./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1469235090
<...>
Warning: Permanently added '10.128.0.149' (ED25519) to the list of known hosts.
execve("./syz-executor1469235090", ["./syz-executor1469235090"], 0x7ffef6aa36e0 /* 10 vars */) = 0
brk(NULL) = 0x555556ae2000
brk(0x555556ae2e00) = 0x555556ae2e00
arch_prctl(ARCH_SET_FS, 0x555556ae2480) = 0
set_tid_address(0x555556ae2750) = 5018
set_robust_list(0x555556ae2760, 24) = 0
rseq(0x555556ae2da0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1469235090", 4096) = 28
getrandom("\x0d\x5e\x91\xbe\x5b\x25\x7c\x9f", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555556ae2e00
brk(0x555556b03e00) = 0x555556b03e00
brk(0x555556b04000) = 0x555556b04000
mprotect(0x7f803fc3a000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 5018
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11) = 11
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2) = 2
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7) = 7
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "5018", 4) = 4
close(3) = 0
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7f803fb72e50, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f803fb7add0}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7f803fb72e50, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f803fb7add0}, NULL, 8) = 0
mkdir("./syzkaller.jsD0kI", 0700) = 0
chmod("./syzkaller.jsD0kI", 0777) = 0
chdir("./syzkaller.jsD0kI") = 0
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8037769000
write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\xff\xff\xff\xff\xff\xff\xff\x08\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\xbb\x02\x87\x1c\xc7\xbb\xb3\x5e\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152
munmap(0x7f8037769000, 2097152) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./file0", 0777) = 0
[ 43.628800][ T5018] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5018 'syz-executor146'
[ 43.656181][ T5018] loop0: detected capacity change from 0 to 4096
[ 43.665483][ T5018] ntfs3: loop0: Different NTFS sector size (2048) and media sector size (512).
[ 43.674520][ T5018] ntfs3: loop0: NTFS 0.00 Gb is too big to use 32 bits per cluster.
[ 43.682934][ T5018] ==================================================================
[ 43.690978][ T5018] BUG: KASAN: use-after-free in memcmp+0x172/0x1c0
[ 43.697475][ T5018] Read of size 8 at addr ffff888072fc3002 by task syz-executor146/5018
[ 43.705688][ T5018]
[ 43.707990][ T5018] CPU: 1 PID: 5018 Comm: syz-executor146 Not tainted 6.5.0-rc1-syzkaller-00152-g4b810bf037e5 #0
[ 43.718376][ T5018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
[ 43.728404][ T5018] Call Trace:
[ 43.731657][ T5018]
[ 43.734562][ T5018] dump_stack_lvl+0xd9/0x1b0
[ 43.739134][ T5018] print_report+0xc4/0x620
[ 43.743533][ T5018] ? __virt_addr_valid+0x5e/0x2d0
[ 43.748538][ T5018] ? __phys_addr+0xc6/0x140
[ 43.753019][ T5018] kasan_report+0xda/0x110
[ 43.757414][ T5018] ? memcmp+0x172/0x1c0
[ 43.761545][ T5018] ? memcmp+0x172/0x1c0
[ 43.765679][ T5018] memcmp+0x172/0x1c0
[ 43.769631][ T5018] ? __bread_gfp+0x79/0x310
[ 43.774112][ T5018] ntfs_fill_super+0x6e0/0x43b0
[ 43.778949][ T5018] ? put_ntfs+0x330/0x330
[ 43.783257][ T5018] ? vsprintf+0x30/0x30
[ 43.787391][ T5018] ? set_blocksize+0x2bd/0x360
[ 43.792129][ T5018] get_tree_bdev+0x43e/0x7d0
[ 43.796695][ T5018] ? put_ntfs+0x330/0x330
[ 43.801001][ T5018] vfs_get_tree+0x88/0x350
[ 43.805390][ T5018] path_mount+0x1492/0x1ed0
[ 43.809868][ T5018] ? kmem_cache_free+0xf0/0x490
[ 43.814696][ T5018] ? finish_automount+0xa50/0xa50
[ 43.819698][ T5018] ? putname+0x101/0x140
[ 43.823928][ T5018] __x64_sys_mount+0x293/0x310
[ 43.828672][ T5018] ? copy_mnt_ns+0xb60/0xb60
[ 43.833235][ T5018] ? lockdep_hardirqs_on+0x7d/0x100
[ 43.838412][ T5018] ? _raw_spin_unlock_irq+0x2e/0x50
[ 43.843587][ T5018] ? ptrace_notify+0xf4/0x130
[ 43.848257][ T5018] do_syscall_64+0x38/0xb0
[ 43.852647][ T5018] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.858529][ T5018] RIP: 0033:0x7f803fbafb8a
[ 43.862923][ T5018] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 3e 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 43.882514][ T5018] RSP: 002b:00007fffca1ee648 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 43.890902][ T5018] RAX: ffffffffffffffda RBX: 00007fffca1ee660 RCX: 00007f803fbafb8a
[ 43.898879][ T5018] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fffca1ee660
[ 43.906843][ T5018] RBP: 0000000000000004 R08: 00007fffca1ee6a0 R09: 000000000001f3ed
[ 43.914789][ T5018] R10: 0000000001000018 R11: 0000000000000286 R12: 0000000001000018
[ 43.922735][ T5018] R13: 00007fffca1ee6a0 R14: 0000000000000003 R15: 0000000000200000
[ 43.930687][ T5018]
[ 43.933678][ T5018]
[ 43.935974][ T5018] The buggy address belongs to the physical page:
[ 43.942355][ T5018] page:ffffea0001cbf0c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x72fc3
[ 43.952482][ T5018] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 43.959563][ T5018] page_type: 0xffffffff()
[ 43.963868][ T5018] raw: 00fff00000000000 ffffea0001cbf108 ffffea0001cbf448 0000000000000000
[ 43.972426][ T5018] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 43.980982][ T5018] page dumped because: kasan: bad access detected
[ 43.987365][ T5018] page_owner tracks the page as freed
[ 43.992701][ T5018] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5010, tgid 5010 (sshd), ts 37778005519, free_ts 37850403020
[ 44.010642][ T5018] post_alloc_hook+0x2d2/0x350
[ 44.015385][ T5018] get_page_from_freelist+0x10a9/0x31e0
[ 44.020909][ T5018] __alloc_pages+0x1d0/0x4a0
[ 44.025477][ T5018] __folio_alloc+0x16/0x40
[ 44.029874][ T5018] vma_alloc_folio+0x156/0x890
[ 44.034611][ T5018] __handle_mm_fault+0x12a8/0x3b80
[ 44.039701][ T5018] handle_mm_fault+0x2ab/0x9d0
[ 44.044446][ T5018] do_user_addr_fault+0x2e7/0xfc0
[ 44.049442][ T5018] exc_page_fault+0x5c/0xd0
[ 44.053917][ T5018] asm_exc_page_fault+0x26/0x30
[ 44.058741][ T5018] page last free stack trace:
[ 44.063381][ T5018] free_unref_page_prepare+0x508/0xb90
[ 44.068814][ T5018] free_unref_page_list+0xe6/0xb30
[ 44.073898][ T5018] release_pages+0x32a/0x14e0
[ 44.078547][ T5018] tlb_batch_pages_flush+0x9a/0x190
[ 44.083721][ T5018] tlb_finish_mmu+0x14b/0x7e0
[ 44.088371][ T5018] exit_mmap+0x2db/0x960
[ 44.092583][ T5018] __mmput+0x12a/0x4d0
[ 44.096631][ T5018] mmput+0x62/0x70
[ 44.100326][ T5018] do_exit+0x9b4/0x2a20
[ 44.104458][ T5018] do_group_exit+0xd4/0x2a0
[ 44.108942][ T5018] __x64_sys_exit_group+0x3e/0x50
[ 44.113946][ T5018] do_syscall_64+0x38/0xb0
[ 44.118339][ T5018] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 44.124216][ T5018]
[ 44.126516][ T5018] Memory state around the buggy address:
[ 44.132114][ T5018] ffff888072fc2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.140150][ T5018] ffff888072fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.148183][ T5018] >ffff888072fc3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.156214][ T5018] ^
[ 44.160252][ T5018] ffff888072fc3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.168281][ T5018] ffff888072fc3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.176325][ T5018] ==================================================================
[ 44.184829][ T5018] Disabling lock debugging due to kernel taint
[ 44.191013][ T5018] ==================================================================
[ 44.199059][ T5018] BUG: KASAN: use-after-free in memcmp+0x1a3/0x1c0
[ 44.205544][ T5018] Read of size 1 at addr ffff888072fc3002 by task syz-executor146/5018
[ 44.213760][ T5018]
[ 44.216072][ T5018] CPU: 1 PID: 5018 Comm: syz-executor146 Tainted: G B 6.5.0-rc1-syzkaller-00152-g4b810bf037e5 #0
[ 44.227943][ T5018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
[ 44.237981][ T5018] Call Trace:
[ 44.241241][ T5018]
[ 44.244153][ T5018] dump_stack_lvl+0xd9/0x1b0
[ 44.248733][ T5018] print_report+0xc4/0x620
[ 44.253143][ T5018] ? __virt_addr_valid+0x5e/0x2d0
[ 44.258157][ T5018] ? __phys_addr+0xc6/0x140
[ 44.262649][ T5018] kasan_report+0xda/0x110
[ 44.267073][ T5018] ? memcmp+0x1a3/0x1c0
[ 44.271213][ T5018] ? memcmp+0x1a3/0x1c0
[ 44.275353][ T5018] memcmp+0x1a3/0x1c0
[ 44.279319][ T5018] ? __bread_gfp+0x79/0x310
[ 44.283816][ T5018] ntfs_fill_super+0x6e0/0x43b0
[ 44.288659][ T5018] ? put_ntfs+0x330/0x330
[ 44.292972][ T5018] ? vsprintf+0x30/0x30
[ 44.297116][ T5018] ? set_blocksize+0x2bd/0x360
[ 44.301864][ T5018] get_tree_bdev+0x43e/0x7d0
[ 44.306439][ T5018] ? put_ntfs+0x330/0x330
[ 44.310758][ T5018] vfs_get_tree+0x88/0x350
[ 44.315159][ T5018] path_mount+0x1492/0x1ed0
[ 44.319648][ T5018] ? kmem_cache_free+0xf0/0x490
[ 44.324486][ T5018] ? finish_automount+0xa50/0xa50
[ 44.329505][ T5018] ? putname+0x101/0x140
[ 44.333741][ T5018] __x64_sys_mount+0x293/0x310
[ 44.338490][ T5018] ? copy_mnt_ns+0xb60/0xb60
[ 44.343082][ T5018] ? lockdep_hardirqs_on+0x7d/0x100
[ 44.348265][ T5018] ? _raw_spin_unlock_irq+0x2e/0x50
[ 44.353456][ T5018] ? ptrace_notify+0xf4/0x130
[ 44.358115][ T5018] do_syscall_64+0x38/0xb0
[ 44.362516][ T5018] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 44.368432][ T5018] RIP: 0033:0x7f803fbafb8a
[ 44.372829][ T5018] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 3e 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 44.392473][ T5018] RSP: 002b:00007fffca1ee648 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 44.400872][ T5018] RAX: ffffffffffffffda RBX: 00007fffca1ee660 RCX: 00007f803fbafb8a
[ 44.408825][ T5018] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fffca1ee660
[ 44.416777][ T5018] RBP: 0000000000000004 R08: 00007fffca1ee6a0 R09: 000000000001f3ed
[ 44.424730][ T5018] R10: 0000000001000018 R11: 0000000000000286 R12: 0000000001000018
[ 44.432685][ T5018] R13: 00007fffca1ee6a0 R14: 0000000000000003 R15: 0000000000200000
[ 44.440647][ T5018]
[ 44.443646][ T5018]
[ 44.445947][ T5018] The buggy address belongs to the physical page:
[ 44.452334][ T5018] page:ffffea0001cbf0c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x72fc3
[ 44.462463][ T5018] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 44.469552][ T5018] page_type: 0xffffffff()
[ 44.473867][ T5018] raw: 00fff00000000000 ffffea0001cbf108 ffffea0001cbf448 0000000000000000
[ 44.482433][ T5018] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 44.490994][ T5018] page dumped because: kasan: bad access detected
[ 44.497383][ T5018] page_owner tracks the page as freed
[ 44.502736][ T5018] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5010, tgid 5010 (sshd), ts 37778005519, free_ts 37850403020
[ 44.520687][ T5018] post_alloc_hook+0x2d2/0x350
[ 44.525445][ T5018] get_page_from_freelist+0x10a9/0x31e0
[ 44.530981][ T5018] __alloc_pages+0x1d0/0x4a0
[ 44.535559][ T5018] __folio_alloc+0x16/0x40
[ 44.539958][ T5018] vma_alloc_folio+0x156/0x890
[ 44.544707][ T5018] __handle_mm_fault+0x12a8/0x3b80
[ 44.549808][ T5018] handle_mm_fault+0x2ab/0x9d0
[ 44.554564][ T5018] do_user_addr_fault+0x2e7/0xfc0
[ 44.559573][ T5018] exc_page_fault+0x5c/0xd0
[ 44.564061][ T5018] asm_exc_page_fault+0x26/0x30
[ 44.568900][ T5018] page last free stack trace:
[ 44.573549][ T5018] free_unref_page_prepare+0x508/0xb90
[ 44.578992][ T5018] free_unref_page_list+0xe6/0xb30
[ 44.584093][ T5018] release_pages+0x32a/0x14e0
[ 44.588749][ T5018] tlb_batch_pages_flush+0x9a/0x190
[ 44.593933][ T5018] tlb_finish_mmu+0x14b/0x7e0
[ 44.598599][ T5018] exit_mmap+0x2db/0x960
[ 44.602826][ T5018] __mmput+0x12a/0x4d0
[ 44.606876][ T5018] mmput+0x62/0x70
[ 44.610574][ T5018] do_exit+0x9b4/0x2a20
[ 44.614716][ T5018] do_group_exit+0xd4/0x2a0
[ 44.619211][ T5018] __x64_sys_exit_group+0x3e/0x50
[ 44.624221][ T5018] do_syscall_64+0x38/0xb0
[ 44.628616][ T5018] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 44.634500][ T5018]
[ 44.636805][ T5018] Memory state around the buggy address:
[ 44.642414][ T5018] ffff888072fc2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.650457][ T5018] ffff888072fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.658500][ T5018] >ffff888072fc3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.666539][ T5018] ^
[ 44.670582][ T5018] ffff888072fc3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
mount("/dev/loop0", "./file0", "ntfs3", MS_NOEXEC|MS_SYNCHRONOUS|MS_STRICTATIME, "") = -1 EINVAL (Invalid argument)
[ 44.678621][ T5018] ffff888072fc3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.686658][ T5018] ==================================================================
[ 44.696420][ T5018] ntfs3: loop0: Alternative boot signature is not NTFS.
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
exit_group(0) = ?
+++ exited with 0 +++