./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2769601804 <...> Starting sshd: OK syzkaller syzkaller login: [ 11.796840][ T22] kauditd_printk_skb: 60 callbacks suppressed [ 11.796847][ T22] audit: type=1400 audit(1652543713.329:71): avc: denied { transition } for pid=264 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 11.801967][ T22] audit: type=1400 audit(1652543713.329:72): avc: denied { write } for pid=264 comm="sh" path="pipe:[10660]" dev="pipefs" ino=10660 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 [ 12.457524][ T265] sshd (265) used greatest stack depth: 26944 bytes left [ 13.981907][ T275] sshd (275) used greatest stack depth: 26704 bytes left Warning: Permanently added '10.128.0.218' (ECDSA) to the list of known hosts. execve("./syz-executor2769601804", ["./syz-executor2769601804"], 0x7ffe4a4d5380 /* 10 vars */) = 0 brk(NULL) = 0x555556fcf000 brk(0x555556fcfc40) = 0x555556fcfc40 arch_prctl(ARCH_SET_FS, 0x555556fcf300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555556fcf5d0) = 304 set_robust_list(0x555556fcf5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fce51782840, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fce51782f10}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fce517828e0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fce51782f10}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2769601804", 4096) = 28 brk(0x555556ff0c40) = 0x555556ff0c40 brk(0x555556ff1000) = 0x555556ff1000 mprotect(0x7fce51844000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556fcf5d0) = 306 ./strace-static-x86_64: Process 306 attached [pid 306] set_robust_list(0x555556fcf5e0, 24) = 0 [pid 306] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 306] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 306] setsid() = 1 [pid 306] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 306] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 306] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 306] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 306] prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0 [pid 306] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 306] unshare(CLONE_NEWNS) = 0 [pid 306] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 306] unshare(CLONE_NEWIPC) = -1 EINVAL (Invalid argument) [pid 306] unshare(CLONE_NEWCGROUP) = 0 [pid 306] unshare(CLONE_NEWUTS) = 0 [pid 306] unshare(CLONE_SYSVSEM) = 0 [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) [pid 306] getpid() = 1 [pid 306] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 308] set_robust_list(0x7fce517719e0, 24) = 0 [pid 308] creat("./file0", 000) = 3 [pid 308] futex(0x7fce518501ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = 0 [pid 307] futex(0x7fce518501a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7fce518501ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=100000000} [pid 308] <... futex resumed>) = 1 [pid 308] memfd_create("syzkaller", 0) = 4 [pid 308] ftruncate(4, 0) = 0 [pid 308] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 308] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 308] mkdir("./file0", 0777) = -1 EEXIST (File exists) [pid 308] mount("/dev/loop0", "./file0", 0x200000c0, MS_BIND, 0x7fce517711b0) = 0 [pid 308] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = -1 ENOTDIR (Not a directory) [ 19.391911][ T22] audit: type=1400 audit(1652543720.909:75): avc: denied { mount } for pid=306 comm="syz-executor276" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 19.414589][ T22] audit: type=1400 audit(1652543720.909:76): avc: denied { mounton } for pid=306 comm="syz-executor276" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [pid 308] ioctl(5, LOOP_CLR_FD) = 0 [pid 308] close(5) = 0 [pid 308] close(4) = 0 [pid 308] futex(0x7fce518501ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = 0 [pid 308] <... futex resumed>) = 1 [pid 307] futex(0x7fce518501a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 308] memfd_create("syzkaller", 0 [pid 307] <... futex resumed>) = 0 [pid 308] <... memfd_create resumed>) = 4 [pid 307] futex(0x7fce518501ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=100000000} [pid 308] ftruncate(4, 262144) = 0 [pid 308] pwrite64(4, "\x20\x00\x00\x00\x80\x00\x00\x00\x06\x00\x00\x00\x60\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x40\x00\x00\x00\x40\x00\x00\x20\x00\x00\x00\xd8\xf4\x65\x5f\xd8\xf4\x65\x5f\x01\x00\xff\xff\x53\xef\x01\x00\x01\x00\x00\x00\xd8\xf4\x65\x5f\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x80\x00\x00\x00\x08\x00\x00\x00\x52\x47\x00\x00"..., 102, 1024) = 102 [pid 308] pwrite64(4, "\x01\x00\x00\x00\x00\x00\x05\x00\x0c", 9, 1376) = 9 [pid 308] pwrite64(4, NULL, 0, 1600) = 0 [pid 308] pwrite64(4, "\x02\x00\x00\x00\x12\x00\x00\x00\x22\x00\x00\x00\x60\x00", 14, 2048) = 14 [pid 308] pwrite64(4, NULL, 0, 4096) = 0 [pid 308] pwrite64(4, "\x50\x4d\x4d\x00\x50\x4d\x4d\xff", 8, 24576) = 8 [pid 308] pwrite64(4, NULL, 0, 26624) = 0 [pid 308] pwrite64(4, NULL, 0, 0) = 0 [pid 308] pwrite64(4, NULL, 0, 31744) = 0 [pid 308] pwrite64(4, NULL, 0, 32768) = 0 [pid 308] pwrite64(4, NULL, 0, 33792) = 0 [pid 308] pwrite64(4, NULL, 0, 34816) = 0 [pid 308] pwrite64(4, NULL, 0, 35840) = 0 [pid 308] pwrite64(4, NULL, 0, 36864) = 0 [pid 308] pwrite64(4, NULL, 0, 39936) = 0 [pid 308] pwrite64(4, NULL, 0, 69760) = 0 [pid 308] pwrite64(4, NULL, 0, 69888) = 0 [pid 308] pwrite64(4, NULL, 0, 70016) = 0 [pid 308] pwrite64(4, NULL, 0, 71040) = 0 [pid 308] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 5 [pid 308] ioctl(5, LOOP_SET_FD, 4) = 0 [pid 308] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 19.436167][ T22] audit: type=1400 audit(1652543720.909:77): avc: denied { mounton } for pid=306 comm="syz-executor276" path="/dev/binderfs" dev="devtmpfs" ino=9976 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1 [ 19.459190][ T22] audit: type=1400 audit(1652543720.909:78): avc: denied { mount } for pid=306 comm="syz-executor276" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 19.482719][ T22] audit: type=1400 audit(1652543720.939:79): avc: denied { module_request } for pid=306 comm="syz-executor276" kmod="ip6table_nat" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 19.504812][ T22] audit: type=1400 audit(1652543720.939:80): avc: denied { read write } for pid=306 comm="syz-executor276" name="loop0" dev="devtmpfs" ino=67 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.510759][ T308] EXT4-fs error (device loop0): ext4_fill_super:4599: inode #2: comm syz-executor276: iget: root inode unallocated [pid 308] mount("/dev/loop0", "./file0", "ext4", 0, ",errors=continue" [pid 307] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 307] futex(0x7fce518501bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fce51730000 [pid 307] mprotect(0x7fce51731000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 307] clone(child_stack=0x7fce517503f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4], tls=0x7fce51750700, child_tidptr=0x7fce517509d0) = 4 [pid 307] futex(0x7fce518501b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7fce518501bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 313 attached [pid 313] set_robust_list(0x7fce517509e0, 24) = 0 [pid 313] creat("./file0", 000) = 6 [pid 313] futex(0x7fce518501bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = 0 [pid 307] futex(0x7fce518501b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 307] futex(0x7fce518501bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 313] <... futex resumed>) = 1 [pid 313] fallocate(6, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 0, 672267775) = 0 [pid 313] futex(0x7fce518501bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 307] <... futex resumed>) = 0 [pid 313] <... futex resumed>) = 1 [ 19.528994][ T22] audit: type=1400 audit(1652543720.939:81): avc: denied { open } for pid=306 comm="syz-executor276" path="/dev/loop0" dev="devtmpfs" ino=67 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.541274][ T308] EXT4-fs (loop0): get root inode failed [ 19.565049][ T22] audit: type=1400 audit(1652543720.939:82): avc: denied { ioctl } for pid=306 comm="syz-executor276" path="/dev/loop0" dev="devtmpfs" ino=67 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.574822][ T308] EXT4-fs (loop0): mount failed [ 19.601174][ T311] ------------[ cut here ]------------ [ 19.606607][ T311] kernel BUG at fs/buffer.c:3027! [ 19.611634][ T311] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 19.617687][ T311] CPU: 1 PID: 311 Comm: kmmpd-loop0 Not tainted 5.4.180-syzkaller-00006-gee52e8cb3015 #0 [ 19.627458][ T311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 19.637497][ T311] RIP: 0010:submit_bh_wbc+0x76e/0x790 [ 19.642845][ T311] Code: 08 80 e1 07 80 c1 03 38 c1 0f 8c be fe ff ff 48 8b 7c 24 08 e8 83 97 ee ff e9 af fe ff ff e8 69 37 c2 ff 0f 0b e8 62 37 c2 ff <0f> 0b e8 5b 37 c2 ff 0f 0b e8 54 37 c2 ff 0f 0b e8 4d 37 c2 ff 0f [ 19.662427][ T311] RSP: 0018:ffff8881dd377d10 EFLAGS: 00010293 [ 19.668462][ T311] RAX: ffffffff819e077e RBX: 0000000000000000 RCX: ffff8881dd0ebf00 [ 19.676401][ T311] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 19.684340][ T311] RBP: 1ffff1103cdd8a00 R08: ffffffff819e00a9 R09: ffffed103cdd8a01 [pid 313] futex(0x7fce518501b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 307] close(3) = 0 [pid 307] close(4) = 0 [pid 307] close(5) = 0 [pid 307] close(6) = 0 [pid 307] close(7) = -1 EBADF (Bad file descriptor) [pid 307] close(8) = -1 EBADF (Bad file descriptor) [pid 307] close(9) = -1 EBADF (Bad file descriptor) [pid 307] close(10) = -1 EBADF (Bad file descriptor) [pid 307] close(11) = -1 EBADF (Bad file descriptor) [pid 307] close(12) = -1 EBADF (Bad file descriptor) [pid 307] close(13) = -1 EBADF (Bad file descriptor) [pid 307] close(14) = -1 EBADF (Bad file descriptor) [pid 307] close(15) = -1 EBADF (Bad file descriptor) [pid 307] close(16) = -1 EBADF (Bad file descriptor) [pid 307] close(17) = -1 EBADF (Bad file descriptor) [pid 307] close(18) = -1 EBADF (Bad file descriptor) [pid 307] close(19) = -1 EBADF (Bad file descriptor) [pid 307] close(20) = -1 EBADF (Bad file descriptor) [pid 307] close(21) = -1 EBADF (Bad file descriptor) [pid 307] close(22) = -1 EBADF (Bad file descriptor) [pid 307] close(23) = -1 EBADF (Bad file descriptor) [pid 307] close(24) = -1 EBADF (Bad file descriptor) [pid 307] close(25) = -1 EBADF (Bad file descriptor) [pid 307] close(26) = -1 EBADF (Bad file descriptor) [pid 307] close(27) = -1 EBADF (Bad file descriptor) [pid 307] close(28) = -1 EBADF (Bad file descriptor) [pid 307] close(29) = -1 EBADF (Bad file descriptor) [pid 307] exit_group(0) = ? [pid 313] <... futex resumed>) = ? [pid 313] +++ exited with 0 +++ [ 19.692278][ T311] R10: ffffed103cdd8a01 R11: 1ffff1103cdd8a00 R12: 0000000000000001 [ 19.700216][ T311] R13: ffff8881e6ec5000 R14: dffffc0000000000 R15: 0000000000003800 [ 19.708155][ T311] FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 19.717068][ T311] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 19.723640][ T311] CR2: 00007fce51806860 CR3: 00000001dd781000 CR4: 00000000003406e0 [ 19.731584][ T311] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 19.739524][ T311] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 19.747463][ T311] Call Trace: [ 19.750726][ T311] ? _raw_spin_lock_irqsave+0x9a/0x190 [ 19.756151][ T311] ? _raw_spin_unlock_irqrestore+0x57/0x80 [ 19.762096][ T311] ? check_preemption_disabled+0x51/0x2c0 [ 19.767823][ T311] ? try_to_del_timer_sync+0x313/0x460 [ 19.773248][ T311] submit_bh+0x21/0x30 [ 19.777285][ T311] write_mmp_block+0x34d/0x4f0 [ 19.782016][ T311] kmmpd+0x25f/0x9b0 [ 19.785880][ T311] ? __kthread_parkme+0xb1/0x1b0 [ 19.790785][ T311] kthread+0x2d8/0x360 [ 19.794830][ T311] ? write_mmp_block+0x4f0/0x4f0 [ 19.799745][ T311] ? kthread_destroy_worker+0x1f0/0x1f0 [ 19.805258][ T311] ret_from_fork+0x1f/0x30 [ 19.809643][ T311] Modules linked in: [ 19.813559][ T311] ---[ end trace 8cf4d2162c2db652 ]--- [ 19.819002][ T311] RIP: 0010:submit_bh_wbc+0x76e/0x790 [ 19.824369][ T311] Code: 08 80 e1 07 80 c1 03 38 c1 0f 8c be fe ff ff 48 8b 7c 24 08 e8 83 97 ee ff e9 af fe ff ff e8 69 37 c2 ff 0f 0b e8 62 37 c2 ff <0f> 0b e8 5b 37 c2 ff 0f 0b e8 54 37 c2 ff 0f 0b e8 4d 37 c2 ff 0f [ 19.844051][ T311] RSP: 0018:ffff8881dd377d10 EFLAGS: 00010293 [ 19.850119][ T311] RAX: ffffffff819e077e RBX: 0000000000000000 RCX: ffff8881dd0ebf00 [ 19.858074][ T311] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 19.866040][ T311] RBP: 1ffff1103cdd8a00 R08: ffffffff819e00a9 R09: ffffed103cdd8a01 [ 19.874003][ T311] R10: ffffed103cdd8a01 R11: 1ffff1103cdd8a00 R12: 0000000000000001 [ 19.881967][ T311] R13: ffff8881e6ec5000 R14: dffffc0000000000 R15: 0000000000003800 [ 19.890120][ T311] FS: 0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 19.899021][ T311] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 19.905609][ T311] CR2: 00007fce51806860 CR3: 00000001dd781000 CR4: 00000000003406e0 [ 19.913581][ T311] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 19.921546][ T311] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 19.929493][ T311] Kernel panic - not syncing: Fatal exception [ 19.935695][ T311] Kernel Offset: disabled [ 19.939998][ T311] Rebooting in 86400 seconds..