DUID 00:04:11:8f:03:6f:2d:f9:09:85:36:f8:30:a5:df:54:60:b4
forked to background, child pid 192
Starting sshd: OK
syzkaller
syzkaller login: [ 12.151332][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 12.151343][ T22] audit: type=1400 audit(1672040785.789:71): avc: denied { transition } for pid=265 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 12.157018][ T22] audit: type=1400 audit(1672040785.789:72): avc: denied { write } for pid=265 comm="sh" path="pipe:[1670]" dev="pipefs" ino=1670 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.1.13' (ECDSA) to the list of known hosts.
executing program
[ 28.543112][ T22] audit: type=1400 audit(1672040802.179:73): avc: denied { execmem } for pid=298 comm="syz-executor259" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 28.548849][ T22] audit: type=1400 audit(1672040802.179:74): avc: denied { read write } for pid=298 comm="syz-executor259" name="loop0" dev="devtmpfs" ino=1154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 28.552984][ T22] audit: type=1400 audit(1672040802.189:75): avc: denied { open } for pid=298 comm="syz-executor259" path="/dev/loop0" dev="devtmpfs" ino=1154 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 28.557113][ T22] audit: type=1400 audit(1672040802.189:76): avc: denied { ioctl } for pid=298 comm="syz-executor259" path="/dev/loop0" dev="devtmpfs" ino=1154 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 28.561599][ T298] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[ 28.562126][ T22] audit: type=1400 audit(1672040802.189:77): avc: denied { mounton } for pid=298 comm="syz-executor259" path="/root/file0" dev="sda1" ino=1137 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 28.565511][ T298] ==================================================================
[ 28.587139][ T22] audit: type=1400 audit(1672040802.199:78): avc: denied { mount } for pid=298 comm="syz-executor259" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 28.595070][ T298] BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0x7ae/0xdc0
[ 28.595082][ T298] Read of size 4 at addr ffff8881e645eda8 by task syz-executor259/298
[ 28.616953][ T22] audit: type=1400 audit(1672040802.199:79): avc: denied { write } for pid=298 comm="syz-executor259" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 28.624517][ T298]
[ 28.624527][ T298] CPU: 0 PID: 298 Comm: syz-executor259 Not tainted 5.4.219-syzkaller-00012-ga8aad8851131 #0
[ 28.624531][ T298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 28.624534][ T298] Call Trace:
[ 28.624548][ T298] dump_stack+0x1d8/0x241
[ 28.632847][ T22] audit: type=1400 audit(1672040802.199:80): avc: denied { add_name } for pid=298 comm="syz-executor259" name="file1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 28.654424][ T298] ? __vfs_write+0x5e3/0x780
[ 28.654439][ T298] ? nf_ct_l4proto_log_invalid+0x26c/0x26c
[ 28.656763][ T22] audit: type=1400 audit(1672040802.199:81): avc: denied { create } for pid=298 comm="syz-executor259" name="file1" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 28.666871][ T298] ? printk+0xcf/0x10f
[ 28.666881][ T298] ? ext4_find_extent+0x7ae/0xdc0
[ 28.666893][ T298] ? vprintk_emit+0x437/0x4a0
[ 28.676935][ T22] audit: type=1400 audit(1672040802.199:82): avc: denied { write } for pid=298 comm="syz-executor259" name="file1" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 28.680172][ T298] ? ext4_find_extent+0x7ae/0xdc0
[ 28.680186][ T298] print_address_description+0x8c/0x630
[ 28.782434][ T298] ? panic+0x73e/0x73e
[ 28.786472][ T298] ? ext4_find_extent+0x7ae/0xdc0
[ 28.791461][ T298] __kasan_report+0xf6/0x130
[ 28.796016][ T298] ? ext4_find_extent+0x7ae/0xdc0
[ 28.801004][ T298] kasan_report+0x30/0x60
[ 28.805300][ T298] ext4_find_extent+0x7ae/0xdc0
[ 28.810120][ T298] ? ext4_es_scan_range+0x220/0x220
[ 28.815282][ T298] ext4_clu_mapped+0x9d/0x790
[ 28.819927][ T298] ? debug_smp_processor_id+0x20/0x20
[ 28.825263][ T298] ext4_da_get_block_prep+0x9cc/0x13a0
[ 28.830687][ T298] ? ext4_da_release_space+0x450/0x450
[ 28.836116][ T298] ? create_page_buffers+0x179/0x1e0
[ 28.841367][ T298] __block_write_begin_int+0x6df/0x1810
[ 28.846877][ T298] ? gfp_pfmemalloc_allowed+0x120/0x120
[ 28.852390][ T298] ? ext4_da_release_space+0x450/0x450
[ 28.857811][ T298] ? page_zero_new_buffers+0x530/0x530
[ 28.863235][ T298] ? wait_for_stable_page+0x125/0x160
[ 28.868603][ T298] ext4_da_write_inline_data_begin+0x512/0xbe0
[ 28.874724][ T298] ? ext4_journalled_write_inline_data+0x630/0x630
[ 28.881188][ T298] ? __brelse+0x54/0x90
[ 28.885310][ T298] ? ext4_xattr_ibody_get+0x630/0xb20
[ 28.890645][ T298] ext4_da_write_begin+0x532/0xf80
[ 28.895723][ T298] ? down_write_trylock+0x130/0x130
[ 28.900894][ T298] ? unwind_get_return_address_ptr+0xa0/0xa0
[ 28.906835][ T298] ? ext4_set_page_dirty+0x1a0/0x1a0
[ 28.912085][ T298] ? ext4_initxattrs+0x110/0x110
[ 28.916987][ T298] ? __vfs_getxattr+0x62f/0x700
[ 28.921804][ T298] ? iov_iter_fault_in_readable+0x31c/0x4d0
[ 28.927674][ T298] ? asan.module_dtor+0x20/0x20
[ 28.932489][ T298] ? deref_stack_reg+0x1f0/0x1f0
[ 28.937392][ T298] ? ktime_get_coarse_real_ts64+0xcf/0xe0
[ 28.943085][ T298] generic_perform_write+0x2f9/0x5a0
[ 28.948337][ T298] ? grab_cache_page_write_begin+0x90/0x90
[ 28.954123][ T298] ? file_remove_privs+0x640/0x640
[ 28.959204][ T298] ? debug_smp_processor_id+0x20/0x20
[ 28.964543][ T298] ? down_write_trylock+0xd8/0x130
[ 28.969626][ T298] __generic_file_write_iter+0x239/0x490
[ 28.975224][ T298] ext4_file_write_iter+0x495/0x10e0
[ 28.980479][ T298] ? ext4_file_read_iter+0x140/0x140
[ 28.985907][ T298] ? iov_iter_init+0x83/0x160
[ 28.990552][ T298] __vfs_write+0x5e3/0x780
[ 28.994938][ T298] ? __kernel_write+0x340/0x340
[ 28.999759][ T298] ? check_preemption_disabled+0x9e/0x330
[ 29.005461][ T298] ? debug_smp_processor_id+0x20/0x20
[ 29.010799][ T298] ? selinux_file_permission+0x2c2/0x530
[ 29.016396][ T298] vfs_write+0x210/0x4f0
[ 29.020606][ T298] ksys_write+0x198/0x2c0
[ 29.024902][ T298] ? __ia32_sys_read+0x80/0x80
[ 29.029632][ T298] ? _raw_spin_unlock_irq+0x4a/0x60
[ 29.034803][ T298] ? task_work_run+0x19e/0x1b0
[ 29.039560][ T298] do_syscall_64+0xcb/0x1c0
[ 29.044028][ T298] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 29.049884][ T298]
[ 29.052267][ T298] Allocated by task 234:
[ 29.056476][ T298] __kasan_kmalloc+0x131/0x1e0
[ 29.061209][ T298] kmem_cache_alloc+0xd0/0x210
[ 29.065941][ T298] __d_alloc+0x2a/0x6a0
[ 29.070061][ T298] d_alloc_parallel+0xe6/0x1310
[ 29.074878][ T298] __lookup_slow+0x15a/0x450
[ 29.079433][ T298] lookup_slow+0x53/0x70
[ 29.083639][ T298] walk_component+0x62a/0xb30
[ 29.088278][ T298] path_lookupat+0x188/0x3f0
[ 29.092832][ T298] filename_lookup+0x223/0x6a0
[ 29.097559][ T298] do_faccessat+0x367/0x780
[ 29.102025][ T298] do_syscall_64+0xcb/0x1c0
[ 29.106492][ T298] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 29.112344][ T298]
[ 29.114640][ T298] Freed by task 16:
[ 29.118412][ T298] __kasan_slab_free+0x178/0x240
[ 29.123313][ T298] slab_free_freelist_hook+0x80/0x150
[ 29.128652][ T298] kmem_cache_free+0xa9/0x1d0
[ 29.133292][ T298] rcu_do_batch+0x49e/0xa10
[ 29.137760][ T298] rcu_core+0x4ba/0xca0
[ 29.141881][ T298] __do_softirq+0x23e/0x643
[ 29.146355][ T298]
[ 29.148653][ T298] The buggy address belongs to the object at ffff8881e645ecc0
[ 29.148653][ T298] which belongs to the cache dentry of size 208
[ 29.162235][ T298] The buggy address is located 24 bytes to the right of
[ 29.162235][ T298] 208-byte region [ffff8881e645ecc0, ffff8881e645ed90)
[ 29.175899][ T298] The buggy address belongs to the page:
[ 29.181501][ T298] page:ffffea0007991780 refcount:1 mapcount:0 mapping:ffff8881f5cf9680 index:0x0
[ 29.190569][ T298] flags: 0x8000000000000200(slab)
[ 29.195560][ T298] raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5cf9680
[ 29.204123][ T298] raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
[ 29.212671][ T298] page dumped because: kasan: bad access detected
[ 29.219046][ T298] page_owner tracks the page as allocated
[ 29.224729][ T298] page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x12cd0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_RECLAIMABLE)
[ 29.238400][ T298] prep_new_page+0x194/0x380
[ 29.242953][ T298] get_page_from_freelist+0x524/0x560
[ 29.248288][ T298] __alloc_pages_nodemask+0x372/0x860
[ 29.253625][ T298] alloc_slab_page+0x39/0x3e0
[ 29.258265][ T298] new_slab+0x97/0x450
[ 29.262298][ T298] ___slab_alloc+0x320/0x4a0
[ 29.266853][ T298] __slab_alloc+0x5a/0x90
[ 29.271188][ T298] kmem_cache_alloc+0x100/0x210
[ 29.276009][ T298] __d_alloc+0x2a/0x6a0
[ 29.280133][ T298] d_alloc_parallel+0xe6/0x1310
[ 29.284958][ T298] path_openat+0x102c/0x3ea0
[ 29.289517][ T298] do_filp_open+0x208/0x450
[ 29.293989][ T298] do_sys_open+0x393/0x7e0
[ 29.298373][ T298] do_syscall_64+0xcb/0x1c0
[ 29.302843][ T298] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 29.308703][ T298] page_owner free stack trace missing
[ 29.314040][ T298]
[ 29.316337][ T298] Memory state around the buggy address:
[ 29.321941][ T298] ffff8881e645ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 29.329974][ T298] ffff8881e645ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.338001][ T298] >ffff8881e645ed80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 29.
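The numbers in the KASAN report above can be cross-checked mechanically. The Python script below is an added example and is not part of the syzkaller report or of the kernel: it parses the report's own lines (copied here as a constructed sample with the console prefixes and the interleaved audit lines stripped), recomputes where the 4-byte read at ffff8881e645eda8 falls relative to the 208-byte dentry object at ffff8881e645ecc0, and decodes the shadow bytes around it using the generic-mode KASAN encoding from mm/kasan/kasan.h (one shadow byte per 8 bytes; fb = freed slab object, fc = slab redzone). The function names `parse_kasan_report`, `shadow_state` and `triage` and the summary dictionary layout are this example's own.

```python
import re

# Constructed sample: the KASAN lines from the console log above, with the
# "[ ts][ T298]" prefixes and the interleaved audit lines stripped. Only the
# lines this parser reads are kept.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0x7ae/0xdc0
Read of size 4 at addr ffff8881e645eda8 by task syz-executor259/298
The buggy address belongs to the object at ffff8881e645ecc0
 which belongs to the cache dentry of size 208
The buggy address is located 24 bytes to the right of
 208-byte region [ffff8881e645ecc0, ffff8881e645ed90)
Memory state around the buggy address:
 ffff8881e645ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881e645ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e645ed80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
"""

# Generic-mode KASAN: one shadow byte covers 8 bytes. 0x00 = all addressable,
# 1..7 = only the first N addressable; the two poison values seen here follow
# mm/kasan/kasan.h (KASAN_KMALLOC_FREE = 0xfb, KASAN_KMALLOC_REDZONE = 0xfc).
GRANULE = 8
POISON = {0xfb: "freed slab object", 0xfc: "slab redzone"}


def parse_kasan_report(text):
    """Pull the header, access, owning object and shadow rows out of a report."""
    def need(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError("report lacks a line matching %r" % pattern)
        return m

    info = {}
    m = need(r"BUG: KASAN: (\S+) in (\S+)")
    info["bug"], info["func"] = m.group(1), m.group(2)
    m = need(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
    info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
    info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
    m = need(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)")
    info["obj_base"], info["cache"] = int(m.group(1), 16), m.group(2)
    info["obj_size"] = int(m.group(3))
    m = need(r"region \[([0-9a-f]+), ([0-9a-f]+)\)")
    info["region"] = (int(m.group(1), 16), int(m.group(2), 16))
    # KASAN's own verdict on where the address lies; absent for in-object hits.
    m = re.search(r"located (\d+) bytes to the (left|right) of", text)
    info["claimed"] = (int(m.group(1)), m.group(2)) if m else None
    # Shadow rows: "<addr>: " then 16 shadow bytes; ">" marks the row that was hit.
    shadow = {}
    for row in re.finditer(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", text, re.M):
        base = int(row.group(1), 16)
        for i, byte in enumerate(row.group(2).split()):
            shadow[base + GRANULE * i] = int(byte, 16)
    info["shadow"] = shadow
    return info


def shadow_state(info, addr):
    """Meaning of the shadow byte that covers addr."""
    b = info["shadow"].get(addr & ~(GRANULE - 1))
    if b is None:
        return "outside the dumped shadow"
    if b == 0:
        return "accessible"
    if 1 <= b < GRANULE:
        return "first %d bytes accessible" % b
    return POISON.get(b, "poison 0x%02x" % b)


def triage(text):
    """Recompute the report's offset arithmetic and say what the access hit."""
    info = parse_kasan_report(text)
    obj_end = info["obj_base"] + info["obj_size"]
    if info["region"] != (info["obj_base"], obj_end):
        raise ValueError("region line disagrees with object base and size")
    off = info["addr"] - info["obj_base"]     # bytes from object start
    past_end = off - info["obj_size"]         # > 0: ran off the end
    if off < 0:
        expected = (-off, "left")
    elif past_end >= 0:
        expected = (past_end, "right")
    else:
        expected = None                       # inside the object
    last = info["addr"] + info["size"] - 1    # last byte touched by the access
    return {
        "bug": info["bug"],
        "func": info["func"],
        "access": "%s of %d bytes" % (info["access"], info["size"]),
        "cache": info["cache"],
        "offset_in_object": off,
        "bytes_past_end": past_end,
        "claim_matches": info["claimed"] == expected,
        "hit": shadow_state(info, info["addr"]),
        "last_byte_hit": shadow_state(info, last),
        # final granule of the named object: is the neighbour live or freed?
        "neighbour_state": shadow_state(info, obj_end - GRANULE),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print("%-18s %s" % (key, value))
```

Run against the report, the script confirms KASAN's own sentence: the read lands 232 bytes from the object start, 24 bytes past its end, in the fc slab redzone, and the shadow for the dentry itself is fb, so the neighbour whose redzone was hit is already freed, which matches the "Freed by task 16" stack through rcu_do_batch. The allocation and free stacks KASAN prints describe that dentry, the slab object nearest to the faulting address, not a buffer that ext4_find_extent had any reason to read; the faulting call trace (ext4_find_extent reached from ext4_da_write_inline_data_begin) is the part that locates the bug.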