./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1470679551 <...> 26 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 13.750553][ T28] audit: type=1400 audit(1694299183.071:65): avc: denied { siginh } for pid=226 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.067076][ T229] sftp-server (229) used greatest stack depth: 22864 bytes left [ 18.212072][ T250] sshd (250) used greatest stack depth: 22832 bytes left Warning: Permanently added '10.128.1.163' (ED25519) to the list of known hosts. execve("./syz-executor1470679551", ["./syz-executor1470679551"], 0x7ffc84e92320 /* 10 vars */) = 0 brk(NULL) = 0x55555694b000 brk(0x55555694be00) = 0x55555694be00 arch_prctl(ARCH_SET_FS, 0x55555694b480) = 0 set_tid_address(0x55555694b750) = 297 set_robust_list(0x55555694b760, 24) = 0 rseq(0x55555694bda0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1470679551", 4096) = 28 getrandom("\xb7\x04\x92\xfc\x5a\xad\x82\x3a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555694be00 brk(0x55555696ce00) = 0x55555696ce00 brk(0x55555696d000) = 0x55555696d000 mprotect(0x7f11e1e9c000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 297 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "297", 3) = 3 close(3) = 0 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f11e1de0f60, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f11e1de96b0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f11e1de0f60, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f11e1de96b0}, NULL, 8) = 0 mkdir("./syzkaller.WVn9to", 0700) = 0 chmod("./syzkaller.WVn9to", 0777) = 0 chdir("./syzkaller.WVn9to") = 0 futex(0x7f11e1ea240c, FUTEX_WAKE_PRIVATE, 1000000) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f11e1e466a0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f11e1de96b0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f11e1db6000 mprotect(0x7f11e1db7000, 131072, PROT_READ|PROT_WRITE) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f11e1dd6990, parent_tid=0x7f11e1dd6990, exit_signal=0, stack=0x7f11e1db6000, stack_size=0x20240, tls=0x7f11e1dd66c0} => {parent_tid=[298]}, 88) = 298 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 futex(0x7f11e1ea2408, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7f11e1ea240c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 298 attached [pid 298] set_robust_list(0x7f11e1dd69a0, 24) = 0 [pid 298] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 298] openat(AT_FDCWD, "/dev/fuse", O_RDWR) = 3 [pid 298] futex(0x7f11e1ea240c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f11e1ea2408, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f11e1ea240c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 298] <... futex resumed>) = 1 [pid 298] mkdir("./file0", 0777) = 0 [pid 298] mount(NULL, "./file0", "fuse", 0, "fd=0x0000000000000003,rootmode=00000000000000000040000,user_id=00000000000000000000,group_id=0000000"...) = 0 [ 24.870230][ T28] audit: type=1400 audit(1694299194.351:66): avc: denied { execmem } for pid=297 comm="syz-executor147" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 298] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 297] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 297] futex(0x7f11e1ea241c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f11e1d95000 [pid 297] mprotect(0x7f11e1d96000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f11e1db5990, parent_tid=0x7f11e1db5990, exit_signal=0, stack=0x7f11e1d95000, stack_size=0x20240, tls=0x7f11e1db56c0} => {parent_tid=[300]}, 88) = 300 [pid 297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 297] futex(0x7f11e1ea2418, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f11e1ea241c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 300 attached [pid 300] set_robust_list(0x7f11e1db59a0, 24) = 0 [pid 300] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [ 24.912412][ T28] audit: type=1400 audit(1694299194.351:67): avc: denied { read write } for pid=297 comm="syz-executor147" name="fuse" dev="devtmpfs" ino=93 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [pid 300] setxattr("./file0/file0", NULL, NULL, 0, 0x4 /* XATTR_??? */ [pid 297] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 297] futex(0x7f11e1ea242c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f11e1d74000 [pid 297] mprotect(0x7f11e1d75000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f11e1d94990, parent_tid=0x7f11e1d94990, exit_signal=0, stack=0x7f11e1d74000, stack_size=0x20240, tls=0x7f11e1d946c0} => {parent_tid=[301]}, 88) = 301 [pid 297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 297] futex(0x7f11e1ea2428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f11e1ea242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 301 attached [pid 301] set_robust_list(0x7f11e1d949a0, 24) = 0 [pid 301] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 301] read(3, "\x68\x00\x00\x00\x1a\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x25\x00\x00\x00\x00\x00\x02\x00\xfb\xff\xff\x73\x01\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 8224) = 104 [pid 301] futex(0x7f11e1ea242c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f11e1ea2428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f11e1ea242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 301] <... futex resumed>) = 1 [pid 301] write(3, "\x18\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00", 24) = 24 [pid 301] futex(0x7f11e1ea242c, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f11e1ea2428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 24.970293][ T28] audit: type=1400 audit(1694299194.351:68): avc: denied { open } for pid=297 comm="syz-executor147" path="/dev/fuse" dev="devtmpfs" ino=93 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [pid 297] futex(0x7f11e1ea242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 301] <... futex resumed>) = 1 [pid 301] read(3, "\x2e\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2c\x01\x00\x00\x00\x00\x00\x00\x66\x69\x6c\x65\x30\x00", 8192) = 46 [ 25.024651][ T28] audit: type=1400 audit(1694299194.351:69): avc: denied { mounton } for pid=297 comm="syz-executor147" path="/root/syzkaller.WVn9to/file0" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 25.028846][ T300] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN [pid 301] write(3, "\x90\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xdb\xc0\x00\x00\x00\x00\x00\x00\x01\x76\x00\x00\xf9\xff\xff\xff\x05\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x07\x00\x00\x00"..., 144) = 144 [pid 301] futex(0x7f11e1ea242c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 301] futex(0x7f11e1ea2428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 297] <... futex resumed>) = 0 [ 25.073387][ T28] audit: type=1400 audit(1694299194.351:70): avc: denied { mount } for pid=297 comm="syz-executor147" name="/" dev="fuse" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 25.100889][ T300] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 25.100912][ T300] CPU: 1 PID: 300 Comm: syz-executor147 Not tainted 6.1.25-syzkaller-00088-gcd94fe67fd33 #0 [ 25.100928][ T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 25.100936][ T300] RIP: 0010:step_into+0x1c4/0x1090 [ 25.229989][ T300] Code: c0 0f 85 bb 0b 00 00 44 8b 3b 43 80 3c 34 00 74 0a 48 8b 7c 24 10 e8 9b fe f2 ff 48 8b 9c 24 d8 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 0f 85 a8 0b 00 00 8b 1b 89 de 81 e6 00 00 07 [ 25.271009][ T300] RSP: 0018:ffffc90000da79a0 EFLAGS: 00010202 [ 25.287962][ T300] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff8881096b6540 [ 25.302179][ T300] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 25.314433][ T300] RBP: ffffc90000da7af0 R08: ffffffff81c82c79 R09: ffffed10226176fd [pid 297] exit_group(0) = ? [pid 298] <... openat resumed>) = ? [pid 298] +++ exited with 0 +++ [pid 301] <... futex resumed>) = ? [pid 301] +++ exited with 0 +++ [ 25.331957][ T300] R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920001b4f4f [ 25.350997][ T300] R13: ffffc90000da7c20 R14: dffffc0000000000 R15: 0000000000000001 [ 25.370584][ T300] FS: 00007f11e1db56c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 25.391076][ T300] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 25.408204][ T300] CR2: 0000000020009000 CR3: 0000000122040000 CR4: 00000000003506a0 [ 25.426799][ T300] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 25.442476][ T300] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 25.458733][ T300] Call Trace: [ 25.470366][ T300] [ 25.474015][ T300] ? __lookup_slow+0x36e/0x3e0 [ 25.489584][ T300] ? lookup_one_len+0x2c0/0x2c0 [ 25.494666][ T300] ? set_root+0x400/0x400 [ 25.507669][ T300] walk_component+0x234/0x410 [ 25.513132][ T300] path_lookupat+0x16d/0x450 [ 25.527658][ T300] filename_lookup+0x251/0x600 [ 25.532888][ T300] ? hashlen_string+0x120/0x120 [ 25.547248][ T300] ? strncpy_from_user+0x169/0x2b0 [ 25.553066][ T300] ? getname_flags+0x1fd/0x520 [ 25.568524][ T300] user_path_at_empty+0x43/0x1a0 [ 25.573612][ T300] path_setxattr+0xae/0x2a0 [ 25.586446][ T300] ? simple_xattr_list_add+0x120/0x120 [ 25.592989][ T300] ? fpregs_restore_userregs+0x130/0x290 [ 25.608867][ T300] __x64_sys_setxattr+0xc5/0xe0 [ 25.614343][ T300] do_syscall_64+0x3d/0xb0 [ 25.628530][ T300] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 25.635571][ T300] RIP: 0033:0x7f11e1e20879 [ 25.653817][ T300] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 25.705964][ T300] RSP: 002b:00007f11e1db5168 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc [ 25.715650][ T300] RAX: ffffffffffffffda RBX: 00007f11e1ea2418 RCX: 00007f11e1e20879 [ 25.733892][ T300] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020002740 [ 25.754385][ T300] RBP: 00007f11e1ea2410 R08: 0000000000000004 R09: 00007f11e1ea2418 [ 25.774412][ T300] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f11e1ea241c [ 25.794002][ T300] R13: 000000000000006e R14: 00007ffda71c3da0 R15: 00007ffda71c3e88 [ 25.815873][ T300] [ 25.818841][ T300] Modules linked in: [ 25.827394][ T300] ---[ end trace 0000000000000000 ]--- [ 25.841767][ T300] RIP: 0010:step_into+0x1c4/0x1090 [ 25.852938][ T300] Code: c0 0f 85 bb 0b 00 00 44 8b 3b 43 80 3c 34 00 74 0a 48 8b 7c 24 10 e8 9b fe f2 ff 48 8b 9c 24 d8 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 0f 85 a8 0b 00 00 8b 1b 89 de 81 e6 00 00 07 [ 25.898699][ T300] RSP: 0018:ffffc90000da79a0 EFLAGS: 00010202 [ 25.910049][ T300] RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff8881096b6540 [ 25.925287][ T300] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 25.942333][ T300] RBP: ffffc90000da7af0 R08: ffffffff81c82c79 R09: ffffed10226176fd [ 25.963106][ T300] R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920001b4f4f [ 25.976612][ T300] R13: ffffc90000da7c20 R14: dffffc0000000000 R15: 0000000000000001 [ 25.990648][ T300] FS: 00007f11e1db56c0(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 26.015213][ T300] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.023498][ T300] CR2: 0000000020009000 CR3: 0000000122040000 CR4: 00000000003506a0 [ 26.033950][ T300] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.048764][ T300] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.063869][ T300] Kernel panic - not syncing: Fatal exception [ 26.074188][ T300] Kernel Offset: disabled [ 26.081859][ T300] Rebooting in 86400 seconds..