./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor858449193 <...> Warning: Permanently added '10.128.0.158' (ECDSA) to the list of known hosts. execve("./syz-executor858449193", ["./syz-executor858449193"], 0x7fff194c81b0 /* 10 vars */) = 0 brk(NULL) = 0x555556417000 brk(0x555556417c40) = 0x555556417c40 arch_prctl(ARCH_SET_FS, 0x555556417300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor858449193", 4096) = 27 brk(0x555556438c40) = 0x555556438c40 brk(0x555556439000) = 0x555556439000 mprotect(0x7f2ec4f5a000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3612 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3613 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3614 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3615 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3616 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3617 ./strace-static-x86_64: Process 3617 attached [pid 3617] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3616 attached [pid 3616] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3617] <... clone resumed>, child_tidptr=0x5555564175d0) = 3618 [pid 3616] <... clone resumed>, child_tidptr=0x5555564175d0) = 3619 ./strace-static-x86_64: Process 3615 attached [pid 3615] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555564175d0) = 3620 ./strace-static-x86_64: Process 3619 attached [pid 3619] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3619] setpgid(0, 0) = 0 [pid 3619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3619] write(3, "1000", 4./strace-static-x86_64: Process 3620 attached ) = 4 [pid 3619] close(3) = 0 ./strace-static-x86_64: Process 3618 attached [pid 3620] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3619] openat(AT_FDCWD, "/proc/bus/input/devices", O_RDONLY [pid 3620] setpgid(0, 0) = 0 [pid 3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3618] prctl(PR_SET_PDEATHSIG, SIGKILL./strace-static-x86_64: Process 3614 attached ./strace-static-x86_64: Process 3613 attached ./strace-static-x86_64: Process 3612 attached [pid 3620] <... openat resumed>) = 3 [pid 3619] <... openat resumed>) = 3 [pid 3619] io_uring_setup(1915, {flags=IORING_SETUP_CLAMP, sq_thread_cpu=0, sq_thread_idle=0 [pid 3620] write(3, "1000", 4 [pid 3619] <... io_uring_setup resumed>, sq_entries=2048, cq_entries=4096, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|0x1000, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=65856}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 3618] <... prctl resumed>) = 0 [pid 3614] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3619] mmap(0x20ffc000, 74048, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0 [pid 3620] <... write resumed>) = 4 [pid 3619] <... mmap resumed>) = 0x20ffc000 [pid 3618] setpgid(0, 0 [pid 3619] mmap(0x20ee7000, 131072, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000 [pid 3620] close(3 [pid 3619] <... mmap resumed>) = 0x20ee7000 [pid 3618] <... setpgid resumed>) = 0 [pid 3619] io_uring_enter(4, 17678, 0, 0, NULL, 0 [pid 3620] <... close resumed>) = 0 [pid 3618] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3613] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [ 48.834845][ T28] audit: type=1400 audit(1655199351.968:75): avc: denied { execmem } for pid=3611 comm="syz-executor858" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 48.873673][ T28] audit: type=1400 audit(1655199352.008:76): avc: denied { create } for pid=3619 comm="syz-executor858" anonclass=[io_uring] scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_t tclass=anon_inode permissive=1 [ 48.873673][ T28] audit: type=1400 audit(1655199352.008:76): avc: denied { create } for pid=3619 comm="syz-executor858" anonclass=[io_uring] scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_t tclass=anon_inode permissive=1 [ 48.875468][ T28] audit: type=1400 audit(1655199352.008:77): avc: denied { map } for pid=3619 comm="syz-executor858" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=27576 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_t tclass=anon_inode permissive=1 [ 48.875516][ T28] audit: type=1400 audit(1655199352.008:78): avc: denied { read write } for pid=3619 comm="syz-executor858" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=27576 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:sysadm_t tclass=anon_inode permissive=1 [ 48.882747][ T3622] ================================================================== [ 48.882757][ T3622] BUG: KASAN: null-ptr-deref in io_file_get_normal+0x351/0x3b0 [ 48.882800][ T3622] Write of size 4 at addr 0000000000000118 by task iou-wrk-3619/3622 [ 48.882816][ T3622] [ 48.882821][ T3622] CPU: 0 PID: 3622 Comm: iou-wrk-3619 Not tainted 5.19.0-rc2-syzkaller #0 [ 48.882843][ T3622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 48.882854][ T3622] Call Trace: [ 48.882860][ T3622] [ 48.882866][ T3622] dump_stack_lvl+0xcd/0x134 [ 48.882894][ T3622] kasan_report.cold+0x61/0x1c6 [ 48.882917][ T3622] ? io_file_get_normal+0x351/0x3b0 [ 48.882938][ T3622] kasan_check_range+0x13d/0x180 [ 48.882964][ T3622] io_file_get_normal+0x351/0x3b0 [ 48.882985][ T3622] io_issue_sqe+0x48b7/0x9750 [ 48.883008][ T3622] ? asm_common_interrupt+0x27/0x40 [ 48.883034][ T3622] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 48.883062][ T3622] ? asm_common_interrupt+0x27/0x40 [ 48.883085][ T3622] ? __io_close_fixed.isra.0+0x4d0/0x4d0 [ 48.883111][ T3622] ? find_held_lock+0x2d/0x110 [ 48.883134][ T3622] ? io_worker_handle_work+0x53d/0x1ab0 [ 48.883158][ T3622] ? lock_downgrade+0x6e0/0x6e0 [ 48.883181][ T3622] ? do_raw_spin_lock+0x120/0x2a0 [ 48.883201][ T3622] io_wq_submit_work+0x287/0x740 [ 48.883224][ T3622] io_worker_handle_work+0xb1c/0x1ab0 [ 48.883251][ T3622] io_wqe_worker+0x637/0xdb0 [ 48.883275][ T3622] ? io_wqe_dec_running+0x240/0x240 [ 48.883297][ T3622] ? ret_from_fork+0x8/0x30 [ 48.883319][ T3622] ? lock_downgrade+0x6e0/0x6e0 [ 48.883343][ T3622] ? do_raw_spin_lock+0x120/0x2a0 [ 48.883362][ T3622] ? rwlock_bug.part.0+0x90/0x90 [ 48.883389][ T3622] ? _raw_spin_unlock_irq+0x1f/0x40 [ 48.883414][ T3622] ? _raw_spin_unlock_irq+0x1f/0x40 [ 48.883437][ T3622] ? io_wqe_dec_running+0x240/0x240 [ 48.883461][ T3622] ret_from_fork+0x1f/0x30 [ 48.883485][ T3622] [ 48.883491][ T3622] ================================================================== [ 48.883499][ T3622] Kernel panic - not syncing: panic_on_warn set ... [ 48.883509][ T3622] CPU: 0 PID: 3622 Comm: iou-wrk-3619 Not tainted 5.19.0-rc2-syzkaller #0 [ 48.883530][ T3622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 48.883541][ T3622] Call Trace: [ 48.883547][ T3622] [ 48.883553][ T3622] dump_stack_lvl+0xcd/0x134 [ 48.883576][ T3622] panic+0x2d7/0x636 [ 48.883595][ T3622] ? panic_print_sys_info.part.0+0x10b/0x10b [ 48.883620][ T3622] ? io_file_get_normal+0x351/0x3b0 [ 48.883640][ T3622] ? io_file_get_normal+0x351/0x3b0 [ 48.883661][ T3622] end_report.part.0+0x3f/0x7c [ 48.883682][ T3622] kasan_report.cold+0x93/0x1c6 [ 48.883703][ T3622] ? io_file_get_normal+0x351/0x3b0 [ 48.883725][ T3622] kasan_check_range+0x13d/0x180 [ 48.883749][ T3622] io_file_get_normal+0x351/0x3b0 [ 48.883771][ T3622] io_issue_sqe+0x48b7/0x9750 [ 48.883793][ T3622] ? asm_common_interrupt+0x27/0x40 [ 48.883818][ T3622] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 48.883844][ T3622] ? asm_common_interrupt+0x27/0x40 [ 48.883868][ T3622] ? __io_close_fixed.isra.0+0x4d0/0x4d0 [ 48.883892][ T3622] ? find_held_lock+0x2d/0x110 [ 48.883916][ T3622] ? io_worker_handle_work+0x53d/0x1ab0 [ 48.883941][ T3622] ? lock_downgrade+0x6e0/0x6e0 [ 48.883965][ T3622] ? do_raw_spin_lock+0x120/0x2a0 [ 48.883986][ T3622] io_wq_submit_work+0x287/0x740 [ 48.884009][ T3622] io_worker_handle_work+0xb1c/0x1ab0 [ 48.884036][ T3622] io_wqe_worker+0x637/0xdb0 [ 48.884060][ T3622] ? io_wqe_dec_running+0x240/0x240 [ 48.884084][ T3622] ? ret_from_fork+0x8/0x30 [ 48.884106][ T3622] ? lock_downgrade+0x6e0/0x6e0 [ 48.884130][ T3622] ? do_raw_spin_lock+0x120/0x2a0 [ 48.884149][ T3622] ? rwlock_bug.part.0+0x90/0x90 [ 48.884169][ T3622] ? _raw_spin_unlock_irq+0x1f/0x40 [ 48.884192][ T3622] ? _raw_spin_unlock_irq+0x1f/0x40 [ 48.884215][ T3622] ? io_wqe_dec_running+0x240/0x240 [ 48.884239][ T3622] ret_from_fork+0x1f/0x30 [ 48.884263][ T3622] [ 48.902614][ T3622] Kernel Offset: disabled