./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor561023198 <...> forked to background, child pid 197 Starting sshd: OK syzkaller syzkaller login: [ 11.361010][ T23] kauditd_printk_skb: 60 callbacks suppressed [ 11.361017][ T23] audit: type=1400 audit(1674250522.340:71): avc: denied { transition } for pid=290 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 11.367625][ T23] audit: type=1400 audit(1674250522.340:72): avc: denied { write } for pid=290 comm="sh" path="pipe:[10563]" dev="pipefs" ino=10563 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 [ 11.999873][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts. execve("./syz-executor561023198", ["./syz-executor561023198"], 0x7ffd6f332560 /* 10 vars */) = 0 brk(NULL) = 0x5555569aa000 brk(0x5555569aac40) = 0x5555569aac40 arch_prctl(ARCH_SET_FS, 0x5555569aa300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor561023198", 4096) = 27 brk(0x5555569cbc40) = 0x5555569cbc40 brk(0x5555569cc000) = 0x5555569cc000 mprotect(0x7fe05fb83000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555569aa5d0) = 373 ./strace-static-x86_64: Process 373 attached [pid 373] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 373] setpgid(0, 0) = 0 [pid 373] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 373] write(3, "1000", 4) = 4 [pid 373] close(3) = 0 [pid 373] memfd_create("syzkaller", 0) = 3 [pid 373] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe0576c8000 [pid 373] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 373] munmap(0x7fe0576c8000, 262144) = 0 [pid 373] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 373] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 373] close(3) = 0 [pid 373] mkdir("./file0", 0777) = 0 [ 19.897606][ T23] audit: type=1400 audit(1674250530.870:73): avc: denied { execmem } for pid=371 comm="syz-executor561" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 19.900889][ T23] audit: type=1400 audit(1674250530.880:74): avc: denied { read write } for pid=371 comm="syz-executor561" name="loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.905095][ T23] audit: type=1400 audit(1674250530.880:75): avc: denied { open } for pid=371 comm="syz-executor561" path="/dev/loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.908360][ T23] audit: type=1400 audit(1674250530.880:76): avc: denied { ioctl } for pid=371 comm="syz-executor561" path="/dev/loop0" dev="devtmpfs" ino=115 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.921872][ T23] audit: type=1400 audit(1674250530.900:77): avc: denied { mounton } for pid=373 comm="syz-executor561" path="/root/file0" dev="sda1" ino=1138 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 19.947505][ T373] EXT4-fs (loop0): Mount option "nouser_xattr" will be removed by 3.5 [ 19.947505][ T373] Contact linux-ext4@vger.kernel.org if you think we should keep it. [ 19.947505][ T373] [ 19.966078][ T373] EXT4-fs (loop0): Ignoring removed nobh option [ 19.972408][ T373] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! [ 19.985547][ T373] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode [pid 373] mount("/dev/loop0", "./file0", "ext4", MS_DIRSYNC|MS_REC, "nouser_xattr,acl,debug_want_extra_isize=0x0000000000000080,lazytime,nobh,quota,,errors=continue") = 0 [pid 373] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 373] chdir("./file0") = 0 [pid 373] ioctl(4, LOOP_CLR_FD) = 0 [pid 373] close(4) = 0 [pid 373] sendfile(-1, -1, NULL, 27651) = -1 EBADF (Bad file descriptor) [ 19.996731][ T373] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2179: inode #15: comm syz-executor561: corrupted in-inode xattr [ 20.009270][ T373] EXT4-fs error (device loop0): ext4_orphan_get:1395: comm syz-executor561: couldn't read orphan inode 15 (err -117) [ 20.021642][ T373] EXT4-fs (loop0): mounted filesystem without journal. Opts: nouser_xattr,acl,debug_want_extra_isize=0x0000000000000080,lazytime,nobh,quota,,errors=continue [ 20.037653][ T23] audit: type=1400 audit(1674250531.020:78): avc: denied { mount } for pid=373 comm="syz-executor561" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 20.046251][ T373] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN [ 20.059762][ T23] audit: type=1400 audit(1674250531.020:79): avc: denied { write } for pid=373 comm="syz-executor561" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 20.071374][ T373] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 20.071385][ T373] CPU: 0 PID: 373 Comm: syz-executor561 Not tainted 5.10.161-syzkaller-00019-g416c4356f372 #0 [ 20.071389][ T373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 [ 20.071412][ T373] RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 [ 20.093646][ T23] audit: type=1400 audit(1674250531.020:80): avc: denied { add_name } for pid=373 comm="syz-executor561" name="cgroup.controllers" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 20.101569][ T373] Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 63 79 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89 [ 20.101575][ T373] RSP: 0018:ffffc9000095ef60 EFLAGS: 00010246 [ 20.101585][ T373] RAX: 0000000000000000 RBX: ffffc9000095f360 RCX: ffff8881065cbb40 [ 20.101597][ T373] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c [ 20.112174][ T23] audit: type=1400 audit(1674250531.020:81): avc: denied { create } for pid=373 comm="syz-executor561" name="cgroup.controllers" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 20.122105][ T373] RBP: ffffc9000095f1f8 R08: ffffffff81eca8b9 R09: ffffed1021d7782a [ 20.122112][ T373] R10: ffffed1021d7782a R11: 1ffff11021d77829 R12: dffffc0000000000 [ 20.122118][ T373] R13: 1ffff9200012be66 R14: 0000000000000000 R15: 0000000000000000 [ 20.122126][ T373] FS: 00005555569aa300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 20.122139][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.252974][ T373] CR2: 00000000004571f0 CR3: 000000011e9d6000 CR4: 00000000003506b0 [ 20.260935][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 20.268884][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 20.276844][ T373] Call Trace: [ 20.280129][ T373] ? errseq_check+0x40/0x70 [ 20.284622][ T373] ? ext4_xattr_ibody_inline_set+0x380/0x380 [ 20.290585][ T373] ? __ext4_journal_ensure_credits+0x460/0x460 [ 20.296728][ T373] ? __kasan_check_write+0x14/0x20 [ 20.301812][ T373] ? _raw_spin_lock_irqsave+0xf8/0x210 [ 20.307340][ T373] ? ext4_reserve_inode_write+0x2d2/0x380 [ 20.313033][ T373] ? __kasan_check_write+0x14/0x20 [ 20.318121][ T373] ext4_xattr_ibody_set+0x7c/0x2a0 [ 20.323204][ T373] ext4_xattr_set_handle+0xc5d/0x15a0 [ 20.328636][ T373] ? ext4_xattr_set_entry+0x3820/0x3820 [ 20.334157][ T373] ? selinux_inode_free_security+0x200/0x200 [ 20.340124][ T373] ext4_initxattrs+0xb2/0x120 [ 20.344774][ T373] security_inode_init_security+0x26c/0x3c0 [ 20.350651][ T373] ? ext4_init_security+0x40/0x40 [ 20.355661][ T373] ? security_dentry_create_files_as+0xd0/0xd0 [ 20.361785][ T373] ? __ext4_set_acl+0x5f0/0x5f0 [ 20.366613][ T373] ? prandom_u32+0x24c/0x290 [ 20.371267][ T373] ext4_init_security+0x34/0x40 [ 20.376087][ T373] __ext4_new_inode+0x3648/0x4530 [ 20.381088][ T373] ? ext4_mark_inode_used+0xc00/0xc00 [ 20.386431][ T373] ? d_splice_alias+0x12e/0x3b0 [ 20.391252][ T373] ? dquot_initialize+0x20/0x20 [ 20.396081][ T373] ? ext4_lookup+0x597/0xb20 [ 20.400647][ T373] ? ext4_add_entry+0x12e0/0x12e0 [ 20.405645][ T373] ext4_create+0x266/0x540 [ 20.410211][ T373] ? ext4_lookup+0xb20/0xb20 [ 20.414773][ T373] ? selinux_inode_create+0x22/0x30 [ 20.419952][ T373] ? security_inode_create+0xf1/0x130 [ 20.425293][ T373] ? ext4_lookup+0xb20/0xb20 [ 20.429858][ T373] path_openat+0x1362/0x2fd0 [ 20.434424][ T373] ? do_filp_open+0x440/0x440 [ 20.439089][ T373] do_filp_open+0x200/0x440 [ 20.443575][ T373] ? vfs_tmpfile+0x280/0x280 [ 20.448139][ T373] ? get_unused_fd_flags+0x95/0xa0 [ 20.453227][ T373] do_sys_openat2+0x13b/0x470 [ 20.457876][ T373] ? ptrace_stop+0x6ff/0x9f0 [ 20.462438][ T373] ? do_sys_open+0x220/0x220 [ 20.467001][ T373] ? _raw_spin_unlock_irq+0x4e/0x70 [ 20.472175][ T373] ? ptrace_notify+0x248/0x340 [ 20.476996][ T373] __x64_sys_openat+0x243/0x290 [ 20.481818][ T373] ? __ia32_sys_open+0x270/0x270 [ 20.486727][ T373] ? syscall_enter_from_user_mode+0x58/0x1b0 [ 20.492679][ T373] do_syscall_64+0x34/0x70 [ 20.497083][ T373] entry_SYSCALL_64_after_hwframe+0x61/0xc6 [ 20.502947][ T373] RIP: 0033:0x7fe05fb15239 [ 20.507335][ T373] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 20.527005][ T373] RSP: 002b:00007ffe38f3b5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 20.535565][ T373] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe05fb15239 [ 20.543512][ T373] RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c [ 20.551630][ T373] RBP: 0000000000000000 R08: 00007fe05fb83ec0 R09: 00007fe05fb83ec0 [ 20.559591][ T373] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe38f3b5e0 [ 20.567621][ T373] R13: 0000000000000000 R14: 431bde82d7b634db R15: 0000000000000000 [ 20.575561][ T373] Modules linked in: [ 20.579646][ T373] ---[ end trace 8203cde358d9c80f ]--- [ 20.585116][ T373] RIP: 0010:ext4_xattr_set_entry+0x4a7/0x3820 [ 20.591259][ T373] Code: 00 00 48 89 d8 48 c1 e8 03 48 89 84 24 28 01 00 00 42 80 3c 20 00 74 08 48 89 df e8 63 79 ba ff 4c 8b 33 4c 89 f0 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 8f 2d 00 00 4c 89 f8 48 2b 44 24 18 48 89 [ 20.610938][ T373] RSP: 0018:ffffc9000095ef60 EFLAGS: 00010246 [ 20.616993][ T373] RAX: 0000000000000000 RBX: ffffc9000095f360 RCX: ffff8881065cbb40 [ 20.625276][ T373] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001c [ 20.633406][ T373] RBP: ffffc9000095f1f8 R08: ffffffff81eca8b9 R09: ffffed1021d7782a [ 20.641382][ T373] R10: ffffed1021d7782a R11: 1ffff11021d77829 R12: dffffc0000000000 [ 20.649365][ T373] R13: 1ffff9200012be66 R14: 0000000000000000 R15: 0000000000000000 [ 20.657512][ T373] FS: 00005555569aa300(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 20.666562][ T373] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.673176][ T373] CR2: 00000000004571f0 CR3: 000000011e9d6000 CR4: 00000000003506b0 [ 20.681159][ T373] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 20.689137][ T373] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 20.697087][ T373] Kernel panic - not syncing: Fatal exception [ 20.703273][ T373] Kernel Offset: disabled [ 20.707578][ T373] Rebooting in 86400 seconds..