./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2700514295 <...> Starting sshd: OK syzkaller syzkaller login: [ 6.380551][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! [ 9.940448][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!! [ 10.244482][ T23] kauditd_printk_skb: 60 callbacks suppressed [ 10.244489][ T23] audit: type=1400 audit(1654617842.640:71): avc: denied { transition } for pid=287 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 10.250243][ T23] audit: type=1400 audit(1654617842.640:72): avc: denied { write } for pid=287 comm="sh" path="pipe:[1015]" dev="pipefs" ino=1015 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 [ 15.390465][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!! Warning: Permanently added '10.128.0.140' (ECDSA) to the list of known hosts. execve("./syz-executor2700514295", ["./syz-executor2700514295"], 0x7ffc8bd7a790 /* 10 vars */) = 0 brk(NULL) = 0x555556445000 brk(0x555556445d00) = 0x555556445d00 arch_prctl(ARCH_SET_FS, 0x5555564453c0) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2700514295", 4096) = 28 brk(0x555556466d00) = 0x555556466d00 brk(0x555556467000) = 0x555556467000 mprotect(0x7f7969872000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f79697c3bd0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f79697c3ec0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f79697c3bd0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f79697c3ec0}, NULL, 8) = 0 mkdir("./file0", 0777) = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- pipe2([3, 4], 0) = 0 write(4, "\x15\x00\x00\x00\x65\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 21) = 21 dup(4) = 5 mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000005,") = -1 EREMOTEIO (Remote I/O error) write(5, "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 24) = 24 write(5, "\xb0\x00\x00\x00\x08\x00\x00\x6b\x2e\x7f\xb3\xd8\xc3\xe6\xa4\xfb\xab\x53\xd2\x3f\xd1\x1d\x10\xa4\x70\xfa\x38\x47\xd6\x27\x3c\x54\xc4\x84\x03\x64\x04\x71\x56\xd3\xc3\x66\xb3\x9b\x34\x12\x7a\xdc\x03\x15\x7c\x6b\x1c\x80\xa1\xc9\x68\x94\x76\x38\x2b\xbc\xe1\x8d\x8e\xd0\x22\xa5\x0f\x2c\x26\x2c\xad\xa3\x02\x7d\xda\x95\xe4\x36\xe4\x75\x3a\xea\xfb\xd2\xe5\x45\xd0\x1d\x8b\x5a\x77\x67\x11\x92\x5b\xcc\xb6\xe1"..., 176) = 176 write(5, "\x4c\x01\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 311) = 311 mount(NULL, "./file0", "9p", 0, "trans=fd,rfdno=0x0000000000000003,wfdno=0x0000000000000004,fscache,") = 0 open("./file0/file0/../file0", O_ACCMODE|O_EXCL|O_NOCTTY|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|O_DIRECTORY) = -1 ENOENT (No such file or directory) [ 17.673114][ T23] audit: type=1400 audit(1654617850.070:73): avc: denied { execmem } for pid=371 comm="syz-executor270" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 17.683825][ T371] general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] PREEMPT SMP KASAN [ 17.694620][ T23] audit: type=1400 audit(1654617850.070:74): avc: denied { mounton } for pid=371 comm="syz-executor270" path="/root/file0" dev="sda1" ino=1138 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 17.704179][ T371] KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067] [ 17.704191][ T371] CPU: 0 PID: 371 Comm: syz-executor270 Not tainted 5.10.117-syzkaller-00814-gfdd06dc6b0f8 #0 [ 17.704195][ T371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 17.704209][ T371] RIP: 0010:chrdev_open+0xb3/0x680 [ 17.704217][ T371] Code: 00 4c 89 fb 48 c1 eb 03 42 80 3c 33 00 74 08 4c 89 ff e8 50 25 f7 ff 4d 8b 2f 4d 85 ed 74 40 49 8d 5d 60 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 2e 25 f7 ff 48 8b 1b 48 85 db 0f [ 17.704223][ T371] RSP: 0018:ffffc90000c077a0 EFLAGS: 00010206 [ 17.704232][ T371] RAX: 000000000000000c RBX: 0000000000000062 RCX: 0000000000000001 [ 17.704237][ T371] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90000c07720 [ 17.704243][ T371] RBP: ffffc90000c07880 R08: dffffc0000000000 R09: 0000000000000003 [ 17.704249][ T371] R10: fffff52000180ee5 R11: 1ffff92000180ee4 R12: 1ffff92000180efc [ 17.704254][ T371] R13: 0000000000000002 R14: dffffc0000000000 R15: ffff8881199fdbc0 [ 17.704262][ T371] FS: 00005555564453c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 17.704268][ T371] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 17.704275][ T371] CR2: 00007f652f57e6a8 CR3: 00000001061ab000 CR4: 00000000003506b0 [ 17.704284][ T371] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 17.704290][ T371] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 17.704293][ T371] Call Trace: [ 17.704305][ T371] ? selinux_file_receive+0x140/0x140 [ 17.704321][ T371] ? cd_forget+0x170/0x170 [ 17.729179][ T23] audit: type=1400 audit(1654617850.070:75): avc: denied { mount } for pid=371 comm="syz-executor270" name="/" dev="9p" ino=5132127137084480979 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 17.737064][ T371] ? fsnotify_perm+0x3ed/0x4e0 [ 17.737073][ T371] ? cd_forget+0x170/0x170 [ 17.737088][ T371] do_dentry_open+0x7a2/0x1090 [ 17.747334][ T23] audit: type=1400 audit(1654617850.070:76): avc: denied { execute } for pid=371 comm="syz-executor270" dev="9p" ino=5132127137084480979 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 17.757318][ T371] vfs_open+0x73/0x80 [ 17.757327][ T371] path_openat+0x2638/0x2fd0 [ 17.757343][ T371] ? __kasan_slab_alloc+0xb2/0xe0 [ 17.762456][ T23] audit: type=1400 audit(1654617850.070:77): avc: denied { write } for pid=371 comm="syz-executor270" dev="9p" ino=5132127137084480979 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 17.782000][ T371] ? do_filp_open+0x440/0x440 [ 17.782012][ T371] do_filp_open+0x200/0x440 [ 17.782021][ T371] ? vfs_tmpfile+0x230/0x230 [ 17.782033][ T371] ? get_unused_fd_flags+0x95/0xa0 [ 17.782040][ T371] do_sys_openat2+0x13b/0x470 [ 17.782053][ T371] ? ptrace_stop+0x6ff/0x9f0 [ 17.782068][ T371] ? do_sys_open+0x220/0x220 [ 18.009354][ T371] ? _raw_spin_unlock_irq+0x4e/0x70 [ 18.014528][ T371] ? ptrace_notify+0x248/0x340 [ 18.019265][ T371] __x64_sys_open+0x221/0x270 [ 18.023945][ T371] ? do_sys_openat2+0x470/0x470 [ 18.028765][ T371] ? syscall_enter_from_user_mode+0x58/0x1b0 [ 18.034714][ T371] do_syscall_64+0x34/0x70 [ 18.039208][ T371] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 18.045068][ T371] RIP: 0033:0x7f7969805909 [ 18.049455][ T371] Code: 28 c3 e8 5a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 18.069040][ T371] RSP: 002b:00007fffdc1184c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 18.077430][ T371] RAX: ffffffffffffffda RBX: 00007fffdc1184d8 RCX: 00007f7969805909 [ 18.085375][ T371] RDX: 0000000000000034 RSI: 0000000000080082 RDI: 0000000020000040 [ 18.093317][ T371] RBP: 00007fffdc1184d0 R08: 00007f79697c3bd0 R09: 00007f79697c3bd0 [ 18.101258][ T371] R10: 00007f79697c3bd0 R11: 0000000000000246 R12: 0000000000000000 [ 18.109284][ T371] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 18.117226][ T371] Modules linked in: [ 18.121172][ T371] ---[ end trace 0fd24476f99204e4 ]--- [ 18.126638][ T371] RIP: 0010:chrdev_open+0xb3/0x680 [ 18.131802][ T371] Code: 00 4c 89 fb 48 c1 eb 03 42 80 3c 33 00 74 08 4c 89 ff e8 50 25 f7 ff 4d 8b 2f 4d 85 ed 74 40 49 8d 5d 60 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 2e 25 f7 ff 48 8b 1b 48 85 db 0f [ 18.151431][ T371] RSP: 0018:ffffc90000c077a0 EFLAGS: 00010206 [ 18.157499][ T371] RAX: 000000000000000c RBX: 0000000000000062 RCX: 0000000000000001 [ 18.165483][ T371] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90000c07720 [ 18.173474][ T371] RBP: ffffc90000c07880 R08: dffffc0000000000 R09: 0000000000000003 [ 18.181449][ T371] R10: fffff52000180ee5 R11: 1ffff92000180ee4 R12: 1ffff92000180efc [ 18.189493][ T371] R13: 0000000000000002 R14: dffffc0000000000 R15: ffff8881199fdbc0 [ 18.197471][ T371] FS: 00005555564453c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 18.206397][ T371] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 18.213150][ T371] CR2: 00007f652f57e6a8 CR3: 00000001061ab000 CR4: 00000000003506b0 [ 18.221115][ T371] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 18.229067][ T371] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 18.237036][ T371] Kernel panic - not syncing: Fatal exception [ 18.243242][ T371] Kernel Offset: disabled [ 18.247545][ T371] Rebooting in 86400 seconds..