./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2711293210 <...> DUID 00:04:de:98:af:7d:11:7e:80:43:16:00:7b:1b:58:16:2b:58 forked to background, child pid 209 Starting sshd: OK syzkaller syzkaller login: [ 13.421406][ T24] kauditd_printk_skb: 60 callbacks suppressed [ 13.421412][ T24] audit: type=1400 audit(1665832030.979:71): avc: denied { transition } for pid=302 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 13.426548][ T24] audit: type=1400 audit(1665832030.979:72): avc: denied { write } for pid=302 comm="sh" path="pipe:[11305]" dev="pipefs" ino=11305 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.1.77' (ECDSA) to the list of known hosts. [ 21.120167][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!! execve("./syz-executor2711293210", ["./syz-executor2711293210"], 0x7ffd396e8570 /* 10 vars */) = 0 brk(NULL) = 0x55555676d000 brk(0x55555676dc40) = 0x55555676dc40 arch_prctl(ARCH_SET_FS, 0x55555676d300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2711293210", 4096) = 28 brk(0x55555678ec40) = 0x55555678ec40 brk(0x55555678f000) = 0x55555678f000 mprotect(0x7fbbc8790000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 383 mkdir("./syzkaller.RlNTP8", 0700) = 0 chmod("./syzkaller.RlNTP8", 0777) = 0 chdir("./syzkaller.RlNTP8") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555676d5d0) = 385 ./strace-static-x86_64: Process 385 attached [pid 385] chdir("./0") = 0 [pid 385] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 385] setpgid(0, 0) = 0 [pid 385] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 385] write(3, "1000", 4) = 4 [pid 385] close(3) = 0 [pid 385] symlink("/dev/binderfs", "./binderfs") = 0 [pid 385] mkdir("./file0", 000) = 0 [pid 385] mkdir("./file1", 000) = 0 [pid 385] mount("./file1", "./file0", NULL, MS_NOSUID|MS_DIRSYNC|MS_NOATIME|MS_NODIRATIME|MS_BIND|MS_SLAVE, NULL) = 0 [pid 385] memfd_create("syzkaller", 0) = 3 [pid 385] ftruncate(3, 47393) = 0 [pid 385] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 385] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 385] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 21.277938][ T24] audit: type=1400 audit(1665832038.829:73): avc: denied { execmem } for pid=383 comm="syz-executor271" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.299259][ T24] audit: type=1400 audit(1665832038.849:74): avc: denied { read write } for pid=383 comm="syz-executor271" name="loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 385] mount("/dev/loop0", "./file0", 0x20000040, MS_NOSUID|MS_NODEV|MS_REMOUNT|MS_NODIRATIME|MS_SILENT|MS_SLAVE|MS_SHARED|MS_I_VERSION|MS_STRICTATIME, "inode_readahead_blks=0x0000000000004000,barrier,debug_want_extra_isize=0x000000000000007a,nombcache,"...) = -1 EINVAL (Invalid argument) [ 21.317100][ T385] EXT4-fs (sda1): can't enable nombcache during remount [ 21.324501][ T24] audit: type=1400 audit(1665832038.849:75): avc: denied { open } for pid=383 comm="syz-executor271" path="/dev/loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 385] ioctl(4, LOOP_CLR_FD) = 0 [pid 385] close(4) = 0 [pid 385] close(3) = 0 [pid 385] exit_group(0) = ? [pid 385] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=385, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555676e620 /* 5 entries */, 32768) = 144 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file1", {st_mode=S_IFDIR|000, st_size=4096, ...}) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|000, st_size=4096, ...}) = 0 getdents64(4, 0x555556776660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556776660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 [ 21.354407][ T24] audit: type=1400 audit(1665832038.849:76): avc: denied { ioctl } for pid=383 comm="syz-executor271" path="/dev/loop0" dev="devtmpfs" ino=115 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.380168][ T24] audit: type=1400 audit(1665832038.849:77): avc: denied { mounton } for pid=385 comm="syz-executor271" path="/root/syzkaller.RlNTP8/0/file0" dev="sda1" ino=1141 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 21.404605][ T24] audit: type=1400 audit(1665832038.849:78): avc: denied { remount } for pid=385 comm="syz-executor271" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file0", {st_mode=S_IFDIR|000, st_size=4096, ...}) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|000, st_size=4096, ...}) = 0 getdents64(4, 0x555556776660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556776660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x55555676e620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 [ 21.433333][ T24] audit: type=1400 audit(1665832038.989:79): avc: denied { unmount } for pid=383 comm="syz-executor271" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 21.455283][ T383] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN [ 21.466992][ T383] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 21.475379][ T383] CPU: 0 PID: 383 Comm: syz-executor271 Not tainted 5.10.147-syzkaller-01341-gbc7618b4936f #0 [ 21.485587][ T383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 [ 21.496000][ T383] RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 [ 21.502041][ T383] Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 13 88 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89 [ 21.521621][ T383] RSP: 0018:ffffc9000026f3c0 EFLAGS: 00010246 [ 21.527663][ T383] RAX: 0000000000000000 RBX: ffffc9000026f7c0 RCX: ffff8881067d4f00 [ 21.535612][ T383] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c [ 21.543557][ T383] RBP: ffffc9000026f658 R08: ffffffff81ec7899 R09: ffffed1021df082a [ 21.551502][ T383] R10: ffffed1021df082a R11: 1ffff11021df0829 R12: dffffc0000000000 [ 21.559449][ T383] R13: 1ffff9200004def2 R14: 0000000000000000 R15: 0000000000000000 [ 21.567392][ T383] FS: 000055555676d300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 21.576294][ T383] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.582844][ T383] CR2: 00007ffdb7ae26c8 CR3: 00000001083ae000 CR4: 00000000003506b0 [ 21.590789][ T383] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.598731][ T383] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 21.606670][ T383] Call Trace: [ 21.609934][ T383] ? jbd2_journal_get_write_access+0x2ab/0x2d0 [ 21.616061][ T383] ? ext4_xattr_ibody_inline_set+0x380/0x380 [ 21.622011][ T383] ? __ext4_journal_ensure_credits+0x460/0x460 [ 21.628136][ T383] ? __kasan_check_write+0x14/0x20 [ 21.633219][ T383] ? _raw_spin_lock_irqsave+0xf8/0x210 [ 21.638648][ T383] ? ext4_reserve_inode_write+0x2d2/0x380 [ 21.644338][ T383] ? __kasan_check_write+0x14/0x20 [ 21.649423][ T383] ext4_xattr_ibody_set+0x7c/0x2a0 [ 21.654508][ T383] ext4_xattr_set_handle+0xc5d/0x15a0 [ 21.659855][ T383] ? ext4_xattr_set_entry+0x3820/0x3820 [ 21.665376][ T383] ? selinux_inode_free_security+0x200/0x200 [ 21.671327][ T383] ext4_initxattrs+0xb2/0x120 [ 21.675982][ T383] security_inode_init_security+0x26c/0x3c0 [ 21.681846][ T383] ? ext4_init_security+0x40/0x40 [ 21.686843][ T383] ? security_dentry_create_files_as+0xd0/0xd0 [ 21.692966][ T383] ? __ext4_set_acl+0x5f0/0x5f0 [ 21.697793][ T383] ? ext4_has_metadata_csum+0x1f0/0x1f0 [ 21.703322][ T383] ext4_init_security+0x34/0x40 [ 21.708160][ T383] __ext4_new_inode+0x3648/0x4530 [ 21.713163][ T383] ? ext4_mark_inode_used+0xc00/0xc00 [ 21.718516][ T383] ? dquot_initialize+0x20/0x20 [ 21.723346][ T383] ? may_create+0x641/0x8b0 [ 21.727827][ T383] ext4_mkdir+0x3b3/0xbb0 [ 21.732134][ T383] ? ext4_symlink+0xf50/0xf50 [ 21.736794][ T383] ? selinux_inode_mkdir+0x22/0x30 [ 21.741879][ T383] ? security_inode_mkdir+0xf1/0x130 [ 21.747135][ T383] vfs_mkdir+0x435/0x610 [ 21.751351][ T383] do_mkdirat+0x1b6/0x2d0 [ 21.755657][ T383] ? do_mknodat+0x430/0x430 [ 21.760133][ T383] __x64_sys_mkdir+0x60/0x70 [ 21.764697][ T383] do_syscall_64+0x34/0x70 [ 21.769090][ T383] entry_SYSCALL_64_after_hwframe+0x61/0xc6 [ 21.774952][ T383] RIP: 0033:0x7fbbc8721ff7 [ 21.779340][ T383] Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 21.799466][ T383] RSP: 002b:00007ffde03a8d28 EFLAGS: 00000206 ORIG_RAX: 0000000000000053 [ 21.807855][ T383] RAX: ffffffffffffffda RBX: 0000000000005325 RCX: 00007fbbc8721ff7 [ 21.815798][ T383] RDX: 0000000000000000 RSI: 00000000000001ff RDI: 00007ffde03a8d60 [ 21.823847][ T383] RBP: 0000000000000181 R08: 0000000000000000 R09: 0000000000000003 [ 21.831797][ T383] R10: 00007ffde03a8ac7 R11: 0000000000000206 R12: 00007ffde03a8d4c [ 21.839741][ T383] R13: 00007ffde03a8d80 R14: 00007ffde03a8d60 R15: 0000000000000001 [ 21.847688][ T383] Modules linked in: [ 21.851716][ T383] ---[ end trace 0e5a4b7a0dcdcf68 ]--- [ 21.857350][ T383] RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 [ 21.863472][ T383] Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 13 88 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89 [ 21.883122][ T383] RSP: 0018:ffffc9000026f3c0 EFLAGS: 00010246 [ 21.889168][ T383] RAX: 0000000000000000 RBX: ffffc9000026f7c0 RCX: ffff8881067d4f00 [ 21.897155][ T383] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c [ 21.905123][ T383] RBP: ffffc9000026f658 R08: ffffffff81ec7899 R09: ffffed1021df082a [ 21.913096][ T383] R10: ffffed1021df082a R11: 1ffff11021df0829 R12: dffffc0000000000 [ 21.921058][ T383] R13: 1ffff9200004def2 R14: 0000000000000000 R15: 0000000000000000 [ 21.929011][ T383] FS: 000055555676d300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 21.937938][ T383] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.944510][ T383] CR2: 000055555677e668 CR3: 00000001083ae000 CR4: 00000000003506a0 [ 21.952491][ T383] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.960459][ T383] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 21.968399][ T383] Kernel panic - not syncing: Fatal exception [ 21.974590][ T383] Kernel Offset: disabled [ 21.978890][ T383] Rebooting in 86400 seconds..