./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor301296238 <...>
Starting sshd: OK
syzkaller
syzkaller login: [ 14.711385][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 14.711393][ T22] audit: type=1400 audit(1672535093.349:71): avc: denied { transition } for pid=265 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 14.715954][ T22] audit: type=1400 audit(1672535093.349:72): avc: denied { write } for pid=265 comm="sh" path="pipe:[552]" dev="pipefs" ino=552 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[ 15.892430][ T268] scp (268) used greatest stack depth: 23672 bytes left
[ 16.082390][ T269] sshd (269) used greatest stack depth: 22520 bytes left
Warning: Permanently added '10.128.10.43' (ECDSA) to the list of known hosts.
execve("./syz-executor301296238", ["./syz-executor301296238"], 0x7ffd989bfa60 /* 10 vars */) = 0
brk(NULL) = 0x555556772000
brk(0x555556772c40) = 0x555556772c40
arch_prctl(ARCH_SET_FS, 0x555556772300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor301296238", 4096) = 27
brk(0x555556793c40) = 0x555556793c40
brk(0x555556794000) = 0x555556794000
mprotect(0x7fcb46bd1000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
[ 22.722853][ T22] audit: type=1400 audit(1672535101.359:73): avc: denied { execmem } for pid=304 comm="syz-executor301" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 22.726520][ T304] netlink: 12 bytes leftover after parsing attributes in process `syz-executor301'.
[ 22.755459][ T22] audit: type=1400 audit(1672535101.389:74): avc: denied { create } for pid=304 comm="syz-executor301" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 22.775844][ T22] audit: type=1400 audit(1672535101.389:75): avc: denied { write } for pid=304 comm="syz-executor301" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 22.776035][ C1] ==================================================================
[ 22.796112][ T22] audit: type=1400 audit(1672535101.389:76): avc: denied { nlmsg_write } for pid=304 comm="syz-executor301" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1
[ 22.804108][ C1] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2f65/0x34a0
[ 22.824846][ T22] audit: type=1400 audit(1672535101.399:77): avc: denied { read } for pid=193 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1
[ 22.832659][ C1] Read of size 4 at addr ffff8881f6f09a18 by task swapper/1/0
[ 22.832661][ C1]
[ 22.832669][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.4.219-syzkaller-00012-ga8aad8851131 #0
[ 22.832673][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.832684][ C1] Call Trace:
[ 22.886239][ C1]
[ 22.889065][ C1] dump_stack+0x1d8/0x241
[ 22.893363][ C1] ? debug_smp_processor_id+0x20/0x20
[ 22.898698][ C1] ? nf_ct_l4proto_log_invalid+0x26c/0x26c
[ 22.904464][ C1] ? printk+0xcf/0x10f
[ 22.908590][ C1] ? xfrm_state_find+0x2f65/0x34a0
[ 22.913666][ C1] print_address_description+0x8c/0x630
[ 22.919280][ C1] ? rt_set_nexthop+0x20f/0x6e0
[ 22.924102][ C1] ? xfrm_state_find+0x2f65/0x34a0
[ 22.929184][ C1] __kasan_report+0xf6/0x130
[ 22.933833][ C1] ? xfrm_state_find+0x2f65/0x34a0
[ 22.938911][ C1] kasan_report+0x30/0x60
[ 22.943333][ C1] xfrm_state_find+0x2f65/0x34a0
[ 22.948261][ C1] ? call_rcu+0x10/0x10
[ 22.952387][ C1] ? arch_stack_walk+0x114/0x140
[ 22.957320][ C1] ? xfrm_sad_getinfo+0x160/0x160
[ 22.962313][ C1] ? xfrm4_get_saddr+0x1a1/0x2d0
[ 22.967225][ C1] ? xfrm_pol_bin_obj+0x1c0/0x1c0
[ 22.972214][ C1] xfrm_resolve_and_create_bundle+0x6fc/0x3290
[ 22.978341][ C1] ? xfrm_sk_policy_lookup+0x540/0x540
[ 22.983769][ C1] xfrm_lookup_with_ifid+0x78a/0x2120
[ 22.989117][ C1] ? __xfrm_sk_clone_policy+0xa80/0xa80
[ 22.994749][ C1] ? ip_route_output_key_hash_rcu+0xf40/0xf40
[ 23.000789][ C1] ? ip_route_output_key_hash_rcu+0x6a0/0xf40
[ 23.006824][ C1] xfrm_lookup_route+0x37/0x170
[ 23.011643][ C1] ip_route_output_flow+0x1f6/0x320
[ 23.016808][ C1] ? ipv4_sk_update_pmtu+0x1e00/0x1e00
[ 23.022232][ C1] ? make_kuid+0x20a/0x700
[ 23.026619][ C1] ? __put_user_ns+0x50/0x50
[ 23.031179][ C1] igmpv3_newpack+0x414/0x1040
[ 23.035912][ C1] ? igmpv3_sendpack+0x190/0x190
[ 23.040812][ C1] ? check_preemption_disabled+0x9e/0x330
[ 23.046502][ C1] ? _raw_spin_lock+0x1b0/0x1b0
[ 23.051317][ C1] ? mld_sendpack+0x755/0xb00
[ 23.055962][ C1] add_grhead+0x75/0x2b0
[ 23.060171][ C1] add_grec+0x12f8/0x1600
[ 23.064463][ C1] ? debug_smp_processor_id+0x20/0x20
[ 23.069803][ C1] ? mod_timer_pending+0x20/0x20
[ 23.074706][ C1] ? _raw_spin_lock_bh+0xa3/0x1b0
[ 23.079693][ C1] ? igmpv3_send_report+0x430/0x430
[ 23.084961][ C1] ? prandom_u32+0x21a/0x240
[ 23.089516][ C1] igmp_ifc_timer_expire+0x823/0xf10
[ 23.094851][ C1] ? _raw_spin_lock_irqsave+0x210/0x210
[ 23.100358][ C1] ? trigger_load_balance+0x99/0x850
[ 23.105608][ C1] ? igmp_gq_timer_expire+0xe0/0xe0
[ 23.110769][ C1] call_timer_fn+0x31/0x350
[ 23.115250][ C1] ? igmp_gq_timer_expire+0xe0/0xe0
[ 23.120410][ C1] expire_timers+0x21e/0x400
[ 23.124963][ C1] __run_timers+0x5e0/0x700
[ 23.129429][ C1] ? __internal_add_timer+0x4a0/0x4a0
[ 23.134764][ C1] ? check_preemption_disabled+0x9e/0x330
[ 23.140448][ C1] ? debug_smp_processor_id+0x20/0x20
[ 23.145869][ C1] run_timer_softirq+0x46/0x80
[ 23.150596][ C1] __do_softirq+0x23e/0x643
[ 23.155068][ C1] irq_exit+0x195/0x1c0
[ 23.159186][ C1] smp_apic_timer_interrupt+0x113/0x440
[ 23.164699][ C1] apic_timer_interrupt+0xf/0x20
[ 23.169596][ C1]
[ 23.172503][ C1] ? check_preemption_disabled+0x90/0x330
[ 23.178186][ C1] ? default_idle+0x1f/0x30
[ 23.182652][ C1] ? default_idle+0x11/0x30
[ 23.187119][ C1] ? do_idle+0x255/0x670
[ 23.191325][ C1] ? cpus_share_cache+0xe0/0xe0
[ 23.196138][ C1] ? idle_inject_timer_fn+0x60/0x60
[ 23.201301][ C1] ? __wake_up_locked+0xc2/0x120
[ 23.206208][ C1] ? complete+0x5e/0xb0
[ 23.210346][ C1] ? cpu_startup_entry+0x15/0x20
[ 23.215246][ C1] ? start_secondary+0x357/0x3f0
[ 23.220147][ C1] ? mwait_play_dead+0x1d0/0x1d0
[ 23.225047][ C1] ? secondary_startup_64+0xa4/0xb0
[ 23.230203][ C1]
[ 23.232498][ C1] The buggy address belongs to the page:
[ 23.238095][ C1] page:ffffea0007dbc240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 23.247163][ C1] flags: 0x8000000000001000(reserved)
[ 23.252497][ C1] raw: 8000000000001000 ffffea0007dbc248 ffffea0007dbc248 0000000000000000
[ 23.261043][ C1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 23.269589][ C1] page dumped because: kasan: bad access detected
[ 23.275963][ C1] page_owner info is not present (never set?)
[ 23.281989][ C1]
[ 23.284283][ C1] Memory state around the buggy address:
[ 23.289880][ C1] ffff8881f6f09900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.297905][ C1] ffff8881f6f09980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 23.305932][ C1] >ffff8881f6f09a00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 23.313953][ C1] ^
[ 23.318763][ C1] ffff8881f6f09a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.326788][ C1] ffff8881f6f09b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.334894][ C1] ==================================================================
[ 23.342919][ C1] Disabling lock debugging due to kernel taint