./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2048621398 <...> [ 4.037714][ T30] audit: type=1400 audit(1679554215.320:9): avc: denied { append open } for pid=80 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 4.046380][ T30] audit: type=1400 audit(1679554215.320:10): avc: denied { getattr } for pid=80 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 4.205450][ T97] udevd[97]: starting version 3.2.10 [ 4.230565][ T98] udevd[98]: starting eudev-3.2.10 [ 4.233437][ T97] udevd (97) used greatest stack depth: 23568 bytes left [ 5.466061][ T184] ssh-keygen (184) used greatest stack depth: 23472 bytes left [ 16.792263][ T30] kauditd_printk_skb: 49 callbacks suppressed [ 16.792274][ T30] audit: type=1400 audit(1679554228.120:60): avc: denied { transition } for pid=301 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 16.804427][ T30] audit: type=1400 audit(1679554228.130:61): avc: denied { write } for pid=301 comm="sh" path="pipe:[13137]" dev="pipefs" ino=13137 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 [ 18.452013][ T302] sshd (302) used greatest stack depth: 22832 bytes left Warning: Permanently added '10.128.1.163' (ECDSA) to the list of known hosts. execve("./syz-executor2048621398", ["./syz-executor2048621398"], 0x7ffc52199390 /* 10 vars */) = 0 brk(NULL) = 0x5555574d3000 brk(0x5555574d3c40) = 0x5555574d3c40 arch_prctl(ARCH_SET_FS, 0x5555574d3300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2048621398", 4096) = 28 brk(0x5555574f4c40) = 0x5555574f4c40 brk(0x5555574f5000) = 0x5555574f5000 mprotect(0x7f973d5e5000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555574d35d0) = 328 ./strace-static-x86_64: Process 328 attached [pid 328] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 328] setpgid(0, 0) = 0 [pid 328] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 328] write(3, "1000", 4) = 4 [pid 328] close(3) = 0 [pid 328] openat(AT_FDCWD, "/dev/kvm", O_RDONLY) = 3 [ 25.021372][ T30] audit: type=1400 audit(1679554236.350:62): avc: denied { execmem } for pid=327 comm="syz-executor204" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 25.024122][ T328] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 25.041140][ T30] audit: type=1400 audit(1679554236.350:63): avc: denied { read } for pid=328 comm="syz-executor204" name="kvm" dev="devtmpfs" ino=82 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 25.079571][ T30] audit: type=1400 audit(1679554236.350:64): avc: denied { open } for pid=328 comm="syz-executor204" path="/dev/kvm" dev="devtmpfs" ino=82 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [pid 328] ioctl(3, KVM_CREATE_VM, 0) = 4 [pid 328] ioctl(4, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=536879104, userspace_addr=0x20000000}) = 0 [pid 328] ioctl(4, KVM_CREATE_VCPU, 0) = 5 [pid 328] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}}, {msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}}, {msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=NULL, msg_iovlen=0, msg_control=[{cmsg_len=24, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[-1, 3]}], msg_controllen=24, msg_flags=0}}], 3, 0) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=0, flags=0, guest_phys_addr=0, memory_size=4096, userspace_addr=0x20000000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=1, flags=0, guest_phys_addr=0x1000, memory_size=4096, userspace_addr=0x20001000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=2, flags=0, guest_phys_addr=0x2000, memory_size=4096, userspace_addr=0x20002000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=3, flags=0, guest_phys_addr=0x3000, memory_size=4096, userspace_addr=0x20003000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=4, flags=0, guest_phys_addr=0x4000, memory_size=4096, userspace_addr=0x20004000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=5, flags=0, guest_phys_addr=0x5000, memory_size=4096, userspace_addr=0x20005000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=6, flags=0, guest_phys_addr=0x6000, memory_size=4096, userspace_addr=0x20006000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=7, flags=0, guest_phys_addr=0x7000, memory_size=4096, userspace_addr=0x20007000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=8, flags=0, guest_phys_addr=0x8000, memory_size=4096, userspace_addr=0x20008000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=9, flags=0, guest_phys_addr=0x9000, memory_size=4096, userspace_addr=0x20009000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=10, flags=0, guest_phys_addr=0xfec00000, memory_size=4096, userspace_addr=0x2000a000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=11, flags=0, guest_phys_addr=0xb000, memory_size=4096, userspace_addr=0x2000b000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=12, flags=0, guest_phys_addr=0xc000, memory_size=4096, userspace_addr=0x2000c000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=13, flags=0, guest_phys_addr=0xd000, memory_size=4096, userspace_addr=0x2000d000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=14, flags=0, guest_phys_addr=0xe000, memory_size=4096, userspace_addr=0x2000e000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=15, flags=0, guest_phys_addr=0xf000, memory_size=4096, userspace_addr=0x2000f000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=16, flags=0, guest_phys_addr=0x10000, memory_size=4096, userspace_addr=0x20010000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=17, flags=0, guest_phys_addr=0x11000, memory_size=4096, userspace_addr=0x20011000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=18, flags=0, guest_phys_addr=0x12000, memory_size=4096, userspace_addr=0x20012000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=19, flags=0, guest_phys_addr=0x13000, memory_size=4096, userspace_addr=0x20013000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=20, flags=0, guest_phys_addr=0x14000, memory_size=4096, userspace_addr=0x20014000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=21, flags=0, guest_phys_addr=0x15000, memory_size=4096, userspace_addr=0x20015000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=22, flags=0, guest_phys_addr=0x16000, memory_size=4096, userspace_addr=0x20016000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=23, flags=0, guest_phys_addr=0x17000, memory_size=4096, userspace_addr=0x20017000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(-1, KVM_SET_USER_MEMORY_REGION, {slot=65537, flags=0, guest_phys_addr=0x30000, memory_size=65536, userspace_addr=0x20000000}) = -1 EBADF (Bad file descriptor) [pid 328] ioctl(5, KVM_GET_SREGS, {cs={base=0xffff0000, limit=65535, selector=61440, type=11, present=1, dpl=0, db=0, s=1, l=0, g=0, avl=0}, ...}) = 0 [pid 328] openat(AT_FDCWD, "/dev/kvm", O_RDWR) = 6 [pid 328] ioctl(6, KVM_GET_SUPPORTED_CPUID, {nent=31, entries=[...]}) = 0 [pid 328] ioctl(5, KVM_SET_CPUID2, {nent=31, entries=[...]}) = 0 [pid 328] close(6) = 0 [pid 328] ioctl(5, KVM_SET_MSRS, 0x7fff76e009e0) = 5 [pid 328] ioctl(5, KVM_SET_SREGS, {cs={base=0, limit=1048575, selector=48, type=11, present=1, dpl=0, db=1, s=1, l=0, g=0, avl=0}, ...}) = 0 [pid 328] ioctl(5, KVM_SET_REGS, {rax=0, ..., rsp=0xf80, rbp=0, ..., rip=0, rflags=0x2}) = 0 [ 25.102991][ T30] audit: type=1400 audit(1679554236.350:65): avc: denied { ioctl } for pid=328 comm="syz-executor204" path="/dev/kvm" dev="devtmpfs" ino=82 ioctlcmd=0xae01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 25.142262][ T30] audit: type=1400 audit(1679554236.470:66): avc: denied { write } for pid=328 comm="syz-executor204" name="kvm" dev="devtmpfs" ino=82 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [pid 328] ioctl(5, KVM_RUN [pid 327] kill(-328, SIGKILL) = 0 [pid 327] kill(328, SIGKILL) = 0 [ 30.022232][ T328] general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] PREEMPT SMP KASAN [ 30.033787][ T328] KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] [ 30.042134][ T328] CPU: 1 PID: 328 Comm: syz-executor204 Not tainted 5.15.94-syzkaller-03204-g5448b2fda85f #0 [ 30.052115][ T328] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 [ 30.062010][ T328] RIP: 0010:restart_apic_timer+0x99/0x990 [ 30.067564][ T328] Code: f2 01 66 43 c7 44 3c 0d f3 f3 43 c6 44 3c 0f f3 e8 6c e4 58 00 bf 01 00 00 00 e8 a2 e1 35 00 49 8d 5e 68 49 89 dd 49 c1 ed 03 <43> 0f b6 44 3d 00 84 c0 0f 85 e8 05 00 00 48 89 5c 24 20 8b 1b bf [ 30.087128][ T328] RSP: 0018:ffffc90000947a40 EFLAGS: 00010202 [ 30.093021][ T328] RAX: 1ffff11020e35da8 RBX: 0000000000000068 RCX: ffffffff84b88c00 [ 30.100835][ T328] RDX: 0000000000000000 RSI: 0000000000030d40 RDI: ffffffff81168d5e [ 30.108755][ T328] RBP: ffffc90000947b60 R08: ffffffff8108d82b R09: ffffed1020e35c59 [ 30.116567][ T328] R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92000128f50 [ 30.124384][ T328] R13: 000000000000000d R14: 0000000000000000 R15: dffffc0000000000 [ 30.132199][ T328] FS: 00005555574d3300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 30.140957][ T328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 30.147397][ T328] CR2: 00007f973d5e9130 CR3: 000000011fa0a000 CR4: 00000000003526a0 [ 30.155191][ T328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 30.163002][ T328] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 30.170813][ T328] Call Trace: [ 30.173938][ T328] [ 30.176760][ T328] ? nested_vmx_preemption_timer_pending+0x84/0x110 [ 30.183207][ T328] ? advance_periodic_target_expiration+0x230/0x230 [ 30.189668][ T328] ? kvm_vcpu_check_block+0x200/0x230 [ 30.194875][ T328] ? ktime_get+0x12f/0x160 [ 30.199128][ T328] ? kvm_vcpu_block+0x6d3/0xb30 [ 30.203813][ T328] kvm_lapic_switch_to_hv_timer+0x3b/0x40 [ 30.209373][ T328] vmx_post_block+0x4b/0x60 [ 30.213817][ T328] kvm_arch_vcpu_ioctl_run+0xdff/0x2150 [ 30.219188][ T328] ? ioctl_has_perm+0x1f8/0x560 [ 30.223877][ T328] ? __kvm_request_immediate_exit+0x70/0x70 [ 30.229691][ T328] kvm_vcpu_ioctl+0x7eb/0xcf0 [ 30.234204][ T328] ? _raw_spin_unlock_irq+0x4e/0x70 [ 30.239238][ T328] ? kvm_clear_stat_per_vcpu+0x1e0/0x1e0 [ 30.244706][ T328] ? selinux_file_ioctl+0x3cc/0x540 [ 30.249756][ T328] ? selinux_file_alloc_security+0x120/0x120 [ 30.255564][ T328] ? _raw_spin_unlock_irq+0x4e/0x70 [ 30.260590][ T328] ? ptrace_notify+0x24c/0x350 [ 30.265204][ T328] ? security_file_ioctl+0x84/0xb0 [ 30.270148][ T328] ? kvm_clear_stat_per_vcpu+0x1e0/0x1e0 [ 30.275622][ T328] __se_sys_ioctl+0x114/0x190 [ 30.280134][ T328] __x64_sys_ioctl+0x7b/0x90 [ 30.284541][ T328] do_syscall_64+0x3d/0xb0 [ 30.288795][ T328] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 30.294524][ T328] RIP: 0033:0x7f973d577b99 [ 30.298780][ T328] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 30.318251][ T328] RSP: 002b:00007fff76e02538 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 30.326498][ T328] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f973d577b99 [ 30.334276][ T328] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 [ 30.342091][ T328] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff76e026d8 [ 30.349899][ T328] R10: 0000000000009120 R11: 0000000000000246 R12: 00007f973d53ae00 [ 30.357709][ T328] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 [ 30.365524][ T328] [ 30.368382][ T328] Modules linked in: [ 30.372235][ T328] ---[ end trace f6414f99fcc491c7 ]--- [ 30.377458][ T328] RIP: 0010:restart_apic_timer+0x99/0x990 [ 30.382975][ T328] Code: f2 01 66 43 c7 44 3c 0d f3 f3 43 c6 44 3c 0f f3 e8 6c e4 58 00 bf 01 00 00 00 e8 a2 e1 35 00 49 8d 5e 68 49 89 dd 49 c1 ed 03 <43> 0f b6 44 3d 00 84 c0 0f 85 e8 05 00 00 48 89 5c 24 20 8b 1b bf [ 30.402525][ T328] RSP: 0018:ffffc90000947a40 EFLAGS: 00010202 [ 30.408447][ T328] RAX: 1ffff11020e35da8 RBX: 0000000000000068 RCX: ffffffff84b88c00 [ 30.416288][ T328] RDX: 0000000000000000 RSI: 0000000000030d40 RDI: ffffffff81168d5e [ 30.424039][ T328] RBP: ffffc90000947b60 R08: ffffffff8108d82b R09: ffffed1020e35c59 [ 30.431892][ T328] R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92000128f50 [ 30.439677][ T328] R13: 000000000000000d R14: 0000000000000000 R15: dffffc0000000000 [ 30.447503][ T328] FS: 00005555574d3300(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 30.456253][ T328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 30.462663][ T328] CR2: 00007f973d5e9130 CR3: 000000011fa0a000 CR4: 00000000003526a0 [ 30.470505][ T328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 30.478309][ T328] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 30.486127][ T328] Kernel panic - not syncing: Fatal exception [ 30.492349][ T328] Kernel Offset: disabled [ 30.496484][ T328] Rebooting in 86400 seconds..