./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2958588293
<...>
Warning: Permanently added '10.128.0.116' (ED25519) to the list of known hosts.
execve("./syz-executor2958588293", ["./syz-executor2958588293"], 0x7ffdf739fc30 /* 10 vars */) = 0
brk(NULL) = 0x555556a15000
brk(0x555556a15d00) = 0x555556a15d00
arch_prctl(ARCH_SET_FS, 0x555556a15380) = 0
set_tid_address(0x555556a15650) = 297
set_robust_list(0x555556a15660, 24) = 0
rseq(0x555556a15ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2958588293", 4096) = 28
getrandom("\x05\x05\xc8\x5f\x5c\xf0\x77\x06", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555556a15d00
brk(0x555556a36d00) = 0x555556a36d00
brk(0x555556a37000) = 0x555556a37000
mprotect(0x7fdbbffa3000, 16384, PROT_READ) = 0
mmap(0x3ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ffffffff000
mmap(0x400000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000000000
mmap(0x400001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400001000000
write(1, "executing program\n", 18executing program
) = 18
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdbb7af3000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144
munmap(0x7fdbb7af3000, 138412032) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[ 23.766272][ T28] audit: type=1400 audit(1741467061.085:66): avc: denied { execmem } for pid=297 comm="syz-executor295" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 23.785946][ T28] audit: type=1400 audit(1741467061.115:67): avc: denied { read write } for pid=297 comm="syz-executor295" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 23.786726][ T297] loop0: detected capacity change from 0 to 512
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
close(4) = 0
mkdir("./file2", 0777) = 0
[ 23.810465][ T28] audit: type=1400 audit(1741467061.115:68): avc: denied { open } for pid=297 comm="syz-executor295" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 23.829277][ T297] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[ 23.840134][ T28] audit: type=1400 audit(1741467061.115:69): avc: denied { ioctl } for pid=297 comm="syz-executor295" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 23.878468][ T297] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode
[ 23.888294][ T28] audit: type=1400 audit(1741467061.135:70): avc: denied { mounton } for pid=297 comm="syz-executor295" path="/root/file2" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
mount("/dev/loop0", "./file2", "ext4", MS_NODEV|MS_NOATIME, "nogrpid,resuid=0x0000000000000000,debug_want_extra_isize=0x0000000000000068,debug,nombcache,quota,,e"...) = 0
openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3
chdir("./file2") = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
lsetxattr("./file1", "trusted.overlay.upper", "\x65\x78\x74\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65079, 0) = 0
creat("./file2", 0655) = 4
[ 23.888833][ T297] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=a00ec019, mo2=0002]
[ 23.918515][ T297] System zones: 1-12
[ 23.923556][ T297] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2809: Unable to expand inode 15. Delete some EAs or run e2fsck.
[ 23.936745][ T297] EXT4-fs (loop0): 1 truncate cleaned up
[ 23.942360][ T297] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback.
[ 23.951219][ T28] audit: type=1400 audit(1741467061.275:71): avc: denied { mount } for pid=297 comm="syz-executor295" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 23.969598][ T297] ==================================================================
[ 23.973331][ T28] audit: type=1400 audit(1741467061.285:72): avc: denied { setattr } for pid=297 comm="syz-executor295" name="file1" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 23.980799][ T297] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x909/0x1fa0
[ 23.980846][ T297] Read of size 18446744073709551572 at addr ffff88810023d050 by task syz-executor295/297
[ 24.003439][ T28] audit: type=1400 audit(1741467061.285:73): avc: denied { write } for pid=297 comm="syz-executor295" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 24.010741][ T297]
[ 24.010760][ T297] CPU: 0 PID: 297 Comm: syz-executor295 Not tainted 6.1.128-syzkaller-00002-g44db4837f75e #0
[ 24.010783][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 24.020733][ T28] audit: type=1400 audit(1741467061.285:74): avc: denied { add_name } for pid=297 comm="syz-executor295" name="file2" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 24.042000][ T297] Call Trace:
[ 24.042015][ T297] <TASK>
[ 24.042023][ T297] dump_stack_lvl+0x151/0x1b7
[ 24.042056][ T297] ? nf_tcp_handle_invalid+0x3f1/0x3f1
[ 24.042082][ T297] ? _printk+0xd1/0x111
[ 24.044790][ T28] audit: type=1400 audit(1741467061.285:75): avc: denied { create } for pid=297 comm="syz-executor295" name="file2" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 24.054576][ T297] ? __virt_addr_valid+0x242/0x2f0
[ 24.054614][ T297] print_report+0x158/0x4e0
[ 24.134338][ T297] ? __virt_addr_valid+0x242/0x2f0
[ 24.139282][ T297] ? kasan_complete_mode_report_info+0x57/0x1b0
[ 24.145355][ T297] ? ext4_xattr_set_entry+0x909/0x1fa0
[ 24.150648][ T297] kasan_report+0x13c/0x170
[ 24.155159][ T297] ? ext4_xattr_set_entry+0x909/0x1fa0
[ 24.160442][ T297] kasan_check_range+0x294/0x2a0
[ 24.165223][ T297] ? ext4_xattr_set_entry+0x909/0x1fa0
[ 24.170510][ T297] memmove+0x2d/0x70
[ 24.174245][ T297] ext4_xattr_set_entry+0x909/0x1fa0
[ 24.179367][ T297] ? ext4_xattr_inode_lookup_create+0x1a60/0x1a60
[ 24.185726][ T297] ? memcpy+0x56/0x70
[ 24.189542][ T297] ext4_xattr_block_set+0x99c/0x37f0
[ 24.194666][ T297] ? ext4_drop_inode+0x90/0x1a0
[ 24.199435][ T297] ? __getblk_gfp+0x3d/0x7d0
[ 24.203858][ T297] ? ext4_xattr_block_find+0x320/0x320
[ 24.209151][ T297] ? xattr_find_entry+0x23c/0x300
[ 24.214013][ T297] ? ext4_xattr_block_find+0x2ac/0x320
[ 24.219304][ T297] ext4_expand_extra_isize_ea+0x10eb/0x1c40
[ 24.225056][ T297] ? ext4_xattr_set+0x3d0/0x3d0
[ 24.229721][ T297] ? rwsem_write_trylock+0x153/0x340
[ 24.234874][ T297] ? dquot_initialize_needed+0x13d/0x370
[ 24.240308][ T297] __ext4_expand_extra_isize+0x31a/0x420
[ 24.245779][ T297] __ext4_mark_inode_dirty+0x4bb/0x7d0
[ 24.251071][ T297] ? sb_end_intwrite+0x130/0x130
[ 24.255846][ T297] ? current_time+0x1ba/0x300
[ 24.260356][ T297] ? atime_needs_update+0x810/0x810
[ 24.265390][ T297] ? __kasan_check_write+0x14/0x20
[ 24.270336][ T297] ? drop_nlink+0xa9/0x110
[ 24.274590][ T297] __ext4_unlink+0x6ed/0xba0
[ 24.279536][ T297] ? __ext4_read_dirblock+0x8e0/0x8e0
[ 24.284745][ T297] ? rwsem_mark_wake+0x770/0x770
[ 24.289518][ T297] ext4_unlink+0x142/0x3f0
[ 24.293897][ T297] vfs_unlink+0x38c/0x630
[ 24.298047][ T297] do_unlinkat+0x483/0x920
[ 24.302302][ T297] ? fsnotify_link_count+0x100/0x100
[ 24.307422][ T297] ? strncpy_from_user+0x169/0x2b0
[ 24.312368][ T297] ? getname_flags+0x1fd/0x520
[ 24.316968][ T297] __x64_sys_unlink+0x49/0x50
[ 24.321478][ T297] x64_sys_call+0x289/0x9a0
[ 24.325819][ T297] do_syscall_64+0x3b/0xb0
[ 24.330071][ T297] ? clear_bhb_loop+0x55/0xb0
[ 24.334584][ T297] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 24.340320][ T297] RIP: 0033:0x7fdbbff30a39
[ 24.344653][ T297] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 24.364094][ T297] RSP: 002b:00007ffe95b25918 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[ 24.372337][ T297] RAX: ffffffffffffffda RBX: 0000400000000040 RCX: 00007fdbbff30a39
[ 24.380151][ T297] RDX: 00007fdbbff30a39 RSI: 00007fdbbff30a39 RDI: 0000400000000180
[ 24.387963][ T297] RBP: 0031656c69662f2e R08: 0000000000000000 R09: 0000000000000000
[ 24.395889][ T297] R10: 0000000000000000 R11: 0000000000000246 R12: 0032656c69662f2e
[ 24.403728][ T297] R13: 00007ffe95b25af8 R14: 0000000000000001 R15: 0000000000000001
[ 24.411520][ T297] </TASK>
[ 24.414375][ T297]
[ 24.416548][ T297] Allocated by task 297:
[ 24.420631][ T297] kasan_set_track+0x4b/0x70
[ 24.425046][ T297] kasan_save_alloc_info+0x1f/0x30
[ 24.429998][ T297] __kasan_kmalloc+0x9c/0xb0
[ 24.434424][ T297] __kmalloc_node_track_caller+0xb3/0x1e0
[ 24.440065][ T297] kmemdup+0x29/0x60
[ 24.443795][ T297] ext4_xattr_block_set+0x80f/0x37f0
[ 24.448915][ T297] ext4_expand_extra_isize_ea+0x10eb/0x1c40
[ 24.454644][ T297] __ext4_expand_extra_isize+0x31a/0x420
[ 24.460112][ T297] __ext4_mark_inode_dirty+0x4bb/0x7d0
[ 24.465405][ T297] __ext4_unlink+0x6ed/0xba0
[ 24.469831][ T297] ext4_unlink+0x142/0x3f0
[ 24.474083][ T297] vfs_unlink+0x38c/0x630
[ 24.478249][ T297] do_unlinkat+0x483/0x920
[ 24.482505][ T297] __x64_sys_unlink+0x49/0x50
[ 24.487017][ T297] x64_sys_call+0x289/0x9a0
[ 24.491356][ T297] do_syscall_64+0x3b/0xb0
[ 24.495611][ T297] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 24.501340][ T297]
[ 24.503508][ T297] The buggy address belongs to the object at ffff88810023d000
[ 24.503508][ T297] which belongs to the cache kmalloc-1k of size 1024
[ 24.517394][ T297] The buggy address is located 80 bytes inside of
[ 24.517394][ T297] 1024-byte region [ffff88810023d000, ffff88810023d400)
[ 24.530506][ T297]
[ 24.532670][ T297] The buggy address belongs to the physical page:
[ 24.538924][ T297] page:ffffea0004008e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100238
[ 24.549127][ T297] head:ffffea0004008e00 order:3 compound_mapcount:0 compound_pincount:0
[ 24.557278][ T297] flags: 0x4000000000010200(slab|head|zone=1)
[ 24.563198][ T297] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043080
[ 24.571605][ T297] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 24.580018][ T297] page dumped because: kasan: bad access detected
[ 24.586276][ T297] page_owner tracks the page as allocated
[ 24.591819][ T297] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 291, tgid 291 (sshd), ts 23954127397, free_ts 23953855578
[ 24.612246][ T297] post_alloc_hook+0x213/0x220
[ 24.616839][ T297] prep_new_page+0x1b/0x110
[ 24.621179][ T297] get_page_from_freelist+0x3a98/0x3b10
[ 24.626568][ T297] __alloc_pages+0x234/0x610
[ 24.630986][ T297] alloc_slab_page+0x6c/0xf0
[ 24.635414][ T297] new_slab+0x90/0x3e0
[ 24.639414][ T297] ___slab_alloc+0x6f9/0xb80
[ 24.643832][ T297] __slab_alloc+0x5d/0xa0
[ 24.647997][ T297] __kmem_cache_alloc_node+0x207/0x2a0
[ 24.653319][ T297] __kmalloc_node_track_caller+0xa2/0x1e0
[ 24.658845][ T297] __alloc_skb+0x125/0x2d0
[ 24.663098][ T297] tcp_stream_alloc_skb+0x46/0x340
[ 24.668063][ T297] tcp_sendmsg_locked+0xda6/0x4000
[ 24.672992][ T297] tcp_sendmsg+0x2f/0x50
[ 24.677073][ T297] inet_sendmsg+0xa1/0xc0
[ 24.681239][ T297] sock_write_iter+0x394/0x4e0
[ 24.685840][ T297] page last free stack trace:
[ 24.690353][ T297] free_unref_page_prepare+0x9f1/0xa00
[ 24.695648][ T297] free_unref_page+0xb2/0x5c0
[ 24.700158][ T297] free_compound_page+0x9d/0xd0
[ 24.704845][ T297] destroy_large_folio+0x56/0x90
[ 24.709618][ T297] __folio_put+0xcf/0xe0
[ 24.713698][ T297] page_to_skb+0x7c1/0xbe0
[ 24.717952][ T297] receive_buf+0x4fc/0x5000
[ 24.722289][ T297] virtnet_poll+0x6d5/0x1450
[ 24.726719][ T297] __napi_poll+0xbe/0x5c0
[ 24.730885][ T297] net_rx_action+0x595/0xdd0
[ 24.735333][ T297] handle_softirqs+0x1db/0x650
[ 24.739916][ T297] __do_softirq+0xb/0xd
[ 24.743903][ T297]
[ 24.746072][ T297] Memory state around the buggy address:
[ 24.751549][ T297] ffff88810023cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.759443][ T297] ffff88810023cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
unlink("./file1") = 0
exit_group(0) = ?
+++ exited with 0 +++
[ 24.767428][ T297] >ffff88810023d000: