./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1485480918 <...> [ 35.996344][ T3209] 8021q: adding VLAN 0 to HW filter on device bond0 [ 36.016568][ T3209] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 47.132247][ T26] kauditd_printk_skb: 37 callbacks suppressed [ 47.132265][ T26] audit: type=1400 audit(1670396208.547:73): avc: denied { transition } for pid=3440 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 47.193102][ T26] audit: type=1400 audit(1670396208.557:74): avc: denied { write } for pid=3440 comm="sh" path="pipe:[28897]" dev="pipefs" ino=28897 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts. execve("./syz-executor1485480918", ["./syz-executor1485480918"], 0x7fffa40232f0 /* 10 vars */) = 0 brk(NULL) = 0x555555eee000 brk(0x555555eeec40) = 0x555555eeec40 arch_prctl(ARCH_SET_FS, 0x555555eee300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1485480918", 4096) = 28 brk(0x555555f0fc40) = 0x555555f0fc40 brk(0x555555f10000) = 0x555555f10000 mprotect(0x7fa4db278000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa4d2d9f000 write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x04\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\x01\x00\x00\x00\xbf\xd6\xaf\x3d\x29\x4e\xa1\x54\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 munmap(0x7fa4d2d9f000, 2097152) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 60.524787][ T26] audit: type=1400 audit(1670396221.947:75): avc: denied { execmem } for pid=3634 comm="syz-executor148" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file0", 0777) = 0 [ 60.558851][ T26] audit: type=1400 audit(1670396221.977:76): avc: denied { read write } for pid=3634 comm="syz-executor148" name="loop0" dev="devtmpfs" ino=647 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 60.566328][ T3634] loop0: detected capacity change from 0 to 4096 [ 60.583610][ T26] audit: type=1400 audit(1670396221.987:77): avc: denied { open } for pid=3634 comm="syz-executor148" path="/dev/loop0" dev="devtmpfs" ino=647 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 60.600178][ T3634] ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512) mount("/dev/loop0", "./file0", "ntfs3", 0, "") = 0 [ 60.614805][ T26] audit: type=1400 audit(1670396221.987:78): avc: denied { ioctl } for pid=3634 comm="syz-executor148" path="/dev/loop0" dev="devtmpfs" ino=647 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 60.648896][ T26] audit: type=1400 audit(1670396222.017:79): avc: denied { mounton } for pid=3634 comm="syz-executor148" path="/root/file0" dev="sda1" ino=1138 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 [ 60.678726][ T26] audit: type=1400 audit(1670396222.097:80): avc: denied { mount } for pid=3634 comm="syz-executor148" name="/" dev="loop0" ino=5 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 60.696398][ T3634] ================================================================== [ 60.709317][ T3634] BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x402/0x460 [ 60.716904][ T3634] Read of size 1 at addr ffff88807ce7fabd by task syz-executor148/3634 [ 60.725169][ T3634] [ 60.727510][ T3634] CPU: 1 PID: 3634 Comm: syz-executor148 Not tainted 6.1.0-rc8-syzkaller-00014-g8ed710da2873 #0 [ 60.737944][ T3634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 60.747996][ T3634] Call Trace: [ 60.751266][ T3634] [ 60.754184][ T3634] dump_stack_lvl+0xd1/0x138 [ 60.758772][ T3634] print_report+0x15e/0x461 [ 60.763263][ T3634] ? __phys_addr+0xc8/0x140 [ 60.767758][ T3634] ? ntfs_listxattr+0x402/0x460 [ 60.772604][ T3634] kasan_report+0xbf/0x1f0 [ 60.777009][ T3634] ? ntfs_listxattr+0x402/0x460 [ 60.781938][ T3634] ntfs_listxattr+0x402/0x460 [ 60.786632][ T3634] ? selinux_inode_listxattr+0xdb/0x130 [ 60.792183][ T3634] ? ntfs_permission+0x120/0x120 [ 60.797117][ T3634] ? kmem_cache_free+0x264/0x4c0 [ 60.802048][ T3634] ? putname+0x102/0x140 [ 60.806281][ T3634] ? lockdep_hardirqs_on+0x7d/0x100 [ 60.811468][ T3634] ? ntfs_permission+0x120/0x120 [ 60.816395][ T3634] vfs_listxattr+0x109/0x190 [ 60.820978][ T3634] listxattr+0xf6/0x180 [ 60.825124][ T3634] path_listxattr+0xae/0x140 [ 60.829704][ T3634] ? listxattr+0x180/0x180 [ 60.834111][ T3634] ? lockdep_hardirqs_on+0x7d/0x100 [ 60.839305][ T3634] ? _raw_spin_unlock_irq+0x2e/0x50 [ 60.844496][ T3634] ? ptrace_notify+0xfe/0x140 [ 60.849171][ T3634] do_syscall_64+0x39/0xb0 [ 60.853573][ T3634] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 60.859461][ T3634] RIP: 0033:0x7fa4db1eb749 [ 60.863869][ T3634] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 60.883553][ T3634] RSP: 002b:00007fffa7d68008 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 [ 60.891952][ T3634] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fa4db1eb749 [ 60.899928][ T3634] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0 [ 60.907896][ T3634] RBP: 00007fa4db1aafe0 R08: 000000000001f6fe R09: 0000000000000000 [ 60.915887][ T3634] R10: 00007fffa7d67ed0 R11: 0000000000000246 R12: 00007fa4db1ab070 [ 60.923850][ T3634] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 60.931810][ T3634] [ 60.934816][ T3634] [ 60.937129][ T3634] Allocated by task 3634: [ 60.941439][ T3634] kasan_save_stack+0x22/0x40 [ 60.946116][ T3634] kasan_set_track+0x25/0x30 [ 60.950704][ T3634] __kasan_kmalloc+0xa3/0xb0 [ 60.955285][ T3634] __kmalloc+0x5a/0xd0 [ 60.959346][ T3634] ntfs_read_ea+0x3e4/0x850 [ 60.963843][ T3634] ntfs_listxattr+0x16b/0x460 [ 60.968505][ T3634] vfs_listxattr+0x109/0x190 [ 60.973088][ T3634] listxattr+0xf6/0x180 [ 60.977233][ T3634] path_listxattr+0xae/0x140 [ 60.981812][ T3634] do_syscall_64+0x39/0xb0 [ 60.986214][ T3634] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 60.992103][ T3634] [ 60.994413][ T3634] The buggy address belongs to the object at ffff88807ce7fa80 [ 60.994413][ T3634] which belongs to the cache kmalloc-64 of size 64 [ 61.008278][ T3634] The buggy address is located 61 bytes inside of [ 61.008278][ T3634] 64-byte region [ffff88807ce7fa80, ffff88807ce7fac0) [ 61.021361][ T3634] [ 61.023668][ T3634] The buggy address belongs to the physical page: [ 61.030080][ T3634] page:ffffea0001f39fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807ce7f180 pfn:0x7ce7f [ 61.041542][ T3634] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 61.049081][ T3634] raw: 00fff00000000200 ffffea0001e69a08 ffffea0000895088 ffff888012040200 [ 61.057660][ T3634] raw: ffff88807ce7f180 ffff88807ce7f000 0000000100000016 0000000000000000 [ 61.066225][ T3634] page dumped because: kasan: bad access detected [ 61.072621][ T3634] page_owner tracks the page as allocated [ 61.078315][ T3634] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3009, tgid 3009 (udevd), ts 32348431009, free_ts 32117580289 [ 61.096966][ T3634] get_page_from_freelist+0x10b5/0x2d50 [ 61.102508][ T3634] __alloc_pages+0x1cb/0x5b0 [ 61.107084][ T3634] cache_grow_begin+0x94/0x390 [ 61.111861][ T3634] cache_alloc_refill+0x27f/0x380 [ 61.116874][ T3634] __kmem_cache_alloc_node+0x44a/0x510 [ 61.122325][ T3634] __kmalloc+0x4a/0xd0 [ 61.126385][ T3634] tomoyo_encode2.part.0+0xe9/0x3a0 [ 61.131597][ T3634] tomoyo_encode+0x2c/0x50 [ 61.136000][ T3634] tomoyo_realpath_from_path+0x185/0x600 [ 61.141635][ T3634] tomoyo_check_open_permission+0x27a/0x380 [ 61.147519][ T3634] tomoyo_file_open+0xa1/0xc0 [ 61.152205][ T3634] security_file_open+0x49/0xb0 [ 61.157043][ T3634] do_dentry_open+0x575/0x13f0 [ 61.161797][ T3634] path_openat+0x1bf6/0x2860 [ 61.166482][ T3634] do_filp_open+0x1ba/0x410 [ 61.170980][ T3634] do_sys_openat2+0x16d/0x4c0 [ 61.175679][ T3634] page last free stack trace: [ 61.180332][ T3634] free_pcp_prepare+0x65c/0xd90 [ 61.185169][ T3634] free_unref_page+0x1d/0x4d0 [ 61.189834][ T3634] slabs_destroy+0x85/0xc0 [ 61.194257][ T3634] ___cache_free+0x2ac/0x3d0 [ 61.198851][ T3634] qlist_free_all+0x4f/0x1a0 [ 61.203444][ T3634] kasan_quarantine_reduce+0x184/0x210 [ 61.208905][ T3634] __kasan_slab_alloc+0x63/0x90 [ 61.213747][ T3634] kmem_cache_alloc+0x220/0x460 [ 61.218597][ T3634] getname_flags.part.0+0x50/0x4f0 [ 61.223702][ T3634] getname_flags+0x9e/0xe0 [ 61.228109][ T3634] vfs_fstatat+0x77/0xb0 [ 61.232342][ T3634] __do_sys_newfstatat+0x94/0x120 [ 61.237368][ T3634] do_syscall_64+0x39/0xb0 [ 61.241774][ T3634] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.247774][ T3634] [ 61.250100][ T3634] Memory state around the buggy address: [ 61.255718][ T3634] ffff88807ce7f980: 00 00 00 00 00 00 00 03 fc fc fc fc fc fc fc fc [ 61.263768][ T3634] ffff88807ce7fa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 61.271813][ T3634] >ffff88807ce7fa80: 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc [ 61.279854][ T3634] ^ [ 61.285733][ T3634] ffff88807ce7fb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 61.293780][ T3634] ffff88807ce7fb80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 61.301822][ T3634] ================================================================== [ 61.310160][ T3634] Kernel panic - not syncing: panic_on_warn set ... [ 61.316765][ T3634] CPU: 1 PID: 3634 Comm: syz-executor148 Not tainted 6.1.0-rc8-syzkaller-00014-g8ed710da2873 #0 [ 61.327204][ T3634] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.337264][ T3634] Call Trace: [ 61.340539][ T3634] [ 61.343470][ T3634] dump_stack_lvl+0xd1/0x138 [ 61.348088][ T3634] panic+0x2cc/0x626 [ 61.351991][ T3634] ? panic_print_sys_info.part.0+0x110/0x110 [ 61.357984][ T3634] ? preempt_schedule_common+0x59/0xc0 [ 61.363452][ T3634] ? preempt_schedule_thunk+0x1a/0x1c [ 61.368846][ T3634] end_report.part.0+0x3f/0x7c [ 61.373622][ T3634] ? ntfs_listxattr+0x402/0x460 [ 61.378491][ T3634] kasan_report.cold+0xa/0xf [ 61.383093][ T3634] ? ntfs_listxattr+0x402/0x460 [ 61.387966][ T3634] ntfs_listxattr+0x402/0x460 [ 61.392657][ T3634] ? selinux_inode_listxattr+0xdb/0x130 [ 61.398220][ T3634] ? ntfs_permission+0x120/0x120 [ 61.403170][ T3634] ? kmem_cache_free+0x264/0x4c0 [ 61.408128][ T3634] ? putname+0x102/0x140 [ 61.412383][ T3634] ? lockdep_hardirqs_on+0x7d/0x100 [ 61.417597][ T3634] ? ntfs_permission+0x120/0x120 [ 61.422547][ T3634] vfs_listxattr+0x109/0x190 [ 61.427160][ T3634] listxattr+0xf6/0x180 [ 61.431330][ T3634] path_listxattr+0xae/0x140 [ 61.435935][ T3634] ? listxattr+0x180/0x180 [ 61.440372][ T3634] ? lockdep_hardirqs_on+0x7d/0x100 [ 61.445586][ T3634] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.450799][ T3634] ? ptrace_notify+0xfe/0x140 [ 61.455583][ T3634] do_syscall_64+0x39/0xb0 [ 61.460010][ T3634] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.465930][ T3634] RIP: 0033:0x7fa4db1eb749 [ 61.470348][ T3634] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 61.489958][ T3634] RSP: 002b:00007fffa7d68008 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 [ 61.498378][ T3634] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fa4db1eb749 [ 61.506351][ T3634] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0 [ 61.514324][ T3634] RBP: 00007fa4db1aafe0 R08: 000000000001f6fe R09: 0000000000000000 [ 61.522304][ T3634] R10: 00007fffa7d67ed0 R11: 0000000000000246 R12: 00007fa4db1ab070 [ 61.530277][ T3634] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 61.538254][ T3634] [ 61.541328][ T3634] Kernel Offset: disabled [ 61.545646][ T3634] Rebooting in 86400 seconds..