./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor167060417 <...> Warning: Permanently added '10.128.1.174' (ED25519) to the list of known hosts. execve("./syz-executor167060417", ["./syz-executor167060417"], 0x7ffcde99fb00 /* 10 vars */) = 0 brk(NULL) = 0x555569c3f000 brk(0x555569c3fd00) = 0x555569c3fd00 arch_prctl(ARCH_SET_FS, 0x555569c3f380) = 0 set_tid_address(0x555569c3f650) = 298 set_robust_list(0x555569c3f660, 24) = 0 rseq(0x555569c3fca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor167060417", 4096) = 27 getrandom("\x81\x3a\x18\x00\x2e\x8e\xb0\x71", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555569c3fd00 brk(0x555569c60d00) = 0x555569c60d00 brk(0x555569c61000) = 0x555569c61000 mprotect(0x7f8e8650e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555569c3f650) = 299 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "299", 3) = 3 close(3) = 0 kill(299, SIGKILL) = 0 executing program ./strace-static-x86_64: Process 299 attached [pid 299] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=299, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- write(1, "executing program\n", 18) = 18 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8e7e05c000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 munmap(0x7f8e7e05c000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 close(4) = 0 mkdir("\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", 0777) = 0 [ 24.413178][ T28] audit: type=1400 audit(1732981138.147:66): avc: denied { execmem } for pid=298 comm="syz-executor167" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 24.427452][ T298] loop0: detected capacity change from 0 to 512 [ 24.433049][ T28] audit: type=1400 audit(1732981138.147:67): avc: denied { read write } for pid=298 comm="syz-executor167" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.457846][ T298] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor167: inode #1: comm syz-executor167: iget: illegal inode # [ 24.463146][ T28] audit: type=1400 audit(1732981138.147:68): avc: denied { open } for pid=298 comm="syz-executor167" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.476763][ T298] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor167: error while reading EA inode 1 err=-117 [ 24.500267][ T28] audit: type=1400 audit(1732981138.147:69): avc: denied { ioctl } for pid=298 comm="syz-executor167" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 24.538251][ T28] audit: type=1400 audit(1732981138.177:70): avc: denied { mounton } for pid=298 comm="syz-executor167" path=2F726F6F742FE91F7189591E9233614B dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 mount("/dev/loop0", "\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", "ext4", MS_DIRSYNC|MS_NOSYMFOLLOW|MS_NOATIME|MS_I_VERSION|0x200, ",errors=continue") = 0 openat(AT_FDCWD, "\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", O_RDONLY|O_DIRECTORY) = 3 chdir("\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b") = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 chdir("./file0") = 0 openat(AT_FDCWD, "net_prio.prioidx", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 mkdir("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 005) = 0 creat("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 5 symlink("./file0", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [ 24.538473][ T298] EXT4-fs (loop0): 1 orphan inode deleted [ 24.568102][ T298] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 24.577049][ T28] audit: type=1400 audit(1732981138.307:71): avc: denied { mount } for pid=298 comm="syz-executor167" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 24.597905][ T298] ================================================================== [ 24.599467][ T28] audit: type=1400 audit(1732981138.307:72): avc: denied { write } for pid=298 comm="syz-executor167" name="file0" dev="loop0" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.606714][ T298] BUG: KASAN: use-after-free in ext4_insert_dentry+0x389/0x720 [ 24.628788][ T28] audit: type=1400 audit(1732981138.307:73): avc: denied { add_name } for pid=298 comm="syz-executor167" name="net_prio.prioidx" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 24.636138][ T298] Write of size 250 at addr ffff8881152dcf18 by task syz-executor167/298 [ 24.636157][ T298] [ 24.636172][ T298] CPU: 1 PID: 298 Comm: syz-executor167 Not tainted 6.1.115-syzkaller-00041-ga887a44ace2a #0 [ 24.658291][ T28] audit: type=1400 audit(1732981138.307:74): avc: denied { create } for pid=298 comm="syz-executor167" name="net_prio.prioidx" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 24.665994][ T298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 24.666008][ T298] Call Trace: [ 24.666023][ T298] [ 24.666031][ T298] dump_stack_lvl+0x151/0x1b7 [ 24.668569][ T28] audit: type=1400 audit(1732981138.307:75): avc: denied { read append open } for pid=298 comm="syz-executor167" path=2F726F6F742FE91F7189591E9233614B2F66696C65302F6E65745F7072696F2E7072696F696478 dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 24.678144][ T298] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 24.678172][ T298] ? _printk+0xd1/0x111 [ 24.757823][ T298] ? __virt_addr_valid+0x242/0x2f0 [ 24.762766][ T298] print_report+0x158/0x4e0 [ 24.767104][ T298] ? __virt_addr_valid+0x242/0x2f0 [ 24.772057][ T298] ? kasan_addr_to_slab+0xd/0x80 [ 24.776823][ T298] ? ext4_insert_dentry+0x389/0x720 [ 24.781858][ T298] kasan_report+0x13c/0x170 [ 24.786198][ T298] ? ext4_insert_dentry+0x389/0x720 [ 24.791235][ T298] kasan_check_range+0x294/0x2a0 [ 24.796006][ T298] ? ext4_insert_dentry+0x389/0x720 [ 24.801041][ T298] memcpy+0x44/0x70 [ 24.804684][ T298] ext4_insert_dentry+0x389/0x720 [ 24.809546][ T298] add_dirent_to_buf+0x38c/0x780 [ 24.814320][ T298] ? ext4_dx_add_entry+0x1620/0x1620 [ 24.819441][ T298] ? ext4_handle_dirty_dx_node+0x41c/0x580 [ 24.825093][ T298] make_indexed_dir+0xf29/0x1590 [ 24.829856][ T298] ? add_dirent_to_buf+0x780/0x780 [ 24.834800][ T298] ? add_dirent_to_buf+0x558/0x780 [ 24.839754][ T298] ? ext4_dx_add_entry+0x1620/0x1620 [ 24.844869][ T298] ? __kasan_check_read+0x11/0x20 [ 24.849733][ T298] ? __ext4_read_dirblock+0x56f/0x8e0 [ 24.854938][ T298] ext4_add_entry+0xbbf/0xed0 [ 24.859450][ T298] ? ext4_inc_count+0x190/0x190 [ 24.864136][ T298] ? ext4_init_new_dir+0x515/0x620 [ 24.869086][ T298] ? ext4_init_dot_dotdot+0x5d0/0x5d0 [ 24.874291][ T298] ext4_mkdir+0x54f/0xce0 [ 24.878459][ T298] ? ext4_symlink+0xc10/0xc10 [ 24.882970][ T298] ? selinux_inode_mkdir+0x22/0x30 [ 24.887916][ T298] ? security_inode_mkdir+0xbc/0x100 [ 24.893038][ T298] vfs_mkdir+0x398/0x570 [ 24.897119][ T298] do_mkdirat+0x1eb/0x450 [ 24.901284][ T298] ? vfs_mkdir+0x570/0x570 [ 24.905534][ T298] ? getname_flags+0x1fd/0x520 [ 24.910136][ T298] __x64_sys_mkdirat+0x89/0xa0 [ 24.914736][ T298] x64_sys_call+0x6c6/0x9a0 [ 24.919074][ T298] do_syscall_64+0x3b/0xb0 [ 24.923327][ T298] ? clear_bhb_loop+0x55/0xb0 [ 24.927842][ T298] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 24.933568][ T298] RIP: 0033:0x7f8e8649a819 [ 24.937821][ T298] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 24.957263][ T298] RSP: 002b:00007ffe77255668 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 [ 24.965506][ T298] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007f8e8649a819 [ 24.973320][ T298] RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 00000000ffffff9c [ 24.981130][ T298] RBP: 000000000000012b R08: 0000555500393932 R09: 0000555500393932 [ 24.988939][ T298] R10: 0000555500393932 R11: 0000000000000246 R12: 00007ffe77255770 [ 24.996752][ T298] R13: 00007ffe77255938 R14: 0000000000000001 R15: 0000000000000001 [ 25.004566][ T298] [ 25.007427][ T298] [ 25.009596][ T298] The buggy address belongs to the physical page: [ 25.015854][ T298] page:ffffea000454b700 refcount:3 mapcount:0 mapping:ffff88810054f650 index:0x3f pfn:0x1152dc [ 25.026001][ T298] memcg:ffff888100334000 [ 25.030093][ T298] aops:def_blk_aops ino:700000 [ 25.034681][ T298] flags: 0x420000000000204a(referenced|dirty|workingset|private|zone=1) [ 25.042848][ T298] raw: 420000000000204a 0000000000000000 dead000000000122 ffff88810054f650 [ 25.051265][ T298] raw: 000000000000003f ffff888123d6a498 00000003ffffffff ffff888100334000 [ 25.059677][ T298] page dumped because: kasan: bad access detected [ 25.065929][ T298] page_owner tracks the page as allocated [ 25.071481][ T298] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 298, tgid 298 (syz-executor167), ts 24597397389, free_ts 18917580587 [ 25.091705][ T298] post_alloc_hook+0x213/0x220 [ 25.096302][ T298] prep_new_page+0x1b/0x110 [ 25.100642][ T298] get_page_from_freelist+0x2980/0x2a10 [ 25.106022][ T298] __alloc_pages+0x234/0x610 [ 25.110476][ T298] __folio_alloc+0x15/0x40 [ 25.114703][ T298] __filemap_get_folio+0x827/0xae0 [ 25.119647][ T298] pagecache_get_page+0x2f/0x110 [ 25.124421][ T298] __getblk_gfp+0x205/0x7d0 [ 25.128760][ T298] ext4_getblk+0x2a7/0x7b0 [ 25.133015][ T298] ext4_bread+0x2f/0x180 [ 25.137094][ T298] ext4_append+0x31f/0x5b0 [ 25.141345][ T298] make_indexed_dir+0x518/0x1590 [ 25.146118][ T298] ext4_add_entry+0xbbf/0xed0 [ 25.150634][ T298] ext4_mkdir+0x54f/0xce0 [ 25.154801][ T298] vfs_mkdir+0x398/0x570 [ 25.158882][ T298] do_mkdirat+0x1eb/0x450 [ 25.163044][ T298] page last free stack trace: [ 25.167555][ T298] free_unref_page_prepare+0x83d/0x850 [ 25.172853][ T298] free_unref_page_list+0xf1/0x7b0 [ 25.177797][ T298] release_pages+0xf7f/0xfe0 [ 25.182360][ T298] free_pages_and_swap_cache+0x8a/0xa0 [ 25.187633][ T298] tlb_finish_mmu+0x1e0/0x3f0 [ 25.192143][ T298] exit_mmap+0x460/0xbe0 [ 25.196226][ T298] __mmput+0x95/0x310 [ 25.200040][ T298] mmput+0x56/0x170 [ 25.203689][ T298] do_exit+0xb29/0x2b80 [ 25.207678][ T298] do_group_exit+0x21a/0x2d0 [ 25.212103][ T298] __x64_sys_exit_group+0x3f/0x40 [ 25.216963][ T298] x64_sys_call+0x610/0x9a0 [ 25.221305][ T298] do_syscall_64+0x3b/0xb0 [ 25.225558][ T298] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 25.231287][ T298] [ 25.233456][ T298] Memory state around the buggy address: [ 25.238928][ T298] ffff8881152dcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.246823][ T298] ffff8881152dcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 25.254736][ T298] >ffff8881152dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 25.262620][ T298] ^ mkdirat(AT_FDCWD, "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 exit_group(0) = ? +++ exited with 0 +++ [ 25.26