./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3769691613 <...> Warning: Permanently added '10.128.0.244' (ED25519) to the list of known hosts. execve("./syz-executor3769691613", ["./syz-executor3769691613"], 0x7ffc8a397840 /* 10 vars */) = 0 brk(NULL) = 0x55556fb55000 brk(0x55556fb55d00) = 0x55556fb55d00 arch_prctl(ARCH_SET_FS, 0x55556fb55380) = 0 set_tid_address(0x55556fb55650) = 297 set_robust_list(0x55556fb55660, 24) = 0 rseq(0x55556fb55ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3769691613", 4096) = 28 getrandom("\xb0\xd8\x2b\x63\x81\xcb\x85\xc8", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556fb55d00 brk(0x55556fb76d00) = 0x55556fb76d00 brk(0x55556fb77000) = 0x55556fb77000 mprotect(0x7f9ae4f2b000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0executing program ) = 0x200001000000 write(1, "executing program\n", 18) = 18 openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [ 28.100081][ T36] audit: type=1400 audit(1752643949.260:64): avc: denied { execmem } for pid=297 comm="syz-executor376" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 28.102391][ T297] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ioctl(3, KVM_CREATE_VM, 0) = 4 [ 28.119918][ T36] audit: type=1400 audit(1752643949.260:65): avc: denied { read } for pid=297 comm="syz-executor376" name="kvm" dev="devtmpfs" ino=13 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 28.159602][ T36] audit: type=1400 audit(1752643949.260:66): avc: denied { open } for pid=297 comm="syz-executor376" path="/dev/kvm" dev="devtmpfs" ino=13 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 ioctl(4, KVM_CREATE_IRQCHIP, 0) = 0 ioctl(4, KVM_CREATE_VCPU, 0) = 5 ioctl(5, KVM_SET_MSRS, 0x200000000040) = 0 ioctl(5, KVM_SET_LAPIC, 0x200000001240) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=4096, userspace_addr=0x200000448000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=1, flags=0, guest_phys_addr=0x1000, memory_size=4096, userspace_addr=0x200000449000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=2, flags=0, guest_phys_addr=0x2000, memory_size=4096, userspace_addr=0x20000044a000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=3, flags=0, guest_phys_addr=0x3000, memory_size=4096, userspace_addr=0x20000044b000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=4, flags=0, guest_phys_addr=0x4000, memory_size=4096, userspace_addr=0x20000044c000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=5, flags=0, guest_phys_addr=0x5000, memory_size=4096, userspace_addr=0x20000044d000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=6, flags=0, guest_phys_addr=0x6000, memory_size=4096, userspace_addr=0x20000044e000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=7, flags=0, guest_phys_addr=0x7000, memory_size=4096, userspace_addr=0x20000044f000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=8, flags=0, guest_phys_addr=0x8000, memory_size=4096, userspace_addr=0x200000450000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=9, flags=0, guest_phys_addr=0x9000, memory_size=4096, userspace_addr=0x200000451000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=10, flags=0, guest_phys_addr=0xfec00000, memory_size=4096, userspace_addr=0x200000452000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=11, flags=0, guest_phys_addr=0xb000, memory_size=4096, userspace_addr=0x200000453000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=12, flags=0, guest_phys_addr=0xc000, memory_size=4096, userspace_addr=0x200000454000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=13, flags=0, guest_phys_addr=0xd000, memory_size=4096, userspace_addr=0x200000455000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=14, flags=0, guest_phys_addr=0xe000, memory_size=4096, userspace_addr=0x200000456000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=15, flags=0, guest_phys_addr=0xf000, memory_size=4096, userspace_addr=0x200000457000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=16, flags=0, guest_phys_addr=0x10000, memory_size=4096, userspace_addr=0x200000458000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=17, flags=0, guest_phys_addr=0x11000, memory_size=4096, userspace_addr=0x200000459000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=18, flags=0, guest_phys_addr=0x12000, memory_size=4096, userspace_addr=0x20000045a000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=19, flags=0, guest_phys_addr=0x13000, memory_size=4096, userspace_addr=0x20000045b000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=20, flags=0, guest_phys_addr=0x14000, memory_size=4096, userspace_addr=0x20000045c000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=21, flags=0, guest_phys_addr=0x15000, memory_size=4096, userspace_addr=0x20000045d000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=22, flags=0, guest_phys_addr=0x16000, memory_size=4096, userspace_addr=0x20000045e000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=23, flags=0, guest_phys_addr=0x17000, memory_size=4096, userspace_addr=0x20000045f000}) = 0 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=65537, flags=0, guest_phys_addr=0x30000, memory_size=65536, userspace_addr=0x200000448000}) = 0 ioctl(5, KVM_GET_SREGS, {cs={base=0xffff0000, limit=65535, selector=61440, type=11, present=1, dpl=0, db=0, s=1, l=0, g=0, avl=0}, ...}) = 0 [ 28.183045][ T36] audit: type=1400 audit(1752643949.260:67): avc: denied { ioctl } for pid=297 comm="syz-executor376" path="/dev/kvm" dev="devtmpfs" ino=13 ioctlcmd=0xae01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 28.214817][ T297] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=2249738109 (287966477952 ns) > initial count (248453880064 ns). Using initial count to start timer. openat(AT_FDCWD, "/dev/kvm", O_RDWR) = 6 ioctl(6, KVM_GET_SUPPORTED_CPUID, {nent=31, entries=[...]}) = 0 ioctl(5, KVM_SET_CPUID2, {nent=31, entries=[...]}) = 0 close(6) = 0 ioctl(5, KVM_SET_SREGS, {cs={base=0, limit=65535, selector=0, type=11, present=1, dpl=0, db=0, s=1, l=0, g=0, avl=0}, ...}) = 0 ioctl(5, KVM_SET_REGS, {rax=0, ..., rsp=0xf80, rbp=0, ..., rip=0, rflags=0x245202}) = 0 madvise(0x200000000000, 6291459, 0x66 /* MADV_??? */) = 0 [ 28.263415][ T36] audit: type=1400 audit(1752643949.420:68): avc: denied { write } for pid=297 comm="syz-executor376" name="kvm" dev="devtmpfs" ino=13 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 28.298321][ T297] ------------[ cut here ]------------ [ 28.303843][ T297] WARNING: CPU: 1 PID: 297 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:3574 kvm_read_guest_offset_cached+0x26d/0x2a0 [ 28.316354][ T297] Modules linked in: [ 28.320391][ T297] CPU: 1 UID: 0 PID: 297 Comm: syz-executor376 Not tainted 6.12.30-syzkaller-g603af016e4a8 #0 c515e79d845c5a778cd5838f9063bc4edcb1333e [ 28.334329][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 28.344466][ T297] RIP: 0010:kvm_read_guest_offset_cached+0x26d/0x2a0 [ 28.351276][ T297] Code: bb f2 ff ff ff 0f 44 d8 31 ff e8 9e ab 71 00 89 d8 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d e9 49 06 74 04 cc e8 a3 a6 71 00 <0f> 0b b8 ea ff ff ff eb de 4c 8b 75 c0 4c 03 75 d0 e8 8d a6 71 00 [ 28.370938][ T297] RSP: 0018:ffffc9000121f3a0 EFLAGS: 00010293 [ 28.377078][ T297] RAX: ffffffff8114045d RBX: 0000000000000004 RCX: ffff88810378b900 [ 28.385237][ T297] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008 [ 28.393232][ T297] RBP: ffffc9000121f3f0 R08: 0000000000000004 R09: 1ffff11023fae007 [ 28.401252][ T297] R10: dffffc0000000000 R11: ffffed1023fae008 R12: ffff88811fd71128 [ 28.409310][ T297] R13: 0000000000000000 R14: ffffc90000d194a8 R15: 0000000000000008 [ 28.417404][ T297] FS: 000055556fb55380(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 28.426438][ T297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 28.433069][ T297] CR2: 0000000000000000 CR3: 0000000129096000 CR4: 00000000003526b0 [ 28.441124][ T297] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 28.449176][ T297] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 28.457213][ T297] Call Trace: [ 28.460512][ T297] [ 28.463538][ T297] kvm_arch_can_dequeue_async_page_present+0x142/0x300 [ 28.470538][ T297] ? __cfi_kvm_arch_can_dequeue_async_page_present+0x10/0x10 [ 28.477995][ T297] ? kvm_vcpu_has_events+0x49/0x630 [ 28.483242][ T297] kvm_check_async_pf_completion+0xf9/0x3d0 [ 28.489237][ T297] vcpu_run+0x2eab/0x7260 [ 28.493611][ T297] ? signal_pending+0xc0/0xc0 [ 28.498358][ T297] ? __kasan_check_write+0x18/0x20 [ 28.503498][ T297] ? xfd_validate_state+0x68/0x150 [ 28.508660][ T297] ? fpu_swap_kvm_fpstate+0x93/0x5f0 [ 28.514041][ T297] ? __kasan_check_write+0x18/0x20 [ 28.519229][ T297] ? fpregs_mark_activate+0x69/0x160 [ 28.524583][ T297] ? fpu_swap_kvm_fpstate+0x44d/0x5f0 [ 28.529992][ T297] kvm_arch_vcpu_ioctl_run+0x101a/0x1aa0 [ 28.535681][ T297] ? __cfi_kvm_arch_vcpu_ioctl_run+0x10/0x10 [ 28.541687][ T297] ? __cfi___switch_to+0x10/0x10 [ 28.546680][ T297] ? ioctl_has_perm+0x1aa/0x4d0 [ 28.551569][ T297] ? __asan_memcpy+0x5a/0x80 [ 28.556213][ T297] ? ioctl_has_perm+0x3e0/0x4d0 [ 28.561137][ T297] ? has_cap_mac_admin+0xd0/0xd0 [ 28.566151][ T297] ? __kasan_check_write+0x18/0x20 [ 28.571286][ T297] ? mutex_lock_killable+0x92/0x1c0 [ 28.576528][ T297] ? __cfi_mutex_lock_killable+0x10/0x10 [ 28.582199][ T297] kvm_vcpu_ioctl+0x96f/0xee0 [ 28.586933][ T297] ? __cfi_kvm_vcpu_ioctl+0x10/0x10 [ 28.592159][ T297] ? _raw_spin_lock_irq+0x8d/0x120 [ 28.597316][ T297] ? __cfi__raw_spin_lock_irq+0x10/0x10 [ 28.602885][ T297] ? __asan_memset+0x39/0x50 [ 28.607518][ T297] ? ptrace_stop+0x6c9/0x8c0 [ 28.612149][ T297] ? _raw_spin_unlock_irq+0x45/0x70 [ 28.617438][ T297] ? ptrace_notify+0x1e8/0x270 [ 28.622326][ T297] ? bpf_lsm_file_ioctl+0xd/0x20 [ 28.627346][ T297] ? security_file_ioctl+0x34/0xd0 [ 28.632502][ T297] ? __cfi_kvm_vcpu_ioctl+0x10/0x10 [ 28.637802][ T297] __se_sys_ioctl+0x135/0x1b0 [ 28.642529][ T297] __x64_sys_ioctl+0x7f/0xa0 [ 28.647202][ T297] x64_sys_call+0x1878/0x2ee0 [ 28.651919][ T297] do_syscall_64+0x58/0xf0 [ 28.656388][ T297] ? clear_bhb_loop+0x50/0xa0 [ 28.661111][ T297] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 28.667137][ T297] RIP: 0033:0x7f9ae4eb81f9 [ 28.671594][ T297] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 28.691269][ T297] RSP: 002b:00007fff7d2c7378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 28.699770][ T297] RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f9ae4eb81f9 [ 28.707827][ T297] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 [ 28.715859][ T297] RBP: 00007f9ae4f2b610 R08: 00007fff7d2c7548 R09: 00007fff7d2c7548 [ 28.723904][ T297] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 28.731902][ T297] R13: 00007fff7d2c7538 R14: 0000000000000001 R15: 0000000000000001 [ 28.739960][ T297] [ 28.742995][ T297] ---[ end trace 0000000000000000 ]---