./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3671480254 <...> Warning: Permanently added '10.128.1.118' (ED25519) to the list of known hosts. execve("./syz-executor3671480254", ["./syz-executor3671480254"], 0x7ffffada9a40 /* 10 vars */) = 0 brk(NULL) = 0x55556629f000 brk(0x55556629fd00) = 0x55556629fd00 arch_prctl(ARCH_SET_FS, 0x55556629f380) = 0 set_tid_address(0x55556629f650) = 291 set_robust_list(0x55556629f660, 24) = 0 rseq(0x55556629fca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3671480254", 4096) = 28 getrandom("\xfe\xc7\xb9\x50\x46\x38\xa6\xba", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556629fd00 brk(0x5555662c0d00) = 0x5555662c0d00 brk(0x5555662c1000) = 0x5555662c1000 mprotect(0x7fa859a94000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0executing program ) = 0x200001000000 write(1, "executing program\n", 18) = 18 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8515e4000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 munmap(0x7fa8515e4000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 close(4) = 0 mkdir("./file0", 0777) = 0 [ 60.889904][ T28] audit: type=1400 audit(1750753109.080:64): avc: denied { execmem } for pid=291 comm="syz-executor367" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 60.893594][ T291] loop0: detected capacity change from 0 to 512 [ 60.909832][ T28] audit: type=1400 audit(1750753109.090:65): avc: denied { read write } for pid=291 comm="syz-executor367" name="loop0" dev="devtmpfs" ino=118 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 60.941837][ T291] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor367: inode #1: comm syz-executor367: iget: illegal inode # [ 60.946078][ T28] audit: type=1400 audit(1750753109.090:66): avc: denied { open } for pid=291 comm="syz-executor367" path="/dev/loop0" dev="devtmpfs" ino=118 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 60.955945][ T291] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor367: error while reading EA inode 1 err=-117 [ 60.979844][ T28] audit: type=1400 audit(1750753109.090:67): avc: denied { ioctl } for pid=291 comm="syz-executor367" path="/dev/loop0" dev="devtmpfs" ino=118 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 60.992914][ T291] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2818: Unable to expand inode 15. Delete some EAs or run e2fsck. [ 61.018530][ T28] audit: type=1400 audit(1750753109.120:68): avc: denied { mounton } for pid=291 comm="syz-executor367" path="/root/file0" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 61.031237][ T291] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor367: inode #1: comm syz-executor367: iget: illegal inode # [ 61.067760][ T291] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor367: error while reading EA inode 1 err=-117 [ 61.080674][ T291] EXT4-fs (loop0): 1 orphan inode deleted mount("/dev/loop0", "./file0", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_I_VERSION|0x200, "usrjquota=,journal_dev=0x0000000000008000,debug_want_extra_isize=0x000000000000005c,minixdf,resgid=0"...) = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0") = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 chdir("./file0") = 0 creat("./bus", 000) = 4 mount("/dev/loop0", "./bus", NULL, MS_NODEV|MS_SYNCHRONOUS|MS_BIND|MS_REC|MS_SILENT|MS_POSIXACL|MS_UNBINDABLE|MS_RELATIME|MS_KERNMOUNT, NULL) = 0 open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_DIRECT|O_CLOEXEC) = 5 mmap(0x200000000000, 8388608, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0) = 0x200000000000 request_key(NULL, NULL, 0x200000001fee, 0) = -1 EFAULT (Bad address) [ 61.086491][ T291] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 61.095651][ T28] audit: type=1400 audit(1750753109.290:69): avc: denied { mount } for pid=291 comm="syz-executor367" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 61.105891][ T291] ================================================================== [ 61.125530][ T291] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0xaf2/0x21d0 [ 61.126790][ T28] audit: type=1400 audit(1750753109.290:70): avc: denied { write } for pid=291 comm="syz-executor367" name="file0" dev="loop0" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 61.133304][ T291] Read of size 18446744073709551600 at addr ffff88811dd33008 by task syz-executor367/291 [ 61.133324][ T291] [ 61.133329][ T291] CPU: 1 PID: 291 Comm: syz-executor367 Not tainted 6.1.141-syzkaller-00025-g45271a2c461a #0 [ 61.156086][ T28] audit: type=1400 audit(1750753109.290:71): avc: denied { add_name } for pid=291 comm="syz-executor367" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 61.165375][ T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 61.165405][ T291] Call Trace: [ 61.165412][ T291] [ 61.165419][ T291] __dump_stack+0x21/0x24 [ 61.168129][ T28] audit: type=1400 audit(1750753109.290:72): avc: denied { create } for pid=291 comm="syz-executor367" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 61.177885][ T291] dump_stack_lvl+0xee/0x150 [ 61.177918][ T291] ? __cfi_dump_stack_lvl+0x8/0x8 [ 61.177946][ T291] ? __cfi__printk+0x8/0x8 [ 61.198951][ T28] audit: type=1400 audit(1750753109.290:73): avc: denied { write open } for pid=291 comm="syz-executor367" path="/root/file0/file0/bus" dev="loop0" ino=15 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 61.208655][ T291] ? is_bpf_text_address+0x177/0x190 [ 61.208689][ T291] ? ext4_xattr_set_entry+0xaf2/0x21d0 [ 61.287913][ T291] print_address_description+0x71/0x210 [ 61.293478][ T291] print_report+0x4a/0x60 [ 61.297819][ T291] kasan_report+0x122/0x150 [ 61.302329][ T291] ? ext4_xattr_set_entry+0xaf2/0x21d0 [ 61.307796][ T291] ? ext4_xattr_set_entry+0xaf2/0x21d0 [ 61.313258][ T291] kasan_check_range+0x280/0x290 [ 61.318201][ T291] memmove+0x2d/0x70 [ 61.322104][ T291] ext4_xattr_set_entry+0xaf2/0x21d0 [ 61.327403][ T291] ext4_xattr_ibody_set+0x24e/0x6c0 [ 61.332606][ T291] ext4_destroy_inline_data_nolock+0x211/0x5b0 [ 61.338773][ T291] ? ext4_destroy_inline_data+0xe0/0xe0 [ 61.344330][ T291] ? ext4_check_all_de+0x61/0x100 [ 61.349366][ T291] ? ext4_check_all_de+0xc8/0x100 [ 61.354399][ T291] ext4_convert_inline_data_nolock+0x3c9/0x9e0 [ 61.360561][ T291] ? ext4_add_dirent_to_inline+0x420/0x420 [ 61.366376][ T291] ? __kasan_check_read+0x11/0x20 [ 61.371408][ T291] ? get_max_inline_xattr_value_size+0x4ed/0x630 [ 61.377750][ T291] ext4_try_add_inline_entry+0x784/0xad0 [ 61.383398][ T291] ? ext4_fname_setup_filename+0x243/0x2d0 [ 61.389207][ T291] ? __cfi_ext4_try_add_inline_entry+0x10/0x10 [ 61.395370][ T291] ? __kasan_check_write+0x14/0x20 [ 61.400493][ T291] ext4_add_entry+0x4eb/0xd70 [ 61.405268][ T291] ? ext4_inc_count+0x1b0/0x1b0 [ 61.410132][ T291] ? __cfi___ext4_new_inode+0x10/0x10 [ 61.415509][ T291] ? dquot_initialize+0x20/0x20 [ 61.420366][ T291] ext4_add_nondir+0x97/0x270 [ 61.425050][ T291] ext4_create+0x2e0/0x460 [ 61.429472][ T291] ? __cfi_ext4_create+0x10/0x10 [ 61.434411][ T291] ? selinux_inode_create+0x22/0x30 [ 61.439622][ T291] ? security_inode_create+0xd2/0x120 [ 61.444995][ T291] ? __cfi_ext4_create+0x10/0x10 [ 61.449940][ T291] path_openat+0x11e3/0x2f50 [ 61.454535][ T291] ? do_filp_open+0x3c0/0x3c0 [ 61.459214][ T291] do_filp_open+0x1c1/0x3c0 [ 61.463718][ T291] ? __cfi_do_filp_open+0x10/0x10 [ 61.468749][ T291] ? alloc_fd+0x4e6/0x590 [ 61.473087][ T291] do_sys_openat2+0x185/0x7e0 [ 61.477772][ T291] ? _raw_spin_unlock_irq+0x4d/0x70 [ 61.482978][ T291] ? ptrace_notify+0x1d1/0x250 [ 61.487750][ T291] ? do_sys_open+0xe0/0xe0 [ 61.492170][ T291] ? __cfi_ptrace_notify+0x10/0x10 [ 61.497294][ T291] ? xfd_validate_state+0x70/0x150 [ 61.502412][ T291] ? do_user_addr_fault+0x9ac/0x1050 [ 61.507705][ T291] __x64_sys_openat+0x136/0x160 [ 61.512569][ T291] x64_sys_call+0x783/0x9a0 [ 61.517096][ T291] do_syscall_64+0x4c/0xa0 [ 61.521521][ T291] ? clear_bhb_loop+0x30/0x80 [ 61.526207][ T291] ? clear_bhb_loop+0x30/0x80 [ 61.530895][ T291] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 61.536809][ T291] RIP: 0033:0x7fa859a21bf9 [ 61.541246][ T291] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.560859][ T291] RSP: 002b:00007fff7d2c2c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 61.569286][ T291] RAX: ffffffffffffffda RBX: 0000000000000073 RCX: 00007fa859a21bf9 [ 61.577279][ T291] RDX: 000000000000275a RSI: 00002000000000c0 RDI: 00000000ffffff9c [ 61.585282][ T291] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 61.593284][ T291] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa859a86604 [ 61.601270][ T291] R13: 00007fff7d2c2e28 R14: 0000000000000001 R15: 0000000000000001 [ 61.609253][ T291] [ 61.612272][ T291] [ 61.614595][ T291] The buggy address belongs to the physical page: [ 61.621011][ T291] page:ffffea0004774cc0 refcount:2 mapcount:0 mapping:ffff8881094cd308 index:0xbd7 pfn:0x11dd33 [ 61.631437][ T291] memcg:ffff88810033f500 [ 61.635713][ T291] aops:ext4_da_aops ino:7e4 dentry name(?):"syz-execprog" [ 61.642852][ T291] flags: 0x5000000000002014(uptodate|lru|private|zone=1) [ 61.649906][ T291] raw: 5000000000002014 ffffea0004713f48 ffffea0004774d08 ffff8881094cd308 [ 61.658490][ T291] raw: 0000000000000bd7 ffff8881133eb930 00000002ffffffff ffff88810033f500 [ 61.667068][ T291] page dumped because: kasan: bad access detected [ 61.673474][ T291] page_owner tracks the page as allocated [ 61.679182][ T291] page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), pid 272, tgid 272 (sftp-server), ts 52241439526, free_ts 52174364389 [ 61.697691][ T291] post_alloc_hook+0x1f5/0x210 [ 61.702575][ T291] prep_new_page+0x1c/0x110 [ 61.707103][ T291] get_page_from_freelist+0x2c7b/0x2cf0 [ 61.712666][ T291] __alloc_pages+0x19e/0x3a0 [ 61.717270][ T291] __folio_alloc+0x12/0x40 [ 61.721694][ T291] __filemap_get_folio+0x6ec/0x980 [ 61.726841][ T291] pagecache_get_page+0x2b/0x110 [ 61.731787][ T291] grab_cache_page_write_begin+0x43/0x60 [ 61.737433][ T291] ext4_da_write_begin+0x4f0/0x8b0 [ 61.742551][ T291] generic_perform_write+0x2f6/0x6d0 [ 61.747839][ T291] ext4_buffered_write_iter+0x36f/0x660 [ 61.753392][ T291] ext4_file_write_iter+0x18f/0x13d0 [ 61.758680][ T291] vfs_write+0x5db/0xca0 [ 61.763107][ T291] ksys_write+0x140/0x240 [ 61.767448][ T291] __x64_sys_write+0x7b/0x90 [ 61.772041][ T291] x64_sys_call+0x27b/0x9a0 [ 61.776548][ T291] page last free stack trace: [ 61.781214][ T291] free_unref_page_prepare+0x742/0x750 [ 61.786679][ T291] free_unref_page_list+0xba/0x7c0 [ 61.791791][ T291] release_pages+0xad1/0xb20 [ 61.796390][ T291] free_pages_and_swap_cache+0x86/0xa0 [ 61.801851][ T291] tlb_finish_mmu+0x1aa/0x370 [ 61.806538][ T291] unmap_region+0x28d/0x2e0 [ 61.811048][ T291] do_mas_align_munmap+0xb94/0x11b0 [ 61.816246][ T291] do_mas_munmap+0x241/0x2b0 [ 61.820837][ T291] __vm_munmap+0x19f/0x2f0 [ 61.825257][ T291] __x64_sys_munmap+0x6b/0x80 [ 61.829935][ T291] x64_sys_call+0x8a/0x9a0 [ 61.834352][ T291] do_syscall_64+0x4c/0xa0 [ 61.838767][ T291] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 61.844659][ T291] [ 61.846977][ T291] Memory state around the buggy address: [ 61.852602][ T291] ffff88811dd32f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.860661][ T291] ffff88811dd32f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.868717][ T291] >ffff88811dd33000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.876768][ T291] ^ [ 61.881088][ T291] ffff88811dd33080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.889144][ T291] ffff88811dd33100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 openat(AT_FDCWD, 0x2000000000c0, O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 exit_group(0) = ? +++ exited with 0 +++ [