./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3401476885

<...>
Warning: Permanently added '10.128.0.212' (ED25519) to the list of known hosts.
execve("./syz-executor3401476885", ["./syz-executor3401476885"], 0x7ffe4a806b70 /* 10 vars */) = 0
brk(NULL)                               = 0x555567027000
brk(0x555567027d00)                     = 0x555567027d00
arch_prctl(ARCH_SET_FS, 0x555567027380) = 0
set_tid_address(0x555567027650)         = 282
set_robust_list(0x555567027660, 24)     = 0
rseq(0x555567027ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented)
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor3401476885", 4096) = 28
getrandom("\xbf\xb5\x2d\x65\x45\x6a\x4f\x66", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x555567027d00
brk(0x555567048d00)                     = 0x555567048d00
brk(0x555567049000)                     = 0x555567049000
mprotect(0x7f4d0fd19000, 16384, PROT_READ) = 0
mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000
mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000
mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000
write(1, "executing program\n", 18executing program
)     = 18
memfd_create("syzkaller", 0)            = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4d07869000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144
munmap(0x7f4d07869000, 138412032)       = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 4
ioctl(4, LOOP_SET_FD, 3)                = 0
close(3)                                = 0
[   29.372958][   T24] audit: type=1400 audit(1755825191.230:64): avc:  denied  { execmem } for  pid=282 comm="syz-executor340" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   29.399976][   T24] audit: type=1400 audit(1755825191.250:65): avc:  denied  { read write } for  pid=282 comm="syz-executor340" name="loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[   29.435466][   T24] audit: type=1400 audit(1755825191.250:66): avc:  denied  { open } for  pid=282 comm="syz-executor340" path="/dev/loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[   29.470582][   T24] audit: type=1400 audit(1755825191.250:67): avc:  denied  { ioctl } for  pid=282 comm="syz-executor340" path="/dev/loop0" dev="devtmpfs" ino=115 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
close(4)                                = 0
mkdir("./file2", 0777)                  = 0
[   29.573663][   T24] audit: type=1400 audit(1755825191.430:68): avc:  denied  { mounton } for  pid=282 comm="syz-executor340" path="/root/file2" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[   29.653221][  T282] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[   29.668800][  T282] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode
[   29.682710][  T282] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2815: Unable to expand inode 15. Delete some EAs or run e2fsck.
[   29.703479][  T282] EXT4-fs (loop0): 1 truncate cleaned up
[   29.710331][  T282] EXT4-fs (loop0): mounted filesystem without journal. Opts: init_itable=0x0000000000000000,jqfmt=vfsold,debug_want_extra_isize=0x000000000000006a,user_xattr,errors=remount-ro,quota,
mount("/dev/loop0", "./file2", "ext4", MS_NODEV|MS_NOATIME, "init_itable=0x0000000000000000,jqfmt=vfsold,debug_want_extra_isize=0x000000000000006a,user_xattr,err"...) = 0
openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3
chdir("./file2")                        = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 4
ioctl(4, LOOP_CLR_FD)                   = 0
close(4)                                = 0
lsetxattr("./file1", "trusted.overlay.upper", "\x2e\x2f\x66\x69\x6c\x65\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x69\x6e\x69\x74\x5f\x69\x74\x61\x62\x6c\x65\x3d\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x2c\x6a\x71\x66\x6d\x74"..., 865, 0) = 0
creat("./file2", 043)                   = 4
[   29.735937][   T24] audit: type=1400 audit(1755825191.600:69): avc:  denied  { mount } for  pid=282 comm="syz-executor340" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[   29.742245][  T282] ==================================================================
[   29.772527][   T24] audit: type=1400 audit(1755825191.600:70): avc:  denied  { setattr } for  pid=282 comm="syz-executor340" name="file1" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[   29.772593][  T282] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x1339/0x36c0
[   29.799951][   T24] audit: type=1400 audit(1755825191.600:71): avc:  denied  { write } for  pid=282 comm="syz-executor340" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[   29.807554][  T282] Read of size 18446744073709551540 at addr ffff888104bef070 by task syz-executor340/282
[   29.807558][  T282] 
[   29.807583][  T282] CPU: 0 PID: 282 Comm: syz-executor340 Not tainted 5.10.240-syzkaller #0
[   29.807599][  T282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025
[   29.832467][   T24] audit: type=1400 audit(1755825191.600:72): avc:  denied  { add_name } for  pid=282 comm="syz-executor340" name="file2" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[   29.844744][  T282] Call Trace:
[   29.844768][  T282]  __dump_stack+0x21/0x24
[   29.844780][  T282]  dump_stack_lvl+0x169/0x1d8
[   29.844792][  T282]  ? show_regs_print_info+0x18/0x18
[   29.844803][  T282]  ? thaw_kernel_threads+0x220/0x220
[   29.844815][  T282]  print_address_description+0x7f/0x2c0
[   29.844838][  T282]  ? ext4_xattr_set_entry+0x1339/0x36c0
[   29.847802][   T24] audit: type=1400 audit(1755825191.600:73): avc:  denied  { create } for  pid=282 comm="syz-executor340" name="file2" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[   29.857025][  T282]  kasan_report+0xe2/0x130
[   29.857041][  T282]  ? ext4_xattr_set_entry+0x1339/0x36c0
[   29.857063][  T282]  ? ext4_xattr_set_entry+0x1339/0x36c0
[   30.019351][  T282]  kasan_check_range+0x280/0x290
[   30.026300][  T282]  memmove+0x2d/0x70
[   30.032638][  T282]  ext4_xattr_set_entry+0x1339/0x36c0
[   30.039694][  T282]  ? fscrypt_drop_inode+0xad/0x110
[   30.046890][  T282]  ? ext4_xattr_ibody_set+0x360/0x360
[   30.053904][  T282]  ? slab_post_alloc_hook+0x7d/0x2f0
[   30.062448][  T282]  ? __ext4_journal_get_write_access+0x21b/0x490
[   30.071077][  T282]  ? __wake_up_bit+0x100/0x100
[   30.078175][  T282]  ? ext4_xattr_block_set+0x847/0x2a50
[   30.084925][  T282]  ? __kmalloc_track_caller+0x181/0x320
[   30.093192][  T282]  ? memcpy+0x56/0x70
[   30.098477][  T282]  ext4_xattr_block_set+0x92f/0x2a50
[   30.106115][  T282]  ? __kasan_check_read+0x11/0x20
[   30.114488][  T282]  ? __ext4_xattr_check_block+0x265/0x8e0
[   30.121976][  T282]  ? ext4_xattr_block_find+0x4f0/0x4f0
[   30.128810][  T282]  ? __kasan_check_write+0x14/0x20
[   30.136056][  T282]  ext4_xattr_set_handle+0xba5/0x12a0
[   30.143089][  T282]  ? ext4_xattr_set_entry+0x36c0/0x36c0
[   30.150535][  T282]  ? __kasan_check_read+0x11/0x20
[   30.157028][  T282]  ? __ext4_journal_start_sb+0x2e2/0x490
[   30.165995][  T282]  ext4_xattr_set+0x1ec/0x320
[   30.172216][  T282]  ? ext4_xattr_set_credits+0x290/0x290
[   30.179219][  T282]  ext4_xattr_trusted_set+0x3b/0x50
[   30.186462][  T282]  ? ext4_xattr_trusted_get+0x40/0x40
[   30.193235][  T282]  __vfs_setxattr+0x42a/0x480
[   30.198741][  T282]  __vfs_setxattr_noperm+0x11e/0x4e0
[   30.205095][  T282]  __vfs_setxattr_locked+0x203/0x220
[   30.212520][  T282]  vfs_setxattr+0x8d/0x1c0
[   30.218105][  T282]  setxattr+0x1a9/0x370
[   30.224945][  T282]  ? path_setxattr+0x210/0x210
[   30.230885][  T282]  ? __mnt_want_write+0x1e6/0x260
[   30.236770][  T282]  ? mnt_want_write+0x19d/0x270
[   30.243494][  T282]  path_setxattr+0x110/0x210
[   30.248666][  T282]  ? simple_xattr_list_add+0x120/0x120
[   30.256812][  T282]  ? fpu__clear_all+0x20/0x20
[   30.262973][  T282]  ? filp_close+0x105/0x150
[   30.268968][  T282]  __x64_sys_lsetxattr+0xc2/0xe0
[   30.275953][  T282]  do_syscall_64+0x31/0x40
[   30.281551][  T282]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   30.289889][  T282] RIP: 0033:0x7f4d0fca6af9
[   30.296631][  T282] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   30.335362][  T282] RSP: 002b:00007ffc105e3b38 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
[   30.346601][  T282] RAX: ffffffffffffffda RBX: 00002000000001c0 RCX: 00007f4d0fca6af9
[   30.361298][  T282] RDX: 0000200000000040 RSI: 0000200000000300 RDI: 0000200000000100
[   30.372223][  T282] RBP: 0000200000000040 R08: 0000000000000000 R09: 0000000000000000
[   30.383098][  T282] R10: 000000000000fe37 R11: 0000000000000246 R12: 0072657070752e79
[   30.396635][  T282] R13: 0032656c69662f2e R14: 0031656c69662f2e R15: 0000000000000001
[   30.408487][  T282] 
[   30.412668][  T282] Allocated by task 0:
[   30.419699][  T282] (stack is not available)
[   30.424941][  T282] 
[   30.428026][  T282] The buggy address belongs to the object at ffff888104bef000
[   30.428026][  T282]  which belongs to the cache kmalloc-1k of size 1024
[   30.447917][  T282] The buggy address is located 112 bytes inside of
[   30.447917][  T282]  1024-byte region [ffff888104bef000, ffff888104bef400)
[   30.464873][  T282] The buggy address belongs to the page:
[   30.473229][  T282] page:ffffea000412fa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104be8
[   30.485934][  T282] head:ffffea000412fa00 order:3 compound_mapcount:0 compound_pincount:0
[   30.497197][  T282] flags: 0x4000000000010200(slab|head)
[   30.504247][  T282] raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042f00
[   30.513836][  T282] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   30.525412][  T282] page dumped because: kasan: bad access detected
[   30.534244][  T282] page_owner tracks the page as allocated
[   30.542040][  T282] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 282, ts 29737134338, free_ts 29656987537
[   30.568067][  T282]  prep_new_page+0x179/0x180
[   30.573483][  T282]  get_page_from_freelist+0x2235/0x23d0
[   30.581405][  T282]  __alloc_pages_nodemask+0x268/0x5f0
[   30.588206][  T282]  new_slab+0x84/0x3f0
[   30.593112][  T282]  ___slab_alloc+0x2a6/0x450
[   30.600021][  T282]  __slab_alloc+0x63/0xa0
[   30.606330][  T282]  __kmalloc+0x201/0x330
[   30.611942][  T282]  kvmalloc_node+0x88/0x130
[   30.617816][  T282]  setxattr+0x1c0/0x370
[   30.623380][  T282]  path_setxattr+0x110/0x210
[   30.630287][  T282]  __x64_sys_lsetxattr+0xc2/0xe0
[   30.637330][  T282]  do_syscall_64+0x31/0x40
[   30.643688][  T282]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   30.650955][  T282] page last free stack trace:
[   30.657254][  T282]  __free_pages_ok+0x7fc/0x820
[   30.664740][  T282]  __free_pages+0xdd/0x380
[   30.669855][  T282]  __free_slab+0xcf/0x190
[   30.675126][  T282]  unfreeze_partials+0x15f/0x190
[   30.681391][  T282]  put_cpu_partial+0xc1/0x180
[   30.687267][  T282]  __slab_free+0x2c9/0x3a0
[   30.693133][  T282]  ___cache_free+0x111/0x130
[   30.699295][  T282]  qlink_free+0x50/0x90
[   30.705256][  T282]  qlist_free_all+0x5f/0xb0
[   30.711231][  T282]  kasan_quarantine_reduce+0x14a/0x160
[   30.718100][  T282]  __kasan_slab_alloc+0x2f/0xf0
[   30.723782][  T282]  slab_post_alloc_hook+0x5d/0x2f0
[   30.730280][  T282]  kmem_cache_alloc+0x165/0x2e0
[   30.740082][  T282]  getname_flags+0xb9/0x500
[   30.747368][  T282]  user_path_at_empty+0x2f/0x50
[   30.756088][  T282]  vfs_statx+0xff/0x520
[   30.762257][  T282] 
[   30.765776][  T282] Memory state around the buggy address:
[   30.773602][  T282]  ffff888104beef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.791022][  T282]  ffff888104beef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
lsetxattr("./file1", "trusted.overlay.upper", "\x65\x78\x74\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65079, 0) = 0
exit_group(0)                           = ?
+++ exited with 0 +++
[   30.801666][  T282] >ffff888104bef000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0