./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2917137260 <...> Warning: Permanently added '10.128.10.0' (ED25519) to the list of known hosts. execve("./syz-executor2917137260", ["./syz-executor2917137260"], 0x7fff616b5b80 /* 10 vars */) = 0 brk(NULL) = 0x555561137000 brk(0x555561137e00) = 0x555561137e00 arch_prctl(ARCH_SET_FS, 0x555561137480) = 0 set_tid_address(0x555561137750) = 307 set_robust_list(0x555561137760, 24) = 0 rseq(0x555561137da0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2917137260", 4096) = 28 getrandom("\x84\xef\x39\x8e\x75\xb7\x25\x9c", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555561137e00 brk(0x555561158e00) = 0x555561158e00 brk(0x555561159000) = 0x555561159000 mprotect(0x7f6cbcec0000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555561137750) = 308 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC./strace-static-x86_64: Process 308 attached ) = 3 [pid 307] write(3, "10000000000", 11) = 11 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "20", 2) = 2 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "1", 1 [pid 308] set_robust_list(0x555561137760, 24 [pid 307] <... write resumed>) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "0", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "0", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "1", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC [pid 308] <... set_robust_list resumed>) = 0 [pid 307] <... openat resumed>) = 3 [pid 307] write(3, "100", 3) = 3 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "0", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "0", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "7 4 1 3", 7) = 7 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "1", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "1", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "0", 1) = 1 [pid 307] close(3) = 0 [pid 307] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 [pid 307] write(3, "308", 3) = 3 [pid 307] close(3) = 0 [pid 307] kill(308, SIGKILL) = 0 [pid 308] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=308, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- mount(NULL, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, NULL) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/register", O_WRONLY|O_CLOEXEC) = 3 write(3, "\x3a\x73\x79\x7a\x30\x3a\x4d\x3a\x30\x3a\x01\x3a\x3a\x2e\x2f\x66\x69\x6c\x65\x30\x3a", 21) = 21 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/register", O_WRONLY|O_CLOEXEC) = 3 write(3, "\x3a\x73\x79\x7a\x31\x3a\x4d\x3a\x31\x3a\x02\x3a\x3a\x2e\x2f\x66\x69\x6c\x65\x30\x3a\x50\x4f\x43", 24) = 24 close(3) = 0 chmod("/dev/raw-gadget", 0666) = 0 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f6cbce106c0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f6cbce1c0a0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f6cbce106c0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f6cbce1c0a0}, NULL, 8) = 0 unshare(CLONE_NEWPID) = 0 [ 41.946855][ T24] audit: type=1400 audit(1744001998.580:66): avc: denied { execmem } for pid=307 comm="syz-executor291" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555561137750) = 309 ./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x555561137760, 24) = 0 [pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 309] getppid() = 0 [pid 309] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 309] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 309] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 309] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 309] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 309] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 309] unshare(CLONE_NEWNS) = 0 [pid 309] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 309] unshare(CLONE_NEWIPC) = -1 EINVAL (Invalid argument) [pid 309] unshare(CLONE_NEWCGROUP) = 0 [pid 309] unshare(CLONE_NEWUTS) = 0 [pid 309] unshare(CLONE_SYSVSEM) = 0 [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 309] getpid() = 1 [pid 309] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 43.261619][ T309] RSP: 002b:00007ffd42806bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 43.269863][ T309] RAX: ffffffffffffffda RBX: 00007f6cbce94616 RCX: 00007f6cbce50c99 [ 43.277672][ T309] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000300 [ 43.285482][ T309] RBP: 00007f6cbce945e6 R08: 00007ffd42806c10 R09: 00007ffd42806c10 [ 43.293292][ T309] R10: 00007ffd42806c10 R11: 0000000000000246 R12: 00007f6cbce94567 [ 43.301106][ T309] R13: 00007ffd42806c20 R14: 00007f6cbce94448 R15: 00007ffd42806c0c [ 43.309437][ T309] [ 43.311601][ T309] The buggy address belongs to the page: [ 43.317097][ T309] page:ffffea0004800c80 refcount:3 mapcount:0 mapping:ffff8881091a4290 index:0x3f pfn:0x120032 [ 43.327231][ T309] aops:def_blk_aops ino:0 [ 43.331391][ T309] flags: 0x400000000000202a(referenced|dirty|active|private) [ 43.338604][ T309] raw: 400000000000202a dead000000000100 dead000000000122 ffff8881091a4290 [ 43.347022][ T309] raw: 000000000000003f ffff8881210a5690 00000003ffffffff ffff888100138000 [ 43.355431][ T309] page dumped because: kasan: bad access detected [ 43.361683][ T309] page->mem_cgroup:ffff888100138000 [ 43.366722][ T309] page_owner tracks the page as allocated [ 43.372289][ T309] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 309, ts 42972599008, free_ts 36298759709 [ 43.389126][ T309] prep_new_page+0x166/0x180 [ 43.393537][ T309] get_page_from_freelist+0x2d8c/0x2f30 [ 43.398920][ T309] __alloc_pages_nodemask+0x435/0xaf0 [ 43.404130][ T309] pagecache_get_page+0x669/0x950 [ 43.408989][ T309] __getblk_gfp+0x221/0x7e0 [ 43.413344][ T309] ext4_getblk+0x259/0x660 [ 43.417588][ T309] ext4_bread+0x2f/0x1b0 [ 43.421661][ T309] ext4_append+0x29a/0x4d0 [ 43.425912][ T309] make_indexed_dir+0x505/0x1500 [ 43.430685][ T309] ext4_add_entry+0xdcf/0x1280 [ 43.435301][ T309] ext4_add_nondir+0x97/0x270 [ 43.439812][ T309] ext4_create+0x348/0x530 [ 43.444059][ T309] path_openat+0x1377/0x3000 [ 43.448477][ T309] do_filp_open+0x21c/0x460 [ 43.452820][ T309] do_sys_openat2+0x13f/0x710 [ 43.457329][ T309] __x64_sys_creat+0x11f/0x160 [ 43.461927][ T309] page last free stack trace: [ 43.466451][ T309] free_unref_page_prepare+0x2ae/0x2d0 [ 43.471744][ T309] free_unref_page_list+0x122/0xb20 [ 43.477008][ T309] release_pages+0xea0/0xef0 [ 43.481429][ T309] free_pages_and_swap_cache+0x8a/0xa0 [ 43.486727][ T309] tlb_finish_mmu+0x177/0x320 [ 43.491235][ T309] exit_mmap+0x306/0x560 [ 43.495312][ T309] __mmput+0x95/0x2d0 [ 43.499130][ T309] mmput+0x59/0x170 [ 43.502781][ T309] do_exit+0xbda/0x2a50 [ 43.506771][ T309] do_group_exit+0x141/0x310 [ 43.511199][ T309] __x64_sys_exit_group+0x3f/0x40 [ 43.516060][ T309] do_syscall_64+0x34/0x70 [ 43.520310][ T309] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 43.526036][ T309] [ 43.528204][ T309] Memory state around the buggy address: [ 43.533683][ T309] ffff888120032f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.541578][ T309] ffff888120032f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [pid 309] creat("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 5 [pid 309] exit_group(1) = ? [ 43.549473][ T309] >ffff888120033000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 43.557369][ T309] ^ [ 43.561280][ T309] ffff888120033080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 43.569177][ T309] ffff888120033100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 43.577081][ T309] ================================================================== [ 43.584975][ T309] Disabling lock debugging due to kernel taint [pid 309] +++ exited with 1 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=1, si_utime=0, si_stime=38} --- exit_group(0) = ? +++ exited with 0 +++