0x130/0x130
[ 21.515454][ T295] ? current_time+0x1ba/0x300
[ 21.519968][ T295] ? atime_needs_update+0x810/0x810
[ 21.525003][ T295] ? __kasan_check_write+0x14/0x20
[ 21.529949][ T295] ? drop_nlink+0xa9/0x110
[ 21.534202][ T295] __ext4_unlink+0x6ed/0xba0
[ 21.538629][ T295] ? __ext4_read_dirblock+0x8e0/0x8e0
[ 21.543838][ T295] ? rwsem_mark_wake+0x770/0x770
[ 21.548609][ T295] ext4_unlink+0x142/0x3f0
[ 21.552862][ T295] vfs_unlink+0x38c/0x630
[ 21.557032][ T295] do_unlinkat+0x483/0x920
[ 21.561280][ T295] ? __check_object_size+0x48/0x650
[ 21.566316][ T295] ? fsnotify_link_count+0x100/0x100
[ 21.571436][ T295] ? strncpy_from_user+0x169/0x2b0
[ 21.576385][ T295] ? getname_flags+0x1fd/0x520
[ 21.581092][ T295] __x64_sys_unlink+0x49/0x50
[ 21.585604][ T295] x64_sys_call+0x289/0x9a0
[ 21.589943][ T295] do_syscall_64+0x3b/0xb0
[ 21.594197][ T295] ? clear_bhb_loop+0x55/0xb0
[ 21.598710][ T295] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 21.604449][ T295] RIP: 0033:0x7f6287fcda79
[ 21.608701][ T295] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 21.628142][ T295] RSP: 002b:00007fff6a6d61d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[ 21.636379][ T295] RAX: ffffffffffffffda RBX: 0000400000000040 RCX: 00007f6287fcda79
[ 21.644190][ T295] RDX: 00007f6287fcda79 RSI: 00007f6287fcda79 RDI: 0000400000000180
[ 21.652004][ T295] RBP: 0031656c69662f2e R08: 0000000000000000 R09: 0000000000000000
[ 21.659813][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 0032656c69662f2e
[ 21.667623][ T295] R13: 00007fff6a6d63b8 R14: 0000000000000001 R15: 0000000000000001
[ 21.675440][ T295] </TASK>
[ 21.678301][ T295]
[ 21.680470][ T295] Allocated by task 295:
[ 21.684550][ T295] kasan_set_track+0x4b/0x70
[ 21.688976][ T295] kasan_save_alloc_info+0x1f/0x30
[ 21.693923][ T295] __kasan_kmalloc+0x9c/0xb0
[ 21.698349][ T295] __kmalloc_node_track_caller+0xb3/0x1e0
[ 21.703904][ T295] kmemdup+0x29/0x60
[ 21.707637][ T295] ext4_xattr_block_set+0x80f/0x37f0
[ 21.712757][ T295] ext4_expand_extra_isize_ea+0x10eb/0x1c40
[ 21.718484][ T295] __ext4_expand_extra_isize+0x31a/0x420
[ 21.723954][ T295] __ext4_mark_inode_dirty+0x4bb/0x7d0
[ 21.729248][ T295] __ext4_unlink+0x6ed/0xba0
[ 21.733673][ T295] ext4_unlink+0x142/0x3f0
[ 21.737932][ T295] vfs_unlink+0x38c/0x630
[ 21.742096][ T295] do_unlinkat+0x483/0x920
[ 21.746345][ T295] __x64_sys_unlink+0x49/0x50
[ 21.750860][ T295] x64_sys_call+0x289/0x9a0
[ 21.755197][ T295] do_syscall_64+0x3b/0xb0
[ 21.759459][ T295] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 21.765182][ T295]
[ 21.767349][ T295] The buggy address belongs to the object at ffff888110634800
[ 21.767349][ T295] which belongs to the cache kmalloc-1k of size 1024
[ 21.781239][ T295] The buggy address is located 80 bytes inside of
[ 21.781239][ T295] 1024-byte region [ffff888110634800, ffff888110634c00)
[ 21.794345][ T295]
[ 21.796519][ T295] The buggy address belongs to the physical page:
[ 21.802777][ T295] page:ffffea0004418c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110630
[ 21.812832][ T295] head:ffffea0004418c00 order:3 compound_mapcount:0 compound_pincount:0
[ 21.821076][ T295] flags: 0x4000000000010200(slab|head|zone=1)
[ 21.826991][ T295] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043080
[ 21.835408][ T295] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 21.843819][ T295] page dumped because: kasan: bad access detected
[ 21.850072][ T295] page_owner tracks the page as allocated
[ 21.855620][ T295] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 289, tgid 289 (sshd), ts 21213503438, free_ts 17826978057
[ 21.875934][ T295] post_alloc_hook+0x213/0x220
[ 21.880530][ T295] prep_new_page+0x1b/0x110
[ 21.884873][ T295] get_page_from_freelist+0x3a98/0x3b10
[ 21.890251][ T295] __alloc_pages+0x234/0x610
[ 21.894684][ T295] alloc_slab_page+0x6c/0xf0
[ 21.899101][ T295] new_slab+0x90/0x3e0
[ 21.903010][ T295] ___slab_alloc+0x6f9/0xb80
[ 21.907434][ T295] __slab_alloc+0x5d/0xa0
[ 21.911601][ T295] __kmem_cache_alloc_node+0x207/0x2a0
[ 21.916895][ T295] __kmalloc_node_track_caller+0xa2/0x1e0
[ 21.922449][ T295] __alloc_skb+0x125/0x2d0
[ 21.926702][ T295] tcp_stream_alloc_skb+0x46/0x340
[ 21.931649][ T295] tcp_sendmsg_locked+0xda6/0x4000
[ 21.936599][ T295] tcp_sendmsg+0x2f/0x50
[ 21.940676][ T295] inet_sendmsg+0xa1/0xc0
[ 21.944845][ T295] sock_write_iter+0x394/0x4e0
[ 21.949443][ T295] page last free stack trace:
[ 21.953955][ T295] free_unref_page_prepare+0x9f1/0xa00
[ 21.959251][ T295] free_unref_page+0xb2/0x5c0
[ 21.963762][ T295] __free_pages+0x61/0xf0
[ 21.967931][ T295] __free_slab+0xce/0x1a0
[ 21.972097][ T295] __unfreeze_partials+0x165/0x1a0
[ 21.977043][ T295] put_cpu_partial+0xa9/0x100
[ 21.981555][ T295] __slab_free+0x1c8/0x280
[ 21.985818][ T295] ___cache_free+0xc6/0xd0
[ 21.990062][ T295] qlist_free_all+0xc5/0x140
[ 21.994489][ T295] kasan_quarantine_reduce+0x15a/0x180
[ 21.999784][ T295] __kasan_slab_alloc+0x24/0x80
[ 22.004471][ T295] slab_post_alloc_hook+0x53/0x2c0
[ 22.009416][ T295] kmem_cache_alloc_lru+0x102/0x270
[ 22.014451][ T295] sock_alloc_inode+0x28/0xc0
[ 22.018963][ T295] new_inode_pseudo+0x65/0x1d0
[ 22.023564][ T295] __sock_create+0x132/0x7e0
[ 22.027992][ T295]
[ 22.030159][ T295] Memory state around the buggy address:
[ 22.035651][ T295] ffff888110634700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.043535][ T295] ffff888110634780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.051430][ T295] >ffff888110634800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.059324][ T295] ^
[ 22.065836][ T295] ffff888110634880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.073734][ T295] ffff888110634900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.081634][ T295] ==================================================================
unlink("./file1") = 0
exit_group(0) = ?
+++ exited with 0 +++
[ 22.089843][ T295] Disabling lock debugging due to kernel tain