./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2277738928 <...> syzkaller syzkaller login: [ 11.093863][ T23] kauditd_printk_skb: 60 callbacks suppressed [ 11.093872][ T23] audit: type=1400 audit(1669510239.579:71): avc: denied { transition } for pid=289 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 11.098874][ T23] audit: type=1400 audit(1669510239.579:72): avc: denied { write } for pid=289 comm="sh" path="pipe:[916]" dev="pipefs" ino=916 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 [ 11.790231][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!! [ 12.650925][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #28a!!! [ 12.653408][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! [ 12.655664][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts. execve("./syz-executor2277738928", ["./syz-executor2277738928"], 0x7fffd221f4c0 /* 10 vars */) = 0 brk(NULL) = 0x55555722f000 brk(0x55555722fd40) = 0x55555722fd40 arch_prctl(ARCH_SET_FS, 0x55555722f400) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555722f6d0) = 371 set_robust_list(0x55555722f6e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f038e0ba400, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f038e0b9950}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f038e0ba4a0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f038e0b9950}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2277738928", 4096) = 28 brk(0x555557250d40) = 0x555557250d40 brk(0x555557251000) = 0x555557251000 mprotect(0x7f038e17b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f038e0b42b0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f038e0b9950}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f038e0b42b0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f038e0b9950}, NULL, 8) = 0 futex(0x7f038e1816ec, FUTEX_WAKE_PRIVATE, 1000000) = 0 mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f038e089000 mprotect(0x7f038e08a000, 131072, PROT_READ|PROT_WRITE) = 0 clone(child_stack=0x7f038e0a92f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[372], tls=0x7f038e0a9700, child_tidptr=0x7f038e0a99d0) = 372 futex(0x7f038e1816e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 futex(0x7f038e1816ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 372 attached [pid 372] set_robust_list(0x7f038e0a99e0, 24) = 0 [pid 372] memfd_create("syzkaller", 0) = 3 [pid 372] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0385c89000 [pid 372] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 372] munmap(0x7f0385c89000, 1048576) = 0 [pid 372] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 372] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 372] close(3) = 0 [pid 372] mkdir("./file0", 0777) = 0 [ 19.710154][ T23] audit: type=1400 audit(1669510248.189:73): avc: denied { execmem } for pid=371 comm="syz-executor227" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 19.719576][ T23] audit: type=1400 audit(1669510248.199:74): avc: denied { read write } for pid=371 comm="syz-executor227" name="loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.723492][ T23] audit: type=1400 audit(1669510248.199:75): avc: denied { open } for pid=371 comm="syz-executor227" path="/dev/loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.727010][ T23] audit: type=1400 audit(1669510248.199:76): avc: denied { ioctl } for pid=371 comm="syz-executor227" path="/dev/loop0" dev="devtmpfs" ino=115 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.731008][ T23] audit: type=1400 audit(1669510248.199:77): avc: denied { mounton } for pid=371 comm="syz-executor227" path="/root/file0" dev="sda1" ino=1138 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 19.732675][ T372] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue [ 19.764856][ T23] audit: type=1400 audit(1669510248.259:78): avc: denied { mount } for pid=371 comm="syz-executor227" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 19.773975][ T372] EXT4-fs error (device loop0): ext4_mb_generate_buddy:805: group 0, [pid 372] mount("/dev/loop0", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue") = 0 [pid 372] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 372] chdir("./file0") = 0 [pid 372] ioctl(4, LOOP_CLR_FD) = 0 [pid 372] close(4) = 0 [pid 372] futex(0x7f038e1816ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7f038e1816e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7f038e1816ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 1 [pid 372] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|0x29800030, 000) = 4 [pid 372] futex(0x7f038e1816ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7f038e1816e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7f038e1816ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 1 [pid 372] write(4, "#! ./bus\n", 9) = 9 [pid 372] futex(0x7f038e1816ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7f038e1816e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7f038e1816ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 1 [pid 372] open("./bus", O_RDWR) = 5 [pid 372] futex(0x7f038e1816ec, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7f038e1816e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7f038e1816ec, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 1 [pid 372] mmap(0x20000000, 6291456, PROT_WRITE|PROT_EXEC|PROT_SEM|0x7ffff0, MAP_SHARED|MAP_FIXED|MAP_LOCKED|1< [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7f038e1816e8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7f038e1816fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0385d68000 [pid 371] mprotect(0x7f0385d69000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 371] clone(child_stack=0x7f0385d882f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[377], tls=0x7f0385d88700, child_tidptr=0x7f0385d889d0) = 377 [pid 371] futex(0x7f038e1816f8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7f038e1816fc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 1 ./strace-static-x86_64: Process 377 attached [pid 377] set_robust_list(0x7f0385d889e0, 24) = 0 [pid 371] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 19.786707][ T23] audit: type=1400 audit(1669510248.259:79): avc: denied { write } for pid=371 comm="syz-executor227" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 19.786721][ T23] audit: type=1400 audit(1669510248.259:80): avc: denied { add_name } for pid=371 comm="syz-executor227" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 19.786733][ T23] audit: type=1400 audit(1669510248.259:81): avc: denied { create } for pid=371 comm="syz-executor227" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [pid 372] --- SIGBUS {si_signo=SIGBUS, si_code=BUS_ADRERR, si_addr=0x20000f82} --- [pid 377] openat(4, 0x20000040, O_WRONLY|O_CREAT|O_APPEND|O_SYNC|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|__O_TMPFILE, 0213) = -1 EINVAL (Invalid argument) [pid 372] write(4, 0x20000f80, 9 [pid 377] futex(0x7f038e1816fc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 19.786750][ T23] audit: type=1400 audit(1669510248.259:82): avc: denied { read write open } for pid=371 comm="syz-executor227" path="/root/file0/bus" dev="loop0" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 19.794963][ T372] block bitmap and bg descriptor inconsistent: 25 vs 150994969 free clusters [ 19.890822][ T372] ------------[ cut here ]------------ [ 19.896281][ T372] kernel BUG at fs/ext4/inode.c:2767! [ 19.901714][ T372] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 19.907760][ T372] CPU: 0 PID: 372 Comm: syz-executor227 Not tainted 5.10.153-syzkaller-00570-g673a7341bdab #0 [ 19.917985][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 19.928020][ T372] RIP: 0010:ext4_writepages+0x36f6/0x3710 [ 19.933821][ T372] Code: c6 31 ff e8 3c ec 8f ff 84 db 75 2c e8 23 e9 8f ff 48 bb 00 00 00 00 00 fc ff df 4c 8b 64 24 40 e9 28 f7 ff ff e8 0a e9 8f ff <0f> 0b e8 03 e9 8f ff e8 8d 87 23 ff eb a0 e8 f7 e8 8f ff e8 81 87 [ 19.953406][ T372] RSP: 0018:ffffc90000b87300 EFLAGS: 00010293 [pid 377] futex(0x7f038e1816f8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 371] exit_group(0) = ? [pid 377] <... futex resumed>) = ? [pid 377] +++ exited with 0 +++ [ 19.959454][ T372] RAX: ffffffff81dcfab6 RBX: 0000008000000000 RCX: ffff888106583b40 [ 19.967408][ T372] RDX: 0000000000000000 RSI: 0000008000000000 RDI: 0000000000000000 [ 19.975359][ T372] RBP: ffffc90000b876f0 R08: ffffffff81dcca9a R09: ffffed1021ce176d [ 19.983306][ T372] R10: ffffed1021ce176d R11: 1ffff11021ce176c R12: ffff8881059d4000 [ 19.991255][ T372] R13: ffffc90000b875c0 R14: 0000008410000000 R15: ffffc90000b87860 [ 19.999210][ T372] FS: 00007f038e0a9700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 20.008140][ T372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.014697][ T372] CR2: 0000000020000f82 CR3: 0000000106388000 CR4: 00000000003506b0 [ 20.022644][ T372] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 20.030592][ T372] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 20.038544][ T372] Call Trace: [ 20.041815][ T372] ? __ext4_get_inode_loc+0x44c/0xd20 [ 20.047160][ T372] ? errseq_check+0x40/0x70 [ 20.051635][ T372] ? __kasan_check_read+0x11/0x20 [ 20.056629][ T372] ? mark_buffer_dirty+0x1eb/0x310 [ 20.061712][ T372] ? __ext4_handle_dirty_metadata+0x2d0/0x800 [ 20.067748][ T372] ? ext4_readpage+0x220/0x220 [ 20.072486][ T372] ? __kasan_check_write+0x14/0x20 [ 20.077572][ T372] ? ext4_mark_iloc_dirty+0x2183/0x3350 [ 20.083097][ T372] ? __ext4_expand_extra_isize+0x3d0/0x3d0 [ 20.088889][ T372] ? ext4_readpage+0x220/0x220 [ 20.093633][ T372] do_writepages+0x13a/0x280 [ 20.098203][ T372] ? __kasan_check_read+0x11/0x20 [ 20.103206][ T372] ? __writepage+0x130/0x130 [ 20.107774][ T372] ? __kasan_check_write+0x14/0x20 [ 20.112866][ T372] ? _raw_spin_unlock+0x4d/0x70 [ 20.117700][ T372] __filemap_fdatawrite_range+0x354/0x420 [ 20.123396][ T372] ? filemap_check_errors+0x120/0x120 [ 20.128748][ T372] ? generic_perform_write+0x51c/0x5b0 [ 20.134182][ T372] file_write_and_wait_range+0x89/0x120 [ 20.139702][ T372] ext4_sync_file+0x19e/0x9d0 [ 20.144368][ T372] vfs_fsync_range+0x17b/0x190 [ 20.149111][ T372] ext4_buffered_write_iter+0x565/0x610 [ 20.154630][ T372] ext4_file_write_iter+0x192/0x1c70 [ 20.159890][ T372] ? set_next_entity+0xc5/0x390 [ 20.164722][ T372] ? compat_start_thread+0x80/0x80 [ 20.169805][ T372] ? __kasan_check_read+0x11/0x20 [ 20.174805][ T372] ? avc_policy_seqno+0x1b/0x70 [ 20.179633][ T372] ? selinux_file_permission+0x2a9/0x520 [ 20.185239][ T372] ? fsnotify_perm+0x67/0x4e0 [ 20.189888][ T372] ? ext4_file_read_iter+0x4d0/0x4d0 [ 20.195147][ T372] ? security_file_permission+0xa8/0xc0 [ 20.200665][ T372] ? iov_iter_init+0x3f/0x120 [ 20.205315][ T372] vfs_write+0xc4a/0xf80 [ 20.209531][ T372] ? __kasan_check_write+0x14/0x20 [ 20.214616][ T372] ? kernel_write+0x420/0x420 [ 20.219269][ T372] ? mutex_lock+0xb2/0x1e0 [ 20.223660][ T372] ? mutex_trylock+0x180/0x180 [ 20.228400][ T372] ? __fdget_pos+0x26d/0x310 [ 20.232960][ T372] ? ksys_write+0x77/0x2c0 [ 20.237358][ T372] ksys_write+0x198/0x2c0 [ 20.241659][ T372] ? do_notify_parent+0xa40/0xa40 [ 20.246655][ T372] ? __ia32_sys_read+0x90/0x90 [ 20.251391][ T372] ? debug_smp_processor_id+0x17/0x20 [ 20.256745][ T372] ? fpregs_assert_state_consistent+0xb6/0xe0 [ 20.262784][ T372] __x64_sys_write+0x7b/0x90 [ 20.267362][ T372] do_syscall_64+0x34/0x70 [ 20.271770][ T372] entry_SYSCALL_64_after_hwframe+0x61/0xc6 [ 20.277645][ T372] RIP: 0033:0x7f038e0fc889 [ 20.282050][ T372] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 20.301633][ T372] RSP: 002b:00007f038e0a9208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 20.310046][ T372] RAX: ffffffffffffffda RBX: 00007f038e1816e8 RCX: 00007f038e0fc889 [ 20.317990][ T372] RDX: 0000000000000009 RSI: 0000000020000f80 RDI: 0000000000000004 [ 20.325935][ T372] RBP: 00007f038e1816e0 R08: 00007f038e1816e0 R09: 0000000000000000 [ 20.333881][ T372] R10: 00007f038e0a9210 R11: 0000000000000246 R12: 00007f038e1816ec [ 20.341827][ T372] R13: 00007ffdf7fe3e4f R14: 00007f038e0a9300 R15: 0000000000022000 [ 20.349772][ T372] Modules linked in: [ 20.353795][ T372] ---[ end trace 692ed9bbd04ade5c ]--- [ 20.359250][ T372] RIP: 0010:ext4_writepages+0x36f6/0x3710 [ 20.364990][ T372] Code: c6 31 ff e8 3c ec 8f ff 84 db 75 2c e8 23 e9 8f ff 48 bb 00 00 00 00 00 fc ff df 4c 8b 64 24 40 e9 28 f7 ff ff e8 0a e9 8f ff <0f> 0b e8 03 e9 8f ff e8 8d 87 23 ff eb a0 e8 f7 e8 8f ff e8 81 87 [ 20.384609][ T372] RSP: 0018:ffffc90000b87300 EFLAGS: 00010293 [ 20.390675][ T372] RAX: ffffffff81dcfab6 RBX: 0000008000000000 RCX: ffff888106583b40 [ 20.398626][ T372] RDX: 0000000000000000 RSI: 0000008000000000 RDI: 0000000000000000 [ 20.406597][ T372] RBP: ffffc90000b876f0 R08: ffffffff81dcca9a R09: ffffed1021ce176d [ 20.414564][ T372] R10: ffffed1021ce176d R11: 1ffff11021ce176c R12: ffff8881059d4000 [ 20.422528][ T372] R13: ffffc90000b875c0 R14: 0000008410000000 R15: ffffc90000b87860 [ 20.430498][ T372] FS: 00007f038e0a9700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 20.439394][ T372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 20.446015][ T372] CR2: 0000000020000f82 CR3: 0000000106388000 CR4: 00000000003506b0 [ 20.454003][ T372] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 20.461985][ T372] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 20.469940][ T372] Kernel panic - not syncing: Fatal exception [ 20.476143][ T372] Kernel Offset: disabled [ 20.480448][ T372] Rebooting in 86400 seconds..