./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2818416634 <...>
syzkaller login: [ 4.923545][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
[ 11.557287][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 11.557297][ T23] audit: type=1400 audit(1672040895.839:71): avc: denied { transition } for pid=290 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 11.563052][ T23] audit: type=1400 audit(1672040895.839:72): avc: denied { write } for pid=290 comm="sh" path="pipe:[362]" dev="pipefs" ino=362 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[ 11.567044][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
[ 11.773562][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #88!!!
[ 11.803503][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #288!!!
[ 12.855267][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #10!!!
[ 12.893450][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #82!!!
Warning: Permanently added '10.128.10.32' (ECDSA) to the list of known hosts.
execve("./syz-executor2818416634", ["./syz-executor2818416634"], 0x7ffdb7236a30 /* 10 vars */) = 0
brk(NULL) = 0x555557485000
brk(0x555557485c40) = 0x555557485c40
arch_prctl(ARCH_SET_FS, 0x555557485300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor2818416634", 4096) = 28
brk(0x5555574a6c40) = 0x5555574a6c40
brk(0x5555574a7000) = 0x5555574a7000
mprotect(0x7f65552cc000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f654ce12000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576
munmap(0x7f654ce12000, 1048576) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./file0", 0777) = 0
[ 19.535235][ T23] audit: type=1400 audit(1672040903.819:73): avc: denied { execmem } for pid=371 comm="syz-executor281" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 19.546760][ T23] audit: type=1400 audit(1672040903.829:74): avc: denied { read write } for pid=371 comm="syz-executor281" name="loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 19.552073][ T23] audit: type=1400 audit(1672040903.829:75): avc: denied { open } for pid=371 comm="syz-executor281" path="/dev/loop0" dev="devtmpfs" ino=115 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
mount("/dev/loop0", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue") = 0
openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
chdir("./file0") = 0
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
creat("./file1", 000) = 4
[ 19.565156][ T23] audit: type=1400 audit(1672040903.829:76): avc: denied { ioctl } for pid=371 comm="syz-executor281" path="/dev/loop0" dev="devtmpfs" ino=115 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 19.591011][ T23] audit: type=1400 audit(1672040903.829:77): avc: denied { mounton } for pid=371 comm="syz-executor281" path="/root/file0" dev="sda1" ino=1138 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 19.592405][ T371] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
[ 19.622761][ T23] audit: type=1400 audit(1672040903.899:78): avc: denied { mount } for pid=371 comm="syz-executor281" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 19.625293][ T371] ==================================================================
[ 19.650718][ T23] audit: type=1400 audit(1672040903.899:79): avc: denied { write } for pid=371 comm="syz-executor281" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 19.652791][ T371] BUG: KASAN: use-after-free in ext4_find_extent+0x697/0xd80
[ 19.674895][ T23] audit: type=1400 audit(1672040903.899:80): avc: denied { add_name } for pid=371 comm="syz-executor281" name="file1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 19.681909][ T371] Read of size 4 at addr ffff88810e7ae368 by task syz-executor281/371
[ 19.703029][ T23] audit: type=1400 audit(1672040903.899:81): avc: denied { create } for pid=371 comm="syz-executor281" name="file1" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1
[ 19.710827][ T371]
[ 19.710839][ T371] CPU: 1 PID: 371 Comm: syz-executor281 Not tainted 5.10.160-syzkaller-01321-g003c389455eb #0
[ 19.710844][ T371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 19.710847][ T371] Call Trace:
[ 19.710861][ T371] dump_stack_lvl+0x1e2/0x24b
[ 19.710869][ T371] ? printk+0xcf/0x10f
[ 19.710884][ T371] ? bfq_pos_tree_add_move+0x43e/0x43e
[ 19.732000][ T23] audit: type=1400 audit(1672040903.899:82): avc: denied { write } for pid=371 comm="syz-executor281" name="file1" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[ 19.733695][ T371] ? wake_up_klogd+0xb8/0xf0
[ 19.733704][ T371] ? panic+0x7d7/0x7d7
[ 19.733722][ T371] print_address_description+0x81/0x3c0
[ 19.807696][ T371] kasan_report+0x1a4/0x1f0
[ 19.812178][ T371] ? ext4_find_extent+0x697/0xd80
[ 19.817257][ T371] ? ext4_find_extent+0x697/0xd80
[ 19.822253][ T371] __asan_report_load4_noabort+0x14/0x20
[ 19.827857][ T371] ext4_find_extent+0x697/0xd80
[ 19.832679][ T371] ext4_clu_mapped+0xa0/0x7a0
[ 19.837324][ T371] ? ext4_es_lookup_extent+0x3c5/0x9d0
[ 19.842757][ T371] ext4_da_get_block_prep+0x9f9/0x13d0
[ 19.848199][ T371] ? ext4_da_release_space+0x410/0x410
[ 19.853630][ T371] ? _raw_spin_unlock+0x4d/0x70
[ 19.858452][ T371] ? __kasan_check_read+0x11/0x20
[ 19.863450][ T371] ? create_page_buffers+0x174/0x1e0
[ 19.868704][ T371] __block_write_begin_int+0x6df/0x1800
[ 19.874218][ T371] ? ext4_update_inode_fsync_trans+0x2a0/0x2a0
[ 19.880341][ T371] ? ext4_da_release_space+0x410/0x410
[ 19.885768][ T371] ? page_zero_new_buffers+0x540/0x540
[ 19.891200][ T371] ? ext4_readpage_inline+0x730/0x730
[ 19.896540][ T371] ? ext4_da_release_space+0x410/0x410
[ 19.901968][ T371] __block_write_begin+0x30/0x40
[ 19.906873][ T371] ext4_da_convert_inline_data_to_extent+0x310/0x5c0
[ 19.913515][ T371] ext4_da_write_inline_data_begin+0x23b/0x750
[ 19.919640][ T371] ? ext4_journalled_write_inline_data+0x600/0x600
[ 19.926111][ T371] ? asan.module_dtor+0x20/0x20
[ 19.930940][ T371] ext4_da_write_begin+0x532/0xf10
[ 19.936021][ T371] ? ext4_set_page_dirty+0x1d0/0x1d0
[ 19.941278][ T371] ? ext4_initxattrs+0x120/0x120
[ 19.946186][ T371] ? __vfs_getxattr+0x62f/0x700
[ 19.951015][ T371] ? iov_iter_fault_in_readable+0x325/0x500
[ 19.956875][ T371] ? asan.module_dtor+0x20/0x20
[ 19.961695][ T371] ? current_time+0x1c4/0x310
[ 19.966516][ T371] ? security_inode_need_killpriv+0x99/0xb0
[ 19.972386][ T371] generic_perform_write+0x309/0x5b0
[ 19.977642][ T371] ? file_remove_privs+0x640/0x640
[ 19.982728][ T371] ? grab_cache_page_write_begin+0xa0/0xa0
[ 19.988501][ T371] ? update_load_avg+0x4e7/0xa90
[ 19.993413][ T371] ? generic_write_checks+0x3d8/0x490
[ 19.998755][ T371] ext4_buffered_write_iter+0x47c/0x610
[ 20.004273][ T371] ext4_file_write_iter+0x192/0x1c70
[ 20.009526][ T371] ? native_set_ldt+0x360/0x360
[ 20.014344][ T371] ? set_next_entity+0xc5/0x390
[ 20.019163][ T371] ? compat_start_thread+0x80/0x80
[ 20.024248][ T371] ? avc_policy_seqno+0x1b/0x70
[ 20.029072][ T371] ? selinux_file_permission+0x2a9/0x520
[ 20.034674][ T371] ? fsnotify_perm+0x67/0x4e0
[ 20.039320][ T371] ? ext4_file_read_iter+0x4d0/0x4d0
[ 20.044572][ T371] ? security_file_permission+0xa8/0xc0
[ 20.050090][ T371] ? iov_iter_init+0x3f/0x120
[ 20.054737][ T371] vfs_write+0xc4a/0xf80
[ 20.059034][ T371] ? __kasan_check_write+0x14/0x20
[ 20.064115][ T371] ? kernel_write+0x420/0x420
[ 20.068763][ T371] ? _raw_spin_unlock_irq+0x4e/0x70
[ 20.073929][ T371] ? ptrace_stop+0x6ff/0x9f0
[ 20.078487][ T371] ? __kasan_check_read+0x11/0x20
[ 20.083478][ T371] ? __fdget_pos+0x27e/0x310
[ 20.088038][ T371] ksys_write+0x198/0x2c0
[ 20.092348][ T371] ? do_notify_parent+0xa40/0xa40
[ 20.097341][ T371] ? __ia32_sys_read+0x90/0x90
[ 20.102118][ T371] ? __x64_sys_creat+0x11f/0x160
[ 20.107025][ T371] ? __x32_compat_sys_openat+0x290/0x290
[ 20.112628][ T371] __x64_sys_write+0x7b/0x90
[ 20.117193][ T371] do_syscall_64+0x34/0x70
[ 20.121579][ T371] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 20.127447][ T371] RIP: 0033:0x7f655525e7b9
[ 20.131835][ T371] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 20.151409][ T371] RSP: 002b:00007ffe5faa6898 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 20.159788][ T371] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f655525e7b9
[ 20.167728][ T371] RDX: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004
[ 20.175674][ T371] RBP: 00007f655521e050 R08: 0000000000000000 R09: 0000000000000000
[ 20.183615][ T371] R10: 000000000000079f R11: 0000000000000246 R12: 00007f655521e0e0
[ 20.191557][ T371] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 20.199500][ T371]
[ 20.201798][ T371] Allocated by task 296:
[ 20.206013][ T371] __kasan_slab_alloc+0xb2/0xe0
[ 20.210831][ T371] kmem_cache_alloc+0x16c/0x300
[ 20.215650][ T371] proc_alloc_inode+0x1d/0xb0
[ 20.220295][ T371] new_inode_pseudo+0x64/0x220
[ 20.225027][ T371] new_inode+0x28/0x1c0
[ 20.229153][ T371] proc_pid_make_inode+0x27/0x2f0
[ 20.234145][ T371] proc_pid_instantiate+0x4c/0x1a0
[ 20.239252][ T371] proc_pid_lookup+0x196/0x270
[ 20.243986][ T371] proc_root_lookup+0x22/0x50
[ 20.248628][ T371] __lookup_slow+0x2b3/0x400
[ 20.253186][ T371] lookup_slow+0x5a/0x80
[ 20.257396][ T371] walk_component+0x425/0x5a0
[ 20.262041][ T371] link_path_walk+0x5e7/0xc40
[ 20.266687][ T371] path_openat+0x264/0x2fd0
[ 20.271185][ T371] do_filp_open+0x200/0x440
[ 20.275657][ T371] do_sys_openat2+0x13b/0x470
[ 20.280321][ T371] __x64_sys_openat+0x243/0x290
[ 20.285140][ T371] do_syscall_64+0x34/0x70
[ 20.289527][ T371] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 20.295383][ T371]
[ 20.297681][ T371] Freed by task 143:
[ 20.301548][ T371] kasan_set_track+0x4c/0x80
[ 20.306121][ T371] kasan_set_free_info+0x23/0x40
[ 20.311029][ T371] ____kasan_slab_free+0x121/0x160
[ 20.316107][ T371] __kasan_slab_free+0x11/0x20
[ 20.320837][ T371] slab_free_freelist_hook+0xcc/0x1a0
[ 20.326178][ T371] kmem_cache_free+0xa9/0x1f0
[ 20.330823][ T371] proc_free_inode+0x1d/0x20
[ 20.335387][ T371] i_callback+0x4b/0x70
[ 20.339511][ T371] rcu_do_batch+0x59e/0xc40
[ 20.343986][ T371] rcu_core+0x59b/0xe30
[ 20.348108][ T371] rcu_core_si+0x9/0x10
[ 20.352318][ T371] __do_softirq+0x27e/0x596
[ 20.356791][ T371]
[ 20.359087][ T371] Last potentially related work creation:
[ 20.364775][ T371] kasan_save_stack+0x36/0x60
[ 20.369420][ T371] kasan_record_aux_stack+0xca/0xf0
[ 20.374586][ T371] call_rcu+0x140/0x1300
[ 20.378803][ T371] evict+0x646/0x6c0
[ 20.382668][ T371] iput+0x61f/0x7d0
[ 20.386450][ T371] dentry_unlink_inode+0x2df/0x3d0
[ 20.391529][ T371] __dentry_kill+0x3e2/0x5d0
[ 20.396088][ T371] dentry_kill+0xc0/0x2a0
[ 20.400387][ T371] dput+0x175/0x320
[ 20.404165][ T371] proc_invalidate_siblings_dcache+0x2c1/0x410
[ 20.410283][ T371] proc_flush_pid+0x1a/0x20
[ 20.414756][ T371] release_task+0x10d6/0x1340
[ 20.419404][ T371] wait_consider_task+0x18a2/0x2970
[ 20.424570][ T371] do_wait+0x2f1/0x810
[ 20.428611][ T371] kernel_wait4+0x29c/0x3c0
[ 20.433082][ T371] __x64_sys_wait4+0x130/0x1e0
[ 20.437817][ T371] do_syscall_64+0x34/0x70
[ 20.442206][ T371] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 20.448069][ T371]
[ 20.450372][ T371] The buggy address belongs to the object at ffff88810e7ae350
[ 20.450372][ T371] which belongs to the cache proc_inode_cache of size 776
[ 20.469861][ T371] The buggy address is located 24 bytes inside of
[ 20.469861][ T371] 776-byte region [ffff88810e7ae350, ffff88810e7ae658)
[ 20.483119][ T371] The buggy address belongs to the page:
[ 20.488811][ T371] page:ffffea000439eb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e7ac
[ 20.499010][ T371] head:ffffea000439eb00 order:2 compound_mapcount:0 compound_pincount:0
[ 20.507303][ T371] flags: 0x8000000000010200(slab|head)
[ 20.512735][ T371] raw: 8000000000010200 dead000000000100 dead000000000122 ffff88810017f980
[ 20.521288][ T371] raw: 0000000000000000 0000000000120012 00000001ffffffff 0000000000000000
[ 20.529834][ T371] page dumped because: kasan: bad access detected
[ 20.536212][ T371] page_owner tracks the page as allocated
[ 20.541906][ T371] page last allocated via order 2, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 293, ts 11702775924, free_ts 0
[ 20.561925][ T371] get_page_from_freelist+0x755/0x810
[ 20.567267][ T371] __alloc_pages_nodemask+0x3b6/0x890
[ 20.572606][ T371] allocate_slab+0x78/0x540
[ 20.577079][ T371] ___slab_alloc+0x131/0x2e0
[ 20.581635][ T371] __slab_alloc+0x63/0xa0
[ 20.585932][ T371] kmem_cache_alloc+0x1ef/0x300
[ 20.590751][ T371] proc_alloc_inode+0x1d/0xb0
[ 20.595396][ T371] new_inode_pseudo+0x64/0x220
[ 20.600127][ T371] new_inode+0x28/0x1c0
[ 20.604343][ T371] proc_pid_make_inode+0x27/0x2f0
[ 20.609422][ T371] proc_pident_instantiate+0x75/0x2f0
[ 20.614807][ T371] proc_tgid_base_lookup+0x1a5/0x250
[ 20.620146][ T371] path_openat+0x119a/0x2fd0
[ 20.624717][ T371] do_filp_open+0x200/0x440
[ 20.629202][ T371] do_sys_openat2+0x13b/0x470
[ 20.633871][ T371] __x64_sys_openat+0x243/0x290
[ 20.638716][ T371] page_owner free stack trace missing
[ 20.644083][ T371]
[ 20.646386][ T371] Memory state around the buggy address:
[ 20.652113][ T371] ffff88810e7ae200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.660149][ T371] ffff88810e7ae280: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 20.668196][ T371] >ffff88810e7ae300: fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb
[ 20.676268][ T371] ^
write(4, "\x74\x68\x72\x65\x61\x64\x65\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 392007683) = -1 EUCLEAN (Structure needs cleaning)
exit_group(0) = ?
+++ exited with 0 +++
[ 20.683719][ T371] ffff88810e7ae380: fb fb fb fb fb fb fb fb fb fb f