./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2439402721 <...> Warning: Permanently added '10.128.1.60' (ED25519) to the list of known hosts. execve("./syz-executor2439402721", ["./syz-executor2439402721"], 0x7ffc65cc5750 /* 10 vars */) = 0 brk(NULL) = 0x55557b710000 brk(0x55557b710d00) = 0x55557b710d00 arch_prctl(ARCH_SET_FS, 0x55557b710380) = 0 set_tid_address(0x55557b710650) = 287 set_robust_list(0x55557b710660, 24) = 0 rseq(0x55557b710ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2439402721", 4096) = 28 getrandom("\xef\x19\xb0\x1e\x9b\x2a\x18\xa1", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557b710d00 brk(0x55557b731d00) = 0x55557b731d00 brk(0x55557b732000) = 0x55557b732000 mprotect(0x7f84c2175000, 16384, PROT_READ) = 0 mmap(0x3ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ffffffff000 mmap(0x400000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000000000 mmap(0x400001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400001000000 write(1, "executing program\n", 18executing program ) = 18 openat(AT_FDCWD, "net_prio.prioidx", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 3 [ 20.975065][ T24] audit: type=1400 audit(1739152062.930:66): avc: denied { execmem } for pid=287 comm="syz-executor243" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 write(3, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 16777216 mmap(0x400000000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 3, 0) = 0x400000000000 preadv(3, 0x4000000015c0, 5, 0) = 16777088 memfd_create("syzkaller", 0) = 4 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84b9cc4000 write(4, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 munmap(0x7f84b9cc4000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 ioctl(5, LOOP_SET_FD, 4) = 0 close(4) = 0 [ 21.100624][ T24] audit: type=1400 audit(1739152063.060:67): avc: denied { read write } for pid=287 comm="syz-executor243" name="loop0" dev="devtmpfs" ino=111 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.124794][ T24] audit: type=1400 audit(1739152063.060:68): avc: denied { open } for pid=287 comm="syz-executor243" path="/dev/loop0" dev="devtmpfs" ino=111 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 close(5) = 0 mkdir(0x400000000240, 0777) = 0 [ 21.148700][ T24] audit: type=1400 audit(1739152063.060:69): avc: denied { ioctl } for pid=287 comm="syz-executor243" path="/dev/loop0" dev="devtmpfs" ino=111 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.198511][ T24] audit: type=1400 audit(1739152063.160:70): avc: denied { mounton } for pid=287 comm="syz-executor243" path="/root/file1" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 21.198566][ T287] ====================================================== [ 21.198566][ T287] WARNING: the mand mount option is being deprecated and [ 21.198566][ T287] will be removed in v5.15! [ 21.198566][ T287] ====================================================== mount("/dev/loop0", 0x400000000240, 0x400000000080, MS_MANDLOCK|MS_LAZYTIME, "discard,nodiscard,noquota,noinit_itable,stripe=0x0000000000000079,resgid=0x0000000000000000,sysvgrou"...) = 0 openat(AT_FDCWD, 0x400000000240, O_RDONLY|O_DIRECTORY) = 4 chdir(0x400000000240) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 ioctl(5, LOOP_CLR_FD) = 0 close(5) = 0 creat(0x400000000040, 000) = 5 open(0x400000000180, O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_LARGEFILE|O_NOATIME|0x3c, 000) = 6 fallocate(6, 0, 0, 1048820) = -1 ENOSPC (No space left on device) mount(0x400000000380, 0x400000000140, NULL, MS_BIND, NULL) = 0 open(0x400000000100, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 7 write(6, 0x400000000000, 42) = 42 write(7, 0x400000000080, 34136651) = 262144 [ 21.329075][ T287] EXT4-fs (loop0): 1 orphan inode deleted [ 21.334610][ T287] EXT4-fs (loop0): mounted filesystem without journal. Opts: discard,nodiscard,noquota,noinit_itable,stripe=0x0000000000000079,resgid=0x0000000000000000,sysvgroups,delalloc,delalloc,,errors=continue [ 21.354151][ T24] audit: type=1400 audit(1739152063.320:71): avc: denied { mount } for pid=287 comm="syz-executor243" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 21.354173][ T287] ext4 filesystem being mounted at /root/file1 supports timestamps until 2038-01-19 (0x7fffffff) [ 21.373622][ T287] ================================================================== [ 21.376566][ T24] audit: type=1400 audit(1739152063.330:72): avc: denied { write } for pid=287 comm="syz-executor243" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 21.386107][ T287] BUG: KASAN: use-after-free in ext4_find_extent+0xbea/0xe30 [ 21.386124][ T287] Read of size 4 at addr ffff888122048ccc by task syz-executor243/287 [ 21.394228][ T24] audit: type=1400 audit(1739152063.330:73): avc: denied { add_name } for pid=287 comm="syz-executor243" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 21.415586][ T287] [ 21.415599][ T287] CPU: 1 PID: 287 Comm: syz-executor243 Not tainted 5.10.234-syzkaller-00148-g6686f2996d23 #0 [ 21.415603][ T287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 21.415624][ T287] Call Trace: [ 21.423107][ T24] audit: type=1400 audit(1739152063.330:74): avc: denied { create } for pid=287 comm="syz-executor243" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 21.430815][ T287] dump_stack_lvl+0x1e2/0x24b [ 21.430824][ T287] ? bfq_pos_tree_add_move+0x43b/0x43b [ 21.430832][ T287] ? panic+0x812/0x812 [ 21.430841][ T287] ? __getblk_gfp+0x3d/0x7e0 [ 21.430850][ T287] print_address_description+0x81/0x3b0 [ 21.430866][ T287] kasan_report+0x179/0x1c0 [ 21.451682][ T24] audit: type=1400 audit(1739152063.330:75): avc: denied { write open } for pid=287 comm="syz-executor243" path="/root/file1/bus" dev="loop0" ino=16 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 21.453439][ T287] ? ext4_find_extent+0xbea/0xe30 [ 21.552495][ T287] ? ext4_find_extent+0xbea/0xe30 [ 21.557351][ T287] __asan_report_load4_noabort+0x14/0x20 [ 21.562811][ T287] ext4_find_extent+0xbea/0xe30 [ 21.567506][ T287] ext4_ext_remove_space+0x369/0x4e10 [ 21.572709][ T287] ? __es_remove_extent+0xe36/0x1dd0 [ 21.577823][ T287] ? _raw_spin_trylock_bh+0x190/0x190 [ 21.583047][ T287] ? __kasan_check_write+0x14/0x20 [ 21.587994][ T287] ? _raw_write_lock+0xa4/0x170 [ 21.592668][ T287] ? _raw_write_trylock+0x1a0/0x1a0 [ 21.597706][ T287] ? ext4_discard_preallocations+0xd0e/0xef0 [ 21.603547][ T287] ? ext4_ext_index_trans_blocks+0x120/0x120 [ 21.609331][ T287] ? ext4_es_remove_extent+0x297/0x460 [ 21.614623][ T287] ? ext4_zero_partial_blocks+0x1e5/0x220 [ 21.620195][ T287] ext4_punch_hole+0x720/0xb10 [ 21.624792][ T287] ext4_fallocate+0x2e8/0x1cc0 [ 21.629529][ T287] ? ext4_ext_truncate+0x200/0x200 [ 21.634468][ T287] ? fsnotify_perm+0x67/0x4e0 [ 21.638979][ T287] ? security_file_permission+0x7b/0xb0 [ 21.644362][ T287] ? preempt_count_add+0x92/0x1a0 [ 21.649224][ T287] vfs_fallocate+0x492/0x570 [ 21.653646][ T287] __x64_sys_fallocate+0xc0/0x110 [ 21.658510][ T287] do_syscall_64+0x34/0x70 [ 21.662780][ T287] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 21.668498][ T287] RIP: 0033:0x7f84c2101cf9 [ 21.672746][ T287] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 21.692186][ T287] RSP: 002b:00007ffe03ad2718 EFLAGS: 00000246 ORIG_RAX: 000000000000011d [ 21.700427][ T287] RAX: ffffffffffffffda RBX: 00004000000008af RCX: 00007f84c2101cf9 [ 21.708241][ T287] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005 [ 21.716049][ T287] RBP: 00007f84c2175610 R08: 00007ffe03ad28e8 R09: 00007ffe03ad28e8 [ 21.723859][ T287] R10: 0000000000001a00 R11: 0000000000000246 R12: 0000000000000001 [ 21.731674][ T287] R13: 00007ffe03ad28d8 R14: 0000000000000001 R15: 0000000000000001 [ 21.739481][ T287] [ 21.741647][ T287] The buggy address belongs to the page: [ 21.747156][ T287] page:ffffea0004881200 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x122048 [ 21.757191][ T287] flags: 0x4000000000000000() [ 21.761708][ T287] raw: 4000000000000000 ffffea0004881248 ffffea00048811c8 0000000000000000 [ 21.770124][ T287] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 21.778542][ T287] page dumped because: kasan: bad access detected [ 21.784792][ T287] page_owner info is not present (never set?) [ 21.790684][ T287] [ 21.792967][ T287] Memory state around the buggy address: [ 21.798443][ T287] ffff888122048b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.806336][ T287] ffff888122048c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.814242][ T287] >ffff888122048c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.822137][ T287] ^ [ 21.828467][ T287] ffff888122048d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.836390][ T287] ffff888122048d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.844285][ T287] ================================================================== [ 21.852255][ T287] Disabling lock debugging due to kernel taint [ 21.858994][ T287] ------------[ cut here ]------------ [ 21.864263][ T287] kernel BUG at fs/ext4/extents.c:3180! [ 21.869690][ T287] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 21.875544][ T287] CPU: 1 PID: 287 Comm: syz-executor243 Tainted: G B 5.10.234-syzkaller-00148-g6686f2996d23 #0 [ 21.887078][ T287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 21.897086][ T287] RIP: 0010:ext4_split_extent_at+0x121c/0x1240 [ 21.903049][ T287] Code: fe c1 38 c1 0f 8c 16 fa ff ff e8 cf b7 cf ff 48 8b 54 24 58 48 8b 74 24 40 e9 02 fa ff ff e8 1b 18 92 ff 0f 0b e8 14 18 92 ff <0f> 0b e8 0d 18 92 ff 0f 0b e8 d6 49 d5 02 e8 01 18 92 ff 0f 0b e8 [ 21.922492][ T287] RSP: 0018:ffffc90000ae7820 EFLAGS: 00010293 [ 21.928398][ T287] RAX: ffffffff81d8a74c RBX: 0000000000000000 RCX: ffff88810c9dbb40 [ 21.936204][ T287] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 21.944016][ T287] RBP: ffffc90000ae7990 R08: ffffffff81d897b2 R09: ffffc90000ae7920 [ 21.951825][ T287] R10: fffff5200015cf25 R11: dffffc0000000001 R12: 0000000000000000 [ 21.959636][ T287] R13: 0000000000000000 R14: 1ffff11024409930 R15: 0000000000000000 [ 21.967449][ T287] FS: 000055557b710380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 21.976214][ T287] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.982725][ T287] CR2: 0000558382432a78 CR3: 000000010a948000 CR4: 00000000003506a0 [ 21.990539][ T287] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.998344][ T287] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.006156][ T287] Call Trace: [ 22.009289][ T287] ? __die_body+0x62/0xb0 [ 22.013447][ T287] ? die+0x88/0xb0 [ 22.017007][ T287] ? do_trap+0x1a4/0x310 [ 22.021088][ T287] ? ext4_split_extent_at+0x121c/0x1240 [ 22.026467][ T287] ? handle_invalid_op+0x95/0xc0 [ 22.031243][ T287] ? ext4_split_extent_at+0x121c/0x1240 [ 22.036622][ T287] ? exc_invalid_op+0x32/0x50 [ 22.041136][ T287] ? asm_exc_invalid_op+0x12/0x20 [ 22.045995][ T287] ? ext4_split_extent_at+0x282/0x1240 [ 22.051293][ T287] ? ext4_split_extent_at+0x121c/0x1240 [ 22.056673][ T287] ? ext4_split_extent_at+0x121c/0x1240 [ 22.062052][ T287] ? check_panic_on_warn+0x65/0xb0 [ 22.067002][ T287] ? ext4_ext_try_to_merge_right+0x7e0/0x7e0 [ 22.072815][ T287] ext4_ext_remove_space+0x719/0x4e10 [ 22.078024][ T287] ? _raw_spin_trylock_bh+0x190/0x190 [ 22.083235][ T287] ? __kasan_check_write+0x14/0x20 [ 22.088184][ T287] ? _raw_write_lock+0xa4/0x170 [ 22.092876][ T287] ? _raw_write_trylock+0x1a0/0x1a0 [ 22.097901][ T287] ? ext4_discard_preallocations+0xd0e/0xef0 [ 22.103715][ T287] ? ext4_ext_index_trans_blocks+0x120/0x120 [ 22.109526][ T287] ? ext4_es_remove_extent+0x297/0x460 [ 22.114824][ T287] ? ext4_zero_partial_blocks+0x1e5/0x220 [ 22.120378][ T287] ext4_punch_hole+0x720/0xb10 [ 22.124979][ T287] ext4_fallocate+0x2e8/0x1cc0 [ 22.129576][ T287] ? ext4_ext_truncate+0x200/0x200 [ 22.134523][ T287] ? fsnotify_perm+0x67/0x4e0 [ 22.139035][ T287] ? security_file_permission+0x7b/0xb0 [ 22.144418][ T287] ? preempt_count_add+0x92/0x1a0 [ 22.149277][ T287] vfs_fallocate+0x492/0x570 [ 22.153702][ T287] __x64_sys_fallocate+0xc0/0x110 [ 22.158566][ T287] do_syscall_64+0x34/0x70 [ 22.162819][ T287] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 22.168545][ T287] RIP: 0033:0x7f84c2101cf9 [ 22.172799][ T287] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 22.192240][ T287] RSP: 002b:00007ffe03ad2718 EFLAGS: 00000246 ORIG_RAX: 000000000000011d [ 22.200484][ T287] RAX: ffffffffffffffda RBX: 00004000000008af RCX: 00007f84c2101cf9 [ 22.208294][ T287] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005 [ 22.216108][ T287] RBP: 00007f84c2175610 R08: 00007ffe03ad28e8 R09: 00007ffe03ad28e8 [ 22.223919][ T287] R10: 0000000000001a00 R11: 0000000000000246 R12: 0000000000000001 [ 22.231727][ T287] R13: 00007ffe03ad28d8 R14: 0000000000000001 R15: 0000000000000001 [ 22.239541][ T287] Modules linked in: [ 22.243455][ T287] ---[ end trace 8220ca3021389ef7 ]--- [ 22.248764][ T287] RIP: 0010:ext4_split_extent_at+0x121c/0x1240 [ 22.254706][ T287] Code: fe c1 38 c1 0f 8c 16 fa ff ff e8 cf b7 cf ff 48 8b 54 24 58 48 8b 74 24 40 e9 02 fa ff ff e8 1b 18 92 ff 0f 0b e8 14 18 92 ff <0f> 0b e8 0d 18 92 ff 0f 0b e8 d6 49 d5 02 e8 01 18 92 ff 0f 0b e8 [ 22.274217][ T287] RSP: 0018:ffffc90000ae7820 EFLAGS: 00010293 [ 22.280071][ T287] RAX: ffffffff81d8a74c RBX: 0000000000000000 RCX: ffff88810c9dbb40 [ 22.287889][ T287] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 22.295672][ T287] RBP: ffffc90000ae7990 R08: ffffffff81d897b2 R09: ffffc90000ae7920 [ 22.303547][ T287] R10: fffff5200015cf25 R11: dffffc0000000001 R12: 0000000000000000 [ 22.311305][ T287] R13: 0000000000000000 R14: 1ffff11024409930 R15: 0000000000000000 [ 22.319127][ T287] FS: 000055557b710380(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 22.327884][ T287] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.334289][ T287] CR2: 0000558382432a78 CR3: 000000010a948000 CR4: 00000000003506a0 [ 22.342143][ T287] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.349929][ T287] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.357745][ T287] Kernel panic - not syncing: Fatal exception [ 22.363826][ T287] Kernel Offset: disabled [ 22.367947][ T287] Rebooting in 86400 seconds..