./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1715183745 <...> Warning: Permanently added '10.128.1.90' (ED25519) to the list of known hosts. execve("./syz-executor1715183745", ["./syz-executor1715183745"], 0x7fffc3bc2300 /* 10 vars */) = 0 brk(NULL) = 0x555565fa0000 brk(0x555565fa0d00) = 0x555565fa0d00 arch_prctl(ARCH_SET_FS, 0x555565fa0380) = 0 set_tid_address(0x555565fa0650) = 295 set_robust_list(0x555565fa0660, 24) = 0 rseq(0x555565fa0ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1715183745", 4096) = 28 getrandom("\x50\xa7\xe9\x99\x3f\xbc\xce\x91", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555565fa0d00 brk(0x555565fc1d00) = 0x555565fc1d00 brk(0x555565fc2000) = 0x555565fc2000 mprotect(0x7f4601187000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555565fa0650) = 297 ./strace-static-x86_64: Process 297 attached [pid 297] set_robust_list(0x555565fa0660, 24) = 0 [pid 295] openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "10000000000", 11) = 11 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "20", 2) = 2 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "100", 3) = 3 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "7 4 1 3", 7) = 7 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "297", 3) = 3 [pid 295] close(3) = 0 [pid 295] kill(297, SIGKILL) = 0 [pid 297] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=297, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- mkdir("./syzkaller.ehNl2v", 0700) = 0 chmod("./syzkaller.ehNl2v", 0777) = 0 chdir("./syzkaller.ehNl2v"executing program ) = 0 write(1, "executing program\n", 18) = 18 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f45f8cd4000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 munmap(0x7f45f8cd4000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 close(4) = 0 mkdir("\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", 0777) = 0 [ 21.895978][ T28] audit: type=1400 audit(1731364834.119:66): avc: denied { execmem } for pid=295 comm="syz-executor171" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.912012][ T28] audit: type=1400 audit(1731364834.139:67): avc: denied { read write } for pid=295 comm="syz-executor171" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.912692][ T295] loop0: detected capacity change from 0 to 512 [ 21.915527][ T28] audit: type=1400 audit(1731364834.139:68): avc: denied { open } for pid=295 comm="syz-executor171" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.933220][ T295] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor171: inode #1: comm syz-executor171: iget: illegal inode # [ 21.941745][ T28] audit: type=1400 audit(1731364834.139:69): avc: denied { ioctl } for pid=295 comm="syz-executor171" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.955408][ T295] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor171: error while reading EA inode 1 err=-117 mount("/dev/loop0", "\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", "ext4", 0, "journal_ioprio=0x0000000000000004,nogrpid,nombcache,minixdf,sysvgroups,sysvgroups,usrjquota=,,errors"...) = 0 openat(AT_FDCWD, "\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", O_RDONLY|O_DIRECTORY) = 3 chdir("\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b") = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 [ 21.992932][ T28] audit: type=1400 audit(1731364834.149:70): avc: denied { mounton } for pid=295 comm="syz-executor171" path=2F726F6F742F73797A6B616C6C65722E65684E6C32762FE91F7189591E9233614B dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 21.993315][ T295] EXT4-fs (loop0): 1 orphan inode deleted [ 22.025565][ T295] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. chdir("./file0") = 0 open_tree(AT_FDCWD, "", OPEN_TREE_CLONE|OPEN_TREE_CLOEXEC|AT_SYMLINK_NOFOLLOW|AT_NO_AUTOMOUNT|AT_EMPTY_PATH|AT_RECURSIVE) = 4 openat(4, "./bus", O_ACCMODE|O_CREAT|O_TRUNC|O_NONBLOCK|__O_SYNC|O_LARGEFILE|O_CLOEXEC|0x4c000020, 0100) = 5 openat(AT_FDCWD, "blkio.bfq.io_service_time_recursive", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 open("./bus", O_RDONLY) = 7 [ 22.033983][ T28] audit: type=1400 audit(1731364834.259:71): avc: denied { mount } for pid=295 comm="syz-executor171" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 22.055806][ T28] audit: type=1400 audit(1731364834.279:72): avc: denied { write } for pid=295 comm="syz-executor171" name="file0" dev="loop0" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 22.078018][ T28] audit: type=1400 audit(1731364834.279:73): avc: denied { add_name } for pid=295 comm="syz-executor171" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 22.098555][ T28] audit: type=1400 audit(1731364834.279:74): avc: denied { create } for pid=295 comm="syz-executor171" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 22.118742][ T28] audit: type=1400 audit(1731364834.279:75): avc: denied { ioctl open } for pid=295 comm="syz-executor171" path="/bus" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 ioctl(7, LOOP_SET_STATUS64, {lo_offset=0x5, lo_number=0, lo_flags=0, lo_file_name="\x2d\xbe", ...}) = 0 [ 22.147054][ T295] loop0: detected capacity change from 512 to 511 [ 22.154515][ T295] ================================================================== [ 22.162531][ T295] BUG: KASAN: use-after-free in ext4_search_dir+0xf7/0x1b0 [ 22.169555][ T295] Read of size 1 at addr ffff8881183c53aa by task syz-executor171/295 [ 22.177540][ T295] [ 22.179721][ T295] CPU: 0 PID: 295 Comm: syz-executor171 Not tainted 6.1.112-syzkaller-00006-g96ad4e759ff4 #0 [ 22.189692][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 22.199813][ T295] Call Trace: [ 22.202926][ T295] [ 22.205704][ T295] dump_stack_lvl+0x151/0x1b7 [ 22.210393][ T295] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 22.215684][ T295] ? _printk+0xd1/0x111 [ 22.219681][ T295] ? __virt_addr_valid+0x242/0x2f0 [ 22.224625][ T295] print_report+0x158/0x4e0 [ 22.228969][ T295] ? __virt_addr_valid+0x242/0x2f0 [ 22.233919][ T295] ? kasan_addr_to_slab+0xd/0x80 [ 22.238687][ T295] ? ext4_search_dir+0xf7/0x1b0 [ 22.243369][ T295] kasan_report+0x13c/0x170 [ 22.247710][ T295] ? ext4_search_dir+0xf7/0x1b0 [ 22.252402][ T295] __asan_report_load1_noabort+0x14/0x20 [ 22.257866][ T295] ext4_search_dir+0xf7/0x1b0 [ 22.262378][ T295] ext4_find_inline_entry+0x4b6/0x5e0 [ 22.267595][ T295] ? ext4_try_create_inline_dir+0x320/0x320 [ 22.273317][ T295] __ext4_find_entry+0x2b0/0x1af0 [ 22.278174][ T295] ? kasan_save_alloc_info+0x1f/0x30 [ 22.283299][ T295] ? __kasan_slab_alloc+0x6c/0x80 [ 22.288157][ T295] ? ext4_fname_setup_ci_filename+0x70/0x480 [ 22.293972][ T295] ? ext4_ci_compare+0x660/0x660 [ 22.298770][ T295] ? memcpy+0x56/0x70 [ 22.302562][ T295] ? ext4_fname_prepare_lookup+0x3b5/0x4e0 [ 22.308207][ T295] ? d_alloc_parallel+0x116c/0x12e0 [ 22.313238][ T295] ? generic_set_encrypted_ci_d_ops+0x91/0xf0 [ 22.319141][ T295] ext4_lookup+0x176/0x740 [ 22.323396][ T295] ? ext4_add_entry+0xed0/0xed0 [ 22.328080][ T295] ? __down_common+0x690/0x690 [ 22.332683][ T295] ? lockref_get_not_dead+0x248/0x340 [ 22.337888][ T295] ? lockref_mark_dead+0xb0/0xb0 [ 22.342660][ T295] __lookup_slow+0x2b9/0x3e0 [ 22.347088][ T295] ? lookup_one_len+0x2c0/0x2c0 [ 22.351796][ T295] lookup_slow+0x5a/0x80 [ 22.355854][ T295] walk_component+0x2e7/0x410 [ 22.360369][ T295] path_lookupat+0x16d/0x450 [ 22.364795][ T295] filename_lookup+0x251/0x600 [ 22.369395][ T295] ? hashlen_string+0x120/0x120 [ 22.374084][ T295] do_linkat+0x177/0x9f0 [ 22.378161][ T295] ? common_interrupt+0x65/0xd0 [ 22.382848][ T295] ? fsnotify_link+0x240/0x240 [ 22.387447][ T295] __x64_sys_link+0x86/0x90 [ 22.391787][ T295] x64_sys_call+0x282/0x9a0 [ 22.396137][ T295] do_syscall_64+0x3b/0xb0 [ 22.400384][ T295] ? clear_bhb_loop+0x55/0xb0 [ 22.404899][ T295] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 22.410634][ T295] RIP: 0033:0x7f4601112d79 [ 22.414874][ T295] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.434328][ T295] RSP: 002b:00007ffe9cdc8d28 EFLAGS: 00000246 ORIG_RAX: 0000000000000056 [ 22.442564][ T295] RAX: ffffffffffffffda RBX: 00007ffe9cdc8d50 RCX: 00007f4601112d79 [ 22.450373][ T295] RDX: 00007f4601112d79 RSI: 0000000000000000 RDI: 0000000020000000 [ 22.458181][ T295] RBP: 0000000000000129 R08: 0000555500373932 R09: 0000555500373932 [ 22.465994][ T295] R10: 0000555500373932 R11: 0000000000000246 R12: 00007ffe9cdc8e30 [ 22.473805][ T295] R13: 00007ffe9cdc8d50 R14: 0000000000000001 R15: 0000000000000001 [ 22.481621][ T295] [ 22.484481][ T295] [ 22.486651][ T295] The buggy address belongs to the physical page: [ 22.492901][ T295] page:ffffea000460f140 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1183c5 [ 22.502973][ T295] flags: 0x4000000000000000(zone=1) [ 22.508005][ T295] raw: 4000000000000000 ffffea000460f188 ffffea000460f108 0000000000000000 [ 22.516422][ T295] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 22.524841][ T295] page dumped because: kasan: bad access detected [ 22.531103][ T295] page_owner tracks the page as freed [ 22.536295][ T295] page last allocated via order 0, migratetype Movable, gfp_mask 0x8140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO|__GFP_CMA), pid 240, tgid 240 (sshd), ts 16373553135, free_ts 16383829378 [ 22.554881][ T295] post_alloc_hook+0x213/0x220 [ 22.559468][ T295] prep_new_page+0x1b/0x110 [ 22.563812][ T295] get_page_from_freelist+0x2980/0x2a10 [ 22.569211][ T295] __alloc_pages+0x234/0x610 [ 22.573617][ T295] __folio_alloc+0x15/0x40 [ 22.577872][ T295] handle_mm_fault+0x1cf7/0x30e0 [ 22.582644][ T295] exc_page_fault+0x3b3/0x6d0 [ 22.587155][ T295] asm_exc_page_fault+0x27/0x30 [ 22.591841][ T295] page last free stack trace: [ 22.596358][ T295] free_unref_page_prepare+0x83d/0x850 [ 22.601650][ T295] free_unref_page_list+0xf1/0x7b0 [ 22.606597][ T295] release_pages+0xf7f/0xfe0 [ 22.611025][ T295] free_pages_and_swap_cache+0x8a/0xa0 [ 22.616317][ T295] tlb_finish_mmu+0x1e0/0x3f0 [ 22.620829][ T295] unmap_region+0x2c1/0x310 [ 22.625172][ T295] do_mas_align_munmap+0xd05/0x1400 [ 22.630205][ T295] do_mas_munmap+0x23e/0x2b0 [ 22.634635][ T295] __vm_munmap+0x263/0x3a0 [ 22.638884][ T295] __x64_sys_munmap+0x6b/0x80 [ 22.643398][ T295] x64_sys_call+0x75/0x9a0 [ 22.647650][ T295] do_syscall_64+0x3b/0xb0 [ 22.651901][ T295] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 22.657633][ T295] [ 22.659799][ T295] Memory state around the buggy address: [ 22.665271][ T295] ffff8881183c5280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.673169][ T295] ffff8881183c5300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.681069][ T295] >ffff8881183c5380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.689072][ T295] ^ link("\xe9\x1f\x71\x89\x59\x1e\x92\x33\x61\x4b", NULL) = -1 ENOENT (No such file or directory) exit_group(0) = ? +++ exited with 0 +++ [ 22.694276][ T295] ffff8881183c5400: ff ff ff ff ff ff ff f