./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3208103218
<...>
syzkaller
syzkaller login: [ 46.256914][ T26] kauditd_printk_skb: 42 callbacks suppressed
[ 46.256931][ T26] audit: type=1400 audit(1686862029.375:77): avc: denied { transition } for pid=4848 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 46.305623][ T26] audit: type=1400 audit(1686862029.385:78): avc: denied { noatsecure } for pid=4848 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 46.333538][ T26] audit: type=1400 audit(1686862029.405:79): avc: denied { write } for pid=4848 comm="sh" path="pipe:[29841]" dev="pipefs" ino=29841 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 46.365865][ T26] audit: type=1400 audit(1686862029.405:80): avc: denied { rlimitinh } for pid=4848 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 46.394269][ T26] audit: type=1400 audit(1686862029.405:81): avc: denied { siginh } for pid=4848 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 46.995358][ T26] audit: type=1400 audit(1686862030.105:82): avc: denied { read } for pid=4430 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts.
execve("./syz-executor3208103218", ["./syz-executor3208103218"], 0x7ffebc80d560 /* 10 vars */) = 0
brk(NULL) = 0x555555c4b000
brk(0x555555c4bc40) = 0x555555c4bc40
arch_prctl(ARCH_SET_FS, 0x555555c4b300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3208103218", 4096) = 28
brk(0x555555c6cc40) = 0x555555c6cc40
brk(0x555555c6d000) = 0x555555c6d000
mprotect(0x7fd222be6000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
[ 62.280232][ T26] audit: type=1400 audit(1686862045.395:83): avc: denied { write } for pid=4995 comm="strace-static-x" path="pipe:[28540]" dev="pipefs" ino=28540 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[ 62.304666][ T26] audit: type=1400 audit(1686862045.415:84): avc: denied { execmem } for pid=4998 comm="syz-executor320" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd21a72c000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288
munmap(0x7fd21a72c000, 524288) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[ 62.306199][ T4998] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4998 'syz-executor320'
[ 62.341695][ T26] audit: type=1400 audit(1686862045.455:85): avc: denied { read write } for pid=4998 comm="syz-executor320" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 62.348772][ T4998] loop0: detected capacity change from 0 to 1024
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./bus", 0777) = 0
[ 62.366527][ T26] audit: type=1400 audit(1686862045.465:86): avc: denied { open } for pid=4998 comm="syz-executor320" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 62.398123][ T26] audit: type=1400 audit(1686862045.465:87): avc: denied { ioctl } for pid=4998 comm="syz-executor320" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
mount("/dev/loop0", "./bus", "hfsplus", MS_NOEXEC|MS_RELATIME, "") = 0
openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3
chdir("./bus") = 0
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
openat(AT_FDCWD, ".", O_RDONLY) = 4
getdents64(4, 0x20000340 /* 3 entries */, 97) = 80
getdents64(4, 0x20000340 /* 3 entries */, 97) = 96
[ 62.425017][ T26] audit: type=1400 audit(1686862045.515:88): avc: denied { mounton } for pid=4998 comm="syz-executor320" path="/root/bus" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 62.441166][ T4998] ==================================================================
[ 62.455693][ T4998] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x953/0xa50
[ 62.463370][ T4998] Read of size 2 at addr ffff8880142eb40c by task syz-executor320/4998
[ 62.466846][ T26] audit: type=1400 audit(1686862045.545:89): avc: denied { mount } for pid=4998 comm="syz-executor320" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1
[ 62.471609][ T4998]
[ 62.471616][ T4998] CPU: 0 PID: 4998 Comm: syz-executor320 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0
[ 62.506473][ T4998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 62.516552][ T4998] Call Trace:
[ 62.519838][ T4998] <TASK>
[ 62.522756][ T4998] dump_stack_lvl+0xd9/0x150
[ 62.527349][ T4998] print_address_description.constprop.0+0x2c/0x3c0
[ 62.533928][ T4998] ? hfsplus_uni2asc+0x953/0xa50
[ 62.538852][ T4998] kasan_report+0x11c/0x130
[ 62.543343][ T4998] ? hfsplus_uni2asc+0x953/0xa50
[ 62.548314][ T4998] ? char2uni+0x130/0x130
[ 62.552737][ T4998] hfsplus_uni2asc+0x953/0xa50
[ 62.557495][ T4998] ? char2uni+0x130/0x130
[ 62.561819][ T4998] ? hfsplus_bnode_read+0xb8/0x150
[ 62.566924][ T4998] hfsplus_readdir+0x952/0xfd0
[ 62.571677][ T4998] ? hfsplus_dir_release+0x1d0/0x1d0
[ 62.576961][ T4998] ? lock_sync+0x190/0x190
[ 62.581363][ T4998] ? down_read_killable+0x14a/0x4f0
[ 62.586551][ T4998] ? down_read+0x480/0x480
[ 62.590975][ T4998] ? fsnotify_perm.part.0+0x221/0x610
[ 62.596352][ T4998] iterate_dir+0x56e/0x6f0
[ 62.600765][ T4998] __x64_sys_getdents64+0x13e/0x2c0
[ 62.605954][ T4998] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 62.611225][ T4998] ? compat_fillonedir+0x470/0x470
[ 62.616319][ T4998] ? lockdep_hardirqs_on+0x7d/0x100
[ 62.621506][ T4998] ? _raw_spin_unlock_irq+0x2e/0x50
[ 62.626700][ T4998] ? ptrace_notify+0xfe/0x140
[ 62.631369][ T4998] do_syscall_64+0x39/0xb0
[ 62.635770][ T4998] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 62.641668][ T4998] RIP: 0033:0x7fd222b78889
[ 62.646067][ T4998] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 62.665749][ T4998] RSP: 002b:00007ffc134c5498 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 62.674148][ T4998] RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007fd222b78889
[ 62.682109][ T4998] RDX: 0000000000000061 RSI: 0000000020000340 RDI: 0000000000000004
[ 62.690071][ T4998] RBP: 00007fd222b38120 R08: 0000000000000000 R09: 0000000000000000
[ 62.698041][ T4998] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd222b381b0
[ 62.706014][ T4998] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 62.713978][ T4998] </TASK>
[ 62.716993][ T4998]
[ 62.719316][ T4998] Allocated by task 4998:
[ 62.723636][ T4998] kasan_save_stack+0x22/0x40
[ 62.728332][ T4998] kasan_set_track+0x25/0x30
[ 62.732907][ T4998] __kasan_kmalloc+0xa3/0xb0
[ 62.737483][ T4998] __kmalloc+0x5e/0x190
[ 62.741624][ T4998] hfsplus_find_init+0x95/0x230
[ 62.747205][ T4998] hfsplus_readdir+0x21e/0xfd0
[ 62.752067][ T4998] iterate_dir+0x56e/0x6f0
[ 62.756474][ T4998] __x64_sys_getdents64+0x13e/0x2c0
[ 62.761673][ T4998] do_syscall_64+0x39/0xb0
[ 62.766072][ T4998] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 62.771959][ T4998]
[ 62.774264][ T4998] Last potentially related work creation:
[ 62.779957][ T4998] kasan_save_stack+0x22/0x40
[ 62.784637][ T4998] __kasan_record_aux_stack+0x7b/0x90
[ 62.790021][ T4998] __call_rcu_common.constprop.0+0x99/0x7e0
[ 62.795909][ T4998] netlink_release+0xcde/0x1e40
[ 62.800755][ T4998] __sock_release+0xcd/0x290
[ 62.805339][ T4998] sock_close+0x1c/0x20
[ 62.809484][ T4998] __fput+0x27c/0xa90
[ 62.813458][ T4998] task_work_run+0x16f/0x270
[ 62.818041][ T4998] exit_to_user_mode_prepare+0x210/0x240
[ 62.823664][ T4998] syscall_exit_to_user_mode+0x1d/0x50
[ 62.829111][ T4998] do_syscall_64+0x46/0xb0
[ 62.833517][ T4998] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 62.839401][ T4998]
[ 62.841954][ T4998] The buggy address belongs to the object at ffff8880142eb000
[ 62.841954][ T4998] which belongs to the cache kmalloc-2k of size 2048
[ 62.857231][ T4998] The buggy address is located 0 bytes to the right of
[ 62.857231][ T4998] allocated 1036-byte region [ffff8880142eb000, ffff8880142eb40c)
[ 62.871912][ T4998]
[ 62.874221][ T4998] The buggy address belongs to the physical page:
[ 62.880631][ T4998] page:ffffea000050bac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x142eb
[ 62.890780][ T4998] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 62.898307][ T4998] page_type: 0x1()
[ 62.902021][ T4998] raw: 00fff00000000200 ffff888012440800 ffffea000050b750 ffffea00005ef050
[ 62.910600][ T4998] raw: 0000000000000000 ffff8880142eb000 0000000100000001 0000000000000000
[ 62.919174][ T4998] page dumped because: kasan: bad access detected
[ 62.925567][ T4998] page_owner tracks the page as allocated
[ 62.931260][ T4998] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 2487009578, free_ts 0
[ 62.949829][ T4998] post_alloc_hook+0x2db/0x350
[ 62.954580][ T4998] get_page_from_freelist+0xf41/0x2c00
[ 62.960027][ T4998] __alloc_pages+0x1cb/0x4a0
[ 62.964615][ T4998] cache_grow_begin+0x9b/0x3b0
[ 62.969376][ T4998] cache_alloc_refill+0x27f/0x380
[ 62.974395][ T4998] __kmem_cache_alloc_node+0x360/0x3f0
[ 62.979841][ T4998] kmalloc_trace+0x26/0xe0
[ 62.984245][ T4998] acpi_ds_create_walk_state+0x7e/0x260
[ 62.989783][ T4998] acpi_ds_auto_serialize_method+0xef/0x260
[ 62.995689][ T4998] acpi_ds_init_one_object+0x359/0x450
[ 63.001132][ T4998] acpi_ns_walk_namespace+0x41d/0x5e0
[ 63.006501][ T4998] acpi_ds_initialize_objects+0x12f/0x190
[ 63.012205][ T4998] acpi_ns_load_table+0x9c/0x140
[ 63.017128][ T4998] acpi_tb_load_namespace+0x26b/0x700
[ 63.022484][ T4998] acpi_load_tables+0x2f/0x120
[ 63.027244][ T4998] acpi_init+0x123/0xab0
[ 63.031759][ T4998] page_owner free stack trace missing
[ 63.038681][ T4998]
[ 63.040993][ T4998] Memory state around the buggy address:
[ 63.046689][ T4998] ffff8880142eb300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.054904][ T4998] ffff8880142eb380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.063050][ T4998] >ffff8880142eb400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.071268][ T4998] ^
[ 63.075947][ T4998] ffff8880142eb480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.084086][ T4998] ffff8880142eb500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.092397][ T4998] ==================================================================
[ 63.101014][ T4998] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 63.108220][ T4998] CPU: 0 PID: 4998 Comm: syz-executor320 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0
[ 63.118649][ T4998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 63.128890][ T4998] Call Trace:
[ 63.132290][ T4998] <TASK>
[ 63.135257][ T4998] dump_stack_lvl+0xd9/0x150
[ 63.139857][ T4998] panic+0x686/0x730
[ 63.143762][ T4998] ? panic_smp_self_stop+0xa0/0xa0
[ 63.148878][ T4998] ? preempt_schedule_thunk+0x1a/0x20
[ 63.154269][ T4998] ? preempt_schedule_common+0x45/0xb0
[ 63.159737][ T4998] check_panic_on_warn+0xb1/0xc0
[ 63.164681][ T4998] end_report+0xe9/0x120
[ 63.169007][ T4998] ? hfsplus_uni2asc+0x953/0xa50
[ 63.173946][ T4998] kasan_report+0xf9/0x130
[ 63.178550][ T4998] ? hfsplus_uni2asc+0x953/0xa50
[ 63.183491][ T4998] ? char2uni+0x130/0x130
[ 63.187936][ T4998] hfsplus_uni2asc+0x953/0xa50
[ 63.192789][ T4998] ? char2uni+0x130/0x130
[ 63.197127][ T4998] ? hfsplus_bnode_read+0xb8/0x150
[ 63.202247][ T4998] hfsplus_readdir+0x952/0xfd0
[ 63.207030][ T4998] ? hfsplus_dir_release+0x1d0/0x1d0
[ 63.212331][ T4998] ? lock_sync+0x190/0x190
[ 63.216753][ T4998] ? down_read_killable+0x14a/0x4f0
[ 63.222046][ T4998] ? down_read+0x480/0x480
[ 63.226480][ T4998] ? fsnotify_perm.part.0+0x221/0x610
[ 63.231856][ T4998] iterate_dir+0x56e/0x6f0
[ 63.236362][ T4998] __x64_sys_getdents64+0x13e/0x2c0
[ 63.241566][ T4998] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 63.246952][ T4998] ? compat_fillonedir+0x470/0x470
[ 63.252096][ T4998] ? lockdep_hardirqs_on+0x7d/0x100
[ 63.257677][ T4998] ? _raw_spin_unlock_irq+0x2e/0x50
[ 63.263333][ T4998] ? ptrace_notify+0xfe/0x140
[ 63.268290][ T4998] do_syscall_64+0x39/0xb0
[ 63.272739][ T4998] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.278668][ T4998] RIP: 0033:0x7fd222b78889
[ 63.283097][ T4998] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 63.302802][ T4998] RSP: 002b:00007ffc134c5498 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 63.311304][ T4998] RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007fd222b78889
[ 63.319361][ T4998] RDX: 0000000000000061 RSI: 0000000020000340 RDI: 0000000000000004
[ 63.327504][ T4998] RBP: 00007fd222b38120 R08: 0000000000000000 R09: 0000000000000000
[ 63.335657][ T4998] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd222b381b0
[ 63.343646][ T4998] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 63.352767][ T4998] </TASK>
[ 63.355950][ T4998] Kernel Offset: disabled
[ 63.360267][ T4998] Rebooting in 86400 seconds..