./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2704372394 <...> [ 29.225496][ T3187] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.236042][ T3187] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 40.093355][ T27] kauditd_printk_skb: 37 callbacks suppressed [ 40.093371][ T27] audit: type=1400 audit(1661819536.227:73): avc: denied { transition } for pid=3415 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 40.121971][ T27] audit: type=1400 audit(1661819536.237:74): avc: denied { write } for pid=3415 comm="sh" path="pipe:[28317]" dev="pipefs" ino=28317 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts. execve("./syz-executor2704372394", ["./syz-executor2704372394"], 0x7ffe12598810 /* 10 vars */) = 0 brk(NULL) = 0x555556321000 brk(0x555556321c40) = 0x555556321c40 arch_prctl(ARCH_SET_FS, 0x555556321300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2704372394", 4096) = 28 brk(0x555556342c40) = 0x555556342c40 brk(0x555556343000) = 0x555556343000 mprotect(0x7f1a40848000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [ 51.436170][ T27] audit: type=1400 audit(1661819547.567:75): avc: denied { execmem } for pid=3607 comm="syz-executor270" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 51.442820][ T3607] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ioctl(3, KVM_CREATE_VM, 0) = 4 openat(AT_FDCWD, "/dev/bus/usb/007/001", O_RDONLY) = 5 mmap(0x2004b000, 4096, PROT_READ|PROT_WRITE|PROT_GROWSDOWN|0x10, MAP_PRIVATE|MAP_FIXED|MAP_EXECUTABLE, 5, 0) = 0x2004b000 [ 51.455757][ T27] audit: type=1400 audit(1661819547.567:76): avc: denied { read } for pid=3607 comm="syz-executor270" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 51.495144][ T27] audit: type=1400 audit(1661819547.567:77): avc: denied { open } for pid=3607 comm="syz-executor270" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=536879104, userspace_addr=0x20000000}) = 0 ioctl(4, KVM_CREATE_VCPU, 0) = 6 ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=4096, userspace_addr=0x20000000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=1, flags=0, guest_phys_addr=0x1000, memory_size=4096, userspace_addr=0x20001000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=2, flags=0, guest_phys_addr=0x2000, memory_size=4096, userspace_addr=0x20002000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=3, flags=0, guest_phys_addr=0x3000, memory_size=4096, userspace_addr=0x20003000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=4, flags=0, guest_phys_addr=0x4000, memory_size=4096, userspace_addr=0x20004000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=5, flags=0, guest_phys_addr=0x5000, memory_size=4096, userspace_addr=0x20005000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=6, flags=0, guest_phys_addr=0x6000, memory_size=4096, userspace_addr=0x20006000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=7, flags=0, guest_phys_addr=0x7000, memory_size=4096, userspace_addr=0x20007000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=8, flags=0, guest_phys_addr=0x8000, memory_size=4096, userspace_addr=0x20008000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=9, flags=0, guest_phys_addr=0x9000, memory_size=4096, userspace_addr=0x20009000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=10, flags=0, guest_phys_addr=0xfec00000, memory_size=4096, userspace_addr=0x2000a000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=11, flags=0, guest_phys_addr=0xb000, memory_size=4096, userspace_addr=0x2000b000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=12, flags=0, guest_phys_addr=0xc000, memory_size=4096, userspace_addr=0x2000c000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=13, flags=0, guest_phys_addr=0xd000, memory_size=4096, userspace_addr=0x2000d000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=14, flags=0, guest_phys_addr=0xe000, memory_size=4096, userspace_addr=0x2000e000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=15, flags=0, guest_phys_addr=0xf000, memory_size=4096, userspace_addr=0x2000f000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=16, flags=0, guest_phys_addr=0x10000, memory_size=4096, userspace_addr=0x20010000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=17, flags=0, guest_phys_addr=0x11000, memory_size=4096, userspace_addr=0x20011000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=18, flags=0, guest_phys_addr=0x12000, memory_size=4096, userspace_addr=0x20012000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=19, flags=0, guest_phys_addr=0x13000, memory_size=4096, userspace_addr=0x20013000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=20, flags=0, guest_phys_addr=0x14000, memory_size=4096, userspace_addr=0x20014000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=21, flags=0, guest_phys_addr=0x15000, memory_size=4096, userspace_addr=0x20015000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=22, flags=0, guest_phys_addr=0x16000, memory_size=4096, userspace_addr=0x20016000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=23, flags=0, guest_phys_addr=0x17000, memory_size=4096, userspace_addr=0x20017000}) = -1 EBADF (Bad file descriptor) ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=65537, flags=0, guest_phys_addr=0x30000, memory_size=65536, userspace_addr=0x20000000}) = -1 EBADF (Bad file descriptor) ioctl(6, KVM_GET_SREGS, {cs={base=0xffff0000, limit=65535, selector=61440, type=11, present=1, dpl=0, db=0, s=1, l=0, g=0, avl=0}, ...}) = 0 openat(AT_FDCWD, "/dev/kvm", O_RDWR) = 7 ioctl(7, KVM_GET_SUPPORTED_CPUID, {nent=33, entries=[...]}) = 0 ioctl(6, KVM_SET_CPUID2, {nent=33, entries=[...]}) = 0 close(7) = 0 ioctl(6, KVM_SET_MSRS, 0x7ffe95693420) = 5 ioctl(6, KVM_SET_SREGS, {cs={base=0, limit=1048575, selector=48, type=11, present=1, dpl=0, db=1, s=1, l=0, g=0, avl=0}, ...}) = 0 [ 51.519921][ T27] audit: type=1400 audit(1661819547.567:78): avc: denied { ioctl } for pid=3607 comm="syz-executor270" path="/dev/kvm" dev="devtmpfs" ino=84 ioctlcmd=0xae01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 51.544882][ T27] audit: type=1400 audit(1661819547.657:79): avc: denied { map } for pid=3607 comm="syz-executor270" path="/dev/bus/usb/007/001" dev="devtmpfs" ino=726 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usb_device_t tclass=chr_file permissive=1 ioctl(6, KVM_SET_REGS, {rax=0, ..., rsp=0xf80, rbp=0, ..., rip=0, rflags=0x2}) = 0 ioctl(-1, USBDEVFS_IOCTL, 0x200000c0) = -1 EBADF (Bad file descriptor) [ 51.581889][ T27] audit: type=1400 audit(1661819547.717:80): avc: denied { write } for pid=3607 comm="syz-executor270" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 ioctl(6, KVM_RUN, 0) = 0 exit_group(0) = ? [ 51.650046][ T3607] page:ffffea0001f7d200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7df48 [ 51.660787][ T3607] head:ffffea0001f7d200 order:1 compound_mapcount:0 compound_pincount:0 [ 51.669117][ T3607] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 51.677204][ T3607] raw: 00fff00000010200 ffffea0001f6fc88 ffffea0001f76408 ffff888011840900 [ 51.685856][ T3607] raw: 0000000000000000 ffff88807df48000 0000000100000001 0000000000000000 [ 51.695174][ T3607] page dumped because: VM_BUG_ON_FOLIO(folio_test_slab(folio)) [ 51.702799][ T3607] page_owner tracks the page as allocated [ 51.708525][ T3607] page last allocated via order 1, migratetype Unmovable, gfp_mask 0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3244, tgid 3244 (dhcpcd-run-hook), ts 28823315051, free_ts 28764121727 [ 51.728141][ T3607] get_page_from_freelist+0x109b/0x2ce0 [ 51.733766][ T3607] __alloc_pages+0x1c7/0x510 [ 51.738365][ T3607] cache_grow_begin+0x75/0x360 [ 51.743190][ T3607] cache_alloc_refill+0x27f/0x380 [ 51.748233][ T3607] __kmalloc+0x3a1/0x4a0 [ 51.752563][ T3607] tomoyo_realpath_from_path+0xc3/0x620 [ 51.758143][ T3607] tomoyo_path_perm+0x21b/0x400 [ 51.763093][ T3607] security_inode_getattr+0xcf/0x140 [ 51.768417][ T3607] vfs_statx+0x16a/0x390 [ 51.772745][ T3607] vfs_fstatat+0x8c/0xb0 [ 51.777010][ T3607] __do_sys_newfstatat+0x91/0x110 [ 51.782150][ T3607] do_syscall_64+0x35/0xb0 [ 51.786592][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.792570][ T3607] page last free stack trace: [ 51.797249][ T3607] free_pcp_prepare+0x5e4/0xd20 [ 51.802179][ T3607] free_unref_page+0x19/0x4d0 [ 51.806906][ T3607] slabs_destroy+0x89/0xc0 [ 51.811396][ T3607] ___cache_free+0x2a8/0x3d0 [ 51.816015][ T3607] qlist_free_all+0x4f/0x1b0 [ 51.820789][ T3607] kasan_quarantine_reduce+0x180/0x200 [ 51.826383][ T3607] __kasan_slab_alloc+0x97/0xb0 [ 51.831323][ T3607] kmem_cache_alloc+0x214/0x520 [ 51.836282][ T3607] vm_area_alloc+0x1c/0x110 [ 51.840951][ T3607] mmap_region+0x976/0x1460 [ 51.845466][ T3607] do_mmap+0x863/0xfa0 [ 51.849532][ T3607] vm_mmap_pgoff+0x1ab/0x270 [ 51.854213][ T3607] ksys_mmap_pgoff+0x41b/0x5a0 [ 51.858990][ T3607] do_syscall_64+0x35/0xb0 [ 51.863472][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.869458][ T3607] ------------[ cut here ]------------ [ 51.875039][ T3607] kernel BUG at include/linux/memcontrol.h:478! [ 51.881370][ T3607] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 51.887432][ T3607] CPU: 0 PID: 3607 Comm: syz-executor270 Not tainted 6.0.0-rc3-syzkaller #0 [ 51.896150][ T3607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 51.906231][ T3607] RIP: 0010:workingset_activation+0x5e3/0x6c0 [ 51.912289][ T3607] Code: 48 89 ef e8 ff 00 00 00 c6 05 b7 e3 17 0c 01 0f 0b e9 05 fc ff ff e8 bc 2a ca ff 48 c7 c6 60 25 f8 89 48 89 ef e8 dd 00 00 00 <0f> 0b e8 a6 2a ca ff 0f 0b e9 f5 fa ff ff e8 9a 2a ca ff 48 c7 c6 [ 51.931885][ T3607] RSP: 0018:ffffc90003067510 EFLAGS: 00010293 [ 51.937944][ T3607] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 51.945899][ T3607] RDX: ffff8880747a4200 RSI: ffffffff81b10e83 RDI: 0000000000000003 [ 51.953856][ T3607] RBP: ffffea0001f7d200 R08: 0000000000000003 R09: 000000000000ffff [ 51.961822][ T3607] R10: 000000000000ffff R11: 0000000000000000 R12: 0000000000000000 [ 51.969779][ T3607] R13: ffff8880b9a34d08 R14: dffffc0000000000 R15: 0000000000000003 [ 51.977734][ T3607] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 51.986651][ T3607] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 51.993223][ T3607] CR2: 0000000000000000 CR3: 000000007585e000 CR4: 00000000003526f0 [ 52.001184][ T3607] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 52.009140][ T3607] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 52.017100][ T3607] Call Trace: [ 52.020363][ T3607] [ 52.023281][ T3607] folio_mark_accessed+0x591/0xda0 [ 52.028384][ T3607] kvm_set_pfn_accessed+0x23b/0x2a0 [ 52.033571][ T3607] handle_changed_spte_acc_track+0x1bc/0x290 [ 52.039545][ T3607] __handle_changed_spte+0xc75/0x1810 [ 52.044904][ T3607] ? tdp_mmu_init_child_sp+0x590/0x590 [ 52.050361][ T3607] ? mark_lock.part.0+0xee/0x1910 [ 52.055369][ T3607] __handle_changed_spte+0xc66/0x1810 [ 52.060727][ T3607] ? tdp_mmu_init_child_sp+0x590/0x590 [ 52.066174][ T3607] __tdp_mmu_set_spte+0x229/0x9d0 [ 52.071185][ T3607] ? zap_collapsible_spte_range+0xa30/0xa30 [ 52.077063][ T3607] ? spte_to_child_pt+0xa0/0xa0 [ 52.081899][ T3607] __tdp_mmu_zap_root+0x7e7/0x860 [ 52.086909][ T3607] ? clear_dirty_pt_masked+0x520/0x520 [ 52.092375][ T3607] ? lock_release+0x780/0x780 [ 52.097037][ T3607] ? tdp_mmu_zap_root_work+0x70/0x70 [ 52.102394][ T3607] tdp_mmu_zap_root+0x12e/0x330 [ 52.107249][ T3607] kvm_tdp_mmu_zap_all+0x154/0x1b0 [ 52.112365][ T3607] ? kvm_mmu_notifier_invalidate_range+0xd0/0xd0 [ 52.118688][ T3607] kvm_mmu_zap_all+0x27c/0x2c0 [ 52.123443][ T3607] ? kvm_mmu_slot_leaf_clear_dirty+0x4d0/0x4d0 [ 52.129597][ T3607] ? lock_release+0x780/0x780 [ 52.134264][ T3607] ? kvm_mmu_notifier_invalidate_range+0xd0/0xd0 [ 52.140581][ T3607] kvm_mmu_notifier_release+0x5c/0xb0 [ 52.145941][ T3607] ? kvm_mmu_notifier_invalidate_range+0xd0/0xd0 [ 52.152254][ T3607] __mmu_notifier_release+0x1a9/0x600 [ 52.157612][ T3607] ? mmu_interval_notifier_insert+0x170/0x170 [ 52.163670][ T3607] ? uprobe_clear_state+0xf8/0x410 [ 52.168767][ T3607] ? lock_downgrade+0x6e0/0x6e0 [ 52.173604][ T3607] ? rcu_read_lock_sched_held+0x3a/0x70 [ 52.179136][ T3607] ? __mutex_lock+0x231/0x1350 [ 52.183887][ T3607] exit_mmap+0x3b6/0x490 [ 52.188133][ T3607] ? __ia32_sys_remap_file_pages+0x150/0x150 [ 52.194118][ T3607] ? ioctx_alloc+0x21f0/0x21f0 [ 52.198867][ T3607] ? find_held_lock+0x2d/0x110 [ 52.203620][ T3607] __mmput+0x122/0x4b0 [ 52.207678][ T3607] mmput+0x56/0x60 [ 52.211387][ T3607] do_exit+0x9e2/0x29b0 [ 52.215531][ T3607] ? mm_update_next_owner+0x7a0/0x7a0 [ 52.220890][ T3607] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.226092][ T3607] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.231277][ T3607] do_group_exit+0xd2/0x2f0 [ 52.235768][ T3607] __x64_sys_exit_group+0x3a/0x50 [ 52.240791][ T3607] do_syscall_64+0x35/0xb0 [ 52.245211][ T3607] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.251089][ T3607] RIP: 0033:0x7f1a407db069 [ 52.255493][ T3607] Code: Unable to access opcode bytes at RIP 0x7f1a407db03f. [ 52.262841][ T3607] RSP: 002b:00007ffe95694f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.271248][ T3607] RAX: ffffffffffffffda RBX: 00007f1a4084e290 RCX: 00007f1a407db069 [ 52.279209][ T3607] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 52.287168][ T3607] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000 [ 52.295129][ T3607] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1a4084e290 [ 52.303094][ T3607] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 52.311054][ T3607] [ 52.314057][ T3607] Modules linked in: [ 52.317997][ T3607] ---[ end trace 0000000000000000 ]--- [ 52.323490][ T3607] RIP: 0010:workingset_activation+0x5e3/0x6c0 [ 52.329590][ T3607] Code: 48 89 ef e8 ff 00 00 00 c6 05 b7 e3 17 0c 01 0f 0b e9 05 fc ff ff e8 bc 2a ca ff 48 c7 c6 60 25 f8 89 48 89 ef e8 dd 00 00 00 <0f> 0b e8 a6 2a ca ff 0f 0b e9 f5 fa ff ff e8 9a 2a ca ff 48 c7 c6 [ 52.349290][ T3607] RSP: 0018:ffffc90003067510 EFLAGS: 00010293 [ 52.355382][ T3607] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 52.363377][ T3607] RDX: ffff8880747a4200 RSI: ffffffff81b10e83 RDI: 0000000000000003 [ 52.371383][ T3607] RBP: ffffea0001f7d200 R08: 0000000000000003 R09: 000000000000ffff [ 52.379379][ T3607] R10: 000000000000ffff R11: 0000000000000000 R12: 0000000000000000 [ 52.387389][ T3607] R13: ffff8880b9a34d08 R14: dffffc0000000000 R15: 0000000000000003 [ 52.395393][ T3607] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 52.404344][ T3607] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 52.410958][ T3607] CR2: 0000000000000000 CR3: 000000007585e000 CR4: 00000000003526f0 [ 52.418920][ T3607] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 52.426909][ T3607] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 52.434911][ T3607] Kernel panic - not syncing: Fatal exception [ 52.441183][ T3607] Kernel Offset: disabled [ 52.445498][ T3607] Rebooting in 86400 seconds..