./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3668975876 <...> Warning: Permanently added '10.128.0.6' (ED25519) to the list of known hosts. execve("./syz-executor3668975876", ["./syz-executor3668975876"], 0x7ffd84ded2e0 /* 10 vars */) = 0 brk(NULL) = 0x555594890000 brk(0x555594890e00) = 0x555594890e00 arch_prctl(ARCH_SET_FS, 0x555594890480) = 0 set_tid_address(0x555594890750) = 295 set_robust_list(0x555594890760, 24) = 0 rseq(0x555594890da0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3668975876", 4096) = 28 getrandom("\x66\x84\x5c\x63\x47\xf5\xdd\x1b", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555594890e00 brk(0x5555948b1e00) = 0x5555948b1e00 brk(0x5555948b2000) = 0x5555948b2000 mprotect(0x7f1cea838000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 296 attached [pid 296] set_robust_list(0x555594890760, 24) = 0 [pid 295] <... clone resumed>, child_tidptr=0x555594890750) = 296 [pid 295] openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "10000000000", 11) = 11 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "20", 2) = 2 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "100", 3) = 3 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "7 4 1 3", 7) = 7 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "0", 1) = 1 [pid 295] close(3) = 0 [pid 295] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "296", 3) = 3 [pid 295] close(3) = 0 [pid 295] kill(296, SIGKILL) = 0 [pid 296] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=296, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7f1cea77bce0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f1cea785820}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7f1cea77bce0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7f1cea785820}, NULL, 8) = 0 mkdir("./syzkaller.IHk45F", 0700) = 0 chmod("./syzkaller.IHk45F", 0777) = 0 chdir("./syzkaller.IHk45F") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555594890750) = 297 ./strace-static-x86_64: Process 297 attached [pid 297] set_robust_list(0x555594890760, 24) = 0 [pid 297] chdir("./0") = 0 [ 22.502932][ T30] audit: type=1400 audit(1735334015.881:66): avc: denied { execmem } for pid=295 comm="syz-executor366" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 22.507860][ T30] audit: type=1400 audit(1735334015.891:67): avc: denied { integrity } for pid=295 comm="syz-executor366" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1 [pid 297] prctl(PR_SET_PDEATHSIG, SIGKILLexecuting program ) = 0 [pid 297] setpgid(0, 0) = 0 [pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 297] write(3, "1000", 4) = 4 [pid 297] close(3) = 0 [pid 297] symlink("/dev/binderfs", "./binderfs") = 0 [pid 297] write(1, "executing program\n", 18) = 18 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] rt_sigaction(SIGRT_1, {sa_handler=0x7f1cea7dc400, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1cea785820}, NULL, 8) = 0 [pid 297] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 297] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f1cea751000 [pid 297] mprotect(0x7f1cea752000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 297] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 297] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f1cea771990, parent_tid=0x7f1cea771990, exit_signal=0, stack=0x7f1cea751000, stack_size=0x20240, tls=0x7f1cea7716c0} => {parent_tid=[299]}, 88) = 299 [pid 297] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 299 attached [pid 299] set_robust_list(0x7f1cea7719a0, 24) = 0 [pid 299] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 299] memfd_create("syzkaller", 0) = 3 [pid 299] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1ce2351000 [pid 299] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 299] munmap(0x7f1ce2351000, 138412032) = 0 [pid 299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 299] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 299] close(3) = 0 [pid 299] close(4) = 0 [pid 299] mkdir("./file0", 0777) = 0 [ 22.530989][ T30] audit: type=1400 audit(1735334015.911:68): avc: denied { read write } for pid=295 comm="syz-executor366" name="loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 22.554861][ T299] loop0: detected capacity change from 0 to 512 [ 22.555272][ T30] audit: type=1400 audit(1735334015.911:69): avc: denied { open } for pid=295 comm="syz-executor366" path="/dev/loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 22.585299][ T30] audit: type=1400 audit(1735334015.921:70): avc: denied { ioctl } for pid=295 comm="syz-executor366" path="/dev/loop0" dev="devtmpfs" ino=112 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 22.610802][ T30] audit: type=1400 audit(1735334015.961:71): avc: denied { mounton } for pid=297 comm="syz-executor366" path="/root/syzkaller.IHk45F/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 22.635668][ T299] EXT4-fs (loop0): Ignoring removed mblk_io_submit option [ 22.642660][ T299] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem [ 22.651502][ T299] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=b016c118, mo2=0002] [ 22.659298][ T299] System zones: 1-12 [ 22.663860][ T299] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2219: inode #15: comm syz-executor366: corrupted in-inode xattr [ 22.676183][ T299] EXT4-fs error (device loop0): ext4_orphan_get:1406: comm syz-executor366: couldn't read orphan inode 15 (err -117) [pid 299] mount("/dev/loop0", "./file0", "ext3", MS_MGC_VAL|MS_NOSUID|MS_NODEV|MS_NOEXEC, "jqfmt=vfsold,data_err=abort,debug,noload,mblk_io_submit,commit=0x0000000000000005,init_itable=0x0000"...) = 0 [pid 299] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 299] chdir("./file0") = 0 [pid 299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 299] ioctl(4, LOOP_CLR_FD) = 0 [pid 299] close(4) = 0 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] creat("./bus", 000) = 4 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] mount("/dev/loop0", "./bus", NULL, MS_NODEV|MS_SYNCHRONOUS|MS_BIND, NULL) = 0 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] mknod("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] link("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] link("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] rename("./file0", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_CLOEXEC) = 5 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] mmap(0x20000000, 8388608, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0x1000) = 0x20000000 [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] futex(0x7f1cea83e6c8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 297] futex(0x7f1cea83e6cc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 299] <... futex resumed>) = 1 [pid 299] sendmsg(-1, 0x200001c0, 0) = -1 EBADF (Bad file descriptor) [pid 299] futex(0x7f1cea83e6cc, FUTEX_WAKE_PRIVATE, 1000000 [pid 297] <... futex resumed>) = 0 [pid 297] exit_group(0) = ? [pid 299] <... futex resumed>) = ? [pid 299] +++ exited with 0 +++ [pid 297] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=6} --- umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555948917f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=3072, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=3072, ...}, AT_EMPTY_PATH) = 0 [ 22.688433][ T299] EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,data_err=abort,debug,noload,mblk_io_submit,commit=0x0000000000000005,init_itable=0x0000000000000601,grpquota,,errors=continue. Quota mode: writeback. [ 22.709969][ T30] audit: type=1400 audit(1735334016.091:72): avc: denied { mount } for pid=297 comm="syz-executor366" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 22.732206][ T30] audit: type=1400 audit(1735334016.091:73): avc: denied { write } for pid=297 comm="syz-executor366" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 22.740159][ T295] ================================================================== [ 22.754084][ T30] audit: type=1400 audit(1735334016.091:74): avc: denied { add_name } for pid=297 comm="syz-executor366" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 22.761689][ T295] BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x131b/0x13e0 [ 22.782216][ T30] audit: type=1400 audit(1735334016.091:75): avc: denied { create } for pid=297 comm="syz-executor366" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 22.789897][ T295] Read of size 1 at addr ffff88811e847a67 by task syz-executor366/295 [ 22.789912][ T295] [ 22.789923][ T295] CPU: 0 PID: 295 Comm: syz-executor366 Not tainted 5.15.173-syzkaller-00161-gb4bd207b0380 #0 [ 22.830181][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 22.840074][ T295] Call Trace: [ 22.843192][ T295] [ 22.845968][ T295] dump_stack_lvl+0x151/0x1c0 [ 22.850481][ T295] ? io_uring_drop_tctx_refs+0x190/0x190 [ 22.856062][ T295] ? panic+0x760/0x760 [ 22.859960][ T295] print_address_description+0x87/0x3b0 [ 22.865341][ T295] kasan_report+0x179/0x1c0 [ 22.869683][ T295] ? ext4_htree_fill_tree+0x131b/0x13e0 [ 22.875066][ T295] ? ext4_htree_fill_tree+0x131b/0x13e0 [ 22.880445][ T295] __asan_report_load1_noabort+0x14/0x20 [ 22.885911][ T295] ext4_htree_fill_tree+0x131b/0x13e0 [ 22.891122][ T295] ? ext4_handle_dirty_dirblock+0x6d0/0x6d0 [ 22.896855][ T295] ? __kasan_kmalloc+0x9/0x10 [ 22.901369][ T295] ? ext4_readdir+0x523/0x3960 [ 22.905963][ T295] ext4_readdir+0x2f75/0x3960 [ 22.910478][ T295] ? __kasan_check_write+0x14/0x20 [ 22.915423][ T295] ? compat_start_thread+0x20/0x20 [ 22.920374][ T295] ? down_read_killable+0x1035/0x1b10 [ 22.925583][ T295] ? down_read_interruptible+0x1bf0/0x1bf0 [ 22.931220][ T295] ? finish_task_switch+0x167/0x7b0 [ 22.936255][ T295] ? ext4_dir_llseek+0x540/0x540 [ 22.941028][ T295] ? __schedule+0xcd4/0x1590 [ 22.945454][ T295] ? __kasan_check_read+0x11/0x20 [ 22.950314][ T295] ? security_file_permission+0x86/0xb0 [ 22.955695][ T295] iterate_dir+0x265/0x600 [ 22.959950][ T295] ? ext4_dir_llseek+0x540/0x540 [ 22.964722][ T295] __se_sys_getdents64+0x1c1/0x460 [ 22.969669][ T295] ? __x64_sys_getdents64+0x90/0x90 [ 22.974704][ T295] ? filldir+0x680/0x680 [ 22.978784][ T295] __x64_sys_getdents64+0x7b/0x90 [ 22.983644][ T295] x64_sys_call+0x5ae/0x9a0 [ 22.987982][ T295] do_syscall_64+0x3b/0xb0 [ 22.992236][ T295] ? clear_bhb_loop+0x35/0x90 [ 22.996748][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 23.002480][ T295] RIP: 0033:0x7f1cea7e3033 [ 23.006732][ T295] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 e2 c1 fa ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b0 ff ff ff f7 d8 [ 23.026174][ T295] RSP: 002b:00007ffd8043a8f8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 [ 23.034418][ T295] RAX: ffffffffffffffda RBX: 0000555594899830 RCX: 00007f1cea7e3033 [ 23.042231][ T295] RDX: 0000000000008000 RSI: 0000555594899830 RDI: 0000000000000004 [ 23.050041][ T295] RBP: 0000555594899804 R08: 0000000000000000 R09: 0000000000000000 [ 23.057852][ T295] R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffb0 [ 23.065666][ T295] R13: 0000000000000010 R14: 0000555594899800 R15: 00007ffd8043cb44 [ 23.073484][ T295] [ 23.076343][ T295] [ 23.078512][ T295] Allocated by task 236: [ 23.082590][ T295] ____kasan_kmalloc+0xdb/0x110 [ 23.087276][ T295] __kasan_kmalloc+0x9/0x10 [ 23.091618][ T295] __kmalloc_track_caller+0x13e/0x2c0 [ 23.096822][ T295] __alloc_skb+0x10c/0x550 [ 23.101077][ T295] __napi_alloc_skb+0x167/0x2e0 [ 23.105782][ T295] page_to_skb+0x2a5/0xb40 [ 23.110017][ T295] receive_buf+0xed9/0x5860 [ 23.114356][ T295] virtnet_poll+0x615/0x1250 [ 23.118785][ T295] __napi_poll+0xc4/0x5a0 [ 23.122949][ T295] net_rx_action+0x47d/0xc50 [ 23.127374][ T295] handle_softirqs+0x25e/0x5c0 [ 23.131975][ T295] __irq_exit_rcu+0x52/0xf0 [ 23.136317][ T295] irq_exit_rcu+0x9/0x10 [ 23.140395][ T295] common_interrupt+0x68/0xe0 [ 23.144908][ T295] asm_common_interrupt+0x27/0x40 [ 23.149772][ T295] [ 23.151938][ T295] Freed by task 234: [ 23.155671][ T295] kasan_set_track+0x4b/0x70 [ 23.160098][ T295] kasan_set_free_info+0x23/0x40 [ 23.164874][ T295] ____kasan_slab_free+0x126/0x160 [ 23.169825][ T295] __kasan_slab_free+0x11/0x20 [ 23.174420][ T295] slab_free_freelist_hook+0xbd/0x190 [ 23.179629][ T295] kfree+0xcc/0x270 [ 23.183275][ T295] skb_release_data+0x8a9/0xa80 [ 23.187958][ T295] __kfree_skb+0x50/0x70 [ 23.192043][ T295] tcp_recvmsg_locked+0x17fd/0x2890 [ 23.197071][ T295] tcp_recvmsg+0x24e/0x7f0 [ 23.201331][ T295] inet_recvmsg+0x158/0x500 [ 23.205665][ T295] sock_read_iter+0x353/0x480 [ 23.210180][ T295] vfs_read+0xa81/0xd40 [ 23.214170][ T295] ksys_read+0x199/0x2c0 [ 23.218250][ T295] __x64_sys_read+0x7b/0x90 [ 23.222590][ T295] x64_sys_call+0x28/0x9a0 [ 23.226842][ T295] do_syscall_64+0x3b/0xb0 [ 23.231095][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 23.236823][ T295] [ 23.238997][ T295] The buggy address belongs to the object at ffff88811e847800 [ 23.238997][ T295] which belongs to the cache kmalloc-1k of size 1024 [ 23.252885][ T295] The buggy address is located 615 bytes inside of [ 23.252885][ T295] 1024-byte region [ffff88811e847800, ffff88811e847c00) [ 23.266083][ T295] The buggy address belongs to the page: [ 23.271557][ T295] page:ffffea00047a1000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e840 [ 23.281611][ T295] head:ffffea00047a1000 order:3 compound_mapcount:0 compound_pincount:0 [ 23.289769][ T295] flags: 0x4000000000010200(slab|head|zone=1) [ 23.295679][ T295] raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100043080 [ 23.304137][ T295] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 23.312513][ T295] page dumped because: kasan: bad access detected [ 23.318773][ T295] page_owner tracks the page as allocated [ 23.324313][ T295] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, ts 15796021232, free_ts 13657665590 [ 23.342370][ T295] post_alloc_hook+0x1a3/0x1b0 [ 23.346967][ T295] prep_new_page+0x1b/0x110 [ 23.351306][ T295] get_page_from_freelist+0x3550/0x35d0 [ 23.356688][ T295] __alloc_pages+0x27e/0x8f0 [ 23.361116][ T295] new_slab+0x9a/0x4e0 [ 23.365021][ T295] ___slab_alloc+0x39e/0x830 [ 23.369449][ T295] __slab_alloc+0x4a/0x90 [ 23.373612][ T295] __kmalloc_track_caller+0x171/0x2c0 [ 23.378821][ T295] __alloc_skb+0x10c/0x550 [ 23.383096][ T295] __napi_alloc_skb+0x167/0x2e0 [ 23.387759][ T295] page_to_skb+0x2a5/0xb40 [ 23.392014][ T295] receive_buf+0xed9/0x5860 [ 23.396358][ T295] virtnet_poll+0x615/0x1250 [ 23.400781][ T295] __napi_poll+0xc4/0x5a0 [ 23.404948][ T295] net_rx_action+0x47d/0xc50 [ 23.409375][ T295] handle_softirqs+0x25e/0x5c0 [ 23.413972][ T295] page last free stack trace: [ 23.418489][ T295] free_unref_page_prepare+0x7c8/0x7d0 [ 23.423787][ T295] free_unref_page+0xe8/0x750 [ 23.428299][ T295] __put_page+0xb0/0xe0 [ 23.432285][ T295] anon_pipe_buf_release+0x187/0x200 [ 23.437408][ T295] pipe_read+0x5a6/0x1040 [ 23.441573][ T295] vfs_read+0xa81/0xd40 [ 23.445567][ T295] ksys_read+0x199/0x2c0 [ 23.449645][ T295] __x64_sys_read+0x7b/0x90 [ 23.453986][ T295] x64_sys_call+0x28/0x9a0 [ 23.458238][ T295] do_syscall_64+0x3b/0xb0 [ 23.462491][ T295] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 23.468222][ T295] [ 23.470390][ T295] Memory state around the buggy address: [ 23.475860][ T295] ffff88811e847900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.483757][ T295] ffff88811e847980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.491657][ T295] >ffff88811e847a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.499552][ T295] ^ getdents64(4, 0x555594899830 /* 1 entries */, 32768) = 176 umount2("\x2e\x2f\x30\x2f\x66\x69\x6c\x65\x30\x2f\xf7\x6c\x70\xb6\x3b\xa7\x71\x1b\x28\x03\x02\x02\x2e\x2e", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x66\x69\x6c\x65\x30\x2f\xf7\x6c\x70\xb6\x3b\xa7\x71\x1b\x28\x03\x02\x02\x2e\x2e", 0x7ffd8043a960, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory) exit_group(1) = ? +++ exited with 1 +++ [ 23.506584][ T295] ffff88811e847a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.514483][ T295] ffff88811e847b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.522382][ T295] ================================================================== [ 23.530280][ T295] Disabling lock debugging due to kernel taint